Application Servers - BEA WebLogic Advanced IBM Cognos Application Configuration

Transcription

1 Proven Practice Application Servers - BEA WebLogic Advanced IBM Cognos Application Configuration Product(s): IBM Cognos 8.3, BEA WebLogic Area of Interest: Infrastructure DOC ID: AS16 Version

2 BEA WebLogic Advanced Cognos Application Configuration Copyright Your use of this document is subject to the Terms of Use governing the Cognos software products and related services which you have licensed or purchased from Cognos. The information contained in this document is proprietary information of Cognos Incorporated and/or its licensors and is protected under copyright and other applicable laws. You may use the information and methodologies described in this document 'as is' or you may modify them, however Cognos will not be responsible for any deficiencies or errors that result from modifications which you make. Copyright 2007 (c) Cognos Incorporated. All Rights Reserved. You can print selected pages, a section, or the whole book. Cognos grants you a non-exclusive, non-transferable license to use, copy, and reproduce the copyright materials, in printed or electronic format, solely for the purpose of providing internal training on, operating, and maintaining the Cognos software. This document is maintained by the Best Practices, Product and Technology team. You can send comments, suggestions, and additions to BestPractices- ProductandTechnology@cognos.com

3 BEA WebLogic Advanced Cognos Application Configuration TABLE OF CONTENT 1 Introduction Purpose Scope Definitions, Acronyms, and Abbreviations References Assumptions Secure Sockets Layer (SSL) Configure SSL for IBM Cognos Configure a Separate Framework Manager Install Enable SSL for WebLogic Set Up Shared Trust Between WebLogic and IBM Cognos Set Up Shared Trust Between IBM Cognos 8 and Other Servers Single Sign On (SSO) Create a new Security Realm Prepare your Authentication Provider Add Providers Add an LDAP Authentication Provider Add an Authorization Provider Add an Adjudication Provider Add a Role Mapping Provider Add a Credential Mapping Provider Add a Certification Path Provider Activate Changes to Security Realm Providers Modify the Domain Security Modify the IBM Cognos 8 and Servlet Gateway applications Modify the web.xml Deployment Descriptor IBM Cognos 8 Deployment Descriptor Example Servlet Gateway Deployment Descriptor Example Create the weblogic.xml Deployment Descriptor Modify the IBM Cognos Configuration Deploy IBM Cognos 8 and Servlet Gateway to WebLogic Server Web Server Plug-ins Apache HTTP Server Microsoft Internet Information Server Netscape Enterprise Server (aka iplanet or SunOne) Clustering Application Server References / Resources Troubleshooting (Application Server Logs) Web Sites Documentation...51 Appendix...52 A - Example web.xml for p2pd application for SSO...52 B - Example web.xml for Servlet Gateway application for SSO...55 C - Example of weblogic.xml for SSO...58

4 BEA WebLogic Advanced Cognos Application Configuration 1 1 Introduction 1.1 Purpose This document is for those who have limited experience with WebLogic and who wish to set up IBM Cognos 8 on a WebLogic Server environment. The primary goal is to set up a basic environment for testing purposes and not necessarily a high performance production environment. Except where noted, the primary focus of this document will be to cover the setup steps required for IBM Cognos Scope The instructions in this document will work cross platform however the examples shown will be based on a Windows install. UNIX installations require slight modifications to syntax but should otherwise be identical. For example, regarding the syntax for variables, use ${VARIABLE} for UNIX and %VARIABLE% for Windows. Consult your UNIX documentation for more information regarding commands, syntax and scripting. WebLogic is designed so that only one WebLogic Server instance in a domain can run the Administration Service. This server is called the Administration Server. All other servers in the domain are managed by the Administration Server and obtain their runtime configuration from it. These servers are called Managed Servers. IBM Cognos 8 is an application that will be deployed to a Managed Server. The Administration Server is the single point of control for the entire domain, and it must be running for you to make changes to the configuration of any of the Managed Servers running beneath it. This document will take you through the steps to configure WebLogic Server and IBM Cognos 8 in more advanced topics. 1.3 Definitions, Acronyms, and Abbreviations Term JVM J2SE JRE Definition Java Virtual Machine A software "execution engine" that safely and compatibly executes the byte codes in Java class files on a microprocessor (whether in a computer or in another electronic device). The JVM is responsible for the hardware and operating system independence of the J2SE platform, the small size of compiled code (bytecodes), and platform security. Java 2 Platform, Standard Edition There are two principal products in the J2SE platform family: J2SE Runtime Environment (JRE) and J2SE Development Kit (JDK). Java Runtime Environment The JRE provides the Java APIs, Java virtual machine, and other components necessary to run applets and applications written in the Java programming language. It is also the foundation for the technologies in the Java 2 Platform, Enterprise Edition (J2EE) for enterprise software development and deployment. The JRE does

5 BEA WebLogic Advanced Cognos Application Configuration 2 JDK J2EE WL WL_HOME WLS WebLogic Domain Administration Server Managed Server Administration Console Node Manager not contain tools and utilities such as compilers or debuggers for developing applets and applications Java Development Kit The JDK is a superset of the JRE, and contains everything that is in the JRE, plus tools such as the compilers and debuggers necessary for developing applets and applications. Java 2 Platform, Enterprise Edition Combines a number of technologies in one architecture with a comprehensive Application Programming Model and Compatibility Test Suite for building enterprise-class server-side applications. The Java 2 Platform, Enterprise Edition (J2EE) defines the standard for developing multitier enterprise applications. The J2EE platform simplifies enterprise applications by basing them on standardized, modular components, by providing a complete set of services to those components, and by handling many details of application behavior automatically, without complex programming. BEA WebLogic Server Path to the directory where WebLogic is installed (example e:\bea\) WebLogic Server A domain is a collection of resources, such as servers, clusters, database connections, security services, and J2EE applications, that you manage as a unit. A domain must contain at least a definition for an Administration Server and an administrative user. You can define additional resources as part of the domain-creation process or at any time after creating the domain. The Administration Server is the WebLogic Server used to configure and manage all the WebLogic Servers in its domain. A domain may include multiple WebLogic Server clusters and independent WebLogic Server instances. If a domain contains only one WebLogic Server, then that server is the Administration Server. In a domain with multiple instances of WebLogic Server, the first instance to start must be the Administration Server. For a typical production system, BEA recommends that you deploy your applications only on Managed Servers. This practice allows you to dedicate the Administration Server to configuration and monitoring of the domain, while one or more Managed Servers service your applications. The Managed Server is a WebLogic Server instance that retrieves its configuration data from the domain s Administration Server. There can be many Managed Servers in a domain, but only one Administration Server. Usually, you create and start server instances as Managed Servers to run your business applications in a production environment. In this standard scenario, the server instance that you start as the Administration Server does not run business applications. Instead, it only manages resources in the domain. The WebLogic Server Administration Console runs in a Web browser. It displays the components of the domain it administers, including clusters and independent WebLogic Servers, in a graphical tree in the left pane. The right pane displays details about the object selected in the left pane. Node Manager is a Java utility that runs as separate process from WebLogic Server and allows you to perform common operations

