IBM COGNOS INTEGRATEDSECURITYMODE 5

IntegratedSecurityMode

Here I would like to explain some moments of managing security with IntegratedSecurityMode=5.

When you configure Cognos TM1 to use IntegratedSecurityMode = 5, in Security -> Clients/Groups you can import clients and groups from Cognos BI security.

The only way to add TM1 native security group is to use TI process function: AddGroup(GroupName);

You can add clients to native TM1 security groups, but if you try to add it to Cognos BI group, the changes will be lost during the next synchronization.

The synchronization happens when the user logins to TM1. So if you just manually added a user (Client) and Cognos BI group, you see no check mark in Clients/Groups. But it will appear on the first user’s login. You don’t even need to add the users manually in TM1. Just add the users in Cognos BI and it will import all the users to TM1 and sets the mapping for each Cognos BI group (to keep the things small TM1 will sync all with the imported Cognos BI groups only).

If a user belong to some group in BI, they will be able to login to TM1Web, but will see nothing there if they are not added to TM1 group.

If you rename a group in Cognos BI, TM1 will not pick up that change and you will need to delete the old & import a new group and re-assign the security.

How to add the first user on a freshly installed TM1 server configured with CAM security.

When you install TM1 server you have just admin user there which is a native TM1 user, so you cannot use it with IntegratedSecurityMode=5.
You need to add your first power user from Cognos BI directory and assign it to ADMIN native TM1 security group.
To do this follow the next steps:
1. Set IntegratedSecurityMode=5, ServerCAMURI and ClientCAMURI in Tm1s.cfg and start TM1 server
2. Login with Cognos BI user.
3. Stop TM1 server, change IntegratedSecurityMode=1, start TM1 server
4. Login as admin (the default password is either blank or “apple”)
5. Right-click your server and go to Security > Client/Groups
6. You will see the BI user you tried to login with before. Add that user to ADMIN group
7. Set IntegratedSecurityMode=5 and restart TM1 server
8. Try logging in with BI user again and check it has admin rights.

Recent Posts

Recent Comments

Meta

Written by:

111 Comments

  1. markus
    10/12/2015
    Reply

    Hi,
    I am using IntegratedSecurityMode=5 but I am only getting the Active Directory login. Why can’t I access SData with admin/apple anymore? I am asking because I would like to add TM1 users.
    I am using Cognos Express 10.2.2 and followed the documentation for Integration of Cognos BI and TM1. Unfortunately TM1 security is not working anmyore…
    Thanks!

  2. Vlad
    10/13/2015
    Reply

    Hi Markus
    I think you confused TM1 native authentication and TM1 native security. IntegratedSecurityMode=5 means you should use CAM security only, that’s why your TM1 admin account doesn’t work (TM1 native authentication). IntegratedSecurityMode=5 allows to use native TM1 groups to assign security for your Cognos BI users from configured Active Directory. However you will not be able to add new TM1 native groups through GUI, you need to use TI AddGroup() function for that.
    If you need to use TM1 native users, consider IntegratedSecurityMode=1
    But are you sure you need TM1 native users if you have already and Active Directory which I assume contains all of your users?

    Vlad

  3. kavitha
    4/10/2018
    Reply

    Hi,
    This blog i find it very useful. But currently we are using TM1 IntegratedSecurityMode=1 for TM1 web clients with our own datamodal. Now have to change the configuration setting as TM1 IntegratedSecurityMode=5, but I dont have IBM BI installed for this.

    Now I have intalled and trying to add Namespace Under BI security but dont know have any clue on what Host,port, NamesapceID need to give for Active Directory .. I have configured the ServerCAMURI and ClientCAMURI in Tm1s.cfg. By the way am new to BI and TM1. kindly get back. Thanks

    • Vlad
      4/10/2018
      Reply

      You need to follow Cognos BI (Analytics) doc on how to configure IBM Cognos Components to Use LDAP

  4. kavitha
    4/10/2018
    Reply

    Hi,
    I have found the Activedirectory info, and it looks working now. But have another question, how the roles and groups which is defined in TM1 will be used/applied for the user.. Because i have login with windows username and pwd. How the access permissions will be applied for the user.

  5. kavitha
    4/10/2018
    Reply

    When i gave tm1 user-id and password its not logging in

  6. Vlad
    4/10/2018
    Reply

    Once you switched to IntegratedSecurityMode=5, you can use Cognos BI users only. Native TM1 users will not work.

  7. kavitha
    4/10/2018
    Reply

    thanks for your quick reply. Then its like i have to configure all the users, groups and roles in BI security namespace? If so, how can i assign those users according to tm1 permissions???

