Wizard setup of CA 11.0.6 for SSO on Windows 2012 R2 server.

Product:
Cognos Analytics 11.0.6
Microsoft Windows 2012 R2 server
Microsoft SQL 2014 database server

Problem:
How setup IIS for SSO with CA 11.0.6?

Solution:
This solution is using the tool provided by IBM for configuration of the IIS.
http://www-01.ibm.com/support/docview.wss?uid=swg22000097

In this example, everything is setup on the same Microsoft Windows 2012 R2 server. You may need to check that the web server you use, have Trusted Delegation on the Domain Controller. Enter GPEDIT or SETSPN -L  ServerName at CMD prompt to see some information. More instructions here for Windows Kerberos;

https://technet.microsoft.com/en-us/library/ff646925(v=ws.10).aspx

https://technet.microsoft.com/en-us/library/cc771131(v=ws.11).aspx

https://technet.microsoft.com/en-us/library/cc731241(v=ws.11).aspx

https://technet.microsoft.com/en-us/library/dd759186(v=ws.11).aspx

On the Microsoft Windows 2012 R2 server;

– turn off DEP
– turn off UAC
– turn off ‘On access scan’ of anti-virus software
– turn off IEESC (internet explorer enhanced security configuration)
– Set Power Option to ‘High Performance’
– in Folder Options – view – untick ‘Hide extensions for known file types’
– Internet Options, under General – Settings, mark ‘Every time I start Internet Explorer’
– Internet Options, under Security – Local Intranet – sites, Advanced, add the CA 11 servers to the zone.

Create a empty database named “contentstore” on the Microsoft SQL server. Create a SQL login name cognos with password cognos204. Set the SQL user cognos to be DBOWNER of the database “contentstore”.

Setup CA 11
Download the CA 11.0.6 files from here
http://www-01.ibm.com/support/docview.wss?uid=swg24043412

Run installation of all tools, including IBM Cognos Software Development Kit 11, on the server. Start with the IBM Cognos Analytics Server 11.0.6.0 Microsoft Windows Multilingual (CNIN2ML). The new license, allow the administrator to use all tools.

ca_installfrom

Right click on ca_srv_win64_11.0.6.17031315.exe file and select “run as administrator”.
Click next to run the installation in English.
Select IBM Cognos Analytics, and click Next.
Select to Accept the license agreement, and click Next.
Enter the installation directory to d:\program files\ibm\cognos\analytics and click Next.
Select the Custom installation type, and click Next.
Select the First Install option and click Next.
Select all components and click Next.
Click on Install.
If you get a warning from the Windows firewall, check all and click on “Allow access” to continue the program installation.
When finish, click on Done

In later versions of CA11 you must copy file sqljdbc42.jar into folder d:\program files\ibm\cognos\analytics\drivers before configuration.

Start up Cognos Configuration by right click and select “run as administrator”
Check that the CAservername is already filled in at all the fields, at Environment.

ca_services

The Content store need to be change from IBM DB2 to a SQL Server database. Under Data Access – Content manager, right click ‘Content Store’. Select ‘Delete’ and confirm deletion.
Right-click New Resources -Database. Name the database ‘Content Store’ and select the type ‘Microsoft SQL Server database’.
In the right-hand pane at ‘Resource Properties’, fill in;
Database server name with port number (the sql servernamn:1433)
User ID and password (in our example cognos and Cognos204)
Database name (in our example contentstore)
Click on save icon and wait.

ca_websphere

Above the default values for CA11 WebSphere Liberty Profile. Ensure the server have enough memory.

To enable login to Active Directory, you need under Security and Authentication,
Right-click New Resource – Namespace. Provide a name of the domain ‘AD’ and select ‘Active Directory’. Click OK.
Enter the Namespace ID to be the same as the namespace properties ‘AD’.
Enter the host and port to the domain: domain.com:389
Click the save icon.
Right click and test to see that the AD connection works, you must provide an existing AD users name and password for the test.

Click save and click on start (triangle) to start the CA 11 service.
Surf to http://BIservername:9300/bi/v1/disp to test the program.
You should get to the page without the need to login.

In Cognos Configuration – namespace “Change allow anonymous access” to ‘False’.
Save the change and restart the Cognos services from the restart icon.
Test to surf again to http://servername:9300/bi, this time you should get a login dialog.

When installing the developer tools, you must enter the server name in lower case in Cognos Configuration for Cognos Cube Designer, otherwise it will not work to publish a cube.

ca_icons

You can “pin to start”, your most used programs, to make them easy to find.

Install IIS
Ensure that IIS is installed on the Microsoft Windows 2012 R2 server.
Click on Server Manager icon, normally in lower left corner of screen.
Click on Local Server, on the left in the Server Manager.
Scroll down to Roles And Features, click on Tasks icon and select Add Role and Features.
Click Next 3 times to you get to “Select Server Roles”.

Select Web Server (iis) and click “Add features” to any question about installing additional features.
Click Next 3 times to you get to “Role Services”.
Scroll down and select

ca_iis_2
– Security – Request Filtering (already filled in) and Windows Authentication

ca_iis_1
– (expand) Application Development Features – CGI, ISAPI Extentions and Isapi Filters

Click Next and click Install.

