Configuring the Cognos cryptographic provider

Cognos® Analytics includes its own cryptographic provider, named Cognos.

Tip: The provider default name Cognos can be changed to any other name. The provider type is alwaysCognos.

Before you begin

  • If you are using a JRE other than the one provided with IBM® Cognos server, go to the install_location/ibm-jre/jre/lib/ext, and copy bcprov-jdkversion.jar to JRE_location/lib/ext.
  • If you are using a JRE other than the one that IBM Cognos provides, you must also download and install the unrestricted Java™ Cryptograph Extension (JCE) policy file for your JRE to ensure that all available algorithms and cipher suites are shown in IBM Cognos Configuration.

Procedure

  1. Start IBM Cognos Configuration.
  2. In the Explorer window, under Security > Cryptography, click Cognos.
  3. In the Properties window, change the properties as needed.
    Tip: For detailed information about each property, view the property description in IBM Cognos Configuration when you click the property.
    • To configure the confidentiality algorithm, under Cryptography, Confidentiality algorithm or PDF Confidentiality algorithm, click in the Value column and then select the algorithm from the drop-down list.

      The value of a confidentiality algorithm determines how data is encrypted by IBM Cognos components. For example, database passwords entered in IBM Cognos Configuration are encrypted when you save the configuration. The algorithm selected when the data is encrypted must also be available for the data to be decrypted at a later date.

      The availability of confidentiality algorithms can change if there are changes to your environment. For example, if your Java Runtime Environment (JRE) has changed or if you have installed other cryptographic software on the computer. You must ensure that the Confidentiality algorithm that was selected when the data was encrypted is also available when you want to access the data.

      JREs include a restricted policy file that limits you to certain cryptographic algorithms and cipher suites. If you require a wider range of cryptographic algorithms and cipher suites, unrestricted (unlimited) policy files are now provided by default. They can be found here:

      • install location/ibm-jre/jre/lib/security/policy/unlimited/US_export_policy.jar
      • install location/ibm-jre/jre/lib/security/policy/unlimited/local_policy.jar

      In addition, for Java that is provided by IBM, the unrestricted JCE policy files are also available here.

    • To adjust the cipher suites, under Supported ciphersuites, click in the Value column and then click the edit icon Actions icon.

      Remove the cipher suites that are not applicable and move the remaining cipher suites up or down in the list so that the cipher suites in the highest range are higher in the list.

      Do not mix cipher suites in the 40- to 56-bit range with cipher suites in the 128- to 168-bit range.

    • To change the location of the crypto keys, under Encryption key settings, change Encryption key store location to the new location.
    • If configuring for HTTPS/SSL, change the Server common name from CAMUSER to the fully qualified domain name of the server.
    • To configure the Subject Alternative Name, specify DNS names, IP addresses, and Email addresses (optional) that are associated with the server certificate. The values are added to the Subject Alternative Name extensions in the server certificate. You can specify multiple values for each property. Separate the values using the space character.
  4. From the File menu, click Save.

Results

If you use another certificate authority (CA), see Configuring Cognos Analytics to use another certificate authority (CA) certificate.