By default, Cognos 8 components use their own certificate authority (CA) service to establish the root of trust in the Cognos security infrastructure. If you already have a third-party certificate authority, such as iPlanet or Microsoft, in your reporting environment, you can configure Cognos 8 components to use it instead.
When you configure Cognos 8 components to use a third-party certificate authority, ensure that you specify the same information in both the command-line tool and Cognos Configuration.
To configure Cognos 8 components to use your third-party certificate authority, you must:
- generate Cognos security keys and certificate signing requests to use with your third-party CA
- submit the Cognos security keys and certificates to your third-party certificate authority
- configure Cognos 8 components to use a third-party certificate authority
Use the command line utility to generate all the keys for the Cognos key stores and to generate the certificate signing requests (CSR).
The following table lists the options for the command-line tool used to generate keys and signing requests.
| Command | Description |
|---|---|
| Main operation mode | |
| -c | Create a new CSR |
| -i | Import a certificate |
| Operation modifiers | |
| -s | Work with the signing identity |
| -e | Work with the encryption identity |
| -T | Work with the trust store (only with -i) |
| Information flags | |
| -d | DN to use for certificate |
| -r | CSR or certificate file location (depends on mode) |
| -t | Certificate authority certificate file (only with -i) |
| -p | Key store password (must be provided) |
| -a | Key pair algorithm. RSA or DSA. Default: RSA |
| -D | Directory location |
The following sample values are used:
| Property | Value |
|---|---|
| Signing certificate DN | CN=SignCert,O=MyCompany,C=CA |
| Encryption certificate DN | CN=EncryptCert,O=MyCompany,C=CA |
| Key store password | password |
In the c8_location\configuration directory, back up the cogstartup.xml file to a secure location.
Back up the contents of the following directories to a secure location:
c8_location\configuration\signkeypair
c8_location\configuration\encryptkeypair
Using Cognos Configuration, export the configuration in clear text by doing the following:
Open Cognos Configuration.
From the File menu, click Export As.
When prompted about exporting decrypted content, click Yes.
In the Export As dialog box, select cogstartup.xml and then click Save.
When prompted about replacing the existing file, click Yes.
When the tasks are complete, close the Cognos Configuration dialog box.
Save the configuration.
Close Cognos Configuration.
Go to the c8_location\bin directory.
Create the certificate signing request for the signing keys by typing the following command:
On UNIX or Linux, type
ThirdPartyCertificateTool.sh -c -s -d "CN=SignCert,O=MyCompany,C=CA" -r signRequest.csr -D ../configuration/signkeypair -p password
On Windows, type
ThirdPartyCertificateTool.bat -c -s -d "CN=SignCert,O=MyCompany,C=CA" -r signRequest.csr -D ../configuration/signkeypair -p password
Tip: UNIX or Linux filenames are case-sensitive and must be entered exactly as shown.
You can safely ignore any warnings about logging.
The command creates the jSignKeystore file in the signkeypair directory, sets the specified password, creates a new keypair and stores it in the keystore, and exports the signRequest.csr file to the c8_location\bin directory.
Create the certificate signing request for the encryption keys by typing the following command:
On UNIX or Linux, type
ThirdPartyCertificateTool.sh -c -e -d "CN=EncryptCert,O=MyCompany,C=CA" -r encryptRequest.csr -D ../configuration/encryptkeypair -p password
On Windows, type
ThirdPartyCertificateTool.bat -c -e -d "CN=EncryptCert,O=MyCompany,C=CA" -r encryptRequest.csr -D ../configuration/encryptkeypair -p password
You can safely ignore any warnings about logging.
The command creates the jEncKeystore file in the encryptkeypair directory, sets the specified password, creates a new keypair and stores it in the keystore, and exports the encryptRequest.csr file to the c8_location\bin directory.
Copy the signRequest.csr and encryptRequest.csr files that were generated in steps 5 and 6 to a directory that is accessible by your third-party certificate authority.
Input the signRequest.csr and encryptRequest.csr files into the third-party certificate authority.
The certificate authority produces a signing certificate and an encryption certificate.
For more information, see your third-party CA documentation.
Copy the contents of the signing certificate into a file named signCertificate.cer.
Copy the contents of the encryption certificate into a file named encryptCertificate.cer.
Find the root CA certificate for the certificate authority and copy the contents into a file named ca.cer.
Copy ca.cer, signCertificate.cer, and encryptCertificate.cer to c8_location/bin.
These files must be PEM (Base-64 encoded ASCII) format.
Import the signing certificate from step 10 into the Cognos signing key store by typing the following command:
On UNIX or Linux, type
ThirdPartyCertificateTool.sh -i -s -r signCertificate.cer -D ../configuration/signkeypair -p password -t ca.cer
On Windows, type
ThirdPartyCertificateTool.bat -i -s -r signCertificate.cer -D ../configuration/signkeypair -p password -t ca.cer
You can safely ignore any warnings about logging.
The command reads the signCertificate.cer and ca.cer files in the c8_location\bin directory and imports the certificates from both files into the jSignKeystore file in the signkeypair directory using the specified password.
Import the encryption certificate from step 11 into the Cognos encryption key store by typing the following command:
On UNIX or Linux, type
ThirdPartyCertificateTool.sh -i -e -r encryptCertificate.cer -D ../configuration/encryptkeypair -p password -t ca.cer
On Windows, type
ThirdPartyCertificateTool.bat -i -e -r encryptCertificate.cer -D ../configuration/encryptkeypair -p password -t ca.cer
You can safely ignore any warnings about logging.
The command reads the encryptCertificate.cer and ca.cer files in the c8_location\bin directory and imports the certificates from both files into the jEncKeystore file in the encryptkeypair directory using the specified password.
Import the CA certificate from step 12 into the Cognos trust store by typing the following command:
On UNIX or Linux, type
ThirdPartyCertificateTool.sh -i -T -r ca.cer -D ../configuration/signkeypair -p password
On Windows, type
ThirdPartyCertificateTool.bat -i -T -r ca.cer -D ../configuration/signkeypair -p password
The command reads the ca.cer file and imports the contents into the jCAKeystore file in the signkeypair directory using the specified password.
The certificates are now ready to be configured for Cognos 8.
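The import commands above expect ca.cer, signCertificate.cer and encryptCertificate.cer to each hold one PEM certificate, but a CA may hand back binary DER, a PKCS#7 bundle or a chain file instead. The following added example (not part of the original documentation or of the Cognos tooling) is a format pre-flight to run in c8_location/bin before importing; the function names and sample bytes are constructed for illustration, and a DER file is assumed to be a single X.509 certificate.

```python
import base64
import re
import ssl
from pathlib import Path

# File names from the procedure above; each must hold exactly one PEM certificate.
EXPECTED = ("ca.cer", "signCertificate.cer", "encryptCertificate.cer")
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def classify(data: bytes):
    """Return (verdict, der): der is the certificate body, or None if unusable."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        # 0x30 is the ASN.1 SEQUENCE tag: probably a binary DER export.
        return ("der", data) if data[:1] == b"\x30" else ("unrecognised", None)
    labels = [label.decode() for label, _ in blocks]
    if labels != ["CERTIFICATE"]:
        # The CSR copied back, a PKCS#7 bundle, or a multi-certificate chain file.
        return ("wrong content: " + ", ".join(labels), None)
    try:
        der = base64.b64decode(b"".join(blocks[0][1].split()), validate=True)
    except ValueError:
        return ("corrupt base64", None)
    return ("pem", der) if der[:1] == b"\x30" else ("corrupt body", None)


def to_pem(data: bytes) -> str:
    """Normalise a PEM or DER certificate to clean PEM text, else raise.

    Assumption: DER input is one X.509 certificate (DER PKCS#7 is not detected).
    """
    verdict, der = classify(data)
    if der is None:
        raise ValueError(verdict)
    return ssl.DER_cert_to_PEM_cert(der)


# Constructed placeholder bytes shaped like a DER SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x1e" + bytes(range(30))
SAMPLE_CSR = (b"-----BEGIN CERTIFICATE REQUEST-----\nMAA=\n"
              b"-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    for name in EXPECTED:
        if Path(name).exists():
            print(name, "->", classify(Path(name).read_bytes())[0])
    print("sample DER ->", classify(SAMPLE_DER)[0])
    print("sample CSR ->", classify(SAMPLE_CSR)[0])
```

The check covers encoding and PEM labels only; it does not validate signatures or confirm that a certificate chains to ca.cer.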
You must configure each Cognos computer to use an external certificate authority by setting the appropriate property in Cognos Configuration.
By setting this property, Cognos 8 components assume that all required keys have been generated and vetted by the external certificate authority.
Ensure that the key store locations and password in Cognos Configuration match the ones you typed in the command-line tool.
Start Cognos Configuration.
In the Explorer window, under Security, Cryptography, click Cognos.
In the Properties window, under the Certificate Authority settings property group, click the Value box next to the Use third party CA property and then click True.
Note: When you set this property to true, all properties for the certificate authority and identity name are ignored.
Configure the following properties to match the ones you typed in the command line utility:
From the File menu, click Save.
If you want to start the Cognos 8 service, from the Actions menu, click Start.
This action starts all installed services that are not running. If you want to start a particular service, select the service node in the Explorer window and then click Start from the Actions menu.