Importing CA-signed SSL certificates for Cognos and DWH (Insight 7.3.5 to 7.3.9)

You can add SSL certificates to enable enhanced authentication and encryption for your Data Warehouse and Cognos environment.

Before you begin

This procedure is for systems running OnCommnand Insight 7.3.5 through 7.3.9.

About this task

You must have admin privileges to perform this procedure.


  1. Create a backup of ..\SANScreen\cognos\analytics\configuration\cogstartup.xml.
  2. Create a backup of the “certs” and “csk” folders under ..\ SANScreen\cognos\analytics\configuration.
  3. Generate a Certificate Encryption Request from Cognos. In an Admin CMD window, run:
    1. cd “\Program Files\sanscreen\cognos\analytics\bin”
    2. ThirdPartyCertificateTool.bat -java:local -c -e -p NoPassWordSet -a RSA -d “CN=FQDN,O=orgname,C=US” -r c:\temp\encryptRequest.csr
  4. Open the c:\temp\encryptRequest.csr file and copy the generated content.
  5. Send the encryptRequest.csr to the certificate authority (CA) to obtain an SSL certificate.
    Make sure to add additional attributes such as “SAN:dns=FQDN (For example,” to add the SubjectAltName. Google Chrome version 58 and later complains if the SubjectAltName is missing from the certificate.
  6. Download the chain certificates by including root certificate by using PKCS7 format
    This will download fqdn.p7b file
  7. Get a cert in .p7b format from your CA. Use a name that marks it as the certificate for the Cognos Webserver.
  8. ThirdPartyCertificateTool.bat fails to import the entire chain, so multiple steps are required to export all certificates. Split the chain by exporting them individually as follows:
    1. Open the .p7b certificate in “Crypto Shell Extensions”.
    2. Browse in the left pane to “Certificates”.
    3. Right-click on root CA > All Tasks > Export.
    4. Select Base64 output.
    5. Enter a file name identifying it as the root certificate.
    6. Repeat steps 8a through 8c to export all of the certificates separately into .cer files.
    7. Name the files intermediateX.cer and cognos.cer.
  9. Ignore this step if you have only one CA certificate, otherwise merge both root.cer and intermediateX.cer into one file.
    1. Open intermediate.cer with NotePad and copy the content.
    2. Open root.cer with NotePad and save the content from 9a.
    3. Save the file as CA.cer.
  10. Import the certificates into the Cognos keystore using the Admin CMD prompt:
    1. cd “Program Files\sanscreen\cognos\analytics\bin”
    2. ThirdPartyCertificateTool.bat -java:local -i -T -r c:\temp\CA.cer
      This will set CA.cer as root Certificate Authority.
    3. ThirdPartyCertificateTool.bat -java:local -i -e -r c:\temp\cognos.cer -t c:\temp\CA.cer
      This will set Cognos.cer as encryption certificate which is signed by CA.cer.
  11. Open the IBM Cognos Configuration.
    1. Select Local Configuration--> Security --> Cryptography --> Cognos
    2. Change “Use third party CA?” to True.
    3. Save the configuration.
    4. Restart Cognos
  12. Export the latest Cognos certificate into cognos.crt using the Admin CMD prompt:
    1. "D:\Program Files\SANscreen\java\bin\keytool.exe" -exportcert -file “c:\temp\cognos.crt” -keystore "D:\Program Files\SANscreen\cognos\analytics\configuration\certs\CAMKeystore" -storetype PKCS12 -storepass NoPassWordSet -alias encryption
  13. Import the “c:\temp\cognos.crt” into dwh trustore to establish SSL communication between Cognos and DWH, using the Admin CMD prompt window.
    1. "D:\Program Files\SANscreen\java\bin\keytool.exe" -importcert -file “c:\temp\cognos.crt” -keystore "D:\Program Files\SANscreen\wildfly\standalone\configuration\server.trustore" -storepass changeit -alias cognoscert
  14. Restart the SANscreen service.
  15. Perform a backup of DWH to make sure DWH communicates with Cognos.