Importing CA-signed SSL certificates for Cognos and DWH (Insight 7.3.5 and later)

You can add SSL certificates to enable enhanced authentication and encryption for your Data Warehouse and Cognos environment.

Before you begin

This procedure is for systems running OnCommnand Insight 7.3.5 and later.

About this task

You must have admin privileges to perform this procedure.


  1. Create a backup of ..\SANScreen\cognos\analytics\configuration\cogstartup.xml.
  2. Create a backup of the “certs” and “csk” folders under ..\ SANScreen\cognos\analytics\configuration.
  3. Generate a Certificate Encryption Request from Cognos. In an Admin CMD window, run:
    1. cd “\Program Files\sanscreen\cognos\analytics\bin”
    2. ThirdPartyCertificateTool.bat -java:local -c -e -p NoPassWordSet -a RSA -d “CN=FQDN,O=orgname,C=US” -r c:\temp\encryptRequest.csr
  4. Open the c:\temp\encryptRequest.csr file and copy the generated content.
  5. Input encryptRequest.csr content and generate a certificate using the CA signing portal and add the additional attribute "SAN:dns=FQDN (For example," .
    If you want to add SubjectAltName, google chrome complains if SubjectAltName is missing from the certificate for version 58 onwards.
  6. Download the chain certificates by including root certificate by using PKCS7 format
    This will download fqdn.p7b file
  7. Get a cert in .p7b format from your CA. Use a name that marks it as the certificate for the Cognos Webserver.
  8. Split the chain by exporting them individually as follows:
    1. Open the .p7b certificate in “Crypto Shell Extensions”.
    2. Browse in the left pane to “Certificates”.
    3. Right-click on root CA > All Tasks > Export.
    4. Select Base64 output.
    5. Enter a file name identifying it as the root certificate.
    6. Repeat steps 8a through 8c to export all of the certificates separately into .cer files.
    7. Name the files intermediateX.cer and cognos.cer.
  9. Ignore this step if you have only one CA certificate, otherwise merge both root.cer and intermediateX.cer into one file.
    1. Open intermediate.cer with NotePad and copy the content.
    2. Open root.cer with NotePad and save the content from 9a.
    3. Save the file as CA.cer.
  10. Import the certificates into the Cognos keystore using the Admin CMD prompt:
    1. cd “Program Files\sanscreen\cognos\analytics\bin”
    2. ThirdPartyCertificateTool.bat -java:local -i -T -r c:\temp\CA.cer
      This will set CA.cer as root Certificate Authority.
    3. ThirdPartyCertificateTool.bat -java:local -i -e -r c:\temp\cognos.cer -t c:\temp\CA.cer
      This will set Cognos.cer as encryption certificate which is signed by CA.cer.
  11. Open the IBM Cognos Configuration.
    1. Select Local Configuration--> Security --> Cryptography --> Cognos
    2. Change “Use third party CA?” to True.
    3. Save the configuration.
    4. Restart Cognos
  12. Export the latest Cognos certificate into cognos.crt using the Admin CMD prompt:
    1. "D:\Program Files\SANscreen\java\bin\keytool.exe" -exportcert -file “c:\temp\cognos.crt” -keystore "D:\Program Files\SANscreen\cognos\analytics\configuration\certs\CAMKeystore" -storetype PKCS12 -storepass NoPassWordSet -alias encryption 13. Take the backup of DWH server truststore at ..\SANscreen\wildfly\standalone\configuration\server.trustore
  13. Import the “c:\temp\cognos.crt” into dwh truststore to establish SSL communication between Cognos and DWH, using the Admin CMD prompt window.
    1. "D:\Program Files\SANscreen\java\bin\keytool.exe" -importcert -file “c:\temp\cognos.crt” -keystore "D:\Program Files\SANscreen\wildfly\standalone\configuration\server.trustore" -storepass changeit -alias cognoscert
  14. Restart the SANscreen service.
  15. Perform a backup of DWH to make sure DWH communicates with Cognos.