🗺️ Fixing Map Visibility in Maximo MAS 9.1: A Hidden CSP Hiccup

After upgrading most of our internal Maximo Application Instances to MAS 9.1, I ran into a frustrating issue: maps were no longer being displayed. Whether using Spatial, ArcGIS, or OpenStreetMap, the visualization layer was broken. Here’s a breakdown of the issue, why it happened, and how to fix it.

🔍 The Problem

After setting up my usual use cases in MAS 9.1, I noticed that no map layers appeared. A quick inspection using browser developer tools revealed the cause:

Content Security Policy (CSP) was blocking resources from key domains:

• *.arcgisonline.com (Spatial / ArcGIS)

• *.openstreetmap.org

• *.arcgis.com

This issue isn’t entirely new—versions MX 7.6 and MAS 8.10 had similar problems. IBM resolved it in MAS 8.11 by extending the mxe.sec.header.Content_Security_Policy property. So naturally, I tried to do the same in MAS 9.1.

🧱 Roadblock: Property Missing in the UI

I quickly hit a snag. The mxe.sec.header.Content_Security_Policy property wasn’t available in the MAS 9 frontend UI. Yet I confirmed it existed in the database (MAXPROP MBO). Trying to modify it led to a frustrating #system#invalidfetch error.

Looking deeper into the logs, I found a likely culprit:

The length of the MAXPROP.CACHEDVALUE field had changed in MAS 9.1.
It was now too short (1024 characters) to handle long CSP strings via the UI.

This explains why it was accessible in the backend but not manageable through the valuation layer—likely added during installation via DBC or direct SQL injection, bypassing UI validation.

✅ The Workaround That Works

To restore map visibility, here’s the solution:

1. Extend the Field Length

Update the MAXPROP.CACHEDVALUE length from 1024 to 4192 in your database schema.

• Then run the configdb utility (via frontend or terminal).

2. Update the CSP System Property

Update mxe.sec.header.Content_Security_Policy with the following value:

rust



KopiërenBewerken





font-src 'self' data: https://1.www.s81c.com *.walkme.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval' *.walkme.com *.{{DOMAIN_NAME}} *.qualtrics.com *.siteintercept.qualtrics.com https://1.www.s81c.com *.ibm.com tags.tiqcdn.com *.trustarc.com;
style-src 'self' 'unsafe-inline' 'unsafe-eval' *.walkme.com *.{{DOMAIN_NAME}} 1.www.s81c.com *.ibm.com tags.tiqcdn.com *.tealium.com *.tags.tiqcdn.com *.trustarc.com prefmgr-cookie.truste-svc.net;
img-src 'self' d2qhvajt3imc89.cloudfront.net data: *.walkme.com *.{{DOMAIN_NAME}} *.trustarc.com *.qualtrics.com *.siteintercept.qualtrics.com;
object-src 'self' *.walkme.com;
worker-src 'self' blob:;
frame-src *.{{DOMAIN_NAME}} 'self' localhost:* *.walkme.com *.segment.com *.trustarc.com *.qualtrics.com *.siteintercept.qualtrics.com *.ibm.com;
default-src https://* 'self' *.{{DOMAIN_NAME}} *.tealium.com *.tags.tiqcdn.com;
connect-src 'self' *.{{DOMAIN_NAME}} *.qualtrics.com *.siteintercept.qualtrics.com *.ibm.com *.walkme.com *.arcgisonline.com *.openstreetmap.org *.arcgis.com

🔧 Replace {{DOMAIN_NAME}} with your actual domain value.

3. Refresh & Test

After saving the new property:

• Log out

• Clear cache (optional but recommended)

• Log back in

Et voilà—maps should now display correctly across all instances!

🚨 Final Thoughts & Feedback

I’ve reported this as a "bug/hidden feature" to the Maximo product development team. While it's possible to work around, it's not intuitive—and can hinder upgrade efforts in production environments.

If you’re upgrading to MAS 9.1 or planning to, this is a must-check. Happy mapping! 🗺️✨