
Monday, 21 April 2014

Integrating Tivoli Directory Server (TDS) with IBM Cognos BI to provide secure & multitenant environment


IBM Cognos Business Intelligence (BI) is an enterprise-class, web-based, integrated business intelligence suite from IBM. Its toolset covers not only traditional BI capabilities such as reporting, analysis, scorecarding, and monitoring of events and metrics, but also extends them with planning, scenario modeling, real-time monitoring, and predictive analytics. These capabilities deliver an easy-to-use, unified experience that is collaboration and social networking enabled. IBM Cognos BI has a service-oriented architecture designed for scalability, availability, and openness.

IBM Tivoli Directory Server (TDS) is a powerful and authoritative enterprise directory infrastructure that is a critical enabler for enterprise security. It is an important part of the IBM Security Integrated Identity Management portfolio. It plays a key role in building the enterprise identity data infrastructure for applications such as identity management, portals, and web services. It provides a server that stores directory information using a DB2 database. It also provides a proxy server for routing LDAP operations to directory servers with database. IBM Security Directory Server provides client utilities and graphical user interfaces (GUI), such as Instance Administration Tool (idsxinst) and Configuration Tool (idsxcfg), to manage servers.

IBM Tivoli Directory Server provides:

  • Industry-standard architecture and broad platform support for a range of operating systems and applications and a variety of heterogeneous environments.
  • Strong scalability and flexibility to support hundreds of millions of entries using IBM DB2 technology and a built-in proxy-server.
  • Availability to support an identity data infrastructure for global online applications such as consumer-driven web services.
  • The ability to help you manage identities in the cloud.
  • Robust auditing and reporting that provides insight with connectivity to IBM QRadar SIEM and greater visibility into repository with sample reports.

You can use IBM TDS to provide a trusted identity data infrastructure for authentication. Cognos BI does not provide its own authentication mechanism; instead it leverages the mechanism you already use across enterprise applications. The objective of this article is to use the existing security features of a TDS-based LDAP directory for authentication and data transfer with IBM Cognos BI, in order to secure BI assets and set up a multi-tenancy environment.

This blog article describes the step-by-step procedure for:

1)     Setting up a TDS 6.2 environment on Windows 7 OS

2)     Integrating IBM Cognos BI 10.2.1 Server with TDS 6.2

3)     Enabling multitenancy for the Cognos BI environment






Setting up TDS 6.2 Environment on Windows 7 OS

1)     Installing TDS 6.2 is easy and intuitive: just double-click the install_tds.exe file. If you are using a later edition, you need to install it through IBM Installation Manager. Steps can be found here - http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDS.doc_6.3.1/concept/c_ig_InstallationWithIBMInstallationManager.html

2)     On completion of the installation, you can see the ‘IBM Tivoli Directory …’ Windows services (Start->Programs->Administrative Tools->Services). The default port used by TDS for the LDAP service is 389.




3)     To create and manage directory instances, click “Instance Administration Tool” in the “IBM Tivoli Directory Server 6.2” folder under Start Menu -> All Programs, as shown in the snapshot.




4)     Click the “Manage…” button. It opens the TDS Configuration Tool. Besides getting information about your setup, you can perform the many tasks listed in the left-side panel, as shown in the snapshot below. Click the “Manage suffixes” task.




5)     We need to add “dc=example,dc=com” as a new suffix before importing our example LDIF. After successful addition you will see it in the “Current suffix DNs” list.


6)     Below is a glimpse of the sample LDIF. You can download the attachment (http://www.megafileupload.com/en/file/521432/IBM-TDS62-ldif.html) and change it as per your requirements. I’ve created 11 users with the user IDs admin and user1 – user10, all with the password “password”. Let’s click on “Import LDIF data”.


7)     Import the sample LDIF file.



8)     On successful restoration, start the server instance from the “Manage Server State” task on the left side, as shown in the snapshot below.




Integrating IBM Cognos 10.2.1  BI Server with TDS 6.2

It is assumed that the Cognos 10.2 BI server is already installed and in working condition. Open ‘IBM Cognos Configuration’ from Start -> All Programs -> IBM Cognos 10 – 64.

1)      In the Explorer window, under Security, right-click Authentication, and then click New resource -> Namespace.

In the Name box, type a name for your authentication namespace (we used ‘IBM_TDS62’ here) and in the Type list, select ‘LDAP – Default values for IBM Tivoli’ and click OK.




2)      Select the newly created namespace. In the ‘Resource Properties’ window on the right, specify a unique identifier for the Namespace ID property; TivoliLDAP is assigned in the screenshot below. All entries marked with red arrows were provided manually to integrate with the TDS environment created in the section above.




 3)     If you want the LDAP authentication provider to bind to the directory server using a specific Bind user DN (Distinguished Name) and password when performing searches, specify these values.



If no values are specified, the LDAP authentication provider binds as anonymous.

If external identity mapping is enabled, Bind user DN and password are used for all LDAP access. If external identity mapping is not enabled, Bind user DN and password are used only when a search filter is specified for the User lookup property.

4)     You can use user attributes from TDS in the namespace configuration. To do this, map these attributes to the appropriate property names, as shown in the snapshot below. ‘Custom properties’ are available as session parameters through Framework Manager.

 

 5)     From the File menu, click Save. Test connectivity to the namespace by right-clicking its name under Security, Authentication and selecting Test. If the test is successful, this message box will appear.



If you want to disable anonymous access, disable it through the ‘Allow anonymous access?’ property of the ‘Cognos’ namespace, as shown in the snapshot below.



6)     Restart the Cognos service from the toolbar.


7)     Now anyone who wants to access Cognos (http://localhost/ibmcognos) is asked for authentication credentials. Let us log in with the LDAP administrator credentials.



Directory administrators would have Cognos admin privileges. Go to Cognos administration.


8)     In ‘IBM Cognos Administration’, explore ‘Users, Groups, and Roles’ under the ‘Security’ tab. You can see the new namespace (IBM_TDS62). Click on it to view all users that belong to the directory.


The administrator can now assign different privileges and roles to these directory users, as per application security requirements, by setting the relevant properties. Once security permissions are assigned, LDAP users are ready to use Cognos BI. For more information on security, please refer to the “IBM Cognos BI Administration and Security Guide”.

Enable Multitenancy for Cognos BI environment

1) We need to set multitenant properties in the IBM Cognos Configuration tool to enable this feature. In the tool, select Security->Authentication->IBM_TDS62 in the Explorer (left pane) window. Now select ‘Advanced Properties’ in the right window (Resource properties) and add two new values before pressing the OK button:

a)     Name – ‘multitenancy.TenantPattern’ value – ‘~/parameters/tenantID’

b)     Name – ‘AdditionalUserPropertiesToQuery’ value – ‘parameters’



2) Now select ‘Custom Properties’ in the right window (Resource properties) and add a new value:

Name – ‘tenantID’ value – ‘l’




3) From the File menu, click Save. Test connectivity to the namespace by right-clicking its name under Security, Authentication and selecting Test. If the test is successful, this message box will appear.


4) Save the configuration and restart the Cognos service. The Cognos multitenancy feature is now enabled.

Many tasks follow this step to realize the benefits of multitenancy in a BI project. Please refer to my previous blog article http://vmanoria.blogspot.in/2014/03/ibm-cognos-bi-setting-up-multi-tenancy.html to see how to manage and administer a multi-tenant environment.
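Because the configuration above takes tenantID from the directory attribute ‘l’, it is worth auditing the LDIF before import. The following is an added example, not part of the original post: it parses LDIF (including folded and base64 values) and flags users with no ‘l’ value, users with more than one, and entries still carrying the shared cleartext password. The sample data is constructed, the function names are hypothetical, and the {SSHA} value is a placeholder.

```python
import base64

# Constructed sample (not the article's LDIF); "l" is the attribute mapped to tenantID.
SAMPLE_LDIF = """\
dn: uid=admin,dc=example,dc=com
uid: admin
userPassword: password

dn: uid=user1,dc=example,dc=com
uid: user1
l: CustomerA
userPassword: password

dn: uid=user2,dc=example,dc=com
uid: user2
l:: Q3VzdG9tZXJC
userPassword: {SSHA}constructed-placeholder

dn: uid=user3,dc=example,dc=com
uid: user3
l: CustomerA
l: Customer
 B
userPassword: password
"""

def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries

def audit_tenant_mapping(entries, tenant_attr="l", weak=("password",)):
    """Return (uid, finding) pairs for user entries that need review."""
    findings = []
    for entry in entries:
        if "uid" not in entry:
            continue                      # not a user entry
        uid = entry["uid"][0]
        tenants = set(entry.get(tenant_attr, []))
        if not tenants:
            findings.append((uid, "no-tenant"))
        elif len(tenants) > 1:
            findings.append((uid, "multiple-tenants"))
        if any(pw in weak for pw in entry.get("userpassword", [])):
            findings.append((uid, "weak-cleartext-password"))
    return findings
```

A ‘no-tenant’ finding on an administrative account may be intentional; the point is to make that a reviewed decision rather than an accident of the import file.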

Friday, 7 March 2014

IBM Cognos: Understanding tenant wise utilization of your BI Assets for Billing and Provisioning



In one of my previous blogs, we saw how to set up IBM Cognos BI security using a Java-based Custom Authentication Provider and how to set up a multi-tenancy environment in IBM Cognos BI using the Custom Java Provider. We’ll use that work as the base for the steps in this blog, so it is highly recommended to go through the previous blog before proceeding further.

Now let’s take it one step further. Suppose you have deployed Cognos BI in a cloud environment for multiple customers by enabling multitenancy. The question now is how to understand BI asset/infrastructure utilization (A) for billing purposes and (B) for provisioning purposes. This blog tries to answer it. One way of answering it is to enable auditing. For detailed steps on how to set up auditing in a multitenant IBM Cognos BI environment, please refer to my previous blog. As you can see there, its purpose is to provide access to the following information in the form of ready-made Cognos reports, which can be customized and shared with customers.

  • Capacity planning
  • Planning down time by identifying quiet periods.
  • Justifying additional infrastructure requirements.
  • Tenant specific usage and activity tracking
  • Support for Pay-as-use model
  • Licensing conformance reporting
  • Performance monitoring
  • Identifying unused content

So the feature we are going to talk about today (introduced in Cognos BI 10.2.1) does not replace the Audit feature but complements it by providing object-level details.

Creating and running content store utilization tasks

You can determine how many instances of each object type users from your tenants have in the content store and the amount of space that those instances are taking. You can also determine more detailed information, such as the size of every object.
This information can be used for billing and provisioning purposes. For example, billing decisions can be based on the instance count of particular object types, such as reports. Provisioning decisions can be made by determining which tenants should be moved to a different IBM Cognos instance because of the amount of space that they are using.
You get this information with the help of content store utilization tasks set for tenants. Once these tasks are created, you can run them on demand, at a scheduled time, or based on a trigger. The resulting .csv files can be used as data sources to create reports in IBM Cognos BI. Let’s create a utilization task for one of our two tenants – Customer – A.
1)     Go to the Multitenancy tab in IBM Cognos Administration and click the “create content utilization” icon in the tenant Actions drop-down menu.


2)     Specify the task name, and optionally a description and screen tip. For the Tenant property, click Set to select the tenant ID that you want to be associated with this task. If you do not select the tenant at this point, the task will be created with the current session tenant ID.


3)     Select the tenant or tenants that you want to include in this content utilization task by using the arrow icons to move the tenants from the Available box to the Selected box.
4)     In the Options section, specify how to save the information to the log files after this task is run.
a.      Under File, if you select ‘One for all tenants’, the information for all tenants is saved in a single file. If you select ‘One per tenant’, the information for each tenant is saved in a separate file.
b.      Under Granularity, if you select ‘By object type and tenant’, a high-level summary of information about each tenant is saved. The summary includes an instance count and the total size of each object type in the content store grouped by tenant. If you select ‘All objects’, a detailed summary of information about each object in the content store is saved. The summary includes the object tenantID, name, storeID, parentStoreID, and size.


5)     To run the task now or later, click ‘Save and run once’ or ‘Save and schedule’ respectively. The task is now created.
6)     The new task ‘UtilA’ appears on the Configuration tab, in Content Administration. You can modify or run the task from here.


The log files that result from running the content store utilization tasks are saved in the logs directory that is specified in IBM Cognos Configuration with the following names:
  • cmUtilization_date_stamp.csv when the One for all tenants option was used.
  • cmUtilization_date_stamp_tenant_ID.csv when the One per tenant option was used.
  
 

Based on the resource consumption and asset utilization data, a formula for billing and provisioning can be planned and shared with customers.
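As an added example (not part of the original post), this is one way to turn an ‘All objects’ utilization file into per-tenant billing figures, a provisioning shortlist, and a tenant-isolation check. The column names follow the fields listed above; the header row, sizes in bytes, an empty tenantID meaning a public object, the quota value, and the rule that a child should carry its parent's tenant ID unless the parent is public are all assumptions of this example, as are the function names and the constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an "All objects" utilization file. The header row,
# byte sizes and empty-tenantID-means-public convention are assumptions.
SAMPLE_CSV = """\
tenantID,name,storeID,parentStoreID,size
,Public Folders,i01,,512
CustomerA,Sales,i02,i01,1024
CustomerA,Q1 Report,i03,i02,40960
CustomerB,Finance,i04,i01,1024
CustomerB,Ledger Report,i05,i04,81920
CustomerB,Stray Report,i06,i02,2048
"""

def load_objects(text):
    """Read the CSV into a list of dicts with size converted to int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["size"] = int(row["size"])
    return rows

def usage_by_tenant(rows):
    """Return {tenantID: {"objects": n, "bytes": total}} for billing."""
    usage = defaultdict(lambda: {"objects": 0, "bytes": 0})
    for row in rows:
        usage[row["tenantID"]]["objects"] += 1
        usage[row["tenantID"]]["bytes"] += row["size"]
    return dict(usage)

def over_quota(usage, quota_bytes):
    """Tenants whose stored bytes exceed a (hypothetical) provisioning quota."""
    return sorted(t for t, u in usage.items() if t and u["bytes"] > quota_bytes)

def cross_tenant_children(rows):
    """storeIDs of objects whose parent belongs to a different, non-public tenant."""
    tenant_of = {row["storeID"]: row["tenantID"] for row in rows}
    return [row["storeID"] for row in rows
            if tenant_of.get(row["parentStoreID"]) not in (None, "", row["tenantID"])]
```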

References - 
IBM Cognos Business Intelligence 10.2.1 Administration and Security Guide 
Hint: On Windows Cognos server you'll find it here - C:/Program Files/IBM/cognos/c10_64/webcontent/documentation/en/ug_cra.pdf


Friday, 20 April 2012

Cognos 10.1 installation and configuration steps on Windows XP 32-bit

Here, IBM Cognos 10.1 BI Server installation and configuration steps are shown through snapshots for a Windows XP SP3 32-bit environment. However, the steps should not be very different for Windows 2000/2K3/2K8 in a 32-bit or 64-bit environment.

Step-1) Please unzip the package and run 'issetup.exe' from 'win32' folder.


Step-2) From the screen shown below you can download the Installation guide, which is very helpful if you are doing this for the first time.


Step-3) Read the license agreement carefully and accept the terms.


Step-4) Select the location where you want to install it.


Step-5) Select the components to be installed. If you want to create the content store in DB2/Oracle/MSSQL Server, you need to select the last option as shown below. Otherwise select all options (Recommended). I am going to create the content store in IBM DB2 9.7 here.




Step-6) With the last screen, installation is completed successfully. Select the check box to open IBM Cognos Configuration. You can also open it from Start -> All Programs -> IBM Cognos 10 -> IBM Cognos Configuration.

Step-7) This is the place where you can see and change the configuration for the C10 BI server. I am going to set the content store in DB2 9.7. If you selected all 4 components during installation, you need not follow the steps below; go directly to Step-10. If you don't have IBM DB2 installed on the machine, you can download the express edition of DB2 from http://www.ibm.com/developerworks/downloads/im/udbexp/ and install it. It's free and easy to install.

Set the environment variables (first 4) as shown below.

Step-8) Create the DB as instructed below and set the DB name, user ID and password in Cognos Configuration as shown in the snapshot.

Start-> Run Program-> type 'db2cmd' and press enter.

C:\Program Files\IBM\SQLLIB\BIN>db2 create db cm pagesize 32 k
DB20000I  The CREATE DATABASE command completed successfully.

C:\Program Files\IBM\SQLLIB\BIN>db2 connect to cm

   Database Connection Information

 Database server        = DB2/NT 9.7.2
 SQL authorization ID   = VMANORIA
 Local database alias   = CM


C:\Program Files\IBM\SQLLIB\BIN>db2 update db configuration using applheapsz 1024
DB20000I  The UPDATE DATABASE CONFIGURATION command completed successfully.

C:\Program Files\IBM\SQLLIB\BIN>db2 update db configuration using locktimeout 240
DB20000I  The UPDATE DATABASE CONFIGURATION command completed successfully.
SQL1363W  One or more of the parameters submitted for immediate modification
were not changed dynamically. For these configuration parameters, all
applications must disconnect from this database before the changes become
effective.

C:\Program Files\IBM\SQLLIB\BIN>db2stop force
11/15/2010 20:22:30     0   0   SQL1064N  DB2STOP processing was successful.
SQL1064N  DB2STOP processing was successful.

C:\Program Files\IBM\SQLLIB\BIN>db2start
11/15/2010 20:22:37     0   0   SQL1063N  DB2START processing was successful.
SQL1063N  DB2START processing was successful.

CREATE BUFFERPOOL BP32K IMMEDIATE  SIZE 250 PAGESIZE 32 K ;
CREATE BUFFERPOOL BP4K IMMEDIATE  SIZE 250 PAGESIZE 4 K ;

CREATE  SYSTEM TEMPORARY  TABLESPACE TBS32K PAGESIZE 32 K  MANAGED BY AUTOMATIC STORAGE EXTENTSIZE 16 OVERHEAD 10.5 PREFETCHSIZE 16 TRANSFERRATE 0.14 BUFFERPOOL  BP32K ;

CREATE  USER TEMPORARY  TABLESPACE TBS4K1 PAGESIZE 4 K  MANAGED BY AUTOMATIC STORAGE EXTENTSIZE 16 OVERHEAD 10.5 PREFETCHSIZE 16 TRANSFERRATE 0.14 BUFFERPOOL  BP4K ;

CREATE  USER TEMPORARY  TABLESPACE TBS4K2 PAGESIZE 4 K  MANAGED BY AUTOMATIC STORAGE EXTENTSIZE 16 OVERHEAD 10.5 PREFETCHSIZE 16 TRANSFERRATE 0.14 BUFFERPOOL  BP4K ;

CREATE SCHEMA VMANORIA AUTHORIZATION VMANORIA;
CREATE SCHEMA ADMINISTRATOR AUTHORIZATION ADMINISTRATOR;

GRANT  DBADM,CREATETAB,CONNECT,IMPLICIT_SCHEMA,SECADM ON DATABASE  TO USER ADMINISTRATOR;
GRANT  CREATEIN,DROPIN,ALTERIN ON SCHEMA VMANORIA TO USER ADMINISTRATOR WITH GRANT OPTION;
GRANT USE OF TABLESPACE TBS32K TO USER ADMINISTRATOR WITH GRANT OPTION;
GRANT USE OF TABLESPACE TBS4K1 TO USER ADMINISTRATOR WITH GRANT OPTION;
GRANT USE OF TABLESPACE TBS4K2 TO USER ADMINISTRATOR WITH GRANT OPTION;
GRANT USE OF TABLESPACE TEMPSPACE1 TO USER ADMINISTRATOR WITH GRANT OPTION;
GRANT USE OF TABLESPACE USERSPACE1 TO USER ADMINISTRATOR WITH GRANT OPTION;
GRANT USE OF TABLESPACE SYSCATSPACE TO USER ADMINISTRATOR WITH GRANT OPTION;

Step-9) Copy the DB2 drivers from the 'C:\Program Files\IBM\SQLLIB\java' folder to 'C:\Program Files\IBM\Cognos\c10\webapps\p2pd\WEB-INF\lib' as shown below.



Step-10) Test the connection in IBM Cognos Configuration before starting the service. Once it's OK, we can start the service.

Start the Cognos service by clicking on the Play button.



 You will get a “test phase warning” that the testing of the mail server failed. No mail server has been configured; click OK and then Continue.


When the Cognos service has started, click Close.


 Step-11) Now we are ready to configure the IIS server to run the Cognos application. If IIS is not installed on your machine, please follow these steps:
1. Open Control Panel. Double-click Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. Ensure the Internet Information Services (IIS) check box is selected.
4. Highlight Internet Information Services (IIS), and then click Details.
5. Ensure all of the check boxes for the subcomponents are selected.
6. If any of the check boxes are grayed out, highlight the subcomponent, click Details, and then select all of the check boxes.
7. When you are finished, click Next>, then wait for the configuration. Click Finish, then close the Add or Remove Programs dialog box, and then close Control Panel.

Once it's up and running, open Control Panel. Double-click Administrative Tools. When the Administrative Tools window comes up, double-click Internet Information Services:


 In Internet Information Services, in the left pane, expand Default Web Site, right-click Default Web Site, point to New, and then click Virtual Directory.

Click Next. Under Alias, type ibmcognos, and then click Next.
Browse to C:\Program Files\IBM\cognos\c10\webcontent, click OK, and then click Next.
Deselect the Run scripts check box, so only Read is selected; click Next.
 Click Finish. 

Right-click the ibmcognos virtual directory folder, point to New, and then click Virtual Directory. Click Next.
 
Under Alias, type cgi-bin, and then click Next. 
Browse to C:\Program Files\IBM\cognos\c10\cgi-bin, click OK, and then click Next.


Step-12) Once done with the above steps, open IE (I am using IE8) and open the link http://localhost/ibmcognos
It shows the screen below. With this, IBM Cognos 10.1 is installed and configured successfully and it's ready for use.