Configuring IBM Cognos Controller 8 to use Access Manager Authentication


Guideline
Configuring IBM Cognos Controller 8 to use Access Manager
Product(s): IBM Cognos Controller 8.1
Area of Interest: Security

Copyright

Copyright 2008 Cognos ULC (formerly Cognos Incorporated). Cognos ULC is an IBM Company. While every attempt has been made to ensure that the information in this document is accurate and complete, some typographical errors or technical inaccuracies may exist. Cognos does not accept responsibility for any kind of loss resulting from the use of information contained in this document. This document shows the publication date. The information contained in this document is subject to change without notice. Any improvements or changes to the information contained in this document will be documented in subsequent editions. This document contains proprietary information of Cognos. All rights are reserved. No part of this document may be copied, photocopied, reproduced, stored in a retrieval system, transmitted in any form or by any means, or translated into another language without the prior written consent of Cognos. Cognos and the Cognos logo are trademarks of Cognos ULC (formerly Cognos Incorporated) in the United States and/or other countries. IBM and the IBM logo are trademarks of International Business Machines Corporation in the United States, or other countries, or both. All other names are trademarks or registered trademarks of their respective companies. Information about Cognos products can be found at This document is maintained by the Best Practices, Product and Technology team. You can send comments, suggestions, and additions to cscogpp@ca.ibm.com.

Contents

1 INTRODUCTION
  PURPOSE
  APPLICABILITY
  EXCLUSIONS AND EXCEPTIONS
CONFIGURING ACCESS MANAGER WITH CONTROLLER
  OVERVIEW
  DISABLE ANONYMOUS ACCESS
  RESTRICT USER ACCESS TO THE COGNOS NAMESPACE
  CONFIGURE IBM COGNOS 8 TO USE AN IBM COGNOS SERIES 7 NAMESPACE
  ENABLING SINGLE SIGNON BETWEEN IBM COGNOS SERIES 7 AND IBM COGNOS 8 CONTROLLER
  ADD IBM COGNOS CONTROLLER USERS TO THE IBM COGNOS CONTROLLER ROLES
  SETTING CONTROLLER TO USE ACCESS MANAGER SECURITY
  ADDITIONAL INFORMATION ABOUT USING ACCESS MANAGER
  MAP IBM COGNOS CONTROLLER USERS TO IBM COGNOS 8 USERS
  SWAPPING BETWEEN NATIVE AND WINDOWS SECURITY
APPENDIX #1 - CONFIGURE NATIVE AUTHENTICATION
APPENDIX #2 ADVANCED CONFIGURATION:
APPENDIX #3 DELETE AN AUTHENTICATION PROVIDER

1 Introduction

1.1 Purpose

This document is a guide on how to configure a Controller 8 application server with Access Manager.

1.2 Applicability

Controller

1.3 Exclusions and Exceptions

There are no known exclusions and exceptions at the time this document was created.

2 Configuring Access Manager with Controller

2.1 Overview

This document is a guide on how to configure a Controller 8 application server with Access Manager. Upon completion, your system will use Series 7 or 8 Access Manager users and classes inside the Controller 8 application.

For the purposes of this document, there is only one Controller 8 application server and Series 7 or 8 Access Manager is installed. For more information about setting up your environment, see 01. Cognos Consulting - Installing & Configuring Directory Services _iplanet_ v1.0c.pdf (also available from the Proven Practices collection).

IBM Cognos 8 Controller can use the following 3 types of security logon authentication methods:
- Native [1] (stored inside the Controller database)
- Series 8
- Microsoft Windows [2]

To configure IBM Cognos 8 Controller to run with Series 8 (or Windows), you must:
- configure Controller 8 to run with authenticated access
- add Controller users to the IBM Cognos roles
- map Controller roles to the IBM Cognos 8 users

[1] For more information, see Appendix #1.
[2] If you want to use Microsoft SQL Server as a data source and use single signon for authentication, you must use Active Directory as your authentication source.

2.2 Disable Anonymous Access

By default, IBM Cognos 8 components, such as report server, do not require user authentication.

On the Controller 8 application server, open IBM Cognos Configuration.
In the Explorer window, go to Security > > Cognos. This is the Cognos namespace, which stores information about Cognos groups, such as the Anonymous User, contacts, and distribution lists, and refers to objects in other security namespaces.
Set Allow anonymous access to False.
From the File menu click Save.

Users are now required to provide logon credentials when they access IBM Cognos resources such as IBM Cognos Connection.

2.3 Restrict User Access to the Cognos Namespace

Access can be restricted to users belonging to any group or role defined in the IBM Cognos built-in namespace. All users belong to several built-in groups or roles. To restrict access, you must:
- enable the property to restrict access
- remove the Everyone group from the Cognos built-in roles and groups
- ensure that authorized users belong to at least one Cognos role or group

Open IBM Cognos Configuration and go to Security >.
Change the value of Restrict access to members of the built-in namespace to True.
From the File menu, click Save.

2.4 Configure IBM Cognos 8 to Use a Cognos Series 7 Namespace

First you must configure an IBM Cognos Series 7 namespace as the authentication provider. Note that you cannot use a Local File (.LAE) for use with IBM Cognos 8. Upon completion of these steps you may need to reboot your computer.

On the application server, open IBM Cognos Configuration.
Under Security, right-click, and click New resource > Namespace. [3]
In the Name box, enter a name for your authentication namespace (for example, Series7) and ensure the Type is set to IBM Cognos Series 7.
For the Namespace ID property, specify a unique identifier. Use a short name, with no spaces, for the identifier.
Specify the values for all other required properties to ensure that IBM Cognos 8 components can locate and use your existing authentication provider.

If you use more than one Content Manager computer (you have more than one application server), you must configure identical authentication providers on each Content Manager computer. This means that the type of authentication provider you select and the way you configure it must be identical on all computers for all platforms.

[3] If you deleted this new namespace using IBM Cognos Configuration, you must complete the process by also deleting it in the IBM Cognos Connection portal. For more information, see Appendix #3. Important: You must not delete the Cognos namespace. It contains authentication data that pertains to all users and is required to save the configuration.
[4] IBM Cognos 8 Controller components support the following types of servers as authentication sources: Active Directory Server, IBM Cognos Series 7, Custom Provider, LDAP, Netegrity SiteMinder, NTLM.

In Access Manager, select the namespace and from the right-click menu select Properties.
Click the General tab to see the Namespace version.

If the Namespace version is 16.0, ensure that the Data encoding property is set to UTF-8. In addition, the computers where Content Manager is installed must use the same locale as the data in the Series 7 namespace.

If the namespace version is 15.2, then you must disable the Series7NamespacesAreUnicode setting:
In the Properties window, in the Advanced Properties value, click Edit.
In the Value - Advanced properties window, click Add.
In the Name box, type Series7NamespacesAreUnicode.
In the Value box, type False, and then click OK.

In the Properties window, under Cookie settings, ensure that the Path, Domain, and Secure flag enabled properties match the settings configured for IBM Cognos Series 7.

Click File > Save.
Test the connection by right-clicking the new authentication resource and selecting Test.

In the Explorer window, expand Local Configuration > Environment.
In the right pane, locate Controller URI for gateway and enter as the URI. (original default =

If you want to restrict the number of namespaces to log on to, then you configure the gateway namespace property.

Now, you must restart your IBM Cognos 8 services. In some cases, you may need to reboot your computer.

2.5 Enabling Single Signon between IBM Cognos Series 7 and IBM Cognos 8 Controller

Open Configuration Manager and click Open the current configuration.
On the Components tab, expand Services > Access Manager Runtime > Cookie Settings.
In the Properties window, ensure that the Path, Domain and Secure Flag Enabled properties match the settings configured for IBM Cognos 8 Controller.
Save and close Configuration Manager.

2.6 Add IBM Cognos Controller Users to the IBM Cognos Controller Roles

The next step is to use the IBM Cognos Connection portal to:
- Remove the group Everyone from the built-in role/groups called Controller Users.
- Ensure that all the authorized Access Manager users belong to at least one IBM Cognos Controller built-in role or group [5], for example Controller Users or Controller Administrators.

NOTE: Some versions of Controller allow you to add Access Manager groups inside the IBM Cognos Controller groups. However, many Controller installations only work if you add each individual user's name explicitly (not just a group).

[5] In Controller 8, you can use: users, groups, and roles created in third-party authentication providers and groups and roles created in Controller 8.

Steps
1. Open IBM Cognos Connection in your web browser.
2. From the Tools menu, click Directory.
3. On the Users, Groups, and Roles tab, click the Cognos namespace.
4. In the Actions column, click the Properties button for the Controller Administrators role.
5. Click the Members tab.
6. To add members, click Add and choose how to select members. To choose from listed entries, click the appropriate namespace (for example, Series7).
7. If you cannot click the Series7 namespace, you may need to log on. Access Manager user names and passwords are case sensitive.
8. Select the check boxes next to the users, groups, or roles on the left hand side of the screen.
   NOTE: For some installations, it is possible to add Access Manager groups inside the Controller roles (for example, Controller users and Controller Administrators). However, you have to add each end user.
9. Click the right-arrow button and when the entries you want appear in the Selected entries box, click OK.
10. On the Members tab, if there is an Everyone namespace, select it and then click Remove.
11. Click OK.

Repeat the steps above for the Controller Users role, and click OK.

NOTE: The Controller Administrators role must be a member of the Controller Users role. You must add the role Controller Administrators from the Cognos namespace:
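The membership rules in this section can be checked mechanically once the role members are written down. The following is an added example, not part of the original guideline and not IBM code: the membership dictionaries, the "Cognos:" and "Series7:" name prefixes and the user jsmith are constructed, and only direct membership is counted because of the NOTE about groups above.

```python
# Added example. The membership data below is constructed for illustration;
# it is not an export format produced by IBM Cognos.
EVERYONE = "Cognos:Everyone"
ADMINS = "Cognos:Controller Administrators"
USERS = "Cognos:Controller Users"


def audit_roles(members, authorized_users, groups=frozenset()):
    """Check the two Controller roles against the rules in this section.

    members:          role name -> set of direct members
    authorized_users: accounts that are meant to reach Controller
    groups:           member names that are groups rather than users
    Returns a list of findings; an empty list means every rule holds.
    """
    findings = []
    for role in (USERS, ADMINS):
        direct = members.get(role, set())
        if EVERYONE in direct:
            findings.append(f"{role}: Everyone is still a member")
        for group in sorted(direct & set(groups)):
            findings.append(
                f"{role}: {group} is a group; add each user explicitly if logon fails")
    if ADMINS not in members.get(USERS, set()):
        findings.append(f"{USERS}: {ADMINS} is not a member")
    # Only direct membership counts here, because the guide warns that many
    # installations do not honour membership granted through a group.
    direct_users = members.get(USERS, set()) | members.get(ADMINS, set())
    for user in sorted(set(authorized_users) - direct_users):
        findings.append(f"{user}: not a direct member of any Controller role")
    return findings


# Constructed sample: state before and after the steps above are applied.
AUTHORIZED = {"Series7:ADM", "Series7:jsmith"}
GROUPS = {"Series7:Finance"}
BEFORE = {USERS: {EVERYONE, "Series7:Finance"}, ADMINS: {"Series7:ADM"}}
AFTER = {USERS: {ADMINS, "Series7:jsmith"}, ADMINS: {"Series7:ADM"}}

if __name__ == "__main__":
    for label, state in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_roles(state, AUTHORIZED, GROUPS) or "no findings")
```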

2.7 Setting Controller to use Access Manager security

Open IBM Cognos Controller Configuration.
In the Explorer window, click IBM Cognos Controller Configuration > Web Server > Server.
From the Select authentication method list select Series 8.
Set the Dispatcher URI to
Click File > Save.

If you launched Controller now, you may get the error "An error occurred while trying to access server". To solve this, create a new user inside Access Manager.

Open Access Manager.
Click Directory Servers > Server Name > Default.
Right click Users and select Add User.
In the Name text box enter Controller Administrator.
In the First Name text box enter Controller.
In the Last name text box enter Administrator.

Click the User Signon tab.
Select the Basic signon check box.
In the UserID text box enter ADM and enter the appropriate password.
Click the Memberships tab.
Select the Root User Class check box.
Right click the Default namespace and select Properties.
Click the Signons tab.
In the Active Signons section, click Both.

Now, it's time to test.
Right-click the Access Manager key icon in your System Tray and select Log Out.
Now open Access Manager, and log on as ADM.

2.8 Additional information about using Access Manager

If you use IBM Cognos Access Manager, optimise your user/userclass structures to avoid potential future performance problems. For example, you should avoid using a flat user/userclass structure.

Since an LDAP server is a hierarchical database, it makes use of smaller parent:child ratios in the structure. For optimal performance, the following should be done:
- For users, create folders (use the first letter of user name) and sort the applicable users to these folders.
- For user classes, create dummy user classes into which the existing user classes can be sorted, to get a better parent:child ratio of user classes.
- Try to avoid users belonging to too many user classes.

2.9 Map IBM Cognos Controller Users to IBM Cognos 8 Users

After you add IBM Cognos Controller users to the IBM Cognos Controller roles, you must create an association between the users defined in the IBM Cognos Controller application and those defined in the IBM Cognos 8 namespace roles.

NOTE: Associations can only be created by a user who is a member of the Controller Administrators role in IBM Cognos Connection. [6]

Steps
1. Open IBM Cognos Controller.
2. From the Maintain menu, click Rights, Users.
3. In the Create New box, click the drop-down arrow and then click User.
4. Beside the first User Id box, click Browse and then select the user as defined in the IBM Cognos 8 namespace roles.
5. Beside the second User Id box, click Browse and then select the user as defined in the IBM Cognos Controller database.
6. In the Name box, type the name of the IBM Cognos Controller user.
7. In the Address box, type the address for the IBM Cognos Controller user.
8. Beside the User Group box, click Browse and then select the user group for the Cognos Controller user.
9. Under Options, select the appropriate checkbox to identify the user.
10. You can identify the user as either an IBM Cognos Controller User or IBM Cognos Controller Administrator. You can add optional comments for the user, as well as the user's location.
11. Click Save.

[6] For more information about setting user rights and limitations in IBM Cognos Controller, see the IBM Cognos Controller User Guide.

2.10 Swapping between Native and Windows security

To change from Windows to Native, ensure that there are no users on the system.
Open Controller Configuration.
Click Web Services Server > Server.
Change method from Windows to Native.
Open IBM Cognos Configuration.
Click Security > > Cognos and set Allow Anonymous Access to True.
Click File > Save and restart your IBM Cognos 8 service.

To change from Native to Windows, ensure that there are no users on the system.
Open Controller Configuration.
Click Web Services Server > Server.
Change method from Native to Windows.
Open IBM Cognos Configuration.
Click Security > > Cognos and set Allow Anonymous Access to False.
Click File > Save and restart your IBM Cognos 8 service.

Appendix #1 - Configure Native Authentication

Native authentication is the default authentication method. Login information is configured in the IBM Cognos Controller databases and in the IBM Cognos Controller user interface. Native authentication is the authentication method used in previous versions of IBM Cognos Controller.

If Native authentication is enabled, when users log on to IBM Cognos Controller from IBM Cognos Connection or from a URL and have selected a database to log on to, they are prompted to log in. Users are prompted with the same login window when they log on to IBM Cognos Controller using the IBM Cognos Controller Microsoft Excel Add-in.

If you want to use Native authentication in your IBM Cognos 8 Controller environment, the reporting components must run under anonymous access. When the reporting components run under anonymous access, no login is required. In IBM Cognos Connection, anonymous access is enabled by default. Native authentication provides minimal security in your IBM Cognos 8 Controller environment.

Steps to Configure Native
1. Open IBM Cognos Controller Configuration.
2. In the Explorer window, under Web Server, click Server.
3. In the Server window, in the Select authentication method box, click the arrow in the drop-down list and select Native.
4. From the File menu, click Save.

Series 8

Series 8 authentication is authentication that is shared between IBM Cognos Controller and the reporting components. When you configure Series 8 authentication, you can use the built-in namespace to restrict access to defined users, or you can create an appropriate namespace for the type of authentication provider in your environment. Access is then restricted to users belonging to any group or role defined in the namespace.

If Series 8 authentication is enabled, when users log on to IBM Cognos Controller from IBM Cognos Connection or from a URL and have selected a database to log on to, they are prompted to log on. Users are prompted with the same login window when they log on to IBM Cognos Controller using the Microsoft Excel Add-in.

Appendix #2 ADVANCED CONFIGURATION:

Include or Exclude Domains Using Advanced Properties

When you configure an authentication namespace for IBM Cognos 8 Controller, users from only one domain can log in. By using the advanced properties for Active Directory Server, users from related (parent-child) domains and unrelated domain trees within the same forest can also log in.

in One Domain Tree

If you set a parameter named chase_referrals to true, users in the original authenticated domain and all child domains of the domain tree can log in to IBM Cognos 8 Controller. Users above the original authenticated domain or in a different domain tree cannot log in.

in All Domain Trees in the Forest

If you set a parameter named multi_domain_tree to true, users in all domain trees in the forest can log in to IBM Cognos 8 Controller.

Steps
1. On every computer where you installed Content Manager, open IBM Cognos Configuration.
2. In the Explorer window, under Security,, click the Active Directory namespace.
3. In the Properties window, specify the Host and port property:
   - For users in one domain, specify the host and port of a domain controller for the single domain.
   - For users in one domain tree, specify the host and port of the top-level controller for the domain tree.
   - For users in all domain trees in the forest, specify the host and port of any domain controller in the forest.
4. Click in the Value column for Advanced properties and click Edit.
5. In the Value - Advanced properties window, click Add.
6. Specify two new properties, chasereferrals and MultiDomainTrees, with the following values:
7. Click OK.
8. From the File menu, click Save.
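Each of these two properties widens the set of domains whose users can authenticate, so it helps to see the resulting logon scope before enabling one. The following is an added example, not part of the original guideline and not IBM code: the domain names are constructed, the keyword arguments stand for the two advanced properties, "child domains" is taken to mean domains below the namespace's own domain, and the wider scope is assumed to apply when both are true.

```python
# Added example. Domain names are constructed; the two keyword arguments
# stand for the advanced properties named in this appendix.

def norm(domain):
    return domain.strip().lower().rstrip(".")


def is_same_or_child(domain, base):
    """True when domain equals base or sits below it in the same tree."""
    domain, base = norm(domain), norm(base)
    # The leading dot stops "evilcorp.example" matching "corp.example".
    return domain == base or domain.endswith("." + base)


def in_forest(domain, tree_roots):
    return any(is_same_or_child(domain, root) for root in tree_roots)


def can_log_in(user_domain, namespace_domain, tree_roots,
               chase_referrals=False, multi_domain_trees=False):
    """Apply the appendix's rules to one user domain.

    namespace_domain: domain of the controller in the Host and port property
    tree_roots:       root domain of every tree in the forest
    Assumption: when both settings are true, the wider scope applies.
    """
    if not in_forest(namespace_domain, tree_roots):
        raise ValueError("namespace domain is not in the forest")
    if norm(user_domain) == norm(namespace_domain):
        return True
    if multi_domain_trees and in_forest(user_domain, tree_roots):
        return True
    if chase_referrals and is_same_or_child(user_domain, namespace_domain):
        return True
    return False


def login_scope(domains, namespace_domain, tree_roots, **settings):
    """Return the sorted subset of domains whose users can log in."""
    return sorted(d for d in domains
                  if can_log_in(d, namespace_domain, tree_roots, **settings))


# Constructed forest: two trees, namespace bound to a mid-level domain.
TREE_ROOTS = ["corp.example", "partner.example"]
NAMESPACE_DOMAIN = "emea.corp.example"
DOMAINS = ["corp.example", "emea.corp.example", "uk.emea.corp.example",
           "apac.corp.example", "partner.example", "evilcorp.example"]

if __name__ == "__main__":
    for settings in ({}, {"chase_referrals": True}, {"multi_domain_trees": True}):
        print(settings, login_scope(DOMAINS, NAMESPACE_DOMAIN, TREE_ROOTS, **settings))
```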

Appendix #3 Delete an Authentication Provider

You can delete namespaces that you added or unconfigured namespaces that IBM Cognos 8 Controller components detected after an upgrade. You must not delete the Cognos namespace. It contains authentication data that pertains to all users and is required to save the configuration.

When you delete a namespace, you can no longer log on to the namespace. Security data for the namespace remains in Content Manager until you permanently delete it in the portal. For more information, see the Administration and Security Guide. After you delete a namespace, it appears as inactive in the portal.

Steps
1. On a computer where you installed Content Manager, open IBM Cognos Configuration.
2. In the Explorer window, under Security >, right-click the namespace and click Delete.
3. Click Yes to confirm.
4. The namespace disappears from the Explorer window and you can no longer log on to the namespace on that computer.
5. Click File > Save.
6. Repeat steps 1 to 4 for each computer where you installed Content Manager.

You must now log on to the portal and permanently delete the data for the namespace. For more information, see the Administration and Security Guide.