Cognos 8 Security PKI CA

IBM Cognos 8 BI makes use of public key infrastructure (PKI) techniques. This concept for asymmetric encryption implies the use of a large key which is broken in half to form a key pair. Whatever one of them encodes, the other can decode, and vice versa. One key of each pair becomes public; the other remains private. Those which become public need to be “signed” by some higher (more trustworthy) entity, which for PKI is called a Certifying Authority (CA).

The process of signing involves submitting a special request, the certificate signing request (CSR), to a CA. The response to such a request is a certificate, which is basically nothing but the public key “rubber stamped” by the CA.

IBM Cognos 8 uses certificates for various purposes, including internal SSL communication.

IBM Cognos 8 incorporates a service for signing certificates out of the box. The “AutoCA” service implements a scaled-down Certifying Authority (CA). This service is part of the Content Manager component and is sufficiently complete to service all the functionality needed by IBM Cognos 8 in the context of certificates. It is not possible to use this service to sign non-Cognos certificates.

In a default install of IBM Cognos 8, the CSRs for keys are created automatically and sent to the AutoCA service, which signs them with the AutoCA’s CA certificate. The certificate is then saved in a file called keystore next to the keys it was issued for. However, some enterprises may already have a company CA or an external CA provider which an IBM Cognos 8 administrator would like to leverage.

IBM Cognos 8 supports using those third-party CAs for signing IBM Cognos 8 internal certificates, but several additional configuration steps are required.
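
The CSR round trip described above, as an added example that is not part of the original article and does not use IBM's tooling: it runs the openssl CLI against a throwaway local CA standing in for the enterprise CA, and shows two checks worth running on a returned certificate before importing it. All file names and subject names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: a local stand-in for the third-party CA and for one key pair.
# File names and subject DNs are constructed; keys are unencrypted for the demo only.
set -eu

make_demo_ca() {      # $1 = work dir; plays the role of the enterprise CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Enterprise CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

make_csr() {          # $1 = work dir, $2 = name, $3 = subject DN
  # Only the CSR (public key + subject) is sent to the CA; the .key stays local.
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

ca_sign() {           # $1 = work dir, $2 = name; the CA's answer to the CSR
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/$2.crt" 2>/dev/null
}

# Checks on whatever the CA returns, before it goes into a keystore:
#  1. the certificate carries the same public key as the CSR that was sent
#  2. the certificate chains to the CA certificate that will be trusted
check_issued_cert() { # $1 = CSR, $2 = issued cert, $3 = CA cert
  csr_pub=$(openssl req  -in "$1" -noout -pubkey) || return 2
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 2
  [ "$csr_pub" = "$crt_pub" ] || { echo "public key mismatch" >&2; return 1; }
  openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 \
    || { echo "chain verification failed" >&2; return 1; }
}

# Demo run: request, sign, then verify the returned certificate.
work=$(mktemp -d)
make_demo_ca "$work"
make_csr "$work" dispatcher "/CN=cognos-dispatcher.example.test"
ca_sign "$work" dispatcher
check_issued_cert "$work/dispatcher.csr" "$work/dispatcher.crt" "$work/ca.crt" \
  && echo "certificate matches CSR and chains to the CA"
rm -rf "$work"
```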

 

IBM Cognos 8 incorporates a Java-based command line tool called “ThirdPartyCertificateTool” which is used for all operations around the IBM Cognos 8 keystores. It’s located in the /bin subfolder and is called through a script file called ThirdPartyCertificateTool.sh on UNIX/Linux and ThirdPartyCertificateTool.bat on Windows.

The tool picks up the configured JAVA_HOME, so if you have not specified it already, set it before calling this tool.