Planning Analytics

 View Only

 Https on pa 216 & Windows 2022

Philippe CHAMPLEBOUX's profile image
Philippe CHAMPLEBOUX posted Sat December 14, 2024 02:49 AM
Hello ladies and gentlemen,
 
I started to install PA 2.1.6 on windows 2022 and everything seemed to work fine (TM1, TM1Web, Workspace) until I followed the IBM documentation to switch to https with my own certificate.
I had already done this with PA 2.0.9 and windows 2019 ... it worked perfectly.
Now, as soon as I modify the configuration files (<install_dir>\tm1web\wlp\usr\servers\tm1web\server.xml)
Tm1web is no longer able to list any tm1 instance, whether http or https.
In some logs, I see errors such as (for sample)
<<ERROR ] CWPKI0824E: SSL LINK ESTABLISHMENT FAILURE: host name verification error when connecting to host [127.0.0.1]. The host name used to access the server does not match the SubjectDN or Subject Alternative Name (SAN) information in the server certificate. Detailed error message generated by the SSL connection establishment exception: [Subject Alternative Name []].”>>
 
I then modified the file by adding 
<ssl id=“DefaultSSLSettings” keyStoreRef=“defaultKeyStore” hostNameVerification=“false”/>
But nothing works.
I've tried many things, but no success.....
 
If anyone has any bright ideas, I'd love to hear them!
 
Kind regards,
Philippe
Bernd Siebert's profile image
Bernd Siebert

What happens when you replace   hostNameVerification=“false”   by   verifyHostname="false"   ?


See

Hostname verification for Liberty

 WebSphere and wlp hostname verification on SSL

Vlad Didenko's profile image
Vlad Didenko

Have you imported the TM1 server and CA chain certificates to your TM1Web keystore?

Philippe CHAMPLEBOUX's profile image
Philippe CHAMPLEBOUX

Thanks Bernd,

I try 

    
    <ssl id="DefaultSSLSettings" keyStoreRef="defaultKeyStore" skipHostnameVerificationForHosts="*" verifyHostname="false"/>

but nothing better

regards,

Philippe

Philippe CHAMPLEBOUX's profile image
Philippe CHAMPLEBOUX

Hi Vlad,

I import  (I think, I hope) the tm1server certificate with :

keytool -importcert -keystore "E:\ibm\cognos\tm1web\bin64\ssl\ibmtm1.p12" -storepass "xxxxxxx" -storetype pkcs12 -noprompt -alias ibmtm1 -file "E:\ibm\cognos\tm1_64\bin64\ssl\ibmtm1.arm"

do i need to import another "file" ?

My ibmtm1.p12 contain :

 - my custom certificat

 - ibmtm1 (wich is ibmtm1.arm

 - tm1svr

Regards,

Philippe

Vlad Didenko's profile image
Vlad Didenko

To confirm, are you using the default ibmtm1.arm certificate for the TM1 server? Have you imported the root and intermediate certificates?

Please see this technote: https://www.ibm.com/support/pages/how-configure-ibm-planning-analytics-spreadsheet-service-custom-ssl-using-existing-keystore

Philippe CHAMPLEBOUX's profile image
Philippe CHAMPLEBOUX

Thanks Vlad,

But with 2.1.6 we have not theses files, only ibmtm1.arm.

Regards,

Philippe

Martin Erlmoser's profile image
Martin Erlmoser

i have a very similar issue with 2.1.6, not sure what the difference is to 2.0.9 setup yet.
custom web and data tier cert, works fine in 2.0.9 environment, web tier works but data tier refuses to work in tm1web on a new 2.1.6 / win 2022 server. (no tm1 servers visible)
last time i deployed the keystore with custom certs it was the file tm1store, not ibmtm1.p12 mentioned here, but i think you can check this in jvm.options as well. 

already added verifyHostname="false" to server.xml, is there something similar needed for jvm.options?

Walter Coffen's profile image
Walter Coffen

Philippe,

Are you using the same certificate for the Win 2022 server as you used for the older server?

"The host name used to access the server does not match the SubjectDN or Subject Alternative Name (SAN) information in the server certificate"

Would seem to indicate that the Win 2022 server FQDN is not in the certificate. If the old certificate was a wildcard cert, it would probably work, but usually an endpoint certificate is for one server(the old one?) or it has a specific list of servers in the "Subject Alternative Name" field and may have been generated before the Win 2022 server came into existence.