  8. Vlad
    4/10/2018
    Reply

    First of all read the difference between IntegratedSecurityMode = 4 and IntegratedSecurityMode = 5. The last one supports both Cognos BI and TM1 groups.
    You are right, you create groups in Cognos BI then you can import them in TM1., again it is well documented. You can also create groups in TM1 using TI function AddGroup(). I would suggest to import at least one BI group, then see }Groups TM1 system dimension for names used for BI groups

  9. Vlad
    4/10/2018
    Reply

    to wrap it up:
    1). You create groups in Cognos BI
    2). You add users to those groups in Cognos BI
    3). You import those groups in TM1. (or use AddGroup() function in TI)
    4). You set security for those imported groups in TM1

  10. kavitha
    4/11/2018
    Reply

    Thanks for your response and i clearly understood.. As i said earlier i very new to BI and TM1, I dont know how to add groups for AD Namepace in Cognos BI.. I know i cant create any new users under this, i have just assign users to the new groups which i created…

  11. kavitha
    4/11/2018
    Reply

    How to add gruops in ADS and assign users

  12. Vlad
    4/11/2018
    Reply

    Do create groups in “Cognos” directory (Cognos Administration > Security > Cognos). But you add “Members” to those groups from LDAP namespace (or whatever you called it). See Cognos doc on how to Add or Remove Members of a Cognos Group or Role.

  13. kavitha
    4/11/2018
    Reply

    thanks. I have added a new group in Cognos namespace, and added the AD users into
    new group. But I set anonymous access as false in cognos namesapce. so i cant add groups when I login as AD users in TM1 server bcoz cognos is another namespace. In IBM configuration, i have a seperate namespace of type ADS.
    So I directly added from AD namespace user into TM1 .. is it ok???

    Now another problem is with TM1 web client.. I did the necessary config but when i log in error as : “The TM1Web service parameter was not specified or is not one of the configured locations ‘”.. any suggestion?? in tm1wen.html i have added tm1webServices with servername:port – localhost:9510

  14. Vlad
    4/11/2018
    Reply

    1. You cannot directly add the users in TM1.. Anonymous access must be set to false. The user will appear in TM1 after the first login to TM1 (via any TM1 client). Read this post explaining exactly this situation, setting up ADMIN permissions for Cognos BI user

    2. You have to add tm1web host / port in TM1Web.html located in < %BI_INSTALL_DIR%>\webcontent\tm1\web
    var tm1webServices = [“http://your_TM1Webhost_fully_qualified_domain_name:9510”];

  15. kavitha
    4/11/2018
    Reply

    Thanks for your reply..
    1. Ya thats ture. User has appeared in TM1 }clients, When user first logged in. Then I manually assign the user to the groups in TM1.

    Currently i dont have any user groups in BI. I didnt install BI using easy install , so cant create user in BI so I have created AD authentication provider Namespace in BI from there i have imported users to TM1, then assign the TM1 groups to them… Is it right.
    ** i will go through the post ***

    2. I have given the FQDN in tm1web.html and variables_tm1.xml but its showing “DPR-ERR-2079 Firewall Security Rejection. Your request was rejected by the security firewall.”

    while testing the tm1web client : needd to give the “”http://FQDN:port/tm1web”” rite

    3. we have an “web application” which uses the tm1 data. so for i worked with integratedsecuritymode = 1 with “http://localhost:9510/tm1web/dwrx/jsonp/TM1Service/login”, but hereafter it should work with integratedsecuritymode =5. Do u have any idea of how to configure the login page of web appliation.

  16. kavitha
    4/11/2018
    Reply

    small correction }clients are stored with CAMID(namespace:u:15digitalphanumeric) for every user

  17. kavitha
    4/12/2018
    Reply

    **** Now TM1 webclient is working with integratedsecuritymode =5. Ingore the above question 2.

  18. kavitha
    4/12/2018
    Reply

    Question 3: Currently from my application Iam making ajax request and passing the “clientCAMURI” and “Authorization: CAMNamespace base64(user:password:namespace)” set in Http header but its shows 401. errror . How can I validate the cam passport against the ServerCAMURI ????

  19. Vlad
    4/12/2018
    Reply

    Are you trying to use TM1 REST API? If yes, you need to set ‘Authorization’ header to ‘CAMNamespace ‘ + btoa( YOUR_USER_NAME + ‘:’ + ‘YOUR_USER_PASSWORD’ + ‘:’ + YOUR_LDAP_NAMESPACE );
    and of course set ‘Content-type’ to ‘application/json; charset=utf-8’

  20. kavitha
    4/12/2018
    Reply

    btoa means what??? I am passing like that only but server responds as
    HTTP/1.1 401 Unauthorized
    Content-Type: text/plain
    Content-Length: 0
    Connection: keep-alive
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Origin: http://
    Access-Control-Expose-Headers: Set-Cookie, WWW-Authenticate
    Set-Cookie: TM1SessionId=fHAvAYqL0q-IIIV39JA6oA; Path=/api/; HttpOnly
    WWW-Authenticate: CAMPassport http://localhost/ibmcognos/cgi-bin/cognos.cgi, CAMNamespace

  21. kavitha
    4/12/2018
    Reply

    ajax call as
    $.ajax({
    type: “POST”,
    url: “http://localhost/ibmcognos/cgi-bin/cognos.cgi”,
    dataType: “json”,
    beforeSend: function (xhr: any) {
    xhr.setRequestHeader(“Authorization”, “CAMNamespace ” + base64credentials);
    xhr.setRequestHeader(“Content-Type”, “application/json”);
    },
    xhrFields: {
    withCredentials: true
    },

  22. Vlad
    4/12/2018
    Reply

    1. Google is your friend for “btoa javascript”
    2. From what I see you are trying to login to Cognos BI, not to TM1 REST API. I don’t remember exactly the syntax to authenticate to Cognos BI, but it should be all documented. What are you trying to achieve after?

