Integrated security between IBM Cognos BI and TM1

This post is taken from an old blog that I don’t update anymore. Please note we are talking June 2011 and are still in a TM1 9.5 and BI 8 world. I noticed many people still consulting the article, therefore I retake it here. Here we go ….

The manual is not that clear about what exactly you should do in order to be able to use C8 or C10 security with TM1. One thing I know is that if you want to use BI or want to use Contributor, you have to. I see BI as a logical extension of TM1 so I never use the TM1 security anymore in its standalone form.

Now before we start make sure you have the following in working order:

  1. An installation of C8 or C10 BI that is working (working as in tested properly, installing it without errors does NOT qualify as working)
  2. The same for your TM1 server
  3. A TM1 server model running

With my limited social skills I will try to explain the problem as I understand it:

  • TM1 has its own security that works completely independent from BI
  • But in order to access the Cognos groups and users from within  TM1, TM1 needs to know where to find those and TM1 needs to gain access to them
  • Gaining access means that you have a user that has access to BI AND to TM1, and this is the pickle…
  • As you install a new model, the model doesn’t know that BI exists and vice versa

So the following is my method that works for me, maybe there are others, if so feel free to share.

1. Open the Tm1s.cfg file of your model and manipulate the following parameters:

– Change “IntegratedSecurityMode” to “5″.

– Add the following parameters where the URL’s are taken from Cognos Configuration:

ServerCAMURI=http://TM1WORLD:9300/p2pd/servlet/dispatch
ClientCAMURI=http://TM1WORLD:80/cognos10/cgi-bin/cognosisapi.dll

– My file then looks like this:

[TM1S]
IntegratedSecurityMode=5
SecurityPackageName=Kerberos
ServerName=”TM1World”
DataBaseDirectory=C:\TM1\TM1World
AdminHost=TM1WORLD
PortNumber=99999
Protocol=TCP
Language=ENG
UseSSL=F
GroupsCreationLimit=1000
EnableSandboxCache=T
LoggingDirectory=C:\TM1\TM1World\Logs
ServerCAMURI=http://TM1WORLD:9300/p2pd/servlet/dispatch
ClientCAMURI=http://TM1WORLD:80/cognos10/cgi-bin/cognosisapi.dll
CAMPortalVariableFile=portal\variables_TM1.xml
SkipSSLCAMHostCheck=TRUE
ClientPingCAMPassport=900
ViewConsolidationOptimization=T
MessageCompression=T
UseStargateForRules=F

This way we make TM1 think it is linked to BI. Save the file and close it.

2. Restart your server, open architect, double-click on your server. Your are now presented with the C8/C10 login screen.

IBM Cognos BI and TM1 Integrated Security

3. Crucial here is that you do not log in with the TM1 default (user:admin, pw: nothing or apple) but with your C8/10 admin user/pw.

4. No worries, because what just happened is that TM1 took note of you trying to log in. This allows us now to log in with the default user admin  and then change the settings of our C8/C10 user. So if you got an error, that means you are doing the right thing.

5. Before doing so we first have to change the “IntegratedSecurityMode”  to 1 making TM1 believe it is alone in the world. Change the parameter, save the file and restart the server.

6. Log in via architect. You will now be presented with the TM1 legacy security login screen, login with admin. Go to the “client/group properties” again.  As you will notice our failed login is visible and we can change the settings of it. Now make it a proper TM1 administrator.

IBM Cognos BI and TM1 Integrated Security

IBM Cognos BI and TM1 Integrated Security

IBM Cognos BI and TM1 Integrated Security

7. Next, open the Tm1s.cfg file again and change the “IntegratedSecurityMode”  back to 5, thus stating that we are going to use C8/C10 security.

8. Restart your server once again, and reopen TM1 Architect, double-click on the server. If everything goes to plan you should now see the C8/C10 splash screen appearing and you should be able to logon with your C8/C10 user.

IBM Cognos BI and TM1 Integrated Security

Cognos Service