IBM Support

Updates for supported cipher suite changes in Java Runtime Environment as part of Cognos Analytics 11.0.7

Question & Answer


Question

After upgrading from a previous version of Cognos Analytics to 11.0.7, the supported cipher suites shown in Cognos Configuration differ between the two versions. For example, Cognos Analytics 11.0.6 displays the following under Supported cipher suites, which are not listed in 11.0.7:

- RSA-RSA-DES(168)CBC3-SHA

- DH-RSA-DES(168)CBC3-SHA

Answer

Cognos Analytics 11.0.7 contains a newer JRE (Java Runtime Environment), which has disabled support for Triple DES (TDES), also known as Triple Data Encryption Algorithm (TDEA).

At the current time, 3DES ciphers are no longer considered secure due to a vulnerability found in the implementation that allows them to be broken without a brute force attack of the key space.

IBM JRE 1.8.0 SR4 and later versions have disabled 3DES by default to prevent potential security vulnerabilities.

As a result, these are no longer displayed in Cognos Configuration as supported cipher suites.

To check the version of the Java Runtime Environment, run java -version from <Cognos_Install_Directory>/jre/bin:

- CA 11.0.6 JRE (version: 1.8.0 SR3)

- CA 11.0.7 JRE (version: 1.8.0 SR4 FP5)

The change is visible in the java.security file under <Cognos_Install_Directory>/jre/lib/security:

- CA 11.0.6 JRE (version: 1.8.0 SR3)

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

- CA 11.0.7 JRE (version: 1.8.0 SR4 FP5)

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede, \
    EC keySize < 224

The entries "3DES_EDE_CBC" and "DESede" are the ones that effectively disable 3DES.
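To run the same comparison across several installations, the check can be scripted. The following is an added example, not IBM code: it reads a java.security file in the style of a Java properties file (comments skipped, backslash continuation lines joined) and reports which of the two 3DES entries named above appear in jdk.tls.disabledAlgorithms. The function names and the embedded sample text are assumptions constructed for illustration, and matching entries case-insensitively is a choice made by this example.

```python
import re

# Constructed samples modelled on the two java.security excerpts quoted above.
SR3 = "jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768\n"
SR4_FP5 = (
    "# constructed sample\n"
    "jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, "
    "3DES_EDE_CBC, DESede, \\\n"
    "    EC keySize < 224\n"
)
TDES_ENTRIES = ("3DES_EDE_CBC", "DESede")  # the two entries named on this page


def logical_lines(text):
    """Yield property lines with comments skipped and '\\' continuations joined."""
    buf, continuing = "", False
    for raw in text.splitlines():
        line = raw.lstrip()
        if not continuing and (not line or line[0] in "#!"):
            continue  # blank or comment line at the start of a logical line
        trailing = len(line) - len(line.rstrip("\\"))
        continuing = trailing % 2 == 1  # odd count of '\' means continuation
        buf += line[:-1] if continuing else line
        if not continuing:
            yield buf
            buf = ""
    if buf:
        yield buf  # file ended in the middle of a continuation


def disabled_algorithms(text, key="jdk.tls.disabledAlgorithms"):
    """Return the entries of the last definition of `key`, or [] if absent."""
    entries = []
    for line in logical_lines(text):
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) == 2 and parts[0] == key:
            entries = [e.strip() for e in parts[1].split(",") if e.strip()]
    return entries


def tdes_disabled(text):
    """Return the page's 3DES entries that are present in the disabled list."""
    present = {e.upper() for e in disabled_algorithms(text)}
    return [t for t in TDES_ENTRIES if t.upper() in present]


if __name__ == "__main__":
    for label, sample in (("1.8.0 SR3", SR3), ("1.8.0 SR4 FP5", SR4_FP5)):
        print(label, "->", tdes_disabled(sample) or "3DES not disabled")
```

To check a real installation, pass the contents of <Cognos_Install_Directory>/jre/lib/security/java.security to tdes_disabled() instead of the embedded samples.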

For details on these changes, please also refer to the following documentation.

Fix Security Vulnerability

http://www-01.ibm.com/support/docview.wss?uid=swg1IV93010

Security changes in IBM JRE 8.0 SR4

https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/disabledalgorithms.html

Security bulletin for Cognos Analytics 11.0.7

http://www-01.ibm.com/support/docview.wss?uid=swg22007242


Document Information

Modified date:
15 June 2018

UID

swg22009453