Configuring Cognos for encrypted connections

Set up IBM® Cognos® to handle encrypted connections.

About this task

To enable IBM Cognos components to use an encrypted connection-enabled Web server, you must have copies of the trusted root certificate (the certificate of the root Certificate Authority which signed the Web server certificate) and all other certificates that make up the chain of trust for the Web server's certificate. These certificates must be in Base64 encoded in ASCII (PEM) or DER format, and must not be self-signed, because self-signed certificates will not be trusted by IBM® Cognos® components.

Procedure

  1. Import certificates into IBM Cognos Transformer Trust Store.
    1. Launch a Command Prompt on the machine Transformer installed on. Change directory into the ..\<transformer installation>\bin. For example:
      • IBM AIX®, Linux: /opt/IBM/CognosTF/bin/
      • Microsoft™ Windows™: C:\IBM\CognosTF\bin
    2. Repeat the following command for each certificate (root and intermediate-level certificates):
      • AIX or Linux: ./ThirdPartyCertificateTool.sh -T -i -r CA_certificate_fileName -D ../configuration/signkeypair -p password
      • Windows: ThirdPartyCertificateTool.bat -T -i -r CA_certificate_fileName -D ..\configuration\signkeypair -p password
      Replace CA_certificate_fileName with the correct file names of the Root and Intermediate-level certificates. The certificates must be either in Base64-encoded ASCII (PEM) or DER format in order to be readable by ThirdPartyCertificateTool. All certificates can be stacked in one file, for example, exported via the Firefox browser. Refer to this tech note for more information.For example:
      • AIX or Linux: export JAVA_HOME=/usr/java/jre
      • Windows: set JAVA_HOME=<Cognos_Installation>\bin\jre\6.0
      For example:
      • AIX or Linux: ./ThirdPartyCertificateTool.sh -T -i -r c:\hostname_Certificate.cer -D ../configuration/signkeypair -p NoPassWordSet
      • Windows: ThirdPartyCertificateTool.bat -T -i -r c:\hostname_Certificate.cer -D ..\configuration\signkeypair -p NoPassWordSet
      Tip: The trust store password should have been set automatically by the installation wizard during the installation; the default is NoPassWordSet. If the ThirdPartyCertificateTool is unable to locate a valid JRE, you have to set the JAVA_HOME environment variable to the Java™ Runtime Environment (JRE) that the product is configured to use. ThirdPartyCertificateTool needs a 32-bit Java to run. If you use, for example, the 64-bit Java installed with WebSphere, the following error occurs:
      Exception in thread "main" java.lang.NoClassDefFoundError: com.cognos.accman.jcam.crypto.jni.JNISystemProperties (initialization failure)
      ...
      Caused by: java.lang.UnsatisfiedLinkError: JCAM_Crypto_JNI (./libJCAM_Crypto_JNI.so: wrong ELF class: ELFCLASS32)
      will show.
      To fix, either install a 32-bit Java on the operating system level or use the Java runtime of the IBM Installation Manager, typically the 32-bit version as specified in the Connections system requirements. To use the Java runtime of the IBM Installation Manager:
      • AIX or Linux: export JAVA_HOME=/opt/ibm/InstallationManager/eclipse/jre_7.0.9000.20150514_1022/jre/
      • Windows: set JAVA_HOME=\IBM\InstallationManager\eclipse\jre_7.0.9000.20150514_1022\jre\
  2. Configure Cognos Transformer and BI to use HTTPS.
    1. Configuring Cognos Transformer as follows:
      1. (IBM AIX or Linux) Set the JAVA_HOME variable: Navigate to the WAS_install_root/bin directory, for example: /opt/IBM/WebSphere/AppServer/bin
      2. (AIX or Linux) Run the following command: setupCmdLine.sh
      3. (AIX or Linux) Set environment variables to point to the Cognos BI Server’s /bin directory by running the following command. By default, the Transformer’s environment variables point to its own directory, so you must change them to point to the BI Server’s directory:
        • AIX: export LIBPATH=/opt/IBM/CognosBI/bin64/
        • Linux: export LD_LIBRARY_PATH=/opt/IBM/CognosBI/bin64/
      4. Start the Cognos Transformer Configuration Tool: Navigate to the /bin directory of the Cognos BI server installation directory. For example:
        • IBM AIX, Linux:/opt/IBM/CognosTF/bin/
        • Microsoft™ Windows™: C:\IBM\CognosTF\bin
      5. Start the Cognos Configuration tool by running the following command:
        • AIX, Linux: ./cogconfig.sh
        • Windows: cogconfigw.exe
      6. Expand Local Configuration > Environmentand edit the URLs for the following properties by replacing the http URLs with https URLs.
        • Gateway Settings
        • Other URI Settings
        Attention: The URLs must be updated to point to the HTTP server's host name and port number. The port number must be included even if it is the standard port 443.
      7. Save your changes.
      8. Exit the Cognos Configuration tool. You do not need to restart the Transformer component.
    2. Configure Cognos BI to use https as follows:
      1. Start the Cognos Configuration Tool by navigating to the /bin64 directory of the Cognos BI server installation directory. For example:
        • IBM AIX, Linux: /opt/IBM/CognosBI/bin64/
        • Windows: C:\IBM\CognosBI\bin64
      2. Start the Cognos Configuration tool by running the following command:
        1. AIX, Linux: ./cogconfig.sh
        2. Windows: cogconfigw.exe
      3. ExpandLocal Configuration > Environment to edit the URLs for the following properties by replacing http URLs with https URLs.
        Attention: The URLs must be updated to point to the HTTP server's host name and port number. The port number must be included even if it is the standard port 443.

        In the Gateway Settings section, change only the Dispatch URIs for gateway attribute.

        In the Other URI Settings section, change only the Dispatcher URI for external applications attribute.

      4. Save your changes.
      5. Exit the Cognos Configuration tool, making sure to select No at the following prompt:
        The service 'IBM Cognos' is not running on the local computer. Before you can use it your computer must start the service. Do you want to start this service before exiting?
      6. Restart the Cognos server.