Configuring general cryptographic settings

In a distributed installation, IBM® Cognos® computers communicate with Content Manager to establish trust and obtain some cryptographic keys from Content Manager.

If you change the cryptographic keys in Content Manager, such as by changing application servers or reinstalling Content Manager, you must delete the cryptographic keys on the other IBM Cognos computers. You must then save the configuration on each computer so that they obtain the new cryptographic keys from Content Manager. In addition, all IBM Cognos components in a distributed installation must be configured with the same cryptographic provider settings.

Also, in a distributed environment, the symmetric key should only be stored on computers where Content Manager has been installed.

You can configure the following general cryptographic settings:

  • Standards conformance

    Specifies which cryptographic standard is to be used, IBM Cognos or NIST SP 800-131A.

  • Common symmetric key store (CSK) properties

    The CSK is used by IBM Cognos to encrypt and decrypt data.

  • Secure sockets layer (SSL) settings

    These include mutual authentication, confidentiality and SSL Transport Layer Security settings.

    Note: Transport Layer Security (TLS) consists of a set of encryption rules that uses verified certificates and encryption keys to secure communications over the Internet. TLS is an update to the SSL protocol. Choose from 1.1, 1.2, or the combination setting.
  • Advanced algorithm settings

    These include signing and digest algorithms.

Procedure

  1. Start IBM Cognos Configuration.
  2. In the Explorer window, under Security, click Cryptography.
  3. In the Properties window, change the default values by clicking the Value box and then selecting the appropriate value:
    Standards conformance
    The supported values are IBM Cognos and NIST SP 800-131A. This property might cause the save operation to fail if other parameters are not allowed in the selected standard. If the save fails, change the selected algorithm or the standards conformance. You might need to install the JRE's unlimited jurisdiction policy files to enable all the supported algorithms. They are available from IBM.
    CSK settings
    On computers that do not contain Content Manager, if you do not want to store the CSKs locally, change the Store symmetric key locally property to False.
    When the Store symmetric key locally property is set to False, the key is retrieved from Content Manager when required. The Common symmetric key store location property is ignored.
    SSL Settings
    If you want the computers at both ends of a transmission to prove their identity, change Use mutual authentication to True.
    Do not change the Use confidentiality setting.
    Advanced algorithm settings
    If you want to change the digest algorithm, for the Digest algorithm property, select another value.
  4. From the File menu, click Save.
  5. Test the cryptographic provider on a gateway computer only. In the Explorer window, right-click Cryptography, and click Test.

    IBM Cognos components check the availability of the symmetric key.

Results

After you configure the cryptographic settings, passwords in your configuration and any data that you create are encrypted.