  23. kavitha
    4/12/2018
    Reply

    sry instead of giving tm1 resturl api in url, i have given cognos gateway uri .
    currently am using integratedsecuritymode = 5 right, so thought of giving cognos uri,
    to make it work.

    How to find the path for tm1 intance which am connecting??
    ex: localhost/tm1/api/test

  24. kavitha
    4/12/2018
    Reply

    I have changed the url with TM1 REST API, but again same problem

    but server responds as
    HTTP/1.1 401 Unauthorized
    Content-Type: text/plain
    Content-Length: 0
    Connection: keep-alive
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Origin: http://
    Access-Control-Expose-Headers: Set-Cookie, WWW-Authenticate
    Set-Cookie: xxxxxx Path=/api/; HttpOnly
    WWW-Authenticate: CAMPassport http://localhost/ibmcognos/cgi-bin/cognos.cgi, CAMNamespace

  25. Vlad
    4/12/2018
    Reply

    First you can start with telling what you are trying to achieve

  26. kavitha
    4/12/2018
    Reply

    Currently our application is in integratedSecurityMode=1 using TM1 and we didnt use Cognos BI so for. Now we are planning to switch integratedSecurityMode=5. I am new to TM1 and BI as well. Intially i tried to install Bi, configuration and creating namespace now TM1 server and web client is working integratedSecurityMode=5.

    We do have our own web application in which we use web uri and restapi. Now web application should also work with integratedSecurityMode=5. For the we application, we have login screen. so when i made an ajax call to above its showing error.

    Hope you understand the scenario… Do post your suggestion for this error.

  27. kavitha
    4/13/2018
    Reply

    Hi,
    The problem is fixed. There was a problem in FQDN resturl which I passed and NamespaceId. Initially I passed the Namespace Name, so it was not working. Now it looks working but end up with another problem:)

  28. kavitha
    4/16/2018
    Reply

    Hi,
    Currently am using web url api for opening the CUBE and worksheet in my application. Earlier I was using web url api with session token when IntegratedSecuritymode=1, but now i have changed IntegratedSecuritymode=5, how can i achieve the same.

    Do i need to pass CAM passport in each request. Dont have any clue.
    Now my request is http://localhost/tm1web/UrlApi.jsp#Action=Open&Type=CubeViewer&Cube=cubename&View=viewname&AccessType=Public&SessionToken=” –> not working

    Do post your suggestion

  29. kavitha
    4/16/2018
    Reply

    With the CAM passport, is it possible to request TM1 web url api for opening the websheet and cubeviewer???

  30. kavitha
    4/16/2018
    Reply

    ok..thank you. Oh, yeah.. native TM1 web login page is coming, then when I click login, some 0x80070005 – Runtime Error in JavaScript: Access denied. I think problem with … But in the application it tries to load IBM cognos Logon page… its not loading properly,

    What could be the problem??

    May be next I will integrate SSO. once this above problem is fixed.

  31. kavitha
    4/16/2018
    Reply

    **may be problem with

  32. kavitha
    4/16/2018
    Reply

    iframe

  33. Vlad
    4/16/2018
    Reply

    1. That error says nothing, First of all try adding TM1Web host to the trusted websites.
    2. What do you mean “in the application”?

  34. Vlad
    4/16/2018
    Reply

    Are you using SSL? I would also suggest to check for possible cross-domain communication issues with iframes

  35. kavitha
    4/16/2018
    Reply

    1. Tm1 web host to trusted websites- in Internet explorer, i have added.
    You mean “UseSSL” parameter in tm1s.cfg. That is set to UseSSL=F. Do you mean this?

  36. kavitha
    4/16/2018
    Reply

    2. Application where will show data from TM1, so make a call to TM1 Rest api for some business purpose and load the cube, reports from TM1 web client developed in c#

  37. kavitha
    4/17/2018
    Reply

    Hi, I still struck with the same problem. In my application “0x80070005 – Runtime Error in JavaScript: Access denied” error is coming but loading the IBM cognos BI Logon but system got hanged everytime. I think you are right problem may be cross-domain communication issues with iframes, what is the fix???

  38. Vlad
    4/17/2018
    Reply

    The default SSL certificates that come with TM1 server installation, do not provide a “proper subject” (representing the hostname) and such will not pass browser’s and other web libraries host verification feature. In addition the ApplixCA which signs those certificates is not trusted by anything but Windows (if the certificate was added to the box’s keystore during install, which they are by default). You should install and configure custom SSL, which basically means to create proper certificates for the TM1 server instances and sign them with a trusted certificate authority.
    For possible cross-domain communication issues search on google, this question should be address to web developers

  39. kavitha
    4/17/2018
    Reply

    error shown in “contentWindow.document.body” in worksheetcontroller.js dynamically generated file.

  40. Vlad
    4/17/2018
    Reply

    That definitely requires to have a closer look, but unfortunately I don’t have time now. You can continue your investigation and post your findings, I will try to help as much as I can

  41. kavitha
    4/17/2018
    Reply

    Thanks for your reply and support.

