IBM Support

403 (Forbidden) is returned when accessing Cognos Analytics via SSO and a WebSeal Junction.

Troubleshooting


Problem

When attempting to access Cognos Analytics via SSO, through a Webseal junction a 403 error message is returned.

Symptom

403 response is returned for a URL that passes through Webseal to Cognos Analytics.

An example from the Webseal pdweb debug (but Fiddler or the Browser's Developer Tools should show the same response):

Request:

GET /ibmcognos/bi/v1/configuration/keys/Glass/installMode HTTP/1.1
accept: */*
accept-language: en-US
connection: close
content-type: application/json; charset=utf-8
host: <cognos webserver>
iv-user: <some user>
referer: <external junction URL>/ibmcognos/bi/
user-agent: <user agent>
via: HTTP/1.1 <external URL>:443
iv_server_name: <server>
x-requested-with: XMLHttpRequest
Cookie: cookieEnabledPersist=true; cookieEnabledSession=true; <cookie_name>=<value>; <cookie_name>=<value>; IV_JCT=%2Fibmcognos; XSRF-TOKEN=<xsrf-token-value>

Response:

HTTP/1.1 403 Forbidden
connection: close
content-language: en-US
date: Tue, 31 Jul 2018 16:36:57 GMT
cache-control: must-revalidate
expires: Thu, 01 Jan 1970 00:00:00 GMT
x-powered-by: Servlet/3.1
x-bi-xsrf: Rejected
x-ca-affinity: <value> 
 

Cause

Webseal is currently configured to append the junction name to the cookie names of the cookies that are set by Cognos.
 

Environment

Cognos Analytics

Webseal

IHS

Diagnosing The Problem

Reviewing the pdweb debug tracing, or fiddler should show you the change of the cookie names.

In this case, the XSRF-TOKEN cookie is being renamed.

Below is the cookie as set by Cognos Analytics:
Set-Cookie: XSRF-TOKEN=<Token Value>; Path=/ibmcognos/bi

Below is the XSRF-TOKEN cookie having been renamed by WebSeal:
Set-Cookie: <JUNCTION_IDENTIFIER>!%2Fibmcognos!XSRF-TOKEN=<Token value>; Path=/
 

Resolving The Problem

Preserve the cookies that are set by Cognos Analytics to ensure that the product functions appropriately by adding the cookie for preserve-cookie-names in the Webseal configuration file.

[preserve-cookie-names]
name = XSRF-TOKEN

For more information, please contact your Webseal Administrator.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTSF6","label":"IBM Cognos Analytics"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
09 August 2018

UID

ibm10725451

Page Feedback