Configuring Cognos for Smart Card and certificate login (OnCommand Insight 7.3.10 and later)

You must modify the OnCommand Insight Data Warehouse configuration to support Smart Card (CAC) and certificate logins for the Cognos server.

Before you begin

This procedure is for systems running OnCommand Insight 7.3.10 and later.

Procedure

  1. Add certificate authorities (CAs) to the Cognos truststore.
    1. In a command window, go to ..\SANscreen\cognos\analytics\configuration\certs\
    2. Use the keytool utility to list the trusted CAs: ..\..\ibm_jre\jre\bin\keytool.exe -list -keystore CAMKeystore.jks -storepass NoPassWordSet
      The first word in each line indicates the CA alias.
    3. If no suitable files exist, supply a CA certificate file, usually a .pem file.
    4. Optional: To include the customer's CAs with the OnCommand Insight trusted CAs, go to ..\SANscreen\cognos\analytics\configuration\certs\.
    5. Use the keytool utility to import the .pem file: ..\..\ibm_jre\jre\bin\keytool.exe -importcert -keystore CAMKeystore.jks -alias my_alias -file 'path/to/my.pem' -v -trustcacerts
      my_alias is usually an alias that would easily identify the CA in the keytool -list operation.
    6. When prompted for a password, enter NoPassWordSet.
    7. Answer yes when prompted to trust the certificate.
  2. To enable CAC mode, do the following:
    1. Configure the CAC logout page: Log on to the Cognos portal (the user must be part of the System Administrators group, that is, cognos_admin). Click Manage -> Configuration -> System -> Security. Enter cacLogout.html in the Logout Redirect URL field and click Apply. Close the browser.
    2. Execute ..\SANscreen\bin\cognos_cac\enableCognosCAC.bat
    3. Start the IBM Cognos service. Wait for the Cognos service to start.
  3. To disable CAC mode, do the following:
    1. Execute ..\SANscreen\bin\cognos_cac\disableCognosCAC.bat
    2. Start the IBM Cognos service. Wait for the Cognos service to start.
    3. Unconfigure the CAC logout page: Log on to the Cognos portal (the user must be part of the System Administrators group, that is, cognos_admin). Click Manage -> Configuration -> System -> Security. Enter cacLogout.html in the Logout Redirect URL field and click Apply. Close the browser.
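
Added example (not part of the NetApp procedure or tooling): a PowerShell pre-import check for step 1 that confirms the .pem file is a currently valid CA certificate, shows its SHA-256 fingerprint, and skips the import if the truststore already holds it. The parameter names and the optional expected-fingerprint comparison are assumptions; the script passes -storepass and -noprompt, so keytool does not ask the questions described in substeps 6 and 7.

```powershell
# Added example. Run from ..\SANscreen\cognos\analytics\configuration\certs\
param(
    [Parameter(Mandatory)][string]$PemPath,   # CA certificate file (assumed: one certificate per file)
    [Parameter(Mandatory)][string]$Alias,     # alias that identifies the CA in keytool -list
    [string]$ExpectedSha256                   # assumed: fingerprint obtained out of band from the CA owner
)
$keytool   = '..\..\ibm_jre\jre\bin\keytool.exe'
$keystore  = 'CAMKeystore.jks'
$storepass = 'NoPassWordSet'

$path = (Resolve-Path -LiteralPath $PemPath -ErrorAction Stop).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

# SHA-256 fingerprint in the AA:BB:... notation that keytool prints
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$fp = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ':'
Write-Host "Subject: $($cert.Subject)`nSHA-256: $fp"

if ($ExpectedSha256 -and (($ExpectedSha256 -replace '[^0-9A-Fa-f]', '') -ne ($fp -replace ':', ''))) {
    throw 'Fingerprint does not match the expected value; not importing.'
}

# Only a CA certificate belongs in a truststore: require the basicConstraints CA flag.
# (Policy choice of this example: roots that lack the extension are rejected too.)
$bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) { throw 'Not a CA certificate (basicConstraints CA flag missing).' }

$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Assumes English keytool output: -list -v prints "Alias name:" and a SHA-256 fingerprint per entry.
$listing = & $keytool -list -v -keystore $keystore -storepass $storepass | Out-String
if ($LASTEXITCODE -ne 0) { throw 'keytool -list failed; check the working directory and keystore.' }
if ($listing.Contains($fp)) { Write-Host 'This CA is already in the truststore; nothing to import.'; return }
if ($listing -match "(?m)^Alias name:\s*$([regex]::Escape($Alias))\s*$") {
    throw "Alias '$Alias' is already used by another entry."
}

& $keytool -importcert -keystore $keystore -storepass $storepass -alias $Alias -file $path -trustcacerts -noprompt -v
if ($LASTEXITCODE -ne 0) { throw 'keytool -importcert failed.' }
```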