Wednesday 20 February 2013

Using Apache Directory Server (ApacheDS) based LDAP to secure IBM Cognos 10.2 BI environment



IBM Cognos 10.2 Business Intelligence (BI) is a enterprise class, web-based, integrated business intelligence suite by IBM which provides toolset not only traditional BI capabilities like reporting, analysis, scorecarding, monitoring of events and metrics but also expands these capabilities with planning, scenario modeling, real-time monitoring, and predictive analytics. These capabilities deliver an easy-to-use and unified experience that is collaboration and social networking enabled. The IBM Cognos BI has Service-oriented architecture - designed for scalability, availability, and openness. 

The Apache Directory Project (http://directory.apache.org/ ) is an open source project of the Apache Software Foundation, provides directory solutions entirely written in Java. These include a directory server, which has been certified as LDAP v3 compliant by the Open Group (ApacheDS), and Eclipse-based directory tools (Apache Directory Studio). In below sections, we’ll use both in our integration steps. 

ApacheDS is an extensible and embeddable directory server entirely written in Java, which has been certified LDAPv3 compatible by the Open Group. Besides LDAP (Lightweight Directory Access Protocol) it supports Kerberos 5 and the Change Password Protocol. It has been designed to introduce triggers, stored procedures, queues and views to the world of LDAP which has lacked these rich constructs.

Apache Directory Studio is an Eclipse RCP application and a complete directory tooling platform intended to be used with any LDAP server however it is particularly designed for use with the ApacheDS.

This blog article describes the step by step procedure for –
1)     Setting up ApacheDS environment
2)     Integrating IBM Cognos 10.2  Business Intelligence Server with ApacheDS 2.0.0-M10.

Using ApacheDS (LDAP repository) with IBM Cognos 10.2 BI one can leverage existing security features for authentication and data transfer.  

Setting up ApacheDS & Apache Directory Studio Environment

1) ApacheDS is a multi-platform application and runs on Mac OS X, Linux and Windows. Open http://directory.apache.org/apacheds/downloads.html in browser and download installer (~10MB) for your platform. Also download users guide from ‘Documentation’ section shown below in screenshot.


2) Installation process should be started by double clicking on downloaded .exe file (in case of Windows. Installation steps are easy to follow. Attention needed on below shown screen that asks to locate the java run time (JRE 1.6). Users who don’t have JRE installed should abandon the install (click Cancel). Install the JRE and re-run the ApacheDS install. In case JRE is already installed, assign the path and complete the installation.


3) On the completion of installation, you can see ‘ApacheDS – default’ as a new windows service (Start->Programs->Administrative Tools->Services). The default port used by ApacheDS for ldap service is 10389.


4) Installer (~140 MB) for Apache Directory Studio can be downloaded from http://directory.apache.org/studio/downloads.html. Also download user guide from ‘Documentation’ section shown below in screenshot. Installation steps are similar to ApacheDS.


5) Once installed you can find folders & icons in ‘Start -> Program Files’ as shown below. Click on ‘Apache Directory Studio’ link in ‘Apache Directory Studio’ folder. First time it should show you Welcome screen. You may close it.


 










6) Create Connection with LDAP server –

The bottom left corner shows all of the LDAP connections. As can be seen, the view is empty, meaning a connection still needs to be specified. To create a new connection, click the New Connection button.


In the wizard's first page enter a connection name as well as the hostname and the port of the LDAP server. To check the connection parameter you entered you may click to Check Network Parameter. Click Next when done.
Here is a list of common directory servers and the ports they use by default: 
Directory Server
Default Port
Apache Directory Server
10389
OpenDS
1389
OpenLDAP, Fedora, Sun, Active Directory
389




In the wizard's second page select the authentication method. If you choose the simple bind method also enter your bind DN or user and bind password. To check the authentication parameter you entered you may click to Check Authentication. Click Finish when done.

Here is a list of common directory servers and the administrator's bind DN and password they use by default:
 

Directory Server
Default Bind DN
Default Bind Password
Apache Directory Server
uid=admin,ou=system
secret
OpenDS, Sun, Fedora
cn=Directory Manager
specified at setup
OpenLDAP
specified at setup, see slapd.conf
specified at setup, see slapd.conf


Observe that the Connections view now shows the created connection. You can view and change its configuration by right clicking and selecting ‘Open Configuration’.

6) Browse the directory –

The LDAP Browser view is on the top left. The category DIT shows the hierarchical content of the directory. You may expand and collapse the tree. When selecting an entry its attributes and values will be displayed in an Entry editor.

In the DIT category the directory information tree of the LDAP directory is displayed in its natural hierarchical structure. The first hierachy level contains the base entries, the Root DSE and the schema entry. When expanding an entry its direct children are fetched from directory. To expand and collapse an entry you could also double-click.
The following icons are used to distinguish entry types:

Icon
Description
Entry with object class person, inetOrgPerson, posixAccount, user
Entry with object class groupOfNames, groupOfUniqueNames, posixGroup, group
Entry with object class organization, organizationalUnit, container
Entry with object class domain, domainComponent, country, locality
Entry with object class alias
Entry with object class referral
The schema entry.
The root DSE entry.
All other entries

Below screenshot showing the attributes for User admin (uid=admin). To add more attributes as per your needs, click on ‘New Attribute…’ icon (pointed with arrow below).


7) Create a sample hierarchy structure in “dc=eaxmple,dc=com” domain –
By default, there’s no entry under dc=eaxmple,dc=com
Right click on  dc=eaxmple,dc=com and select New > New Entry... that Opens the ‘New Entry wizard’. This wizard helps you to create a new entry. The creation of a new LDAP entry is a four-step process:

  1. Select entry creation method.
  2. Specify object classes of the new entry.
  3. Specifiy the distinguished name of the new entry.
  4. Enter attributes and values of the new entry.

Final structure should look as shown in screenshot below. Also note that many attributes are added for every user. Please refer to user guide in case more information required.




Integrating IBM Cognos 10.2  BI Server with ApacheDS

1. It is assumed that Cognos 10.2 BI server is already installed and is in working condition. Open ‘IBM Cognos Configuration’ from Start -> All Programs -> IBM Cognos 10 – 64.

In the Explorer window, under Security, right-click Authentication, and then click New resource -> Namespace.





In the Name box, type a name for your authentication namespace (we used ‘ADS’ here) and in the Type list, select ‘LDAP – General default values’ and click OK.

Select the newly created namespace. In the ‘Resource Properties’ window in right, for the Namespace ID property, specify a unique identifier for the namespace as LDAP_ADS is assigned in the below screenshot. All entries with Red arrows are manually provided to integrate with the ApacheDS environment we created in above section.


If you want the ApacheDS to bind to the directory server using a specific Bind user DN (Distinguished Name) and password when performing searches, then specify these values. 
If no values are specified, the LDAP authentication provider binds as anonymous.
If external identity mapping is enabled, Bind user DN and password are used for all LDAP access. If external identity mapping is not enabled, Bind user DN and password are used only when a search filter is specified for the User lookup property.
You can use user attributes from ApacheDS in namespace configuration. To configure this, you must map these attributes with appropriate property name as shown in below snapshot.
‘Custom properties’ would be available as session parameters through Framework Manager.



From the File menu, click Save. Test connectivity to the namespace by right clicking on the name under Security, Authentication and selecting test. If the test is successful, this message box will appear.


If you want to disable anonymous access, make sure you disable it by setting ‘Allow anonymous access?’ property for ‘Cognos’ namespace as shown below in snapshot.



Restart Cognos service from toolbar.  
Now anyone who wants to access Cognos (http://localhost/ibmcognos), would be asked for authentication credential. Let us login with LDAP administrator credential.
                                                                                                                

Directory administrator would have Cognos admin privileges. Go to Cognos administration.



In ‘IBM Cognos Administration’, explore ‘Users, Groups, and Roles’ under ‘Security’ tab. One can see the new namespace (ADS). Click on it to view all users belongs to the directory.


Administrator now can assign different privileges and roles to these directory users as per application security requirements by setting relevant properties. Once security permissions are assigned, LDAP users are ready to use Cognos BI. For more information on security, please refer to “IBM Cognos BI Administration and Security Guide”.






13 comments:

  1. Great post. My friend suggested that I use cognos bi for my business. She was trying to explain it but she didn't so well. This was very helpful, I will have to bookmark this. Thanks so much for sharing.

    ReplyDelete
  2. Thanks Vikas alot, this page really help me a lot.....

    ReplyDelete
  3. Thanks for your comments Lauren and Satya.

    ReplyDelete
  4. Cool Vikas, awesome! I was struggling to get the same done in TM1. Now I've got a way through TM1.I dowloaded ADS a couple of days back and was trying to use with TM1. But was getting some issues which I'm yet unable to resolve. But I've got a new way now. BTW, any idea how we can generate the keystore from ADS for SSL? I could not find a feature that does this?

    ReplyDelete
  5. Amazing Post !! Very useful !!

    ReplyDelete
  6. Thanks Vikas ,for example really good

    ReplyDelete
  7. Vikas, I was struck at Bind DN and password.
    I was unable to authenticate. What ID and password should i give?

    ReplyDelete
    Replies
    1. Hi Cquash,

      Please use default Bind ID (uid=admin,ou=system) and password (secret) for Apache Directory Server.

      Delete
  8. Hello Vikas, thank you for this great post. After configuring the ApacheDS in the Cognos Configuration I only can see the users in the IBM Cognos Administration, but not the organizationalUnits. Do you have any ideas for this issue? I already checked the mappings in the Cognos Configuration.

    ReplyDelete
  9. Hi ManfredC, Glad to know that this blog was helpful. When you say OrganizationalUnits, do you mean "User groups"?

    ReplyDelete
  10. The things I don't see in the IBM Cognos Administration right now are the Folders (mapped from object class 'organizationalUnit' in ApacheDS) and the User Groups (mapped from object class 'groupOfUniqueNames" in ApacheDS).
    I'm wondering if this is a bug in Cognos BI 10.2.1.1 or if i did something wrong in the configuration. My Folder/Group mappings are the same as yours.

    ReplyDelete
  11. Hello Vikas...Great post.. Really helped me. Thanks a lot ...

    ReplyDelete