Planning Analytics

 Use our own certificates

Philippe CHAMPLEBOUX IBM Champion posted Wed April 09, 2025 08:13 AM
Hello Everybody !
As was strongly suggested to me, I have carefully read the documentation relating to personal certificates:
 https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=security-configure-data-tier-use-custom-tls
 
Unfortunately this documentation is not up to date, as it quotes “cognos configuration” which is no longer part of the installation from 2.0.9.21.
 
It's safe to assume that we'll have three alternatives in May-June 2026:
1- Hope to be in a version where the new certificates will be available.
2- Put useSSL=F in tm1s.cfg (will this be enough?)
3- Implement our own certificate, which is impossible in the current state of the documentation.
 
Any ideas or solutions?
 
Yours sincerely,
Philippe
 
Walter Coffen

Philippe,

If you want to stick with the out-of-the-box IBM SSL rather than pursue the custom certificate route, this should help. I think we are already all set with the default certificates.

You really have to look at https://www.ibm.com/docs/en/planning-analytics/2.1.0?topic=security-default-configuration for a better sense of what certificates are in force for a fresh install, such as what you have to do when you install PA 2.0.9.21, and 2.1.8/2.1.9. Previously, the upgrade upon upgrade upon upgrade with preserved files in-between that were tweaked several versions/years ago will need some untangling. But the latest releases require a fresh install, so the following will be true.

\bin64\ssl\ibmtm1.arm is the default certificate and it does not expire until 2035. ibmtm1.arm has been in use for a few years now, and even in 2020, its expiration was 2035. The "applixca" files in that folder are just there for some historical/nostalgic reason in my opinion, but I'm always focused on the latest releases, so there is that.

Inside of the \bin64\ssl\ibmtm1.kdb keystore, ibmtm1.arm has already been imported as "ibmtm1_server" and has been set as the default personal certificate. The "keystore" is what the components of PA will use to access the stored certificates and ibmtm1.sth is an encrypted password that PA uses to have access into the ibmtm1.kdb keystore while it is running.

New file \bin64\config.tm1admsrv.json  replaces the Cognos Configuration node that accepted TM1 Admin server settings. It defaults to using the \bin64\ssl\ibmtm1.kdb keystore and referring to the server certificate label ibmtm1_server that represents the imported ibmtm1.arm certificate IBM provided. A fresh install should be all set using ibmtm1.arm inside of ibmtm1.kdb.

You may have a \bin\tm1api.config or \bin64\tm1api.config where Architect and Perspectives have been installed on the users machines. This text file just refers to where Architect/Perspectives can find the keystore if it has been moved from \bin64\ssl\ibmtm1.kdb, if it is at a networked shared location, or it has been renamed. You likely don't have this tm1api.config file if you never used custom certificates, but I mentioned it just in case. See link but ignore the stale top half. Most of the old Architect and Perspectives SSL Options are deprecated, so the top half is stale.

If you want to see the inside of the \bin64\ssl\ibmtm1.arm cert yourself, make a copy of it, and rename the copy to ibmtm1.crt. Then right-click on it and select "Open"...not "Install". Microsoft will show you the date, etc. 2035.

Custom certificates for PA are not impossible, just really, really tedious.....Really tedious.

NEW for 2.0.9.21/2.1.8/2.1.9 default \bin64\config.tm1admsrv.json file:

{
    "tm1AdminNonSSLPortNumber": 5495,
    "tm1AdminSSLPortNumber": 5498,
    "tm1AdminHTTPPortNumber": 5895,
    "tm1AdminHTTPSPortNumber": 5898,
    "tm1AdminSupportNonSSLClients": false,
    "tm1AdminKeyFile": "./ssl/ibmtm1.kdb",
    "tm1AdminKeyStashFile": "./ssl/ibmtm1.sth",
    "tm1AdminKeyLabel": "ibmtm1_server",
    "tm1AdminTLSCipherList": [],
    "tm1AdminFIPSOperationMode": 2,
    "tm1AdminSupportPreTLSv12Clients": false,
    "tm1AdminNIST_SP800_131A_MODE": false,
    "tm1AdminIPVersion": "IPv4",
    "tm1AdminActivityInterval": 10,
    "tm1AdminInactivityTimeout": 10,
    "tm1AdminRESTAPIToken": ""
}

The pre-2.0.9.21/2.1.8/2.1.9 Cognos Configuration. The old default NIST setting has been changed in the new release for some reason.

From the online documentation:

applixca.der: The original default certificate in DER format used for Java™ certificate stores.
applixca.pem: The original root authority certificate.
ibmtm1.arm: The default certificate file.
ibmtm1.crl: The certificate revocation list.
ibmtm1.kdb: The key database file, which contains the server certificate and trusted certificate authorities.
ibmtm1.rdb: The requested key pair and the certificate request data.
ibmtm1.sth: The key store, which contains passwords to the key database file.
tm1ca_v2.der: The updated default certificate.
tm1ca_v2.pem: The updated default root authority certificate.
tm1store: The Java certificate store containing the public root authority certificate.
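
An added example, not part of the post above and not IBM code: a small audit of config.tm1admsrv.json that reports whether the default ibmtm1_server label is still in use, whether the two client-compatibility switches have been relaxed from their default of false, and whether the keystore and stash files exist. The function name, the constructed sample, and the assumption that relative paths resolve against the bin64 folder are illustrative.

```python
import json
from pathlib import Path

DEFAULT_LABEL = "ibmtm1_server"  # label of the IBM-supplied certificate, per the post

# Constructed sample: a subset of the default file with two settings weakened.
SAMPLE = """{
    "tm1AdminSupportNonSSLClients": true,
    "tm1AdminKeyFile": "./ssl/ibmtm1.kdb",
    "tm1AdminKeyStashFile": "./ssl/ibmtm1.sth",
    "tm1AdminKeyLabel": "ibmtm1_server",
    "tm1AdminSupportPreTLSv12Clients": true
}"""

# Settings that are false in the default file; anything else relaxes TLS.
MUST_BE_FALSE = {
    "tm1AdminSupportNonSSLClients": "clients may connect without TLS",
    "tm1AdminSupportPreTLSv12Clients": "clients older than TLS 1.2 are accepted",
}


def audit_admin_config(text, bin64=None):
    """Return (severity, message) findings for the text of config.tm1admsrv.json."""
    cfg = json.loads(text)
    findings = []
    for key, why in MUST_BE_FALSE.items():
        value = cfg.get(key, False)
        if value is not False:
            findings.append(("WARN", f"{key}={value!r}: {why}"))
    label = cfg.get("tm1AdminKeyLabel")
    if label == DEFAULT_LABEL:
        findings.append(("INFO", "IBM default certificate label in use"))
    else:
        findings.append(("INFO", f"custom certificate label {label!r}"))
    # Assumption: relative paths resolve against the bin64 folder holding the file.
    for key in ("tm1AdminKeyFile", "tm1AdminKeyStashFile"):
        path = cfg.get(key)
        if not path:
            findings.append(("ERROR", f"{key} is not set"))
        elif bin64 is not None and not (Path(bin64) / path).is_file():
            findings.append(("ERROR", f"{key}: {path} not found under {bin64}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_admin_config(SAMPLE):
        print(f"{severity:5} {message}")
```

Pass the real file's text and the bin64 folder as the second argument to include the file-existence checks.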
Bernd Siebert

IBM has published a number of technotes covering TM1 / Planning Analytics & custom SSL certificates.

In short terms:
Most of the TM1 / Planning Analytics SSL stuff revolves around the ibmtm1-files like bin64/ssl/ibmtm1.kdb
By default the ibmtm1-files include the default IBM TM1 SSL certificate.
These documents outline how to replace the default ibmtm1-files by your own, using your custom SSL certificate.


1)
The starting point:

https://www.ibm.com/support/pages/ibm-planning-analytics-custom-ssl-quick-start-and-troubleshooting
IBM Planning Analytics Custom SSL - Quick Start and Troubleshooting
 
Troubleshooting
 
Problem
The purpose of this document is to complement the existing product documentation and provide extra guidance to those implementing custom SSL with IBM Planning Analytics Local.


Of special interest is the paragraph labeled "Component Guides" branching out to technotes diving deeper into a specific TM1 / Planning Analytics component like TM1 Server or TM1 Web & custom SSL certificates.

When applying custom SSL certificates follow the order outlined by this paragraph.

 
 
2)
The first step - TM1 Server & custom SSL certificates
 
How to replace the default IBM TM1 SSL certificate by a custom SSL certificate:

 
https://www.ibm.com/support/pages/node/886183
How to Configure Planning Analytics Data Tier with Custom SSL (using Existing Keystore)

 
3)
The second step:
How to apply a custom SSL certificate to the Planning Analytics Administration (PAA) Agent ?
How to convert the custom SSL certificate into a P12-file ( eg ibmtm1.p12 ) also needed in later steps ? 


https://www.ibm.com/support/pages/node/6573069
How to Configure IBM Planning Analytics Administration Agent with Custom SSL (using Existing Keystore)
 
3.
Convert the ibmtm1 keystore file to a PKCS12 keystore for the Planning Analytics Administration Agent:
gsk8capicmd_64 -keydb -convert -db "%PA_INSTALL_DIR%\bin64\ssl\ibmtm1.kdb" -stashed -old_format kdb -new_db "%PA_INSTALL_DIR%\bin64\ssl\ibmtm1.p12" -new_pw "CustomPA!@" -new_format pkcs12

Note:
When you applied a custom SSL certificate to the PAA Agent, and you notice some weird behaviour in PAW like
- PAA never displaying the agent's state, but just a spinning clock
- PAA never displaying the state of the TM1 instances monitored by said PAA Agent, but just a spinning clock
- Workbench not listing any of the TM1 instances monitored by said PAA Agent

you have to 
- stop PAW by executing the script scripts/paw.ps1 stop
- copy the P12-file used by said PAA Agent into the PAW certificate directory config/certs
- execute the script scripts/process-certs.ps1
=> you should see a line stating that the copied P12-file has been imported
- start PAW by executing the script scripts/paw.ps1 


4)
TM1 Web / Planning Analytics Spreadsheet Services (PASS) & custom SSL certificates
 
Needs the P12-file created by the previous step.

 
https://www.ibm.com/support/pages/node/6323649
How to Configure IBM Planning Analytics Spreadsheet Service with Custom SSL (using Existing Keystore)
 
9.
Type the following to add the Root Certificate Authority to the tm1store:
keytool.exe -import -trustcacerts -file "..\..\bin64\ssl\ibmtm1-rootca.arm" -keystore "..\..\bin64\ssl\tm1store" -alias ca -storepass applix
 
10.
Type the following to add the Intermediate Certificate Authority to the tm1store:
keytool.exe -import -trustcacerts -file "..\..\bin64\ssl\ibmtm1-intca.arm" -keystore "..\..\bin64\ssl\tm1store" -alias intca -storepass applix
 

Notes:

4.1)
When you are using TM1 Web / PASS Version 2.0.99 or newer, you may have to apply the IBM Technote 7177474:

https://www.ibm.com/support/pages/ibm-planning-analytics-spreadsheet-services-after-updatefresh-install-version%C2%A0%C2%A02099-or-newer-cannot-list-database-instances-when-using-custom-ssl
IBM Planning Analytics Spreadsheet Services after update/fresh install of version 2.0.99 or newer, cannot list database instances when using custom SSL

4.2)
What to do after you successfully applied a custom SSL certificate to TM1 Web / PASS but it does not display any TM1 instances:
 
https://www.ibm.com/support/pages/tm1-servers-not-appearing-server-list-tm1-web-after-configuring-https
TM1 Servers not appearing in the server list on TM1 Web after configuring HTTPS
 
 
5)
Planning Analytics Workspace (PAW) & custom SSL certificates- How to construct the PAW PEM-file config/ssl/pa-workspace.pem ?
 

https://www.ibm.com/support/pages/node/6573331
How to Configure IBM Planning Analytics Workspace with Custom SSL (using Existing Keystore)

Philippe CHAMPLEBOUX IBM Champion

Thank you!

I will try to understand and to test with my own certificates

Kind regards,

Philippe

Wim Gielis IBM Champion

Hello Philippe, Walter, Bernd,

Great information ! Would it be an idea to post in the Blogs section, 1 summary article with how-to steps on certificates ?

We can disregard the older TM1 clients if that makes the task less daunting.

Both IBM and own certificates could be discussed. Maybe a little less technical and some background information like what are certificates and so on ?

There is already plenty of excellent material in this topic that can be used. I have seen very good blogs by Paul Hart Prieto too, maybe team up to come to a readable article for the average TM1 person that is not necessarily technical ?

From my side I will continue writing blogs, next one will be on drill through in TI in a generic way.

Thanks,

Wim