This is what I understood you want to do:
External User with SSL -----[CA11 GW]------[CA11 APP-SERVER]
|
Internal User w/o SSL ---------------------
Unfortunately I am not an IIS (Windows) guy.
So ... here are my 5 cents on how to work this out with Apache/IBM HTTP Server or HAProxy.
Using FQDN becomes necessary on separating GW and APP-Server components of the GW in order for the parts to be able to communicate.
The GW URI in the App.-Server configuration points to the GW but is reverse proxied to the APP Server.
So on App.-Server Config we put: http(s)://cognosgw.mydomain.tldr:80/crn0/bi/v1/disp ... This is imho just for (internal) communication from App.-Server to the GW.
To communicate from the GW to the APP.-SERVER you can put
http://ashost0:9300/bi/v1/disp
ASHOST0 is resolved via /etc/hosts to IP x.z.y
root@amvara:/opt/IBM/cognos/crn0 : cat /etc/hosts | grep ashost
xx.xx.xx.xx cockpit03.ma.ad.fh-pforzheim.de ashost0 coghost0
xx.xx.xx.xx cockpit04.ma.ad.fh-pforzheim.de ashost1 coghost1
This has the benefit that hardware changes do not affect your configuration files. Just change /etc/hosts and you are done.
You can move CA installations around at any time.
Why does this work?
Because in the configuration (for IIS as well as Apache) on the GW we find ReverseProxy directives:
Alias /crn0 /opt/IBM/cognos/crn0/webcontent
RewriteRule ^/crn0/bi/($|[^/.]+(\.jsp)(.*)?) balancer://crn0cluster/bi/$1$3 [P]
RewriteRule ^/crn0/bi/v1/(login|disp)(/.*)? /crn0/cgi-bin/cognos.cgi/bi/v1/$1$2 [PT,L]
RewriteCond %{HTTP_REFERER} v1/disp [NC]
RewriteRule ^/crn0/bi/(ags|cr1|prompting|ccl|common|skins|ps)/(.*) /crn0/$1/$2 [PT,L]
RewriteRule ^/crn0/bi/rv/(.*)$ /crn0/rv/$1 [PT,L]
<Location /crn0/bi/v1>
ProxyPass balancer://crn0cluster/bi/v1
</Location>
<Proxy balancer://crn0cluster>
BalancerMember http://ashost0:9300 route=crn0_1
BalancerMember http://ashost1:9300 route=crn0_2
</Proxy>
See similar things in the IBM documentation about Apache configuration.
@STEFAN VERMEULEN pointed it out.
This is how I would do it and save resources as I only have 1 Cognos installation:
External User with SSL -----[ReverseProxy]----[CA11 APP-SERVER]
|
Internal User w/o SSL ------------
The communication from App.-Server to GW is for searching Icons/Images when rendering PDF
The communication from GW to APP.-SERVER is a "reverse proxy" situation. This said, Apache and IBM http server and IIS are third party tools from the point of view of Cognos Analytics.
We have found hardware LoadBalancer, Apache, IIS and Haproxy acting as ReverseProxy / termination point for endusers.
So, if you want to follow this idea, just grab a docker image of haproxy or apache and configure your SSL and non-SSL communication endpoints there + reverseProxy them to your dispatcher.
With the following Apache directive you can support even multiple CA installation on one server using the very same GW/ReverseProxy:
SetEnvIf Request_URI "^/(crn\d+)" ENVIRONMENT=$1
<If "%{REQUEST_URI} =~ m#^/(crn\d+)#">
Header set X-BI-PATH /%{ENVIRONMENT}e/bi/v1
RequestHeader set X-BI-PATH /%{ENVIRONMENT}e/bi/v1
</If>
Do your machines have more than one ethernet controller / connection? Maybe backup LANs for ADMIN access? Or internal/external IPs on different interfaces?
Watch your logfiles of the App.-Server on this. CA11 looks for FQDN via java-system call to the interfaces and grabs the first IP with FQDN from there and then logs that domain/IP into the logfiles. So you might see FQDNs/IPs that you have not configured. This is imho just in the logfiles and inside the WLP. Cognos should work normally.
Your second question:
Isn't the "internal dispatcher URI" usually only for accessing the dispatcher from the same (local) machine?
Yes.
I attach a screenshot of such a configuration, having the "ASHOST0" topic in mind.
APP.-SERVER
Btw: the Gateway URI points to http://fqdn:80/foo ... In this setup this URL is not reachable for endusers. It can only be reached from the App.-Server.
So, you might put http://foo/ there. App.-Server will then not be able to look for images on the GW to render inside the HTML or PDF data stream, if they are not on disk.
Hope this helped.
------------------------------
Ralf Roeber
------------------------------
Original Message:
Sent: Tue January 19, 2021 06:32 AM
From: Stefan Held
Subject: SSL Setup / Content Manager not Found
Hi Everyone,
I'm trying to set up Cognos 11.1 with an internal dispatcher on http and external dispatcher on https.
According to the manual, I need to set up all URIs with FQDN, and set https and a different port number on external dispatcher URI and Dispatcher URI for external applications.
Now my Server won't start any more, because the Content Manager doesn't start anymore.
I get the errors below (sorry it's German, but I added a Google translation)
What makes me wonder is that on one hand the instruction is to replace all localhosts with FQDN, and on the other hand the manual says that if you use the application server provided with Cognos, you need to set the "URI of the internal dispatcher" to localhost.
Is that the same as the "Internal dispatcher URI" or where can I find it? Is it now localhost or FQDN?
Does anyone have an idea why this happens?
Thanks a lot and kind regards....
Stefan
2021-01-19T11:49:18.226+0100 INFO startup.Audit.RTUsage.CM [Thread-64] NA StartService CM-SYS-5090 Content Manager-Build 11.1.4.126 wurde gestartet (11.1.4.126;20191023192926, Schemaversion 7.00641, Implementierung: CMDbStore - Java CMCache). Success ContentManagerService
2021-01-19T11:49:18.227+0100 INFO startup.Audit.RTUsage.CM [Thread-64] NA StartService CM-SYS-5159 Content Manager wird im aktiven Modus ausgeführt. Info ContentManagerService
2021-01-19T11:49:18.865+0100 INFO startup.Audit.RTUsage.CM [Thread-64] NA CM-REQ-4296 Das Zeitlimit einer HTTP-Anforderung an Connector "{connector}" wurde überschritten. Warning
2021-01-19T11:49:20.036+0100 ERROR com.ibm.bi.health.BISvcHealthCheck [healthcheck-async-executor-1] NA com.cognos:type=ServiceOperationalStatus,dispatcher="https://cockpit03.ma.ad.fh-pforzheim.de:9441/p2pd"
2021-01-19T11:49:23.069+0100 INFO startup.Audit.Other.DISP.com.cognos.pogo.contentmanager.coordinator.CMBootstrap [Thread-64] NA getActiveContentManager Failure ContentManager <messages><message><messageString>DPR-CMI-4006 Der aktive Content Manager kann nicht festgestellt werden. Es werden regelmäßige Neuversuche durchgeführt.</messageString></message></messages>
(Google translation):
2021-01-19T11:49:18.226+0100 INFO startup.Audit.RTUsage.CM [Thread-64] NA StartService CM-SYS-5090 Content Manager build 11.1.4.126 was started (11.1.4.126;20191023192926, schema version 7.00641, Implementation: CMDbStore - Java CMCache). Success ContentManagerService
2021-01-19T11:49:18.227+0100 INFO startup.Audit.RTUsage.CM [Thread-64] NA StartService CM-SYS-5159 Content Manager is running in active mode. Info ContentManagerService
2021-01-19T11:49:18.865+0100 INFO startup.Audit.RTUsage.CM [Thread-64] NA CM-REQ-4296 The time limit of an HTTP request to connector "{connector}" has been exceeded. Warning
2021-01-19T11:49:20.036+0100 ERROR com.ibm.bi.health.BISvcHealthCheck [healthcheck-async-executor-1] NA com.cognos:type=ServiceOperationalStatus,dispatcher="https://cockpit03.ma.ad.fh-pforzheim.de:9441/p2pd"
2021-01-19T11:49:23.069+0100 INFO startup.Audit.Other.DISP.com.cognos.pogo.contentmanager.coordinator.CMBootstrap [Thread-64] NA getActiveContentManager Failure ContentManager <messages><message><messageString>DPR-CMI-4006 The active content manager cannot be determined. Regular retries are carried out.</messageString></message></messages>
------------------------------
Stefan Held
------------------------------
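Added example, not part of the original posts and not IBM's configuration: a sketch of the "SSL and non-SSL endpoints on one reverse proxy" idea from the reply above, written as two Apache virtual hosts in front of the same balancer. The server names, certificate paths and the internal address range are placeholders; the balancer members and the /crn0/bi/v1 path are taken from the reply, and the Alias/RewriteRule lines for static content are left out.

```apache
# Assumes mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_balancer,
# mod_lbmethod_byrequests, mod_headers and mod_authz_host are loaded.
Listen 80
Listen 443

# Same backend pool as in the reply; ashost0/ashost1 resolve via /etc/hosts.
# This hop is cleartext HTTP, so keep it on a trusted network segment and
# firewall port 9300 so that only the proxy can reach the dispatchers.
<Proxy balancer://crn0cluster>
    BalancerMember http://ashost0:9300 route=crn0_1
    BalancerMember http://ashost1:9300 route=crn0_2
</Proxy>

# External users: TLS terminates at the proxy.
<VirtualHost *:443>
    ServerName cognos.example.org                     # placeholder FQDN
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile    /path/to/cognos.example.org.crt   # placeholder
    SSLCertificateKeyFile /path/to/cognos.example.org.key   # placeholder

    # Tell browsers to stay on HTTPS and tell the backend the original scheme.
    Header always set Strict-Transport-Security "max-age=31536000"
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        /crn0/bi/v1 balancer://crn0cluster/bi/v1
    ProxyPassReverse /crn0/bi/v1 balancer://crn0cluster/bi/v1
</VirtualHost>

# Internal users: plain HTTP, accepted only from the internal range.
<VirtualHost *:80>
    ServerName cognos.internal.example                # placeholder name
    <Location />
        Require ip 10.0.0.0/8                         # placeholder range
    </Location>

    ProxyPass        /crn0/bi/v1 balancer://crn0cluster/bi/v1
    ProxyPassReverse /crn0/bi/v1 balancer://crn0cluster/bi/v1
</VirtualHost>
```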