You can configure the IBM®
TM1® Server to use IBM
Cognos® security for authentication instead of the default
standard TM1 authentication.
Before you begin
To successfully complete these procedures, your IBM
TM1 Server must not be configured to allow anonymous
access. If anonymous access is enabled on the TM1 Server, you
cannot log on to a namespace from TM1 when you import Cognos groups into TM1.
About this task
To enable IBM
Cognos security authentication on the IBM
TM1 Server, you must add or modify several configuration
parameters in the server's tm1s.cfg configuration file.
Note: If you want to reconfigure a TM1 Server that is already
using Cognos security to use a different instance of Cognos, you must remove any existing Cognos users and groups that were imported from the first Cognos instance and then import users and groups from the new Cognos instance.
The Cognos Analytics gateway is optional. You can set up Cognos Analytics without the gateway for
CAM authentication. Some configuration steps different when the Cognos Analytics gateway is used.
See also step 3.
Procedure
- Open the tm1s.cfg configuration file in a text
editor.
- Edit or add the following parameters in the tm1s.cfg configuration
file.
- Configure the ServerCAMURI parameter.
The URI for the
internal dispatcher that the TM1 Server should use to connect
to IBM
Cognos security. The URI is specified in the
form:
http[s]://host IP
address:port/p2pd/servlet/dispatch
Note: To find the URI,
ask your IBM
Cognos administrator to perform the following steps:
- On the system hosting IBM
Cognos, open IBM
Cognos Configuration.
- Click to expand the Environment node.
- In the Properties pane, locate the Dispatcher
Settings section and use the value from either the External dispatcher
URI or the Internal dispatcher URI property.
Note: In Planning Analytics version 2.0.9 or later, you can configure your TM1
Server CAM URI with a Server Name
Indication (SNI). The SNI can be set using the existing ServerCAMURI parameter in the format of
SNI;URI.
For example, without a Cognos Analytics gateway:
ServerCAMURI=http://cognos-analytics.ibm.com:9300/p2pd/servlet/dispatch
For example, with a Cognos Analytics gateway:
ServerCAMURI=http://cognos-analytics.ibm.com:9300/p2pd/servlet/dispatch
- Configure the ClientCAMURI parameter.
The value for
the IBM Cognos Analytics Gateway URI used to authenticate TM1 clients. The URI is specified in the
form:
http[s]://host:port/ibmcognos/bi/v1/disp
or http[s]://host:port/bi/v1/disp
Note: The values for host and ibmcognos are variables and
depend on the exact settings that are used. Contact your IBM
Cognos administrator for more information about these
settings.
For example, without a Cognos Analytics gateway:
ClientCAMURI=http://cognos-analytics.ibm.com:9300/bi/v1/disp
For example, with a Cognos Analytics gateway:
ClientCAMURI=http://cognos-analytics.ibm.com:80/analytics/bi/v1/disp
For example, if your Cognos system is using Microsoft Internet Information Services (IIS):
ClientCAMURI=http://10.121.25.121/ibmcognos/bi/v1/disp
- Configure the ClientPingCAMPassport
parameter.
Indicates the interval, in seconds, that a client should ping the IBM
TM1 Server to keep their passport alive.
If an error occurs
or the passport expires, the user will be disconnected from the TM1 Server.
For
example:
ClientPingCAMPassport=900
- Configure the CAMPortalVariableFile parameter.
The
path to the
variables_TM1.xml file in your installation. In most cases, the
path will be:
CAMPortalVariableFile = <portal>\variables_TM1.xml
The
CAMPortalVariableFile parameter is required only when running TM1 Web.
CAMPortalVariableFile=templates\ps\portal\variables_TM1.xml
- Take note of configuration differences with or without a
Cognos Analytics gateway.
- Without a Cognos Analytics gateway
- The tm1s.cfg file would typically be configured as follows:
ServerCAMURI=http://cognos-analytics.ibm.com:9300/p2pd/servlet/dispatch
ClientCAMURI=http://cognos-analytics.ibm.com:9300/bi/v1/disp
- In the Cognos Analytics app tier install, the
planning.html and pmhub.html files are stored in the
<Cognos Analytics>/webcontent directory. The
tm1web.html file is stored in the <Cognos
Analytics>/webcontent/tm1/web/ directory.
- With a Cognos Analytics gateway
- The tm1s.cfg file would typically be configured as follows:
ServerCAMURI=http://cognos-analytics.ibm.com:9300/p2pd/servlet/dispatch
ClientCAMURI=http://cognos-analytics.ibm.com:80/analytics/bi/v1/disp
- In the Cognos Analytics gateway install, the
planning.html and pmhub.html file are stored in the
<Cognos Analytics>/webcontent/bi/ directory. The
tm1web.html file is stored in the <Cognos
Analytics>/webcontent/bi/tm1/web/ directory
- Set the IntegratedSecurityMode parameter to the default mode of
1.
Note: Setting the IntegratedSecurityMode parameter to 1 allows you to complete
additional configuration steps in TM1 using standard TM1 security before switching to Cognos security. After you complete these additional steps, you can change
this parameter to either 4 or 5 to use Cognos
security.
For example:
IntegratedSecurityMode=1
- Save and close the tm1s.cfg file.
- Restart the TM1 Server.
- Perform the required steps for your Cognos Analytics installation.
- Define a Cognos user to function as a Planning Analytics
administrator.
- Import Cognos groups into Planning Analytics.
- Configure the TM1 Server to start using Cognos authentication.
- Shut down the TM1 Server.
- Open the tm1s.cfg configuration file in a text
editor.
- Set the IntegratedSecurityMode parameter to indicate that the
server should use Cognos authentication.
The
exact parameter value depends on the specific TM1 components
you are using:
- If you are not using the TM1 Applications component, set
the parameter to 4.
IntegratedSecurityMode=4
- If you are using TM1 Applications with Cognos security, set the parameter to 5 to support user groups from both
Planning Analytics and Cognos.
IntegratedSecurityMode=5
- Save and close the tm1s.cfg file.
- Restart the TM1 Server.
What to do next
See the following configuration topics to complete the configuration: