SSL breaks on Nov 24 (TM1 SSL Certificates Expire on 24 November)

u970700
Posts: 13
Joined: Wed Nov 24, 2010 3:27 am
OLAP Product: TM1
Version: PAL 2.0.9.2
Excel Version: Excel 2016
Location: Darwin, Australia

Re: SSL breaks on Nov 24 (TM1 SSL Certificates Expire on 24 November)

Post by u970700 »

Hi all,

Our site is on 9.5.2 FP3, I've been doing a few tests so far without much success.

After reading IanB's method, I tried the same by just replacing the *.pem certificates with the v2 2048bit ones. All looked very promising, with TM1 Admin Server and TM1 server started up and being recognised. Perspective worked as well with the new renamed applixca.pem certificates.

I've tested this scenario with current system date as well as future system date (30/11/2016), all passed in our test environment.

However...TM1 web will not function, during login it would fail with the following error:

Code:

Integrated Login Failed.  Please Try Again...
87: TM1APIDOTNET Exception: - amc planning: The specified server is not found

From going through the TM1Web debug log, it looks like the v2 certificate failed the validation check...so not sure if it failed due to the 2048bit encryption key? Can anyone confirm the below error log?

Code:

2016-09-30 12:07:45,080 [3] DEBUG Applix.TM1.Web.Page.Global - ==> Application_Start
2016-09-30 12:07:45,236 [3] DEBUG Applix.TM1.Web.Page.Global - <== Application_Start
2016-09-30 12:07:45,267 [3] DEBUG Applix.TM1.Web.Page.Global - === Application_BeginRequest - IP [127.0.0.1] to URL [/tm1web/TM1WebLogin.aspx]
2016-09-30 12:07:45,314 [3] DEBUG Applix.TM1.Web.Page.Global - ==> Application_PreRequestHandlerExecute
2016-09-30 12:07:45,314 [3] DEBUG Applix.TM1.Web.Page.Global - <== Application_PreRequestHandlerExecute
2016-09-30 12:07:45,392 [3] DEBUG Applix.TM1.Web.TM1WebConfig - Retrieving 'CustomStyle' value: css/corporate.css;AllowOverwrite=true
2016-09-30 12:07:45,392 [3] DEBUG Applix.TM1.Web.TM1WebConfig - Retrieving 'CustomStyle' style value: css/corporate.css
2016-09-30 12:07:45,392 [3] DEBUG Applix.TM1.Web.TM1WebConfig - Retrieving 'CustomStyle' - 'allowoverwrite' value: true
2016-09-30 12:07:45,407 [3] DEBUG Applix.TM1.Web.WebControls.TM1WebApplication - Created TM1WebApplication for User: 9089598
2016-09-30 12:07:45,407 [3] DEBUG Applix.TM1.Web.WebControls.TM1WebApplication - Memory usage: 5529616
2016-09-30 12:07:45,829 [3] DEBUG Applix.TM1.API.Internal._TM1NetClass - Server Certificate Issued To: CN=tm1adminserver, OU=TM1 CA V2, O=TM1 CA V2, S=Massachusetts, C=US
2016-09-30 12:07:45,829 [3] DEBUG Applix.TM1.API.Internal._TM1NetClass - Server Certificate Issued By: OU=TM1 CA V2, O=TM1 CA V2, L=Littleton, S=Massachusetts, C=US
2016-09-30 12:07:45,829 [3] DEBUG Applix.TM1.API.Internal._TM1NetClass - Server Certificate Validation ErrorRemoteCertificateChainErrors
2016-09-30 12:07:45,829 [3] DEBUG Applix.TM1.API.Internal._TM1NetClass - Applix TM1 Error-> Error creating socket (AuthenticationException) - System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost)
   at Applix.TM1.API.Internal._TM1NetClass.Connect()

Which is a bummer considering my users are all TM1Web users, currently waiting for our custom certificate to be issued (1024bit encryption)...so maybe that's the only way to go.

UPDATE: After importing the applixca.pem (v2) in MMC, I managed to get TM1Web working...but I had to replace the server host name with the IP address in the URL. So some progress at least...
TM1 9.5.2 FP3, Windows 2008 R2 64bit, Excel 2003 SP3
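
The certificate lines in the TM1Web debug log quoted in the post above can be triaged mechanically. This is an added example, not code from the post or from IBM: it groups the "Issued To" / "Issued By" / "Validation Error" lines per thread, splits the .NET SslPolicyErrors flag names, and maps each flag to a check. The function names, the hint wording and the second (constructed) log event are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the first three lines are copied from the excerpt above; the
# last three are a constructed variant with a combined SslPolicyErrors value.
SAMPLE_LOG = """\
2016-09-30 12:07:45,829 [3] DEBUG Applix.TM1.API.Internal._TM1NetClass - Server Certificate Issued To: CN=tm1adminserver, OU=TM1 CA V2, O=TM1 CA V2, S=Massachusetts, C=US
2016-09-30 12:07:45,829 [3] DEBUG Applix.TM1.API.Internal._TM1NetClass - Server Certificate Issued By: OU=TM1 CA V2, O=TM1 CA V2, L=Littleton, S=Massachusetts, C=US
2016-09-30 12:07:45,829 [3] DEBUG Applix.TM1.API.Internal._TM1NetClass - Server Certificate Validation ErrorRemoteCertificateChainErrors
2016-09-30 12:09:10,101 [5] DEBUG Applix.TM1.API.Internal._TM1NetClass - Server Certificate Issued To: CN=tm1adminserver, OU=TM1 CA V2, O=TM1 CA V2, S=Massachusetts, C=US
2016-09-30 12:09:10,101 [5] DEBUG Applix.TM1.API.Internal._TM1NetClass - Server Certificate Issued By: OU=TM1 CA V2, O=TM1 CA V2, L=Littleton, S=Massachusetts, C=US
2016-09-30 12:09:10,101 [5] DEBUG Applix.TM1.API.Internal._TM1NetClass - Server Certificate Validation ErrorRemoteCertificateNameMismatch, RemoteCertificateChainErrors
"""

# timestamp, thread id, then whatever follows "Server Certificate "
LINE = re.compile(r"^(\S+ \S+) \[(\d+)\] \w+\s+\S+ - Server Certificate (.*)$")

# Check suggested per System.Net.Security.SslPolicyErrors flag (wording is this example's).
HINTS = {
    "RemoteCertificateChainErrors": "chain did not validate: is the issuing CA "
        "({issuer}) in the Trusted Root store, and is every certificate in date?",
    "RemoteCertificateNameMismatch": "name mismatch: connect using a host name "
        "the certificate carries (CN={cn})",
    "RemoteCertificateNotAvailable": "the server presented no certificate",
}

@dataclass
class CertEvent:
    timestamp: str
    thread: str
    subject: str
    issuer: str = ""
    errors: list = field(default_factory=list)

def common_name(dn):
    """Return the CN value of a distinguished name as the log prints it, or ''."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else ""

def parse_events(text):
    """Build one CertEvent per 'Issued To' line, filled in by later lines on that thread."""
    events, pending = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack-trace lines and unrelated DEBUG output
        ts, thread, rest = m.groups()
        if rest.startswith("Issued To:"):
            pending[thread] = CertEvent(ts, thread, rest[len("Issued To:"):].strip())
            events.append(pending[thread])
        elif thread in pending and rest.startswith("Issued By:"):
            pending[thread].issuer = rest[len("Issued By:"):].strip()
        elif thread in pending and rest.startswith("Validation Error"):
            flags = rest[len("Validation Error"):].split(",")
            pending.pop(thread).errors = [f.strip() for f in flags if f.strip()]
    return events

def triage(event):
    """Return one hint per logged flag; unknown flag names are reported as such."""
    cn = common_name(event.subject)
    return [HINTS[e].format(cn=cn, issuer=event.issuer) if e in HINTS
            else "unrecognised flag: " + e for e in event.errors]

if __name__ == "__main__":
    for ev in parse_events(SAMPLE_LOG):
        print(ev.timestamp, common_name(ev.subject), triage(ev))
```
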
Steve Vincent
Site Admin
Posts: 1054
Joined: Mon May 12, 2008 8:33 am
OLAP Product: TM1
Version: 10.2.2 FP1
Excel Version: 2010
Location: UK

Re: SSL breaks on Nov 24

Post by Steve Vincent »

I've had multiple calls with IBM this week and this is the latest;
  • versions < 10 - you are on your own. Only suggestions are upgrade to a supported version or deploy custom certs.
  • the fix is currently in QA. They are trying to provide a single fix for all the different FPs of 10.x, and they are finding that each one has some subtle differences, which is why it's taking so long. It isn't a simple replacement of certs - some elements (CDM etc) need much more fundamental changes to objects like DLLs, which is why the manual steps from the FAQ won't work for all elements.
  • as a result of the above, there is still no date available for its release
If this were a dictatorship, it would be a heck of a lot easier, just so long as I'm the dictator.
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
stephen waters
MVP
Posts: 324
Joined: Mon Jun 30, 2008 12:59 pm
OLAP Product: TM1
Version: 10_2_2
Excel Version: Excel 2010

Re: SSL breaks on Nov 24

Post by stephen waters »

Steve,
We have had a similar update from IBM today and been told the updater will be released "as soon as possible", which is not very helpful or informative. As I replied, the absence of a release date does not help our customers who are trying to plan for this.

It seems IBM are aiming for a single updater which will cater for every supported fix pack and combination of products. I understand this is the ideal scenario but, given the time constraints, I wonder if a better approach would be to concentrate on the most common versions and combinations as a first release and add other variations subsequently. If an initial release could cover e.g. 80% of customers, it would allow them to get on with the process and also restore some confidence that IBM is actually dealing with the problem.
Steve Vincent
Site Admin
Posts: 1054
Joined: Mon May 12, 2008 8:33 am
OLAP Product: TM1
Version: 10.2.2 FP1
Excel Version: 2010
Location: UK

Re: SSL breaks on Nov 24

Post by Steve Vincent »

My thoughts precisely, I made that suggestion too but I don't think they are so keen...
If this were a dictatorship, it would be a heck of a lot easier, just so long as I'm the dictator.
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
declanr
MVP
Posts: 1815
Joined: Mon Dec 05, 2011 11:51 am
OLAP Product: Cognos TM1
Version: PA2.0 and most of the old ones
Excel Version: All of em
Location: Manchester, United Kingdom

Re: SSL breaks on Nov 24

Post by declanr »

Steve Vincent wrote:my thoughts precisely, I made that suggestion too but I don't think they are so keen...
Look at you two trying to apply logic and common sense... BURN THE WITCHES!
Declan Rodger
stephen waters
MVP
Posts: 324
Joined: Mon Jun 30, 2008 12:59 pm
OLAP Product: TM1
Version: 10_2_2
Excel Version: Excel 2010

Re: SSL breaks on Nov 24

Post by stephen waters »

Look at you two trying to apply logic and common sense... BURN THE WITCHES!
Thank you for your support Sir Bedevere... ;-)
moby91
MVP
Posts: 227
Joined: Fri Mar 11, 2011 2:18 pm
OLAP Product: TM1
Version: 9.5.1
Excel Version: 2003 2007

Re: SSL breaks on Nov 24

Post by moby91 »

stephen waters wrote:It seems IBM are aiming for a single updater which will cater for every supported fix pack and combination of products. I understand this is the ideal scenario But, given the time constraints, I wonder if a better approach would be to concentrate on the most common versions and combinations as a first release and add other variations subsequently. If an initial release could cover e.g. 80% of customers would allow them to get on with the process and also restore some confidence that IBM is actually dealing with the problem.
(1)
IBM Technote 1991653:

http://www-01.ibm.com/support/docview.w ... wg21991653
IBM Cognos TM1 SSL Expiration - Manual Fix Approach - Landing Page

Fix readme

Abstract


You have reached the landing page, for the TM1 SSL Expiration - Manual Fix Approach. While the manual fix approach is similar across versions, certain streams of TM1 require a slightly different approach for manually updating TM1 Certificates.

Before you begin, please ensure you have already read/reviewed the following:
If you use CDM or Controller - please do not yet proceed with updating your TM1 Server components!

Content

Updated TM1 SSL Certificates Download Location:
http://www.ibm.com/support/fixcentral/q ... -ZIP-IF001

IBM Cognos TM1 Server Side Updates / Steps

How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 9.5.X (or earlier)
http://www.ibm.com/support/docview.wss?uid=swg21991655


(2)
IBM Technote 1991549:

http://www-01.ibm.com/support/docview.w ... wg21991549
How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 10.2.X - UNIX
stephen waters
MVP
Posts: 324
Joined: Mon Jun 30, 2008 12:59 pm
OLAP Product: TM1
Version: 10_2_2
Excel Version: Excel 2010

Re: SSL breaks on Nov 24

Post by stephen waters »

Moby,
I got that in my technical notifications yesterday. They have released the new SSL certificates but have not yet issued an automatic updater. That's certainly a step forward, particularly since it seems the new certificates can work with 9.5.x.

So, provided the manual update instructions work, we have a fall back in the event of delays to the "Updater", which is good news.
kaazimraza
Posts: 95
Joined: Mon Jun 25, 2012 6:58 am
OLAP Product: TM1, SSAS, Power BI
Version: 10.2.2
Excel Version: 2016

Re: SSL breaks on Nov 24

Post by kaazimraza »

Hi everyone,

I have followed the manual steps for TM1 server 10.x (10.1.1 in my case) as listed on http://www-01.ibm.com/support/docview.w ... wg21991547 and the client components, mainly TM1 Architect as listed over here http://www-01.ibm.com/support/docview.w ... wg21991657.

Backed up existing certs, replaced the new ones. Removed the existing certs & imported the new ones in the KeyStore using the utilities in the ssl folder. Got TM1 services up, once with native TM1 authentication and then with CAM authentication. My test environment date is set as 30 November 2016 and, I have been able to test TM1 Web, and Architect and it works well. Changed the system date to 1 Jan 2027 and my test server disappeared from available TM1 servers' list in Architect which was expected.

My only question now, is, I have now got two certs from Applix installed on my server. One of them is expiring in 2016, and the other one is expiring in 2026. Does having two certs make a difference? Ideally, I'd like to have only one of them listed there.
[Image: TM1 SSL Certificates, old & new (TM1-SSL-Certs-Old-New.png)]
Thanks
Kaz
dsproffitt
Posts: 66
Joined: Wed Jul 16, 2014 9:20 am
OLAP Product: All of them
Version: All of them
Excel Version: 2003 -2013

Re: SSL breaks on Nov 24

Post by dsproffitt »

kaazimraza wrote:only question now, is, I have now got two certs from Applix installed on my server. One of them is expiring in 2016, and the other one is expiring in 2026. Does having two certs make a difference? Ideally, I'd like to have only one of them listed there.
TM1-SSL-Certs-Old-New.png
Thanks
Kaz
You will need them both until 24th November when one expires and the other takes over.

Why do you feel the desire to only have one?
u970700
Posts: 13
Joined: Wed Nov 24, 2010 3:27 am
OLAP Product: TM1
Version: PAL 2.0.9.2
Excel Version: Excel 2016
Location: Darwin, Australia

Re: SSL breaks on Nov 24

Post by u970700 »

kaazimraza wrote: My only question now, is, I have now got two certs from Applix installed on my server. One of them is expiring in 2016, and the other one is expiring in 2026. Does having two certs make a difference? Ideally, I'd like to have only one of them listed there.
I think the uninstallSSL.bat didn't remove the expiring certificates properly...

For the 9.5.x manual fix, it used the importsslcert.exe to uninstall the old keys and install the new keys into the Windows Keystore. See steps 8-10 in IBM support article: http://www-01.ibm.com/support/docview.w ... wg21991655

The end result for my test environment is only the new certificate appearing in the Trusted Root Certification Authority.
[Image: applixca.JPG]
TM1 9.5.2 FP3, Windows 2008 R2 64bit, Excel 2003 SP3
dsproffitt
Posts: 66
Joined: Wed Jul 16, 2014 9:20 am
OLAP Product: All of them
Version: All of them
Excel Version: 2003 -2013

Re: SSL breaks on Nov 24

Post by dsproffitt »

u970700 wrote:
The end result for my test environment is only the new certificate appearing in the Trusted Root Certification Authority.
applixca.JPG
What was your expectation?
kangkc
Community Contributor
Posts: 206
Joined: Fri Oct 17, 2008 2:40 am
OLAP Product: TM1, PA , TMVGate
Version: 2.x
Excel Version: 36x
Location: Singapore

Re: SSL breaks on Nov 24

Post by kangkc »

For those who are still on 9.4 (for some reason), the new SSL certs issued by IBM will not work, as in 9.4 the private key is encrypted using a different cipher.
The only way is to use custom certs. Just in case any of you are still hanging on to 9.4.
dsproffitt
Posts: 66
Joined: Wed Jul 16, 2014 9:20 am
OLAP Product: All of them
Version: All of them
Excel Version: 2003 -2013

Re: SSL breaks on Nov 24

Post by dsproffitt »

kangkc wrote:For those who are still on 9.4 (for some reason), the new SSL certs issued by IBM will not work as in 9.4 the private key is encrypted using different cipher.
Only way is to use custom certs. Just in case any of you still hanging on to 9.4.

In here http://ibm.biz/TM1SSLCertificate

There is a section
IBM Cognos TM1 Server Side Updates / Steps

How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 9.5.X (or earlier)
http://www.ibm.com/support/docview.wss?uid=swg21991655

This will explain how to implement the new certs into more mature products
kangkc
Community Contributor
Posts: 206
Joined: Fri Oct 17, 2008 2:40 am
OLAP Product: TM1, PA , TMVGate
Version: 2.x
Excel Version: 36x
Location: Singapore

Re: SSL breaks on Nov 24

Post by kangkc »

dsproffitt wrote:
kangkc wrote:For those who are still on 9.4 (for some reason), the new SSL certs issued by IBM will not work as in 9.4 the private key is encrypted using different cipher.
Only way is to use custom certs. Just in case any of you still hanging on to 9.4.

In here http://ibm.biz/TM1SSLCertificate

There is a section
IBM Cognos TM1 Server Side Updates / Steps

How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 9.5.X (or earlier)
http://www.ibm.com/support/docview.wss?uid=swg21991655

This will explain how to implement the new certs into more mature products
No. It won't work and I have confirmed that with two sites on 9.4. Anyway, I have worked around it with custom certs only for 9.4 and below (9.1). It has to do with different encryption for the private key.
dsproffitt
Posts: 66
Joined: Wed Jul 16, 2014 9:20 am
OLAP Product: All of them
Version: All of them
Excel Version: 2003 -2013

Re: SSL breaks on Nov 24

Post by dsproffitt »

IBM Cognos TM1 SSL Expiration - Updater Kits

While the updater kit simplifies the manual approach, a few additional steps are required in order to ensure that the update takes effect. This document will help you find the right updater and setup steps for your install.

http://www-01.ibm.com/support/docview.w ... wg21991790
Steve Vincent
Site Admin
Posts: 1054
Joined: Mon May 12, 2008 8:33 am
OLAP Product: TM1
Version: 10.2.2 FP1
Excel Version: 2010
Location: UK

Re: SSL breaks on Nov 24

Post by Steve Vincent »

Done some testing with both the manual approaches and the updaters; can't say I'm impressed.

All of this is with 10.2.2 FP1

Server; no updater made available - "An updater kit for TM1 10.2.2 (Server Components) will not be made available due to a restriction with the fix packaging." I read that as "we can't get it to work and have run out of time".

Client; Updater works fine although still need to re-register the certs manually. No idea why that couldn't have been done for us, seeing as the bog standard installer does...

PM; the updater doesn't work, at least on our environment. The files replaced by the manual approach aren't being touched by the updater. The manual instructions lead you to the wrong folders too; it's a good job we've had so many issues with PM in the past that I knew where to really look...

So yeah, not great really is it?
If this were a dictatorship, it would be a heck of a lot easier, just so long as I'm the dictator.
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
Guillaume Galtier
Posts: 40
Joined: Thu Jun 19, 2008 8:09 am
OLAP Product: TM1
Version: 10.2.2
Excel Version: 2010

Re: SSL breaks on Nov 24

Post by Guillaume Galtier »

Hi,

The option chosen is to switch to the IBM Cognos TM1 v2 Certificates.
Re-reading the Technotes, I feel a bit confused regarding the limitations of this option (limitations I hadn't noted before... :| ).

On the technote "How to update your expiring IBM Cognos TM1 Certificates" (http://www-01.ibm.com/support/docview.w ... wg21990588), it's written :
Option 4 - Switch to the IBM Cognos TM1 v2 Certificates (TM1 10.2.2 FP4 IF1+ only)
But on the dedicated technote "How to configure TM1 to use the bundled 2048-bit SSL certificate" (http://www-01.ibm.com/support/docview.w ... wg21697266), it's written:
Do NOT proceed with this documentation unless you either:
a) Do NOT use TM1 Operations Console/PMHub/CAFE
b) or are on TM1 10.2.2 FP4+
Limitations are not the same between these 2 technotes.

We are using TM1 10.2.2 FP1 without TM1 Operations/PMHub/CAFE.
According to the 1st technote, I can't consider option 4 as a valid solution, but according to the 2nd I can.

I've done some testing on switching to v2 certificates, updating the configuration of TM1 Admin Server + TM1 Server on the server side and TM1 Architect on the client side.
For now it seems to work correctly, but I'm afraid to miss something...

Has somebody chosen this solution with the same configuration as my client?
What's your understanding of those limitations?

Thanks in advance for your feedback

Guillaume
qml
MVP
Posts: 1094
Joined: Mon Feb 01, 2010 1:01 pm
OLAP Product: TM1 / Planning Analytics
Version: 2.0.9 and all previous
Excel Version: 2007 - 2016
Location: London, UK, Europe

Re: SSL breaks on Nov 24

Post by qml »

Guillaume Galtier wrote:What's your understanding on that limitations?
The manual switch to v2 certs approach you have chosen is absolutely fine for pre-10.2.2 FP4 versions, including yours, except for the following components: Ops Console, PmHub, CAFE. So if you are not using them, then you need not worry.

Here is a quote from Duncan Proffitt's FAQ:
Default TM1 Applix Certs expire FAQ wrote: What is special about Ops Console, PMHub & CAFE in relation to TM1 10.2.2 FP4? Why can't I install v2 certs in anything older than that version?
The reason that this is in is because of a bug in the application of custom certificates when using SSL and TM1. (with Ops Console, PMHub/tm1/servers & CAFE)
Version 2 certificates ARE custom certificates, therefore they will not work with anything that is older than TM1 10.2.2 FP4 when trying to reach Ops Console, PmHub or CAFE.
While this doesn't say in a straightforward way that it will work for other components, I believe this is the intended implication and also it's what testing shows.
Kamil Arendt
dsproffitt
Posts: 66
Joined: Wed Jul 16, 2014 9:20 am
OLAP Product: All of them
Version: All of them
Excel Version: 2003 -2013

Re: SSL breaks on Nov 24

Post by dsproffitt »

Guillaume Galtier wrote: According to the 1st technote, I can't consider option 4 as a valid solution, but according to the 2nd I can.
This is being adjusted in the Technotes now by the author .. sorry for the confusion

He will update this section tho:
Do NOT proceed with this documentation unless you either:
a) Do NOT use TM1 Operations Console/PMHub/CAFE
b) or are on TM1 10.2.2 FP4+


To state:
IBM Cognos TM1 v2 Certificates (TM1 10.2.2 FP4 IF1+ only)