IBM Support

TM1 10.2.2 - Configure Custom SSL Certificates for TM1Web, pmpsvc, and pmhub

Technote (troubleshooting)


This document provides required steps to configure custom SSL certifitcates for TM1Web, pmpsvc, and pmhub web applications run with Tomcat.


IBM Cognos TM1 10.2 and 10.2.2 on Windows, AIX and Linux.

Resolving the problem

Create the Certificate Requests

Create a working directory named ssl in D:\Program Files\ibm\cognos\tm1_64\

From the D:\Program Files\ibm\cognos\tm1_64\bin directory run the following ThirdPartyCertificateTool commands to generate the encryption and signing certificate requests. The cn value will typically match the fully qualified domain name of the system running TM1Web.

ThirdPartyCertificateTool.bat -java:local -c -e -d -D "D:\Program Files\ibm\cognos\tm1_64\configuration\encryptkeypair" -r "D:\Program Files\ibm\cognos\tm1_64\ssl\encryptrequest.csr" -p NoPassWordSet

ThirdPartyCertificateTool.bat -java:local -c -s -d -D "D:\Program Files\ibm\cognos\tm1_64\configuration\signkeypair" -r "D:\Program Files\ibm\cognos\tm1_64\ssl\signrequest.csr" -p NoPassWordSet

The certificate request files named signrequest.csr and encryptrequest.csr in the D:\Program Files\ibm\cognos\tm1_64\ssl\ directory.

Have the Certificate Requests Signed by a Certificate Authority

The certificate request must be provided to a certificate authority (CA). The CA will respond with issued signing, encryption, and the CA certificates.

It's common for the certificate authority to provide both the issued certificate and CA certificates in a single file. The issued certificate must be copied into it's own file (encryptcert.pem and signcert.pem) and all CA certificates should be placed in a single file (ca.pem). If the issued and CA certificates are provided in single base64 file a text editor can be used to split the certificates into separate files. If the files provided by the CA are not in base64 format the Windows certificate utility or openSSL can be used to convert into base64 format.

For additional information about certificate formats please see:

Import the Encryption and CA Certificates

Copy the signcert.pem, encryptcert.pem, and ca.pem files into the D:\Program Files\ibm\cognos\tm1_64\ssl\ directory.

From the .\tm1_64\bin\ directory run the following commands:

ThirdPartyCertificateTool.bat -java:local -i -e -D "D:\Program Files\ibm\cognos\tm1_64\configuration\encryptkeypair" -r "D:\Program Files\ibm\cognos\tm1_64\ssl\encryptcert.pem" -t "D:\Program Files\ibm\cognos\tm1_64\ssl\ca.pem" -p NoPassWordSet

ThirdPartyCertificateTool.bat -java:local -i -s -D "D:\Program Files\ibm\cognos\tm1_64\configuration\signkeypair" -r "D:\Program Files\ibm\cognos\tm1_64\ssl\signcert.pem" -t "D:\Program Files\ibm\cognos\tm1_64\ssl\ca.pem" -p NoPassWordSet

ThirdPartyCertificateTool.bat -java:local -i -T -D "D:\Program Files\ibm\cognos\tm1_64\configuration\signkeypair" -r "D:\Program Files\ibm\cognos\tm1_64\ssl\ca.pem"
-p NoPassWordSet

Setup Cognos Configuration to use the SSL Certificate

Add the following property under the Local Configuration - Advanced Properties section.

Update the TM1 Applications settings in Cognos Configuration to specify https.

Set use third part CA to true in the Security - Cryptography - Cognos section of Cognos Configuration.

Restart the IBM Cognos TM1 Service from Cognos Configuration and test the TM1Web URL using HTTPS (

At this point it's also strongly recommended to backup the .\tm1_64\configuration\certs\ directory and the .\tm1_64\configuration\cogstartup.xml.

Document information

More support for: Cognos TM1

Software version: 10.2, 10.2.2

Operating system(s): Linux, Windows

Reference #: 1902547

Modified date: 30 November 2015

Translate this page: