SSL breaks on Nov 24 (TM1 SSL Certificates Expire on 24 November)

[Willi]

At least for 10.2.2 FP6 the last post in http://www.tm1forum.com/viewtopic.php?f ... 826#p62988 gives the solution. Thx

[arthur_r]

Hi everyone!
Sorry for my silly question, I'm only at the beginning:)

Could anybody tell me what are "Cognos BI TM1 Client Components"?

I've updated SSL certificates according to the instructions for our TM1 version.
Also I found this article which is named "How to Update Your Cognos BI TM1 Client Components"
http://www-01.ibm.com/support/docview.w ... wg21991658

But I can't understand what components are included in "Cognos BI TM1 Client Components".

[simon.birleson]

Yes, done that for 9.5, 9.4, 9.1. Can't find anyone using 8.x to test

Follow the steps in 9.5:
http://www.ibm.com/support/knowledgecen ... es_N1207C4

I choose the file system method but you will still need to run the TM1Crypt to generate the password files.
My advise is to keep the default cert name so that you do not need to update all the cfg, ini files.

I have a 9.4 environment and this situation has only just been brought to my attention. Searching through this forum and talking to an IBM engineer it appears this is the only option for us 9.4 users. Do you have any other documentation around this on how we create and apply our own certs? The links you provide here are great but have little information around the exact how and where's. Cheers

[invirt]

Having been through the pain of getting 9.4 sorted this morning, please find below a blog post detailing the process end to end, along with a zip of the required certificates (created with the same info as the originals, but expiry in 2026)

http://in-virt.blogspot.co.uk/2016/11/i ... icate.html

[nanobaka]

Hi All,

My organization is using TM1 10.2.2 FP5 and I am trying to decide whether to manually update the certs or to simply use the v2 certs.

My question is, if I went the manual update route, do I need to go through this again if I reinstall TM1? (My assumption is "Yes".) On the other hand, does installing FP6 (or any future fixpacks) will require me to reapply the update? I assume future fixpacks, including the already released FP6, will not mess with the certs.

I am leaning toward using the v2 certs as it is much easier to deploy and we are fairly confident we will not be using v10.2.2 in 2022. It seems that the only downside of using v2 certs is their expiration date.

Thanks

[st2000]

Just for the files, assuming not everybody found it:
Checking the effective SSL version when using 10.2.x AND Cognos Configuration doesn't start.

Open .\tm1_64\configuration\cogstartup.xml and search for this tag ( tm1AdminSvrCertificateVersion ):

Code: Select all

      <!-- tm1AdminSvrCertificateVersion: Gibt an, welche Version des von TM1 generierten SSL-Zertifikats 
           verwendet werden soll.  -->
      <!-- Standardmäßig wird die 1024-Bit-Verschlüsselungsversion des von TM1 generierten SSL-Zertifikats 
           verwendet. Ändern Sie diesen Parameter nur, wenn Sie die neue 2048-Bit-Verschlüsselungsversion 
           des Standardzertifikats verwenden möchten. Sie können die neue Version mit alten 
           und neuen TM1 Clients verwenden, Sie müssen jedoch die Clients für die Verwendung 
           der neuen Zertifizierungsstellendatei konfigurieren. Dieser Parameter ist nicht anwendbar, 
           wenn Sie eigene SSL-Zertifikate verwenden. Gültige Werte: 1 = Aktivierung der 1024-Bit-Verschlüsselung 
           mit sha-1 (Standardwert) durch die Zertifizierungsstelle; 2 = Aktivierung der 1048-Bit-Verschlüsselung 
           mit sha-256 durch die Zertifizierungsstelle.  -->
      <crn:parameter name="tm1AdminSvrCertificateVersion">
       <crn:value xsi:type="xsd:int">1</crn:value>
      </crn:parameter>

Value=1 means old SSL, 2 means V2 (expiring 2022)
So for me, it's the plain old SSL. Not much time left, unfortunately.

[gtonkin]

I have been writing some batch files to assist with the update of the certificates - thought I would share the update for the TM1 client.
I am making the assumption that the certificate per the TM1 Options, stored in the TM1P.ini is the one to be updated.
I create a folder with the relevant certificates and then update the batch file with this reference-obviously a network share would be ideal.

