SDK How to connect the application to SSL configured IBM Cognos server

Resolving The Problem

Add the CA certificate of your IBM Cognos 10 environment to your SDK application.

Steps:

1. Extract the CA certificate from the CRN/Cognos8/Cognos10 install. In the CRN/Cognos8/Cognos10 install use the ThirdPartyCertificateTool to extract the CA certificate from the keystore jCAKeystore. The ThirdPartyCertificateTool resides in the CRN/Cognos8 bin directory and will have a .bat extention for windows or .sh for unix.
   
   Syntax (Cognos 10.2.2):
   
   ThirdPartyCertificateTool.sh -E -T -r cacert.cer -p <password>
   
   Please Note: When using a Cognos 64-bit installation, the ThirdPartyCertificateTool is located in the bin directory, however it requires to use the jre located in the bin64 directory. You may need to edit the ThirdPartyCertificateTool to point to the right JRE, e.g.: J_HOME=E:\IBM\cognos\c1022_64\bin64\jre\7.0
   
   Sample (Cognos 10.2.2):
   
   E:\IBM\cognos\c1022_64\bin>ThirdPartyCertificateTool.bat -E -T -r cacert.cer -p NoPassWordSet
   
   Syntax (Previous Versions):
   
   ThirdPartyCertificateTool.sh -E -T -r cacert.cer -k path_to_crn/configuration/signkeypair/jCAKeystore -p <password>
   
   As value for the password provide the password which is defined in Cognos Configuration for 'Certificate Authority key store password'. If you have not changed this value the default is "NoPassWordSet" (without quotes). If you can't remember the password you can do an export of your configuration (described in KB 1030350) and open the exported configuration file in an editor. Search for "certificateAuthorityKeyFilePassword" and you will find the value for this password.
   
   The cacert.cer will contain the certificate we need. So copy it over to where your SDK application resides. By default, you will find this file in the bin directory.
2. Using the java keytool create a keystore by importing the certificate exported from the cognos 8 install.
   
   keytool -import -file cacert.cer -keystore MyKeystore -storepass admin1234 -alias Cognos8
   
   When you are asked if you want to trust this certificate, confirm this with 'yes'.
   
   The file "MyKeystore" will now contain the certificate exported from CRN/Cognos8 and be protected with the password "admin1234".
   
3. Tell JAVA to use MyKeystore as a truststore. A truststore is a keystore that contains certificates that we have identified that we trust. There are two methods to tell a JVM that we have a truststore but both methods result in java system properties being set. Method one involved setting these system properties on the java command line:
   
   java -jar yourjar.jar -Djavax.net.ssl.trustStore="MyKeystore" -Djavax.net.ssl.trustStorePassword=admin1234

System.setProperty("javax.net.ssl.trustStorePassword", "admin1234");
Here is an example of the changes required to the sample batch file
<Cognos install location>\sdk\java\ExecReports\run64.bat
...
rem Run ExecReportsUI.class
"%JAVA_HOME%" -Djavax.net.ssl.trustStore="c:\cognoskeystores\10_2_1VM\MyKeystore" -Djavax.net.ssl.trustStorePassword=admin1234 -classpath %CLASSPATH% ExecReportsUI

Note that placement of the -D parameters is important. This sequence results in a message box containing "Connect Failed. Try again."
...
rem Run ExecReportsUI.class
"%JAVA_HOME%" -classpath %CLASSPATH% ExecReportsUI -Djavax.net.ssl.trustStore="c:\cognoskeystores\10_2_1VM\MyKeystore" -Djavax.net.ssl.trustStorePassword=admin1234