Configuring the TM1 Server to use Cognos security

You can configure the IBM® Cognos® TM1® server to use IBM Cognos security for authentication instead of the default standard TM1 authentication.

Before you begin

To successfully complete these procedures, your IBM Cognos server must not be configured to allow anonymous access. If anonymous access is enabled on the IBM Cognos server, you cannot logon to a namespace from TM1 when importing Cognos groups into TM1.

About this task

To enable IBM Cognos security authentication on the IBM Cognos TM1 server, you must add or modify several configuration parameters in the server's Tm1s.cfg configuration file.

Note: If you want to re-configure a TM1 server that is already using Cognos security to use a different instance of Cognos, you must remove any existing Cognos users and groups that were imported from the first Cognos instance and then import users and groups from the new Cognos instance.

Procedure

  1. Open the Tm1s.cfg configuration file in a text editor.

    The Tm1s.cfg file is located in the TM1 server data directory. For more information, see The Tm1s.cfg Server Configuration File.

  2. Edit or add the following parameters to the configuration file.
    Table 1. TM1 server configuration parameters for Cognos security
    Parameter Name Description
    ServerCAMURI

    The URI for the internal dispatcher that the TM1 server should use to connect to IBM Cognos security. The URI is specified in the form

    http[s]://host IP address:port/p2pd/servlet/dispatch

    Examples:

    http://10.121.25.121:9300/p2pd/servlet/dispatch

    https://10.121.25.121:9300/p2pd/servlet/dispatch

    Note: To find the URI, ask your IBM Cognos administrator to perform the following steps:
    1. On the system hosting IBM Cognos, open IBM Cognos Configuration.
    2. Click to expand the Environment node.
    3. In the Properties pane, locate the Dispatcher Settings section and use the value from either the External dispatcher URI or the Internal dispatcher URI property.
    ClientCAMURI

    The URI for the IBM Cognos Server IBM Cognos Connection used to authenticate TM1 clients. The URI is specified in the form:

    http[s]://host/ibmcognos/cgi-bin/cognos.cgi

    Note: The values for host, ibmcognos, and cognos.cgi are variables and depend on the exact settings that have been used. Contact your IBM Cognos administrator for more information about these settings.

    For example: http://10.121.25.121/ibmcognos/cgi-bin/cognos.cgi

    If your Cognos system is using Microsoft Internet Information Services (IIS):

    http://10.121.25.121/ibmcognos/cgi-bin/cognosisapi.dll
    CAMSSLCertificate

    The full path and name of the SSL certificate to be used when connecting to the internal dispatcher.

    For example: C:\AxTM1\Install_Dir\ssl\CognosCert.cer

    This parameter is required only if the IBM Cognos server is configured to use SSL.
    SkipSSLCAMHostCheck

    Indicates whether the SSL certificate ID confirmation process can be skipped. The default is FALSE.

    Important: This parameter should be set to TRUE only if using a generic certificate for demonstration purposes.
    ClientPingCAMPassport

    Indicates the interval, in seconds, that a client should ping the IBM Cognos server to keep their passport alive.

    If an error occurs or the passport expires the user will be disconnected from the TM1 server.

    Example: ClientPingCAMPassport=900
    CAMPortalVariableFile

    The path to the variables_TM1.xml file in your Cognos installation. In most cases, the path will be:

    CAMPortalVariableFile = portal\variables_TM1.xml

    The variables_TM1.xml file is included for TM1 iWidgets. For details on installing and configuring iWidgets, see Cognos TM1 iWidgets and Cognos Workspace.

    The CAMPortalVariableFile parameter is required only when running TM1 Web.

    The Tm1s.cfg file should contain parameters similar to the following:

    ServerCAMURI=http://10.111.25.121:9300/p2pd/servlet/dispatch
ClientCAMURI=http://10.111.25.121/cognos_location/cgi-bin/cognos.cgi
ClientPingCAMPassport=900
CAMPortalVariableFile=templates\ps\portal\variables_TM1.xml
  3. Set the IntegratedSecurityMode parameter to the default mode of 1.

    IntegratedSecurityMode=1

    Note: Setting the IntegratedSecurityMode parameter to 1 allows you to complete additional configuration steps in TM1 using standard TM1 security before switching to Cognos security. After you complete these additional steps you can then change this parameter to either 4 or 5 to use Cognos security.
  4. Save and close the Tm1s.cfg file.
  5. Restart the Cognos TM1 server.
  6. Perform the required steps for your Cognos BI installation.
    • Define a Cognos user to function as a Cognos TM1 administrator.
    • Import Cognos groups into Cognos TM1.

    For details, see Managing TM1 users, groups, and objects when using Cognos security.

  7. Configure the Cognos TM1 server to start using Cognos authentication.
    1. Shut down the Cognos TM1 server.
    2. Open the Tm1s.cfg configuration file in a text editor.
    3. Set the IntegratedSecurityMode parameter to indicate that the server should use Cognos authentication.

      The exact parameter value depends on the specific Cognos TM1 components you are using:

      • If you are not using the Cognos TM1 Applications component, set the parameter to 4.

        IntegratedSecurityMode=4

      • If you are using Cognos TM1 Applications with Cognos security, set the parameter to 5 to support user groups from both Cognos TM1 and Cognos.

        IntegratedSecurityMode=5

    4. Save and close the Tm1s.cfg file.
    5. Restart the Cognos TM1 server.

What to do next

See the following configuration topics to complete the configuration:
Parent topic: Using Cognos security with Cognos TM1