SSL breaks on Nov 24 (TM1 SSL Certificates Expire on 24 November)

[dsproffitt]

Hi Steve,
Im afraid I do not know the answers to your questions.
I cannot comment on unsupported releases as I honestly dont know and in my role, I dont even deal with unsupported older releases.
I can ask Product Management and get back to this forum, but I cannot give a timescale for this, as I dont even know if they will give an official statement on it.
But, I can try.

According to the technote published on the post

Code: Select all

The IBM Cognos TM1 Development team will be releasing an interim fix which only includes updated default/applixca certificates. This fix will be applicable to the following versions of TM1:

10.1.0 ( Including any interim fix/fixpack builds )
10.1.1 ( Including any interim fix/fixpack builds )
10.2.0 ( Including any interim fix/fixpack builds )
10.2.2 ( Including any interim fix/fixpack builds ) 

[Steve Rowe]

Hi Duncan,

Sure, thanks for the response it would be great if IBM were prepared to document fixes for older releases even if it were done in an unsupported "it's not our problem if it goes wrong" way.

Cheers

[Guillaume Galtier]

Hi All,

SSL is turned off on my configuration (UseSSL=F into my tm1s.cfg file).

I performed some tests simulating the 25 Nov 2016 (changing the system date on the client side).
I was expecting to be able to access my servers as usual but it's not the case: all the servers disappeared from my server explorer.

I don't understand why.
Has someone the same configuration and the same problem?

Thanks in advance,

Guillaume

[qml]

SSL is turned off on my configuration (UseSSL=F into my tm1s.cfg file).

I performed some tests simulating the 25 Nov 2016 (changing the system date on the client side).
I was expecting to be able to access my servers as usual but it's not the case: all the servers disappeared from my server explorer.

I don't understand why.
Has someone the same configuration and the same problem?

Yes, this behaviour is expected. As already mentioned earlier in this thread, this approach will not work. The reason it doesn't work is the fact that UseSSL is a parameter that controls how the communication between the TM1 server and the TM1 clients is performed, but not how the communication with the Admin Host is performed. Hence the behaviour you are seeing - without working SSL the Admin Host will not be able to return the list of active TM1 servers.

[Guillaume Galtier]

Yes, this behaviour is expected. As already mentioned earlier in this thread, this approach will not work. The reason it doesn't work is the fact that UseSSL is a parameter that controls how the communication between the TM1 server and the TM1 clients is performed, but not how the communication with the Admin Host is performed. Hence the behaviour you are seeing - without working SSL the Admin Host will not be able to return the list of active TM1 servers.

Thank you for your quick reply.

Does this mean that updating the certificates to v2 on the Admin Server will be enough to solve the problem in my case?
My concern is to go through the 24 Nov without planning a deployment on the clients...

[qml]

Does this mean that updating the certificates to v2 on the Admin Server will be enough to solve the problem in my case?
My concern is to go through the 24 Nov without planning a deployment on the clients...

Unfortunately, I don't see how this could work. Clients would have to be updated too to use the same certificates and be able to communicate with the Admin Host service as well as with the individual TM1 services.

[Steve Vincent]

Does this mean that updating the certificates to v2 on the Admin Server will be enough to solve the problem in my case?
My concern is to go through the 24 Nov without planning a deployment on the clients...

Unfortunately, I don't see how this could work. Clients would have to be updated too to use the same certificates and be able to communicate with the Admin Host service as well as with the individual TM1 services.

That is what my testing has shown - all elements must be using the same certificate for it to work. You have no option but to update clients one way or another.

[Guillaume Galtier]

Does this mean that updating the certificates to v2 on the Admin Server will be enough to solve the problem in my case?
My concern is to go through the 24 Nov without planning a deployment on the clients...

Unfortunately, I don't see how this could work. Clients would have to be updated too to use the same certificates and be able to communicate with the Admin Host service as well as with the individual TM1 services.

That is what my testing has shown - all elements must be using the same certificate for it to work. You have no option but to update clients one way or another.

Sorry if I insist, but I probably missed something...

What I understood about the upgrade to v2 certificates is that on the client side we have only to update the SSL options through Architect (or Perspectives) to make the Certifcate Authority = tm1ca_v2.pem

But my current configuration is non SSL and if I let all the SSL fields empty under the Architect TM1 options (so mainly Certifcate Authority and Certifcate ID), everything is working fine.

So why on 25th of Nov should I fill in the fields?
Is there another modification to do on the client side?

Guillaume

[qml]

But my current configuration is non SSL and if I let all the SSL fields empty under the Architect TM1 options (so mainly Certifcate Authority and Certifcate ID), everything is working fine.

So why on 25th of Nov should I fill in the fields?
Is there another modification to do on the client side?

Well in that case just updating the certificates on the server might work. The Admin Host service will communicate with the TM1 services via SSL using the v2 certificate (communication between server components cannot be non-SSL as far as I'm aware) and the TM1 clients would communicate with Admin Host using the non-SSL method that I believe is left available for backward compatibility. Communication between the Client and the TM1 services would also be done without SSL since you are forcing it to 'UseSSL=F'. This is my hypothesis, but you will have to test it anyway to be sure.

[BrianL]

IBM *just* released a support alert for the expiring certificates.

http://www-01.ibm.com/support/docview.w ... wg21990869

Not sure if it has any new information as I have yet to read through all the links, but maybe someone will find it helpful.

[jcr55]

IBM *just* released a support alert for the expiring certificates.

http://www-01.ibm.com/support/docview.w ... wg21990869

Not sure if it has any new information as I have yet to read through all the links, but maybe someone will find it helpful.

Yes - today I received an email from IBM My Notifications
Cognos TM1 : Flashes
Support Alert: Cognos TM1 SSL Certificate Expiration

and it provides a link to the same certification information.

Thank you to IBM for the breaking news!

[qml]

Thank you to IBM for the breaking news!

What are you doing to make sure everyone is aware of this important change?

We are using all available channels to ensure our customers and partners are aware of the required changes

You know what that means! It will be lurking in your fridge soon.

[Steve Vincent]

the instructions for PMhub / Ops Console were changed yesterday, but they still bare little resemblance to what I got via PMR and still seem to miss a load of steps out...

this bit in the FAQ made me laugh;

...once every 10 years the certificates expire and we are forced to react quickly to prevent a mass outage. The team has been working hard to ensure the best possible experience for customers prior to certificates expiration.

They knew when the expiry was, and they should have learnt from the farce of 10 years ago when Applix forgot and everything fell over. Why have they left it so damn late?

[Guillaume Galtier]

Well in that case just updating the certificates on the server might work. The Admin Host service will communicate with the TM1 services via SSL using the v2 certificate (communication between server components cannot be non-SSL as far as I'm aware) and the TM1 clients would communicate with Admin Host using the non-SSL method that I believe is left available for backward compatibility. Communication between the Client and the TM1 services would also be done without SSL since you are forcing it to 'UseSSL=F'. This is my hypothesis, but you will have to test it anyway to be sure.

This was my hypothesis too, but after 2 days of testing I didn't manage to make it work without updating the TM1 options on the client side.

Once the certificates are updated to v2 on the server side (Certificate version = 2 on TM1 Admin Server and on Tm1s.cfg), the client isn't able to list the servers unless the SSL options are filled-in with v2. And this even with UseSSL=F !

This looks strange, because today with v1 certifcates, UseSSL=F and all SSL options on client set to blank works like a charm.

[qml]

Once the certificates are updated to v2 on the server side (Certificate version = 2 on TM1 Admin Server and on Tm1s.cfg), the client isn't able to list the servers unless the SSL options are filled-in with v2. And this even with UseSSL=F !

I can only speculate that switching over to v2 certificates does something to change the Admin Host's behaviour and makes it stop communicating with clients via the legacy non-SSL port (5495 by default). That could be intended or it could be a defect, but either way if it doesn't work, it doesn't work.

