IBM WebSphere Application Server SSO sets REMOTE_USER incorrectly on Cognos BI 10.2.1

by

I am running IBM Cognos Business Intelligence Server 10.2.1 (no other extra software products) on WebSphere Application Server 7, both softwares on an AIX server. I am trying to configure LTPA SSO through basic HTTP authentication from WebSphere to Cognos. For authentication, I am using my company’s LDAP server on both Cognos and WebSphere.

After doing the changes to .../war/gateway/web.xml and .../war/gateway/application.xml.template, building new application EARs and deploying them with the option of defining my login , login works otherwise just fine… except that when I enter my username and password, it seems like the wrong information is passed on to Cognos because I get the plain ordinary login dialog with my employee name on the username field (we use our intranet mail addresses as usernames).

I have tried reading IBM’s documentation on that matter. What I sort of got was that the LTPA token passed on to Cognos contains the user credentials, but I couldn’t find anything conclusive on how to define the user credentials passed from WAS to Cognos or how to configure Cognos to read the appropriate credentials from the LTPA token.

Update: After doing a lot of reading on the topic and scouring like one third of the internet, I finally managed to narrow down the issue to the REMOTE_USER environment variable set on Cognos by WebSphere, which is somehow getting filled in with my employee name instead of my actual username. Next step on the list is therefore to figure out where or how can I tell WebSphere to fill in the right info on REMOTE_USER.

My web.xml and application.xml.template modifications are as follows.

web.xml

    <!-- WAS SSO configuration begin -->
    <security-constraint>
             <web-resource-collection>
                     <web-resource-name>10.2.1FP3_Gateway_WASlogin</web-resource-name>
                     <url-pattern>/servlet/Gateway/*</url-pattern>
                     <http-method>GET</http-method>
                     <http-method>POST</http-method>
             </web-resource-collection>
             <auth-constraint>
                     <role-name>was_sso</role-name>
             </auth-constraint>
    </security-constraint>
    <login-config>
             <auth-method>BASIC</auth-method>
             <realm-name>10.2.1FP3_Gateway_WASlogin</realm-name>
    </login-config>
    <security-role>
             <role-name>was_sso</role-name>
    </security-role>
    <!-- WAS SSO configuration end -->

application.xml.template

     <security-role id="SecurityRole_Cognos_BI_User">
             <description/>
             <role-name>was_sso</role-name>
     </security-role>

Answer

Attribution
Source : Link , Question Author : RAKK , Answer Author : Community

Leave a Comment