Cognos Analytics includes its own cryptographic provider.
This default cryptographic provider is named Cognos, but this name can be
changed.
The following settings can be configured for the default provider:
- Algorithms and ciphersuites
- Identity name settings
- Crypto key store settings
The crypto key pair includes the private key that is used to encrypt
data, and the public key that is used to decrypt data.
- Certificate authority settings
The certificate authority (CA) is either the default CA or a
different CA.
- Subject Alternative Name settings
The Subject Alternative Name (SAN) is used to validate the
origin of an SSL certificate.
Before you begin
- If you are using a JRE other than the one provided with IBM®
Cognos® server, go to the
install_location/ibm-jre/jre/lib/ext directory and copy
bcprov-jdkversion.jar to
JRE_location/lib/ext.
- If you are using a JRE other than the one that IBM Cognos
provides, you must also download and install the unrestricted Java™ Cryptography Extension (JCE) policy file for your JRE to ensure that all available
algorithms and cipher suites are shown in IBM
Cognos Configuration.
Procedure
- Start IBM Cognos Configuration.
- In the Explorer window, under
, click
Cognos.
- In the Properties window, change
the properties as needed.
Tip: For detailed information about each property, view the property description in IBM
Cognos Configuration when you click the property.
- To configure the confidentiality algorithm, under the appropriate property,
Confidentiality algorithm or PDF Confidentiality
algorithm, click in the Value column and then select the
algorithm from the drop-down list.
The value of a confidentiality algorithm determines how data is
encrypted by IBM
Cognos components. For example, database passwords entered
in IBM
Cognos Configuration are encrypted when you save the
configuration. The algorithm selected when the data is encrypted must also be available for the data
to be decrypted at a later date.
The availability of confidentiality algorithms can change if there are changes to your
environment, for example, if your Java Runtime Environment
(JRE) has changed or if you have installed other cryptographic software on the computer. You must
ensure that the Confidentiality algorithm that was selected when the data was
encrypted is also available when you want to access the data.
JREs include a restricted policy
file that limits you to certain cryptographic algorithms and cipher suites. If you require a wider
range of cryptographic algorithms and cipher suites, unrestricted (unlimited) policy files are now
provided by default. They can be found here:
- install_location/ibm-jre/jre/lib/security/policy/unlimited/US_export_policy.jar
- install_location/ibm-jre/jre/lib/security/policy/unlimited/local_policy.jar
In addition, for Java that is provided by IBM, the unrestricted JCE policy files are also available here.
- To adjust the cipher suites, under Supported ciphersuites, click in the
Value column and then click the edit icon.
Remove the cipher suites that are not applicable and move the remaining cipher suites up
or down in the list so that the cipher suites in the highest range are higher in the list.
Do not mix cipher suites in the 40- to 56-bit range with cipher suites in the 128- to 168-bit
range.
- To change the location of the crypto keys, under Encryption key settings,
change Encryption key store location to the new location.
- When configuring the Certificate Authority settings, ensure that the
Use third party CA property is set to False to use the
default certificate authority.
To use another certificate authority, set this
property to True. For more information, see Configuring Cognos Analytics components to use another certificate authority.
- If configuring for HTTPS/SSL, change the Server common name from CAMUSER
to the fully qualified domain name of the server.
- To configure the Subject Alternative Name, specify DNS
names, IP addresses, and Email addresses
(optional) that are associated with the server certificate. The values are added to the Subject
Alternative Name extensions in the server certificate. You can specify multiple values for each
property. Separate the values using the space character.
- From the File menu, click Save.
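The ordering and no-mixing rules from the Supported ciphersuites step can be checked with a short script before the list is entered in IBM Cognos Configuration. This is an added example, not IBM code: it assumes the suites are written as JSSE-style names (such as TLS_RSA_WITH_AES_128_CBC_SHA), the function names and the sample list are constructed for illustration, and suites above 168 bits are grouped with the 128- to 168-bit range.

```python
# Added example: audit a cipher suite list for strongest-first ordering and
# for mixing 40- to 56-bit suites with 128-bit-or-higher suites.
# Assumption: suites use JSSE-style names; the sample list is constructed.

# Key sizes for ciphers whose name carries no explicit bit count.
IMPLICIT_BITS = {"3DES": 168, "DES": 56, "DES40": 40, "CHACHA20": 256, "NULL": 0}


def key_bits(suite):
    """Return the symmetric key size, in bits, implied by a suite name."""
    tokens = suite.split("_WITH_")[-1].split("_")
    for tok in tokens:
        if tok.isdigit():            # e.g. AES_128, RC4_40, RC2_CBC_40
            return int(tok)
    for tok in tokens:
        if tok in IMPLICIT_BITS:     # e.g. 3DES_EDE, DES_CBC, DES40_CBC
            return IMPLICIT_BITS[tok]
    raise ValueError("cannot determine key size for " + suite)


def audit(suites):
    """Return (suites ordered strongest first, list of findings)."""
    sized = [(key_bits(s), s) for s in suites]
    weak = [s for bits, s in sized if bits <= 56]
    strong = [s for bits, s in sized if bits >= 128]
    # sorted() is stable, so suites of equal strength keep their configured order.
    ordered = [s for _, s in sorted(sized, key=lambda pair: -pair[0])]
    findings = []
    if weak and strong:
        findings.append("mixes 56-bit-or-lower suites with 128-bit-or-higher: "
                        + ", ".join(weak))
    if ordered != list(suites):
        findings.append("list is not ordered strongest first")
    return ordered, findings


# Constructed sample: a list that breaks both rules.
CONFIGURED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
]

if __name__ == "__main__":
    ordered, findings = audit(CONFIGURED)
    for line in findings + ordered:
        print(line)
```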