IBM Support

How to Configure IBM Planning Analytics Application Web (TM1 Contributor/PMPSVC) with Custom SSL (using Existing Keystore)

How To


Summary

The steps in the document guide you toward securing Planning Analytics Application Web (TM1 Contributor/PMPSVC), by using a keystore provided to you in PFX/PKCS12 format. In this document, you replace the keystore used by Planning Analytics Application Web, with your own.

Steps

PRE-REQUISITE
  • TM1 Admin Server and TM1 Servre already secured by using custom certificates/keystore
  • Back up the PA_INSTALL_DIR\configuration\ folder to a different directory
EXPORTING CURRENT COGNOS CONFIGURATION SETTINGS
  1. Open Cognos Configuration as an Administrator
  2. Click File > Export As
    • image-20220418151829-4
  3. Save the file to the PA_INSTALL_DIR\configuration\ directory. 
    • In this example, the file is named export.xml
    • image-20220418151916-5
  4. Close Cognos Configuration

PREPARE THE CONFIGURATION DIRECTORY
  1. Delete file PA_INSTALL_DIR\configuration\cogstartup.xml
  2. Delete file PA_INSTALL_DIR\configuration\caSerial
  3. Delete contents of PA_INSTALL_DIR\configuration\csk\ folder
  4. Delete contents of PA_INSTALL_DIR\configuration\certs\ folder
  5. Rename PA_INSTALL_DIR\configuration\export.xml to cogstartup.xml
  6. Do not open Cognos Configuration until instructed
CONFIGURE ENVIRONMENT VARIABLES FOR COMMAND PROMPT
  1. Open Command Prompt as an Administrator
    • Update and execute the following to set the PA_INSTALL_DIR path to your TM1 Server installation directory
      • set PA_INSTALL_DIR=C:\Program Files\ibm\cognos\tm1_64
      • image-20220415142809-1
    CONVERT CUSTOM IBMTM1 KEYSTORE TO PKCS12 FORMAT FOR IBM PLANNING ANALYTICS APPLICATION SERVER
    1.  Open Windows Services, stop the IBM Cognos TM1, TM1 Admin Server, and TM1 Server service
      • image-20220418150049-2
    2.  Open Command Prompt as an Administrator.  Navigate to the \bin64\ folder inside the PA Install Directory:
      • cd "%PA_INSTALL_DIR%\bin64\"
      • image-20220415142913-3
    3. The Planning Analytics Application Web server requires it's keystore to have an ID of encryption.  We must temporarily rename the ID of the certificate in our keystore before we convert it to a format used by the application server.
      • gsk8capicmd_64 -cert -rename -db "%PA_INSTALL_DIR%\bin64\ssl\ibmtm1.kdb" -stashed -label ibmtm1_server -new_label encryption
      • image-20220418150435-3
    4. Convert the ibmtm1 keystore file to a PKCS12 keystore for the Planning Analytics Application Web server:
      • gsk8capicmd_64 -keydb -convert -db "%PA_INSTALL_DIR%\bin64\ssl\ibmtm1.kdb" -stashed -old_format kdb -new_db "%PA_INSTALL_DIR%\configuration\certs\CAMKeystore.p12" -new_pw "CustomPA!@" -new_format pkcs12
      • image-20220418153218-6
    5. Rename the CAMKeystore.p12 file to CAMKeystore
      • rename "%PA_INSTALL_DIR%\configuration\certs\CAMKeystore.p12" CAMKeystore
      • image-20220418153702-8
    6. Ensure that the file has been created in the specified directory:
      • image-20220421163256-1
    7. Rename the ID of the certificate in our ibmtm1 keystore back to ibmtm1_server.
      • gsk8capicmd_64 -cert -rename -db "%PA_INSTALL_DIR%\bin64\ssl\ibmtm1.kdb" -stashed -label encryption -new_label ibmtm1_server
      • image-20220418153330-7
    CONFIGURE PLANNING ANALYTICS APPLICATION WEB
    1. Open Cognos Configuration as an Administrator
    2. Update Local Configuration > Advanced Properties to include StandaloneCertificateAuthority = True
      • image-20220418154525-2
    3. Update all URLs under TM1 Applications section to use https
      • image-20220418154605-3
    4. Update Cryptography > Cognos > Key store password, to match the password of your keystore
      • In this document, the password is CustomPA!@
      • image-20220418155006-4
    5. Update Cryptography > Cognos > Use third party CA to True
      • image-20220418155047-5
    6. Save the configuration.  This step can take a few moments to complete
      • image-20220418155300-6
    7. Close Cognos Configuration
    8. Remove all ibmtm1.* files from the PA_INSTALL_DIR\webapps\pmpsvc\WEB-INF\bin64\ssl\ directory
      • image-20220421164346-2
    9. Copy your ibmtm1.* files (your keystore) from the PA_INSTALL_DIR\bin64\ssl\ directory to PA_INSTALL_DIR\webapps\pmpsvc\WEB-INF\bin64\ssl\
      • image-20220421164432-3
    VALIDATE YOUR PLANNING ANALYTICS APPLICATION WEB CONFIGURATION
    The following validation steps use the Chrome web browser.  If you are using another browser, you need to adjust the steps as required.
    1. Open Windows Services, start the IBM Cognos TM1 service
      • image-20220419130858-1
    2. Access the Planning Analytics Application Web URL using Chrome, for example: https://painstall1.fyre.ibm.com:9511/pmpsvc/
    3. Assuming your certificates are valid and trusted, you should see the following:
      • "Not Found" is expected here as there is no webpage at the root of this server.  This test is still valid to confirm that port 9012 is secured by using your custom certificates.
      • image-20220418160937-9
      • If Planning Analytics Application Web has already been configured, you will be logged in to the application instead of the initialization page
    POST-CONFIGURATION STEPS
    • Any applications that communicate with Planning Analytics Application Web, must be updated to trust the new custom certificates
    ​​

    Document Location

    Worldwide

    [{"Type":"MASTER","Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSD29G","label":"IBM Planning Analytics"},"ARM Category":[{"code":"a8m50000000KzK7AAK","label":"Planning Analytics-\u003ESecurity-\u003ESSL"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

    Document Information

    Modified date:
    21 April 2022

    UID

    ibm16573071

    Page Feedback