  42. kavitha
    4/18/2018
    Reply

    In IBM it stated that for tm1 web url api:

    Login request parameters
    Use the session token approach by sending a set of parameters in the request for the type of authentication that you are using with Cognos TM1.

    For TM1 standard authentication and integrated login, use the following parameter format:
    a)
    param0=TM1_Admin_host
    param1=TM1_server_name
    param2=username
    param3=password
    For example:

    param0=localhost&param1=SData&param2=admin&param3=apple

    If you are using IBM® Cognos Business Intelligence security for authentication, use the following format to include a value for the camPassport:
    b)
    param0=TM1_Admin_host
    param1=TM1_Server_name
    param2=camPassport

    Which means do i need to pass b) set of parameters to get the session token, only with the help of session token can I access the cube and websheet from tm1,

    Still with same issue…

  43. kavitha
    4/18/2018
    Reply

    Hi,
    I have a question. Im my web application when I make a login as *///ActiveSession/User/ request to REST API with username:password:namespaceId – but it returns JSON response as Name=””, IsActive=true etc… and logged in successfully. But it doesnt return the cam_passport. How can i get the CAM Passport???

    As suggested in IBM above i have passed the cam_passport, admin and servername for getting the SessionToken from tm1web as follows

    http://localhost:9510/tm1web/UrlApi.jsp#Ation=Open&Type=WebSheet&Workbook==&TM1Server=xyz&Adminhost=local&SessionToken=bsgsg-4542-45fe-8f40-131bc08f948b
    . But responded with SessionToken, Is it something like i have to pass sessiontoken for every request to web url api

  44. kavitha
    4/18/2018
    Reply

    Hi,

    so set in tm1web_config.xml

    Now page is loading but data not loaded in reports, only websheet templates is shown. Any idea??? but 0x800a138f – JavaScript run-time error: Unable to get split property of undefined or null pointer. and 0x80070005 – Runtime Error in JavaScript: Access denied are still exists. Any idea???

  45. kavitha
    4/18/2018
    Reply

    –Ignore the above
    Hi,
    —- IBM TM1—- When performing CAM authentication, optional redirection url override example http://127.0.0.1:9510/tm1web
    add key=”ExternalUrl” value=”http://localhost:9510/tm1web”
    so set the “ExternalURL” in tm1web_config.xml

    Now page is loading but data not loaded in reports, only websheet templates is shown. Any idea??? but 0x800a138f – JavaScript run-time error: Unable to get split property of undefined or null pointer. and 0x80070005 – Runtime Error in JavaScript: Access denied are still exists. Any idea???

  46. kavitha
    4/19/2018
    Reply

    Hi, while working on Javascript issues, jquery.js lib file was corrupted. I dont have any clue why, using bower when i try to install the Jquery but its not working anymore. In Visual studio its saying jQuery not installed. and showing jquery/dist/jquery.min.js error 0x800a139e. Do you have any idea??

  47. Vlad
    4/19/2018
    Reply

    Search on google or ask on stackoverflow.com. I don’t use visual studio

  48. kavitha
    4/20/2018
    Reply

    Hi,
    am calling websheet from tm1. url below:
    http://localhost:9510/tm1web/UrlApi.jsp#Action=Open&Type=WebSheet&Workbook=Applications/websheet&TM1Server=servername&AdminHost=localhost
    Response: Websheet opened in my application but it is empty. Data not populated.
    Below Error were also popped-up for ie browser: JavaScript run-time error
    1)An exception was thrown: at line 71, column 210 in http: //localhost: 9510 / tm1web / scripts / tm1web / workbook / Workbook.js.
    0x800a139e – JavaScript runtime error: dojo.date.locale.format: invalid pattern char: General
    2)//localhost: 9510 / tm1web / dwr / engine.js(dynamically generated file)
    0x800a138f – JavaScript run-time error: Unable to get split property of undefined or null pointer.

    Any idea???

  49. kavitha
    4/20/2018
    Reply

    Above Javascript Error happens in Internet Explorer not in Chrome. But before implementation of IntegratedSecuritymode to 5, it was working in ie as well. Dont have any clue what went wrong.

  50. kavitha
    4/20/2018
    Reply

    I passed the url api in browser using Sessiontoken, it gives the below error.
    main.js:157 Request cannot be completed: no widget has been opened.
    Uncaught TypeError: Cannot read property ‘execute’ of undefined

    I have read in one document as

    For CAM authenticated TM1 Servers, pass the username and password on the command line such as:
    http://TM1WebHostName:TM1WebPort/tm1web/TM1WebWebSheeterCAM.jsp?WebSheet=TM1WebSheetName&ServerName=TM1ServerName&HostName=TM1ServerHostName&UserName=TM1UserName&Password=TM1Password&AccessType=PUBLIC
    where
    TM1WebHostName is the name of the host on which TM1web is running
    TM1WebPort is the port on which TM1Web is running
    TM1WebSheetName is the TM1 websheet path such as Applications/Planning%20Sample/Bottom%20Up%20Input/Budget%20Input
    TM1ServerName is the name of the TM1 Server
    TM1ServerHostName is the name of the host on which the TM1 Server is running

    I have tried this too, but got below error

    An exception was raised from the application class ‘com.ibm.ws.jsp.webcontainerext.AbstractJSPExtensionProcessor.findWrapper: 456’.
    java.io.FileNotFoundException: JSPG0036E: The resource /TM1WebWebSheeterCAM.jsp was not found.
    at com.ibm.ws.jsp.webcontainerext.AbstractJSPExtensionProcessor.findWrapper (AbstractJSPExtensionProcessor.java:456)
    at [internal classes]

    —–Problem with websheet—-

  51. Vlad
    4/20/2018
    Reply

    Check if your IE version is supported in all the JS libraries you are using.

