Configuring TM1 Server to trust the SSL certificate on CA Side

If Cognos Analytics is configured to use SSL TM1 Server must trust the certificate to be able to connect to CAM Security. If not any TM1 Client will throw an error and is not able to connect.

please follow the steps in PA Documentation to configure TM1 Server to trust the Ca certificate:

Configure Planning Analytics 2.0 TM1 Server with SSL Cognos BI Dispatcher:

http://www-01.ibm.com/support/docview.wss?uid=swg22000821

To configure TM1 Server 10.2.2 and lower to work with a Cognos BI Dispatcher using SSL please see: http://www-01.ibm.com/support/docview.wss?uid=swg21980367. 

The process to configure CAM Authentication with a SSL enabled Cognos BI Dispatcher has changed in Planning Analytics 2.0 as the CAMSSLCertificate and SkipSSLCAMHostCheck parameters in the tm1s.cfg file have been deprecated. A list of changed and deprecated parameters in the tm1s.cfg file for Planning Analytics 2.0 can be found here: http://www-01.ibm.com/support/docview.wss?uid=swg27047055.

The following parameter must be added to the tm1s.cfg file.
CAMUseSSL=T

The root and any intermediate CA (signing) certificates for the Cognos BI or Analytics Dispatcher must also be imported into the key database used by the TM1 Server. By default this key database file is <TM1 Server>\bin64\ssl\ibmtm1.kdb.

The root and intermediate CA certificates for the BI Dispatcher can typically be obtained by browsing to the Cognos BI Dispatcher URL (e.g https://cognosbi.ibm.com:9300/p2pd/servlet/dispatch) using Internet Explorer and then clicking on the lock icon to the right of the URL, then clicking View certificates. The certificates can be exported to a Base-64 encoded cer file.

To import the certificates into the key database run the following command from the TM1 Server installations bin64 directory.

gsk8capicmd_64 -cert -add -db .\ssl\ibmtm1.kdb -stashed -label cognosbi -file .\ssl\cognosbica.cer -format ascii -trust enable

The above command assumes the certificates are in a file named cognosbica.cer that has already been copied into the <TM1 Server>\bin64\ssl\ directory.

Run a list command on the CMS Keystore to see whether the whole Keychain from the CA Server is imported

gsk8capicmd_64 -cert -list -db .\ssl\ibmtm1.kdb -stashed

Certificates found

* default, - personal, ! trusted, #‌ secret key

!    tm1ca_v2

!    applixca

!    MainCA

!    cognosbi

*-   ibmtm1_server

-    tm1svr_v2

-    tm1adminsvr_v2

-    tm1svr

-    tm1adminsvr

Restart the TM1 Server after making the above changes.

Debugging:

Create a tm1s-log.properties file with the following content, place it to the same folder as the  Tm1s.cfg file restart the server and login with Cam Security

#
#  Enable INFO level logging through the shared memory appender, by default.  The server #  will write informational messages, as well as errors and warnings to the log file.
#

log4j.logger.TM1=INFO, S1

# S1 is set to be a SharedMemoryAppender
log4j.appender.S1=org.apache.log4j.SharedMemoryAppender
# Specify the size of the shared memory segment
log4j.appender.S1.MemorySize=5 MB
# Specify the max filesize
log4j.appender.S1.MaxFileSize=100 MB
# Specify the max backup index
log4j.appender.S1.MaxBackupIndex=20
# Specify GMT or Local timezone
log4j.appender.S1.TimeZone=GMT

log4j.logger.TM1.CAMSecurity=DEBUG, LOCK

log4j.additivity.TM1.Login=false

log4j.appender.LOCK=org.apache.log4j.SharedMemoryAppender
log4j.appender.LOCK.File=lock.log
log4j.appender.LOCK.MaxFileSize=100 MB
log4j.appender.LOCK.MaxBackupIndex=20
log4j.appender.LOCK.TimeZone=Local 

This will create a a log file called lock in your Tm1 log folder. If you see an entry with certificate validation, the Tm1 Server is not trusting the CA Server certs