How to set up SSL for CA 11 on Microsoft Windows IIS

Product:
Cognos Analytics 11.0.7
Microsoft Windows 2008/2012/2016 server
Problem:
How to set up SSL on the IIS gateway for the Cognos users?
Solution:
For testing in a demo environment you can create your own certificate, but for a production setup you need to buy a certificate from a trusted CA.

More information on OpenSSL can be found here: https://www.feistyduck.com/books/openssl-cookbook/

Demo setup:
Download OpenSSL for Windows as an installation package from http://slproweb.com/products/Win32OpenSSL.html
Scan the file for viruses before you install it.
Install OpenSSL on your server.
Click Next in all dialogs to install it.

Create a folder c:\ssl
Start a command prompt as administrator.
Change into the c:\ssl directory.
Make a directory called keys.
Make a directory called certs.
Make a directory called requests.
Make a directory called demoCA.
Move to the demoCA folder.
Make a directory called demoCA/newcerts.
Run this command: echo 01 >demoCA/serial
Create an empty text file called demoCA/index.txt.
You can also open Notepad to create the index.txt file; save the file and close Notepad.
Note the name of the server and the domain, since they are needed to create the certs.
The name in the cert must exist in DNS for this to work.
Generate the private key and CA certificate needed to sign requests.
You need to add openssl\bin to PATH first, otherwise the command prompt cannot find the openssl command.
Open Control Panel, System, Advanced system settings.
Add the BIN folder to PATH and click OK.

We will create a simple SSL cert; the recommendation is that you create a newer and stronger cert in your own testing.

Start a new administrative command prompt and move to the SSL folder.
Enter this command to create the CA key:
openssl genrsa -des3 -out keys/ca.key 1024
Make sure you enter the same password in all the steps, e.g. cognos101.
Generate a self-signed CA certificate that will be used later to sign all certificate requests.
Enter this command to create the root CA:
openssl req -new -x509 -out certs/ca.cer -key keys/ca.key -days 365
Enter values that make sense for you.
The above sets up the CA. This can also be done in Windows IIS, or you can use a public vendor like:
https://www.expertssl.se/
https://uk.godaddy.com/help/ssl-certificates-1000006#nav-1
https://really-simple-ssl.com/
Start IIS Manager on the Microsoft Windows Server 2016 where the Cognos gateway is installed.
Click on Server Certificates.
Click on Create Certificate Request.
Save the file in the requests folder.
Now create the cert with this command:
openssl ca -md sha1 -policy policy_anything -cert certs/ca.cer -keyfile keys/ca.key -in requests/certreq.txt -days 365 -out certs/certreq.cer
If you get errors, it may be that the index.txt file was not created correctly.
Check that a cert was created with this command:
openssl x509 -text -in certs/certreq.cer
Now you have a cert file.
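The demo CA procedure above, as an added example that is not part of the original post: a POSIX shell script that builds the same c:\ssl and demoCA layout, signs a CSR (standing in for the one IIS exports) and verifies the chain, but with a 2048-bit key and SHA-256 instead of the 1024-bit key and -md sha1 used above, so the SEC7132 weak-cryptography warning mentioned later does not appear. It assumes openssl is on PATH; the host name labwin2012ca.example.test and the passphrase cognos101 are placeholders.

```shell
# Added example, not code from the original post: builds the demoCA layout the post
# describes and signs an IIS-style CSR with it, using a 2048-bit key and SHA-256 instead
# of the post's 1024-bit key and -md sha1 (the cause of the SEC7132 warning in IE).
set -e
SSLDIR="${SSLDIR:-$(mktemp -d)}"             # stands in for c:\ssl
HOST="${HOST:-labwin2012ca.example.test}"    # placeholder FQDN; must exist in your DNS
PASS="${PASS:-cognos101}"                    # demo passphrase for the CA key
setup_ca() {                                 # folders, empty database, config, CA key and cert
  mkdir -p "$SSLDIR/keys" "$SSLDIR/certs" "$SSLDIR/requests" "$SSLDIR/demoCA/newcerts"
  : > "$SSLDIR/demoCA/index.txt"; echo 01 > "$SSLDIR/demoCA/serial"   # index must be empty
  cat > "$SSLDIR/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $SSLDIR/demoCA
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = $SSLDIR/certs/ca.cer
private_key = $SSLDIR/keys/ca.key
default_md = sha256
default_days = 365
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ v3_server ]
subjectAltName = DNS:$HOST
EOF
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$SSLDIR/keys/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 365 -config "$SSLDIR/openssl.cnf" -key "$SSLDIR/keys/ca.key" \
    -passin "pass:$PASS" -subj "/CN=Demo Cognos CA" -out "$SSLDIR/certs/ca.cer"
}
sign_server_cert() {                         # the CSR is what IIS "Create Certificate Request" exports
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$SSLDIR/openssl.cnf" -subj "/CN=$HOST" \
    -keyout "$SSLDIR/keys/server.key" -out "$SSLDIR/requests/certreq.txt" 2>/dev/null
  openssl ca -batch -notext -config "$SSLDIR/openssl.cnf" -passin "pass:$PASS" -extensions v3_server \
    -in "$SSLDIR/requests/certreq.txt" -out "$SSLDIR/certs/certreq.cer" 2>/dev/null
}
verify_chain() {                             # chains to ca.cer and is SHA-256 signed (no SEC7132)
  openssl verify -CAfile "$SSLDIR/certs/ca.cer" "$SSLDIR/certs/certreq.cer" >/dev/null &&
  openssl x509 -in "$SSLDIR/certs/certreq.cer" -noout -text | grep -q sha256WithRSAEncryption
}
setup_ca && sign_server_cert && verify_chain && echo "signed $HOST, chain verifies"
```

The resulting certs/certreq.cer is what you would hand to "Complete Certificate Request" in IIS, and certs/ca.cer is the file to import into the clients and into Cognos.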
Complete the process on the IIS server to import the cert.
In IIS Manager mark the server name and click on Server Certificates.
Click on Complete Certificate Request.
Browse to the new .cer file, enter a name and click OK.
After some time the cert will show up in the list.
Mark Default Web Site and click on Bindings.
Click on Add in the Site Bindings dialog.
Select https.
Select the SSL certificate from the drop-down list.
This is only the simplest demo setup, so in production you should also follow guidance like this if an error comes up here:
https://support.microsoft.com/en-gb/help/954755/how-to-configure-intermediate-certificates-on-a-computer-that-is-runni
If you cannot save with a blank host name, enter a name and remove it later.
Click Close.
Mark the ibmcognos virtual folder in IIS Manager and click on SSL Settings.
Mark Require SSL and click on Apply in the top right corner.
Restart the IIS web server.
Now if you browse to http://labwin2012ca:9300/bi/ you go directly to the Cognos server and do not use an encrypted session.
If you browse to https://labwin2012ca/ibmcognos you will get a certificate warning.
If you click on "Continue to this website" you will get through to the website.
To get rid of this warning, we will import the trusted CA cert into Internet Explorer.
Go to Internet Options and click on Content.
Click on Trusted Root Certification Authorities and click Import.
Click Next.
Mark the ca.cer file that was created by OpenSSL and click Next.
This is one suggestion on how to do the SSL setup; there are other ways that are more correct.
Click Next.
Click Finish.
Because this is a cert we created ourselves, we get a warning; click Yes to import it into your laptop's IE.
If you check, the cert should now be in your IE.
Close IE and try to browse again.
Now you get directly to CA 11 without errors. The lock in the toolbar shows that it is a secure connection; you can click on the lock for more information.
If you use your own OpenSSL cert, you need to import the CA cert on every client computer to get a secure connection without error messages. Therefore it is simpler to buy a cert from a known CA.
You will also need to install the ca.cer in the Cognos BI server to be able to create PDF reports with pictures.
Copy your ca.cer to the cognos\bin folder.
Open an administrative command prompt.
Enter this command:
ThirdPartyCertificateTool.bat -i -T -r “C:\Program Files\ibm\cognos\analytics\bin\ca.cer” -p NoPassWordSet
The error you get here occurs when the quotation mark “ is of the wrong format (a typographic quote instead of a plain ").
Type the command in Notepad to ensure you have the correct characters, then copy it from Notepad to the command prompt.
Now restart the Cognos services and try the report to PDF again.
It is important that the reference to a picture in a Cognos report is relative, like this:
../samples/images/Alex_Active.png
If you use the sample images that are stored in the folder C:\Program Files\ibm\cognos\analytics\webcontent\bi\samples\images\
then it will work with both http://labwin2012ca:9300/bi/ (direct to the BI services) and https://labwin2012ca/ibmcognos/bi (secure link to the IIS gateway).

Use F12 in IE to troubleshoot; if you get errors, you will see text like this:
SEC7132: The certificate protecting this web site uses weak cryptography, SHA1. The web site should replace this certificate with a SHA2 certificate before SHA1 is no longer allowed https://labwin2012ca/ibmcognos/bi/pat/images/select_container.png

You need to create a stronger SSL cert to avoid the above warning in the web browser.

SSL setup in a production IIS server:
How to set up SSL with a bought certificate.
Create a DNS alias for the server, so you have a good FQDN that works in your domain.
Test that the users can browse to your IIS/IBMCOGNOS server using the DNS alias, like this:
http://dnsalias.domain.com/ibmcognos/bi
Get a cert from your supplier for the DNS alias.
You need to fill in information for the request; please talk to your Internet provider, they can help.
You will get a PFX file with a password; normally you get the password by SMS.
Place the cert file in a folder on the IIS server.
Import the cert into IIS:
Start IIS Manager.
Mark the computer (server).
Click on Server Certificates.
Click on Import to read in the certificate you got from your ISP.
Enter the path and filename of the PFX file.
Enter the password you got for the certificate.
Leave it to store in the Personal folder.
Click OK.
Mark the Default Web Site and click on Bindings to the right.
Click on Add to add the new cert.
Fill in the host name.
Click on Select to select the cert you have read in.
Click OK.
Click Edit on the line you just saved.
Remove the host name so it is blank.
Click OK to save it again.
Mark your IBMCOGNOS folder in IIS Manager and click on SSL Settings.
Mark Require SSL and click Apply in the top right corner.
This means that a user who browses to /IBMCOGNOS/ must use the SSL (HTTPS) connection.
We have left port 80 open on the Default Web Site, so users do not get a message that the site does not exist.
To make it easier for users, we create a default.htm page with the content below and place it in the IIS root folder (C:\inetpub\wwwroot). This redirects users who browse only to the server name to the correct address.
<html>
<head>
<title>Cognos Connection</title>
<meta http-equiv="refresh" content="0;url=https://labwin2012ca/ibmcognos">
</head>
<body>
<a href="https://labwin2012ca/ibmcognos">click here</a>.
</body>
</html>
More information on how you could do it with an IIS HTTP redirect, as in older Cognos versions:
https://docs.microsoft.com/en-us/iis/configuration/system.webserver/httpredirect/

To get reports with pictures created as PDF, you need to import the root cert into the Cognos BI server.
Export the CA cert of your trusted issuer from IE:
Go to the Windows Control Panel.
Open Internet Options.
Click on Certificates.
Click on Trusted Root Certification Authorities.
If you do not find your supplier in the list, check on your local Windows 7 computer; it may have more certificates than a Windows server.
Select your certificate and click on Export.
Click Next.
Select Base-64 encoded .CER file and click Next.
Enter a filename and click Next.
Click Finish.
You will need to copy the .cer file to your Cognos BIN folder.

Import the CA cert into the CA 11.0.7 content store:
Place the ca2.cer file in your Cognos BIN and BIN64 folders.
Start an administrative command prompt.
Move to the bin folder.
Enter the command: ThirdPartyCertificateTool.bat -i -T -r ca2.cer -p NoPassWordSet
The password is the password for the Cognos key store, in most cases NoPassWordSet.
This will put the cert into the Cognos store.
If you get an error like "short read", the .cer file is in the wrong format. Please export it again from IE.
In most cases you need to give the full path to the file, like this:
ThirdPartyCertificateTool.bat -i -T -r "C:\Program Files\ibm\cognos\analytics\bin\ca2.cer" -p NoPassWordSet
Then it should be possible to read in the cert without errors.
You must restart the Cognos Analytics service to make it pick up the new cert.
Test by creating a Cognos report with a picture and running it as PDF.
Use ../samples/images/Alex_Active.png as the picture reference if you have the picture in the folder C:\Program Files\ibm\cognos\analytics\webcontent\bi\samples\images
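A check for the "short read" failure mode above, as an added example that is not part of the original post: ThirdPartyCertificateTool expects the Base-64 (PEM) form of the .cer file, and a binary DER export is the usual way to end up with the wrong format. This POSIX shell snippet tells the two encodings apart and converts DER to PEM before the import; it assumes openssl is on PATH, and the file names are placeholders.

```shell
# Added example, not from the original post: detect whether a .cer file is Base-64 (PEM)
# or binary (DER) and produce the PEM copy that ThirdPartyCertificateTool.bat needs.
set -e
cert_format() {                        # prints PEM, DER or UNKNOWN for the file in $1
  if head -n1 "$1" | grep -q 'BEGIN CERTIFICATE'; then echo PEM
  elif openssl x509 -inform der -in "$1" -noout 2>/dev/null; then echo DER
  else echo UNKNOWN; fi
}
ensure_pem() {                         # writes a PEM copy of $1 to $2 whatever the input encoding
  case "$(cert_format "$1")" in
    PEM) cp "$1" "$2" ;;
    DER) openssl x509 -inform der -in "$1" -out "$2" ;;
    *)   echo "$1: not a certificate, export it again from IE as Base-64" >&2; return 1 ;;
  esac
  openssl x509 -in "$2" -noout -subject   # prove the result parses as PEM
}
```

Run ensure_pem ca2.cer ca2-pem.cer on the exported file and pass the PEM copy to ThirdPartyCertificateTool.bat.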

Cognos Framework Manager will work as long as it points to the CA server and not the gateway.
So FM and other clients like Cube Designer should point to http://servername:9300/bi/v1/disp
If FM uses a Gateway URI that uses HTTPS and points to IBMCOGNOS, then you need to do the same import into their local store.
This applies to all Cognos tools that use Java.

When testing, ensure that the Cognos service has started correctly, and also that the web browser you use has the trusted root cert for your cert. You must clear the web browser cache between every test.

More information
https://www.digicert.com/csr-ssl-installation/iis-8-and-8.5.htm
https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/c_thirdpartycertificatetoolcommands.html
http://www-01.ibm.com/support/docview.wss?uid=swg21339916
https://www.ibm.com/support/knowledgecenter/en/SSEP7J_10.2.1/com.ibm.swg.ba.cognos.inst_cr_winux.10.2.1.doc/t_importcacertificates.html
http://www-01.ibm.com/support/docview.wss?uid=swg21992784