Troubleshooting
Problem
Customer is trying to configure Controller Web to use HTTPS (via TLS, sometimes referred to as SSL).
Customer reconfigures the configuration file 'com.ibm.cognos.fcm.web.PROPERTIES' so that the setting 'ccrwsUrl' uses TLS (HTTPS), for example:
- ccrwsUrl=https://<servername>/ibmcognos/controllerserver/ccrws.asmx
Users launch Controller Web. An error appears.
Symptom
When ccrwsUrl=https://<servername>/ibmcognos/controllerserver/ccrws.asmx there are several different errors seen, for example:
- Screen:
Server is not reachable or still initializing, please refresh the page in a few seconds
- messages.log (by default located: C:\Program Files\IBM\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web\logs)
[5/12/20 8:37:56:844 BST] 00000030 com.ibm.ws.ssl.core.WSX509TrustManager E CWPKI0823E: SSL HANDSHAKE FAILURE: A signer with SubjectDN [CN=teledu1.castle.fyre.ibm.com] was sent from the host [teledu1.castle.fyre.ibm.com:443]. The signer might need to be added to local trust store [C:/Program Files/ibm/cognos/ccr_64/fcmweb/wlp/usr/servers/fcm.web/resources/security/key.p12], located in SSL configuration alias [defaultSSLConfig]. The extended error message from the SSL handshake exception is: [unable to find valid certification path to requested target].
- com.ibm.cognos.fcm.log (by default located: C:\Program Files\IBM\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web\logs)
2020-05-12 08:53:14 | | ERROR | [com.ibm.cognos.fcm.wmc.ccrws.DefaultCcrClientFactoryInitializer] CCR WS API not initialized yet [error=2 counts of InaccessibleWSDLException.
]. Retrying in 1000 ms...
]. Retrying in 1000 ms...
Cause
There are several known causes for this symptom.
- TIP: See separate IBM Technote #6210360 for more examples.
This Technote specifically relates to the scenario where the cause is that the JAVA keystore file (key.jks) contains wrong information about TLS certificates.
Example:
In one real-life example, the keystore incorrectly contained two certificates (two 'aliases') for the same server.
Diagnosing The Problem
To check what certificates are added to the java key store, launch a command prompt and run commands similar to:
cd C:\Program Files\IBM\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web\resources\security
"c:\Program Files\ibm\cognos\ccr_64\fcmweb\jre\bin\keytool" -list -v -keystore key.jks
Example:
In one real-life example, the output showed that there were (erroneously) two similar certificates (but with differerent 'alias' names) installed:
...and:
Resolving The Problem
Fix:
Ensure that the JAVA keystore file (key.jks) contains the correct information (about TLS certificates).
Example:
In one real-life example, the solution was to:
1. Delete the relevant file (key.jks) from all the relevant locations
By default, these are:
- C:\Program Files\IBM\cognos\ccr_64\fcmweb\jre\bin
- C:\Program Files\IBM\cognos\ccr_64\fcmweb\jre\lib\security
- C:\Program Files\IBM\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web\resources\security
2. Re-create the file key.jks
- TIP: By default, this will be created here: C:\Program Files\IBM\cognos\ccr_64\fcmweb\jre\bin
3. Re-import the relevant certificate (once)
For example, run this command:
4. Copy the file key.jks to both the relevant 'security' locations
By default, these are:
- C:\Program Files\IBM\cognos\ccr_64\fcmweb\jre\lib\security
- C:\Program Files\IBM\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web\resources\security
5. Restart both Controller Web windows services
6. Test.
Workaround
Modify the setting 'ccrwsUrl' inside the configuration file 'com.ibm.cognos.fcm.web.PROPERTIES':
- Specifically, change the value to use HTTP, for example: if ccrwsUrl=http://<servername>/ibmcognos/controllerserver/ccrws.asmx
Related Information
Document Location
Worldwide
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS9S6B","label":"IBM Cognos Controller"},"ARM Category":[{"code":"a8m0z000000GnFaAAK","label":"Controller WEB"}],"ARM Case Number":"TS003637370","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)","Line of Business":{"code":"LOB10","label":"Data and AI"}}]
Was this topic helpful?
Document Information
Modified date:
18 May 2020
UID
ibm16208609