Troubleshooting
Problem
The IBM Cognos Business Intelligence Installation and Configuration Guide is missing a topic called "Enable SSL on the Web Server." This topic should appear in the "Configuring the SSL protocol for IBM Cognos components" section of the guide. The topic contents are included below.
Resolving The Problem
Enable SSL on the Web Server
Enable secure sockets layer (SSL) to encrypt a user’s communication with the Web server.
To enable SSL on your Web server, you must obtain a Web server certificate signed by a Certificate Authority and install it into your Web server. The certificate must not be self-signed, because self-signed certificates will not be trusted by IBM Cognos components.
To enable IBM Cognos components to use an SSL-enabled Web server, you must have copies of the trusted root certificate (the certificate of the root Certificate Authority which signed the Web server certificate) and all other certificates which make up the chain of trust for the Web server’s certificate. These certificates must be in Base64 encoded in ASCII (PEM) or DER format, and must not be self-signed. The certificates must be installed on every computer where you have installed Application Tier Components.
For more information about installing certificates into your Web server, see your Web server documentation.
Steps
- Configure the Web server for SSL and start the Web server.
For more information, see your Web server documentation. - On each Application Tier Components computer that points to the gateway on the Web server, in IBM Cognos Configuration, change the gateway URI from HTTP to HTTPS, and save the configuration.
Do not start the IBM Cognos service yet. - On each Application Tier Components computer, go to the c10_location/bin directory and import all the certificates that make up the chain of trust, in order starting with the root CA certificate, into the IBM Cognos trust store.
Import the certificates by typing the following command: - In version 10.2.2, on UNIX® or LINUX®, type
ThirdPartyCertificateTool.sh -T -i -r certificate_fileName -p password
In version 10.2.0 and 10.2.1, on UNIX® or LINUX®, type
ThirdPartyCertificateTool.sh -T -i -r certificate_fileName -D ../configuration/signkeypair -p password - In version 10.2.2, on Windows®, type
ThirdPartyCertificateTool.bat -T -i -r certificate_fileName -p password
In version 10.2.0 and 10.2.1, on Windows®, type
ThirdPartyCertificateTool.bat -T -i -r certificate_fileName -D ../configuration/signkeypair -p password
Note: The password should have already been set. If not, the default password is NoPassWordSet. - On each Application Tier Components computer, in IBM Cognos Configuration, start the IBM Cognos service.
You can verify trust, by creating and running a PDF report that contains pictures that are not stored locally but which the gateway gets from a remote computer. If the pictures appear, trust is established.
To avoid being prompted by a security alert for each new session, install the certificate into one of your Web browser’s certificate stores.
In addition, you may want to set up SSL connections between IBM Cognos components and other servers. You must ensure that SSL is set up for the other servers and then you must set up a shared trust between IBM Cognos components and the other servers.
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg21695524