6 BEA WebLogic Advanced Cognos Application Configuration 3 SSL keytool Keystore tasks for a Managed Server, regardless of its location with respect to its Administration Server. Use of Node Manager is optional. Short for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents via the Internet. SSL uses a cryptographic system that uses two keys to encrypt data a public key known to everyone and a private or secret key known only to the recipient of the message. By convention, URLs that require an SSL connection start with HTTPS instead of HTTP. Key and Certificate Management Tool It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers. A keystore is a protected database that holds keys and certificates for an enterprise. Access to a keystore is guarded by a password (defined at the time the keystore is created, by the person who creates the keystore, and changeable only when providing the current password). In addition, each private key in a keystore can be guarded by its own password. 1.4 References Ref. ID Author/Paper Location ASCG01 Application Servers - BEA WebLogic Server: Installing the Application Server ASCG05 Application Servers - Installing and Configuring the IBM Cognos Application ASCG11 Application Servers - BEA WebLogic Server: Configuration and IBM Cognos Application Deployment IBM Cognos 8 Installation and Configuration Guide Product Documentation included with IBM Cognos 8 WebLogic Server documentation 1.5 Assumptions Before continuing, make sure the following prerequisites have been met. That you have already installed WebLogic Server and have followed the steps outlined in [ASCG01] Application Servers - BEA WebLogic Server: Installing the Application Server. That you have already installed IBM Cognos 8 and have followed the steps outlined in [ASCG05] Application Servers - Installing and Configuring the Cognos Application. That you have already configured WebLogic Server and have followed the steps outlined in [ASCG11] Application Servers - BEA WebLogic Server: Configuration and Cognos Application Deployment to deploy IBM Cognos 8 to WebLogic Server. That you have the necessary access rights to run WebLogic Server and IBM Cognos 8. It is best if the user used to install WebLogic Server is the same user used to setup and run IBM Cognos 8. You also need the userid and password required to access the WebLogic Administration Console.

7 BEA WebLogic Advanced Cognos Application Configuration 4 That you have the necessary system resources to perform the installation. There is considerably more memory, hard disk space and CPU power required to run any full Application Server than running Tomcat. The minimal requirements for WebLogic should be compared to available resources. Running with less than 768MB of RAM for the Max Heap Memory is not suggested (although it may be possible for testing purposes only), 1GB should be considered a minimum to ensure performance and reliability. For WebLogic 7.0.x, you should allot 500 MB of disk space for the application server installation to complete successfully. For WebLgoic 8.1.x, you should allot 1 GB of disk space for the application server installation. More space will be required for added Managed Servers and application files, logging and additional domains. WebLogic 9.x may require more than 1 GB. The JVM used is the one shipped with WebLogic or one that is supported by WebLogic and IBM Cognos 8. If you are using version 8.1.x, then you can use the JVM shipped with WebLogic or an existing JDK on the system. If you are using version 9, then you can use the JVM shipped with WebLogic or an existing JDK on the system. It is recommended that you use the JDK shipped with WebLogic, though. The WebLogic Server install for AIX does not provide a JVM. You must install this before installing WebLogic. Note: IBM Cognos 8 does not currently support JRockit. That you have the customer documentation available as a resource. You should have both the IBM Cognos 8 documentation as well as the BEA WebLogic documentation. That you are familiar with the operating system (OS) with which you are using. This document assumes you are familiar with the OS. This includes user commands at the command line, syntax and scripting. That you are familiar with IBM Cognos 8. You should already know how to setup and run the product using Tomcat. That you are familiar with SSL and security concepts. The WebLogic demonstration keystores are used as examples in this document. The user can obtain certificates from the appropriate sources. (For example, Verisign, Thawte, etc.) They are not provided by IBM Cognos. That you are familiar with web servers and web server plug-in concepts. That you are familiar with single signon and security concepts.

8 BEA WebLogic Advanced Cognos Application Configuration 5 2 Secure Sockets Layer (SSL) WebLogic provides demonstration keystores for SSL testing. These can be used or you can create your own keystore. If you wish to create your own, make sure you ve created them before trying to configure WebLogic or IBM Cognos 8 to use SSL. The default configuration for SSL in WebLogic Server is one-way SSL, where the Client Certs Not Requested value is applied. In this case, the server passes its identity to the client and does not require client certificates. The demonstration Identity and Trust keystores are already configured to use. For testing and development purposes, the WebLogic SSL configuration is complete. Two-way SSL is a more secure SSL connection. You can enable two-way SSL by setting Client Certs Requested But Not Enforced or Client Certs Requested And Enforced. With the Client Certs Requested But Not Enforced option, the server requests a certificate from the client, but the connection continues if the client does not present a certificate. With the Client Certs Requested And Enforced option, the server requires a client to present a certificate. However, if a certificate is not presented, the SSL connection is terminated. Tip: Before you import keys and certificates to either your WebLogic or IBM 8 keystores, you should back them up. The WebLogic keystores are DemoIdentity.jks and DemoTrust.jks. For IBM Cognos 8, simply create a copy of your configuration directory. You should also backup your Content Store by exporting an archive, if you have data you wish to keep. 2.1 Configure SSL for IBM Cognos 8 You can consult the IBM Cognos 8 user documentation for more information. 1. Start IBM Cognos Configuration. 2. In the Explorer window, click Environment. 3. In the Properties window, type the appropriate values for the Internal Dispatcher URI and External Dispatcher URI values: To configure SSL for internal connections only, for the Internal Dispatcher URI property, type https and a port for SSL communication. For the External Dispatcher URI property, type http and use the default or another available port. The ports in the Internal and External Dispatcher URIs must be different. To configure SSL for external connections only, for the External Dispatcher URI property, type https and a secure port. For the Internal Dispatcher URI property, type http and use the default or another available port. The ports in the Internal and External Dispatcher URIs must be different. To configure SSL for all connections, type the same URI for both the Internal Dispatcher URI and External Dispatcher URI properties. Type https and a secure port, such as In this case, the ports would be the same for the Internal and External Dispatcher URI s. Note: You do not have to use port 9343, the default SSL port. You can choose any available port. 4. Configure the SSL protocol for the other environment URIs, including the Content Manager URIs, the Dispatcher URI for external applications, the Dispatcher URI for gateway and Gateway URI. 5. To use SSL, you must specify passwords for the ReportNet encryption key stores. The passwords are found under Security -> Cryptography -> Cognos. If you are setting up