[Steve Vincent]

Once the certificates are updated to v2 on the server side (Certificate version = 2 on TM1 Admin Server and on Tm1s.cfg), the client isn't able to list the servers unless the SSL options are filled-in with v2. And this even with UseSSL=F !

This looks strange, because today with v1 certifcates, UseSSL=F and all SSL options on client set to blank works like a charm.

think this was covered earlier on - whilst you can avoid the TM1 server communicating with a client via SSL, you can NOT do so with the admin server. I believe that flag only affects the client comms, hence why when the client is using v1 and admin server v2 the list is blank. BTW, leaving options blank doesn't turn SSL off - it defaults to the v1 SSL certs. Yes, it'll be fine right now but it won't be come 24th Nov

[Steve Vincent]

Update on my PMR:

Instructions I have from the PMR are more comprehensive than the technote but that is a result of also dealing with custom certificates as well as switching from v1 to v2. The PMhub section on the technote as of the amendments made yesterday will achieve the same goal, so can be relied upon to fully complete the switch.

[Steve Vincent]

Cognos BI Connectivity;

Has anyone figured out how to get the Cognos BI server to use the v2 cert? Without doing that it can't see TM1 servers running on v2. The only idea I've had so far is to rename the new certs to the old names but I can't see that being very supportable by IBM...

[paulsimon]

Hi Steve

If there is an issue with BI that would be interesting as the system I look after uses BI extensively to report from TM1. It also launches TM1 Web Sheets, and somewhere there is a bit of JavaScript that directly executes a TI process.

However, I am not sure that there is an issue. The BI App Server needs to have the TM1 Client installed on it. I would have thought that, so long as this Client has the SSL v2 Cert then BI would be able to communicate with TM1 via the v2 Cert? Is there possibly something in the BI Inter-operability layer that is causing a problem?

Regards

Paul Simon

[paulsimon]

Hi Brian

Many thanks for that link.

http://www-01.ibm.com/support/docview.w ... wg21990869

A link from that

http://www-01.ibm.com/support/docview.w ... wg21990588

Does at least confirm that there will be a third option, of installing "updated default/applixca certificates".

Which is certainly our preferred option. It gives instructions for updating the certificates.

The Technote does seem to imply that the v2 Certs are only going to work to 10.2+. I had thought that IBM were going to be releasing a patch for 10.1 to allow it to use the v2 certs but that doesn't appear to be the case.

My client is still on 10.1 and cannot upgrade to 10.2 because the consultancy that implemented the system designed it with BI Reports launching TM1 Web sheets, passing parameters via the URL API. This means that we have several hundred reports to update in order cater for in my view, the largely unnecessary changes to the URL API when IBM moved from .Net based TM1 Web to Java based TM1 Web. I will probably have to write a program to parse the XML in the BI reports to do this.

Anyway, the only option for us, certainly by 24th Nov, is to stay on 10.1 and apply the updated certificates. Unfortunately the tech note does not say when they will be released. When they are, I will certainly be advancing the server and client clocks in one of our non-prod environments to check that they work before the 24th Nov.

I spoke to our IBM Account Manager on Monday, but I have heard nothing further from him, nor from the PMR that we raised. Thank god (or should that be InfoCat?) for this forum.

I have another client who is still on 9.5. They are intending to upgrade to 10.2 but they wanted to get an upgrade to their general ledger finished first. I know that IBM won't confirm it, as 9.5 is no longer supported, however, it seems likely that the new certificates with the extended expiry dates will work on earlier versions. The instructions refer to downloading an Updater. However, that just seems to be something like a self-extracting zip file that creates folders with the new certificates. After that it seems to be a matter of using standard tools that were already there in 9.5 to install the certificates:

importsslcert.exe

It also refers to an uninstallSSL.bat file which isn't there in 9.5, but when I looked at this on 10.2, all it does is
importsslcert.exe -remove
so there isn't really a need for the bat file.

Regards

Paul Simon