Vlad Didenko's profile image
Vlad Didenko

Can you post the content of the tm1web\wlp\usr\servers\tm1web\server.xml file? Just mask any sensitive information

Philippe CHAMPLEBOUX's profile image
Philippe CHAMPLEBOUX

Walter,

Yes, I use the same certificat as i used for older server.

I asked to my customer to generate and give me a new certificat with more informations in SubjectDN and SAN.... I am waiting for it..... I hope it would be the solution.

Regards,

Philippe

Philippe CHAMPLEBOUX's profile image
Philippe CHAMPLEBOUX

Hi Vlad,

My server.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
    Licensed Materials - Property of IBM
    IBM Planning Analytics
    (C) Copyright IBM Corp. 2013 2020
    US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
-->
<server description="IBM Cognos TM1">
<applicationMonitor dropins="${wlp.user.dir}/../../wlpdropins" updateTrigger="mbean" pollingRate="10s"/>
<executor coreThreads="-1" maxThreads="1500"/>
<featureManager>
            <feature>jsp-2.2</feature>
            <feature>localConnector-1.0</feature>
            <feature>jaxb-2.2</feature>
            <feature>json-1.0</feature>
            <feature>jaxrs-1.1</feature> 
            <feature>ssl-1.0</feature>
</featureManager>  
 
<httpEndpoint id="defaultHttpEndpoint" httpPort="9510" httpsPort="9511" host="*" removeServerHeader="true" >
</httpEndpoint>
<httpSession cookieHttpOnly="true"/>
<logging consoleLogLevel="WARNING" logDirectory="${server.output.dir}/logs" messageFileName="tm1_messages.log" maxFiles="2" maxFileSize="20" /> 
<!-- <logging consoleLogLevel="INFO" logDirectory="${server.output.dir}/logs" traceSpecification="*=audit:*=info" messageFileName="tm1_messages.log" maxFiles="2" maxFileSize="20"/> -->
 
 
<httpDispatcher appOrContextRootMissingMessage=" " enableWelcomePage="false"/>
 
<application id="tm1web" location="${wlp.user.dir}/../../webapps/tm1web/" name="tm1web" type="war" context-root="tm1web"/>
<application id="evalservice" location="${wlp.user.dir}/../../webapps/evalservice.war" name="evalservice" type="war" context-root="evalservice"/>
 
<keyStore id="defaultKeyStore" location="${wlp.user.dir}/../../bin64/ssl/ibmtm1.p12" password=XXXXXXXXX />
<ssl id="DefaultSSLSettings" keyStoreRef="defaultKeyStore" skipHostnameVerificationForHosts="*" verifyHostname="false" hostNameVerification="false"/>  
 
</server>

Regards,

Phiippe

Philippe CHAMPLEBOUX's profile image
Philippe CHAMPLEBOUX

Martin,

I try 

-Dcom.ibm.ssl.verifyHostname=false

in jvm.options but .... not better ;-(

regards,

Philippe

Dominik Schott's profile image
Dominik Schott

According to my documentation it should be 

<ssl id="defaultSSLConfig" verifyHostname="false" />

(not DefaultSSLSettings).

Philippe CHAMPLEBOUX's profile image
Philippe CHAMPLEBOUX

Thanks Dominik,

yes, you are rigth. !!

I modify .

but .... Not better... does'nt work

We create a ticket with IBM support, wait and see

An other solution is to install spreadsheet 2.1.5  

kind regards,

Philippe

Vincent Zeng's profile image
Vincent Zeng

We experienced the same issue after we switched our PA 2.1.6 TM1Web from http to https by following this post

https://www.ibm.com/docs/en/planning-analytics/2.1.0?topic=ipass-configuring-ssl-planning-analytics-spreadsheet-services-tm1-web-existing-keystore

Make sure to use the keytool.exe to add the alias for the ibmtm1.arm to your custom keystore.

Before we switched to https, our TM1web can list tm1 instances. After we switched to https, our TM1web can't list tm1 instances anymore. In <install_dir>\tm1web\wlp\usr\servers\tm1web\logs, we found the same error message of "[ERROR ] CWPKI0824E: SSL LINK ESTABLISHMENT FAILURE: host name verification error when connecting to host [127.0.0.1]".  However, if we modified the server.xml file AND restarted "IBM Planning Analytics Spreadsheet Services" to switch back to http, our TM1web could list all the tm1 instances again. 

When we enabled https,  we set httpPort="-1" httpsPort="9510"  in the server.xml. When we disabled https, we set httpPort="9510" httpsPort="9513" and removed the <keyStore id="defaultKeyStore" entry. This might be different from your setting.