9 BEA WebLogic Advanced Cognos Application Configuration 6 multiple servers, the passwords must be the same on each server included in the configuration. 6. From the File menu, click Save. Configure a Separate Framework Manager Install If you have IBM Cognos 8 running with SSL on a server and want to configure another component, you must disable SSL before configuring the new component. This applies when you have the new component installed on a separate server. For your UNIX installs, you will have IBM Cognos Framework Manager installed on your Windows machine. The following steps are specific to IBM Cognos Framework Manager. 1. You must disable SSL on the IBM Cognos 8 machine when configuring a new component. Once the keys have been generated, then SSL can be enabled, and the configuration can be saved with SSL. In your WebLogic configuration, the HTTP port on the Managed Server must be enabled and the server restarted. You do not need to disable the HTTPS port. 2. Open IBM Cognos Configuration for your Framework Manager install. Modify the Gateway URI and Dispatcher URI for external applications to the appropriate values. For example, if you re using the Dispatcher as the Gateway, set both the Gateway URI and Dispatcher URI for external applications to the Dispatcher using the HTTP port Modify the Crypto settings by entering the password you used when configuring your IBM Cognos 8 server. Save your changes. You will now have security keys. 4. Copy the exported certificates from your WebLogic Server. Refer to Steps to Set Up Shared Trust Between WebLogic and IBM Cognos 8 later in this document for the steps to export certificates. Import the certificates to your local keystore (Cognos8_location\configuration\signkeypair\jCAKeystore). 5. Stop WebLogic and change the IBM Cognos 8 configuration back to HTTPS. Save your changes in IBM Cognos Configuration. In the WebLogic Administration Console, make sure the HTTPS port is enabled and restart WebLogic Server. 6. Open IBM Cognos Configuration for your Framework Manager install. Change the Gateway URI and Dispatcher URI for external applications to use HTTPS and the SSL port. Save your changes. You should now be able to communicate with your IBM Cognos 8 server using SSL from Framework Manager. 7. Close IBM Cognos Configuration. 2.2 Enable SSL for WebLogic Note: If you selected a Single Server setup for WebLogic, you will modify the startweblogic file. If you selected Administration Server and Managed Server(s), you will modify the startmanagedweblogic file. (*.cmd files are for Windows, *.sh files are for UNIX platforms.) 1. For the script startup method, open the WebLogic Server startup script. Add the following to the JAVA_OPTIONS. -Djava.protocol.handler.pkgs=com.certicom.net.ssl For example, the Java environment would now use the following JAVA_OPTIONS: set JAVA_OPTIONS=- Dweblogic.security.SSL.trustedCAKeyStore=d:\bea\weblogic812\server\li

10 BEA WebLogic Advanced Cognos Application Configuration 7 b\cacerts -Dorg.xml.sax.driver=org.apache.xerces.parsers.SAXParser - Djava.protocol.handler.pkgs=com.certicom.net.ssl 2. For the remote server startup method via the Administration Console and Node Manager, you would add the following to the Java parameters in the Arguments box. -Djava.protocol.handler.pkgs=com.certicom.net.ssl 3. Save the changes and start the WebLogic Server. 4. Open the WebLogic Server Console and select the server you wish to configure. 5. In the Configuration -> General tab, check the SSL Listen Port Enabled checkbox and enter a port number in the SSL Listen Port box. Make sure the port number is not already in use. Restart the server. 6. Test your SSL connection by connecting to the SSL port in a browser session. You should be prompted with a Security Alert dialog.

11 BEA WebLogic Advanced Cognos Application Configuration 8 You can view the certificate to verify its contents, and that it s using the correct certificate. Click Yes to use the certificate for that browser session Set Up Shared Trust Between WebLogic and IBM Cognos 8 1. You can export the keys and certificates using the keytool utility included with your JVM. The following examples show the syntax using the demo keystores provided by WebLogic. For the DemoIdentity.jks keystore: $JAVA_HOME/bin/keytool -export -alias demoidentity -file demoindenty.cer -rfc -keystore DemoIdentity.jks storepass DemoIdentityKeyStorePassPhrase You should see the following message in your command prompt. Certificate stored in file <demoindenty.cer> For the DemoTrust.jks keystore: $JAVA_HOME/bin/keytool -export -alias wlscertgencab -file demotrust.cer -rfc -keystore DemoTrust.jks storepass DemoTrustKeyStorePassPhrase You should see the following message in your command prompt. Certificate stored in file <demotrust.cer> You can find more information on the keytool utility from Search on keytool. 2. Copy the *.cer files to cognos8_location/bin. 3. You can import the keys and certificates using the ThirdPartyCertificateTool utility located in cognos8_location/bin. You must set your cryptography passwords in the IBM Cognos Configuration tool, prior to doing this.

12 BEA WebLogic Advanced Cognos Application Configuration 9 For the DemoIdentity.jks keystore: ThirdPartyCertificateTool.sh -T -i -r demoindenty.cer -k <cognos8_location>/configuration/signkeypair/jcakeystore -p your_password You should see the following message in your command prompt Using /system_1/java/1.4.2_04/bin/java Loaded CA certificate: 'CN=sunspot.cognos.com, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US'. Stored CA certificate(s). For the DemoTrust.jks keystore: ThirdPartyCertificateTool.sh -T -i -r demotrust.cer -k <cognos8_location>/configuration/signkeypair/jcakeystore -p your_password You should see the following message in your command prompt Using /system_1/java/1.4.2_04/bin/java Loaded CA certificate: 'CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US'. Stored CA certificate(s) For UNIX, use ThirdPartyCertificateTool.sh. On UNIX, you must use $ to refer to environment variables. (eg. $JAVA_HOME) Also, use forward slashes when providing the path to a file. For Windows, use ThirdPartyCertificateTool.cmd. On Windows, you must use % to refer to environment variables. (eg. %JAVA_HOME%) Also, use backward slashes when providing the path to a file

13 BEA WebLogic Advanced Cognos Application Configuration Set Up Shared Trust Between IBM Cognos 8 and Other Servers If you want the connection between IBM Cognos 8 and the other server to be mutually authenticated, you must also copy the certificate from your certificate authority to the trust store for Cognos 8. Steps to Copy the IBM Cognos 8 certificate to another Server 1. Go to the crn_location/bin directory. 2. Extract the IBM Cognos 8 certificate using the ThirdPartyCertificateTool found in the Cognos 8 bin directory. Type the appropriate command for the OS you are using. UNIX: ThirdPartyCertificateTool.sh -E -T -r destination_file k c8_location/configuration/signkeypair/jcakeystore -p password Windows: ThirdPartyCertificateTool.bat -E -T -r destination_file k c8_location\configuration\signkeypair\jcakeystore -p password 3. Import the certificate to the trust store on your server. For information on updating the server trust store, see the documentation for your server. Steps to Copy the CA Certificate to IBM Cognos 8 1. Copy the certificate from your certificate authority to a secure location on the IBM Cognos 8 server. Ensure that the CA certificate is in Base-64 encoded X.509 format. 2. Import the CA certificate by typing the following command: UNIX: ThirdPartyCertificateTool.sh -T -i -r CA_certificate_file k c8_location/configuration/signkeypair/jcakeystore -p password Windows: ThirdPartyCertificateTool.bat -T -i -r CA_certificate_file k c8_location\configuration\signkeypair\jcakeystore -p password

