PAW authentication with CAM redirection issue
Posted: Thu Jul 07, 2022 5:14 am
Hi there,
Would like to bounce off the community with an issue we are currently having with PAW authentication with CAM. We are using PAW 2.0.72 configured with Kerberos SSO in CA 11.2.1 FP3. Users access PAW via the Load Balancer URL with SSL. However, with the current configuration in PAW to use the Load Balancer URL (HTTPS) for authentication, PAW will issue a wrong URL with HTTP for redirection (instead of HTTPS).
Below is the summary of the issue:
++ Application Server (Servername: APPSERVER)
Installed with SQL Server
Installed with Cognos Analytics Content and Application Tier
CA is configured with two domains DomainA and DomainB without IdentityMapping (using Kerberos)
In CA IBM Cognos Configuration, Gateway URI is using https://LOADBALANCER:9443/ibmcognos/bi/v1/disp
++ Web Server (Servername: WEBSERVER)
Installed with Cognos Analytics Gateway Tier and deployed to IIS via CA Script
In PAW Admintool, IBMCognosGatewayURL is using https://LOADBALANCER:9443/ibmcognos/bi/v1/disp
++ IIS Configuration
IIS for CA is running on port 9443 (Using HTTP without SSL)
IIS binding configured with HTTP port 9443 with WEBSERVER hostname
IIS binding configured with HTTP port 9443 with LOADBALANCER url
IIS App Pool is configured using DomainA\SPNACCOUNT
IIS is configured with Windows Authentication with Kerberos (refer to https://cogknowhow.tm1.dk/archives/3111 on how we configured the Kerberos authentication)
++ Other Configuration
All BI Interoperability files are already configured with WEBSERVER and LOADBALANCER url
ClientCamURI in tm1s.cfg is configured with https://LOADBALANCER:9443/ibmcognos/bi/v1/disp
++ Test Result
1) Accessing CA via https://LOADBALANCER:9443/ibmcognos/bi/v1/disp , Browser will prompt for Domain selection. After selecting the correct domain, user will be logged in without issue and user can reach CA page
2) Accessing PAW via https://LOADBALANCER , browser will show blue PAW page authenticating and redirect to https://LOADBALANCER:9443/ibmcognos/bi/ ... ADBALANCER
Noticed that the ps parameter is pointing to HTTP instead of HTTPS. In that page, user will still see the Domain selection. After selecting correct domain, user will be successfully authenticated in PA and will be redirected to http://LOADBALANCER/pmhub/pm/security/CAMbibus/login and the page shows “The information you’re about to submit is not secure” .
3) On Test #2, if the user manually edits the URL with ps=https://LOADBALANCER (with HTTPS) and presses enter, the user will see the Domain selection. After selecting the correct domain, the user will be successfully authenticated in PA and redirected to the PAW page successfully.
We have raised this point to IBM support and asked if there are any configs that we can modify, and their reply was to add $env:EnableSSL="true" and $env:ServerName="yourPAWservername" to the paw.ps1 config.
This effectively means we then need to have an SSL cert between the load balancer and the webserver, which defeats the purpose of having a load balancer for SSL offloading. We have added the $env:ServerName="yourPAWservername" to the config but it didn't seem to work.
As this is not the client's desired outcome, we need to be able to direct back to the correct HTTPS link. Hence we seek the community's help to see if anyone has encountered this issue before and what was done to resolve it.
Thank you all!
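Added example (not part of the original post, and not IBM code): a small check for the symptom described in tests #2 and #3, where a login flow that starts on HTTPS carries a plain-HTTP return URL in a query parameter such as `ps`, or redirects to plain HTTP on the same host. The function name and the sample redirect chains are constructed for illustration; the real redirect URL in the post is truncated, so the samples carry only a `ps` parameter.

```python
from urllib.parse import urlsplit, parse_qsl


def _is_http_same_host(url, host):
    """True if url is an absolute plain-HTTP URL on the given (lowercase) host."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed value, not a usable URL
        return False
    return parts.scheme == "http" and parts.hostname == host


def find_downgrades(entry_url, locations):
    """Audit the Location headers of a redirect chain that began on HTTPS.

    Returns (hop_number, where, url) tuples; `where` is "location" for the
    redirect target itself, or the name of the query parameter that carries
    a plain-HTTP return URL (for example "ps").
    """
    entry = urlsplit(entry_url)
    if entry.scheme != "https":
        raise ValueError("entry URL must be https")
    findings = []
    for hop, location in enumerate(locations, start=1):
        if _is_http_same_host(location, entry.hostname):
            findings.append((hop, "location", location))
        # parse_qsl percent-decodes values, so ps=http%3A%2F%2F... is caught too
        for name, value in parse_qsl(urlsplit(location).query):
            if _is_http_same_host(value, entry.hostname):
                findings.append((hop, name, value))
    return findings


# Constructed sample chains (hostnames as used in the post, paths simplified).
ENTRY = "https://LOADBALANCER"
BROKEN_CHAIN = [
    "https://LOADBALANCER:9443/ibmcognos/bi/v1/disp?ps=http%3A%2F%2FLOADBALANCER",
    "http://LOADBALANCER/pmhub/pm/security/CAMbibus/login",
]
FIXED_CHAIN = [
    "https://LOADBALANCER:9443/ibmcognos/bi/v1/disp?ps=https%3A%2F%2FLOADBALANCER",
    "https://LOADBALANCER/pmhub/pm/security/CAMbibus/login",
]

if __name__ == "__main__":
    for hop, where, url in find_downgrades(ENTRY, BROKEN_CHAIN):
        print(f"hop {hop}: plain HTTP in {where}: {url}")
```

The Location values can be collected from the browser's network trace or a proxy log of the login flow and passed in as a list.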