When using Portal Services in a third-party portal, you must enable single signon to provide seamless integration between the third-party portal and Cognos 8 components.
Portal Services uses single signon to authenticate users. This means that users do not have to log on to other applications separately through the portal.
You must configure a URI into Cognos 8 components for each portlet in Portal Services.
To enable security between Cognos 8 components and the third-party portal, do the following:
 | Disable anonymous access to Cognos 8 components. If your security infrastructure requires you to use another method for single signon, use one of the following methods: |
| | Enable single signon for the third-party portal using shared secret. If your security infrastructure requires you to use another method for single signon, use one of the following methods: |
| | Configure Cognos 8 components for SSL access, if required. For instructions, see the Installation and Configuration Guide. |
Portal Services uses single signon for authentication. If anonymous logon is enabled in Cognos 8 components, Portal Services logs all portal users as anonymous. You must ensure that anonymous access is disabled in Cognos 8 components for single signon in Portal Services to be successful. However, you can test the Portal Services connections using anonymous logon to ensure that the portlets are working in the third-party portal.
If Portal Services fails to authenticate a user, the user receives an error message at the third-party portal.
Start Cognos Configuration.
In the Explorer window, under Security, Authentication, click Cognos.
In the Properties window, ensure that Allow anonymous access is set to False.
From the File menu, click Save.
Repeat steps 1 to 4 on all servers where you installed Cognos 8 components.
You can use shared secret for single signon between Cognos portlets and Cognos 8 components. The Cognos portlets send a message that contains an encrypted version of the portal user ID. The encryption key is determined by the value of a secret character string shared between the portlets and the custom Java security provider on the Cognos server.
You can use shared secret for the third-party portal only if portal user IDs can be looked up in an NTLM, LDAP, or Cognos Series 7 authentication namespace that is shared by Cognos 8 components.
Cognos 8 components must have access to a directory server that contains user IDs for all your portal users. Using Cognos Configuration, you must configure an authentication namespace so that the portal and Cognos 8 components share the same authentication source.
You must also create a Custom Java Provider namespace to register the shared secret Java provider that is provided with Cognos 8 components. Within the portlets or iViews, you must link the portlets or iViews to the Custom Java Provider namespace within your respective portal:
Cognos iViews (SAP EP)
Cognos Portlet Application (WebSphere Portal)
remote server (Plumtree Portal)
Cognos WebPart (SharePoint Portal)
You are not required to configure access to the Portal Services Web content. However, if you deploy the portlets to a third-party portal, you can configure access to an alternate URI for Portal Services images and Web content.
In Cognos Configuration, configure a namespace to authenticate portal users.
For instructions, see the topic about configuring LDAP, NTLM, or Cognos Series 7 authentication providers in the Installation and Configuration Guide.
For an LDAP namespace, configure the following properties:
For the Use external identity property, change the setting to True.
For the External identity mapping property, set it to
(uid=${environment("REMOTE_USER")})
Other properties may be required. For more information, see the topic about configuring Cognos 8 components to use LDAP in the Installation and Configuration Guide.
For a Cognos Series 7 namespace, map the portal user IDs to Cognos Series 7 user IDs using OS signons.
For more information, see the Cognos Series 7 documentation.
In Cognos Configuration, create and configure a Custom Java Provider namespace.
For instructions, see the topic about configuring a custom authentication namespace in the Installation and Configuration Guide.
For the Namespace ID property, specify any new ID.
For example, cpstrusted
This new ID must be used in the portlet configuration settings.
For the Java class name property, type
com.cognos.cps.auth.CPSTrustedSignon
Java class names are case-sensitive.
In Cognos Configuration, under Environment, Portal Services, configure the following properties:
For Trusted Signon Namespace ID, type the namespace ID of the LDAP, NTLM, or Cognos Series 7 namespace that you configured in step 1.
Tip: The trusted signon namespace acts as an intermediary and must be attached to a real directory-based namespace of type LDAP, NTLM, or Cognos Series 7.
For Shared Secret, type the key to be used for single signon.
This parameter represents the authorization secret that must be shared between the Cognos portlets and the Cognos server. Consider this as a secret password. You must use the same character string when you configure the portlet application. You must use a single word as the key.
For security reasons, we recommend you specify a non-null value.
Under Environment, for Gateway Settings, set the Allow Namespace Override property to true.
From the File menu, click Save.
Restart the Cognos 8 service.
On the computer where you installed the Application Tier Components, start Cognos Configuration.
In the Explorer window, under Environment, click Portal Services.
