Within all TM1 environments 9.5.X environments through to 10.2.2, Fix Pack 6, client (Performance Modeler, Cognos Insight, Architect, Perspectives) to server communications are encrypted by default using IBMs ‘Applix’ certificate chain of trusts and corresponding private keys. When all TM1 Server components and clients are installed and configured for the first time, the Applix Certificates are installed by default, with all components configured to bind to these certificates by default.

These default certificate have an expiry date of 24th November 2016 and after this date, will be unable to encrypt SSL communication across all tiers of a TM1 environment. When this occurs, each tier with a TM1 environment which interfaces onto one another, will be refused connection and therefore, TM1 functionality across the stack will cease to work.

IBM have now released the renewed Applix certificates which extends the year of expiry to 2026.

Please Note: the below instructions covers all TM1 10.2 (all builds) and all 10.2.2 environments. However, please note the points which only apply if you have version 10.2 up to 10.2.2 Fix Pack 4, Interim Fix 1. For any environment which is post 10.2.2 Fix Pack 4, please proceed to the steps indicated. If you are not sure how to identify what build of TM1 environment you are running, please see the following IBM Technote: http://www-01.ibm.com/support/docview.wss?uid=swg21964134.

For any environment pre 10.2, please see the following IBM Technote which will cover these earlier versions: http://www-01.ibm.com/support/docview.wss?uid=swg21991653

For any Express environment the following guidance has been released http://www-01.ibm.com/support/docview.wss?uid=swg21991652

There is also an interim fix available for download from IBM , for any TM1 environment before 10.2.2. When the Interim fix for 10.2.2. is released we will send out additional information. http://www-01.ibm.com/support/docview.wss?uid=swg21991790

For any environment pre 10.2, please see the following IBM Technote which will cover these earlier versions: http://www-01.ibm.com/support/docview.wss?uid=swg21991653

It should also be noted that should your TM1 environment be integrated with Cognos BI (or Cognos Analytics 11) security (CAMBI Security), then Cognos BI is also referred to as a client of TM1. In this scenario, please follow through to the relevant section in this guide to cover Cognos BI clients.

In addition to this, it should be noted that the ‘Applix’ client to server certificates are different to any third party ‘CA’ certificates which may be applied to the Web Interfaces of TM1. This includes the TM1 Application Web, TM1 Operations Console and TM1 Web. These third party certificates will continue to be managed by their own CA, chain of trusts and private keys. However, after renewing the Applix certificates described earlier in this guide, any third party SSL certificates which bind to TM1 Web Interfaces, may be required to be re-configured.

Should any client require further assistance with the renewal of the discussed certificates, Simpson Associates can offer Technical Consultancy to deliver this assistance. Please contact your Business Development Manager for further information.

Renewing TM1 Server and Client Certificates for TM1 10.2 to TM1 10.2.2

  1. Download the updated TM1 SSL Certificates from the following location:http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FCognos+TM1&fixids=BA-CTM1-SSL-ZIP-IF001

Should you not have access to the IBM Fix Central site, please contract Simpson Associates Support Desk, who will be able to provide this download directly.

  1. Stop all IBM Cognos TM1 Services in the environment you are updating
  2. Extract the downloaded file/archive and extract it to any directory. For the purpose of this document, our files will be extracted in to <tm1_install_dir>\tm1_64\NewSSLCerts\
  3. After extracting the files, look inside of your extracted folder <tm1_install_dir>\tm1_64\NewSSLCerts\ . The following files should be present.
  • applixca.der
  • applixca.pem
  • applixcacrl.p7b
  • applixcacrl.pem
  • tm1admsvrcert.pem
  • tm1store
  • tm1svrcert.pem.
  1. Back up the following directories in your <tm1_install_dir>
  • <tm1_install_dir>\tm1_64\bin\ssl
  • <tm1_install_dir>\tm1_64\bin64\ssl
  • <tm1_install_dir>\tm1_64\webapps\pmpsvc\WEB-INF\bin64\ssl
  1. Copy the contents of the folder you extracted earlier <tm1_install_dir>\tm1_64\NewSSLCerts\ , and place them inside of the 3 directories listed above in Step 5. During this process, you will be required to REPLACE all conflicting files as we must replace the old certificate files with new ones.
  2. After all files have been copied successfully, navigate to <tm1_install_dir>\tm1_64\bin64\ssl\
  3. Execute the uninstallSSL.bat file, to uninstall old keys from the Windows Keystore
  4. Execute the importsslcert.exe file, to install the new keys in to the Windows Keystore
  5. Open and run Windows Command Prompt as an Administrator. Navigate to <tm1_install_dir>\tm1_64\bin64\jre\7.0\bin . Execute the following command:
  • keytool -delete -alias applixcakeystore ..\lib\security\cacerts –storepass changeit
  • keytoolkeystore ..\lib\security\cacerts -alias applixca -import -file “<tm1_install_dir>\bin64\ssl\applixca.der” –storepass changeitnoprompt

*Note that your JRE location or password may have been changed during your installation and configuration. If the above does not work you will want to consult with whomever may have performed the installation and configuration of your environment.

NOTE: Steps 11 and 12 are only carried out for TM1 10.2 up to 10.2.2 Fix Pack 4 environments. Otherwise, please proceed to step 13 onwards.

