Cognos Analytics

SSL Setup / Content Manager not Found

  • 1.  SSL Setup / Content Manager not Found

    Posted Tue January 19, 2021 06:32 AM
    Hi Everyone,

    I'm trying to set up Cognos 11.1 with an internal dispatcher on http and external dispatcher on https.
    According to the manual, I need to set up all URIs with FQDN, and set https and a different port number on external dispatcher URI and Dispatcher URI for external applications.
    Now my Server won't start any more, because the Content Manager doesn't start anymore.
    I get the errors below (sorry it's German, but I added a Google translation).

    What makes me wonder is that on one hand the instruction is to replace all localhosts with FQDN, and on the other hand the manual says that if you use the application server provided with Cognos, you need to set the "URI of the internal dispatcher" to localhost.
    Is that the same as the "Internal dispatcher URI" or where can I find it? Is it now localhost or FQDN?

    Does anyone have an idea why this happens?

    Thanks a lot and kind regards....
    Stefan

    2021-01-19T11:49:18.226+0100 INFO startup.Audit.RTUsage.CM [Thread-64] NA StartService CM-SYS-5090 Content Manager-Build 11.1.4.126 wurde gestartet (11.1.4.126;20191023192926, Schemaversion 7.00641, Implementierung: CMDbStore - Java CMCache). Success ContentManagerService
    2021-01-19T11:49:18.227+0100 INFO startup.Audit.RTUsage.CM [Thread-64] NA StartService CM-SYS-5159 Content Manager wird im aktiven Modus ausgeführt. Info ContentManagerService
    2021-01-19T11:49:18.865+0100 INFO startup.Audit.RTUsage.CM [Thread-64] NA CM-REQ-4296 Das Zeitlimit einer HTTP-Anforderung an Connector "{connector}" wurde überschritten. Warning
    2021-01-19T11:49:20.036+0100 ERROR com.ibm.bi.health.BISvcHealthCheck [healthcheck-async-executor-1] NA com.cognos:type=ServiceOperationalStatus,dispatcher="https://cockpit03.ma.ad.fh-pforzheim.de:9441/p2pd"
    2021-01-19T11:49:23.069+0100 INFO startup.Audit.Other.DISP.com.cognos.pogo.contentmanager.coordinator.CMBootstrap [Thread-64] NA getActiveContentManager Failure ContentManager <messages><message><messageString>DPR-CMI-4006 Der aktive Content Manager kann nicht festgestellt werden. Es werden regelmäßige Neuversuche durchgeführt.</messageString></message></messages>


    (Google translation):
    2021-01-19T11:49:18.226+0100 INFO startup.Audit.RTUsage.CM [Thread-64] NA StartService CM-SYS-5090 Content Manager build 11.1.4.126 was started (11.1.4.126;20191023192926, schema version 7.00641, Implementation: CMDbStore - Java CMCache). Success ContentManagerService
    2021-01-19T11:49:18.227+0100 INFO startup.Audit.RTUsage.CM [Thread-64] NA StartService CM-SYS-5159 Content Manager is running in active mode. Info ContentManagerService
    2021-01-19T11:49:18.865+0100 INFO startup.Audit.RTUsage.CM [Thread-64] NA CM-REQ-4296 The time limit of an HTTP request to connector "{connector}" has been exceeded. Warning
    2021-01-19T11:49:20.036+0100 ERROR com.ibm.bi.health.BISvcHealthCheck [healthcheck-async-executor-1] NA com.cognos:type=ServiceOperationalStatus,dispatcher="https://cockpit03.ma.ad.fh-pforzheim.de:9441/p2pd"
    2021-01-19T11:49:23.069+0100 INFO startup.Audit.Other.DISP.com.cognos.pogo.contentmanager.coordinator.CMBootstrap [Thread-64] NA getActiveContentManager Failure ContentManager <messages><message><messageString>DPR-CMI-4006 The active content manager cannot be determined. Regular retries are carried out.</messageString></message></messages>

    ------------------------------
    Stefan Held
    ------------------------------



  • 2.  RE: SSL Setup / Content Manager not Found

    Posted Tue January 19, 2021 08:04 AM

    Assuming that this is a single server/single CA install, you cannot have the single WebSphere Liberty Profile engine running both http and https, nor run separate ports.
    You need to update all environment variables to https and 9441.  



    ------------------------------
    STEFAN VERMEULEN
    ------------------------------



  • 3.  RE: SSL Setup / Content Manager not Found

    Posted Tue January 19, 2021 08:46 AM
    Hi,

    actually it's a 2 server install, there's a 2nd server running just a gateway, but everything else is on 1 server.
    Do I still need to put everything on https? This is what I wanted to avoid...

    Thanks
    Stefan

    ------------------------------
    Stefan Held
    ------------------------------



  • 4.  RE: SSL Setup / Content Manager not Found

    Posted Tue January 19, 2021 09:01 AM

    On your Content manager/dispatcher single server install you can keep everything on http 9300.
    Then your second server (assuming Windows here), where your gateway is installed (I assume that your label "external dispatcher" is therefore not correct), can be configured to run on https by itself.

    Then the reverse proxy rule in IIS will point to http://fqdn:9300



    ------------------------------
    STEFAN VERMEULEN
    ------------------------------



  • 5.  RE: SSL Setup / Content Manager not Found

    Posted Tue January 19, 2021 09:47 AM
    Isn't the "internal dispatcher URI" usually only for accessing the dispatcher from the same (local) machine?
    Then the "external dispatcher" would be for accessing the dispatcher from another server, like my gateway in the DMZ.

    Or am I on the wrong path here?

    ------------------------------
    Stefan Held
    ------------------------------



  • 6.  RE: SSL Setup / Content Manager not Found

    Posted Wed January 20, 2021 09:55 AM
    Edited by System Fri January 20, 2023 04:42 PM

    I now see where your steps are coming from. In Cognos Configuration, the helptext for the Internal Dispatcher URI:

    This property defines the HTTP endpoint through which the dispatcher receives requests from the local computer. It must have the same value as External dispatcher URI unless you choose to use SSL only for external requests. In that case, External dispatcher URI will specify 'https' and Internal dispatcher URI will specify 'http'

    I can't help you with that way of configuration as I never used it like that. I simply leave them all on http, or all https with the same port.



    ------------------------------
    STEFAN VERMEULEN
    ------------------------------



  • 7.  RE: SSL Setup / Content Manager not Found

    Posted Thu January 21, 2021 04:24 AM
    Well, then, ok. I've changed both to SSL, now it's starting again. Still some issues with the connection between the Gateway on the other machine and the Server/Dispatcher....

    Thanks

    ------------------------------
    Stefan Held
    ------------------------------



  • 8.  RE: SSL Setup / Content Manager not Found

    Posted Thu January 21, 2021 04:57 AM

    Make sure to update your reverse proxy rule from http to https.
    In ibmcognos/bi click the url rewrite button to see the rules.
     



    ------------------------------
    STEFAN VERMEULEN
    ------------------------------



  • 9.  RE: SSL Setup / Content Manager not Found

    IBM Champion
    Posted Thu January 21, 2021 06:36 AM

    This is what I understood you want to do:
    External User with SSL -----[CA11 GW]------[CA11 APP-SERVER]
    |
    Internal User w/o SSL  ---------------------



    Unfortunately I am not an IIS (Windows) guy.
    So ... here are my 5 cents on how to work this out with Apache/IBM HTTP Server or HAProxy.

    Using FQDN becomes necessary when separating GW and APP-Server components of the GW in order for the parts to be able to communicate.
    The GW URI in the App.-Server configuration points to the GW but is reverse proxied to the APP Server.

    So on App.-Server Config we put: http(s)://cognosgw.mydomain.tldr:80/crn0/bi/v1/disp ... This is imho just for (internal) communication from App.-Server to the GW.

    To communicate from the GW to the APP.-SERVER you can put http://ashost0:9300/bi/v1/disp
    ASHOST0 is resolved via /etc/hosts to IP x.z.y
    root@amvara:/opt/IBM/cognos/crn0 : cat /etc/hosts | grep ashost
    xx.xx.xx.xx cockpit03.ma.ad.fh-pforzheim.de ashost0 coghost0
    xx.xx.xx.xx cockpit04.ma.ad.fh-pforzheim.de ashost1 coghost1
    This has the benefit that hardware changes do not affect your configuration files. Just change /etc/hosts and you are done.
    You can move CA installations around at any time.

    Why does this work?
    Because in the configuration (for IIS as well as Apache) on the GW we find ReverseProxy directives:

    Alias /crn0 /opt/IBM/cognos/crn0/webcontent

    RewriteRule ^/crn0/bi/($|[^/.]+(\.jsp)(.*)?) balancer://crn0cluster/bi/$1$3 [P]
    RewriteRule ^/crn0/bi/v1/(login|disp)(/.*)? /crn0/cgi-bin/cognos.cgi/bi/v1/$1$2 [PT,L]
    RewriteCond %{HTTP_REFERER} v1/disp [NC]
    RewriteRule ^/crn0/bi/(ags|cr1|prompting|ccl|common|skins|ps)/(.*) /crn0/$1/$2 [PT,L]
    RewriteRule ^/crn0/bi/rv/(.*)$ /crn0/rv/$1 [PT,L]

    <Location /crn0/bi/v1>
    ProxyPass balancer://crn0cluster/bi/v1
    </Location>

    <Proxy balancer://crn0cluster>
    BalancerMember http://ashost0:9300 route=crn0_1
    BalancerMember http://ashost1:9300 route=crn0_2
    </Proxy>

    See similar things in the IBM documentation about Apache configuration. @STEFAN VERMEULEN pointed it out.

    This is how I would do it and save resources as I only have 1 Cognos installation:
    External User with SSL -----[ReverseProxy]----[CA11 APP-SERVER]
     |
    Internal User w/o SSL  ------------


    The communication from App.-Server to GW is for searching Icons/Images when rendering PDF

    The communication from GW to APP.-SERVER is a "reverse proxy" situation. This said, Apache and IBM http server and IIS are third party tools from the point of view of Cognos Analytics.

    We have found hardware LoadBalancer, Apache, IIS and Haproxy acting as ReverseProxy / termination point for endusers.

    So, if you want to follow this idea, just grab a docker image of haproxy or apache and configure your SSL and not SSL communication endpoints there + reverseProxy them to your dispatcher.

    With the following Apache directive you can support even multiple CA installation on one server using the very same GW/ReverseProxy:
    SetEnvIf Request_URI "^/(crn\d+)" ENVIRONMENT=$1
    <If "%{REQUEST_URI} =~ m#^/(crn\d+)#">
    Header set X-BI-PATH /%{ENVIRONMENT}e/bi/v1
    RequestHeader set X-BI-PATH /%{ENVIRONMENT}e/bi/v1
    </If>

    Do your machines have more than one ethernet controller / connection? Maybe backup LANs for ADMIN access? Or internal/external IPs on different interfaces?
    Watch your logfiles of the App.-Server on this. CA11 looks for FQDN via java-system call to the interfaces and grabs the first IP with FQDN from there and then logs that domain/IP into the logfiles. So you might see FQDNs/IPs that you have not configured. This is imho just in the logfiles and inside the WLP. Cognos should work normally. 

    Your second question:
    "Isn't usually the "internal dispatcher URI" is only for accessing the dispatcher from the same (local) machine?"
    Yes.

    I attach a screenshot of such a configuration, having the "ASHOST0" topic in mind.

    APP.-SERVER

    Btw: the Gateway URI points to http://fqdn:80/foo ... In this setup this URL is not reachable for endusers. It can only be reached from the App.-Server.
    So, you might put http://foo/ there. App.-Server will then not be able to look for images on the GW to render inside the HTML or PDF data stream, if they are not on disk.


    Hope this helped.




    ------------------------------
    Ralf Roeber
    ------------------------------
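
The balancer block from the post above, adapted for the case discussed in this thread where the dispatchers are switched to HTTPS on port 9441. This is an added example, not configuration from any poster or from IBM; the CA bundle path is a placeholder, and it assumes Apache 2.4 with mod_ssl, mod_proxy, mod_proxy_http and mod_proxy_balancer loaded and both ashost0 and ashost1 listening on 9441.

```apache
# Added example (not from the thread). Server-level or <VirtualHost> context.

# Before (as posted above): cleartext hop from the gateway to the dispatchers
# <Proxy balancer://crn0cluster>
#     BalancerMember http://ashost0:9300 route=crn0_1
#     BalancerMember http://ashost1:9300 route=crn0_2
# </Proxy>

# After: TLS on the gateway-to-dispatcher hop, with the dispatcher
# certificate actually verified instead of merely encrypted.
SSLProxyEngine on

# Reject the backend unless its certificate chains to a CA we trust.
SSLProxyVerify require
SSLProxyVerifyDepth 3
# Placeholder path: PEM bundle of the CA chain that signed the
# dispatcher certificates.
SSLProxyCACertificateFile /path/to/cognos-ca-chain.pem

# Compare the host name in the BalancerMember URL with the certificate's
# subject alternative names, and refuse expired certificates.
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on

<Proxy balancer://crn0cluster>
    BalancerMember https://ashost0:9441 route=crn0_1
    BalancerMember https://ashost1:9441 route=crn0_2
</Proxy>

# The RewriteRule and ProxyPass lines from the post keep pointing at
# balancer://crn0cluster and need no change.
```

Because the backends are addressed by their /etc/hosts aliases, the dispatcher certificates must list ashost0 and ashost1 as subject alternative names, or the BalancerMember URLs must use the FQDNs; otherwise the peer-name check rejects the connection. Turning the checks off to get a connection leaves the hop encrypted but unauthenticated.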



  • 10.  RE: SSL Setup / Content Manager not Found

    Posted Thu January 21, 2021 06:55 AM
    @Ralf:

    thanks a lot for your explanations.
    Unfortunately, this all works fine on http protocol, like in the example you've shown, and I've tested it for quite a while without any problems.
    Now I've switched to https, it doesn't connect anymore, I've already checked certificates / trust status between the servers which looks fine.
    I don't have any setup in IIS, everything's handled by the standard liberty setup, which works fine so far. It's only the connection between GW and Server.





    ------------------------------
    Stefan Held
    ------------------------------



  • 11.  RE: SSL Setup / Content Manager not Found

    Posted Thu January 21, 2021 07:59 AM

    So on the application server you installed the Content Manager and the Application server tier.
    On the gateway server you installed the Application tier and the gateway tier.
    On that same gateway server you are not using a webserver like IIS, apache or IHS, but would like to use the application tier as a https webserver?

    If that is the case, then that is an interesting architecture choice.
    You will have to import the ssl certificate used on the gateway server into the camkeystore for the application server also, or they cannot communicate.
    I take it the dispatcher list in cognos administration shows 2 dispatchers? 



    ------------------------------
    STEFAN VERMEULEN
    ------------------------------