Active IQ Unified Manager Discussions
Hi,
Does anyone have experience with exchanging certificates on the Cognos Server?
We would like to import our own certificates.
I tried this as described in the Cognos documentation:
create signrequest / encryptrequest....
create cert in our CA
import cert
config Cognos to use third-party CA,
but the Report Server always shows the self-signed cert from the basic installation.
Thanks, Michael
Michael,
The following previously answered thread may help you.
The jboss we ship is SSL enabled with a self signed cert out of the box. On OCI 7.0.x, we no longer ship Apache, and instead use Jboss to front-end the Cognos components. Theoretically, this procedure should work to replace the self signed SSL certs on each OCI operational server as well as DWH.
The Jboss certs/keys are stored in the java keystore. The password is changeit.
..\SANscreen\jboss\server\onaro\cert
Contains the keystore – back up this file, and at any point, you can safely revert to your original keystore by reverting to your backup, and restarting the “SANscreen Server” service, along with all acquisition units.
Oracle ships a keytool with Java. It should be in your ..\java\bin folder.
##############
First, understand what is in the keystore by doing a verbose list
keytool -list -v -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore"
Alias name: ABC
We may need to purge certain keys:
keytool -delete -alias localhost -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore"
Then, generate new key
keytool -genkey -alias localhost -keyalg RSA -keysize 2048 -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore"
What is key is that when you are asked for "What is your first and last name?" you respond with the FQDN you expect to use.
After a variety of questions about organization and structure, you will be prompted:
Is CN=localhost, OU=Waltham, O=NetApp, L=Waltham, ST=MA, C=US correct?
[no]
Only type in yes when the Common Name (CN) value is accurately displaying the FQDN.
Enter key password for <localhost>
(RETURN if same as keystore password):
keytool -certreq -alias localhost -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore" -file c:\localhost.csr
The c:\localhost.csr file is the certificate request. Submit it to your CA. Once it is approved, you want the cert returned to you in DER format. This may or may not be a .der extension. Microsoft CA services defaults to a .cer extension.
keytool -importcert -alias localhost -file c:\localhost2.cer -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore"
You will be prompted for the keystore password, and you should receive:
Certificate reply was installed in keystore
At this point, if you restart the “SANscreen Server” service, you should find that it is using the CA signed certs. Your web browser should no longer throw certificate errors because the signer of the certs is not trusted.
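A check for the state the original question describes (the self-signed certificate still in place after the import), added here as an example and not part of the thread: it parses `keytool -list -v` output and reports what is wrong with the alias. The sample output is constructed, and `oci.example.com` is a placeholder FQDN.

```python
import re

# Constructed sample of `keytool -list -v` output, trimmed to the fields used here.
SAMPLE = """\
Alias name: localhost
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=Waltham, O=NetApp, L=Waltham, ST=MA, C=US
Issuer: CN=localhost, OU=Waltham, O=NetApp, L=Waltham, ST=MA, C=US
"""

def parse_entries(text):
    """Split `keytool -list -v` output into one dict per alias."""
    entries, cur = [], None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "Alias name":
            cur = {"alias": value, "type": None, "chain": []}
            entries.append(cur)
        elif cur and key == "Entry type":
            cur["type"] = value
        elif cur and key == "Owner":
            cur["chain"].append({"owner": value, "issuer": None})
        elif cur and key == "Issuer" and cur["chain"]:
            cur["chain"][-1]["issuer"] = value
    return entries

def check_alias(text, alias, fqdn):
    """Return a list of problems; an empty list means the CA reply is in place."""
    entry = next((e for e in parse_entries(text) if e["alias"].lower() == alias.lower()), None)
    if entry is None:
        return ["alias not found"]
    problems = []
    if entry["type"] != "PrivateKeyEntry":
        problems.append("no private key under this alias")
    if not entry["chain"]:
        return problems + ["no certificate"]
    leaf = entry["chain"][0]  # Certificate[1] is the server certificate
    if leaf["owner"] == leaf["issuer"]:
        problems.append("leaf is self-signed")
    m = re.search(r"CN=([^,]+)", leaf["owner"])
    cn = m.group(1).strip() if m else ""
    if cn.lower() != fqdn.lower():
        problems.append(f"CN {cn} does not match {fqdn}")
    return problems

if __name__ == "__main__":
    print(check_alias(SAMPLE, "localhost", "oci.example.com"))
```

A `trustedCertEntry` under the alias means the certificate was imported without the private key that produced the request, so the server cannot present it.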
dbbourque,
Thanks very much, it was very helpful.
Can I find this in the OCI documentation?
The provided steps are not in the current documentation. I have submitted the information provided to have it productized in our documentation. For clarity purposes, did you determine what the problem was?
Hi,
The problem was that we created and imported the certs directly on the Cognos server and not on the front end (JBoss).
Thanks