Configuring SSO between IBM Cognos and IBM WebSphere Portal using Shared-Secret Method

By -
Share:

Background:

We received request to configure Single Sign On between IBM Cognos and IBM Websphere Portal servers of the customer’s development environment, so the reports being published in IBM Cognos can be viewed inside Cognos Portlets on IBM Websphere Portal.

The IBM Cognos BI Server was installed on Apache Tomcat and the IBM Websphere Portal Server was installed on Websphere Application Server so we used the Shared-Secret Method with CGI-Gateway as Intermediate authority to intercept, extract and forward tokens coming from Cognos Portlets on IBM Websphere Portal TO IBM Cognos Report Net Server’s full namespace for authentication.

Sources:

ftp://public.dhe.ibm.com/software/dw/dm/cognos/security/general/enabling_sso_between_reportnet_and_websphere_portal.pdf

http://www.ibm.com/developerworks/data/library/cognos/infrastructure/web_servers/page599.html

Step 1 – Install and Configure an Alternate Gateway: (CGI gateway on IIS).

A. Install the alternate gateway and configure your web server. (Refer to Appendix A)

Note: The Gateway can be on the same machine but it is mandatory to install it on a different folder e.g ‘cpsgateway’ in our case.

- Create An Application Pool.

  • Open IIS (right click and run as Admin).
  • Create App Pool, if already created select the pool, click advance settings on right.
  • Check that start automatically is set to true.
  • If you are configuring 32 bit gateway then enable it in advance settings and run copyGateMod.bat 32bit in command prompt.
  • Else run the copyGateMod.bat 64bit command from cgi-bin directory of cognos.

Note: Normally there is no much difference in 32 or 64 bit we just need to enable 32 bit mode in App Pool settings and run the copyGateMod.bat 32bit command.

- Create The IBM Cognos 10 Virtual Directory.

  • Right click on Default Web Site.
  • Click add virtual directory.
  • Give ‘cpsgateway’ as alias.
  • Specify the location of the webcontent directory from IBM Cognos install location.

- Create an Application for cgi-bin

  • Right click on cpsgateway and click add application.
  • Give ‘cgi-bin’ as alias.
  • Select app pool.
  • Click ok to save changes.

- Configure IIS 7 for IBM Cognos CGI.

  • Select ‘cgi-bin’ from cpsgateway.
  • Click handler mappings.
  • Click add module mapping in actions pane on the right.
  • Field (request path= cognos.cgi)
  • Field (module=cgiModule).
  • Field (Executable= leave this blank).
  • Field (Name=IBMCOGNOS-CGI)
  • Click ok and verify that IBMCOGNOS-CGI handler mapping is enabled.
  • Double click and make sure that it (IBMCOGNOS-CGI) handler mapping has executable permission selected.

- Setting the CGI Restrictions for the Web Server.

  • Select the WEB Server.
  • Double click on ISAPI and CGI Restrictions feature.
  • Click Add from actions pane on right hand side.
  • ISAPI or CGI Path=path of cognos.cgi.
  • Description=IBMCOGNOS-CGI.
  • Ensure that ‘Allow extension path to execute’ is checked.

- Updating the Module Mapping Parameter by setting allowPathInfo in the Module Mapping Handlers.

  • Navigate to the cgi-bin virtual directory located under ‘cpsgateway’.
  • In the Features View, double click Configuration Editor in the Management subsection.
  • Locate the Section dropdown. Click the dropdown to expand the various sections, expandsystem.webServer and select Handlers.
  • Click on the (Collections) row, then click on Edit Items within the Action pane on the far right.
  • Within the Items pane of Collection Editor, click on the handler that was created in the Configuring IIS 7 for IBM Cognos CGI section. In this document the handler’s name IBMCOGNOS-CGI.
  • Within the Properties pane, locate the allowPathInfo property and change it from False to True.
  • Close the Collection Editor window, then under the Actions pane at the far right, click Apply.

- Testing the CGI installation

  • There are two ways to call the IBM Cognos 10 CGI Gateway module,
  • By calling http:// Cognos_ReportNet_Server/cpsgateway
  • By calling http:// Cognos_ReportNet_Server/cpsgateway/cgi-bin/cognos.cgi
  • Set default.htm as default document in cpsgateway virtual directory if you want the first link above to work.

Step 2 – Cognos Configuration.

Note: Please remember that there are two namespace ids. One is the CPSTrusted and the other is AD1 as per our environment. The CPSTrusted is of type Custom Java Provider and the AD1 is of Active Directory type.

Excerpts from Source:

“Shared Secret” is a Cognos-specific method for handling SSO. The Cognos Portlets pick up the enterprise portal’s User ID and sends it to the IBM Cognos ReportNet server for authentication”.

On the IBM Cognos ReportNet end, an additional second namespace (a Trusted Signon Provider) is used to retrieve the encrypted information and pass it on to a full namespace like LDAP, AD, NTLM or IBM Cognos Series7 which then does the actual authentication.

Note: In our case The CPSTrusted will take the token and decrypt it and then pass it on to AD1 for actual authentication.

