Monday, November 9, 2009

HTTP 403 Error with SiteMinder and Apache in Cognos 8.4

If SiteMinder is configured in your environment and you are getting the error message below:

You are not authorized to view this page

You might not have permission to view this directory or page using the credentials you supplied.
If you believe you should be able to view this directory or page, please try to contact the Web site by using any e-mail address or phone number that may be listed on the Website.url home page.
You can click Search to look for information on the Internet.

HTTP Error 403 - Forbidden Internet Explorer

Symptoms: Some Cognos 8.4 features give an HTTP 403 error when clicked, for example:
1) When clicking on Folders inside the Cognos default security namespace.
2) When clicking on Datasources to view the signon connection.

Solution: Go to Cognos Configuration and enable the following settings:

Local Configuration > Security > IBM Cognos Application Firewall

Enable CAF Validation : True (by default)
Is third party XSS checking enabled : True

If the page still gives an HTTP 403 error, go to the SiteMinder logs and see whether they show an Invalid Characters error. If so, check the naming convention of the folders/datasources and correct it. It can also be corrected on the SiteMinder side if those naming conventions are absolutely necessary.

Wednesday, June 24, 2009

Enabling WebDAV for Cognos 8.4 in Apache 2.2

Initial requirement: The web server should be up and running.

Problem: Browsing the images gives an error such as Error 405: Method Not Allowed.

Assumption: You have already created the Images virtual directory.

Solution: Enable WebDAV for Cognos so that the images directory can be browsed safely.

Background: WebDAV (Web-based Distributed Authoring and Versioning) is a set of extensions to the HTTP protocol that allows users to edit and manage files on remote servers. In Cognos, if images are stored in a common location, that location should be readable by users over the web, so WebDAV needs to be enabled with security in place.

Ways to implement:

Step 1: Append the following lines to the httpd.conf file. The file is located in /conf.

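# Load the DAV modules first: Apache reads the configuration in order, and
# the included file uses directives (DavLockDB, Dav) that these modules provide.
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
Include conf/extra/httpd-dav.conf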

mod_dav.so and mod_dav_fs.so are the modules Apache uses for WebDAV. It is better to make the changes in the httpd-dav.conf file than to append the configuration to httpd.conf.

Step 2: Take a backup of the original httpd-dav.conf file before making changes, just to keep an original copy. The final httpd-dav.conf file should look like this:



===============================================================
#
# Distributed authoring and versioning (WebDAV)
#
# Required modules: mod_dav, mod_dav_fs, mod_setenvif, mod_alias
# mod_auth_digest, mod_authn_file
#

# The following example gives DAV write access to a directory called
# "uploads" under the ServerRoot directory.
#
# The User/Group specified in httpd.conf needs to have write permissions
# on the directory where the DavLockDB is placed and on any directory where
# "Dav On" is specified.

DavLockDB "E:/Program Files/Apache Software Foundation/Apache2.2/var/DavLock"

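Alias /cognos8/images "E:/cognos_projects/Images"

<Directory "E:/cognos_projects/Images">
    Dav On

    AuthType Basic
    AuthName DAV
    AuthUserFile "E:/Program Files/Apache Software Foundation/Apache2.2/user.passwd"

    # Reads (GET, OPTIONS) stay open; every other method requires the admin
    # user. The method list is the one in the stock Apache 2.2 httpd-dav.conf.
    <LimitExcept GET OPTIONS>
        require user admin
    </LimitExcept>
</Directory>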

#
# The following directives disable redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with several clients that do not appropriately handle
# redirects for folders with DAV methods.
#
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully



Explanation: First, specify the lock database location with the DavLockDB parameter as above. The directory containing the lock database file should be accessible to the user and group under which Apache is running.
Second, specify Dav On.

NOTE: It is important to limit HTTP methods such as POST, PUT and DELETE, because leaving them open exposes the server to potential security risk. Best practice is to use the LimitExcept option. Alternatively, the Limit option can be used with options enabled. Check the Apache documentation for more details.
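
The difference between the two options named in the note, as an added example that is not part of the original post: a small Python audit that reports, for each Dav On directory, which state-changing methods no require line covers. The function name, the method set and the two sample configurations are constructed for illustration, and the parser handles only the directives used here.

```python
import re
# State-changing methods mod_dav accepts once "Dav On" is set (RFC 4918 plus HTTP).
WRITE_METHODS = {"PUT", "DELETE", "POST", "MKCOL", "COPY", "MOVE",
                 "PROPPATCH", "LOCK", "UNLOCK"}

def audit_dav(conf_text):
    """Map each 'Dav On' <Directory> to the write methods no Require covers."""
    findings, path, dav, guarded, scope = {}, None, False, set(), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<(/?)(\w+)\s*(.*?)>$", line)
        if tag:
            closing, name, args = tag.group(1), tag.group(2).lower(), tag.group(3)
            if name == "directory" and not closing:
                path, dav, guarded = args.strip('"'), False, set()
            elif name == "directory":
                if dav:
                    findings[path] = sorted(WRITE_METHODS - guarded)
                path = None
            elif name in ("limit", "limitexcept") and not closing:
                listed = {a.upper() for a in args.split()}
                # <Limit> guards only what it lists; <LimitExcept> guards the rest.
                scope = listed if name == "limit" else WRITE_METHODS - listed
            elif name in ("limit", "limitexcept"):
                scope = None
        elif path is not None:
            words = line.lower().split()
            if words[:2] == ["dav", "on"]:
                dav = True
            elif words[0] == "require" and words[1:] != ["all", "granted"]:
                guarded |= WRITE_METHODS if scope is None else scope & WRITE_METHODS
    return findings

# Constructed sample configs, modelled on the Directory block discussed above.
HARDENED = '''<Directory "E:/cognos_projects/Images">
    Dav On
    AuthType Basic
    <LimitExcept GET OPTIONS>
        require user admin
    </LimitExcept>
</Directory>'''
WEAK = (HARDENED.replace("LimitExcept GET OPTIONS", "Limit POST PUT DELETE")
                .replace("/LimitExcept", "/Limit"))

if __name__ == "__main__":
    print("Limit POST PUT DELETE leaves open:", audit_dav(WEAK))
    print("LimitExcept GET OPTIONS leaves open:", audit_dav(HARDENED))
```

A Limit section protects only the methods it lists, so the WebDAV methods it omits stay reachable without credentials; LimitExcept covers every method not named.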

Wednesday, June 17, 2009

How to Create a Virtual Directory in Apache?

Task: Create a virtual directory in Apache, like in IIS.

Step 1: Open the httpd.conf file located in install_directory/conf.

Step 2: At the end of the file, add the directory name and alias as follows:

Alias /ABCName/images "E:/SomeDirectory/Images"

<Directory "E:/SomeDirectory/Images">
    Options Indexes FollowSymLinks
    AllowOverride FileInfo
    Order Allow,Deny
    Allow from All
</Directory>


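Note: By default the Options are as below
Options FollowSymLinks (Wrong Way)
Options Indexes FollowSymLinks (Correct Way)

If you forget to add Indexes, you will get a Directory index Forbidden error. Without Indexes, Apache refuses to generate a listing when the directory URL itself is requested; with it, every file name in the directory is visible to anyone who can reach that URL.

Step 3: Restart the Apache web server.

Step 4: Test the URL http://whatevername/ABCName/images. The page should come up.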