10.2.2 to PA TM1Web iFrame Issue
- jim wood
- Site Admin
- Posts: 3951
- Joined: Wed May 14, 2008 1:51 pm
- OLAP Product: TM1
- Version: PA 2.0.7
- Excel Version: Office 365
- Location: 37 East 18th Street New York
- Contact:
10.2.2 to PA TM1Web iFrame Issue
Guys,
We are (finally) in the process of upgrading from 10.2.2 to PA 2.0.7. We have the install complete but we are now testing integration with Share Point. Share Point is running HTTPS and it connects to the TM1 Web API using iFrames. In 10.2.2 this worked without issue. In PA we are hitting an issue with the iFrame not being rendered (blocked). We have found this is to do with mixing HTTPS and HTTP. We are not 100% sure why this worked in 10.2.2 and now not in PA. We've examined the IIS setup on both the 10.2.2 server and the PA server and there is no difference.
We have narrowed this down to a few possible reasons:
1) The server is moving from Server 2012 R2 to Server 2016
2) The move to PA and the change to Web Sphere could have changed something
3) There is something in IIS that we have missed
BTW we have tried META tags on pages to try and resolve the issue without success. We did get HTTP working by adding a X-Frame Options parameter in to IIS.
Any help or pointers would be greatly appreciated,
Jim.
We are (finally) in the process of upgrading from 10.2.2 to PA 2.0.7. We have the install complete but we are now testing integration with Share Point. Share Point is running HTTPS and it connects to the TM1 Web API using iFrames. In 10.2.2 this worked without issue. In PA we are hitting an issue with the iFrame not being rendered (blocked). We have found this is to do with mixing HTTPS and HTTP. We are not 100% sure why this worked in 10.2.2 and now not in PA. We've examined the IIS setup on both the 10.2.2 server and the PA server and there is no difference.
We have narrowed this down to a few possible reasons:
1) The server is moving from Server 2012 R2 to Server 2016
2) The move to PA and the change to Web Sphere could have changed something
3) There is something in IIS that we have missed
BTW we have tried META tags on pages to try and resolve the issue without success. We did get HTTP working by adding a X-Frame Options parameter in to IIS.
Any help or pointers would be greatly appreciated,
Jim.
Struggling through the quagmire of life to reach the other side of who knows where.
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
-
- Regular Participant
- Posts: 197
- Joined: Wed May 06, 2020 2:58 pm
- OLAP Product: Planning Analytics
- Version: 2.0.9
- Excel Version: 2016
Re: 10.2.2 to PA TM1Web iFrame Issue
Set x-frame options to 2 and edit crossdomainaccesslist to * for any site or list your allowable sites in the tm1web config file, then restart the Web service.
Important note though, chrome's latest release has prevented the use of crossdomain sites so you may need to make some design changes. Internet explorer should be fine though
Important note though, chrome's latest release has prevented the use of crossdomain sites so you may need to make some design changes. Internet explorer should be fine though
Re: 10.2.2 to PA TM1Web iFrame Issue
If you're mixing http inside https (which it sounds you do), the X-Frame setting wouldn't be enough in our experience, you'd get a SameOrigin communicated by tm1web and your https window will cut the iframe out, you need to add tm1web.origin= parameter to show where're you're embedding.
Try something along the lines of this for your embedded URL:
Cheers,
Y
Try something along the lines of this for your embedded URL:
Code: Select all
http://tm1webserser/tm1web/UrlApi.jsp?tm1web.origin=" + window.location.protocol + "//" + window.location.hostname +"#action=Open&type=Websheet&Workbook=A
Y
- jim wood
- Site Admin
- Posts: 3951
- Joined: Wed May 14, 2008 1:51 pm
- OLAP Product: TM1
- Version: PA 2.0.7
- Excel Version: Office 365
- Location: 37 East 18th Street New York
- Contact:
Re: 10.2.2 to PA TM1Web iFrame Issue
Yeh we did this as well. It's never getting as far as hitting TM1. The iFrame never gets that far. We tracked the page progress in the browser. Thanks for getting back to me though,burnstripe wrote: ↑Fri Oct 30, 2020 12:16 am Set x-frame options to 2 and edit crossdomainaccesslist to * for any site or list your allowable sites in the tm1web config file, then restart the Web service.
Important note though, chrome's latest release has prevented the use of crossdomain sites so you may need to make some design changes. Internet explorer should be fine though
Jim.
Struggling through the quagmire of life to reach the other side of who knows where.
