IBM Analytics

IBM Cognos Analytics SQL Server Content Store connections via Windows Authentication Version 11.1.4

Prepared by: IBM Cognos Analytics Advocates Team
Document Last Updated: December 2, 2019

IBM Cognos Analytics

Table of Contents

IBM COGNOS ANALYTICS
SQL SERVER CONTENT STORE CONNECTIONS VIA WINDOWS AUTHENTICATION
    VERSION 11.1.3
ABOUT THIS DOCUMENT
    PURPOSE
    DISCLAIMER
OVERVIEW OF SQL AUTHENTICATION TYPES
    MICROSOFT SQL SERVER DATABASE
        Security
        Service Startup Method
    MICROSOFT SQL SERVER DATABASE (WINDOWS AUTHENTICATION)
        Security
        Service Startup Method – Control Panel
        Service Startup Method – Cognos Configuration
        Service Startup Method – Cognos Configuration
        Service Startup Method – Close Cognos Configuration
DISCUSSION POINTS
    INITIAL STARTUP ATTEMPT
    CONFIGURATION TESTING

Page 2 of 10 IBM Cognos Analytics Nov 7, 2018 IBM Cognos Analytics

About this document

Purpose

IBM Cognos Analytics stores metadata in a database repository. There are a number of metadata repositories including: Content Store, Notification Store, Audit Store, and Mobile Store. When configuring Cognos Analytics, a database connection is specified to these repositories. The security for this connection when using SQL server can either be SQL Server Authentication, or Windows Authentication. When using Windows Authentication, it can be difficult to troubleshoot connections when testing and starting the application if the application administrator does not understand the user context of the connection attempt. This document attempts to explain what user context will be used in different scenarios. Administrators can use this knowledge to avoid confusion and streamline installation and upgrade processes.

Disclaimer

This document was compiled by the IBM Cognos Advocates team and is based on their field experiences. It is intended for sharing field knowledge only and does not necessarily represent the views or any formal promises of the IBM Product Management team. Information within this document is taken from a simple installation of Cognos Analytics version 11.1.4. With newer releases, functionality may be moved to or replicated in the new user interface. Use this document as a point-in-time indicator and check back for updates.


Overview of SQL Authentication Types

When we create a connection to a metadata repository, be it the Content Store, Audit Store, Mobile Store, or Notification Store, there are several database connection types to choose from. For SQL server there are two types:

• Microsoft SQL Server database
• Microsoft SQL Server database (Windows Authentication)

Microsoft SQL Server database

When using this method of connection, the properties of your Content Manager Component will include the necessity to enter a username and password to establish the connection.


Security

Making repository connections using a static User ID and password may be considered less secure.

• The database user ID and password must never change (unless also making the change in Cognos Configuration and restarting services).
• The database password will be known to the application administrator who enters the password into Cognos Configuration.
• Although the password is encrypted from Cognos Configuration when it is saved, it can always be decrypted by an application administrator with rights to launch Cognos Configuration and perform an “Export”.

Service Startup Method

Regardless of the method you use to start the Cognos Analytics service, connections to the SQL server will always be made with the User ID and Password that has been entered into and saved in Cognos Configuration.


Microsoft SQL Server database (Windows Authentication)

When using this type of connection, resource properties for the Database connection do not include any provision to provide a user ID or password. Connections to SQL server will be made via Windows Authentication.

The user ID that will be used to make this connection may vary depending on the context in which you attempt to test or start the configuration.

Security

Since there is no manual entry of the password into the application configuration, application administrators neither know nor can come to know the database password. If using a Service Account, a domain or machine administrator would need to configure the service to run as that account. This may include the administrator entering the password during the initial configuration of the service. The domain Service Account would need to have a non-expiring password. The application administrator would therefore never see nor be able to later decrypt the password.

Service Startup Method – Control Panel

In order to run the IBM Cognos Analytics service as a domain account, Windows administrators use the services control panel utility to set the properties of the service. In this example the IBM Cognos CA 11.1.1 service is running as an account from the Advocates domain:

Starting the IBM Cognos Analytics service from the services control panel utility will always result in the operating system process being run as the domain account specified in service properties. As a result, all database connections to the metadata repositories configured with “Microsoft SQL Server (Windows Authentication)” will be made as the account running the process.

In this example services have been started from the services control panel utility. The process is running in Windows under the service account:

and Content Store connections are made using the service account:

Service Startup Method – Cognos Configuration

When using Cognos Configuration, an admin user can use the “Play” button within the tool to start services and monitor the startup sequence. Connections to metadata repositories will be made in the context of the user who launched Cognos Configuration. In this instance the user does not have access to the SQL server instance:


Service Startup Method – Cognos Configuration

When using Cognos Configuration, an administrator can right click on the service itself and select start. In this instance the service is started as configured in the services control panel utility, and connections are made as the service account:


Service Startup Method – Close Cognos Configuration

Application administrators may occasionally launch Cognos Configuration in order to make changes. When changes are applied, the application administrator will be prompted to save the configuration. If the administrator attempts to close the application without first saving the configuration, they will be prompted to save the configuration. Similarly, when closing the application after making changes, or if the Cognos service is not started, the administrator will be prompted to start the service.

In this case, the service will start with the account configured within the properties of the service in Windows. Because the application is shut down, the user context can only be that which is configured in service properties.

Discussion Points

Initial Startup Attempt

An application administrator may be installing the application. Saving the configuration does not create the service within the Windows operating system. Attempting to start the configuration for the first time will register the service. In most cases this initial startup attempt will fail because the user attempting to start the configuration does not have access to the SQL server database and there is no other context for the connection attempt to be made.


It is expected that this initial attempt will fail, but it will register the service, allowing a domain administrator to then configure the service properties and enter the domain account that will run the service and therefore connect to the database.

This means the log file will by nature have entries for service startup failure. To avoid confusion, it is often best to archive the log files from the initial service configuration and startup attempt, as we know it will fail and this information can sometimes be confusing when attempting to troubleshoot any other issues that may arise during subsequent startup attempts.

Configuration Testing

We have seen that when attempting to start the entire configuration, connections to the SQL server database will be made as the user who launched Cognos Configuration. Similarly, when attempting to test a connection, there is no user context other than the user who launched Cognos Configuration and is performing the test.

This means we need to be very careful when troubleshooting issues where Windows Authentication is in use for SQL server connections. Be aware of the user context that is in use when attempting to start services or test connections. If necessary, launch the application as a user who has SQL server access in order to test connections from Cognos Configuration.
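
The user contexts discussed above can be checked from PowerShell before opening Cognos Configuration. The following is an added example, not part of the original IBM document: the service display-name filter, the server name and the database name are assumptions to replace with your own values, and it assumes Windows PowerShell 5.1 with the built-in System.Data.SqlClient provider.

```powershell
# Added example, not IBM code. Assumptions: the service display name matches
# 'IBM Cognos*'; $SqlServer and $Database are placeholders for your environment.
param(
    [string]$ServiceFilter = 'IBM Cognos*',
    [string]$SqlServer     = 'SQLHOST\INSTANCE',   # placeholder
    [string]$Database      = 'ContentStoreDb'      # placeholder
)

# 1. The account Windows uses when the service is started from the services
#    control panel, or by right-clicking the service in Cognos Configuration.
Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like $ServiceFilter } |
    Select-Object DisplayName, State, @{ n = 'LogOnAs'; e = { $_.StartName } } |
    Format-Table -AutoSize

# 2. The account used when this session tests a connection or presses "Play"
#    in Cognos Configuration: the user who launched the tool.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Current user context: $me"

# 3. Open a Windows Authentication connection as the current user and ask
#    SQL Server which login it actually sees for this session.
$connString = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI;Connect Timeout=10"
$conn = New-Object System.Data.SqlClient.SqlConnection $connString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT SUSER_SNAME()'
    Write-Host "SQL Server authenticated this session as: $($cmd.ExecuteScalar())"
}
catch {
    # Expected when the current user has no login on the instance, which is
    # the same condition that makes the first startup attempt fail.
    Write-Warning "Connection as $me failed: $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```

If the LogOnAs account and the current user differ, a test from Cognos Configuration and a start from the services control panel will reach SQL Server as different logins. Running the script in a session started as the service account shows what the service itself would see.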
