IntegratedSecurityMode
Here I would like to explain some aspects of managing security with IntegratedSecurityMode=5.
When you configure Cognos TM1 to use IntegratedSecurityMode=5, you can import clients and groups from Cognos BI security in Security -> Clients/Groups.
The only way to add a native TM1 security group is to use the TI process function AddGroup(GroupName);
You can add clients to native TM1 security groups, but if you try to add a client to a Cognos BI group, the change will be lost during the next synchronization.
The synchronization happens when the user logs in to TM1. So if you have just manually added a user (client) and a Cognos BI group, you see no check mark in Clients/Groups, but it will appear on the user’s first login. You don’t even need to add the users manually in TM1. Just add the users in Cognos BI and it will import all the users to TM1 and set the mapping for each Cognos BI group (to keep things small, TM1 will sync with the imported Cognos BI groups only).
If a user belongs to some group in BI, they will be able to log in to TM1Web, but will see nothing there if they are not added to a TM1 group.
If you rename a group in Cognos BI, TM1 will not pick up that change; you will need to delete the old group, import the new one and re-assign the security.
How to add the first user on a freshly installed TM1 server configured with CAM security.
When you install a TM1 server, it has only the admin user, which is a native TM1 user, so you cannot use it with IntegratedSecurityMode=5.
You need to add your first power user from the Cognos BI directory and assign it to the ADMIN native TM1 security group.
To do this, follow these steps:
1. Set IntegratedSecurityMode=5, ServerCAMURI and ClientCAMURI in Tm1s.cfg and start the TM1 server.
2. Log in with a Cognos BI user.
3. Stop the TM1 server, change to IntegratedSecurityMode=1 and start the TM1 server.
4. Log in as admin (the default password is either blank or “apple”).
5. Right-click your server and go to Security > Clients/Groups.
6. You will see the BI user you tried to log in with before. Add that user to the ADMIN group.
7. Set IntegratedSecurityMode=5 and restart the TM1 server.
8. Try logging in with the BI user again and check that it has admin rights.
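An added example, not from the original post: a small Python check to run after step 7, confirming that Tm1s.cfg is back on IntegratedSecurityMode=5 with both CAM URIs set, since steps 3 to 6 leave the server accepting the native admin login with its default password. The sample file contents, host names and function names are constructed for illustration, and the check assumes that "#" starts a comment line and that the parameters sit in the [TM1S] section.

```python
# Added example: sanity-check tm1s.cfg after the bootstrap procedure.
# Assumes '#' starts a comment line and parameters live in the [TM1S] section.

# Constructed sample file; server name and host names are placeholders.
FINAL_CFG = """\
[TM1S]
ServerName=planning
# IntegratedSecurityMode=1
IntegratedSecurityMode=5
ServerCAMURI=http://cognos.example.com:9300/p2pd/servlet/dispatch
ClientCAMURI=http://cognos.example.com/ibmcognos/cgi-bin/cognos.cgi
"""
# State during steps 3-6: native security, the admin login is accepted.
BOOTSTRAP_CFG = FINAL_CFG.replace("IntegratedSecurityMode=5", "IntegratedSecurityMode=1")
# Editing slip: the old line was un-commented instead of replaced.
LEFTOVER_CFG = FINAL_CFG.replace("# IntegratedSecurityMode=1", "IntegratedSecurityMode=1")


def parse_tm1s(cfg_text):
    """Collect key=value lines of [TM1S]; keys lower-cased, every value kept."""
    values, in_section = {}, False
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[tm1s]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values.setdefault(key.strip().lower(), []).append(value.strip())
    return values


def audit_cam_config(cfg_text):
    """Return a list of findings; an empty list means the file looks as intended."""
    values = parse_tm1s(cfg_text)
    findings = []
    modes = values.get("integratedsecuritymode", [])
    if len(modes) != 1:
        findings.append(
            f"IntegratedSecurityMode is set {len(modes)} times; expected exactly once")
    if any(mode != "5" for mode in modes):
        findings.append(
            "IntegratedSecurityMode other than 5 present: bootstrap mode not reverted")
    for key in ("ServerCAMURI", "ClientCAMURI"):
        vals = values.get(key.lower(), [])
        if not vals or not vals[-1]:
            findings.append(f"{key} is missing or empty")
    return findings


if __name__ == "__main__":
    samples = (("final", FINAL_CFG), ("bootstrap", BOOTSTRAP_CFG),
               ("leftover", LEFTOVER_CFG))
    for name, cfg in samples:
        print(name, audit_cam_config(cfg) or "OK")
```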
Hi,
I am calling a websheet from TM1. URL below:
http://localhost:9510/tm1web/UrlApi.jsp#Action=Open&Type=WebSheet&Workbook=Applications/websheet&TM1Server=servername&AdminHost=localhost
Response: The websheet opened in my application but it is empty. Data is not populated.
The errors below also popped up in the IE browser: JavaScript run-time error
1) An exception was thrown: at line 71, column 210 in http://localhost:9510/tm1web/scripts/tm1web/workbook/Workbook.js.
0x800a139e – JavaScript runtime error: dojo.date.locale.format: invalid pattern char: General
2) //localhost:9510/tm1web/dwr/engine.js (dynamically generated file)
0x800a138f – JavaScript run-time error: Unable to get split property of undefined or null pointer.
Any idea???
The above JavaScript error happens in Internet Explorer, not in Chrome. But before setting IntegratedSecurityMode to 5, it was working in IE as well. I don’t have any clue what went wrong.
I passed the URL API in the browser using Sessiontoken; it gives the error below.
main.js:157 Request cannot be completed: no widget has been opened.
Uncaught TypeError: Cannot read property ‘execute’ of undefined
I have read in one document as
For CAM authenticated TM1 Servers, pass the username and password on the command line such as:
http://TM1WebHostName:TM1WebPort/tm1web/TM1WebWebSheeterCAM.jsp?WebSheet=TM1WebSheetName&ServerName=TM1ServerName&HostName=TM1ServerHostName&UserName=TM1UserName&Password=TM1Password&AccessType=PUBLIC
where
TM1WebHostName is the name of the host on which TM1web is running
TM1WebPort is the port on which TM1Web is running
TM1WebSheetName is the TM1 websheet path such as Applications/Planning%20Sample/Bottom%20Up%20Input/Budget%20Input
TM1ServerName is the name of the TM1 Server
TM1ServerHostName is the name of the host on which the TM1 Server is running
I have tried this too, but got the error below:
An exception was raised from the application class ‘com.ibm.ws.jsp.webcontainerext.AbstractJSPExtensionProcessor.findWrapper: 456’.
java.io.FileNotFoundException: JSPG0036E: The resource /TM1WebWebSheeterCAM.jsp was not found.
at com.ibm.ws.jsp.webcontainerext.AbstractJSPExtensionProcessor.findWrapper (AbstractJSPExtensionProcessor.java:456)
at [internal classes]
—–Problem with websheet—-
Check if your IE version is supported in all the JS libraries you are using.
“The resource /TM1WebWebSheeterCAM.jsp was not found” this is what you need to fix. Try opening manually in browser the full url to TM1WebWebSheeterCAM.jsp
What Web Server are you using? Check the configured virtual directories match the location of “/TM1WebWebSheeterCAM.jsp”
I am using jQuery 3.2.1 and jstree, bootstrap which are dependent on jQuery 1.11.3, so there may be some jQuery conflicts…??? Now I have unchecked all the JavaScript runtime exceptions to avoid this pop-up 0x800a138f – JavaScript run-time error etc.
Is it ok??
Should I use urlapi.jsp or TM1WebWebSheeterCAM.jsp to open the websheet for IntegratedSecurityMode=5??? IBM Cognos BI is using IIS, and for the application I am using the built-in Kestrel web server.
The TM1WebWebSheeterCAM.jsp file is not available in tm1/….webapps/….; only urlapi is available…
Hi,
At last the web URL API opened the websheet using UrlApi.jsp. What you suggested was right. I used the URL below: http://tm1webhost:9510/tm1web/UrlApi.jsp#Action=Open&Type=CubeViewer&Cube=CubeName&View=ViewName&AdminHost=TM1AdminHost&TM1Server=TM1ServerName
After logging in to the web application using AD credentials, only the first request to a cube or websheet prompted with the IBM Cognos BI logon, but I don’t want any authentication after logging in to my web application.
Another question too: when I try to open the websheet using urlapi, behind the scenes it makes a request to the gateway URL cgi-bin and finally returns the requested websheet, but in Fiddler between request and response I have seen
Error 404: javax.servlet.ServletException: java.io.FileNotFoundException: SRVE0190E: file not found: /scripts/tm1web/api/url/main.js.map
Error 404: javax.servlet.ServletException: java.io.FileNotFoundException: SRVE0190E: file not found: /scripts/tm1web/api/url/WorkbookController.js.map
any idea????
I just checked in my environment and I don’t see /scripts/tm1web/api/url/main.js.map either, just “main.js”.
I would try to create a copy of main.js and rename it as main.js.map, then check for that error again.
Hi,
I am planning to implement SSO configuration for IntegratedSecurityMode=5.
I followed the steps below:
http://ip-192-169-200-21.ip.secureserver.net/index.php/knowledge-articles/61-ibm-cognos-tm1/585-how-to-setup-sso-against-active-directory-with-tm1-and-cam-security
But it is not working :( Could you suggest any blog or doc to configure SSO with Windows? If I configure SSO, even my C# application will be accessed without prompting for user credentials. Currently I am giving the AD username and password for my C# application login.
just follow IBM doc, all is very well documented there: http://www-01.ibm.com/support/docview.wss?uid=swg21958925
The link which you have shared is related to IntegratedSecurityMode=5, for TM1Web and the TM1 config file. I have already configured what you have suggested.
But I have asked for Single Sign-On config.
did you search/try IBM SSO doc for your Cognos BI version?
No. Maybe I will look tomorrow. I am back to the issue with the JavaScript runtime error.
Question:
At the moment I am logging in to the web C# application using the REST URL as
http://localhost:8000/api/v1/ActiveSession/User
type=post
"Authorization", "CAMNamespace "
So when I first open the report or cube it prompts with the IBM Cognos logon screen for authentication, but I don’t want this in my application.
Can I log in using http://localhost:9150/tm1web/dwrx/jsonp/TM1Service/login instead to avoid the IBM Cognos logon screen? If so, what parameters should I give for TM1 CAM security? Kindly post your suggestion.
One quick question: in the browser, when I give the web URL API for a cube it opens perfectly, but for a websheet it gives the error: “Open target workbook failed. Make sure that the file has not been renamed or deleted”.
But I am opening the websheet locally and TM1 is in a cloud environment.
URL used:
http://cloudhost/tm1web/UrlApi.jsp#Action=Open&Type=WebSheet&Workbook=Applications/xxxxxxxxl&TM1Server=abc&cam_passport=
I think there is a problem in the path of the workbook. How do I have to give it? But in TM1Web the same workbook opens perfectly.
Any idea??
ISSUE:
In the browser, when I give the web URL API for a cube it opens perfectly, but for a websheet it gives the error: “Open target workbook failed. Make sure that the file has not been renamed or deleted”.
Fix:
Switch your browser to the English locale. It worked well now.
I have a question: how can I invoke the IBM Cognos BI login screen in my C# application login?
The idea is that when the user logs in, the user has to get the CAM namespace to access both the web URL API and the REST API. Currently I am giving resturl + "/api/v1/ActiveSession/User" and xhr.setRequestHeader("Authorization", "CAMNamespace " + base64credentials); so when I open the reports, it prompts with the IBM Cognos logon the first time.
Any suggestion??
1. For opening websheets using UrlApi you need to encode url (for example, replace spaces with ‘%20’)
2. For Cognos BI login you need to use Cognos REST API. Check the doc for your Cognos version, for instance this article is for CA11: http://www-01.ibm.com/support/docview.wss?uid=swg21660206
Thanks for your response. Regarding response 2: I want to invoke the IBM Cognos BI login screen from one button control in my application, on the same page, as http://localhost/ibmcognos/cgi-bin/cognos.cgi. Then after authentication I have to redirect to my application home page. Any idea how to do this?
For the one which you specified in 2, I don’t have any idea how to use it.
I have done the following. I don’t know what the error is, but I am not logged on:
function login_CAM() : void {
    let user = $("#user").val();
    let password = $("#password").val();
    let CAMNamespace = $("#CAMNamespace").text();
    let cognosURL = "http://localhost/ibmcognos/cgi-bin/cognos.cgi";
    // build the xml credentials element
    var xmlData = "" + "CAMNamespaceNamespace:";
    xmlData += "" + CAMNamespace + "" + "";
    xmlData += "CAMUsername User ID: " + " " + user + " ";
    xmlData += " CAMPassword Password: " + "" + password + " ";
    xmlData += "";
    // authentication resource
    var rdsLogonUrl = cognosURL + '/rds/auth/logon';
    //var request = new Ajax.Request(rdsLogonUrl, { asynchronous: false, method: 'get', parameters: { xmlData: xmlData }, onSuccess: function (aTransport) { return aTransport.responseText; }, onFailure: function (aTransport) { var regex = /(RDS-ERR-)(\d*)/; var err = aTransport.responseText.match(regex); if (err != null) { alert(aTransport.responseText); } });
    $.ajax({
        type: "POST",
        url: rdsLogonUrl,
        dataType: "json",
        data: {
            xmlData: xmlData,
        },
        beforeSend: function (xhr: any) {
            //xhr.setRequestHeader("Authorization", "CAMNamespace " + base64credentials);
            xhr.setRequestHeader("Content-Type", "application/json");
        },
        xhrFields: {
            withCredentials: true
        },
        success: async function (aTransport: any) {
            // transmit the credentials to the server
            return aTransport.responseText;
            //window.location.href = "/Home/Mainpage";
        },
        error: function (aTransport: any) {
            // license error
            var regex = /(RDS-ERR-)(\d*)/;
            var err = aTransport.responseText.match(regex);
            if (err != null) {
                alert(aTransport.responseText);
            }
        }
    });
}
At present, I am trying to achieve this: invoking the IBM Cognos BI login screen first from my application, and after successfully logging in I would like to redirect to our application main page.
Is it possible??
By doing so, the cam_passport will be set in a cookie in the HTTP header. Then there is no need to log in again when opening the reports, right?
Any updates on getting the campassport from IBM Cognos BI Login page in my c# application ???
Do I need to install IBM cognos SDK???
Hi, I finally configured the SSO to fix the above problems.
Now the custom application doesn’t prompt for user credentials.
Thanks for all your response.
Just a quick clarification on N_CONNECT. I have changed the TM1 IntegratedSecurityMode to 5, so N_CONNECT is not working. It was used to connect from Excel VBA to TM1 Perspectives when TM1 IntegratedSecurityMode was 1.
I have used N_CONNECT_CAM for TM1 CAM security. But it’s not connecting to TM1 Perspectives.
If you have any suggestions, kindly write back.
Hi again. Sorry I’ve never worked with connecting to TM1 from VBA. Seems there are some issues when TM1 using IntegratedSecurityMode 4 or 5. Have you checked this article? http://www-01.ibm.com/support/docview.wss?uid=swg21959177
Thanks. I am also referring to this article only, but I don’t know how to implement it :(
A quick question: Active directory is always up and running but frequently disconnecting in IBM cognos. Do you have any idea why. So TM1 server explorer is not connecting.
check your timoputs in tm1s.cfg and in Cognos Configuration:
ClientPingCAMPassport
IdleConnectionTimeOutSeconds
“timeouts”
ClientPingCAMPassport should be more than the value in your Cognos BI configuration
I tried the above option, but again end up with same issue.
tm1 ClientPingCAMPassport=3900
IBM Config under Authentication, IdleConnectionTimeOutSeconds=3600(default value)
try setting your ClientPingCAMPassport to something big, like 36000
In Cognos BI configuration, what is the value of “Security > Authentication > Inactivity timeout in seconds”?
“Security > Authentication > Inactivity timeout 3600
I have stopped the IBM Cognos service using services.msc, then restarted it again; now it is not frequently disconnecting the Active Directory connection.
Have you ever used the function TM1SystemServerConnectWithCAMNamespace from tm1api.dll in an application? If so, give me some direction. Thanks in advance.
No, I haven’t, sorry
Hi
Is there a way to get the element name using the attributes name in }ElementsAttributesCube using MDX.
In order to get anything from }ElementsAttributes you need to specify which element and which attribute. What are you trying to do and where?
MDX is just to select some elements. Then you may use either the name or alias in subsets, or you can use the DimensionElementPrincipalName function in a TI process or DimNm( dim, DimIx( dim, elm ) ) in Perspectives or rules to get the element name.
Hi, thanks for the reply on MDX. I have fetched the element name and alias and pushed them into the array, and it worked.
1) I have another question related to the IBM Cognos CAM passport: where is the CAM passport actually stored in the browser? In cookies? I am using the camPassport for TM1 REST calls in my application, and if IBM Cognos is opened in another browser tab and logged off, my application is not working, because the camPassport has been deleted.
2) I have installed IBM Cognos in a virtual machine, and the Active Directory configuration is done, but it is showing the error below. But the same is working locally.
[ERROR] CAM-AAA-0055 User input required.
[ERROR] CAM-AAA-0036 Authentication failed because the credentials are invalid.
[ERROR] Login Failed: The user does not have the required login type on this computer.
But all the information is right.
The virtual machine is another machine and Active Directory resides on another directory.
1. Yes, the CAM passport is stored in cookies. The cookies are not shared between different websites/domains/ports (see Cross Origin Resource Sharing). So if you have different URLs like:
tm1.company.com
cognosbi.company.com
yourapp.company.com
you need to use a proxy and configure it to be like:
company.com/tm1
company.com/cognosbi
company.com/yourapp
You can read this article for more details:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/W181f1083f3dd_455f_b2f8_f63c4a9c8010/page/Using%20CAM%20authentication%20with%20TM1's,%20OData%20compliant,%20RESTful%20API
2. Where do you get that error?
As I remember you have already managed to login from your app to Cognos BI and get some BI content, right?
@Question 2: Yes, I have already done the setup on my local machine, but now I am trying to do it in a virtual machine for testing. There I see a problem with the AD connection.
@Question 1: For now I have installed TM1 and IBM Cognos on a single machine, so I am using the same host. I have already gone through the link which you have shared; do I need to set up nginx for the proxy? It’s not very clear to me.
Sorry, Question@1 was worded a bit wrongly: I opened my application, and in the same browser in another tab I opened Cognos BI or TM1 Web and logged off.
For the TM1 REST API request, I am setting Authorization CAMPassport campassportId in the HTTP header. So if I log out in another tab of the same browser, e.g. Cognos BI, will it break my application in any way?
Question@3: While logging out of my application, shall I clear the cookie so that the CAM passport will be removed and the next login will prompt with the BI login screen? Kindly confirm whether this is OK.
Hi,
I have a question reg. TM1 Restapi. I want to get the list of top-level parent elements from the dimension.
Is there any way..Thanks
I don’t know straight from my head, but you should be able to use somehow a MDX to get the element and you need this one:
{Filter({TM1SubsetAll([ YourDimName ])},[ YourDimName ].CurrentMember.Parent.Name="")}
Thanks. But will this give the first parent of the member??
it will give you what you asked for: top-level elements
if you want the consolidation elements only, then you need to use EXCEPT to exclude the leaf elements, something like:
{EXCEPT( {Filter({TM1SubsetAll([ YourDimName ])},[ YourDimName ].CurrentMember.Parent.Name="")}, {TM1FILTERBYLEVEL( {Filter({TM1SubsetAll([ YourDimName ])},[ YourDimName ].CurrentMember.Parent.Name="")}, 0)} )}
But I have not tested it
I am a newbie with MDX statements. Is it possible, if I pass only the dimension name, to get the top-level parent elements? Because for the first load, I will load the dimension elements which have no parents??
Hi, one quick question: is there a way to get the components for a particular element in the TM1 REST API? For example, Element A has children A1 and A2. When I pass the dimension name and element name A, it results in the A1 and A2 elements.
Is it possible??
Thanks in advance.
I used {DRILLDOWNLEVEL( {[DimName].[elementName]})}; it gives the immediate descendants, but how do I use this in a TM1 REST API call? Any idea?
Issue with the TM1 REST API. TM1 is installed on a remote server, and logging in to the TM1 REST API from a client machine via the application works, but further calls to the TM1 REST API are not working.
Using port 8000 for restapi
What Could be the problem?
Port 8000 blocked or conflict or cookies problem
or Access-Control-Allow-Origin-Header ??? any idea??
Thanks in advance.
One quick question??
Environment set up as:
Client Machine — Proxy Machine —- Server Machine (TM1 installed)
But in the above setup, the TM1 REST API call is not happening, while the TM1 Web URL API is working. Will the TM1 REST API call be rejected via the proxy??