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
- jim wood
- Site Admin
- Posts: 3951
- Joined: Wed May 14, 2008 1:51 pm
- OLAP Product: TM1
- Version: PA 2.0.7
- Excel Version: Office 365
- Location: 37 East 18th Street New York
- Contact:
Re: 10.2.2 to PA TM1Web iFrame Issue
Interesting. I'll compare this to the embedded link that we have right now.ykud wrote: ↑Fri Oct 30, 2020 4:38 am If you're mixing http inside https (which it sounds you do), the X-Frame setting wouldn't be enough in our experience, you'd get a SameOrigin communicated by tm1web and your https window will cut the iframe out, you need to add tm1web.origin= parameter to show where're you're embedding.
Try something along the lines of this for your embedded URL:Cheers,Code: Select all
http://tm1webserser/tm1web/UrlApi.jsp?tm1web.origin=" + window.location.protocol + "//" + window.location.hostname +"#action=Open&type=Websheet&Workbook=A
Y
Struggling through the quagmire of life to reach the other side of who knows where.
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
-
- MVP
- Posts: 2832
- Joined: Tue Feb 16, 2010 2:39 pm
- OLAP Product: TM1, Palo
- Version: Beginning of time thru 10.2
- Excel Version: 2003-2007-2010-2013
- Location: Atlanta, GA
- Contact:
Re: 10.2.2 to PA TM1Web iFrame Issue
My advice to you is not to mix HTTP and HTTPS. I have a good bit of web experience (not PA) and I have had nothing but problems when trying to mix the two so I never do it anymore. Is there a specific reason why you don't have TM1Web and Sharepoint both rendered via HTTPS? That is pretty much the default nowadays anyway.
- jim wood
- Site Admin
- Posts: 3951
- Joined: Wed May 14, 2008 1:51 pm
- OLAP Product: TM1
- Version: PA 2.0.7
- Excel Version: Office 365
- Location: 37 East 18th Street New York
- Contact:
Re: 10.2.2 to PA TM1Web iFrame Issue
So I put this in:
I'm not sure if I put it in right?
Thanks,
Jim.
Code: Select all
http://uat.reporting.panynj.gov:9510/tm1web/UrlApi.jsp?tm1web.origin="+http+"//"+uat.reporting.panynj.gov+"#Action=Open&Type=WebSheet&Workbook=Applications/Project%20OnBoarding/1.Onboarding%20Financial%20Forecast%20Data%20Entry&TM1Server=UAT_Project_OnBoarding_Financials&AccessType=Public&Title_OnBoarding%20-%20Version=Forecast&Title_OnBoarding%20-%20Projects=CA04-739%22/%3E
Thanks,
Jim.
Struggling through the quagmire of life to reach the other side of who knows where.
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
- jim wood
- Site Admin
- Posts: 3951
- Joined: Wed May 14, 2008 1:51 pm
- OLAP Product: TM1
- Version: PA 2.0.7
- Excel Version: Office 365
- Location: 37 East 18th Street New York
- Contact:
Re: 10.2.2 to PA TM1Web iFrame Issue
I hear you. Share Point is configured to HTTPS. Both CA and PA have been installed as HTTP. SO we're trying to avoid completely over hauling the full install and all connections. But it's not off the table if we have no choice.tomok wrote: ↑Fri Oct 30, 2020 1:12 pm My advice to you is not to mix HTTP and HTTPS. I have a good bit of web experience (not PA) and I have had nothing but problems when trying to mix the two so I never do it anymore. Is there a specific reason why you don't have TM1Web and Sharepoint both rendered via HTTPS? That is pretty much the default nowadays anyway.
Struggling through the quagmire of life to reach the other side of who knows where.
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
Re: 10.2.2 to PA TM1Web iFrame Issue
Almost, but if you’re hard coding, it should look like this:jim wood wrote: ↑Fri Oct 30, 2020 1:18 pm So I put this in:
I'm not sure if I put it in right?Code: Select all
http://uat.reporting.panynj.gov:9510/tm1web/UrlApi.jsp?tm1web.origin="+http+"//"+uat.reporting.panynj.gov+"#Action=Open&Type=WebSheet&Workbook=Applications/Project%20OnBoarding/1.Onboarding%20Financial%20Forecast%20Data%20Entry&TM1Server=UAT_Project_OnBoarding_Financials&AccessType=Public&Title_OnBoarding%20-%20Version=Forecast&Title_OnBoarding%20-%20Projects=CA04-739%22/%3E
Thanks,
Jim.
