
Monday, 21 April 2014

Integrating Tivoli Directory Server (TDS) with IBM Cognos BI to provide secure & multitenant environment


IBM Cognos Business Intelligence (BI) is an enterprise-class, web-based, integrated business intelligence suite from IBM. Its toolset covers not only traditional BI capabilities such as reporting, analysis, scorecarding, and monitoring of events and metrics, but also extends them with planning, scenario modeling, real-time monitoring, and predictive analytics. These capabilities deliver an easy-to-use, unified experience with collaboration and social networking built in. IBM Cognos BI has a service-oriented architecture designed for scalability, availability, and openness.

IBM Tivoli Directory Server (TDS) is a powerful, authoritative enterprise directory infrastructure and a critical enabler for enterprise security. It is an important part of the IBM Security Integrated Identity Management portfolio and plays a key role in building the enterprise identity data infrastructure for applications such as identity management, portals, and web services. It provides a server that stores directory information in a DB2 database, and a proxy server that routes LDAP operations to the back-end directory servers that hold the data. IBM Security Directory Server (the product's later name) also provides client utilities and graphical user interfaces (GUIs), such as the Instance Administration Tool (idsxinst) and the Configuration Tool (idsxcfg), for managing servers.

IBM Tivoli Directory Server provides:

  • Industry-standard architecture and broad platform support for a range of operating systems and applications and a variety of heterogeneous environments.
  • Strong scalability and flexibility to support hundreds of millions of entries using IBM DB2 technology and a built-in proxy-server.
  • Availability to support an identity data infrastructure for global online applications such as consumer-driven web services.
  • The ability to help you manage identities in the cloud.
  • Robust auditing and reporting that provides insight with connectivity to IBM QRadar SIEM and greater visibility into repository with sample reports.

You can use IBM TDS to provide a trusted identity data infrastructure for authentication. Cognos BI does not provide its own authentication mechanism; it relies on the one you already use across your enterprise applications. The objective of this article is to use the existing authentication and data-transfer security features of a TDS-based LDAP directory with IBM Cognos BI, in order to secure BI assets and set up a multi-tenant environment.

This blog article describes the step by step procedure for –

1)     Setting up TDS 6.2 environment on Windows 7 OS

2)     Integrating IBM Cognos BI 10.2.1 Server with TDS 6.2.

3)     Enabling multitenancy for the Cognos BI environment

Also see –





Setting up TDS 6.2 Environment on Windows 7 OS

1)     Installation of TDS 6.2 is easy and intuitive: just double-click the install_tds.exe file. If you are using a later edition, you need to install it through IBM Installation Manager; the steps can be found here - http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDS.doc_6.3.1/concept/c_ig_InstallationWithIBMInstallationManager.html

2)     On completion of the installation, you can see the ‘IBM Tivoli Directory …’ Windows services (Start->Programs->Administrative Tools->Services). The default port used by TDS for the LDAP service is 389.




3)     To create and manage directory instances, click on “Instance Administration Tool” in the “IBM Tivoli Directory Server 6.2” folder under Start Menu -> All Programs, as shown in the snapshot.




4)     Click on the “Manage…” button. It opens the TDS Configuration Tool. Besides getting information about your setup, you can also perform the many tasks listed in the left-side panel, as shown in the snapshot below. Click the “Manage suffixes” task.




5)     We need to add “dc=example,dc=com” as a new suffix before importing our example LDIF. After successful addition you would see it in “Current suffix DNs” list.


6)     Below is a glimpse of the sample LDIF; you can download the attachment (http://www.megafileupload.com/en/file/521432/IBM-TDS62-ldif.html) and change it as per your requirements. I’ve created 11 users with user IDs admin and user1 – user10, all with the password “password”. Let’s click on “Import LDIF data”.


7)     Import sample LDIF file.



8)     On successful import, start the server instance from the “Manage Server State” task on the left side, shown in the snapshot below.
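The sample LDIF linked in step 6 stores “password” in clear text. The Python below, added here and not the post's attachment, generates the same layout (suffix dc=example,dc=com, admin plus user1 – user10) with salted SHA-1 ({SSHA}) userPassword values instead, a form TDS and most LDAP servers accept on import (an assumption to confirm against your server's password policy). The ou=people container and the per-user l (locality) values are constructed.

```python
import base64
import hashlib
import hmac
import os

# Layout from the post: suffix dc=example,dc=com, user "admin" plus
# user1..user10. The ou=people container and the per-user "l" (locality)
# values are constructed; "l" is the attribute later mapped to tenantID.
BASE_DN = "dc=example,dc=com"
PEOPLE_OU = "ou=people," + BASE_DN


def ssha_hash(password, salt=None):
    """Salted SHA-1 in the {SSHA} form most LDAP servers accept on import."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def user_entry(uid, password, locality):
    """One inetOrgPerson entry whose userPassword is stored hashed."""
    return "\n".join([
        "dn: uid=%s,%s" % (uid, PEOPLE_OU),
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        "uid: " + uid,
        "cn: " + uid,
        "sn: " + uid,
        "l: " + locality,
        "userPassword: " + ssha_hash(password),
    ])


def build_ldif(password="password"):
    """Suffix entry, ou=people, admin and user1..user10 as importable LDIF."""
    entries = [
        "dn: %s\nobjectClass: top\nobjectClass: domain\ndc: example" % BASE_DN,
        "dn: %s\nobjectClass: top\nobjectClass: organizationalUnit\nou: people" % PEOPLE_OU,
        user_entry("admin", password, "corp"),
    ]
    for i in range(1, 11):   # user1..user5 -> tenantA, user6..user10 -> tenantB
        entries.append(user_entry("user%d" % i, password, "tenantA" if i <= 5 else "tenantB"))
    return "\n\n".join(entries) + "\n"
```

Write the returned text to a file and import it with the “Import LDIF data” task; the l values are what the multitenancy section later reads as the tenant ID.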




Integrating IBM Cognos 10.2.1 BI Server with TDS 6.2

It is assumed that Cognos 10.2 BI server is already installed and is in working condition. Open ‘IBM Cognos Configuration’ from Start -> All Programs -> IBM Cognos 10 – 64.

1)      In the Explorer window, under Security, right-click Authentication, and then click New resource -> Namespace.

In the Name box, type a name for your authentication namespace (we used ‘IBM_TDS62’ here) and in the Type list, select ‘LDAP – Default values for IBM Tivoli’ and click OK.




2)      Select the newly created namespace. In the ‘Resource Properties’ window on the right, for the Namespace ID property, specify a unique identifier for the namespace, as TivoliLDAP is assigned in the screenshot below. All entries marked with red arrows are provided manually to integrate with the TDS environment we created in the section above.




3)     If you want the Cognos LDAP authentication provider to bind to the directory server (TDS) using a specific Bind user DN (Distinguished Name) and password when performing searches, specify these values.



If no values are specified, the LDAP authentication provider binds as anonymous.

If external identity mapping is enabled, Bind user DN and password are used for all LDAP access. If external identity mapping is not enabled, Bind user DN and password are used only when a search filter is specified for the User lookup property.

4)     You can use user attributes from TDS in the namespace configuration. To configure this, you must map these attributes to the appropriate property names, as shown in the snapshot below. ‘Custom properties’ are available as session parameters through Framework Manager.

 

5)     From the File menu, click Save. Test connectivity to the namespace by right-clicking on its name under Security, Authentication and selecting Test. If the test is successful, this message box will appear.



If you want to disable anonymous access, make sure you disable it by setting ‘Allow anonymous access?’ property for ‘Cognos’ namespace as shown below in snapshot. 



6)     Restart Cognos service from toolbar. 


7)     Now anyone who wants to access Cognos (http://localhost/ibmcognos) will be asked for authentication credentials. Let us log in with the LDAP administrator credentials.



Directory administrators would have Cognos admin privileges. Go to Cognos administration.


8)     In ‘IBM Cognos Administration’, explore ‘Users, Groups, and Roles’ under the ‘Security’ tab. You can see the new namespace (IBM_TDS62). Click on it to view all users that belong to the directory.


The administrator can now assign different privileges and roles to these directory users as per the application's security requirements by setting the relevant properties. Once security permissions are assigned, LDAP users are ready to use Cognos BI. For more information on security, please refer to the “IBM Cognos BI Administration and Security Guide”.

Enable Multitenancy for Cognos BI environment

1) We need to set the multitenant properties in the IBM Cognos Configuration tool to enable this feature. In IBM Cognos Configuration, select Security->Authentication->IBM_TDS62 in the Explorer (left pane) window. Now select ‘Advanced Properties’ in the right window (Resource properties) and add two new values before pressing the OK button -

a)     Name – ‘multitenancy.TenantPattern’ value – ‘~/parameters/tenantID’

b)     Name – ‘AdditionalUserPropertiesToQuery’ value – ‘parameters’



2) Now, select ‘Custom Properties’ from right window (Resource properties) and add a new value –

Name – ‘tenantID’ value – ‘l’ (that is, the LDAP attribute l, locality: each user's tenant ID is read from that attribute of the user's directory entry)




3) From the File menu, click Save. Test connectivity to the namespace by right clicking on the name under Security, Authentication and selecting test. If the test is successful, this message box will appear.


4) Save the configuration and restart Cognos service. Your Cognos multitenancy feature is enabled. 
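A simplified model, added here (not Cognos code), of what the two settings above do together: the custom property maps the LDAP attribute l into the user's session parameters, and multitenancy.TenantPattern selects that parameter as the tenant ID. The directory entries and the isolation rule are constructed assumptions, and Cognos's real rules (system administrators, public content) are richer; the audit function flags users whom the pattern would leave without a tenant, which is worth checking before the feature goes live.

```python
import re

# Simplified model (an assumption, not Cognos internals) of the two settings
# added above: custom property tenantID -> LDAP attribute "l", and
# multitenancy.TenantPattern = "~/parameters/tenantID".
CUSTOM_PROPERTIES = {"tenantID": "l"}      # session parameter -> LDAP attribute
TENANT_PATTERN = "~/parameters/tenantID"

# Constructed entries, as the namespace would read them from the directory.
DIRECTORY = {
    "uid=admin,ou=people,dc=example,dc=com": {"uid": "admin", "l": "corp"},
    "uid=user1,ou=people,dc=example,dc=com": {"uid": "user1", "l": "tenantA"},
    "uid=user6,ou=people,dc=example,dc=com": {"uid": "user6", "l": "tenantB"},
    "uid=user9,ou=people,dc=example,dc=com": {"uid": "user9"},  # "l" missing
}


def session_parameters(entry):
    """The ~/parameters map that the custom-property mapping exposes to a session."""
    return {name: entry[attr] for name, attr in CUSTOM_PROPERTIES.items() if attr in entry}


def resolve_tenant(entry, pattern=TENANT_PATTERN):
    """Evaluate a '~/parameters/<name>' tenant pattern for one user entry.
    Returns None when the parameter is absent, i.e. the user has no tenant."""
    match = re.fullmatch(r"~/parameters/(\w+)", pattern)
    if match is None:
        raise ValueError("unsupported tenant pattern: " + pattern)
    return session_parameters(entry).get(match.group(1))


def untenanted_users(directory):
    """Audit check before enabling: users whose tenant attribute is unset."""
    return sorted(dn for dn, entry in directory.items() if resolve_tenant(entry) is None)


def can_access(user_dn, object_tenant, directory=DIRECTORY):
    """Isolation rule in this model: tenant-tagged objects are visible only to
    users of that tenant; untagged (public) objects are visible to everyone."""
    user_tenant = resolve_tenant(directory[user_dn])
    return object_tenant is None or object_tenant == user_tenant
```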

Many tasks follow this step to realize the benefits of multitenancy in a BI project. Please refer to my previous blog article http://vmanoria.blogspot.in/2014/03/ibm-cognos-bi-setting-up-multi-tenancy.html to see how to manage and administer a multi-tenant environment.

Wednesday, 20 February 2013

Using Apache Directory Server (ApacheDS) based LDAP to secure IBM Cognos 10.2 BI environment



IBM Cognos 10.2 Business Intelligence (BI) is an enterprise-class, web-based, integrated business intelligence suite from IBM. Its toolset covers not only traditional BI capabilities such as reporting, analysis, scorecarding, and monitoring of events and metrics, but also extends them with planning, scenario modeling, real-time monitoring, and predictive analytics. These capabilities deliver an easy-to-use, unified experience with collaboration and social networking built in. IBM Cognos BI has a service-oriented architecture designed for scalability, availability, and openness.

The Apache Directory Project (http://directory.apache.org/) is an open source project of the Apache Software Foundation that provides directory solutions written entirely in Java. These include a directory server (ApacheDS), which has been certified LDAP v3 compliant by the Open Group, and Eclipse-based directory tools (Apache Directory Studio). In the sections below, we’ll use both in our integration steps.

ApacheDS is an extensible and embeddable directory server entirely written in Java, which has been certified LDAPv3 compatible by the Open Group. Besides LDAP (Lightweight Directory Access Protocol) it supports Kerberos 5 and the Change Password Protocol. It has been designed to introduce triggers, stored procedures, queues and views to the world of LDAP which has lacked these rich constructs.

Apache Directory Studio is an Eclipse RCP application and a complete directory tooling platform intended to be used with any LDAP server; however, it is particularly designed for use with ApacheDS.

This blog article describes the step by step procedure for –
1)     Setting up ApacheDS environment
2)     Integrating IBM Cognos 10.2  Business Intelligence Server with ApacheDS 2.0.0-M10.

Using ApacheDS (LDAP repository) with IBM Cognos 10.2 BI one can leverage existing security features for authentication and data transfer.  

Setting up ApacheDS & Apache Directory Studio Environment

1) ApacheDS is a multi-platform application and runs on Mac OS X, Linux and Windows. Open http://directory.apache.org/apacheds/downloads.html in browser and download installer (~10MB) for your platform. Also download users guide from ‘Documentation’ section shown below in screenshot.


2) Start the installation by double-clicking the downloaded .exe file (in the case of Windows). The installation steps are easy to follow. Pay attention to the screen shown below, which asks you to locate the Java runtime (JRE 1.6). Users who don’t have a JRE installed should abandon the install (click Cancel), install the JRE and re-run the ApacheDS install. If a JRE is already installed, supply its path and complete the installation.


3) On completion of the installation, you can see ‘ApacheDS – default’ as a new Windows service (Start->Programs->Administrative Tools->Services). The default port used by ApacheDS for the LDAP service is 10389.


4) Installer (~140 MB) for Apache Directory Studio can be downloaded from http://directory.apache.org/studio/downloads.html. Also download user guide from ‘Documentation’ section shown below in screenshot. Installation steps are similar to ApacheDS.


5) Once installed you can find folders & icons in ‘Start -> Program Files’ as shown below. Click on ‘Apache Directory Studio’ link in ‘Apache Directory Studio’ folder. First time it should show you Welcome screen. You may close it.

6) Create Connection with LDAP server –

The bottom left corner shows all of the LDAP connections. As can be seen, the view is empty, meaning a connection still needs to be specified. To create a new connection, click the New Connection button.


In the wizard's first page, enter a connection name as well as the hostname and the port of the LDAP server. To check the connection parameters you entered, you may click Check Network Parameter. Click Next when done.
Here is a list of common directory servers and the ports they use by default:

Directory Server                            Default Port
Apache Directory Server                     10389
OpenDS                                      1389
OpenLDAP, Fedora, Sun, Active Directory     389




In the wizard's second page, select the authentication method. If you choose the simple bind method, also enter your bind DN or user and bind password. To check the authentication parameters you entered, you may click Check Authentication. Click Finish when done.

Here is a list of common directory servers and the administrator's bind DN and password they use by default:

Directory Server           Default Bind DN                        Default Bind Password
Apache Directory Server    uid=admin,ou=system                    secret
OpenDS, Sun, Fedora        cn=Directory Manager                   specified at setup
OpenLDAP                   specified at setup, see slapd.conf     specified at setup, see slapd.conf


Observe that the Connections view now shows the created connection. You can view and change its configuration by right clicking and selecting ‘Open Configuration’.

7) Browse the directory –

The LDAP Browser view is on the top left. The category DIT shows the hierarchical content of the directory. You may expand and collapse the tree. When selecting an entry its attributes and values will be displayed in an Entry editor.

In the DIT category the directory information tree of the LDAP directory is displayed in its natural hierarchical structure. The first hierarchy level contains the base entries, the Root DSE and the schema entry. When expanding an entry, its direct children are fetched from the directory. To expand and collapse an entry you can also double-click it.
The following icons are used to distinguish entry types (the icons themselves are not reproduced here):

  • Entry with object class person, inetOrgPerson, posixAccount, user
  • Entry with object class groupOfNames, groupOfUniqueNames, posixGroup, group
  • Entry with object class organization, organizationalUnit, container
  • Entry with object class domain, domainComponent, country, locality
  • Entry with object class alias
  • Entry with object class referral
  • The schema entry
  • The root DSE entry
  • All other entries

Below screenshot showing the attributes for User admin (uid=admin). To add more attributes as per your needs, click on ‘New Attribute…’ icon (pointed with arrow below).


8)     Create a sample hierarchy structure in the “dc=example,dc=com” domain –
By default, there is no entry under dc=example,dc=com.
Right-click on dc=example,dc=com and select New > New Entry..., which opens the ‘New Entry wizard’. This wizard helps you to create a new entry. The creation of a new LDAP entry is a four-step process:

  1. Select entry creation method.
  2. Specify object classes of the new entry.
  3. Specify the distinguished name of the new entry.
  4. Enter attributes and values of the new entry.

The final structure should look as shown in the screenshot below. Also note that many attributes are added for every user. Please refer to the user guide in case more information is required.




Integrating IBM Cognos 10.2 BI Server with ApacheDS

1. It is assumed that Cognos 10.2 BI server is already installed and is in working condition. Open ‘IBM Cognos Configuration’ from Start -> All Programs -> IBM Cognos 10 – 64.

In the Explorer window, under Security, right-click Authentication, and then click New resource -> Namespace.





In the Name box, type a name for your authentication namespace (we used ‘ADS’ here) and in the Type list, select ‘LDAP – General default values’ and click OK.

Select the newly created namespace. In the ‘Resource Properties’ window on the right, for the Namespace ID property, specify a unique identifier for the namespace, as LDAP_ADS is assigned in the screenshot below. All entries marked with red arrows are provided manually to integrate with the ApacheDS environment we created in the section above.


If you want the Cognos LDAP authentication provider to bind to the directory server (ApacheDS) using a specific Bind user DN (Distinguished Name) and password when performing searches, specify these values.
If no values are specified, the LDAP authentication provider binds as anonymous.
If external identity mapping is enabled, Bind user DN and password are used for all LDAP access. If external identity mapping is not enabled, Bind user DN and password are used only when a search filter is specified for the User lookup property.
You can use user attributes from ApacheDS in the namespace configuration. To configure this, you must map these attributes to the appropriate property names, as shown in the snapshot below.
‘Custom properties’ would be available as session parameters through Framework Manager.



From the File menu, click Save. Test connectivity to the namespace by right clicking on the name under Security, Authentication and selecting test. If the test is successful, this message box will appear.


If you want to disable anonymous access, make sure you disable it by setting ‘Allow anonymous access?’ property for ‘Cognos’ namespace as shown below in snapshot.



Restart the Cognos service from the toolbar.
Now anyone who wants to access Cognos (http://localhost/ibmcognos) will be asked for authentication credentials. Let us log in with the LDAP administrator credentials.

Directory administrator would have Cognos admin privileges. Go to Cognos administration.



In ‘IBM Cognos Administration’, explore ‘Users, Groups, and Roles’ under the ‘Security’ tab. You can see the new namespace (ADS). Click on it to view all users that belong to the directory.


The administrator can now assign different privileges and roles to these directory users as per the application's security requirements by setting the relevant properties. Once security permissions are assigned, LDAP users are ready to use Cognos BI. For more information on security, please refer to the “IBM Cognos BI Administration and Security Guide”.