  1. Navigate to and copy all NGTM1*.dll files from your <tm1_install_dir>\webapps\pmpsvc\WEB-INF\bin64\ directory
  2. Paste the NGTM1*.dll files on your clipboard, and paste in to your <tm1_install_dir>\bin64\ directory. If prompted, REPLACE/OVERWRITE any conflicting files (specifically the NGTM1API.DLL file)
  3. Navigate to <tm1_install_dir>\bin64\ and open/edit the service_pmpsvc.bat file
  • Find the line beginning with ‘set BASE_JVM_OPTIONS’
  • Append the following to the end of the string:
    ;-Dcom.ibm.cognos.tm1.bin=%PMPSVC_ROOT%\bin64
    ***Use %PMPSVC_ROOT% as is, you are not expected to modify this variable as it sets itself via the batch script. Do not forget the semi-colon at the beginning of the string.
  • Save your changes and close the open service_pmpsvc.bat file
  1. Open Windows Command Prompt as an Administrator, and navigate to <tm1_install_dir>\tm1_64\bin64\
  2. Execute the following commands in the sequence below. Nothing is really being ‘uninstalled’ – just re-registering the TM1 Services. If your TM1 Services were configured to run as a service account, be sure to update the service to include the service account again – as it will likely be lost with this step.
  • service_pmpsvc stop
  • service_pmpsvc uninstall
  • service_pmpsvc install

Start your IBM Cognos TM1 Services

Renewing TM1 Architect and Perspectives Client Certificates – All Versions

  1. Download the updated TM1 SSL Certificates from the following location: http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FCognos+TM1&fixids=BA-CTM1-SSL-ZIP-IF001

Should you not have access to the IBM Fix Central site, please contract Simpson Associates Support Desk, who will be able to provide this download directly.

  1. Stop all IBM Cognos TM1 Services in the environment you are updating
  2. Extract the downloaded file/archive and extract it to any directory. For the purpose of this document, our files will be extracted in to <tm1_client_install_dir>\tm1_64\NewSSLCerts
  3. After extracting the files, look inside of your extracted folder <tm1_client_install_dir>\tm1_64\NewSSLCerts\ . The following files should be present.
  • der
  • pem
  • p7b
  • pem
  • pem
  • tm1store
  • pem
  1. Back up the following directories in your <tm1_client_install_dir>
  • <tm1_client_install_dir>\tm1_64\bin\ssl
  • <tm1_client_install_dir>\tm1_64\bin64\ssl
    *Depending on the version of TM1 you are using, you may NOT have a bin64 directory. If you do not, simply skip this step as it is not required.
  1. Copy the contents of the folder you extracted earlier <tm1_client_install_dir>\tm1_64\NewSSLCerts\ , and place them inside of the 2 directories listed above in Step 4. During this process, you will be required to REPLACE all conflicting files as we must replace the old certificate files with new ones.
  2. After all files have been copied successfully, navigate to <tm1_client_install_dir>\tm1_64\bin\ssl\
  3. Execute the uninstallSSL.bat file, to uninstall old keys from the Windows Keystore
  4. Execute the importsslcert.exe file, to install the new keys in to the Windows Keystore

Renewing Performance Modeler and Cognos Insight Client Certificates – All Versions

  1. Download the updated TM1 SSL Certificates from the following location: http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FCognos+TM1&fixids=BA-CTM1-SSL-ZIP-IF001

Should you not have access to the IBM Fix Central site, please contract Simpson Associates Support Desk, who will be able to provide this download directly.

  1. Extract the downloaded file/archive and extract it to any directory. For the purpose of this document, our files will be extracted in to C:\NewSSLCerts\
  2. After extracting the files, look inside of your extracted folder C:\NewSSLCerts\ . The following files should be present.
  • der
  • pem
  • p7b
  • pem
  • pem
  • tm1store
  • pem
  1. In your Windows Start menu, find and right-click your IBM Cognos TM1 Performance Modeler / Cognos Insight shortcut and click ‘Open File Location’**If you are using IBM Cognos TM1 10.1.0 or TM1 10.1.1 Performance Modeler / Cognos Insight, they do not contain shortcuts in the Start menu by default. If you are not sure where Performance Modeler/Cognos Insight had been installed, you will need to launch Performance Modeler and then open Task Manager on your computer. With Task Manager open, look for the ModelingMDT process – on the Processes tab. Right click the ModelingMDT process and select ‘Open File Location’
  2. ‘C:\Users\username\AppData\Roaming\IBM\Cognos Performance Modeler\’ directory.
  3. From within the directory just opened, use the Windows Search utility to find all folders named ‘ssl’
    *Depending on your installation, you may have MULTIPLE directories. For example, if you have two versions of TM1 you use in your environment – you will likely have two unique versions of Performance Modeler that will require SSL file updates
  • An example SSL folder location would look like the following: C:\Users\username\AppData\Local\Programs\IBM\Cognos TM1 Performance Modeler\bins\bin_10.2.5240.84\tm1\bin\ssl
  • As well as: C:\Users\username\AppData\Local\Programs\IBM\Cognos TM1 Performance Modeler\bins\bin_10.2.5240.84\tm1\bin\tm1api101\ssl
  • And: C:\Users\username\AppData\Local\Programs\IBM\Cognos TM1 Performance Modeler\bins\bin_10.2.5240.84\tm1\bin\tm1api102\ssl
  1. Back up one of the SSL Folders to ensure that you have the original keys, just in case. This is more specific to a scenario in which you are simply testing this procedure – before rolling out to the masses.
  2. Copy the contents of the folder you extracted earlier C:\NewSSLCerts\ , and place them inside of ALL \ssl\ folder found in your Performance Modeler or Cognos Insight installation directory. During this process, you will be required to REPLACE all conflicting files as we must replace the old certificate files with new ones.

 

 

Back to blog