SSO is not working to CA11

by ·Comments Off on SSO is not working to CA11

Product:
Cognos Analytics 11.0.12
Microsoft Windows 2016 server

Problem:
The users can not login with SSO, they have to enter name and password at the IBMCOGNOS website.
Only a few Cognos CA11 gateway servers are affected.

Suggested solution:
Go into the Cognos Configuration on gateway servers and click save.
Does it help?

Recommend is to on all Cognos Configuration installation change the “common symmetric key lifetime in days” from 365 to a higher value like 1825 (5 years).

Inside Cognos Configuration on the CA11 servers
Go to Local Configuration -> Security -> Cryptography
Modify the value for: Common symmetric key lifetime in days
Also go to Local Configuration -> Security -> Cryptography -> Cognos
Modify the value for: Certificate lifetime in days
Save the configuration and start the services.
You must start the Content Manager first, then the gateway servers last.

The issue can also be caused by changes to IIS setup for the SSO part.

More Information:
By default, the cryptographic keys are valid for 365 days.

This value is configured inside Cognos Configuration
Specifically, browse to “Local Configuration -> Security -> Cryptography” and modify the value for: Common symmetric key lifetime in days

Each time you open Cognos configuration and click the save button, it resets the clock on your 365 days. Therefore, if you installed the software and didn’t save the configuration for 365 days, they would expire and you’d need to manually regenerate them.

You must restart the services every so often to ensure the new keys are actually being used.

If you think you won’t be opening and saving your configuration at any point in the next year or two, you can change the expiration date to 8 years and re-encrypt everything.

If you miss above, you will get in a years time this error;
“The Cognos gateway is unable to connect to the Cognos BI server. The server may be unavailable, or the gateway may not be correctly configured”

https://www.ibm.com/support/pages/how-determine-when-cryptographic-keys-will-expire-and-are-cryptographic-key-and-ca-certificate-lifetime-settings-related
https://www.ibm.com/support/pages/cognos-gateway-unable-connect-cognos-bi-server-2
https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_gateway_iis.html