Enabling FIPS mode
Federal Information Processing Standards (FIPS) is an American cryptographic standard that is published by the National Institute of Standards and Technology (NIST). IBM Cognos Analytics is not FIPS-certified. However, you can configure Cognos Analytics on all platforms to use only FIPS-certified security modules. When you complete this configuration, Cognos Analytics is in "FIPS mode".
For more information, see Federal information processing standards (FIPS) (https://www.nist.gov/federal-information-processing-standards-fips).
Before you begin
You must be running IBM JRE. Other JRE versions are not supported.
About this task
When in FIPS mode, IBM Cognos Analytics uses the FIPS 140-2 approved cryptographic providers: IBM® Crypto for C (Certificate 3064) and OpenSSL (Certificate 4282). The certificates are listed on the NIST website at https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search.
Limitations of FIPS mode
When Cognos Analytics is configured in FIPS mode:
- the Series 7 authentication provider is not available
- PDF password protection is disabled
- cogstartup.xml, keystores, and deployment archives are not encrypted using a FIPS-certified provider. If these files must be manually moved to a different computer, you must ensure that they are adequately protected during transport.
The supported cryptographic algorithms are limited only by the cryptographic providers listed above. You can configure IBM Cognos Analytics to use specific algorithms and TLS cipher suites. However, no runtime check is made to verify that the selected algorithms adhere to FIPS or any other standard. You are responsible for this verification.
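Because no runtime check is made, one way to do a first-pass screen of the cipher suites you selected is shown below. This is an added example, not IBM code: the `FLAGGED` list, the `screen_suites` function and the sample suite list are assumptions constructed for illustration, and a name-based screen does not replace checking your selection against the providers' validation certificates.

```python
import re

# Constructed screening list (not IBM's or NIST's): tokens in IANA/JSSE-style
# cipher suite names that denote algorithms without FIPS approval.
FLAGGED = {
    "NULL": "no encryption",
    "ANON": "unauthenticated key exchange",
    "EXPORT": "export-grade key lengths",
    "RC2": "RC2 is not an approved cipher",
    "RC4": "RC4 is not an approved cipher",
    "DES": "single DES is not approved",
    "3DES": "TDEA is disallowed for encryption after 2023 (NIST SP 800-131A Rev. 2)",
    "MD5": "MD5 is not an approved hash",
    "CHACHA20": "ChaCha20-Poly1305 is not an approved cipher",
    "CAMELLIA": "Camellia is not an approved cipher",
    "SEED": "SEED is not an approved cipher",
    "IDEA": "IDEA is not an approved cipher",
    "ARIA": "ARIA is not an approved cipher",
}


def screen_suites(suites):
    """Return {suite: [reasons]} for every suite name containing a flagged token."""
    findings = {}
    for suite in suites:
        tokens = suite.upper().split("_")
        # Match whole tokens only (optionally followed by digits, e.g. DES40),
        # so that "DES" does not fire on the "3DES" token.
        reasons = [why for name, why in FLAGGED.items()
                   if any(re.fullmatch(name + r"\d*", t) for t in tokens)]
        if reasons:
            findings[suite] = reasons
    return findings


# Constructed sample of a configured suite list (hypothetical selection).
CONFIGURED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for suite, reasons in screen_suites(CONFIGURED).items():
        print(f"{suite}: {'; '.join(reasons)}")
```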
If you use an existing content store, some legacy encrypted data that was persisted uses the algorithms that were configured when the data was generated. Currently, the only method of re-encrypting data in the content store is to do a full deployment export/import. If possible, this import should be into an empty content store.
Note: Your authentication provider must use the CAMKeystore method for LDAPS authentication. LDAPS that uses the legacy certutil database (NSPR networking) is not supported with FIPS.
If you try to use certutil LDAPS with FIPS, this error message appears:
CAM-AAA-0026 The function call to 'ldap_simple_bind_s' failed with error code: '81'
By default, Cognos Analytics FIPS mode is not enabled, as it can result in slightly reduced product performance.