Cognos 10.2.2 Single Sign-On

This post should be titled Cognos 10.2.2 SSO déjà vu, because in my previous post I figured out how to enable single sign-on between WebSphere Portal and Cognos 10.2.1.  Then 10.2.2 came out, and I needed to figure out how to enable SSO … again.

What’s the Same?

The concepts and practices behind WebSphere SSO are exactly the same as in my other article.  You’ll still be exporting an LTPA key, using the same user registry across servers, and using fully qualified domain names.  You’ll also be configuring cogconfig to set up the external identity mapping.

What’s Different?

By default Cognos 10.2.2 uses the WebSphere Liberty Profile.  This removes the need to install WebSphere Full Profile, but Liberty has no administrative console, so you’ll need to edit server.xml by hand to configure the LDAP registry and the LTPA keys.

Locate the file \cognos\c10_64\wlp\usr\servers\cognosserver\server.xml.  It defines the application server listening on port 9300 and running p2pd.  We’ll simply update it to enable LDAP security.  The important settings are the appSecurity-2.0 and ldapRegistry-3.0 features, the ldapRegistry element and the ltpa element.

<?xml version="1.0" encoding="UTF-8"?>
<!--
 Licensed Materials - Property of IBM
 IBM Cognos Products: disp
 (C) Copyright IBM Corp. 2013 2014
 US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
-->
<server description="Cognos 10">
  <featureManager>
    <feature>servlet-3.0</feature>
    <feature>monitor-1.0</feature>
    <feature>jsp-2.2</feature>
    <feature>appSecurity-2.0</feature>
    <feature>ldapRegistry-3.0</feature>
  </featureManager>
  <logging consoleLogLevel="ERROR" logDirectory="${install.dir}/logs" messageFileName="p2pd_messages.log"/>
  <application autoStart="true" id="p2pd" location="${install.dir}/webapps/p2pd" name="p2pd" type="war">
    <classloader apiTypeVisibility="spec" privateLibraryRef="p2pd"/>
  </application>
  <httpEndpoint id="defaultHttpEndpoint" httpPort="9300" host="*"/>
  <library id="p2pd" apiTypeVisibility="spec">
    <fileset dir="${install.dir}/bin" includes="jcam_jni.jar"/>
  </library>
  <config monitorConfiguration="false"/>
  <applicationMonitor dropins="${install.dir}/wlpdropins" updateTrigger="mbean" pollingRate="10s"/>
  <webContainer skipMetaInfResourcesProcessing="true" deferServletLoad="false" com.ibm.ws.webcontainer.servewelcomefilefromextendeddocumentroot="true" />
  <executor coreThreads="100" maxThreads="1500" />
  <ldapRegistry id="dominoLDAP" realm="defaultWIMFileBasedRealm"
                host="domino.demos.ibm.com" port="389" ignoreCase="true"
                baseDN="o=IBM"
                ldapType="IBM Tivoli Directory Server"
                sslEnabled="false">
    <idsFilters userFilter="(&amp;(uid=%v)(objectclass=dominoPerson))"
                groupFilter="(&amp;(cn=%v)(objectclass=dominoGroup))"
                userIdMap="*:uid"
                groupIdMap="*:cn"
                groupMemberIdMap="dominoGroup">
    </idsFilters>
  </ldapRegistry>
  <ltpa keysFileName="F:\IBM\cognos\c10_64_2\wlp\usr\servers\cognosserver\resources\security\ltpakey.key" keysPassword="{xor}Lz4sLCgwLTs=" expiration="125" />
  <logging traceSpecification="com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all:com.ibm.ws.wim.*=all:SASRas=all" />
</server>

First, we add the security features using the <feature> nodes.  Then we configure an LDAP registry.  A couple of points on the ldapRegistry:

  • Use your other WebSphere server’s security.xml as a guide.  It lives in the profile’s config folder under the cell name.  For example, the realm value is defined in the LDAPUserRegistry_1 node of security.xml, as are the user and group filters.
  • Notice that the userFilter writes the ampersand as &amp;.  This is not an encoding mistake on the blog.  The filter sits inside an XML attribute value, where a bare & is not well-formed XML, so the server would refuse to parse the file.
  • I could not get SSO working with my federated security WebSphere Portal server.  I think this is completely possible, but the system we finally tested SSO on was using a single user registry.  As such, the changes you see above are all that was needed.

The second logging element turns on full security tracing.  It is useful while debugging SSO, but it produces very large logs that record the details of every authentication, so remove it once SSO works.

Then you specify the LTPA keys.  When you restart the server after adding the ldapRegistry, the \cognos\c10_64\wlp\usr\servers\cognosserver\resources\security directory is created.  Copy the LTPA key file you exported from your WebSphere server into it, then add the <ltpa> node.  keysFileName points at that file and keysPassword must be the password you gave when exporting the keys; both servers must share the same keys, or the token issued by Portal will not validate on Cognos.  The keysPassword value can also be plaintext while you are testing, but keep in mind that the {xor} form is reversible obfuscation, not encryption, so anyone who can read server.xml can recover it either way.  For anything beyond a test system, encode it with securityUtility encode --encoding=aes from wlp\bin (on Liberty levels that support it) and restrict read access to server.xml and the key file.

Save, restart Cognos, and test SSO per my other article.
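As an added example (not code from the original post or from IBM), here is a small Python audit of the SSO-relevant settings in a Liberty server.xml.  It runs over a trimmed copy of the server.xml above and over a hardened variant: LDAPS on 636 through an ssl/keyStore pair whose trust store would hold the Domino LDAP certificate, {aes}-encoded secrets, and the trace element removed.  The hostnames, paths, keystore name and the {aes} ciphertext in the hardened copy are placeholders I made up; the element and attribute names (ldapRegistry sslEnabled and sslRef, ssl, keyStore, ltpa) are Liberty’s.  It also reverses the {xor} obfuscation used on the keysPassword above, and shows why the filter’s ampersand has to be written as &amp;.

```python
"""Added example, not code from the original post or from IBM: audit the
SSO-relevant settings of a Liberty server.xml and reverse {xor} obfuscation.
Hostnames, paths and the {aes} ciphertext in HARDENED_CONFIG are placeholders."""
import base64
import xml.etree.ElementTree as ET

# Constructed: the security-relevant part of the post's server.xml.
POST_CONFIG = """<server description="Cognos 10">
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>ldapRegistry-3.0</feature>
  </featureManager>
  <ldapRegistry id="dominoLDAP" realm="defaultWIMFileBasedRealm"
      host="domino.demos.ibm.com" port="389" baseDN="o=IBM"
      ldapType="IBM Tivoli Directory Server" sslEnabled="false">
    <idsFilters userFilter="(&amp;(uid=%v)(objectclass=dominoPerson))"
        groupFilter="(&amp;(cn=%v)(objectclass=dominoGroup))"
        userIdMap="*:uid" groupIdMap="*:cn" groupMemberIdMap="dominoGroup"/>
  </ldapRegistry>
  <ltpa keysFileName="resources/security/ltpakey.key"
      keysPassword="{xor}Lz4sLCgwLTs=" expiration="125"/>
  <logging traceSpecification="com.ibm.ws.security.*=all:com.ibm.ws.wim.*=all"/>
</server>"""

# Constructed hardened variant (placeholder paths/ciphertext): LDAPS through a
# trust store, secrets encoded with securityUtility encode --encoding=aes, no trace.
HARDENED_CONFIG = """<server description="Cognos 10">
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>ldapRegistry-3.0</feature>
    <feature>ssl-1.0</feature>
  </featureManager>
  <keyStore id="ldapTrust" location="resources/security/ldapTrust.p12"
      password="{aes}PLACEHOLDER"/>
  <ssl id="ldapSSL" keyStoreRef="ldapTrust" trustStoreRef="ldapTrust"/>
  <ldapRegistry id="dominoLDAP" realm="defaultWIMFileBasedRealm"
      host="domino.demos.ibm.com" port="636" baseDN="o=IBM"
      ldapType="IBM Tivoli Directory Server" sslEnabled="true" sslRef="ldapSSL">
    <idsFilters userFilter="(&amp;(uid=%v)(objectclass=dominoPerson))"
        groupFilter="(&amp;(cn=%v)(objectclass=dominoGroup))"
        userIdMap="*:uid" groupIdMap="*:cn" groupMemberIdMap="dominoGroup"/>
  </ldapRegistry>
  <ltpa keysFileName="resources/security/ltpakey.key"
      keysPassword="{aes}PLACEHOLDER" expiration="125"/>
</server>"""


def decode_xor(value):
    """Reverse WebSphere {xor} obfuscation: base64-decode, then XOR each byte with '_'."""
    raw = base64.b64decode(value[len("{xor}"):])
    return bytes(b ^ 0x5F for b in raw).decode("ascii")


def audit(server_xml):
    """Return a list of findings about the SSO-relevant settings."""
    root = ET.fromstring(server_xml)
    findings = []
    features = {f.text.strip() for f in root.iter("feature")}
    for needed in ("appSecurity-2.0", "ldapRegistry-3.0"):
        if needed not in features:
            findings.append("missing feature " + needed)
    for reg in root.iter("ldapRegistry"):
        # Liberty defaults sslEnabled to false: binds and searches go in cleartext.
        if reg.get("sslEnabled", "false").lower() != "true":
            findings.append("%s: LDAP binds and searches travel in cleartext on port %s"
                            % (reg.get("id"), reg.get("port")))
    for ltpa in root.iter("ltpa"):
        pw = ltpa.get("keysPassword", "")
        if pw.startswith("{xor}"):
            findings.append("ltpa keysPassword is only obfuscated; decodes to %r" % decode_xor(pw))
        elif not pw.startswith("{aes}"):
            findings.append("ltpa keysPassword is plaintext")
    for log in root.iter("logging"):
        spec = log.get("traceSpecification", "")
        if "=all" in spec:
            findings.append("trace left enabled (huge logs, records authentication detail): " + spec)
    return findings


def filter_is_well_formed(ldap_filter):
    """True if the LDAP filter survives as an XML attribute value as written."""
    try:
        ET.fromstring('<idsFilters userFilter="%s"/>' % ldap_filter)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for name, cfg in (("post", POST_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
    print(filter_is_well_formed("(&amp;(uid=%v))"), filter_is_well_formed("(&(uid=%v))"))
```

Run against the post’s configuration it reports three findings (cleartext LDAP on 389, a keysPassword that decodes straight back to its plaintext, and the security trace still on) and none against the hardened copy.  The parse check is the same failure Liberty hits if you write a bare & in the filter.  {aes} only raises the bar, since the encryption key is itself readable by whoever runs the server, which is why file permissions on server.xml and the key file still matter.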

Something else I found is that the static resources like images are not contained in the p2pd web application by default.  Said differently, you’ll see a bunch of broken images if you go to http://cognos.demos.ibm.com:9300/p2pd/servlet/dispatch/ext.  In the past, we would have simply re-built the WAR from cogconfig and elected to include the static resources.  Unfortunately there is no build option in cogconfig for Liberty Profile.  And I ended up simply copying the contents of \cognos\c10_64\webcontent into \cognos\c10_64\webapps\p2pd\servlet.  (You’ll need to create the servlet directory.)  There is likely a supported process to follow, but this worked for testing purposes.

We also did not need to create the security roles as documented previously.

Summary

In Cognos 10.2.2 you’re really only configuring the Liberty Profile for SSO.  If you’ve done this before in Liberty, you should have Cognos SSO completed in no time.  If you haven’t, read my previous article as well as the Liberty documentation on LDAP registry and LTPA.
