
2019-08-28

Cognos Analytics: Advance SSL Certificate Import

Product: IBM Cognos Analytics
Version: 10.2.x, 11.0.x, 11.1.x
Main Cognos Online Doc: Cognos Analytics 11.0.x Installing & Configuring > Configuration options

This post relates to the Cognos Analytics SSL configuration procedures listed below:

11.0.x: Import the CA certificates into IBM Cognos components (11.0.x)
11.1.x: Import the CA certificates into IBM Cognos components (11.1.x)

The documented procedure only works for the following SSL certificate layouts, which IBM has not spelled out in the Cognos documentation for 10 years or longer:
1. self-signed SSL certificate with no hierarchy
2. self-signed SSL certificate with only one CA certificate to import
3. paid SSL certificate where the CA certificate is the root certificate
4. paid SSL certificate with just one root CA certificate and one intermediate certificate, where the root CA certificate is already in the keystore

In contrast, the documented step does not consider the following real-life scenarios:

  1. The customer buys a public SSL certificate instead of using a self-signed certificate
  2. A public SSL certificate always comes with a chain of CA certificates
  3. A corporate self-signed certificate can also be centrally managed with a CA hierarchy/chain
  4. The root CA certificate is not in Cognos Analytics' default Java trust store
  5. Even if the root CA certificate is in Cognos Analytics' default Java trust store, the chain contains more than one intermediate CA certificate

Any of these scenarios can make Step 4 of the ThirdPartyCertificateTool.sh/.bat procedure fail with the following error:

D:\cognos\analytics\bin> ThirdPartyCertificateTool.bat -i -e -r encryptCertificate.cer -p NoPassWordSet -t ca.cer
Looking in: \bin...
Looking in: \jre\bin...
Executing:
\jre\bin\java.exe  com.cognos.accman.jcam.utilities.ThirdPartyCertificateTool -i -e -r encryptCertificate.cer -p NoPassWordSet -t ca.cer
log4j:WARN No appenders could be found for logger (Trace.CAM.JCAM).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.

CAM-CRP-1238 Unable to store the third party crypto certificate. Unable to build the entire certificate chain. Ensure that the CA certificate file contains the entire CA certificate chain.
Reason: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
        at com.cognos.accman.jcam.crypto.misc.KeyStoreWriter.storeThirdPartyCamCryptoCert(KeyStoreWriter.java:1256)
        at com.cognos.accman.jcam.utilities.ThirdPartyCertificateTool.installCamCryptoKeyCert(ThirdPartyCertificateTool.java:450)
        at com.cognos.accman.jcam.utilities.ThirdPartyCertificateTool.main(ThirdPartyCertificateTool.java:511)
Caused by: CAM-CRP-1240 Unable to build the entire certificate chain. Ensure that the CA certificate file contains the entire CA certificate chain. Reason: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
        at com.cognos.accman.jcam.crypto.misc.KeyStoreWriter._orderCertChain(KeyStoreWriter.java:1422)
        at com.cognos.accman.jcam.crypto.misc.KeyStoreWriter.storeThirdPartyCamCryptoCert(KeyStoreWriter.java:1250)
        ... 2 more
Caused by: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
        at org.bouncycastle145.jce.provider.PKIXCertPathBuilderSpi.engineBuild(PKIXCertPathBuilderSpi.java:112)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        at com.cognos.accman.jcam.crypto.misc.KeyStoreWriter._orderCertChain(KeyStoreWriter.java:1418)
        ... 3 more
CAM-CRP-1240 Unable to build the entire certificate chain. Ensure that the CA certificate file contains the entire CA certificate chain. Reason: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
        at com.cognos.accman.jcam.crypto.misc.KeyStoreWriter._orderCertChain(KeyStoreWriter.java:1422)
        at com.cognos.accman.jcam.crypto.misc.KeyStoreWriter.storeThirdPartyCamCryptoCert(KeyStoreWriter.java:1250)
        at com.cognos.accman.jcam.utilities.ThirdPartyCertificateTool.installCamCryptoKeyCert(ThirdPartyCertificateTool.java:450)
        at com.cognos.accman.jcam.utilities.ThirdPartyCertificateTool.main(ThirdPartyCertificateTool.java:511)
Caused by: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
        at org.bouncycastle145.jce.provider.PKIXCertPathBuilderSpi.engineBuild(PKIXCertPathBuilderSpi.java:112)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        at com.cognos.accman.jcam.crypto.misc.KeyStoreWriter._orderCertChain(KeyStoreWriter.java:1418)
        ... 3 more
java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
        at org.bouncycastle145.jce.provider.PKIXCertPathBuilderSpi.engineBuild(PKIXCertPathBuilderSpi.java:112)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        at com.cognos.accman.jcam.crypto.misc.KeyStoreWriter._orderCertChain(KeyStoreWriter.java:1418)
        at com.cognos.accman.jcam.crypto.misc.KeyStoreWriter.storeThirdPartyCamCryptoCert(KeyStoreWriter.java:1250)
        at com.cognos.accman.jcam.utilities.ThirdPartyCertificateTool.installCamCryptoKeyCert(ThirdPartyCertificateTool.java:450)
        at com.cognos.accman.jcam.utilities.ThirdPartyCertificateTool.main(ThirdPartyCertificateTool.java:511)
CAM-CRP-1240 Unable to build the entire certificate chain. Ensure that the CA certificate file contains the entire CA certificate chain. Reason: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
        at com.cognos.accman.jcam.crypto.misc.KeyStoreWriter._orderCertChain(KeyStoreWriter.java:1422)
        at com.cognos.accman.jcam.crypto.misc.KeyStoreWriter.storeThirdPartyCamCryptoCert(KeyStoreWriter.java:1250)
        at com.cognos.accman.jcam.utilities.ThirdPartyCertificateTool.installCamCryptoKeyCert(ThirdPartyCertificateTool.java:450)
        at com.cognos.accman.jcam.utilities.ThirdPartyCertificateTool.main(ThirdPartyCertificateTool.java:511)
Caused by: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
        at org.bouncycastle145.jce.provider.PKIXCertPathBuilderSpi.engineBuild(PKIXCertPathBuilderSpi.java:112)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        at com.cognos.accman.jcam.crypto.misc.KeyStoreWriter._orderCertChain(KeyStoreWriter.java:1418)
        ... 3 more
java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
        at org.bouncycastle145.jce.provider.PKIXCertPathBuilderSpi.engineBuild(PKIXCertPathBuilderSpi.java:112)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        at com.cognos.accman.jcam.crypto.misc.KeyStoreWriter._orderCertChain(KeyStoreWriter.java:1418)
        at com.cognos.accman.jcam.crypto.misc.KeyStoreWriter.storeThirdPartyCamCryptoCert(KeyStoreWriter.java:1250)
        at com.cognos.accman.jcam.utilities.ThirdPartyCertificateTool.installCamCryptoKeyCert(ThirdPartyCertificateTool.java:450)
        at com.cognos.accman.jcam.utilities.ThirdPartyCertificateTool.main(ThirdPartyCertificateTool.java:511)
java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
        at org.bouncycastle145.jce.provider.PKIXCertPathBuilderSpi.engineBuild(PKIXCertPathBuilderSpi.java:112)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        at com.cognos.accman.jcam.crypto.misc.KeyStoreWriter._orderCertChain(KeyStoreWriter.java:1418)
        at com.cognos.accman.jcam.crypto.misc.KeyStoreWriter.storeThirdPartyCamCryptoCert(KeyStoreWriter.java:1250)
        at com.cognos.accman.jcam.utilities.ThirdPartyCertificateTool.installCamCryptoKeyCert(ThirdPartyCertificateTool.java:450)
        at com.cognos.accman.jcam.utilities.ThirdPartyCertificateTool.main(ThirdPartyCertificateTool.java:511)

The whole configuration exists to make the WebSphere Liberty Profile web application server serve HTTPS. As a fundamental of web server SSL configuration, the entire SSL certificate chain has to be imported into the Java trust store, not just the certificate issued to the machine itself.

The following is the background information and preparation:
1. Back up all certificate files used by Cognos Configuration Manager in COGNOS_HOME\configuration\certs\
2. Ensure JAVA_HOME is not set, or set it to COGNOS_HOME\jre. Do not use another Java for compatibility with Cognos, or you will run into other SSL issues
3. Cognos Configuration Manager uses the SSL stores in COGNOS_HOME\configuration\certs, not COGNOS_HOME\jre\lib\security\
4. This key store is a Java JKS key store; its full name is COGNOS_HOME\configuration\certs\CAMKeystore.jks
5. SSL verification can use keytool, as it is a pure Java keystore

The following is the resolution for the case where neither the root CA certificate nor the intermediate CA certificate is in the Java keystore:
1. Use Windows Explorer to open the CA certificate that issued the SSL certificate to the Cognos server. This is called the intermediate certificate. It is the CA certificate the Cognos document tells you to import, but importing it alone will fail
2. For a paid SSL certificate, this will be the vendor's intermediate certificate. For example, DigiCert's SHA2-based CA certificate looks like the one below:

3. Click on the last tab, labelled "Certification Path", to see the CA chain. In this scenario there is just one intermediate CA certificate and one root certificate. If there are multiple intermediate certificates, all of them will need to be imported

4. Double-click on the parent certificate, in this case the root certificate. This is how it looks:

5. Export this root certificate from the Details tab by clicking the "Copy to File..." button

6. The "Certificate Export Wizard" runs; follow the screens to create a "Base-64 encoded X.509 (.CER)" file. The filename can have any extension, as Java does not care about the extension

7. If there are multiple intermediate CA certificates, repeat this for each of them. You will end up with one CER file per CA certificate

8. Import the root CA certificate first using this command. For some reason, this command is shown as the last step in Cognos' document:
ThirdPartyCertificateTool.bat -E -T -r D:\DigiCert\digicert_root.cer -p NoPassWordSet
ThirdPartyCertificateTool.bat -E -T -r D:\DigiCert\digicert_intermediate1.cer -p NoPassWordSet
(if there are more intermediate CA certificates)
ThirdPartyCertificateTool.bat -E -T -r D:\DigiCert\digicert_intermediate2.cer -p NoPassWordSet
ThirdPartyCertificateTool.bat -E -T -r D:\DigiCert\digicert_intermediate3.cer -p NoPassWordSet

9. Lastly, import the CA certificate that issued the SSL certificate to the Cognos server together with the crypto certificate:
ThirdPartyCertificateTool.bat -i -e -r crypto.cer -p NoPassWordSet -t cacert.pem

10. If the intermediate CA certificate is already in the trust store, there will be a warning telling you it already exists, but the tool will continue to import the crypto certificate. Just ignore the warning

11. Verify that the entire SSL certificate chain has been imported by checking the fingerprint/thumbprint or serial number (the -v switch is needed: without it keytool prints neither the Issuer line nor the serial number):

%java_home%\bin\keytool -list -v -keystore COGNOS_HOME\configuration\certs\CAMKeystore.jks -storepass NoPassWordSet -storetype JKS

12. Use this command to find the issuer's name for the root certificate:
%java_home%\bin\keytool -list -v -keystore COGNOS_HOME\configuration\certs\CAMKeystore.jks -storepass NoPassWordSet -storetype JKS | find "Issuer: CN=" | find "Root"

13. Use this command to find a certificate by fingerprint:
%java_home%\bin\keytool -list -v -keystore COGNOS_HOME\configuration\certs\CAMKeystore.jks -storepass NoPassWordSet -storetype JKS | find "59:0D:2D:7D:88:4F:40:2E:61:7E:A5:62:32:17:"
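The Explorer "Certification Path" and "Copy to File..." steps above can be scripted, which also makes the incomplete-chain failure visible before ThirdPartyCertificateTool is run. The PowerShell below is an added example, not the post's or IBM's own code; it assumes the Cognos server certificate is at D:\DigiCert\crypto.cer and writes one Base-64 .cer per CA into D:\DigiCert (both placeholders), then prints the import commands in the root-first order used above.

```powershell
# Added example, not the post's or IBM's own code. Placeholders assumed: the Cognos server
# certificate is D:\DigiCert\crypto.cer and the exported CA files go to D:\DigiCert.
$leafPath = 'D:\DigiCert\crypto.cer'
$outDir   = 'D:\DigiCert'

$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $leafPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
# Still return a path when the root is not trusted by Windows (it need not be; Cognos has its own JKS)
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$null = $chain.Build($leaf)

# ChainElements is ordered leaf -> intermediate(s) -> root, the "Certification Path" tab read bottom-up
$certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
$top   = $certs[-1]
if ($certs.Count -lt 2 -or $top.Subject -ne $top.Issuer) {
    # Same condition ThirdPartyCertificateTool reports as CAM-CRP-1240: the path stops at a
    # certificate whose issuer cannot be found, so there is no complete chain to import yet.
    throw "Chain is incomplete: it ends at '$($top.Subject)', whose issuer is not available"
}

$files = @{}
$cmds  = @()
$n     = 0
# Walk root -> intermediates, which is the import order used above (root first)
for ($k = $certs.Count - 1; $k -ge 1; $k--) {
    $ca   = $certs[$k]
    $kind = if ($k -eq $certs.Count - 1) { 'root' } else { $n++; "intermediate$n" }
    $file = Join-Path $outDir "ca_$kind.cer"
    $files[$k] = $file
    # Same format as the wizard's "Base-64 encoded X.509 (.CER)"
    $der = $ca.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks)
    Set-Content -Path $file -Encoding Ascii -Value @('-----BEGIN CERTIFICATE-----', $b64, '-----END CERTIFICATE-----')
    # Thumbprint is the SHA1 fingerprint that keytool -list -v prints (with colons), for checking after import
    '{0,-14} SHA1={1}  {2}' -f $kind, $ca.Thumbprint, $ca.Subject
    $cmds += "ThirdPartyCertificateTool.bat -E -T -r $file -p NoPassWordSet"
}
# The CA that issued the server certificate is $certs[1]; it goes in together with the crypto cert via -t
$cmds += "ThirdPartyCertificateTool.bat -i -e -r $leafPath -p NoPassWordSet -t $($files[1])"
''
'Run these from COGNOS_HOME\bin, in this order:'
$cmds
```

The chain is built from the Windows certificate store and any AIA download, so if the script throws, the same intermediate is missing on the machine and must be obtained from the vendor before the Cognos import can succeed.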

2 comments:

IT said...

I like your post very much. It is very useful for my research. I hope you will share more info about this. Keep posting cognos tm1 online training hyderabad

Srinu Vasu said...

Very informative post for Cognos TM1 developers. You can also visit aststraining.com for Cognos TM1 stuff.

Cognostm1 Online Training
Cognostm1 Training
CognosBI Online Training