You can add SSL certificates to enable enhanced authentication and
encryption for your Data Warehouse and Cognos environment.
Before you begin
This procedure is for systems running OnCommnand Insight 7.3.3 and 7.3.4.
About this task
You must have admin privileges to perform this procedure.
Procedure
- Create a backup of ..\SANScreen\cognos\analytics\configuration\cogstartup.xml.
- Create a backup of the “certs” and “csk” folders under ..\ SANScreen\cognos\analytics\configuration.
-
Generate a Certificate Encryption Request from Cognos. In an Admin CMD window, run:
- cd “\Program Files\sanscreen\cognos\analytics\bin”
- ThirdPartyCertificateTool.bat -java:local -c -e -d “CN=FQDN,O=orgname,C=US” -r c:\temp\encryptRequest.csr
- Open the c:\temp\encryptRequest.csr file and copy the generated content.
- Input encryptRequest.csr content and generate a certificate using the CA signing portal and add the additional attribute "SAN:dns=FQDN (For example, win2k12r2image.na.ead.netapp.com)" .
If you want to add SubjectAltName, google chrome complains if SubjectAltName is missing from the certificate for version 58 onwards.
- Download the chain certificates by including root certificate by using PKCS7 format
This will download fqdn.p7b file
- Get a cert in .p7b format from your CA. Use a name that marks it as the certificate for the Cognos Webserver.
- Split the chain by exporting them individually as follows:
- Open the .p7b certificate in “Crypto Shell Extensions”.
- Browse in the left pane to “Certificates”.
- Right-click on root CA > All Tasks > Export.
- Select Base64 output.
- Enter a file name identifying it as the root certificate.
- Repeat steps 8a through 8c to export all of the certificates separately into .cer files.
- Name the files intermediateX.cer and cognos.cer.
- Ignore this step if you have only one CA certificate, otherwise merge both root.cer and intermediateX.cer into one file.
- Open intermediate.cer with NotePad and copy the content.
- Open root.cer with NotePad and save the content from 9a.
- Save the file as CA.cer.
- Import the certificates into the Cognos keystore using the Admin CMD prompt:
- cd “Program Files\sanscreen\cognos\analytics\bin”
- ThirdPartyCertificateTool.bat -java:local -i -e -r c:\temp\cognos.cer -t c:\temp\CA.cer
This will set CA.cer as root Certificate Authority.
- Open the IBM Cognos Configuration.
- Select Local Configuration--> Security --> Cryptography --> Cognos
- Change “Use third party CA?” to True.
- Save the configuration.
- Restart Cognos
- Export the latest Cognos certificate into cognos.crt using the Admin CMD prompt:
-
"D:\Program Files\SANscreen\java\bin\keytool.exe" -exportcert -file “c:\temp\cognos.crt” -keystore "D:\Program Files\SANscreen\cognos\analytics\configuration\certs\CAMKeystore" -storetype PKCS12 -storepass NoPassWordSet -alias encryption 13. Take the backup of DWH server trustore at ..\SANscreen\wildfly\standalone\configuration\server.trustore
-
Import the “c:\temp\cognos.crt” into dwh trustore to establish SSL communication between Cognos and DWH, using the Admin CMD prompt window.
-
"D:\Program Files\SANscreen\java\bin\keytool.exe" -importcert -file “c:\temp\cognos.crt” -keystore "D:\Program Files\SANscreen\wildfly\standalone\configuration\server.trustore" -storepass changeit -alias cognoscert
- Restart the SANscreen service.
- Perform a backup of DWH to make sure DWH communicates with Cognos.