Reconfigure Cognos components to use Cognos signed certificate

Note: This is an optional step that enables SSL across your full Cognos estate and components. Complete this step after completing one of the above steps (Reconfigure Cognos Analytics to Use Third-Party SSL Certificates or Reconfigure Cognos gateway to use SSL using self-signed certificates).
This process configures SSL communication between Cognos components using Cognos Analytics’ built-in functionality to create and sign certificate. Once the webserver (gateway) has been enabled to use SSL protocol, the following process is to be followed if there is no requirement to use third-party certificates. Commence this process while logged in to your Flexera Analytics server, using an account with administrator privileges.

To recrypt Cognos Analytics to use Cognos signed certificate:

  1. Launch the IBM Cognos Configuration tool as an administrator and stop the Cognos service if it is running.
  2. Navigate to the Cognos installation directory (usually C:\ProgramFiles\ibm\cognos\analytics).
  3. Take a protective backup copy of the configuration folder and save it as configuration_withgatewaySSL_datetime in a separate directory.
  4. Navigate to File > Export As and export the decrypted content as backup.xml in the configuration folder. Choose 'Yes' at the prompt and save the file.
  5. Without restarting the Cognos service, close the IBM Cognos Configuration tool.
  6. To remove the current encryption, follow the steps below:
    1. Create a backup folder and move the following files to the backup location: 
      <install directory>/configuration/cogstartup.xml
<install directory>/configuration/caSerial
<install directory>/configuration/certs/CAMCrypto.status
<install directory>/configuration/certs/CAMKeystore
<install directory>/configuration/certs/CAMKeystore.lock
<install directory>/configuration/certs/CAMKeystore.bkup
<install directory>/configuration/certs/CAMKeystore.jks
<install directory>/temp/cam/freshness
    2. Move the following directory '<install directory>\configuration/csk' to the backup location.
  7. In the CognosInstallationPath\configuration folder, rename ‘backup.xml’ to ‘cogstartup.xml’.
  8. Launch the IBM Cognos Analytics Configuration tool as an administrator.
  9. Navigate to Environment and change all URIs to change all URIs to use HTTPS protocol. In Gateway URI and Controller URI for gateway, also replace port 80 with 443. Ensure to enter fully qualified host names (or corresponding IP address) in all the values for all URIs.
  10. Navigate to Environment > Configuration Group and enter the fully qualified host name (or corresponding IP address) into the following fields:
    1. Group contact host
    2. Member coordination host.
  11. Navigate to Security > Cryptography > Cognos and enter the fully qualified host name (or corresponding IP address) into the following fields:
    1. Server common name
    2. Subject Alternative Name > DNS names.
  12. If an alias name is being used instead of a server host name, then update the following fields:
    1. Under the Gateway URI (update to the alias name)
    2. Under Security > Cryptography > Cognos > Subject Alternative Name > DNS Name (add the alias name next to the fully qualified domain name).
  13. Save the configuration.
  14. Ensure that the biportalURL under Program Files (x86)\Flexera Software\FlexNet Manager Platform\WebUI\web.config file reads as HTTPS.
  15. Ensure the URL under CognosInstallationPath\configuration\FLEXnet.properties file, reads as HTTPS.
  16. Start the IBM Cognos service.
  17. To use Cognos as the certifying authority, export the Cognos root certificate and import it to trusted root certificate authorities.
    Note: This ensures that IIS trusts the Cognos certificate authority that signed the certificate.
  18. Launch a command prompt window selecting 'Run as Administrator' from the CognosInstallationPath\bin directory:
    1. Windows Operating System: ThirdPartyCertificateTool.bat -E -T -p NoPassWordSet -r CognosCAroot.cer
    2. This command generates the CognosCAroot.cer in the CognosInstallationPath\bin directory
    3. Copy the certificate to the IIS server (within analytics server)
    4. Right-click on the certificate and select Install Certificate
    5. Select Local Machine for the store location
    6. Select 'Place all certificates in the following store'
    7. Under browse button, select 'Trusted Root Certification Authorities'
    8. Select Next and Finish.
  19. Launch IIS on Flexera Analytics server and configure it as follows:
    1. Navigate to website> ibmcognos/bi and open the URL Rewrite feature
    2. Update the Reverse Proxy rule to use HTTPS
    3. Apply the changes
    4. Ensure that the bindings in IIS contain HTTPS and reference the correct certificate
    5. Restart the web server (IIS).