In a distributed installation, IBM® Cognos® computers communicate with Content Manager to establish trust and obtain some cryptographic keys from Content Manager. If you change the cryptographic keys in Content Manager, such as by changing application servers or reinstalling Content Manager, you must delete the cryptographic keys on the other IBM Cognos computers. You must then save the configuration on each computer so that they obtain the new cryptographic keys from Content Manager. In addition, all IBM Cognos components in a distributed installation must be configured with the same cryptographic provider settings.

Also, in a distributed environment, the symmetric key should only be stored on computers where Content Manager has been installed.

You can configure the following general cryptographic settings:
- Standards conformance
  Specifies which cryptographic standard is to be used, IBM Cognos or NIST SP 800-131A.
- Common symmetric key store (CSK) properties
  The CSK is used by IBM Cognos to encrypt and decrypt data.
- Secure sockets layer (SSL) settings
  These include mutual authentication, confidentiality and SSL Transport Layer Security settings.
  Note: Transport Layer Security consists of a set of encryption rules that uses verified certificates and encryption keys to secure communications over the Internet. TLS is an update to the SSL protocol. Choose from 1.1, 1.2, or the combination setting.
- Advanced algorithm settings
  These include signing and digest algorithms.

Procedure
- Start IBM Cognos Configuration.
- In the Explorer window, under Security, click Cryptography.
- In the Properties window, change the default values by clicking the Value box and then selecting the appropriate value:
  - Standards conformance
    - The supported values are IBM Cognos and NIST SP 800-131A. This property might cause the save operation to fail if other parameters are not allowed in the selected standard. In that case, you must change the selected algorithm or the standards conformance. You may need to install the JRE's unlimited jurisdiction policy files to enable all the supported algorithms. They are available from IBM
  - CSK settings
    - On computers that do not contain Content Manager, if you do not want to store the CSKs locally, change the Store symmetric key locally property to False.
    - When the Store symmetric key locally property is set to False, the key is retrieved from Content Manager when required. The Common symmetric key store location property is ignored.
  - SSL Settings
    - If you want the computers at both ends of a transmission to prove their identity, change Use mutual authentication to True.
    - Do not change the Use confidentiality setting.
  - Advanced algorithm settings
    - If you want to change the digest algorithm, for the Digest algorithm property, select another value.
- From the File menu, click Save.
- Test the cryptographic provider on a gateway computer only. In the Explorer window, right-click Cryptography, and click Test.
  IBM Cognos components check the availability of the symmetric key.

Results
After you configure the cryptographic settings, passwords in your configuration and any data that you create are encrypted.
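
The two distributed-installation rules stated earlier (the same cryptographic settings on every computer, and the symmetric key stored only where Content Manager is installed) can be checked across an inventory of computers. The following Python check is an added example, not IBM code: the property names are the labels used on this page, while the inventory layout, the host names, the digest values, and the choice of which properties count as shared are assumptions.

```python
# Added example: checks a constructed inventory of Cryptography properties
# against the distributed-installation rules described on this page.
# The inventory layout is an assumption, not a format that Cognos exports.

# Assumption: these are the properties the "same settings everywhere" rule covers.
SHARED = ("Standards conformance", "Use mutual authentication", "Digest algorithm")
CSK_LOCAL = "Store symmetric key locally"


def audit(inventory):
    """Return sorted (computer, finding) tuples; an empty list means consistent."""
    reference = next((n for n in inventory if n["content_manager"]), None)
    if reference is None:
        return [("*", "no Content Manager computer in inventory")]
    findings = []
    for node in inventory:
        props = node["properties"]
        # Rule 1: every computer matches the Content Manager computer's settings.
        for name in SHARED:
            expected, actual = reference["properties"].get(name), props.get(name)
            if actual != expected:
                findings.append((node["name"],
                                 f"{name}: {actual!r}, but {expected!r} on {reference['name']}"))
        # Rule 2: the symmetric key is stored only where Content Manager is installed.
        if not node["content_manager"] and props.get(CSK_LOCAL) != "False":
            findings.append((node["name"],
                             f"{CSK_LOCAL}: expected 'False' without Content Manager"))
    return sorted(findings)


def _node(name, is_cm, standard, mutual, digest, csk_local):
    """Build one inventory entry (hypothetical helper for the sample data)."""
    return {"name": name, "content_manager": is_cm, "properties": {
        "Standards conformance": standard, "Use mutual authentication": mutual,
        "Digest algorithm": digest, CSK_LOCAL: csk_local}}


# Constructed sample: host names and digest values are placeholders.
SAMPLE = [
    _node("cm01", True, "NIST SP 800-131A", "True", "digest-A", "True"),
    _node("disp01", False, "NIST SP 800-131A", "True", "digest-A", "False"),
    _node("gw01", False, "IBM Cognos", "True", "digest-A", "True"),
]

if __name__ == "__main__":
    for computer, finding in audit(SAMPLE):
        print(f"{computer}: {finding}")
```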