IBM Support

How to add a 3rd Party CA to allow for SSL between components in IBM Cognos Analytics 11

Technote (troubleshooting)


Problem(Abstract)

Replacing the IBM Cognos CA with 3rd Party certificates to complete the chain of trust to allow SSL between IBM Cognos components or other software.

Cause

Cognos CA needs replacing

Environment

This is platform independent.

Resolving the problem

First ensure entire IBM Cognos system is shut down. Use appropriate operating system tools to make sure there are no Orphan processes.

Ensure that the JAVA_HOME environment variable is set properly to the JRE bing used.

To recrypt IBM Cognos Analytics 11 (password default: NoPassWordSet)

Make a backup copy of your ..\configuration directory;

Using the Cognos Configuration Tool's File -> Export As.. Option export to Desktop\Cogstartup.xml. Close tool after file is saved;

Delete the following;
ca11_location\temp\cam\freshness
ca11_location\configuration\cogstartup.xml
ca11_location\configuration\caSerial
ca11_location\configuration\certs\CAMCrypto.status
ca11_location\configuration\certs\CAMKeystore
ca11_location\configuration\certs\CAMKeystore.lock
ca11_location\configuration\csk

Copy Desktop\cogstartup.xml to ..\configuration;

DO NOT START config tool;


Open a command prompt as Administrator.
In the command window...
Change directory to ca11_location\bin;

CN is set to your Domain;
Windows Operating System Request:
ThirdPartyCertificateTool.bat -c -e  -d "CN=EncryptCert,O=cognos,c=CA" -r encrypt.csr -p NoPassWordSet

OR

Unix and Linux Operating System Request:
ThirdPartyCertificateTool.sh -c -e  -d "CN=EncryptCert,O=cognos,c=CA" -r encrypt.csr -p NoPassWordSet

Make another backup copy of your ..\configuration directory so that there is a backup of the keystore which then contains the private keys in case the configuration is started before the signed certificates are returned;

Get encrypt.csr signed by the CA which will come back with encrypt.cer and ca.crt;

Copy your encrypt.cer AND ca.crt files to ca11_location\bin;

Windows Operating Systems:
ThirdPartyCertificateTool.bat -i -e -r encrypt.cer -p NoPassWordSet -t ca.crt
ThirdPartyCertificateTool.bat -i -T -r ca.crt -p NoPassWordSet

OR

Unix or Linux Operating systems:
ThirdPartyCertificateTool.sh -i -e -r encrypt.cer -p NoPassWordSet -t ca.crt
ThirdPartyCertificateTool.sh -i -T -r ca.crt -p NoPassWordSet

Open Configuration tool with unencrypted cogstartup.xml file.

Navigate to Cryptography:
Change CSK Keystore (Common Symmetric Keystore) password to "NoPassWordSet";

Navigate to Cryptography -> Cognos:
Change Key store password to "NoPassWordSet";
Change Certificate Authority password "NoPassWordSet";
Change Use third party CA? to "True";

Change Dispatcher URIs for gateway to use https;
Change External dispatcher URI to use https;
Change Internal dispatcher URI to use https;
Change Dispatcher URI for external applications to use https;
Change Content Manager URIs to use https;

Save configuration;
Start IBM Cognos Service.

When applying this technique you will need to ensure that the Third Party Chain of Trust Certificates are added to the the appropriate Operating System tools like IIS or Apache and that your Browsers have also been given the certs for their Keystores. This is beyond the scope of this document.

Document information

More support for: Cognos Analytics
Administration and Configuration v11x

Software version: 11.0

Operating system(s): Platform Independent

Software edition: Edition Independent

Reference #: 1992784

Modified date: 14 December 2017


Translate this page: