Page 1 of 1
10.2.2 to PA TM1Web iFrame Issue
Posted: Thu Oct 29, 2020 9:48 pm
by jim wood
Guys,
We are (finally) in the process of upgrading from 10.2.2 to PA 2.0.7. We have the install complete but we are now testing integration with Share Point. Share Point is running HTTPS and it connects to the TM1 Web API using iFrames. In 10.2.2 this worked without issue. In PA we are hitting an issue with the iFrame not being rendered (blocked). We have found this is to do with mixing HTTPS and HTTP. We are not 100% sure why this worked in 10.2.2 and now not in PA. We've examined the IIS setup on both the 10.2.2 server and the PA server and there is no difference.
We have narrowed this down to a few possible reasons:
1) The server is moving from Server 2012 R2 to Server 2016
2) The move to PA and the change to Web Sphere could have changed something
3) There is something in IIS that we have missed
BTW we have tried META tags on pages to try and resolve the issue without success. We did get HTTP working by adding a X-Frame Options parameter in to IIS.
Any help or pointers would be greatly appreciated,
Jim.
Re: 10.2.2 to PA TM1Web iFrame Issue
Posted: Fri Oct 30, 2020 12:16 am
by burnstripe
Set x-frame options to 2 and edit crossdomainaccesslist to * for any site or list your allowable sites in the tm1web config file, then restart the Web service.
Important note though, chrome's latest release has prevented the use of crossdomain sites so you may need to make some design changes. Internet explorer should be fine though
Re: 10.2.2 to PA TM1Web iFrame Issue
Posted: Fri Oct 30, 2020 4:38 am
by ykud
If you're mixing http inside https (which it sounds you do), the X-Frame setting wouldn't be enough in our experience, you'd get a SameOrigin communicated by tm1web and your https window will cut the iframe out, you need to add
tm1web.origin= parameter to show where're you're embedding.
Try something along the lines of this for your embedded URL:
Code: Select all
http://tm1webserser/tm1web/UrlApi.jsp?tm1web.origin=" + window.location.protocol + "//" + window.location.hostname +"#action=Open&type=Websheet&Workbook=A
Cheers,
Y
Re: 10.2.2 to PA TM1Web iFrame Issue
Posted: Fri Oct 30, 2020 12:37 pm
by jim wood
burnstripe wrote: ↑Fri Oct 30, 2020 12:16 am
Set x-frame options to 2 and edit crossdomainaccesslist to * for any site or list your allowable sites in the tm1web config file, then restart the Web service.
Important note though, chrome's latest release has prevented the use of crossdomain sites so you may need to make some design changes. Internet explorer should be fine though
Yeh we did this as well. It's never getting as far as hitting TM1. The iFrame never gets that far. We tracked the page progress in the browser. Thanks for getting back to me though,
Jim.
Re: 10.2.2 to PA TM1Web iFrame Issue
Posted: Fri Oct 30, 2020 12:43 pm
by jim wood
ykud wrote: ↑Fri Oct 30, 2020 4:38 am
If you're mixing http inside https (which it sounds you do), the X-Frame setting wouldn't be enough in our experience, you'd get a SameOrigin communicated by tm1web and your https window will cut the iframe out, you need to add
tm1web.origin= parameter to show where're you're embedding.
Try something along the lines of this for your embedded URL:
Code: Select all
http://tm1webserser/tm1web/UrlApi.jsp?tm1web.origin=" + window.location.protocol + "//" + window.location.hostname +"#action=Open&type=Websheet&Workbook=A
Cheers,
Y
Interesting. I'll compare this to the embedded link that we have right now.
Re: 10.2.2 to PA TM1Web iFrame Issue
Posted: Fri Oct 30, 2020 1:12 pm
by tomok
My advice to you is not to mix HTTP and HTTPS. I have a good bit of web experience (not PA) and I have had nothing but problems when trying to mix the two so I never do it anymore. Is there a specific reason why you don't have TM1Web and Sharepoint both rendered via HTTPS? That is pretty much the default nowadays anyway.
Re: 10.2.2 to PA TM1Web iFrame Issue
Posted: Fri Oct 30, 2020 1:18 pm
by jim wood
So I put this in:
Code: Select all
http://uat.reporting.panynj.gov:9510/tm1web/UrlApi.jsp?tm1web.origin="+http+"//"+uat.reporting.panynj.gov+"#Action=Open&Type=WebSheet&Workbook=Applications/Project%20OnBoarding/1.Onboarding%20Financial%20Forecast%20Data%20Entry&TM1Server=UAT_Project_OnBoarding_Financials&AccessType=Public&Title_OnBoarding%20-%20Version=Forecast&Title_OnBoarding%20-%20Projects=CA04-739%22/%3E
I'm not sure if I put it in right?
Thanks,
Jim.
