Active IQ Unified Manager Discussions

OCI DWH and Cognos Reporting



Does anyone have experience with the exchange of certificates on Cognos Server ?

We like to import our own Certificates.

I try this as described in the Cognos documentation , 

create signrequest / encryptrequest....

create cert in our CA

import cert

config cognos to Use third party CA,

but the Report Server show always the selfsigned Cert from the Basic Installation.


Thanks Michael


Re: OCI DWH and Cognos Reporting




The following previously answered thread may help you.


The jboss we ship is SSL enabled with a self signed cert out of the box. On OCI 7.0.x, we no longer ship Apache, and instead use Jboss to front-end the Cognos components. Theoretically, this procedure should work to replace the self signed SSL certs on each OCI operational server as well as DWH.



The Jboss certs/keys are stored in the java keystore. The password is changeit.




Contains the keystore – backup this file, and at any point, you can safely revert to your original keystore by reverting to your backup, and restarting the “SANscreen Server” service, along with all acquisition units.


Oracle ships a keytool with Java. It should be in your ..\java\bin folder




First, understand what is in the keystore by doing a verbose list


keytool -list -v -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore"


Alias name: ABC


We may need to purge certain keys:


keytool  -delete -alias localhost -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore"


Then, generate new key


keytool -genkey -alias localhost -keyalg RSA -keysize 2048 -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore"


What is key is that when you are asked for "What is your first and last name?" you respond with the FQDN you expect to use


After a variety of questions about organization and structure, you will be prompted:

Is CN=localhost, OU=Waltham, O=NetApp, L=Waltham, ST=MA, C=US correct?



Only type in yes when the Common Name (CN) value is accurately displaying the FQDN


Enter key password for <localhost>

        (RETURN if same as keystore password):


keytool -certreq -alias localhost  -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore" -file c:\localhost.csr


The c:\localhost.csr file is the certificate request. Submit it to your CA. Once it is approved, you want the cert returned to you in DER format. This may may or may not be a .der extension. Microsoft CA services defaults to a .cer extension.


keytool -importcert  -alias localhost -file c:\localhost2.cer -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore"


You will be prompted for the keystore password, and you should receive:


Certificate reply was installed in keystore


At this point, if you restart the “SANscreen Server” service, you should find that it is using the CA signed certs. Your web browser should no longer throw certificate errors because the signer of the certs is not trusted

View solution in original post

Re: OCI DWH and Cognos Reporting




Thanks very much , it was very helpfull.


Can I find this in OCI Documentation ?

Re: OCI DWH and Cognos Reporting


The provided steps are not in the current documentation.  I have submitted the information provided to have in productized in our documentation.   For clarity purposes, did you determine what the problem was?

Re: OCI DWH and Cognos Reporting



the problem was that we create and import the cert´s directly on the cognos server and not on the front end ( jboss )



2021 NetApp Partner Experience Survey
PES Banner
All Community Forums