Architecture and Deployment Guide: IBM Cognos Controller
Architecture and Deployment Guide: IBM Cognos Controller
Architecture and Deployment Guide: IBM Cognos Controller
Version 10.2.1
Note
Before using this information and the product it supports, read the information in “Notices” on page 49.
Product Information
This document applies to IBM Cognos Controller Version 10.2.1 and may also apply to subsequent releases.
Licensed Materials - Property of IBM
© Copyright IBM Corporation 2004, 2015.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Chapter 3. Communications . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Microsoft .NET Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
COM+ application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Database connection management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Log messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Port usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Request flow processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Chapter 4. Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Microsoft .NET Framework security policies . . . . . . . . . . . . . . . . . . . . . . . . 19
IBM Cognos authentication services . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Native security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
IBM Cognos security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Windows authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Cognos namespace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Single signon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Content Manager authorization services . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Groups and roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Cryptographic services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Using certificate authority by other providers . . . . . . . . . . . . . . . . . . . . . . . 23
IBM Cognos Application Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
The chapters one to five describe the IBM Cognos Controller architecture from the
perspectives of structure, communications, security, and workflow. The chapters 6
to 9 provide information to help you plan to install and configure IBM Cognos
Controller.
Audience
This document is for the solutions architect who oversees the setup,
administration, and use of IBM Cognos Controller.
To use this guide effectively, you should be familiar with your information
technology infrastructure and with the business needs of the people in your
organization who will use IBM Cognos Controller.
Finding information
Forward-looking statements
Accessibility features
Accessibility features help users who have a physical disability, such as restricted
mobility or limited vision, to use information technology products. IBM Cognos
Controller has accessibility features. For information on these features, see the
accessibility section in the IBM Cognos Controller User Guide.
IBM Cognos HTML documentation has accessibility features. PDF documents are
supplemental and, as such, include no added accessibility features.
IBM Cognos Controller uses Microsoft.NET Framework so that clients can interact
with server-based components through the use of Web services. IBM
Cognos Controller provides the zero-administration and zero-deployment benefits
that are available for Microsoft .NET Framework applications.
IBM Cognos Controller supports multilingual reporting with components that are
designed for scalability, availability, and openness. These components use platform
independent, industry proven technology, such as Extensible Markup Language
(XML), and Web Services Definition Language (WSDL).
IBM Cognos Controller also uses other components “Other components” on page
10.
Interfaces
Several interfaces are available for using and configuring IBM Cognos Controller:
v Cognos Controller interface
v Cognos Connection
v Cognos Viewer
v Cognos Controller Configuration
v Cognos Configuration
Within IBM Cognos Controller, the IBM Cognos Controller Link for Microsoft
Excel extends the functionality of Microsoft Excel for creating individual forms and
provides templates for manual data entry.
For information about using IBM Cognos Controller, see the IBM Cognos Controller
User Guide.
It provides a single point of entry for querying, analyzing, and organizing data,
and for creating reports, scorecards, and events. Users can run all their Web-based
IBM Cognos (BI) applications through IBM Cognos Connection. Other business
intelligence applications, and URLs to other applications, can be integrated with
IBM Cognos Connection.
Cognos Viewer
IBM Cognos Viewer is a portlet in which you can view and interact with any type
of published IBM Cognos content.
It is accessible through IBM Cognos Connection and any existing enterprise portal.
For information about using Controller Configuration, see the IBM Cognos
Controller Configuration User Guide.
For information about using IBM Cognos Configuration, see the IBM Cognos
Business Intelligence Installation and Configuration Guide.
Gateway components
The IBM Cognos Controller gateway components provide Web communication
and access for client computers.
Gateways
Web communication in IBM Cognos Controller is typically through gateways,
which reside on one or more Web servers. A gateway is an extension of a Web
server program that transfers information from the Web server to another server.
Web communication can also occur directly with the Controller Web Services
Server “Controller Web Services Server” on page 7 or Report Server dispatcher
“Dispatcher” on page 7. This may provide improved performance in environments
where the gateway is not required for security purposes.
The Controller Client Distribution Server and Web Services Server support only IIS.
If a Controller Client Distribution Server is on the same computer as the gateway,
you must use CGI or ISAPI.
For information about configuring gateways, see the IBM Cognos Controller
Installation and Configuration Guide.
Controller Web Services Server handles requests for activities within IBM Cognos
Controller, such as working with accounts, consolidations, companies, and
dimensions. Controller Web Services Server also manages data source connections
and security information, as well as preparing data in the IBM Cognos Controller
database for reports.
Depending on how you have configured security, the Web Services Server may
access other components before processing requests, such as authenticating users.
