Certificate authentication

If your web server is configured to require client certificate authentication, you can use a client SSL certificate (client X509v3 certificate) to provide a seamless signon and secure communication between the IBM® Cognos® BI server and the native apps.

Tip: This type of authentication is also known as two-way SSL authentication or mutual authentication.

The certificate file must be in the PKCS12 format (extension .pkcs12) and must contain the identity of the client, in the form of a certificate and a private key. An administrator must set up a secure mechanism for importing the certificate file into the native apps and provide the certificate password to the users so that they can enter it when importing the certificate.

An administrator can provide the following mechanisms to import the client SSL certificate for Cognos Mobile iOS and Android apps:

A link to the certificate file from a website.
An administrator must direct users to a website that contains a link to the .pkcs12 file. Users tap on the link to import the file into the app. On Android devices, the users are prompted to save the file.
An email with the attached certificate file.
Users must download the attached .pkcs12 file. On Android devices, the users are prompted to save the file.
Copying the certificate file to the device.
In this scenario, the mobile device is tethered to a personal computer. For Android, the .pkcs12 file can be manually copied from the personal computer, to which an administrator securely supplies the file, to the mobile device. For iOS, the administrator or user can provide the .pkcs12 file through iTunes, by placing the file in the IBM Cognos Documents folder.

This method is not scalable and useful only to resolve one-time issues or perform one-time setups.

When selecting the .pkcs12 file on their mobile devices, users must select IBM Cognos Mobile from the Open With dialog box. The users are then prompted for the password associated with the .pkcs12 file in the Client Certificate dialog box. After the app opens, the certificate is stored in the password storage system, such as Keychain on iOS devices, on the user's mobile device.

Tip: On Android, if the Gmail app is unable to open a PKCS12 certificate, a possible workaround is to use another mail client, such as the default Email app. If that is not possible, using the .p12 certificate extension might allow the app to import it properly. When importing a certificate through a hyperlink, the .pkcs12 extension should be used.