Cognos Express password management

David Usherwood
Site Admin
Posts: 1458
Joined: Wed May 28, 2008 9:09 am

Cognos Express password management

Post by David Usherwood »

We have a client who is currently using CX (9.0) with 'inbuilt' user management, i.e. not linking to Active Directory. (They'd like to use AD, but IBM have not responded to our queries about how to make this work.)
So, in the meantime, the client would like to enforce things like minimum length, expiry etc. And....
I have looked through the docs and the screens and I see _no_ information about any aspect of password management (over and above adding users, groups and users to groups).
What's going on? I don't think the inbuilt TM1 security is active here. Have IBM _really_ released a product so thoroughly SOX-hostile?
jim wood
Site Admin
Posts: 3961
Joined: Wed May 14, 2008 1:51 pm
OLAP Product: TM1
Version: PA 2.0.7
Excel Version: Office 365
Location: 37 East 18th Street New York

Re: Cognos Express password management

Post by jim wood »

Have you checked what the users look like in the control cube? If they have a namespace, my guess is the passwords are being handled in the same way that Cognos BI handles them.
Struggling through the quagmire of life to reach the other side of who knows where.
Go Build a PC
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
David Usherwood

Re: Cognos Express password management

Post by David Usherwood »

They are. What I'm trying to track down is where one can control size and expiry - or is it still in tm1s.cfg even though Xcelerator isn't handling authentication? Can't see that it would be; after all, some customers might not be buying Xcelerator.
moby91
MVP
Posts: 229
Joined: Fri Mar 11, 2011 2:18 pm
OLAP Product: TM1
Version: 9.5.1
Excel Version: 2003 2007

Re: Cognos Express password management

Post by moby91 »

All components of Cognos Express are by default configured to use Cognos Security.

That is the reason why in the Cognos Express Xcelerator Server configuration file tm1s.cfg the parameter "IntegratedSecurityMode=5" is set: to force Cognos Express Xcelerator to use Cognos Security.

Thus the password mgmt features you are looking for, like minimum length or expiry, cannot be configured in Cognos Express Xcelerator Server, because it performs neither user authentication nor password mgmt.
moby91

Re: Cognos Express password management

Post by moby91 »

The information you are looking for, is it not included in the Cognos Express 9.5 manual "Cognos Express 9.5.0 Administration and Security"?

http://publib.boulder.ibm.com/infocente ... g_cra.html
Administration and Security 9.5.0
moby91
MVP
Posts: 229
Joined: Fri Mar 11, 2011 2:18 pm
OLAP Product: TM1
Version: 9.5.1
Excel Version: 2003 2007

Re: Cognos Express password management

Post by moby91 »

David Usherwood wrote: We have a client who is currently using CX (9.0) with 'inbuilt' user management, i.e. not linking to Active Directory. (They'd like to use AD, but IBM have not responded to our queries about how to make this work.)

There are a number of Cognos Proven Practices covering Cognos Security and AD:


http://www.ibm.com/developerworks/data/ ... page8.html
Troubleshooting Active Directory Server

Summary: Some additional troubleshooting techniques may need to be used to successfully configure the Active Directory Schema.

This document is an ongoing list of solutions to hurdles that have surfaced while trying to extend the Cognos schema or general maintenance after the successful creation of the Cognos namespace. Because Active Directory can be used to house the Cognos schema and namespace with both UNIX and Windows, this document is not operating system specific.

Topics covered include:

* Account changes
* Invalid credentials
* LAE files
* Manually creating the Cognos namespace
* Read only schemas

http://public.dhe.ibm.com/software/dw/d ... ectory.pdf



http://www.ibm.com/developerworks/data/ ... age64.html
The Active Directory Story

Summary: This document details how IBM Cognos ReportNet and IBM Cognos 8 BI fit into a multi-domain Active Directory environment.

Part of a successful deployment of the IBM Cognos suite into an Active Directory environment is the ability to understand the meaning of Microsoft's terminology and how each component of Active Directory fits into the environment as a whole. Part of this document will focus on distinguishing between domains, domain trees (trees), and forests.


Topics covered include:

* Active Directory terminology
* The authentication process
* Configuring the Active Directory provider

http://public.dhe.ibm.com/software/dw/d ... _story.pdf



http://www.ibm.com/developerworks/data/ ... ge192.html
Configuring IBM Cognos 8 authentication against Microsoft ADAM

Summary: This document describes how to configure ADAM for use as an authentication source with Cognos ReportNet and Cognos 8.

This document provides a walkthrough of configuring Microsoft Active Directory Application Mode (ADAM) in a Windows environment to be used for authentication in IBM Cognos 8 BI or IBM Cognos ReportNet.

Topics covered include:

* INTRODUCTION
* MICROSOFT ADAM
* CONFIGURING IBM COGNOS 8 BI
* ENABLING LDAPS

http://public.dhe.ibm.com/software/dw/d ... 8_adam.pdf



http://www.ibm.com/developerworks/data/ ... ge555.html
Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008

Summary: This document describes and demonstrates the basic steps that are required in order to enable Integrated Sign On (or Single Sign On) with Active Directory in IBM Cognos Express using the Microsoft IIS 7 Web server on Windows Server 2008.

http://public.dhe.ibm.com/software/dw/d ... ws2008.pdf
David Usherwood

Re: Cognos Express password management

Post by David Usherwood »

@moby91:
My question was about CX without AD security; however, I think your links may assist to resolve what IBM couldn't with the AD piece, so thanks.
I had been through the 9.0 equivalent of the Administer and Deploy manual, which is broadly similar to the 9.5 version in your link.
The rather nasty conclusion, albeit by omission, appears to be that if you use CX without AD (or similar), you cannot enforce password length or expiry - it's actually worse than native TM1 (not itself a star in the SOX firmament).
I feel another SR coming on....