Configuring SSL Certificate to Cognos Analytics server provides an extra layer of security that verify the website’s identity.
Pre-requisite
The following conditions must be met before you proceeding to configuring Cognos Analytics.
- SSL certificate file must already be in PKCS12/PFX format and contain the complete certificate chain.
- Private Key
- Backup of decrypted cogstartup.xml
- Backup the following files and folders
- · /configurationcogstartup.xml
- · /configuration/certs/CAMCrypto.status
- · /configuration/certs/CAMKeystore
- · /configuration/certs/CAMKeystore.lock
- ·/configuration/csk
- . /configuration/cert
Backup of Decrypted cogstartup.xml
- Stop all services running in IBM Cognos Configuration.
- Click on File -> Export As.
- Choose “Yes” at the prompt and save the file. For example, name it ‘backup.xml’, which will be stored in the <%cognos analytics installation%>\ibm\cognos\analytics\configuration folder.
- Close IBM Cognos Configuration.
Import SSL Certificate in Cognos Analytics
Do the following step to be able to retrieve the individual files of the certificate chain ( root certificate, intermediate certificate and end-user certificate).
- Run MMC and right-click Run as Administrator.
- Under File select Add or Remove Snap-ins
- Select Certificate and click on Add>
- Select COMPUTER ACCOUNT.
- Select Local Computer and click Finish and then OK.
- Select COMPUTER ACCOUNT.
- Select Local Computer and click Finish and then OK.
- Under Trusted Root Certificate Authorities, right-click on Certificate and click on All Task -> Import and click Next.
- Under Trusted Root Certificate Authorities, right-click on Certificate and click on All Task -> Import and click Next.
- Click on Browse… and select the location of the .pfx file (NOTE: Make sure to change the type to Personal Information Exchange) and then click Next.
- Enter the password of the pfx file and click Next.
- In the MMC, Under Trusted Root Certificate Authority -> Certificate select the server certificate. The default view is shown as below. Make sure the certificate is issue for the correct server.
Export Root, Intermediate and End-User Certificate from PFX File
- Under Trusted Root Certificate Authorities, click on the imported certificate.
- Go under Certificate Path, in this page you should be able to verify the certificate chain. The top is the root certificate, underneath it is the intermediate certificate and the last is the end-user certificate.
- Under Details, click on Copy to File… and click Next.
- Click on No, do not export the private key. (NOTE: Selecting Yes, export the private key will only allow you to export the file in pfx file)
- Select Browse… and browse to the directory where you want to keep you certificates.
- Save the end-user certificate as cacert, intermediate certificate as caint and root certificate as caroot.
- Repeat the same for all the other certificates.
Import SSL Certificate
- Open Command Prompt as Administrator and go to the <cognos analytics installation>/ibm/cognos/analytics/bin
- Write the following scripts to import the caroot (root certificate).
ThirdPartyCertificateTool.bat -java:local -i -T -r <location of cacert location> -p “NoPassWordSet”
- Do the same for the caint (intermediate certificate).
- Import the pfx file using the following script.
ThirdPartyCertificateTool.bat -java:local -i -e -a rsa –p “NoPassWordSet” -K <location of the pfx file> -w <pfx password>
Configure SSL Certificate in Cognos Analytics
Once you have imported the certificate you would need configure to the SSL Certificate in Cognos Analytics through IBM Cognos Configuration.
- Under Environment, update the following to use https instead of http.
- Gateway URI
- External dispatcher UR
- Internal dispatcher URI
- Dispatcher URI for external applications
- Content Manager URIs
- Under Security -> Cryptography, delete Cognos and right click on Cryptography and select New Resource and enter the name and select Third Party Certificate authority.
Update Cognos Gateway
If you are using Cognos Gateway to utilize single-signon, you would need to make additional configuration.
MICROSOFT INTERNET INFORMATION SERVICE (IIS)
- Open Microsoft Internet Information Services (IIS) and go the host server name on the top of the navigation tree and open Server Certificate.
- Add click on Import Certificate
- Go to bi folder, double-click on URL Rewrite and select Reverse Proxy and update Rewrite URL to use https.
- Under Default Website, select on the right-pane, Bindings…
- In the Binding Site, click on Add.
- Update the following field:
- Type : https
- Host Name : Host Name FQDN
- SSL Certificate : SSL Certificate of the Web Server
- Go to Application Pool and stop ICAPool
- Go to the Host Name and Stop and then Start.
- Go back to the Application Pool and start ICAPool.
Need Help?
If you have any questions about installing Planning Analytics and configuring SSL Certificate, please reach out to us. We’d be delighted to help.