How To
Summary
The steps in the document guide you toward securing IBM Planning Analytics Spreadsheet Service, by using a keystore provided to you in PFX/PKCS12 format. In this document you replace the keystore used by the IBM Planning Analytics Spreadsheet Services, with your own.
Steps
PRE-REQUISITE
- TM1 Admin Server and TM1 Server already secured using custom certificates/keystore
- Backup the TM1WEB_INSTALL_DIR\bin64\ssl\ folder to a different directory
CONFIGURE PA SPREADSHEET SERVICES APPLICATION SERVER WITH CUSTOM KEYSTORE
- Ensure that your IBM Planning Analytics Spreadsheet Service is not running, stop the service
- Delete the ibmtm1.* files from the TM1WEB_INSTALL_DIR\bin64\ssl\ directory
- Copy your ibmtm1.* files (your keystore) from the PA_INSTALL_DIR\bin64\ssl\ directory to TM1WEB_INSTALL_DIR\bin64\ssl\ directory
- Open the following file with your text editor: TM1WEB_INSTALL_DIR\wlp\usr\servers\tm1web\server.xml
- Update the httpPort and httpsPort to reflect the ports you would like to use. To disable http altogether, set httpPort to httpPort="-1". For example:
- Remove the following lines from the server.xml file:
- Add the following under the last <application> tag:
- <keyStore id="defaultKeyStore" location="${wlp.user.dir}/../../bin64/ssl/ibmtm1.p12" password="CustomPA!@" />
- Open Command Prompt and navigate to TM1WEB_INSTALL_DIR\jre\bin\
- Type the following to add the Root Certificate Authority to the tm1store:
- keytool.exe -import -trustcacerts -file "..\..\bin64\ssl\ibmtm1-rootca.arm" -keystore "..\..\bin64\ssl\tm1store" -alias ca -storepass applix
- Type the following to add the Intermediate Certificate Authority to the tm1store:
- keytool.exe -import -trustcacerts -file "..\..\bin64\ssl\ibmtm1-intca.arm" -keystore "..\..\bin64\ssl\tm1store" -alias intca -storepass applix
- Save and close the server.xml file
VALIDATE YOUR PLANNING ANALYTICS SSL CONFIGURATION
The following validation steps use the Chrome web browser. If you are using another browser, you will need to adjust the steps as required.
- In Windows Services, start the IBM Planning Analytics Spreadsheet Service
- Access the TM1Web URL by using Chrome, for example: https://painstall1.fyre.ibm.com:9510/tm1web/
- Assuming your certificates are valid and trusted, you should see the following
POST-CONFIGURATION STEPS
- Any application that communicates with the Planning Analytics Spreadsheet Service (TM1Web) must be updated to trust the new custom certificates
- If the Data tier is using a different CA authority you might need to import the Data tier certificate into the pfx used by the PASS service .
Symptom : unable to see any instances
in the <install directory> tm1web\wlp\usr\servers\tm1web\logs console.log you can see entry like
ERROR ] CWPKI0823E: SSL HANDSHAKE FAILURE: A signer with SubjectDN [CN=TM1Server, OU=TM1, O=www.ibm.com, C=US] was sent from the host [127.0.0.1:5498]. The signer might need to be added to local trust store [C:/Program Files/ibm/cognos/tm1web/bin64/ssl/customKeystore.pfx], located in SSL configuration alias [defaultSSLConfig]. The extended error message from the SSL handshake exception is: [unable to find valid certification path to requested target].- To import the data tier certificate you can use the Java Keytool located in TM1WEB_INSTALL_DIR\jre\bin\
- keytool -importcert -keystore ..\..\bin64\ssl\customKeystore.pfx -storepass admin1234EXPORT -storetype pkcs12 -noprompt -alias ibmtm1 -file ..\..\bin64\ssl\dataTier.arm
- To import the data tier certificate you can use the Java Keytool located in TM1WEB_INSTALL_DIR\jre\bin\
**The -keystore should reflect your keystore path which is set in server.xml
**The -storepass must match pfx file password
**The -file should reflect path to the certficate which you want to import to the store
**The -storepass must match pfx file password
**The -file should reflect path to the certficate which you want to import to the store
Document Location
Worldwide
[{"Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSD29G","label":"IBM Planning Analytics"},"ARM Category":[{"code":"a8m0z000000cwgYAAQ","label":"How to"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]
Was this topic helpful?
Document Information
Modified date:
26 June 2024
UID
ibm16323649