How to add a 3rd Party CA to allow for SSL between components in IBM Cognos Analytics 11
Replacing the IBM Cognos CA with 3rd Party certificates to complete the chain of trust to allow SSL between IBM Cognos components or other software.
Cognos CA needs replacing
This is platform independent.
Resolving the problem
First, ensure the entire IBM Cognos system is shut down. Use the appropriate operating system tools to make sure there are no orphan processes.
Ensure that the JAVA_HOME environment variable is set properly to the JRE being used.
To recrypt IBM Cognos Analytics 11 (password default: NoPassWordSet)
Make a backup copy of your ..\configuration directory;
Using the Cognos Configuration tool's File -> Export As... option, export to Desktop\cogstartup.xml. Close the tool after the file is saved;
Delete the following;
Copy Desktop\cogstartup.xml to ..\configuration;
DO NOT START config tool;
Open a command prompt as Administrator.
In the command window...
Change directory to ca11_location\bin;
CN is set to your Domain;
Windows Operating System Request:
ThirdPartyCertificateTool.bat -c -e -d "CN=EncryptCert,O=cognos,c=CA" -r encrypt.csr -p NoPassWordSet
Unix and Linux Operating System Request:
ThirdPartyCertificateTool.sh -c -e -d "CN=EncryptCert,O=cognos,c=CA" -r encrypt.csr -p NoPassWordSet
Make another backup copy of your ..\configuration directory. This preserves the keystore, which now contains the private keys, in case the configuration is started before the signed certificates are returned;
Have encrypt.csr signed by the CA, which will return encrypt.cer and ca.crt;
Copy your encrypt.cer AND ca.crt files to ca11_location\bin;
Windows Operating Systems:
ThirdPartyCertificateTool.bat -i -e -r encrypt.cer -p NoPassWordSet -t ca.crt
ThirdPartyCertificateTool.bat -i -T -r ca.crt -p NoPassWordSet
Unix or Linux Operating systems:
ThirdPartyCertificateTool.sh -i -e -r encrypt.cer -p NoPassWordSet -t ca.crt
ThirdPartyCertificateTool.sh -i -T -r ca.crt -p NoPassWordSet
Open Configuration tool with unencrypted cogstartup.xml file.
Navigate to Cryptography:
Change CSK Keystore (Common Symmetric Keystore) password to "NoPassWordSet";
Navigate to Cryptography -> Cognos:
Change Key store password to "NoPassWordSet";
Change Certificate Authority password to "NoPassWordSet";
Change Use third party CA? to "True";
Change Dispatcher URIs for gateway to use https;
Change External dispatcher URI to use https;
Change Internal dispatcher URI to use https;
Change Dispatcher URI for external applications to use https;
Change Content Manager URIs to use https;
Start IBM Cognos Service.
When applying this technique, you will need to ensure that the third-party chain of trust certificates are added to the appropriate operating system tools, such as IIS or Apache, and that your browsers have also been given the certificates for their keystores. This is beyond the scope of this document.
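A check that can be run on the files returned by the CA before the two import commands above, as an added example that is not part of the original technote or IBM's tooling. It confirms that encrypt.cer carries the same public key as encrypt.csr and that it chains to ca.crt. It assumes PEM-encoded files, openssl on the PATH, and a ca.crt that holds the chain up to the root; the function names and the constructed sample generator are hypothetical.

```sh
#!/bin/sh
# Added example: checks on the CA's reply before it is imported with -i -e / -i -T.
# Assumptions: PEM-encoded files, openssl on PATH, ca.crt holds the chain up to the root.

check_signed_cert() {   # usage: check_signed_cert encrypt.csr encrypt.cer ca.crt
    csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read CSR $1"; return 2; }
    cer_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read certificate $2"; return 2; }
    # The certificate must carry the public key from the request, because the
    # matching private key is the one already sitting in the Cognos keystore.
    if [ -z "$csr_key" ] || [ "$csr_key" != "$cer_key" ]; then
        echo "public key in $2 differs from $1"; return 3
    fi
    # The certificate must chain to the CA file that is passed with -t and -T.
    # This also fails for an expired or not-yet-valid certificate.
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 ||
        { echo "$2 does not verify against $3"; return 4; }
    # Show what is about to be imported.
    openssl x509 -in "$2" -noout -subject -issuer -enddate
}

# Constructed sample data (throwaway keys, not from the page) for trying the check:
# a test root CA, a request using the page's DN, its signed certificate, plus an
# unrelated CA (other.crt) and an unrelated request (stray.csr).
make_constructed_samples() {   # $1 = existing scratch directory
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
          -days 2 -subj "/O=Constructed Test CA/CN=Constructed Root" &&
      openssl req -new -newkey rsa:2048 -nodes -keyout encrypt.key \
          -out encrypt.csr -subj "/C=CA/O=cognos/CN=EncryptCert" &&
      openssl x509 -req -in encrypt.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -out encrypt.cer -days 1 &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
          -days 2 -subj "/CN=Constructed Unrelated CA" &&
      openssl req -new -newkey rsa:2048 -nodes -keyout stray.key \
          -out stray.csr -subj "/CN=Constructed Stray"
    ) >/dev/null 2>&1
}

# When called with three file names, run the check on them.
if [ "$#" -eq 3 ]; then check_signed_cert "$@"; fi
```

A non-zero exit status means the files should go back to the CA rather than into the keystore: 2 is an unreadable file, 3 a key mismatch, 4 a broken chain.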
More support for:
Administration and Configuration v11x
Software version: 11.0
Operating system(s): Platform Independent
Software edition: Edition Independent
Reference #: 1992784
Modified date: 14 December 2017