We received a request to configure single sign-on (SSO) between the IBM Cognos and IBM WebSphere Portal servers in the customer’s development environment, so that reports published in IBM Cognos can be viewed inside Cognos Portlets on IBM WebSphere Portal.
The IBM Cognos BI Server was installed on Apache Tomcat and the IBM WebSphere Portal Server was installed on WebSphere Application Server, so we used the Shared Secret method with the CGI gateway as the intermediate authority to intercept, extract and forward tokens coming from Cognos Portlets on IBM WebSphere Portal to the IBM Cognos ReportNet server’s full namespace for authentication.
A. Install the alternate gateway and configure your web server. (Refer to Appendix A)
Note: The gateway can be on the same machine, but it must be installed in a different folder, e.g. ‘cpsgateway’ in our case.
– Create An Application Pool.
Note: Normally there is not much difference between 32 and 64 bit; we just need to enable 32-bit mode in the App Pool settings and run the copyGateMod.bat 32bit command.
– Create The IBM Cognos 10 Virtual Directory.
– Create an Application for cgi-bin
– Configure IIS 7 for IBM Cognos CGI.
– Setting the CGI Restrictions for the Web Server.
– Updating the Module Mapping Parameter by setting allowPathInfo in the Module Mapping Handlers.
– Testing the CGI installation
Note: Please remember that there are two namespace IDs. One is CPSTrusted and the other is AD1, as per our environment. CPSTrusted is of type Custom Java Provider and AD1 is of type Active Directory.
Excerpts from Source:
“Shared Secret” is a Cognos-specific method for handling SSO. The Cognos Portlets pick up the enterprise portal’s User ID and send it to the IBM Cognos ReportNet server for authentication.
On the IBM Cognos ReportNet end, an additional second namespace (a Trusted Signon Provider) is used to retrieve the encrypted information and pass it on to a full namespace like LDAP, AD, NTLM or IBM Cognos Series7 which then does the actual authentication.
Note: In our case, CPSTrusted takes the token, decrypts it and then passes it on to AD1 for the actual authentication.
On every installed instance of IBM Cognos ReportNet in your system that runs the Content Manager component, open Cognos Configuration and adjust the configuration using the following steps.
Under Security/Authentication, add a new namespace.
For the namespace properties, enter the following:
(Note: The values for id and class name are case sensitive and must be entered as is whenever referred to).
Save the configuration at this point.
In Cognos Configuration, configure the following fields:
The gateway namespace value should be the ID (and not the name) of the target namespace.
If you are using the “Shared Secret” SSO method, then the gateway namespace needs to be the ID of the Custom Java Provider or “Shared Secret” namespace.
On every installed instance in your system running the Dispatcher component, adjust the CPS properties by following the steps outlined here.
– Open the <install dir>/webapps/p2pd/WEB-INF/classes/cps_trustedsignon.properties file for editing and change the following values. If the file is not present, create it.
• <ID of your authentication namespace> is the ID of the namespace associated with the IBM Cognos ReportNet namespace used to authenticate users. It can be of type LDAP, IBM Cognos Series 7, NTLM or Active Directory.
Excerpts from Source:
This is not the “CPSTrusted” namespace set above but the “target” namespace which does the final authentication to IBM Cognos ReportNet, and in our case the final authentication namespace is AD1.
• <The shared secret string> is any text string without spaces or special characters. This is the secret key for User ID encryption. Remember this string as it will be needed when configuring the Cognos Portlets in WebSphere portal.
Note: If your “target” namespace is of type LDAP, enable External User mapping. See Appendix B – Enable External Identity Mapping for LDAP Namespace for details.
If your “target” namespace is of type AD, enable Identity Mapping. See Appendix C – Enabling Identity Mapping for AD Namespaces for details.
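The two values above can be checked before the dispatcher is restarted. The following is an added example, not part of the original write-up or of IBM's tooling: it generates a secret that satisfies the "no spaces or special characters" rule and flags the mistake of pointing the file at the trusted signon namespace instead of the target namespace. The property key names and the minimum secret length are assumptions, since the page does not show them.

```python
import re
import secrets
import string

# Assumed key names: the page does not show them. Adjust to match your file.
NS_KEY = "cps_auth_namespace"
SECRET_KEY = "cps_auth_secret"
MIN_SECRET_LEN = 32  # assumed policy floor, not a documented IBM requirement

def generate_secret(length=40):
    """Random secret built from letters and digits only, using a CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def parse_properties(text):
    """Minimal key=value parser; skips blank lines and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_trustedsignon(text, trusted_ns_id, target_ns_ids):
    """Return a list of findings; an empty list means the file passed."""
    props = parse_properties(text)
    findings = []
    ns = props.get(NS_KEY, "")
    secret = props.get(SECRET_KEY, "")
    if ns == trusted_ns_id:
        findings.append("namespace is the trusted signon namespace, not the target")
    elif ns not in target_ns_ids:
        # Namespace IDs are case sensitive, so 'ad1' does not match 'AD1'.
        findings.append(f"namespace ID {ns!r} is not a configured target namespace")
    if not re.fullmatch(r"[A-Za-z0-9]+", secret):
        findings.append("secret is empty or contains spaces/special characters")
    elif len(secret) < MIN_SECRET_LEN:
        findings.append("secret is shorter than the assumed minimum length")
    return findings

# Constructed sample inputs using the namespace IDs from this environment.
GOOD = f"{NS_KEY} = AD1\n{SECRET_KEY} = {generate_secret()}\n"
BAD = f"# constructed\n{NS_KEY} = CPSTrusted\n{SECRET_KEY} = my secret!\n"

if __name__ == "__main__":
    print(check_trustedsignon(GOOD, "CPSTrusted", {"AD1"}))  # no findings
    print(check_trustedsignon(BAD, "CPSTrusted", {"AD1"}))   # two findings
```

Because the secret sits in this file in plain text, restrict read access on it to the account that runs the Cognos service.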
1. Login to WebSphere Portal as an administrator
2. Go to Administration > Portlet Management > Applications and locate the three Cognos portlet applications:
3. For each IBM Cognos application, set the following fields:
The connection server must contain the URI used to access the WSDL location via a gateway. The proper value depends on your gateway type and the portlet type.
The Authorization secret must be the same as the one set in “Step 3” above. When using Shared secret, it is a good idea to leave Active Credential Type as “(none)”.
Excerpts from Source:
From Appendix D: For CGI Gateway:
Important note: The connection URI differs depending on the type of gateway and the type of portlet.
Type of Portlet:
Each portlet group has a different entry point for the WSDL address. In the examples below, the /nav?… section of the URI needs to be changed accordingly:
| Portlet Type | End Point | Example |
| --- | --- | --- |
| Cognos Navigator | /nav? | http://Cognos_ReportNet_Server/cpsgateway/cgi-bin/cognos.cgi/cps2/nav |
| Cognos Search | /nav? | Same as above |
| Cognos Viewer | /nav? | Same as above |
| Metric Manager | /cmm? | http://Cognos_ReportNet_Server/cpsgateway/cgi-bin/cognos.cgi/cps2/cmm |
| Cognos Extended | /sdk? | http://Cognos_ReportNet_Server/cpsgateway/cgi-bin/cognos.cgi/cps2/sdk |