Product:
Planning Analytics 2.0.9.7
Microsoft Windows 2019 server
Problem:
What java keystore should i use for PA?
Follow official documentation in the first place, as the solution change with different versions of Cognos.
Suggested solution:
Make a backup of the ssl folder before you change anything.
The JAVA Keystore used by PMPSVC. Open Command Prompt as an Administrator and navigate to the <tm1 install dir>\bin64\jre\bin\ directory.
Execute the following command to import/trust the certificate:
keytool.exe -import -trustcacerts -file “C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\caRoot.cer” -keystore “C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\tm1store” -alias caRoot -storepass applix
The JAVA Keystore used by TM1WEB. Open Command Prompt as an Administrator and navigate to the <tm1 install dir>\bin64\jre\bin\ directory.
Execute the following command to import/trust the certificate:
keytool.exe -import -trustcacerts -file “C:\Program Files\ibm\cognos\tm1web\bin64\ssl\caRoot.cer” -keystore “C:\Program Files\ibm\cognos\tm1web\bin64\ssl\tm1store” -alias caRoot -storepass applix
More information:
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
Java Keytool Commands for Creating and Importing
These commands allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.
- Generate a Java keystore and key pair
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
- Generate a certificate signing request (CSR) for an existing Java keystore
keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
- Import a root or intermediate CA certificate to an existing Java keystore
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks
- Import a signed primary certificate to an existing Java keystore
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks
- Generate a keystore and self-signed certificate (see How to Create a Self Signed Certificate using Java Keytoolfor more info)
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
Java Keytool Commands for Checking
If you need to check the information within a certificate, or Java keystore, use these commands.
- Check a stand-alone certificate
keytool -printcert -v -file mydomain.crt
- Check which certificates are in a Java keystore
keytool -list -v -keystore keystore.jks
- Check a particular keystore entry using an alias
keytool -list -v -keystore keystore.jks -alias mydomain
Other Java Keytool Commands
- Delete a certificate from a Java Keytool keystore
keytool -delete -alias mydomain -keystore keystore.jks
- Change a Java keystore password
keytool -storepasswd -new new_storepass -keystore keystore.jks
- Export a certificate from a keystore
keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
- List Trusted CA Certs
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
- Import New CA into Trusted Certs
keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/secur
https://www.ibm.com/support/pages/how-configure-custom-ssl-certificates-planning-analytics-20-and-201