Friday 4 November 2016

IBM Cognos TM1 v9.4 custom certificate creation

Following recent news that the TM1 default certificates were expiring this month, and with no fix available for version 9.4, we were left bashing our heads against the wall to work this one out. Having now fixed it, the full end-to-end process is below. This is exactly how we fixed it; play with certificate contents and passwords if you wish, but I can't guarantee the results. If you can't be bothered doing it yourself, scroll to the bottom for the link to the certs I have created, which you can import into your environment.

Note: this only covers the basic components, so you may have additional work to do after this. It also assumes you are currently using the default certificates; the ones we create copy those exactly, but with another 10 years on the expiry date. I will add that I don't know much about TM1, so it's probably best not to ask many questions.

Setup CA


After install, create these folders under the root install directory (c:\openssl-win64 in this guide):

demoCA
demoCA\certs
demoCA\crl
demoCA\newcerts
demoCA\private

In demoCA create an empty text file called index.txt (the CA's database of issued certificates).
In demoCA create a file called serial (no extension) with the content 1000 (the serial number of the next certificate issued).

In the command prompt type:
set openssl_conf=c:\openSSL-win64\bin\openssl.cfg

In openssl.cfg make the following edits:

under [ CA_default ]

certs            = c:/openssl-win64/democa/certs                   # Where the issued certs are kept
database         = c:/openssl-win64/democa/index.txt               # database index file.
new_certs_dir    = c:/openssl-win64/democa/newcerts                # default place for new certs
certificate      = c:/openssl-win64/democa/private/applixca.pem    # The CA certificate: the file created by "openssl req -x509" below (the stock cacert.pem name never exists in this setup, and "openssl ca" fails with "Error opening CA certificate" if it is left in)
serial           = c:/openssl-win64/democa/serial                  # The current serial number
private_key      = c:/openssl-win64/democa/private/ca.key          # The private key
#crlnumber       = $dir/crlnumber                                  # the current crl number (must be commented out for v1 CRL)
default_days     = 3650                                            # how long to certify for
default_crl_days = 3650                                            # how long before next CRL
default_md       = sha1                                            # use public key default MD

under [ policy_match ]

change all fields to optional, except commonName = supplied (openssl ca then requires only a CN in each request; the other fields are copied from the request when present)

under [ req ]

default_bits       = 1024
default_md         = sha1

under [ req_distinguished_name ]

countryName_default             = US
stateOrProvinceName_default     = Massachusetts
0.organizationName_default      = Applix, Inc.
organizationalUnitName          = Applix, Inc
organizationalUnitName_default  = Applix, Inc.
commonName                      = supplied     # in this section the value is only the prompt text; the CN itself is typed at the prompt when each CSR is created

under [ proxy_cert_ext ]

uncomment nsCertType = server

Important


Note: when generating all certificates/keys use the password applix.

Default answers should be correct if you have edited openssl.cfg correctly, but for the avoidance of doubt:

Country = US
State = Massachusetts
Locality = Westboro (no default is set for this in openssl.cfg, so type it at the prompt)
Organisation = Applix, Inc.
OU = Applix, Inc.

Create CA key/certs


In the command prompt:

cd "c:\openssl-win64\bin"

openssl genrsa -des3 -out "C:\openssl-win64\democa\private\ca.key" 1024
openssl req -out "C:\openssl-win64\democa\private\applixca.pem" -new -x509 -extensions v3_ca -key "C:\openssl-win64\democa\private\ca.key" -days 3650
openssl ca -gencrl -keyfile "C:\openssl-win64\democa\private\ca.key" -cert "C:\openssl-win64\democa\private\applixca.pem" -out "C:\openssl-win64\democa\private\applixcacrl.pem"

Your c:\openssl-win64\democa\private folder should now contain:

ca.key - private key for CA certificate
applixca.pem - CA certificate
applixcacrl.pem - CRL

Create CSR & private keys


openssl genrsa -out "C:\openssl-win64\democa\tm1admsvrcert.key" 1024
openssl genrsa -out "c:\openssl-win64\democa\tm1svrcert.key" 1024
openssl req -new -sha1 -key "c:\openssl-win64\democa\tm1admsvrcert.key" -out "c:\openssl-win64\democa\tm1admsvrcert.csr"
openssl req -new -sha1 -key "c:\openssl-win64\democa\tm1svrcert.key" -out "c:\openssl-win64\democa\tm1svrcert.csr"

You should now have 4 files in c:\openssl-win64\democa\:

  • tm1admsvrcert.key
  • tm1svrcert.key
  • tm1admsvrcert.csr
  • tm1svrcert.csr

Sign certificates


openssl ca -in "c:\openssl-win64\democa\tm1admsvrcert.csr" -out "c:\openssl-win64\democa\tm1admsvrcert.pem"
openssl ca -in "c:\openssl-win64\democa\tm1svrcert.csr" -out "c:\openssl-win64\democa\tm1svrcert.pem"

Each run asks for the CA key passphrase (applix) and then for confirmation to sign and commit. You should end up with 2 more files in c:\openssl-win64\democa\:

  • tm1admsvrcert.pem
  • tm1svrcert.pem


Now open tm1admsvrcert.pem and tm1admsvrcert.key in Notepad, copy the contents of the key file into the pem file below the existing content, and save. Repeat for tm1svrcert.pem and tm1svrcert.key. This gives you two pem files that each contain the certificate followed by its private key, so treat them as secrets from here on.

Generate DER certificate


openssl x509 -outform der -in "C:\openssl-win64\democa\private\applixca.pem" -out "C:\openssl-win64\democa\private\applixca.der"
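As an added example (not the author's files or commands), here are the Setup CA through Generate DER steps above as one POSIX shell function with a minimal inline openssl config, so the result can be checked with openssl verify before anything is copied to the TM1 server. It assumes the openssl CLI, a work directory passed as the argument, and uses 2048-bit RSA and sha256 rather than the post's 1024/sha1 (current OpenSSL rejects sha1 signatures at verify time); the certificate entry names applixca.pem, the file openssl req -x509 actually writes.

```shell
# Added example, not from the original post: scripted CA -> CSR -> sign -> "paste the
# key under the cert" -> DER, mirroring the post's file names and the applix passphrase.
# build_tm1_certs and the inline config are this example's own; the post edits the
# stock openssl.cfg instead. Usage: build_tm1_certs /path/to/workdir
build_tm1_certs() (
  set -e; d="$1/demoCA"; cfg="$1/openssl.cfg"; pw="pass:applix"
  mkdir -p "$d/certs" "$d/crl" "$d/newcerts" "$d/private"
  : > "$d/index.txt"; echo 1000 > "$d/serial"
  cat > "$cfg" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/private/applixca.pem   # what 'req -x509' writes below, not cacert.pem
private_key = \$dir/private/ca.key
default_days = 3650
default_crl_days = 3650
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
  subj="/C=US/ST=Massachusetts/L=Westboro/O=Applix, Inc./OU=Applix, Inc."
  openssl genrsa -des3 -passout "$pw" -out "$d/private/ca.key" 2048 2>/dev/null
  openssl req -config "$cfg" -new -x509 -extensions v3_ca -days 3650 -key "$d/private/ca.key" \
    -passin "$pw" -subj "$subj/CN=applixca" -out "$d/private/applixca.pem"
  openssl ca -config "$cfg" -gencrl -passin "$pw" -out "$d/private/applixcacrl.pem"
  openssl x509 -outform der -in "$d/private/applixca.pem" -out "$d/private/applixca.der"
  for n in tm1admsvrcert tm1svrcert; do            # the two server certs the post signs
    openssl genrsa -out "$d/$n.key" 2048 2>/dev/null
    openssl req -config "$cfg" -new -key "$d/$n.key" -subj "$subj/CN=$n" -out "$d/$n.csr"
    openssl ca -config "$cfg" -batch -passin "$pw" -in "$d/$n.csr" -out "$d/$n.pem" 2>/dev/null
    openssl verify -CAfile "$d/private/applixca.pem" "$d/$n.pem" >/dev/null
    cat "$d/$n.key" >> "$d/$n.pem"                 # key below the cert, as in the post
  done
)
```

The function fails (non-zero exit) at the first openssl step that errors, so a wrong certificate path in the config shows up before the files reach the TM1 server.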

Generate TM1 files


Now, on your TM1 server create a subfolder under "C:\program files\cognos\tm1\bin\ssl" called new, and copy the files below there:

  • applixca.pem
  • applixca.der
  • applixcacrl.pem
  • tm1admsvrcert.pem
  • tm1svrcert.pem


In the command prompt on the TM1 server:

cd "c:\program files\cognos\tm1\bin"
tm1crypt -pwd applix -validate

In your "c:\program files\cognos\tm1\bin" folder you should now have two new files:

  • tm1cipher.dat
  • tm1key.dat


Copy these into C:\program files\cognos\tm1\bin\ssl\new

Create Java keystore


In the command prompt:

cd "C:\program files\cognos\tm1\axajre\jre\bin"
keytool -import -file "C:\program files\cognos\tm1\bin\ssl\new\applixca.pem" -keystore "C:\program files\cognos\tm1\bin\ssl\new\tm1store"

Update Certificates


You should now have all the files you need, so follow the steps below to update your setup:

Stop your TM1 services

In the command prompt:

cd "C:\program files\cognos\tm1\bin\ssl"
importsslcert -remove

Create a folder under ssl called "old" to back up your existing files, and move everything except importsslcert.exe, dh512.pem and dh1024.pem into it.

Copy the contents of "new" into the root ssl folder; you should now have:

  • importsslcert.exe
  • applixca.pem
  • applixca.der
  • applixcacrl.pem
  • tm1admsvrcert.pem
  • tm1svrcert.pem
  • tm1cipher.dat
  • tm1key.dat
  • tm1store
  • dh512.pem
  • dh1024.pem


Back in the command prompt:

importsslcert.exe

Start your TM1 services


You should find it's working; tm1server.log in your data directory should also confirm this.


And now, the bundle of files to save you the pain;

19 comments:

  1. You really made my day. I really owe you a million thanks for the detailed instructions.
    Keep up the great work and keep posting such good stuff which helps people immensely.

  2. This has been a massive help for me too. We're even further behind on V9.1.4, and I was starting to panic I might not get it working in time (or at all), but I was able to use the files you produced as a straight swap for the ones I have, and everything's good again. Thanks.

  3. Glad I could help. I often think of writing a blog when I fix random stuff that Google doesn't already have an answer for, but this is the first time I've bothered. Perhaps I'll do it more in future!

    Replies
    1. Clients will need updating too; when updating the server, run the -remove command, copy the new files in and then run -import.

    2. When backing up the old files you said to copy everything except importsslcert.exe, dh512.pem and dh1024.pem. Is that right? Why do I keep these old files, when the new bundle includes new files?

    3. Keep them or don't keep them, your choice. Not sure why you deleted your original question though!

    4. Thank you very much for your great support, I will try your files.

  4. This is awesome. Question: Are you also running TM1Web? If so, did it work?

  5. Not running TM1Web so can't help there. If it uses the same certs there's no reason it won't work; however, I expect there is an additional cert for that service, and if so simply make another one copying the details in the existing one.

  6. I just tried it on a dev instance, and TM1Web is working! When I tried with the new IBM certs, TM1Web refused to work.

    This is awesome. Really saved my butt. Thank you!

  7. Thanks InVirt, it helped a lot.

    The certificates you supplied work perfectly. I just wanted to try to make them by myself following the instructions. But while signing the certificates I get the following error:

    OpenSSL> ca -in /usr/local/etc/openssl/demoCA/tm1admsvrcert.csr -out /usr/local/etc/openssl/demoCA/tm1admsvrcert.pem
    Using configuration from /System/Library/OpenSSL/openssl.cnf
    Enter pass phrase for /usr/local/etc/openssl/demoCA/private/ca.key:
    Error opening CA certificate /usr/local/etc/openssl/demoCA/private/cacert.pem

    It seems to be a common error according to Google. I did not find a way to fix it…

    Do you have any guess?

  8. Could be a configuration issue; if you're following my guide the CA certificate wasn't called cacert.pem. If it's an existing OpenSSL setup, perhaps your CA certificate has expired? Either way I think my gambit would be to start again.

  9. Do you mean that I should modify the line "certificate" in the openssl.cnf file?

  10. Thank you very much. You saved my night (and day ;) ).