This is a follow up to our blog post titled, “QueBIT Blog - WARNING: TM1 may STOP WORKING on November 24, 2016.”
This blog takes a critical look at all of the available solutions to solve the upcoming TM1 SSL expiration issue. It also provides a way to find the best solution for your TM1 system, as well as methods to test the solution was successful.
For more information on QueBit TM1 services see:
The options you have are limited by your TM1 version. The infographic below shows the options by version.
IBM is working on an update for all supported versions of TM1. This update is not yet available, but is coming soon. The update will replace the existing 1024 bit certificates. IBM has issued the following tech-note http://www-01.ibm.com/support/docview.wss?uid=swg21990588
Users of Cognos Express: A fix for Cognos Express (which bundles with TM1) will also be made available. Depending on the version of Cognos Express, a manual approach (which will be documented) may be required.
Move to v2 2048-bit certificates
All installs of TM1 10.2.2 ship with 2048 bit certificates as well as the default 1024 bit certificates. To change to the 2048 bit certificates, follow the steps in this tech-note:
http://www-01.ibm.com/support/docview.wss?uid=swg21697266
To continue using TM1Top you must add the admin server ssl ca to the tm1top.ini configuration file. For example: adminsvrsslcertauthority=C:\Program Files\ibm\cognos\tm1_64\bin\ssl\tm1ca_v2.pem. (Do not put the path in quotes) You must also ensure that the TM1Top SSL folder is a copy of the TM1 Server SSL directory.
If BI is connected to TM1 the TM1 certificate information needs to be updated on the BI server. You can find details in this tech note. http://www-01.ibm.com/support/docview.wss?uid=swg21644290. The solution requires access to copy files from TM1 server to the BI server, as well as file edit permissions on the BI server.
Users of Cognos Express: This is not supported for Cognos Express versions prior to 10.2.2 (enterprise based installs)
If your WebWORQ and TM1 Server share the same machine locate the TM1 SSL directory,
<TM1 Install Dir>/tm1_64/bin64/ssl
If WebWORQ is hosted on a separate machine the SSL directory should be in a similar location. If the SSL directory is not there, you can copy it from your TM1 Server
You can find the web.config file in the root directory of your WebWORQ site. A sample one is located in the WebWORQ install directory ( \Program Files\QueBIT\FrameWORQ\WebWORQ\Web). Open the file in the text editor of your choice, I prefer notepad++ but notepad works as well.
Locate the section that pertains to SSL Communication, it should look like this:
Remove the XML comment tags, “<!—“ and “-->”, around the “add key” portion so it looks like this.
Update the file paths to point to the new certificates.
Save the changes to the web.config file, this will trigger a restart of IIS. You can now test WebWORQ to make sure it can connect to TM1.
Provide your own certificates
Though a standard TM1 installation is configured to use SSL by relying on the certificates installed in the TM1_install_dir\bin\SSL directory, you could use your own certificates to maximize security. This process can be very complicated and requires knowledge of encryption technologies like OpenSSL. Instructions can be found here:
Users of Cognos Express: This is not supported for Cognos Express versions prior to 10.2.2 (enterprise based installs)
Rename certificates
Use the v2 (2048 bit) certificates by renaming them to match the v1 names. We have tested the approach and it works. Note this method is not officially supported by IBM
Step 1: Backup
Take note of all of your SSL directories and back them up by making a copy and renaming them ssl-bak
Step 2: Create a sample SSL directory
In one of the ssl directories delete for following files:
Rename the following files
Step 3: Copy SSL Files
Replace all SSL directories noted in step 1 with the directory created in step 4
Step 4: Test
Test that perspectives, architect, and TM1Top can continue to connect
Users of Cognos Express: This is not supported for Cognos Express versions prior to 10.2.2 (enterprise based installs)
With so many different options it is important to understand which one fits your system best. We invite you visit our TM1 SSL Decision Assistance website.
Once the fixes are in place there are few ways to test if the changes were successful.