
Proven Practice

Sharing a Secured IBM Cognos 8 BI Environment


Product(s): IBM Cognos 8 BI
Area of Interest: Security


Copyright

Copyright 2008 Cognos ULC (formerly Cognos Incorporated). Cognos ULC is an IBM Company. While every attempt has been made to ensure that the information in this document is accurate and complete, some typographical errors or technical inaccuracies may exist. Cognos does not accept responsibility for any kind of loss resulting from the use of information contained in this document. This document shows the publication date. The information contained in this document is subject to change without notice. Any improvements or changes to the information contained in this document will be documented in subsequent editions. This document contains proprietary information of Cognos. All rights are reserved. No part of this document may be copied, photocopied, reproduced, stored in a retrieval system, transmitted in any form or by any means, or translated into another language without the prior written consent of Cognos. Cognos and the Cognos logo are trademarks of Cognos ULC (formerly Cognos Incorporated) in the United States and/or other countries. IBM and the IBM logo are trademarks of International Business Machines Corporation in the United States, or other countries, or both. All other names are trademarks or registered trademarks of their respective companies. Information about Cognos products can be found at www.cognos.com. This document is maintained by the Best Practices, Product and Technology team. You can send comments, suggestions, and additions to cscogpp@ca.ibm.com.

Cognos Proprietary Information

Contents

1 Introduction
1.1 Purpose
1.2 Applicability
2 Installation
2.1 Architecture
2.1.1 Overview
2.1.2 Installing Report Server and Content Manager
2.1.3 Installing Gateways
2.1.4 Configuring Report Server and Content Manager
2.1.5 Configuring the Gateways
2.1.6 Configuring the Virtual Directories
3 Administration
3.1 Approach
3.1.1 Unique Administrators
3.1.2 Common Administrator(s)
3.1.3 Zero Footprint


1 Introduction

1.1 Purpose

This document provides a set of proven practices to be taken into consideration when securing the IBM Cognos 8 BI reporting environment. The recommendations are designed to be used in an environment that requires more than one security source, but where the security sources are mutually exclusive. In other words, each security source is unaware of the existence of any additional security sources. The scenario for this document is that two organizations within a company, Sales and Finance, require the use of IBM Cognos 8. The intended audience for this white paper is IBM Cognos administrators, who will be responsible for designing the IBM Cognos 8 architecture and/or developing the project. The contents are not relevant to end users, as most of the recommendations need to be implemented prior to end user rollout.

1.2 Applicability

Although written with both Windows and UNIX servers in mind, the document examples are Windows based. All techniques and recommendations are independent of the operating system. The environments used during the creation of this document were Sun One LDAP sources, but the outlined techniques apply to any supported authentication source. Two authentication providers were used, but the technique is scalable to any number of providers. The key to the technique is that the authentication providers have a 1:1 relationship with the gateways. So if there are seven providers, seven gateways would have to be installed. All components were installed on one server for ease of use, but the technique supports using any number of servers and/or platforms. For simplicity's sake, just one Report Server and Content Manager, as well as two gateways, were installed for the creation of this document. The technique is not limited to one Report Server or Content Manager.


2 Installation

2.1 Architecture

2.1.1 Overview

The IBM Cognos 8 BI architecture is very different from the architecture shared by the IBM Cognos Series 7 family of products. With IBM Cognos Series 7, once a component was installed to a certain directory, a registry key was created and all future components would have to be installed to the location specified by that key. This meant that if multiple gateways were required, they would have to be installed on separate web servers. Another hurdle faced with this architecture was which gateway would be used and at which moment. With IBM Cognos 8, the ability to install components to the same server in different locations presents more opportunities in how the product is deployed. Multiple entry points (gateways) are now supported with the new architecture, and all requests will be returned to the entry point that received the initial request. The technique described in this document uses two gateways, two authentication providers and one common Cognos Connection portal and Report Server.

2.1.2 Installing Report Server and Content Manager

The first components to be installed are the Report Server and Content Manager. Select an install path, and then make sure that the following components are selected from the installable components menu. The path D:\cognos8 was used for the creation of this document.

Once the installation has completed, do not launch Cognos Configuration at this time. The configuration of the components will be covered in an upcoming section.

2.1.3 Installing Gateways

After the installation of the Content Manager and Report Server components, the gateways can then be installed. The gateways will need to be installed on a supported web server. The key to this technique is the installation path used for each IBM Cognos 8 gateway. One gateway is installed to the D:\cognos8 gateways\Sales directory and the other to the D:\cognos8 gateways\Finance directory. The install process will need to be repeated for every desired gateway.


To select just the gateway component, make sure that the following option is selected from the installable components menu.

It is also important to specify different Shortcut Folder names. This needs to be done so that both Cognos Configuration GUIs can be launched via the Programs menu. For this install, Cognos 8 Sales Gateway and Cognos 8 Finance Gateway were used as the Shortcut Folder names.

Once the installation has completed, do not launch Cognos Configuration at this time. The configuration of the components will be covered in an upcoming section. The resulting directory structure should look like the following:


2.1.4 Configuring Report Server and Content Manager

Now that the necessary components have been installed, they must be properly configured. There are no special considerations to note when configuring the Report Server and Content Manager pieces. The only thing that is required to make the shared secure environments technique a success is to ensure that the required authentication providers have been added.

To enable the authentication providers, make sure that anonymous access has been disabled in Cognos Configuration.

Save the configuration settings and start the IBM Cognos 8 service.

2.1.5 Configuring the Gateways

Configuring the gateways is the important step in obtaining a shared secure IBM Cognos 8 environment. There are not a lot of configuration parameters to modify, but they are important. The first parameter to modify is to set a default namespace for the gateway. Without the default gateway namespace, any requests received from this gateway will first prompt the user to select a namespace, which defeats the purpose of the technique.


To force a gateway to use a specific authentication provider, the gateway namespace parameter must be supplied. In addition to the gateway namespace, the Controller URI for the gateway must be changed to use the virtual directory that will be accessed by the Sales users.

It is important to note that the namespace ID must be specified, not the name of the provider. If the namespace ID is unknown, it can be obtained by verifying the namespace ID parameter in the Cognos Configuration interface for the Report Server and Content Manager components.

This step will have to be repeated for all subsequent gateways and namespace IDs, taking care to assign the proper namespace ID to its corresponding gateway.

Note: When using the common administrator approach as outlined in section 3.1.2, a gateway must be installed in which no namespace is hardcoded. This will allow for logging into multiple namespaces.

2.1.6 Configuring the Virtual Directories

Once both gateways have been configured to default to the appropriate namespace, a distinct set of virtual directories will have to be created within the web server. Each security namespace will have its own unique set of virtual directories.

These distinct entry points will be distributed to the appropriate end user groups. So all users from the Sales organization will be using http://webserver/sales/cgi-bin/cognos.cgi and users from Finance will be accessing Cognos Connection via http://webserver/finance/cgi-bin/cognos.cgi. As indicated in section 1.2, the gateways can be installed on different web servers if desired.
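The rules from sections 1.2, 2.1.5 and 2.1.6 can be checked mechanically before the entry points are handed out. The following is an added example, not part of the original document or of IBM Cognos: the inventory format, the field names and the namespace IDs `SalesLDAP` and `FinanceLDAP` are assumptions constructed for illustration.

```python
# Added example: inventory format and field names are assumptions, not Cognos files.
from collections import Counter

# Namespace ID -> provider display name, as configured on Content Manager (constructed).
NAMESPACES = {"SalesLDAP": "Sales LDAP", "FinanceLDAP": "Finance LDAP"}

# One record per installed gateway (constructed values).
GATEWAYS = [
    {"path": "/sales", "namespace": "SalesLDAP"},
    {"path": "/finance", "namespace": "Finance LDAP"},  # display name, not the ID
    {"path": "/admin", "namespace": None},              # common-administrator gateway
]

def audit_gateways(gateways, namespaces, common_admin=False):
    """Return a sorted list of findings; an empty list means the mapping is consistent."""
    findings = []
    names = set(namespaces.values())
    bound = [g["namespace"] for g in gateways if g["namespace"]]
    for g in gateways:
        ns = g["namespace"]
        if ns is None:
            if not common_admin:
                findings.append(f"{g['path']}: no default namespace, users will be prompted")
        elif ns not in namespaces:
            hint = " (this is a display name, use the namespace ID)" if ns in names else ""
            findings.append(f"{g['path']}: unknown namespace ID '{ns}'{hint}")
    # Providers and gateways must have a 1:1 relationship.
    for ns, count in Counter(bound).items():
        if count > 1:
            findings.append(f"namespace '{ns}' is bound to {count} gateways, expected 1")
    for ns in namespaces:
        if ns not in bound:
            findings.append(f"namespace '{ns}' has no gateway")
    # Each namespace needs its own set of virtual directories.
    for path, count in Counter(g["path"] for g in gateways).items():
        if count > 1:
            findings.append(f"virtual directory '{path}' is used by {count} gateways")
    if common_admin and not any(g["namespace"] is None for g in gateways):
        findings.append("common administrator approach needs a gateway with no namespace")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_gateways(GATEWAYS, NAMESPACES, common_admin=True):
        print(finding)
```

With the constructed inventory, the Finance gateway is flagged because it carries the provider's display name instead of the namespace ID, which also leaves the Finance namespace without a gateway.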


3 Administration

3.1 Approach

Part of this technique hinges on how the administration of the namespaces and the IBM Cognos 8 environment will be handled. It first must be determined whether there will be individual administrators for each namespace, or an account(s) that will handle the administration for all namespaces. The following sections cover both scenarios: administrators for each namespace, and a single administrative account for all namespaces.

3.1.1 Unique Administrators

This approach designates one (or more) administrator from each namespace to handle the security administration for their respective namespace. The assumption is made that each namespace is mutually exclusive, and therefore no reports or packages will be accessed by members from different namespaces. If some reports or packages need to be shared between namespaces, the technique outlined in section 3.1.2 would be a more suitable approach.

Once the administrators have been defined, those accounts will need to be added to the System Administrators role in Cognos Connection. Because a member of the Sales namespace will not be able to access accounts in the Finance namespace, each administrator will have to log in and add their account(s) to the membership. After the last administrative account has been added, the Everyone group can be removed from the System Administrators role. In an environment with one administrative account per namespace, the membership of the System Administrators group would look similar to:


Notice that when logged in as the user from the Finance namespace, a second member will be visible, but no name will be displayed. This is because the finance user does not have access to see objects from the other namespace. After membership to the System Administrators group has been configured, each namespace administrator will be responsible for setting and maintaining object security for the objects tied to their corresponding namespace.

3.1.2 Common Administrator(s)

This approach places one (or more) administrators in multiple namespaces and requires a separate gateway to be accessed for administrative purposes (see the note in section 2.1.5). Once the administrative gateway has been installed and accessed by the administrator, a namespace must be chosen. Because the administrator will have to log into both namespaces to maintain object security, any namespace can be selected.

A gateway with no set namespace must be installed because, when logging into a namespace, all subsequent login attempts will default to the same gateway. This would prevent the ability to log into multiple namespaces. Once logged into a namespace, Sales LDAP in this example, Cognos Connection will be displayed. Login to the Finance LDAP namespace will be required and can be achieved by clicking on the Log On link.

Upon successful login to all namespaces, they will become active and navigating them will be possible by accessing the Tools -> Directory link.


Similar to the previous approach of having unique administrators, the membership of the System Administrators role will have to be defined. The System Administrators Members tab will appear and both account names will be visible. This is because the user logged in has access to see both namespaces.

3.1.3 Zero Footprint

Certain shared environments require an elevated degree of confidentiality. These environments typically dictate that any one particular namespace should be oblivious to the existence of any other configured namespaces. To achieve this level of functionality, administrative users from each namespace should be added to the Directory Administrators role and not the System Administrators role. It is impossible to deny access to an object for any member of the System Administrators role.

Note: At least one user account from each namespace will be required in the System Administrators role so that the technique can be executed. These user accounts should be specially created for this purpose and should not be used for any other purpose than to administer the system.

In the following example, there are two namespaces that will co-exist in one environment while maintaining the appearance that only one namespace has been configured. One account from each namespace (ENT and SunOne) has been added to the System Administrators role.


Once the System Administrators membership has been decided, the user accounts that will be administering each namespace will have to be added to the Directory Administrators role. Adding one or more user accounts from each namespace into the Directory Administrators role will permit self administration of the namespace.


To ensure that directory administrators only see the namespace that they have access to administer, permissions on the namespace object will have to be modified. The default permissions set on a namespace tied to an external authentication provider allow read access to members of the Everyone group, as well as to members of the namespace itself.

The first thing that should be done is to remove the Everyone group from the access control list. The next step, and this one is the most important, is to add all of the other namespaces to the list and DENY all permissions for them. The resulting dialog box for the SunOne namespace would be:


Whenever a user from the Directory Administrators role logs in and accesses the Directory tool, only the namespace of which they are a member will be displayed. In the following screen capture, the directory administrator account from the SunOne namespace is logged in.

When a system administrator logs in and accesses the same tool, the resulting display will contain all namespaces. The following screen capture shows a system administrator from the SunOne namespace.

NOTE: This functionality is only available out of the box in the IBM Cognos 8 MR2 release.
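The access control list changes in section 3.1.3 lend themselves to a periodic audit. The following is an added example, not part of the original document or of IBM Cognos: it uses a simplified permission model (an explicit deny overrides any grant, and members of the System Administrators role cannot be denied), and the ACL data structure is an assumption constructed for illustration.

```python
# Added example: the ACL model below is a simplified assumption, not a Cognos API.
SYSADMIN = "System Administrators"
DIRADMIN = "Directory Administrators"
EVERYONE = "Everyone"

# Namespace object ACLs (constructed). Each entry: principal -> "grant" or "deny".
ACLS = {
    "SunOne": {"SunOne": "grant", "ENT": "deny"},
    "ENT": {"ENT": "grant", EVERYONE: "grant"},  # default Everyone entry left in place
}

def audit_acls(acls):
    """Flag namespaces whose ACL still exposes them to members of other namespaces."""
    findings = []
    for ns, acl in sorted(acls.items()):
        if EVERYONE in acl:
            findings.append(f"{ns}: remove the Everyone group")
        for other in sorted(set(acls) - {ns}):
            if acl.get(other) != "deny":
                findings.append(f"{ns}: add {other} and deny all permissions")
    return findings

def visible_namespaces(acls, home_ns, roles):
    """Namespaces a user from home_ns sees in the Directory tool under this model."""
    if SYSADMIN in roles:  # access cannot be denied to members of this role
        return sorted(acls)
    principals = {home_ns, EVERYONE}
    seen = []
    for ns, acl in acls.items():
        if any(acl.get(p) == "deny" for p in principals):
            continue  # an explicit deny wins over any grant
        if any(acl.get(p) == "grant" for p in principals):
            seen.append(ns)
    return sorted(seen)

if __name__ == "__main__":
    print(audit_acls(ACLS))
    print(visible_namespaces(ACLS, "SunOne", {DIRADMIN}))  # ENT leaks via Everyone
    print(visible_namespaces(ACLS, "ENT", {DIRADMIN}))
```

In the constructed data the ENT namespace still carries the default Everyone entry, so a SunOne directory administrator can see it, while the hardened SunOne namespace stays hidden from ENT directory administrators.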
