IBM Support

How to add a 3rd Party CA to allow for SSL between components in IBM Cognos Analytics

Troubleshooting


Problem

This document describes how to reset the cryptographic keys, create the certificate request to be signed by your third-party certificate authority and then import the signed certificates.   
Special attention needs to be paid during the process, as when not to launch the Cognos Configuration tool, which could potentially cause corruption and force the process to be restarted.

Cause

The Cognos certificate authority needs to be replaced, or new certificates need to be imported.

Environment

Steps are given for a single server environment.
In multi-server environment the same steps should be performed on each Content Manager and Dispatcher.
For Gateways see step 12 at the end of the technote.

Resolving The Problem

1) Ensure entire IBM Cognos system is shut down.

Note: Steps below assume a single server environment. For a distributed environment with multiple content managers and dispatchers these steps must be performed on each server. For gateways in a distributed environment see step 12.

2) Make a full backup copy of your ..\configuration directory;

3) Export unencrypted configuration:

In Cognos Configuration tool click ‘File > Export As’

Choose ‘Yes’ at the prompt and save the file. For example, name it ‘backup.xml’, which by default is stored in the c11\configuration folder.

Close Cognos Configuration.

4) Delete current cryptographic configuration files:

c11\configuration\cogstartup.xml

c11\configuration\caSerial

c11\configuration\certs\CAMCrypto.status

c11\configuration\certs\CAMKeystore

c11\configuration\certs\CAMKeystore.lock

c11\temp\cam\freshness

c11\configuration\csk (delete the directory with all files in it)

5) In the c11\configuration folder, copy ‘backup.xml’ from step 3 to ‘cogstartup.xml’.

That way, exported configuration takes place of the original cogstartup.xml file, and you also retain unencrypted backup.

WARNING #1:  Do not start the Cognos Configuration Tool until step 10 of the document.

6) Generating CSR (Certificate Signing Request)

Important:

Certificates are domain-specific. It is required to use identical fully qualified domain names (FQDN) of the server used everywhere in Cognos configuration and in CSR request. Referencing the server with certificates by a short hostname or IP address or localhost reference will result in certificate host mismatch error and the server won't function properly.

If server has multiple host names, each FQDNs should be specified in Subject Alternative Name (SAN) in CSR request. Multiple SAN names must be separated by space.

"Main" server name (specified in URIs on Environment page) must match CN record in CSR.

Checklist of URIs that must be set to FQDNs:

On Environment page

  • Dispatcher URIs for gateway
  • External dispatcher URI
  • Internal dispatcher URI
  • Dispatcher URI for external applications
  • Content Manager URIs

In Security > Cryptography > Cognos

  • Server common name

Important:

Thirdpartycertificatetool.bat (.sh in Linux) has to be ran from <CA11>\bin directory.

Syntax of CSR command:

ThirdPartyCertificateTool.(bat|sh) -c -e [-p <keystorePassword>] -a <keyPairAlgorithm> -r <path/to/CertOrCSR> -d <dn> [-H <subjectAlternativeNameDnsNames>] [-I <subjectAlternativeIpAddresses>] [-M <subjectAlternativeEmailAddresses>]

Open a command prompt (on Linux - command must be run as the user account that runs Cognos).
Change directory to <ca11_location>\bin

Windows Operating System Request (Change CN, OU, O, L, and C parameters:

Example:
ThirdPartyCertificateTool.bat -c -e -p NoPassWordSet -a RSA -r "request.csr" -d "CN=server.domain.com,OU=Support,O=IBM,L=Ottawa,C=CA" -H "server.domain.com"

Run the command. Output file "request.csr" is the file that needs to be sent to certificate authority.

Tip: in a multi-server environment for convenience use server names for each CSR file, e.g. server111.csr, server222.csr, etc.

image-20190814135740-2

Example that uses multiple values for the Subject Alternative Name:

Note: use spaces between values, not a comma

ThirdPartyCertificateTool.bat -c -e -p NoPassWordSet -a RSA -r "request.csr" -d "CN=server.domain.com,OU=Support,O=IBM,L=Ottawa,C=CA" -H "server.domain.com server2.domain"

image-20190814135740-1

OR

On unix and Linux Operating System Request (Change CN, OU, O, L, and C parameters:

CN is set to your Domain

./ThirdPartyCertificateTool.sh -c -e -p NoPassWordSet -a RSA -r "request.csr" -d "CN=server.domain.com,OU=Support,O=IBM,L=Ottawa,C=CA" -H "server.domain.com"
 

Important:
Take a backup of <CA11>\configuration\certs\CAMKeystore file immediately after running CSR command.
Certificate received from certificate authority must be imported into the original CAMKeystore created by the CSR command above.
Typical size of CAMKeystore file at that step is around 4 KB.

Cognos CAMKeystore now contains the private key that is used with the certificates for encryption.  If you encounter an issue where the private key is overwritten before you get the signed certificate imported successfully all of the steps would need to be redone if a backup is not available.

Common pitfall is when Cognos environment is started after generating CSR to use the environment without 3-rd party certificates, while waiting for certificate authority to send the certificate back. If installing 3-rd party certificates is incomplete, Cognos generates internal certifcates and that makes impossible importing a 3-rd party certificate when it arrives. Saving backup of CAMKeystore therefore becomes critical, as the 3-rd party certificate must be imported into original CAMKeystore after running CSR command.

6a) If provisioning a 3-rd party certificate has a long turnaround time during which Cognos environment has to be up and running i.e. IBM Cognos system re-started, you should back up CAMKeystore after running CSR command, then use Cognos as needed, and when certificate arrives - you should remove existing cryptographic files again, copy a backup of CAMKeystore taken after CSR command into configuration\certs directory and run the rest of the commands below using that copy of CAMKeystore.