Code: Select all

@echo off
REM Update the path below to point to your new certificate deployment folder
SET SSL_Cert_Path=C:\Temp\SSL_Update_20161026\NewSSLCerts 20160617
FOR /F "tokens=2* delims==" %%C in ('type %appdata%\applix\tm1\tm1p.ini ^| FINDSTR /I AdminSvrSSLCertAuthority') do (
SET TM1_Install=%%C )

IF EXIST "%TM1_Install%" DO (
SET TM1_Install=%TM1_Install:~1,-13%
echo TM1 Client installed at %TM1_Install%
copy /Y "%SSL_Cert_Path%\*.*" "%TM1_Install%"
)

Don't forget that this batch file would need to be run with local admin rights. If anyone is interested, I can share scripts to update the V95 or V10.2 servers (V10.2 could be tweaked for pre-tomcat).

[gilad2004]

For those who are still on 9.4 (for some reason), the new SSL certs issued by IBM will not work as in 9.4 the private key is encrypted using different cipher.
Only way is to use custom certs. Just in case any of you still hanging on to 9.4.

In here http://ibm.biz/TM1SSLCertificate

There is a section
IBM Cognos TM1 Server Side Updates / Steps

How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 9.5.X (or earlier)
http://www.ibm.com/support/docview.wss?uid=swg21991655

This will explain how to implement the new certs into more mature products

No. It won't work and I have confirmed that with two sites on 9.4. Anyway I have worked around with a custom certs only for 9.4 and below (9.1). It has to do with different encryption for the private key.

hi
i have a customer wiht 9.4 version
how can i creat SSl CERTIFICATE for this server ?
can i use your certificate ?

[simon.birleson]

For those who are still on 9.4 (for some reason), the new SSL certs issued by IBM will not work as in 9.4 the private key is encrypted using different cipher.
Only way is to use custom certs. Just in case any of you still hanging on to 9.4.

hi
i have a customer wiht 9.4 version
how can i creat SSl CERTIFICATE for this server ?
can i use your certificate ?

Have a look at the blog my colleague posted above, invirt, this is the link http://in-virt.blogspot.co.uk/2016/11/i ... icate.html

we used these very certs to fix our environment this week and it worked perfectly. Feel free to download the certs at the end of the blog and use them to save you time.

[spiderwallet]

All,

I haven't seen much talk about the Cognos BI 10.2 bin64\ssl directory. I understand that the Tm1 client needs to be upgraded on the Cognos BI server through the flash updates + manual tasks (uninstall, import, ikeyman command) but have any of you also replaced the default applixca cert that gets installed by the Cognos server install? i.e. <CognosInstall>\bin64\ssl\.

Currently on the BI server I have Cognos BI installed in one dir and another dir for the TM1 client.

Cheers!

[GKhabou]

Hello,

We are going to update our TM1 SSL Certification to avoid the planned expiration for the November 24th 2016.
IBM recommands to roll ahead the server clock past November 24th 2016 to ensure that the product behaves as expected post expiration date.
Any ideas about the impact of this action on the users and hosted applications ?

Thanks in advance.

Best regards;
Ghassen KHABOU

[dsproffitt]

Hello,

We are going to update our TM1 SSL Certification to avoid the planned expiration for the November 24th 2016.
IBM recommands to roll ahead the server clock past November 24th 2016 to ensure that the product behaves as expected post expiration date.
Any ideas about the impact of this action on the users and hosted applications ?

Rolling forward is a bad idea.
This has been suggested in the past as there was no awareness of the issues this could cause. Now there is greater awareness of problems with Active Directory, for example, the recommended way of checking this is to check the certificates themselves as directed by this blog

http://ibm.biz/TM1SSLCertificate

[Bakkone]

If I only use Cognos BI for CAM. Do I need to do anything with it? It is installed on a different server than TM1. I searched that server but couldn't even find the files that Im supposed to replace.

Anyone know?

[nanobaka]

Hello,

We are going to update our TM1 SSL Certification to avoid the planned expiration for the November 24th 2016.
IBM recommands to roll ahead the server clock past November 24th 2016 to ensure that the product behaves as expected post expiration date.
Any ideas about the impact of this action on the users and hosted applications ?

