SSL in your cognos environment?

[PolzovatelCognos]

Just curious to hear how many of you have SSL configured in your cognos environment? Were there any obstacles/issues presented in the process of implementing SSL? Please share your experiences. Thanks.

[AussiePete2011]

SSL is a ticklish subject.  SSL can be setup against a few different Authentication sources.  E.g. ADS, SunOne, Novell etc

Each one will have its problems.
For ADS you can find details on the setup in the IBM Proven Practices site under security

SunOne has a few documents specifically about hardening which then works into the SSL aspect.

You've touched on a very very broad subject.  Could you be a bit more specifc?

Cheers
Peter B

[PolzovatelCognos]

SSL on Windows Server 2003 R2, Standard Edition; IBM Cognos version 8.4.1; Web Server IIS. Thanks.

[SomeClown]

Had one for a while that had Win2003/IIS6 on a stand-alone gateway in the DMZ.  Put SSL on that and opened firewall ports between it and the main dispatcher.  Didn't put SSL on any dispatchers (that can be really messy).  Ran fine but then no thick clients (Framework Manager) on the external side.

[PolzovatelCognos]

Interesting that you write that you did not place SSL on the dispatchers. Could you provide more information as to why so? -The IBM Cognos documentation seems to recommend updating the dispatchers with https in the process as well.

[SomeClown]

If everything is out on the DMZ, then yes, you'll probably need SSL on the dispatchers.  If you have a standalone gateway, you only need the cert for the inbound traffic from the browsers.

"that can be really messy" == lucky if I can get it to work.  I don't know of that many deployments that went with full SSL - those few I know of spent a lot of extra time getting the configuration running.  Since I only had the gateway in the DMZ, I only opened the needed ports between the two IPs and blocked everything else.

[SomeClown]

To elaborate a bit:
I ran two gateways in this config: one external gateway (stand-alone) with SSL cert on it; second internal gateway sitting on one of the dispatchers.  All internal clients used the internal gateway.