10.2.2 to PA TM1Web iFrame Issue

Post Reply
User avatar
jim wood
Site Admin
Posts: 3951
Joined: Wed May 14, 2008 1:51 pm
OLAP Product: TM1
Version: PA 2.0.7
Excel Version: Office 365
Location: 37 East 18th Street New York
Contact:

10.2.2 to PA TM1Web iFrame Issue

Post by jim wood »

Guys,

We are (finally) in the process of upgrading from 10.2.2 to PA 2.0.7. We have the install complete but we are now testing integration with Share Point. Share Point is running HTTPS and it connects to the TM1 Web API using iFrames. In 10.2.2 this worked without issue. In PA we are hitting an issue with the iFrame not being rendered (blocked). We have found this is to do with mixing HTTPS and HTTP. We are not 100% sure why this worked in 10.2.2 and now not in PA. We've examined the IIS setup on both the 10.2.2 server and the PA server and there is no difference.

We have narrowed this down to a few possible reasons:

1) The server is moving from Server 2012 R2 to Server 2016
2) The move to PA and the change to Web Sphere could have changed something
3) There is something in IIS that we have missed

BTW we have tried META tags on pages to try and resolve the issue without success. We did get HTTP working by adding a X-Frame Options parameter in to IIS.

Any help or pointers would be greatly appreciated,

Jim.
Struggling through the quagmire of life to reach the other side of who knows where.
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
burnstripe
Regular Participant
Posts: 197
Joined: Wed May 06, 2020 2:58 pm
OLAP Product: Planning Analytics
Version: 2.0.9
Excel Version: 2016

Re: 10.2.2 to PA TM1Web iFrame Issue

Post by burnstripe »

Set x-frame options to 2 and edit crossdomainaccesslist to * for any site or list your allowable sites in the tm1web config file, then restart the Web service.

Important note though, chrome's latest release has prevented the use of crossdomain sites so you may need to make some design changes. Internet explorer should be fine though
User avatar
ykud
MVP
Posts: 148
Joined: Sat Jan 10, 2009 10:52 am
Contact:

Re: 10.2.2 to PA TM1Web iFrame Issue

Post by ykud »

If you're mixing http inside https (which it sounds you do), the X-Frame setting wouldn't be enough in our experience, you'd get a SameOrigin communicated by tm1web and your https window will cut the iframe out, you need to add tm1web.origin= parameter to show where're you're embedding.

Try something along the lines of this for your embedded URL:

Code: Select all

http://tm1webserser/tm1web/UrlApi.jsp?tm1web.origin=" + window.location.protocol + "//" + window.location.hostname +"#action=Open&type=Websheet&Workbook=A
Cheers,
Y
User avatar
jim wood
Site Admin
Posts: 3951
Joined: Wed May 14, 2008 1:51 pm
OLAP Product: TM1
Version: PA 2.0.7
Excel Version: Office 365
Location: 37 East 18th Street New York
Contact:

Re: 10.2.2 to PA TM1Web iFrame Issue

Post by jim wood »

burnstripe wrote: Fri Oct 30, 2020 12:16 am Set x-frame options to 2 and edit crossdomainaccesslist to * for any site or list your allowable sites in the tm1web config file, then restart the Web service.

Important note though, chrome's latest release has prevented the use of crossdomain sites so you may need to make some design changes. Internet explorer should be fine though
Yeh we did this as well. It's never getting as far as hitting TM1. The iFrame never gets that far. We tracked the page progress in the browser. Thanks for getting back to me though,

Jim.
Struggling through the quagmire of life to reach the other side of who knows where.
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
User avatar
jim wood
Site Admin
Posts: 3951
Joined: Wed May 14, 2008 1:51 pm
OLAP Product: TM1
Version: PA 2.0.7
Excel Version: Office 365
Location: 37 East 18th Street New York
Contact:

Re: 10.2.2 to PA TM1Web iFrame Issue

Post by jim wood »

ykud wrote: Fri Oct 30, 2020 4:38 am If you're mixing http inside https (which it sounds you do), the X-Frame setting wouldn't be enough in our experience, you'd get a SameOrigin communicated by tm1web and your https window will cut the iframe out, you need to add tm1web.origin= parameter to show where're you're embedding.

Try something along the lines of this for your embedded URL:

Code: Select all

http://tm1webserser/tm1web/UrlApi.jsp?tm1web.origin=" + window.location.protocol + "//" + window.location.hostname +"#action=Open&type=Websheet&Workbook=A
Cheers,
Y
Interesting. I'll compare this to the embedded link that we have right now.
Struggling through the quagmire of life to reach the other side of who knows where.
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
tomok
MVP
Posts: 2831
Joined: Tue Feb 16, 2010 2:39 pm
OLAP Product: TM1, Palo
Version: Beginning of time thru 10.2
Excel Version: 2003-2007-2010-2013
Location: Atlanta, GA
Contact:

Re: 10.2.2 to PA TM1Web iFrame Issue

Post by tomok »

My advice to you is not to mix HTTP and HTTPS. I have a good bit of web experience (not PA) and I have had nothing but problems when trying to mix the two so I never do it anymore. Is there a specific reason why you don't have TM1Web and Sharepoint both rendered via HTTPS? That is pretty much the default nowadays anyway.
Tom O'Kelley - Manager Finance Systems
American Tower
http://www.onlinecourtreservations.com/
User avatar
jim wood
Site Admin
Posts: 3951
Joined: Wed May 14, 2008 1:51 pm
OLAP Product: TM1
Version: PA 2.0.7
Excel Version: Office 365
Location: 37 East 18th Street New York
Contact:

Re: 10.2.2 to PA TM1Web iFrame Issue

Post by jim wood »

So I put this in:

Code: Select all

http://uat.reporting.panynj.gov:9510/tm1web/UrlApi.jsp?tm1web.origin="+http+"//"+uat.reporting.panynj.gov+"#Action=Open&Type=WebSheet&Workbook=Applications/Project%20OnBoarding/1.Onboarding%20Financial%20Forecast%20Data%20Entry&TM1Server=UAT_Project_OnBoarding_Financials&AccessType=Public&Title_OnBoarding%20-%20Version=Forecast&Title_OnBoarding%20-%20Projects=CA04-739%22/%3E
I'm not sure if I put it in right?

Thanks,

Jim.
Struggling through the quagmire of life to reach the other side of who knows where.
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
User avatar
jim wood
Site Admin
Posts: 3951
Joined: Wed May 14, 2008 1:51 pm
OLAP Product: TM1
Version: PA 2.0.7
Excel Version: Office 365
Location: 37 East 18th Street New York
Contact:

Re: 10.2.2 to PA TM1Web iFrame Issue

Post by jim wood »

tomok wrote: Fri Oct 30, 2020 1:12 pm My advice to you is not to mix HTTP and HTTPS. I have a good bit of web experience (not PA) and I have had nothing but problems when trying to mix the two so I never do it anymore. Is there a specific reason why you don't have TM1Web and Sharepoint both rendered via HTTPS? That is pretty much the default nowadays anyway.
I hear you. Share Point is configured to HTTPS. Both CA and PA have been installed as HTTP. SO we're trying to avoid completely over hauling the full install and all connections. But it's not off the table if we have no choice.
Struggling through the quagmire of life to reach the other side of who knows where.
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
User avatar
ykud
MVP
Posts: 148
Joined: Sat Jan 10, 2009 10:52 am
Contact:

Re: 10.2.2 to PA TM1Web iFrame Issue

Post by ykud »

jim wood wrote: Fri Oct 30, 2020 1:18 pm So I put this in:

Code: Select all

http://uat.reporting.panynj.gov:9510/tm1web/UrlApi.jsp?tm1web.origin="+http+"//"+uat.reporting.panynj.gov+"#Action=Open&Type=WebSheet&Workbook=Applications/Project%20OnBoarding/1.Onboarding%20Financial%20Forecast%20Data%20Entry&TM1Server=UAT_Project_OnBoarding_Financials&AccessType=Public&Title_OnBoarding%20-%20Version=Forecast&Title_OnBoarding%20-%20Projects=CA04-739%22/%3E
I'm not sure if I put it in right?

