Software, Technical

Urgent: TM1 Servers to Become Inaccessible in November 2016

-

Yes, you heard right! Your TM1 and Planning Analytics servers will become inaccessible to your users on 24 November 2016.

UPDATE: Fixes are now available. Please see this post for more details.

Why is This Happening?

IBM uses a Secure Sockets Layer Certificate (SSL Certificate) inside TM1 to encrypt the data as it is transferred around a network. All SSL Certificates have an expiry date in them. For TM1 and Planning Analytics (at least the TM1 part) all servers have an SSL Certificate that expires on 24 November 2016.

What does it Mean?

The expiry of the SSL Certificate means that all users will be unable to access TM1 from this date onwards. The server itself will be fine, however all client connections will be refused.

What Versions does it Impact?

All versions of TM1 including 10.2, 10.1, 9.5 and we expect further backwards.

What Can You Do About It?

You have a couple of options for dealing with this problem. Unfortunately doing nothing is not one of them! Your options are:

  1. Disable SSL in TM1s.cfg. This is not recommended because it will leave your traffic not protected by the SSL certificate.
  2. Apply the interim fix that IBM is expected to release in the coming weeks.
  3. Generate your own SSL Certificate and then apply it.
  4. If you are using TM1 10.2.2, upgrade to a 2048 bit SSL as discussed in this tech note from IBM.

We are Here to Help!

Of course you are welcome to do this change yourselves. But if you need any assistance or advice on how to do it, please get in touch with us directly via [email protected] or call us on 1300 136 755.

[ninja_form id=1]

IBM’s Notification

IBM has sent out notification to all clients regarding the issue. Here it is reprinted for your information:

Both the 1024-bit default SSL certificate for the TM1 Admin Server, tm1admsvrcert.pem, and the TM1 Server, tm1svrcert.pem, will expire on 11/24/2016.

These SSL certificates are stored in the directories ..\bin\ssl\ respectively ..\bin64\ssl\ on a TM1 component installation.

When you open these SSL certificates in a text editor like Notepad and search for the string “Not After”, you get =>

tm1admsvrcert.pem
Not After : Nov 24 16:47:19 2016 GMT

tm1svrcert.pem
Not After : Nov 24 16:45:44 2016 GMT

When you are using the default set of 1024-bit SSL certificates, when you are using the expiring 1024-bit SSL certificate for the TM1 Admin Server, tm1admsvrcert.pem, and the expiring 1024-bit SSL certificate for the TM1 Server, tm1svrcert.pem, you must take action before 11/24/2016 otherwise your TM1 installation will stop working.

Among your options are:

Option 1

Replace our default set of 1024-bit SSL certificates with your own SSL certificates.

Option 2

When you are using TM1 v10.2.2 and newer, replace our default set of 1024-bit SSL certificates with the optional set of 2048-bit SSL certificates, the v2 set, as outlined by the IBM Technote 1697266 => http://www-01.ibm.com/support/docview.wss?uid=swg21697266

How to configure TM1 to use the bundled 2048-bit SSL certificate:

Technote (FAQ)
Question
By default, the TM1 Admin Server and TM1 Server are secured using a 1024-bit SSL Certificate. The rootCA of that certificate is the applixca.pem file. The steps in this technote describe how to configure the TM1 Admin Server and TM1 Server (as well as the TM1 Client components) to use the provided 2048-bit SSL certificate (tm1ca_v2.pem).

You would replace:

1. the default 1024-bit SSL certificate for the TM1 Admin Server, tm1admsvrcert.pem, by the optional 2048-bit SSL certificate tm1admsvrcert_v2.pem

2. the default 1024-bit SSL certificate for the TM1 Server, tm1svrcert.pem, by the optional 2048-bit SSL certificate tm1svrcert_v2.pem

The optional v2 set of SSL certificates are stored in the directories ..\bin\ssl\ respectively ..\bin64\ssl\ of a TM1 component installation.

When you open these SSL certificates in a text editor like Notepad and search for the string “Not After”, you get =>

tm1vrcert_v2.pem
Not After : Aug 25 18:22:55 2022 GMT

tm1admsvrcert_v2.pem
Not After : Aug 25 18:23:11 2022 GMT

Option 3

Currently TM1 v10.1 and v10.2 are the only supported TM1 on premises releases.

We are working on an Interim Fix to patch these releases which will include a new default set of 1024-bit SSL certificates to replace the current set which expires 11/24/2016.

This will be the straightforward option to patch all TM1 component installations within an existing TM1 environment.

If you have not done already, please subscribe to IBM My Notifications to be notified when the Interim Fix patching the expiring 1024-bit SSL certificates will be released =>

Manage your My Notifications subscriptions, or send questions and comments.
– Subscribe or Unsubscribe – https://www.ibm.com/support/mynotifications

If you have questions on the expiring 1024-bit SSL certificates, please contact TM1 Support.”

Once again, if you need help from us, please let us know.

Posted in:
Tags: , , , ,

John Vaughan

John Vaughan is a highly experienced Accountant and Consultant. He has experience in the pharmaceutical, FMCG, distribution, professional services, manufacturing and financial service industries. With over 25 years of commercial experience and 20 years working with the Cognos products, he...

Leave a Comment





Need help with TM1?
We're here for you

Get expert help now

Categories

Tags

Popular Articles

September 30, 2011

IBM Software PVU’s Made Easy

July 18, 2016

Do I Need a Data Warehouse?

What drives the score?
August 22, 2016

What are the Critical Numbers in Your Business?

August 18, 2008

What is TM1 (Updated)?

October 13, 2023

Universal Report Ranges