Troubleshooting
Problem
If you intend to use CAM Security (IntegratedSecurityMode=5) for your Planning Analytics authentication and your Cognos Dispatcher is secured with SSL, you must perform additional steps to ensure that the Cognos Dispatcher certificate authorities are trusted by the Planning Analytics keystore.
Symptom
-If your TM1 Server does not trust the Cognos Dispatcher certificate authorities, you may receive a SystemServerClientNotFound error when logging in to Architect/Perspectives.
-If your Planning Analytics Application Server does not trust the Cognos Dispatcher certificate authorities, you may encounter a logon loop when accessing the PMPSVC page.
Resolving The Problem
In this document, the example given uses the DEFAULT CAMUSER certificate. The CAMUSER certificate is created when you secure your Cognos Dispatcher(s) by simply changing your configuration from HTTP to HTTPS. By default, IBM Cognos Analytics components use an internal certificate authority (CA) to establish the root of trust in the IBM Cognos security infrastructure.
If you want to use certificates that are managed by another service, see Configuring IBM Cognos components to use another certificate authority: https://www.ibm.com/support/knowledgecenter/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/c_configuringreportnettouseathird-partycertificateauthority.html
UPDATE THE TM1S.CFG FILE PARAMETERS TO ALLOW FOR SSL SECURED CAM DISPATCHER
- Update the tm1s.cfg file(s) for your environment, to ensure that the following parameter is set:
CAMUseSSL=T - Save and close the file
DOWNLOAD THE COGNOS DISPATCHER CERTIFICATES
- In your web browser (this example will use Google Chrome, if using a different browser you will need to adjust accordingly), connect to your Cognos Dispatcher URL (example: https://servername.domain.com:9300/p2pd/servlet/dispatch/)
- Click the appropriate button(s) to expose the Certificate properties
- Click the Certification Path tab to observe the chain of authority for your certificate. In this example, we see that there are two certificates securing the Cognos Dispatcher. You must select each certificate above the last certificate in the chain, and click View Certificate. In this example, there is only one certificate above the last certificate in the chain...if you have more than one in your implementation, you must repeat these steps for each one.
- After clicking View Certificate, click the Details tab of the new Certificate window. On the details tab click Copy to File...
- Follow the Certificate Export Wizard prompts. Export the certificate using the Base-64 encoded X.509 format. Then, export the certificate and save it to the <tm1 install dir>\bin64\ssl\ folder of your PA Install, and provide an appropriate name (in this example, we call the certificate caRoot.cer)
- Open the exported certificate in the <tm1 install dir>\bin64\ssl\ directory to confirm that the correct certificate had been obtained
IMPORT THE COGNOS DISPATCHER CERTIFICATE(S) TO THE PLANNING ANALYTICS KEYSTORES
- First, you must import the certificate(s) to the TM1 Server keystore to allow for authentication (as the TM1 Server must communicate with the Cognos Dispatcher URL during the authentication process). Open Command Prompt as an Administrator and navigate to the <tm1 install dir>\bin64\ directory.
- Execute the following command to import/trust the certificate (modify as required for path and filename): gsk8capicmd_64 -cert -add -db "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ibmtm1.kdb" -stashed -label caRoot -file "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\caRoot.cer" -format ascii -trust enable
- We must also import/trust the certificate(s) to the CAMKeystore, used by TM1Web. Open Command Prompt as an Administrator and navigate to the <tm1 install dir>\bin64\ directory.
- Execute the following command to import/trust the certificate (modify as required for path and filename): gsk8capicmd_64 -cert -add -db "C:\Program Files\ibm\cognos\tm1_64\configuration\certs\CAMKeystore" -pw "NoPassWordSet" -label caRoot -file "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\caRoot.cer" -format ascii -trust enable
- Lastly, the JAVA Keystore used by PMPSVC. Open Command Prompt as an Administrator and navigate to the <tm1 install dir>\bin64\jre\bin\ directory.
- Execute the following command to import/trust the certificate (modify as required for path and filename): keytool.exe -import -trustcacerts -file "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\caRoot.cer" -keystore "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\tm1store" -alias caRoot -storepass applix
**When prompted, type yes
After having completed all of the above steps, you must recycle all of your Planning Analytics services. Note that in distributed environments, the above steps must be followed on the appropriate servers/tiers.
Once the services have been recycled, you should now be able to log in to Planning Analytics successfully.
Common problems during this configuration:
After correctly importing the certificates and when trying to log in inside Architect the users are presented with the error message 'SystemServerClientNotFound'.
One of the causes can be the Cognos Analytics dispatcher certs imported into ibmtm1.kdb are not NIST-compliant.
The issue can be resolved by adding the following parameter into tm1s.cfg file.
NIST_SP800_131A_MODE=False
You can find more about this parameter in the Product documentation:
Document Location
Worldwide
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSCTEW","label":"IBM Planning Analytics Local"},"Component":"","Platform":[{"code":"PF033","label":"Windows"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]
Was this topic helpful?
Document Information
Modified date:
06 December 2021
UID
ibm10959835