1. Create and Configure the Trusted Sign on Namespace:

On every installed instance of IBM Cognos ReportNet in your system which runs Content Manager Component open Cognos Configuration and adjust configuration using the following steps.

Under Security/Authentication, add a new namespace.

  • Name = SharedSecret
  • Type = Custom Java Provider

For the namespace properties, enter the following:

  • Namespace ID = CPSTrusted
  • Java class name = com.cognos.cps.auth.CPSTrustedSignon

(Note: The values for id and class name are case sensitive and must be entered as is whenever referred to).

2. Configure ActiveDirectory Namespace.

  • Note down the Active Directory Namespace ID as we need to enter that in cps_trustedsignon.properties file later on, in our case it is AD1.
  • Add singleSignonOption in advance properties in ActiveDirectory Namespace and give IdentityMapping as value.
  • Make sure that the Directory Server host and port in Namespace is the same as used in IBM Websphere Portal Server. In our case it is LdapServer:389

3. Under Security > Authentication > Cognos, set “use anonymous access” to false.

Save the configuration at this point.

4. Configure for the alternate gateway.

    In Cognos Configuration, configure the following fields:

The gateway namespace value should be the ID (and not the name) of the target namespace.

If you are using the “Shared Secret” SSO method, then the gateway namespace needs to be the

ID of the Custom Java Provider or “Shared Secret” namespace.

5. In the Environment section, set the following fields:

6. Save and close Cognos Configuration.

Step 3 – Configure CPS properties:

On every installed instance in your system running the Dispatcher component adjust CPS properties by following the steps outlined here.

- Open [<install dir>/webapps/p2pd/WEB-INF/classes/cps_trustedsignon.properties file for editing and change the following values. If it is not present create a new file.

  •  namespace_id=AD1
  • auth_cookie_name=cps_auth_user
  • cps_auth_secret=mysecret8854

Where:

• <ID of your authentication namespace> is the ID of the namespace associated with the IBM Cognos ReportNet namespace used to authenticate users. It can be of type LDAP, IBM Cognos Series 7, NTLM or Active Directory.

Excerpts from Source:

This is not the “CPSTrusted” namespace set above but the “target” namespace which does the final authentication to IBM Cognos ReportNet, and in our case the final authentication namespace is AD1.

• <The shared secret string> is any text string without spaces or special characters. This is the secret key for User ID encryption. Remember this string as it will be needed when configuring the Cognos Portlets in WebSphere portal.

Note: If your “target” namespace is of type LDAP, enable External User mapping. See Appendix B – Enable External Identity Mapping for LDAP Namespace for details.

If your “target” namespace is of type AD, enable Identity Mapping. See Appendix C – Enabling Identity Mapping for AD Namespaces for details.

Step 4 – Configure the Cognos Portlet applications in WebSphere portal:

1. Login to WebSphere Portal as an administrator

2. Go to Administration Portlet Management Applications and locate the three

Cognos portlet applications:

  • Cognos BI Content Portlets
  • Cognos Extended Applications Portlets
  • Cognos Metric Manager Portlets

3. For each IBM Cognos application, set the following fields:

  • CPS Endpoint <connection server URI>
  • cps_auth_secret <The shared secret string> e.g. = mysecret8854
  • Active Credential Type (none)

Important:

The connection server is to contain the URI to access the WSDL location via a gateway. The Connection Server URI to help determine the proper value based on your Gateway type and the Portlet type.

The Authorization secret must be the same as the one set in “Step 3” above. When using Shared secret, it is a good idea to leave Active Credential Type as “(none)”.

Excerpts from Source:

From Appendix D: For CGI Gateway:

IMP Note: The connection URI will differs depending on the type of Gateway and the type of Portlet.

Type of Portlet:

Each portlet group has a different entry point for the WSDL address. In the examples below, the /nav?… section of the URI needs to be changed accordingly:

Portlet Type                      End Point            Example

Cognos Navigator            /nav?                    http:// Cognos_ReportNet_Server/cpsgateway/cgi-bin/cognos.cgi/cps2/nav
Cognos Search                  /nav?                    Same as above
Cognos Viewer                  /nav?                    Same as above
Metric Manager                /cmm?                 http:// Cognos_ReportNet_Server/cpsgateway/cgi-bin/cognos.cgi/cps2/cmm
Watchlist
Cognos Extended             /sdk?                    http:// Cognos_ReportNet_Server/cpsgateway/cgi-bin/cognos.cgi/cps2/sdk
Applications

Step 5 – Test the Cognos Portlets:

  •  1. Place the Cognos Portlets on a page and grant access permissions for these portlets to the WebSphere Portal users that will be using IBM Cognos.
  • 2. Logon to WebSphere Portal with a User ID that is common to both WebSphere and IBM Cognos.
  • 3. View the page and notice that the Cognos portlets actually show up.
Share:
  • camelia_waxman

    Useful piece ! I loved the information ! Does anyone know where my
    assistant could possibly locate a template Chevron Job Safety Analysis
    Form version to fill out ?