IBM Support

How to Update Your Expiring TM1 SSL Certificates - Manual Steps - Cognos Express 10.1 / 10.2.1 Server

Fix readme


Abstract

*This document is applicable to IBM Cognos Express 10.1 and 10.2.1, regardless of FixPack or InterimFix level.*

If you have already implemented Custom SSL Certificates or the TM1 v2 SSL Certificates, across all TM1 Components - then no action is required. It is still suggested that you roll your test environment clock to a date beyond November 24th 2016 - and verify that all connectivity/components functions as expected.

Your TM1 SSL Certificates will expire on November 24th. If you use Cognos Express 10.1 or 10.2.1, follow these steps to ensure you do not experience an outage! Failure to take action will result in your TM1 Environment being completely inaccessible November 24 2016.

Content

BEFORE YOU BEGIN:

-Do NOT confuse having custom certificates in your WebTier, as the solution. It is very possible that your WebTier had been configured for custom FRONT END / WEB certificates - and is still relying on the default TM1/APPLIX certificates for TM1 Server communication

-It is advised that all customers verify not only that these steps work in a test environment (prior to any production changes), but that the server clocks be rolled ahead past November 24th 2016 to ensure that the product behaves as expected post expiration date.

-If you have questions, please log a service request with TM1 Support so that the problem can be addressed.

  1. Download the updated TM1 SSL Certificates from the following location: http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FCognos+TM1&fixids=BA-CTM1-SSL-ZIP-IF001
  2. Stop all IBM Cognos Express Services in the environment you are updating:
    • IBM Cognos Analytic Server - CXMD
    • IBM Cognos Analytic Server Admin Service
    • IBM Cognos Express
    • IBM Cognos Express Advisor
    • IBM Cognos TM1 Server x64 / <any other TM1 server registered>
  3. Extract the downloaded file/archive and extract it to any directory. For the purpose of this document, our files will be extracted in to <express_install_dir>\NewSSLCerts\
  4. After extracting the files, look inside of your extracted folder <express_install_dir>\NewSSLCerts\ . The following files should be present.
    • applixca.der
    • applixca.pem
    • applixcacrl.p7b
    • applixcacrl.pem
    • tm1admsvrcert.pem
    • tm1store
    • tm1svrcert.pem
  5. Back up the following directories in your <express_install_dir>
    • <express_install_dir>\bin\ssl
    • <express_install_dir>\bin64\ssl
    • <express_install_dir>\webapps\pmpsvc\WEB-INF\bin64\ssl
      If you do not have a pmpsvc folder, this is not applicable. Ignore any future reference to pmpsvc in this document if it is not part of your install.
  6. Copy the contents of the folder you extracted earlier <express_install_dir>\NewSSLCerts\ , and place them inside of the 3 directories listed above in Step 5. During this process, you will be required to REPLACE all conflicting files as we must replace the old certificate files with new ones.
  7. After all files have been copied successfully, navigate to <express_install_dir>\bin64\ssl\ using Windows Command Prompt
  8. Execute the following command to uninstall old keys from the Windows Keystore
  9. Execute the importsslcert.exe file, to install the new keys in to the Windows Keystore
    • importsslcert.exe
      If you do not have this file, you will need to add the APPLIX certificate to the Windows Keystore manually. Doubleclick the applixca.der file and install the certificate.
  10. Open and run Windows Command Prompt as an Administrator. Navigate to <express_install_dir>\bin64\jre\#.#\bin . Execute the following command:
    • keytool -delete -alias applixca -keystore ..\lib\security\cacerts -storepass changeit
    • keytool -keystore ..\lib\security\cacerts -alias applixca -import -file "<express_install_dir>\bin64\ssl\applixca.der" -storepass changeit -noprompt

      *Note that your JRE location or password may have been changed during your installation and configuration. If the above does not work you will want to consult with whomever may have performed the installation and configuration of your environment.
  11. Open and run Windows Command Prompt as an Administrator. Navigate to <express_install_dir>\bin\jre\#.#\bin . Execute the following command:
    • keytool -delete -alias applixca -keystore ..\lib\security\cacerts -storepass changeit
    • keytool -keystore ..\lib\security\cacerts -alias applixca -import -file "<express_install_dir>\bin\ssl\applixca.der" -storepass changeit -noprompt

      *Note that your JRE location or password may have been changed during your installation and configuration. If the above does not work you will want to consult with whomever may have performed the installation and configuration of your environment.
  12. Navigate to and copy all NGTM1*.dll files from your <express_install_dir>\webapps\pmpsvc\WEB-INF\bin64\ directory
  13. Paste the NGTM1*.dll files on your clipboard, and paste in to your <express_install_dir>\bin64\ directory. If prompted, REPLACE/OVERWRITE any conflicting files (specifically the NGTM1API.DLL file)
  14. Navigate to <express_install_dir>\bin64\. Open/edit the bootstrap_winx64.xml file.
  15. Look for the following line:
    • <param>"-Dcom.ibm.cognos.disp.useDaemonThreads=true"</param>
  16. Under the line found above, add a new line:
    • <param>"-Dcom.ibm.cognos.tm1.bin=${install_path}\bin64"</param>
  17. Save and close the bootstrap_winx64.xml file
  18. Start your IBM Cognos TM1 Services
    • IBM Cognos Analytic Server - CXMD
    • IBM Cognos Analytic Server Admin Service
    • IBM Cognos Express
    • IBM Cognos Express Advisor
    • IBM Cognos TM1 Server x64 / <any other TM1 server registered>

Note: Please ensure to update all Express clients installed locally or remotely after the server certificate upgrade as client connectivity to TM1 servers requires synchronization of the certificate update. Please see the following: http://www-01.ibm.com/support/docview.wss?uid=swg21991971

At this stage, all IBM Cognos Express Server-side components have been updated to use the new TM1 Certificates - and are no longer are risk of ticket expiration. If you wish to confirm, you may roll ahead your computer date/time, and recycle your TM1 Services - to know for sure that you are able to function on a date post November 24 2016.

Related information

Document information

More support for: Cognos Express

Software version: 10.1, 10.2.1, 10.2.2

Operating system(s): Windows

Software edition: All Editions

Reference #: 1991652

Modified date: 04 November 2016