Turning off that useSSOWithCAM is different from the https/http issue.
The https/http issue happens because the browser is trying to authenticate with the Cognos BI server directly. Whereas turning that flag off means, authentication will be handled by TM1.
The error that you have captured there now seems to be different from the last post you had. That usually happens when:
You do not have the Canvas xdomain files in the Cognos BI server
The URL in the xdomain configuration in the FTL file does not exactly match the host that you have in the clientCam URL in the instances.json file
Regarding point 2, if for example the clientCamUri is http://localhost:80/ibmcognos…, then the configuration must have the target host url exactly as it is - meaning it should have port 80 typed in as well → http://localhost:80.
For testing I configured Canvas, BI and TM1 to communicate only over HTTP.
I’ll test tomorrow points 1 and 2, but I’m almost sure it’s configured correcty in xdomain.
One more thing that I found out today is that the Cognos BI response returns an error: DPR-ERR-2079 (Firewall Security Rejection. Your request was rejected by the security firewall.). In order to solve it I set all the URIs settings to use the FQDN, added Valid domains and hosts and configured Domain in the Global Configuration - all found on IBM websites. However it still doesn’t work as expected.
Hi @jtuckerman,
I’ve seen your already and added servers to the “valid domains or hosts”. However, there must be still something wrong, because the request is blocked.
BI and Canvas are case sensitive. I changed all urls to use only small letters and it works on the server. I’ll keep you posted once I finish the configuration
Could be, but it can also be because of the port (443) that was added into the clientCAMURI property. The port number 443 is already the default port used by browsers for HTTPS connections.
The most probable culprit for that block connection error with Cognos is the header.script.init.ftl's ssoSlaves property configuration not having the same base URL as the clientCAMURI in instances.json file.
So if you do not have the 443 in ssoSlaves, the instances.json file should not have it as well.
Hi @plim,
yes, I can login to the model using Architect (SSO and SSL works fine).
the error I’m getting is: Possibly unhandled rejection: {"data":"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<head xmlns:fault=\"http://developer.cognos.com/schemas/xts/portal/iFaultHandler/1/\"><meta http-equiv=\"refresh\" content=\"0; URL=/ibmcognos/bi/?legacyLogin=%2fibmcognos%2fbi%2fv1%2fdisp%3f%26b_action%3dxts.run%26c_cmd%3dhttps%253a%252f%252fxe-s-tbmfe01t.xe.domain.com%253a8080%252fsamples%252f%26c_mode%3dget%26encoding%3dUTF-8%26m%3dportal%252fbridge.xts%26c_env%3dportal%252fvariables_TM1.xml\"/></head>","status":200,"config":{"method":"GET","transformRequest":[null],"transformResponse":[null],"jsonpCallbackParam":"callback","url":"https://xe-s-tbmdb01t.xe.domain.com:443/ibmcognos/bi/v1/disp?b_action=xts.run&m=portal/bridge.xts&CAMNamespace=domain.com&c_env=portal/variables_TM1.xml&c_mode=get&c_cmd=https://xe-s-tbmfe01t.xe.domain.com:8080/samples/","headers":{"Accept":"application/json, text/plain, */*"},"withCredentials":true},"statusText":"OK"}
The instances.json looks as follows:
[
{
“name”:“dev”,
// For SSO Configuration
ssoSlaves = {
"https://xe-s-tbmdb01t.xe.domain.com:443": "/ibmcognos/xdomain.canvas.html"
};
// ADD YOUR CUSTOM ANGULAR MODULES HERE
// i.e. for adding the module of ngFileUpload to make it available on your Canvas application
// customAngularModules.push('ngFileUpload');
The configurstion looks alright. Looking at the response, it looks like Cognos BI may need some additional check.
You could start looking at the console, network tab. Lookup for that request that connects to Cognos BI. Once you see that, copy that link and paste it on another Chrome tab. That should give you a better look at what the possible error is.
Ideally, once that is fixed, it should redirect it to the Canvas app with the CAM passport usually visible in the URL.
Check the error in the console too. Like if there is a no cross origin request error.
As a start, check to see if it is able to redirect it to the Canvas app if you just copy over that URL into a new tab.
In summary, looking at the response, there seems to be some issue in the Cognos BI / CA. The response posted above is returning an XML, instead of a normal HTML. Then, looking at the content, there is no visible CAMPassport within that too.
The Canvas configuration that you have looks alright already. So it should only be a matter of when CA’s response is fixed.
Here are the following items to check:
Do check that Cognos BI is starting properly and no errors should be indicated in there as much as possible.
Ensure that you can login automatically at least via Architect
Set the instances.json file’s useSSOWithCAM property to false, and manually login by selecting the CAM Namespace, and then typing your username and password
Set the instances.json file’s useSSOWithCAM property to true, then go to a Canvas page that has TM1 data to trigger the login - if there is still an issue logging in, open Chrome’s Developer Console (if available), and go to Network tab to look for the Cognos BI / CA link and check the response (this should at least have the CAMPassport content) 4.1. To get a better look at the error, copy the link and paste it into another tab and see what the response is (it should redirect at least to your Canvas application)
Check for any errors on the console (i.g. no access origin). If you have this, either the ssoSlaves may not have been configured properly with the correct URL or the URL of the Canvas application needs to be added into the Cognos Application Firewall’s list of allowed domains / URLs (please see Jack’s post on this thread)
Thanks for the update! It was great that you found the fix and now Cognos Analytics is starting up without an issue and Architect can at least connect again and properly authorize without those errors.
Now we are left with what seems to be the new or error response by Cognos Analytics (item#4). Normally, the response is an HTML. But judging from the error posted, it looks like it posted an error - and is just returning a normal XML.
The contents of the XML does not return a CAMPassport as expected, but it seems to have a new bit of information similar to it - SecurityBlob.
We will check on the Canvas if it is possible to capture and be able to process that error. Reason for this is that it may be not all readable from the JavaScript side.
In the meantime, do check if you can configure or find out why Cognos Analytics is returning this faulty response as per the attribute it is header: xmlns:fault=“http://developer.cognos.com/schemas/xts/portal/iFaultHandler/1/”. Also, check if it can be configured to return the above request normally.
I asked the question re: Cognos Analytics/tm1web because we recently tried to get Canvas & SSO working with CA and hit a brick wall - but in this case tm1web wasn’t working with SSO and they are currently resolving that first.
I was trying to gather more information on the Cognos Analytics on whether this is a new structure with that new parameter in the error response named SecurityBlob and was wondering if someone had the same issue.
So when you mentioned that brick wall with CA, is that the same issue as what @mmioduski has been seeing on the console errors?