CA 11.1.7 Upgrade with SSL

[adam_mc]

I have upgrade our LAB/Sandbox environment to CA 11.1.7 FP2 from CA 11.0.13.
However, I am now experiencing connection issues to the Content Store (and all other Oracle databases/schemas) defined in Cognos Configuration.

I have edited the bootstrap_wlp_winx64.xml and cogconfig.bat files as needed, but I now believe I need to re-apply our certificates to the cacerts file.
This is something that I have not done previously.

I know this is a big ask, but does anyone have any documentation/instructions that they can share with me.

As always, any help would be greatly appreciated.
Thanks in advance,
Adam.

[dougp]

How did you perform the installation?  I installed 11.1.7 over 11.0.13 (SSL and SSO) and it was seamless.

Here is my process:

verify <install_location>\configuration\preserve\preserve.txt does what you need
Open Cognos Configuration.
Stop the IBM Cognos service.
Close Cognos Configuration.
back up files in <install_location>
back up databases (or maybe only the content store?)
run the installer as an administrator
choose the zip file containing the installable content
be sure to install to the same location where 11.0.13 is installed (<install_location>)
verify JDBC auth and drivers are in the right place (should have been handled with preserve.txt)

Open Cognos Configuration.
Click OK on "Older versions of configuration files were found."
Save configuration.
Start Cognos.
Close Cognos Configuration.

Run the "Report Upgrade" task:
IBM Cognos Administration.
Configuration
Content Administration
New Content Maintenance
Report Upgrade...

[adam_mc]

Doug...
Thanks for the feedback!

I pretty much did everything you did step-by-step.
I even got the same "Older versions of configuration files were found." message.
It just failed on restarting Cognos with error messages relating to unable to connect to the various Oracle databases (Content Store, Audit, Notification, etc...).
I think the only variance may be what you put in preserve.txt file vs. the fact that I left mine as the default entries.

Did you add the files bootstrap_wlp_winx64.xml and cogconfig.bat to the preserve.txt file?
Did you add any reference to the cacerts file in the preserve.txt file?

I was informed that these steps needed to be done manually as these are part of a "fresh" set of configuration files, but I may have misunderstood...

Thanks again,
Adam.

[dougp]

My preserve.txt includes...

bin\sqljdbc_auth.dll
bin64\sqljdbc_auth.dll

But my Content Store and databases are MS SQL Server.  Yours will be different since you are using Oracle.  You may need these for data source connections, but not at this stage since you can't even connect to the Content Store.

I did not include bootstrap_wlp_winx64.xml, cogconfig.bat, or cacerts in the preserve.txt file.

There are some manual steps to my install/config because of decisions I made in my environment, but not those files.

[adam_mc]

I have now re-applied the signer certificates to cacerts using Ikeyman successfully.

In Cognos Configuration, I am now able to successfully test connections to the Oracle databases including the Content Store.
However, on attempting to restart the services, I am now getting the message below.
Any thoughts would be greatly appreciated.

09:00:09, 'LogService', 'StartService', 'FAILED'.
09:00:09, 'LogService', 'StartService', 'Success'.
09:00:10, CAF-WRN-0010 CAF input validation enabled.
09:00:10, CAF-WRN-0021 CAF Third Party XSS checking disabled.
09:00:12, 'CAM', 'StartService', 'Success'.
09:00:19, CM-CFG-5063 A Content Manager configuration error was detected while connecting to the content store.  CM-SYS-5003 Content Manager is unable to connect to the content store. Verify that the database connection properties in the configuration tool are correct and that when you test the connection, the test is successful. Cause: IO Error: IO Error General SSLEngine problem, Authentication lapse 0 ms.    Stack trace:  java.sql.SQLRecoverableException: IO Error: IO Error General SSLEngine problem, Authentication lapse 0 ms.     at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:821)     at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:782)     at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:39)     at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:704)     at com.cognos.cm.dbstore.CMDriverManager.getConnection(CMDriverManager.java:105)     at com.cognos.cm.dbstore.CMDriverManager.getConnection(CMDriverManager.java:123)     at com.cognos.cm.dbstore.CMDbStoreFactory.getJDBCConnection(CMDbStoreFactory.java:1983)     at com.cognos.cm.dbstore.CMDbStoreFactory.getInitialConnection(CMDbStoreFactory.java:1780)     at com.cognos.cm.dbstore.CMDbStoreFactory.initContentIndependentBeforeLock(CMDbStoreFactory.java:2002)     at com.cognos.cm.dbstore.CMDbStore.initializeContentIndependentBeforeLock(CMDbStore.java:4392)     at com.cognos.cm.server.CMServlet.initializeContentStoreContentIndependentBeforeLock(CMServlet.java:1278)     at com.cognos.cm.server.CMServlet.init(CMServlet.java:1080)     at com.cognos.cm.server.ContentManager.start(ContentManager.java:440)     at com.cognos.cm.server.ContentManagerLifecycleHandler.start(ContentManagerLifecycleHandler.java:65)     at com.cognos.pogo.services.DefaultHandlerService.start(DefaultHandlerService.java:88)     at com.cognos.pogo.services.DispatcherServices.startInitialService(DispatcherServices.java:379)     at com.cognos.pogo.services.DispatcherServices.startInititalServices(DispatcherServices.java:365)     at com.cognos.pogo.transport.PogoServlet$PogoStartup.runWithDispatcherServices(PogoServlet.java:841)     at com.cognos.pogo.transport.PogoServlet$PogoStartup.run(PogoServlet.java:823)     at com.cognos.pogo.util.threads.SafeThread.safeRun(SafeThread.java:70)     at com.cognos.pogo.util.threads.SafeThread.run(SafeThread.java:61)  Caused by: java.io.IOException: IO Error General SSLEngine problem, Authentication lapse 0 ms.     at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:817)     ... 20 more  Caused by: java.io.IOException: IO Error General SSLEngine problem     at oracle.net.nt.SSLSocketChannel.wrap(SSLSocketChannel.java:545)     at oracle.net.nt.SSLSocketChannel.wrapHandshakeMessage(SSLSocketChannel.java:458)     at oracle.net.nt.SSLSocketChannel.doSSLHandshake(SSLSocketChannel.java:440)     at oracle.net.nt.SSLSocketChannel.write(SSLSocketChannel.java:126)     at oracle.net.ns.NIOPacket.writeToSocketChannel(NIOPacket.java:308)     at oracle.net.ns.NIOConnectPacket.writeToSocketChannel(NIOConnectPacket.java:235)     at oracle.net.ns.NSProtocolNIO.negotiateConnection(NSProtocolNIO.java:114)     at oracle.net.ns.NSProtocol.connect(NSProtocol.java:318)     at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1481)     at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:540)     ... 20 more  Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem     at com.ibm.jsse2.D.A(D.java:655)     at com.ibm.jsse2.as.b(as.java:427)     at com.ibm.jsse2.as.c(as.java:376)     at com.ibm.jsse2.as.wrap(as.java:479)     at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:45)     at oracle.net.nt.SSLSocketChannel.wrap(SSLSocketChannel.java:541)     ... 29 more  Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem     at com.ibm.jsse2.k.a(k.java:43)     at com.ibm.jsse2.as.a(as.java:509)     at com.ibm.jsse2.D.a(D.java:397)     at com.ibm.jsse2.D.a(D.java:572)     at com.ibm.jsse2.E.a(E.java:585)     at com.ibm.jsse2.E.a(E.java:479)     at com.ibm.jsse2.D.s(D.java:286)     at com.ibm.jsse2.D$b.a(D$b.java:3)     at com.ibm.jsse2.D$b.run(D$b.java:2)     at java.security.AccessController.doPrivileged(AccessController.java:770)     at com.ibm.jsse2.D$c.run(D$c.java:14)     at oracle.net.nt.SSLSocketChannel.runTasks(SSLSocketChannel.java:600)     at oracle.net.nt.SSLSocketChannel.doSSLHandshake(SSLSocketChannel.java:432)     ... 27 more  Caused by: com.ibm.jsse2.util.h: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors     at com.ibm.jsse2.util.f.a(f.java:21)     at com.ibm.jsse2.util.f.b(f.java:151)     at com.ibm.jsse2.util.e.a(e.java:6)     at com.ibm.jsse2.aD.a(aD.java:75)     at com.ibm.jsse2.aD.a(aD.java:40)     at com.ibm.jsse2.aD.checkServerTrusted(aD.java:48)     at com.ibm.jsse2.E.a(E.java:273)     ... 35 more  Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors     at com.ibm.security.cert.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:149)     at com.ibm.security.cert.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:75)     at java.security.cert.CertPathValidator.validate(CertPathValidator.java:304)     at com.ibm.jsse2.util.f.a(f.java:169)     ... 41 more 
09:00:23, 'ContentManager', 'getActiveContentManager', 'Failure'.
DPR-CMI-4006 Unable to determine the active Content Manager. Will retry periodically.

[dougp]

It looks like you're trying to hard.  Like I said:  I installed 11.1.7 over 11.0.13 and it just worked.  I didn't redo my SSL config, didn't change anything in Cognos Configuration, didn't edit any XML files,...  It just worked.

Windows Server 2016 Standard
IIS
MS SQL Server 2016
IBM Cognos 11.0.13 -> 11.1.7

During one of my early attempts, I had some problem from either not stopping the IBM Cognos service or from not closing Cognos Configuration.  Look through the my instructions again.  If you miss a step, it may mean you need a complete system restore from backups.  When I missed a step in the process, that server was completely down.  I couldn't even delete Cognos and reinstall into an empty folder.  The system was down for 4 hours while my server support staff fixed it.

For recovery, if you're running this on Windows Server, Windows Explorer and even command line utilities like xcopy can't handle the deep folder nesting in Cognos.  When you back up your files, use a product that can handle that.  I used 7-zip.