Planning Analytics

 View Only
Expand all | Collapse all

PA and CAM security with SSL (SystemServerClientNotFound)

  • 1.  PA and CAM security with SSL (SystemServerClientNotFound)

    Posted Wed January 27, 2021 10:39 AM
    Hello,

    I'm stuck with an issue regarding CAM security and SSL.
    It was all fine running PA and CA on http. CAM security was working in sec. mode 5.

    Now I changed the CA server to https and now PA can't login with CAM credentials anymore.
    On the other hand, CA can't read the PA cube anymore.

    The error message (SystemServerClientNotFound) leads me to a trusting problem. I've already followed the instructions given here (https://www.ibm.com/support/pages/how-configure-planning-analytics-connect-ssl-secured-cognos-dispatcher) but still the same error.

    my tm1s points to the https URIs, CAMUseSSL=T is set, and I#ver tried with and without the CAMSSLCertificate setting.

    I'm trying in Architect, that's the only TM1 application that I really use. Does anybody know how to solve this or can anyone point out how to get more information out of the logfiles?

    Thanks a lot.... this installation is driving me crazy....
    Best Regards
    Stefan

    ------------------------------
    Stefan Held
    ------------------------------

    #PlanningAnalyticswithWatson


  • 2.  RE: PA and CAM security with SSL (SystemServerClientNotFound)

    Posted Thu January 28, 2021 04:23 AM
    Edited by System Fri January 20, 2023 04:14 PM

    Based on your ssl topic in the CA section, your dispatcher is secured with a custom ssl certificate.
    The sample import strings from the article you listed, assumes usage of the build in ssl certificate, which only has a Root certificate to import.
    Most custom certificates have both an Intermediate and a Root certificate in the path, and both need to be imported.
    More complex custom certificates can even have more then 1 intermediate certificates.

    When importing multiple for example, you would need 2 lines:
    gsk8capicmd_64 -cert -add -db "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ibmtm1.kdb" -stashed -label caRoot -file "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\caRoot.cer" -format ascii -trust enable
    gsk8capicmd_64 -cert -add -db "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ibmtm1.kdb" -stashed -label caInter -file "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\caInter.cer" -format ascii -trust enable

    To see what is in the keystore you can run:
    gsk8capicmd_64 -cert -list -db "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ibmtm1.kdb" -stashed
     
    You CA may need to have the PA ssl certificate ibmtm1.arm imported as described here:
    https://www.ibm.com/support/pages/node/295051



    ------------------------------
    STEFAN VERMEULEN
    ------------------------------

    Original Message


  • 3.  RE: PA and CAM security with SSL (SystemServerClientNotFound)

    Posted Wed February 03, 2021 04:10 AM
    Stefan,

    thanks for your reply.
    to me, the certificate entries look pretty much standard.

    This is what I get from the gsk8....-list command
    ! tm1ca_v2
    ! applixca
    ! caRoot
    *- ibmtm1_server
    - tm1svr_v2
    - tm1adminsvr_v2
    - tm1svr
    - tm1adminsvr

    as described in the support article, I've added the caRoot exported from the dispatcher, trusted.
    How to Configure Planning Analytics to Connect to an SSL Secured Cognos Dispatcher
    Ibm remove preview
    How to Configure Planning Analytics to Connect to an SSL Secured Cognos Dispatcher
    If you intend to use CAM Security (IntegratedSecurityMode=5) for your Planning Analytics authentication and your Cognos Dispatcher is secured with SSL, you must perform additional steps to ensure that the Cognos Dispatcher certificate authorities are trusted by the Planning Analytics keystore.
    View this on Ibm >


    Maybe the problem is, that CA and PA are running on the same server here?
    On the other hand, I have the same problem connecting the additional gateway,  discussed in the other group. What can be wrong with the built-in certificate?

    Stefan

    ------------------------------
    Stefan Held
    ------------------------------

    Original Message


  • 4.  RE: PA and CAM security with SSL (SystemServerClientNotFound)

    Posted Wed February 03, 2021 04:38 AM

    The "caRoot" entry in your PA camkeystore is indeed the correct certificate authority to trust the CA default build in ssl certificate called "CAMUSER".
    Are both your CA servers (application server and gateway server) now ssl secured with the build in certificate, or did you use a custom created certificate on any of these 2?
    As you describe still having issues with your CA, it is not wise to continue with PA at this point. 
    I would suggest to fix the CA section first.
     



