IBM Cognos Analytics, SSL

Cognos Analytics Configure SSL Certificate

Configuring SSL Certificate to Cognos Analytics server provides an extra layer of security that verify the website’s identity.

Pre-requisite

The following conditions must be met before you proceeding to configuring Cognos Analytics.

SSL certificate file must already be in PKCS12/PFX format and contain the complete certificate chain.
Place the certificate outside the TM1Web installation

Import SSL Certificate in Cognos Analytics

Do the following step to be able to retrieve the individual files of the certificate chain ( root certificate, intermediate certificate and end-user certificate).

Run MMC and right-click Run as Administrator.
Under File select Add or Remove Snap-ins

Select Certificate and click on Add>

Select COMPUTER ACCOUNT.

Select Local Computer and click Finish and then OK.

Select COMPUTER ACCOUNT.

Select Local Computer and click Finish and then OK.

Under Trusted Root Certificate Authorities, right-click on Certificate and click on All Task -> Import and click Next.

Under Trusted Root Certificate Authorities, right-click on Certificate and click on All Task -> Import and click Next.

Click on Browse… and select the location of the .pfx file (NOTE: Make sure to change the type to Personal Information Exchange) and then click Next.

Enter the password of the pfx file and click Next.

In the MMC, Under Trusted Root Certificate Authority -> Certificate select the server certificate. The default view is shown as below. Make sure the certificate is issue for the correct server.

Export Root, Intermediate and End-User Certificate from PFX File

Under Trusted Root Certificate Authorities, click on the imported certificate.

Go under Certificate Path, in this page you should be able to verify the certificate chain. The top is the root certificate, underneath it is the intermediate certificate and the last is the end-user certificate.

Under Details, click on Copy to File… and click Next.

Click on No, do not export the private key. (NOTE: Selecting Yes, export the private key will only allow you to export the file in pfx file)

Select Browse… and browse to the directory where you want to keep you certificates.

Save the end-user certificate as cacert, intermediate certificate as caint and root certificate as caroot.
Repeat the same for all the other certificates.

Import SSL Certificate

Open Command Prompt as Administrator and go to the <cognos analytics installation>/ibm/cognos/analytics/bin
Write the following scripts to import the caroot (root certificate).

ThirdPartyCertificateTool.bat -java:local -i -T -r <location of cacert location> -p “NoPassWordSet”

Do the same for the caint (intermediate certificate).
Import the pfx file using the following script.

ThirdPartyCertificateTool.bat -java:local -i -e -a rsa –p “NoPassWordSet” -K <location of the pfx file> -w <pfx password>

Configure SSL Certificate in Cognos Analytics

Once you have imported the certificate you would need configure to the SSL Certificate in Cognos Analytics through IBM Cognos Configuration.

Under Environment, update the following to use https instead of http.

Gateway URI
External dispatcher UR
Internal dispatcher URI
Dispatcher URI for external applications
Content Manager URIs

Under Security -> Cryptography, delete Cognos and right click on Cryptography and select New Resource and enter the name and select Third Party Certificate authority.

Update Cognos Gateway

If you are using Cognos Gateway to utilize single-signon, you would need to make additional configuration.

MICROSOFT INTERNET INFORMATION SERVICE (IIS)

Open Microsoft Internet Information Services (IIS) and go the host server name on the top of the navigation tree and open Server Certificate.
Add click on Import Certificate
Go to bi folder, double-click on URL Rewrite and select Reverse Proxy and update Rewrite URL to use https.