TM1 SSL Certification Expiration - How to Fix EasilyStep By Step Screen captures

1. Download the updated TM1 SSL Certificates from the following

location: http://www.ibm.com/support/fixcentral/quickorder?product=ibm

%2FInformation+Management%2FCognos+TM1&fixids=BA-CTM1-SSL-ZIP-IF001

NewSSLCerts.zip

2. Stop all IBM Cognos TM1 Services in the environment you are updating

3. Extract the downloaded file/archive and extract it to any directory. For the

purpose of this document, our files will be extracted in to a new folder

NewSSLCerts under shared R drive based on the environment ( DEV, QA and

Prod) as seen below in screen capture.

4. After extracting the files, look inside of your extracted folder R:\NewSSLCerts

The following files should be present.

o applixca.der

o applixca.pem

o applixcacrl.p7b

o applixcacrl.pem

o tm1admsvrcert.pem

o tm1store

o tm1svrcert.pem

5. Back up the following directories

o <tm1_install_dir>\tm1_64\bin\ssl

o <tm1_install_dir>\tm1_64\bin64\ssl

o <tm1_install_dir>\tm1_64\webapps\pmpsvc\WEB-INF\bin64\ssl

in our shared R: drive in the folder named OldSSLCerts based on the environment

( DEV, QA and Prod) as seen below in screen capture. R:\OldSSLCerts

R:\OldSSLCerts\binssl

R:\OldSSLCerts\bin64ssl

R:\OldSSLCerts\webssl

6. Copy the contents of the folder you extracted earlier <tm1_install_dir>\tm1_64\

NewSSLCerts\ , and place them inside of the 3 directories listed above in Step 4.

During this process, you will be required to REPLACE all conflicting files as we

must replace the old certificate files with new ones.

If you have problems, complete the same process in "command line" using "Run

as administrator" option as seen below.

Go to R:\Newsslcerts folder as seen below and list all objects using dir command

and followed by a copy command with Y switch as copy /y

7. After all files have been copied successfully, navigate to each of the folders

<tm1_install_dir>\tm1_64\bin\ssl

<tm1_install_dir>\tm1_64\bin64\ssl

<tm1_install_dir>\tm1_64\webapps\pmpsvc\WEB-INF\bin64\ssl

8. Execute the uninstallSSL.bat file, to uninstall old keys from the Windows

Keystore

9. Execute the importsslcert.exe file, to install the new keys in to the

Windows Keystore

R Repeat the same steps 8 AND 9 for other two SSL folders also

C:\Program Files\ibm\cognos\tm1_64\webapps\pmpsvc\WEB-INF\bin64\ssl

If you face any problems using command line approach, you use the windows

"Certificates Import Wizard" as described below with detailed screen shots.

Repeat the these steps for both the files applixa and applixcacrl as below.

Now we have to update the JAVA KEYSTORE effectively

10. Open and run Windows Command Prompt as an Administrator. Navigate to C:\

Program Files\ibm\cognos\tm1_64\bin\jre\7.0\bin folder by execute the following

command

cd C:\Program Files\ibm\cognos\tm1_64\bin\jre\7.0\bin

Execute the following command:keytool is a key and certificate management utility. It allows users to administer their own public/private key pairs and associated certificates for use in self-

authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures. It

also allows users to cache the public keys (in the form of certificates) of their communicating peers.

keytool -delete -alias applixca -keystore ..\lib\security\cacerts -storepass changeit

keytool -keystore ..\lib\security\cacerts -alias applixca -import -file "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\applixca.der" -storepass changeit -

noprompt

keytool -delete -alias applixca -keystore ..\lib\security\cacerts -storepass changeit

keytool -keystore ..\lib\security\cacerts -alias applixca -import -file

"<tm1_install_dir>\bin64\ssl\applixca.der" -storepass changeit -noprompt

16. Start your IBM Cognos TM1 Services