Product:
Cognos Analytics 11.1.7
Microsoft Windows 2016 server
Issue:
How setup custom certificate in CA11?
Solution:
Follow IBM recommendations, from here:
https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=components-configuring-ssl-cognos-analytics
https://www.ibm.com/support/pages/steps-set-ssl-cognos-analytics-configuration
https://www.ibm.com/support/pages/how-add-3rd-party-ca-allow-ssl-between-components-ibm-cognos-analytics-11
When configuring IBM® Cognos® Analytics to use an external certificate authority (CA), you must start with a stopped system and an empty key store.
Export the Cognos Configuration as plain text first, by use Select File – Export as, on all CA11 servers. Save as backup.xml in configuration folder.
Procedure to clean the keystore
- Open IBM Cognos Configuration as an administrator. Ensure HTTP is used under Environment.
- In the Explorer window, under , click Cognos.
- Under Certificate Authority settings, click the Use third party CA property, and ensure that its Value is set to False.
- From the File menu, click Save to save the configuration.
- Close Cognos Configuration.
- Go to the Cognos Analytics installation directory, and delete all content from the install_location\configuration\certs directory.
On Microsoft Windows installations, you can run the tool with the -java:local
command to use the JRE that is provided with the installation, as shown in the following example: ThirdPartyCertificateTool.bat -java:local
-c -d ...
The default password is NoPassWordSet.
Procedure to request a new cert
- From the install_location\bin directory, run the ThirdPartyCertificateTool.
- Type the following command to create the certificate signing request for the crypto key:
On Windows from inside a Administrator Command Prompt, type
ThirdPartyCertificateTool.bat -c -e -d "CN=EncryptCert,O=MyCompany,C=CA"
-r encryptRequest.csr -p keystore_password -a RSA
-
The distinguished name (DN) value in the command ("CN=Servername,O=MyCompany,C=SE")
uniquely identifies the Cognos Analytics installation.
You can add more information with use of a command line like this:
ThirdPartyCertificateTool.bat -c -e -p NoPassWordSet -a RSA -r "encryptRequest.csr" -d "CN=servername.domain.com,OU=Finance,O=MyCompany,L=Stockholm,C=SE" -H "servername.domain.com dnsalias.domain.com"
The password that you enter for this key must be used again when you import the certificate, and again in IBM Cognos Configuration.
You can ignore any warnings about logging.
Backup your D:\Program Files\ibm\cognos\analytics\configuration folder to d:\temp
(in case you start Cognos BI, you may need to go back to this settings before importing the certificates)
Important: The certificates that are generated by your CA must be PEM (Base-64 encoded ASCII) format.
Results
The command generates the following CSR files:
- The CAMKeystore file in the install_location\configuration\certs directory.
- The encryptRequest.csr file in the install_location\bin directory.
After the CSR files are generated, perform the following steps:
- Share the crypto key file encryptRequest.csr, or its contents, with the external CA. Using this key, the CA produces a crypto key certificate, a root certificate, and an intermediate certificate for the request, and sends them back to you.
- If you get a P7B file, you need to convert it to PEM with OPENSSL. Use this command
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
- File certificate.cer can be open in Notepad++ and copy out to 3 certificate, one for each function. A pem certificate should not start with a blank line.
- Copy the certificates from the external CA to the Cognos Analytics installation directory, such as install_location\configuration\bin.
You must import the certificates from the external certificate authority (CA) into your IBM® Cognos® Analytics key store.
The import must be done on each computer where the following Cognos Analytics components are installed: Content Manager, the Application Tier Components, the gateway, and the client components such as Framework Manager, and other components if you use them.
Procedure to import the cer files
- Go to the location where you saved the certificate files from the CA authority, and do the following:
- Create a copy of the crypto certificate, and name it encryptCertificate.cer.
- Create a copy of the root CA certificate, and name it ca.cer. (cer or pem files work equal good).
- If the files are not already there, copy the encryptCertificate.cer, and ca.cer files to the install_location/bin directory.
- From install_location/bin directory, start the ThirdPartyCertificateTool command line tool (as shown below).
- Type the following command to import the CA root certificate into the Cognos Analytics trust store:
On Windows operating systems, type
ThirdPartyCertificateTool.bat -i -T -r ca.cer -p keystore_password
On Windows operating systems, type
ThirdPartyCertificateTool.bat -i -e -r encryptCertificate.cer -p
keystore_password -t ca.cer
-
Results
The command reads the encryptCertificate.cer and ca.cer files in the install_location\bin directory and imports the certificates from both files into the CAMKeystore file in the install_location/configuration/certs directory using the specified password.
Ensure that the key store locations and passwords in IBM Cognos Configuration match the ones that you typed in the ThirdPartyCertificateTool tool.
Procedure to start CA with custom cert
- Open IBM Cognos Configuration as an administrator. Ensure HTTPS is used under Environment.
- In the Explorer window, under , click Cognos.
- Under Certificate Authority settings, click the Use third party CA property, and set its Value to True.
- For the Key store password property, enter the password that you used for the crypto key.
- Click to save the configuration.
- Restart your IBM Cognos services.
Test the IIS cert by browse to (or only browse to the Server name):
https://servername.domain.com/ibmcognos/controllerserver/ccrws.asmx
Test the Cognos BI cert by browse to (update with the port you use in Cognos Configuration):
https://servername.domain.com:9300/p2pd/servlet
If you have had the Cognos BI site running HTTP before, you must change in IIS webfarm to use the new HTTPS, and also update the port in use. Otherwise you will get 404 or 502 errors in Web browser.
Best is to clear the IIS configuration, and update the CA_IIS.Config.bat file with the new port number and rerun it. You should not need to delete the COGNOSCONTROLLERS folder, as long it uses a different application pool.
To remove IIS settings.
– Open IIS
– Click Application Pools
– Select the Cognos 11 App Pool and stop it
– Expand everything
– Select the ibmcognos -> sso application and remove it
– Select the ibmcognos application and remove it
– Click Application Pools, select the Cognos app pool, and delete it
– Close IIS
Open your file explorer
– Navigate to the Cognos gateway install directory
– Delete the following web.config files:
- cgi-bin\web.config
- webcontent\web.config
- webcontent\bi\web.config
https://www.ibm.com/support/pages/node/301009
Edit the CA_IIS_Config.bat file with HTTPS and correct port
:: If more than one dispatcher is defined, a Server Farm will be created
::
set disp[1].protocol=https
set disp[1].name=servername
set disp[1].port=9300
:: Enable SSO (True/False)
::
Run the script again, to reconfigure the IIS setup.
You need also to add the certificate for your server to IIS Manager, simplest is if you get a PFX file with all information and import that to Windows server. Then you can in IIS manager bind it to your default web site.
More information:
https://www.ibm.com/support/pages/how-add-3rd-party-ca-allow-ssl-between-components-ibm-cognos-analytics-11
https://www.thebestcsharpprogrammerintheworld.com/2014/01/17/configuring-application-request-routing-arr-to-use-a-port-other-than-port-80/