  52. Vlad
    4/20/2018
    Reply

    “The resource /TM1WebWebSheeterCAM.jsp was not found” this is what you need to fix. Try opening manually in browser the full url to TM1WebWebSheeterCAM.jsp
    What Web Server are you using? Check the configured virtual directories match the location of “/TM1WebWebSheeterCAM.jsp”

  53. kavitha
    4/22/2018
    Reply

    I am using jQuery 3.2.1 and jstree, bootstrap which dependent on Jquery 1.11.3.. so there may be any Jquery conflicts… ??? Now i have uncheckedd all the Javascript runtime exceptions to avoid this pop-up 0x800a138f – JavaScript run-time error and etc..

    Is it ok??

    Should I use urlapi.jsp or TM1WebWebSheeterCAM.jsp to open the websheet for IntegratedSecurityMode=5??? IBM cognos BI using IIS and for application i am using built-in kestrel web server.

    TM1WebWebSheeterCAM.jsp file not available in in tm1/….webapps/…. only urlapi is available…

  54. kavitha
    4/23/2018
    Reply

    Hi,
    At last web url api opened the websheet using Urlapi.jsp, What you suggested was rite. I used the below url http://tm1webhost:9510/tm1web/UrlApi.jsp#Action=Open&Type=CubeViewer&Cube=CubeName&View=ViewName&AdminHost=TM1AdminHost&TM1Server=TM1ServerName

    After logged in into the web application using AD credenticals, only for the first request to cube or websheet prompted with IBM Cognos BI logon, but i dont want any authentication after logging in to my web application.

  55. kavitha
    4/23/2018
    Reply

    Another question too, When i try to open the websheet using urlapi behind the screen it make a request to the Gatewayurl cgi-bin and finally returned with the requested websheet, but in fiddler between request and response i have seen

    Error 404: javax.servlet.ServletException: java.io.FileNotFoundException: SRVE0190E: file not found: /scripts/tm1web/api/url/main.js.map

    Error 404: javax.servlet.ServletException: java.io.FileNotFoundException: SRVE0190E: file not found: /scripts/tm1web/api/url/WorkbookController.js.map

    any idea????

  56. Vlad
    4/23/2018
    Reply

    I just checked in my environment and I don’t see /scripts/tm1web/api/url/main.js.map either. just “main.js”
    I would try to create a copy of main.js and rename it as main.js.map, then it and check for that error again.

  57. kavitha
    4/24/2018
    Reply

    Hi,
    I am planning to implement SSO configuration for integratedSecuritymode=5.
    I follwed these below steps:
    http://ip-192-169-200-21.ip.secureserver.net/index.php/knowledge-articles/61-ibm-cognos-tm1/585-how-to-setup-sso-against-active-directory-with-tm1-and-cam-security

    But it not working:( Could you suggest any blog or doc to configure the SSO with Windows. If i configure the SSO, even my c# application will be accessed without prompting for user credentials. Currently am giving AD username and password for my c# application login.

  58. kavitha
    4/24/2018
    Reply

    The link which you have shared related to integratedSecurityMode=5, for Tm1web and tm1 config file. I have already configured this what u have suggested

    But I have asked for Single Sign on config.

  59. Vlad
    4/25/2018
    Reply

    did you search/try IBM SSO doc for your Cognos BI version?

  60. kavitha
    4/25/2018
    Reply

    No. May be i will look tomorrow. I am back to the issue with Javascript runtime error.
    Question:
    At the moment I am login to the web c# application using resturl as

    http://localhost:8000/api/v1/ActiveSession/User
    type=post
    “Authorization”, “CAMNamespace ”

    So when I first open the report or cube it prompted for ibm cognos Logon, screen for authentication but i dont want this in my application.

    Can i login using http://localhost:9150/tm1web/dwrx/jsonp/TM1Service/login instead to aviod ibm cognos logon screen. If so what would be the parameters should i give for tm1 cam security. Kindly post ur suggestion

  61. kavitha
    4/26/2018
    Reply

    One quick question: In browser when I give the web url api for cube its opening perfectly, but for websheet its saying error: “”Open target workbook failed. Make sure that the file has not been renamed or deleted””.

    But am opening the websheet in my local and tm1 is in cloud environment.

    Url used:
    http://cloudhost/tm1web/UrlApi.jsp#Action=Open&Type=WebSheet&Workbook=Applications/xxxxxxxxl&TM1Server=abc&cam_passport=

    I think there is a problem in path of workbook. How i have to give. But in tm1web same workbook opening perfectly.

    Any idea??