Disabling host verification mentioned in the post IBM Planning Analytics Spreadsheet Services after update/fresh install of version  2.0.99 or never, cannot list database instances when using custom SSL did work for us.

We added  <ssl id="defaultSSLConfig" verifyHostname="false" />to <INSTAL_DIR>\tm1web\wlp\usr\servers\tm1web\server.xml and restarted the server. Problem solved. 

Hope it helps your troubleshooting of this same issue.

Philippe CHAMPLEBOUX's profile image
Philippe CHAMPLEBOUX
Hello Vincent,
 
We've given up and switched to 2.1.5, while waiting for our final customer to give us a certificate corresponding to ibm's expectations and for ibm to also test under a windows 2022 environment.
 
Kind regards,
Philippe
Vincent Zeng's profile image
Vincent Zeng

Happy Holidays everyone! 

Hi Philippe, our PA 2.1.6 is also installed on Windows 2022.

Saif Ali Sabri's profile image
Saif Ali Sabri

My response was crafted with AI assistance, tailored to provide detailed and actionable guidance for your query.

The issue you're facing is related to SSL hostname verification. This commonly occurs when the SSL certificate being used doesn't match the hostname specified in the configuration or the server's actual hostname. Here's a systematic approach to troubleshoot and resolve the issue:


1. Certificate Configuration

  • Verify the Certificate:
    Ensure the certificate used matches the server's fully qualified domain name (FQDN) or IP address.

    • If the hostname is 127.0.0.1, the Subject Alternative Name (SAN) of the certificate must include 127.0.0.1.
    • If you're accessing the server using a specific FQDN (e.g., tm1server.mycompany.com), the certificate's SAN must include tm1server.mycompany.com.
  • Check KeyStore:
    Confirm the keystore contains the correct certificate:

    bash
    keytool -list -keystore <path_to_keystore>

    Verify that the alias matches the one referenced in your server.xml.


2. Update Configuration

  • Modify server.xml: Ensure your server.xml includes the correct SSL settings:

    xml
    <ssl id="DefaultSSLSettings" keyStoreRef="defaultKeyStore" hostNameVerification="false" /> <keyStore id="defaultKeyStore" location="<path_to_keystore>" password="<keystore_password>" />

    Replace <path_to_keystore> and <keystore_password> with the actual path to your keystore and its password.

  • Disable Hostname Verification (Temporary Solution):
    If you must bypass hostname verification temporarily for testing:

    xml
    <ssl id="DefaultSSLSettings" keyStoreRef="defaultKeyStore" hostNameVerification="false" sslProtocol="TLSv1.2" />

    Note: Disabling hostname verification is not recommended in production environments.


3. Hostname Mapping

  • Update hosts File:
    If you're using 127.0.0.1 to connect, map the server's hostname in the hosts file:

    • On Windows:
      Edit C:\Windows\System32\drivers\etc\hosts:
      127.0.0.1 tm1server

    Then, access the TM1 instances using tm1server instead of 127.0.0.1.


4. TM1 Configuration

  • Verify tm1s.cfg:
    In each TM1 instance's tm1s.cfg, check the ServerCAMURI and ClientCAMURI to ensure they point to the correct URL (matching the certificate's SAN or hostname).

  • Update tm1web_config.xml:
    Make sure the TM1 Web configuration points to the correct URL:

    xml
    <TM1WebConfiguration> <AdminHost>localhost</AdminHost> <TM1Server>your_tm1_instance_name</TM1Server> <UseSSL>true</UseSSL> </TM1WebConfiguration>

5. Logs and Diagnostics

  • Review Logs:
    Check the following logs for detailed errors:

    • <install_dir>\tm1web\logs\systemout.log
    • <install_dir>\tm1web\logs\systemerr.log
    • WebSphere logs (if applicable).
  • Enable Debugging:
    Add debug options to your server.xml for SSL troubleshooting:

    xml
    <logging traceSpecification="SSL=all" />

6. Validate Connection

  • Use tools like curl or browsers to test the SSL connection:
    bash
    curl -v -k https://127.0.0.1:9443
    Check for any certificate or hostname mismatch warnings.

7. Fallback Option

  • Recreate the Certificate:
    If the above steps don’t work, recreate a self-signed certificate or obtain a new certificate with the correct SAN entries:
    bash
    keytool -genkeypair -alias tm1web -keyalg RSA -keysize 2048 -validity 365 -keystore <path_to_keystore>