Troubleshooting
Problem
Symptom
Cause
Example: Server Certificate S was signed by Intermediate CA C1, whose certificate in turn was signed by root CA C2.
The administrator would have to import the certificates from C1 and C2, but not S.
The process is as follows:
- Configure your Web server for SSL and start it.
- Obtain the certificates that make up the chain of trust for the Web server's certificate (i.e. all intermediate CA certificates and the trusted root's certificate).
The certificates must be either in Base64 encoded ASCII (PEM) or DER format to be
readable by ThirdPartyCertificateTool.
You must not use a self-signed server certificate; only CA certificates are valid.
Resolving The Problem
For every installation running (Batch) Report Service that uses the Web Server (Gateway) that is enabled for HTTPS, apply the following steps:
- Stop the product
- Open Cognos Configuration and change the Gateway URL to use HTTPS instead of HTTP
- Save configuration but don't start yet
- Using the ThirdPartyCertificateTool from the /bin directory of your IBM Cognos installation, import all the certificates from the chain of trust into the IBM Cognos truststore.
Start with the root CA certificate and work your way down to the last possible intermediate CA certificate
ThirdPartyCertificateTool.bat -T -i -r CA_certificate_fileName -D ../configuration/signkeypair -p password
For UNIX and Linux repeat the following command for each certificate:
ThirdPartyCertificateTool.sh -T -i -r CA_certificate_fileName -D ../configuration/signkeypair -p password
ThirdPartyCertificateTool.bat -T -i -r CA_certificate_fileName -p password
For UNIX and Linux repeat the following command for each certificate:
ThirdPartyCertificateTool.sh -T -i -r CA_certificate_fileName -p password
Tip: The password is generally set by your administrator; the default is "NoPassWordSet".
- Access the Gateway and import the presented certificate into your browser to avoid getting reprompted on every new session.
To verify the trust, create and run a report containing pictures that are fetched via the Gateway (not local file system) in PDF output format. If they appear, trust is established.
Follow the previous steps for all client components on Windows (FM, Transformer, PowerPlay client, Cube Designer, etc.). For Transformer on Linux or UNIX use ThirdPartyCertificateTool.sh.
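A pre-import check for the chain described above, as an added example rather than IBM's tooling: it uses the openssl CLI to keep only CA certificates and print them root first, so a server certificate such as S is never handed to ThirdPartyCertificateTool. The function names, the *.pem file layout (PEM only, paths without spaces) and the generated C2/C1/S sample chain are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not IBM code): list the certificates to import, root CA first.
# Assumes the openssl CLI and PEM files named *.pem in one directory.
is_ca() {   # succeeds only if the certificate has basicConstraints CA:TRUE
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

dn() {      # dn subject|issuer FILE -> distinguished name in RFC 2253 form
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

print_import_order() {   # DIR -> CA certificate file names, root CA first
    dir=$1 order= want=
    for f in "$dir"/*.pem; do          # root CA: a CA cert with subject == issuer
        if is_ca "$f" && [ "$(dn subject "$f")" = "$(dn issuer "$f")" ]; then
            order=$f want=$(dn subject "$f")
        fi
    done
    [ -n "$order" ] || { echo "no root CA certificate found" >&2; return 1; }
    while :; do                        # walk down: next CA cert issued by $want
        next=
        for f in "$dir"/*.pem; do
            if is_ca "$f" && [ "$(dn issuer "$f")" = "$want" ] \
                && [ "$(dn subject "$f")" != "$want" ]; then
                next=$f
            fi
        done
        [ -n "$next" ] || break
        order="$order $next" want=$(dn subject "$next")
    done
    for f in $order; do basename "$f"; done   # a non-CA server cert is never listed
}

make_sample_chain() {   # constructed test data: root C2 -> intermediate C1 -> server S
    echo 'basicConstraints=critical,CA:TRUE' > "$1/ca.ext"
    echo 'basicConstraints=CA:FALSE' > "$1/leaf.ext"
    for n in C2 C1 S; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$n.key" \
            -subj "/CN=Example $n" -out "$1/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$1/C2.csr" -signkey "$1/C2.key" -days 1 \
        -extfile "$1/ca.ext" -out "$1/C2.pem" 2>/dev/null
    openssl x509 -req -in "$1/C1.csr" -CA "$1/C2.pem" -CAkey "$1/C2.key" \
        -CAcreateserial -days 1 -extfile "$1/ca.ext" -out "$1/C1.pem" 2>/dev/null
    openssl x509 -req -in "$1/S.csr" -CA "$1/C1.pem" -CAkey "$1/C1.key" \
        -CAcreateserial -days 1 -extfile "$1/leaf.ext" -out "$1/S.pem" 2>/dev/null
}

if [ $# -gt 0 ]; then print_import_order "$1"; fi
```

Run it with the directory holding the collected certificates as its only argument; each printed file name is then passed, in that order, as the -r value of the import command.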
Tip: Tools such as iKeyman, OpenSSL, KeyStoreExplorer, or Portecle can be used to verify the import into the truststore.
Note that keytool (part of SUN JREs) won't show the signer certificates in a PKCS12 keystore!
For iKeyman
choose to open a PKCS12 type file and find <COG_INSTALL>/configuration/signkeypair/jCAKeystore. Make sure you select "Signer Certificates" from the drop-down to view the imported CA certificates instead of the CA key pair contained in this file.
For OpenSSL
use a command like:
openssl pkcs12 -info -in <COG_INSTALL>/configuration/signkeypair/jCAKeystore
For KeyStoreExplorer or Portecle
open <COG_INSTALL>/configuration/signkeypair/jCAKeystore
Document Information
Modified date: 29 April 2020
UID: swg21339658