Automate Renewal of User Credentials

[cdallum]

I'm looking for a way to automate the process of renewing user credentials in Cognos.  We know the manual process of renewing credentials via the user's My Preferences section.  However, we have a general company policy requiring users to change their network password (in Active Directory) on a regular basis.  Although we can continue to ask them to additionally renew their Cognos credentials, they often forget.  And of course this causes extra internal support time and angry users... >:(

Does anyone know of a way to automate this process, so an end user isn't required to perform the renewal in Cognos?  Is this something that might be fixed in a future release (a.k.a. 8.3)?  We're currently on 8.2.

Thanks!

[VisioX]

What is the basis of your user management for Cognos?

I asked myself the same question abut 2 weeks ago, after i had to take over the whole Cognos part (so i'm a newbie).
I found one server running SUN-Directory, which was used to authenticate users. After thinking about it for about 2 hours i switched over to AD.

[cdallum]

Our users are managed via an Active Directory server.

[VisioX]

Why renewing the user credentials in Cognos?
If the password is all that changes, there should be no need.
...or did I missed something?

[biejorrun]

If your password changes, your scheduled reports and jobs run into failures.

I find this an interesting discussion, I also don't know the answer to this one, but am sure interested in the answer...

[CognosPolzovatel]

I'm interested in this as well. We too are currently on Cognos 8.2. However, we are not using AD. Instead, we are doing our user management in Cognos (via LDAP). We too have a requirement to change our passwords regularly (after password expires). As far as I know, I have never heard of anyone having an issue after a password change (of scheduled reports failing, etc.) Is this only an issue with an AD namespace? We are actually currently considering switching our user management to AD. However, if this is an unresolvable issue: this may be the factor that causes for us to not perform the switch. We certainly wouldn't want to have users perform a manual renewal of credentials each time their password changes. Let us know if you discover a solution to this.

[cdallum]

I'm not sure if this is specific to Active Directory only, but the Cognos KB 1008887.11 explains the manual workaround I referenced in the original post.  I first noticed this issue when I had scheduled reports failing.

On another note, I also noticed this week that a user's reports that were run manually were stuck in an Executing status, even though she successfully received the report output in a reasonable amount of time.  She had recently updated her password, so I had her renew her credentials.  Any reports she ran manually after that updated the status to Succeeded as expected.

[biejorrun]

Edit: deleted my post. I didn't read carefully enough, and noone appreciates dumb or foolish comments. Sorry, my mistake...

[Rocks]

We are running 8.1MR2 and this is a major problem in our environment.  Everytime a user schedules a report, and then changes their AD password, all of their past scheduled objects will now fail, with the following error:

CNC-SEC-3403 The user account information is invalid, or it is missing in Content Manager. CAM-AAA-0194 Authentication to the namespace 'ADS' failed. The provided credentials are invalid. Logon failure: unknown user name or bad password.

You can manually work around this by going into My Preferences and renewing, but as one of the past post's said....its a real pain in the a$$, and users always forget.

After working with Cognos for almost a year now, to try and resolve this issue, it was determined that a jsp page had to be added to your front end, so that when users logged in, this JSP page would automatically renew their credentials in the background, and then redirect them to Cognos Connection.  In order to do this you need SDK installed.  I have not gotten it to work yet, but that is because of lack of time to test.  If you do, please let me know.

Here are the instructions from Cognos:

The page can be run from any application server (that has access to the c8 sdk).  Typically, it would be run from tomcat, but that is up to you.
For tomcat, copy the page to <c8 install>\webapps\samples
To run it, simply copy the jsp page to the app server.  Modify the following code at the top of the page:
        String C8 = "http://servername/C8MR2/cgi-bin/cognos.cgi";
        String endPoint = "http://servername:9305/p2pd/servlet/dispatch";
        String namespaceID = "ntlm"; // NOTE: this is the namespace id, not the namespace name.
Open a browser, and type in the url to the jsp page
For tomcat it would be:
http://servername:9300/samples/C8Logon.jsp  (note the jsp page name is case sensitive).
You will be prompted for a username and password.
Enter the username and password and click submit.   
The jsp page will logon to c8, renew the credentials and then redirect the browser to cognos connection.


Here is teh JSP page from Cognos:

<%@ page import="com.cognos.developer.schemas.bibus._3.*"%>
<%@ page import="org.apache.axis.client.Stub"%>
<%
   // connection to the ReportNet service
   //----------------------------------------------------
   //NOTE:  IMPORTANT:
   // Change the next 3 variables to suit your environment.
   //----------------------------------------------------
   String C8 = "http://wottcs-loehrdlp/C8MR2/cgi-bin/cognos.cgi";
   String endPoint = "http://wottcs-loehrdlp:9305/p2pd/servlet/dispatch";
   String namespaceID = "ntlm"; // NOTE: this is the namespace id, not the namespace name.
   

