You must modify the OnCommand Insight Data Warehouse configuration to support Smart Card (CAC) and certificate logins for the Cognos server.
Before you begin
This procedure is for systems running OnCommand Insight 7.3.2 and earlier.
Procedure
-
Add certificate authorities (CAs) to the Cognos trustore.
-
In a command window, go to ..\SANscreen\cognos\c10_64\configuration\certs\
-
Use the keytool utility to list the trusted CAs: C:\Program Files\SANscreen\java64\bin\keytool.exe -list -keystore CognosTrustore.jks -storepass changeit
The first word in each line indicates the CA alias.
-
If no suitable files exist, supply a CA certificate file, usually a .pem file.
- Optional:
To include customer's CAs with OnCommand Insight trusted CAs, go to ..\SANscreen\cognos\c10_64\configuration\certs\.
-
Use the keytool utility to import the .pem fileC:\Program Files\SANscreen\java64\bin\keytool.exe -importcert -keystore CognosTrustore.jks -alias my_alias -file 'path/to/my.pem' -v -trustcacerts
my_alias is usually an alias that would easily identify the CA in the keytool -list operation.
-
When prompted for a password, enter changeit, the default password.
-
Answer yes when prompted to trust the certificate.
- Modify the reporting portal registry:
- Use regedit to modify HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Prefs\com\netapp\sanscreen\reporting.
- Change the portal_url value to https:\\DWHServer.name:8080/ibmcognos.
- Redirect the reporting portal:
- Open the ..\SANscreen\wildfly\standalone\deployments\dwh-redirect.war\redirect.html file in edit mode.
- Change the URL value from https:\\DWHServer.name:9300/p2pd/servlet/dispatch to https:\\DWHServer.name:8080/ibmcognos.
- Enable CAC mode:
- Open
the ..\SANscreen\cognos\c10_6\configuration\SANscreenAP.properties
file in edit mode.
- Change authentication.mode=form to
authentication.mode=cac.
- Save the file.
- Restart the Cognos service: From the Windows Start menu, select
- Start the ServletGateway:
- Go to ..\SANscreen\cognos\c10_64\wlp\bin.
- Set the Java Home path: set
java_home=..\SANscreen\cognos\c10_64\bin64\jre\7.0
- Start the ServletGateway: server start servletgateway
- Changing the ServletGateway port from the default port (8080) to a custom port requires repeating the following steps:
- Update the reporting portal in registry entry.
- Update the reporting portal redirect.
- Restart the ServletGateway port.
After you finish
- After enabling CAC, logging in to Cognos might fail with a TLS version issue. Enabling TLS1.0, 1.1, and 1.2 on IE corrects this problem. You might experience the same errors other browsers. You should be able to correct them by enabling TLS versions.
- The ServletGateway must be stopped and started manually
every time the server is rebooted or a command prompt session is closed because
no ServletGateway service is available.
- ETL must be built to reflect the new reporting portal URL in the
OnCommand Insight server.
- All of the manual steps might need to be
performed after a Data Warehouse Cognos upgrade.