A COM+ application is created when the Web Services Server is installed. This
application runs within the Microsoft component services and provides most of the
IBM Cognos Controller business logic, such as retrieving report templates and
preparing data in the Controller database for reports.
Report Server
The Report Server renders IBM Cognos Controller reports, in PDF and HTML
formats. It includes a dispatcher and several services.
Dispatcher
The dispatcher operates Report Server services and routes requests to these
services. If more than one Report Server is included in your installation, the
dispatcher routes requests to other Report Server dispatchers, as required.
The dispatcher starts all Report Server services configured and enabled on a
computer. The dispatcher is a multithreaded application that uses one or more
threads per request. Configuration changes are routinely communicated to all
running dispatchers. The dispatcher includes IBM Cognos Application Firewall to
provide security for reporting. For more information, see “IBM Cognos Application
Firewall” on page 23.
When you configure gateways, you can list the universal resource identifiers
(URIs) of target dispatchers in order of most to least preferred. If a dispatcher fails,
requests are routed to another dispatcher based on the list. The primary dispatcher
status is monitored by the gateway, and requests are routed back to this
component when it returns to service. For more information, see the IBM Cognos
Controller Installation and Configuration Guide.
Services
Content Manager
Content Manager is a service that manages the storage of IBM Cognos data,
including customer application data. Content Manager performs general functions,
such as add, query, update, delete, move, and copy. It also performs content store
management functions, such as export and import.
Access Manager
After installing IBM Cognos Controller, you must import the package into Content
Manager using IBM Cognos Connection. You must have Controller user or
administrative privileges (defined within IBM Cognos Connection) to import this
package.
You can use the Framework Manager model provided with Controller to author
custom reports. This Publish to Data Mart Framework Manager model is provided
as a template for reporting against a Controller data mart database. You can also
customize the model in IBM Cognos Framework Manager before creating the
reports in IBM Cognos Report Studio.
To use this model, you must install IBM Cognos Framework Manager from the CD
provided with IBM Cognos Controller, or use Framework Manager from your IBM
Cognos Business Intelligence installation.
Modeling components
Modeling components model data within data sources to structure and present
data in a way that is meaningful to users. IBM Cognos Controller uses the
following modeling components:
Framework Manager
Framework Manager is the IBM Cognos Business Intelligence (BI) modeling tool
for creating and managing business related metadata for use in IBM Cognos BI
analysis and reporting. Metadata is published for use by reporting tools as a
package, providing a single, integrated business view of any number of
heterogeneous data sources.
To author custom reports using the Controller Framework Manager model, you
must have access to Framework Manager. You can access Framework Manager in
an existing IBM Cognos Business Intelligence environment, or you can install
Framework Manager using the CD that is provided with IBM Cognos Controller.
Other components
IBM Cognos Controller requires some other components for its databases: the
content store, the Controller database, and the Controller data mart.
Content store
The content store is a relational database that contains data that IBM Cognos
Controller needs to operate, such as report packages and connection information
about the external namespace and the Cognos namespace.
The IBM Cognos application does not publish the content store schema, but
updates the schema periodically, isolating changes from the user through stable
user interfaces and APIs.
Much of the information in the content store is stored as binary large object
(BLOB) fields.
Controller database
The Controller database is a relational database that contains the data that clients
work with in IBM Cognos Controller.
The Controller Web Services Server uses data source connections to access
Controller databases. One data source connection is defined for each Controller
database. Data source connections are defined by administrators using Controller
Configuration.
At least one database and its data source connection must be available before users
can use IBM Cognos Controller. If more than one Controller database is available,
each database must be the same Controller database version. For more information
about database versions, see the IBM Cognos Controller Installation and Configuration
Guide.
To enable the Web Services Server to connect to the Controller database, ensure
that you install the database API software on each Web Services Server computer.
IBM Cognos Controller uses Microsoft .NET Framework to enable users' computers
to interact with IBM Cognos Controller server components for access to IBM
Cognos Controller and its features.
By default, Microsoft Windows does not allow smart clients to run outside of the
browser. Therefore, Microsoft .NET Framework Security Policies on every client
computer must be configured to allow IBM Cognos Controller to run. This
configuration allows the client computer to trust the computer on which Controller
Client Distribution Server is located. For information about configuring this trust,
see the IBM Cognos Controller Installation and Configuration Guide.
COM+ application
The Microsoft Component Object Model (COM+) application requires that you
configure an identity and users before it can run.
COM+ identity
The COM+ identity represents a dedicated user who has access rights to the
applications and services required by the COM+ application. The account that is
configured to represent this dedicated user can be a system account or a specific
user account, depending on the security requirements for the computer that the
COM+ application is running on.
For information about configuring the identity for the COM+ application, see the
IBM Cognos Controller Installation and Configuration Guide.
