Ironside Uncovers TM1 SSL Certificate Expiration Issue

TM1 SSL certificate breakdown warning concept

Ironside recently reported a new issue to IBM that is now confirmed as having an impact on all TM1 sites regardless of version. The Ironside Managed Services team uncovered the issue while troubleshooting a client’s environment.

“In our efforts to secure an environment for one of our larger insurance clients, it was noticed that the SSL certificate was going to expire shortly,” said Erik Romanek, Ironside’s Director of Platform and Managed Services. “John Commons, one of Ironside’s platform consultants, worked with IBM to come up with a few solution options. This is just another example of Ironside going the extra mile to make sure the implementations we work on are configured securely and for longevity.”

Below is a write-up from John Commons that summarizes the problem and our recommended responses to it.

The Problem: IBM Cognos TM1 SSL Certificate Expiration

If TM1 has been deployed in your environment using built-in 1024-bit SSL Certificates and your clients utilize SSL for communication with TM1 servers, as is default for most recent versions, you will be impacted.

In a standard TM1 installation, a TM1 environment is comprised of the TM1 Admin Server,  TM1 Server instances, TM1 Web and Web Application server components, and TM1 Client applications.

The TM1 client applications, such as Architect and Perspectives, communicate with the TM1 Admin Server via the Secure Socket Layer (SSL). The same is true for the TM1 Web application components.

In order for this communication to occur, they utilize SSL certificates.  As part of the TM1 installation, a set of default 1024-bit SSL certificates are installed with TM1 components.

The issue we’ve identified is that the default 1024-bit certificates previously installed with all TM1 versions, and used for secure client/server communication between all TM1 client applications (Architect, Perspectives…), TM1 Web application components, and the TM1 Server instances, will expire on November 24th, 2016.

Once the certificates have expired, TM1 Client applications and web application components will be unable to communicate with the TM1 Admin server and TM1 server instances.  This means if no action is taken prior to 11/24 your TM1 applications will no longer function after that date.

As mentioned previously, this will affect all versions of TM1.

IBM is currently working on interim fixes for the following versions –  10.2 FP2, 10.1.1 FP2, 10.2 FP2, 10.2.2.x.  If you are running an earlier release of TM1 you will need to apply a manual update to the certificate to correct the issue.

Solution Options

There are steps you can take prior to November 24th to ensure no loss of functionality due to the TM1 SSL certificate expiration. Below are the options available to correct the issue.

Ironside can work with you proactively to review and assess your TM1 installations to provide the best solution and help apply the appropriate fix for your current TM1 environment to minimize any possible downtime or outage prior to the expiration date.

Option 1

If you are currently on TM1 versions 10.1, 10.2 or 10.2.2, wait for IBM to provide the interim fix update which will include new default 1024 bit certificates to replace the existing one. This would likely be the most straightforward option. IBM now has an updater kit available for implementing this option.

Option 2

If you are currently on TM1 version 10.2.2 or are planning to upgrade to 10.2.2 prior to November 24th, you have the ability to switch from the default 1024-bit certificate to the new 2048-bit SSL Certificate that was also installed with all TM1 10.2.2 installs.  This TM1 SSL certificate will not expire until 2022.

You can look at IBM’s tech note on this topic to see a process for switching your TM1 SSL certificate in this manner.

Option 3

Generate your own SSL certificate or apply for third-party certificates to replace the current 1024-bit certificates.  This does require more maintenance and, in the case of third-party certificates, additional cost.

If you’re on a version of TM1 prior to 10.1, this may be the only option you have for maintaining SSL communication as these versions are no longer supported.

To get more details on any of these options or if you’re unsure which path works best, please contact Ironside and we can help you review your specific TM1 environment and provide the best solution to keep everything running smoothly.

Get in touch with us to make sure your TM1 assets remain active: