IBM Support

FAQ: Security concerns regarding credentials stored in Content Store

Question & Answer


Question

Cognos BI products need to store user credentials for two reasons:
- When scheduling reports for future execution, it is necessary to store user credentials with the object, to be used for the planned execution.
- Data Source signon credentials.

This can raise security concerns, in particular when customers run security audits or are in a Proof of Concept situation. Answers to the most common questions are given below.

Answer


Q1: When IBM Cognos BI software stores credentials, where are those stored?

A1: Credentials are stored in the Content Store (CS) database.
Database security can be applied to protect the contents of the CS tables. Only a dedicated account should have read permission on the CS.
The credentials for accessing the Content Store are saved in the IBM Cognos BI configuration file in encrypted form.

Q2: Are the credentials stored in clear text in the CS database?

A2: Never. The credentials are encrypted with proven standard security algorithms. For obvious reasons, information on this encryption is considered IBM Cognos BI Private and is kept confidential.

Q3: Are the credentials dynamically updated upon password changes in the underlying external authentication source?

A3: As of IBM Cognos BI version 10, any scheduled Job or Report will automatically update the stored credential in the schedule when run, eliminating the need for the user to use the "Renew Credentials" option. This prevents the Job or Report run from failing, as it previously did, when the user changed the password in the Authentication Source.

Q4: Are the credentials accessible externally, like with Identity Management tools?

A4: No. Since the credentials are encrypted and the Content Store is considered a black box environment, one MUST NOT access the tables with anything but IBM Cognos BI functionality.
Besides, it is not possible through the SDK or other means to write that credential directly to the Content Store. Doing so is considered a Security Audit Failure.

Product: Cognos Business Intelligence
Business Unit: IBM Software w/o TPS
Component: Install and Config
Platform: AIX, HP-UX, Linux, Solaris, Windows
Version: 10.1; 10.1.1; 10.2; 10.2.1; 10.2.1.1; 10.2.2
Edition: Edition Independent
Line of Business: Data and AI

Historical Number

1012899

Document Information

Modified date:
24 February 2020

UID

swg21335738