PAW authentication with CAM redirection issue

Post Reply
HYTan
Posts: 5
Joined: Mon Apr 11, 2011 4:51 am
OLAP Product: TM1
Version: 9.0
Excel Version: 03_07

PAW authentication with CAM redirection issue

Post by HYTan »

Hi there,

Would like to bounce off the community with an issue we currently having with PAW authentication with CAM. We are using PAW 2.0.72 configured with Kerberos SSO in CA 11.2.1 FP3. Users accesses PAW via Load Balancer URL with SSL. However, with this current configuration in PAW to use Load Balancer URL (HTTPS) for authentication, PAW will issue a wrong URL with HTTP for redirection (instead of HTTPS).

Below is the summary of the issue:
++ Application Server (Servername: APPSERVER)
Installed with SQL Server
Installed with Cognos Analytics Content and Application Tier
CA is configured with two domains DomainA and DomainB without IdentityMapping (using Kerberos)
In CA IBM Cognos Configuration, Gateway URI is using https://LOADBALANCER:9443/ibmcognos/bi/v1/disp

++ Web Server (Servername: WEBSERVER)
Installed with Cognos Analytics Gateway Tier and deployed to IIS via CA Script
In PAW Admintool, IBMCognosGatewayURL is using https://LOADBALANCER:9443/ibmcognos/bi/v1/disp

++ IIS Configuration
IIS for CA is running on port 9443 (Using HTTP without SSL)
IIS binding configured with HTTP port 9443 with WEBSERVER hostname
IIS binding configured with HTTP port 9443 with LOADBALANCER url
IIS App Pool is configured using DomainA\SPNACCOUNT
IIS is configured with Windows Authentication with Kerberos (refer to https://cogknowhow.tm1.dk/archives/3111 on how we configured the Kerberos authentication)

++ Other Configuration
All BI Interoperability files are already configured with WEBSERVER and LOADBALANCER url
ClientCamURI in tm1s.cfg is configured with https://LOADBALANCER:9443/ibmcognos/bi/v1/disp

++Test Result
1) Accessing CA via https://LOADBALANCER:9443/ibmcognos/bi/v1/disp , Browser will prompt for Domain selection. After selecting the correct domain, user will be logged in without issue and user can reach CA page

2) Accessing PAW via https://LOADBALANCER , browser will show blue PAW page authenticating and redirect to https://LOADBALANCER:9443/ibmcognos/bi/ ... ADBALANCER
Noticed that the ps parameter is pointing to HTTP instead of HTTPS. In that page, user will still see the Domain selection. After selecting correct domain, user will be successfully authenticated in PA and will be redirected to http://LOADBALANCER/pmhub/pm/security/CAMbibus/login and the page shows “The information you’re about to submit is not secure” .

3) On Test #2, if user manually edit the url page with ps=https://LOADBALANCER (with HTTPS) and press enter, user will see the Domain selection. After selecting correct domain, user will be successfully authenticated in PA and redirected to PAW page successfully.

We have raised this point to IBM support and ask if there are any configs that we can modify, and their reply was to add in $env:EnableSSL=”true” and $env:ServerName=”yourPAWservername” into the paw.ps1 config.

This effectively means we need to then have an SSL cert between the load balancer and the webserver, which defeats the purpose of having a load balancer for SSL offloading. We have added the$env:ServerName=”yourPAWservername” into the config but it didnt seem to work.

As this is not the client's desired outcome, we need to be able to direct back to the corret HTTPS link. Hence seek the community's help to see if anyone has encountered this issue before and what was done to resolve it.

Thank you all!
burnstripe
Regular Participant
Posts: 151
Joined: Wed May 06, 2020 2:58 pm
OLAP Product: Planning Analytics
Version: 2.0.9
Excel Version: 2016

Re: PAW authentication with CAM redirection issue

Post by burnstripe »

In the pmhub.html do you have both http and https entered
http://LOADBALANCER...
https://LOADBALANCER...

What happens if you remove the http, left in the https and restarted iis, cleared the cache and tried again

If it's not this then look over iis for any manual redirects, I.e not those configured by the script
HYTan
Posts: 5
Joined: Mon Apr 11, 2011 4:51 am
OLAP Product: TM1
Version: 9.0
Excel Version: 03_07

Re: PAW authentication with CAM redirection issue

Post by HYTan »

@burnstripe,

Thank you very much for your suggestions. We tried it out by removing the http link and the necessary restarts. It actually resulted in an error that shows that the page could not be reached. That being the case, i think the links are necessary in the configuration.

We got a suggestion from IBM that a configuration in the load balancer might be able to help with this issue, namely
x-forwarded-proto (Proxy protocol e.g. http[s]) & x-forwarded-host (Proxy host)

May I know if you have any experience on that?
burnstripe
Regular Participant
Posts: 151
Joined: Wed May 06, 2020 2:58 pm
OLAP Product: Planning Analytics
Version: 2.0.9
Excel Version: 2016

Re: PAW authentication with CAM redirection issue

Post by burnstripe »

The https links are all you need in the pmhub.html, although it shouldn't hurt to have both listed.
Something is redirecting the link from https to http hence when you removed the http link it didn't work.

This doesn't sound like a configuration issue with Cognos but rather an configuration issue within the load balancer. It sounds like the load balancer has been set up for ssl offloading which would convert the link, if this isn't desired behaviour it'll need changing
HYTan
Posts: 5
Joined: Mon Apr 11, 2011 4:51 am
OLAP Product: TM1
Version: 9.0
Excel Version: 03_07

Re: PAW authentication with CAM redirection issue

Post by HYTan »

@burnstripe,

Thank you for your reply. Yes we also think it is a load balancer config that needs to be setup. We are looking from that angle as we have pretty much exhausted all the possible configs in IBM CA and they are seem to be correct.

Thanks for your input!
Post Reply