Cognos Analytics


3rd Party SSL with pre-existing Wildcard Certificate

  • 1.  3rd Party SSL with pre-existing Wildcard Certificate

    Posted Mon November 01, 2021 11:26 AM
    Hey everyone,

    Question: Has anyone had any success coercing Cognos Analytics into using an SSL certificate when said certificate has not been issued using a CSR generated by Cognos Analytics itself? (i.e. a 3rd party wildcard certificate that my organization is using elsewhere)

    Context:

    I am trying (and failing) to get Cognos Analytics (11.2 if it matters) to use a wildcard SSL certificate, partly so that I don't have to generate (and pay for) an individual SSL certificate for each of our Cognos Analytics installations, and partly because I feel like it should just work (as it does with PAW, for example).

    I tried just doing the normal 3rd Party SSL routine from the documentation and of course got a Private Key mismatch when I got to importing the actual cert.

    Have engaged IBM support and they basically said "we don't have support or documentation for this, but try the different ThirdPartyCertTool flags" which is sort of what I was expecting, and I had already tried playing around with them but with no success, and as I have seen in other semi-related threads on there, the error messages amounted to "sorry, didn't work" with no actual hints as to why. I believe I have the various components (certs, keys, etc.) formatted correctly (using OpenSSL) but no joy so far.

    Any help on this would be much appreciated.

    Thanks,
    Tom

    ------------------------------
    Tom Cook
    ------------------------------

    #CognosAnalyticswithWatson


  • 2.  RE: 3rd Party SSL with pre-existing Wildcard Certificate

    Posted Tue November 02, 2021 09:32 AM
    Hi Tom,

    I've definitely been successful with wildcard certs for CA 11 and I've probably done this 10 or 15 times for different clients, but it does seem to be quite finicky and I've seen lots of different errors and problems.  I would suggest trying the ikeyman.exe tool (run as admin) that you'll find in the jre/bin folder.  Use it to open the CAMKeyStore file in configuration/certs (type PKCS12, password NoPassWordSet).  Next, try to import your cert.  The trick here is your cert needs to be in the correct format to import (as opposed to "receiving" it per the instructions that involve generating a CSR).  Formats that I've been successful with are JKS and PFX.  You can convert them using OpenSSL if required.  The cert needs to have the label 'encryption' once imported or Cognos won't recognize it.  You can double-click the cert to view it.  Then do all the changes in Cognos Configuration and you should be good to go.   Let me know if that works for you.

    All that said, I've seen a problem where Cognos continually overwrites that certificate after restarting.  I've had more success with the ThirdPartyCertificateTool, but it's even more picky about the cert format.  What file format are your certs in?  And what's the exact error you're seeing via the ThirdPartyCertificateTool.

    ------------------------------
    Brian Simpson
    ------------------------------



  • 3.  RE: 3rd Party SSL with pre-existing Wildcard Certificate

    Posted Wed November 03, 2021 11:34 AM
    Hi Brian,

    Thanks for taking the time to give me hope in my darkest hour!

    Did not know the label needed to be 'encryption' so thank you for that, will remember when the time comes.

    I have tried using ikeyman.exe (run as admin) with certs formatted (I think; I'm very much a newb with SSL and OpenSSL, but I followed the instructions to convert a .pem-formatted* cert to a PKCS12 format and it didn't bark at me), with no success. Tried doing the same but with the Private Key and Cert in the same file. PK and Cert in different files. With input and output passwords generated by OpenSSL. Without them.

    Does the actual file extension matter for this or the third party cert tool?

    Tried the same things with the ThirdPartyCertificate tool (admin cmd prompt) with similar results (i.e. "this didn't work, will not explain").

    * I say pem-formatted because I believe that is right. Basically the cert/key I got come as text files like:

    -----BEGIN CERTIFICATE-----
    *** nonsense
    -----END CERTIFICATE-----

    I am definitely doing something wrong at some step and it is likely in the conversion of the text certs to the PKCS12 format, but I'm at a loss as to how to not do it wrong.

    ------------------------------
    Tom Cook
    ------------------------------



  • 4.  RE: 3rd Party SSL with pre-existing Wildcard Certificate

    Posted Wed November 03, 2021 01:52 PM
    Your PEM file is a plaintext format.  You can convert it to PFX by splitting out the private key to its own file, keep the entire cert chain in another file, and then run this command in OpenSSL:

    openssl pkcs12 -inkey privatekey.pem -in cert.pem -export -out cert.pfx

    It'll prompt you to set a password.  You should then be able to import the pfx file into CAMKeyStore using ikeyman.  Remember to relabel it 'encryption'.

    I don't think I've ever been successful using the ThirdPartyCertificateTool with a wildcard cert, but you might find the appropriate command here: https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=security-thirdpartycertificatetool-command-line-reference
    (the page is for PA but should be the same tool for CA)

    ------------------------------
    Brian Simpson
    ------------------------------



  • 5.  RE: 3rd Party SSL with pre-existing Wildcard Certificate

    Posted Wed November 03, 2021 04:05 PM
    Hi Brian,

    Have tried using ikeyman.exe to import the openssl-generated .pfx file under the following two scenarios, with no success:

    - pkcs12 using privatekey and cert
    - pkcs12 using privatekey and cert and chain.pem file (there is a root certificate and 2 intermediate certs in there)

    In both instances ikeyman throws an error: Error extracting keyentry aliases from PFX

    Again, probably just doing something in the OpenSSL part wrong, but I am using the raw plaintext files the CA sent me, so not sure what it could be.


    ------------------------------
    Tom Cook
    ------------------------------



  • 6.  RE: 3rd Party SSL with pre-existing Wildcard Certificate

    Posted Wed November 03, 2021 05:43 PM
    OK so apparently there was an issue with the version of OpenSSL I was using (v 3).

    Switching to OpenSSL 1.4 stopped giving me the alias error and has allowed me to import the certificate!

    Now to see if I can continue on from there!

    ------------------------------
    Tom Cook
    ------------------------------



  • 7.  RE: 3rd Party SSL with pre-existing Wildcard Certificate

    Posted Wed November 03, 2021 06:36 PM
    Great success! Managed to get Cognos to accept the wildcard cert, everything seems to be in working order.

    Very much appreciate your help on this, Brian. Thank you!

    ------------------------------
    Tom Cook
    ------------------------------



  • 8.  RE: 3rd Party SSL with pre-existing Wildcard Certificate

    Posted Thu November 04, 2021 09:17 AM
    That's great!   Glad I could be of assistance.  Hopefully this thread will help others if they run into the same problem :)

    ------------------------------
    Brian Simpson
    ------------------------------



  • 9.  RE: 3rd Party SSL with pre-existing Wildcard Certificate

    Posted Thu July 21, 2022 10:26 AM
    I am trying to use the same approach to import the cert. The certs were imported successfully but I'm getting errors during startup.

    SSL Handshake failure is the error. Below is the snippet from the cognosserver log file.

    Can you help me out here in case you guys have faced a similar issue.

    2022-07-20T22:30:36.991-0400 ERROR com.cognos.pogo.reportservice.ProcessManager [CAMLPS-ProcessMgrThread] NA External Report Server process CAM_LPSvr cannot be started
    java.io.IOException: Failed to send HTTP request or read HTTP response
    at com.cognos.pogo.http.ServerConnection.executeMethod(ServerConnection.java:800) ~[p2pd.jar:?]
    at com.cognos.pogo.http.ServerConnection.sendRequest(ServerConnection.java:254) ~[p2pd.jar:?]
    at com.cognos.pogo.reportservice.ProcessFacade.sendXMLIgnoreReturnCode(ProcessFacade.java:467) ~[p2pd.jar:?]
    at com.cognos.pogo.reportservice.ProcessFacade.sendXML(ProcessFacade.java:458) ~[p2pd.jar:?]
    at com.cognos.pogo.reportservice.ProcessFacade.configureProcess(ProcessFacade.java:389) ~[p2pd.jar:?]
    at com.ibm.cognos.camaaa.internal.LPS.LPSProcessFacade.configureProcess(LPSProcessFacade.java:104) ~[camaaa_LegacyNamespace.jar:11.1.7.23]
    at com.cognos.pogo.reportservice.ProcessFacade.<init>(ProcessFacade.java:170) ~[p2pd.jar:?]
    at com.cognos.pogo.reportservice.ProcessFacade.<init>(ProcessFacade.java:122) ~[p2pd.jar:?]
    at com.ibm.cognos.camaaa.internal.LPS.LPSProcessFacade.<init>(LPSProcessFacade.java:69) ~[camaaa_LegacyNamespace.jar:11.1.7.23]
    at com.ibm.cognos.camaaa.internal.LPS.CAMRSComponentFactory.newProcessFacade(CAMRSComponentFactory.java:53) ~[camaaa_LegacyNamespace.jar:11.1.7.23]
    at com.cognos.pogo.reportservice.ProcessManager.createProcessFacade(ProcessManager.java:521) ~[p2pd.jar:?]
    at com.cognos.pogo.reportservice.ProcessManager.startProcess(ProcessManager.java:497) [p2pd.jar:?]
    at com.cognos.pogo.reportservice.ProcessManager.startProcessesDueToCapacity(ProcessManager.java:392) [p2pd.jar:?]
    at com.cognos.pogo.reportservice.ProcessManager.safeRun(ProcessManager.java:350) [p2pd.jar:?]
    at com.cognos.pogo.util.threads.SafeThread.run(SafeThread.java:61) [p2pd.jar:?]
    Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

    ------------------------------
    Dinesh Boppana
    ------------------------------



  • 10.  RE: 3rd Party SSL with pre-existing Wildcard Certificate

    Posted Thu July 21, 2022 11:31 AM
    Dinesh, my best guess on this is that there's something wrong with your cert... either an incompatible cipher suite or incomplete trust path (ensure the keystore has the Certificate Authority certificate as well)

    ------------------------------
    Brian Simpson
    ------------------------------



  • 11.  RE: 3rd Party SSL with pre-existing Wildcard Certificate

    Posted Thu July 21, 2022 06:07 PM
    Found out the root cert was SHA1 and from Cognos 11.1.7 Cognos doesn't support SHA1. Had to update config to make the cert work.

    ------------------------------
    Dinesh Boppana
    ------------------------------



  • 12.  RE: 3rd Party SSL with pre-existing Wildcard Certificate

    Posted Fri August 02, 2024 05:19 PM

    Hi Brian, hope you are well. I have this problem of "Cognos continually overwrites that certificate after restarting", do you know what's the problem?

    Thank you!

    Kevin Sun



    ------------------------------
    kevin sun
    ------------------------------



  • 13.  RE: 3rd Party SSL with pre-existing Wildcard Certificate

    Posted Fri August 02, 2024 05:22 PM

    Hi Brian, I'm in the dilemma of what you described as "I've seen a problem where Cognos continually overwrites that certificate after restarting", do you know how to fix it?

    Thank you!

    Kevin Sun



    ------------------------------
    kevin sun
    ------------------------------



  • 14.  RE: 3rd Party SSL with pre-existing Wildcard Certificate

    Posted Tue August 06, 2024 11:32 AM

    Hi Kevin,

    I've had success solving that "overwrite" issue by using ikeyman and following the instructions above in this thread.  I believe that Cognos overwrites the cert if it finds something invalid in the keystore, so it just restores from backup.

    Have you tried the ikeyman method outlined in the thread above?  Make sure you change the label to 'encryption' after you import your cert.

    Cheers,

    Brian



    ------------------------------
    Brian Simpson
    ------------------------------



  • 15.  RE: 3rd Party SSL with pre-existing Wildcard Certificate

    Posted Fri August 09, 2024 12:00 PM

    Hi Brian, thank you for your help, sorry for replying late. I didn't have time to repeat the process and document what I did with your suggestion. The cert in the browser still points to the old self-signed one after I imported the new wildcard one and restarted; can you diagnose where I could have gone wrong? Thank you so much!


    Brian's procedure:

    • Use jre/bin/ikeyman to open the CAMKeystore file in configuration/certs (type PKCS12)
    • Import your cert, formats are JKS and PFX (can convert them using OpenSSL if required.)
    • The cert needs to be labeled "encryption"
    • Do all the changes in configuration

    What I did:

    The raw material I have: wildcard.key, wildcard.crt, entrust_mid.crt, entrust_root.crt

    Step 0: stop Cognos

    Step 1: Combine the crts:

    cat wildcard.crt entrust_mid.crt entrust_root.crt > combined_cert_chain.pem

    Step 2: Convert PEM to PKCS12 format

    openssl pkcs12 -export -in combined_cert_chain.pem -inkey wildcard.key -out combined_cert_chain.p12 -name "cognos"

    Step 3: open ikeyman, import the PKCS12 certificate into the Cognos keystore


    # encryption-old was from the original CAMKeystore.jks and I relabelled it as encryption-old before I imported the new one (combined_cert_chain.p12)

    # I then deleted the "encryption-old" before saving to the CAMKeystore.jks again

    # click the "encryption" to open the imported key and certs, looks like the content is the new wildcard data.

    Step 4: double-check the configuration: Use third party CA: True

    Step 5: restart Cognos

    When running ls, it shows the CAMKeystore.jks is the newly created one:

    -rw-rw-r-- 1 cognos cognos 190975 Aug  9 11:40 CAMKeystore.jks

    After restarting, it went back to the old one and the cert in the browser still points to the self-signed cert.

    Regards,

    Kevin Sun
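Tying together Brian's OpenSSL command (post 4), the SHA-1 root that Dinesh ran into (post 11) and Kevin's step list above, here is an added pre-flight script. It is not from this thread, from IBM or from the Cognos product; it is a defender's checklist written for this page. It verifies that the private key really belongs to the leaf certificate (the condition Cognos reports as a "Private Key mismatch"), prints the signature algorithm of every certificate in the chain so a SHA-1 root is caught before the handshake_failure at startup, and then builds the PFX with the leaf first and the chain after it, checking that every certificate made it into the container. File names are placeholders. Two things are assumptions rather than facts from the thread: that the friendly name passed with -name ("encryption") is what ikeyman shows as the label, so the label is still worth confirming after import; and that the OpenSSL 3 export failed in ikeyman because OpenSSL 3 switched the PKCS#12 defaults to AES-256-CBC with PBKDF2, which older Java keystore tools cannot read, so the script pins the older PBE-SHA1-3DES encryption and SHA-1 MAC that OpenSSL 1.1 used by default (these options exist in both 1.1.1 and 3.x).

```shell
#!/bin/sh
# Added example for this thread (not IBM/Cognos code). Pre-flight checks and
# PFX build for a third-party wildcard cert destined for CAMKeystore/ikeyman.
# Assumes OpenSSL 1.1.1 or 3.x on PATH; every file name is a placeholder.

# Number of certificates in a PEM bundle.
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# 0 when the private key's public half equals the certificate's public key;
# 1 on mismatch (what Cognos calls a "Private Key mismatch"); 2 if unreadable.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
  [ "$k" = "$c" ]
}

# Split a PEM bundle into one file per certificate (cert01.pem, cert02.pem, ...)
# because "openssl x509" only ever reads the first block of a bundle.
split_chain() {
  awk -v d="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", d, n) }
    n                             { print > f }
    /-----END CERTIFICATE-----/   { close(f) }' "$1"
}

# Print "subject | signature algorithm" for each cert in the bundle.
# Returns 1 if any of them is SHA-1 signed (the thread reports Cognos 11.1.7
# rejecting such a root), 0 otherwise, 2 on a temp-dir failure.
chain_sig_algs() {
  tmp=$(mktemp -d) || return 2
  split_chain "$1" "$tmp"
  rc=0
  for f in "$tmp"/cert*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject)
    alg=$(openssl x509 -in "$f" -noout -text |
          awk -F': ' '/Signature Algorithm/ { print $2; exit }')
    printf '%s | %s\n' "$subj" "$alg"
    case "$alg" in *sha1*|*SHA1*) rc=1 ;; esac
  done
  rm -rf "$tmp"
  return $rc
}

# build_pfx KEY LEAF CHAIN OUT PASSWORD
# Leaf first, then intermediates/root; friendly name "encryption" (assumed to be
# the label ikeyman displays); legacy PBE/MAC so Java-based tools can open it
# regardless of the OpenSSL version used to export (assumption, see lead-in).
# Returns 0 only if the key matches the leaf and every cert reads back.
build_pfx() {
  key=$1; leaf=$2; chain=$3; out=$4; pass=$5
  key_matches_cert "$key" "$leaf" || { echo "key does not match $leaf" >&2; return 1; }
  combined=$(mktemp) || return 2
  cat "$leaf" "$chain" > "$combined"
  openssl pkcs12 -export -inkey "$key" -in "$combined" -out "$out" \
    -name encryption -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$pass" || { rm -f "$combined"; return 1; }
  rm -f "$combined"
  # Read the container back and confirm the whole chain is inside it.
  n=$(openssl pkcs12 -in "$out" -passin "pass:$pass" -nokeys 2>/dev/null |
      grep -c -- '-----BEGIN CERTIFICATE-----')
  want=$(( $(pem_cert_count "$leaf") + $(pem_cert_count "$chain") ))
  [ "$n" -eq "$want" ]
}

# Usage (placeholder names, as in Kevin's post):
#   . ./cognos_cert_check.sh
#   chain_sig_algs chain.pem || echo "SHA-1 signed cert in chain"
#   build_pfx wildcard.key wildcard.crt chain.pem cognos.pfx 'choose-a-password'
```

Run the two checks before opening ikeyman: a non-zero exit from key_matches_cert or chain_sig_algs explains the later import or handshake error far more precisely than the tools in the thread do, and a PFX that passes build_pfx is known to contain the key plus the full chain that Brian says must be present.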







  • 16.  RE: 3rd Party SSL with pre-existing Wildcard Certificate

    Posted Fri August 09, 2024 12:14 PM

    Something must be wrong with your certificate or the process you're following that is causing Cognos to regenerate the internal cert.

    Try the instructions that use the ThirdPartyCertificateTool:

    https://www.ibm.com/support/pages/how-add-3rd-party-ca-allow-ssl-between-components-ibm-cognos-analytics

    If nothing else, you may get better error reporting from that tool.  You may have to adapt the instructions for a wildcard cert instead of the whole sign request thing.  Also there's a log file in the logs folder (CBS I think?) that may have SSL-specific errors that give you a clue where the problem is.  Look for something like "GSK_error_bad_cert".



    ------------------------------
    Brian Simpson
    ------------------------------