14 BEA WebLogic Advanced Cognos Application Configuration 11 3 Single Sign On (SSO) WebLogic Server uses security realms to simplify the configuration and management of security in the WebLogic domain. Each security realm consists of a set of configured security providers, users, groups, security roles, and security policies. You can configure multiple security realms in a domain, but only one can be the active security realm. The default security realm is called myrealm and is preconfigured using an embedded LDAP. When setting up single signon (SSO) on WebLogic Server for use with IBM Cognos 8, we do not recommend using the default security realm. You should create a new realm. For this example, we have created a new domain called c8sso to demonstrate how to configure a new security realm in WebLogic Server. Refer to the BEA WebLogic Server: Installing the Application Server (ASCG01_BEA_WebLogic_Setup.doc) document for information on how to create a new domain using the Domain Configuration Wizard. 3.1 Create a new Security Realm 1. WebLogic Server should already be running. Start WebLogic s Administration Console from the browser and login. The default address is Use the userid and password created when you created the domain. 2. Once authenticated, you will see the Administration Console UI. The following view is the Home page. In the left pane, click on the Security Realms link.

15 BEA WebLogic Advanced Cognos Application Configuration You will see the Summary of Security Realms page for this domain. In order to edit the page, you must click the Lock & Edit button.

16 BEA WebLogic Advanced Cognos Application Configuration Once in Edit mode, click on the New button to start creating a new realm. 5. In the Create a New Realm page, enter a unique name for the realm. Click OK. 6. In order to activate the changes, click on the Activate Changes button. This will also release the configuration from Edit mode. Also, this is an opportunity to revert the changes. To do so, you can click the Undo All changes button to restore the previous settings.

17 BEA WebLogic Advanced Cognos Application Configuration The security realm has been created.

18 BEA WebLogic Advanced Cognos Application Configuration 15 You should now restart the Administration Server. If you look in the console output or WebLogic logs, you should see messages similar to those below. ####<Feb 14, :55:29 PM EST> <Warning> <Management> <SERVERNAME> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.default (selftuning)'> <weblogic> <> <> < > <BEA > <The non-dynamic attribute Realms on ecurityconfiguration[c8sso]) has been changed. This may require redeploying or rebooting configured entities> ####<Feb 14, :55:29 PM EST> <Warning> <Management> <SERVERNAME > <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.default (selftuning)'> <weblogic> <> <> < > <BEA > <A non-dynamic change has been made which affects the server AdminServer. This server must be rebooted in order to consume this change.> 3.2 Prepare your Authentication Provider In WebLogic, security providers are modular components that handle specific aspects of security, such as authentication and authorization. You must have at least one Authentication provider in a security realm. They allow WebLogic Server to establish trust by validating the identity of a user. WebLogic Server requires that an Administrators group exist in the Authentication provider, along with a userid and password to use as the administrator userid. The administrative user must be a member of the Administrators group. The Authentication provider must be created and active prior to setting up a security realm for use with SSO. This provider will be the same security source used for your 3rd party namespace setup in the IBM Cognos Configuration tool. For this example, we have created a new domain called c8sso, with a default administrator userid called weblogic. In this example, we have added the same userid with the same password to the Authentication provider to be used for single signon. The provider used in this example will be an LDAP Authentication provider. The Base DN is o=cognos.com. 3.3 Add Providers A valid security realm requires an Authentication provider, an Authorization provider, an Adjudication provider, a Credential Mapping provider, a Role Mapping provider, and a CertPathBuilder. Refer to the WebLogic Server documentation for more information regarding the different supported providers.

19 BEA WebLogic Advanced Cognos Application Configuration Add an LDAP Authentication Provider 1. Once the Administrative Server has been restarted, login to the Administration Console. In the Administration Console, navigate to Security Realms and select the security realm you created. In the example, we have selected newrealm. Select the Providers tab. 2. Select the Lock & Edit button to enter Edit mode. Click on the New button to create a new Authentication provider.

20 BEA WebLogic Advanced Cognos Application Configuration Enter a name for the new Authentication provider and select the provider type. Since we are using an LDAP directory server, we will select the LDAPAuthenticator type. Click OK. 4. The LDAPAuthenticator has been created successfully. Select the LDAPAuthenticator to configure properties.

21 BEA WebLogic Advanced Cognos Application Configuration On the Common tab under the Configuration tab, set the Control flag to REQUIRED. Click Save. Now, click the Provider Specific tab. 6. Enter information specific to your LDAP Directory Server instance in the appropriate fields. In our example, the Group Base DN is o=cognos.com and the User Name Attribute is uid.

22 BEA WebLogic Advanced Cognos Application Configuration 19 Scroll down the page and enter any other relevant information for your LDAP directory server. Important settings are the Port number, User Base DN, and Host. Here, we enter 222 for the LDAP directory server instance s port number and o=cognos.com for the User Base DN. For the Host setting, you can enter either the IP Address or the server name, depending on your platform and how your network domain is configured. 7. Once you have entered all the required information for your LDAP directory server, click the Save button to save changes to the tab. Click Activate Changes to save the changes to the domain.

23 BEA WebLogic Advanced Cognos Application Configuration 20 The LDAPAuthenticator is now configured for use with the security realm. You should now restart the Administration Server. If you look in the console output or WebLogic logs, you should see messages similar to those below. ####<Feb 14, :58:25 PM EST> <Warning> <Management> <SERVERNAME> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.default (selftuning)'> <weblogic> <> <> < > <BEA > <The non-dynamic attribute AuthenticationProviders on on[c8sso]/realms[newrealm]) has been changed. This may require redeploying or rebooting configured entities> ####<Feb 14, :58:25 PM EST> <Warning> <Management> <SERVERNAME > <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.default (selftuning)'> <weblogic> <> <> < > <BEA > <A non-dynamic change has been made which affects the server AdminServer. This server must be rebooted in order to consume this change.> Add an Authorization Provider When you create a new security realm, you need to configure an Authorization provider. By default, security realms in newly created domains include the XACML Authorization provider. The XACML Authorization provider uses XACML, the extensible Access Control Markup Language. 1. In the Administration Console, navigate to Security Realms and select the security realm you created. Select the Providers tab.