Start a Administrative Power Shell

ca_iisbackup
Enter this to make a backup of IIS settings
backup-webconfiguration -name MyIISbackup

Download ARR from here
https://www.iis.net/downloads/microsoft/application-request-routing

Run ARRv3:0.exe

ca_arr1

Click Install

ca_arr2
Click I accept

ca_arr3
Wait

ca_arr4
Click Finish.

Run the script
Download the script from here
http://www-01.ibm.com/support/docview.wss?uid=swg22000097

Unpack the file CA_IIS_Config(6.22.17).zip
Open the file CA_IIS_Config.bat in Notepad++

ca_script1

set ca_path Set the location of the Cognos Analytics gateway folder d:\Program Files\ibm\cognos\analytics
set ca_disp This section is where all application dispatcher(s) in entered. (Do not enter servers that are only Content Managers)

• set disp[x]=server_name is where you would put the fully qualified dispatcher name
ex. set disp[0]= CAservername.domain.com

• set disp[x].port is where you would put the dispatcher port number.
ex. set disp[0].port= 9300

set enable_SSO To enable single sign-on capabilities in IIS, set this to True.

Save the BAT file.

ca_scriptA

In Windows Explorer, right click on CA_IIS_config.bat file and select Run as Administrator
A command windows will open with the variables that you have configured. If they are incorrect then press ‘n’ to exit and reopen the bat file to correct the issue. If everything is correct, then press ‘y’.

ca_scriptB

If all is well, there should not be any errors.

Surf to : Http://CAservername.domain.com:80/ibmcognos

If the SSO does not work after above script is run, check first that Windows Authentication is Enabled in IIS Manager. Open IIS Manager and go to the Default Web Site – ibmcognos. Click on Authentication. Mark Windows Authentication and click Enable. Ensure that Anonymous Authentication is Disabled on ibmcognos.

iis_windows

Then add singleSignOnOption=IdentityMapping in Cognos Configuration at Security – Authentication – AD – Namespace – Resource Properties. Click on Advanced properties above Account mappings (advanced) to enter the singleSignOnOption value. Save and restart the Cognos services.

ca_namespace

Restart the server, if it still does not work then you need to manually check out all the steps to ensure it works.

Note: that for pictures to be displayed in PDF reports, you often have to in IIS manager set Authentication to allow (enabled) Anonymous Authentication on the picture folder like /ibmcognos/bi/samples/images.

https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_gateway_iis.html

Change of GateWay
Inside Cognos Configuration for Framework manager or other tools, or for Internet Shortcut you need to update to use this link
Http://CAservername.domain.com:80/ibmcognos
to get SSO
http://CAservername.domain.com:9300/bi/v1/disp
will give you the login without SSO.

The URI Gateway for Transformer or Framework Manager clients should be:
http://CAservername.domain.com:80/ibmcognos/bi/v1/disp

The URI external dispatcher for Transformer should be:
http://CAservername:9300/p2pd/servlet/dispatch

The URI external dispatcher for Framework Manager should be:
http://CAservername:9300/bi/v1/disp

The URLs in Cognos Configuration for Cognos Analytics 11 can use the fully qualified domain name (FQDN).
The Gateway URL in Cognos Configuration for Cognos Analytics is configured as follows (gateway.domain.com is the FQDN for the Cognos Analytics gateway server and is the alias that was set in CA_IIS_config.bat before running the script.)

http://gateway.domain.com:80/ibmcognos/bi/v1/disp

ca_default

If you examine the .\\webcontent\default.htm and .\\webcontent\index.html file. They have no reference to cgi as before.

Database Issues

With CA11.0.6 only database driver sqljdbc42.jar is in folder d:\program files\ibm\cognos\analytics\drivers, that should be good enough to connect to a Microsoft SQL database server. You should install a Microsoft SQL Server Native client (msncli.msi) to allow CQM reports to work.

ca_installedprogram

Setup Audit database and import the sample_audit.zip deployment package.
Ensure Audit is configured in Cognos Configuration.
Create the data source connection to Audit database in Cognos Connection. Click on Test to test the data source link.

ca_datasource_check
Click on the Success text (if possible) in test connection to see more information.

ca_data_error
If you get a error XQE-DAT-0001, when you build a new report against the Audit database.
Then you may have forgotten to enter the database name, test will only check to the database server, not to the database you are going to query.

ca_jdbc
Ensure the JDBC connection have all fields filled out, for Microsoft SQL datasources.

When you test a data source to a TM1 server, you may get a error like below when you use AD authentication.
IBM Cognos TM1  / Dynamic  Failed   XQE-CM-0008
If you change to NO Authentication, then the data source test works. Set it back to AD external namespace authentication and build a report  and test that that works to get data from the TM1 cube.

 

More information:
http://www-01.ibm.com/support/docview.wss?uid=swg27047187
http://www.cognoise.com/index.php?topic=32835.0

https://msdn.microsoft.com/en-us/library/ee825145(v=cs.20).aspx