Secure Reports
This topic describes how to secure pixel-perfect reporting.
Use Digital Signatures in PDF Reports
You can apply a digital signature to a PDF report.
Digital signatures enable you to verify the authenticity of the documents you send and receive. You can upload your digital signature file to a secure location, and at runtime sign the PDF report with the digital signature. The digital signature verifies the signer's identity and ensures that the document hasn't been altered after it was signed.
For additional information, refer to the Verisign and Adobe websites.
Prerequisites and Limitations of Digital Signatures
When you use digital signatures with PDF reports in Publisher, you must be aware of a few limitations.
A digital signature is obtained from a public certificate authority or from a private/internal certificate authority (if for internal use only).
Keep the following limitations in mind:
-
Only the reports scheduled in Publisher can include the digital signature.
- You can register multiple digital signatures and enable a digital signature at the instance level. At the report level, you can choose the digital signature you want to apply for the report. Multiple templates assigned to the same report share the digital signature properties.
Obtain Digital Certificates
You can obtain a digital certificate either by purchasing one or by using the self-sign method.
- To obtain a digital certificate, perform one of the following:
- Purchase a certificate from an authority, verify and trust the authenticity of the certificate, and then use Microsoft Internet Explorer to create a PFX file based on the certificate you purchased.
- Create a self-signed certificate using a software program such as Adobe Acrobat, Adobe Reader, OpenSSL, or OSDT as part of a PFX file, and then use the PFX file to sign PDF documents by registering it with Publisher. Bear in mind that anyone can create a self-signed certificate, so use care when verifying and trusting such a certificate.
Create PFX Files
If you obtained a digital certificate from a certificate authority, you can create a PFX file using that certificate.
You don't need to create a PFX file if a self-signed certificate PFX file already exists.
To create a PFX file with Microsoft Internet Explorer:
- Ensure that your digital certificate is saved on your computer.
- Open Microsoft Internet Explorer.
- From the Tools menu, click Internet Options and then click the Content tab.
- Click Certificates.
- In the Certificates dialog, click the tab that contains your digital certificate and then click the certificate.
- Click Export.
- Follow the steps in the Certificate Export Wizard. For assistance, refer to the documentation provided with Microsoft Internet Explorer.
- When prompted, select Use DER encoded binary X.509 as your export file format.
- When prompted, save your certificate as part of a PFX file to an accessible location on your computer.
After you create your PFX file, you can use it to sign PDF documents.
Apply a Digital Signature
You can set up and sign your PDF reports with a digital signature.
- Upload the digital signature files in Upload Center.
- Register the digital signature in the Publisher Administration page and specify the roles that are authorized to sign reports.
- If you have registered multiple digital signatures, set one as the default signature for the instance.
- In the Administration page, navigate to Security Center, and click Digital Signature.
- In the Digital Signature tab, select the digital signature file you want to set as default, and click Set as Default.
- In the Runtime Configuration page, set the Enable Digital Signature property to true.
- To configure a digital signature for a report, select the report and set the digital signature properties.
- In the Report Properties dialog, select the Formatting tab.
- Set the Enable Digital Signature property to true for the report.
- Select the digital signature for the report.
- Specify the display field name and location.
- Log in as a user with an authorized role and submit the report through the Publisher scheduler, choosing the PDF report. When the report completes, it's signed with your digital signature in the specified location of the report.
Register Your Digital Signature and Assign Authorized Roles
Register a digital signature and assign roles that can have the authority to sign documents with this digital signature.
- On the Administration tab, under Security Center, click Digital Signature.
- Select the digital signature file you uploaded in Upload Center and enter the password for the digital signature.
- Enable the Roles that must have the authority to sign documents with this digital signature. Use the shuttle buttons to move Available Roles to the Allowed Roles list.
- Click Apply.
Specify the Signature Display Field or Location
You must specify the location for the digital signature to appear in the completed document. The methods available depend on whether the template type is PDF or RTF.
If the template is PDF, use one of the following options:
-
Specify a template field in a PDF template for the digital signature.
-
Specify the location for the digital signature in the report properties.
If the template is RTF, specify the location for the digital signature in the report properties.
Specify a Template Field in a PDF Template for the Digital Signature
Include a field in the PDF template for digital signatures.
Report authors can add a new field or configure an existing field in the PDF template for the digital signature. See Add or Designate a Field for a Digital Signature.
Specify the Location For the Digital Signature in the Report
You can specify the location for the digital signature in the report.
When you specify a location in the document to place the digital signature, you can either specify a general location (Top Left, Top Center, or Top Right) or you can specify x and y coordinates in the document.
You can also specify the height and width of the field for the digital signature by using runtime properties. You don't need to alter the template to include a digital signature.
Run and Sign Reports with a Digital Signature
If you've been assigned a role that's been granted the digital signature privilege, you can sign a generated report with a signature, if the report has been configured to include signatures. You can sign only scheduled reports with signatures.
To sign reports with a digital signature:
Use PGP Keys for Encrypted Report Delivery
You can deliver PGP encrypted reports through FTP server or Content server.
You can configure the FTP server and Content server delivery channels to use the PGP public keys to deliver PGP encrypted files in binary or ASCII format.
Use Security Center to upload and download the PGP keys. The "BI Publisher Public Key" file is verifying the signature on signed files. If you configure a delivery channel to send signed documents, download the "BI Publisher Public Key" file (either in binary or ASCII format), and import the keys in the destination PGP system used to verify signature and decrypt the files delivered by Publisher.
Manage PGP Keys
You can upload and delete your PGP keys.
- From the Administration page, under Security Center, select PGP Keys.
- To upload PGP keys to keystore, click Choose File, select the PGP key file, and then click Upload.
- To delete the PGP keys you uploaded, in the PGP Keys table, click the delete icon corresponding to the PGP keys.
- To download the PGP public keys for signature verification, click the download icon corresponding to the public key file.
Encrypt PDF Documents
You can encrypt PDF documents to prevent unauthorized access to the file content.
The security level you set in the Encryption level PDF output property specifies the encryption algorithm used for the PDF document encryption. Define encryption for PDF documents at the server level or at the report level. See PDF Output Properties.
Publisher supports AES-256 encryption for:
- PDF documents generated from RTF and XPT templates using the FOProcessor or PDFGenerator utilities.
- PDF documents generated from PDF templates (PDF forms) using the FormProcessor utility. Publisher doesn’t support encrypted form input.
- PDF documents without password protection that are printed using either PDF to PostScript or PDF to PCL print filter. You can’t send an encrypted PDF document to a CUPS printer or an IPP printer without a filter.
Publisher uses the AES implementation of JCE (Java Cryptography Extension) for encrypting and decrypting documents. If you want to use the AES 256-bit encryption for PDF documents, you need the JCE Unlimited Strength Jurisdiction Policy installed on the JVM that runs the container that has the Publisher installation, but this policy isn't required for the AES 128-bit encryption.
Publisher doesn't support encrypted input.
PDF Document Encryption Algorithms
Publisher uses an encryption algorithm based on the PDF document security setting.
Security Level | Encryption Scheme | PDF Version | Acrobat Version |
---|---|---|---|
Low | RC4 (40bit) | 1.1 | 3.0 |
Medium | RC4 (128bit) | 1.4 | 5.0 |
High | AES (128bit) | 1.5 | 7.0 |
Highest | AES (256bit) | 1.7 (extension level 5) | X |