Cognos Analytics


Renewing SSL certificates in Cognos 11.1.7 FP3 - PKI entry not found

  • 1.  Renewing SSL certificates in Cognos 11.1.7 FP3 - PKI entry not found

    Posted 3 days ago
    Hello everyone, we recently upgraded our test environment of Cognos Analytics from 11.1.3 to 11.1.7 FP3. That went well with an over the top installation.  I am now trying to regenerate the certificates and getting a PKI Entry not found.

    IBM has produced new documentation for certificate management in Cognos with this version at https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=options-certificate-management-in-cognos-analytics.

    One item of note is that instead of manually deleting files and folders related to certs, IBM has a shorter method that has you open Config and set the Use Third Party To CA to false and then save. Everything went well until I tried to import the new certificate into the keystore. Prior to that, importing the CA root went without issue. When I search IBM for the PKI entry not found I find a single article https://www.ibm.com/support/pages/node/1087017 that indicates that the signature algorithm for the certificate must be SHA256WithRSA. However, the new certificate is definitely the correct signature algorithm. I did note that in this version the jre location has changed from install_location/jre to install_location/ibm-jre/jre. I was sure to set my JAVA_HOME environment variable.

    I have opened a case with IBM but they immediately sent me the 'old link' for the ssl, and when I responded with a question about the new documentation they responded that they need to compare articles!  

    Any advice is greatly appreciated.
    Thanks


    ------------------------------
    Penny Flower
    ------------------------------


  • 2.  RE: Renewing SSL certificates in Cognos 11.1.7 FP3 - PKI entry not found

    Posted 2 days ago
    Hi Penny,

    Couple of things to try...

    - If you open the keystore using the ikeyman tool, do you see the 'encryption' certificate and does it show the correct signature algorithm?  And do you see the root certificate in there as well (under signer certs)?
    - Have you tried resetting the keystore back to its default state and then reimporting the certificates?

    ------------------------------
    Brian Simpson
    ------------------------------



  • 3.  RE: Renewing SSL certificates in Cognos 11.1.7 FP3 - PKI entry not found

    Posted 2 days ago
    Penny, setting third party CA to false and saving would have generated a new key store with the internal certificates for encryption and signer. I don't think that is a correct step when implementing 3rd party CA. The steps used to be something like delete the existing certificate stores, run third party certificate tool to create new ones compatible with 3rd party CA and generate the CSR to be signed, back up the certificate stores for emergency, get them signed and import them. Hopefully you have a backup of the folder from right after generating the CSR.

    ------------------------------
    Robert Hofstetter
    ------------------------------



  • 4.  RE: Renewing SSL certificates in Cognos 11.1.7 FP3 - PKI entry not found

    Posted 2 days ago
    My mistake was not clearing the certs folder before starting the process with a csr, getting and importing the new certs.  Once I added that step everything went smoothly.
    Thank you both for your responses Brian and Robert.

    ------------------------------
    Penny Flower
    ------------------------------
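
Added example, not part of any post in this thread and not IBM tooling: checks to run with openssl before importing a CA-signed certificate, covering the points the thread raises (the SHA256WithRSA signature algorithm, which OpenSSL prints as sha256WithRSAEncryption, the CSR the certificate was issued for, and the CA root). PEM-encoded files and all file names are assumptions; `make_sample` builds constructed test material only.

```shell
#!/bin/sh
# Added example: pre-import checks for a CA-signed certificate.
# Assumes the certificate, CSR and CA root are available as PEM files.

# Signature algorithm as OpenSSL names it
# (Java's SHA256WithRSA corresponds to sha256WithRSAEncryption).
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Args: signed certificate, CSR it was requested with, CA root.
# Prints one line per failed check; returns 0 only if all checks pass.
preimport_check() {
    rc=0
    alg=$(sig_alg "$1")
    if [ "$alg" != "sha256WithRSAEncryption" ]; then
        echo "FAIL signature algorithm is $alg"; rc=1
    fi
    # A certificate issued for a different key pair than the one behind
    # this CSR carries a different public key.
    if [ "$(openssl x509 -in "$1" -noout -pubkey)" != \
         "$(openssl req -in "$2" -noout -pubkey)" ]; then
        echo "FAIL certificate public key does not match the CSR"; rc=1
    fi
    if ! openssl verify -CAfile "$3" "$1" >/dev/null 2>&1; then
        echo "FAIL certificate does not chain to the supplied CA root"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}

# Constructed sample material: a throwaway CA, a CSR, the certificate
# signed from it, and a second CSR generated from an unrelated key pair.
make_sample() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=cognos.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -sha256 -days 2 -out "$d/srv.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=cognos.example.test" \
        -keyout "$d/other.key" -out "$d/other.csr" 2>/dev/null
}
```

Call it as `preimport_check signed.pem request.csr ca_root.pem` (hypothetical file names) on copies of the files, not on the live certificate stores.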