Configure SSL for Cognos components 
.
Set up shared trust between Cognos components and other servers,
if required .
Select and rank Cipher Suites to be used in an SSL connection,
if required .
The Secure Sockets Layer (SSL) protocol is used to secure communication between Cognos components installed on the same computer or on different computers.
In addition, you may want to set up SSL connections between Cognos components and other servers. You must ensure that SSL is set up for the other servers and then you must set up a shared trust between Cognos components and the other servers.
After configuring the SSL protocol, you can select and rank cipher suites, which control the quality of protection used in the SSL connection.
To configure SSL protocol, do the following:
| | Configure SSL for Cognos components |
| | Set up shared trust between Cognos components and other servers,
if required |
| | Select and rank Cipher Suites to be used in an SSL connection,
if required |
You can configure Cognos components to use the SSL protocol for
internal connections only
external connections only
internal and external connections
connections to local and remote log servers
If you configure SSL only for internal connections, Cognos components on the local computer communicate using this protocol. The dispatcher listens for secure connections on a different port than for remote, http requests. Therefore, you must configure two dispatcher URIs.
If you configure SSL only for external connections, communications from remote Cognos components to the local computer use the SSL protocol. You must configure the dispatcher to listen for secure, remote requests on a different port than local, HTTP requests. You must also configure the Content Manager URIs and the dispatcher URI for external applications to use the same protocol and port as the external dispatcher.
If you configure SSL for all connections, the dispatcher can use the same port for internal and external connections. Similarly, if you do not use SSL for local or remote communication, the dispatcher can use the same port for all communications.
You must also update the Content Manager URIs, Dispatcher URI for external applications, and Gateway URI to use SSL, if required.
If the internal dispatcher URI is prefixed with http but the external dispatcher URI is prefixed with https, or vice versa, both the non-SSL Coyote HTTP/1.1 and SSL Coyote HTTP/1.1 connectors are enabled in the server.xml file.
If the internal and external dispatcher URIs use different protocol or ports, the internal dispatcher port is accessible only to the components on the local computer. The internal dispatcher URI must also specify localhost.
In single computer installations, if you are running Cognos 8 without SSL, you must stop the service before adding SSL to your configuration. After you save the configuration with SSL settings, you can restart the service.
In distributed installations, if you are using the Cognos certificate authority service, you must first configure all Cognos computers to use the non-secure (http) protocol before you configure Cognos components to use the SSL protocol. You must do this because you cannot set up the SSL protocol before trust has been established.
Also, ensure that you follow the required order of configuring computers in a distributed environment. That means that you must first configure the computer where the default active Content Manager is installed and then start the services on this computer before you configure other computers or start services on other computers. By first configuring the default active Content Manager computer and starting the services, you ensure that the certificate authority service on the default active Content Manager computer can issue certificates to other computers in the Cognos environment.
After you configure all computers in the distributed installation to use the default, non-secure protocol, we recommend that you test your installation to ensure that Cognos components are working properly. After you test your installation, you can configure the SSL protocol.
When you configure Cognos 8 to use the SSL protocol, ensure that you first configure the default active Content Manager computer to use the protocol and start the services on the default active Content Manager computer. After you do this, you can configure the SSL protocol on other Cognos computers in your environment.
If you add a computer to an SSL-enabled environment, you will be prompted to temporarily accept trust for a certificate when you save the configuration. Accepting the temporary certificate will allow permanent trust to be established with the Content Manager computer.
You can later add a component to the same location as other Cognos components. If you add the component to a different location on the same computer as other Cognos components, you will be prompted to temporarily accept trust for a certificate when you save the configuration. Accepting the temporary certificate will allow permanent trust to be established between the new component and the Content Manager computer.
Start Cognos Configuration.
In the Explorer window, click Environment.
In the Properties window, type the appropriate values for the Internal dispatcher URI and External dispatcher URI values:
To configure SSL for internal connections only, for the Internal dispatcher URI property, type https and a port for SSL communication. For the External dispatcher URI property, type http and use the default or another available port.
