Your TM1 SSL certificates will expire in November

Update 02/10/2016: The fix pack / updater from IBM is still not released, but manual update instructions + a set of new certificates are published at http://www-01.ibm.com/support/docview.wss?uid=swg21990588 . I’ll post an update once we try them out, but it’s really good news.

Update 07/09/2016: Corrected the post to reflect the fact that TM1 will not ‘crash’: it will refuse client connections, but the server itself will be just fine. And added a solution that I missed before: disabling SSL altogether. There will be a preferred recipe and update from IBM around mid-September, as I’m told; I’ll publish a follow-up post once that’s out.

Just making sure that everybody is aware that the default SSL certificates in a TM1 installation will expire on the 24th of November. I hope everyone got the happy email from IBM, but I’m reposting it just in case (scroll to the bottom).

What is happening:
The default certificates that TM1 uses for all client and server communications will expire on 24/11 and TM1 will stop accepting client connections; restarting won’t help 🙂
Applies to TM1 10.2 (all releases) and TM1 10.1, and I’d imagine to any 9.5 or older.

What to do:
0) (The easiest but insecure option.) Disable SSL in tm1s.cfg altogether.
1) Switch to the more durable and secure v2 certs in the package as per http://www-01.ibm.com/support/docview.wss?uid=swg21697266 ; they will expire in 2022. The main problem with this approach is that you’d need to update the Perspectives configuration, and that’s a big deal.
2) Wait for IBM to release a hot fix for this and apply it (hopefully it’ll be just a couple of cert files). Best option; I’ll update the post once I know of the fix pack.
3) Generate your own certs and install them. You’d still have to go through all the client configuration updates, but those will be your certificates and you get the warm fuzzy feeling 🙂

The original email from IBM:

“Dear Sirs,

as you may know, by default the communication between the TM1 components is encrypted using SSL certificates shipped and installed with the TM1 software, also known as the out-of-the-box SSL implementation, see the manual IBM TM1 Installation and Configuration Guide =>

(1)
https://www.ibm.com/support/knowledgecenter/SS9RXT_10.2.2/com.ibm.swg.ba.cognos.tm1_inst.10.2.2.3.doc/c_runningtm1insecuremodeusingssl_n120007.html#RunningTM1inSecureModeUsingSSL_N120007
Cognos TM1 > Cognos TM1 10.2.2 > Install > TM1 Installation and Configuration Guide 10.2.2.3 Security configuration >

Using SSL for data transmission security

You can configure IBM Cognos TM1 to use SSL for secure data transmission.

(1.1)
https://www.ibm.com/support/knowledgecenter/SS9RXT_10.2.2/com.ibm.swg.ba.cognos.tm1_inst.10.2.2.3.doc/c_tm1-generatedcertificates_n1200a0.html#TM1-GeneratedCertificates_N1200A0
Cognos TM1 > Cognos TM1 10.2.2 > Install > TM1 Installation and Configuration Guide 10.2.2.3 > Security configuration > Using SSL for data transmission security >

Generated Certificates

When you install IBM Cognos TM1, all certificates and other files required to implement SSL are placed in the TM1_install_dir\bin\SSL directory.

The certificates contained in this directory are issued by the Applix, Inc. certificate authority, which was created using OpenSSL.

When you install Cognos TM1, the Admin Server, Cognos TM1 server, and Cognos TM1 client are all configured to use SSL, relying on the certificates installed in the TM1_install_dir\bin\SSL directory. While the Cognos TM1 certificates allow an out-of-the-box SSL implementation, you should replace these certificates with your own certificates (as well as a certificate revocation list) if you want to maximize security. For Cognos TM1 Web, all root certificates must be installed in the certificate store on the machine that the servers are using to run Cognos TM1 Web.

The TM1_install_dir\bin\SSL directory contains the following certificates and files.

– tm1admsvrcert.pem – the Admin Server certificate containing the public/private key pair

– tm1svrcert.pem – the Cognos TM1 server certificate containing the public/private key pair

Both the 1024-bit default SSL certificate for the TM1 Admin Server, tm1admsvrcert.pem, and the TM1 Server, tm1svrcert.pem, will expire on 11/24/2016.

These SSL certificates are stored in the directories ..\bin\ssl\ respectively ..\bin64\ssl\ on a TM component installation.

When you open these SSL certificates in a text editor like Notepad and search for the string “Not After” you get =>

tm1admsvrcert.pem
Not After : Nov 24 16:47:19 2016 GMT

tm1svrcert.pem
Not After : Nov 24 16:45:44 2016 GMT

When you are using the default set of 1024-bit SSL certificates, when you are using the expiring 1024-bit SSL certificate for the TM1 Admin Server, tm1admsvrcert.pem, and the expiring 1024-bit SSL certificate for the TM1 Server, tm1svrcert.pem, you must take action before 11/24/2016 otherwise your TM1 installation will stop working.

Among your options are:

(1)
Replace our default set of 1024-bit SSL certificates with your own SSL certificates.

(2)
When you are using TM1 v10.2.2 and newer, replace our default set of 1024-bit SSL certificates with the optional set of 2048-bit SSL certificates, the v2 set, as outlined by the IBM Technote 1697266 =>

http://www-01.ibm.com/support/docview.wss?uid=swg21697266
How to configure TM1 to use the bundled 2048-bit SSL certificate

Technote (FAQ)

Question
By default, the TM1 Admin Server and TM1 Server, are secured using a 1024-bit SSL Certificate. The rootCA of that certificate is the applixca.pem file. The steps in this technote describe how to configure the TM1 Admin Server and TM1 Server (as well as the TM1 Client components), to use the provided 2048-bit SSL certificate ( tm1ca_v2.pem ).

You would replace

– the default 1024-bit SSL certificate for the TM1 Admin Server, tm1admsvrcert.pem, by the optional 2048-bit SSL certificate tm1admsvrcert_v2.pem

– the default 1024-bit SSL certificate for the TM1 Server, tm1svrcert.pem, by the optional 2048-bit SSL certificate tm1svrcert_v2.pem

The optional v2 set of SSL certificates is also stored in the directories ..\bin\ssl\ respectively ..\bin64\ssl\ of a TM component installation.

When you open these SSL certificates in a text editor like Notepad and search for the string “Not After” you get =>

tm1svrcert_v2.pem
Not After : Aug 25 18:22:55 2022 GMT

tm1admsvrcert_v2.pem
Not After : Aug 25 18:23:11 2022 GMT

(3)
Currently TM1 v10.1 and v10.2 are the only supported TM1 on premises releases.

We are working on an Interim Fix to patch these releases which will include a new default set of 1024-bit SSL certificates to replace the current set which expires 11/24/2016.

This will be the straightforward option to patch all TM1 component installations within an existing TM1 environment.

If you have not done already, please subscribe to IBM My Notifications to be notified when the Interim Fix patching the expiring 1024-bit SSL certificates will be released =>

Manage your My Notifications subscriptions, or send questions and comments.
– Subscribe or Unsubscribe – https://www.ibm.com/support/mynotifications

If you have questions on the expiring 1024-bit SSL certificates, please contact TM1 Support.”
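
The Notepad check the email describes ("search for the string Not After"), automated over a whole SSL directory. This is an added example, not IBM's or the post author's code. It assumes the .pem files carry the openssl text dump with a "Not After" line, as the email says; the function names, the 90-day warning window and the sample file contents are constructed here.

```python
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# The line openssl writes into the text dump, e.g.
# "Not After : Nov 24 16:47:19 2016 GMT" (single-digit days are space-padded).
NOT_AFTER = re.compile(r"Not After\s*:\s*(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+GMT")

def cert_expiry(pem_path):
    """Return the first 'Not After' time (UTC) in the file's text dump, or None."""
    match = NOT_AFTER.search(Path(pem_path).read_text(errors="replace"))
    if match is None:
        return None  # bare PEM with no text dump: needs a real X.509 parser
    stamp = " ".join(match.group(1).split())  # collapse the padding spaces
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def audit_ssl_dir(ssl_dir, now, warn_days=90):
    """Map each *.pem in ssl_dir to (status, days_left)."""
    report = {}
    for pem in sorted(Path(ssl_dir).glob("*.pem")):
        expiry = cert_expiry(pem)
        if expiry is None:
            report[pem.name] = ("NO-DATE", None)
            continue
        days_left = (expiry - now).days
        if expiry <= now:
            status = "EXPIRED"
        elif days_left <= warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        report[pem.name] = (status, days_left)
    return report

def demo(now):
    """Run the audit over constructed stand-ins for files in bin\\ssl."""
    samples = {  # constructed samples; the dates are the ones quoted in the email
        "tm1admsvrcert.pem": "Not After : Nov 24 16:47:19 2016 GMT",
        "tm1svrcert_v2.pem": "Not After : Aug 25 18:22:55 2022 GMT",
        "bare.pem": "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text("Certificate:\n    Validity\n        " + body + "\n")
        return audit_ssl_dir(tmp, now)

if __name__ == "__main__":
    for name, result in demo(datetime(2016, 10, 2, tzinfo=timezone.utc)).items():
        print(name, *result)
```

Point `audit_ssl_dir` at the real `bin\ssl` and `bin64\ssl` directories with `datetime.now(timezone.utc)`; a `NO-DATE` result means the file has no text dump and the expiry has to be read from the certificate itself.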