   String userID =  request.getParameter("userID");
   String password = request.getParameter("password");
   if ( userID != null)
   {

      // if this is the first time into the page, the username will be null, after the user submits the form,
      // userid and password will have values.
      
      // System.out.println("UserID: " + userID + " Password: " + password );
      
      // step 1 is to logon on to c8. 

      ContentManagerService_ServiceLocator cmServiceLocator = new ContentManagerService_ServiceLocator();
      ContentManagerService_Port cmService = cmServiceLocator.getcontentManagerService(new java.net.URL(endPoint));

      StringBuffer credentialXML = new StringBuffer();
      credentialXML.append("<credential>");
      credentialXML.append("<namespace>").append(namespaceID).append("</namespace>");
      credentialXML.append("<username>").append(userID).append("</username>");
      credentialXML.append("<password>").append(password).append("</password>");
      credentialXML.append("</credential>");
      String encodedCredentials = credentialXML.toString();

      cmService.logon(new XmlEncodedXML(encodedCredentials), new SearchPathSingleObject[]{});
      
      // get the cam_passport from the biBusHeader
      // the cam_passport is used later to assume this session when we redirect to cognos connection.
      
      BiBusHeader bibus = (BiBusHeader)((ContentManagerServiceStub)cmService).getHeaderObject("", "biBusHeader");
      String passport = bibus.getCAM().getCAMPassport().getId();


   
      // now renew the credentials:
      // credentials are renewed by changing the action in the bibusheader to "generateTC", and executing
      // a query of the content store.

      try
      {
         String search = "~/*";
         
            PropEnum[] props = {PropEnum.searchPath};
                                   
            // the bibus was retrieved from the cmService earlier.
           
            if(bibus != null)
            {
               CAM newCam = bibus.getCAM();
               if(newCam != null)
               {
                  newCam.setAction("generateTC");
                  
                  bibus.setCAM(newCam);
                  BiBusHeader bibus2 = (BiBusHeader)((Stub)cmService).getHeaderObject("","biBusHeader");
                  CAM c = bibus.getCAM();
               }

               ((Stub)cmService).setHeader("","biBusHeader", bibus);
            }

         BaseClass[] objects2 = cmService.query(new SearchPathMultipleObject(search), props,
               new Sort[] {}, new QueryOptions());
         System.out.println("Credentials generated for :" + objects2[0].getSearchPath().getValue());
        }
        catch(Exception e)
        {
            System.out.println("Login exception message: " + e.getMessage() );
        }
      
   
   

      // set the cam_passport cookie:  if this jsp page is on another server, use fully qualified machine
      // names in all urls above.  or set the domain property of the cookie.
      
      Cookie camPassport = new Cookie("cam_passport", passport);
      camPassport.setMaxAge(-1);
      camPassport.setPath("/");
      response.addCookie(camPassport);
   

      String reportURL =  C8 ;
         //m_tab = p or m or w or id for new page

      System.out.println("Re-direct sent.");
   
%>
<SCRIPT type="text/javascript" >
   this.location.href = "<%=response.encodeRedirectURL(reportURL)%>";
</SCRIPT>
<%
}
else
{
%>

<html>
<body>
<form action="\samples\C8Logon.jsp" method=post><table>
<tr><td>User Name</td><td><input type=text name=userID></input></td></tr>
<tr><td>Password</td><td><input type=password name=password></input></td></tr>
<tr><td></td><td><input type=submit value=submit></input></td></tr>
</table>
</form>
</body></html>

<%
}

%>

[DL20852]

Are you using "Single Sign On"...?

[Darek]

Actually, you don't have to have the SDK installed. All the libraries you need are already in webapps/p2pd/WEB-INF/lib.

[Rocks]

No, we are not using single sign-on.

[josepherwin]

We use Active Directory in our company and users must change their password every 90 days.

However, as i recall, i never have to do anything from Cognos Administrative perspective to update user password or any sort.

If you are using AD, then in your Cognos Configuration, under the Security > Authentication > AD, enter the following in the Advanced properties column

Name: singleSignonOption
Value: IdentityMapping

NOTE: It is Case Sensitive.

In this case, when user is trying to access Cognos application, Cognos will always try to login the user using their LAN credentials which is stored in AD

[sambit]

Can please anyone tell us what is the namespace error on the gateway while on the same timestamp in the logs we have AD account not available???
Currently we are in 10.1 basic version of Cognos.It's creating hell lot of problem with server outage automatically regularly in a 5 -7 days time