Configuring IBM Cognos Controller 8 to use Access Manager Authentication

Guideline
Product(s): IBM Cognos Controller 8.1
Area of Interest: Security
Copyright
Copyright © 2008 Cognos ULC (formerly Cognos Incorporated). Cognos ULC
is an IBM Company. While every attempt has been made to ensure that the
information in this document is accurate and complete, some typographical
errors or technical inaccuracies may exist. Cognos does not accept
responsibility for any kind of loss resulting from the use of information
contained in this document. This document shows the publication date. The
information contained in this document is subject to change without notice.
Any improvements or changes to the information contained in this document
will be documented in subsequent editions. This document contains
proprietary information of Cognos. All rights are reserved. No part of this
document may be copied, photocopied, reproduced, stored in a retrieval
system, transmitted in any form or by any means, or translated into another
language without the prior written consent of Cognos. Cognos and the
Cognos logo are trademarks of Cognos ULC (formerly Cognos Incorporated)
in the United States and/or other countries. IBM and the IBM logo are
trademarks of International Business Machines Corporation in the United
States, or other countries, or both. All other names are trademarks or
registered trademarks of their respective companies. Information about
Cognos products can be found at www.cognos.com
This document is maintained by the Best Practices, Product and Technology
team. You can send comments, suggestions, and additions to
[email protected]
IBM Cognos Proprietary Information
Contents
1 Introduction
1.1 Purpose
1.2 Applicability
1.3 Exclusions and Exceptions
2 Configuring Access Manager with Controller 8
2.1 Overview
2.2 Disable Anonymous Access
2.3 Restrict User Access to the Cognos Namespace
2.4 Configure IBM Cognos 8 to Use an IBM Cognos Series 7 Namespace
2.5 Enabling Single Signon between IBM Cognos Series 7 and IBM Cognos 8 Controller
2.6 Add IBM Cognos Controller Users to the IBM Cognos Controller Roles
2.7 Setting Controller to use Access Manager security
2.8 Additional information about using Access Manager
2.9 Map IBM Cognos Controller Users to IBM Cognos 8 Users
2.10 Swapping between Native and Windows security
2.11 Appendix #1 - Configure Native Authentication
2.12 Appendix #2 – Advanced Configuration
2.13 Appendix #3 – Delete an Authentication Provider
1 Introduction
1.1 Purpose
This document is a guide on how to configure a Controller 8 application
server with Access Manager Authentication.
1.2 Applicability
Controller 8.1
1.3 Exclusions and Exceptions
There are no known exclusions and exceptions at the time this document was
created.
2 Configuring Access Manager with Controller 8
2.1 Overview
This document is a guide on how to configure a Controller 8 application
server with Access Manager Authentication. Upon completion, your system
will use Series 7 or 8 Access Manager users and classes inside the Controller
8 application.
For the purposes of this document, there is only one Controller 8 application
server and Series 7 or 8 Access Manager is installed.
For more information about setting up your environment, see 01. Cognos
Consulting - Installing & Configuring Directory Services _iPlanet_ v1.0c.pdf
(also available from the Proven Practices collection).
IBM Cognos 8 Controller can use the following 3 types of security logon
authentication methods:
• Native [1] (stored inside the Controller database)
• Series 8
• Microsoft Windows [2]
To configure IBM Cognos 8 Controller to run with Series 8 (or
Windows Authentication), you must
• configure Controller 8 to run with authenticated access
• add Controller users to the IBM Cognos roles
• map Controller roles to the IBM Cognos 8 users
[1] For more information, see Appendix #1.
[2] If you want to use Microsoft SQL Server as a data source and use single signon for
authentication, you must use Active Directory as your authentication source.
2.2 Disable Anonymous Access
By default, IBM Cognos 8 components, such as report server, do not require
user authentication.
On the Controller 8 application server, open IBM Cognos Configuration. In the
Explorer window, go to Security > Authentication > Cognos. This is the
Cognos namespace, which stores information about Cognos groups, such as
the Anonymous User, contacts, and distribution lists, and refers to objects in
other security namespaces.
Set Allow anonymous access to False.
From the File menu click Save.
Users are now required to provide logon credentials when they access
IBM Cognos resources such as IBM Cognos Connection.
2.3 Restrict User Access to the Cognos Namespace
Access can be restricted to users belonging to any group or role defined in
the IBM Cognos built-in namespace. All users belong to several built-in
groups or roles. To restrict access, you must:
• enable the property to restrict access
• remove the Everyone group from the Cognos built-in roles and
groups
• ensure that authorized users belong to at least one Cognos role
or group
Open IBM Cognos Configuration and go to Security >
Authentication. Change the value of Restrict access to members
of the built-in namespace to True. From the File menu, click
Save.
2.4 Configure IBM Cognos 8 to Use a Cognos Series 7 Namespace
First you must configure an IBM Cognos Series 7 namespace as the
authentication provider. Note that you cannot use a Local Authentication File
(.LAE) for use with IBM Cognos 8.
Upon completion of these steps you may need to reboot your computer.
On the application server, open IBM Cognos Configuration. Under Security,
right-click Authentication, and click New resource > Namespace. [3]
In the Name box, enter a name for your authentication namespace (for
example, Series7) and ensure the Type is set to IBM Cognos Series 7. [4]
For the Namespace ID property, specify a unique identifier. Use a short
name, with no spaces, for the identifier.
Specify the values for all other required properties to ensure that IBM Cognos
8 components can locate and use your existing authentication provider.
[3] If you deleted this new namespace using IBM Cognos Configuration, you must
complete the process by also deleting it in the IBM Cognos Connection portal. For more info,
see Appendix #3.
Important: You must not delete the Cognos namespace. It contains authentication
data that pertains to all users and is required to save the configuration.
[4] IBM Cognos 8 Controller components support the following types of servers as
authentication sources:
• Active Directory Server
• IBM Cognos Series 7
• Custom Authentication Provider
• LDAP
• Netegrity SiteMinder
• NTLM
If you use more than one Content Manager computer (you have more than one
application server), you must configure identical authentication providers on each
Content Manager computer. This means that the type of authentication provider you
select and the way you configure it must be identical on all computers for all platforms.
In Access Manager, select the namespace and from the right-click menu
select Properties. Click the General tab to see the Namespace version.
If the Namespace version is 16.0, ensure that the Data encoding property is
set to UTF-8. In addition, the computers where Content Manager is installed
must use the same locale as the data in the Series 7 namespace.
If the namespace version is 15.2, then you must disable the
Series7NamespacesAreUnicode setting.
In the Properties window, in the Advanced Properties value, click Edit.
In the Value - Advanced properties window, click Add.
In the Name box, type Series7NamespacesAreUnicode.
In the Value box, type False, and then click OK.
In the Properties window, under Cookie settings, ensure that the Path,
Domain, and Secure flag enabled properties match the settings configured
for IBM Cognos Series 7.
Click File > Save.
Test the connection, by right-clicking the new authentication resource
and selecting Test.
In the Explorer window, expand Local Configuration > Environment.
In the right pane, locate Controller URI for gateway and enter
http://(machinename):80/cognos8/controllerserver/CCRWS.asmx as the URI.
• (original default = http://localhost:80/cognos8/cgi-bin/cognos.cgi)
• If you want to restrict the number of namespaces to log on to, then you
configure the gateway namespace property.
Now, you must restart your IBM Cognos 8 services. In some cases, you
may need to reboot your computer.
2.5 Enabling Single Signon between IBM Cognos Series 7 and IBM Cognos 8 Controller
Open Configuration Manager and click Open the current configuration.
On the Components tab, expand Services > Access Manager – Runtime >
Cookie Settings.
In the Properties window, ensure that the Path, Domain and Secure Flag
Enabled properties match the settings configured for IBM Cognos 8
Controller.
Save and close Configuration Manager.
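Why the Path, Domain and Secure flag values have to agree on both sides, as an added Python example that is not part of the original guideline: these three properties decide which requests a browser attaches a cookie to. The host names, the Series 7 URL and the four sample settings are constructed; the Controller request path is the URI from section 2.4.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CookieSettings:
    """The three cookie properties exposed by both configuration tools."""
    path: str
    domain: str   # "" means a host-only cookie (sent back to the issuing host only)
    secure: bool


def domain_match(host, cookie_domain):
    """RFC 6265 domain-match for host names (IP addresses are out of scope here)."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_match(request_path, cookie_path):
    """RFC 6265 path-match: equal, or a prefix that ends on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def browser_sends(settings, issuer_url, target_url):
    """Would a browser attach a cookie set by issuer_url to a request for target_url?"""
    issuer, target = urlsplit(issuer_url), urlsplit(target_url)
    if settings.secure and target.scheme != "https":
        return False                      # Secure cookies never travel over http
    if settings.domain:
        if not domain_match(target.hostname, settings.domain):
            return False
    elif target.hostname != issuer.hostname:
        return False                      # host-only cookie, different server
    return path_match(target.path or "/", settings.path)


def mismatches(series7, cognos8):
    """Names of the properties that differ between the two products' settings."""
    def norm(s):
        return (s.path, s.domain.lower().lstrip("."), s.secure)
    names = ("Path", "Domain", "Secure flag enabled")
    return [n for n, a, b in zip(names, norm(series7), norm(cognos8)) if a != b]


# Constructed hosts and Series 7 URL; the Controller path is the URI from section 2.4.
SERIES7_URL = "http://s7.example.test/cognos/cgi-bin/login.cgi"
CONTROLLER_URL = "http://c8.example.test:80/cognos8/controllerserver/CCRWS.asmx"

# Constructed sample settings.
SHARED = CookieSettings(path="/", domain=".example.test", secure=False)
NARROW_PATH = CookieSettings(path="/cognos", domain=".example.test", secure=False)
HOST_ONLY = CookieSettings(path="/", domain="", secure=False)
SECURE_ONLY = CookieSettings(path="/", domain=".example.test", secure=True)

if __name__ == "__main__":
    for name, s in [("shared", SHARED), ("narrow path", NARROW_PATH),
                    ("host only", HOST_ONLY), ("secure only", SECURE_ONLY)]:
        print(f"{name:12} sent={browser_sends(s, SERIES7_URL, CONTROLLER_URL)} "
              f"differs from shared: {mismatches(SHARED, s)}")
```

Note the narrow-path case: a cookie scoped to /cognos is not sent to /cognos8/..., because path matching stops at a "/" boundary.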
2.6 Add IBM Cognos Controller Users to the IBM Cognos Controller Roles
The next step is to use the IBM Cognos Connection portal to:
• Remove the group Everyone from the built-in role/groups called Controller
Users.
• Ensure that all the authorized Access Manager users belong to at least one
IBM Cognos Controller built-in role or group [5], for example Controller Users or
Controller Administrators.
NOTE: Some versions of Controller allow you to add Access Manager groups
inside the IBM Cognos Controller groups. However, many Controller
installations only work if you add each individual user’s name explicitly (not just
a group).
[5] In Controller 8, you can use users, groups, and roles created in third-party
authentication providers, and groups and roles created in Controller 8.
Steps
1. Open IBM Cognos Connection in your web browser.
2. From the Tools menu, click Directory.
3. On the Users, Groups, and Roles tab, click the Cognos namespace.
4. In the Actions column, click the Properties button for the Controller
Administrators role.
5. Click the Members tab.
6. To add members, click Add and choose how to select members. To
choose from listed entries, click the appropriate namespace (for
example, Series7).
7. If you cannot click the Series7 namespace, you may need to log on.
Access Manager user names and passwords are case sensitive.
8. Select the check boxes next to the users, groups, or roles on the left
hand side of the screen:
NOTE: For some installations, it is possible to add Access Manager groups
inside the Controller roles (for example, Controller users and Controller
Administrators). However, you have to add each end user.
9. Click the right-arrow button and when the entries you want appear in
the Selected entries box, click OK.
10. On the Members tab, if there is an Everyone namespace, select it
and then click Remove.
11. Click OK.
Repeat the steps above for the Controller Users role, and click OK.
NOTE: The Controller Administrators role must be a member of the
Controller Users role. You must add the role Controller Administrators from
the Cognos namespace.
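The membership rules from sections 2.3 and 2.6, written as a check that can be run against a list of role members copied from the portal. This is an added Python example, not part of the original guideline; the data layout, the group name Finance and the users alice, bob, carol and dave are constructed, and ADM is the user created in section 2.7.

```python
EVERYONE = "Everyone"
USERS = "Controller Users"
ADMINS = "Controller Administrators"


def resolve(role, roles, groups):
    """Users reachable from a role: (added by name, reachable only through a group)."""
    explicit, via_group, seen, stack = set(), set(), set(), [role]
    while stack:
        current = stack.pop()
        if current in seen:          # guards against roles nested in a cycle
            continue
        seen.add(current)
        for kind, name in roles.get(current, []):
            if kind == "user":
                explicit.add(name)
            elif kind == "group":
                via_group.update(groups.get(name, []))
            elif kind == "role":
                stack.append(name)   # e.g. Controller Administrators inside Controller Users
    return explicit, via_group - explicit


def audit(roles, groups, authorized):
    """Return a list of findings; an empty list means the rules are met."""
    findings = []
    for role in (USERS, ADMINS):
        if ("group", EVERYONE) in roles.get(role, []):
            findings.append(f"{role}: Everyone is still a member")
    if ("role", ADMINS) not in roles.get(USERS, []):
        findings.append(f"{USERS}: {ADMINS} role is not a member")
    explicit, via_group = set(), set()
    for role in (USERS, ADMINS):
        named, grouped = resolve(role, roles, groups)
        explicit |= named
        via_group |= grouped
    via_group -= explicit
    for user in sorted(authorized):
        if user in explicit:
            continue
        if user in via_group:
            findings.append(f"{user}: member only through a group, add the user by name")
        else:
            findings.append(f"{user}: not in any Controller role")
    for user in sorted((explicit | via_group) - set(authorized)):
        findings.append(f"{user}: holds a Controller role but is not on the authorized list")
    return findings


# Constructed sample data: role -> [(kind, name)], group -> [user names].
GROUPS = {"Finance": ["bob", "carol"]}
AUTHORIZED = {"ADM", "alice", "bob", "dave"}
BEFORE = {
    USERS: [("group", EVERYONE), ("user", "alice"), ("group", "Finance")],
    ADMINS: [("user", "ADM")],
}
AFTER = {
    USERS: [("role", ADMINS), ("user", "alice"), ("user", "bob"), ("user", "dave")],
    ADMINS: [("user", "ADM")],
}

if __name__ == "__main__":
    for label, roles in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(roles, GROUPS, AUTHORIZED) or "no findings")
```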
2.7 Setting Controller to use Access Manager security
Open IBM Cognos Controller Configuration. In the Explorer window, click
IBM Cognos Controller Configuration > Web Server > Server
Authentication.
From the Select authentication method list select Series 8.
Set the Dispatcher URI to
http://machinename:9300/p2pd/servlet/dispatch
Click File > Save.
If you launch Controller now, you may get the error "An error occurred
while trying to access server". To solve this, create a new user inside Access
Manager.
Open Access Manager.
Click Directory Servers > Server Name > Default. Right click
Users and select Add User.
In the Name text box enter Controller Administrator. In the First
Name text box enter Controller. In the Last name text box enter
Administrator.
Click the User Signon tab. Select the Basic signon check box. In the
UserID text box enter ADM and enter the appropriate password.
Click the Memberships tab. Select the Root User Class check box.
Right click the Default namespace and select Properties. Click the Signons
tab. In the Active Signons section, click Both.
Now, it’s time to test. Right-click the Access Manager key icon in your System
Tray and select Log Out.
Now open Access Manager, and log on as ADM.
2.8 Additional information about using Access Manager
If you use IBM Cognos Access Manager, optimise your user/userclass
structures, to avoid potential future performance problems. For example, you
should avoid using a flat user/userclass structure.
Since an LDAP server is a hierarchical database, it makes use of smaller
parent:child ratios in the structure. For optimal performance, the following
should be done:
• For users, create folders (use the first letter of user name) and
sort the applicable users to these folders
• For user classes, create dummy user classes into which the
existing user classes can be sorted, to get a better parent:child
ratio of user classes
• Try to avoid users belonging to too many user classes.
2.9 Map IBM Cognos Controller Users to IBM Cognos 8 Users
After you add IBM Cognos Controller users to the IBM Cognos Controller
roles, you must create an association between the users defined in the IBM
Cognos Controller application and those defined in the IBM Cognos 8
namespace roles.
NOTE: Associations can only be created by a user who is a member of the
Controller Administrators role in IBM Cognos Connection. [6]
[6] For more information about setting user rights and limitations in IBM Cognos
Controller, see the IBM Cognos Controller User Guide.
Steps
1. Open IBM Cognos Controller.
2. From the Maintain menu, click Rights, Users.
3. In the Create New box, click the drop-down arrow and then click
User.
4. Beside the first User Id box, click Browse and then select the user as
defined in the IBM Cognos 8 namespace roles.
5. Beside the second User Id box, click Browse and then select the
user as defined in the IBM Cognos Controller database.
6. In the Name box, type the name of the IBM Cognos Controller user.
7. In the E-Mail Address box, type the email address for the IBM Cognos
Controller user.
8. Beside the User Group box, click Browse and then select the user
group for the Cognos Controller user.
9. Under Options, select the appropriate checkbox to identify the user.
10. You can identify the user as either an IBM Cognos Controller User or
IBM Cognos Controller Administrator. You can add optional comments
for the user, as well as the user’s location.
11. Click Save.
2.10 Swapping between Native and Windows security
To change from Windows to Native, ensure that there are no users on the
system. Open Controller Configuration. Click Web Services Server >
Server Authentication. Change Authentication method from Windows
Authentication to Native.
Open IBM Cognos Configuration. Click Security > Authentication >
Cognos and set Allow Anonymous Access to True. Click File > Save and
restart your IBM Cognos 8 service.
To change from Native to Windows, ensure that there are no users on the
system. Open Controller Configuration. Click Web Services Server >
Server Authentication. Change Authentication method from Native to
Windows Authentication.
Open IBM Cognos Configuration. Click Security > Authentication >
Cognos and set Allow Anonymous Access to False. Click File > Save
and restart your IBM Cognos 8 service.
2.11 Appendix #1 - Configure Native Authentication
Native authentication is the default authentication method. Login information
is configured in the IBM Cognos Controller databases and in the IBM Cognos
Controller user interface. Native authentication is the authentication method
used in previous versions of IBM Cognos Controller.
If Native authentication is enabled, when users log on to IBM Cognos
Controller from IBM Cognos Connection or from a URL and have selected a
database to log on to, they are prompted to log in. Users are prompted with
the same login window when they log on to IBM Cognos Controller using the
IBM Cognos Controller Microsoft Excel Add-in.
If you want to use Native authentication in your IBM Cognos 8 Controller
environment, the reporting components must run under anonymous access.
When the reporting components run under anonymous access, no login is
required. In IBM Cognos Connection, anonymous access is enabled by
default. Native authentication provides minimal security in your IBM Cognos 8
Controller environment.
Steps to Configure Native Authentication
1. Open IBM Cognos Controller Configuration.
2. In the Explorer window, under Web Server, click Server Authentication.
3. In the Server Authentication window, in the Select authentication
method box, click the arrow in the drop-down list and select Native.
4. From the File menu, click Save.
Series 8 Authentication
Series 8 authentication is authentication that is shared between IBM Cognos
Controller and the reporting components.
When you configure Series 8 authentication, you can use the built-in
namespace to restrict access to defined users, or you can create an appropriate
namespace for the type of authentication provider in your environment. Access
is then restricted to users belonging to any group or role defined in the
namespace.
If Series 8 authentication is enabled, when users log on to IBM Cognos
Controller from IBM Cognos Connection or from a URL and have selected a
database to log on to, they are prompted to log on. Users are prompted with
the same login window when they log on to IBM Cognos Controller using the
Microsoft Excel Add-in.
2.12 Appendix #2 – Advanced Configuration
Include or Exclude Domains Using Advanced Properties
When you configure an authentication namespace for IBM Cognos 8 Controller,
users from only one domain can log in. By using the advanced properties for
Active Directory Server, users from related (parent-child) domains and
unrelated domain trees within the same forest can also log in.
Authentication in One Domain Tree
If you set a parameter named chase_referrals to true (the chaseReferrals
advanced property in the steps below), users in the original
authenticated domain and all child domains of the domain tree can log in to IBM
Cognos 8 Controller. Users above the original authenticated domain or in a
different domain tree cannot log in.
Authentication in All Domain Trees in the Forest
If you set a parameter named multi_domain_tree to true (the MultiDomainTrees
advanced property in the steps below), users in all domain
trees in the forest can log in to IBM Cognos 8 Controller.
Steps
1. On every computer where you installed Content Manager, open IBM
Cognos Configuration.
2. In the Explorer window, under Security, Authentication, click the
Active Directory namespace.
3. In the Properties window, specify the Host and port property:
• For users in one domain, specify the host and port of a domain
controller for the single domain.
• For users in one domain tree, specify the host and port of the
top-level controller for the domain tree.
• For users in all domain trees in the forest, specify the host and port
of any domain controller in the forest.
4. Click in the Value column for Advanced properties and click Edit.
5. In the Value - Advanced properties window, click Add.
6. Specify two new properties, chaseReferrals and MultiDomainTrees,
with the following values:
7. Click OK.
8. From the File menu, click Save.
2.13 Appendix #3 – Delete an Authentication Provider
You can delete namespaces that you added or unconfigured namespaces
that IBM Cognos 8 Controller components detected after an upgrade.
You must not delete the Cognos namespace. It contains authentication data
that pertains to all users and is required to save the configuration.
When you delete a namespace, you can no longer log on to the namespace.
Security data for the namespace remains in Content Manager until you
permanently delete it in the portal. For more information, see the
Administration and Security Guide.
After you delete a namespace, it appears as inactive in the portal.
Steps
1. On a computer where you installed Content Manager, open IBM
Cognos Configuration.
2. In the Explorer window, under Security > Authentication,
right-click the namespace and click Delete.
3. Click Yes to confirm.
4. The namespace disappears from the Explorer window and you
can no longer log on to the namespace on that computer.
5. Click File > Save.
6. Repeat steps 1 to 4 for each computer where you installed
Content Manager. You must now log on to the portal and
permanently delete the data for the namespace. For more
information, see the Administration and Security Guide.