24 BEA WebLogic Advanced Cognos Application Configuration Under the Providers tab, select the Authorization tab. 3. Select the Lock & Edit button to enter Edit mode. Click on the New button to create a new Authorization provider.

25 BEA WebLogic Advanced Cognos Application Configuration Enter a name for the new Authorization provider and select the provider type. We will be using the XACMLAuthorizor. Click OK The Authorization provider is successfully created.

26 BEA WebLogic Advanced Cognos Application Configuration Add an Adjudication Provider Each security realm requires an Adjudication provider, and can have no more than one active Adjudication provider. 1. In the Administration Console, navigate to Security Realms and select the security realm you created. Select the Providers tab. Under the Providers tab, select the Adjudication tab. In Edit mode, click on the New button to create a new Adjudication provider.

27 BEA WebLogic Advanced Cognos Application Configuration Enter a name for the new Adjudication provider. We will use the DefaultAdjudicator type. Click OK The Adjudication provider is successfully created Add a Role Mapping Provider Role Mapping providers compute the set of roles granted to a subject for a given resource. By default, a WebLogic security realm is configured with the XACML Role Mapping provider, and most configuration options for the XACML Role Mapping provider are already defined.

28 BEA WebLogic Advanced Cognos Application Configuration In the Administration Console, navigate to Security Realms and select the security realm you created. Select the Providers tab. Under the Providers tab, select the Role Mapping tab. In Edit mode, click on the New button to create a new Role Mapping provider. 1. Enter a name for the new Role Mapping provider and select the type. We will use the XACMLRoleMapper. Click OK The Role Mapping provider is successfully created.

29 BEA WebLogic Advanced Cognos Application Configuration Add a Credential Mapping Provider Credential mapping is the process whereby the authentication and authorization mechanisms of a remote system obtain a valid set of credentials to authenticate remote users to a target WebLogic resource. The WebLogic Credential Mapping provider maps WebLogic Server objects to the username/password pairs to be used when accessing such resources. By default, most configuration options for the WebLogic Credential Mapping provider are defined. 1. In the Administration Console, navigate to Security Realms and select the security realm you created. Select the Providers tab. Under the Providers tab, select the Credential Mapping tab. In Edit mode, click on the New button to create a new Credential Mapping provider.

30 BEA WebLogic Advanced Cognos Application Configuration Enter a name for the new Credential Mapping provider and select the type. We will use the DefaultCredentialMapper type. Click OK The Credential Mapping provider is successfully created Add a Certification Path Provider WebLogic Server requires each security realm to have a Certification Path provider configured to validate digital certificates as part of its Certificate Lookup and Validation (CLV) framework. The key elements of the CLV framework are the CertPathBuilder and the CertPathValidators. When WebLogic Server receives

31 BEA WebLogic Advanced Cognos Application Configuration 28 a certificate, the CLV framework uses the security provider configured as the CertPathBuilder to look up and validate the certificate chain. The WebLogic CertPath provider requires no configuration, other than its Current Builder attribute, which indicates whether the CertPath provider should be used as the active certificate chain builder. 1. In the Administration Console, navigate to Security Realms and select the security realm you created. Select the Providers tab. Under the Providers tab, select the Certification Path tab. In Edit mode, click on the New button to create a new Certification Path provider. 2. Select the type of Certification Path provider. We will use the WebLogicCertPathProvider. Click Next.

32 BEA WebLogic Advanced Cognos Application Configuration Enter a name for the new Certification Path provider. We will use the default name provided, WebLogicCertPathProvider. Click Next. 4. Check the Replace Existing Builder checkbox. Click Finish The Certification Path provider is successfully created.

33 BEA WebLogic Advanced Cognos Application Configuration Activate Changes to Security Realm Providers In order for the changes to take effect in the domain, you must activate the changes by clicking the Activate Changes button. The security providers are now configured for use with the security realm. You should now restart the Administration Server. If you look in the console output or WebLogic logs, you should see messages similar to the following. ####<Feb 14, :58:25 PM EST> <Warning> <Management> <SERVERNAME > <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.default (self-tuning)'> <weblogic> <> <> < > <BEA > <A non-dynamic change has been made which affects the server AdminServer. This server must be rebooted in order to consume this change.> 3.4 Modify the Domain Security Once your security realm is configured and you ve restarted the Administration Server, you can set it as the active realm to be used by your WebLogic domain. Only one security realm can be active at a time for a domain.

34 BEA WebLogic Advanced Cognos Application Configuration Login to the Administration Console. To access the domain properties, you can select the Domain link on the main pane, or, in the left pane, you can select the domain name link. 2. Select the Security tab. 3. Click the Lock & Edit button to switch to Edit mode. In the Default Realm drop-down list, select the name of your security realm. In the example, we select newrealm. Click the Save button.

35 BEA WebLogic Advanced Cognos Application Configuration In order for the changes to take effect, you must activate the changes by clicking the Activate Changes button.

36 BEA WebLogic Advanced Cognos Application Configuration 33 The default security realm has been reset to use the newly configured realm. You should now restart the Administration Server. If you look in the console output or WebLogic logs, you should see messages similar to the following. ####<Feb 14, :04:58 PM EST> <Warning> <Management> <SERVERNAME> <AdminServer> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.default (selftuning)'> <weblogic> <> <> < > <BEA > <The non-dynamic attribute DefaultRealm on ecurityconfiguration[c8sso]) has been changed. This may require redeploying or rebooting configured entities> ####<Feb 14, :04:58 PM EST> <Warning> <Management> <SERVERNAME> <AdminServer> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.default (selftuning)'> <weblogic> <> <> < > <BEA > <A non-dynamic change has been made which affects the server AdminServer. This server must be rebooted in order to consume this change.> When you restart the Administration Server, you should see messages similar to the following in your WebLogic console.

37 BEA WebLogic Advanced Cognos Application Configuration 34 The next time you access the Administration Console and navigate to Security Realms, the default realm should now be your new security realm and not the WebLogic installed default, myrealm.

