Monday, 21 April 2014

Integrating Tivoli Directory Server (TDS) with IBM Cognos BI to provide secure & multitenant environment


IBM Cognos Business Intelligence (BI) is an enterprise-class, web-based, integrated business intelligence suite from IBM. Its toolset covers not only traditional BI capabilities such as reporting, analysis, scorecarding and monitoring of events and metrics, but also planning, scenario modeling, real-time monitoring and predictive analytics. These capabilities are delivered through an easy-to-use, unified experience with collaboration and social networking features. IBM Cognos BI has a service-oriented architecture designed for scalability, availability and openness.

IBM Tivoli Directory Server (TDS) is an enterprise LDAP directory that serves as an authoritative identity store and is therefore a critical enabler for enterprise security. It is part of the IBM Security Integrated Identity Management portfolio and plays a key role in building the identity data infrastructure for applications such as identity management, portals and web services. It provides a directory server that stores entries in a DB2 database, plus a proxy server that routes LDAP operations to the back-end directory servers that hold the data. The product was later renamed IBM Security Directory Server; it ships with client utilities and graphical tools such as the Instance Administration Tool (idsxinst) and the Configuration Tool (idsxcfg) for managing server instances.

IBM Tivoli Directory Server provides:

  • Industry-standard architecture and broad platform support for a range of operating systems and applications and a variety of heterogeneous environments.
  • Strong scalability and flexibility to support hundreds of millions of entries using IBM DB2 technology and a built-in proxy-server.
  • Availability to support an identity data infrastructure for global online applications such as consumer-driven web services.
  • The ability to help you manage identities in the cloud.
  • Robust auditing and reporting, including connectivity to IBM QRadar SIEM and sample reports that give visibility into the repository.

You can use IBM TDS as a trusted identity store for authentication. Cognos BI does not provide its own authentication mechanism; it delegates to an authentication source that you already use across enterprise applications. In this article the objective is to use the existing authentication and data-transfer security features of a TDS-based LDAP directory with IBM Cognos BI in order to secure BI assets and set up a multi-tenant environment.

This blog article describes the step by step procedure for –

1)     Setting up TDS 6.2 environment on Windows 7 OS

2)     Integrating IBM Cognos BI 10.2.1 Server with TDS 6.2.

3)     Enabling multitenancy for the Cognos BI environment

Setting up TDS 6.2 Environment on Windows 7 OS

1)     Installing TDS 6.2 is straightforward: double-click install_tds.exe and follow the wizard. Later releases are installed through IBM Installation Manager instead; the steps are documented here - http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDS.doc_6.3.1/concept/c_ig_InstallationWithIBMInstallationManager.html

2)     When the installation completes, you can see the 'IBM Tivoli Directory …' Windows services (Start->Programs->Administrative Tools->Services). The default port used by TDS for the LDAP service is 389; this is plain LDAP, on which bind credentials and query results travel in clear text. For anything beyond a lab, enable SSL on the instance (LDAP over SSL uses port 636 by default) and point Cognos at the secure port.




3)     To create and manage directory instances, click "Instance Administration Tool" in the "IBM Tivoli Directory Server 6.2" folder under Start Menu -> All Programs, as shown in the snapshot.




4)     Click the "Manage…" button to open the TDS Configuration Tool. Besides showing information about your setup, it lets you perform the tasks listed in the left-hand panel, as shown in the snapshot below. Click the "Manage suffixes" task.




5)     We need to add "dc=example,dc=com" as a new suffix before importing the example LDIF. After it is added it appears in the "Current suffix DNs" list.


6)     A glimpse of the sample LDIF is shown in the snapshot below; you can download the attachment (http://www.megafileupload.com/en/file/521432/IBM-TDS62-ldif.html) and change it as per your requirements. It creates 11 users with the user IDs admin and user1 – user10, all with the password "password". That is acceptable for a lab, but never import accounts with shared, guessable passwords into a directory that production Cognos users can authenticate against. Let's click "Import LDIF data".


7)     Import sample LDIF file.



8)     Once the import completes, start the server instance from the "Manage Server State" task on the left, as shown in the snapshot below.
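Because the LDIF attachment is hosted externally and ships every account with the same clear-text password, here is an added example (mine, not the post's attachment) that generates an equivalent LDIF for the dc=example,dc=com suffix with salted-hash passwords and checks the result. It also gives each user an `l` (locality) attribute carrying a tenant name, which is the attribute the multitenancy section at the end of this article maps to the tenantID custom property. Assumptions not taken from the page: the suffix has already been added in the Configuration Tool, the instance accepts pre-hashed userPassword values with the {SSHA} prefix (verify against the instance's password-encryption setting), and the tenant split of user1–user5 versus user6–user10 is constructed sample data.

```python
"""Build and sanity-check an LDIF for the dc=example,dc=com suffix used in this walkthrough.

Added example, not the LDIF attached to the original post. Assumptions (not from the page):
- the suffix dc=example,dc=com has already been added in the Configuration Tool;
- the instance accepts pre-hashed userPassword values with the {SSHA} prefix
  (check the instance's password-encryption setting before relying on this);
- each user's tenant is carried in the standard 'l' (locality) attribute,
  which the multitenancy section later maps to the custom property tenantID.
"""
import base64
import hashlib
import os
from typing import Dict, List, Optional

SUFFIX = "dc=example,dc=com"
USERS_OU = "ou=users," + SUFFIX

# Constructed sample population: admin plus user1..user10 split across two tenants.
TENANT_OF: Dict[str, str] = {"admin": "corp"}
TENANT_OF.update({"user%d" % i: ("tenantA" if i <= 5 else "tenantB") for i in range(1, 11)})


def ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 in the {SSHA} form LDAP servers store; the salt is appended to the digest."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: str, stored: str) -> bool:
    """Verify a clear-text password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes, the rest is salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def build_ldif(passwords: Dict[str, str], salt: Optional[bytes] = None) -> str:
    """Return LDIF text: the domain entry, ou=users, and one inetOrgPerson per uid in TENANT_OF."""
    blocks = [
        ["dn: " + SUFFIX, "objectclass: top", "objectclass: domain", "dc: example"],
        ["dn: " + USERS_OU, "objectclass: top", "objectclass: organizationalUnit", "ou: users"],
    ]
    for uid, tenant in TENANT_OF.items():
        blocks.append([
            "dn: uid=%s,%s" % (uid, USERS_OU),
            "objectclass: top",
            "objectclass: person",
            "objectclass: organizationalPerson",
            "objectclass: inetOrgPerson",
            "uid: " + uid,
            "cn: " + uid,
            "sn: " + uid,
            "mail: %s@example.com" % uid,
            "l: " + tenant,                     # tenant marker read by the Cognos namespace
            "userPassword: " + ssha(passwords[uid], salt),
        ])
    return "\n\n".join("\n".join(b) for b in blocks) + "\n"


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader (no line folding, no base64 '::' values) keyed by DN, to check the output."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    for block in text.strip().split("\n\n"):
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, value = line.split(": ", 1)
            attrs.setdefault(name, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries


if __name__ == "__main__":
    # Constructed demo passwords; in practice take them from a secret store, never from the LDIF.
    demo = {uid: "Tmp-%s-Pw!" % uid for uid in TENANT_OF}
    print(build_ldif(demo), end="")
```

Redirect the output to a file and import it with the "Import LDIF data" task exactly as the attachment would be imported; `parse_ldif` and `check_ssha` let you confirm before the import that each user carries a tenant value and that no clear-text password made it into the file.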




Integrating IBM Cognos BI 10.2.1 Server with TDS 6.2

It is assumed that the Cognos BI 10.2.1 server is already installed and working. Open 'IBM Cognos Configuration' from Start -> All Programs -> IBM Cognos 10 – 64.

1)      In the Explorer window, under Security, right-click Authentication, and then click New resource -> Namespace.

In the Name box, type a name for your authentication namespace (we used ‘IBM_TDS62’ here) and in the Type list, select ‘LDAP – Default values for IBM Tivoli’ and click OK.




2)      Select the newly created namespace. In the 'Resource Properties' window on the right, set the Namespace ID property to a unique identifier for the namespace (TivoliLDAP in the screenshot below). All entries marked with red arrows were entered manually to match the TDS environment created in the previous section.




 3)     If you want Cognos to bind to the directory server with a specific bind user DN (Distinguished Name) and password when performing searches, specify these values.



If no values are specified, the LDAP authentication provider binds anonymously, which only works if the directory permits anonymous searches of the user tree; a dedicated read-only bind account is the usual choice.

If external identity mapping is enabled, the bind user DN and password are used for all LDAP access. If external identity mapping is not enabled, they are used only when a search filter is specified for the User lookup property; otherwise Cognos binds with the credentials the user supplies.

4)     You can expose TDS user attributes in the namespace configuration. To do so, map each attribute to the appropriate property name, as shown in the snapshot below. 'Custom properties' become available as session parameters in Framework Manager.

 

 5)     From the File menu, click Save. Test connectivity to the namespace by right-clicking its name under Security, Authentication and selecting Test. If the test is successful, this message box appears.



To disable anonymous access to Cognos, set the 'Allow anonymous access?' property of the 'Cognos' namespace to false, as shown in the snapshot below. Until you do, the portal can still be used without logging in, which defeats the purpose of adding the LDAP namespace.



6)     Restart the Cognos service from the toolbar.


7)     Now anyone who wants to access Cognos (http://localhost/ibmcognos) is asked for authentication credentials. Let us log in with the LDAP administrator credentials.



At this point every authenticated user, not only the directory administrator, has Cognos administrative privileges, because the built-in System Administrators role initially contains the Everyone group. The first task after logging in is therefore to add your directory administrators to that role and remove Everyone from it. Go to Cognos Administration.


8)     In 'IBM Cognos Administration', open 'Users, Groups, and Roles' under the 'Security' tab. You can see the new namespace (IBM_TDS62). Click it to view all users that belong to the directory.


The administrator can now assign privileges and roles to these directory users according to the application's security requirements by setting the relevant properties. Once permissions are assigned, the LDAP users are ready to use Cognos BI. For more information on security, refer to the "IBM Cognos BI Administration and Security Guide".

Enable Multitenancy for Cognos BI environment

1) Multitenancy is enabled by setting the multitenant properties in the IBM Cognos Configuration tool. Select Security->Authentication->IBM_TDS62 in the Explorer (left pane). Open 'Advanced Properties' in the Resource properties pane on the right and add two new values before pressing OK -

a)     Name – ‘multitenancy.TenantPattern’ value – ‘~/parameters/tenantID’

b)     Name – ‘AdditionalUserPropertiesToQuery’ value – ‘parameters’



2) Now select 'Custom Properties' in the Resource properties pane on the right and add a new value –

Name – 'tenantID' value – 'l'

The value is the name of the LDAP attribute whose contents identify the user's tenant; here the standard locality attribute l is used, so each user's tenant is whatever the directory holds in l for that user. Make sure every user entry actually carries the attribute, otherwise that user's tenant ID resolves to an empty value.




3) From the File menu, click Save. Test connectivity to the namespace by right-clicking its name under Security, Authentication and selecting Test. If the test is successful, this message box appears.


4) Save the configuration and restart Cognos service. Your Cognos multitenancy feature is enabled. 

Many tasks follow this step before a BI project realizes the benefits of multitenancy. Please refer to my previous blog article http://vmanoria.blogspot.in/2014/03/ibm-cognos-bi-setting-up-multi-tenancy.html to see how to manage and administer a multi-tenant environment.