Access Manager Documentation Updates
The following topics explain product enhancements, best practices, or troubleshooting tips that will be added to the appropriate Access Manager document in a future release.
Detect Corrupted Namespaces
In certain cases, such as an unexpected hardware failure, a namespace can become corrupted. If this occurs, unexpected behavior can result.
You can test your namespaces to determine whether they have become corrupted by using a command line tool. If your namespace has become corrupted, you should contact customer support to correct the problem.
Steps
- In a command prompt window on the computer where Cognos Series 7 is installed, go to the installation_location\bin directory.
- Type the following command:
AM_NamespaceCorruptionDetect -t <type> -f <LAE filename>
-h <host> -p <port> -s -C <cert7.db> -r <baseDN> -n <namespace>
-D <username> -w <password>
-t <type> indicates the type. Set the type as LAE for a namespace in an LAE file, or LDAP for a namespace in a directory server. The default is LDAP.
-f <LAE filename> indicates the path to the LAE file, if you specified LAE for -t. Include this option only if your namespace is in an LAE file.
-h <host> indicates the computer name of the directory server. The default host is localhost.
-p <port> indicates the port number of the directory server. The default is 389.
-s indicates that SSL is enabled. Do not include -s if SSL is not enabled.
-C indicates where the cert7.db file is located. This option is mandatory if SSL is enabled.
-r <baseDN> indicates the base DN of the directory server. The default is o=Cognos, c=CA.
-n indicates the name of the namespace to report against. If a namespace name is not specified, the namespace set as the default is used.
-D indicates the username to use to authenticate into the namespace. The default is OSSignons.
-w indicates the password for the user indicated by -D. If the password is blank, do not include this option.
A message is displayed indicating that the namespace has no corruption or that it is corrupted. If your namespace is corrupted, you should contact customer support.
Show Expired Passwords and Last Changed Dates for Passwords
You use the AM_NamespaceReport command line utility to create an XML report that lists all users or user classes in a namespace. New output options have been added to show expired passwords and when a user last changed their password.
Steps to Show Expired Passwords
- Using a command prompt, go to the installation_location/bin directory.
- Type the following command:
AM_NamespaceReport -D "Admin User Name" -w "Admin Password" -t users
-f expiredpassword -o Outputfile.xml
The new output is available by including -f expiredpassword.
For more information about using this command, see the Access Manager Administrator Guide.
Steps to Show When a User Last Changed Their Password
- Using a command prompt, go to the installation_location/bin directory.
- Type the following command:
AM_NamespaceReport -D "Admin User Name" -w "Admin Password" -t users
-o Outputfile.xml -b
The new output is available by including -b.
The pwLastChanged value appears in the same tag as the BasicSignon name value in the report.
For more information about using this command, see the Access Manager Administrator Guide.
Enhanced Namespace Auditing
The Audit Logging function included with the Access Manager Trusted Services Plug-in Software Development Kit has been enhanced to generate log entries for changes to access to data source connections and changes to data source signons.
Improved Flexibility for Web Single Signon
In previous releases, operating system signons in Web deployments were validated against the contents of a CGI environment variable named REMOTE_USER. You can now use other variables or cookies to obtain signon information.
You can also apply limited expression editing to the variable or cookie used.
The variable or cookie used and any processing that needs to be applied can be defined in Access Manager Administration, or using the Batch Maintenance Tool or OLE.
Steps
- Open Access Manager Administration.
- Right-click a directory server namespace, and click Properties.
You may be prompted to log in before you can view the properties for the namespace.
- In the namespace properties dialog box, click the Signons tab.
- Type the Web signon variable in the External identity mapping box.
You can use any of the following formats:
${environment("variable_name")}
where the full content of the environment variable is used to map into the namespace OS Signon database. No processing is performed on the content of the variable.
where the full content of the cookie is used to map into the namespace OS Signon database. No processing is performed on the content of the cookie.
In addition, you can use a replace operation to edit the value returned by the variable or cookie. For example:
${replace(${environment("variable_name")},"value1","value2")}
where the provided values are replaced in the content of the variable. In this example, "value1" is replaced with "value2", and the final string result after replacement is used to map into the namespace OS Signon database.
${replace(${cookie("cookie_name")},"value1","value2")}
where the provided values are replaced in the content of the cookie. In this example, "value1" is replaced with "value2", and the final string result after replacement is used to map into the namespace OS Signon database.
For example, if you entered
${replace(${environment("REMOTE_USER")}, "NetID1\\", "NetID1-")}
and the value of the environment variable REMOTE_USER is "NetID1\User1", the result passed to the namespace OS signon database would be "NetID1-User1".
Similarly, if you entered
${replace(${environment("REMOTE_USER")}, "NetID1\\", "")}
and the value of the environment variable REMOTE_USER is "NetID1\User2", the result used would be "User2".
Tip: The \ character is used to escape special characters, such as $, {, }, (, ), <, >, \, single quote, and double quote.
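The following Python code is an added example, not part of Access Manager or its documentation. It evaluates the environment, cookie, and replace formats described above so that you can check which string a mapping produces for a given input. The function names, the handling of spaces around commas, and the replace-every-occurrence behavior are assumptions.

```python
# Added illustration (not product code): evaluates the mapping formats shown above.
# Assumptions: spaces around commas are ignored, replace() substitutes every
# occurrence, and an unset variable/cookie or an empty search string is an error.
class MappingError(ValueError):
    pass

def evaluate(expr, environ, cookies):
    """Return the string that would be looked up in the OS Signon database."""
    value, pos = _expr(expr, 0, environ, cookies)
    if pos != len(expr):
        raise MappingError(f"unexpected text at offset {pos}")
    return value

def _expect(s, pos, token):
    if not s.startswith(token, pos):
        raise MappingError(f"expected {token!r} at offset {pos}")
    return pos + len(token)

def _skip(s, pos):
    while pos < len(s) and s[pos] == " ":
        pos += 1
    return pos

def _string(s, pos):
    """Parse a double-quoted literal; a backslash escapes the next character."""
    pos = _expect(s, pos, '"')
    out = []
    while pos < len(s) and s[pos] != '"':
        if s[pos] == "\\" and pos + 1 < len(s):
            pos += 1
        out.append(s[pos])
        pos += 1
    return "".join(out), _expect(s, pos, '"')

def _expr(s, pos, environ, cookies):
    pos = _expect(s, pos, "${")
    for name, source in (("environment", environ), ("cookie", cookies)):
        if s.startswith(name + "(", pos):
            key, pos = _string(s, pos + len(name) + 1)
            if key not in source:
                raise MappingError(f"{name} {key!r} is not set")
            return source[key], _expect(s, pos, ")}")
    value, pos = _expr(s, _expect(s, pos, "replace("), environ, cookies)
    old, pos = _string(s, _skip(s, _expect(s, _skip(s, pos), ",")))
    new, pos = _string(s, _skip(s, _expect(s, _skip(s, pos), ",")))
    if not old:
        raise MappingError("replace() needs a non-empty search string")
    return value.replace(old, new), _expect(s, pos, ")}")
```

Evaluating a candidate expression against sample values before typing it in the External identity mapping box shows exactly which string will be matched against the OS Signon database.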
Steps for Batch Maintenance Tool
- Use the ExtIdentityMapping namespace attribute keyword in your script. For example:
SetNamespaceProperty, <NamespaceName>, ExtIdentityMapping, "${environment("REMOTE_USER")}"
Steps for OLE
- Use the ExtIdentityMapping property for the Document object in your script. For example:
Document1.ExtIdentityMapping = "${environment('REMOTE_USER')}"
Configure External User Support for Secondary Directory Server
You can configure your Cognos namespace to link to a list of users that are defined in a secondary directory server. The primary directory server that contains the Cognos namespace must be one of the directory servers listed on the Cognos support Web site (http://support.cognos.com). The secondary directory server can be any LDAP v3-compliant directory server.
Steps
- Select one of the following options based on your environment:
- If your primary directory server is Sun Java System Directory Server, IBM Tivoli Directory Server, or a Microsoft Active Directory that was never configured for use with Cognos products, continue with the following steps.
- If your primary directory server is a Microsoft Active Directory previously configured for Cognos products, run the update utility and then continue with the following steps.
For more information, see the steps in the next section.
- Start Configuration Manager and open the current configuration.
You can use any instance of Configuration Manager in the Cognos Series 7 Version 3 MR1 environment.
- Go to Services.Access Manager - Directory Server.General.External user support and change the required properties to enable and configure external user support with a secondary directory server.
For more information, see the Configuration Manager User Guide.
Steps to Update a Previously Configured Microsoft Active Directory
Cognos Series 7 Version 3 MR1 includes a command-line tool that you must use if both of the following criteria apply to your installation:
- You want to enable external user support from a secondary directory server.
- You are using an Active Directory that was previously configured for use with Cognos products.
If you are configuring Cognos Series 7 Version 3 MR1 to use a Microsoft Active Directory that was not previously configured for use with Cognos products, you do not have to run this tool.
You must run the command-line tool before enabling and configuring external user support in Configuration Manager. This tool is only available on Windows.
Steps to Run the Command-line Tool
- From a command prompt window on the computer where Cognos Series 7 Version 3 MR1 is installed, go to the installation_location\bin directory.
- Run the command-line tool. The command format is:
amADUpdate [-h <host>] [-p <port>] -D <username> [-w <password>] -r <baseDN>
You can use the following case-sensitive parameters with the amADUpdate command.
-h host Optional. Specifies the computer where the Active Directory is installed. If a host is not specified, localhost is used by default.
-p port Optional. Specifies the port used by the Active Directory. If a port number is not specified, 389 is used by default.
-r baseDN Mandatory. Specifies the base distinguished name.
-D username Mandatory. Specifies the user name to use to authenticate when accessing the Active Directory.
-w password Optional. Specifies the password for the authenticated user. If no password is specified, you will be prompted for the password when you run the tool.
- Complete the remaining steps to configure external user support for a secondary directory server as explained in the previous section.