In the Properties window, click the Value box next to Web Content URI.
Specify the host name or IP address of the gateway and a port number using the format
host_or_IP_address:port
From the File menu, click Save.
Open the iView editor for each Cognos iView.
In the Property Category box, select Show All.
For the cpsauthsecret: CPS Authorization Secret property, enter the secret character string that you used for the Shared Secret property when you configured the Custom Java Provider namespace.
For the cps: authentication namespace ID property, enter the Custom Java Provider namespace ID.
For the cpsserver: CPS Connection Server property, enter the URL path to access Portal Services components through the gateway.
The format of the URL is as follows:
For Cognos content portlets
Gateway_URI/wsrp/cps4/portlets/nav?wsdl&b_action=cps.wsdl
Example for a CGI gateway:
http://myserver/cognos8/cgi-bin/cognos.cgi/wsrp/cps4/portlets/nav?wsdl&b_action=cps.wsdl
Example for a servlet gateway:
http://172.0.16.1:9500/wsrp/cps4/portlets/nav?wsdl&b_action=cps.wsdl
For Cognos Extended Applications
Gateway_URI/wsrp/cps4/portlets/sdk?wsdl&b_action=cps.wsdl
Example for a CGI gateway:
http://myserver/cognos8/cgi-bin/cognos.cgi/wsrp/cps4/portlets/sdk?wsdl&b_action=cps.wsdl
Example for a servlet gateway:
http://172.0.16.1:9500/wsrp/cps4/portlets/sdk?wsdl&b_action=cps.wsdl
For Metrics Manager Watchlist portlets
Gateway_URI/wsrp/cps4/portlets/cmm?wsdl&b_action=cps.wsdl
Example for a CGI gateway:
http://myserver/cognos8/cgi-bin/cognos.cgi/wsrp/cps4/portlets/cmm?wsdl&b_action=cps.wsdl
Example for a servlet gateway:
http://172.0.16.1:9500/wsrp/cps4/portlets/cmm?wsdl&b_action=cps.wsdl
For each Cognos portlet application, click Modify Parameters.
For the cps_auth_secret property, enter the secret character string that you used for the Shared Secret property when you configured the Custom Java Provider namespace.
For the cps_auth_namespace property, enter the Custom Java Provider namespace ID.
For the CPS Endpoint property, enter the URL path to access Portal Services components through the gateway.
The format of the URL is as follows:
For Cognos content portlets
Gateway_URI/wsrp/cps4/portlets/nav?wsdl&b_action=cps.wsdl
Example for a CGI gateway:
http://myserver/cognos8/cgi-bin/cognos.cgi/wsrp/cps4/portlets/nav?wsdl&b_action=cps.wsdl
Example for a servlet gateway:
http://172.0.16.1:9500/wsrp/cps4/portlets/nav?wsdl&b_action=cps.wsdl
For Cognos Extended Applications
Gateway_URI/wsrp/cps4/portlets/sdk?wsdl&b_action=cps.wsdl
Example for a CGI gateway:
http://myserver/cognos8/cgi-bin/cognos.cgi/wsrp/cps4/portlets/sdk?wsdl&b_action=cps.wsdl
Example for a servlet gateway:
http://172.0.16.1:9500/wsrp/cps4/portlets/sdk?wsdl&b_action=cps.wsdl
For Metrics Manager Watchlist portlets
Gateway_URI/wsrp/cps4/portlets/cmm?wsdl&b_action=cps.wsdl
Example for a CGI gateway:
http://myserver/cognos8/cgi-bin/cognos.cgi/wsrp/cps4/portlets/cmm?wsdl&b_action=cps.wsdl
Example for a servlet gateway:
http://172.0.16.1:9500/wsrp/cps4/portlets/cmm?wsdl&b_action=cps.wsdl
Using a plain ASCII editor, such as Notepad, edit the cpspt.properties file in the c8_location/cps/plumtree/webapps/gadgets/WEB-INF/classes directory.
Configure the following settings.
