Export (0) Print
Expand All
1 out of 3 rated this helpful - Rate this topic

Managing Encryption Keys

SQL Server 2000

Reporting Services uses encryption keys to secure credentials, connection information, and accounts that are used in server operations. Encryption keys are created during setup. As soon as you finish installing Reporting Services, you should make a copy of the symmetric key that supports reversible encryption. If you ever need to repair a Reporting Services installation due to changes in computer name, instance name, or user account values, you can apply the key to make the report server database operational. If for some reason the keys cannot be restored, you can recover the database by deleting the encrypted data and respecifying any values that require encryption.

Copying Encryption Keys to Disk

Reporting Services provides the rskeymgmt utility that you can use to extract a copy of the encryption key from the report server database. The utility writes the key to a file that you specify, and then scrambles the key using a password that you provide. After the file is created, you must store it in a secure location and remember the password that is used to unlock the file. Follow these steps to create a backup of the encryption key.

  1. Insert a diskette into the floppy disk drive.
  2. Run rskeymgmt.exe locally on the computer that hosts the report server. You must use the -e extract argument to copy the keys, provide a fully-qualified file name, and specify a password. The following example illustrates the arguments you must specify:
    rskeymgmt -e -fa:\rsdbkey.txt -p<password>
    
  3. Store the diskette in a secure location.
Apply Encryption Keys to a Report Server Database

In some cases, modifications that you make to an existing Reporting Services installation can temporarily disable a report server database. The error message "rsReportServerDisabled" occurs when this condition is present. The following changes can produce this error:

  • Modifying the user account that is used to run the Report Server Web service.
  • Modifying the SQL Server instance name (a report server instance is based on a SQL Server instance name).
  • Modifying the computer name of an installation (for example, when a hardware failure or upgrade occurs, and you reinstall or apply a disk image to a new computer). Even if the new computer uses the same name as the old computer, the installation ID in RSReportServer.config will not be valid for the new computer.

To repair a Reporting Services installation, it helps if you have a copy of the encryption key on file. You must also know the password that unlocks the file. If you have the key and the password, you can run rskeymgmt utility to return the report server database to operation.

Note  You can still recover a report server database if you do not have key backup. In this case, you must delete encrypted data and respecify all encrypted values used in your installation. Deleting encrypted data is discussed later in this topic.

Follow these steps to apply the encryption key to the report server database:

  1. Insert the diskette that contains the backup copy of the encryption key.
  2. Run rskeymgmt.exe locally on the computer that hosts the report server. You must use the -a apply argument to copy the keys, provide a fully-qualified file name, and specify a password. The following example illustrates the arguments you must specify:
    rskeymgmt -a -fa:\rsdbkey.txt -p<password>
    
  3. Restart Internet Information Service (IIS).
Deleting Unusable Encrypted Content

If you cannot enable a report server database, you must delete the encrypted values that are used in your Reporting Services installation. You can use rskeymgmt utility to remove the values.

Follow these steps to apply the encryption key to the report server database:

  1. Run rskeymgmt.exe locally on the computer that hosts the report server. You must use the -d apply argument. The following example illustrates the argument you must specify:
    rskeymgmt -d
    
  2. Restart Internet Information Service (IIS).

After the values are removed, you must re-specify the values as follows:

  1. Run rsconfig utility to specify a report server connection. This step replaces the report server connection information. For more information, see Configuring a Report Server Connection and rsconfig Utility.
  2. If you are supporting unattended report execution for reports that do not use credentials, run rsconfig to specify the account used for this purpose. For more information, see Configuring an Account for Unattended Report Processing.
  3. For each report and shared data source that uses stored credentials, you must retype the user name and password. For more information, see Specifying Credential and Connection Information.
  4. Open and resave each subscription. Subscriptions retain residual information about the encrypted credentials deleted during the rskeymgmt delete operation. You can update the subscription by opening and saving it. You do not need to modify or recreate it.

For more information about encrypted values and how they are stored, see Storing Encrypted Data in a Report Server Database.

See Also

rskeymgmt Utility

Administering a Report Server Database

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.