IBM Cognos Analytics SQL Server Content Store Connections Via Windows Authentication Version 11.1.4
Prepared by: IBM Cognos Analytics Advocates Team
Document Last Updated: December 2, 2019

Table of Contents

IBM COGNOS ANALYTICS
SQL SERVER CONTENT STORE CONNECTIONS VIA WINDOWS AUTHENTICATION
  VERSION 11.1.3
ABOUT THIS DOCUMENT
  PURPOSE
  DISCLAIMER
OVERVIEW OF SQL AUTHENTICATION TYPES
  MICROSOFT SQL SERVER DATABASE
    Security
    Service Startup Method
  MICROSOFT SQL SERVER DATABASE (WINDOWS AUTHENTICATION)
    Security
    Service Startup Method – Control Panel
    Service Startup Method – Cognos Configuration
    Service Startup Method – Cognos Configuration
    Service Startup Method – Close Cognos Configuration
DISCUSSION POINTS
  INITIAL STARTUP ATTEMPT
  CONFIGURATION TESTING

Page 2 of 10 IBM Cognos Analytics Nov 7, 2018 IBM Cognos Analytics

About this document

Purpose

IBM Cognos Analytics stores metadata in a database repository. There are a number of metadata repositories, including the Content Store, Notification Store, Audit Store, and Mobile Store. When configuring Cognos Analytics, a database connection is specified to these repositories. When using SQL Server, the security for this connection can be either SQL Server Authentication or Windows Authentication. When using Windows Authentication, it can be difficult to troubleshoot connections when testing and starting the application if the application administrator does not understand the user context of the connection attempt.
This document attempts to explain what user context will be used in different scenarios. Administrators can use this knowledge to avoid confusion and streamline installation and upgrade processes.

Disclaimer

This document was compiled by the IBM Cognos Advocates team and is based on their field experiences. It is intended for sharing field knowledge only and does not necessarily represent the views or any formal promises of the IBM Product Management team. Information within this document is taken from a simple installation of Cognos Analytics version 11.1.4. With newer releases, functionality may be moved to or replicated in the new user interface; use this document as a point-in-time indicator and check back for updates.

Overview of SQL Authentication Types

When we create a connection to a metadata repository, be it the Content Store, Audit Store, Mobile Store, or Notification Store, there are several database connection types to choose from. For SQL Server there are two types:

- Microsoft SQL Server database
- Microsoft SQL Server database (Windows Authentication)

Microsoft SQL Server database

When using this method of connection, the properties of your Content Manager component require you to enter a username and password to establish the connection.

Security

Making repository connections using a static user ID and password may be considered less secure.

- The database user ID and password must never change (unless the change is also made in Cognos Configuration and services are restarted).
- The database password will be known to the application administrator who enters the password into Cognos Configuration.
- Although the password is encrypted by Cognos Configuration when it is saved, it can always be decrypted by an application administrator with rights to launch Cognos Configuration and perform an “Export”.

Service Startup Method

Regardless of the method you use to start the Cognos Analytics service, connections to the SQL Server will always be made with the user ID and password that have been entered into and saved in Cognos Configuration.

Microsoft SQL Server database (Windows Authentication)

When using this type of connection, the resource properties for the database connection do not include any provision to provide a user ID or password. Connections to SQL Server will be made via Windows Authentication. The user ID that will be used to make this connection may vary depending on the context in which you attempt to test or start the configuration.

Security

Since the password is never entered manually into the application configuration, application administrators neither know the database password nor become able to learn it. If using a Service Account, a domain or machine administrator would need to configure the service to run as that account. This may include the administrator entering the password during the initial configuration of the service. The domain Service Account would need to have a non-expiring password. The application administrator would therefore never see nor be able to later decrypt the password.

Service Startup Method – Control Panel

In order to run the IBM Cognos Analytics service as a domain account, Windows administrators use the services control panel utility to set the properties of the service.
In this example the IBM Cognos CA 11.1.1 service is running as an account from the Advocates domain:

Starting the IBM Cognos Analytics service from the services control panel utility will always result in the operating system process being run as the domain account specified in the service properties. As a result, all database connections to the metadata repositories configured with “Microsoft SQL Server (Windows Authentication)” will be made as the account running the process.

In this example, services have been started from the services control panel utility. The process is running in Windows under the service account:

and Content Store connections are made using the service account:

Service Startup Method – Cognos Configuration

When using Cognos Configuration, an admin user can use the “Play” button within the tool to start services and monitor the startup sequence. Connections to metadata repositories will be made in the context of the user who launched Cognos Configuration. In this instance the user does not have access to the SQL Server instance:

Service Startup Method – Cognos Configuration

When using Cognos Configuration, an administrator can right-click on the service itself and select start. In this instance the service is started as configured in the services control panel utility, and connections are made as the service account:

Service Startup Method – Close Cognos Configuration

Application administrators may occasionally launch Cognos Configuration in order to make changes. When changes are applied, the application administrator will be prompted to save the configuration. If the administrator attempts to close the application without first saving the configuration, they will be prompted to save the configuration.
Similarly, when closing the application after making changes, or if the Cognos service is not started, the administrator will be prompted to start the service. In this case, the service will start
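
The following PowerShell is an added example, not part of the IBM document. For the startup scenarios described above it reports the interactive user, the service's configured logon account and the owner of the running service process, then lists the logins SQL Server sees on the Content Store database. The service display-name pattern, SQL Server instance and database name are placeholders, and Windows PowerShell 5.1 is assumed.

```powershell
# Added example; service pattern, instance and database names are placeholders.
param(
    [string]$ServiceLike    = 'IBM Cognos%',       # WQL LIKE pattern (assumed)
    [string]$SqlInstance    = 'SQLHOST\INSTANCE',  # placeholder
    [string]$ContentStoreDb = 'ContentStore'       # placeholder
)

# Identity used when the "Play" button in Cognos Configuration starts services:
# per the document, the user who launched the tool (here, whoever runs this script).
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
"Interactive user         : $me"

# Identity used when the service is started from the services control panel
# (or by right-clicking the service in Cognos Configuration): its logon account.
foreach ($svc in Get-CimInstance Win32_Service -Filter "DisplayName LIKE '$ServiceLike'") {
    "Service                  : $($svc.DisplayName) [$($svc.State)]"
    "Configured logon account : $($svc.StartName)"
    if ($svc.ProcessId) {
        # Owner of the running service process (needs an elevated session).
        $proc  = Get-CimInstance Win32_Process -Filter "ProcessId = $($svc.ProcessId)"
        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
        "Running process owner    : $($owner.Domain)\$($owner.User)"
    }
}

# Logins SQL Server sees on the Content Store database. This connection is made
# with Windows Authentication as $me, so a login failure here shows that a
# start from this user's session would not reach the repository either.
$cs   = "Server=$SqlInstance;Database=master;Integrated Security=SSPI"
$conn = New-Object System.Data.SqlClient.SqlConnection $cs
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # Sessions of other logins are visible only with VIEW SERVER STATE.
    $cmd.CommandText = 'SELECT login_name, host_name, program_name ' +
        'FROM sys.dm_exec_sessions WHERE database_id = DB_ID(@db)'
    [void]$cmd.Parameters.AddWithValue('@db', $ContentStoreDb)
    $table = New-Object System.Data.DataTable
    $table.Load($cmd.ExecuteReader())
    $table.Rows | Format-Table login_name, host_name, program_name -AutoSize
}
catch { Write-Warning "SQL Server connection as ${me} failed: $($_.Exception.Message)" }
finally { $conn.Dispose() }
```

If the listed `login_name` differs from the configured logon account, the running services were started in another user's context.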