Cognos Analytics with Watson

 View Only

Reenabling access to TLS1.0 JDBC Data Sources after patching to CA 11.1.7 FP4+

By Andrew Copeland posted 8 days ago

Recently, I have been undertaking a lot of patching for clients to cover off the log4j issues inside Cognos Analytics. This has led me to update a number of clients from earlier fix pack levels of CA to the latest 11.1.7 FP4+.

I have to say I haven't hit any issues as a direct result of the patch but an interesting gotcha has appeared between Fix Pack 3 and 4 with the disabling of TLS1.0 and TLS1.1 data source connections via JDBC. 

When you test a connection to a legacy data source (this example is SQL Server 2008 R2) the connection via JDBC fails with the error below. Previously, this has worked.

This issue is due to changes to the Java Runtime Environment deployed between Cognos Analytics 11.1.7 FP3 and FP4. The Java Security policy has added TLS1.0 and TLS1.1 to a list of disabled algorithms and SQL Server 2008 R2 defaults to using TLS1.0.

The first option is to configure SQL Server to use TLS1.2 instead which will resolve the issue but in this case you don’t know what else relies on connecting to the database server and this could break other systems outside of IBM Cognos.

Therefore, to permit TLS1.0 and TLS1.1 Algorithms you need to perform the following changes to each Cognos server:

  • In Windows Explorer, navigate to the ibm_jre\jre\lib\security folder inside your Cognos Analytics installation.

  • Edit the file I use NotePad++ for ease of use.
  • Search the file for the string ‘jdk.tls.disabledAlgorithms’.
  • Make a copy out of the line and comment out one of them using a #.
  • Alter the list to take out the references to TLSv1 and TLSv1.1.
  • Save the file overwriting the existing one.
  • Restart the IBM Cognos Service for the change to take effect.
  • Retest the Connection and now the client and JDBC connections should test successfully.


The existing line in should read:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \

       EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC


and the modified version should look like:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \

       EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC