Importing CA-signed SSL certificates for Cognos and DWH (Insight 7.3.10 and later)

You can add SSL certificates to enable enhanced authentication and encryption for your Data Warehouse and Cognos environment.

Before you begin

This procedure is for systems running OnCommnand Insight 7.3.10 and later.

About this task

You must have admin privileges to perform this procedure.


  1. Stop Cognos using the IBM Cognos Configuration tool. Close Cognos.
  2. Create backups of the ..\SANScreen\cognos\analytics\configuration and ..\SANScreen\cognos\analytics\temp\cam\freshness folders.
  3. Generate a Certificate Encryption Request from Cognos. In an Admin CMD window, run:
    1. cd “\Program Files\sanscreen\cognos\analytics\bin”
    2. ThirdPartyCertificateTool.bat -java:local -c -e -p NoPassWordSet -a RSA -r c:\temp\encryptRequest.csr -d “,O=NETAPP,C=US” -H “” -I “ipaddress”. Note: here -H and -I are to add subjectAltNames like dns and ipaddress.
  4. Open the c:\temp\encryptRequest.csr file and copy the generated content.
  5. Input the encryptRequest.csr content and generate certificate using CA signing portal.
  6. Download the chain certificates by including root certificate by using PKCS7 format
    This will download fqdn.p7b file
  7. Get a cert in .p7b format from your CA. Use a name that marks it as the certificate for the Cognos Webserver.
  8. ThirdPartyCertificateTool.bat fails to import the entire chain, so multiple steps are required to export all certificates. Split the chain by exporting them individually as follows:
    1. Open the .p7b certificate in “Crypto Shell Extensions”.
    2. Browse in the left pane to “Certificates”.
    3. Right-click on root CA > All Tasks > Export.
    4. Select Base64 output.
    5. Enter a file name identifying it as the root certificate.
    6. Repeat steps 8a through 8e to export all of the certificates separately into .cer files.
    7. Name the files intermediateX.cer and cognos.cer.
  9. Ignore this step if you have only one CA certificate, otherwise merge both root.cer and intermediateX.cer into one file.
    1. Open root.cer with NotePad and copy the content.
    2. Open intermediate.cer with NotePad and append the content from 9a (intermediate first and root next).
    3. Save the file as chain.cer.
  10. Import the certificates into the Cognos keystore using the Admin CMD prompt:
    1. cd “Program Files\sanscreen\cognos\analytics\bin”
    2. ThirdPartyCertificateTool.bat -java:local -i -T -r c:\temp\root.cer
    3. ThirdPartyCertificateTool.bat -java:local -i -T -r c:\temp\intermediate.cer
    4. ThirdPartyCertificateTool.bat -java:local -i -e -r c:\temp\cognos.cer -t c:\temp\chain.cer
  11. Open the IBM Cognos Configuration.
    1. Select Local Configuration--> Security --> Cryptography --> Cognos
    2. Change “Use third party CA?” to True.
    3. Save the configuration.
    4. Restart Cognos
  12. Export the latest Cognos certificate into cognos.crt using the Admin CMD prompt:
    1. cd “C:\Program Files\SANscreen"
    2. java\bin\keytool.exe -exportcert -file c:\temp\cognos.crt -keystore cognos\analytics\configuration\certs\CAMKeystore -storetype PKCS12 -storepass NoPassWordSet -alias encryption
  13. Back up the DWH server trustore at..\SANscreen\wildfly\standalone\configuration\server.trustore
  14. Import the “c:\temp\cognos.crt” into DWH trustore to establish SSL communication between Cognos and DWH, using the Admin CMD prompt window.
    1. cd “C:\Program Files\SANscreen"
    1. java\bin\keytool.exe -importcert -file c:\temp\cognos.crt -keystore wildfly\standalone\configuration\server.trustore -storepass changeit -alias cognos3rdca
  15. Restart the SANscreen service.
  16. Perform a backup of DWH to make sure DWH communicates with Cognos.