TM1 User Conference

Join us August 15th-17th in Sydney

Cubewise Tech Blog

Solutions to the expiring TM1 SSL certificates

UPDATE 09/10/16 – IBM has now released the Interim Fix “Updaters” and the download link and instructions on how to apply these can be found through the link below:
http://www-01.ibm.com/support/docview.wss?uid=swg21991790

These updaters contain the v3 certificates that do not expire until 2026, and would place these certificates automatically on the correct directories upon install.

Please note that there are no updaters made available for the SERVER side of TM1 version 10.2.2. This is due to some restrictions with the fix packaging. In addition, there are also no updaters made available for TM1 version 9.5.x or below, nor Cognos Express. Therefore, these would need to be updated manually (please see link below).

UPDATE 06/10/16 – Please note that IBM has released a new set of SSL certificates (referred as the v3 certificates) and a set of instructions on how to manually apply these certificates. These certificates do not expire until 2026 and cover ALL versions of TM1 (i.e. including version 9.5.x or older). We have updated our Decision Tree to reflect this new information.

Follow the link below to access the download link and instructions:
http://www-01.ibm.com/support/docview.wss?uid=swg21991653

By now, you are aware that the default 1024-bit TM1 SSL certificates are expiring on 24th November 2016, and that you need to take action to remedy the situation.

It is noted that IBM is currently working on some hot fix in the form of Interim Fixes releasing some time mid-September that would cover all TM1 versions 10.1 and later, but there is currently no definitive date.

There are however some alternatives to waiting for IBM if you want to start implementing solutions now.

Depending on your TM1 environment, some solutions would be more suited than others. To guide you in determining which solution to choose, we have created a “Decision Tree” which can be accessed below:

IMPORTANT NOTES:

  • All of the options listed would require you to have Admin access on the servers.
  • Before applying any of the options below, you would need to first stop both the TM1 Admin Host and the TM1 Server. Once the solutions are applied, you would then need to start them back up.

DECISION TREE:

ssl-cert-update-decision-tree-pg1-v6 ssl-cert-update-decision-tree-pg2-v6

Link to download PDF: SSL Certificates Update – Decision Tree

Furthermore, according to our testings, we would like to highlight the following:

Turning off SSL?

Please be advised that contrary to popular theory, turning SSL off does not work according to our testing, and solely for this reason, we cannot recommend this option.

Installing TM1 10.2.2 Fix Pack 6 to solve the issue?

There have been some talk going around that Fix Pack 6 (for TM1 10.2.2) would fix this as it would register the v2 certificates by default on installation, but unfortunately, this is not the case. Therefore, even if you have Fix Pack 6 installed, you would still be required to address the expiring TM1 SSL certificates issue.

Tagged , written by Andrew Widjaja on October 9th, 2016

KEEP READING