If you use Tomcat, the Internal dispatcher URI property must also specify localhost.
The ports in the two dispatcher URIs must be different.
To configure SSL for external connections only, for the External dispatcher URI property, type https and a secure port. For the Internal dispatcher URI property, type http and use the default or another available port.
If you use Tomcat, the Internal dispatcher URI property must also specify localhost.
The ports in the two dispatcher URIs must be different.
To configure SSL for all connections, type the same URI for both the Internal dispatcher URI and External dispatcher URI properties. Type https and a secure port, such as 9343.
Note: You do not have to use port 9343, the default SSL port. You can choose any available port.
Configure the SSL protocol for the other environment URIs, including the Content Manager URIs, the Dispatcher URI for external applications, and Gateway URI.
For internal connections only, type https in the URIs that contain localhost.
For external connections only, type https in the URIs that do not contain localhost.
For all connections, type https in all the URIs.
In the Explorer window, click Security, Cryptography.
To use SSL protocol, you must specify passwords for the Cognos 8 encryption key stores. There are more settings under Security, Cryptography, Cognos.
From the File menu, click Save.
If you want to use the default Cognos certificate authority and you want to use SSL for connections from other servers to Cognos servers, you must add the Cognos certificate to the trust store on the other servers.
Note: If you use browsers to connect to Cognos components, the browsers automatically prompt users to update their trust stores.
If you want the connection between Cognos servers and the other server to be mutually authenticated, you must also copy the certificate from your certificate authority to the trust store for Cognos servers.
If you have configured Cognos components to use a third-party certificate authority (CA), you do not have to set up shared trust between Cognos server and other servers.
Go to the c8_location\bin directory.
Extract the Cognos certificate by typing the following command:
On UNIX or Linux, type
ThirdPartyCertificateTool.sh -E -T -r destination_file -k c8_location/configuration/signkeypair/jCAKeystore -p password
On Windows, type
ThirdPartyCertificateTool.bat -E -T -r destination_file -k c8_location\configuration\signkeypair\jCAKeystore -p password
Import the certificate to the trust store on your server.
For information on updating the server trust store, see the documentation for your server.
Copy the certificate from your certificate authority to a secure location on the Cognos server.
Ensure that the CA certificate is in Base-64 encoded X.509 format.
Import the CA certificate by typing the following command:
On UNIX or Linux, type
ThirdPartyCertificateTool.sh -T -i -r CA_certificate_file -k c8_location/configuration/signkeypair/jCAKeystore -p password
On Windows, type
ThirdPartyCertificateTool.bat -T -i -r CA_certificate_file -k c8_location\configuration\signkeypair\jCAKeystore -p password
An SSL connection begins with a negotiation in which the client and server present a list of supported cipher suites in a priority sequence. A cipher suite provides the quality of protection for the connection. It contains cryptographic, authentication, hash, and key exchange algorithms. The SSL protocol selects the highest priority suite that the client and the server both support.
Cognos provides a list of supported cipher suites for SSL. You can eliminate cipher suites that do not meet your requirements and then assign a priority, or preference, to the remaining cipher suites. The selected cipher suites are presented in priority sequence for the client and server sides of the negotiation. At least one of the selected cipher suites between the client and server platforms must match.
The list of supported cipher suites is dynamically generated on each computer, and depends on the Java Runtime Environment (JRE) or whether you have third-party cryptographic software installed on the computer. If you have made changes to a computer, such as upgraded the JRE or installed software that has upgraded the JRE, this may affect the supported cipher suites available on that computer. If you no longer have a supported cipher suite that matches the other computers in your environment, you may have to change the JRE on the computer to match the other computers in your environment.
Start Cognos Configuration.
In the Explorer window, click Cryptography, Cognos.
In the Properties window, click the Value column for the Supported ciphersuites property.
Click the edit button.
To move a cipher suite to the Current values list, click the check box in the Available values list and then click Add.
To move a cipher suite up or down in the Current values list, click the check box and then click the up or down arrows.
To remove a cipher suite from the Current values list, click the check box and then click Remove.
Click OK.
From the File menu, click Save.
