Configuring the Cognos cryptographic provider

Cognos® Analytics includes its own cryptographic provider.

This cryptographic provider is named Cognos. You cannot use a third-party cryptographic provider.

The following settings can be configured for the Cognos provider:

  • Algorithms and ciphersuites
  • Identity name settings
  • Crypto key store settings

    The crypto key pair includes the private key that is used to encrypt data, and the public key that is used to decrypt data.

  • Certificate authority settings

    The certificate authority (CA) is either the default CA or a different CA.

  • Subject Alternative Name settings

    The Subject Alternative Name (SAN) is used to validate the origin of an SSL certificate.

Before you begin

  • If you are using a JRE other than the one provided with IBM® Cognos server, go to the install_location/ibm-jre/jre/lib/ext, and copy bcprov-jdkversion.jar to JRE_location/lib/ext.
  • If you are using a JRE other than the one that IBM Cognos provides, you must also download and install the unrestricted Java™ Cryptograph Extension (JCE) policy file for your JRE to ensure that all available algorithms and cipher suites are shown in IBM Cognos Configuration.


  1. Start IBM Cognos Configuration.
  2. In the Explorer window, under Security > Cryptography, click Cognos.
  3. In the Properties window, change the properties as needed.
    Tip: For detailed information about each property, view the property description in IBM Cognos Configuration when you click the property.
    • To configure the confidentiality algorithm, under Cryptography, Confidentiality algorithm or PDF Confidentiality algorithm, click in the Value column and then select the algorithm from the drop-down list.

      The value of a confidentiality algorithm determines how data is encrypted by IBM Cognos components. For example, database passwords entered in IBM Cognos Configuration are encrypted when you save the configuration. The algorithm selected when the data is encrypted must also be available for the data to be decrypted at a later date.

      The availability of confidentiality algorithms can change if there are changes to your environment. For example, if your Java Runtime Environment (JRE) has changed or if you have installed other cryptographic software on the computer. You must ensure that the Confidentiality algorithm that was selected when the data was encrypted is also available when you want to access the data.

      JREs include a restricted policy file that limits you to certain cryptographic algorithms and cipher suites. If you require a wider range of cryptographic algorithms and cipher suites, unrestricted (unlimited) policy files are now provided by default. They can be found here:

      • install location/ibm-jre/jre/lib/security/policy/unlimited/US_export_policy.jar
      • install location/ibm-jre/jre/lib/security/policy/unlimited/local_policy.jar

      In addition, for Java that is provided by IBM, the unrestricted JCE policy files are also available here.

    • To adjust the cipher suites, under Supported ciphersuites, click in the Value column and then click the edit icon Actions icon.

      Remove the cipher suites that are not applicable and move the remaining cipher suites up or down in the list so that the cipher suites in the highest range are higher in the list.

      Do not mix cipher suites in the 40- to 56-bit range with cipher suites in the 128- to 168-bit range.

    • To change the location of the crypto keys, under Encryption key settings, change Encryption key store location to the new location.
    • When configuring the Certificate Authority settings, ensure that the Use third party CA property is set to False to use the default certificate authority.

      To use another certificate authority, set this property to True. For more information, see Configuring Cognos Analytics components to use another certificate authority.

    • If configuring for HTTPS/SSL, change the Server common name from CAMUSER to the fully qualified domain name of the server.
    • To configure the Subject Alternative Name, specify DNS names, IP addresses, and Email addresses (optional) that are associated with the server certificate. The values are added to the Subject Alternative Name extensions in the server certificate. You can specify multiple values for each property. Separate the values using the space character.
  4. From the File menu, click Save.


If you use another certificate authority (CA) server, configure IBM Cognos components to use the CA. For more information, see Configuring Cognos Analytics components to use another certificate authority.