Skip to main content
OnCommand Insight

Importing CA-signed SSL certificates for Cognos and DWH (Insight 7.3.10 and later)

Contributors netapp-alavoie
PDFs

You can add SSL certificates to enable enhanced authentication and encryption for your Data Warehouse and Cognos environment.

Before you begin

This procedure is for systems running OnCommand Insight 7.3.10 and later.

Note

For the most up to date CAC and Certificate instructions, see the following Knowledgebase articles (Support login required):

About this task

You must have admin privileges to perform this procedure.

Steps

  1. Stop Cognos using the IBM Cognos Configuration tool. Close Cognos.

  2. Create backups of the ..\SANScreen\cognos\analytics\configuration and ..\SANScreen\cognos\analytics\temp\cam\freshness folders.

  3. Generate a Certificate Encryption Request from Cognos. In an Admin CMD window, run:

    1. cd “\Program Files\sanscreen\cognos\analytics\bin”

    2. ThirdPartyCertificateTool.bat -java:local -c -e -p <password> -a RSA -r c:\temp\encryptRequest.csr -d “CN=server.domain.com,O=NETAPP,C=US” -H “server.domain.com” -I “ipaddress”. Note: here -H and -I are to add subjectAltNames like dns and ipaddress.

    3. For <password>, use the password from the /SANscreen/bin/cognos_info.dat file.

  4. Open the c:\temp\encryptRequest.csr file and copy the generated content.

  5. Input the encryptRequest.csr content and generate certificate using CA signing portal.

  6. Download the chain certificates by including root certificate by using PKCS7 format

    This will download fqdn.p7b file

  7. Get a cert in .p7b format from your CA. Use a name that marks it as the certificate for the Cognos Webserver.

  8. ThirdPartyCertificateTool.bat fails to import the entire chain, so multiple steps are required to export all certificates. Split the chain by exporting them individually as follows:

    1. Open the .p7b certificate in “Crypto Shell Extensions”.

    2. Browse in the left pane to “Certificates”.

    3. Right-click on root CA > All Tasks > Export.

    4. Select Base64 output.

    5. Enter a file name identifying it as the root certificate.

    6. Repeat steps 8a through 8e to export all of the certificates separately into .cer files.

    7. Name the files intermediateX.cer and cognos.cer.

  9. Ignore this step if you have only one CA certificate, otherwise merge both root.cer and intermediateX.cer into one file.

    1. Open root.cer with NotePad and copy the content.

    2. Open intermediate.cer with NotePad and append the content from 9a (intermediate first and root next).

    3. Save the file as chain.cer.

  10. Import the certificates into the Cognos keystore using the Admin CMD prompt:

    1. cd “Program Files\sanscreen\cognos\analytics\bin”

    2. ThirdPartyCertificateTool.bat -java:local -i -T -r c:\temp\root.cer

    3. ThirdPartyCertificateTool.bat -java:local -i -T -r c:\temp\intermediate.cer

    4. ThirdPartyCertificateTool.bat -java:local -i -e -r c:\temp\cognos.cer -t c:\temp\chain.cer

  11. Open the IBM Cognos Configuration.

    1. Select Local Configuration-→ Security -→ Cryptography -→ Cognos

    2. Change “Use third party CA?” to True.

    3. Save the configuration.

    4. Restart Cognos

  12. Export the latest Cognos certificate into cognos.crt using the Admin CMD prompt:

    1. cd "`C:\Program Files\SANscreen"

    2. java\bin\keytool.exe -exportcert -file c:\temp\cognos.crt -keystore cognos\analytics\configuration\certs\CAMKeystore -storetype PKCS12 -storepass <password> -alias encryption

    3. For <password>, use the password from the /SANscreen/bin/cognos_info.dat file.

  13. Back up the DWH server trustore at..\SANscreen\wildfly\standalone\configuration\server.trustore

  14. Import the “c:\temp\cognos.crt” into DWH trustore to establish SSL communication between Cognos and DWH, using the Admin CMD prompt window.

    1. cd "`C:\Program Files\SANscreen"

    2. java\bin\keytool.exe -importcert -file c:\temp\cognos.crt -keystore wildfly\standalone\configuration\server.trustore -storepass <password> -alias cognos3rdca

    3. For <password>, use the password from the /SANscreen/bin/cognos_info.dat file.

  15. Restart the SANscreen service.

  16. Perform a backup of DWH to make sure DWH communicates with Cognos.

  17. The following steps should be performed even when only the “ssl certificate” is changed and the default Cognos certificates are left unchanged. Otherwise Cognos may complain about the new SANscreen certificate or be unable to create a DWH backup.

    1. cd “%SANSCREEN_HOME%cognos\analytics\bin\”

    2. “%SANSCREEN_HOME%java64\bin\keytool.exe” -exportcert -file “c:\temp\sanscreen.cer” -keystore “%SANSCREEN_HOME%wildfly\standalone\configuration\server.keystore” -storepass <password> -alias “ssl certificate”

    3. ThirdPartyCertificateTool.bat -java:local -i -T -r “c:\temp\sanscreen.cer”

    Typically, these steps are performed as part of the Cognos certificate import process described in How to import a Cognos Certificate Authority (CA) signed certificate into OnCommand DataWarehouse 7.3.3 and later