Question & Answer
Question
After upgrading from a previous version of Cognos Analytics to version 11.0.7, the supported cipher suites shown in Cognos Configuration look different when the two versions are compared. For example, Cognos Analytics 11.0.6 displays the following under Supported cipher suites, which are not listed in 11.0.7:
- RSA-RSA-DES(168)CBC3-SHA
- DH-RSA-DES(168)CBC3-SHA
Answer
Cognos Analytics 11.0.7 contains a newer JRE (Java Runtime Environment), which has disabled support for Triple DES (TDES), also known as Triple Data Encryption Algorithm (TDEA).
At the current time, 3DES ciphers are no longer considered secure due to a vulnerability found in the implementation that allows them to be broken without a brute force attack of the key space.
IBM JRE 1.8.0 SR4 and later versions have disabled this by default to prevent potential security vulnerabilities.
As a result, these cipher suites are no longer displayed in Cognos Configuration as supported.
To check the version of the Java Runtime Environment, run java -version from the command line in <Cognos_Install_Directory>/jre/bin:
- CA 11.0.6 JRE (version: 1.8.0 SR3)
- CA 11.0.7 JRE (version: 1.8.0 SR4 FP5)
The change is also visible in the java.security file under <Cognos_Install_Directory>/jre/lib/security:
- CA 11.0.6 JRE (version: 1.8.0 SR3)
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
- CA 11.0.7 JRE (version: 1.8.0 SR4 FP5)
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede, \
EC keySize < 224
The entries "3DES_EDE_CBC" and "DESede" are the ones that effectively disable 3DES.
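To run the java.security comparison above against an installed JRE, the following added example (not IBM's code) parses jdk.tls.disabledAlgorithms, joins the backslash-continued line seen in the 11.0.7 file, and reports which 3DES entries are present. The function names are hypothetical, the two sample strings are constructed from the excerpts quoted above, and entry names are assumed to match exactly as written.

```python
import sys

KEY = "jdk.tls.disabledAlgorithms"
TDES_ENTRIES = ("3DES_EDE_CBC", "DESede")  # the two entries the article names

# Constructed samples copying the two java.security excerpts quoted above.
CA_1106 = KEY + "=SSLv3, RC4, MD5withRSA, DH keySize < 768\n"
CA_1107 = (KEY + "=SSLv3, RC4, MD5withRSA, DH keySize < 768, "
           "3DES_EDE_CBC, DESede, \\\n    EC keySize < 224\n")


def disabled_algorithms(text, key=KEY):
    """Entries of `key` in java.security text; the last definition wins."""
    entries, pending = [], ""
    for raw in text.splitlines() + [""]:  # trailing "" flushes a dangling "\"
        line = raw.lstrip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank line or comment
        # An odd number of trailing backslashes continues the logical line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending += line[:-1]
            continue
        logical, pending = pending + line, ""
        name, sep, value = logical.partition("=")
        if sep and name.strip() == key:
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries


def tdes_entries(text):
    """Which of the article's 3DES entries are present (exact-match assumption)."""
    found = disabled_algorithms(text)
    return [e for e in TDES_ENTRIES if e in found]


def added_entries(old_text, new_text):
    """Entries disabled in new_text that old_text did not disable."""
    old = set(disabled_algorithms(old_text))
    return [e for e in disabled_algorithms(new_text) if e not in old]


if __name__ == "__main__":
    # Pass the path to <Cognos_Install_Directory>/jre/lib/security/java.security
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CA_1107
    print("disabled:", disabled_algorithms(text))
    print("3DES entries present:", tdes_entries(text))
    print("added since 11.0.6 sample:", added_entries(CA_1106, text))
```

An empty "3DES entries present" list on a JRE at or above 1.8.0 SR4 means the default has been overridden in that installation's java.security.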
For details on these changes, please also refer to the following documentation.
Fix Security Vulnerability
http://www-01.ibm.com/support/docview.wss?uid=swg1IV93010
Security changes in IBM JRE 8.0 SR4
Security bulletin for Cognos Analytics 11.0.7
Document Information
Modified date:
15 June 2018
UID
swg22009453