Thanks,

Jim.
Almost, but if you’re hard coding, it should look like this:

Code: Select all

http://uat.reporting.panynj.gov:9510/tm1web/UrlApi.jsp?tm1web.origin=http://uat.reporting.panynj.gov#Action=Open&Type=WebSheet&Workbook=Applications/Project%20OnBoarding/1.Onboarding%20Financial%20Forecast%20Data%20Entry&TM1Server=UAT_Project_OnBoarding_Financials&AccessType=Public&Title_OnBoarding%20-%20Version=Forecast&Title_OnBoarding%20-%20Projects=CA04-739%22/%3E
User avatar
jim wood
Site Admin
Posts: 3951
Joined: Wed May 14, 2008 1:51 pm
OLAP Product: TM1
Version: PA 2.0.7
Excel Version: Office 365
Location: 37 East 18th Street New York
Contact:

Re: 10.2.2 to PA TM1Web iFrame Issue

Post by jim wood »

That worked like a charm. Thank you so much for your help,

JIm.
Struggling through the quagmire of life to reach the other side of who knows where.
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
User avatar
ykud
MVP
Posts: 148
Joined: Sat Jan 10, 2009 10:52 am
Contact:

Re: 10.2.2 to PA TM1Web iFrame Issue

Post by ykud »

jim wood wrote: Fri Oct 30, 2020 8:58 pm That worked like a charm. Thank you so much for your help,

JIm.
Happy to help,
Y

I do second the run it through https suggestion by tomok, but I’m a big fan of not doing this configuration on pa side and using a reverse proxy like f5 in front of it to handle https. Certificates have mandatory 2 year expiry gap and updating them in 3 places (tm1web, paw and ca) is a chore. Having a central proxy makes it someone else’s problem )
User avatar
jim wood
Site Admin
Posts: 3951
Joined: Wed May 14, 2008 1:51 pm
OLAP Product: TM1
Version: PA 2.0.7
Excel Version: Office 365
Location: 37 East 18th Street New York
Contact:

Re: 10.2.2 to PA TM1Web iFrame Issue

Post by jim wood »

I agree with you and Tomok. We don't have it in place as there are different standards at play at the customer site. We didn't have SSL in place for 10.2.2 or HTTPS as they were deemed not needed as this was all fully behind the firewall. Yet on the Share Point side they were told that HTTPS was the standard install. We're happy to move up but we've told to hold off on that for now.
Struggling through the quagmire of life to reach the other side of who knows where.
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
lotsaram
MVP
Posts: 3651
Joined: Fri Mar 13, 2009 11:14 am
OLAP Product: TableManager1
Version: PA 2.0.x
Excel Version: Office 365
Location: Switzerland

Re: 10.2.2 to PA TM1Web iFrame Issue

Post by lotsaram »

As an immediate (and/or long term) using a reverse proxy such as SweetSSL or NGINX is the best way to go to ensure that all content is secure and on the same domain.

All the recent chromium based browsers enforce by default that to display content sites must include “SameSite=None; Secure” in their cookies, and as yet TM1Web doesn't and therefore won't display in iFrames (like in SharePoint, CA, PAW) if the domain is different.

This issue must be affecting A LOT of customers so I'm sure that IBM are aware of it and will fix it (although probably only for the latest release of "spreadsheet services" and not for past versions of Tm1Web). But regardless of any forthcoming fix the best way to be sure is to set up a reverse proxy. (Although I may just be repeating what Yuri already said using a reverse proxy is also the best and easiest way to ensure that what you are exposing to the users and outside world is using https/SSL without needing to bother with setting up CA, PAW, TM1Web all separately to use SSL which can be a PITA. Just do it once, centrally, using whatever certificates you choose.)
Please place all requests for help in a public thread. I will not answer PMs requesting assistance.
User avatar
jim wood
Site Admin
Posts: 3951
Joined: Wed May 14, 2008 1:51 pm
OLAP Product: TM1
Version: PA 2.0.7
Excel Version: Office 365
Location: 37 East 18th Street New York
Contact:

Re: 10.2.2 to PA TM1Web iFrame Issue

Post by jim wood »

Thanks for the follow up lotsaram and the detailed explanation. I'll keep this in mind. Hopefully soon we'll move away from TM1Web but the client needs a work space license first, so there is that.
Struggling through the quagmire of life to reach the other side of who knows where.
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
Post Reply