Enabling FIPS mode

Federal Information Processing Standards (FIPS) is an American cryptographic standard that is published by the National Institute of Standards and Technology (NIST). IBM Cognos Analytics is not FIPS-certified. However, you can configure Cognos Analytics on all platforms to use only FIPS-certified security modules. When you complete this configuration, Cognos Analytics is in "FIPS mode".

For more information, see Federal information processing standards (FIPS) (https://www.nist.gov/federal-information-processing-standards-fips).

Before you begin

You must be running IBM JRE. Other JRE versions are not supported.

About this task

When in FIPS mode, IBM Cognos Analytics uses the FIPS 140-2 approved cryptographic providers: IBM® Crypto for C (Certificate 3064) and OpenSSL (Certificate 4282). The certificates are listed on the NIST web site at https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search.

Note: IBM® Crypto for C is in the process of achieving FIPS 140-3 certification, as seen here: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List

Limitations of FIPS mode

When Cognos Analytics is configured in FIPS mode,

  • the Series 7 authentication provider is not available
  • PDF password protection is disabled
  • cogstartup.xml, keystores, and deployment archives are not encrypted using a FIPS-certified provider. If these files must be manually moved to a different computer, you must ensure that they are adequately protected during transport.

The supported cryptographic algorithms are limited only by the cryptographic providers listed above. You can configure IBM Cognos Analytics to use specific algorithms and TLS cipher suites. However, no runtime check is made to verify that the selected algorithms adhere to FIPS or any other standard. You are responsible for this verification.

If you use an existing content store, some legacy encrypted data that was persisted uses the algorithms that were configured when it was generated. Currently, the only method of re-encrypting data in the content store is to do a full deployment export/import. If possible, this import should be into an empty content store.

Note:

Your authentication provider must use the CAMKeystore method for LDAPS authentication. LDAPS that uses the legacy certutil database (NSPR networking) is not supported with FIPS.

If you try to use certutil LDAPS with FIPS, this error message appears:

CAM-AAA-0026 The function call to 'ldap_simple_bind_s' failed with error code: '81' 

By default, Cognos Analytics FIPS mode is not enabled, as it can result in slightly reduced product performance.

Procedure

  1. Add a FIPS-certified security encryption module to your list of service providers.
    1. Go to the installation_location/ibm-jre/lib/jre/security folder.
    2. Open the file java.security in a text editor.
      A list of security providers is displayed. Each entry contains a number that indicates the ranked preference for that provider. Here is an example:
      security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.2=com.ibm.crypto.provider.IBMJCE
      security.provider.3=com.ibm.crypto.plus.provider.IBMJCEPlus
      Important: The existing provider IBMJSSEProvider2 must remain first in the list. You must now add IBMJCEPlusFIPS as the second provider in the list.
    3. Add a new line to the second position of the list that defines IBMJCEPlusFIPS as the service provider. Then re-number each provider's rank to reflect the new order.
      Using the previous example, the expanded list now appears as follows:
      security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
      security.provider.3=com.ibm.crypto.provider.IBMJCE
      security.provider.4=com.ibm.crypto.plus.provider.IBMJCEPlus
  2. Enable the FIPS service provider.
    1. Go to the installation_location/bin64 folder.
    2. Open the file bootstrap_wlp_xxxx.xml in a text editor.
    3. Add the following two lines in the <start> section:
      <param condName="${java_vendor}" condValue="IBM">-Dcom.ibm.jsse2.usefipsprovider=true</param>
      <param condName="${java_vendor}" condValue="IBM">-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS</param>
  3. Specify FIPS conformance in Cognos Configuration.
    1. In Cognos Configuration, select Security > Cryptography.
    2. Set the Standard conformance property to FIPS 140-2.
    3. Save the configuration.
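A check for the two file edits in steps 1 and 2, as an added example that is not IBM code: it verifies that IBMJSSEProvider2 stays first and IBMJCEPlusFIPS is second with contiguous ranks in java.security, and that both -D parameters sit under the <start> element of the bootstrap file. The java.security and bootstrap excerpts are constructed samples, and the bootstrap root element name is an assumption.

```python
# Added check for steps 1 and 2 of the procedure; not IBM code. Both excerpts
# below are constructed samples; the bootstrap root element name is assumed.
import re
import xml.etree.ElementTree as ET

JSSE = "com.ibm.jsse2.IBMJSSEProvider2"
FIPS_NAME = "IBMJCEPlusFIPS"
FIPS = "com.ibm.crypto.plus.provider." + FIPS_NAME
PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)\s*=\s*(\S+)$")
REQUIRED_FLAGS = {"-Dcom.ibm.jsse2.usefipsprovider=true",
                  "-Dcom.ibm.jsse2.usefipsProviderName=" + FIPS_NAME}

SAMPLE_SECURITY = """# constructed excerpt of java.security before step 1
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.crypto.plus.provider.IBMJCEPlus
"""
SAMPLE_BOOTSTRAP = """<bootstrap><start>
<param condName="${java_vendor}" condValue="IBM">-Dcom.ibm.jsse2.usefipsprovider=true</param>
<param condName="${java_vendor}" condValue="IBM">-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS</param>
</start></bootstrap>"""

def provider_ranks(text):
    """Map rank -> provider class for every security.provider.N line."""
    matches = (PROVIDER_RE.match(l.strip()) for l in text.splitlines())
    return {int(m.group(1)): m.group(2) for m in matches if m}

def provider_order_ok(text):
    """Step 1 done right: JSSE first, IBMJCEPlusFIPS second, ranks 1..n with no gaps."""
    ranks = provider_ranks(text)
    ordered = [ranks[k] for k in sorted(ranks)]
    contiguous = sorted(ranks) == list(range(1, len(ranks) + 1))
    return contiguous and ordered[:2] == [JSSE, FIPS]

def insert_fips_provider(text):
    """Apply step 1: insert IBMJCEPlusFIPS at position 2 and renumber; idempotent."""
    ordered = [p for _, p in sorted(provider_ranks(text).items())]
    if FIPS not in ordered:
        ordered.insert(1, FIPS)
    kept = [l for l in text.splitlines() if not PROVIDER_RE.match(l.strip())]
    new = ["security.provider.%d=%s" % (i, p) for i, p in enumerate(ordered, 1)]
    return "\n".join(kept + new) + "\n"

def bootstrap_params_ok(xml_text):
    """Step 2 done right: both -D flags are <param> entries under <start> for the IBM JVM."""
    start = ET.fromstring(xml_text).find(".//start")
    if start is None:
        return False
    flags = {p.text.strip() for p in start.findall("param")
             if p.get("condValue") == "IBM" and p.text}
    return REQUIRED_FLAGS <= flags
```

Run it against a copy of your real java.security and bootstrap_wlp_xxxx.xml by reading the files into the two check functions; a False result means the corresponding step needs to be redone.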