38 BEA WebLogic Advanced Cognos Application Configuration Modify the IBM Cognos 8 and Servlet Gateway applications Before building your IBM Cognos 8 or Servlet Gateway application, changes must be made to implement declarative security in the web applications. The deployment descriptors define security requirements by mapping the application's logical security requirements to its runtime definitions in the web.xml and weblogic.xml files. Essentially, we will map security roles and policies between our application and WebLogic Server. The examples provided will demonstrate how to setup basic authentication for web browsers with WebLogic Server. For more information, refer to the WebLogic Server Security documentation Modify the web.xml Deployment Descriptor With basic authentication, the web browser prompts the user with a login screen in response to a WebLogic resource request, for example, connecting to the Servlet Gateway deployed to WebLogic Server. The following steps outline how to configure a web application to provide basic authentication in the web.xml file. The steps are the same for IBM Cognos 8 and Servlet Gateway, and should be completed prior to building the application with the Build Application Wizard. Examples are provided below and in the Appendix. You should backup the original web.xml file before you make any changes. The web.xml file for the IBM Cognos 8 application can be found under <c8_install_root>\webapps\p2pd\web-inf. The web.xml file for the Servlet Gateway application can be found under <c8_install_root>\war\gateway 1. Open the web.xml file for your application and scroll to the bottom of the file. 2. Using the <security-constraint> element, a security constraint must be defined for the Web application resources, that is, the URL resources that you plan to protect. This section should be placed just before the </web-app> end tag. <web-app>... <security-constraint> <web-resource-collection>... </web-resource-collection> <auth-constraint>... </auth-constraint> <user-data-constraint>... </user-data-constraint> </security-constraint>... </web-app> 3. Within the security constraint, the <web-resource-collection> element identifies a subset of the resources using the <url-pattern> element and the HTTP methods on those resources within a Web application to which the security constraint applies using the <http-method> element. The URL pattern points to the p2pd or servlet gateway and the HTTP methods identify the access allowed to the URL resource. We will specify the POST and GET methods.

39 BEA WebLogic Advanced Cognos Application Configuration 36 <web-resource-collection> <web-resource-name/> <description/> <url-pattern>/servlet/dispatch/ext</url-pattern> <http-method>get</http-method> <http-method>post</http-method> </web-resource-collection> 4. Within the security constaint, the <auth-constraint> element defines which groups or principals have access to the collection of Web resources defined using the <role-name> element. <auth-constraint> <description/> <role-name>roletest</role-name> </auth-constraint> 5. Within the security constraint, the <user-data-constraint> element defines how data communicated between the client and the server should be protected using the <transportguarantee> element. In our example, we have set it to NONE, meaning the application does not require any transport guarantees. <user-data-constraint> <description/> <transport-guarantee>none</transport-guarantee> </user-data-constraint> 6. Use the <login-config> element to define the type of authentication you want to use, identified by the <auth-method> element and the security realm to which the security constraints will be applied using the <realm-name> element. We will be using basic authentication for the default realm. <login-config> <auth-method>basic</auth-method> <realm-name>default</realm-name> </login-config> 7. Use the <security-role> element to define one or more security roles and map them to your security constraints. The role name you define with the <role-name> element here must have a corresponding entry in the WebLogic-specific deployment descriptor, weblogic.xml. The weblogic.xml file maps roles to principals in the security realm. In the example, only one role name, roletest, is defined in the security role, however, several roles can be defined. 8. Save changes. <security-role> <description/> <role-name>roletest</role-name> </security-role>

40 BEA WebLogic Advanced Cognos Application Configuration IBM Cognos 8 Deployment Descriptor Example The changes that need to be made to the p2pd application, before building the application for deployment to WebLogic Server are shown below. The web.xml file for the IBM Cognos 8 application can be found under <c8_install_root>\webapps\p2pd\web-inf. Example of changes to web.xml file for the IBM Cognos 8 application (aka p2pd): <! - example --> <security-constraint> <display-name/> <web-resource-collection> <web-resource-name/> <description/> <url-pattern>/servlet/dispatch/ext</url-pattern> <http-method>get</http-method> <http-method>post</http-method> </web-resource-collection> <auth-constraint> <description/> <role-name>roletest</role-name> </auth-constraint> <user-data-constraint> <description/> <transport-guarantee>none</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>basic</auth-method> <realm-name>default</realm-name> </login-config> <security-role> <description/> <role-name>roletest</role-name> </security-role>

41 BEA WebLogic Advanced Cognos Application Configuration Servlet Gateway Deployment Descriptor Example The changes that need to be made to the Servlet Gateway application, before building the application for deployment to WebLogic Server are shown below. The web.xml file for the Servlet Gateway application can be found under <c8_install_root>\war\gateway. Example of changes to web.xml file for Servlet Gateway: <! - example --> <security-constraint> <display-name/> <web-resource-collection> <web-resource-name/> <description/> <url-pattern>/servlet/gateway/*</url-pattern> <http-method>get</http-method> <http-method>post</http-method> </web-resource-collection> <auth-constraint> <description/> <role-name>roletest</role-name> </auth-constraint> <user-data-constraint> <description/> <transport-guarantee>none</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>basic</auth-method> <realm-name>default</realm-name> </login-config> <security-role> <description/> <role-name>roletest</role-name> </security-role>

42 BEA WebLogic Advanced Cognos Application Configuration Create the weblogic.xml Deployment Descriptor In the weblogic.xml file, you map security role names to users and groups. This file must be used as part of the setup for declarative security in web applications deployed to WebLogic Server. The weblogic.xml file must be placed in the same location as the web.xml file for IBM Cognos 8 or Servlet Gateway before the application is created using the Build Application Wizard. For IBM Cognos 8, the web.xml file can be found in <c8_install_root>\webapps\p2pd\web-inf. For the Servlet Gateway, the web.xml file can be found in <c8_install_root>\war\gateway. The <security-role-assignment> element declares a mapping between a security role and one or more principals in the WebLogic Server security realm. The <role-name> element defines the name of the security role that is used. The name you use here must have a corresponding entry in the web.xml deployment descriptor. The <principal-name> element specifies one or more principals for the security role name. Principals can be either users or groups, and you can list several principals per role name. The principals must exist in your authentication provider s schema. An example of a weblogic.xml file is shown below that maps the roletest security role defined in the <security-role> element in the web.xml file to an LDAP group named c8group. With this configuration, WebLogic Server will only allow users in c8group to access the protected URL resource. This weblogic.xml file can be used for both the IBM Cognos 8 and Servlet Gateway applications. Example of weblogic.xml: <?xml version='1.0' encoding='utf-8'?> <weblogic-web-app xmlns=" <security-role-assignment> <role-name>roletest</role-name> <principal-name>c8group</principal-name> </security-role-assignment> </weblogic-web-app> 3.6 Modify the IBM Cognos Configuration Before deploying your modified IBM Cognos 8 or Servlet Gateway application to WebLogic Server, you need to modify the Security configuration in the IBM Cognos Configuration tool. In our example, we ve used an LDAP namespace. The LDAP directory server instance must be the same one that was used to setup the LDAPAuthenticator in WebLogic Server. The following properties need to be modified for the LDAP namespace. User lookup Specify the string that is used to construct the fully qualified DN for authentication. In the example, it has been set to (uid=${userid}). Use external identity? When set to true, the user is authenticated by an external source and the user s identity is provided to the product from the external source. In the example, it has been set to True. External identity mapping Use this mapping to construct a DN or search filter to locate a user in the LDAP directory server. It is only used when Use external identity? is set to True. In the example, it has been set to (uid=${environment( REMOTE_USER )}).

