Summarised guide to the expiring TM1 SSL certificates issue and how to fix it

The TM1 SSL certificates are expiring on November 24. This post is your definitive reference guide to choosing and applying the best solution for your environment.

IBM has now released all available information/solutions to remedy the expiring TM1 SSL certificates issue. This post summarises all this information in a one-stop-shop.

When do the default TM1 SSL certificates expire?

The default TM1 SSL certificates expires on the 24th November 2016. You need to apply one of the solutions provided below, or your TM1 will stop working after this date.

Which versions of TM1 are affected?

ALL versions of TM1 are affected by this issue. There have been some talk going around that if you have upgraded your TM1 version 10.2.2 to use Fix Pack 5 or 6, then you do not have to do anything, as this will take care of the issue. This is incorrect. You still need to apply one of the options listed below

Can I turn off SSL?

There have been some theories that you can switch off SSL altogether. This is incorrect. You can change your TM1 server cfg parameters to not use SSL (i.e. UseSSL=F), however, you cannot turn off SSL on your TM1 Admin server, so turning off SSL is not a solution, and you must apply one of the options listed below.

What options are available?

IBM has provided several options, however, Cubewise would recommend you to apply one of the following options:

1. Download a new set of certificates (v3 certs), and apply these manually. This solution can be applied to ALLTM1 versions, and Cognos Express version 10.1 or above:
http://www-01.ibm.com/support/docview.wss?uid=swg21991653

2. Download and apply Interim Fix “updaters” for your TM1 version. This solution is not applicable to Cognos Express.
http://www-01.ibm.com/support/docview.wss?uid=swg21991790

3. Use your own certificates.
https://www.ibm.com/support/knowledgecenter/SS9RXT_10.2.2/com.ibm.swg.ba.cognos.tm1_inst.10.2.2.doc/c_usingindependentcertificates_n1207c4.html#UsingIndependentCertificates_N1207C4

How do you know which options to choose?

Please refer to our “Decision Tree” below to see which option/s are recommended for your TM1 environment.

PDF file:
SSL Certificates Update – Decision Tree

In general, since IBM has released a new set of certificates that do not expire until 2026 (v3 certificates), we do not recommend you to switch to the v2 certificates (expiry 2022) unless you have already done so.

What other products/applications are affected?

All applications that communicate with TM1 are affected by this issue. Examples of such applications include Cognos BI, Cognos Disclosure Management, Executive Viewer, Performance Modeler/Cognos Insight etc. If you are using any of these applications, we recommend that you apply the v3 certificates update (i.e. either manually or by running the Interim Fix “updaters”) as they are the simplest to implement.

Instructions on how to apply these certificates on those aforementioned applications are provided in the respective landing pages:

Manual approach:
http://www-01.ibm.com/support/docview.wss?uid=swg21991653

Interim Fix “updaters”:
http://www-01.ibm.com/support/docview.wss?uid=swg21991790

Is it difficult to apply these solutions?

In most cases, applying the solution is not very difficult at all. The only caveat here is that the solutions needs to be applied on both the server and the client side simultaneously, or otherwise, TM1 will no longer be able to communicate between the two components. TM1 will need to be shut down during the update, and hence it is not accessible to the business. Coordination is therefore required between IT and the business, to ensure that the update happens with minimal disruption.

Please call Cubewise if you would like more information in regards to this issue, or would like one of our consultants to perform this update for you.