Note, this only covers the basic components, so you may have additional work to do after this. It also assumes you are currently using the default certificates; the ones we will create copy those exactly, but with another 10 years on the expiry date. I will add that I don't know much about TM1, so it's probably best not to ask many questions.
Setup CA
Install 64 bit OpenSSL from https://slproweb.com/products/Win32openSSL.html
After install, create folders under root install directory;
demoCA
demoCA\certs
demoCA\crl
demoCA\newcerts
demoCA\private
In demoCA create an empty text file called index.txt
In demoCA create a file called serial (no extension) with content 1000
In command prompt type;
set openssl_conf=c:\openSSL-win64\bin\openssl.cfg
In openssl.cfg make the following edits;
under [ CA_default ]
certs = c:/openssl-win64/democa/certs # Where the issued certs are kept
database = c:/openssl-win64/democa/index.txt # database index file.
new_certs_dir = c:/openssl-win64/democa/newcerts # default place for new certs
certificate = c:/openssl-win64/democa/private/applixca.pem # The CA certificate (created below as applixca.pem)
serial = c:/openssl-win64/democa/serial # The current serial number
private_key = c:/openssl-win64/democa/private/ca.key # The private key
#crlnumber = $dir/crlnumber # the current crl number (must be commented out for v1 CRL)
default_days = 3650 # how long to certify for
default_crl_days = 3650 # how long before next CRL
default_md = sha1 # use public key default MD
under [ policy_match ]
change all to optional except CommonName = supplied
under [ req ]
default_bits = 1024
default_md = sha1
under [ req_distinguished_name ]
countryName_default = US
stateOrProvinceName_default = Massachusetts
0.organizationName_default = Applix, Inc.
organizationalUnitName = Applix, Inc
organizationalUnitName_default = Applix, Inc.
commonName = supplied
under [ proxy_cert_ext ]
uncomment nsCertType = server
Important
Note, when generating all certificates/keys use the password applix
Default answers should be correct if you have edited openssl.cfg correctly, but for the avoidance of doubt;
Country = US
State = Massachusetts
Location = Westboro
Organisation = Applix, Inc.
OU = Applix, Inc.
Create CA key/certs
In command prompt
cd "c:\openssl-win64\bin"
openssl genrsa -des3 -out "C:\openssl-win64\democa\private\ca.key" 1024
openssl req -out "C:\openssl-win64\democa\private\applixca.pem" -new -x509 -extensions v3_ca -key "C:\openssl-win64\democa\private\ca.key" -days 3650
openssl ca -gencrl -keyfile "C:\openssl-win64\democa\private\ca.key" -cert "C:\openssl-win64\democa\private\applixca.pem" -out "C:\openssl-win64\democa\private\applixcacrl.pem"
Your c:\openssl-win64\democa\private folder should now contain;
ca.key - private key for CA certificate
applixca.pem - CA certificate
applixcacrl.pem - CRL
Create CSR & private keys
openssl genrsa -out "C:\openssl-win64\democa\tm1admsvrcert.key" 1024
openssl genrsa -out "c:\openssl-win64\democa\tm1svrcert.key" 1024
openssl req -new -sha1 -key "c:\openssl-win64\democa\tm1admsvrcert.key" -out "c:\openssl-win64\democa\tm1admsvrcert.csr"
openssl req -new -sha1 -key "c:\openssl-win64\democa\tm1svrcert.key" -out "c:\openssl-win64\democa\tm1svrcert.csr"
You should now have 4 files in c:\openssl-win64\democa\;
- Tm1admsvrcert.key
- Tm1svrcert.key
- Tm1admsvrcert.csr
- Tm1svrcert.csr
Sign certificates
openssl ca -in "c:\openssl-win64\democa\tm1admsvrcert.csr" -out "c:\openssl-win64\democa\tm1admsvrcert.pem"
openssl ca -in "c:\openssl-win64\democa\tm1svrcert.csr" -out "c:\openssl-win64\democa\tm1svrcert.pem"
Should end up with 2 more files in c:\openssl-win64\democa\:
- Tm1admsvrcert.pem
- Tm1svrcert.pem
Now open up tm1admsvrcert.pem and tm1admsvrcert.key in notepad, copy the contents of the key file into the pem file, below the existing content, and save. Repeat for tm1svrcert.pem. This will give you two pem files that include the private key.
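A quick check at this point, before anything is copied to the TM1 server. This is an added example, not part of the original post: it assumes the paths used above, is run from a PowerShell prompt rather than the command prompt, and Test-Tm1Pem is a made-up helper name.

```powershell
# Added example (not from the original post). Paths are the ones used in this guide;
# adjust $openssl and $dir if your install differs.
$openssl   = 'C:\openssl-win64\bin\openssl.exe'
$dir       = 'C:\openssl-win64\democa'
$ca        = Join-Path $dir 'private\applixca.pem'
$nineYears = 9 * 365 * 24 * 3600   # seconds; a 3650-day cert must outlive this

function Test-Tm1Pem([string]$Pem) {
    # 1. The certificate must chain to the new CA certificate.
    & $openssl verify -CAfile $ca $Pem | Out-Null
    $chain = ($LASTEXITCODE -eq 0)

    # 2. The key pasted in with notepad must belong to the certificate: both
    #    commands read the same combined file and must print the same modulus.
    $certMod = [string](& $openssl x509 -in $Pem -noout -modulus)
    $keyMod  = [string](& $openssl rsa -in $Pem -noout -modulus)
    $key     = ($LASTEXITCODE -eq 0) -and ($certMod -ne '') -and ($certMod -eq $keyMod)

    # 3. The certificate must still be valid nine years from now
    #    (-checkend takes seconds and sets a non-zero exit code on failure).
    & $openssl x509 -in $Pem -noout -checkend $nineYears | Out-Null
    $expiry = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        File     = Split-Path $Pem -Leaf
        ChainOk  = $chain
        KeyMatch = $key
        ExpiryOk = $expiry
        NotAfter = [string](& $openssl x509 -in $Pem -noout -enddate)
    }
}

$results = 'tm1admsvrcert.pem', 'tm1svrcert.pem' |
    ForEach-Object { Test-Tm1Pem (Join-Path $dir $_) }
$results | Format-Table -AutoSize

# Any False column means the file would be rejected or is a mismatched pair.
if ($results | Where-Object { -not ($_.ChainOk -and $_.KeyMatch -and $_.ExpiryOk) }) {
    Write-Warning 'At least one pem failed a check; fix it before copying files to the TM1 server.'
}
```

A KeyMatch of False usually means the wrong .key file was pasted into the .pem, or the paste cut off part of the key block.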
Generate DER certificate
openssl x509 -outform der -in "C:\openssl-win64\democa\private\applixca.pem" -out "C:\openssl-win64\democa\private\applixca.der"
Generate TM1 files
Now, on your TM1 server create a subfolder under "C:\program files\cognos\tm1\bin\ssl" called new, copy the below files there;
- Applixca.pem
- Applixca.der
- Applixcacrl.pem
- Tm1admsvrcert.pem
- Tm1svrcert.pem
In command prompt on the TM1 server;
cd "c:\program files\cognos\tm1\bin"
tm1crypt -pwd applix -validate
In your "c:\program files\cognos\tm1\bin" folder you should now have two new files;
- Tm1cipher.dat
- Tm1key.dat
Copy these into C:\program files\cognos\tm1\bin\ssl\new
Create Java keystore
In command prompt;
cd "C:\program files\cognos\tm1\axajre\jre\bin"
keytool -import -file "C:\program files\cognos\tm1\bin\ssl\new\applixca.pem" -keystore "C:\program files\cognos\tm1\bin\ssl\new\tm1store"
Update Certificates
You should now have all the files you need, so follow the below to update your setup;
Stop your TM1 services
In command prompt;
cd "C:\program files\cognos\tm1\bin\ssl"
importsslcert -remove
Create a folder under SSL called "old" to back up your existing files, move everything except importsslcert.exe, dh512.pem and dh1024.pem into it.
Copy the contents of "new" into the root ssl folder, you should now have
- Importsslcert.exe
- Applixca.pem
- Applixca.der
- Applixcacrl.pem
- Tm1admsvrcert.pem
- Tm1svrcert.pem
- Tm1cipher.dat
- Tm1key.dat
- Tm1store
- Dh512.pem
- Dh1024.pem
Back in command prompt;
importsslcert.exe
Start your TM1 services
You should find it's working, tm1server.log in your data directory should also confirm this.
And now, the bundle of files to save you the pain;
You really made my day.. Really owe you million thank you for the detailed instructions.
Keep up the great work and keep posting such good stuff which helps people immensely.
This has been a massive help for me too. We're even further behind on V9.1.4, and I was starting to panic I might not get it working in time (or at all), but I was able to use the files you produced as a straight swap for the ones I have, and everything's good again. Thanks.
Glad I could help. I often think of writing a blog when I fix random stuff that Google doesn't already have an answer for but this is the first time I've bothered. Perhaps I'll do it more in future!
This comment has been removed by the author.
Clients will need updating too, when updating server run the -remove command, copy new files in and then run -import
When backing up old files you said to copy all files except importsslcert.exe, dh512.pem and dh1024.pem new files,
is that right? Why do I keep these old files
while the new bundle includes new files?
Keep them or don't keep them, your choice. Not sure why you deleted your original question though!
Sorry, I deleted by mistake
Thank you very much for your great support I will try your files
This is awesome. Question: Are you also running TM1Web? If so, did it work?
Not running TM1Web so can't help there, if it uses the same certs no reason it won't work, however I expect there is an additional cert for that service, if so simply make another one copying the details in the existing one.
I just tried it on a dev instance, and TM1Web is working! When I tried with the new IBM certs, TM1Web refused to work.
This is awesome. Really saved my butt. Thank you!
Thanks InVirt, it helped a lot.
The certificates you supplied work perfectly. I just wanted to try to make them by myself following the instructions. But while signing the certificates I get the following error:
OpenSSL> ca -in /usr/local/etc/openssl/demoCA/tm1admsvrcert.csr -out /usr/local/etc/openssl/demoCA/tm1admsvrcert.pem
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for /usr/local/etc/openssl/demoCA/private/ca.key:
Error opening CA certificate /usr/local/etc/openssl/demoCA/private/cacert.pem
It seems to be a common error according to Google. I did not find a way to fix it…
Do you have any guess?
Could be a configuration issue, if you're following my guide the CA certificate wasn't called cacert.pem. If it's an existing OpenSSL setup, perhaps your CA certificate has expired? Either way I think my gambit would be to start again.
Do you mean that I should modify the line "certificate" in the openssl.cnf file?
Thank you very much. You saved my night (and day ;) ).