ServletGateway on WAS 6.1 - Cognos 8.4 - Cognos Gateway Namespace issue

Cognos 8 Business Intelligence Installation and Configuration
1

I want to use only ‘Active Directory’ as my authentication source for this ServletGateway Gateway.

I installed Cognos Gateway Component on the machine where my WAS 6.1 is running :frowning:
I configured Cognos Gateway with
1. Dispatcher URL
2. Controller URL
3. Gateway Namespace with 'Active Directory’
Note: 1. My cognos environment (CAM) has two authentication sources configured (Active Directory & Shared Secret)

I Generated ServletGateway EAR file using the Cognos Gateway configuration wizard with all default values and
Deployed the ServletGateway EAR to my WAS 6.1

I tested the ServletGateway Application using the url
http://myhostname:9080/ServletGateway/servlet/Gateway

I get a blank page. Not sure what is happening :frowning:

To be precise
I get a blank page when tested in FireFox.
I get a HTTP 501/HTTP 505 page when tested with InternetExplorer

I checked my WAS 6.1 logs, There are no error/exception messages.
However I could see the CAM_TOKENID_101 & REMOTE_USER with proper values.

Can anyone help me resolve this ‘blank page’ issue?

Now for some reason, I took off the ‘Active Directory’ value from Gateway Namespace in the cognos gateway configuration. i.e. I left the Gateway Namespace property empty.
And I tested the servletGateway with same url i.e.
http://myhostname:9080/ServletGateway/servlet/Gateway

Surprisingly I get cognos page asking me to choose the ‘Authenticatin Source’ and it all works fine from there.

Again If I put the value ‘Active Directory’ in the Gateway Namespace property and test it
It gives the same blank page.

Am I missing / miss configured something here?

Requset your help to solve this problem.

2

Can anyone help me resolve this issue please?

3

Can you post a screenshot of your Active Directory namespace config?
Specifically I want to see the name and namespace ID.

You should be using the Namespace ID in the gateway config.

4

From the IBM Cognos 8 Installation and Configuration Guide

Problems Logging On to Cognos Portlets
There are several reasons why users with valid portal user IDs and passwords may not be able to log on to Cognos Portlets.

Multiple Namespaces
If IBM Cognos 8 is configured to use more than one authentication namespace, you must install a separate IBM Cognos 8 gateway and configure it to use the namespace for portal users.

You must also change the CPS connection point in the Cognos portlets:

For IBM Websphere, change the CPS Endpoint parameter in the portlet application.

IBM WebSphere Portal
If you use the IBM Websphere portal, ensure that the following is true.

The credentials for the portal user are available in the IBM Cognos 8 authentication namespace.

The server running the portal and the server running IBM Cognos 8 are both configured to use the IBM WebSphere Application server.

Both application servers are configured for single signon using one of the supported Active Credentials objects: HttpBasicAuth, LtpaToken, SiteMinderToken, or WebSealToken.

The selected Active Credentials method is indicated in the parameters for the Cognos portlet application.

If using Ltpa token as an Active Credentials object, the IBM Cognos 8 URL entry point is secured in IBM Cognos 8.

Create a secure URL to access the dispatcher servlet or servlet gateway.

5

Don’t use space in the Namespace ID. Change from “Active Directory” to “ActiveDirectory”. That’s a Known Bug in 8.4.
Also, I strongly recommend the Documentation http://public.dhe.ibm.com/software/dw/dm/cognos/security/design/deploy_a_secured_cognos_8_servlet_gateway_in_websphere_6.pdf

6

[quote=“Grim, post:3, topic:529”]Can you post a screenshot of your Active Directory namespace config?
Specifically I want to see the name and namespace ID.

You should be using the Namespace ID in the gateway config.[/quote]

Hello Grim,

I apologize for the delayed response.

Thank you & I appreciate your help.

I don’t have access to cognos - active directory configuration. I’ve asked my cognos administrator to provide me a screen shot so that I can share that with you.

However I’ve access to my cognos gateway only.
I used the string ‘Active Directory’ as the ‘namespace Id’ for ‘Gateway Namespace’ field in Cognos Gateway Configuration. I’ve attached the screenshot of my Gateway Configuration screen for your reference.

Can you please throw light on specific configuration [ parameters / values ] I should be looking for in cognos - active directory - namespace configuration?

Thanks & Regards
Shashir

7

[quote=“Thiago Teixeira, post:5, topic:529”]Don’t use space in the Namespace ID. Change from “Active Directory” to “ActiveDirectory”. That’s a Known Bug in 8.4.
Also, I strongly recommend the Documentation http://public.dhe.ibm.com/software/dw/dm/cognos/security/design/deploy_a_secured_cognos_8_servlet_gateway_in_websphere_6.pdf[/quote]

Hello Thiago,

Thank you for your response.
What are all the places I’ve to make this change? If I’ve to change the Namespace ID from ‘Active Directory’ to ‘ActiveDirectory’,

I did change the Namespace ID from ‘Active Directory’ to ‘ActiveDirectory’ in my Cognos Gateway Configuration and tried the url
http://gatewayhostname:9080/ServletGateway/servlet/Gateway
I get the following error
CAM-AAA-0135 - The user is already authenticated in all available namespaces.
[I’ve attached the screen shot for your quick reference]

Out of curiosity I tried the URL
http://gatewayhostname:9080/ServletGateway/servlet/Gateway?CAMNamespace=ActiveDirectory
I get the following error
CAM-AAA-0034 - The namespace ‘ActiveDirectory’ does not exist.

