IBM Support

How to update your expiring IBM Cognos TM1 Certificates

Technote (FAQ)


Question

I have seen a flurry of emails, blogs, posts and notes about TM1 Certificates expiring. What does this mean and how do I update my certificates?

Cause

IBM Cognos TM1 Certificate Expiry Alert:
http://www-01.ibm.com/support/docview.wss?uid=swg21990869

IBM Cognos TM1 Certificate Expiry FAQ:
http://www-01.ibm.com/support/docview.wss?uid=swg21990940

Answer

By default, the IBM Cognos TM1 Admin Server and TM1 Server are secured using default SSL certificates. By default, TM1 web components are not SSL secured.

  • Unless you are already using custom SSL Certificates on both your TM1 Admin Server and TM1 Server, or using the v2 TM1 Certificates - you will be affected.
  • **Do not mistake having custom certificates on your WEB TIER (if SSL Secured) as a solution. Unless you also configured custom certificates for the TM1 Admin Server and TM1 Server - you will be affected.

Option 1 - Manual Certificate Updates
A set of new certificates have been created and published. Using the documentation on the following page, allows you to manually update your TM1 SSL Certificates prior to expiration. See:
' IBM Cognos TM1 SSL Expiration - Manual Fix Approach - Landing Page'
http://www-01.ibm.com/support/docview.wss?uid=swg21991653


Option 2 - Apply an Interim Fix Updater
A set of Updater Kits have been made available for various versions of TM1. Please review the IBM Cognos TM1 SSL Expiration - Updater Kits - Landing Page for more detail: http://www-01.ibm.com/support/docview.wss?uid=swg21991790

Option 3 - Secure your IBM Cognos TM1 Environment with Custom Certificates

When: You can do this today if you wish - no Interim Fix required
Why: IBM Cognos TM1 comes packaged with default SSL certificates. In general, it is recommended to use your own organizations SSL Certificates. This is beneficial as the expiration dates and certificate types can be controlled by your own organization. Many organizations require custom certificates due to security policy.
How: See the following documentation (Change version using dropdown on page):
http://www.ibm.com/support/knowledgecenter/SS9RXT_10.2.2/com.ibm.swg.ba.cognos.tm1_inst.10.2.2.3.doc/c_usingindependentcertificates_n1207c4.html#UsingIndependentCertificates_N1207C4

Option 4 - Switch to the IBM Cognos TM1 v2 Certificates (TM1 10.2.2 FP4 IF1+ only)
When: You can do this today if you wish - no Interim Fix required
Why: The v2 certificates provided as of aforementioned release use keys of 2048bit size and SHA256 digest which complies to current best practices. The previous v1 certificates were using keys of 1024bit size along with SHA-1 digest which don't suffice to adhere modern security standards any more. Those v2 certificates expire in 2022 only.
How: See the following technote: http://www-01.ibm.com/support/docview.wss?uid=swg21697266
**Note
: There has been some confusion around the use of 2048 keys in general. The size of keys in certificates is one of several factors contributing to the overall security of an encrypted communications channel. By increasing key size and choosing a stronger digest algorithm for certificates TM1 helps to improve security and stay current in regards to security demands. The certificates in this step are not our only set of 2048 keys, they are first set of 2048 keys we have provided the the product. The updated APPLIXCA keys in Option 1 and Option 2 are both now 2048 encrypted.

Document information

More support for: Cognos TM1
TM1

Software version: 10.1.0, 10.1.1, 10.2, 10.2.2

Operating system(s): AIX, Linux, Windows

Software edition: All Editions

Reference #: 1990588

Modified date: 04 November 2016


Translate this page: