Your TM1 SSL certificates will expire in November

Update 02/10/2016: The fix pack / updater from IBM is still not released, but manual update instructions and a set of new certificates have been published at http://www-01.ibm.com/support/docview.wss?uid=swg21990588 . I’ll post an update once we try them out, but it’s really good news.

Update 07/09/2016: Corrected the post to reflect the fact that TM1 will not ‘crash’: it will refuse client connections, but the server itself will be just fine. Also added a solution that I missed before: disabling SSL altogether. There will be a preferred recipe and an update from IBM around mid-September, as I’m told; I’ll publish a follow-up post once that’s out.

Just making sure everybody is aware that the default SSL certificates in a TM1 installation will expire on 24 November. I hope everyone got the happy email from IBM, but I’m reposting it here just in case (scroll to the bottom).

What is happening:
The default certificates that TM1 uses for all client and server communication will expire on 24/11. After that TM1 will stop accepting client connections, and restarting won’t help 🙂
This applies to TM1 10.2 (all releases) and TM1 10.1, and I’d imagine to 9.5 or older as well.

What to do:
0) (Insecure, but the easiest option.) Disable SSL in tm1s.cfg altogether.
1) Switch to the more durable and secure v2 certs included in the package, as per http://www-01.ibm.com/support/docview.wss?uid=swg21697266 ; they will expire in 2022. The main problem with this approach is that you’d need to update the Perspectives configuration, and that’s a big deal.
2) Wait for IBM to release a hot fix for this and apply it (hopefully it’ll be just a couple of cert files). This is the best option; I’ll update the post once I know about the fix pack.
3) Generate your own certs and install them. You’d still have to go through all the client configuration updates, but they will be your own certificates and you get the warm fuzzy feeling 🙂
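The check the post is really asking for, opening each .pem in bin\SSL and reading its Not After date, as a small script. This is an added example, not code from the post or from IBM. It uses only the Python standard library: it pulls the CERTIFICATE block out of a TM1-style .pem file (which carries the private key as well), walks the DER structure to the X.509 Validity sequence, decodes the notAfter time, and flags files that are expired or inside a warning window. Pointing it at both bin\SSL and bin64\SSL covers the default set and the v2 set alike. The sample certificate is a constructed, unsigned skeleton carrying the 24 Nov 2016 16:47:19 GMT date IBM quotes for tm1admsvrcert.pem; the install path in the comment, the 60-day warning window and the dummy key block are assumptions.

```python
import base64
import sys
from datetime import datetime, timezone
from pathlib import Path

def pem_to_der(pem: str) -> bytes:
    """DER bytes of the first CERTIFICATE block; key and CRL blocks in the same file are skipped."""
    lines = [line.strip() for line in pem.splitlines()]
    if "-----BEGIN CERTIFICATE-----" not in lines:
        raise ValueError("no CERTIFICATE block found")
    start = lines.index("-----BEGIN CERTIFICATE-----") + 1
    end = lines.index("-----END CERTIFICATE-----", start)
    return base64.b64decode("".join(lines[start:end]))

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value at pos -> (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = 0 if first < 0x80 else first & 0x7F        # long form: low 7 bits = number of length bytes
    length = first if n == 0 else int.from_bytes(buf[pos:pos + n], "big")
    pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(seq: bytes):
    out, pos = [], 0                                # (tag, value) elements of a SEQUENCE/SET body
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        out.append((tag, value))
    return out

def _decode_time(tag: int, value: bytes) -> datetime:
    """UTCTime (0x17; two-digit year, 50-99 -> 19xx per RFC 5280) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def certificate_not_after(der: bytes) -> datetime:
    """Certificate -> tbsCertificate -> [version] serial sigAlg issuer validity{notBefore, notAfter}."""
    _, cert, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                       # optional explicit [0] version comes first
        fields = fields[1:]
    _not_before, not_after = _children(fields[3][1])
    return _decode_time(*not_after)

def classify(not_after: datetime, now: datetime, warn_days: int = 60) -> str:
    """EXPIRED, EXPIRING (inside the warning window) or OK."""
    if not_after < now:
        return "EXPIRED"
    return "EXPIRING" if (not_after - now).days < warn_days else "OK"

def scan_ssl_dir(ssl_dir: str, now: datetime, warn_days: int = 60) -> dict:
    """Classify every *.pem in ssl_dir (TM1 keeps them in bin\\SSL and bin64\\SSL)."""
    report = {}
    for path in sorted(Path(ssl_dir).glob("*.pem")):
        try:
            not_after = certificate_not_after(pem_to_der(path.read_text()))
            report[path.name] = (not_after, classify(not_after, now, warn_days))
        except (ValueError, IndexError):           # key-only file, CRL, or DER we do not understand
            report[path.name] = (None, "NO-CERT")
    return report

def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (lengths up to 65535); used only to build the constructed sample below."""
    n, nbytes = len(body), 1 if len(body) < 0x100 else 2
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + body

def build_sample_certificate(not_before: datetime, not_after: datetime) -> str:
    """Constructed, unsigned X.509 skeleton (not a real TM1 certificate); only Validity is meaningful."""
    def utc(dt):                                   # UTCTime, the form TM1's 2016/2022 certificates use
        return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, b"example-ca"))))
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg + name   # version, serial, sigAlg, issuer
           + _der(0x30, utc(not_before) + utc(not_after)) + name + _der(0x30, b""))  # validity, subject, SPKI stub
    cert = _der(0x30, _der(0x30, tbs) + sig_alg + _der(0x03, b"\x00"))               # empty BIT STRING signature
    b64 = base64.b64encode(cert).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE_NOT_AFTER = datetime(2016, 11, 24, 16, 47, 19, tzinfo=timezone.utc)   # IBM's quoted "Not After"
SAMPLE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nbm90LWEtcmVhbC1rZXk=\n-----END RSA PRIVATE KEY-----\n"  # dummy key block
              + build_sample_certificate(datetime(2006, 11, 24, tzinfo=timezone.utc), SAMPLE_NOT_AFTER))

if __name__ == "__main__":      # e.g. python check_tm1_certs.py "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl" (assumed path)
    now = datetime.now(timezone.utc)
    report = (scan_ssl_dir(sys.argv[1], now) if len(sys.argv) > 1
              else {"sample.pem": (SAMPLE_NOT_AFTER, classify(SAMPLE_NOT_AFTER, now))})
    for name, (not_after, status) in report.items():
        print(f"{status:8} {name:28} Not After: {not_after}")
```

Run it once against bin\SSL and once against bin64\SSL on every TM1 component machine (clients included, since they carry their own copy of the CA file); a file reported as NO-CERT is expected for the CRL and for key-only files, while EXPIRING or EXPIRED on tm1admsvrcert.pem or tm1svrcert.pem is the condition the post is warning about.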

The original email from IBM:

“Dear Sirs,

as you may know, by default the communication between the TM1 components is encrypted using SSL certificates shipped and installed with the TM1 software, also known as the out-of-the-box SSL implementation, see the manual IBM TM1 Installation and Configuration Guide =>

(1)
https://www.ibm.com/support/knowledgecenter/SS9RXT_10.2.2/com.ibm.swg.ba.cognos.tm1_inst.10.2.2.3.doc/c_runningtm1insecuremodeusingssl_n120007.html#RunningTM1inSecureModeUsingSSL_N120007
Cognos TM1 > Cognos TM1 10.2.2 > Install > TM1 Installation and Configuration Guide 10.2.2.3 Security configuration >

Using SSL for data transmission security

You can configure IBM Cognos TM1 to use SSL for secure data transmission.

(1.1)
https://www.ibm.com/support/knowledgecenter/SS9RXT_10.2.2/com.ibm.swg.ba.cognos.tm1_inst.10.2.2.3.doc/c_tm1-generatedcertificates_n1200a0.html#TM1-GeneratedCertificates_N1200A0
Cognos TM1 > Cognos TM1 10.2.2 > Install > TM1 Installation and Configuration Guide 10.2.2.3 > Security configuration > Using SSL for data transmission security >

Generated Certificates

When you install IBM Cognos TM1, all certificates and other files required to implement SSL are placed in the TM1_install_dir\bin\SSL directory.

The certificates contained in this directory are issued by the Applix, Inc. certificate authority, which was created using OpenSSL.

When you install Cognos TM1, the Admin Server, Cognos TM1 server, and Cognos TM1 client are all configured to use SSL, relying on the certificates installed in the TM1_install_dir\bin\SSL directory. While the Cognos TM1 certificates allow an out-of-the-box SSL implementation, you should replace these certificates with your own certificates (as well as a certificate revocation list) if you want to maximize security. For Cognos TM1 Web, all root certificates must be installed in the certificate store on the machine that the servers are using to run Cognos TM1 Web.

The TM1_install_dir\bin\SSL directory contains the following certificates and files.

– tm1admsvrcert.pem – the Admin Server certificate containing the public/private key pair

– tm1svrcert.pem – the Cognos TM1 server certificate containing the public/private key pair

Both the 1024-bit default SSL certificate for the TM1 Admin Server, tm1admsvrcert.pem, and the TM1 Server, tm1svrcert.pem, will expire on 11/24/2016.

These SSL certificates are stored in the directories ..\bin\ssl\ and ..\bin64\ssl\ of a TM1 component installation.

When you open these SSL certificates in a text editor like Notepad and search for the string “Not After” you get =>

tm1admsvrcert.pem
Not After : Nov 24 16:47:19 2016 GMT

tm1svrcert.pem
Not After : Nov 24 16:45:44 2016 GMT

When you are using the default set of 1024-bit SSL certificates, when you are using the expiring 1024-bit SSL certificate for the TM1 Admin Server, tm1admsvrcert.pem, and the expiring 1024-bit SSL certificate for the TM1 Server, tm1svrcert.pem, you must take action before 11/24/2016 otherwise your TM1 installation will stop working.

Among your options are:

(1)
Replace our default set of 1024-bit SSL certificates with your own SSL certificates.

(2)
When you are using TM1 v10.2.2 and newer, replace our default set of 1024-bit SSL certificates with the optional set of 2048-bit SSL certificates, the v2 set, as outlined by the IBM Technote 1697266 =>

http://www-01.ibm.com/support/docview.wss?uid=swg21697266
How to configure TM1 to use the bundled 2048-bit SSL certificate

Technote (FAQ)

Question
By default, the TM1 Admin Server and TM1 Server are secured using a 1024-bit SSL Certificate. The rootCA of that certificate is the applixca.pem file. The steps in this technote describe how to configure the TM1 Admin Server and TM1 Server (as well as the TM1 Client components) to use the provided 2048-bit SSL certificate ( tm1ca_v2.pem ).

You would replace

– the default 1024-bit SSL certificate for the TM1 Admin Server, tm1admsvrcert.pem, by the optional 2048-bit SSL certificate tm1admsvrcert_v2.pem

– the default 1024-bit SSL certificate for the TM1 Server, tm1svrcert.pem, by the optional 2048-bit SSL certificate tm1svrcert_v2.pem

The optional v2 set of SSL certificates is also stored in the directories ..\bin\ssl\ and ..\bin64\ssl\ of a TM1 component installation.

When you open these SSL certificates in a text editor like Notepad and search for the string “Not After” you get =>

tm1svrcert_v2.pem
Not After : Aug 25 18:22:55 2022 GMT

tm1admsvrcert_v2.pem
Not After : Aug 25 18:23:11 2022 GMT

(3)
Currently TM1 v10.1 and v10.2 are the only supported TM1 on premises releases.

We are working on an Interim Fix to patch these releases which will include a new default set of 1024-bit SSL certificates to replace the current set which expires 11/24/2016.

This will be the straightforward option to patch all TM1 component installations within an existing TM1 environment.

If you have not done so already, please subscribe to IBM My Notifications to be notified when the Interim Fix patching the expiring 1024-bit SSL certificates is released =>

Manage your My Notifications subscriptions, or send questions and comments.
– Subscribe or Unsubscribe – https://www.ibm.com/support/mynotifications

If you have questions on the expiring 1024-bit SSL certificates, please contact TM1 Support.”

  • Sunil

    Hi Yuri,

    I got a reply from one of the IBM analysts: the patch which will be released in a couple of days to update the 1024-bit certificates is applicable to TM1 10.2.2 as well, including all fix packs.
    So I am hoping that, until we get instructions for Perspectives for the 2048 certificates, we can apply the patch to update the existing 1024-bit certificates, and hope the new certificates will come with a new expiry date.

    Later, once we have instructions for Perspectives, we may turn on the 2048 certificates, which is the more secure way.

  • Travelling Dunx

    You are wrong about Perspectives being a problem.
    You do not need to adjust Perspectives at all.
    This is just scaremongering and untrue.

  • ykud

    Hi Dunx,

    That’s great to hear, so you switched to 2048 certificates and didn’t have to update tm1p.ini files to select new cert files?

    Y

  • Fedor Zevako

    A technote on this matter is now available:
    http://www-01.ibm.com/support/docview.wss?uid=swg21990588

  • ykud

    Thanks!
    Yup it’s there, but not the fix pack itself. And the tech note is a bit light on detail, I still don’t see what to do with BI / Express, etc. I’m sure there are more updates to come.

  • Anders Sangvik Halvorsen

    Hi,

    Has anyone else experienced problems with Cognos Analysis for Excel after doing this update?
    After making the necessary changes my users are no longer able to access the server list in CAFE.

  • anand

    Hi Ykud,

    Thanks for your continuous support. The whole workaround of switching to the 2048-bit SSL cert is quite simple, but the problem I am having is with the tm1p.ini file and setting the parameter in the TM1RunTi.exe command line. I am not sure where exactly I need to change the parameter certversion=2 in the ini file being used with the TM1RunTi.exe command line. I guess it’s not on either the TM1 admin/application server, rather it’s on the client component side. If you can provide a little more insight and detail on how/where to update this part, it would be of great help.

  • Rajeev Kamdar

    Our organization is on TM1 9.5.2. Can someone provide instructions on how to create the certificate .pem files?

  • ykud

    Hi Sunil,

    2048 certificates are not more secure than 1024, it’s just a different key 😉

    The latest tech note on the topic is http://www-01.ibm.com/support/docview.wss?uid=swg21990588

    Still no ETA on updater, though.

    Cheers,
    Yuri

  • ykud

    Hi Anders,

    This must be linked to your pmhub update. CAFE connects via PMHub, make sure you go through the related steps in http://www-01.ibm.com/support/docview.wss?uid=swg21697266 (this tech note was recently updated to include this bit).

    Cheers,
    Yuri

  • ykud

    Hi Anand,

    It should be changed on the machine you’re running tm1top from (whether it’s your server or some desktop). You can add it to the command line itself, like tm1top -servername SData -adminhost localhost -certversion 2

    Cheers,
    Yuri

  • ykud

    Hi Rajeev,

    You’re using an unsupported version of TM1, you know it, right? 🙂

    I think the workaround would be to replace the existing certificates with new ones:
    – Either get the v2 certificates from a 10.2.2 installation or from the updater when it’s released
    – for v2 rename
    Client side:
    Tm1ca_v2.pem -> applixca.pem
    Tm1cacrl_v2.pem -> applixcacrl.pem
    Server side:
    tm1admsvrcert_v2.pem -> tm1admsvrcert.pem
    tm1svrcert_v2.pem -> tm1svrcert.pem

    This would replace expiring certificates with extended ones. This is unsupported, please test carefully.

    Cheers,
    Yuri

  • Rajeev Kamdar

    Yuri,

    IBM sent me some updated certificates and I replaced them in C:\Program Files (x86)\Cognos\TM1\bin\ssl. I advanced the system date on the server and Perspectives did not work. Is there anything special that I need to do for the new certs to be picked up by Perspectives?

  • Anders Sangvik Halvorsen

    Hello Yuri,

    Thank you for your reply.
    I actually followed this technote but ran into problems because we use single sign-on. According to IBM technicians there is at this point no working solution for this update for TM1 installations running with single sign-on.

    BR Anders

  • anand

    Thank you Yuri for the reply. So I think tm1runti.exe is optional: it only needs to be changed if a developer is using that utility, and ideally they should be able to do it themselves. Correct me if I am wrong.
    One more question – does any update need to be done for Cognos Insight, Cognos package connector, TM1 application portal & TM1 Web? As per your initial point, if the servers remain intact then I don’t care much about the development tools, but the user client components are very important. So I just wanted to ensure that everything remains in working condition, as the IBM tech note does not mention anything about them.
    Thanks again in advance for all your inputs.
    BR
    Anand

  • ykud

    That’s interesting.
    You’re using CAM-based single sign-on? I thought that importing the new certificate into the BI JVM should do the trick, but it seems that life is always more interesting.

    Thanks,
    Yuri

  • ykud

    Hi Anand,

    Yes, TM1RunTI can be updated by developers. But if you use it in TIs, you’d have to change the way you call it.

    Cognos Insight works through the application server, so as long as the application server is updated all is good. Same for the Applications portal and TM1Web.

    Cheers,
    Yuri

  • ykud

    Hi Rajeev,

    Can you try following the steps outlined here: http://www.ibm.com/support/docview.wss?uid=swg21991655
    It’s the latest updated information.

    Cheers,
    Y

  • Anders Sangvik Halvorsen

    Hi,
    We’re using the BI SSO. There doesn’t seem to be a working solution for this yet, but according to my IBM source it will be included in the announced Interim Fixes for TM1 and for BI.

  • I just found another thing that doesn’t work: Cognos Analytics can’t use TM1 as a data source on Linux, only on Windows, AIX and Solaris. 10.2.2 didn’t have any OS restrictions; this is just annoying.

  • ykud

    Hi Mario,

    Looks like they stopped packaging the Linux TM1 client with Cognos Analytics, strange indeed. Do they say if it’s temporary and will be updated soon, or is it by design? )
    Cheers,

    Yuri

  • I am waiting for an answer to that question, if I get one I will post it here.

    Cheers.

  • Fekete Gábor

    Hi Yuri,

    I tried to completely get rid of SSL using the good old UseSSL=F on TM1 9.5.2. Strangely, the TM1 Server still tries to connect to the Admin Server (same machine) on the SSL port, thus nothing works. Admin Server ports are set in the services file as

    tm1adminsvr 5495/tcp # Added by IBM Cognos TM1
    tm1admsrv_ssl 5498/tcp # Added by IBM Cognos TM1

    For simplicity I run the TM1 Server as an application, so it starts the Admin Server itself. Whatever I do (tested), the TM1 Server only ever tries the second port to connect to the Admin Server.

    Do you have any idea?

    Thanks!

    Gábor

  • ykud

    Hi Gabor,

    I think you need to check the admin server configuration file as well to see if SSL is enabled explicitly there.
    The file is called tm1admsrv.ini and the parameters are described here:
    http://www.ibm.com/support/knowledgecenter/SS9RXT_9.5.0/com.ibm.swg.im.cognos.tm1_op.9.5.2.doc/tm1_op_id15096ConfiguringtheTM1AdminServertoUseSSL_N120.html#ConfiguringtheTM1AdminServertoUseSSL_N12010F

    Cheers,
    Yuri

  • Gilad Sandor

    I have a customer with version 9.4 and the new version of the SSL certificate that IBM provided to us is not supported on this version.
    I tried to cancel the SSL on the server but without success.
    Any ideas?

  • Ammar Aslan

    Hi Ykud,
    Thanks for the information. I have a problem. My problem is with the step “Configure TM1RunTI.exe”. How do I add the ‘-certversion 2’ parameter to the TM1RunTi.exe command line?
    I tried this code “tm1top -servername XXX -adminhost localhost -certversion 2” in cmd but I could not get it to work. How can I solve this problem? I cannot get past this step.
    url: http://www-01.ibm.com/support/docview.wss?uid=swg21697266

  • ykud

    Hi Ammar,

    You’re running Tm1runti or tm1top? The string you’re quoting has tm1top which doesn’t require cert parameter.

    Cheers,
    Y

  • Ammar Aslan

    I’m running TM1RunTI.

    Actually, I want to state my problem more clearly.
    I want to change our cert from v1 to v2. I am following this link: http://www-01.ibm.com/support/docview.wss?uid=swg21697266.
    My problem is with the step “Configure TM1RunTI.exe”. I cannot add ‘-certversion 2’ as a parameter to TM1RunTi.exe. How can I solve this step? How do I add ‘-certversion 2’ as a parameter?
    Thank you for your answer and interest.

  • ykud

    Hi Ammar,

    Why can’t you add a parameter to TM1RunTI.exe? It’s just adding another parameter to the command line, like
    tm1runti -server MyTM1Server -username John -pwd "my secret"
    ti_parm1=yes ti_parm2="my value" -certversion 2

    Does this give you any errors?

    Cheers,
    Yuri

  • We are running TM1RunTI from this path:
    C:\Program Files\ibm\cognos\tm1_64\bin64\tm1runti
    and our command is:
    server="OurTm1Server" -username="admin" -pwd="apple" -certversion 2
    output:
    “tm1runti -?
    or tm1runti -help
    or tm1runt1 […] […]

    where is one of:
    -i
    -process
    -connect

    where is:
    ‘=’

    where is one of:
    -adminhost
    -server
    -user
    -securitymode
    -retryattempts
    -retryinterval

    -AdminSvrSSLCertAuthority
    -AdminSvrSSLCertID
    -AdminSvrSSLCertRevList
    -AdminSvrSSLExportKeyId
    -ExportAdminSvrSSLCert
    -CAMNamespace

    where is one of:
    -pwd
    -passwordfile -passwordkeyfile P☻”

    What is our problem, and how do we get the command right?

  • Neeraja Ramesh

    Hi, in our company we are using IBM Cognos Express 10.1 with the Xcelerator client, Architect client and TM1 Web. Because of the TM1 SSL certificate expiry, we updated the SSL certificates in the Development environment, and everything went well. We did the server-side SSL update and the Xcelerator and Architect SSL updates. TM1 Web worked fine after the server update.
    Later we rolled out this update in TM1 Prod as well. But after the SSL update, TM1 Web is not working, and I can see the following message:
    Login Failed. Please Try Again…
    87: TM1APIDOTNET Exception: – cxmd:The specified server is not found
    Upon seeing this message, I implemented the following available solutions:
    http://www-01.ibm.com/support/docview.wss?uid=swg21351337
    http://www-01.ibm.com/support/docview.wss?uid=swg21456587

    TM1Web Log file:
    2016-11-14 08:19:22,735 [1] ERROR Applix.TM1.API.Internal._TM1Main – Failed attempt to connect to host [tm1prod] on port [5498] with SSLCertID [tm1adminserver] Message [TM1APIDOTNET Exception: – System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.]

  • ykud

    Hi Ammar,

    I think there’s something wrong with your syntax, I just ran the following and it worked nicely:
    tm1runti.exe -process SaveAllData -adminhost localhost -server SampleOutdoorsAB -user admin -pwd apple -certversion 2

    Cheers,
    Yuri

  • Hi Ykud,
    Thank you for support.
    I solved my problem. After following your step, I downloaded the “Cognos TM1 SSL certificate expiration self extractor Interim Fix” from IBM Fix Central and ran this Interim Fix.
    Best regards,

  • ykud

    Hi Neeraja,

    It seems that you didn’t fully update the certs that TM1Web uses, or they mismatch the one the TM1 admin server is using. Maybe check whether both the bin and bin64 certs are updated?

    Cheers,
    Yuri

  • Neeraja Ramesh

    Hi Ykud,
    I think we updated both bin and bin64. I can see the ssl folders with the new certs. Is there any way to check whether either bin wasn’t updated?

    Can I reuse step #11 from this URL irrespective of whether the SSL certs were updated in bin or not?
    http://www-01.ibm.com/support/docview.wss?uid=swg21991652

  • It works now on CA 11.0.5. They never answer any of my questions, but at least it is working now. Cheers and happy new year!