Question & Answer
Question
Answer
The credential refresh behaviour is controlled by the Security > Authentication > Automatically renew trusted credential setting in IBM Cognos Configuration. The default time interval for the renewal of trusted credentials is once per day. The administrator can change the value (in days) in the Advance properties, but the minimum is one day. See the core documentation on Trusted Credentials for more information. Keep in mind, if you change your password during the day and have missed the window of opportunity to have your credential automatically renewed, you will need to renew them manually in order to not have any schedules using the credentials fail. For example, you log into Cognos Analytics in the morning. The automatic renewal takes place. In the afternoon, you change your password and log into Cognos Analytics again. Since the automatic renewal already took place in that 24 hour period, it will not occur again and your credentials will not be renewed. In this case you would need to renew manually to ensure any schedules later that day do not fail.
The three different settings for renewing credentials are as follows:
· Primary namespace only (default setting): When you log on to the first namespace of your session, that is considered the Primary namespace for the Cognos Analytics session. The account you logged into is considered the container for the trusted credentials you will create or renew for that session. If you have trusted credentials for that account, the credentials are updated for this account only. All other credentials from other namespaces that you may log into are not updated.
· Off: Credentials are not updated in any namespace.
· All namespaces: When you log on to the first namespace, your credentials are updated as described for “Primary namespace only”. When you log on to additional namespaces, if your trusted credentials associated with the primary namespace account contain logon information for the additional namespaces, then those trusted credentials are updated as well. Using this option is typically done for scenarios where a schedule needs to be run that requires credentials from multiple namespaces. For example an administrator may want to run a scheduled consistency check which spans across multiple namespaces. This setting is a system wide setting and should only be considered if necessary.
NOTE: It is not recommended to use the All namespaces option if users authenticate into secondary namespaces as different users as this may cause conflicts in the credentials that are renewed for the namespace.
It is not possible to use SSO with the feature ‘Automatically renew trusted credential’ unless using IdentityMapping for REMOTE_USER because of the following:
A trusted credential is special because the namespace credentials it stores must be usable at any time, not depending on any timestamp. This rules out SSO tickets like Kerberos tokens or SAP tokens as they will expire after a short time and will become unusable. A suitable trusted credential therefore usually is a pair consisting of a user name and a password. However, for SSO based authentication, there is no password available to the namespace that can be stored into the trusted credential. Therefore, this feature will only work for basic authentication, when the user provides a user name and password to the login screen. The exception to this rule is when IdentityMapping for REMOTE_USER is configured. See the core documentation for more information: https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.1.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_stp_sso_active_drctry_remote_user.html
Related Information
Was this topic helpful?
Document Information
Modified date:
01 May 2019
UID
swg21998776