Parameter | Value |
cps_endpoint | The URL to connect to the report server and extract the WSDL information. Specify the URI to the gateway. For a servlet or ISAPI gateway, replace the localhost/cognos8/cgi-bin/cognos.cgi portion with the values to target the gateway. For example, http://host_name/cognos8/cgi-bin/cognos.isapi/wsrp/cps4/portlets/[package]?wsdl&b_action=cps.wsdl For instructions, see the topic about changing the gateway in the Installation and Configuration Guide. |
forward_cookies= | The names of the cookie that should be sent to the report server for single signon. Leave blank. |
cps_auth_secret | The shared secret code Cognos 8 uses to encrypt an HTTP header variable that carries the user identity. This parameter represents the authorization secret that must be shared between the Cognos portlets and the Cognos 8 server. Consider this as a secret password. Use the same value that you used for Shared Secret in Cognos Configuration. For security reasons, we recommend you specify a non-null value. |
cps_auth_namespace | The namespace ID for the Custom Java Provider. |
Go to the c8_location/cps/plumtree directory and run the following build file:
On UNIX or Linux, build.sh
On Windows, build.bat
This creates a cps-pt.war file in the c8_location/cps/plumtree/gadgets directory.
If Cognos 8 components are running using Tomcat,
Stop Cognos 8.
Copy the cps-pt.war file to the c8_location/webapps directory.
Tomcat automatically expands the WAR file and starts the remote server.
Start Cognos 8.
If Cognos 8 components are running under another type of application server, copy the cps-pt.war file to the application server.
For instructions, see the administration guide for your application server.
Single signon is configured.
Using a plain ASCII editor, such as Notepad, edit the web.config file in the drive\Program Files\Common Files\Microsoft Shared\web server extensions\60\CONFIG directory.
Find the following string:
<SSO cps_auth_namespace="" cps_auth_secret="" />
Set cps_auth_namespace to the namespace ID for the Custom Java Provider namespace.
Set cps_auth_secret to the value that you used for Shared Secret in Cognos Configuration.
If you enable single signon with the SAP Logon Ticket, you must configure Cognos 8 components with an SAP namespace that links to an SAP BW server.
Then you must copy the certificate that was generated during SAP EP installation to the SAP BW personal security environment.
Users must have the same user ID in all SAP systems that are accessed through single signon.
Before you start, ensure that you have
configured Cognos 8 components to use an SAP authentication source
For more information, see the Installation and Configuration Guide.
enabled single signon between Cognos 8 components and SAP BW
For more information, see the Installation and Configuration Guide.
installed the latest service packs on the SAP BW server
Service packs can be downloaded from SAPNET.
installed the latest hot patches for the SAP portal
installed the Enterprise Portal plug-in that corresponds to the SAP EP release or SAP BW server
For SAP releases earlier than 6.2, on SAPNET, download EP50_PLUG-IN for Basis 620 (SAPKINE32A). Using transaction SAINT, install SAPKINE32A.
installed the SAP Security Library on the SAP BW servers
From sapservX, under /general/misc/security/SAPSECU/platform, download sapsecin and sepsecu.dll and place both files in the /run directory of the SAP BW server.
To enable SSO for SAP EP, complete the procedures for single signon with SAP logon tickets in the SAP Enterprise Portal Security Guide.
If you enable single signon with user mapping, you define a Cognos data source in SAP EP. Individual users or an administrator can enter the user IDs and passwords for Cognos 8 components in the data source. You must map the users logon credentials in the data source to an LDAP or Cognos Series 7 or NTLM namespace. Portal Services iViews transmit the logon credentials to Cognos 8 components using HTTP Basic Authentication.
Configure the gateway URI that will be used by Portal Services to require authentication using HTTP Basic Authentication.
For information about configuring a URL to use HTTP Basic Authentication, see the documentation for the gateway or for your Web server.
Adjust the iView configuration to access the secure URL.
For information, see the documentation for your Web server.
In Cognos Configuration, configure a namespace to authenticate portal users.
For instructions, see the topic about configuring LDAP, NTLM, or Cognos Series 7 authentication providers in the Installation and Configuration Guide.
If you use an LDAP namespace, configure the following properties:
For the Use external identity property, change the setting to True.
For the External identity mapping property, set it to
(uid=${environment("REMOTE_USER")})
Other properties may be required. For more information, see the topic about configuring Cognos 8 components to use LDAP in the Installation and Configuration Guide.
In the SAP portal, ensure that the following properties are configured for the data source in the /PortalContent/other_vendors/every_user/com.cognos.pct.c8/systems/Cognos 8 directory:
Logon Method = UIDPW
server name = the name of the Cognos server
port number = port number of the gateway
Protocol of Target system = HTTP
User Mapping Type = admin,user
system alias (Create a system alias)
For more information, see the SAP Enterprise Portal Administration Guide.
For each Cognos iView, enable user mapping for the data source by entering the name of the system alias at the iView level, in an attribute called CPS: User Mapping Datasource.
For more information, see the SAP Enterprise Portal Administration Guide.
