Product:
Cognos Controller 10.4.2
Cognos Analytics 11.0.13
Microsoft Windows 2012 server
Problem:
On a CA installation where the IIS web server uses HTTPS for IBMCOGNOS, how do you update the certificate on the IIS server when it expires after some years?
Suggested Solution:
Get a new certificate from the company’s internal Certificate Authority.
You get a pfx file and a cer.pem file.
You also get a password to the pfx file – save it in notepad.
Save them in a separate folder on the server (c:\temp\cert)
Go to the IIS Manager
Select the server name in the tree
Click on Server Certificates icon
Click on Import link at the right
Click on … to find the pfx file.
Enter the password and press OK
Click on Default web site
Click on Bindings
Select HTTPS
Click Edit
Click on drop down and select the new cert
Click OK
Start your Cognos Controller client and check that you can login.
You may also need to update the CACERTS file in the Cognos Controller client installation to get the Java menus to work (like maintain – jobs – define).
Export the certificate from IIS using IE:
Surf to your IBMCOGNOS site with https
Click on the lock icon in IE toolbar and click “View certificates”
Click on Details tab
Click Copy to file button
Click next
Select Base-64 encoded X.509 and click next
Enter path and name and click next
Click finish
Repeat above for the Root certificate and any intermediate certificates.
You must first view the certificate before you export it from the details tab.
Import the cert with IKEYMAN:
If you have Cognos Analytics on the same server where you have installed the Cognos Controller client, you can use it to import the cer files into the cacerts file.
Before changing the cacerts file, make a backup of the file in another folder.
Go to C:\Program Files\ibm\cognos\analytics\jre\bin
Right click ikeyman.exe and select run as administrator
Click Open and select your cacerts file in folder C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security
Click ok
Enter password changeit
Click ok
Click drop down list and select Signer Certificates
Click on Add button
Click on browse and select your cer file.
Click OK
Enter a name e.g. Cognos
Repeat the ADD steps for Root and other company needed certificates.
Changes are saved directly, so just select Exit to end the program.
The updated cacerts file can be made part of any Cognos Controller client installation package the company uses (so that not every user needs to do this).
Or import the cert with the command line, if you do not have CA11 on the server:
"C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\bin\keytool" -import -alias CognosController -file "C:\temp\cert\CognosController.cer" -keystore "C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security\cacerts"
You should be able to manage with only the company root certificate and any intermediate certificates in the file:
"C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\bin\keytool" -import -alias root1 -file "C:\temp\cert\root1.cer" -keystore "C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security\cacerts"
"C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\bin\keytool" -import -alias intermediated2 -file "C:\temp\cert\intermediated2.cer" -keystore "C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security\cacerts"
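The backup, import and check steps above as one PowerShell script; this is an added example, not part of the original post. It uses the paths, aliases and password shown above, while the backup location, the expiry check and the removal of an existing alias are assumptions. Because -noprompt skips keytool's trust question, the script prints each certificate's subject, expiry date and thumbprint first so they can be compared with what the CA issued.

```powershell
# Run from an elevated PowerShell prompt (cacerts lives under Program Files).
$jre      = 'C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre'
$keytool  = Join-Path $jre 'bin\keytool.exe'
$cacerts  = Join-Path $jre 'lib\security\cacerts'
$storePwd = 'changeit'   # cacerts password given on this page

# Alias -> exported Base-64 .cer file (names taken from the commands above).
$certs = [ordered]@{
    root1          = 'C:\temp\cert\root1.cer'
    intermediated2 = 'C:\temp\cert\intermediated2.cer'
}

# 1. Back up cacerts before changing it (backup location is an assumption).
$backup = 'C:\temp\cert\cacerts.{0:yyyyMMdd-HHmmss}.bak' -f (Get-Date)
Copy-Item -LiteralPath $cacerts -Destination $backup -ErrorAction Stop

foreach ($name in $certs.Keys) {
    $file = $certs[$name]

    # 2. Inspect the file: stop on an expired certificate and show what will be trusted.
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
    if ($x509.NotAfter -lt (Get-Date)) { throw "$file expired on $($x509.NotAfter)" }
    '{0}: {1}, expires {2:yyyy-MM-dd}, SHA-1 {3}' -f $name, $x509.Subject, $x509.NotAfter, $x509.Thumbprint

    # 3. Remove an alias left over from the previous certificate (assumed re-run case).
    & $keytool -list -alias $name -keystore $cacerts -storepass $storePwd 2>&1 | Out-Null
    if ($LASTEXITCODE -eq 0) {
        & $keytool -delete -alias $name -keystore $cacerts -storepass $storePwd
    }

    # 4. Import; -noprompt skips the interactive trust question answered by step 2.
    & $keytool -import -noprompt -alias $name -file $file -keystore $cacerts -storepass $storePwd
    if ($LASTEXITCODE -ne 0) {
        Copy-Item -LiteralPath $backup -Destination $cacerts -Force
        throw "keytool import failed for $name; cacerts restored from $backup"
    }
}

# 5. List each imported alias to confirm it is in the store.
foreach ($name in $certs.Keys) {
    & $keytool -list -alias $name -keystore $cacerts -storepass $storePwd
}
```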
More Information:
To add certificates to the Trusted Root Certification Authorities store for a local computer
Click Start, click Start Search, type mmc, and then press ENTER.
On the File menu, click Add/Remove Snap-in.
Under Available snap-ins, click Certificates, and then click Add.
Under This snap-in will always manage certificates for, click Computer account, and then click Next.
Click Local computer, and click Finish.
If you have no more snap-ins to add to the console, click OK.
In the console tree, double-click Certificates.
Right-click the Trusted Root Certification Authorities store.
Click Import to import the certificates and follow the steps in the Certificate Import Wizard.
https://www.ibm.com/support/pages/node/372873
https://www.ibm.com/support/pages/node/563063
https://www.ibm.com/support/pages/how-configure-controller-web-use-ssl-https
https://en.wikipedia.org/wiki/Root_certificate
https://www.thesslstore.com/blog/root-certificates-intermediate/
https://comodosslstore.com/resources/what-is-a-root-ca-certificate-and-how-do-i-download-it/