43 BEA WebLogic Advanced Cognos Application Configuration Deploy IBM Cognos 8 and Servlet Gateway to WebLogic Server The steps for IBM Cognos 8 deployment and Servlet Gateway deployment to WebLogic Server are described in the Application Servers - BEA WebLogic Configuration and Cognos Application Deployment [ASCG11] document and in the IBM Cognos 8 Installation and Configuration Guide.

44 BEA WebLogic Advanced Cognos Application Configuration 41 4 Web Server Plug-ins WebLogic Server plug-ins are modules that you add to your third-party Web server installation and configure to enable interactions between WebLogic Server and applications running on Apache HTTP Server, Netscape Enterprise Server, and Microsoft Internet Information Server. With the exception of Weblogic Server 9.0, WebLogic plug-ins are installed along with the WebLogic Server software. For version 9.0, plug-ins are an install option in the custom install which you must check in order to install them. A user application running on a third-party Web server generates an HTTP request, which the Web server routes to the WebLogic Server plug-in. The plug-in sends the HTTP request based on configuration information that specifies a WebLogic Server instance or cluster. The WebLogic Server instance processes the request and returns a response to the user application through the plug-in. 4.1 Apache HTTP Server The steps for Standard Apache Version 2.x are outlined. The Apache plug-in is distributed as a shared object (.so) for the Solaris, Linux, Windows, and HPUX11 platforms. WebLogic supplies versions of shared object files that vary according to platform, to whether or not SSL is to be used between the client and Apache, and to the SSL encryption strength. You install the Apache HTTP Server Plug-In as an Apache module in your Apache HTTP Server installation. 1. In your WebLogic Server installation, locate the shared object directory for your platform. Operating System Solaris Linux HPUX11 AIX Windows Shared Object Location $WL_HOME/Server/lib/solaris $WL_HOME/Server/lib/linux $WL_HOME/Server/lib/hpux11 Warning: If running Apache 2.0.x server on HP-UX11, set the environment variables specified below before you build the Apache server. Because of a problem with the order in which linked libraries are loaded on HP-UX, a core dump can result if the load order is not preset as an environment variable before building. Set the following environment variables before proceeding with the Apache configure, make, and make install steps, (re. Apache HTTP Server documentation at export EXTRA_LDFLAGS="-lstd -lstream -lcsup -lm - lcl -ldld -lpthread" $WL_HOME/Server/lib/aix %WL_HOME%\server\bin 2. Identify the plug-in shared object file for your version of Apache. For Standard Apache Version 2.x, you would use mod_wl_20.so for Regular Strength Encryption. Copy the mod_wl_20.so file to the APACHE_HOME/modules directory and add the following line to your APACHE_HOME/conf/httpd.conf file manually: LoadModule weblogic_module modules/mod_wl_20.so

45 BEA WebLogic Advanced Cognos Application Configuration Verify that the WebLogic Server Apache HTTP Server Plug-In mod_so.c module is enabled. The Apache HTTP Server Plug-In will be installed in your Apache HTTP Server installation as an Apache Dynamic Shared Object (DSO). DSO support in Apache is based on a module mod_so.c, which must be enabled before mod_wl.so can be loaded. If you installed Apache HTTP Server using the script supplied by Apache, mod_so.c is already enabled. Verify that mod_so.c is enabled by executing the following command: For Windows: %APACHE_HOME%/bin/apache l (Where APACHE_HOME is the directory containing your Apache HTTP Server installation.) For UNIX: $APACHE_HOME/bin/apachectl l This command lists all enabled modules. If mod_so.c is not listed, you must rebuild your Apache HTTP Server, making sure that the following options are configured:... --enable-module=so --enable-rule=shared_core In httpd.conf, you must define additional parameters for the Apache HTTP Server Plug-In. Refer to the online documentation for WebLogic Server for more details regarding parameters. The following examples assume that the default context root for Cognos 8 (p2pd) has been used. Example for a single server setup: <IfModule mod_ssl.c> Include conf/ssl.conf </IfModule> # add entries for Weblogic <IfModule mod_weblogic.c> WebLogicHost ServerName WebLogicPort 7021 KeepAliveEnabled ON KeepAliveSecs 60 </IfModule> <Location /p2pd> SetHandler weblogic-handler WebLogicHost ServerName WebLogicPort 7021 </Location> Example for multiple component applications: <IfModule mod_ssl.c> Include conf/ssl.conf </IfModule> # add entries for Weblogic <IfModule mod_weblogic.c>

46 BEA WebLogic Advanced Cognos Application Configuration 43 WebLogicCluster ServerName1:7031,ServerName2:7041 KeepAliveEnabled ON KeepAliveSecs 60 </IfModule> <Location /p2pd> SetHandler weblogic-handler WebLogicCluster ServerName1:7031,ServerName2:7041 </Location> 5. Restart Weblogic Server. 6. Start (or restart if you have changed the configuration) Apache HTTP Server. 7. Test the plug-in by opening a browser and setting the URL to the Apache Server:port + "/p2pd/", which should bring up the IBM Cognos Connection portal. For example: Microsoft Internet Information Server The WebLogic Server plug-in module for the Microsoft Internet Information Server is a dynamic link library called iisproxy.dll. It is supported by an iisproxy.ini file that contains name=value pairs that define configuration parameters for the plug-in. To install the Microsoft Internet Information Server Plug-In: 1. Copy the iisproxy.dll and iisforward.dll files from the %WL_HOME%\server\bin directory of your WebLogic Server into a convenient directory that is accessible to IIS. For example, create a directory called weblogic under C:\Inetpub\wwwroot and place them in that location. 2. Start the Internet Information Service Manager by selecting it from the Start menu. 3. In the left panel of the Service Manager, select your IIS Web site. 4. Open the properties for the selected Web site by right-clicking the Web site selection in the left panel and selecting Properties. 5. Add the iisforward.dll file as a filter service in IIS (WebSite Properties > ISAPI Filters tab > Add the iisforward dll). On the ISAPI Filters tab, click the Add button.

47 BEA WebLogic Advanced Cognos Application Configuration 44 Define a name for the filter and browse to the iisforwaed.dll. Click OK. 6. Register.wlforward as a special file type to be handled by iisproxy.dll. In the Properties panel, select the Home Directory tab, and click the Configuration button in the Applications Settings section.

