How to setup SSO against Active Directory with TM1 and CAM security?

Product:
Cognos TM1 10.2.2
Cognos Controller 10.2.1
Windows 2012 R2 Server
Microsoft SQL database server

Problem:
How to setup SSO against Active Directory with TM1 and CAM security?

Possible Solution:
This describes the steps to set up SSO in the Cognos BI and TM1 world.

Install IIS on the Windows 2012 server to support Windows authentication.
Start Server Manager - go to Local Server - scroll down to Roles and Features and select Add Roles and Features. Click Next until you can expand Web Server - Security, and select Windows Authentication.

Next you need to set up a connection to Active Directory inside Cognos Configuration.
Go to Security - Authentication, right-click and select New resource - Namespace.
Enter a name that is the same as your domain, e.g. AD, and select the type Active Directory.
Enter the Namespace ID with the same value as the domain, e.g. AD; keep the letters exactly the same, because this field is case sensitive.
Enter the host and port of a DC server in your domain, e.g. domain.com:389.
If you enter only the domain, the BI server will contact a random DC server in the domain and talk to it to validate the user login.

Under Advanced properties for your namespace, enter the key singleSignOnOption with the value IdentityMapping.
More information at http://www.ibm.com/developerworks/data/library/cognos/page64.html

Set authentication inside Cognos Configuration to not allow anonymous login. Save and restart the BI server.
If you are using Cognos Controller, you need to add users to the groups Controller Administrator and Controller Users inside Cognos Connection. Click on "more" and "set members".

Then in Cognos Controller Configuration you need to switch security from Native to CAM authentication.
Restart the Cognos Controller server, and let only the ADMIN person log in first and add the other users from inside the Cognos Controller client.

On the TM1 server there is a file you need to copy to your BI or Cognos Controller server. Check the folder C:\Program Files\IBM\cognos\tm1_64\bi_interop for the new bi_interop.zip file.
Extract and merge the content of the bi_interop.zip file into the root directory of your existing Cognos BI installation: For example: C:\Program Files\IBM\cognos\c10_64\
Note: The bi_interop.zip file contains a directory structure that merges files into the \templates and \webcontent subdirectories.
Follow these steps to configure IBM® Cognos® TM1® Web to use IBM Cognos authentication security:
You need to copy the files from the c:\Program Files\ibm\cognos\tm1_64\webapps\tm1web\bi_files folder on the TM1 server to the BI server and unzip them there.
The unzipped templates directory must be copied into the root of each Cognos BI Server application tier install. Merge with the existing ..\c10_64\templates directory.
The unzipped webcontent directory must be copied into the root of each Cognos BI gateway install. Merge with the existing ..\c10_64\webcontent directory.
Unzip ..tm1_64\webapps\tm1web\gateway_files\tm1web_gateway.zip in the TM1 install directory. This file should unzip into a templates and webcontent directory.
In newer versions of Cognos TM1 the above 3 steps may not be needed. The last step is needed if there is a Cognos Controller 10.2.1 installation of Cognos BI.
variables_TM1.xml.sample
This file is contained inside the compressed file tm1web_app.zip.
tm1web.html.new
This file is contained inside the compressed file tm1web_gateway.zip.
Rename the variables_TM1.xml.sample file to variables_TM1.xml.
Rename the tm1web.html.new file to tm1web.html.

Copy variables_TM1.xml file to <Cognos location>\templates\ps\portal on your Cognos BI system.
The variables_TM1.xml file should not be edited as of TM1 version 10.2.2.

Copy tm1web.html file to <Cognos location>\webcontent\tm1\web on your Cognos BI system.
Edit the tm1web.html file to point to the server where Cognos TM1 Web is running. Locate the following lines:
// Update the following to point to the location of the TM1Web service(s)
var tm1webServices = ["http://localhost:8080","http://localhost:9510"];
Each entry has the form "http://SystemName:PortNumber". Change the line so it lists your TM1 Web server, for example:
var tm1webServices = ["http://tm1server.domain.com:9510"];

These files are also installed with newer Cognos BI installations. If the files exist on your Cognos BI server, then you only need to edit them.
Open the C:\Program Files\ibm\cognos\ccr_64\webcontent\planning.html file and locate the following lines:
// Update the following to point to the location of the planning service(s)
var planningServices = ["http://web_server_address:9510"];
Replace web_server_address with the fully qualified domain name (FQDN) of the computer where the Cognos TM1 Application Server is running, for example myhost.example.com, so the line reads like:
var planningServices = ["http://machine.company.com:9510"];

To ensure that Cognos TM1 Applications can properly detect a CAM session termination, set the pmpsvc session timeout to a value higher than the CAM session timeout.
The pmpsvc session timeout is the number of minutes of inactivity after which Cognos TM1 Applications terminates a user session. The default value is 60 minutes (1 hour).
The CAM session timeout is the number of seconds of inactivity after which Cognos security terminates a user session. The default value is 3600 seconds (1 hour).
When Cognos TM1 Applications is deployed with the Apache Tomcat that is provided with the Cognos TM1 installation, the fpmsvc_config.xml file is here:
C:\Program Files\ibm\cognos\tm1_64\webapps\pmpsvc\WEB-INF\configuration
Open the fpmsvc_config.xml file in Notepad to edit it.
Enter a value for the timeout attribute of the service / session element.
Use the format for the service / session / timeout attribute as defined in the XML schema definition file fpmsvc_config.xsd, located in the same directory.

<session timeout="65"/>

On your Cognos BI system, configure the CAM session timeout using IBM Cognos Configuration.
Leave the value at 3600 in the Inactivity timeout in seconds field in the Security/Authentication section of Cognos Configuration.
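The two timeouts above are given in different units (pmpsvc in minutes, CAM in seconds), which is the usual place to get the comparison wrong. As an added example (not from the original post), the following Python check reads the session timeout from fpmsvc_config.xml and compares it, converted to seconds, against the CAM inactivity timeout; the XML sample is constructed, and the session element is matched by its tag name so the real file's root element or namespace does not matter.

```python
# Added example, not from the original post: cross-check the two idle timeouts.
# pmpsvc session timeout (fpmsvc_config.xml) is in MINUTES; CAM inactivity
# timeout (Cognos Configuration) is in SECONDS. TM1 Applications must outlive
# the CAM session, so pmpsvc must be strictly higher once both are in seconds.
import xml.etree.ElementTree as ET

# Constructed sample of the <service>/<session> part of fpmsvc_config.xml.
SAMPLE_FPMSVC_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<service>
  <session timeout="65"/>
</service>
"""

DEFAULT_CAM_TIMEOUT_SECONDS = 3600  # Cognos Configuration default (1 hour)


def read_pmpsvc_timeout_minutes(xml_text: str) -> int:
    """Return the timeout attribute of the session element, in minutes."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        # Match on the local tag name so a default xmlns does not break the lookup.
        if elem.tag.rsplit("}", 1)[-1] == "session" and "timeout" in elem.attrib:
            return int(elem.attrib["timeout"])
    raise ValueError("no <session timeout=...> element found in fpmsvc_config.xml")


def check_session_timeouts(pmpsvc_minutes: int, cam_seconds: int) -> dict:
    """Compare both timeouts in seconds; pmpsvc must be strictly higher."""
    pmpsvc_seconds = pmpsvc_minutes * 60
    ok = pmpsvc_seconds > cam_seconds
    if ok:
        message = "OK: pmpsvc session outlives the CAM session"
    else:
        # Smallest whole-minute value that is strictly above the CAM timeout.
        needed = cam_seconds // 60 + 1
        message = (f"pmpsvc session timeout must be above {cam_seconds} s; "
                   f"set it to at least {needed} minutes")
    return {"pmpsvc_seconds": pmpsvc_seconds, "cam_seconds": cam_seconds,
            "ok": ok, "message": message}


def check_file(xml_text: str = SAMPLE_FPMSVC_CONFIG,
               cam_seconds: int = DEFAULT_CAM_TIMEOUT_SECONDS) -> dict:
    """Read the XML, then run the comparison against the CAM timeout."""
    return check_session_timeouts(read_pmpsvc_timeout_minutes(xml_text), cam_seconds)


if __name__ == "__main__":
    print(check_file()["message"])
```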

Configure Cognos TM1 Applications with values for the IBM Cognos Gateway URI and IBM Cognos Dispatcher URI. Open Cognos TM1 Applications using a link of the following format:
http://tm1servername.domain.com:9510/pmpsvc
Log in and open the Cognos TM1 Applications Configuration page:
If you are running Cognos TM1 Applications for the first time, the Configuration page opens after you log in.

If you already configured Cognos TM1 Applications, open the Configuration page by clicking the Administer IBM Cognos TM1 Applications (the icon to the right) on the toolbar of the TM1 Applications portal page.

In some cases you do not see the fields. This can be because a TM1 application with Native security has already been added; it has to be removed first before you can add a TM1 application with CAM security and set up these values.
To make a TM1 application use CAM security, you need to update its TM1S.CFG file with these values:
IntegratedSecurityMode=5
ServerCAMURI=http://biservername:9300/p2pd/servlet/dispatch
ClientCAMURI=http://biservername/ibmcognos/cgi-bin/cognosisapi.dll
ClientPingCAMPassport=900

Save tm1s.cfg and restart the TM1 instance.
You need to add users to the TM1 instance from inside TM1 Architect.
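Before restarting the instance it is worth checking that the four tm1s.cfg values above are consistent with each other. As an added example (not from the original post), this Python snippet parses a tm1s.cfg fragment and reports what is missing or malformed; the sample file content is constructed, and the rule that ClientPingCAMPassport must be shorter than the CAM inactivity timeout is an assumption of this example.

```python
# Added example, not from the original post: sanity-check the CAM settings a
# TM1 instance needs in tm1s.cfg before restarting it.
from urllib.parse import urlsplit

# Constructed tm1s.cfg fragment (real files carry many more keys).
SAMPLE_TM1S_CFG = """[TM1S]
ServerName=planning_sample
PortNumber=12345
IntegratedSecurityMode=5
ServerCAMURI=http://biservername:9300/p2pd/servlet/dispatch
ClientCAMURI=http://biservername/ibmcognos/cgi-bin/cognosisapi.dll
ClientPingCAMPassport=900
"""


def parse_tm1s_cfg(text: str) -> dict:
    """Return key/value pairs with lower-cased keys; comments and [TM1S] are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def check_cam_settings(settings: dict, cam_timeout_seconds: int = 3600) -> list:
    """Return a list of problems; an empty list means the CAM settings look consistent."""
    problems = []
    if settings.get("integratedsecuritymode") != "5":
        problems.append("IntegratedSecurityMode must be 5 for CAM security")
    server = urlsplit(settings.get("servercamuri", ""))
    if server.scheme not in ("http", "https") or not server.path.endswith("/p2pd/servlet/dispatch"):
        problems.append("ServerCAMURI should be the BI dispatcher, e.g. http://biserver:9300/p2pd/servlet/dispatch")
    client = urlsplit(settings.get("clientcamuri", ""))
    # Assumes the ISAPI gateway under /cgi-bin/ shown in the post; adjust for other gateways.
    if client.scheme not in ("http", "https") or "/cgi-bin/" not in client.path:
        problems.append("ClientCAMURI should be the BI gateway, e.g. http://biserver/ibmcognos/cgi-bin/cognosisapi.dll")
    ping = settings.get("clientpingcampassport", "")
    # Assumption of this example: the ping keeps the CAM passport alive, so the
    # interval must be shorter than the CAM inactivity timeout.
    if not ping.isdigit() or not 0 < int(ping) < cam_timeout_seconds:
        problems.append(f"ClientPingCAMPassport must be a positive number of seconds below {cam_timeout_seconds}")
    return problems


if __name__ == "__main__":
    print(check_cam_settings(parse_tm1s_cfg(SAMPLE_TM1S_CFG)) or "CAM settings look consistent")
```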

Open IBM Cognos Configuration for TM1 and check that the Environment properties for Gateway URI and Content Manager URI point to the BI server.
If you are using Cognos Controller FAP, then you need to change that to also use CAM security.
Open C:\Program Files\ibm\cognos\ccr_64\Server\FAP\FAPservice.properties in Notepad, uncomment the clientcamuri value and update it to point to the Cognos BI Gateway URL.

Save and restart the FAP service. Then you need to update the login values inside Controller FAP Manager for the TM1 data mart to use AD\username instead of the native logins used before.

On the Cognos BI Gateway installation that you point to in the Cognos Analysis for Excel installation, navigate to the Cognos_root\templates\ps\portal\ folder, where Cognos_root is the directory where Cognos Controller BI has been installed.
Open the file C:\Program Files\ibm\cognos\ccr_64\templates\ps\portal\variables_plan.xml.
Verify that the <url>../pmhub.html</url> tag exists below <url>../planning.html</url>. The following text is an example of the variables_plan.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<CRNenv>
<urls>
<url>../planning.html</url>
<url>../pmhub.html</url>
</urls>
<cookies>
<param name="cam_passport"/>
<param name="CRN"/>
</cookies>
</CRNenv>

Close the file.
Open C:\Program Files\ibm\cognos\ccr_64\webcontent\pmhub.html in Notepad to edit it.
Edit this file to include all possible pmhub locations in the pmhubURLs variable (see line 51). This enables SSO to operate.
// Update the following to point to the location of the pmhub service(s)
var pmhubURLs = ["http://mypmhubserver1:9510","http://mypmhubserver1.domain.com:9510"];

Make sure that the user account that is running the web server has permission to access pmhub.html. If you cannot access the pmhub.html in a web browser, check the pmhub.html file properties.
Edit the PMHub configuration screen.
In Internet Explorer, enter http://servername:port number/pmhub/pm/admin to open the configuration screen.
For example: http://tm1servername.domain.com:9510/pmhub/pm/admin
Expand the node for configurations > com.ibm.ba.pm.resource.security.dictionary and enter values for the following properties (you find the values to use inside Cognos Configuration):
CAMBIURL = http://biservername.domain.com:9300/p2pd/servlet/dispatch
CAMGatewayURL = http://biservername.domain.com:80/ibmcognos/cgi-bin/cognosisapi.dll

The values in PMHub are saved automatically after a few seconds.
Then you need to test and ensure that Cognos Controller, TM1 Web and FAP are working after these changes.
If you see the error "The planning service parameter was not specified or is not one of the configured locations", review your settings for the planningServices parameter in the planning.html file on the Cognos BI server.
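That error is typically a mismatch between the name users open in the browser (short name versus FQDN, or a different port) and the entries in the planningServices list. As an added example (not from the original post, and not Cognos's own matching code), this Python snippet pulls the list out of planning.html and checks whether the origin of a requested URL is one of the configured locations; the HTML sample is constructed, and the same parser also reads the pmhubURLs list in pmhub.html.

```python
# Added example, not from the original post: model the "planning service
# parameter ... is not one of the configured locations" error by comparing the
# origin (scheme, host, port) of the URL a user opened against the entries in
# the planningServices list. The comparison rule is this example's assumption.
import re
from urllib.parse import urlsplit

# Constructed planning.html fragment with a single configured location.
SAMPLE_PLANNING_HTML = """<html><head><script>
// Update the following to point to the location of the planning service(s)
var planningServices = ["http://tm1server.domain.com:9510"];
</script></head></html>
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_service_list(html_text: str, var_name: str = "planningServices") -> list:
    """Extract the quoted URLs from 'var <var_name> = [ ... ];' (also works for pmhubURLs)."""
    m = re.search(r"var\s+%s\s*=\s*\[(.*?)\]\s*;" % re.escape(var_name), html_text, re.S)
    if not m:
        raise ValueError(f"no 'var {var_name} = [...]' line found")
    return re.findall(r'"([^"]*)"', m.group(1))


def origin_of(url: str) -> tuple:
    """Normalise to (scheme, lower-case host, explicit port) so http://h equals http://h:80."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def is_configured_location(request_url: str, configured: list) -> bool:
    """True when the request origin matches one configured planning service."""
    return origin_of(request_url) in {origin_of(u) for u in configured}


def diagnose(request_url: str, html_text: str = SAMPLE_PLANNING_HTML) -> str:
    """Return "OK" or a hint naming the origin that is missing from the list."""
    configured = parse_service_list(html_text)
    if is_configured_location(request_url, configured):
        return "OK"
    scheme, host, port = origin_of(request_url)
    return (f"{scheme}://{host}:{port} is not in planningServices {configured}; "
            "add that exact name (short name and FQDN both, if users use both)")


if __name__ == "__main__":
    print(diagnose("http://tm1server:9510/pmpsvc"))
```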


More information:

http://www-01.ibm.com/support/docview.wss?uid=swg21661585
http://www-01.ibm.com/support/docview.wss?uid=swg21958925
http://www-01.ibm.com/support/knowledgecenter/SS9RXT_10.2.2/com.ibm.swg.ba.cognos.tm1_inst.10.2.2.doc/t_tm1_inst_tm1web_cogsecurity.html?lang=nl
https://www-304.ibm.com/support/knowledgecenter/SS9RXT_10.2.2/com.ibm.swg.ba.cognos.tm1_inst.10.2.2.doc/t_tm1_inst_sso_cafe.html%23t_tm1_inst_sso_cafe?lang=sv
https://www-304.ibm.com/support/knowledgecenter/SS9RXT_10.2.2/com.ibm.swg.ba.cognos.tm1_inst.10.2.2.doc/t_tm1_inst_app_server_config.html?cp=SS9RXT_10.2.2%2F0-2-11-0-3&lang=sv
https://www-304.ibm.com/support/knowledgecenter/SS9RXT_10.2.2/com.ibm.swg.ba.cognos.tm1_inst.10.2.2.doc/t_tm1_inst_contrib_c8security_session_timeout_vals.html?lang=sv
https://www-304.ibm.com/support/knowledgecenter/SS9RXT_10.2.2/com.ibm.swg.ba.cognos.tm1_inst.10.2.2.doc/t_config_tm1_cont.html%23config_tm1_cont?lang=sv
https://www-304.ibm.com/support/knowledgecenter/SS9RXT_10.2.2/com.ibm.swg.ba.cognos.tm1_inst.10.2.2.doc/c_tm1_inst_new_10_2_2_bi_interop_kit_removed.html
http://www-01.ibm.com/support/docview.wss?uid=swg21341889
http://www-01.ibm.com/support/knowledgecenter/SSMR4U_10.2.2/com.ibm.swg.ba.cognos.express_migration.10.2.2.doc/t_express_inst_mig_install_configure_add_ad_user.html
http://www-01.ibm.com/support/docview.wss?uid=swg21882701