    ------------------------------
    STEFAN VERMEULEN
    ------------------------------

    Original Message


  • 5.  RE: PA and CAM security with SSL (SystemServerClientNotFound)

    Posted Thu January 28, 2021 05:05 PM
    Stefan

    I am on 2.0.9.1 PA, and found that CAMUseSSL is a redundant parameter in the tm1s.cfg. We are now using UseSSL=T

    Have you also ensured that this parameter is updated in the tm1s.cfg ?

    ClientCAMURI=https://yourservername:443/ibmcognos/bi/v1/disp​

    ------------------------------
    Ajay
    ------------------------------

    Original Message


  • 6.  RE: PA and CAM security with SSL (SystemServerClientNotFound)

    Posted Thu January 28, 2021 05:05 PM
    Stefan

    I am on 2.0.9.1 PA, and found that CAMUseSSL is a redundant parameter in the tm1s.cfg. We are now using UseSSL=T

    Have you also ensured that this parameter is updated in the tm1s.cfg ?

    ClientCAMURI=https://yourservername:443/ibmcognos/bi/v1/disp

    Ajay
    ​​

    ------------------------------
    Ajay Chandhok
    ------------------------------

    Original Message


  • 7.  RE: PA and CAM security with SSL (SystemServerClientNotFound)

    Posted Thu January 28, 2021 05:08 PM
    Hi Stefan

    Under the Environment settings in IBM Cognos Configuration, did you change the port number in the Gateway URI from 9300 to 443 ? You must save the change and then stop and start the "Local Configuration".

    You will also need to update the "TM1 Application Server Gateway", "External URI" and "TM1 Application Server Gateway" with the https. Then save and restart Cognos Configuration.

    Have you also updated the ClientCAMURI in the tm1s.cfg file, with the new https and 443 port number ?

    Additional, I was under the impression that the CAMUseSSL in your tm1s.cfg is no longer valid and that it is now UseSSL=T......that is how I have it anyway

    Not sure if you are running PAW, but if so, have you also updated the paw.ps1 file, to include:

    $env:EnableSSL="true"
    $env:ServerName="nameofyourserver"


    ------------------------------
    Ajay Chandhok
    ------------------------------

    Original Message


  • 8.  RE: PA and CAM security with SSL (SystemServerClientNotFound)

    Posted Fri January 29, 2021 11:45 AM
    FYI, on 2.0.9.1 there is an issue where using Cognos Configuration can corrupt the CAMKeystore.  We had a heck of time until we figured this out as one minute we would have it working then after making some small changes it would stop working.

    Best thing to do with SSL is to take it very step by step.  IE 1st test that you can get architect connected to TM1 using ssl, then move to your next step and test.


    https://www.ibm.com/support/pages/sites/default/files/inline-files/ibm_fixlist_planning_analytics_2093.pdf



    ------------------------------
    Robby Meyers
    ------------------------------

    Original Message


  • 9.  RE: PA and CAM security with SSL (SystemServerClientNotFound)

    Posted Wed February 03, 2021 03:58 AM
    Robby,

    thanks for your reply,
    actually I'm on 2.0.6, are there any known issues for this version, too?

    Stefan

    ------------------------------
    Stefan Held
    ------------------------------

    Original Message


  • 10.  RE: PA and CAM security with SSL (SystemServerClientNotFound)

    IBM Champion
    Posted Fri January 29, 2021 06:07 PM
    Hey Stefan,

    For me, 90% of the time this issue is caused by missing Cognos dispatcher certificates in the PA keystore.  You can actually export the cert straight from your browser.  Connect to the CA dispatcher endpoint (port 9300 with SSL enabled), and then click the padlock icon to see the URL in the browser.  Make sure to "drill down" on the cert and select the bottom entry, then export to file.  In plaintext you should see 2 sections in the cert file.

    Then it's just a simple command run from the Planning Analytics data server (bin64 folder I think!)

    gsk8capicmd_64 -cert -add -db .\ssl\ibmtm1.kdb -stashed -label cognosCA -file ca.cer -format ascii -trust enable

    Ping me if this is unclear and I'd be happy to jump on a screenshare to help you.



    ------------------------------
    Brian Simpson
    ------------------------------

    Original Message


  • 11.  RE: PA and CAM security with SSL (SystemServerClientNotFound)

    Posted Mon February 01, 2021 07:35 AM
    Hi Stefan,

    Take a look at this...

    https://www.ibm.com/support/pages/how-configure-planning-analytics-connect-ssl-secured-cognos-dispatcher

    ------------------------------
    Stuart King
    IBM Planning Analytics Offering Manager
    ------------------------------

    Original Message