Securing your data server connection using a cloud-based certificate
If you want to create a connection to a data source that is secured with SSL encryption, you must specify a valid SSL certificate. This certificate may be stored externally in a Cloud Object Storage (COS) location.
Using an SSL certificate that is stored externally provides these benefits:
- The certificate does not have to be stored in your Cognos Analytics environment.
- You don't need to import certificates into different keystores, as you do when certificates are imported to a local environment.
- You don't need to import certificates to multiple Cognos Analytics servers.
If your database vendor supports the inclusion of a certificate's location in the JDBC URL, you can use this feature. See your database vendor's documentation for the following information:
- a list of supported certificate types
- samples of JDBC URLs
Step 1: Create a COS location
Follow the steps in Creating a connection with a Cloud Object Storage provider.
Step 2: Upload the certificate to the COS location you created
First, ensure that your certificate meets the format criteria.
To upload your certificate, follow the instructions of your Cloud Object Storage provider:
- If you are using IBM Cloud Object Storage, see Upload data (https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-upload).
- If you are using Amazon Simple Storage Service (S3), see Upload an object to your bucket (https://docs.aws.amazon.com/AmazonS3/latest/userguide/uploading-an-object-bucket.html).
- If you are using Google Cloud Platform (GCP) storage, see Uploading objects (https://cloud.google.com/storage/docs/uploading-objects).
Step 3: Connect to the COS location from Cognos Analytics
Follow the steps in Creating a storage connection in Cognos Analytics.
Step 4: Specify S3 header information
You can point your data server connection to a database that is configured for SSL certificates. In your connection, you specify S3 header information that references a certificate stored in a Cloud Object Storage location.
Connections to a data source via JDBC may be required to use TLS. In turn, Cognos Application tier servers may need to be provisioned with the certificates required by TLS. When a data source connection is defined, it may optionally refer to a file that is dynamically retrieved from external storage. The associated JDBC driver must provide a name-value pair through which the location of the certificate is provided.
The location of the certificate is referenced using a session variable called $certificatePath$. For example, if a vendor provides the name SSLCert, the URL or connection for a data source would include SSLCert=$certificatePath$. If a certificate cannot be retrieved from external storage, for example because it was deleted or renamed, an error is displayed. A JDBC driver may reject a certificate if it has expired or cannot be read.
For details about which name-value pairs a JDBC driver may support for TLS, see the applicable vendor documentation.
- Ensure that you have uploaded the certificate to a Cloud Object Storage location.
- Follow the steps to create a data server connection, ensuring that the data server type supports SSL certificates.
- Click the chevron icon to expand the Cloud certificate details field.
- Enter the Connection name that you specified when you created the COS location.
- Select from the list the COS Location to which you uploaded the certificate.
- Select from the list the certificate.
- In the Connection properties field, enter the values that are required for your specific driver.
Important: For details, see the vendor documentation for your driver.
For example, for a DB2 connection, enter the following:
sslConnection=true;sslCertLocation=$certificatePath$/certFile.arm
- Click Test to ensure that the connection works.
- Click Save.
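A pre-flight check for the Connection properties value entered in the steps above, as an added example that is not part of the product or its documentation. The function names are hypothetical, the property names are passed in by the caller because they vary by vendor, and exact-case matching of names and of $certificatePath$ is an assumption.

```python
import re

PLACEHOLDER = "$certificatePath$"  # session variable named on this page

def parse_properties(props):
    """Split 'name=value;name=value' into a dict; reject malformed pairs."""
    pairs = {}
    for part in (p.strip() for p in props.split(";")):
        if not part:
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed name-value pair: {part!r}")
        pairs[name.strip()] = value.strip()
    return pairs

def check_connection_properties(props, cert_property, tls_property=None):
    """Return a list of findings; an empty list means the string looks sound.

    cert_property: the driver's name for the certificate location
                   (sslCertLocation in the page's DB2 example).
    tls_property:  optional switch expected to be 'true'
                   (sslConnection in the page's DB2 example).
    """
    try:
        pairs = parse_properties(props)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    cert_value = pairs.get(cert_property)
    if cert_value is None:
        findings.append(f"{cert_property} is not set, so the driver gets no certificate location")
    elif PLACEHOLDER not in cert_value:
        findings.append(f"{cert_property} does not reference {PLACEHOLDER}; "
                        "a fixed path bypasses the certificate stored in COS")
    if tls_property and pairs.get(tls_property, "").lower() != "true":
        findings.append(f"{tls_property} is not 'true', so the connection may not use TLS")
    # Catch misspelled variables such as $certificatepath$ in any value.
    for name, value in pairs.items():
        for token in re.findall(r"\$[^$;=/]*\$", value):
            if token != PLACEHOLDER:
                findings.append(f"{name} uses unknown variable {token}")
    return findings

if __name__ == "__main__":
    # Constructed sample inputs: the page's DB2 string and a hard-coded path.
    for s in ("sslConnection=true;sslCertLocation=$certificatePath$/certFile.arm",
              "sslConnection=true;sslCertLocation=/opt/certs/certFile.arm"):
        print(s, "->", check_connection_properties(s, "sslCertLocation", "sslConnection"))
```
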