IntegratedSecurityMode
Here I would like to explain some aspects of managing security with IntegratedSecurityMode=5.
When you configure Cognos TM1 to use IntegratedSecurityMode=5, you can import clients and groups from Cognos BI security in Security -> Clients/Groups.
The only way to add a native TM1 security group is to use the TI process function AddGroup(GroupName);
You can add clients to native TM1 security groups, but if you try to add a client to a Cognos BI group, the change will be lost during the next synchronization.
The synchronization happens when the user logs in to TM1. So if you have just manually added a user (Client) and a Cognos BI group, you will see no check mark in Clients/Groups, but it will appear on the user's first login. You don't even need to add the users manually in TM1. Just add the users in Cognos BI, and it will import all the users into TM1 and set the mapping for each Cognos BI group (to keep things small, TM1 will sync only with the imported Cognos BI groups).
If a user belongs to some group in BI, they will be able to log in to TM1Web, but will see nothing there unless they are added to a TM1 group.
If you rename a group in Cognos BI, TM1 will not pick up that change; you will need to delete the old group, import the new one and re-assign the security.
How to add the first user on a freshly installed TM1 server configured with CAM security.
When you install a TM1 server, it has just the admin user, which is a native TM1 user, so you cannot use it with IntegratedSecurityMode=5.
You need to add your first power user from the Cognos BI directory and assign it to the native TM1 ADMIN security group.
To do this, follow these steps:
1. Set IntegratedSecurityMode=5, ServerCAMURI and ClientCAMURI in Tm1s.cfg and start the TM1 server.
2. Log in with a Cognos BI user.
3. Stop the TM1 server, change to IntegratedSecurityMode=1, and start the TM1 server.
4. Log in as admin (the default password is either blank or "apple").
5. Right-click your server and go to Security > Clients/Groups.
6. You will see the BI user you tried to log in with before. Add that user to the ADMIN group.
7. Set IntegratedSecurityMode=5 and restart the TM1 server.
8. Try logging in with the BI user again and check that it has admin rights.
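The procedure leaves the server in IntegratedSecurityMode=1, with the native admin login active, until step 7 is done. The following check of a Tm1s.cfg file is an added example, not code from the original post or from TM1; the function names, the sample files and the handling of "#" comments and case-insensitive keys are assumptions.

```javascript
// Added example: audits tm1s.cfg text against the bootstrap procedure above.
// Function names and the sample files are constructed for illustration.

// Parse "Key=Value" lines; skips blank lines, "#" comments and "[TM1S]".
// Assumption: keys are compared case-insensitively.
function parseTm1sCfg(text) {
  const settings = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith("[")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue;
    settings[line.slice(0, eq).trim().toLowerCase()] = line.slice(eq + 1).trim();
  }
  return settings;
}

// Report where the file stands in the procedure and what is still open.
function checkSecurityMode(text) {
  const cfg = parseTm1sCfg(text);
  const mode = cfg["integratedsecuritymode"] ?? null;
  const findings = [];
  if (mode === null) {
    findings.push("IntegratedSecurityMode is not set");
  } else if (mode === "5") {
    for (const key of ["ServerCAMURI", "ClientCAMURI"]) {
      if (!cfg[key.toLowerCase()]) findings.push(`${key} is missing (step 1)`);
    }
  } else if (mode === "1") {
    findings.push("native admin login is enabled (steps 3-6); restore mode 5 (step 7)");
  } else {
    findings.push(`mode ${mode} is not part of this procedure`);
  }
  return { mode, findings };
}

// Constructed sample files: step 1 done, step 3 left in place, URI forgotten.
const STEP1_CFG = `[TM1S]
ServerName=SData
IntegratedSecurityMode = 5
ServerCAMURI=http://cognos.example.com:9300/p2pd/servlet/dispatch
ClientCAMURI=http://cognos.example.com/ibmcognos/cgi-bin/cognos.cgi`;
const STEP3_CFG = STEP1_CFG.replace("IntegratedSecurityMode = 5", "IntegratedSecurityMode=1");
const NO_CLIENT_URI_CFG = STEP1_CFG.split("\n").slice(0, 4).join("\n");

for (const [name, cfg] of [["step 1", STEP1_CFG], ["step 3", STEP3_CFG], ["no ClientCAMURI", NO_CLIENT_URI_CFG]]) {
  console.log(name, JSON.stringify(checkSecurityMode(cfg)));
}
```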
Hi,
I am using IntegratedSecurityMode=5 but I am only getting the Active Directory login. Why can’t I access SData with admin/apple anymore? I am asking because I would like to add TM1 users.
I am using Cognos Express 10.2.2 and followed the documentation for Integration of Cognos BI and TM1. Unfortunately TM1 security is not working anymore…
Thanks!
Hi Markus
I think you confused TM1 native authentication and TM1 native security. IntegratedSecurityMode=5 means you should use CAM security only; that's why your TM1 admin account doesn't work (TM1 native authentication). IntegratedSecurityMode=5 allows you to use native TM1 groups to assign security for your Cognos BI users from the configured Active Directory. However, you will not be able to add new TM1 native groups through the GUI; you need to use the TI AddGroup() function for that.
If you need to use TM1 native users, consider IntegratedSecurityMode=1.
But are you sure you need TM1 native users if you already have an Active Directory, which I assume contains all of your users?
Vlad
Hi,
I find this blog very useful. Currently we are using TM1 IntegratedSecurityMode=1 for TM1 web clients with our own data model. Now we have to change the configuration setting to TM1 IntegratedSecurityMode=5, but I don't have IBM BI installed for this.
Now I have installed it and am trying to add a Namespace under BI security, but I don't have any clue what Host, Port and NamespaceID to give for Active Directory. I have configured the ServerCAMURI and ClientCAMURI in Tm1s.cfg. By the way, I am new to BI and TM1. Kindly get back. Thanks
You need to follow the Cognos BI (Analytics) documentation on how to configure IBM Cognos Components to Use LDAP.
Hi,
I have found the Active Directory info, and it looks like it is working now. But I have another question: how will the roles and groups which are defined in TM1 be used/applied for the user? I have logged in with a Windows username and password. How will the access permissions be applied for the user?
When I gave the TM1 user ID and password, it is not logging in.
Once you switched to IntegratedSecurityMode=5, you can use Cognos BI users only. Native TM1 users will not work.
Thanks for your quick reply. Then it's like I have to configure all the users, groups and roles in the BI security namespace? If so, how can I assign those users according to TM1 permissions???
First of all, read about the difference between IntegratedSecurityMode = 4 and IntegratedSecurityMode = 5. The latter supports both Cognos BI and TM1 groups.
You are right, you create groups in Cognos BI, then you can import them in TM1; again, it is well documented. You can also create groups in TM1 using the TI function AddGroup(). I would suggest importing at least one BI group, then looking at the }Groups TM1 system dimension for the names used for BI groups.
To wrap it up:
1) You create groups in Cognos BI.
2) You add users to those groups in Cognos BI.
3) You import those groups in TM1 (or use the AddGroup() function in TI).
4) You set security for those imported groups in TM1.
Thanks for your response, I clearly understood. As I said earlier, I am very new to BI and TM1; I don't know how to add groups for the AD Namespace in Cognos BI. I know I can't create any new users under this, I have just assign users to the new groups which I created…
How to add groups in ADS and assign users?
Do create groups in “Cognos” directory (Cognos Administration > Security > Cognos). But you add “Members” to those groups from LDAP namespace (or whatever you called it). See Cognos doc on how to Add or Remove Members of a Cognos Group or Role.
Thanks. I have added a new group in the Cognos namespace, and added the AD users into the new group. But I set anonymous access to false in the Cognos namespace, so I can't add groups when I log in as AD users in the TM1 server because Cognos is another namespace. In IBM configuration, I have a separate namespace of type ADS.
So I directly added the user from the AD namespace into TM1. Is it OK???
Now another problem is with the TM1 web client. I did the necessary config but when I log in I get the error: "The TM1Web service parameter was not specified or is not one of the configured locations '". Any suggestion?? In tm1web.html I have added tm1webServices with servername:port – localhost:9510
1. You cannot directly add the users in TM1. Anonymous access must be set to false. The user will appear in TM1 after the first login to TM1 (via any TM1 client). Read this post, which explains exactly this situation: setting up ADMIN permissions for a Cognos BI user.
2. You have to add the tm1web host / port in TM1Web.html located in \webcontent\tm1\web
var tm1webServices = ["http://your_TM1Webhost_fully_qualified_domain_name:9510"];
Thanks for your reply..
1. Yeah, that's true. The user appeared in TM1 }clients when the user first logged in. Then I manually assign the user to the groups in TM1.
Currently I don't have any user groups in BI. I didn't install BI using easy install, so I can't create users in BI, so I have created an AD authentication provider Namespace in BI; from there I have imported users to TM1, then assigned the TM1 groups to them… Is it right?
** I will go through the post **
2. I have given the FQDN in tm1web.html and variables_tm1.xml but it's showing "DPR-ERR-2079 Firewall Security Rejection. Your request was rejected by the security firewall."
While testing the tm1web client I need to give "http://FQDN:port/tm1web", right?
3. We have a "web application" which uses the TM1 data. So far I worked with integratedsecuritymode = 1 with "http://localhost:9510/tm1web/dwrx/jsonp/TM1Service/login", but hereafter it should work with integratedsecuritymode = 5. Do you have any idea how to configure the login page of the web application?
Small correction: }clients are stored with CAMID(namespace:u:15-digit alphanumeric) for every user
**** Now the TM1 web client is working with integratedsecuritymode = 5. Ignore the above question 2.
Question 3: Currently from my application I am making an ajax request and passing the "clientCAMURI" and "Authorization: CAMNamespace base64(user:password:namespace)" set in the HTTP header, but it shows a 401 error. How can I validate the CAM passport against the ServerCAMURI????
Are you trying to use the TM1 REST API? If yes, you need to set the 'Authorization' header to 'CAMNamespace ' + btoa( YOUR_USER_NAME + ':' + YOUR_USER_PASSWORD + ':' + YOUR_LDAP_NAMESPACE );
and of course set 'Content-type' to 'application/json; charset=utf-8'
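The header described in the reply above, together with a reading of the WWW-Authenticate value from the 401 responses on this page, as an added example that is not part of the original thread or of TM1. The helper names, credentials and host are constructed; Buffer gives the same result as btoa() for ASCII input, and the assumption that user and namespace contain no ":" is this example's own.

```javascript
// Added example: helper names and sample values are constructed, not TM1 code.
const toB64 = (s) => Buffer.from(s, "utf8").toString("base64");
const fromB64 = (s) => Buffer.from(s, "base64").toString("utf8");

// Headers for a TM1 REST API call in CAM mode, as the reply describes.
// namespaceId is the namespace ID, not its name (see the later comment
// in this thread where passing the name caused the 401).
function camNamespaceHeaders(user, password, namespaceId) {
  return {
    Authorization: "CAMNamespace " + toB64(`${user}:${password}:${namespaceId}`),
    "Content-Type": "application/json; charset=utf-8",
  };
}

// Base64 is reversible: whoever sees the header recovers the password.
// Assumption: user and namespace contain no ":"; the password may.
function decodeCamNamespace(headerValue) {
  const m = /^CAMNamespace\s+(\S+)$/.exec(headerValue);
  if (!m) return null;
  const parts = fromB64(m[1]).split(":");
  if (parts.length < 3) return null;
  return {
    user: parts[0],
    password: parts.slice(1, -1).join(":"),
    namespace: parts[parts.length - 1],
  };
}

// Split a WWW-Authenticate value into the schemes the server offers.
function parseChallenges(value) {
  return value.split(",").map((s) => s.trim()).filter(Boolean).map((item) => {
    const [scheme, ...rest] = item.split(/\s+/);
    return { scheme, param: rest.join(" ") || null };
  });
}

// Refuse to attach the credentials to a cleartext URL.
function requestOptions(url, user, password, namespaceId) {
  const protocol = new URL(url).protocol;
  if (protocol !== "https:") {
    throw new Error("CAMNamespace credentials must not be sent over " + protocol);
  }
  return { url, method: "GET", headers: camNamespaceHeaders(user, password, namespaceId) };
}

// WWW-Authenticate value copied from the 401 response quoted on this page.
const CHALLENGE = "CAMPassport http://localhost/ibmcognos/cgi-bin/cognos.cgi, CAMNamespace";
console.log(parseChallenges(CHALLENGE));
// Constructed host and credentials.
console.log(requestOptions("https://tm1.example.com:8010/api/v1/", "jdoe", "pa:ss", "ADS_NS_ID"));
```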
btoa means what??? I am passing like that only but server responds as
HTTP/1.1 401 Unauthorized
Content-Type: text/plain
Content-Length: 0
Connection: keep-alive
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://
Access-Control-Expose-Headers: Set-Cookie, WWW-Authenticate
Set-Cookie: TM1SessionId=fHAvAYqL0q-IIIV39JA6oA; Path=/api/; HttpOnly
WWW-Authenticate: CAMPassport http://localhost/ibmcognos/cgi-bin/cognos.cgi, CAMNamespace
ajax call as
$.ajax({
    type: "POST",
    url: "http://localhost/ibmcognos/cgi-bin/cognos.cgi",
    dataType: "json",
    beforeSend: function (xhr: any) {
        // base64credentials holds base64(user:password:namespace)
        xhr.setRequestHeader("Authorization", "CAMNamespace " + base64credentials);
        xhr.setRequestHeader("Content-Type", "application/json");
    },
    xhrFields: {
        withCredentials: true
    }
});
1. Google is your friend for “btoa javascript”
2. From what I see you are trying to login to Cognos BI, not to TM1 REST API. I don’t remember exactly the syntax to authenticate to Cognos BI, but it should be all documented. What are you trying to achieve after?
Sorry, instead of giving the TM1 REST API URL in url, I have given the Cognos gateway URI.
Currently I am using integratedsecuritymode = 5, right, so I thought of giving the Cognos URI to make it work.
How do I find the path for the TM1 instance which I am connecting to??
ex: localhost/tm1/api/test
I have changed the url with TM1 REST API, but again same problem
but server responds as
HTTP/1.1 401 Unauthorized
Content-Type: text/plain
Content-Length: 0
Connection: keep-alive
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://
Access-Control-Expose-Headers: Set-Cookie, WWW-Authenticate
Set-Cookie: xxxxxx Path=/api/; HttpOnly
WWW-Authenticate: CAMPassport http://localhost/ibmcognos/cgi-bin/cognos.cgi, CAMNamespace
First you can start with telling what you are trying to achieve
Currently our application is in integratedSecurityMode=1 using TM1 and we didn't use Cognos BI so far. Now we are planning to switch to integratedSecurityMode=5. I am new to TM1 and BI as well. Initially I tried to install BI, configure it and create a namespace; now the TM1 server and web client are working with integratedSecurityMode=5.
We do have our own web application in which we use the web URI and REST API. Now the web application should also work with integratedSecurityMode=5. For the web application, we have a login screen. So when I made an ajax call to the above, it is showing an error.
Hope you understand the scenario… Do post your suggestion for this error.
I have come across this blog for the above HTTP 401 error for TM1 server and Cognos BI
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/W181f1083f3dd_455f_b2f8_f63c4a9c8010/page/Using%20CAM%20authentication%20with%20TM1's,%20OData%20compliant,%20RESTful%20API
Two options:
1) Either web proxy or
2) invoke CAM login in
Do post your suggestion
Hi,
The problem is fixed. There was a problem in the FQDN REST URL which I passed and the NamespaceId. Initially I passed the Namespace Name, so it was not working. Now it looks like it is working, but I ended up with another problem :)
Hi,
Currently I am using the web URL API for opening the cube and worksheet in my application. Earlier I was using the web URL API with a session token when IntegratedSecuritymode=1, but now I have changed to IntegratedSecuritymode=5; how can I achieve the same?
Do I need to pass the CAM passport in each request? I don't have any clue.
Now my request is http://localhost/tm1web/UrlApi.jsp#Action=Open&Type=CubeViewer&Cube=cubename&View=viewname&AccessType=Public&SessionToken= -> not working
Do post your suggestion
With the CAM passport, is it possible to request the TM1 web URL API for opening the websheet and cubeviewer???
With IntegratedSecuritymode=5, you do not need to pass CAM. Users just open the url like:
http://tm1webhost:9510/tm1web/UrlApi.jsp#Action=Open&Type=CubeViewer&Cube=CubeName&View=ViewName&AdminHost=TM1AdminHost&TM1Server=TM1ServerName
If not authenticated, they will be redirected to the login page
OK, thank you. Oh, yeah, the native TM1 web login page is coming up; then when I click login, I get some 0x80070005 – Runtime Error in JavaScript: Access denied. I think the problem is with … But in the application it tries to load the IBM Cognos Logon page… it's not loading properly.
What could be the problem??
Maybe next I will integrate SSO, once the above problem is fixed.
**may be problem with
iframe
1. That error says nothing. First of all, try adding the TM1Web host to the trusted websites.
2. What do you mean by "in the application"?
Are you using SSL? I would also suggest to check for possible cross-domain communication issues with iframes
1. TM1 web host to trusted websites: in Internet Explorer, I have added it.
You mean the "UseSSL" parameter in tm1s.cfg? That is set to UseSSL=F. Do you mean this?
2. An application which will show data from TM1, so it makes a call to the TM1 REST API for some business purpose and loads the cube and reports from the TM1 web client, developed in C#
Hi, I am still stuck with the same problem. In my application the "0x80070005 – Runtime Error in JavaScript: Access denied" error is coming up, but it is loading the IBM Cognos BI Logon and the system hangs every time. I think you are right, the problem may be cross-domain communication issues with iframes; what is the fix???
The default SSL certificates that come with the TM1 server installation do not provide a "proper subject" (representing the hostname) and as such will not pass the host verification feature of browsers and other web libraries. In addition, the ApplixCA which signs those certificates is not trusted by anything but Windows (if the certificate was added to the box's keystore during install, which they are by default). You should install and configure custom SSL, which basically means to create proper certificates for the TM1 server instances and sign them with a trusted certificate authority.
For possible cross-domain communication issues, search on Google; this question should be addressed to web developers.
The error is shown in "contentWindow.document.body" in worksheetcontroller.js, a dynamically generated file.
That definitely requires to have a closer look, but unfortunately I don’t have time now. You can continue your investigation and post your findings, I will try to help as much as I can
In my application, I have a div tag as my container, in which I have an iframe as follows
$("#myTabContainer").append("");
Afterwards it's adding the $("#iframe").attr('src', url);
url =>
http://tm1webhost:9510/tm1web/UrlApi.jsp#Action=Open&Type=CubeViewer&Cube=CubeName&View=ViewName&AdminHost=TM1AdminHost&TM1Server=TM1ServerName.
Thanks for your reply and support.
IBM states the following for the TM1 web URL API:
Login request parameters
Use the session token approach by sending a set of parameters in the request for the type of authentication that you are using with Cognos TM1.
For TM1 standard authentication and integrated login, use the following parameter format:
a)
param0=TM1_Admin_host
param1=TM1_server_name
param2=username
param3=password
For example:
param0=localhost&param1=SData&param2=admin&param3=apple
If you are using IBM® Cognos Business Intelligence security for authentication, use the following format to include a value for the camPassport:
b)
param0=TM1_Admin_host
param1=TM1_Server_name
param2=camPassport
Which means, do I need to pass the b) set of parameters to get the session token, and only with the help of the session token can I access the cube and websheet from TM1?
Still with the same issue…
Hi,
I have a question. In my web application, when I make a login as *///ActiveSession/User/ request to the REST API with username:password:namespaceId, it returns a JSON response as Name="", IsActive=true etc… and logs in successfully. But it doesn't return the cam_passport. How can I get the CAM Passport???
As suggested by IBM above, I have passed the cam_passport, admin and servername for getting the SessionToken from tm1web as follows
http://localhost:9510/tm1web/UrlApi.jsp#Ation=Open&Type=WebSheet&Workbook==&TM1Server=xyz&Adminhost=local&SessionToken=bsgsg-4542-45fe-8f40-131bc08f948b
. But it responded with a SessionToken. Is it something like I have to pass the session token for every request to the web URL API?
Hi,
so set in tm1web_config.xml
Now the page is loading but data is not loaded in reports, only websheet templates are shown. Any idea??? But 0x800a138f – JavaScript run-time error: Unable to get split property of undefined or null pointer. and 0x80070005 – Runtime Error in JavaScript: Access denied still exist. Any idea???
–Ignore the above
Hi,
—- IBM TM1—- When performing CAM authentication, optional redirection url override example http://127.0.0.1:9510/tm1web
add key="ExternalUrl" value="http://localhost:9510/tm1web"
so set the "ExternalURL" in tm1web_config.xml
Now the page is loading but data is not loaded in reports, only websheet templates are shown. Any idea??? But 0x800a138f – JavaScript run-time error: Unable to get split property of undefined or null pointer. and 0x80070005 – Runtime Error in JavaScript: Access denied still exist. Any idea???
Hi, while working on JavaScript issues, the jquery.js lib file was corrupted. I don't have any clue why; I tried to install jQuery using bower but it's not working anymore. In Visual Studio it's saying jQuery is not installed and showing jquery/dist/jquery.min.js error 0x800a139e. Do you have any idea??
Search on google or ask on stackoverflow.com. I don’t use visual studio