How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 10.2.2 FP4 IF1+ - WINDOWS
*This document is applicable only to TM1 10.2.2 FP4 InterimFix1 (or higher) releases.*
If you have already implemented Custom SSL Certificates or the TM1 v2 SSL Certificates, across all TM1 Components - then no action is required. It is still suggested that you roll your test environment clock to a date beyond November 24th 2016 - and verify that all connectivity/components functions as expected.
Your TM1 SSL Certificates will expire on November 24th. If you use TM1 10.2.2 FP4 IF1+, follow these steps to ensure you do not experience an outage! Failure to take action will result in your TM1 Environment being completely inaccessible November 24 2016.
BEFORE YOU BEGIN:
-Please ensure that you have already reviewed all of the relevant detail on the following page before you proceed: IBM Cognos TM1 SSL Expiration - Manual Fix Approach - Landing Page
-Do NOT confuse having custom certificates in your WebTier, as the solution. It is very possible that your WebTier had been configured for custom FRONT END / WEB certificates - and is still relying on the default TM1/APPLIX certificates for TM1 Server communication
-If your IBM Cognos TM1 environment uses a custom application server (such as Websphere), you will want to ensure you inquire with your AppServer Administrator to ensure all keystores are updated accordingly.
-If your IBM Cognos TM1 environment is distributed (server components residing on different servers), be sure to follow the appropriate steps for the appropriate components.
-All steps assume you are using a 64bit architecture. If you are using a 32bit installation of TM1, substitute all \bin64\ references, for \bin\
-If your IBM Cognos TM1 environment communicates with any other services secured by SSL (for example but not limited to, an SSL Secured Cognos BI Dispatcher for CAM Authentication) you will be required to re-import all required certificates in to the tm1store using the keytool commands found in Step10.
-It is advised that all customers verify not only that these steps work in a test environment (prior to any production changes), but that the server clocks be rolled ahead past November 24th 2016 to ensure that the product behaves as expected post expiration date.
-If you have questions, please log a service request with TM1 Support so that the problem can be addressed.
- Download the updated TM1 SSL Certificates from the following location: http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FCognos+TM1&fixids=BA-CTM1-SSL-ZIP-IF001
- Stop all IBM Cognos TM1 Services in the environment you are updating
- Extract the downloaded file/archive and extract it to any directory. For the purpose of this document, our files will be extracted in to <tm1_install_dir>\tm1_64\NewSSLCerts\
- After extracting the files, look inside of your extracted folder <tm1_install_dir\tm1_64\NewSSLCerts\ . The following files should be present.
- Back up the following directories in your <tm1_install_dir>
- Copy the contents of the folder you extracted earlier <tm1_install_dir>\tm1_64\NewSSLCerts\ , and place them inside of the 3 directories listed above in Step 4. During this process, you will be required to REPLACE all conflicting files as we must replace the old certificate files with new ones.
- After all files have been copied successfully, navigate to <tm1_install_dir>\tm1_64\bin64\ssl\
- Execute the uninstallSSL.bat file, to uninstall old keys from the Windows Keystore
- Execute the importsslcert.exe file, to install the new keys in to the Windows Keystore
- Open and run Windows Command Prompt as an Administrator. Navigate to <tm1_install_dir>\tm1_64\bin64\jre\7.0\bin . Execute the following command:
- keytool -delete -alias applixca -keystore ..\lib\security\cacerts -storepass changeit
- keytool -keystore ..\lib\security\cacerts -alias applixca -import -file "<tm1_install_dir>\bin64\ssl\applixca.der" -storepass changeit -noprompt
*Note that your JRE location or password may have been changed during your installation and configuration. If the above does not work you will want to consult with whomever may have performed the installation and configuration of your environment.
- Navigate to <tm1_install_dir>\bin64\ and open/edit the service_pmpsvc.bat file
- Find the line beginning with 'set BASE_JVM_OPTIONS'
- Append the following to the end of the string: ;-Dcom.ibm.cognos.tm1.certificate.dir=%PMPSVC_ROOT%\webapps\pmpsvc\WEB-INF\bin64
***Use %PMPSVC_ROOT% as is, you are not expected to modify this variable as it sets itself via the batch script. Do not forget the semi-colon at the beginning of the string.
- Save your changes and close the open service_pmpsvc.bat file
- Open Windows Command Prompt as an Administrator, and navigate to <tm1_install_dir>\tm1_64\bin64\
- Execute the following commands in the sequence below. Nothing is really being 'uninstalled' - just re-registering the TM1 Services. If your TM1 Services were configured to run as a service account, be sure to update the service to include the service account again - as it will likely be lost with this step.
- service_pmpsvc stop
- service_pmpsvc uninstall
- service_pmpsvc install
- Navigate to <tm1_install_dir>\tm1_64\webapps\pmpsvc\WEB-INF\configuration
- Copy your fpmsvc_config.xml file, and paste it in to your <tm1_install_dir>\tm1_64\webapps\pmpsvc\WEB-INF\bin64\ directory
- Start your IBM Cognos TM1 Services
At this stage, all IBM Cognos TM1 Server-side components have been updated to use the new TM1 Certificates - and are no longer are risk of ticket expiration. If you wish to confirm, you may roll ahead your computer date/time, and recycle your TM1 Services - to know for sure that you are able to function on a date post November 24 2016.