How to set up SSL for CA 11 on Microsoft Windows IIS

Cognos Analytics 11.0.7
Microsoft Windows 2008/2012/2016 server
How do you set up SSL in IIS for the Cognos users?
For testing in your demo environment you can create your own certificate, but for a production setup you need to buy a certificate from a trusted CA.

More information on OpenSSL can be found here.

Demo setup:
Download OpenSSL from here as a ready-made installation package.
Check the file for viruses before you install it.
Install OpenSSL on your server.
Click Next in all dialogs to install it.

Create a folder c:\ssl.
Start a command prompt as administrator.
Change into the c:\ssl directory.
Make a directory called keys.
Make a directory called certs.
Make a directory called requests.
Make a directory called demoCA.
Move to the demoCA folder.
Make a directory called demoCA/newcerts.
Run: echo 01 >demoCA/serial
Create an empty text file called demoCA/index.txt.
You can also open Notepad to create the index.txt file.
Save the file and close Notepad.
Note the name of the server and the domain; they are needed to create the certs.
The name in the cert must exist in DNS for it to work.
Generate the private key and CA certificate needed to sign requests.
You need to add openssl\bin to PATH, otherwise you get the error below.
Open Control Panel - System - Advanced system settings.
Add the BIN folder to PATH and click OK.

We will create a simple SSL cert; the recommendation is that you create a newer and stronger cert in your testing.

Start a new administrative command prompt and move to the SSL folder.
Enter this command to create the CA key:
openssl genrsa -des3 -out keys/ca.key 1024
Make sure you enter the same password in all the steps,
e.g. cognos101.
Generate a self-signed CA certificate that will be used later to sign all certificate requests.
Enter this command to create the root CA:
openssl req -new -x509 -out certs/ca.cer -key keys/ca.key -days 365
Enter values that make sense for you.
The above sets up the CA; this can also be done in Windows IIS, or you can use a public vendor like;
Start IIS on the Microsoft Windows Server 2016 where the Cognos gateway is installed.
Click on Server Certificates.
Click on Create Certificate Request.

Save the file in the requests folder.
Now create the cert with this command:
openssl ca -md sha1 -policy policy_anything -cert certs/ca.cer -keyfile keys/ca.key -in requests/certreq.txt -days 365 -out certs/certreq.cer
If you get errors, it may be that the index.txt file was not created correctly.
Check that a cert was created with this command:
openssl x509 -text -in certs/certreq.cer
Now you have a cert file.
Complete the process on the IIS server by importing the cert.
In IIS Manager, select the server name and click on Server Certificates.
Click on Complete Certificate Request.
Browse to the new .cer file.
Enter a name.
And click OK.
After a moment the cert will show up in the list.
Select Default Web Site and click on Bindings.
Click on Add in the Site Bindings dialog.
Select https.
Select the SSL certificate from the drop-down list.
This is only the simplest demo setup; in production you should also follow steps like the following if the above error comes up.
If you cannot save with a blank host name, enter a name and remove it later.
Click Close.
Select the ibmcognos virtual folder in IIS Manager and click on SSL Settings.
Tick Require SSL and click on Apply in the top right corner.
Restart the IIS web server.
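The OpenSSL steps above, as an added PowerShell example that is not part of the original post. It goes beyond the page's 1024-bit/SHA-1 demo by using a 2048-bit key and SHA-256 (the weak-cryptography warning from the browser later on this page comes from SHA-1) and by writing its own small openssl.cnf so the `openssl ca` step does not depend on the installer's default config. The OpenSSL install path, the FQDN and the CA subject name are placeholders; the host name labwin2012ca and the folder layout are the ones used on this page.

```powershell
# Added example, not from the original post. Assumptions (placeholders):
# $opensslBin (where the installer put openssl.exe) and $gatewayFqdn (a name that
# exists in your DNS). Run from an administrative PowerShell prompt.
$ErrorActionPreference = 'Stop'
$opensslBin  = 'C:\OpenSSL-Win64\bin'          # placeholder: OpenSSL bin folder
$gatewayHost = 'labwin2012ca'                   # host name used on this page
$gatewayFqdn = 'labwin2012ca.example.local'     # placeholder: FQDN of the IIS gateway
$root        = 'C:\ssl'

$env:Path = "$opensslBin;$env:Path"             # same as adding openssl\bin to PATH

# Directory layout that "openssl ca" expects (keys, certs, requests, demoCA, newcerts)
foreach ($d in 'keys', 'certs', 'requests', 'demoCA', 'demoCA\newcerts') {
    New-Item -ItemType Directory -Path (Join-Path $root $d) -Force | Out-Null
}
Set-Location $root
# serial must be plain ASCII; index.txt must be a zero-byte file. A BOM or a
# stray newline from an editor is a common cause of "openssl ca" failing.
Set-Content -Path 'demoCA\serial' -Value '01' -Encoding Ascii
New-Item -ItemType File -Path 'demoCA\index.txt' -Force | Out-Null

# Minimal config: single-quoted here-string so $dir is left for OpenSSL to expand.
$cnf = @'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = __ROOT__/demoCA
database       = $dir/index.txt
serial         = $dir/serial
new_certs_dir  = $dir/newcerts
certificate    = __ROOT__/certs/ca.cer
private_key    = __ROOT__/keys/ca.key
default_md     = sha256
default_days   = 365
policy         = policy_anything
unique_subject = no

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
CN = Demo Cognos Root CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:__HOST__, DNS:__FQDN__
authorityKeyIdentifier = keyid, issuer
'@
$cnf = $cnf.Replace('__ROOT__', $root.Replace('\', '/')).Replace('__HOST__', $gatewayHost).Replace('__FQDN__', $gatewayFqdn)
Set-Content -Path 'openssl.cnf' -Value $cnf -Encoding Ascii

# 1. CA private key (you are prompted for a passphrase; use the same one in every step)
& openssl genrsa -aes256 -out keys\ca.key 2048
# 2. Self-signed CA certificate, SHA-256, valid one year
& openssl req -new -x509 -config openssl.cnf -key keys\ca.key -out certs\ca.cer -days 365 -sha256
# 3. Sign the request created in IIS Manager (saved as requests\certreq.txt),
#    adding the server extensions incl. subjectAltName; -batch skips the y/n prompts
& openssl ca -config openssl.cnf -extensions v3_server -md sha256 -batch -notext -in requests\certreq.txt -out certs\certreq.cer
# 4. Check the result: it chains to ca.cer and is SHA-256 signed with the expected names
& openssl verify -CAfile certs\ca.cer certs\certreq.cer
& openssl x509 -noout -text -in certs\certreq.cer | Select-String 'Signature Algorithm|DNS:'
```

certs\certreq.cer is then the file you pick in "Complete Certificate Request", and certs\ca.cer is the one to import into the browsers' Trusted Root Certification Authorities and into the Cognos trust store as described further down.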
Now if you browse to http://labwin2012ca:9300/bi/ you go directly to the Cognos server and do not use an encrypted session.
If you browse to https://labwin2012ca/ibmcognos you will get this message.
If you click on "Continue to this website" you will come through to the website.
To get rid of this error message, we will import the trust cert (CA) into Internet Explorer.
Go to Internet Options and click on Content.
Click on Trusted Root Certification Authorities and click Import.
Click Next.
Select the ca.cer file that was created by OpenSSL.
And click Next.
This is one suggestion on how to do the SSL setup; there are other ways that are more correct.
Click Next.
Click Finish.
Because this is a cert we created ourselves we get this warning; click Yes to import it into your laptop's IE.
If you check, the cert should now be in your IE.
Close IE and try to browse again.
Now you get directly to CA 11 without errors. The lock in the toolbar shows that it is a secure connection; you can click on the lock to get more information.
If you use your own OpenSSL cert, you need to import the CA cert on every client computer to get a secure connection without error messages. Therefore it is simpler to buy a cert from a known CA.
You will also need to install the CA.CER on the Cognos BI server to be able to create PDF reports with pictures.
Copy your ca.cer to the cognos\bin folder.
Open an administrative DOS prompt.
Enter this command:
ThirdPartyCertificateTool.bat -i -T -r "C:\Program Files\ibm\cognos\analytics\bin\ca.cer" -p NoPassWordSet
The error above appears when the double quote (") characters are of the wrong format, e.g. typographic quotes pasted from a web page.
Enter the command in Notepad to make sure you have the correct characters, then copy it from Notepad to the cmd prompt.
Now restart the Cognos services and try the report to PDF again.
It is important that the reference to a picture in a Cognos report is relative, like this:
If you use the sample images that are stored in the folder C:\Program Files\ibm\cognos\analytics\webcontent\bi\samples\images\
then it will work with both http://labwin2012ca:9300/bi/ (direct to the BI services) and https://labwin2012ca/ibmcognos/bi (secure link via the IIS gateway).

Use F12 in IE to troubleshoot; if you get errors you will see text like this:
SEC7132: The certificate protecting this web site uses weak cryptography, SHA1. The web site should replace this certificate with a SHA2 certificate before SHA1 is no longer allowed https://labwin2012ca/ibmcognos/bi/pat/images/select_container.png

You need to create a stronger SSL cert (SHA-2 signed) to avoid the above warning in the web browser.

SSL setup on a production IIS server:
How to set up SSL with a bought certificate.
Create a DNS alias for the server, so you have a good FQDN that will work in your domain.
Test that the users can browse to your IIS/IBMCOGNOS server using the DNS alias, like this:
Get a cert from your supplier for the DNS alias.
You need to fill in information like this; please talk to your Internet provider, they can help.
You will get a PFX file and a password for it; normally you get the password by SMS.
Place the cert file in a folder on the IIS server.
Import the cert into IIS:
Start IIS Manager.
Select the computer (server).
Click on Server Certificates.
Click on Import to read in the certificate you got from your ISP.
Enter the path and file name of the PFX file.
Enter the password you got for the certificate.
Leave it to store in the Personal store.
Click OK.
Select Default Web Site and click on Bindings on the right.
Click on Add to add the new cert.
Fill in the host name.
Click on Select to select the cert you have read in.
Click OK.
Click Edit on the same line you just saved.
Remove the host name so it is blank.
Click OK to save it again.
Select your IBMCOGNOS folder in IIS Manager and click on SSL Settings.
Tick Require SSL and click Apply in the top right corner.
This makes it so that a user who browses to /IBMCOGNOS/ must use an SSL connection.
We have left port 80 open on the default website, so users do not get a message that the site does not exist.
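The IIS Manager clicks above (import the PFX, add the https binding with a blank host name, require SSL on /ibmcognos only) as an added PowerShell example; this is not code from the original post. It assumes Windows Server 2012 or later with the WebAdministration and PKI modules, the site and virtual directory names used on this page ("Default Web Site" and "ibmcognos"), and a placeholder PFX path. Before binding, it also runs the checks a practitioner wants: that the chain validates on this server, that the cert is not about to expire, and that it is not SHA-1 signed (the SEC7132 warning mentioned earlier).

```powershell
# Added example, not from the original post. Placeholders: $pfxPath; the site and
# application names are the ones used on this page. Run as administrator.
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration
Import-Module PKI

$pfxPath  = 'C:\ssl\certs\gateway.pfx'     # placeholder: PFX file from your CA
$siteName = 'Default Web Site'
$appPath  = 'Default Web Site/ibmcognos'   # the virtual directory that must require SSL

# Import the PFX into the machine Personal store (where IIS looks for server certs).
# The password is prompted for, never written into the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# Sanity checks before the cert goes live
if (-not $cert.Verify()) { throw "Certificate chain does not validate on this server: $($cert.Subject)" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter)" }
if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1') {
    Write-Warning 'Certificate is SHA-1 signed; browsers will report SEC7132 for it'
}

# https binding on 443 with a blank host name (the page recommends removing the host
# name after saving); port 80 is left open so the redirect page still works.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}
# Attach the certificate to the SSL endpoint, replacing any earlier binding
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# "Require SSL" on /ibmcognos only. sslFlags = Ssl means HTTPS is mandatory;
# do not add SslRequireCert unless you really want client certificates.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $appPath `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# Show what was configured, then restart IIS as the page does
Get-ChildItem 'IIS:\SslBindings' | Select-Object IPAddress, Port, Thumbprint
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $appPath `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
iisreset
```

The same script works for the demo certificate from the OpenSSL section if you first combine certreq.cer and its key into a PFX, but for the self-signed demo CA the Verify() check will only pass on machines where ca.cer has been imported into Trusted Root Certification Authorities.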
To make it easier for users, we create a default.htm page with the content below and place it in the IIS root folder (C:\inetpub\wwwroot). This redirects users who browse only to the server name to the correct address. Note that the quotes must be plain ASCII double quotes (") and not typographic quotes.
<!DOCTYPE html>
<html><head><title>Cognos Connection</title>
<meta http-equiv="refresh" content="0;url=https://labwin2012ca/ibmcognos"></head>
<body><a href="https://labwin2012ca/ibmcognos">click here</a>.</body></html>
More information on how you could do it in old Cognos;

To get reports with pictures created as PDF, you need to import the root cert into the Cognos BI server.
Export the CA cert of your trusted issuer from IE:
Go to the Windows Control Panel.
Open Internet Options.
Click on Certificates.
Click on Trusted Root Certification Authorities.
If you do not find your supplier in the list, check on your local Windows 7 computer; it can have more certificates than a Windows server.
Select your certificate and click on Export.
Click Next.
Select Base-64 encoded .CER file and click Next.
Enter a file name and click Next.
Click Finish.
You will need to copy the .cer file to your Cognos BIN folder.

Import the CA cert into the CA 11.0.7 content store:
Place the ca2.cer file in your Cognos BIN and BIN64 folders.
Start an administrative command prompt.
Move to the bin folder.
Enter the command: ThirdPartyCertificateTool.bat -i -T -r ca2.cer -p NoPassWordSet
The password is the password for the Cognos key store, in most cases NoPassWordSet.
This will get the cert into the Cognos store.
If you get an error like "short read", the .cer file is in the wrong format. Please export it again from IE as Base-64.
In most cases you need to give the full path to the file, like this:
ThirdPartyCertificateTool.bat -i -T -r "C:\Program Files\ibm\cognos\analytics\bin\ca2.cer" -p NoPassWordSet
Then it should be possible to read in the cert without errors.
You must restart the Cognos Analytics service to make it notice the new cert.
Test by creating a Cognos report with a picture and running it as a PDF.
Use ../samples/images/Alex_Active.png as the picture reference if you have the picture in the folder C:\Program Files\ibm\cognos\analytics\webcontent\bi\samples\images
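The export-from-IE and ThirdPartyCertificateTool steps above, combined into one added PowerShell example that is not from the original post. Instead of clicking through the certificate dialogs it finds the gateway certificate in the machine store, walks its chain to the root, exports that root as Base-64 (Export-Certificate only writes binary DER, so certutil -encode re-wraps it) and checks the file really is Base-64 before calling the tool, which is exactly the case that produces the "short read" error. The gateway host name, the Cognos install path and the keystore password are the values used on this page; the Cognos service name is a placeholder.

```powershell
# Added example, not from the original post. Placeholders: $cognosService (check
# services.msc). $gatewayHost, $cognosRoot and $storePass are taken from this page.
$ErrorActionPreference = 'Stop'
$gatewayHost   = 'labwin2012ca'
$cognosRoot    = 'C:\Program Files\ibm\cognos\analytics'
$storePass     = 'NoPassWordSet'            # Cognos key store password, as on this page
$cognosService = 'IBM Cognos'               # placeholder: name of the Cognos Analytics service

# Find the IIS gateway certificate and walk its chain up to the issuing root
$leaf = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -like "*CN=$gatewayHost*" } | Select-Object -First 1
if (-not $leaf) { throw "No certificate for $gatewayHost found in LocalMachine\My" }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($leaf)) {
    throw 'Chain does not build; is the issuer in Trusted Root Certification Authorities on this server?'
}
$rootCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# Export the root as Base-64 (PEM), the format ThirdPartyCertificateTool.bat needs
$derPath = Join-Path $env:TEMP 'ca2.der'
$pemPath = Join-Path $env:TEMP 'ca2.cer'
Export-Certificate -Cert $rootCert -FilePath $derPath -Type CERT | Out-Null
if (Test-Path $pemPath) { Remove-Item $pemPath }    # certutil refuses to overwrite
certutil -encode $derPath $pemPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certutil -encode failed' }

# Format check: a DER/binary .cer here is what gives "short read" later
$firstLine = Get-Content $pemPath -TotalCount 1
if ($firstLine -ne '-----BEGIN CERTIFICATE-----') { throw "$pemPath is not Base-64 encoded" }

# Copy to bin and bin64 as the page does
foreach ($bin in 'bin', 'bin64') {
    Copy-Item $pemPath (Join-Path $cognosRoot "$bin\ca2.cer") -Force
}

# Import into the Cognos trust store, using the full path to avoid the
# working-directory problem noted above, and check the tool's exit code
$tool = Join-Path $cognosRoot 'bin\ThirdPartyCertificateTool.bat'
$cer  = Join-Path $cognosRoot 'bin\ca2.cer'
Push-Location (Join-Path $cognosRoot 'bin')
try {
    & $tool -i -T -r $cer -p $storePass
    if ($LASTEXITCODE -ne 0) { throw "ThirdPartyCertificateTool.bat failed with exit code $LASTEXITCODE" }
} finally {
    Pop-Location
}

# Cognos only reads the trust store at start-up
Restart-Service -Name $cognosService -Force
```

For the OpenSSL demo CA the chain walk simply returns ca.cer itself, provided it was imported into the server's Trusted Root Certification Authorities first; otherwise $chain.Build fails, which is the right signal that the server does not yet trust the issuer.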

Cognos Framework Manager will work as long as it points to the CA server and not to the gateway.
So FM and other clients like Cube Designer should point to http://servername:9300/bi/v1/disp
If FM uses a Gateway URI that uses HTTPS and points to IBMCOGNOS, then you need to do the same import into their local store.
This applies to all Cognos tools that use Java.

When testing, ensure that the Cognos service has started correctly, and also ensure that the web browser you use has the trusted root cert for your cert. You must clear the web browser cache between every test.

More information