To configure IBM Cognos TM1 Applications to use SSL, you
configure SSL for the other Cognos TM1 components that interact
with Cognos TM1 Applications, configure the web servers that support
Cognos TM1 Applications, and edit the Cognos TM1 Applications configuration.
Before you begin
Install and configure Cognos TM1 Applications
without SSL
and ensure that you can run and log in to the program.
About this task
Some of the tasks to use a certificate from another certificate
authority use a command-line tool named
ThirdPartyCertificateTool.
This tool is located in
C:\Program Files\ibm\cognos\tm1_64\bin.
For more information about this tool, see
ThirdPartyCertificateTool command-line reference.
Procedure
- Configure TM1 Admin Server to use SSL.
See Configuring the Cognos TM1 Admin Server to use SSL.
- Configure TM1 Server to use SSL.
See Configuring the Cognos TM1 Server to use SSL.
- Configure TM1 Web to use SSL.
See Configuring Cognos TM1 Web to use SSL.
- Copy your certificate files into the Cognos TM1 Applications
SSL folder:
Cognos TM1 install location\webapps\pmpsvc\WEB-INF\bin\ssl
- If you are using your own certificates, import them as
follows.
- On the computer running Cognos TM1 Admin Server, use
IBM Cognos Configuration to update the SSL parameters for the Admin
Server.
See Editing SSL parameters in Cognos Configuration to use independent certificates.
- On the computer running Cognos TM1 Server, run the tm1crypt.exe tool
See Running the TM1Crypt utility.
- For Cognos TM1 Applications, see Importing third-party CA SSL certificates into TM1 Application Server.
- In the Cognos Configuration tool change the TM1
Application Server Gateway URI and External
Server URI to use the https prefix.
- Save the configuration and restart the TM1 Applications
Server.
- On the computer running the Cognos TM1 Application Server,
edit the Cognos TM1 Applications configuration file, fpmsvc_config.xml.
- Open the fpmsvc_config.xml file:
- Edit or add the following entry under the </tm1><servers> section:
<certificate authority="authority_file_name"
id="id_name" />
where authority_file_name is
the name of the certificate file and id_name is
the certificate name. This file is expected to be found in the folder:
Cognos
TM1 install location\webapps\pmpsvc\WEB-INF\bin\ssl
Remember: You must manually copy this file to this location.
- To specify an SSL certificate revocation list, use the
optional revocationList attribute. If specified,
the file with the same name is expected to be in the \pmpsvc\WEB-INF\bin\ssl folder.
- To specify authority and certificate id for a Cognos
TM1 Admin Server, add the same <certificate authority /> section
under the admin_host section. If a certificate is
not specified, the default one is used.
- Update the URL configuration for the Cognos TM1 Application
Web client:
- Log in to Cognos TM1 Applications.
- Click the Administer IBM Cognos TM1 Applications icon on the toolbar of
the Cognos TM1 Applications main page.
- Click the TM1 Application Web check
box and then click Edit.
- Update the value in the URL field
to the secure URL for your installation of Cognos TM1 Web. For example:
https://web server name:9510/tm1web/Contributor.jsp
- Click OK.
- Import TM1 Applications SSL certificate to the Java client keystore.
- Export the TM1 Applications root SSL certificate:
Line breaks shown for publishing purposes only.
cd <install>\tm1_64\bin
ThirdPartyCertificateTool.bat -E -T -r
c:\tmp\cacert.cer -k
"<install>/tm1_64/configuration/signkeypair/jCAKeystore"
-p NoPassWordSet
- Import the ssl certificate to the Java keystore.
cd <install>\tm1_64\bin64\jre\7.0\bin
keytool -import -file c:\tmp\cacert.cer -keystore "
<install>\tm1_64\bin64\jre\7.0\lib\security\cacerts"
-storepass changeit -alias TM1ApplicationsSSL