Configuring Cognos for Smart Card and certificate login (OnCommand Insight 7.3.2 and earlier)

You must modify the OnCommand Insight Data Warehouse configuration to support Smart Card (CAC) and certificate logins for the Cognos server.

Before you begin

This procedure is for systems running OnCommand Insight 7.3.2 and earlier.

Steps

Add certificate authorities (CAs) to the Cognos trust store.
1. In a command window, go to ..\SANscreen\cognos\c10_64\configuration\certs\
2. Use the keytool utility to list the trusted CAs: C:\Program Files\SANscreen\java64\bin\keytool.exe -list -keystore CognosTruststore.jks -storepass changeit
  The first word in each line indicates the CA alias.
3. If no suitable files exist, supply a CA certificate file, usually a .pem file.
4. Optional: To include customer's CAs with OnCommand Insight trusted CAs, go to ..\SANscreen\cognos\c10_64\configuration\certs\.
5. Use the keytool utility to import the .pem fileC:\Program Files\SANscreen\java64\bin\keytool.exe -importcert -keystore CognosTruststore.jks -alias my_alias -file 'path/to/my.pem' -v -trustcacerts
  my_alias is usually an alias that would easily identify the CA in the keytool -list operation.
6. When prompted for a password, enter changeit, the default password.
7. Answer yes when prompted to trust the certificate.
Modify the reporting portal registry:
1. Use regedit to modify HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Prefs\com\netapp\sanscreen\reporting.
2. Change the portal_url value to https:\\DWHServer.name:8080/ibmcognos.
Redirect the reporting portal:
1. Open the ..\SANscreen\wildfly\standalone\deployments\dwh-redirect.war\redirect.html file in edit mode.
2. Change the URL value from https:\\DWHServer.name:9300/p2pd/servlet/dispatch to https:\\DWHServer.name:8080/ibmcognos.
Enable CAC mode:
1. Open the ..\SANscreen\cognos\c10_6\configuration\SANscreenAP.properties file in edit mode.
2. Change authentication.mode=form to authentication.mode=cac.
3. Save the file.
4. Restart the Cognos service: From the Windows Start menu, select All Programs > IBM Cognos > IBM Cognos configuration
Start the ServletGateway:
1. Go to ..\SANscreen\cognos\c10_64\wlp\bin.
2. Set the Java Home path: set java_home=..\SANscreen\cognos\c10_64\bin64\jre\7.0
3. Start the ServletGateway: server start servletgateway
Changing the ServletGateway port from the default port (8080) to a custom port requires repeating the following steps:
1. Update the reporting portal in registry entry.
2. Update the reporting portal redirect.
3. Restart the ServletGateway port.

After you finish

After enabling CAC, logging in to Cognos might fail with a TLS version issue. Enabling TLS1.0, 1.1, and 1.2 on IE corrects this problem. You might experience the same errors other browsers. You should be able to correct them by enabling TLS versions.
The ServletGateway must be stopped and started manually every time the server is rebooted or a command prompt session is closed because no ServletGateway service is available.
ETL must be built to reflect the new reporting portal URL in the OnCommand Insight server.
All of the manual steps might need to be performed after a Data Warehouse Cognos upgrade.