TM1WEB, an error has occurred when using TLS

Product:
Planning Analytics 2.0.9.3
Microsoft Windows 2019 server

Problem:
After SSL is set up in TM1WEB, TM1WEB does not list any TM1 servers to connect to.
In TM1 APP WEB (pmpsvc), when you click on a contributor link you get "an error has occurred".

TM1 applications should use the internal Cognos certificate, ibmtm1.arm.

Please follow the official documentation, as it changes with every new version of PA.

Possible Solution:

Because TM1Web uses a new keystore, you must include the TM1 Server certificates in the keystore file, or you will be unable to see your TM1 Servers. An empty server list points to a failed SSL certificate import.

Redo the setup from the link below, but first take a backup of all keystore files you use.

https://www.ibm.com/support/pages/how-configure-ssl-ibm-planning-analytics-spreadsheet-services-using-existing-keystore

If you have a PFX file that contains the certificate chain and key you need, you can use it to set up SSL.

For PMPSVC do this:
Start IKEYMAN.EXE as administrator from C:\Program Files\ibm\cognos\tm1_64\jre\bin folder
Open CAMkeystore file from C:\Program Files\ibm\cognos\tm1_64\configuration\certs folder
It is a PKCS12 file with password NoPassWordSet

In Personal Certificates, remove the encryption certificate.
As you already have a correct PFX file, click on the IMPORT button.
Select your PFX file and enter the password you got with the PFX file from the Certificate Authority who created the PFX for you.

You will be asked to rename the personal certificate, enter encryption and press OK.
Then go to Signer Certificates and check that you also have the root and intermediate certificates for your server. Double click on the certificates to check they have the correct date and DNS alias.

You may need to import the \bin64\ssl\ibmtm1.arm file again as Signer Certificates.
Close IKEYMAN.

Go into Cognos Configuration for Planning Analytics (TM1).
Edit the TM1 Applications Properties.  Update all URI references to contain your fully qualified address, as well as change the http to https.
Edit the Local Configuration properties.  Add the property StandaloneCertificateAuthority and set it to True.

Edit the Cryptography > Cognos properties.  Change the Use third party CA? to True.
Save the Cognos configuration for Planning Analytics (TM1).
Start the TM1 service.

For new TM1WEB:

Export the Root and Intermediate certificates from your web browser by going to the Cognos site, then select each certificate and save it as a Base-64 encoded X.509 cer file.
Stop IBM Cognos TM1 service.
Copy the PFX file you got to C:\Program Files\ibm\cognos\tm1web\bin64\ssl folder

Open C:\Program Files\ibm\cognos\tm1web\wlp\usr\servers\tm1web\server.xml in notepad++
Update the ports you want to use, here 9510 for SSL, and enter -1 to disable HTTP.
<httpEndpoint id="defaultHttpEndpoint" httpPort="-1" httpsPort="9510" host="*" removeServerHeader="true">

Add as last line:
<keyStore id="defaultKeyStore" location="${wlp.user.dir}/../../bin64/ssl/customKeystore.pfx" password="xxxxthepasswordxxxx" />

Replace with your PFX file name and the password for that file.
Go to C:\Program Files\ibm\cognos\tm1web\jre\bin\ in a DOS prompt.

Import the TM1 cert with command:
keytool -importcert -keystore ..\..\bin64\ssl\customKeystore.pfx -storepass xxxxthepasswordxxxx -storetype pkcs12 -noprompt -alias ibmtm1 -file ..\..\bin64\ssl\ibmtm1.arm

Copy your Root and Intermediate certificate files to your \tm1web\bin64\ssl\ directory

Import the Root and Intermediate certificates with this command:
keytool.exe -import -trustcacerts -file "..\..\bin64\ssl\ca.cer" -keystore "..\..\bin64\ssl\tm1store" -alias ca -storepass applix
keytool.exe -import -trustcacerts -file "..\..\bin64\ssl\intermediate.cer" -keystore "..\..\bin64\ssl\tm1store" -alias intca -storepass applix

Both CER and PEM files should work. Now the new tm1store is updated with your root certs.

Start your IBM Planning Analytics Spreadsheet Service

Test to browse to https://paservername.domain.com:9510/tm1web

Check for errors in file C:\Program Files\ibm\cognos\tm1web\wlp\usr\servers\tm1web\logs\console.log

More information:

https://www.ibm.com/support/pages/use-ikeyman-configure-custom-ssl-certificates-tm1web

https://www.ibm.com/support/pages/how-configure-ssl-ibm-planning-analytics-spreadsheet-services-using-existing-keystore

https://www.ibm.com/support/knowledgecenter/SSVJJU_6.3.0/com.ibm.IBMDS.doc/admin_gd175.htm

https://www.sslshopper.com/ssl-converter.html

To check a PFX file:

On your laptop, install openssl from here https://github.com/git-for-windows/git/releases/tag/v2.23.0.windows.1 – get the file Git-2.23.0-64-bit.exe. Run the installation with all default values.

Start a command prompt as administrator. Go to folder C:\Program Files\Git\mingw64\bin

openssl pkcs12 -in c:\temp\customKeystore.pfx -out c:\temp\good.pem -nodes

Open good.pem in notepad++ to check it contains 4 certificates.
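
The same check can be scripted from Git Bash, which the Git for Windows package above installs next to openssl. This is an added example, not part of the original post or of IBM's tooling; the script name check_pem.sh, the function names and the /c/temp/good.pem path form are assumptions.

```shell
#!/usr/bin/env bash
# Added example: sanity-check the PEM dump written by
#   openssl pkcs12 -in customKeystore.pfx -out good.pem -nodes
# Function names are assumptions; 4 is the certificate count the page expects.

# Print how many PEM blocks of a given type the file holds.
# $1 = PEM file, $2 = label regex such as 'CERTIFICATE'
count_pem_blocks() {
  awk -v re="^-----BEGIN ($2)-----" '$0 ~ re { n++ } END { print n + 0 }' "$1"
}

# Return 0 only when the dump holds exactly one private key and the
# expected number of certificates. $1 = PEM file, $2 = expected count
check_bundle_shape() {
  local pem="$1" want="${2:-4}" certs keys
  certs=$(count_pem_blocks "$pem" 'CERTIFICATE')
  keys=$(count_pem_blocks "$pem" '(RSA |EC |ENCRYPTED )?PRIVATE KEY')
  echo "certificates=$certs (expected $want), private keys=$keys"
  [ "$certs" -eq "$want" ] && [ "$keys" -eq 1 ]
}

# With openssl on PATH, print subject, issuer and expiry date of every
# certificate in the dump and mark any that have already expired.
print_cert_details() {
  local pem="$1" dir f
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 0; }
  dir=$(mktemp -d)
  # Split the bundle into one file per certificate.
  awk -v d="$dir" '
    /^-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert%02d.pem", d, ++n) }
    out { print > out }
    /^-----END CERTIFICATE-----/ { close(out); out = "" }' "$pem"
  for f in "$dir"/cert*.pem; do
    [ -e "$f" ] || continue
    if openssl x509 -in "$f" -noout -subject -issuer -enddate 2>/dev/null; then
      openssl x509 -in "$f" -noout -checkend 0 >/dev/null || echo "  ** EXPIRED **"
    else
      echo "$(basename "$f"): not a parseable certificate"
    fi
  done
  rm -rf "$dir"
}

# Stand-alone use: bash check_pem.sh /c/temp/good.pem 4
if [ -n "${1:-}" ]; then
  check_bundle_shape "$1" "${2:-4}"
  print_cert_details "$1"
fi
```

Because -nodes writes the private key unencrypted, delete good.pem once the check is done.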

The PEM format is the most common format that Certificate Authorities issue certificates in. PEM certificates usually have extensions such as .pem, .crt, .cer, and .key. They are Base64 encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.