Reconfigure Cognos gateway to use SSL using self-signed certificates

To recrypt Cognos to use self-certificates:

1. Launch the IBM Cognos Configuration tool as an administrator and stop the Cognos service if it is running.
2. Navigate to the Cognos installation directory (usually C:\ProgramFiles\ibm\cognos\analytics).
3. Take a protective backup copy of the configuration folder, and name it as configuration_original_datetime in a separate directory.
4. Navigate to File > Export As and export the decrypted content as backup_original.xml in a separate folder. Choose 'Yes' at the prompt and save the file.
5. Without restarting the Cognos service, close the IBM Cognos Configuration tool.
   Important: Do no re-open the IBM Cognos Configuration tool until instructed to do so. The configuration and cogstartup.xml are backed up so that the configuration could be reverted to non-SSL state should there be any issues with certs.
6. Follow the web-server vendors’ (Microsoft IIS, Apache) documentation to set up the web server correctly with SSL before making any changes in Cognos Analytics.
   Note: In this case, we do not require the request.csr file to be generated via Cognos Analytics server. You may work with IT/ networking team to generate certificates on the server directly.
7. Get a copy of the web server certificates and download all the levels that make up the full certificate.
   Note: Importing the certificates ensures that there is full chain of trust between the webserver and the application (cognos analytics) install that the webserver routes the request to.
8. Download the root, intermediate, and server certificates onto the Cognos Analytics server.
9. Use the following steps to convert each certificate to Base-64 encoded X.509 (.CER) format and save them under the CognosInstallationPath\bin directory as root.cer, server.cer, and intermediate.cer respectively.
   1. Open a certificate.
   2. Click the Details tab.
   3. Click Copy to File. A Certificate Export Wizard dialog appears.
   4. In the Certificate Export Wizard dialog, click Next.
   5. From the available options, select Base-64 encoded X.509 (.CER) format.
   6. Click Next.
   7. Enter the appropriate file name from these options, saving in the CognosInstallationPath\bin directory:
      • root.cer
      • server.cer
      • intermediate.cer.
   8. Click Next.
   9. Click Finish.
   10. Click OK to dismiss the message and all pop-up windows.
   11. Loop back and repeat for each remaining certificate.
10. Open a new command prompt as an administrator to import the certificates in the following order with these commands:

    Windows Operating System:
    cd c:\Program Files\ibm\cognos\analytics\bin
    ThirdPartyCertificateTool.bat -i -T -r root.cer -p NoPassWordSet
    ThirdPartyCertificateTool.bat -i -T -r intermediate.cer -p NoPassWordSet
    ThirdPartyCertificateTool.bat -i -T -r server.cer -p NoPassWordSet

11. In your preferred text editor, open CognosInstallationPath\configuration\FLEXnet.properties, and update the protocol in the URL to read HTTPS.
12. In your preferred text editor, update the web.config file under ApplicationserverinstallationPath\Program Files (x86)\Flexera Software\FlexNet Manager Platform\WEBUI to read biportalURL as HTTPS.
13. Launch the IBM Cognos Configuration tool as an administrator.
14. Navigate to Environment and change Gateway URI to HTTPS protocol. Also, update the port number to 443. Example: https://<webserver FQDN>:443/ibmcognos/bi/v1/disp.
15. Save the updated configuration.
16. Start the Cognos service and close the Configuration tool.
17. Ensure that the certificates are added to the Trusted Root Certificates and Intermediate Certificates in the MMC console.
18. Launch IIS on Flexera (Cognos) Analytics server and configure it as follows:
    1. Navigate to the website and add bindings to configure HTTPS.
    2. Add the correct server host name (FQDN) and certificate name.
    3. Restart IIS.