Notice: There is an Important Issue That will affect All TM1 Installations and Versions
IBM Cognos TM1 ships with a digital certificate called an SSL (“secure Socket Layer”) certificate that is used to securely encrypt communication between the TM1 server and its web and non-web (TM1 Perspectives and TM1 Architect) clients. It’s basically a set of files that sit on the TM1 server. These certificates have expiration dates and it was recently realized that the one that ships with TM1 will expire on November 24, 2016 causing any TM1 server using the certificate to stop communicating with its clients. In other words: TM1 will STOP WORKING unless the certificate files are replaced.
This is an important issue that will affect ALL TM1 INSTALLATIONS AND VERSIONS.
Solution options are provided below. For more information on QueBit TM1 services see:
- TM1 Automated Report Bursting
QueBIT Maximizes the Productivity of Your TM1 Implementation
- TM1 Financial Consolidations
Building a Financial Consolidation Model
- TM1 Financial Planning & Analysis
The Burdens of Financial Planning and Analysis
The Bad News
TM1 may stop working on November 24, 2016, unless you have already taken action
We believe that this will affect most QueBIT customers.
An issue has been discovered within the 1024-bit SSL Certificate used by TM1 for communication within the application (e.g. Admin Server) and to the client tools (e.g. Perspectives). This issue is that the SSL Certificate IBM shipped with the TM1 Software will expire at midnight on 11/24/2016 and IBM has not done a good enough job of communicating this critical issue to customers.
The issue lies in the default use of the 1024-bit SSL Certificate shipped with the IBM Cognos TM1 that is set to expire on 11/24/2016 and is one that every IBM Cognos TM1 customer will have to deal with as it is a software configuration issue rather than a software bug that could be fixed via a software patch.
The potential impact of the 1024-bit SSL Certificate expiring is that the TM1 Instance will stop work once the Default SSL Certificate has expired and may result in data loss.
The Good News
There are solutions, and QueBIT is here to help if you need it!
If you took the step earlier of installing your own SSL certificates in order to secure your web communication with the TM1 server, you may be OK, but we would still recommend that you verify that the certificates in use for Perspectives client communication were also updated as part of that process.
If you are part of the majority of our customers who have not changed anything, and are still using the default set of 1024-bit SSL certificates that shipped with the product, you must take action in order for TM1 to continue to work after November 24, 2016:
Here are the options:
- IBM shipped a new 2048-bit SSL Certificate with TM1 v10.2.2 GA and newer releases that is valid until 2022. If you are on a TM1 10.2.2 release, you already have the new certificate and all you need to do is replace the Default set of 1024-bit SSL Certificates with the optional set of 2048-bit SSL Certificates, these are marked and known as the v2 set and are set to expire in 2022.
The procedure for replacing the SSL Certificates is outlined by the IBM TechNote 1697266.
How to configure TM1 to use the bundled 2048-bit SSL Certificate
- If you are not already on TM1 10.2.2, and are ready to upgrade before November 24, 2016, be aware that you will still need to take the extra step of replacing the default certificate with the new one.
- If you are not already on TM1 10.2.2 and are NOT ready to upgrade before November 24, 2016 please contact QueBIT to review your options.
- Replacing the Default set of 1024-bit SSL Certificates with valid SSL Certificates not provided with TM1 is also an option. However, this option is for clients that have a means to manage and troubleshoot their own SSL Certificates via their IT group.
Note: Merely upgrading TM1 to v10.2.2 or installing a Fix Pack will not fix this issue as it is not an application code issue, but instead an application configuration issue.
Please do not hesitate to reach out to your friends at QueBIT at firstname.lastname@example.org for more information on this issue, and to make a plan to address it. If you have been thinking about upgrading TM1 for a while, there is still time to get it done, and QueBIT is available to help!
The following link to the IBM Knowledge Center will provide you all the information necessary to learn more about how TM1 can use/uses SSL and how to configure TM1 to use SSL were permitted.
Using SSL for data transmission security in TM1