SSL breaks on Nov 24 (TM1 SSL Certificates Expire on 24 November)

Steve Vincent
Site Admin
Posts: 1054
Joined: Mon May 12, 2008 8:33 am
OLAP Product: TM1
Version: 10.2.2 FP1
Excel Version: 2010
Location: UK

Re: SSL breaks on Nov 24 (TM1 SSL Certificates Expire on 24 November)

Post by Steve Vincent »

BrianL wrote:IBM has been shipping updated SSL certificates for a while. They're just not the default. The 'v2' certificates expire in 2022 and contain a 2048 bit key instead of the default 1024 bits.

Using these certificates is a much better option than disabling SSL, and is one you can already start testing/deploying today if you don't want to wait for official patches.

http://www-01.ibm.com/support/docview.w ... wg21697266
I raised a concern with our account manager the other day about the lack of communication and the fact this technote was incomplete. It seems that might have worked to a fashion - the note was updated yesterday to include details on pmhub / opsconsole.
If this were a dictatorship, it would be a heck of a lot easier, just so long as I'm the dictator.
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
blackhawk
Community Contributor
Posts: 136
Joined: Thu May 29, 2008 2:29 pm

Re: SSL breaks on Nov 24

Post by blackhawk »

I confirmed with IBM yesterday that they are releasing a new 1024 bit certificate, that will allow existing users (including 9.5) to remain untouched in terms of software upgrades. The new certificate is going to be part of an interim fix for 10.2 but may also be issued separately for those who cannot upgrade.

All it *should* mean is to just re-point to the new certificate in your client and server. Or, perhaps just rename the file to the current name and re-distribute the file to everyone.

This is good news. I was afraid that this was going to be used as a way for IBM to generate upgrade revenue on those people who have not kept up.
paulsimon
MVP
Posts: 808
Joined: Sat Sep 03, 2011 11:10 pm
OLAP Product: TM1
Version: PA 2.0.5
Excel Version: 2016

Re: SSL breaks on Nov 24

Post by paulsimon »

Thanks BlackHawk

We have also approached our own Account Manager. He said he is going to look in to it but it will take him a few days to get back to us. It appears that even the Account Managers are not aware of this issue.

I will point him in the direction of your post and ask him to confirm when the new certificate is going to be made available.

Regards

Paul Simon
jcr55
Posts: 54
Joined: Tue May 08, 2012 3:58 pm
OLAP Product: TM1
Version: 9.5.2 FP2
Excel Version: Excel 2007

Re: SSL breaks on Nov 24

Post by jcr55 »

Steve Vincent wrote:
BrianL wrote:IBM has been shipping updated SSL certificates for a while. They're just not the default. The 'v2' certificates expire in 2022 and contain a 2048 bit key instead of the default 1024 bits.

Using these certificates is a much better option than disabling SSL, and is one you can already start testing/deploying today if you don't want to wait for official patches.

http://www-01.ibm.com/support/docview.w ... wg21697266
I raised a concern with our account manager the other day about the lack of communication and the fact this technote was incomplete. It seems that might have worked to a fashion - the note was updated yesterday to include details on pmhub / opsconsole.
We are on 10.2.2. I have read the Technote instructions on how to change over to using the Version 2 certificates, but am not sure what the correct sequence of changes should be. The technote has the items in this order:
TM1 Admin Server Configuration change
TM1 Server tm1s.cfg config change
TM1 Architect Options change
TM1 Application Server xml change

But I should stop all TM1 Servers before the TM1 Admin Server Configuration change to Certificate Version 2, correct?

Has anyone successfully switched to using the Version 2 2048 bit certificates yet?
If so, what was the order of changes used?
kangkc
Community Contributor
Posts: 206
Joined: Fri Oct 17, 2008 2:40 am
OLAP Product: TM1, PA , TMVGate
Version: 2.x
Excel Version: 36x
Location: Singapore

Re: SSL breaks on Nov 24

Post by kangkc »

Yes. We have tested it. All services have to be stopped before V2 certs configuration. And of course Admin server has to be up first before all TM1 instances once V2 certs are done. The client side will be client by client.
Steve Vincent
Site Admin
Posts: 1054
Joined: Mon May 12, 2008 8:33 am
OLAP Product: TM1
Version: 10.2.2 FP1
Excel Version: 2010
Location: UK

Re: SSL breaks on Nov 24

Post by Steve Vincent »

PMhub is currently causing issues, otherwise the rest has been simple enough. The technote for the pmhub section is incorrect (for Windows at least) and I've got an open PMR with IBM on trying to find out what the correct actions are.
If this were a dictatorship, it would be a heck of a lot easier, just so long as I'm the dictator.
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
David Usherwood
Site Admin
Posts: 1453
Joined: Wed May 28, 2008 9:09 am

Re: SSL breaks on Nov 24

Post by David Usherwood »

Steve Vincent wrote:PMhub is currently causing issues, otherwise the rest has been simple enough. The technote for the pmhub section is incorrect (for Windows at least) and I've got an open PMR with IBM on trying to find out what the correct actions are.
My belief (but happy to be corrected) is that PMhub is only for Ops Console. In our experience, and our clients', Ops Console is a nice idea that never worked - possibly due to the documentation issues. I recall trying to configure it when going through the 10.2.2 BI/TM1 integration, when the documented steps broke CAFE. It's even broken on TM1 Cloud. If others have better experience and find Ops Console of value, I'd be happy to change my view.
declanr
MVP
Posts: 1815
Joined: Mon Dec 05, 2011 11:51 am
OLAP Product: Cognos TM1
Version: PA2.0 and most of the old ones
Excel Version: All of em
Location: Manchester, United Kingdom

Re: SSL breaks on Nov 24

Post by declanr »

David Usherwood wrote: My belief (but happy to be corrected) is that PMhub is only for Ops Console. In our experience, and our clients', Ops Console is a nice idea that never worked - possibly due to the documentation issues. I recall trying to configure it when going through the 10.2.2 BI/TM1 integration, when the documented steps broke CAFE. It's even broken on TM1 Cloud. If others have better experience and find Ops Console of value, I'd be happy to change my view.
I might be one of the few but I always use ops console now in place of TM1 Top and don't really have any issues - other than remembering to turn off compatibility view in IE (I have a blindspot in my memory on that one.)

The current client I am working at is using CAM security through full BI for TM1 and it works well but I will admit that I haven't checked Cafe as its something I rarely use if it can be avoided.

EDIT - I will caveat that I am just using it as a TM1 top replacement and that I have had issues with trying to view transactions logs in it (if they have more than about 4 records)... used the application server monitor a couple of times but there are better free tools for that.
Last edited by declanr on Tue Sep 13, 2016 11:00 am, edited 1 time in total.
Declan Rodger
qml
MVP
Posts: 1094
Joined: Mon Feb 01, 2010 1:01 pm
OLAP Product: TM1 / Planning Analytics
Version: 2.0.9 and all previous
Excel Version: 2007 - 2016
Location: London, UK, Europe

Re: SSL breaks on Nov 24

Post by qml »

David Usherwood wrote:My belief (but happy to be corrected) is that PMhub is only for Ops Console.
If I remember correctly, CAFE also connects to the PMhub. Which would explain this problem:
David Usherwood wrote:I recall trying to configure it when going through the 10.2.2 BI/TM1 integration, when the documented steps broke CAFE.
I have to agree with you that Ops Console, like too many of TM1 interfaces/tools, looks better on paper than in practice. However, I am organically opposed to running any server monitoring and management tools as a web service. It should be implemented as a thick client (in this case TM1top on steroids) which can connect to the server directly and lets you fix things even when everything else fails.
Kamil Arendt
Steve Vincent
Site Admin
Posts: 1054
Joined: Mon May 12, 2008 8:33 am
OLAP Product: TM1
Version: 10.2.2 FP1
Excel Version: 2010
Location: UK

Re: SSL breaks on Nov 24

Post by Steve Vincent »

declanr wrote: I might be one of the few but I always use ops console now in place of TM1 Top and don't really have any issues - other than remembering to turn off compatibility view in IE (I have a blindspot in my memory on that one.)
Nope, we use it and after some setup niggles it seems to work just fine, both with and without CAM authentication. It's the only way we have of seeing what is going on if a customer complains about performance issues. We don't use CAFE (yet) so if they are the only 2 areas we might struggle with then I think we can work with that.
If this were a dictatorship, it would be a heck of a lot easier, just so long as I'm the dictator.
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
ByronB
Posts: 17
Joined: Tue Mar 01, 2016 5:55 am
OLAP Product: TM1 + BI
Version: TM1 10.2
Excel Version: Excel 2010

Re: SSL breaks on Nov 24

Post by ByronB »

Hi All,

You should have a look at this article:
http://cubewise.com/blog/solutions-expi ... tificates/

It describes the different solutions depending on the TM1 version.

Cheers,
Steve Vincent
Site Admin
Posts: 1054
Joined: Mon May 12, 2008 8:33 am
OLAP Product: TM1
Version: 10.2.2 FP1
Excel Version: 2010
Location: UK

Re: SSL breaks on Nov 24

Post by Steve Vincent »

all fine except that option B still means local changes on client machines, and worse still it is usually harder for anyone with a deployed app to do rather than just asking users to update a client config (it's no different to adding an adminhost really). people seem to forget that a lot of companies don't allow editing of software like that, and in our case the deployed software is packaged & installed by a 3rd party. all that costs money and more significantly time, let alone the need to thoroughly test beforehand because fixes for one thing have a nasty habit of breaking another 5...

for us, the only viable option I can see is swapping all the servers & other apps to the 2nd cert and asking users to edit their own configs. nothing else allows us the needed time to deploy it before BOOM day :x
If this were a dictatorship, it would be a heck of a lot easier, just so long as I'm the dictator.
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
jinnivan
Posts: 1
Joined: Sun Jan 25, 2015 7:31 pm
OLAP Product: Cognos TM1
Version: 10.2
Excel Version: 2010

Re: SSL breaks on Nov 24

Post by jinnivan »

Will they have an effect on IntegratedSecurityMode=5 or other authorization (CAM, LDAP)?
lotsaram
MVP
Posts: 3651
Joined: Fri Mar 13, 2009 11:14 am
OLAP Product: TableManager1
Version: PA 2.0.x
Excel Version: Office 365
Location: Switzerland

Re: SSL breaks on Nov 24

Post by lotsaram »

jinnivan wrote:Will they have an effect on IntegratedSecurityMode=5 or other authorization (CAM, LDAP)?
SSL affects whether client<->server communication is encrypted or not. Can you please explain how your question is relevant?
Please place all requests for help in a public thread. I will not answer PMs requesting assistance.
MSidat
Community Contributor
Posts: 110
Joined: Thu Aug 26, 2010 7:41 am
OLAP Product: TM1, PA
Version: PAL 2.0.8
Excel Version: 2016
Location: North West England

Re: SSL breaks on Nov 24

Post by MSidat »

RE: Cubewise - Option B

For those in the know, do you know if there is anything extra needed for a CX installation (running 10.2.0)? I don't think there will be, as it is a TM1 communication issue, but I am unsure if CX possibly leverages the same SSL certs for anything else.

Also, is it just a simple case of deletions and renames in the relevant bin folders on the servers and clients? Is there no requirement to register the new certificates in the server's trust store, or will that be done automatically at some stage?
Always Open to Opportunities
Edward Stuart
Community Contributor
Posts: 247
Joined: Tue Nov 01, 2011 10:31 am
OLAP Product: TM1
Version: All
Excel Version: All
Location: Manchester

Re: SSL breaks on Nov 24

Post by Edward Stuart »

A different IBM Technote on SSL Certificates released today:

https://www-01.ibm.com/support/docview. ... SS9RXT-_-R
Technote (FAQ)

Question
My TM1 Certificates expire in late-November. How can these be updated so that our environment is not impacted?
Answer
Option 1 - Secure your IBM Cognos TM1 Environment with Custom Certificates
When: You can do this today if you wish - no Interim Fix required
Why: IBM Cognos TM1 comes packaged with default SSL certificates. In general, it is recommended to use your own organization's SSL Certificates.
How: See the following documentation (Change version using dropdown on page):
http://www.ibm.com/support/knowledgecen ... es_N1207C4
Option 2 - Switch to the IBM Cognos TM1 v2 Certificates (TM1 10.2+ only)
When: You can do this today if you wish - no Interim Fix required
Why: The v2 certificates provided were created as 2048 encrypted keys, whereas the default Applix certificates were 1024. These guys expire in 2022.
How: See the following technote: http://www-01.ibm.com/support/docview.w ... wg21697266
**Note: 2048 is just an encryption method. There has been some confusion around the use of 2048...simplify this and think of it as nothing more than a different set of keys.
Option 3 - Apply an Interim Fix Updater
The IBM Cognos TM1 Development team will be releasing an interim fix which only includes updated default/applixca certificates. This fix will be applicable to the following versions of TM1:

10.1.0 ( Including any interim fix/fixpack builds )
10.1.1 ( Including any interim fix/fixpack builds )
10.2.0 ( Including any interim fix/fixpack builds )
10.2.2 ( Including any interim fix/fixpack builds )

Once the fix is available, it will need to be applied to all TM1 Server components - as well as all TM1 Client components (both a server side, and client side updater will be released).
INSTALLING THE UPDATER:
1) Download/Extract the Updater to your TM1 Servers (this includes application servers)
2) Stop your TM1 Services
3) Run the installer as an Administrator
4) Next, Next, Finish (follow the prompts to apply the fix to your TM1 directory)
5) After the installer has been completed, the following directories will contain the updated certificates:
<install dir>\tm1_64\bin\ssl
<install dir>\tm1_64\bin64\ssl
<install dir>\tm1_64\webapps\pmpsvc\WEB-INF\bin64\ssl
6) Start your TM1 Services
7) Update TM1 Client machines following the same steps - with the Client Updater
(If you used the Server install to install your TM1 Clients - then continue to use the server fix, to update your install)

The ETA for this Interim Fix is not currently available. This document will either be updated with an ETA - or a reference to a link where the fix can be found. The release of the fix is very near.
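
To confirm what is actually deployed before and after any of the options in the technote quoted above, the three ssl directories it lists can be audited for expiry date and key size. This is an added example, not part of the technote or of any IBM tooling; `$InstallDir` is a placeholder for your `<install dir>`, `$WarnDays` is an arbitrary threshold, and it assumes the certificate files are PEM-encoded.

```powershell
# Added example: report expiry and RSA key size for certificates in the
# TM1 ssl directories named in the technote. Run on each server and client.
param(
    [string]$InstallDir = 'C:\path\to\install',  # placeholder: set to your <install dir>
    [int]$WarnDays = 90                          # assumed warning threshold
)

$sslDirs = @(
    'tm1_64\bin\ssl',
    'tm1_64\bin64\ssl',
    'tm1_64\webapps\pmpsvc\WEB-INF\bin64\ssl'
) | ForEach-Object { Join-Path $InstallDir $_ }

$now = Get-Date
$report = foreach ($dir in $sslDirs) {
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Warning "Directory not found: $dir"
        continue
    }
    foreach ($file in Get-ChildItem -LiteralPath $dir -File) {
        # Skip key stores, CRLs and anything else without a PEM certificate block.
        $isPem = Select-String -LiteralPath $file.FullName -SimpleMatch `
                     -Pattern '-----BEGIN CERTIFICATE-----' -Quiet
        if (-not $isPem) { continue }
        try {
            # Loads the first certificate in the file; later ones are not inspected.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                        -ArgumentList $file.FullName
        } catch {
            Write-Warning "Could not parse $($file.FullName): $($_.Exception.Message)"
            continue
        }
        # Returns $null for non-RSA keys, so KeyBits is left empty in that case.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        [pscustomobject]@{
            File     = $file.FullName
            Subject  = $cert.Subject
            NotAfter = $cert.NotAfter
            DaysLeft = $daysLeft
            KeyBits  = if ($rsa) { $rsa.KeySize } else { $null }
            Status   = if ($daysLeft -lt 0) { 'EXPIRED' }
                       elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' }
                       else { 'OK' }
        }
    }
}

$report | Sort-Object NotAfter | Format-Table -AutoSize
```

Comparing the output across servers and clients shows any machine still holding a certificate with the old expiry date or key size, which is the mismatch that breaks connections once only one side has been switched.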
Steve Vincent
Site Admin
Posts: 1054
Joined: Mon May 12, 2008 8:33 am
OLAP Product: TM1
Version: 10.2.2 FP1
Excel Version: 2010
Location: UK

Re: SSL breaks on Nov 24

Post by Steve Vincent »

great, except it tells us nothing new and points us back to the original technote anyway. I've received some stuff from my PMR today, hoping it'll complete the gaps and I'll then know exactly what we need to do
If this were a dictatorship, it would be a heck of a lot easier, just so long as I'm the dictator.
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
jcr55
Posts: 54
Joined: Tue May 08, 2012 3:58 pm
OLAP Product: TM1
Version: 9.5.2 FP2
Excel Version: Excel 2007

Re: SSL breaks on Nov 24

Post by jcr55 »

kangkc wrote:Yes. We have tested it. All services have to be stopped before V2 certs configuration. And of course Admin server has to be up first before all TM1 instances once V2 certs are done. The client side will be client by client.
OK thank you.
dsproffitt
Posts: 66
Joined: Wed Jul 16, 2014 9:20 am
OLAP Product: All of them
Version: All of them
Excel Version: 2003 -2013

Re: SSL breaks on Nov 24

Post by dsproffitt »

This site has the answers to the SSL conundrum.

It assumes TM1 default installation and is a temporary solution to the certificate issue until the Interim Fix is pushed out.

http://ibm.biz/TM1SSLCertificate
Steve Rowe
Site Admin
Posts: 2410
Joined: Wed May 14, 2008 4:25 pm
OLAP Product: TM1
Version: TM1 v6,v7,v8,v9,v10,v11+PAW
Excel Version: Nearly all of them

Re: SSL breaks on Nov 24

Post by Steve Rowe »

Hi Duncan,
From your post in your link.

"So, before 24/11/2016 any customer must upgrade to TM1 v10.2.2 FP6, TM1 v10.2.0 FP2 or TM1 v10.1.1 FP2 as only for these releases the new Interim Fix will be published."

Are you saying categorically that there is no alternative to this and that IBM are only going to patch supported releases? Is this the official IBM position?

Will there be a method documented by IBM to fix unsupported releases?

Cheers,
Technical Director
www.infocat.co.uk