Thank you for this answer.
Original Message:
Sent: Wed September 13, 2023 02:28 AM
From: Tony Wijaya
Subject: Configuring Cognos Analytics components to use another certificate authority
Hi Patrick,
I just recently configured SSL for both the application tier and the web tier (IIS). I mostly used the link below as my reference:
https://www.ibm.com/support/pages/how-add-3rd-party-ca-allow-ssl-between-components-ibm-cognos-analytics-11
In my situation, I was already provided with pfx and cer files (I did not start from CSR) and I also used iKeyman instead of ThirdPartyCertificateTool.
Here is the summary of how I did the configuration:
Application Server
- Prepare all certificate files. (server.pfx, root.cer, and intermediate.cer)
- Follow Steps 1 - 5 from the above technote
- Use iKeyman to open CAMKeyStore and delete the existing "encryption" certificate from "Personal Certificates"
- In iKeyman, switch to "Signer Certificates". Import both intermediate.cer and root.cer
- In iKeyman, switch back to "Personal Certificates". Import server.pfx and change the certificate label to "encryption"
- Follow Steps 9 (I did not update "Gateway URI" yet) and 10 from the above technote
Web Server
- Import intermediate.cer and root.cer to CAMKeystore using iKeyman
- Go to IBM Cognos Configuration and update "Dispatcher URIs for gateway" to use HTTPS
- Go to IIS - Default Website - ibmcognos - BI, click on URL Rewrite. Edit "Reverse Proxy" rule and update "Rewrite URL" with HTTPS
- Restart IIS
- Configure IIS to use HTTPS
- Go to IBM Cognos Configuration in Application Server and update "Gateway URI" to use HTTPS
Hope this will give you some insight on the configuration steps.
Edit: I forgot to include the link for iKeyman. You can refer to the link below if you need help with iKeyman:
https://www.ibm.com/support/pages/how-use-ikeyman-secure-ibm-cognos-analytics-third-party-certificates
------------------------------
Tony Wijaya
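A pre-import check for the files named in the Application Server steps above, as an added example that is not part of the original post or of IBM's documentation: it confirms that the certificate inside server.pfx chains through intermediate.cer to root.cer. It assumes OpenSSL is installed and the .cer files are PEM (Base-64) encoded; the function names, the password and the test chain are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: verify server.pfx -> intermediate.cer -> root.cer before import.
# Assumes OpenSSL and PEM-encoded .cer files; all certificates here are constructed.

# check_chain PFX PASSWORD INTERMEDIATE ROOT
# Returns 0 if the chain verifies, 1 if it does not, 3 if the PFX cannot be opened.
check_chain() {
  local leaf rc=1
  leaf=$(mktemp) || return 3
  if ! openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
       -out "$leaf" 2>/dev/null; then
    rm -f "$leaf"; return 3          # wrong password or unreadable PFX
  fi
  openssl x509 -in "$leaf" -noout -subject -issuer -enddate
  # -no-CApath keeps the system trust store out of the decision.
  openssl verify -no-CApath -CAfile "$4" -untrusted "$3" "$leaf" >/dev/null 2>&1 && rc=0
  rm -f "$leaf"
  return "$rc"
}

# make_fixture DIR PASSWORD: constructed root -> intermediate -> server test chain,
# plus an unrelated self-signed root (other-root.cer) for the failure case.
make_fixture() {
  local d=$1 n
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root other int srv; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.cer" 2>/dev/null
  openssl x509 -req -in "$d/other.csr" -signkey "$d/other.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/other-root.cer" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.cer" -CAkey "$d/root.key" \
    -set_serial 2 -extfile "$d/ca.ext" -days 2 -out "$d/intermediate.cer" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/intermediate.cer" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/srv.cer" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/srv.key" -in "$d/srv.cer" \
    -passout "pass:$2" -out "$d/server.pfx"
}

# Demo on the constructed chain; substitute the real files and PFX password.
work=$(mktemp -d)
make_fixture "$work" changeit
check_chain "$work/server.pfx" changeit "$work/intermediate.cer" "$work/root.cer" \
  && echo "chain OK"
```

A return value of 1 means the leaf did not verify against the supplied files, which is what happens when the intermediate is left out or the root belongs to a different CA.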
Original Message:
Sent: Tue September 12, 2023 06:10 AM
From: Patrick Neveu
Subject: Configuring Cognos Analytics components to use another certificate authority
Hi,
I will have to configure Cognos Analytics components to use another certificate authority based on the following documentation:
https://www.ibm.com/docs/en/cognos-analytics/11.2.0?topic=cmica-configuring-cognos-analytics-components-use-another-certificate-authority
This is a multi-server running Cognos Analytics v11.2.x.
In this documentation, there are 4 steps:
- Delete the existing key store
- Create the certificate signing request (CSR) files
- Import the certificate authority (CA) certificates
- Enable the external certificate authority (CA)
I believe the 4 steps need to be done on all components. Correct me if I'm wrong.
Step 1: Delete the existing key store
It seems quite straightforward. Note the Cognos Analytics v12.0 documentation needs to be updated (as there are changes/reorganization in Cognos Configuration settings).
Step 2: Create the certificate signing request (CSR) files
In the step, I can read the following: The distinguished name (DN) value in the command ("CN=EncryptCert,O=MyCompany,C=CA") uniquely identifies the Cognos Analytics installation. The attributes that are used in this parameter reflect a hierarchical structure in your organization.
Question: Where do I find the real command/value for my customer ("CN=EncryptCert,O=MyCompany,C=CA")? I'm thinking about using ("CN=EncryptCertNAME,O=CustomerCompanyName,C=FR").
Step 3: Import the certificate authority (CA) certificates
It seems quite straightforward too. I believe the copy of the root CA certificate (ca.cer) needs to be provided by my customer's Security Team.
Step 4: Enable the external certificate authority (CA)
It seems quite straightforward too. It needs to be done on every Cognos server and Framework Manager instance (my customer is not using Planning Analytics).
Any comment or advice will be appreciated.
Best regards,
------------------------------
Patrick Neveu
Positive Thinking Company
IBM Champion
------------------------------