Description:
How do you configure a Siteminder Namespace?

Solution:
When configuring a Siteminder Namespace several points need special attention. This document gives a brief rundown of steps on how to configure a Siteminder Namespace in Cognos Configuration.
For a more comprehensive explanation see the references in the Related Documents section.

It is assumed that:
- There is more than one Userdirectory defined in Siteminder's configuration, or the level of security required implies the use of a Siteminder namespace as opposed to the simpler approach of having just one Userdirectory as described in the Installation and Configuration Guide. Refer to the documents listed in the Related Documents section.
- There are no namespaces defined in Cognos ReportNet's configuration corresponding to the Userdirectories in the Siteminder configuration.

Ensure that SiteMinder is configured correctly to protect the CRN Alias. Use the SiteMinder test tool provided with the SiteMinder installation to verify that the resource is protected, authenticated and authorized. See the Siteminder documentation for details.

In case of multiple ReportNet Gateways being configured, ensure that all Webservers hosting Gateways have Siteminder Web Agent installs running which all refer to the same Web Agent Configuration Object in Siteminder's configuration so that they all share the same Agent Name.

The following pieces of information are needed for Siteminder Namespace configuration and need to be looked up in the Siteminder Policy Server Administration tool. The parentheses denote aliases which are used throughout the steps to refer to those pieces.
- The "Shared Secret" (WA-SS) used for the communication between WebAgents and the Policy Server, configured in the Agent Object within Siteminder's Policy Store, usually some case-sensitive string.
- The Name of the WebAgent (WA-Name) as defined in the AgentConf Object in Siteminder Policy Server Admin Console.
- The Ports which the Policy Server uses for Accounting, Authentication and Authorisation (defaults are 44441, 44442, 44443).
- The Names of the "User Directories" configured in Siteminder Policy Server Admin Console (UD1-Name, UD2-Name, ...) and their types (either LDAP, AD or NTLM).

For Cognos ReportNet versions before 1.1.MR1 (build < 1.1.316.16) only, verify in the Web Agent's Configuration Object's properties in SiteMinder Policy Server Admin console that:
- SetRemoteUser is activated.
- BadCssChars is deactivated.
- DisableSessionVars is deactivated.

Steps:
On every computer running a Content Manager open Cognos Configuration and repeat the following steps.

Repeat steps 1 - 5 for each User Directory configured in SiteMinder. This will define one Namespace for each Userdirectory configured in Siteminder configuration. Those will later be referred to from the Siteminder Namespace. So finally there has to be one Namespace corresponding to each Userdirectory in Siteminder.
- In the Explorer Window, under Security, right-click Authentication, and select New Resource -> Namespace.
- In the upcoming dialog specify a Name and select the correct type, which has to be one of NTLM or LDAP. If SiteMinder uses a Userdirectory of type Active Directory you have to select LDAP here and configure the LDAP Namespace against the Active Directory (see Related Documents). Click OK.
Best Practice: Use a name which allows you to differentiate the sources of the user information, for example "MyLDAP Users". This should NOT be the same as UD1-Name, UD2-Name as looked up in the prerequisites, to avoid confusion when troubleshooting.
- For the newly created Namespace specify a unique Namespace ID
Best Practice: Use something like SMUD1, SMUD2
- If the new Namespace is of type LDAP, set "Use external Identity" to TRUE and provide the default value, which is "${environment("REMOTE_USER")}" (without the outer quotes). You may want to use "reset to default" by right-clicking on this property if you are unsure whether you typed it correctly.
- Fill in all the other properties for this Namespace so that it connects to the directory exactly the same way Siteminder does. So for example use the same connection and bind user parameters.
Tip: If you use Series 8, use the "test" functionality by right-clicking on the Namespace to check for any configuration errors at this point.
- In the Explorer Window, under Security, right-click Authentication, and select New Resource -> Namespace.
- Specify a name for the Namespace, for example "Siteminder Namespace". As this is not used anywhere else, anything goes.
- For type select "Netegrity SiteMinder" and click OK.
- Specify all the properties for the newly created namespace in the properties pane:
  - Namespace ID: choose any you like
  - Agent Name: the Name from the Agent Configuration Object (see prerequisites (WA-Name))
  - Shared Secret: the secret from the Agent Object (see prerequisites (WA-SS))

Repeat steps 10 - 14 for any Policy Server configured in Siteminder's configuration which is part of either a load balancing or failover clustering defined in Siteminder.
- Right-click the new Siteminder Namespace in the Explorer Pane and select New Resource -> SiteMinder Policy Server.
- Enter a unique arbitrary name and click OK.
- Select the new Policy Server Resource and provide a value for the host property. This has to be the hostname of a box running a Siteminder Policy Server.

Repeat steps 13 & 14 for each User Directory configured in SiteMinder!
- Right-click the new Policy Server Resource and select New Resource -> User Directory. Specify the name exactly (case sensitive) as it is named in the SiteMinder Policy Server Administration Console and as looked up during the prerequisites (i.e. UD1-Name). Don't mix this up with the name chosen in Step 2; it's the one from the Siteminder Configuration which goes here. The type is fixed to SiteMinder user directory, so click OK.
- Select the new User Directory resource and fill in the Namespace ID reference to one of the separately defined corresponding Namespaces of step 3 (for example SMUD1). Click OK.

When everything is set, save the configuration and restart CRN so the Namespaces become available. Any errors regarding the namespaces will be logged to the crnserver.log (CRN 1.1) or cogserver.log (S8).
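
The cross-references set up in the steps above (one Namespace per User Directory, unique Namespace IDs, case-sensitive User Directory names, the external identity default for LDAP) can be checked on paper before anything is typed into Cognos Configuration. The following is an added example, not part of the original article or of any Cognos tool; the dictionary layout and the names CorpLDAP and CorpAD are hypothetical, and the LDAP-to-LDAP and NTLM-to-NTLM type pairing is assumed from the type rule in the steps.

```python
# Added example: pre-flight check of a planned SiteMinder namespace layout.
# The dict layout is hypothetical; it is not a Cognos Configuration file format.
EXTERNAL_IDENTITY = '${environment("REMOTE_USER")}'

def check_plan(plan):
    """Return a list of problems found in the planned configuration."""
    problems = []
    sm_dirs = plan["siteminder_user_directories"]   # UD name -> LDAP / AD / NTLM
    namespaces = plan["cognos_namespaces"]          # one per User Directory
    refs = plan["user_directory_refs"]              # UD name -> Namespace ID
    by_id = {ns["id"]: ns for ns in namespaces}

    ids = [ns["id"] for ns in namespaces]
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        problems.append(f"Namespace ID {dup!r} is not unique")
    for ns in namespaces:
        if ns["type"] not in ("LDAP", "NTLM"):
            problems.append(f"{ns['id']}: type must be LDAP or NTLM")
        if ns["type"] == "LDAP" and ns.get("external_identity") != EXTERNAL_IDENTITY:
            problems.append(f"{ns['id']}: external identity is not the default")
        if ns["name"] in sm_dirs:  # best practice: keep the two names distinct
            problems.append(f"{ns['id']}: name equals a SiteMinder directory name")

    for ud_name, ud_type in sm_dirs.items():
        expected = "NTLM" if ud_type == "NTLM" else "LDAP"  # AD is configured as LDAP
        if ud_name not in refs:                     # dict lookup is case sensitive
            problems.append(f"{ud_name}: no User Directory resource with this exact name")
            continue
        target = by_id.get(refs[ud_name])
        if target is None:
            problems.append(f"{ud_name}: references undefined Namespace ID {refs[ud_name]!r}")
        elif target["type"] != expected:
            problems.append(f"{ud_name}: {ud_type} directory mapped to {target['type']} namespace")
    return problems

# Constructed sample plan with two deliberate mistakes (SMUD2 value, "corpad" case).
SAMPLE_PLAN = {
    "siteminder_user_directories": {"CorpLDAP": "LDAP", "CorpAD": "AD"},
    "cognos_namespaces": [
        {"id": "SMUD1", "name": "MyLDAP Users", "type": "LDAP",
         "external_identity": EXTERNAL_IDENTITY},
        {"id": "SMUD2", "name": "MyAD Users", "type": "LDAP",
         "external_identity": "REMOTE_USER"},
    ],
    "user_directory_refs": {"CorpLDAP": "SMUD1", "corpad": "SMUD2"},
}

if __name__ == "__main__":
    for problem in check_plan(SAMPLE_PLAN):
        print(problem)
```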

Related Documents:
- Series 8/CRN Installation and Configuration Guide
- Siteminder Agent Guide
- KB 1014767 - Configure Siteminder SSO without Siteminder Namespace
- KB 1008368 - How do you configure Single Signon with Active Directory Server (ADS) running in mixed mode?
- KB 1012623 - How do you configure Cognos ReportNet for Active Directory as an LDAP provider?

Keywords: Siteminder "Shared Secret" Namespace "User Directory" SSO "Single Signon" integrate