SSRS Encryption Keys - Initialize a Report Server
In Reporting Services, an initialized server is one that can encrypt and decrypt data in a report server database. Initialization is a requirement for report server operation. It occurs when the Report Server service is started for the first time, when you join the report server to an existing scale-out deployment, or when you manually recreate the keys as part of the recovery process. For more information about how and why encryption keys are used, see Configure and Manage Encryption Keys (Report Server Configuration Manager) and Store Encrypted Report Server Data (Report Server Configuration Manager).
Encryption keys are based partly on the profile information of the Report Server service. If you change the user identity used to run the Report Server service, you must update the keys accordingly. If you are using the Reporting Services Configuration tool to change the identity, this step is handled for you automatically.
If initialization fails for some reason, the report server returns an RSReportServerNotActivated error in response to user and service requests. In this case, you may need to troubleshoot the system or server configuration. For more information, see SSRS: Troubleshoot Issues and Errors with Reporting Services (https://social.technet.microsoft.com/wiki/contents/articles/1633.aspx) in Technet Wiki.
Overview of the Initialization Process
The initialization process creates and stores a symmetric key used for encryption. The symmetric key is created by the Microsoft Windows Cryptographic Services and subsequently used by the Report Server service to encrypt and decrypt data. The symmetric key is itself encrypted with an asymmetric key.
The following steps describe the initialization process:
1. At initial start-up, the Report Server service reads the RSReportServer.config file to get the installation identifier and database connection information.
2. The Report Server service requests a public key from Cryptographic Services. Windows creates a private and public key pair and sends the public key to the Report Server service.
3. The Report Server service connects to the report server database and stores the installation identifier and public key values.
4. The Report Server service calls into Cryptographic Services again, this time to request a symmetric key. Windows creates the symmetric key.
5. The Report Server service connects to the report server database again and adds the symmetric key to the public key and installation identifier values that were stored in step 3. Before storing it, the Report Server service uses its public key to encrypt the symmetric key. Once the symmetric key is stored, the report server is considered initialized and available to use.
Initializing a Report Server for Scale-out Deployment
Reporting Services supports a scale-out deployment model that shares a single report server database among multiple report server instances. To join a scale-out deployment, a report server must create and store its own copy of the symmetric key in the shared database. Although all servers that share the database use a single symmetric key, each report server has its own copy of that key, and each copy differs because it is encrypted with that server's own public key.
The first steps for initializing a report server for scale-out deployment are identical to the first three steps that describe initialization for a single server and database combination.
The initialization process for a scale-out deployment differs in how the report server gets the symmetric key. When the first server is initialized, it gets the symmetric key from Windows. When the second server is initialized during configuration for scale-out deployment, it gets the symmetric key from the Report Server service that is already initialized. The first report server instance uses the public key of the second instance to create an encrypted copy of the symmetric key for the second report server instance. The symmetric key is never exposed as plain text at any point in this process.
How to Initialize a Report Server
To initialize a report server, use the Reporting Services Configuration tool. Initialization occurs automatically when you create and configure the report server database. For more information, see Configure a Report Server Database Connection (Report Server Configuration Manager).
To initialize a report server for scale-out deployment, you can use the Initialization page in the Reporting Services Configuration tool or the RSKeymgmt utility. To follow step-by-step instructions, see Configure a Native Mode Report Server Scale-Out Deployment (Report Server Configuration Manager).
RSKeymgmt is a console application that you run from a command line on a computer that hosts a report server instance that is already part of a scale-out deployment. When you run the utility, you specify arguments to select a remote report server instance that you want to initialize.
A report server will be initialized only if there is a match between the installation identifier and the public key. If the match succeeds, a symmetric key is created that permits reversible encryption. If the match fails, the report server is disabled; in that case you may need to restore a backup key, or delete the encrypted data if no valid backup key is available. For more information about encryption keys used by a report server, see Configure and Manage Encryption Keys (Report Server Configuration Manager).
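The single-server initialization (steps 2 to 5 above), the scale-out hand-off of the symmetric key, and the installation-identifier/public-key match just described, modelled as an added Go example that is not Reporting Services' own code. It assumes RSA-OAEP for wrapping the symmetric key (the page does not name the algorithms Windows Cryptographic Services uses), an in-memory map standing in for the report server database, and constructed installation identifiers.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// KeyRecord is one shared-database row per installation ID: public key plus wrapped symmetric key.
type KeyRecord struct {
	PublicKey  *rsa.PublicKey
	WrappedKey []byte
}

// wrap encrypts the symmetric key under a server's public key (RSA-OAEP is an assumption).
func wrap(pub *rsa.PublicKey, key []byte) []byte {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		panic(err)
	}
	return ct
}

// InitializeFirst is steps 3 to 5 for the first server: sym is the symmetric key
// Cryptographic Services returned; only its wrapped form reaches the database.
func InitializeFirst(db map[string]*KeyRecord, id string, priv *rsa.PrivateKey, sym []byte) {
	db[id] = &KeyRecord{&priv.PublicKey, wrap(&priv.PublicKey, sym)}
}

// Unwrap yields the symmetric key only when both the installation ID and the
// public key match the stored record; otherwise the server is not activated.
func Unwrap(db map[string]*KeyRecord, id string, priv *rsa.PrivateKey) ([]byte, error) {
	rec, ok := db[id]
	if !ok || !rec.PublicKey.Equal(&priv.PublicKey) {
		return nil, errors.New("installation ID/public key mismatch: RSReportServerNotActivated")
	}
	return rsa.DecryptOAEP(sha256.New(), nil, priv, rec.WrappedKey, nil)
}

// JoinScaleOut: an already initialized server (id, priv) re-wraps the shared key under
// the joining server's public key, so each server holds its own distinct wrapped copy.
func JoinScaleOut(db map[string]*KeyRecord, id string, priv *rsa.PrivateKey, joinerID string, joinerPub *rsa.PublicKey) error {
	sym, err := Unwrap(db, id, priv)
	if err != nil {
		return err
	}
	db[joinerID] = &KeyRecord{joinerPub, wrap(joinerPub, sym)}
	return nil
}
```

The plaintext key exists only inside the process of a server that has already passed the match check; the database ever holds only per-server wrapped copies.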
You can also use the Reporting Services Windows Management Instrumentation (WMI) provider to initialize a report server programmatically. For more information, see Access the Reporting Services WMI Provider.
How to Confirm a Report Server Initialization
To confirm report server initialization, ping the Report Server Web service by typing https://<servername>/reportserver in the command window. If the RSReportServerNotActivated error is returned, initialization failed.