FAQ: Security concerns regarding credentials stored in Content Store

Cognos 8/10 products need to store user credentials for two reasons:
- When a report is scheduled for future execution, user credentials must be stored with the object so they can be used for the planned execution.
- Data source sign-on credentials.

This can raise security concerns. Below you will find answers to the most common questions.

Q1: When IBM Cognos BI software stores credentials, where are those stored?
A1: Credentials are stored in the Content Store (CS) database.
Database security can be applied to protect the contents of the CS tables. Only a dedicated account should have read permission on the Content Store.
The credentials for accessing the Content Store are saved in the IBM Cognos BI C8/C10 configuration file in encrypted form.

Q2: Are the credentials stored in clear text in the CS database?
A2: Never. The credentials are encrypted with proven standard security algorithms. For obvious reasons, information on this encryption is considered IBM Cognos BI Private and is kept confidential.

Q3: Where exactly are the credentials stored?
The customer wants to verify the encrypted values.
A3: If there is an issue of confidence in IBM Cognos BI software, please get in touch with Sales and Product Management to get a written statement.
The exact location may change in every release, and the Content Store is considered a black box environment, regarded by IBM Cognos as completely unsupported for direct access.

Q4: Are the credentials dynamically updated upon password changes in the underlying external authentication source?
A4: NO. If the user account referred to in the credential changes its password, the credentials must be updated for Cognos as well. This applies to all configured authentication namespaces referring to the External Authentication Source accounts. This can be done using the "Renew Credentials" option in the User properties of the Account Object in Cognos Connection, or automated through the Software Development Kit (SDK).

Note that as of IBM Cognos BI version 10, any scheduled Job or Report automatically updates the stored credential in the schedule when run, eliminating the need for the user to use the "Renew Credentials" option. This prevents the Job or Report run from failing, as it previously did, when the user changed the password in the Authentication Source.

Q5: Are the credentials accessible externally, for example with Identity Management tools?
A5: NO. Since the credentials are encrypted and the Content Store is considered a black box environment, one MUST NOT access the tables with anything but IBM Cognos BI functionality.
Besides, it is not possible through the SDK or other means to write that credential directly to the Content Store. Doing so is considered a Security Audit Failure.

www.cogknowhow.com