Applied Dimensionality

TM1 application maintenance utility and SingleSignOn

Posted at — Sep 10, 2014

IBM reworked the way approval hierarchies work quite a bit in TM1 10.2. Refreshing any changes to approval hierarchies or updating application security now requires calling a special application maintenance utility. It’s all fairly straightforward: you make the approval subset changes as usual and then run a command line that triggers the app_maintenance.bat file. You can even grab a copy of Infocube’s TIs to run this utility in a more ’bundled-in TM1’ way (just don’t forget to change the ExecuteCommand Wait parameter to 0 in most of them). Application maintenance works nicely and easily right up until you start using it against a CAM-secured TM1 with Single SignOn configured.

You run exactly the same command, but get an error like:

com.ibm.cognos.fpmsvc.exception.FPMSVCException: INVALID_IDENTITY
exitCode=700

Turning off SSO makes everything work.

And I’m not alone in encountering this error, and I expect a lot of others just don’t bother raising their voice. After all, SSO is a good thing, TM1 10.2 is a good thing, shouldn’t they just work together? ;)

I danced the whole IBM APAR ritual that ended up with a fairly standard ‘it’s by design’ answer. I’ll quote it here:

“Customer Statement: This tool is essentially a Cognos SDK tool that uses Cognos SDK logon to manage applications.

An SDK logon is credentials that consist of user:password:namespace. The Cognos SDK does not support SDK logon when SSO is used. Customers using the Cognos SDK can write applications that use a web logon. It is somewhat difficult.

An SDK developer described one way to do this as –

  1. create a custom web application in the same domain as Cognos, and log into Cognos in same browser session (SSO creates Cognos Cookies).
  2. have your new web app put ALL the Cognos cookies in the right location in the BIBus SOAPHeader with no CAM section, and send a query to CM with SDK.
  3. It should return a SOAP response with a valid CAM_PASSPORT; take that BIBus SOAPHeader and use it to call SDK APIs.

If you use a procedure such as above to get a CAM_PASSPORT value you can use this value to run the app_maintenance tool. Instead of specifying -useruid -userpwd -CAMNamespace, use the -credentials option and prefix the CAM passport value with CAM:, i.e. -credentials CAM:MTsxMDE6MGNlMzIyMzMtYTc0Yi05YWFkLWNlNmMtOTg4YWNjNmJiMWIxOjM5NjE5NjQxNTU7MDszOzA7”

The first 10 times I read that, I thought: “SDK, web application, all this is definitely complicated and requires additional SDK licenses”. Running app_maintenance with the -credentials parameter works, but writing a whole application to get a CAM passport? Who in the world has the time to write that?

So we had a choice between forcing all users to input passwords all the time, or having to press the Refresh Rights button every time something changes. It’s obvious what we chose. Fast forward 6 months and a lot of pressing Refresh Rights, and I found a working solution to this problem on the weekend.

Updated 2017/09/01: Please see this post for the updated scripts.

The main idea is fairly simple (if you’re traumatised by VBScript enough):

  1. run Internet Explorer via VBScript
  2. log in to Cognos BI by using the LogonAs URL parameter
  3. grab the cookie that IE gets once authenticated to the Cognos Connection portal
  4. strip the CAM passport out of that cookie
  5. run app_maintenance with -credentials and that CAM passport
  6. log the user off from the Cognos Connection portal using the Logoff URL

Easy, right?

A sample VBScript would look like:

' Assumes these are set earlier in the script: cognos_gateway_url, CAMNameSpace, CAMUser,
' CAMPassword, app_maintenance_path, serviceURL, application_id, sLogFileLocation,
' and that LogToFile is a helper sub that appends a line to a log file.

' The logon URL carries the password in its query string, so mask it before logging.
sLogonUrl = cognos_gateway_url & "?b_action=xts.run&encoding=UTF-8&m=portal/main.xts&CAMNamespace=" & CAMNameSpace & "&CAMUsername=" & CAMUser & "&CAMPassword=" & CAMPassword & "&h_CAM_action=logonAs"
sLogoffUrl = cognos_gateway_url & "?b_action=xts.run&encoding=UTF-8&m=portal/main.xts&h_CAM_action=logoff"
LogToFile "Logon URL " & Replace(sLogonUrl, "CAMPassword=" & CAMPassword, "CAMPassword=***")

Set IE = CreateObject("InternetExplorer.Application")
IE.Visible = False
IE.Navigate sLogonUrl
' Wait until the page has finished loading (ReadyState 4 = complete)
Do While IE.Busy Or IE.ReadyState <> 4
    WScript.Sleep 555
Loop

sCAMPassport = ""
aCookie = Split(IE.Document.cookie, ";")
For i = 0 To UBound(aCookie)
    ' A name/value pair (a crumb) is separated by an equal sign. Split on the first "="
    ' only, otherwise a passport value that itself contains "=" would be skipped.
    aCrumb = Split(aCookie(i), "=", 2)
    If UBound(aCrumb) = 1 Then
        If Trim(aCrumb(0)) = "cam_passport" Then sCAMPassport = Unescape(aCrumb(1))
    End If
Next

If sCAMPassport <> "" Then
    ' The passport is a live session credential: log that it was obtained, not its value
    LogToFile "CAM passport obtained"

    ' Create an execute string to run app_maintenance
    sExecPrefix = Chr(34) & app_maintenance_path & "\app_maintenance.bat" & Chr(34) & " -serviceURL " & serviceURL & " -credentials CAM:"
    sExecArgs = " -applicationid " & Chr(34) & application_id & Chr(34) & " -op refreshrights -logfile " & Chr(34) & sLogFileLocation & application_id & "_refresh_rights_debug.txt" & Chr(34) & " -loglevel DEBUG"
    Set WshShell = WScript.CreateObject("WScript.Shell")
    WshShell.Run sExecPrefix & sCAMPassport & sExecArgs, 1, True
    ' Echo and log the command with the passport masked
    WScript.Echo sExecPrefix & "***" & sExecArgs
    LogToFile sExecPrefix & "***" & sExecArgs
    Set WshShell = Nothing
Else
    LogToFile "Couldn't authenticate and get CAM passport"
End If

' Logging off Cognos
IE.Navigate sLogoffUrl
LogToFile "Logoff URL " & sLogoffUrl
Do While IE.Busy
    WScript.Sleep 555
Loop
IE.Quit

I can share the full VBS or even the TIs we use (we’ve updated the original Infocube’s ones a while ago and added more stuff to support this), drop me a line if you need it.
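
Added example (not part of the original post or its scripts): a script that writes the full logon URL, the passport or the app_maintenance command line to a log leaves the CAM password and a usable passport in that file. The Python sketch below finds and masks those values in existing log lines; the sample lines, hosts and secret values are constructed for illustration.

```python
import re

# Secret-bearing formats that appear on this page:
#   CAMPassword=<value>          in the logonAs URL query string
#   -credentials CAM:<passport>  on the app_maintenance command line
#   CAM Passport <passport>      as a line written by the script's logger
#   cam_passport=<passport>      in a cookie string
PATTERNS = [
    ("password", re.compile(r'(CAMPassword=)[^&\s"]+', re.I)),
    ("passport", re.compile(r'(-credentials\s+"?CAM:)[^\s"]+', re.I)),
    ("passport", re.compile(r'(CAM Passport\s+)\S+')),
    ("passport", re.compile(r'(cam_passport=)[^;\s]+', re.I)),
]

def redact_line(line):
    """Return (redacted line, kinds of secret found in it)."""
    kinds = []
    for kind, rx in PATTERNS:
        line, n = rx.subn(lambda m: m.group(1) + "<redacted>", line)
        if n and kind not in kinds:
            kinds.append(kind)
    return line, kinds

def scan(lines):
    """Redact all lines; return (clean lines, [(1-based line no, kinds)])."""
    clean, hits = [], []
    for no, line in enumerate(lines, 1):
        red, kinds = redact_line(line)
        clean.append(red)
        if kinds:
            hits.append((no, kinds))
    return clean, hits

# Constructed sample log: hosts, user, password and passport are made up.
SAMPLE = [
    "Logon URL http://cognos.example/gw?b_action=xts.run&CAMNamespace=AD"
    "&CAMUsername=svc_tm1&CAMPassword=Secr3t!&h_CAM_action=logonAs",
    "CAM Passport MTsxMDE6ZXhhbXBsZQ==",
    r'"C:\tm1\app_maintenance.bat" -serviceURL http://tm1.example:9510/x'
    r' -credentials CAM:MTsxMDE6ZXhhbXBsZQ== -applicationid "app1" -op refreshrights',
    "Logoff URL http://cognos.example/gw?b_action=xts.run&h_CAM_action=logoff",
]

if __name__ == "__main__":
    clean, hits = scan(SAMPLE)
    print("\n".join(clean))
    print("lines that held secrets:", hits)
```

Any line the scan reports held a credential in clear text, so the corresponding password should be rotated rather than only masked in the file.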

Images by Sebastien Million, check him out, he’s awesome!

Update 27/04/2016: If you’re running into issues with IE logging and grabbing the cookie, it might be related to ‘modern’ IE techniques of silently relaunching the process when you go to Local Intranet or Trusted sites. Try using Set IE = GetObject("new:{D5E8041D-920F-45e9-B8FB-B1DEB82C6E5E}") as per this post.