48 BEA WebLogic Advanced Cognos Application Configuration 45 On the Mappings tab, click the Add button. In the Add dialog box, browse to the iisproxy.dll file. Set the Extension to.wlforward. If you are configuring for IIS 6.0 or later, be sure to uncheck the "Verify that file exists" check box. The behaviour of this check has changed from earlier versions of IIS. Click OK. 7. When you finish configuring file types, click the OK button to close the Properties panel. 8. Create an iisproxy.ini file. BEA recommends that you locate the iisproxy.ini file in the same directory that contains the iisproxy.dll file. The iisproxy.ini file contains name=value pairs that define configuration parameters for the plug-in. Use the example iisproxy.ini file in this section as a template for your iisproxy.ini file. Define the WebLogic Server host and port number to which the Microsoft Internet Information Server Plug-In proxies requests. If you are proxying requests to a single WebLogic Server instance, define the WebLogicHost and WebLogicPort parameters in the iisproxy.ini file. For example, a host called MyServer using Managed Server port 7021 would be:

49 BEA WebLogic Advanced Cognos Application Configuration 46 WebLogicHost=MyServer WebLogicPort=7021 If you are proxying requests to a cluster of WebLogic Servers, define the WebLogicCluster parameter in the iisproxy.ini file. For example: WebLogicCluster=Server1:7011,Server2:7021 Where Server1 and Server2 are instances of Weblogic Server running in a cluster. Define the property WlForwardPath in iisproxy.ini. WlForwardPath defines the path that is proxied to WebLogic Server, for example: WlForwardPath=/p2pd. Note: Parameters changes will not go into effect until you restart the "IIS Admin Service" in Services. Example of an iisproxy.ini file for a single server install: # This file contains initialization name/value pairs # for the IIS/WebLogic plug-in. WebLogicHost=ServerName WebLogicPort=7021 ConnectTimeoutSecs=30 ConnectRetrySecs=3 WLForwardPath=/p2pd Example for multiple server applications: # This file contains initialization name/value pairs # for the IIS/WebLogic plug-in. WebLogicCluster=ServerName1:7031,ServerName2:7041 ConnectTimeoutSecs=30 ConnectRetrySecs=3 WLForwardPath=/p2pd Hint: To debug your application, set the Debug=ON parameter in iisproxy.ini. A c:\tmp\iisforward.log is generated containing a log of the plug-in's activity. Refer to the Weblogic Server documentation for details regarding the parameters for Web Server Plug- Ins.

50 BEA WebLogic Advanced Cognos Application Configuration The installed version of IIS with its initial settings does not allow the iisproxy.dll. Use the IIS Manager console to enable the Plug-In: Open the IIS Manager console. Select Web Service Extensions. Set "All Unknown ISAPI Extensions" to Allowed. Note: Step 9 is applicable only if you are trying to configure IIS Netscape Enterprise Server (aka iplanet or SunOne) The WebLogic NES plug-in module is distributed as a shared object (.so) on UNIX platforms and as a dynamic-link library (.dll) on Windows. These files are respectively located in the $WL_HOME/server/lib or $WL_HOME/server/bin directories of the WebLogic Server installation. The server directory contains installation files for WebLogic Server. The modules are: Linux: lib/linux/i686/libproxy.so AIX: lib/aix/libproxy4x.so or lib/aix/libproxy4x_128.so Solaris: lib/solaris/libproxy.so Windows: server/bin/proxy36.dll The Netscape plug-in works for Netscape, iplanet and Sun One Web Servers. To install the Netscape plug-in: 1. Copy libproxy.so from the WebLogic Server installation to the plugins directory under /<sunone_install_dir>/servers. For example, for WebLogic 8.1.x on Solaris, $WL_HOME/weblogic81/server/lib/solaris.

51 BEA WebLogic Advanced Cognos Application Configuration Create a new web server instance in the web server s Administration Console. Login to the console and click Add Server. (Do not use the default instance created by the install.) In the Add Server dialog, enter the appropriate information regarding the Server Identifier and port number. Click OK to create the web server instance.

52 BEA WebLogic Advanced Cognos Application Configuration Modify the obj.conf file under /<sunone_install_dir>/servers/https-<instance_name>/config. The obj.conf file defines which requests are proxied to WebLogic Server as well as other configuration information. Create an <Object> tag to proxy requests by URL. Specify a name for this object inside the opening <Object> tag using the name attribute. The name attribute is informational only and is not used by the Netscape Enterprise Server Plug-In. For example: <Object name=myobject...> Specify the URL to be proxied within the <Object> tag, using the ppath attribute. For example: <Object name=myobject ppath="*/p2pd/*> The value of the ppath attribute can be any string that identifies requests intended for Weblogic Server. When you use a ppath, every request that contains that path is redirected. For example, a ppath of "*/p2pd/*" redirects every request that begins " to the NES Plug-In, which sends the request to the specified Weblogic Server instance or cluster. Begin the Service directive with Service fn=wl_proxy, followed by valid name=value pairs of parameters for the target servers. For a non-clustered WebLogic Server, use the WebLogicHost and WebLogicPort parameters. For a cluster of WebLogic Server instances, use the WebLogicCluster parameter. For example, if the default context root is used and the managed server port is 7021, the following would be added to the obj.conf file. <Object name="p2pd" ppath="*/p2pd/*"> Service fn=wl_proxy WebLogicHost=server_name WebLogicPort=7021 </Object> For multiple WebLogic Server targets, where Host1 uses port 7021 and Host2 uses 7031, the following would be added to the obj.conf file. <Object name="p2pd" ppath="*/p2pd/*"> Service fn=wl_proxy WebLogicCluster= Host1:7021,Host2:7031 </Object> 4. Add the following at the beginning of the magnus.conf file. It can also be found in under /<sunone_install_dir>/servers/https-<instance_name>/config. These lines instruct NES to load the native library (the.so or.dll file) as an NES module. Init fn="load-modules" funcs="wl_proxy,wl_init" shlib=/<sunone_install_dir>/servers/plugins/libproxy.so Init fn="wl_init" The function "load-modules" tags the shared library for loading when NES starts up. The values "wl_proxy" and "wl_init" identify the functions that the Netscape Enterprise Server Plug-In executes. 5. To test the Netscape Enterprise Server Plug-In: Start WebLogic Server. Start Netscape Enterprise Server. If NES is already running, you must either restart it in order for the new settings to take effect.

53 BEA WebLogic Advanced Cognos Application Configuration 50 To test the NES Plug-In, open a browser and set the URL to the Netscape Enterprise Server + /p2pd/, which should bring up the Cognos Connection portal. For example: 5 Clustering A WebLogic Server cluster consists of multiple WebLogic Server server instances running simultaneously and working together to provide increased scalability and reliability. WebLogic clustering is not supported by IBM Cognos 8 at this time.