Blog

How to Fix TM1’s Expiring SSL Certificates

Posted by: Ryan Clapp

Sep 27, 2016 10:45:20 AM

This is a follow up to our blog post titled, “QueBIT Blog - WARNING: TM1 may STOP WORKING on November 24, 2016.”  

This blog takes a critical look at all of the available solutions to solve the upcoming TM1 SSL expiration issue. It also provides a way to find the best solution for your TM1 system, as well as methods to test the solution was successful.

For more information on QueBit TM1 services see:

Options based on your TM1 Version

The options you have are limited by your TM1 version. The infographic below shows the options by version.

Chart showing SSL fix based on TM1 version

upgrade TM1 arrow

 

Options by TM1 Client Connectivity

chart reviewing your options - Client provided certifications, IBM Provided Fix, v2 Certifications, or Rename Certificates

 

Technical Notes on TM1 from IBM

Using the IBM Provided Fix

IBM is working on an update for all supported versions of TM1. This update is not yet available, but is coming soon. The update will replace the existing 1024 bit certificates. IBM has issued the following tech-note http://www-01.ibm.com/support/docview.wss?uid=swg21990588

Users of Cognos Express: A fix for Cognos Express (which bundles with TM1) will also be made available. Depending on the version of Cognos Express, a manual approach (which will be documented) may be required.

SSL3.jpg 
Move to v2 2048-bit certificates
All installs of TM1 10.2.2 ship with 2048 bit certificates as well as the default 1024 bit certificates. To change to the 2048 bit certificates, follow the steps in this tech-note:

 http://www-01.ibm.com/support/docview.wss?uid=swg21697266

To continue using TM1Top you must add the admin server ssl ca to the tm1top.ini configuration file. For example: adminsvrsslcertauthority=C:\Program Files\ibm\cognos\tm1_64\bin\ssl\tm1ca_v2.pem. (Do not put the path in quotes) You must also ensure that the TM1Top SSL folder is a copy of the TM1 Server SSL directory.         

If BI is connected to TM1 the TM1 certificate information needs to be updated on the BI server. You can find details in this tech note. http://www-01.ibm.com/support/docview.wss?uid=swg21644290. The solution requires access to copy files from TM1 server to the BI server, as well as file edit permissions on the BI server.

SSL4.jpg

Users of Cognos Express: This is not supported for Cognos Express versions prior to 10.2.2 (enterprise based installs)

Enabling WebWORQ to use v2 Certificates

Step 1: Locate the SSL directory

If your WebWORQ and TM1 Server share the same machine locate the TM1 SSL directory,

<TM1 Install Dir>/tm1_64/bin64/ssl

If WebWORQ is hosted on a separate machine the SSL directory should be in a similar location. If the SSL directory is not there, you can copy it from your TM1 Server

Step 2: Edit the web.config file

You can find the web.config file in the root directory of your WebWORQ site. A sample one is located in the WebWORQ install directory ( \Program Files\QueBIT\FrameWORQ\WebWORQ\Web). Open the file in the text editor of your choice, I prefer notepad++ but notepad works as well.

Locate the section that pertains to SSL Communication, it should look like this:

SSL9.jpg

Remove the XML comment tags, “<!—“ and “-->”, around the “add key” portion so it looks like this.

SSL10.jpg

Update the file paths to point to the new certificates.

SSL11.jpg

Step 3: Save and Test

Save the changes to the web.config file, this will trigger a restart of IIS. You can now test WebWORQ to make sure it can connect to TM1.

Provide your own certificates
Though a standard TM1 installation is configured to use SSL by relying on the certificates installed in the TM1_install_dir\bin\SSL directory, you could use your own certificates to maximize security. This process can be very complicated and requires knowledge of encryption technologies like OpenSSL. Instructions can be found here:

10.2.2: http://www.ibm.com/support/knowledgecenter/SS9RXT_10.2.2/com.ibm.swg.ba.cognos.tm1_inst.10.2.2.3.doc/c_usingindependentcertificates_n1207c4.html#UsingIndependentCertificates_N1207C4

10.2.0: http://www.ibm.com/support/knowledgecenter/SS9RXT_10.2.0/com.ibm.swg.ba.cognos.tm1_inst.10.2.0.doc/c_usingindependentcertificates_n1207c4.html

10.1.0: http://www.ibm.com/support/knowledgecenter/SS9RXT_10.1.0/com.ibm.swg.ba.cognos.tm1_inst.10.1.0.doc/c_usingindependentcertificates_n1207c4.html

SSl5.jpg 

Users of Cognos Express: This is not supported for Cognos Express versions prior to 10.2.2 (enterprise based installs)

Rename certificates
Use the v2 (2048 bit) certificates by renaming them to match the v1 names. We have tested the approach and it works. Note this method is not officially supported by IBM

SSL6.jpg 

Step 1: Backup
Take note of all of your SSL directories and back them up by making a copy and renaming them ssl-bak

  • Install/bin/ssl
  • Install/bin64/ssl
  • Client Install/bin/ssl
  • Client Install/bin64/ssl
  • Remote TM1Top Directory

Step 2: Create a sample SSL directory
In one of the ssl directories delete for following files:

  • applixca.pem
  • applixcacrl.pem
  • tm1admsvrcert.pem
  • tm1svrcert.pem

Rename the following files

  • tm1ca_v2.pem change to applixca.pem
  • tm1cacrl_v2.pem change to applixcacrl.pem
  • tm1admsvrvert_v2.pem change to tm1admsvrcert_v2.pem
  • tm1svrcert_v2.pem change to tm1svrcert.pem

Step 3: Copy SSL Files
Replace all SSL directories noted in step 1 with the directory created in step 4

Step 4: Test
Test that perspectives, architect, and TM1Top can continue to connect

Users of Cognos Express: This is not supported for Cognos Express versions prior to 10.2.2 (enterprise based installs)

 

Deciding What is Right for You

With so many different options it is important to understand which one fits your system best. We invite you visit our TM1 SSL Decision Assistance website.

 

Testing Your Solution

Once the fixes are in place there are few ways to test if the changes were successful.

  • Review the admin server log: <install dir>/tm1_64/bin64/tm1admsrv.log look for the certificate authority in the server registration

SSL7.jpg

  • Review the TM1Server.log for SSL Settings
SSL8.jpg
  • Turn your system clock forward past the expiration date (11/24/2016). Only do this on a non-production system. Please be aware of governance and compliance rules regarding tests like this.

 

   

Blog Search

Subscribe to Email Updates

Popular Posts

Recent Posts

Follow Me