COM+ users
For information about configuring accounts for the COM+ application, see the IBM
Cognos Controller Installation and Configuration Guide.
The Content Manager service accesses the content store. Content Manager uses one
database connection per request. Content Manager creates new database
connections as required, pools connections, and reuses existing connections when
possible. Content Manager maintains all database connections for the duration of
the Content Manager operation. The theoretical maximum number of concurrent
Content Manager requests is determined by the number of requests accepted by
the Java application server or Tomcat.
When other Report Server services are on the same computer as Content Manager,
requests may be divided between Content Manager and the other services. In this
case, the number of connections available to Content Manager may be fewer than
the maximum possible connections.
For some types of databases, such as Oracle, API client software must be installed
and configured on each Report Server.
Controller database
Controller Web Services Server and Report Server access the Controller database.
Controller Web Services Server interacts with the Controller database to respond to
user requests, to process SQL commands against the database, and to create data
views for reports. Report Server accesses the Controller database to retrieve data
for reports.
Controller Web Services Server and Report Server use one database connection per
request, creating new connections as required. Each server maintains its own
The API connection type is used between Controller Web Services Server or Report
Server and the Controller database. OLE DB in Microsoft ActiveX Data Objects
(ADO) connections are used.
For some types of databases, such as Oracle, API client software must be installed
and configured on each Controller Web Services Server or Report Server.
For information about defining database connections, see the IBM Cognos Controller
Installation and Configuration Guide.
Log messages
Log messages are an important diagnostic tool for investigating the behavior of
IBM Cognos Controller components.
In addition to error messages, log messages provide information about the status
of components. Log messages also provide a high-level view of important events,
such as successful completion of processing requests and fatal errors.
Log messages for IBM Cognos Controller components are recorded in the
Windows Event Log.
When you install reporting components, a log server is installed. The log server
uses a different port from the other IBM Cognos Controller components, and
continues to process events even if other services on the local computer, such as
the dispatcher, are disabled.
By default, all local reporting services send events to the local log server. When
you configure a log server, you can:
v Specify the level of detail to log for each logging category.
For more information, see the IBM Cognos Business Intelligence Administration and
Security Guide.
v Direct messages to an alternative destination, such as another database or the
Windows Event Viewer.
Port usage
All communication among reporting components, except for log server
communication, can take place through one incoming port.
Log server communication must take place through a unique port. The default port
is 9362.
For information about specifying where to send log messages, see the IBM Cognos
Controller Installation and Configuration Guide.
Chapter 3. Communications 15
Request flow processing
Request flow describes internal IBM Cognos Controller responses to user requests.
There are hundreds of types of requests and responses in IBM Cognos Controller.
To illustrate request flow, this section describes how IBM Cognos Controller
responds to a request to run a report.
When a user runs a report from IBM Cognos Controller, the following occurs:
1. The user clicks a report to run it, and the request goes to the gateway, which
forwards the request to Controller Web Services Server. If a gateway is not part
of your installation, the request is sent directly to Controller Web Services
Server.
2. Controller Web Services Server forwards the request to the Controller COM+
application for processing.
3. The COM+ application prepares the data in the Controller database for Report
Server to retrieve later.
To prepare the data, the COM+ application inserts data for the report into the
dedicated tables created during installation in the Controller database. When
Report Server generates the report, SQL queries are run against these tables.
4. The COM+ application retrieves the report template, which is an XML file
stored on the Controller Web Services Server computer. The COM+ application
updates the report template based on selections made by the user when
requesting the report. Updates include modifications to the data source,
formatting, and SQL queries.
Chapter 3. Communications 17
18 Architecture and Deployment Guide
Chapter 4. Security
IBM Cognos Controller provides a security architecture that is flexible and
compatible with your existing security model.
The content required to run IBM Cognos Controller is downloaded from the
Controller Client Distribution Server to the user's computer. Because IBM Cognos
Controller is based on Microsoft .NET technology, all client computers must be
configured to trust the Controller Client Distribution Server computer. This trust is
configured using the Microsoft .NET Framework Configuration tool. For
information about installing Microsoft .NET Framework and configuring this trust,
see the IBM Cognos Controller Installation and Configuration Guide.
Native security
Native security is the default authentication method.
When users start IBM Cognos Controller, they are prompted to choose a database
and log on. Only users who can provide the appropriate credentials are allowed to
log on to IBM Cognos Controller.
If you use native security to secure the Controller database, you must configure
anonymous access to the reporting components using IBM Cognos security.
For authenticated access, when users attempt to access IBM Cognos Controller,
they are prompted to log on to the application. Only users who provide the
appropriate application credentials are allowed access to IBM Cognos Controller.
Authentication providers determine the users, groups, and roles used for
authentication. User names, IDs, passwords, regional settings, and personal
preferences are some examples of information stored in the authentication source
accessed by the provider. An authentication namespace is an instance of a
configured authentication provider.
Cognos namespace
IBM Cognos has its own namespace, which is in addition to the external
namespaces that represent other authentication providers.
The Cognos Namespace does not replicate the groups and roles defined in your
authentication provider. Instead, you may want to use the Cognos Namespace to
define groups and roles that can span multiple other authentication providers. This
practice can add value to your existing groups and roles by reorganizing them for
IBM Cognos Controller without changing them in your authentication provider or
existing Controller security definitions.
You can use the Cognos Namespace to set up security that links easily with client
security systems. For more information, see the IBM Cognos Administration and
Security Guide.
Single signon
Depending on the type of authentication you implement, you can configure IBM
Cognos Controller for single signon.
Users can then sign on once to an environment that includes IBM Cognos
Controller and other programs, without having to sign on each time they move
between programs. Implementation of a single signon solution depends on the
environment and authentication provider or IBM Cognos Controller native security
configuration.
For more information, see the IBM Cognos Controller Installation and Configuration
Guide.
Permissions are related to the users, groups, and roles defined in other
authentication providers. Permissions define access rights to objects, such as
directories, folders, and other content, for each user, group, or role. Permissions
also define the activities that can be performed with these objects.
Chapter 4. Security 21
v groups and roles created in the Cognos Namespace in the Content Manager for
IBM Cognos Controller. These groups and roles are referred to as IBM Cognos
groups and IBM Cognos roles.
v entire namespaces, users, groups, and roles created in other authentication
providers
Users
A user entry is created and maintained in a other authentication source to uniquely
identify an account belonging to a person or a computer.
The user entry stored in the authentication source may include information such as
first and last names, passwords, IDs, locales, and email addresses. However, IBM
Cognos Controller may require additional information, such as the location of the
users' personal folders or their format preferences for viewing reports in the portal.
This additional information is stored in IBM Cognos Controller.
You can assign users to groups and roles defined in the authentication provider
and in IBM Cognos Controller. A user can belong to one or more groups or roles.
If users are members of more than one group, their access permissions are merged.
For more information about users, see the IBM Cognos Administration and Security
Guide.
Roles differ from groups in several ways. Members of roles can be users, groups,
and other roles. Role membership is not part of the user basic identity.
For more information about groups and roles, see the IBM Cognos Administration
and Security Guide.
Cryptographic services
Cryptographic services ensure that sensitive data and communications in the
gateway, Report Server, and Content Manager are secure.
Two categories of encryption strength are available for IBM Cognos Controller.
Basic encryption using Standard OpenSSL is the standard IBM Cognos
cryptographic service included with IBM Cognos Controller. It uses signatures to
digitally sign some messages to ensure that they come from a recognized Report
Server service.
You can add enhanced encryption after you start using IBM Cognos Controller
with standard encryption. However, after you install enhanced encryption and
configure IBM Cognos Controller to use it, you cannot return to standard
encryption.
When you implement the standard or enhanced IBM Cognos encryption provider,
the IBM Cognos certificate authority (CA) is used by default. You can also use any
other CA that generates Base-64 encoded X.509 certificates. For more information,
see the IBM Cognos Controller Installation and Configuration Guide.
IBM Cognos Application Firewall does not affect non-reporting requests, which are
not sent to the dispatcher.
For information about configuring IBM Cognos Application Firewall, see the IBM
Cognos Controller Installation and Configuration Guide.
Chapter 4. Security 23
24 Architecture and Deployment Guide
Chapter 5. Workflow for IBM Cognos Controller
The workflow for IBM Cognos Controller is shown in the following diagram.
The series of tasks that people in your organization will perform to understand,
install, configure, and use IBM Cognos Controller include the following:
v Planning for deployment
Deployment planning should be done before installing and configuring IBM
Cognos Controller. It is typically carried out by a team assembled and led by the
business intelligence solutions architect.
v Installing and configuring IBM Cognos Controller.
Technical personnel install and configure IBM Cognos Controller, typically
under the direction of the business intelligence solutions architect. The
installation and configuration process is not complete until a Controller database
is available and the Controller Framework Manager Model has been imported
into Content Manager.
v Administering IBM Cognos Controller.
Administrators must ensure that client computers are configured with the
appropriate trust permissions to access IBM Cognos Controller. Administrators
also establish and maintain security, set up multilingual capabilities, and
perform ongoing administration.
v Using IBM Cognos Controller.
User can access IBM Cognos Controller and begin working with their data and
viewing reports. For more information, see the IBM Cognos Controller User Guide.
Report users view and print reports through IBM Cognos Connection. For more
information, see the IBM Cognos Connection User Guide.
