TM1 10.2 - Integrated Login For Perspectives Using An AIX 7.1 Web Server?

[Stuart]

Hello,

I have been asked to look into removing the need for our users to enter their credentials when using TM1 Perspectives.
We have IBM Cognos TM1 (10.2.00100.39992) installed across 2 AIX 7.1 servers. Unfortunately I wasn’t involved in the installation of this system and have very little AIX knowledge.

I have found a note from the person that did the installation, stating that single sign on wasn’t implemented due to the REMOTE_USER variable not being available. And that the mod_auth_vas module would need to be installed for IBM HTTP Server 7.0 to generate REMOTE_USER. Which sounds very similar to this post:
http://businessintelligence.ittoolbox.c ... nt-3047179

If I type set on the TM1 Web server I do not see REMOTE_USER. How can I confirm whether or not REMOTE_USER is missing? And is this advice to install the mod_auth_vas module correct?

I have opened the IBM Cognos Configuration application and can see that this document has been followed correctly:
http://www-01.ibm.com/support/knowledge ... er?lang=en

On the TM1 Admin server, the tm1s.cfg file has the entry IntegratedSecurityMode=5, and we are using Active Directory.

Thanks
Stuart

[moby91]

As you refer to env variable REMOTE_USER what about External Identity Mapping ?

http://www-01.ibm.com/support/docview.w ... wg21423007
tm1srvstop.exe does not work with CAM integration

http://www-01.ibm.com/support/docview.w ... wg21649894
Specifying User Lookup and External Identity Mapping strings for IBM Cognos BI LDAP authentication provider

[Stuart]

Thanks for the reply Moby, someone has created this script within the "/opt/ibm/cognos/c10_64/cgi-bin" directory to show the CGI Environment variables.

Code: Select all

#!/usr/bin/perl

print "Content-type:text/html\n\n";
print <<EndOfHTML;
<html><head><title>Print Environment</title></head>
<body>
EndOfHTML
foreach $key (sort(keys %ENV)) {
    print "$key = $ENV{$key}<br>\n";
}
print "</body></html>";

When I execute this REMOTE_USER does not appear, how can I generate this ?

With reference to "Example 1: Using Apache web server to provide REMOTE_USER for SSO token" in this document, should I be following the "Using SetEnvironment" or "Using Apache authentication for MOD Gateway + REMOTE_USER"? I'm confused about the difference.

http://www.ibm.com/developerworks/libra ... m-page651/

Thanks
Stuart

[Stuart]

After reading this article again, the methods described in "Appendix B – Simulating security systems to provide an SSO token" are just for simulating single-sign on, not implementing it.

http://www.ibm.com/developerworks/libra ... m-page651/

Does anyone have the instructions for implementing SSO for TM1 10.2 on UNIX?

Thanks
Stuart

[Stuart]

Please refer to this post for the answer to this question:

https://www.ibm.com/developerworks/comm ... defd&ps=25

there are two options here:


A) go with mod_auth_vas

This module will provide a solution for the SSO from your windows based clients to Apache. Thus you can then leverage REMOTE_USER for SSO to BI.
Downside is, IBM Cognos Support will not be of assistance in setting up mod_auth_vas nor troubleshoot SSO issues in that environment. Basically it's good luck !
Personally I consider this a valid option as it will allow you to leverage your AIX installs as-is. Mind that on the BI configuration you would need to use an LDAP authentication provder
which connects to AD by LDAP. If your users are from a single domain only, attach to that domain. I your users are from a domain tree or even different forests, you moved out of the frying pan
into the fire unfortunately, as you would need to connect to the GC of each forest. GC access is not officially supported either, and per LDAP namespace you can attach to a single GC only.
Technically this will most probably just work fine. You can research on similar context with a BI focus, as all of the above has nothing to do with TM1 any more


B) move required components to Windows

If you would prefer to operate in an all supported environment, you would need to move the Cognos BI GW and the BI Content Manager components to Windows. Then configure "normal" WIA
SSO from your client's to IIS, then Kebreros based SSO to an Active directory provider for BI. This is part of core BI documentation, can become tricky here and there.
The AD provider configured in Cognos BI supports multiple domains in a single forest. So unless your users originate form multiple forests, this should be a straight forward setup.