Rolling forward is a bad idea.
This has been suggested in the past as there was no awareness of the issues this could cause. Now there is greater awareness of problems with Active Directory, for example, the recommended way of checking this is to check the certificates themselves as directed by this blog

http://ibm.biz/TM1SSLCertificate

I did the upgrade on one of our test servers by switching to using v2 certificates. I did try change the server clock forward and the result is I couldn't even login. (We use CAM authentication through BI against Active Directory. So it indeed is a bad idea.) When I check the certificate in Internet Explorer, I only see the old one that will expire on 11/24.

So how would I know it works if I went the v2 cert route?

Thanks

[macsir]

We have encountered this error in the server log when failed to open some tm1 web reports after updating SSL for 10.2.2 FP5

TM1.Blob CommitDeferredFileCommand - BLOB_FILE_CLOSE is pending all blob readers to drain out. Any updates will not be fully committed until this happens or the server is shutdown.

Here is the result:
So, just deleted all unnecessary sheets which are created by someone and problem solved. And it is not relevant to SSL updating.

[dsproffitt]

I did the upgrade on one of our test servers by switching to using v2 certificates. I did try change the server clock forward and the result is I couldn't even login. (We use CAM authentication through BI against Active Directory. So it indeed is a bad idea.) When I check the certificate in Internet Explorer, I only see the old one that will expire on 11/24.
So how would I know it works if I went the v2 cert route?
Thanks

OOI Why would you want to go to the V2 route?
I have been advising revert to v1 and then update the certs.

[nanobaka]

I did the upgrade on one of our test servers by switching to using v2 certificates. I did try change the server clock forward and the result is I couldn't even login. (We use CAM authentication through BI against Active Directory. So it indeed is a bad idea.) When I check the certificate in Internet Explorer, I only see the old one that will expire on 11/24.
So how would I know it works if I went the v2 cert route?
Thanks

OOI Why would you want to go to the V2 route?
I have been advising revert to v1 and then update the certs.

Is there anything wrong with using the v2 certs? Yes they do expire earlier but we do not plan on staying with this version for more than 6 years. Since we are using 10.2.2 FP5, I will have to use the manual method to update the certs. I do not want to go through all that again whenever I need to reinstall TM1. (It happens with our servers getting replaced and etc.)

[dsproffitt]

Is there anything wrong with using the v2 certs? Yes they do expire earlier but we do not plan on staying with this version for more than 6 years. Since we are using 10.2.2 FP5, I will have to use the manual method to update the certs. I do not want to go through all that again whenever I need to reinstall TM1. (It happens with our servers getting replaced and etc.)

V2 certs are classed as custom certs. This needs special handling and record keeping.
Changes made in the tm1s.cfg file, the cognos configuration might get changed when you upgrade in the future.
It is additional complications when you dont need to

I dont understand this

Since we are using 10.2.2 FP5, I will have to use the manual method to update the certs.

It is not just a case of copying and pasting, so what else do you mean?
When FP7 comes out, it will have v1 updated certs, so it will make no changes to your system
There is no evidence of what happens if you have V2 certs and then upgrade to Fp7 with new v1s

[GKhabou]

Hello,

I will update SSL certificates on Cognos Express server.
IBM describes the procedure here : http://www-01.ibm.com/support/docview.w ... wg21991652

In the 12th step, it's asked to navigate and copy all NGTM1*.dll from <express_install_dir>\webapps\pmpsvc\WEB-INF\bin64\ but I don't find this directory.
Eventhough, I find these files in this location : <express_install_dir>\webapps\tm1web\WEB-INF\bin but this location is not mentionned in IBM documentation for the certificates update.

What do you think ? Shall I do this step on this folder or not ?
What's the utility of this folder <express_install_dir>\webapps\tm1web\WEB-INF\bin ?
Why it's not concerned by the updates described by IBM ?

Thanks in advance for your replies

Best regards,
Gkhabou

[TomBr]

Hi,

I did a Cognos Express 10.2.1 SSL Update recently.

It says in Step 5 that you may not have a pmpsvc folder so some of the steps may not be applicable.

I did have a pmpsvc folder but didn't have pmpsvc\WEB-INF\Bin64\ssl folder so I ignored the 3rd bit of Step 5 and also ignored some of the later bits such as Step 12 as there was nothing to copy. It all worked fine.

Edit: I suspect not relevant but I was using Native TM1 authentication.

HTH,

Tom