When you install IBM Cognos Controller using the Installation wizard, you
specify where to install each of these components:
v gateway components, including gateways “Gateway components” on page 5,
Controller Client Distribution Server “Controller Client Distribution Server” on
page 6, IBM Cognos Connection Integration Enabler “IBM Cognos Connection
Integration Enabler” on page 8, and Gateway Integration Enabler “Gateway
Integration Enabler” on page 6
v application tier components, which include Report Server “Report Server” on
page 7 and Controller Web Services Server “Controller Web Services Server” on
page 7
v Content Manager components, which include Content Manager “Content
Manager” on page 8 and Controller Framework Manager Model “Controller
Framework Manager model” on page 10
To deploy the Publish to Data Mart model that is provided with IBM Cognos
Controller, you must also install Framework Manager.
You can install the components on one computer, or distribute them across a
network. Before installing IBM Cognos Controller, choose the appropriate
installation and configuration option Chapter 7, “Installation options,” on page 33.
You use these tools immediately after installation to set the initial IBM Cognos
Controller configuration. You can configure the following:
v logging
You can specify the destination log for messages generated by the gateway and
reporting components “Log messages” on page 15.
The Web Services Server records log messages in the Microsoft Windows Event
Log.
v security
You can run IBM Cognos Controller with or without security. By default, native
security is configured for the Controller database and IBM Cognos Application
Firewall is enabled for the Report Server. If you want to set up security, you
should configure security settings immediately after installing IBM Cognos
Controller Chapter 4, “Security,” on page 19.
v data access
You must specify database connection information “Database connection
management” on page 14 for the content store and at least one Controller
database.
For information about initial configuration, see the IBM Cognos Controller
Installation and Configuration Guide. For information about using IBM Cognos
Configuration, see the IBM Cognos Controller User Guide. For information about
using Controller Configuration, see the IBM Cognos Controller help.
Packages are model subsets that provide users with data that is appropriate for the
reporting they need to do, and ensure that the data is structured in ways that
make sense from a business perspective.
The client computer downloads the content required to run IBM Cognos
Controller, including the IBM Cognos Controller Link for Microsoft Excel module,
from the Controller Client Distribution Server. After the content is downloaded to a
cache on the client computer, IBM Cognos Controller runs on the computer.
Because IBM Cognos Controller is based on the Microsoft .NET Framework
technology, the client computer must be configured to trust the computer from
which this content is downloaded. This trust must be configured using the
Microsoft .NET Framework Configuration tool on every computer that runs IBM
Cognos Controller. For information about installing Microsoft .NET Framework
and configuring this trust, see the IBM Cognos Controller Installation and
Configuration Guide.
For more information about the cogstartup.xml file, the coglocale.xml file, and
troubleshooting, see the IBM Cognos Controller Installation and Configuration Guide.
Configuring Security
IBM Cognos Controller can provide security by using native security, by
integrating with an existing security infrastructure to provide user authentication,
or by using Microsoft Windows authentication.
IBM Cognos Controller can secure content by using the user and group definitions
from your security system, without any changes required. A Cognos namespace is
included to provide the optional ability to define additional groups for securing
content. These groups can simplify security administration by including users and
groups from one or more authentication providers.
Cognos Controller includes IBM Cognos Application Firewall, which validates and
filters incoming and outgoing reporting traffic for the Report Server dispatcher. By
default, IBM Cognos Application Firewall is enabled.
If you intend to set up security for IBM Cognos Controller, it should be the first
thing you do after installation Chapter 4, “Security,” on page 19. For information
about setting up and maintaining security, see the IBM Cognos Administration and
Security Guide.
You must also configure the language in Controller Configuration for interfaces
and reporting templates.
After IBM Cognos Controller is installed and configured, you can use IBM Cognos
Connection “IBM Cognos Connection” on page 5 or your other software portal to
v monitor and administer servers
v back up data
v maintain security
v deploy IBM Cognos Controller from one environment to another
For information about using IBM Cognos Connection, see the IBM Cognos
Connection User Guide. For information about administration, see the IBM Cognos
Administration and Security Guide.
If users plan to use forms from earlier versions of IBM Cognos Controller, they
must upgrade the forms. The tool used to upgrade forms is provided with IBM
Cognos Controller and must be installed by the Administrator. For information
about choosing consolidation models and upgrading forms, see the IBM Cognos
Controller Installation and Configuration Guide.
This means installing and configuring IBM Cognos Controller so that it integrates
with your information technology infrastructure and meets your financial
consolidation and reporting requirements.
When you complete your planning and are ready to install and use IBM
Cognos Controller, refer to the other IBM Cognos Controller documents for
step-by-step instructions “Introduction” on page v.
The installation and configuration choices that produce the best performance
depend on your reporting requirements, resources, and preferences.
