Urgent Message to all ‘On premises’ Cognos TM1 and Cognos Express Customers – SSL Certificate Expiry

Published 10th November 2016

If you use any one or more of these Cognos products: TM1, Cognos Express, FAP (Cognos Controller into TM1), Architect, Perspectives, Cognos Insight, Performance Modeller, TM1 Web, BI TM1 Clients, Cognos Command Centre, then you need to update your TM1 SSL Certificates.

IBM have released a flurry of Tech notes of which, the most useful page to look at is the How to update page.

This page outlines the various options available but doesn’t make it clear that you need to know which version of TM1 or Cognos Express you are on. The reason for this is not all options are available for all versions. Check the version by looking in the cmplst.txt file in the root folder of your Cognos Install against the list of product versions (TM1 for example) found at the IBM Support Site.

For the best understanding of what is required, Option 1 – Manual Certificate Updates is the most helpful, and provides clarity of where the Certificates were and what was being updated. On this page is listed all the TM1 & Cognos Express versions for both Server and Client installs, of which there are many, so it’s important to know which version is installed. Follow the link to the method you have decided upon.

I had to update one of our test Cognos Express servers which sits at, and for this there is only one option and that’s the manual approach.

Reading through the technote I didn’t see anything too frightening, no going in changing the registry or running masses of scripts, so, I set about the task.

Downloading the Fix Pack was simple enough, it’s the same Fix Pack across all platforms. The FP contains 7 files of which one is the new Applix Certificate, dated from Mid-June 2016 to Mid-June 2026.

Steps 1 - 6 were also straightforward, basically copy 3 folders for back-up purposes then paste the ‘NEW’ files in over the ‘old’ files in the SSL folders.

Steps 7 - 9 – showed up a small discrepancy, in that the importsslcert.exe may not be in the folder you have been asked to navigate to. But don’t fret, if you have Architect installed as a client you can find it in the SSL folder in the Client install location, just copy it across to the SSL folder as per the command prompt location.

Step 10 - 18 as long as you are comfortable with using Command Prompt (always as Administrator) then these steps should not send you any curve balls.

I rolled the server forward and tested successfully, but this is only a test environment, I wouldn’t necessarily follow the IBM advice on rolling servers forward especially in a production environment. You can check the Certificate is installed via MMC, also just open the Certificate to check it is registered.

Once I was happy the Server side had been completed I moved onto the Client tools. Every pc that has client tools installed on them will need to be updated, and this needs to be done as soon as possible because the user will not be able to access any TM1 related work whilst the SSL Certificates are mismatched

Reading through the Client tools technotes, they are very similar for each client, For the client tools, you have to do each one for each client machine. I found the best method was to locate all the related SSL folders by using Search and then copy in the ‘NEW’ Certificate files, overwriting the original files. You should already have a backup of the original files from doing the server.

Steps 1 - 5 Follows the server update.

Step 6 - Ignore

Step 7 -  Install the Certificate.

To update Performance Modeler / Cognos Insight follow this technote, which is very similar to the other client updates, but gets you to search for all the SSL folders, where you overwrite the existing files with the ‘NEW’ SSL Certificates.

On the updater kits (not available for all versions) pick the version and follow the instructions, you still have to use a Command Prompt to add the certificates to the keystore.

Whilst initially this might seem a daunting task, once you get an understanding of what work is involved it’s not so bad.

If you need any advice or help with updating your TM1 SSL Certificates, then please get in touch. We would be more than happy to assist you.