IBM Support

"The server sent HTTP status code 401: Unauthorized" error when using JAVA-based functionality, caused by APAR PH19793

Troubleshooting


Problem

User launches Controller classic client. User launches any JAVA-based menu item, for example:
  • "Group - Command Center"
  • "Maintain - Sytem Audit Log - Configuration"
An error appears.

Symptom

The exact error will vary, for example:
image-20191115150011-1
However it will include the following phrase:
Caused by: com.sun.xml.internal.ws.client.ClientTransportException: The server sent HTTP status code 401: Unauthorized

Cause

There are several known causes for similar errors.
  • TIP: See separate IBM Technote #1107495 for more examples.
This Technote specifically relates to the scenario where the cause is a limitation (reference APAR PH19793) in some later versions of Controller.
More Information:
The limitation was introduced as part of the security updates (reference APAR IJ13344) to the JAVA run-time inside the Controller client. Specifically:
  • The security updates introduced in October 2019 (to fix CVE-2019-2426) meant that IBM JAVA was upgraded (to a version 8.0.5.30, or later)
  • This contained a third-party (Oracle) change to fix a security problem with NTLM authentication.

Environment

The Controller website has been customised (non-default settings) to use Windows authentication.
  • Specifically, the website is using NTLM authentication. [This is typically only done to enable Single Sign On (SSO)].
  
The problem affects the following versions of Controller:
  • Controller 10.3.0 FP1 IF13 (and later patches)
  • Controller 10.3.1 IF12(and later patches)
  • Controller 10.4.0 IF4 (and later patches)
  • Controller 10.4.1 IF1 (and later patches)
  • Controller 10.4.2 (and later versions)
For example, in one real-life case the problem occurred immediately after the customer upgraded from Controller 10.3.1 IF8 to IF12.

Resolving The Problem

Fix:
Reconfigure the relevant JAVA (JRE) portion of the Controller client, so that it trusts Internet Explorer 'trusted zone' servers.
  • Then make sure that the Controller application server is in the IE trusted zone.
Steps:
Perform the following on each-and-every client device:
1. Browse to the following folder:   ...\jre\lib
  • TIP: By default this is here:   C:\Program Files\IBM\IBM Cognos Controller Local Client\Integration\jre\lib
2. As a precaution, create a backup copy of the file:  net.properties
3. Edit the following file (for example in Notepad):   net.properties
4. Scroll down to the very end, where you should see the default settings:     jdk.http.ntlm.transparentAuth=disabled
  
For example:
image 2306
5. Modify its value to be:      jdk.http.ntlm.transparentAuth=trustedHosts
6. Save changes  
7. Browse to the following folder:   ...\Integration\configuration
  • TIP: By default this is here:   C:\Program Files\IBM\IBM Cognos Controller Local Client\Integration\configuration
8. As a precaution, create a backup copy of the file:   config.ini
9. Edit the following file (for example in Notepad):   config.ini 
10. Add the following line:    jdk.http.ntlm.transparentAuth=trustedHosts
  • TIP: This should go near the top, in the following place:
image 2307
  
11. Save changes
12. Make sure that the Controller application server is added to Internet Explorer's 'Trusted' zone.
  • TIP: For instructions, see separate IBM Technote #280411.
13. Test.
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Workaround:
There are several possible workarounds:
Method #1 (easiest):
Reconfigure the Controller-related IIS portion to use anonymous authentication.
  • However, leave the Cognos Analytics (CA) IIS portion to still use Windows authentication.
Steps:
1. Logon to the Controller application server
2. Launch Internet Information Services (IIS) Manager
3. Expand 'Default Website' until (eventually) you can highlight:   controllerserver
4. On the right-hand side, double-click on 'Authentication':
image-20190717164114-1
5. Enable "Anonymous Authentication"
6. Disable "Windows Authentication":
image-20190717164310-2
7. Test.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Method #2:
Reconfigure the relevant JAVA (JRE) portion of the Controller client, so that it trusts ALL servers (for NTLM).
Steps:
Perform similar steps to those described inside 'Fix' section (above), but:
(a) Inside 'net.properties' change 'jdk.http.ntlm.transparentAuth' to be:   allHosts
(b) Inside 'config.ini' change 'jdk.http.ntlm.transparentAuth' to be:   allHosts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS9S6B","label":"IBM Cognos Controller"},"Component":"","Platform":[{"code":"PF033","label":"Windows"}],"Version":"10.3.1;10.4.0;10.4.1;10.4.2","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
07 February 2020

UID

ibm11119885

Page Feedback