When you install IBM Cognos Controller, you specify where to install the
following components:
v gateway components, which include the gateway, Controller Client Distribution
Server, and Gateway Integration Enabler
v application tier components, which include Controller Web Services Server,
Report Server, and IBM Cognos Connection Integration Enabler.
v Content Manager components, which include Content Manager and Controller
Framework Manager Model
You can install all IBM Cognos Controller components on one computer, or
distribute them across a network.
In the following diagram, all IBM Cognos Controller components are installed on
one computer, along with a Web server. The content store and Controller database
may be located on the same or different computers.
Both the gateway components computer and the computer with the remaining IBM
Cognos Controller components must include a Web server.
In the following diagram, remote users access the gateway components computer
and internal clients access the servers directly. Incoming requests from remote
clients are passed to the gateway and forwarded to the appropriate component on
either the gateway or server computer. To enable internal clients to access IBM
Cognos Controller from within the firewall, one gateway component (the
Controller Client Distribution Server) is installed on the server computer. Internal
clients access IBM Cognos Controller by typing the URL of the Controller Client
Distribution Server directly in their Web browsers.
When you distribute components on several computers, you must ensure that the
components are configured so that they can access the required components on the
other computers. On each computer, you must configure properties and set up
virtual directories.
In the following diagram, the Controller Client Distribution Server and Gateway
Server components are on one computer, the Controller Web Services Server
component is on another computer, and the remaining IBM Cognos components
are on a third computer.
After your initial planning and installation is complete, regularly monitor and tune
performance as an IBM Cognos Controller environment changes over time. As
user populations grow, processing requests tend to increase in number and
complexity, and network capacity and other aspects of infrastructure may be
modified. Maintaining IBM Cognos Controller performance is an ongoing task.
Performance planning
Performance is a measure of how effectively a system completes the tasks it was
designed to accomplish.
Planning for capacity means determining the hardware needed for your system to
perform well under its anticipated workload. Capacity planning is a challenge,
because it involves many variables, some of which are difficult or impossible to
measure. It is the science of measuring known variables and developing an
educated estimate of resource requirements on the basis of those measurements. It
is also the art of allowing for unknown variables and assessing their impact on the
estimates derived from the known variables.
As a result, when planning adequate capacity for IBM Cognos Controller, estimate
the number of people who will use IBM Cognos Controller and determine when
they will use it. This can help you decide not only how much hardware you need,
but also how to make the best use of the hardware you have.
The only users placing load on IBM Cognos Controller are those who are actually
performing processing.
These are concurrent users. You can estimate the number of concurrent users,
based on your total user population, by distinguishing between named, active, and
concurrent users:
v named users
Named users are all of the users authorized to use IBM Cognos Controller; that
is, your total user population.
v active users
A subset of named users, active users are logged on to IBM Cognos Controller
and can demand system resources.
v concurrent users
A subset of active users, concurrent users are simultaneously demanding system
resources. This includes users submitting requests and users waiting for a
response to a request.
As a general rule, the ratio of named to active to concurrent users for business
intelligence applications is about 100:10:1. In other words, for every 1000 named
users there are 100 active users and 10 concurrent users.
The concurrency ratio can vary over time, and is affected by many factors. For
example, the number of concurrent users relative to active and named users tends
to be higher when the user population is small. However, the most important
determinant of the concurrency ratio is how processing demand is distributed over
time. During the process of closing books at year-end, the number of concurrent
users is significantly higher than at other times of the year.
Load distribution
By determining when users are most likely to be using IBM Cognos Controller and
submitting processing requests, you can decide when to schedule automated
processes. This allows you to distribute the processing load evenly over time, so
that you make the best use of your system resources to maintain optimal
performance. The key to doing this is estimating the number of concurrent users
that will be applying load to your IBM Cognos Controller system at any time.
Factors such as business hours, business practices, and the geographic distribution
of users can determine how the concurrency rate changes over time, and how you
choose to ensure adequate capacity.
On the other hand, if your user population is distributed across several time zones,
user load on the system tends to be spread out over more hours, and there are
fewer available non-peak hours for scheduled activities. In this situation, you may
choose to dedicate separate hardware resources for interactive and noninteractive
use.
The greater the complexity of a request, the more time is needed to process the
request. In general, hardware resources can process more requests in a given time
period when the requests are simple rather than complex. As a result, application
complexity is an important determinant of the number of concurrent users that can
be supported on a given hardware infrastructure.
By identifying reports run at peak times, and improving their efficiency while
meeting user requirements, you can improve performance during peak times.
Because reporting patterns change over time, assessing application complexity and
improving reporting efficiency should be ongoing activities.
Use true server computers, rather than fast workstations. True server computers
run business applications faster and provide systems that are less likely to fail.
