IBM Cognos TM1 Certificate Expiry - FAQ

Answer

---------------------------------- NOTICE----------------------------------

**TM1 on Cloud and Planning Analytics customers are not required to do anything**

• IBM Operations will be performing the necessary patch management and will notify with at least one (1) week's notice
• The update is included in a wider update for the TM1 components tentatively targeted for late October / early November
  

• Advertising
• We are using all available channels to ensure our customers and partners are aware of the required changes, and understand the approach they can take
• Documentation
• All possible solutions have been documented and options provided to avoid any rejected connections in TM1 once certificates expire on November 24 2016
• This document will continue to be updated to allow for a one-stop-shop of Q&A

• The default TM1 (APPLIX) certificates expire on November 24 2016

• Certificates are created with an expiration in mind. They may be due to policy, standards changing, or simply the license authority wanting fees to renew. The pre-contained certificates provided by IBM are self-signed, typically with a 10yr life span. As SSL encryption evolves so to does the need to update certificates to ensure the latest encryption methods are adhered to. The APPLIX certificate was created on Nov 27, 2006 whereas encryption methods have evolved greatly since that time

• All non-cloud TM1 Customers who are NOT using custom certificates or have NOT updated to the TM1 v2 certificates WILL be affected. If you rely on the bundled/default/pre-configured APPLIX certificates - they WILL expire November 24 2016

• All versions of TM1 are affected by the certificate expiry. See 'How do I know if this affects my organization?' to determine if / how you need to react

• The easiest way to check if you will be affected:
• Log on to the box where your TM1 Admin Server is running
• Open Cognos Configuration (for TM1)
• Click on the 'TM1 Admin Server' entry and in Explorer pane
• Look at the 'Certificate File Location' parameter
• If blank, you have NOT configured TM1 for Option 3 (Custom Certificates)
• If blank, you WILL be affected by the SSL certificate expiry
• Look at the 'TM1 Admin Server Certificate Version'
• If '1', you have NOT configured TM1 for Option 4 (v2 Certificates)
• If '1', you WILL be affect be the SSL certificate expiry
• Additional ways to confirm:
• If you have configured TM1 for Option 3 (Custom Certificates) you will have the following entries in your tm1s.cfg file
• SSLCertAuthority=
• SSLCertificate=
• SSLCertificateID=
• If you have configured TM1 for Option 4 (v2 Certificates) you will have the following entry in your tm1s.cfg file
• CertificateVersion=2

• No! Once a certificate expiration date has been defined and built into a certificate, the date cannot change or be extended without invalidating the certificate

• No! The certificates must remain consistent and trusted in order to achieve secured communication.

• Please see the referenced material throughout this FAQ.
• Review the following How to Update Your Expiring TM1 Certificates technote here: http://www-01.ibm.com/support/docview.wss?uid=swg21990588
  

• All Server Components
• The TM1 Server, Admin Host, and the TM1 Application Server will all require updates
• All TM1 Client Components
• Architect, Perspectives, Performance Modeler, Cognos Insight and TM1Top will all required a new certificate to communicate with TM1
• Cognos Analysis for Excel (CAFE), does not require any specific client updates/changes. CAFE communicates directly with PMHub - which is configured server-side.
• IBM Cognos BI
• If using IBM Cognos BI to report on TM1, the IBM Cognos TM1 client used by Cognos BI will need to be updated

• The updater replaces the old applixca certificates (expiring in November) with new ones (using the same name) that expire in 2026.

• The updater will NOT apply any new product fixes. These updaters are built only to update the expiring certificates.