SSO not working for (SSL) selfsigned cert for Planning Analytics via Cognos Analytics(Mode5)

[kavitha2002]

Hello Everyone,

I am configuring the SSL(https) selfsigned certificate for CA and PA. As a initial step, I have configured for PA tm1web and TM1 Server which is working fine.

Then I have configured SSL(https) for Cognos Analytics, it is also working fine with https+SSO. Till this point everything went well.

But after the configuration of CA SSL, Architect is not working and its keep loading and Tm1web is also not working its keep redirecting to cognos homepage itself.
The error was captured in fiddler is below:

HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Thu, 03 Mar 2022 14:09:09 GMT
Content-Length: 0
Proxy-Support: Session-Based-Authentication


I believe the problem is with IIS, so as a first try I used Gateway url then everything is working fine except SSO, its a expected behaviour (IIS for SSO in short)

What is missing in the IIS configuration? Could be the Certificate Issue? I could not able to import the ibm CA root certificate in IIS right?

In IIS Server Certificate I have imported the selfsigned domain-specific certificate generated in my local.

Problem 1: Architect logging-in keep loading not logged-in
Problem 2: Tm1web is redirecting to Cognos Homepage

Any suggestions are welcome:)

Thanks in advance

[burnstripe]

Where are you accessing Architect or TM1Web from. Is this from the same machine that you can successfully login to CA with SSO?

For TM1 to use Cognos Analytics for authentication there are some bi interop files. Have these been updated to https? When you authenticate in tm1 under cam security it finds the Clientcamuri and servercamuri in the tm1s.cfg sending you to CA for authentication, then the bi_interop files should send you back to tm1.

If you're accessing planning analytics through https then the bi_interop files will need to contain the https addresses.

For tm1web there should be a file tm1web.html found in ca install/webcontent/bi/tm1/tm1web.html

Architect I believe uses the planning.html which should be located here
CA install/webcontent/bi/planning.html

If any of these files needed updating, restart iis once you're done for the changes to take effect.

[kavitha2002]

Hi Burnstripe,

Thanks for you response.

Yes, both CA + PA installed in same machine.

Actually the scenario is, I have already configured CA with PA as protocol 'http and IntegratedSecurityMode 5', its working fine. Now I have changed SSL(self-signed certificate) for CA and PA. For Tm1web and TM1server, SSL works fine independently. The problem is encountered when CA with SSL in place(tm1s.cfg) with Architect and TM1web.

Normally the url for CA with SSO via IIS is https://FQDN:443/ibmcognos/bi/ --> works well

There is another gateway url for CA without SSO is https://FQDN:9300/bi/v1/disp --> works well

When I give gateway url in 'ClientCAMURI=https://FQDN:9300/bi/v1/disp' in tm1s.cfg, Architect and tm1web works fine as expected without SSO. But when i specify 'ClientCAMURI=https://FQDN:443/ibmcognos/bi/' in tm1s.cfg the Architect and tm1web not working.

I have got some trace in the fiddler, says

HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Proxy-Support: Session-Based-Authentication

Could be the certificate problem with IIS? But I have added the self-signed certificate in 'Server Certificate' in IIS.

[burnstripe]

Check out the bi_interop files aka, planning.html and tm1web.html. Now you've switched to ssl, these redirects will need to be using https instead of http. Without this you'll never be able to complete the sign in as the redirect will fail.

[kavitha2002]

I have double checked the bi_interop step. Checked all urls are being set with https. But no luck.

[burnstripe]

The fiddler trace is interesting and not what I would have expected since you can sign into ca fine. Have you tried clearing your cache and are both pa and ca https sites in your list of trusted/local intranet sites?

[kavitha2002]

Site addresses are already added under the 'Local Intranet Sites' in browser.

Regarding the certificate, for Cognos I have CA root Certificate(from IBM) under which my selfsigned certificate present. Attached the screenshot for the same. The request is via Gataway. url: https://win2016ca.domainname.local:9300/bi/

cognos-cert_LI.jpg (857.65 KiB) Viewed 2216 times

Is there any other way to configure the selfsigned certificate for cognos without CA root? So that problem can be fixed I think?

In IIS I have imported only my 'selfsigned certificate' under the 'Server Certificate'.

IIS-server-cert.png (12.8 KiB) Viewed 2216 times

The certticate shown in the picture is Cognos via IIS. Url: https://win2016ca.domainname.local:443/bi/

Cognos-via-IIS.png (3.83 KiB) Viewed 2216 times

This could be one of the reason 'the certificate conflict' via IIS not working for Architect and tm1web.

[burnstripe]

I believe the certificates are the problem given what you've just shared, and it might be this

https://www.ibm.com/support/pages/confi ... te-ca-side

If Sso is working on it's own and the bi_interop files are in the right place it shouldn't be iis related. If in doubt though you can trace the url links with fiddler to see where it is becoming unstuck.

[kavitha2002]

Followed the instructions suggested by you.

Got the below in the lock file under logs, there is no such error stated about the 'Certification Validation error'

2022-03-18 15:40:27 local Shared memory reader PID 12960 started, for shmem "tm1s.exe-1880_2"

So no idea where the actual problem sits.