Will Web and application servers be dedicated solely for use by IBM
Cognos Controller, or shared by other software products? If other applications are
sharing the resources, these applications must be taken into account when
determining capacity requirements.
Install only gateway components on server computers that are dedicated to Web
server processing. Web servers are designed to handle many small requests.
Application servers often handle larger requests.
The complexity of your security infrastructure can increase response time. As your
security infrastructure becomes more complex, a user request must be validated
more frequently. For example, if you implement multiple network firewalls, each
firewall must validate every request that passes through it. This can increase the
time taken to complete the request.
Citrix can be used to provide Windows client access to IBM Cognos Controller
applications in distributed environments that have limited network bandwidth.
This type of access is typically required only for remote application administrators.
IBM Cognos Controller also provides a Web client for normal user access.
The following table shows the minimum and recommended configuration for
terminal emulation services.
Table 1. Minimum and recommended configuration for terminal emulation services
Component Minimum Recommended
Hard drive SCSI RAID
CPU 1 CPU, 2 GHz 2 CPU, 3 GHz
Free disk space 500 MB 10 GB (up to 30 GB for
cubes)
Memory 2 GB 2 GB
Scalability
IBM Cognos products are easily expanded to adapt to the changing requirements
of an application.
IBM Cognos Controller scales vertically using more powerful computers, and
horizontally using a greater number of computers.
You can load balance the consolidation functions of IBM Cognos Controller by
installing Controller Web Services Server on two computers and then moving the
COM+ components that are used for consolidation to the second computer. The
first computer accepts user requests but does not perform consolidation tasks. The
second computer acts as the consolidation server.
Performance tuning
Because changes to your IBM Cognos Controller environment can affect
performance, it is important to monitor and tune performance regularly.
Database tuning
IBM Cognos Controller uses a relational database management system, such as
Microsoft SQL Server, or Oracle.
For information about tuning your database, see the documentation provided by
your database vendor.
Before tuning a DB2 content store, allocate sufficient log space to restructure the
database.
IBM Cognos Controller installs and uses Tomcat as the application server for
reporting components. To enhance and maintain reporting performance, you
should monitor memory settings and connection limits and tune them based on
IBM Cognos Controller usage characteristics.
The memory allocation strategy for your application server depends on the
available capacity of your resources, and on the resource needs of other
applications running on the server. In general, we recommend that you configure
your application server with a minimum of 512 megabytes of memory for
multi-user applications. You may be able to reduce application server memory to
256 kilobytes, but you should only consider this for single users, or for proof of
concept or demonstration applications.
To configure Apache Tomcat memory settings, use IBM Cognos Configuration. For
information about using IBM Cognos Configuration, see the IBM Cognos Controller
Installation and Configuration Guide.
If the value of this application server setting is too low, users may encounter
difficulties when making reporting requests. It is a good practice to monitor the
application server process and its use of connections.
If a user views a one-page document on an idle system, the CPU time is often less
than one second. However, PDF files vary in size, and response time is limited by
your network speed.
If you have users who access IBM Cognos Controller using a dial-up connection,
we recommend that you change PDF rendering settings to improve performance.
For more information about PDF documents, see the documentation provided with
Adobe Acrobat.
Batch processing
Batch processing provides a way to run large jobs during off-peak times.
For example, running consolidations takes a significant amount of time. You can
schedule this job to run as an overnight batch process.
For Microsoft Excel reports that contain a large amount of data, performance may
be improved with enhanced reporting optimization. When this feature is enabled,
bulk insert technology is used to insert data into the database, which allows for
faster data transfer. This option only affects the IBM Cognos Controller Link for
Microsoft Excel reports and Controller Report Generator reports.
This is important to assess the occurrence and impact of paging, memory use, and
other measures of an efficient system.
Depending on the size of reports and the amount of available memory, Report
Servers may access a physical disk when processing reports. To improve
performance, you can ensure that report processing uses available memory rather
than disk space.
To ensure that Report Servers use memory instead of disk space, in the
rsvpproperties.xml file, edit the VirtualMemoryDiagnostics property to use
unlimited memory (value = 2) rather than limited memory (value = 0):
<property>VirtualMemoryDiagnostics</property>
<value type="long">2</value>
For information about using the rsvpproperties.xml file, see “Changing report
processing behavior.”
You can change the default processing behavior for the Report Server by
modifying entries in the rsvpproperties file.
Settings in the rsvpproperties.xml file are very sensitive to change. Changing these
properties may greatly impact the behavior of IBM Cognos Controller. As a result,
you should use discretion when changing these values. For more information,
contact Cognos Software Services for support.
You can configure the IBM Cognos Controller user interfaces for your preferred
supported language and regional settings, or any combination of supported
languages.
