Configuring Integrated Login for Cognos TM1 Web using Kerberos

You can set up IBM® Cognos® TM1® Web to use Integrated Login with the Kerberos security protocol. This type of authentication works with TM1 IntegratedSecurityMode=3.

About this task

In Cognos TM1 Web version 10.2, you must enter your Microsoft Windows authentication in the Cognos TM1 Web login dialog box. The login dialog box allows you to choose either native TM1 or Microsoft Windows login.

In order to run Cognos TM1 Web in a Kerberos environment, you must properly configure that environment for Kerberos to work with the Java™ Runtime that is running the Cognos TM1 Web service.

Cognos TM1 Web version 10.2 uses Java Generic Security Service (JGSS) to support Kerberos Windows Authentication. This is the type of authentication you get when you use TM1 IntegratedSecurityMode=3. Additional information on how to set up Kerberos Windows Authentication to work in a Java environment is available at the following link:

IBM Security information for Java V6 > Java Generic Security Service (JGSS) > Java Generic Security Service (JGSS) User's Guide > Configuration and policy files (http://publib.boulder.ibm.com/infocenter/javasdk/v6r0/index.jsp?topic=%2Fcom.ibm.java.security.component.60.doc%2Fsecurity-component%2FjgssDocs%2Fconfig_files.html)

Setting up the LoginModule that acquires Kerberos credentials for the IBM Java runtime is described at this link:

com.ibm.security.auth.module Class Krb5LoginModule (http://pic.dhe.ibm.com/infocenter/java7sdk/v7r0/index.jsp?topic=%2Fcom.ibm.java.security.component.70.doc%2Fsecurity-component%2FjgssDocs%2Fconfig_files.html)

Procedure

  1. Specify a Kerberos Configuration File.

    An example of the Kerberos Configuration File (krb5.ini):

    [libdefaults]
    	default_realm = <REALM_NAME>
    	default_tkt_enctypes = rc4-hmac des-cbc-crc
    	default_tgs_enctypes = rc4-hmac des-cbc-crc
    	ticket_lifetime = 1200
    [realms]
    	<REALM_NAME> = {
    		kdc = 9.24.213.202
    		admin_server = <server_name.domain_name>
    		default_domain = <DOMAIN_NAME>
    	}
    [domain_realm]
    	.<domain_realm_name> = <DOMAIN_REALM_NAME>
    [appdefaults]
    	autologin=true
    	forward=true
    	forwardable=true 
    	encrypt=true
  2. Specify the JAAS login feature in the java.security file.

    Example of specifying the JAAS login feature in the java.security file:

    # Default login configuration file
    #login.config.url.1=file:${user.home}/.java.login.config
    login.config.url.1=file:${java.home}/lib/security/login.config

    Example of the contents of the login configuration file for the IBM Java Runtime:

    TM1SignedOnUserLoginContext {
      com.ibm.security.auth.module.Krb5LoginModule required 
      useDefaultCcache=true;
    };

    Example of the contents of the login configuration file for the SUN Java Runtime:

    TM1SignedOnUserLoginContext {
      com.sun.security.auth.module.Krb5LoginModule required 
      useTicketCache="true"
      useKeyTab="true" keyTab="krb5.keytab" ;
    };
  3. Specify the login configuration file.
  4. Configure the IntegratedSecurityModuleName parameter in the tm1web_config.xml file.

    Ensure that the value associated with the IntegratedSecurityModuleName parameter is set to the name of the LoginModule that is associated with the Kerberos environment.

    <add key="IntegratedSecurityModuleName" value="name of the LoginModule"/>

  5. Ensure that the Windows service for the Cognos TM1 Server is owned by an authorized domain account.
  6. Ensure that the user that is logging in has the proper ticket set up via the kinit procedure.
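The krb5.ini example in step 1 lists rc4-hmac and des-cbc-crc, which RFC 6649 and RFC 8429 deprecate for Kerberos. The following check is an added example, not part of the IBM documentation: it parses a krb5.ini and reports deprecated enctypes under [libdefaults]. The function names, the sample realm and the host name are assumptions made for illustration.

```python
import re

# Deprecated by RFC 6649 (single DES) and RFC 8429 (RC4-HMAC, 3DES).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "des3-cbc-sha1", "rc4-hmac", "arcfour-hmac"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

def parse_krb5_ini(text):
    """Return {section: {key: value}} for top-level lines; nested { } realm blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            current = sections.setdefault(header.group(1), {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth = max(depth - 1, 0)
        elif depth == 0 and current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def weak_enctype_findings(text):
    """Return (key, enctype) pairs in [libdefaults] naming a deprecated enctype."""
    libdefaults = parse_krb5_ini(text).get("libdefaults", {})
    return [(key, enctype)
            for key in ENCTYPE_KEYS if key in libdefaults
            for enctype in re.split(r"[\s,]+", libdefaults[key].lower())
            if enctype in WEAK_ENCTYPES]

# Constructed sample in the layout of step 1; realm and host names are placeholders.
SAMPLE = """[libdefaults]
    default_realm = EXAMPLE.TEST
    default_tkt_enctypes = rc4-hmac des-cbc-crc
    default_tgs_enctypes = rc4-hmac des-cbc-crc
[realms]
    EXAMPLE.TEST = {
        kdc = kdc.example.test
    }
"""

if __name__ == "__main__":
    for key, enctype in weak_enctype_findings(SAMPLE):
        print(f"{key}: {enctype} is deprecated; prefer an AES enctype if the KDC and JRE support it")
```

Whether an AES enctype such as aes256-cts-hmac-sha1-96 can replace the flagged values depends on what the KDC and the Java runtime in use support.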