If you are unable to create a new account, please email support@bspsoftware.com

 

News:

MetaManager - Administrative Tools for IBM Cognos
Pricing starting at $2,100
Download Now    Learn More

Main Menu

SSL in your cognos environment?

Started by PolzovatelCognos, 02 May 2011 01:11:19 PM

Previous topic - Next topic

PolzovatelCognos

Just curious to hear how many of you have SSL configured in your cognos environment? Were there any obstacles/issues presented in the process of implementing SSL? Please share your experiences. Thanks.

AussiePete2011

SSL is a ticklish subject.  SSL can be setup against a few different Authentication sources.  E.g. ADS, SunOne, Novell etc

Each one will have its problems.
For ADS you can find details on the setup in the IBM Proven Practices site under security

SunOne has a few documents specifically about hardening which then works into the SSL aspect.

You've touched on a very very broad subject.  Could you be a bit more specifc?

Cheers
Peter B

PolzovatelCognos

SSL on Windows Server 2003 R2, Standard Edition; IBM Cognos version 8.4.1; Web Server IIS. Thanks.

SomeClown

Had one for a while that had Win2003/IIS6 on a stand-alone gateway in the DMZ.  Put SSL on that and opened firewall ports between it and the main dispatcher.  Didn't put SSL on any dispatchers (that can be really messy).  Ran fine but then no thick clients (Framework Manager) on the external side.

PolzovatelCognos

Interesting that you write that you did not place SSL on the dispatchers. Could you provide more information as to why so? -The IBM Cognos documentation seems to recommend updating the dispatchers with https in the process as well.

SomeClown

If everything is out on the DMZ, then yes, you'll probably need SSL on the dispatchers.  If you have a standalone gateway, you only need the cert for the inbound traffic from the browsers.

"that can be really messy" == lucky if I can get it to work.  I don't know of that many deployments that went with full SSL - those few I know of spent a lot of extra time getting the configuration running.  Since I only had the gateway in the DMZ, I only opened the needed ports between the two IPs and blocked everything else.

SomeClown

To elaborate a bit:
I ran two gateways in this config: one external gateway (stand-alone) with SSL cert on it; second internal gateway sitting on one of the dispatchers.  All internal clients used the internal gateway.