
Cognos Analytics: Configuring Lightweight Third-Party (LTPA) Authentication with Cognos Analytics 12.1.x

By Dhruva J Mazumdar posted Wed December 31, 2025 10:54 PM

  

Introduction

This blog article provides a detailed, step-by-step guide for configuring Lightweight Third-Party Authentication (LTPA) with Cognos Analytics 12.1.x. It outlines the prerequisites required for LTPA configuration and walks through the complete process from start to finish, supported by relevant examples and demonstrations.

Please note that this blog is intended as a proof of concept only. It should not be considered the sole or definitive approach for configuring LTPA on a Cognos server. The primary intent is to simplify the configuration process and reduce the time required to complete the setup.

Prerequisites

1. IBM WebSphere Application Server 9.0.5.25 

2. Cognos Analytics 12.1.x, Cognos Analytics 12.0.4, Cognos Analytics 11.2.4

Content Overview

The content is divided into two parts. The first part focuses on IBM WebSphere Application Server and provides insights into the steps required to configure LTPA authentication. This section does not cover other aspects of WebSphere Application Server, as they are outside the scope and intent of this blog. It includes only the relevant configuration steps necessary on the WebSphere side to complete LTPA authentication with Cognos Analytics.

The second part of the content focuses on configuring the Cognos Analytics server using the LTPA keys obtained from the IBM WebSphere Application Server, as described in the first part.

Configuring WebSphere Application Server for LTPA

To implement LTPA, Cognos Analytics must be configured to use an authentication source that is also configured in the WebSphere Liberty container in which it runs. Lightweight Third-Party Authentication (LTPA) is an authentication mechanism provided by WebSphere Application Server security that uses a specific token format to enable single sign-on (SSO).

The purpose of LTPA token authentication is to allow an LTPA token, generated by an initial web application that authenticates the client, to be propagated to a downstream Cognos Analytics service. Cognos Analytics then validates the received LTPA token to ensure it has not been modified and has not expired.

For successful validation, the LTPA keys used to generate and validate the token must be identical on both the sending server and the receiving Cognos Analytics server.

Procedure

A. Configuring WebSphere Application Server with LDAP

1. Launch the WebSphere Application Server administrative console and navigate to Security → Global Security. Under Available realm definitions, select Standalone LDAP registry from the drop-down list, and then click Configure.

[Image: WebSphere LDAP]

2. In the following steps, we will configure the standalone LDAP registry using the LDAP server information.

[Image: LDAP WebSphere Configuration]

Test the LDAP connection to ensure that it succeeds.

[Image: Test LDAP connectivity]

B. IBM WebSphere Application Server LTPA Configuration

3. To begin, return to Global Security and then click LTPA authentication.

4. Configure LTPA authentication and export the LTPA keys.

5. The LTPA keys are typically exported under the WebSphere installation directory, specifically under \AppServer\profiles\AppSrv01.

The steps above demonstrate how the WebSphere Application Server is configured to use an authentication directory, such as LDAP, and how LTPA is selected as the authentication mechanism. The exported LTPA keys will be provided to the Cognos Analytics server in the next section, which further demonstrates the integration between WebSphere and Cognos.

Configuring Cognos Analytics with LTPA

To begin configuring LTPA in Cognos Analytics, ensure that the Cognos Analytics server is configured to use the same authentication directory namespace that was set up on the WebSphere Application Server in the previous section. Next, create an XML file named local-server.xml and place it in the cognos_install/configuration directory.

Procedure

C. LDAP SSO Configuration Prerequisite for Enabling LTPA in Cognos Analytics

6. Before configuring LTPA authentication in Cognos Analytics, the authentication namespace—LDAP in this case—must be correctly configured to support single sign-on (SSO) with LTPA.

Start by configuring the LDAP namespace with all required parameters and ensure that LDAP is explicitly enabled for SSO, as described in the official Cognos Analytics documentation:

https://www.ibm.com/docs/en/cognos-analytics/12.1.x?topic=ldap-enable-single-signon-between-cognos-components

https://www.ibm.com/docs/en/cognos-analytics/12.1.x?topic=authentication-configuring-ltpa-using-ldap-namespace

Additionally, verify that Use External Identity is set to True, and that User Lookup and External Identity Mapping are configured appropriately to support single sign-on, as shown in the sample screen capture below:

image
7. Enable LTPA authentication in Cognos Analytics
To set up LTPA for Cognos Analytics:
  1. On a computer where the Cognos Analytics server is installed, start IBM Cognos Configuration.
  2. In the Explorer window, expand the Environment category, and then the IBM Cognos services category.
  3. Click the IBM Cognos service.
  4. In the properties pane, click the Enable IBM Lightweight Third Party Authentication (LTPA) property, and change its value to True.
8. Create an XML file named local-server.xml

Create an XML file named local-server.xml and place it in the install_location/configuration directory. In the local-server.xml file, enter values that are appropriate for your environment, following the sample below. Note that this sample format can be found in the official IBM documentation for setting up LTPA authentication with Cognos Analytics.

<?xml version="1.0" encoding="UTF-8"?>
<server>
  <featureManager>
    <feature>ldapRegistry-3.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>
  <ldapRegistry id="id" realm="realm" host="host" port="port" ignoreCase="true" baseDN="o=basedn" ldapType="Custom" sslEnabled="false">
    <idsFilters userFilter="(uid=%v,ou=people)"
                userIdMap="*:uid"
                groupFilter='(objectclass=groupofnames)'
                groupIdMap="*:cn" />
  </ldapRegistry>
  <webAppSecurity allowFailOverToBasicAuth="true" displayAuthenticationRealm="true"/>
  <ltpa keysFileName="yourLTPAKeysFileName.keys" keysPassword="keysPassword" expiration="120" />
</server>

A working sample configuration is provided below for reference and better understanding. Please note that the LDAP filter values must be obtained from the LDAP administrator based on the environment’s configuration. In some cases, these values can also be found in the LTPA Advanced Lightweight Directory Access Protocol (LDAP) user registry settings within the WebSphere Application Server administrative console, as illustrated in the example below.
image
Sample local-server.xml: 
<?xml version="1.0" encoding="UTF-8"?>
<server>
  <featureManager>
    <feature>ldapRegistry-3.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>
  <ldapRegistry id="id" realm="realm"
                host="squad5.support.com" port="389" ignoreCase="true"
                baseDN="DC=squad5,DC=support,DC=com" bindDN="CN=Administrator,CN=Users,DC=squad5,DC=support,DC=com"
                bindPassword="BIND_CREDENTIALS_FOR_LDAP" ldapType="Microsoft Active Directory" sslEnabled="false">
    <activedFilters
        userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
        groupFilter="(&amp;(cn=%v)(objectcategory=group))"
        userIdMap="user:sAMAccountName"
        groupIdMap="*:cn"
        groupMemberIdMap="memberOf:member">
    </activedFilters>
  </ldapRegistry>
  <webAppSecurity allowFailOverToBasicAuth="true" displayAuthenticationRealm="true"/>
  <ltpa keysFileName="resources/security/ltpacognos.keys" keysPassword="LTPA_PASSWORD_AT THE TIME OF EXPORT" expiration="120" />
</server>
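
A check that can be run over local-server.xml before the services are started, added here as an example and not taken from the original post or from IBM tooling. It flags an LDAP registry without TLS and passwords that are stored in clear text or only XOR-encoded; the `{xor}` and `{aes}` prefixes are the ones Liberty's `securityUtility encode` produces, and the host name, bind DN and secret values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample using the attribute names from local-server.xml above.
WEAK = """<server>
  <ldapRegistry id="id" realm="realm" host="ldap.example.test" port="389"
      bindDN="CN=svc-cognos,DC=example,DC=test" bindPassword="Plaintext-1"
      ldapType="Microsoft Active Directory" sslEnabled="false"/>
  <ltpa keysFileName="resources/security/ltpacognos.keys"
      keysPassword="{xor}Lz4sLCgwLTs=" expiration="120"/>
</server>"""
# Same constructed sample with TLS on and both secrets AES-encoded (dummy values).
HARDENED = (WEAK.replace('sslEnabled="false"', 'sslEnabled="true"')
                .replace('port="389"', 'port="636"')
                .replace("Plaintext-1", "{aes}DUMMY")
                .replace("{xor}Lz4sLCgwLTs=", "{aes}DUMMY"))

MESSAGES = {
    "no-tls": "LDAP bind and searches are sent without TLS",
    "cleartext": "secret is stored in clear text",
    "xor-only": "{xor} is reversible obfuscation, not encryption",
}


def check_secret(element, attr, value):
    """Classify a password attribute by its encoded-value prefix."""
    if value is None or value.lower().startswith("{aes}"):
        return []
    code = "xor-only" if value.lower().startswith("{xor}") else "cleartext"
    return [(element, attr, code)]


def audit_server_xml(xml_text):
    """Return (element, attribute, code) findings for a Liberty server XML."""
    root = ET.fromstring(xml_text)
    findings = []
    for reg in root.iter("ldapRegistry"):
        if reg.get("sslEnabled", "false").lower() != "true":
            findings.append(("ldapRegistry", "sslEnabled", "no-tls"))
        findings += check_secret("ldapRegistry", "bindPassword", reg.get("bindPassword"))
    for ltpa in root.iter("ltpa"):
        findings += check_secret("ltpa", "keysPassword", ltpa.get("keysPassword"))
    return findings


if __name__ == "__main__":
    for element, attr, code in audit_server_xml(WEAK):
        print(f"{element}@{attr}: {MESSAGES[code]}")
```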

9. Modify the special subject type in bi-service.xml
To use LTPA, open the install_location/configuration/bi-services/bi-service.xml file, and change the special subject type from EVERYONE to ALL_AUTHENTICATED_USERS, as follows:
<special-subject type="ALL_AUTHENTICATED_USERS"/>
Make this change on all computers where Cognos Analytics servers are installed.

10. Copy the LTPA keys from WebSphere into Cognos Analytics

To complete the setup, copy the LTPA keys generated on the WebSphere Application Server to the Cognos Analytics WebSphere Liberty location:

image
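
Because token validation only succeeds when the keys are identical on both servers, it is worth confirming that the file copied in this step matches the WebSphere export. The following is an added example, not part of the original post: it compares the two files property by property without printing key material. The property names are those found in WebSphere-exported key files (treated as an assumption here), and the file contents are constructed.

```python
import hashlib

# Key property names as found in WebSphere-exported LTPA key files (assumed here).
KEY_PROPS = ("com.ibm.websphere.ltpa.3DESKey",
             "com.ibm.websphere.ltpa.PrivateKey",
             "com.ibm.websphere.ltpa.PublicKey")

# Constructed sample contents; real files hold base64 key material.
WAS_EXPORT = r"""#IBM WebSphere Application Server key file
com.ibm.websphere.ltpa.3DESKey=QUFBQUFBQUE\=
com.ibm.websphere.ltpa.PrivateKey=QkJCQkJCQkI\=
com.ibm.websphere.ltpa.PublicKey=Q0NDQ0NDQ0M\=
"""
# Constructed stale copy on the Cognos side: one key differs, one line is absent.
STALE_COPY = r"""com.ibm.websphere.ltpa.3DESKey=WlpaWlpaWlo\=
com.ibm.websphere.ltpa.PrivateKey=QkJCQkJCQkI\=
"""

def parse_ltpa_keys(text):
    """Parse the Java-properties style keys file into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Properties files escape '=' and ':' inside values as '\=' and '\:'.
        props[name.strip()] = value.strip().replace("\\=", "=").replace("\\:", ":")
    return props

def fingerprint(value):
    """Truncated SHA-256, so key material itself is never printed or logged."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]

def compare_ltpa_keys(source_text, copy_text):
    """Return {property: 'match' | 'differs' | 'missing'} for the key properties."""
    src, dst = parse_ltpa_keys(source_text), parse_ltpa_keys(copy_text)
    result = {}
    for prop in KEY_PROPS:
        if prop not in src or prop not in dst:
            result[prop] = "missing"
        elif fingerprint(src[prop]) == fingerprint(dst[prop]):
            result[prop] = "match"
        else:
            result[prop] = "differs"
    return result

if __name__ == "__main__":
    print(compare_ltpa_keys(WAS_EXPORT, STALE_COPY))
```

In practice, read the two files from disk (the WebSphere export and the copy under the Cognos Liberty location) and pass their text to `compare_ltpa_keys`; any status other than `match` means tokens issued by WebSphere will not validate.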

D. Note: The following section and recommendation apply only to Cognos Analytics versions 12.1.0 and 12.1.1. If you are running a version earlier than 12.1.x, please skip the steps below and start the Cognos services.

  • Locate the file bootstrap_wlp_xxx.xml.
  • Create a backup of this file.
  • Add the following parameters to it under "<param>jdk.naming.dns/com.sun.jndi.dns=ALL-UNNAMED</param>":

<param>--add-exports</param>
<param>java.naming/com.sun.jndi.ldap=com.ibm.ws.jndi</param>
<param>--add-exports</param>
<param>java.naming/com.sun.jndi.ldap=ALL-UNNAMED</param>
<param>--add-opens</param>
<param>java.naming/com.sun.jndi.ldap=ALL-UNNAMED</param>
<param>--add-opens</param>
<param>java.naming/com.sun.jndi.ldap=com.ibm.ws.jndi</param>

  • Save the file and start the Cognos services.

Conclusion

Start the Cognos services with LTPA authentication enabled. During access, the authentication flow is redirected to WebSphere, where LTPA-based authentication is performed. Upon successful validation of the LTPA token, Cognos Analytics establishes the user session and maps the external identity to the configured LDAP namespace, resulting in seamless single sign-on (SSO) without any additional credential prompts.


While this guide provides a comprehensive approach for configuring this setup, implementation details may vary depending on each organization’s specific requirements. Additionally, the steps outlined in this blog involve third-party vendors and services that fall outside IBM’s direct scope of support.

The objective of this blog is to provide a clear understanding of the configuration required to integrate Cognos Analytics with LTPA tokens supplied by a full IBM WebSphere installation. However, due to the evolving nature of technology, IBM cannot assume responsibility for future changes to third-party vendors’ technical specifications, configurations, or processes.

It is strongly recommended to consult the most up-to-date documentation from the relevant third-party vendor responsible for provisioning the LTPA tokens. This will help ensure continued compatibility as vendors introduce updates or enhancements over time.
