How change TM1 App Web from Native to CAM security

Product:

Planning Analytics 2.0.9.16

Microsoft Windows 2019 server

Issue:

How change TM1 Application web (pmpsvc) to use CAM SSO security when it have been setup to use Native TM1 security before?

Solution:

If you only have one tm1 application connected to tm1 app web (common in new installations – like planning sample in our example).

Stop the “IBM Cognos TM1” service (pmpsvc web server).

Open the file fpmsvc_config.xml from D:\Program Files\ibm\cognos\tm1_64\webapps\pmpsvc\WEB-INF\configuration folder.

Remove the planning sample line from between servers section.

So it looks like this;

<servers>
</servers>
</admin_host>
</tm1>

Save the file.

Change you planning sample tm1s.cfg file to have correct values like below:

IntegratedSecurityMode=5

ServerCAMURI=http://cognosserver.domain.com:9300/p2pd/servlet/dispatch
ClientCAMURI=http://cognosserver.domain.com:80/ibmcognos/bi/v1/disp

Save tm1s.cfg file and restart the planning sample service.

Test to login to planning sample in Tm1 Architect, it should work with CAM SSO if all is correct.

Then browse to your tm1 app web on:

http://planninganalyticsserver.domain.com:9510/pmpsvc

If all works well – you should get to the configuration page – where you can select Tm1 instance. Select a TM1 instance that will be up and use CAM security. All Tm1 applications that are used inside Tm1 Application web (contributor) must all have the same security settings, most common is IntegratedSecurityMode=5.

Save the settings and you should get into the IBM Cognos Tm1 Applications portal. If you need to edit the configuration later, click on the tools icon.

In Cognos TM1 Applications Configuration web page, click on Edit link, below the selected server names.

Then fill out the fields – for any change needed.

Admin host = should be the server-name of windows server where Tm1 Admin service is running (normally the tm1 server itself).

Server Name = should be the selected TM1 instance, that user will first be authenticated against. Should be using CAM SSO, as describe above.

Cognos BI Gateway URI = should be to the gateway like http://cognosserver.domain.com:80/ibmcognos/bi/v1/disp

Cognos BI Dispatchers URI = should be point to the CA11 server on port 9300 like http://cognosserver.domain.com:9300/p2pd/servlet/dispatch

Click OK to save, and there should not be any errors. If errors check in IE on server if you can browse to above URL for Cognos BI.

 

If you turn off the planning sample application and change it to IntegratedSecurityMode=5, without change in fpmsvc_config.xml file, then you get a Tm1 login dialog in TM1 App Web when you connect and you can not login. This becouse “pmpsvc” is setup for Native Security. You need to change planning sample back to IntegratedSecurityMode=1 to be able to login to Tm1 App Web again.

To clear a TM1 Application from TM1 APP WEB connections, so you can work with the TM1 instance in TM1WEB, you need to run TI process:

}tp_admin_delete_all

 

More Information:

https://www.ibm.com/docs/sr/planning-analytics/2.0.0?topic=web-configuring-tm1-application 

https://allthingscognos.wordpress.com/2014/08/26/configuring-performance-modeller-and-tm1-web-with-cam-security-for-tm1-10-2-n/ 

You can maybe edit pmpsvc_path\WEB_INF\configuration\log4j.properties file in the same folder to change log level to INFO or DEBUG to get a lot more info in WEB_INF\logs\pmpsvc.log… or check folder D:\Program Files\ibm\cognos\tm1_64\wlp\usr\servers\tm1\logs for messages.log files.

https://www.ibm.com/support/pages/how-manually-reset-deployed-tm1-applications 

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=mctaip-resetting-application-in-portal 

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=security-standard-cognos-tm1-authentication