IBM Support

[Check NIST 131A conformance warning] while starting the Cognos services

Troubleshooting


Problem

 "Check NIST 131A conformance" Warning message appears while starting Cognos services after upgrading the software to version 11.1.x.

 

Symptom

[Check NIST 131A conformance]

[WARNING] CAM-CRP-1632 The selected PDF Confidentiality algorithm is not permitted by the NIST SP 800-131A standard. You must change the selected algorithm to a stronger algorithm such as 'AES-256'. You might need to install the JRE's unlimited jurisdiction policy files to enable all of the supported algorithms. It is available from http://ibm.com

Cause

Updating to NIST SP 800-131A security standards to the use of stronger cryptographic keys and more robust algorithms. 

Diagnosing The Problem

Go to Cognos Configuration > under Cryptography > Cognos > on the right window you find field "PDF Confidentiality Algorithm - Advanced encryption standard with Cipher Block Chaining (CBC) mode 128-bit key"

Resolving The Problem

IBM Cognos Analytics is configured to support the NIST SP800-131a security standard. To be compliant with this security standard, you must use a JRE that also supports this standard.

If your JRE supports it, skip the download and set the values as described under Configuration.


Download
If JRE8 is not being used download the policy files from the link for IBM JRE:

Unrestricted SDK JCE policy files

Steps to follow if your version of JRE is not version 8

  • Download the file unrestrictedpolicyfiles.zip
  • Extract the files from zip
  • Go to <cognos_installation>\jre\lib\security
  • Back up the local_policy.jar and US_export_policy.jar files
  • Place the new files from the unrestricted folder from the policy file download into this directory, replacing the existing ones.
Configuration

A new value will display for the field "PDF Confidentiality Algorithm  - Advanced encryption standard with Cipher Block Chaining (CBC) mode 256-bit key". Please change the PDF Confidentiality Algorithm as well as the Confidentiality Algorithm to this field.

Note that you may need to right-click on 'Supported cipher suites' and select "Reset to Default" in order to pull in the new ciphers.  If not, you may require to select the drop-down option for each attribute to explicitly choose the correct value.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTSF6","label":"IBM Cognos Analytics"},"ARM Category":[{"code":"a8m50000000Cl5lAAC","label":"Security-\u003ESSL\/Cryptography"}],"ARM Case Number":"TS012655151","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
05 April 2023

UID

ibm10884902