Friday, September 18, 2009

Enabling Cognos security


Cognos 8 components run with two levels of logon: anonymous and authenticated. By default, anonymous access is enabled. You can use both types of logon with your installation, or, if you want authenticated logon only, you can disable anonymous access. For authenticated logon, you must configure Cognos 8 components with a namespace that matches the type of authentication provider in your environment. You can configure multiple namespaces for authentication and then choose at run time which namespace to use. Cognos 8 components support the following types of servers as authentication sources:
Active Directory Server
Cognos Series 7
Custom Authentication Provider
LDAP
eTrust SiteMinder
NTLM
SAP


After you configure an authentication provider for Cognos 8 components, you can enable single signon between your authentication provider environment and Cognos 8 components: a user logs on once and can then switch to another application without being asked to log on again.
To use an authentication provider

Disable Anonymous Access

By default, Cognos 8 components do not require user authentication; users can log on anonymously. If you want to use authenticated logon only, use Cognos Configuration to disable anonymous access.
Steps
1. On each Content Manager computer, start Cognos Configuration.
2. In the Explorer window, under Security, Authentication, click Cognos. The Cognos resource represents the Cognos namespace, which stores information about Cognos groups, such as the Anonymous User, contacts, and distribution
3. In the Properties window, click the box next to the Allow anonymous access property and then click False.
4. From the File menu, click Save. Now, users are required to provide logon credentials when they access Cognos resources.

Restrict User Access to the Cognos Namespace

Access can be restricted to users belonging to any group or role defined in the Cognos built-in
namespace. By default, all users belong to several built-in groups or roles. To restrict access, you
must:
enable the property to restrict access
remove the Everyone group from the Cognos built-in roles and groups
ensure that authorized users belong to at least one Cognos role or group
Steps
1. On each Content Manager computer, start Cognos Configuration.
2. In the Explorer window, under Security, click Authentication.
3. In the Properties window, change the value of Restrict access to members of the built-in
namespace to True.
4. From the File menu, click Save.
You must now use the portal to remove the Everyone group from the Cognos built-in roles and
groups and then ensure that authorized users belong to at least one Cognos built-in role or group.
For information about adding or removing members of a Cognos group or role.

Configuring Cognos 8 Components to Use Active Directory Server

If you install Content Manager on a Windows computer, you can configure Active Directory as your authentication source using an Active Directory namespace. If you install Content Manager on a UNIX computer, you must instead use an LDAP namespace to configure Active Directory as your authentication source. If you install Content Manager on both Windows and UNIX computers, you must use an LDAP namespace to configure Active Directory on all Content Manager computers. When you use an LDAP namespace to authenticate against Active Directory Server, you are limited to LDAP features only. By default, Active Directory Server listens on port 389, which carries LDAP in the clear; the section on enabling secure communication below covers connecting over SSL (LDAPS, typically port 636).
To use an Active Directory Server namespace and to set up single signon, do the following:
Configure Cognos 8 components to use an Active Directory Server namespace
Enable secure communication to the Active Directory Server, if required
Enable single signon between Active Directory Server and Cognos 8 components

Configure an Active Directory Namespace

You can use Active Directory Server as your authentication provider. You also have the option of making custom user properties from the Active Directory Server available to Cognos 8 components. For Cognos 8 to work properly with Active Directory Server, you must ensure that the Authenticated Users group has Read privileges for the Active Directory container where users are stored.

Steps
1. On every computer where you installed Content Manager, open Cognos Configuration.
2. In the Explorer window, under Security, right-click Authentication, and then click New resource,Namespace.
3. In the Name box, type a name for your authentication namespace.
4. In the Type list, click the appropriate namespace and then click OK. The new authentication provider resource appears in the Explorer window, under the Authentication component.
5. In the Properties window, for the Namespace ID property, specify a unique identifier for the
namespace.
6. Specify the values for all other required properties to ensure that Cognos 8 components can
locate and use your existing authentication provider.
7. Specify the values for the Host and port property. To support Active Directory Server failover, you can specify the domain name instead of a specific domain controller. For example, use mydomain.com:389 instead of dc1.mydomain.com:389.
8. If you want to be able to search for details when authentication fails, specify the user ID and password for the Binding credentials property. Use the credentials of an Active Directory Server user who has search and read privileges for that server; a dedicated account with only those privileges is sufficient, so do not use a domain administrator account here.
9. From the File menu, click Save.
10. Test the connection to the new namespace. In the Explorer window, under Authentication, right-click the new authentication resource and click Test. Cognos 8 loads, initializes, and configures the provider libraries for the namespace.

Make Custom User Properties for Active Directory Available to Cognos 8 Components

You can use arbitrary user attributes from your Active Directory Server in Cognos 8 components. To configure this, you must add these attributes as custom properties for the Active Directory namespace. The custom properties are available as session parameters through Framework Manager. For more information about session parameters, see the Framework Manager User Guide. The custom properties can also be used inside command blocks that are used to configure Oracle sessions and connections. The command blocks can be used with Oracle light-weight connections and virtual private databases.
Steps
1. On every computer where you installed Content Manager, open Cognos Configuration.
2. In the Explorer window, under Security, Authentication, click the Active Directory namespace.
3. In the Properties window, click in the Value column for Custom properties and click the edit
button.
4. In the Value - Custom properties window, click Add.
5. Click the Name column and enter the name you want Cognos 8 components to use for the session parameter.
6. Click the Value column and enter the name of the corresponding user attribute (account parameter) in your Active Directory Server.
7. Repeat steps 4 to 6 for each custom parameter.
8. Click OK.
9. From the File menu, click Save.

Enabling Secure Communication to the Active Directory Server

If you are using an SSL connection to the Active Directory Server, you must copy the CA root certificate that issued the domain controller's certificate from the Active Directory Server to the Content Manager computer.
Steps
1. On every Content Manager computer, use your Web browser to connect to the Active Directory
Server and copy the CA root certificate to a location on the Content Manager computer.
2. Add the CA root certificate to the certificate store of the account that you are using for the current Cognos session:
If you are running the Cognos session under a user account, use the same Web browser as
in step 1 to import the CA root certificate to the certificate store for your user account.
For information, see the documentation for your Web browser.
If you are running the Cognos session under the local computer account, use Microsoft Management Console (MMC) to import the CA root certificate to the certificate store for the local computer.
3. In Cognos Configuration, restart the service:
In the Explorer window, click Cognos 8 service, Cognos 8.
From the Actions menu, click Restart.
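Before importing anything into a certificate store, it is worth confirming that the file you copied in step 1 really is the CA root that issued the domain controller's LDAPS certificate, and that the name you put in the Host and port property matches that certificate. The following is an added example, not code from the original post or from Cognos: it builds a throwaway PKI locally (a constructed "Example Root CA", an unrelated CA, and a server certificate for the assumed hostname dc1.mydomain.com) so that it runs offline, and then runs the same openssl checks you would run against the chain captured from a real domain controller.

```shell
#!/bin/sh
# Added example, not from the original post. All certificates below are
# constructed locally so the script runs offline. Against a real domain
# controller you would capture the presented chain instead, for example:
#   openssl s_client -connect dc1.mydomain.com:636 -showcerts </dev/null
set -e
WORK=$(mktemp -d)
DC_HOST=dc1.mydomain.com   # assumed hostname for this example

# Self-signed CA root: $1 = file prefix, $2 = subject CN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Server certificate issued by a CA: $1 = prefix, $2 = CA prefix, $3 = hostname.
# The hostname goes into subjectAltName, which is what hostname checks look at.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -days 2 -sha256 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Succeeds only if certificate $2 chains to the CA root in $1.
# (Checks for ": OK" in the output, since very old openssl versions
# exit 0 even when verification fails.)
verify_chain() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" 2>/dev/null \
    | grep -q ': OK$'
}

# Succeeds only if certificate $2 chains to root $1 AND is valid for hostname $3.
verify_host() {
  openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$3" \
    "$WORK/$2.crt" 2>/dev/null | grep -q ': OK$'
}

# Build the constructed PKI.
make_ca root "Example Root CA"
make_ca other "Unrelated CA"
make_server_cert dc1 root "$DC_HOST"

# Report. The right root validates the DC; the wrong root does not; and the
# DC's own leaf certificate does not either (a common mistake is to import
# the server certificate instead of the CA root).
for root in root other dc1; do
  if verify_chain "$root" dc1; then echo "$root.crt validates $DC_HOST: yes"
  else echo "$root.crt validates $DC_HOST: no"; fi
done

# A bare domain name (as suggested for failover) only passes a hostname
# check if the DC certificate actually carries that name.
for name in "$DC_HOST" mydomain.com; do
  if verify_host root dc1 "$name"; then echo "valid for $name: yes"
  else echo "valid for $name: no"; fi
done
```

The last check is the caveat to keep in mind when you follow the failover advice above and point the namespace at mydomain.com:636 rather than at a specific controller: every controller's certificate must then be valid for that name as well, or the SSL connection will fail hostname verification on any client that performs it. Also note that when Cognos 8 runs as a Windows service under the local computer account, the root has to go into the local computer's store (via MMC), as the steps above say; a root imported into a user's store through the browser is invisible to the service.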


Include or Exclude Domains Using Advanced Properties

When you configure an authentication namespace for Cognos 8, by default only users from one domain can log in. By using the Advanced properties for Active Directory Server, users from related (parent-child) domains and from unrelated domain trees within the same forest can also log in.
Authentication in One Domain Tree
If you set a parameter named chaseReferrals to true, users in the original authenticated domain and all child domains of the domain tree can log in to Cognos 8. Users above the original authenticated domain or in a different domain tree cannot log in.
Authentication in All Domain Trees in the Forest
If you set a parameter named MultiDomainTrees to true, users in all domain trees in the forest can
log in to Cognos 8.
Steps
1. On every computer where you installed Content Manager, open Cognos Configuration.
2. In the Explorer window, under Security, Authentication, click the Active Directory namespace.
3. In the Properties window, specify the Host and port property:
For users in one domain, specify the host and port of a domain controller for the single
domain.
For users in one domain tree, specify the host and port of the top-level controller for the
domain tree.
For users in all domain trees in the forest, specify the host and port of any domain controller
in the forest.
4. Click in the Value column for Advanced properties and click the edit button.
5. In the Value - Advanced properties window, click Add.
6. Specify two new properties, chaseReferrals and MultiDomainTrees, with the following values:
Authentication for                 chaseReferrals   MultiDomainTrees
One domain                         False            False
One domain tree                    True             False
All domain trees in the forest     True             True
7. Click OK.
8. From the File menu, click Save.




4 comments:

  1. Hi,

    can you please provide me any documentation for Configuring Active Directory before configuring in Cognos configuration

  2. Where can I download AD software for Windows XP...?

  3. Hi Archana/Sandeep,

    Can you please share your email ID with me.
    Mine is jamsheer.k@gmail.com

  4. Hi Jamsheer,
    My email is already known to you. ;-)
    It is Sandeep.Pamarati @gmail.com