Code: Select all
http://uat.reporting.panynj.gov:9510/tm1web/UrlApi.jsp?tm1web.origin=http://uat.reporting.panynj.gov#Action=Open&Type=WebSheet&Workbook=Applications/Project%20OnBoarding/1.Onboarding%20Financial%20Forecast%20Data%20Entry&TM1Server=UAT_Project_OnBoarding_Financials&AccessType=Public&Title_OnBoarding%20-%20Version=Forecast&Title_OnBoarding%20-%20Projects=CA04-739%22/%3E
- jim wood
- Site Admin
- Posts: 3951
- Joined: Wed May 14, 2008 1:51 pm
- OLAP Product: TM1
- Version: PA 2.0.7
- Excel Version: Office 365
- Location: 37 East 18th Street New York
- Contact:
Re: 10.2.2 to PA TM1Web iFrame Issue
That worked like a charm. Thank you so much for your help,
JIm.
JIm.
Struggling through the quagmire of life to reach the other side of who knows where.
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
Re: 10.2.2 to PA TM1Web iFrame Issue
Happy to help,
Y
I do second the run it through https suggestion by tomok, but I’m a big fan of not doing this configuration on pa side and using a reverse proxy like f5 in front of it to handle https. Certificates have mandatory 2 year expiry gap and updating them in 3 places (tm1web, paw and ca) is a chore. Having a central proxy makes it someone else’s problem )
- jim wood
- Site Admin
- Posts: 3951
- Joined: Wed May 14, 2008 1:51 pm
- OLAP Product: TM1
- Version: PA 2.0.7
- Excel Version: Office 365
- Location: 37 East 18th Street New York
- Contact:
Re: 10.2.2 to PA TM1Web iFrame Issue
I agree with you and Tomok. We don't have it in place as there are different standards at play at the customer site. We didn't have SSL in place for 10.2.2 or HTTPS as they were deemed not needed as this was all fully behind the firewall. Yet on the Share Point side they were told that HTTPS was the standard install. We're happy to move up but we've told to hold off on that for now.
Struggling through the quagmire of life to reach the other side of who knows where.
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
-
- MVP
- Posts: 3654
- Joined: Fri Mar 13, 2009 11:14 am
- OLAP Product: TableManager1
- Version: PA 2.0.x
- Excel Version: Office 365
- Location: Switzerland
Re: 10.2.2 to PA TM1Web iFrame Issue
As an immediate (and/or long term) using a reverse proxy such as SweetSSL or NGINX is the best way to go to ensure that all content is secure and on the same domain.
All the recent chromium based browsers enforce by default that to display content sites must include “SameSite=None; Secure” in their cookies, and as yet TM1Web doesn't and therefore won't display in iFrames (like in SharePoint, CA, PAW) if the domain is different.
This issue must be affecting A LOT of customers so I'm sure that IBM are aware of it and will fix it (although probably only for the latest release of "spreadsheet services" and not for past versions of Tm1Web). But regardless of any forthcoming fix the best way to be sure is to set up a reverse proxy. (Although I may just be repeating what Yuri already said using a reverse proxy is also the best and easiest way to ensure that what you are exposing to the users and outside world is using https/SSL without needing to bother with setting up CA, PAW, TM1Web all separately to use SSL which can be a PITA. Just do it once, centrally, using whatever certificates you choose.)
All the recent chromium based browsers enforce by default that to display content sites must include “SameSite=None; Secure” in their cookies, and as yet TM1Web doesn't and therefore won't display in iFrames (like in SharePoint, CA, PAW) if the domain is different.
This issue must be affecting A LOT of customers so I'm sure that IBM are aware of it and will fix it (although probably only for the latest release of "spreadsheet services" and not for past versions of Tm1Web). But regardless of any forthcoming fix the best way to be sure is to set up a reverse proxy. (Although I may just be repeating what Yuri already said using a reverse proxy is also the best and easiest way to ensure that what you are exposing to the users and outside world is using https/SSL without needing to bother with setting up CA, PAW, TM1Web all separately to use SSL which can be a PITA. Just do it once, centrally, using whatever certificates you choose.)
Please place all requests for help in a public thread. I will not answer PMs requesting assistance.
- jim wood
- Site Admin
- Posts: 3951
- Joined: Wed May 14, 2008 1:51 pm
- OLAP Product: TM1
- Version: PA 2.0.7
- Excel Version: Office 365
- Location: 37 East 18th Street New York
- Contact:
Re: 10.2.2 to PA TM1Web iFrame Issue
Thanks for the follow up lotsaram and the detailed explanation. I'll keep this in mind. Hopefully soon we'll move away from TM1Web but the client needs a work space license first, so there is that.
Struggling through the quagmire of life to reach the other side of who knows where.
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7
Shop at Amazon
Jimbo PC Builds on YouTube
OS: Mac OS 11 PA Version: 2.0.7