Product:
Cognos Controller 10.4.2 fix pack 2
CONTRL_UPDATE_version=CCR-AW64-ML-RTM-10.4.2200.70-0
CONTRL_UPDATE_name=IBM Cognos Controller Update
Microsoft Windows 2019 server
Issue:
Inside the Cognos Controller client, when you use a Java menu such as Jobs – Define or Command Center, you get an error.
Caused by: com.ibm.cognos.ccr.common.FatalException: Failed to launch!
When you try to connect to the database in the DBconv program, you get an error.
org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: “The server selected protocol version TLS10 is not accepted by client preferences [TLS12]”. ClientConnectionId:ab713261-e19e-4c2d-b02b-8e7bce540fae DSRA0010E: SQL State = 08S01, Error Code = 0
Error Code: 0
You can check the Controller Web errors in the log files in the folder C:\Program Files\ibm\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web\logs
Solution:
The Java version shipped with Cognos Controller 10.4.2 FP2 is set by default to allow only TLS 1.2 communication.
Upgrade SQL Server to support TLS 1.2 or, as a workaround, change the Java 8 configuration to allow TLS 1.0 and TLS 1.1.
Go into the folder C:\Program Files\ibm\cognos\ccr_64\bin64\jre\8.0\lib\security and open the file java.security in Notepad++.
Change this line:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC
To this line:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC
By removing the TLSv1 and TLSv1.1 values, the system will support TLS 1.0 and TLS 1.1.
Also go into the Controller Web folder and make the same change.
Open the file C:\Program Files\ibm\cognos\ccr_64\fcmweb\jre\lib\security\java.security in Notepad++.
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including
# protocol version negotiation, cipher suites selection, signature schemes
# selection, peer authentication and key exchange mechanisms.
#
# Disabled algorithms will not be negotiated for SSL/TLS connections, even
# if they are enabled explicitly in an application.
#
# For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
# building and validation, including algorithms used in certificates, as
# well as revocation information such as CRLs and signed OCSP Responses.
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
#
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
# rsa_pkcs1_sha1
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation.
Save the file.
Reboot the Windows Controller server for the change to take effect.
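A check for the edit described above, as an added example that is not part of the original article or of IBM's tooling: it parses java.security text, joins the backslash-continued value, ignores the commented-out "Example:" lines, and reports which legacy protocol versions are no longer disabled. The sample texts are constructed from the lines quoted on this page, and the function names are hypothetical.

```python
import sys

PROP = "jdk.tls.disabledAlgorithms"
LEGACY = ("SSLv3", "TLSv1", "TLSv1.1")

# Constructed sample: the stock lines quoted on this page, including the
# commented-out "Example:" that must not be mistaken for the active setting.
STOCK = r"""
# Example:
#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
#       rsa_pkcs1_sha1
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC
"""
# Constructed sample: the same text after the workaround edit.
WORKAROUND = STOCK.replace("SSLv3, TLSv1, TLSv1.1, RC4", "SSLv3, RC4")

def logical_lines(text):
    """Yield property lines with backslash continuations joined; skip comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue                      # blank or comment (never continued)
        if line.endswith("\\"):
            buf += line[:-1]              # value continues on the next line
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def disabled_algorithms(text):
    """Entries of the last active jdk.tls.disabledAlgorithms definition."""
    entries = []
    for line in logical_lines(text):
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROP:
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries

def legacy_protocols_allowed(text):
    """Legacy protocol versions that this java.security text does not disable."""
    disabled = set(disabled_algorithms(text))
    return [p for p in LEGACY if p not in disabled]

if __name__ == "__main__":
    for path in sys.argv[1:]:             # e.g. both java.security files above
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, "->", legacy_protocols_allowed(fh.read()) or "none")
```

Pass both java.security paths as arguments to see whether the two JRE copies are in the same state.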
More information:
https://www.ibm.com/support/pages/how-configure-force-controller-use-tls-12