Solved: OCI DWH and Cognos Reporting

sstrznwra · ‎2015-12-22

Hi,

Does anyone have experience with the exchange of certificates on Cognos Server ?

We like to import our own Certificates.

I try this as described in the Cognos documentation ,

create signrequest / encryptrequest....

create cert in our CA

import cert

config cognos to Use third party CA,

but the Report Server show always the selfsigned Cert from the Basic Installation.

Thanks Michael

dbourque · ‎2015-12-22

Michael,

The following previously answered thread may help you.

The jboss we ship is SSL enabled with a self signed cert out of the box. On OCI 7.0.x, we no longer ship Apache, and instead use Jboss to front-end the Cognos components. Theoretically, this procedure should work to replace the self signed SSL certs on each OCI operational server as well as DWH.

The Jboss certs/keys are stored in the java keystore. The password is changeit.

..\SANscreen\jboss\server\onaro\cert

Contains the keystore – backup this file, and at any point, you can safely revert to your original keystore by reverting to your backup, and restarting the “SANscreen Server” service, along with all acquisition units.

Oracle ships a keytool with Java. It should be in your ..\java\bin folder

##############

First, understand what is in the keystore by doing a verbose list

keytool -list -v -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore"

Alias name: ABC

We may need to purge certain keys:

keytool -delete -alias localhost -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore"

Then, generate new key

keytool -genkey -alias localhost -keyalg RSA -keysize 2048 -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore"

What is key is that when you are asked for "What is your first and last name?" you respond with the FQDN you expect to use

After a variety of questions about organization and structure, you will be prompted:

Is CN=localhost, OU=Waltham, O=NetApp, L=Waltham, ST=MA, C=US correct?

[no]

Only type in yes when the Common Name (CN) value is accurately displaying the FQDN

Enter key password for <localhost>

(RETURN if same as keystore password):

keytool -certreq -alias localhost -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore" -file c:\localhost.csr

The c:\localhost.csr file is the certificate request. Submit it to your CA. Once it is approved, you want the cert returned to you in DER format. This may may or may not be a .der extension. Microsoft CA services defaults to a .cer extension.

keytool -importcert -alias localhost -file c:\localhost2.cer -keystore "c:\Program Files\SANscreen\jboss\server\onaro\cert\server.keystore"

You will be prompted for the keystore password, and you should receive:

Certificate reply was installed in keystore

At this point, if you restart the “SANscreen Server” service, you should find that it is using the CA signed certs. Your web browser should no longer throw certificate errors because the signer of the certs is not trusted

View solution in original post

sstrznwra · ‎2015-12-23

dbbourque,

Thanks very much , it was very helpfull.

Can I find this in OCI Documentation ?

dbourque · ‎2015-12-23

The provided steps are not in the current documentation. I have submitted the information provided to have in productized in our documentation. For clarity purposes, did you determine what the problem was?

sstrznwra · ‎2015-12-29

hi,

the problem was that we create and import the cert´s directly on the cognos server and not on the front end ( jboss )

thanks

OCI DWH and Cognos Reporting

Re: OCI DWH and Cognos Reporting

Re: OCI DWH and Cognos Reporting

Re: OCI DWH and Cognos Reporting

Re: OCI DWH and Cognos Reporting