tm1ssl certificate expiration - how to fix
TRANSCRIPT
TM1 SSL Certification Expiration - How to Fix EasilyStep By Step Screen captures
1. Download the updated TM1 SSL Certificates from the following
location: http://www.ibm.com/support/fixcentral/quickorder?product=ibm
%2FInformation+Management%2FCognos+TM1&fixids=BA-CTM1-SSL-ZIP-IF001
NewSSLCerts.zip
2. Stop all IBM Cognos TM1 Services in the environment you are updating
3. Extract the downloaded file/archive and extract it to any directory. For the
purpose of this document, our files will be extracted in to a new folder
NewSSLCerts under shared R drive based on the environment ( DEV, QA and
Prod) as seen below in screen capture.
4. After extracting the files, look inside of your extracted folder R:\NewSSLCerts
The following files should be present.
o applixca.der
o applixca.pem
o applixcacrl.p7b
o applixcacrl.pem
o tm1admsvrcert.pem
o tm1store
o tm1svrcert.pem
5. Back up the following directories
o <tm1_install_dir>\tm1_64\bin\ssl
o <tm1_install_dir>\tm1_64\bin64\ssl
o <tm1_install_dir>\tm1_64\webapps\pmpsvc\WEB-INF\bin64\ssl
in our shared R: drive in the folder named OldSSLCerts based on the environment
( DEV, QA and Prod) as seen below in screen capture. R:\OldSSLCerts
R:\OldSSLCerts\binssl
R:\OldSSLCerts\bin64ssl
R:\OldSSLCerts\webssl
6. Copy the contents of the folder you extracted earlier <tm1_install_dir>\tm1_64\
NewSSLCerts\ , and place them inside of the 3 directories listed above in Step 4.
During this process, you will be required to REPLACE all conflicting files as we
must replace the old certificate files with new ones.
If you have problems, complete the same process in "command line" using "Run
as administrator" option as seen below.
Go to R:\Newsslcerts folder as seen below and list all objects using dir command
and followed by a copy command with Y switch as copy /y
7. After all files have been copied successfully, navigate to each of the folders
<tm1_install_dir>\tm1_64\bin\ssl
<tm1_install_dir>\tm1_64\bin64\ssl
<tm1_install_dir>\tm1_64\webapps\pmpsvc\WEB-INF\bin64\ssl
8. Execute the uninstallSSL.bat file, to uninstall old keys from the Windows
Keystore
9. Execute the importsslcert.exe file, to install the new keys in to the
Windows Keystore
R Repeat the same steps 8 AND 9 for other two SSL folders also
C:\Program Files\ibm\cognos\tm1_64\webapps\pmpsvc\WEB-INF\bin64\ssl
If you face any problems using command line approach, you use the windows
"Certificates Import Wizard" as described below with detailed screen shots.
Repeat the these steps for both the files applixa and applixcacrl as below.
Now we have to update the JAVA KEYSTORE effectively
10. Open and run Windows Command Prompt as an Administrator. Navigate to C:\
Program Files\ibm\cognos\tm1_64\bin\jre\7.0\bin folder by execute the following
command
cd C:\Program Files\ibm\cognos\tm1_64\bin\jre\7.0\bin
Execute the following command:keytool is a key and certificate management utility. It allows users to administer their own public/private key pairs and associated certificates for use in self-
authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures. It
also allows users to cache the public keys (in the form of certificates) of their communicating peers.
keytool -delete -alias applixca -keystore ..\lib\security\cacerts -storepass changeit
keytool -keystore ..\lib\security\cacerts -alias applixca -import -file "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\applixca.der" -storepass changeit -
noprompt
keytool -delete -alias applixca -keystore ..\lib\security\cacerts -storepass changeit
keytool -keystore ..\lib\security\cacerts -alias applixca -import -file
"<tm1_install_dir>\bin64\ssl\applixca.der" -storepass changeit -noprompt
16. Start your IBM Cognos TM1 Services