To configure IBM Cognos Controller for a global environment, you must use
Controller Configuration to customize the language support for the IBM Cognos
Controller and Cognos Viewer user interfaces and for the report templates.
You can control the language setting for the IBM Cognos Controller and Cognos
Viewer user interfaces and for report templates. This setting is available in
Controller Configuration.
A locale specifies linguistic information and cultural conventions for character type,
collation, format of date and time, currency unit, and messages. More than one
locale can be associated with a particular language, which allows for regional
differences.
Product locale
The product locale controls the language of the IBM Cognos Connection user
interface and all messages, including error messages.
Server locale
The server locale ensures that all log messages generated by reporting components
are in one language. It is configured during installation. In a distributed
environment, reporting components obtain the server locale from Content Manager.
This material may be available from IBM in other languages. However, you may be
required to own a copy of the product or product version in that language in order
to access it.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service. This document may
describe products, services, or features that are not included in the Program or
license entitlement that you have purchased.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law: INTERNATIONAL
BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS"
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE. Some states do not allow disclaimer of express or implied warranties in
certain transactions, therefore, this statement may not apply to you.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.
All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
If you are viewing this information softcopy, the photographs and color
illustrations may not appear.
Trademarks
IBM, the IBM logo and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at “ Copyright and
trademark information ” at www.ibm.com/legal/copytrade.shtml.
Notices 51
52 Architecture and Deployment Guide
Index
Special characters COM+ Server (continued)
component 7
.xml configuration files 27 COM+ users
communications 14
common gateway interface 5
A communications 13
Access Manager components
component 9 Content Manager 8
active users 37 distributing for consolidation load balancing 40
administration 29 installing on multiple computers 34
IBM Cognos Connection 29 installing on one computer 33
Apache Tomcat startup configuration 26
memory settings 42 components,
application complexity 39 See gateway components
application servers concurrent users 37
multiple server access to reporting database 40 configuration
tuning 42 Cognos Configuration 5
application tier components 7 for multilingual reporting 28
architecture Microsoft .NET Framework security policies 19, 27
communications 13 monitoring changes 27
security 19 of Web browsers 28
workflow 25 planning 31
authentication providers report processing 44
security 20 security 28
authentication services 19 startup 26
authorization services 21 configuration files 27
configuration requirements
Citrix 39
B connecting to database 14
connection limits
batch processing 43 setting 42
BI Bus API 13 Content Manager
browsers Access Manager 9
configuring 28 component 8
importing IBM Cognos Controller standard reports
package 27
C Content Manager service 7
capacity planning 37 content providers 10
infrastructure components 39 content store
certificate authority 22 component 10
third-party 23 database connection management 14
CGI, Controller
See common gateway interface server components 4
Citrix 39 Controller Client Distribution Server
coglocale.xml 27 component 6
Cognos Application Firewall 23 configuring trust 19
Cognos Configuration Controller Configuration
configuration 5 user interfaces 4
Cognos Controller Controller Data Mart database 13
security 19 Controller database
Cognos Controller solution 1 component 11
Cognos namespace 21, 28 database connection management 14
Cognos security 20 native security 19
Cognos Viewer Controller standard reports package
language of user interface 47 component 10
user interfaces 4 Controller Web Services Server
cogstartup.xml 27 COM+ Server 7
COM+ identity component 7
communications 14 cryptographic keys 23
COM+ Server cryptographic providers
communications 14 enhanced 22
H M
maintaining disks 44
HTML reports
memory settings
running 16
Apache Tomcat 42
Hypertext Transfer Protocol 13
Microsoft .NET Framework
communications 13
configuring security policies 19, 27
I other component 10
IBM Cognos Application Firewall 28 multilingual reporting
IBM Cognos Configuration 26 configuring for 28
server components 5 multiple computer installation 34, 35
user interfaces 4
IBM Cognos Connection
language of user interface 47
server components 5
R T
rendering PDF reports 43 third-party certificate authority 23
Report Server tuning
component 7 application servers 42
dispatcher 7 databases 41
monitoring 44 DB2 content store 42
services 7 performance 41
temporary disk space 44
report service 7
report templates
language 47 U
report types unattended installation 26
and capacity planning 37 user community
reporting database size 37
access from multiple application servers 40 user interfaces 4
reports user load
enhanced optimization 43 estimating 37
running 16 users 22
request flow processing 16 active 37
roles 22 concurrent 37
rsvpproperties.xml 44 named 37
running reports 16
W
S Web browsers
scalability 40 configuring 28
secure logging 23 Windows authentication 21
secure sockets layer 22 workflow 25
SecureError 23
security
See also cryptographic keys X
authentication providers 20 XML configuration files 27
Cognos Controller 19
Index 55