  62. kavitha
    4/27/2018
    Reply

    ISSUE:

    In browser when I give the web url api for cube its opening perfectly, but for websheet its saying error: “”Open target workbook failed. Make sure that the file has not been renamed or deleted””.

    Fix:

    Switch your browser to English Local. It worked well now

  63. kavitha
    4/27/2018
    Reply

    I have a question, how can i invoke the IBM Cognos BI Login screen in my c# application login.

    The idea behind when the user logs in user has to get the cam namespace to access both the web urlapi and restapi. Currently am giving resturl+”/api/v1/ActiveSession/User and xhr.setRequestHeader(“Authorization”, “CAMNamespace ” + base64credentials); so when I open the reports, it prompted with ibm Cognos Logon for the first time.

    Any suggestion??

  64. Vlad
    4/27/2018
    Reply

    1. For opening websheets using UrlApi you need to encode url (for example, replace spaces with ‘%20’)
    2. For Cognos BI login you need to use Cognos REST API. Check the doc for your Cognos version, for instance this article is for CA11: http://www-01.ibm.com/support/docview.wss?uid=swg21660206

  65. kavitha
    5/2/2018
    Reply

    Thanks for your response. Heading to response 2: I want to invoke the IBM Cognos BI login screen in one button control from my application same page as http://localhost/ibmcognos/cgi-bin/cognos.cgi. Then after authentication I have to redirect to my application home page. Any idea how to do..

    The one which you specified in 2, doesnt have any idea how to use

  66. kavitha
    5/2/2018
    Reply

    I have done the following : Dont know whats the error: but not logged on

    function login_CAM() : void {

    let user = $(“#user”).val();
    let password = $(“#password”).val();
    let CAMNamespace = $(“#CAMNamespace”).text();

    let cognosURL = “http://localhost/ibmcognos/cgi-bin/cognos.cgi”;

    //build the xml credentials element
    var xmlData = “” + “CAMNamespaceNamespace:”;
    xmlData += “” + CAMNamespace + “” + “”;
    xmlData += “CAMUsername User ID: ” + ” ” + user + ” ”
    xmlData += ” CAMPassword Password: ” + “” + password + ” ”
    xmlData += “”;
    // authentication resource
    var rdsLogonUrl = cognosURL + ‘/rds/auth/logon’;

    //var request = new Ajax.Request(rdsLogonUrl, { asynchronous: false, method: ‘get’, parameters: { xmlData: xmlData }, onSuccess: function (aTransport) { return aTransport.responseText; }, onFailure: function (aTransport) { var regex = /(RDS-ERR-)(\d*)/; var err = aTransport.responseText.match(regex); if (err != null) { alert(aTransport.responseText); } });

    $.ajax({
    type: “POST”,
    url: rdsLogonUrl,
    dataType: “json”,
    data: {
    xmlData: xmlData,
    },
    beforeSend: function (xhr: any) {
    //xhr.setRequestHeader(“Authorization”, “CAMNamespace ” + base64credentials);
    xhr.setRequestHeader(“Content-Type”, “application/json”);
    },
    xhrFields: {
    withCredentials: true
    },
    success: async function (aTransport: any) {
    //Anmeldedaten an Server übertragen
    return aTransport.responseText;
    //window.location.href = “/Home/Mainpage”;
    },
    error: function (aTransport: any) {
    // Lizenzfehler
    var regex = /(RDS-ERR-)(\d*)/;
    var err = aTransport.responseText.match(regex);

    if (err != null) {
    alert(aTransport.responseText);
    }
    }

    });
    }

  67. kavitha
    5/2/2018
    Reply

    At present, I am trying to achieve : invoking the IBM Cognos BI login Screen first from my application and after successfully logged-in I would like to redirect to our Application main page.

    Is it possible??

    By doing so, in HTTP header cam_passport will be set in cookie. Then no need to login again when opening the reports right.

  68. kavitha
    5/3/2018
    Reply

    Any updates on getting the campassport from IBM Cognos BI Login page in my c# application ???

  69. kavitha
    5/3/2018
    Reply

    Do I need to install IBM cognos SDK???

  70. kavitha
    5/15/2018
    Reply

    Hi, I finally configured the SSO to fix the above problems.
    Now custom application doesnt prompt for user credentials.
    Thanks for all your response.

  71. kavitha
    5/16/2018
    Reply

    Just a quick clarification on N_CONNECT. I have changed the TM1 IntegratedSecurityMode as 5, so N_connect is not working. It was used to connect from Excel VBA to TM1 perspectives when TM1 IntegratedSecurityMode as 1.

    I have used N_CONNECT_CAM for TM1 cam Security. But its not connecting to TM1 perspectives.

    Do you have any suggestions, kindly write it back.

  72. kavitha
    5/17/2018
    Reply

    Thanks. I am also referencing to this article only, but dont know how to implement it:(

  73. kavitha
    5/17/2018
    Reply

    A quick question: Active directory is always up and running but frequently disconnecting in IBM cognos. Do you have any idea why. So TM1 server explorer is not connecting.

