IBM Support

How to determine when the cryptographic keys will expire, and whether the cryptographic key and CA certificate lifetime settings are related

Question & Answer


When I open the freshness file I don't see an expiration date. How do we check the expiration date for the cryptographic (symmetric) key? The gateway servers are set up with the default 365 days and the application servers are set up with 1500 days. What I see in the freshness file is a freshness value of minus 1. What does this mean?
We started to notice that users could not log in to the application, and re-saving the configuration file resolved the problem. The CA lifetime is set to 730 days.
Also, how is the cryptographic (symmetric) key lifetime related to the CA certificate lifetime?


The freshness file indicates when you last saved the configuration. It is normally created when you first generate the cryptographic keys, and it is updated each time you save.
Here is an example of a freshness file opened in Notepad:
#CA Cache Freshness
#Wed Aug 29 15:55:23 EDT 2018
This indicates that the keys were last renewed on August 29th, 2018, as per the timestamp in the file. If you were to open Cognos Configuration and click save, or regenerate your cryptographic keys, the file would be updated to show the new timestamp.
A value of minus 1 in the freshness file means that the cryptographic keys (symmetric keys) have been refreshed: when you saved the configuration, Cognos reset the freshness value to minus 1. This value is used internally by Cognos. It will change and increase as you save the configuration again in the future, but it is not anything for you to be concerned about.
To determine the expiration date, add the symmetric key lifetime in days to the date in the freshness file. By default, the lifetime for the keys is set to 365 days, and this value should be fine.
There is no reason to set the content manager and app tier to use 1500 and the gateway to use 365. They should all be the same value, and you can use 1500 if you want to, or the default of 365. As a rule, if you save the cryptographic keys once per year, you should be fine. These are keys and not certificates. As such, a key only contains the date on which it was created. Cognos determines whether the cryptographic key has expired by comparing the date on which it was created with the 'Common symmetric key lifetime in days' value in the local configuration. This check is done every time Cognos uses the key.
The CA lifetime of 730 days is entirely independent of the cryptographic keys and is not related to the symmetric key lifetime. The "Certificate lifetime in days" value governs the amount of time before Cognos no longer recognizes the Certificate Authority.
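
The expiry calculation described above, as an added Python example (not IBM code): it reads the timestamp comment from the freshness file and adds each install's 'Common symmetric key lifetime in days'. The sample file contents and the lifetimes come from this page; the function names are illustrative, and it assumes both installs were last saved at the same time.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the freshness file contents shown on this page.
SAMPLE_FRESHNESS = """#CA Cache Freshness
#Wed Aug 29 15:55:23 EDT 2018
"""

# Date comment in the form "#Wed Aug 29 15:55:23 EDT 2018".
_STAMP = re.compile(
    r"^#\s*(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
    r"([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) \S+ (\d{4})\s*$"
)


def freshness_timestamp(text):
    """Return the last-saved time recorded in the freshness file.

    The zone abbreviation (EDT here) is ambiguous and is dropped; the result
    is the server's wall-clock time, which is enough for day-level planning.
    """
    for line in text.splitlines():
        m = _STAMP.match(line)
        if m:
            mon, day, clock, year = m.groups()
            return datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
    raise ValueError("no timestamp comment found in freshness file")


def key_expiry(text, lifetime_days):
    """Expiry = freshness timestamp + symmetric key lifetime in days."""
    return freshness_timestamp(text) + timedelta(days=lifetime_days)


def earliest_expiry(text, lifetimes):
    """Given {install_name: lifetime_days}, return the (name, expiry) that lapses first.

    Assumption: every install was last saved at the timestamp in `text`.
    """
    name = min(lifetimes, key=lifetimes.get)
    return name, key_expiry(text, lifetimes[name])


if __name__ == "__main__":
    # Lifetimes from the question: gateways 365 days, application servers 1500.
    installs = {"gateway": 365, "application server": 1500}
    for name, days in installs.items():
        print(f"{name}: key expires {key_expiry(SAMPLE_FRESHNESS, days):%Y-%m-%d %H:%M:%S}")
    print("first to expire:", earliest_expiry(SAMPLE_FRESHNESS, installs)[0])
```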


Document Information

Modified date:
20 March 2019