7) Processing 3-rd party certificate

When the certificate arrives, you need to process it before importing into the keystore.
 

Get encrypt.csr signed by your certificate authority. Typically there's a Root, 1 or more Intermediate (optional), and the server certificate in the bundle. Verify the bundle (if necessary rename the file to have .cer or .crt extension). Windows can open .cer or .crt files and display certificate properties.

Using www.ibm.com certificate as an example we can identify Root (DigiCert), Intermediate (DigiCert TLS RSA SHA256 2020 CA1) and Server (www.ibm.com) certificates:

image-20230424134156-1

Extract the Root and Intermediate certificates on the server.

Convert all the certificates to Base-64 encoded X.509 (.CER) format
 

image-20190814135740-3

image-20190814135740-4

For simplicity, rename the certificates as shown in the screen capture:

image-20190814135740-5

In a text editor create chain certificate made of Intermediate certificate, followed up by Root certificate, and save it as chain.cer file.


image-20190814135740-6

Save as chain.cer


image-20190814135740-7

Special cases:

- If there is only a root certificate and no intermediate - use root.cer as a chain certificate, and reference root.cer instead of chain.cer in the command at step 8.3.

- If there are 2 or more intermediate certificates, then chain certificate must have all intermediate certificate saved in a reverse order: lowest intermediate certificate in the chain comes first, then then next intermediate certificate, and the root comes last.

Copy all these certificates to ca11_location\bin location.

image-20190814135740-8

8) Importing certificate

8a) If have performed steps in section 6a) to start IBM Cognos system until the server certificates are provisioned, then perform steps below, otherwise, if IBM Cognos services down since creation of the initial CSR command, then skip and proceed to step 8.1.)

 - Stop IBM Cognos services
 - Rename the current c11\configuration\certs directory to c11\configuration\certs.YYYYMMDD


- Important: make sure that c11\configuration\certs\CAMKeystore file is original CAMKeystore after CSR command. Use backup taken on step 6 if necessary. Typically CAMKeystore at that step is only 4KB large. If you have a larger file (100KB or more) - this is likely a wrong copy. Review the steps above and fix the errors before proceeding.
 

- Import the certificate in the following order with these commands:

8.1.) Root:

ThirdPartyCertificateTool.bat -i -T -r root.cer -p NoPassWordSet

image-20190814135740-9

8.2) Intermediate

ThirdPartyCertificateTool.bat -i -T -r intermediate.cer -p NoPassWordSet

image-20190814135740-10

8.3) Chain and server:

ThirdPartyCertificateTool.bat -i -e -r server.cer -t chain.cer -p NoPassWordSet

image-20190814135740-11

OR

On unix or Linux Operating systems, accordingly:


ThirdPartyCertificateTool.sh -i -T -r root.cer -p NoPassWordSet

ThirdPartyCertificateTool.sh -i -T -r intermediate.cer -p NoPassWordSet

ThirdPartyCertificateTool.sh -i -e -r server.cer -t chain.cer -p NoPassWordSet

 

9) Switching Cognos to use 3-rd party certificates.

This step is Cognos version-specific. Steps differ for Cognos 11.x and 12.x

9.1) Steps for CA 11.x

Launch the Cognos Configuration Tool.

It is critical to perform the steps below in exact order. Saving configuration BEFORE these steps are performed can wipe out 3-rd party certificates and you will have to start all over again.

Navigate to Security > Cryptography > Cognos:

Change 'Use third-party CA?' setting to "True"

image-20230424141340-2

9.2) Steps for CA 12.x

Right-click on Cognos under Security > Cryptography and select Delete
 
image-20231026123354-3
 
Then Right-click on Security > Cryptography, select New resource > Certificate authority
 
image-20231026123558-5
 
Give new resource any name and select "Third party certificate authority" from the drop down list:
 
image-20231026124059-7

9.3) Change the following URIs from HTTP to HTTPS on Environment page

  • Dispatcher URIs for gateway
  • External dispatcher URI
  • Internal dispatcher URI
  • Dispatcher URI for external applications
  • Content Manager URIs

There must be no mix of http and https for URIs running on the same port.

Example:

image-20190814135740-14

10) Save configuration


image-20190814135740-15


Start IBM Cognos Service.
 

When Cognos starts - open Dispatcher URI or Content Manager URI in a web browser and check certificate properties to ensure correct certificate is installed.

​11) In a distributed environment, repeat the steps 1-10 for each Content Manager and Dispatcher server, following the same order as for starting up the servers:
primary CM first then Dispatcher(s) and standby CM(s)
12) For dedicated gateways that do not have CM or Dispatcher follow simplified procedure.
Install 3-rd party certificates on all CMs and dispatchers first and start Dispatchers.
Perform crypto configuration backup and clean up (steps 2-5 above)
Copy CAMKeystore file from Dispatcher listed first in Gateway configuration to <CA11 GW>\configuration\certs directory.
I.e. we're reusing CAMKeystore with 3-rd party certificates from one of the dispatchers where 3-rd party certificates have been successfully installed.
Save GW configuration.
Repeat the steps for each gateway, if there are more than one.

[{"Type":"MASTER","Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTSF6","label":"IBM Cognos Analytics"},"ARM Category":[{"code":"a8m50000000Cl5lAAC","label":"Security-\u003ESSL\/Cryptography"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.0.0;11.1.0;11.2.0;12.0.0"}]

Document Information

Modified date:
07 December 2023

UID

swg21992784

Page Feedback