  74. Vlad
    5/17/2018
    Reply

    check your timoputs in tm1s.cfg and in Cognos Configuration:
    ClientPingCAMPassport
    IdleConnectionTimeOutSeconds

  75. Vlad
    5/17/2018
    Reply

    “timeouts”
    ClientPingCAMPassport should be more than the value in your Cognos BI configuration

  76. kavitha
    5/22/2018
    Reply

    I tried the above option, but again end up with same issue.

    tm1 ClientPingCAMPassport=3900
    IBM Config under Authentication, IdleConnectionTimeOutSeconds=3600(default value)

  77. Vlad
    5/22/2018
    Reply

    try setting your ClientPingCAMPassport to something big, like 36000
    In Cognos BI configuration, what is the value of “Security > Authentication > Inactivity timeout in seconds”?

  78. kavitha
    5/25/2018
    Reply

    “Security > Authentication > Inactivity timeout 3600

  79. kavitha
    5/25/2018
    Reply

    I have stopped the IBM cognos service using services.msc, then restarted again now it not frequently disconnecting the Active directory connection.

    Have you ever used function TM1SystemServerConnectWithCAMNamespace from tm1api.dll in application, if so give me some direction. Thanks in advance.

  80. Vlad
    5/25/2018
    Reply

    No, I haven’t, sorry

  81. kavitha
    6/20/2018
    Reply

    Hi
    Is there a way to get the element name using the attributes name in }ElementsAttributesCube using MDX.

  82. Vlad
    6/20/2018
    Reply

    In order to get anything from }ElementsAttributes you need to specify which element and which attribute. What are trying to do and where?

  83. Vlad
    6/20/2018
    Reply

    MDX is just to select some elements. Then you may use either Name or alias in subsets or you can use DimensionElementPrincipalName function in TI process or DimNm( dim, DimIx( dim, elm ) ) in Perpsectives or rules to get the element name

  84. kavitha
    7/17/2018
    Reply

    Hi Thanks for the reply on MDX. I have fetched element name and alias, pushed into the array..and it worked ..

    1) Do have another question related to IBM cognos Campassport, where Campassport is actually stored in browser. In cookies? I am using camPassport for Tm1 Rest call in my application, and in another browser tab, if IBM cognos is opened and logged off, my application is not working, because of campassport been deleted.

    2) I have installed the IBM Cognos in virtual machine, and Active directory configuration is done, but it showing the below error. But the same working in local.

    [ERROR] CAM-AAA-0055 User input required.
    [ERROR] CAM-AAA-0036 Authentication failed because the credentials are invalid.
    [ERROR] Login Failed: The user does not have the required login type on this computer.

    But all the information are right.

    Virtual machine is another machine and Active directory resides on another directory.

  85. Vlad
    7/17/2018
    Reply

    1. Yes, CAMpassport is stored in cookies. The cookies are not shared between different websites./domains/ports (see Cross Origin Resource Sharing). So if you have different URLs like:
    tm1.company.com
    cognosbi.company.com
    yourapp.company.com
    you need to use a proxy and configure it to be like:
    company.com/tm1
    company.com/cognosbi
    company.com/yourapp
    You can read this article for more details:
    https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/W181f1083f3dd_455f_b2f8_f63c4a9c8010/page/Using%20CAM%20authentication%20with%20TM1's,%20OData%20compliant,%20RESTful%20API

    2. Were do you get that error?

    As I remember you have already managed to login from your app to Cognos BI and get some BI content, right?

  86. kavitha
    7/18/2018
    Reply

    @Question 2: Ya, I have already did the setup in my local machine, but now i am trying to do it in virtual machine for testing. There I see problem with AD connection problem.

    @Question 1: For now I have installed tm1 and IBM cognos in single machine, So using same host. I have already gone through the link which you have shared, need to set up the iginx for proxy.? Its not very clear for me.

    sorry Question@1 was bit wrongly proposed, I opened my application and in same browser another tab I opened the Cognos BI or tm1 web and logged off.

    For Tm1 Restapi request, in Http header am setting the Authorization CAmPassport campassportId. So if I do the logout in same browser another Tab Ex: cognos BI will it break my application in any ways.

    Question@3: While doing logout in my application, shal i clear the cookie so that campassport will be removed and for next login, will prompt with BI login screen. Kindly confirm me. Is this ok.

  87. kavitha
    8/16/2018
    Reply

    Hi,

    I have a question reg. TM1 Restapi. I want to get the list of top-level parent elements from the dimension.

    Is there any way..Thanks

  88. Vlad
    8/16/2018
    Reply

    I don’t know straight from my head, but you should be able to use somehow a MDX to get the element and you need this one:
    {Filter({TM1SubsetAll([ YourDimName ])},[ YourDimName ].CurrentMember.Parent.Name=””)}

  89. kavitha
    8/16/2018
    Reply

    Thanks. But will this give the first parent of the member??

  90. Vlad
    8/16/2018
    Reply

    it will give you what you asked for: top-level elements
    if you want the consolidation element only, then you need use EXCEPT o exclude the leaf elements, something like:
    {EXCEPT( {Filter({TM1SubsetAll([ YourDimName ])},[ YourDimName ].CurrentMember.Parent.Name=””)}, {TM1FILTERBYLEVEL( {Filter({TM1SubsetAll([ YourDimName ])},[ YourDimName ].CurrentMember.Parent.Name=””)}, 0)} )}
    But I have not tested it

  91. kavitha
    8/16/2018
    Reply

    I am a new bee for MDX statements. Is it possible if I pass only the Dimension name, to get the top level parent-elements. Bcoz for the first load, i will load the Dimension elements which has no parents ??

