
 

Multiple Namespaces from Series 7 Access Manager in Cognos 8.4.1 Planning?

Started by jeffowentn, 05 Apr 2012 10:04:25 AM


jeffowentn

We are using Cognos 8.4.1 for BI and Planning (primarily planning), and we have security set up against Series 7 Access Manager.  In an attempt to possibly improve performance for some of our users, I am attempting to create a second namespace in Series 7 Access Manager that only has a handful of user classes.  I can see the new namespace in Cognos Connection, under Security in the Administration section of the portal.  However, there is no hyperlink on it.  I've defined the namespace in Access Manager and also in Cognos Configuration.  I've restarted all services/servers in the instance, but I still cannot access anything in this namespace.

I don't believe this is the issue, but further points to something above, but when I try to login to the 2nd namespace, it says that I'm already authenticated in all available namespaces. 

Obviously, I'm missing something here.  Is it that I've not added anything directly in the Sun One Directory Server?  I would have thought adding the namespace in AM would have handled that.  ???

Any help would be greatly appreciated.

Jeff

RobsWalker68

Hi Jeff,

A total stab in the dark on this but are the host and port settings different so you don't get any conflicts between the existing namespace?

Rgds

Rob

jeffowentn

Seems like a great stab!

Yes, they are the same.  Where do I change that?  AM?  I can change it in Cognos Configuration, but I suspect it needs to be changed in AM, somewhere.  I looked in Runtime Configuration and in the namespace properties.  I guess I need to create a new Directory Server and move the new namespace to the new Directory Server - is that correct?

Jeff

RobsWalker68

Jeff,

I'm afraid I haven't touched Sun One for many a year but creating a new directory server does sound familiar and perhaps the obvious solution.

Cheers

Rob


jeffowentn

Rob,

Thanks for your feedback.  When you suggest a different host/port, are you referring to something similar to server:389 or the ticketing service of server:9010?  I went into Sun One and added a Directory Server with port 402, but when I try to create the new Directory Server in Access Manager, it does not find the new one on port 402.  ???

Jeff

smiley

After creating a new Sun One instance, you need to initialise it for Cognos use via Configuration Manager.

RobsWalker68

Hi Jeff,

First, treat all this with a bit of skepticism as I haven't done a Sun One/Access Manager install for many years so this is a vague recollection  ;D

Yes, I was referring to the directory server which has a default port of 389, and therefore set up a different server with at least a different port number.  I guess if you're using the supplementary software that was once bundled with Cognos installs this will extend the schema for Access Manager use or give you the appropriate parameters.

As Smiley mentioned this still needs to be configured for use by Access Manager.  What I'm not sure about is whether one ticket server installation can handle multiple directory servers?  Something you may need to look into.

Cheers

Rob 



   

SomeClown

If the second instance of Sun/Accman is on the same server, then the ports for both LDAP (389) and ticket server (9010) need to be different.  Basically, the host:port designation of each security provider (all portions) needs to be unique.

Access Manager hosts the ticket service, so the ticket service is exclusive to the Accman instance.
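Added example (not part of any post in this thread): a small check of the uniqueness rule stated above, run over constructed provider definitions. The namespace names and the dictionary layout are assumptions for illustration; the hosts and ports are the ones discussed in this thread, and IPv6 literals are not handled.

```python
from collections import defaultdict

# Default ports named in the thread: LDAP directory server 389, ticket server 9010.
DEFAULT_PORTS = {"directory": 389, "ticket": 9010}


def normalize(endpoint, role):
    """Return (host, port): host lower-cased, a missing port replaced by the default."""
    text = endpoint.strip()
    host, sep, port = text.rpartition(":")
    if not sep:  # no port given, e.g. "server1.domain.com"
        host, port = text, DEFAULT_PORTS[role]
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in {endpoint!r}")
    return host.lower().rstrip("."), port


def find_conflicts(providers):
    """Map every (host, port) claimed more than once to the list of claimants."""
    claims = defaultdict(list)
    for name, roles in providers.items():
        for role, endpoint in roles.items():
            claims[normalize(endpoint, role)].append(f"{name}/{role}")
    return {ep: users for ep, users in claims.items() if len(users) > 1}


# Constructed sample: one host, distinct ports for every directory and ticket service.
PROPOSED = {
    "namespace1": {"directory": "server1.domain.com:389",
                   "ticket": "server1.domain.com:9010"},
    "namespace2": {"directory": "server1.domain.com:402",
                   "ticket": "server1.domain.com:9020"},
}
# Constructed sample: second namespace defined with the same host and ports.
# The omitted port and the upper-case host still resolve to the same endpoint.
SAME_SETTINGS = {
    "namespace1": {"directory": "server1.domain.com",
                   "ticket": "server1.domain.com:9010"},
    "namespace2": {"directory": "SERVER1.domain.com:389",
                   "ticket": "server1.domain.com:9010"},
}

if __name__ == "__main__":
    for label, cfg in (("proposed", PROPOSED), ("same settings", SAME_SETTINGS)):
        print(label, find_conflicts(cfg) or "no conflicts")
```

The check treats a directory server and a ticket service on the same host:port as a conflict too, since every portion of each provider has to be unique.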

jeffowentn

Great.  Let me try using a different port for the ticket service, too...thanks!  I'll let you know.

jeffowentn

Does the host need to be unique or just the port on the host?  In other words, can I have two directory servers that look like this:

server1.domain.com:389
server1.domain.com:402

And, then my ticket service would look something like this:

server1.domain.com:9010
server1.domain.com:9020

Therefore, the combinations are unique, but the host, itself is always the same.

Jeff

SomeClown

Host+port combination needs to be unique (network requirement for routing traffic appropriately). Your example should work for the network.
That said, I've personally not installed two Sun directory servers on the same machine.  The old installs do allow you to specify a custom install location so if Sun is well behaved, then it should work from that perspective.

The second issue would be if you can install a second Access Manager instance to the same server - I've no personal experience in doing that.

In looking back through your notes, it would seem I misread your original intent and where you started (wasn't paying attention to the first notes that closely).

You don't get a hyperlink on the second namespace because you are not authenticated into that namespace.  On initial login, you get popped into one C10 security provider.  To get into second and subsequent, you have to click on the Logon link in one of the top menu bars.

The problem is that there is no account with security or sysadmin rights from the new space to add user/userclasses to role.  The only way I know to add the admin account from the second namespace is to add Everyone back to a system role, sign on with the second account (the login button), add the second namespace user to the admin role, then remove the Everyone role.  There may be a different way, but I didn't have time to find one.  It was easier to make the change on a Sunday morning when no one was on.

jeffowentn

SomeClown,

I appreciate your feedback and you raise some new issues I have questions on.

1.  It sounds like I would need to have an additional install of Sun One in order to create a 2nd Directory Server, regardless of whether it is on the same server or not.  Do you know if that is correct?  If so, I have a 2nd EP App server, so I could leverage that for the additional install.

2.  Can Cognos 8.4.1 only leverage the "default" namespace in Access Manager, even if other namespaces exist, according to what is configured in Cognos Configuration?  Or, can multiple namespaces be leveraged even when only one of them is defined as the default namespace?

As for the hyperlink comments and below, I cannot log in to the second namespace, as of yet, and continue to get an error suggesting that I am already logged into all available namespaces.  It seems I need to have things set up properly first before I can worry about the hyperlink, etc., although I had hoped that might point someone in the right direction as to what the issue is.

Thank you, in advance, for your assistance.

Jeff

SomeClown

1 - Maybe - I haven't tried it myself to run a second one, but my guess is that you would need it if you want the click-and-go configuration wizard for Accman.
2 - I cannot remember (my recent Accman stuff has been with CF and S7.5 installs) - but if S7 namespace is a parm in the definition in Cognos Configuration, then I would think you can use different namespaces as different security providers.  (I seem to recall it is.)