If you are unable to create a new account, please email support@bspsoftware.com

 

[Solved] BI Server v10.2.2 Cryptography Config issue leads to CAM-CRP-1064 error

Started by r_aldrich, 08 Dec 2014 09:45:09 PM

Previous topic - Next topic

r_aldrich

I am experiencing CAM-CRP-1064 issue and am searching for resolution. 

I am in the process of deploying a new install of 10.2.2 and noticed in the <coginstall>/configuration folder, the encryptkeypair & signkeypair folders are not created.  The new 10.2.2 instance is being installed on same server as existing 10.2.1, its going into new directory with different port assignments.  Upon saving the cogstartup.xml new encryption folders are not created. I discovered the issue when importing a password protected deployment file from 10.2.1 and received this error: "CAM-CRP-1064 Unable to process the  PKCS #7 data".    I am also unable to save Signon passwords.

I initially thought I needed to regenerate the keys, and re-configured everything in cognos configuration. Rename the cogstartup.xml file. Open the configuration new cogstartup.xml will be generated. Then re-configure everything manually as per this document.
Reference #: 1341609                                                   
http://www-01.ibm.com/support/docview.wss?uid=swg21341609 As per the document, I renamed cogstartup.xml and csk folder and redid the configuration.   The missing folders were not CREATED.

I think the issue is with the default cogstartup.xml file which is included with 10.2.2
I have engaged IBM support and have asked them, why parameters for signkeypair and encryptkeypair are not included in the default cogstartup.xml file?

New Cryptography options are included in 10.2.2 , but I am not yet understanding how to enable them.  When I launch IBM Cognos Configuration and compare the Cryptography Configuration screens between 10.2.1 and 10.2.2, I see a new option in 10.2.2, but I don't see any signing or encryption key settings,   Reading the installation and configuration guide, but it's is still not clear to me how to get the options for the encryption folders to reappear.   Do I need to edit XML in cogstartup.xml ?  If any one has been through this issue, I would appreciate a little guidance on this.  Thanks,  Hopefully IBM support will have an answer, its only been 3 days now. 

To help everyone see the issue I have attached a word document with relevant print screens.
I will post the resolution once I have it, as I am sure others will stumble into this too.  If this was mentioned in the What's NEW in 10.2.2, I missed it.



r_aldrich

I believe I have it worked out.

The Cryptography options changed in 10.2.2 , I basically only read the opening chapter of the installation guide about New Features and Cryptography was not mentioned, So I assumed I could follow the same steps that I had done for 10.2.1 install.   Previously, we never concerned ourselves with replacing the default passwords for the keystores.  But apparently, you have to enter a password during the configuration setup.

Without entering passwords, No errors were generated and the Cognos portal appeared to work normally.  But once, I started to build database connections and store signons OR import deployment files that were encrypted, that's when I would get the error:
" CAM-CRP-1064 Unable to process the PKCS #7 data because of an internal error. Unable to find an appropriate common symmetric key to decrypt the data."

To resolve my issue, I launched IBM Cognos Configuration and stopped the service for this Single Server deployment
Then navigated to "Cryptography" / "CSK Settings" / "common symmetric key store password" and entered the Cognos default password "NoPassWordSet"   ( I could have changed the password, and probably would have needed to deleted the Configuration/CSK folder before I saved the changes.)
While I was at it, I also navigated to the next screen "Cryptography" / "Cognos" and entered the same default password for both "Key store password" and "Certificate Authority settings" / "Password"

I then saved and restarted the service.   Tested by importing an encrypted deployment file and created a new database connection with signon.   Both actions were successful.

Papave

r_aldrich,

Thank you very much for your post.

I had the exact same issue and solved it using your procedure!

Papave