  92. kavitha
    8/20/2018
    Reply

    Hi one quick question, Is there a way to get the components for a particular element in TM1 Rest api? For example Element A has Child A1 and A2. When i pass dimension name ans elementName A —> it results to A1 and A2 element.

    Is it possible??

    Thanks in advance.

  93. kavitha
    8/20/2018
    Reply

    I used {DRILLDOWNLEVEL( {[DimName].[elementName]})} its gives the immediate descendants but how to use this in Tm1 REst api call.. any idea?

  94. kavitha
    8/23/2018
    Reply

    Issue with Tm1 RestApi. In Remote server Tm1 is installed and from client machine making a logging-in into Tm1 restapi via application works and for further call to Tm1 restapi is not working,
    Using port 8000 for restapi

    What Could be the problem?

    Port 8000 blocked or conflict or cookies problem
    or Access-Control-Allow-Origin-Header ??? any idea??

    Thanks in advance.

  95. kavitha
    8/24/2018
    Reply

    One quick question??

    Environment set up as
    Client Machine — Proxy Machine —- Server Machine (Tm1 installed)

    But in this above set up, Tm1 Rest api call not happening .. but tm1 web urlapi is working… will the tm1rest api call be rejected via proxy??

  96. Vlad
    8/28/2018
    Reply

    Can you disable proxy and try again?
    Can you try your script locally on TM1 server machine?

  97. kavitha
    8/31/2018
    Reply

    Ok . I can try your option.
    Environment set up as
    Client Machine — Proxy Machine —- Remote Server Machine 1 (Tm1 installed using port 8000)
    —- Remote Server Machine 2 (Tm1 installed using port 8000)
    Tm1 Rest api and Tm1 weburl api request from client to Remote Server Machine 1 is working as expected.
    Tm1 web url api is working fine but Tm1 Rest api calls are not working with REmote Server Machine 2.
    I checked in the wireshark, which shows the network traffic, but I can see only the Tm1 web url request. Tm1 REST api call trace was not there. It may be the port problem??
    What could be the problem? Any guess?

  98. kavitha
    9/3/2018
    Reply

    Hi,

    Is there any search option available in Tm1 REST api? I would like to search the elements in Dimension as search string “G0*” with respect to alias.

  99. kavitha
    9/3/2018
    Reply

    Hi Vald I found some below,

    http://host:8001/api/v1/Dimensions('DimName‘)/Hierarchies(‘DimName’)?$expand=Elements($select=Name, Attributes,Type;$filter = contains(Name, ’00’))

    This gives the matching elements on ‘Elements Name’. But I have to search on attributes[L01]. Any idea how to do that??

  100. kavitha
    9/11/2018
    Reply

    It was helpful and filterbyAttribute working as expected in mdx, but the same is not working using TM! rest api.

    I have another quick question:
    Is there a way to collapse and expand a particular element in dimension using mdx statement.

    I have used
    TM1DRILLDOWNMEMBER( {[dimname].[element]}, ALL ),
    TM1SUBSETALL( [dimname] ), ALL

    but it doesnt work as i expect.

    I would like to pass the element to drill down the particular element in dimension and save to subset or dimension itself.

    Example;

    A1 Consolidated
    A2 Consolidated
    A3 Consolidated

    When i passs A2 drilldown, then the result should be

    A1
    A2
    -….. A21
    …. A22
    ……A23
    A3

  101. Vlad
    9/11/2018
    Reply

    To expand only one level:
    { [dimname].[A1 Consolidated], [dimname].[A2 Consolidated].children, [dimname].[A3 Consolidated]}
    To expand all the levels use {TM1DRILLDOWNMEMBER( {[dimname].[A2 Consolidated]}, ALL, RECURSIVE )}

  102. kavitha
    9/15/2018
    Reply

    k..Thanks for your reply. I am clear with TM1DRILLDOWNMEMBER() function, but for the first example which you have specified, its something like I have to specify all the root elements available in dimension???

  103. Vlad
    9/17/2018
    Reply

    If you want to expand all the elements just use {TM1SUBSETALL( [dimname] )}
    If you want to select all root elements and expand just one level, you can use
    {TM1DRILLDOWNMEMBER( {Filter({TM1SubsetAll([dimName])},[dimName].CurrentMember.Parent.Name=””)} , ALL )}

  104. kavitha
    11/26/2018
    Reply

    Hello,
    I would like to implement securitymode=3. But struggling with SPN registration.

    >setspn -U -F -S HTTP/host.domain.com domain\user
    host.domain.com – Tm1 server FQDN

    but it says..
    Error 0x2098 / 8344 -> The access rights are not sufficient for this process.

    I have admin rights.
    Run the cmd as adminstrator.

    Do I need to run the cmd in the machine where Active Directory is installed?

    Dont have idea how to proceed further.

Leave a Reply

Your email address will not be published. Required fields are marked *