SSL HTTPS IMPLEMENTATION

[nairra]

Hi All,

  I have joined a new company and they already have a setup of both Cognos BI and TM1 10.2.2(distributed) I have been assigned a task to implement SSL with IBM HTTP server 8.5.
(Separate CM,App,Web&gateway server)

I have gone through a lot of documents but need assistance.

-Certificates have to be procured from CA, will the CA provide all the certificates ie, the root, intermediary??please mention if any other.
-Can the cn used be like mycompany.com or specifically require myserver.mycompany.com??
-Do we have to raise a request certificate to be sent to the CA which is signed by them??if yes, from which server web,cm,app...

-Can SSL be implemented only for the WebServer and not the Cognos components BI/TM1??ie, applying the certificates to HTTP server only and modifying URI in cognos....or certificates to be applied for cognos components also??

Can anyone assist with the procedure to take me through this??

Thanks In Anticipation...

[bdbits]

Your CA should provide you with the intermediary cert. It is often downloadable at the CA's web site.

Whether you need the server name as part of the FQDN depends on the type of certificate you purchase. "Wildcard" certificates use *.mycompany.com and can be installed on any server within mycompany.com, but are more expensive.

Yes, you need to issue the CSR to the CA. This is typically done from the server on which you will be installing the certificate. I do not know IBM's server, but in Microsoft IIS you can generate it directly from the IIS management software.

I do not know TM1 so sadly cannot help you there. I would consult the admin guide there.

[nairra]

Thankyou for answering....

[nairra]

I raised an SR with IBM for the same...Though I have not yet implemented... but this is how the approach would be

SSL Implementation Approach:
-Using IKEYMAN create a key.db, then raise a CSR from the webserver and send to CA (ie,our Corporate security team in our case) for signing.
-Receive the signed certificate from CA
-Open the key.db and Import the CA certificate into the store.
-Make necessary changes for SSL enabling in HTTP.CONF file
-Start web server using command: apachectl start
-Check if accessible/logs for errors and stop service.


In Cognos CM/App server:
-Open Cognos Configuration - Change Gateway URI from HTTP to HTTPS (Not to start the Service yet)
-go to the c10_location/bin directory and import all the certificates that make up the chain of trust
ThirdPartyCertificateTool.sh -T -i -r certificate_fileName -D ../configuration/signkeypair -p password
-On each Application Tier Components computer, in IBM Cognos Configuration, start the IBM Cognos service ie, on CM, APP, web.

Regards,