For each Cognos iView, set the CPS: Authentication Namespace ID property to the namespace that you want to use for authentication.
Register the Cognos credentials for the portal users.
Users can enter their own user IDs and passwords.
For more information, see the SAP Enterprise Portal Administration Guide.
We recommend that you enable secure communication between SAP EP and Cognos 8.
A secure connection, using SSL, is not required between SAP EP and Cognos 8 components. It is more important if you enabled single signon with user mapping.
The SSL security supported by SAP uses encryption above 56 bits. By default, Cognos 8 components use an encryption algorithm up to 56 bits. Cognos provides an enhanced encryption module as a complementary product. To enable SSL, you must purchase and install the Enhanced Encryption Module for OpenSSL on top of Cognos 8 components. For more information, see the Cognos Enhanced Encryption Module for OpenSSL Installation and Configuration Guide.
To enable SSL between SAP EP and Cognos 8 components, see your SAP EP security documentation.
For more information about configuring SSL in Cognos 8 components, see the topic about configuring the SSL protocol in the Installation and Configuration Guide.
After SSL is enabled, edit properties for the all iViews so that the cpsserver: CPS Connection Server property uses https instead of http.
The Portal Services portlets can use the Active Credentials objects provided by WebSphere Portal to connect to Cognos 8 components. Portal Services supports the following Active Credentials objects: HttpBasicAuth, LtpaToken, SiteMinderToken, and WebSealToken.
Credentials for the portal user are passed to the gateway using this object. For more information about Active Credential objects, see the documentation for IBM WebSphere Portal.
To use application server single signon, see the documentation for IBM WebSphere Application Server.
For information about SSL for Cognos 8 components on a WebSphere Application Server, see the topic about enabling SSL in the application server chapter of the Installation and Configuration Guide.
You can configure a portlet in Plumtree Portal to send the username and password as an HTTP Basic authentication header. The header can be used with an NTLM, LDAP, or Cognos Series 7 authentication namespace to provide single signon.
In Cognos Configuration, configure a namespace to authenticate portal users.
For instructions, see the topic about configuring LDAP, NTLM, or Cognos Series 7 authentication providers in the Installation and Configuration Guide.
Install an alternate CGI or ISAPI or servlet gateway in Cognos 8.
For instructions, see the topic about installing Cognos 8 in the Installation and Configuration Guide.
Configure the gateway.
For instructions, see the Installation and Configuration Guide.
In the administration console of the Web server, configure the virtual directories to access the gateway.
For more information, see the documentation for your Web server.
Configure the Plumtree remote server to access Cognos 8:
Edit the cpspt.properties file in the c8_location/cps/plumtree/webapps/gadgets/WEB-INF/classes directory.
Change the cps_endpoint property to indicate the URL of the gateway.
For a CGI gateway, you can use the default setting if the gateway and the remote server are on the same computer. Otherwise, replace the localhost portion with host_name:port
For a servlet or ISAPI gateway, replace the localhost/cognos8/cgi-bin/cognos.cgi portion with the values to target the gateway.
For example,
http://host_name:port/cognos8/cgi-bin/cognos.isapi/wsrp/cps4/portlets/[package]?wsdl&b_action=cps.wsdl
Set the cps_auth_namespace property to the namespace that you want to use for authentication.
If you use eTrust SiteMinder to provide single signon in your security infrastructure, you can also use it for single signon with Plumtree Portal.
You must configure a SiteMinder authentication namespace in Cognos 8. Plumtree Portal sends the SiteMinder active authentication token to the remote server, which sends the token to the Cognos 8 gateway.
In Cognos Configuration, configure a SiteMinder authentication namespace.
For instructions, see the topic about configuring SiteMinder authentication namespaces in the Installation and Configuration Guide.
Configure the remote server to forward the authentication token:
Edit the cpspt.properties file in the c8_location/cps/Plumtree/webapps/gadgets/WEB-INF/classes directory.
Change the forward_cookies property to include the name of the active authentication token that SiteMinder provides.
Change the cps_endpoint property to indicate the URL of the gateway.
For a CGI gateway, you can use the default setting if the gateway and the remote server are on the same computer. Otherwise, replace the localhost portion with host_name:port.
For a servlet or ISAPI gateway, replace the localhost/cognos8/cgi-bin/cognos.cgi portion with the values to target the gateway.
For example,
http://host_name:port/cognos8/cgi-bin/cognos.isapi/wsrp/cps4/portlets/[package]?wsdl&b_action=cps.wsdl
Change the cps_auth_namespace property to the namespace that you want to use for authentication.
