Database connection encryption

IBM® Controller supports database connection encryption.

Background

The Controller servers connect to databases and require connection information such as ports, server names, and credentials such as database usernames and passwords.

This connection information is saved in several files.

If you installed Controller in the default location C:\Program Files\IBM\cognos\ccr_64, the main Controller server looks in the C:\Program Files\IBM\cognos\ccr_64\Data directory for files with a udl extension.

Universal Data Link (udl) files are stored as text and contain the database connection information that includes credentials.

A udl file exists for each database that Controller has been configured to use.

If you also installed the Controller Web, then an extra file exists that holds the same information as the udl files.

The Controller Web server looks in the C:\Program Files\IBM\cognos\ccr_64\fcmweb\wlp\usr\shared\config\datasources directory for the datasources.xml file.

The datasources.xml file has entries for every database Controller is configured to use. Similar to the udl files, the xml file is in text format and contains the database connection information that includes credentials.

Database connection encryption

If you require files that contain credentials to be encrypted, Controller has a feature to support that. Enabling the encryption feature in Controller ensures that newly created database definitions are stored in an encrypted format in the udl files and the datasources.xml file. Only the Controller servers can decrypt them.

Enabling database connection encryption

To enable encryption, edit the configuration file.

  1. Open the file C:\Program Files\IBM\cognos\ccr_64\webcontent\ccr\ControllerConf.exe.config.
  2. Add the line <add key="UseUDLEncryption" value="true"/> to ControllerConf.exe.config.
    <configuration>
        <appSettings>
            <add key="ShowDetailedError" value= "true"/>
            <add key="DEVMODE" value= "false"/>
            <add key="UseUDLEncryption" value="true"/>
        </appSettings>
    </configuration>
    

After you add the UseUDLEncryption entry to the ControllerConf.exe.config file, new database connections that you save are stored in an encrypted format.

Note: Existing database connections are not encrypted. Delete the old database connection udl files and re-create them using the Controller Configuration tool.
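A post-change check for the steps above, added here as an example and not IBM's own tooling: it confirms the UseUDLEncryption setting and lists the udl files that still expose readable credential keys. It assumes that plaintext udl files use the standard OLE DB init-string layout and that encrypted ones show no Password= or User ID= keys; the function names and the sample tree are constructed for illustration.

```powershell
# Added example (not IBM code). Audits the two settings this page describes.
# Assumptions: a plaintext .udl uses the standard OLE DB init-string layout
# ("Password=...;User ID=..."), and an encrypted one exposes no such keys.

function Test-UdlEncryptionEnabled {
    param([Parameter(Mandatory)][string]$ConfigPath)
    # True only if <appSettings> holds <add key="UseUDLEncryption" value="true"/>.
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $node = $cfg.SelectSingleNode("/configuration/appSettings/add[@key='UseUDLEncryption']")
    return ($null -ne $node) -and ($node.GetAttribute('value') -eq 'true')
}

function Get-PlaintextUdl {
    param([Parameter(Mandatory)][string]$DataDir)
    # Return the .udl files that still show readable credential keys.
    # Only file objects are returned; the matched values are never printed.
    Get-ChildItem -LiteralPath $DataDir -Filter *.udl -File |
        Where-Object { (Get-Content -LiteralPath $_.FullName -Raw) -match '(?i)\b(Password|User ID)\s*=' }
}

# Constructed sample tree so the script runs offline (not a real installation).
$demo    = Join-Path ([IO.Path]::GetTempPath()) 'ccr_demo'
$data    = Join-Path $demo 'Data'
$cfgPath = Join-Path $demo 'ControllerConf.exe.config'
New-Item -ItemType Directory -Path $data -Force | Out-Null
@'
<configuration>
    <appSettings>
        <add key="UseUDLEncryption" value="true"/>
    </appSettings>
</configuration>
'@ | Set-Content -LiteralPath $cfgPath
# Constructed pre-existing file with placeholder credentials (UTF-16, as UDL files often are).
"[oledb]`r`nProvider=SQLOLEDB.1;Password=EXAMPLE;User ID=EXAMPLE;Data Source=dbhost" |
    Set-Content -LiteralPath (Join-Path $data 'legacy.udl') -Encoding Unicode
# Constructed stand-in for a re-created file; the real encrypted layout is not shown on this page.
'CONSTRUCTED-OPAQUE-CONTENT' | Set-Content -LiteralPath (Join-Path $data 'recreated.udl')

$enabled = Test-UdlEncryptionEnabled -ConfigPath $cfgPath
$stale   = @(Get-PlaintextUdl -DataDir $data)
"UseUDLEncryption enabled: $enabled"
"Plaintext udl files to delete and re-create: $($stale.Name -join ', ')"
```

Against a real installation, call the two functions with the ControllerConf.exe.config path and the Data directory given on this page instead of the sample tree.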

Controller Web

If Controller Web is installed and you want encrypted credentials, then re-create the datasources.xml file.

  1. Delete the datasources.xml in the C:\Program Files\IBM\cognos\ccr_64\fcmweb\wlp\usr\shared\config\datasources folder.
  2. Run the SyncDBConf.bat file as you normally would, but add the --encrypt argument.

    For more information, see Configuring Controller Web.

For example, from the C:\Program Files\IBM\cognos\ccr_64\fcmweb folder, run the command .\SyncDBConf.bat --encrypt ..\Data wlp\usr\shared\config\datasources. The datasources.xml file is created and the credentials are encrypted.