The following procedure describes how to set up LTPA for Cognos® Analytics with Microsoft Active Directory as the authentication source.
Procedure
- In every location where you installed Content Manager, open IBM® Cognos Configuration.
- In the Explorer window, under Security, right-click Authentication, and then click New resource > Namespace.
- In the Name box, type a name for your authentication namespace.
- In the Type list, select LDAP - Default values for Active Directory and then click OK.
  The new authentication provider resource appears in the Explorer window, under the Authentication component. Default values are generated for you. Check them and make changes as needed.
- In the Properties window, for the NamespaceID property, specify a unique identifier for the namespace.
  Tip: Do not use colons (:) in the Namespace ID property.
- Specify the values for all other required properties to ensure that IBM Cognos components can locate and use your existing authentication provider.
  - For User lookup, enter (sAMAccountName=${userID})
  - If you use single sign-on, for Use external identity, set the value to True.
  - If you use single sign-on, for External identity mapping, enter (sAMAccountName=${environment("REMOTE_USER")})
    If you want to remove the domain name from the REMOTE_USER variable, enter (sAMAccountName=${replace(${environment("REMOTE_USER")},"domain\\","")}).
    Important: Ensure that you use only the variable REMOTE_USER. Using another variable can cause a security vulnerability.
  - For Bind user DN and password, enter user@domain.
  - For Unique identifier, enter objectGUID
- Create an XML file named local-server.xml and place it in the install_location/configuration directory.
- In the local-server.xml file, enter values that are appropriate for your environment:
  <?xml version="1.0" encoding="UTF-8"?>
  <server>
    <featureManager>
      <feature>ldapRegistry-3.0</feature>
      <feature>appSecurity-2.0</feature>
    </featureManager>
    <!-- Replace id, realm, host, port, baseDN, bindDN and bindPassword with values for your environment -->
    <ldapRegistry id="id" realm="realm"
        host="host" port="port" ignoreCase="true"
        baseDN="DC=dc,DC=dc,DC=dc" bindDN="CN=doejohn,OU=Users,DC=dc,DC=dc,DC=dc"
        bindPassword="password" ldapType="Microsoft Active Directory" sslEnabled="false">
      <!-- Inside an XML attribute the LDAP "&" operator must be written as &amp; -->
      <activedFilters
          userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
          groupFilter="(&amp;(cn=%v)(objectcategory=group))"
          userIdMap="user:sAMAccountName"
          groupIdMap="*:cn"
          groupMemberIdMap="memberOf:member">
      </activedFilters>
    </ldapRegistry>
    <webAppSecurity allowFailOverToBasicAuth="true" displayAuthenticationRealm="true"/>
  </server>
- If Cognos Analytics is configured to use SSL, see Configuring the SSL protocol for IBM Cognos components for more information.
- To verify the configuration, log on to http://host:port/bi, or https://host:port/bi for SSL-enabled systems, where host is the fully qualified Cognos Analytics host domain.
  You should not see the Cognos Analytics logon page. Instead, the browser should prompt you to log on.
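As an added example that is not part of the IBM documentation, the following Python script checks a local-server.xml file for the settings the procedure above calls for: both Liberty features, an ldapRegistry of type Microsoft Active Directory with its connection attributes, the %v placeholder in userFilter, and whether sslEnabled is on. The sample document inside it is constructed from the placeholders above, and the check_local_server_xml function name is this example's own.

```python
import xml.etree.ElementTree as ET

REQUIRED_FEATURES = {"ldapRegistry-3.0", "appSecurity-2.0"}

# Constructed sample modelled on the local-server.xml from the procedure above
# (placeholder values only; note the "&" in the filters must be written as "&amp;").
SAMPLE_LOCAL_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<server>
  <featureManager>
    <feature>ldapRegistry-3.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>
  <ldapRegistry id="id" realm="realm" host="host" port="port" ignoreCase="true"
      baseDN="DC=dc,DC=dc,DC=dc" bindDN="CN=doejohn,OU=Users,DC=dc,DC=dc,DC=dc"
      bindPassword="password" ldapType="Microsoft Active Directory" sslEnabled="false">
    <activedFilters userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
        groupFilter="(&amp;(cn=%v)(objectcategory=group))"
        userIdMap="user:sAMAccountName" groupIdMap="*:cn"
        groupMemberIdMap="memberOf:member"/>
  </ldapRegistry>
  <webAppSecurity allowFailOverToBasicAuth="true" displayAuthenticationRealm="true"/>
</server>
"""


def check_local_server_xml(text):
    """Return a list of findings for a local-server.xml document (empty list = clean)."""
    findings = []
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        # Liberty will not start on malformed XML; a raw "&" in a filter is the usual cause.
        return ["not well-formed XML: %s" % exc]
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    for missing in sorted(REQUIRED_FEATURES - features):
        findings.append("missing feature: " + missing)
    reg = root.find("ldapRegistry")
    if reg is None:
        return findings + ["no <ldapRegistry> element"]
    if reg.get("ldapType") != "Microsoft Active Directory":
        findings.append("ldapType is not 'Microsoft Active Directory'")
    for attr in ("host", "port", "baseDN", "bindDN", "bindPassword"):
        if not reg.get(attr):
            findings.append("missing attribute: " + attr)
    if reg.get("sslEnabled", "false").lower() != "true":
        findings.append("sslEnabled is not true: the bind password crosses the network in clear")
    filters = reg.find("activedFilters")
    if filters is None or "%v" not in (filters.get("userFilter") or ""):
        findings.append("activedFilters userFilter is missing or lacks the %v placeholder")
    return findings
```

Call check_local_server_xml with the contents of your own file; on the constructed sample it reports only that sslEnabled is false.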
What to do next
If you want to configure single sign-on (SSO) between the Cognos Analytics application that was set up with LTPA authentication and an application that is deployed into a WebSphere instance, install the WebSphere key on each Cognos Analytics dispatcher where LTPA was set up, and update the local-server.xml file with the following <ltpa> element:
  <ltpa keysFileName="yourLTPAKeysFileName.keys" keysPassword="keysPassword" expiration="120" />
For more information, see the WebSphere Liberty documentation. The root directory of the automatically generated LTPA keys file ${server.output.dir}/resources/security/ltpa.keys that is mentioned in this document is cognos_analytics_location/wlp/usr/servers/cognosserver.