Series 7 Authentication Server Setup Tip or Technique

Product(s): IBM Cognos Series 7 Version 3
Area of Interest: Security
Copyright
Copyright © 2008 Cognos ULC (formerly Cognos Incorporated). Cognos ULC
is an IBM Company. While every attempt has been made to ensure that the
information in this document is accurate and complete, some typographical
errors or technical inaccuracies may exist. Cognos does not accept
responsibility for any kind of loss resulting from the use of information
contained in this document. This document shows the publication date. The
information contained in this document is subject to change without notice.
Any improvements or changes to the information contained in this document
will be documented in subsequent editions. This document contains
proprietary information of Cognos. All rights are reserved. No part of this
document may be copied, photocopied, reproduced, stored in a retrieval
system, transmitted in any form or by any means, or translated into another
language without the prior written consent of Cognos. Cognos and the
Cognos logo are trademarks of Cognos ULC (formerly Cognos Incorporated)
in the United States and/or other countries. IBM and the IBM logo are
trademarks of International Business Machines Corporation in the United
States, or other countries, or both. All other names are trademarks or
registered trademarks of their respective companies. Information about
Cognos products can be found at www.cognos.com
This document is maintained by the Best Practices, Product and Technology
team. You can send comments, suggestions, and additions to
[email protected] .
IBM Cognos Proprietary Information
Contents
1 Introduction
1.1 Purpose
1.2 Applicability
1.3 Exclusions and Exceptions
2 Architecture
3 Request Flow
4 Configuring the Gateway Tier to Use the Authentication Service
4.1 Changing the Configuration to Use the Authentication Service
4.2 Configuring the Existing Gateways to Use the Authentication Login
5 Configuring the Application Tier to Become the Authentication Service
1 Introduction
1.1 Purpose
This document outlines proven practices for using the IBM Cognos Series 7
Version 3 Authentication service.
This document addresses the configuration changes required at every level of
a three-tier architecture.
1.2 Applicability
The techniques and product behaviours outlined in this document apply to
IBM Cognos Series 7 Version 3. These settings have been tested with the
MR3 Windows install.
1.3 Exclusions and Exceptions
These configuration requirements may change in future releases.
2 Architecture
The login process communicates with an Access Manager Server
authentication service located in the application tier. The authentication
service communicates with both the directory server and the Access
Manager Server ticket service.
The following diagram represents an alternative authentication configuration.
3 Request Flow
If the alternative authentication configuration is implemented, the following
events occur when a Web user accesses a secure IBM Cognos product.
1. The Web browser passes the URL to a Web server.
2. The Web server sends the request to the gateway.
3. The gateway sends the request to a dispatcher.
4. The dispatcher sends the request to a query server.
5. The Access Manager runtime component checks to see if the user has a
valid ticket. If no valid ticket is available, a new ticket must be created
before the query server can process the user’s request.
In this example, a valid ticket is not available.
6. The query server redirects to the Web logon program to retrieve the user's
authentication information.
7. The Web logon program retrieves the authentication information.
Where it retrieves the information from depends on the signon strategy used
by the system.
For example, the Web logon program may obtain user credentials by
prompting the user for a user ID and password or through an OS signon,
such as Integrated Windows Authentication (formerly known as Windows NT
Challenge Response) or a trusted services plug-in. In this example, the
namespace is set to use a basic signon, so the Web logon program prompts
the user for a user ID and password.
8. The Web logon program sends the submitted authentication information to
the Access Manager runtime component for verification. The runtime
component also checks the Authentication Service Configuration to see where
to locate the Authentication Service.
9. The Access Manager runtime component calls the authentication service.
10. The authentication service calls the directory server to verify the
credentials and to request the ticket service location.
11. A ticket is created by the ticket service. The ticket creates the user
session.
12. The ticket reference is stored in a cookie on the Web browser for future
requests in the same Web session. The user request is processed. The
cookie is destroyed when the Web browser is closed or when the user logs off.
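The ticket handling in steps 5 to 12, modelled as an added Python example (not Cognos code and not part of the original document). All class and function names, the random ticket reference and the sample user are hypothetical; the model shows that only the application-tier authentication service contacts the directory server, and that a request carrying a valid ticket reference triggers no new credential check.

```python
import secrets

class TicketService:
    """Keeps tickets server side; the browser only holds a reference."""
    def __init__(self):
        self.tickets = {}                       # ticket reference -> user

    def create(self, user):                     # step 11
        ref = secrets.token_urlsafe(16)         # constructed reference format
        self.tickets[ref] = user
        return ref

    def valid(self, ref):                       # step 5
        return ref in self.tickets

class DirectoryServer:
    """Stands in for the directory server and counts how often it is called."""
    def __init__(self, users, ticket_service):
        self.users, self.ticket_service, self.calls = users, ticket_service, 0

    def verify(self, user, password):           # step 10
        self.calls += 1
        expected = self.users.get(user)
        ok = expected is not None and secrets.compare_digest(expected, password)
        return self.ticket_service if ok else None   # ticket service location

class AuthenticationService:
    """Application tier: the only component here that calls the directory."""
    def __init__(self, directory):
        self.directory = directory

    def login(self, user, password):            # steps 9-11
        ticket_service = self.directory.verify(user, password)
        return ticket_service.create(user) if ticket_service else None

def handle_request(cookie, creds, tickets, auth):
    """Steps 5-12 for one request; returns (outcome, cookie value)."""
    if cookie and tickets.valid(cookie):        # valid ticket: no new logon
        return "processed", cookie
    ref = auth.login(*creds) if creds else None # steps 6-11 via Web logon
    return ("processed", ref) if ref else ("logon required", None)

if __name__ == "__main__":
    ts = TicketService()
    ds = DirectoryServer({"alice": "constructed-pw"}, ts)   # constructed user
    auth = AuthenticationService(ds)
    _, cookie = handle_request(None, ("alice", "constructed-pw"), ts, auth)
    print(handle_request(cookie, None, ts, auth)[0], "directory calls:", ds.calls)
```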
4 Configuring the Gateway Tier to Use the Authentication Service
4.1 Changing the configuration to use the Authentication Service
By default the configuration will use the Access Manager Runtime
Configuration to point to the LDAP Server directly. To change the
configuration to use the Authentication Service:
1. Open Configuration Manager and display the current configuration.
2. Within the Components tab expand Access Manager – Web
authentication\Authentication Services\Primary Authentication Service
3. Within the right side of the screen, type in the host name of the
server that will have the authentication service.
4. Click Yes on the informational message that this property is derived
from another property.*
5. In the left-hand window, click on the Primary Authentication Service
element and select the Apply button from the toolbar.**
* Since the property is not visibly linked to a parent property, this message is
incorrect.
** Doing a top-level apply will result in numerous Access Manager
Authentication errors about not being able to connect to the Directory Server.
Since the Directory Server is not being used, these errors are false.
4.2 Configuring the existing gateways to use the Authentication login
The authentication service uses its own gateway component to communicate.
The other Series 7 gateways will need to be configured to use this new
gateway.
1. Within the left-hand window of Configuration Manager, select the
Server Configuration tab.
2. Expand All Server Groups and select AccManLogon.
3. Change the gateway URL for AccManLogon from
http://GatewayTierHostName/cognos/cgi-bin/login.exe
to
http://GatewayTierHostName/cognos/cgi-bin/aslogin.exe *
4. From the Action Menu, select Apply Topology and select OK.
* The aslogin gateway comes in nsapi, isapi, cgi, mod and exe formats.
5 Configuring the Application Tier to Become the Authentication Service
On the application tier, the Access Manager Server needs to be changed to
act as an Authentication Service or as an Authentication and Ticket Service.
1. Open Configuration Manager and display the current configuration.
2. Within the Components tab, expand Access Manager – Server and
highlight General.
3. In the right-hand window, change the Services property from Ticket
Service to Authentication Service or Both.
If the Services setting is set to Both, the Authentication Service will do the
work of a Ticket Service and the Authentication Service. If the setting is set
to Authentication Service, the Ticket Service registered in the namespace will
be used.
4. Ensure that the Access Manager – Runtime settings are correctly set
to point to the LDAP server.
5. Click on the top level (ServerName) and apply to commit the
changes.