Troubleshooting
Problem
When using an SSL-enabled URL and trying to instantiate a IBM Cognos Connection with the SDK using a SSL URL that works correctly in a browser, the following exceptions are thrown:
Symptom
Java: SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
Cause
The SSL handshake between the client and the server is not possible because the client is not aware of the SSL certificates.
Environment
IBM Cognos 10 with SSL secured dispatchers
Resolving The Problem
Add the CA certificate of your IBM Cognos 10 environment to your SDK application.
Steps:
- Extract the CA certificate from the CRN/Cognos8/Cognos10 install. In the CRN/Cognos8/Cognos10 install use the ThirdPartyCertificateTool to extract the CA certificate from the keystore jCAKeystore. The ThirdPartyCertificateTool resides in the CRN/Cognos8 bin directory and will have a .bat extention for windows or .sh for unix.
Syntax (Cognos 10.2.2):
ThirdPartyCertificateTool.sh -E -T -r cacert.cer -p <password>
Please Note: When using a Cognos 64-bit installation, the ThirdPartyCertificateTool is located in the bin directory, however it requires to use the jre located in the bin64 directory. You may need to edit the ThirdPartyCertificateTool to point to the right JRE, e.g.: J_HOME=E:\IBM\cognos\c1022_64\bin64\jre\7.0
Sample (Cognos 10.2.2):
E:\IBM\cognos\c1022_64\bin>ThirdPartyCertificateTool.bat -E -T -r cacert.cer -p NoPassWordSet
Syntax (Previous Versions):
ThirdPartyCertificateTool.sh -E -T -r cacert.cer -k path_to_crn/configuration/signkeypair/jCAKeystore -p <password>
As value for the password provide the password which is defined in Cognos Configuration for 'Certificate Authority key store password'. If you have not changed this value the default is "NoPassWordSet" (without quotes). If you can't remember the password you can do an export of your configuration (described in KB 1030350) and open the exported configuration file in an editor. Search for "certificateAuthorityKeyFilePassword" and you will find the value for this password.
The cacert.cer will contain the certificate we need. So copy it over to where your SDK application resides. By default, you will find this file in the bin directory. - Using the java keytool create a keystore by importing the certificate exported from the cognos 8 install.
keytool -import -file cacert.cer -keystore MyKeystore -storepass admin1234 -alias Cognos8
When you are asked if you want to trust this certificate, confirm this with 'yes'.
The file "MyKeystore" will now contain the certificate exported from CRN/Cognos8 and be protected with the password "admin1234".
- Tell JAVA to use MyKeystore as a truststore. A truststore is a keystore that contains certificates that we have identified that we trust. There are two methods to tell a JVM that we have a truststore but both methods result in java system properties being set. Method one involved setting these system properties on the java command line:
java -jar yourjar.jar -Djavax.net.ssl.trustStore="MyKeystore" -Djavax.net.ssl.trustStorePassword=admin1234
System.setProperty("javax.net.ssl.trustStore","MyKeystore");
- System.setProperty("javax.net.ssl.trustStorePassword", "admin1234");
<Cognos install location>\sdk\java\ExecReports\run64.bat
...
rem Run ExecReportsUI.class
"%JAVA_HOME%" -Djavax.net.ssl.trustStore="c:\cognoskeystores\10_2_1VM\MyKeystore" -Djavax.net.ssl.trustStorePassword=admin1234 -classpath %CLASSPATH% ExecReportsUI
Note that placement of the -D parameters is important. This sequence results in a message box containing "Connect Failed. Try again."
...
rem Run ExecReportsUI.class
"%JAVA_HOME%" -classpath %CLASSPATH% ExecReportsUI -Djavax.net.ssl.trustStore="c:\cognoskeystores\10_2_1VM\MyKeystore" -Djavax.net.ssl.trustStorePassword=admin1234
[{"Product":{"code":"SSEP7J","label":"Cognos Business Intelligence"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Software Development Kit","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"10.2;10.2.1;10.2.1.1;10.2.2;8.4.1","Edition":"Edition Independent","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Product":{"code":"SSTSF6","label":"IBM Cognos Analytics"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":" ","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.0","Edition":"Edition Independent","Line of Business":{"code":"LOB10","label":"Data and AI"}}]
Historical Number
1041926
Was this topic helpful?
Document Information
Modified date:
24 February 2020
UID
swg21367416