Secure connection to the content store (SQLServer)

Started by Yoshick, 21 Feb 2018 01:17:58 AM

Yoshick

Hi.

I'm trying to secure the connection to the Content Store in SQLServer. But the document (https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_ssl_sqlserver.html) I followed left me frustrated.

Steps done:
- Certificate signed by own CA installed on the SQLServer, instance restarted, Force encryption is set to No (i.e. permissive encryption).
- CS is accessible from SSMS with and without encryption set on the client side. A query to sys.dm_exec_connections shows encrypt_option=true if encryption is utilized.
- DB authentication is used.
- SQLServer jdbc driver (mssql-jdbc-6.2.2.jre2.jar) is installed in COGNOS_HOME/drivers directory.

I tried to follow the procedure in the document above but failed. Even more, checking cbs_cnfgtest_run_WebSphereLiberty.log, I do not see the parameters added to bootstrap_wlp_win64.xml.

May I ask your advice on the subject?
Questions I have:
1. Was anybody successful in configuring traffic encryption to SQLServer?

2. The document requests the standard java keytool from the jre/bin directory to create the trust store. Does it mean that the Cognos key store managed by the standard ThirdPartyCertificateTool, iKeyman/iKeycmd tools should not be used?

3. What keystore is assumed for the imported certificates? Should it be a separate dedicated store or the standard trust store from the JRE (lib/security/cacerts)?

4. Will adding the additional trust store with -Djavax.net.ssl.trustStore=... overwrite the default (i.e. jCKeystore) key store, or will they act independently?

5. The document requests to start Cognos with cogconfig.bat(sh) only. How will it work in case of server reboot and automatic startup? Will the IBM Cognos service start correctly (i.e. supporting Content Store traffic encryption) through Services, or sc, or wmic?


Thank you in advance and hope for your help.

Yoshick

The problem is solved.

Certificates in the top-down order should be imported to the Cognos trust store with ThirdPartyCertificateTool AND to the cacert trust store of the JVM used by Cognos.
It is not necessary to modify bootstrap_wlp_win64.xml, cogconfig.bat and startwlp.bat as is mentioned in IBM's document.
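
The check mentioned in the first post (encrypt_option in sys.dm_exec_connections), written out as a query for confirming that the Content Store connections are encrypted once the certificates are imported. This is an added example, not part of the original posts or IBM's document; the database name 'cm' is a placeholder assumption, and the login running it needs VIEW SERVER STATE.

```sql
-- Added example: list Content Store sessions with their encryption state.
-- ASSUMPTION: N'cm' is a placeholder; replace it with your Content Store database name.
-- Requires SQL Server 2012 or later (sys.dm_exec_sessions.database_id).
SELECT
    s.session_id,
    s.login_name,
    s.host_name,
    s.program_name,        -- client-supplied label set by the driver/application
    c.client_net_address,
    c.net_transport,
    c.encrypt_option,      -- 'TRUE' when the connection is encrypted
    c.connect_time
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
     ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  AND DB_NAME(s.database_id) = N'cm'
ORDER BY c.encrypt_option,   -- unencrypted ('FALSE') rows sort first
         c.connect_time;
```

Because Force encryption is set to No on the instance described here, the server also accepts unencrypted connections, so a 'FALSE' row from the Cognos host means that connection is not using encryption.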

nguyenb2

Quote from: Yoshick on 22 Feb 2018 03:57:40 PM
The problem is solved.

Certificates in the top-down order should be imported to the Cognos trust store with ThirdPartyCertificateTool AND to the cacert trust store of the JVM used by Cognos.
It is not necessary to modify bootstrap_wlp_win64.xml, cogconfig.bat and startwlp.bat as is mentioned in IBM's document.

Hi Yoshick, could you provide me the instructions in detail or any online resources to follow? I am also having this issue now. The Cognos Analytics version in my system is 11.1.x and the document provided by IBM doesn't work.

Are there any notes on generating the certificate for SQL Server? I used the command New-SelfSignedCertificate in PowerShell to generate a self-signed cert for SQL Server.

Thanks in advance.

jcw3631

nguyenb2, I am having the same issues. Here is what IBM provided me. I am having trouble getting the server and chain to combine. Maybe this document will help you get your issue resolved.

https://www.ibm.com/support/pages/how-add-3rd-party-ca-allow-ssl-between-components-ibm-cognos-analytics-11