2015-12-22 04:42 AM
Does anyone have experience with the exchange of certificates on Cognos Server ?
We like to import our own Certificates.
I try this as described in the Cognos documentation ,
create signrequest / encryptrequest....
create cert in our CA
config cognos to Use third party CA,
but the Report Server show always the selfsigned Cert from the Basic Installation.
Solved! SEE THE SOLUTION
2015-12-22 05:17 AM
The following previously answered thread may help you.
The jboss we ship is SSL enabled with a self signed cert out of the box. On OCI 7.0.x, we no longer ship Apache, and instead use Jboss to front-end the Cognos components. Theoretically, this procedure should work to replace the self signed SSL certs on each OCI operational server as well as DWH.
The Jboss certs/keys are stored in the java keystore. The password is changeit.
Contains the keystore – backup this file, and at any point, you can safely revert to your original keystore by reverting to your backup, and restarting the “SANscreen Server” service, along with all acquisition units.
Oracle ships a keytool with Java. It should be in your ..\java\bin folder
First, understand what is in the keystore by doing a verbose list
keytool -list -v -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore"
Alias name: ABC
We may need to purge certain keys:
keytool -delete -alias localhost -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore"
Then, generate new key
keytool -genkey -alias localhost -keyalg RSA -keysize 2048 -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore"
What is key is that when you are asked for "What is your first and last name?" you respond with the FQDN you expect to use
After a variety of questions about organization and structure, you will be prompted:
Is CN=localhost, OU=Waltham, O=NetApp, L=Waltham, ST=MA, C=US correct?
Only type in yes when the Common Name (CN) value is accurately displaying the FQDN
Enter key password for <localhost>
(RETURN if same as keystore password):
keytool -certreq -alias localhost -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore" -file c:\localhost.csr
The c:\localhost.csr file is the certificate request. Submit it to your CA. Once it is approved, you want the cert returned to you in DER format. This may may or may not be a .der extension. Microsoft CA services defaults to a .cer extension.
keytool -importcert -alias localhost -file c:\localhost2.cer -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore"
You will be prompted for the keystore password, and you should receive:
Certificate reply was installed in keystore
At this point, if you restart the “SANscreen Server” service, you should find that it is using the CA signed certs. Your web browser should no longer throw certificate errors because the signer of the certs is not trusted
2015-12-23 06:55 AM
The provided steps are not in the current documentation. I have submitted the information provided to have in productized in our documentation. For clarity purposes, did you determine what the problem was?