Framework Manager and Cognos Server on separate systems.

[fulekia]

I'm having trouble finding documentation or best practices for installing Framework Manager and the rest of the Cognos stack on separate systems.

We run Cognos (Content Store, Report Service, etc.) on a Linux server, and Framework Manager on separate Windows 7 workstations. Every time we rebuild/upgrade the server, Framework Manager freaks out, giving lots of encryption errors. Overwriting the contents of the workstation's certs, csk, encryptkeypair, and signkeypair directories seems to fix it. I'd like to know exactly what parts are required, so that we can track those files in our code repository.

Can someone point me to some docs or a support article on this? The install docs seem to assume everything will go on the same Windows box. Thanks!

[bdbits]

"Every time we rebuild/upgrade the server..."  What does that mean, exactly? Why are you having to rebuild/upgrade the server?

It does not matter that FM is on a separate box; we do not even install it on the server (as far as I know). The workstation directories you listed are where FM is storing encryption keys. They are synced to Cognos server encryption keys when you configure FM. Those server keys get set when you configure the Cognos server. So if you are re-installing Cognos, you are likely getting new encryption keys stored on the server, and thus they are out of sync with what FM has stored from the prior build.

[fulekia]

"Every time we rebuild/upgrade the server..."  What does that mean, exactly? Why are you having to rebuild/upgrade the server?

For example, we're preparing to rollout single sign-on configuration, and as our sysadmin went about his work, changing some settings, the keys were regenerated, and FWM could no longer connect. He sent me the new files, I copied them onto my workstation, and things started working again.

...encryption keys. They are synced to Cognos server encryption keys when you configure FM.

Interesting. I've never seen these "sync" in our environment. I've just been copying them manually. I do see this error message every time I hit save in Cognos Configuration on my FWM workstation:

Code Select Expand

The cryptographic information cannot be encrypted. Do you want to save the configuration in plain text?

I always hit OK, and the changes take effect. I'm not sure if that's related. It would be nice if the keys would sync automagically, or if there were a way to establish some kind of root certificate trust scheme, so that certs from the same signing authority/source were just trusted. My reading thus far hasn't really helped me understand the security model enough, though.

[MFGF]

For example, we're preparing to rollout single sign-on configuration, and as our sysadmin went about his work, changing some settings, the keys were regenerated, and FWM could no longer connect. He sent me the new files, I copied them onto my workstation, and things started working again.

Interesting. I've never seen these "sync" in our environment. I've just been copying them manually. I do see this error message every time I hit save in Cognos Configuration on my FWM workstation:

Code Select Expand

The cryptographic information cannot be encrypted. Do you want to save the configuration in plain text?

I always hit OK, and the changes take effect. I'm not sure if that's related. It would be nice if the keys would sync automagically, or if there were a way to establish some kind of root certificate trust scheme, so that certs from the same signing authority/source were just trusted. My reading thus far hasn't really helped me understand the security model enough, though.

Hi,

The message you are seeing is normally a result of incorrect configuation on the Framework Manager machine - for example pointing at the wrong dispatcher or gateway URL. What should happen is that when you hit save in your FM Cognos Configuration, it should contact the Cognos server (provided the service is up) and copy across the encryption keys automatically.

Deleting the key folders and copying them manually is a last-resort hack that I would only undertake if all else fails. Even so, if this has been done properly, a normal Save from Configuration after this would usually work fine with no errors. If you still see errors you need to sort out the local config URLs.

Cheers!

MF.

[redstang]

I often switch my Cognos config between two servers and the only way I can get it to save/update is to delete the key folders/files in the Configuration directory.  I get the same error as fulekia above.  The dispatcher and URI addresses are correct - any other ideas/settings I can check?