IBM Support

How to Configure IBM Planning Analytics Spreadsheet Service with Custom SSL (using Existing Keystore)

How To


Summary

The steps in the document guide you toward securing IBM Planning Analytics Spreadsheet Service, by using a keystore provided to you in PFX/PKCS12 format. In this document you replace the keystore used by the IBM Planning Analytics Spreadsheet Services, with your own.

Steps

PRE-REQUISITE
  • TM1 Admin Server and TM1 Server already secured using custom certificates/keystore
  • Backup the TM1WEB_INSTALL_DIR\bin64\ssl\ folder to a different directory
CONFIGURE PA SPREADSHEET SERVICES APPLICATION SERVER WITH CUSTOM KEYSTORE
  1. Ensure that your IBM Planning Analytics Spreadsheet Service is not running, stop the serviceimage 5711
  2. Delete the ibmtm1.* files from the TM1WEB_INSTALL_DIR\bin64\ssl\ directory
    • image-20220421165157-1
  3. Copy your ibmtm1.* files (your keystore) from the PA_INSTALL_DIR\bin64\ssl\ directory to TM1WEB_INSTALL_DIR\bin64\ssl\ directory
    • image-20220421165309-2
  4. Open the following file with your text editor: TM1WEB_INSTALL_DIR\wlp\usr\servers\tm1web\server.xml
  5. Update the httpPort and httpsPort to reflect the ports you would like to use.  To disable http altogether, set httpPort to httpPort="-1".  For example:
    • image 5723
  6. Remove the following lines from the server.xml file:
    • image 5724
  7. Add the following under the last <application> tag:  
    • <keyStore id="defaultKeyStore" location="${wlp.user.dir}/../../bin64/ssl/ibmtm1.p12" password="CustomPA!@" />
    • image-20220421191216-4
  8. Open Command Prompt and navigate to TM1WEB_INSTALL_DIR\jre\bin\
  9. Type the following to add the Root Certificate Authority to the tm1store: 
    • keytool.exe -import -trustcacerts -file "..\..\bin64\ssl\ibmtm1-rootca.arm" -keystore "..\..\bin64\ssl\tm1store" -alias ca -storepass applix
  10. Type the following to add the Intermediate Certificate Authority to the tm1store: 
    • keytool.exe -import -trustcacerts -file "..\..\bin64\ssl\ibmtm1-intca.arm" -keystore "..\..\bin64\ssl\tm1store" -alias intca -storepass applix
  11. Save and close the server.xml file

VALIDATE YOUR PLANNING ANALYTICS SSL CONFIGURATION

The following validation steps use the Chrome web browser.  If you are using another browser, you will need to adjust the steps as required.

  1. In Windows Services, start the IBM Planning Analytics Spreadsheet Service
    • image 5730
  2. Access the TM1Web URL by using Chrome, for example:  https://painstall1.fyre.ibm.com:9510/tm1web/
  3. Assuming your certificates are valid and trusted, you should see the following
    • image-20220418163342-6

POST-CONFIGURATION STEPS
  • Any application that communicates with the Planning Analytics Spreadsheet Service (TM1Web) must be updated to trust the new custom certificates
  • If the Data tier is using a different CA authority you might need to import the Data tier certificate into the pfx used by the PASS service . 
    Symptom : unable to see any instances
    in the <install directory> tm1web\wlp\usr\servers\tm1web\logs  console.log you can see entry like 
    ERROR   ] CWPKI0823E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN [CN=TM1Server, OU=TM1, O=www.ibm.com, C=US] was sent from the host [127.0.0.1:5498].  The signer might need to be added to local trust store [C:/Program Files/ibm/cognos/tm1web/bin64/ssl/    customKeystore.pfx], located in SSL configuration alias [defaultSSLConfig].  The extended error message from the SSL handshake exception is: [unable to find valid certification path to requested target].
    • To import the data tier certificate  you can use the Java Keytool located in TM1WEB_INSTALL_DIR\jre\bin\
      • keytool -importcert -keystore ..\..\bin64\ssl\customKeystore.pfx -storepass admin1234EXPORT -storetype pkcs12 -noprompt -alias ibmtm1 -file ..\..\bin64\ssl\dataTier.arm 
 **The -keystore should reflect your keystore path which is set in server.xml 
  **The -storepass  must match pfx file password 
  **The -file should reflect path to the certficate which you want to import to the store
 
     

 

    Document Location

    Worldwide

    [{"Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSD29G","label":"IBM Planning Analytics"},"ARM Category":[{"code":"a8m0z000000cwgYAAQ","label":"How to"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

    Document Information

    Modified date:
    26 June 2024

    UID

    ibm16323649

    Page Feedback