Introduction
The Metrics application is one of the new components in IBM® Connections 4.0, providing clear business value to users, executives, and administrators by use of simple charts. Metrics is supported by IBM Cognos® Business Intelligence, which is installed as a part of a Connections deployment. So if you want to configure your Connections to use Secure Sockets Layer (SSL), you must deal with the Cognos part as well.
This article shows you how to configure SSL for a Connections server with Metrics installed, focusing on the SSL configuration for Cognos. In general, the process consists of configuring:
(1) the LDAP server's SSL certificate in the IBM WebSphere® Application Server (WAS) Administrative Console
(2) LDAP via SSL for Cognos
(3) HTTP for SSL (if HTTP server is deployed)
Configuring LDAP Server's SSL Certificate in WAS Administrative Console
First you must enable SSL communication between WAS, which hosts IBM Connections, and the LDAP server, by following these steps:
1. Log in to the WAS administrative console.
2. Select Security --- SSL certificate and key management --- Manage endpoint security configurations.
3. The list of inbound and outbound endpoints is displayed; expand Outbound and select <cellname>(cellDefaultSSLSettings) as shown in figure 1.
Figure 1. Manage endpoint security configurations window
4. Under "Related Items", select Key stores and certificates --- CellDefaultTrustStore.
5. Under "Additional Properties", select Signer certificates; all signer certificates are listed (see figure 2).
Figure 2. Signer certificates
6. Click the Retrieve from port button and enter the host name and SSL port (usually 636) of your LDAP server (see figure 3).
7. Assign an alias (for example, idsldap) and then click the Retrieve signer information button. Before you accept the retrieved signer, compare the fingerprint (SHA digest) that WAS displays for it with the value your LDAP administrator gives you out of band. Retrieving a signer from the port is trust-on-first-use: whatever answers on that host and port at that moment becomes a trusted signer for every later LDAP bind, so the fingerprint check is the only protection against importing an impostor's certificate.
Figure 3. Retrieve from port window
8. Save your configuration, and then select Security --- Global Security
9. For User account repository, Select Federated repositories, and click Configure.
10. Click Manage Repositories, open the repository you configured previously, change the port number to the LDAPS port (usually 636), and select the "Require SSL communications" check box as shown in figure 4. With this box selected WAS refuses to fall back to plain LDAP if the SSL connection fails.
Figure 4. Manage repositories window
11. Save your changes and restart the server.
Configuring LDAPS (LDAP via SSL) for Cognos
When configuring IBM Cognos to communicate with an LDAP server by LDAP via SSL (LDAPS) you must provide an SSL Certificate Database. This section describes how to get an SSL Certificate Database and then configure SSL in Cognos.
Obtain the Network Security Services (NSS) toolkit
First, download NSS from the Mozilla Web site. Mozilla no longer provides binary releases of the current version, so this article uses one of the most recent binaries that is known to work well (NSS 3.12.4). Note that certutil is used here only to build a database of public certificates; it is not on the path of the live LDAPS connection, which Cognos makes with its own libraries.
Select the sub-folder representing your Operating System (msvc9 is suitable for all Microsoft® Windows® versions), choose the "OPT.OBJ" folder, and download the ZIP file.
NSS is used to generate the certificate database that Cognos reads later. The machine on which NSS is installed need not run the same OS as the Cognos server. For example, you can install NSS on a Windows machine, generate the database there, and then copy the generated certificate database to a Cognos server running Linux or Windows.
Here, we use a Windows machine to install NSS, downloading the Windows version of NSS 3.12.4 from the following site:
Install the certutil tool
To do this:
- Unzip the downloaded files into a single folder.
- Add the NSPR libraries to the environment so that certutil can load them, by adding NSPR-<version>/lib to the library path for your system. For example, on Windows: SET PATH=%PATH%;<NSPR_PATH>\lib; on Linux: export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<NSPR_PATH>/lib.
Create the keystore
Cognos Business Intelligence can establish trust in the certificate presented on an LDAPS connection in one of two ways: the server certificate itself is imported as a trusted peer, or the root CA certificate that signed the server certificate is imported.
If you choose the server certificate, it is sufficient to import only that certificate; you do not need the CA certificate as well. Be aware, however, that trust is then pinned to that one certificate, so the import must be repeated whenever the LDAP server's certificate is renewed, whereas an imported CA certificate keeps working across renewals by the same CA. Here we show how to import the server certificate on a Windows machine. If you want to import the CA certificate instead, refer to the Cognos Support Technote #1344083, "Configuring LDAPS (LDAP via SSL) for CRN/Cognos 8."
1. Acquire the certificate(s) to use in Base-64 encoded X.509 (PEM) format. The most straightforward approach is to ask the LDAP server administrator for the certificate. If you cannot get it that way, you can use WAS to export the certificate it already trusts:
a) Follow steps 1 to 5 in the section "Configuring LDAP Server's SSL Certificate in WAS Administrative Console" until you reach the Signer certificates window (see figure 5).
b) Select the check box of the certificate retrieved in that section (that is, idsldap), and click the Extract button.
Figure 5. Signer certificate window
c) Enter the absolute file path including the file name in the File name field, in this case D:\idsldap.cer (both the "cer" and "cert" suffixes are accepted), as shown in figure 6.
d) Select Base64-encoded ASCII for the Data type, and click OK to extract the file.
Figure 6. Extract signer certificate window
e) The file idsldap.cer now exists at the path you entered (D:\idsldap.cer in this example) on the WAS machine. Copy it to the machine on which NSS is installed.
2. Create a directory to hold the certificate database that will be created in the next steps, for example "mykeys" (d:\mykeys).
3. Create a new NSS certificate database by issuing the command “certutil.exe -N -d <cert_directory>”; for example, certutil.exe -N -d d:\mykeys.
This creates a cert7.db or cert8.db file and a key3.db file in the directory “mykeys” created in step 2. You will see the following message on the command window:
“Enter a password which will be used to encrypt your keys. The password should be at least 8 characters long and should contain at least one non-alphabetic character”
Enter a password and press Return.
4. Add the certificate you want to use to the new certificate database:
certutil.exe -A -n <cert_name> -d <cert_directory> -i <certificate_file> -t P
For example, certutil.exe -A -n idsext -d d:\mykeys -i d:\idsldap.cer -t P
where:
- <cert_name> is an arbitrary name you assign to the certificate in the certificate database as an alias.
- <cert_directory> is the directory of the certificate database. certutil created cert7.db/cert8.db (and key3.db) there in step 3.
- <certificate_file> is the Base-64 encoded X.509 file obtained in step 1 (here, d:\idsldap.cer).
- -t P sets the trust flag "trusted peer": exactly this server certificate is trusted for SSL. If you import a CA certificate instead, use the CA trust flag (C) as described in the technote; a CA certificate imported with P would not validate certificates issued under it.
5. Verify that the import was successful and the trust flag is correct by typing certutil -L -d <cert_directory>; for example, certutil -L -d d:\mykeys.
An output that has a Server certificate correctly installed will look like the example shown in figure 7.
Figure 7. Example server certificate
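The following Python script is an added example, not code from the article, IBM or Mozilla. It performs the "acquire the certificate" step without going through WAS: it retrieves the LDAP server's certificate over TLS, prints the SHA-256 and SHA-1 fingerprints so they can be compared with the value the LDAP administrator supplies, refuses to save the file if they do not match, writes the Base-64 X.509 file that certutil -A expects, and then connects again trusting only that file, which is what the Cognos Test action does later against the NSS database. The host name ldap.example.com, the default port 636 and the file name idsldap.cer are assumed placeholders.

```python
"""Fetch an LDAP server's TLS certificate, check its fingerprint, save it as
Base-64 X.509 for 'certutil -A', and re-check the LDAPS handshake trusting
only the saved file. Added example, not part of the original article; host,
port and file names are assumed placeholders."""
import hashlib
import socket
import ssl
import sys


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case digest of the DER bytes, the form shown by
    browsers and by the WAS 'Retrieve from port' dialog (WAS shows SHA-1)."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(expected: str, actual: str) -> bool:
    """True if two fingerprints agree ignoring case, colons and spaces, so a
    value pasted from the LDAP administrator's mail compares as-is.
    An empty expected value never matches: no reference means no check."""
    def hex_only(text: str) -> str:
        return "".join(ch for ch in text.upper() if ch in "0123456789ABCDEF")
    return hex_only(expected) != "" and hex_only(expected) == hex_only(actual)


def to_pem(der: bytes) -> str:
    """DER -> Base-64 encoded X.509 text, the format certutil -A -i expects."""
    return ssl.DER_cert_to_PEM_cert(der)


def from_pem(pem: str) -> bytes:
    """Base-64 X.509 text -> DER bytes (used to check a saved file)."""
    return ssl.PEM_cert_to_DER_cert(pem)


def fetch_server_cert(host: str, port: int = 636, timeout: float = 10.0) -> bytes:
    """Return the server's leaf certificate in DER form. Verification is off on
    purpose: the certificate is not trusted yet; it is fetched so that its
    fingerprint can be checked out of band instead of trusting on first use."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def save_pem(der: bytes, path: str) -> str:
    with open(path, "w", encoding="ascii") as fh:
        fh.write(to_pem(der))
    return path


def verify_ldaps(host: str, pem_path: str, port: int = 636) -> tuple:
    """Handshake again trusting only the saved certificate: the equivalent of
    certutil's 'P' (trusted peer) flag and of the Cognos 'Test' action.
    VERIFY_X509_PARTIAL_CHAIN (Python 3.10+) lets a CA-issued leaf act as its
    own trust anchor, as the NSS trusted-peer flag does. Only cafile is
    loaded, so the system CA store plays no part in this check."""
    ctx = ssl.create_default_context(cafile=pem_path)
    ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True, "ok"
    except OSError as exc:  # ssl.SSLError (incl. hostname mismatch) is an OSError
        return False, str(exc)


if __name__ == "__main__":
    # Assumed placeholders; pass the real host, the administrator's fingerprint
    # and the output path on the command line.
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"
    expected = sys.argv[2] if len(sys.argv) > 2 else ""
    out_path = sys.argv[3] if len(sys.argv) > 3 else "idsldap.cer"
    der = fetch_server_cert(host)
    print("SHA-256:", fingerprint(der))
    print("SHA-1  :", fingerprint(der, "sha1"))
    if not (fingerprints_match(expected, fingerprint(der))
            or fingerprints_match(expected, fingerprint(der, "sha1"))):
        sys.exit("fingerprint does not match the value from the LDAP administrator; not saving")
    print("saved", save_pem(der, out_path))
    ok, reason = verify_ldaps(host, out_path)
    print("LDAPS handshake trusting only", out_path, "->", "OK" if ok else reason)
```

Run it on the machine that holds NSS, for example python ldaps_cert.py ldap.example.com <fingerprint-from-admin> d:\idsldap.cer, and then continue with certutil -A ... -i d:\idsldap.cer -t P as in step 4. If the server presents a CA-issued certificate and you prefer to import the CA, the fingerprint to compare is the CA's and the trust flag changes as described above.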
Complete the setup in Cognos configuration
- Copy the folder d:\mykeys to the Cognos server; for example, the new directory is c:\mykeys.
- Start the Cognos Configuration tool:
a) Navigate to the /bin64 subdirectory of the Cognos BI Server installation directory; for example:
AIX® or Linux: /opt/IBM/Cognos64/bin64/
Windows: C:\Program Files\IBM\Cognos\bin64
b) Start the Cognos Configuration tool by running the following command:
AIX or Linux: ./cogconfig.sh
Windows: cogconfigw.exe
3. Expand Local Configuration --- Security --- Authentication, and click on the namespace IBMConnections:
a) Change the port to the SSL port (usually 636).
b) Provide the absolute path to the folder that holds the cert7.db/cert8.db files (the folder just copied from Step 1), for the SSL Certificate Database property in Cognos Configuration as shown in figure 8.
c) Select File --- Save.
Figure 8. IBMConnections Namespace
4. Verify the LDAP SSL connection by right-clicking the IBMConnections LDAP namespace and selecting Test. The test succeeds only if the TLS handshake completes against the certificate database and Cognos can then bind to the directory; a failure here usually means the wrong certificate (or a CA certificate imported with the wrong trust flag) is in the database, or the host name or port does not match.
5. Exit the Cognos Configuration tool, making sure to select No at the following prompt: "The service 'IBM Cognos' is not running on the local computer. Before you can use it your computer must start the service. Do you want to start this service before exiting?"
6. Save configuration and restart the Cognos server:
a) Stop the WAS server that hosts the Cognos server.
b) Wait at least 1 full minute to ensure that all Cognos processes have stopped:
AIX or Linux: cgsServer.sh and CAM_LPSvr processes
Windows: cgsLauncher.exe and CAM_LPSvr processes
c) Start WAS and then start the Cognos server.
Configuring HTTP for SSL (if HTTP server is deployed)
If your server is configured with an HTTP server, refer to the Product Documentation topic "Configuring IBM HTTP Server for SSL" for details on how to do this.
Conclusion
This article has explained the step-by-step instructions for configuring Secure Sockets Layer (SSL) for the Connections Metrics application. You should now know how to configure SSL in a Connections server and a Cognos server to secure Metrics.
About the author
Rong Rong Wang is a Staff Software Engineer based at IBM's Beijing, China, Lab. She currently works as the Team Lead for the Functional Verification Test team for the Connections Moderation feature and also works on testing Metrics in IBM Connections. She can be contacted at rrwang@cn.ibm.com.