Planning Analytics


TI Process against Database, how to secure the password ?

  • 1.  TI Process against Database, how to secure the password ?

    Posted Mon May 18, 2020 12:43 PM
    Hello Community,
    I was wondering how you manage to secure database credentials (user/password) when you're using TM1 and a RDBMS.
    When you need to feed a cube from a relational database, no big deal, you just have to type in the credentials in the datasource tab of the TI process and the password is hidden, only the user is exposed. So it's secure.
    But when you need to push back data from a TM1 cube to a database table, we've found two ways to do this:
    • First solution, use the ODBC TI functions but the bad thing about this is the fact that you have to provide the user password to the ODBCOpen function....
    • Second solution, use a tier program (SQLLoader in my case as I'm dealing with Oracle) and here again we'll have to have the password visible at a point of time but at this time, it's no more a TM1 topic
    The first solution, even if the performance is quite poor, would have been compliant with basic security standard if you didn't need to do an ODBCOpen and be able instead to use the ODBC credentials declared in the datasource to perform the ODBCOutput SQL commands.

    How are you dealing with this kind of topic ?
    Regards,
    Bob
    #PlanningAnalyticswithWatson


  • 2.  RE: TI Process against Database, how to secure the password ?

    Posted Tue May 19, 2020 08:14 AM
    Hi Robert,

    I've never seen a good way to do this.  Very interested to hear if anyone has a legitimate solution.  I've tried using the PASSWORD field in the }ClientProperties cube and abusing the DatasourcePassword variable in the past.  In both cases the encrypted string value was passed.

    I think we are overdue for a feature in TM1 Server that would allow encrypted passwords to be stored as part of the TI process for use in ODBCOutput.   Or support for encryption and decryption of string cell values at runtime of a TI based on some privileged.


    ------------------------------
    Stuart King
    IBM Planning Analytics Offering Manager
    ------------------------------



  • 3.  RE: TI Process against Database, how to secure the password ?

    Posted Wed May 20, 2020 07:36 AM

    This would not be a nice clean replacement, but I wonder whether using the Windows Credential Manager would be possible. To be clear, there is no direct interface from TM1, but Marius Wirtz has samples in TM1PY which look good to me. If you are one of the < 1% who don't run your TM1 server on Windows, the Python keyring library supports the equivalent features in other environments (and of course you don't need to run your TM1PY script _on_ your TM1 server).

    https://github.com/cubewise-code/tm1py-samples/blob/master/Samples/credentials_best_practice.py



    ------------------------------
    David Usherwood
    ------------------------------



  • 4.  RE: TI Process against Database, how to secure the password ?

    Posted Fri May 22, 2020 09:34 AM
    We use a tool called 'Intouch' to run our TI processes and chores.
    Passwords are stored in Intouch and admins run TM1 jobs using the Intouch web interface.

    Internally Intouch calls tm1runti

    ------------------------------
    Saiabhilash Reddibhatini
    ------------------------------



  • 5.  RE: TI Process against Database, how to secure the password ?

    Posted Fri May 22, 2020 09:57 AM
    Hi Saiabhilash, I believe this is probably the best solution!  This would work well if you were running the TI process on a schedule or from a 3rd party tool.  I think there is still a gap if the process is run when a button is clicked by a user in TM1Web, Workspace, or PAfE.  I'm assuming the password is being passed as a TI process parameter.

    I believe you could do the exact same thing with Cognos Command Center (which is provided with Planning Analytics).

    ------------------------------
    Stuart King
    IBM Planning Analytics Offering Manager
    ------------------------------



  • 6.  RE: TI Process against Database, how to secure the password ?

    Posted Fri May 22, 2020 10:32 AM
    Hi Stuart,

    To run TI processes through a button, we use the Architect interface to hide passwords. Currently there is no central place to host/hide/encrypt passwords like DataStage. When there is a database password change, we have to modify all TI processes to reflect the new password. For strict data governance apps we are facing this pain.

    For some apps we put our passwords in a control cube and use CELLGET into odbc-TI process. This eases pain of changing passwords across all TI's.


    ------------------------------
    Saiabhilash Reddibhatini
    ------------------------------
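
An added example, not part of any post in this thread: a small Python audit that reads TI process code and reports where each ODBCOpen call gets its password from (a literal in the code, a cube cell read with CellGetS as described in post 6, or a value supplied at run time). The sample TI code, the cube name and the variable names are constructed; a variable that is never assigned in the code is assumed to be a process parameter.

```python
import re

# ODBCOpen(Source, ClientName, Password); TI string literals use single quotes.
CALL = re.compile(r"\bODBCOpen\s*\((.*?)\)\s*;", re.I | re.S)
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?);", re.M)

def split_args(text):
    """Split a TI argument list on top-level commas, honouring '...' and ()."""
    args, cur, depth, quoted = [], "", 0, False
    for ch in text:
        if ch == "'":
            quoted = not quoted
        elif not quoted and ch in "()":
            depth += 1 if ch == "(" else -1
        if ch == "," and depth == 0 and not quoted:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return args + [cur.strip()]

def classify(expr, assigned, depth=0):
    """Return where a password expression comes from."""
    if expr.startswith("'"):
        return "literal"        # password readable in the process code
    if re.match(r"CellGet[SN]\s*\(", expr, re.I):
        return "cube-cell"      # password readable in a control cube
    nxt = assigned.get(expr.lower())  # TI names are case-insensitive
    if nxt is not None and depth < 5:
        return classify(nxt, assigned, depth + 1)
    return "runtime"            # assumption: unassigned name = parameter

def scan(code):
    """List (source, password origin) for every ODBCOpen call in TI code."""
    code = "\n".join(l for l in code.splitlines()
                     if not l.lstrip().startswith("#"))  # drop TI comments
    assigned = {m.group(1).lower(): m.group(2).strip()
                for m in ASSIGN.finditer(code)}
    return [(a[0].strip("'"), classify(a[2], assigned))
            for a in (split_args(m.group(1)) for m in CALL.finditer(code))
            if len(a) == 3]

# Constructed TI prolog lines; 'Sys Credentials' is a hypothetical control cube.
SAMPLE = """
# ODBCOpen('OLD', 'x', 'commented-out');
ODBCOpen('DWH', 'tm1_writer', 'Constructed-Pw-1');
sPwd = CellGetS('Sys Credentials', 'CRM', 'Password');
ODBCOpen('CRM', 'tm1_writer', sPwd);
ODBCOpen('HR', pUser, pPassword);
"""
```

Calling `scan(SAMPLE)` flags the first two calls as exposing the password at rest; a "runtime" result only says the value is not stored in the process code, not that whatever supplies it is secure.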



  • 7.  RE: TI Process against Database, how to secure the password ?

    Posted Fri May 22, 2020 10:48 AM
    Edited by System Fri January 20, 2023 04:38 PM
    Hi Saiabhilash,
    We had the same password update issue when we're deploying TI across environments and we solved it with a PowerShell script I wrote which relies on the TM1 REST API to change the password, in batch mode, for all the processes of a TM1 server.
    I really want to get rid of the CellGet user/password for security reason.
    We don't use Intouch but another quite similar tool called Automic. Same thing here, I'm not a big fan of TM1RunTi so our Automic workflows, which are dealing with many other processes beside TM1 needs, are launching TM1 TI & Chores through TM1 Rest API calls.

    By the way, I'm glad to see I'm not the only one who worries about having a secure system.
    I've got one track to try to follow: the API published by our corporate Password manager https://teampasswordmanager.com/ and see if I can embed all this together.
    Regards,



    ------------------------------
    Bob
    ------------------------------



  • 8.  RE: TI Process against Database, how to secure the password ?

    Posted Tue June 09, 2020 06:23 AM
    I have now built a PoC for using TM1PY for managing ODBCOutput credentials. As I suspected there are a lot of moving parts, but I believe it works.

    https://www.tm1forum.com/viewtopic.php?f=21&t=15347

    ------------------------------
    David Usherwood
    ------------------------------



  • 9.  RE: TI Process against Database, how to secure the password ?

    Posted Thu May 21, 2020 04:28 PM
    Hi

    These days I work with MS SQL Server so I don't have this problem. I just used Windows Authentication. However, Oracle is not so well integrated with Windows. I suggest that you look at a utility called TM1Crypt.exe which you will find in the bin64 folder. This allows the password to be stored in a keyed file pair.

    Regards

    Paul Simon


    ------------------------------
    Paul Simon
    ------------------------------



  • 10.  RE: TI Process against Database, how to secure the password ?

    Posted Thu September 16, 2021 08:56 AM
    Hello,

    We had the same requirement, and since it is not supported, TM1 is prohibited from pushing data to any database at one of my clients. We had to export to text files and then import to Oracle from text files using Hadoop (since it is big TM1 data).

    https://ibm-data-and-ai.ideas.ibm.com/ideas/PAOC-I-287  This is marked for future consideration. More votes might help to get it implemented. 

    Regards,
    Mucahit




    ------------------------------
    Mucahit Erdal
    ------------------------------