IBM Cognos Technical Blog

September 27, 2011

Configuring SSL / HTTPS with IBM Cognos 10.1 BI and TM1 9.5.2

It’s been a long few days. A customer wanted not just to integrate IBM Cognos 10.1 Business Intelligence with TM1 9.5.2, but to do it using SSL / HTTPS rather than the out-of-the-box HTTP protocol.  Nice.

I would have said that what follows is not for the faint-hearted; however, with the right steps set out in front of you it's a lot easier than it seemed at the time!

This is a fairly complex task which will need you to have a pretty good level of understanding of a lot of technologies.  I have tried to write this in a simple way but I think I will need to refine this over time based on comments made.  Please feel free to add any feedback at the end so that I can improve this article as required.

We will assume a few things before we start:

  • You have your own SSL certificate either purchased or created for IIS.
  • The SSL certificate is configured and is working (able to serve up a basic HTML page via HTTPS)
  • You have basic installations of IBM Cognos 10.1 BI and TM1 9.5.2 already integrated (help on integration here)

Getting Cognos BI working via HTTPS

With IIS already configured to work on HTTPS it's a simple task to get the Cognos Gateway components up and running.

First of all you must get all of your dispatchers up and running using the HTTPS protocol and the secured port 9343.  See the screenshot below for an example.

[Screenshot: Cognos Configuration - Dispatcher URIs for SSL Configuration]

Now that this is done, navigate to the Cryptography -> Cognos section of the tree-view.  Here we need to make sure that the server name is listed for the Server Common Name property.  As below this should be set to the exact name of the server as specified in your dispatcher URI fields.

[Screenshot: Settings for Cognos Configuration - SSL Cryptography]

Whilst you are there, make sure you set a password for each of the key stores.  It is advisable to use a single, strong password here or else you may find it difficult later on to know which password to use.

The server common name value above is used in the certificate creation; if this does not match the name of the server specified in the dispatcher URIs then you will get a prompt due to an invalid certificate during certain operations.  This could stop the integration between TM1 and BI from working correctly.

With IBM Cognos Configuration updated it's now time to save and restart the services.  If you have just changed an existing installation from HTTP to HTTPS you will find that the IBM Cognos 10 service is re-registered and so you will have to input the service account credentials again to get things to start up properly.

Saving will take some time as the cryptography settings will be recreated.

Now is a good time to check that IBM Cognos 10 is up and running on HTTPS.  Check IBM Cognos Connection by visiting your gateway URI which should be in the form of

https://bi101.planitcpm.local/ibmcognos

This should return the familiar IBM Cognos portal screen.

If all is well, now try connecting to the dispatcher directly.  This is best done on the server itself as we can then ensure that the SSL certificate is imported at the same time.

The URI to enter is similar to this:

https://bi101.planitcpm.local:9343/p2pd/servlet/dispatch

Because the self-created certificate is not from a trusted root authority you will get the following screen in Internet Explorer.  For now click “Continue to this website (not recommended)”.

You will now see the bare dispatcher login screen.  Notice that the address bar is in pink and you have a certificate error to the right.

Click on “Certificate Error” to view and install the certificate.

When the pop-up screen shows, click on “View Certificate”

You will now see the certificate, click “Install Certificate”.

On the Certificate Store selection screen select “Place all certificates in the following store” and make sure Trusted Root Certification Authorities is selected.

Complete the Wizard.  You will be warned that you are about to install the certificate.  Click “Yes” to complete the process.

Now on the Certificate view, switch to the “Certification Path” tab and complete the same process for the CA Root Certificate.

Now with both certificates installed and trusted, exit from Internet Explorer and visit the Dispatcher URI again.  This time there should be no warnings etc.

IBM Cognos 10.1 is now working using SSL at both the Gateway and the Dispatcher levels.

Enabling TM1 to connect to IBM Cognos 10.1 via SSL

TM1 will need to trust and access the certificate used in the IBM Cognos 10.1 dispatchers; for this to work we must export the certificate from the CA Keystore.  IBM provides a tool for this: ThirdPartyCertificateTool.bat (or on Linux / Unix ThirdPartyCertificateTool.sh).

Open a Command Prompt and navigate to your IBM Cognos 10.1 installation directory / bin folder (in my case c:\Program Files\IBM\Cognos\c10\bin).

You will need to set the JAVA_HOME variable so that it can use the IBM Cognos supplied JRE.  Enter the command:

set JAVA_HOME=c:\program files\ibm\cognos\c10\bin\jre\6.0\

Now run the following command to export the keys.  You will need to substitute my paths for your own.  I am exporting the certificate file to the root of c:\ to a file called cognos.cer.

ThirdPartyCertificateTool.bat -E -T -r c:\cognos.cer -k "c:\Program Files\ibm\cognos\c10\configuration\signkeypair\jCAKeystore" -p password

Where “password” is the password you set for your key stores in IBM Cognos Configuration.

You will get a response similar to the one below.

Note: If you get an error message with number CAM-CRP-1201 it seems to indicate that the password specified is incorrect.  Strangely if you actually omit the password you get an error that tells you that the password is wrong.

The file cognos.cer should now be in your output location.  Locate this file and copy it to a secure location on your TM1 Server.

With the file copied to your TM1 Server you will now need to edit the TM1s.cfg file to ensure that it knows where to find the certificate file.

You should have the following lines, edited for your installation.

ServerCAMURI=https://bi101.planitcpm.local:9343/p2pd/servlet/dispatch
ClientCAMURI=https://bi101.planitcpm.local/ibmcognos/cgi-bin/cognosisapi.dll
ClientPingCAMPassport=900
#Optional CAM parameters
CAMSSLCertificate=c:\cognos.cer
#CAMSSLCertRevList=
SkipSSLCAMHostCheck=TRUE

Once that has been updated you will need to save the file and restart your TM1 Services to allow the changes to be picked up.
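
A quick way to review these CAM settings before restarting TM1, as an added example (not code from the original article or from IBM). The function names are hypothetical, the sample text is constructed from the lines above, and the expected dispatcher host is whatever you entered as Server Common Name. It also flags SkipSSLCAMHostCheck=TRUE, which skips the host check on the certificate TM1 receives from the dispatcher.

```python
from urllib.parse import urlsplit

# Constructed sample: the CAM lines from the tm1s.cfg shown above.
SAMPLE_CFG = r"""
[TM1S]
IntegratedSecurityMode=5
ServerCAMURI=https://bi101.planitcpm.local:9343/p2pd/servlet/dispatch
ClientCAMURI=https://bi101.planitcpm.local/ibmcognos/cgi-bin/cognosisapi.dll
ClientPingCAMPassport=900
#Optional CAM parameters
CAMSSLCertificate=c:\cognos.cer
#CAMSSLCertRevList=
SkipSSLCAMHostCheck=TRUE
"""

def parse_tm1s_cfg(text):
    """Return the active key=value settings; '#' comment lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and "]" in line:
            line = line.split("]", 1)[1].strip()  # drop a section header such as [TM1S]
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def audit_cam_ssl(text, server_common_name, dispatcher_port=9343):
    """List problems with the CAM-over-SSL settings of one tm1s.cfg."""
    cfg = parse_tm1s_cfg(text)
    findings = []
    for key in ("ServerCAMURI", "ClientCAMURI"):
        if key not in cfg:
            findings.append(f"{key}: missing or commented out")
            continue
        url = urlsplit(cfg[key])
        if url.scheme != "https":
            findings.append(f"{key}: scheme is {url.scheme!r}, expected 'https'")
        if key == "ServerCAMURI":  # the dispatcher presents the Cognos-generated certificate
            if (url.hostname or "").lower() != server_common_name.lower():
                findings.append(f"{key}: host {url.hostname!r} is not the Server Common Name")
            if url.port != dispatcher_port:
                findings.append(f"{key}: port {url.port}, expected {dispatcher_port}")
    if not cfg.get("CAMSSLCertificate"):
        findings.append("CAMSSLCertificate: not set, TM1 has no exported certificate to trust")
    if cfg.get("SkipSSLCAMHostCheck", "").upper() == "TRUE":
        findings.append("SkipSSLCAMHostCheck: TRUE, the host check on the CAM certificate is skipped")
    return findings

if __name__ == "__main__":
    for finding in audit_cam_ssl(SAMPLE_CFG, "bi101.planitcpm.local"):
        print(finding)
```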

Now, to ensure that TM1 and BI can integrate correctly there are a few more steps to complete; these have been discussed in another blog article which can be found here:

TM1 and BI Integration

There are a few differences now, however. Importantly, the URLs specified in the various configuration files must use the HTTPS protocol, not HTTP, and you must reference the new port 9343 in place of 9300.

The files to update are on the BI / Gateway Server:

  • variables_TM1.xml

Which should now contain the following lines instead:

https://bi101.planitcpm.local/TM1Web/TM1WebMiniLogin.aspx

https://bi101.planitcpm.local/TM1Web/TM1WebLoginHandler.aspx

https://bi101.planitcpm.local/TM1Web/TM1WebMain.aspx

https://bi101/TM1Web/TM1WebMiniLogin.aspx

https://bi101/TM1Web/TM1WebLoginHandler.aspx

https://bi101/TM1Web/TM1WebMain.aspx

  • planning.html

Which should now contain the following line

// Update the following to point to the location of the planning service(s)
var planningServices = ["https://bi101.planitcpm.local:9343"];

Allowing TM1 Web to trust the BI Certificate

If you now run the initialize.jsp script from your installation of TM1 Contributor you will find that you get an error.

You are getting this error because the SSL certificate that was applied to your IIS server is not trusted by the IBM Cognos supplied Java environment.  We must run a command line application to import this file.

On the BI Server open a command prompt and navigate to c:\Program Files\IBM\Cognos\c10\bin\jre\6.0\bin and execute the following command:

keytool -import -alias caWeb -keystore "c:/program files/ibm/cognos/c10/bin/jre/6.0/lib/security/cacerts" -trustcacerts -file c:\CertificateName.cer

You will be prompted for a password, this is the default password used by the keytool app – enter “changeit” in lower-case.

We also need to run the command to import the certificate created by IBM Cognos 10.1 or we will see an error stating:

 

We must run a command line application to import the cognos.cer file.

On the BI Server open a command prompt and navigate to c:\Program Files\IBM\Cognos\c10\bin\jre\6.0\bin and execute the following command:

keytool -import -alias caRoot -keystore "c:/program files/ibm/cognos/c10/bin/jre/6.0/lib/security/cacerts" -trustcacerts -file c:\cognos.cer

You will be prompted for a password, this is the default password used by the keytool app – enter “changeit” in lower-case.

With this all completed you should now find that you can access TM1 Contributor using HTTPS as shown below:

As stated at the beginning of the article, please do comment or ask questions.  I know this article needs some refinement but I really did want to keep it as short and to the point as possible whilst still explaining the steps involved to get this working.

I would also like to thank Keith Faulkner from IBM Support who helped me get this working and organised the relevant people behind the scenes at IBM to get the right information out to me.

 

 

June 23, 2011

TM1 9.5.2 and BI 10.1 Integration

Having spent quite some time trying to figure out why our installation of TM1 Contributor would not work when using IBM Cognos 10 Integrated Security, we figured it may be worth a blog entry to make sure that others coming across this problem don’t run into the same issues.

There are a number of steps involved with getting the installation up and running but first, let's just outline the server topology.

  • 1x 32-bit BI Server (Gateway, Application Tier and Content Manager) with TM1 Portlets and TM1 Web and TM1 Contributor installed.
  • 1x 64-bit TM1 Application Server (Running as a TM1 Admin Server and also hosting the individual TM1 Servers)
  • 1x SQL Server hosting the Content Store database and miscellaneous other databases not directly related to the install.

We are assuming here that you can (and have) installed the different IBM Cognos products correctly and are now focussing on integrating these products.

Enabling IBM Cognos Security on the TM1 Server

On your TM1 Application Server you will have a number of TM1 Servers such as the Planning Sample TM1 Server.  Each TM1 Server has a file called tm1s.cfg that contains parameters used during the startup of your TM1 Server.  An example file is below:

# Security mode
## If IntegratedSecurityMode is set to 1. All clients must provide a database
# username and password. This is traditionally done through a login screen.
## If IntegratedSecurityMode is set to 2. The clients will have the choice
# to connect provide a database username and password or use the single-login
# mechanism for authentication.
## If IntegratedSecurityMode is set to 3. All clients must use the single-login
# mechanism for authentication.
## If this is not set the parameter will be set to 1 by default.
# GroupsCreationLimit
## Note: The GroupsCreationLimit server configuration parameter pre-allocates
# memory and should not be set higher than needed. Please see TM1 technical
# bulletin: GroupsCreationLimit Recommendations for more information on
# how this parameter works.
[TM1S]
ServerLogging=F
SecurityPackageName=Kerberos
IntegratedSecurityMode=5
UseSSL=T
ServerName=Planning Sample
DataBaseDirectory=C:\Program Files\Cognos\TM1\Custom\TM1Data\PlanSamp\
AdminHost=TM1952
PortNumber=12345
Language=ENG
SaveTime=
DownTime=
ProgressMessage=True
AuditLogOn=F
AuditLogMaxFileSize= 100 MB
AuditLogUpdateInterval=60
PersistentFeeders=F
ParallelInteraction=F
ServerCAMURI=http://bi101:9300/p2pd/servlet/dispatch
ClientCAMURI=http://bi101/ibmcognos/cgi-bin/cognosisapi.dll
ClientPingCAMPassport=900
#Optional CAM parameters
#CAMSSLCertificate=
#CAMSSLCertRevList=
#SkipSSLCAMHostCheck=TRUE
#CAMPortalVariableFile=portal\variables_plan.xml

To enable IBM Cognos 10.1 BI Integrated Security we need to change the value of "IntegratedSecurityMode" from 1 to 5.

Also by default the “ServerCAMURI”, “ClientCAMURI” and “ClientPingCAMPassport” values are commented out.  These need to be given the values for your server which can be obtained from IBM Cognos Configuration.

The TM1 Server will need to be restarted to pick up these values.

More detailed information on setting up the integrated security can be found here:

http://www.ibm.com/developerworks/data/library/cognos/page413.html

Installing the TM1 Portlets

The TM1 Portlets are used to provide integration between TM1 Web and IBM Cognos Connection. They are available as a separate download “TM1Portlets_10.1_mp.tar.gz” – the full list of part numbers is here:

| Parts and Platforms | Required/Optional | Details | Part number |
|---|---|---|---|
| IBM Cognos TM1 Quick Start Guide 9.5.2 Multilingual | Required | Describes the general steps required to install TM1. | CZW15ML |
| IBM Cognos TM1 Widget Updater 9.5.2 for BI 10.1.0 Multiplatform Multilingual | Optional | Updates the Cognos BI 10.1 TM1 Widgets, providing the TM1 CubeViewer and Websheet Widgets with new toolbars. | CZW16ML |
| IBM Cognos TM1 Portlets 9.5.2 for BI 8.4.0 Multiplatform Multilingual | Optional | Allows you to create portlets to view TM1 cube views and websheets in BI 8.4.0. | CZW1NML |
| IBM Cognos TM1 Portlets 9.5.2 for BI 8.4.1 Multiplatform Multilingual | Optional | Allows you to create portlets to view TM1 cube views and websheets in BI 8.4.1. | CZW1PML |
| IBM Cognos TM1 Portlets 9.5.2 for BI 10.1.0 Multiplatform Multilingual | Optional | Allows you to create portlets to view TM1 cube views and websheets in BI 10.1.0. | CZW1MML |

Once extracted and installed using the usual IBM Cognos InstallStream installer you will need to move and edit some files as follows:

From the location C:\Program Files\Cognos\TM1\Cadmin\gateway take the files

pmpsvc.war -> c:\Program Files\IBM\Cognos\c10\webapps
planning.html -> c:\Program Files\IBM\Cognos\c10\webcontent
variables_plan.xml -> c:\Program Files\IBM\Cognos\c10\templates\ps\portal

Once the files are moved in to place we need to perform some actions upon them.

pmpsvc.war

This file has been copied into the IBM Cognos 10 webapps folder; if the IBM Cognos 10.1 BI service is running it will automatically be extracted and loaded into memory.  This forms the TM1 Contributor Web Application and is now running in the bundled Tomcat instance.  It can also be deployed manually to another instance of Tomcat if you so choose.

planning.html

This file needs to be edited to contain the path to your PMPSVC application.  By default the file has the following line:

// Update the following to point to the location of the planning service(s)
var planningServices = ["http://localhost:8080"];

We must change the path to one that is correct for your installation such as:

// Update the following to point to the location of the planning service(s)
var planningServices = ["http://YOUR-BI-SERVER.DOMAIN.COM:9300"];

Be sure to get this exactly right as this is something that caught us out during our first installation.  Due to a number of other errors we were troubleshooting at the time we ended up with the “/pmpsvc” added to the end of the URL.  This is very bad and will result in the following error:

The planning service parameter was not specified or is not one of the configured locations

variables_plan.xml

This file does not need to be edited; the default file as below is correct and works out of the box:

<?xml version="1.0" encoding="UTF-8"?>
<CRNenv>
	<urls>
		<url>../planning.html</url>
	</urls>
</CRNenv>

variables_tm1.xml.sample

This file already exists in the c:\Program Files\IBM\Cognos\c10\templates\ps\portal folder but needs to be renamed to “variables_tm1.xml” and it also needs to be edited.  The default file looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<CRNenv>
	<urls>
<url>
		<url>http://tm1webhostname/tm1web/tm1weblogin.aspx</url>
		<url>http://tm1webhostname/tm1web/tm1webloginhandler.aspx</url>
		<url>http://tm1webhostname/tm1web/tm1webmain.aspx</url>
</url>
	</urls>
	<cookies>
		<param name="cam_passport"/>
	</cookies>
</CRNenv>

One thing to look out for is that in our initial installation there was an extra set of <url></url> tags that had to be removed.  They are the outer <url> and </url> lines wrapping the three URL entries in the file above (shown in red in the original post); these were not correct.

To ensure that TM1 Web is working correctly we need to add in all the permutations of the three URLs above, namely using the NETBIOS name and the full DNS name of the servers as well as any DNS aliases that you may have set up.

In our test server setup we had the following as an example:

<url>http://bi101.planitcpm.local/TM1Web/TM1WebMiniLogin.aspx</url>
<url>http://bi101.planitcpm.local/TM1Web/TM1WebLoginHandler.aspx</url>
<url>http://bi101.planitcpm.local/TM1Web/TM1WebMain.aspx</url>
<url>http://bi101/TM1Web/TM1WebMiniLogin.aspx</url>
<url>http://bi101/TM1Web/TM1WebLoginHandler.aspx</url>
<url>http://bi101/TM1Web/TM1WebMain.aspx</url>
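
The two mistakes described above (the stray <url></url> wrapper in variables_tm1.xml and a path such as /pmpsvc left on the planningServices entry in planning.html) can be checked before restarting the service. This is an added example, not code from the original post or from IBM; the function names and the sample inputs are constructed for illustration, and the page names are taken from the test-server list above. Pass scheme="https" when checking the files after a move to SSL.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Page names taken from the test-server URL list above.
PAGES = ("TM1WebMiniLogin.aspx", "TM1WebLoginHandler.aspx", "TM1WebMain.aspx")

def check_variables_tm1(xml_text, hosts, scheme="http"):
    """Flag nested <url> wrappers and missing host/page permutations."""
    urls = ET.fromstring(xml_text).find("urls")
    if urls is None:
        return ["no <urls> element found"]
    findings = []
    if any(len(child) for child in urls.findall("url")):
        findings.append("nested <url> element: remove the outer <url></url> pair")
    # Leaf <url> entries only; compared as exact strings (an assumption of this example).
    listed = {(el.text or "").strip() for el in urls.iter("url") if len(el) == 0}
    for host in hosts:
        for page in PAGES:
            expected = f"{scheme}://{host}/TM1Web/{page}"
            if expected not in listed:
                findings.append(f"missing {expected}")
    return findings

def check_planning_services(html_text):
    """Flag planningServices entries that carry a path such as /pmpsvc."""
    match = re.search(r"var\s+planningServices\s*=\s*\[(.*?)\]", html_text, re.S)
    if match is None:
        return ["planningServices array not found"]
    findings = []
    for entry in re.findall(r'"([^"]*)"', match.group(1)):
        url = urlsplit(entry)
        if url.path not in ("", "/"):
            findings.append(f"{entry}: remove the path {url.path!r}, keep scheme://host:port only")
    return findings

# Constructed inputs: a file with the stray wrapper, and the /pmpsvc mistake.
BAD_XML = """<?xml version="1.0" encoding="UTF-8"?>
<CRNenv><urls><url>
<url>http://bi101/TM1Web/TM1WebMiniLogin.aspx</url>
<url>http://bi101/TM1Web/TM1WebLoginHandler.aspx</url>
</url></urls><cookies><param name="cam_passport"/></cookies></CRNenv>"""
BAD_HTML = 'var planningServices = ["http://bi101.planitcpm.local:9300/pmpsvc"];'

if __name__ == "__main__":
    for finding in check_variables_tm1(BAD_XML, ["bi101"]) + check_planning_services(BAD_HTML):
        print(finding)
```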

Restart the services

With these files copied into place and edited correctly you should restart the IBM Cognos 10 service so that the new files are picked up.

Initialising the TM1 Contributor Web Application

We now need to set the parameters for the TM1 Contributor application. To do this, navigate to the URL set up earlier, e.g. http://servername.domain.com:9300/pmpsvc/ – assuming this is the first time you have run this, it will redirect automatically to the initialize.jsp page as shown below:

[Screenshot: TM1 Contributor initialise.jsp]

Ensure that you get all of the correct URLs in the fields, and also be sure to put the DNS name for your TM1 Admin Server into the Admin Host field, as it defaults to the local machine and won’t list any of your TM1 Servers.

The TM1 installation and IBM Cognos Business Intelligence will now be integrated.