Any clues / ideas to resolve this issue?

I followed the article you have recommended for installation, deployment & securing the SerlvetGateway application.

Thanks & Regards
Shashir

8

The problem is probably due to the “Gateway Namespace” not matching what the actual Namespace ID is. Get the actual name of the Namespace ID from the Primary Content Manager install and use that.
http://publib.boulder.ibm.com/infocenter/c8bi/v8r4m0/index.jsp?topic=/com.ibm.swg.im.cognos.inst_cr_winux.8.4.0.doc/inst_cr_winux_id17170ConfiguretheGatewaytoUseaNamespace.html

In Cog Config on the CM:
Security>Authentication>[Whatever the name of your AD/LDAP Auth is]
On the right side look for the “Namespace ID” property.

NOTE: This property, Namespace ID, should NOT contain any special characters or spaces. Cognos has had issues with these in the past. Just good practice to avoid problems.

9

[quote=“MartijnC, post:4, topic:529”]From the IBM Cognos 8 Installation and Configuration Guide

Problems Logging On to Cognos Portlets
There are several reasons why users with valid portal user IDs and passwords may not be able to log on to Cognos Portlets.

Multiple Namespaces
If IBM Cognos 8 is configured to use more than one authentication namespace, you must install a separate IBM Cognos 8 gateway and configure it to use the namespace for portal users.

You must also change the CPS connection point in the Cognos portlets:

For IBM Websphere, change the CPS Endpoint parameter in the portlet application.

IBM WebSphere Portal
If you use the IBM Websphere portal, ensure that the following is true.

The credentials for the portal user are available in the IBM Cognos 8 authentication namespace.

The server running the portal and the server running IBM Cognos 8 are both configured to use the IBM WebSphere Application server.

Both application servers are configured for single signon using one of the supported Active Credentials objects: HttpBasicAuth, LtpaToken, SiteMinderToken, or WebSealToken.

The selected Active Credentials method is indicated in the parameters for the Cognos portlet application.

If using Ltpa token as an Active Credentials object, the IBM Cognos 8 URL entry point is secured in IBM Cognos 8.

Create a secure URL to access the dispatcher servlet or servlet gateway.[/quote]

Hello MartijnC,

I apologize for the delayed response.
Thank you for your reply.

I’m pretty new to this Cognos, so took some time to understand your comments and then tried to validate it with my Cognos Environment.

So let me explain my cognos environment and what I’m trying to achieve.

Note: I don’t have any portlets here, Neither WebSphere Portal Nor Cognos Portlets

I’m trying to achieve Single Sign On between WebSphere App Server 6.1.x (WAS 6.1.x) and Cognos 8.4 running on Tomcat.

The primary Cognos 8.4 install is distributed between three different physical machines as described below

Gateway Machine: The default gateway i.e. Apache HTTP Server, Cognos Gateway Component
Content Manager Machine: Cognos Content Manager and other cognos components
Database Machine: Cognos database

Cognos is configured with Two Authentication Sources, 1. Active Directory and 2. SharedSecret

Some of my Web Applications are running on WAS 6.1.x (this is on a different machine altogether so lets say WAS Machine)
and I’ve to enable Single Sign On between my Web Applications running on WAS 6.1.x and Applications running on Cognos 8.4.

To achieve this, I installed Cognos Gateway Component on my WAS Machine and generated the ServletGateway EAR application, deployed it, secured it (basic authentication) and enabled Single Sign On with LTPA.

I configured Cognos Gateway component running on my WAS Machine with ‘Active Directory’ Namespace ID.

I configured my WAS to use the same Active Directory i.e. the one used by my Cognos.

Note: My WAS does not have any other Cognos related applications deployed except ServletGateway EAR Application.

The trouble started as I want to use only ‘Active Directory’ for all the users who use ServletGateway gateway.
So as explained in my initial post, with the this configuration when ever I hit the url
http://gatewayhostname:9080/ServletGateway/servlet/Gateway
I get a blank page.

Please let me know if you need further details to help me address this issue.

I appreciate your time and help.

Thanks & Regards
Shashir

10

[quote=“Grim, post:8, topic:529”]The problem is probably due to the “Gateway Namespace” not matching what the actual Namespace ID is. Get the actual name of the Namespace ID from the Primary Content Manager install and use that.
http://publib.boulder.ibm.com/infocenter/c8bi/v8r4m0/index.jsp?topic=/com.ibm.swg.im.cognos.inst_cr_winux.8.4.0.doc/inst_cr_winux_id17170ConfiguretheGatewaytoUseaNamespace.html

In Cog Config on the CM:
Security>Authentication>[Whatever the name of your AD/LDAP Auth is]
On the right side look for the “Namespace ID” property.

NOTE: This property, Namespace ID, should NOT contain any special characters or spaces. Cognos has had issues with these in the past. Just good practice to avoid problems.[/quote]

Hello Grim,

Thank you for your response.

I’m trying to change the Namespace ID from ‘Active Directory’ to ‘ActiveDirectory’ in the primary cognos content manager.
[As you said without any spaces and special characters in the Namespace ID]

Once this Namespace ID change is completed on my primary cognos content manager,
I’ll use the same Namespace ID in my Cognos Gateway component installed on my WAS Machine and test it.

Will Keep you posted on the test results.

Thanks & Regards
Shashir