Re: 10.2.2 to PA TM1Web iFrame Issue
Posted: Fri Oct 30, 2020 1:25 pm
by jim wood
tomok wrote: ↑Fri Oct 30, 2020 1:12 pm
My advice to you is not to mix HTTP and HTTPS. I have a good bit of web experience (not PA) and I have had nothing but problems when trying to mix the two so I never do it anymore. Is there a specific reason why you don't have TM1Web and Sharepoint both rendered via HTTPS? That is pretty much the default nowadays anyway.
I hear you. Share Point is configured to HTTPS. Both CA and PA have been installed as HTTP. SO we're trying to avoid completely over hauling the full install and all connections. But it's not off the table if we have no choice.
Re: 10.2.2 to PA TM1Web iFrame Issue
Posted: Fri Oct 30, 2020 8:23 pm
by ykud
jim wood wrote: ↑Fri Oct 30, 2020 1:18 pm
So I put this in:
Code: Select all
http://uat.reporting.panynj.gov:9510/tm1web/UrlApi.jsp?tm1web.origin="+http+"//"+uat.reporting.panynj.gov+"#Action=Open&Type=WebSheet&Workbook=Applications/Project%20OnBoarding/1.Onboarding%20Financial%20Forecast%20Data%20Entry&TM1Server=UAT_Project_OnBoarding_Financials&AccessType=Public&Title_OnBoarding%20-%20Version=Forecast&Title_OnBoarding%20-%20Projects=CA04-739%22/%3E
I'm not sure if I put it in right?
Thanks,
Jim.
Almost, but if you’re hard coding, it should look like this:
Code: Select all
http://uat.reporting.panynj.gov:9510/tm1web/UrlApi.jsp?tm1web.origin=http://uat.reporting.panynj.gov#Action=Open&Type=WebSheet&Workbook=Applications/Project%20OnBoarding/1.Onboarding%20Financial%20Forecast%20Data%20Entry&TM1Server=UAT_Project_OnBoarding_Financials&AccessType=Public&Title_OnBoarding%20-%20Version=Forecast&Title_OnBoarding%20-%20Projects=CA04-739%22/%3E
Re: 10.2.2 to PA TM1Web iFrame Issue
Posted: Fri Oct 30, 2020 8:58 pm
by jim wood
That worked like a charm. Thank you so much for your help,
JIm.
Re: 10.2.2 to PA TM1Web iFrame Issue
Posted: Sat Oct 31, 2020 11:42 am
by ykud
jim wood wrote: ↑Fri Oct 30, 2020 8:58 pm
That worked like a charm. Thank you so much for your help,
JIm.
Happy to help,
Y
I do second the run it through https suggestion by tomok, but I’m a big fan of not doing this configuration on pa side and using a reverse proxy like f5 in front of it to handle https. Certificates have mandatory 2 year expiry gap and updating them in 3 places (tm1web, paw and ca) is a chore. Having a central proxy makes it someone else’s problem )
Re: 10.2.2 to PA TM1Web iFrame Issue
Posted: Tue Nov 03, 2020 1:58 pm
by jim wood
I agree with you and Tomok. We don't have it in place as there are different standards at play at the customer site. We didn't have SSL in place for 10.2.2 or HTTPS as they were deemed not needed as this was all fully behind the firewall. Yet on the Share Point side they were told that HTTPS was the standard install. We're happy to move up but we've told to hold off on that for now.
Re: 10.2.2 to PA TM1Web iFrame Issue
Posted: Tue Nov 03, 2020 4:49 pm
by lotsaram
As an immediate (and/or long term) using a reverse proxy such as SweetSSL or NGINX is the best way to go to ensure that all content is secure and on the same domain.
All the recent chromium based browsers enforce by default that to display content sites must include “SameSite=None; Secure” in their cookies, and as yet TM1Web doesn't and therefore won't display in iFrames (like in SharePoint, CA, PAW) if the domain is different.
This issue must be affecting A LOT of customers so I'm sure that IBM are aware of it and will fix it (although probably only for the latest release of "spreadsheet services" and not for past versions of Tm1Web). But regardless of any forthcoming fix the best way to be sure is to set up a reverse proxy. (Although I may just be repeating what Yuri already said using a reverse proxy is also the best and easiest way to ensure that what you are exposing to the users and outside world is using https/SSL without needing to bother with setting up CA, PAW, TM1Web all separately to use SSL which can be a PITA. Just do it once, centrally, using whatever certificates you choose.)
Re: 10.2.2 to PA TM1Web iFrame Issue
Posted: Fri Nov 13, 2020 5:57 pm
by jim wood
Thanks for the follow up lotsaram and the detailed explanation. I'll keep this in mind. Hopefully soon we'll move away from TM1Web but the client needs a work space license first, so there is that.