I’m currently investigating a longstanding issue with HTML reports that defies explanation (for the moment).
Right now, we have a globally load-balanced 2-server setup with all Cognos components installed on both servers. The content manager is running only on one server at a time. We have SSO enabled through the OEM application and not configured directly in Cognos (8.3).
Right now, whenever a report is rendered in HTML, the dynamic report graphs are rendered as “red x” instead of the picture file it should be.
Interestingly enough, we have this same setup running in our test environment, excepting the load balancing aspect (single server only). We have compared the cogconfig entries for each and noticed a production-specific anomaly – the Gateway URI is set to the “internal” domain id for the server instead of the external (internet-facing) domain.
Can anyone tell me if the integration with SSO might impact the rendering of the image files for html reports based on these values? It seems that whenever a report is rendered, the SSO agent attempts to do a session check when a dynamic picture file is being rendered to the user (this is for interactive reports).
Due to Single Sign On being used and applied to the images directory where the used images were stored, the permissions do not exist for all users running the report to access the images. Therefore, during the rendering phase in report generation, file system level authentication fails, hence disallowing access to the images in the directory.
There are a few possible ways to resolve this issue:
Allow anonymous access to the directory where the images are located
or
Allow anonymous access to the virtual folder referenced by the web server
Steps for IIS:
Browse to the image folder location or virtual folder in IIS, right-click and select Properties.
Click the ‘Directory Security’ tab
Click ‘Edit’ under the Authentication and access control section
Ensure the check-box for ‘Enable anonymous access’ is checked and no other check-boxes are selected.
Click ‘OK’ and ‘OK’ again to close the dialog boxes.
Modify the access control list at file system level (or file security/permissions in Windows) to provide the list of users who will be running the reports as well as user accounts that will be used to start the report server component of Cognos 8. Ensure these users (or group(s) they belong to) are listed as having at least read access to these images.
Sorry, I should have mentioned. My webserver is Apache, not IIS. The installation is on two Unix (Solaris 10) servers.
Additionally, in my test environment SSO is protecting 100% of the domain url from root onward. The same applies to the production servers. Yet, the same behavior is not evident in test.
Did you try the environment script ShowCGIEnv.cgi? Just copy this file into the Cognos 8 web directory and open a web browser.
http:///cognos8/ShowCGIEnv.cgi
I attached it for you to try and see if there are differences in the variables for test and production. First rename the file ShowCGIEnv.txt to ShowCGIEnv.cgi.
And did you double check the httpd.conf files of both webservers?
I have checked the httpd.conf files for both webservers in production as well as the test one. The aliases/permissions are virtually identical. We have cognos installed under a “user_a”, with apache running under a “user_b” that switches to the nobody user upon startup.
Cognos issues the following to try to pull the image of the report chart:
I presume the storeID entry points to the image for the chart. Interestingly enough, if I run the report, and get the red x problem, and I use the back arrow key and run the report again with the same parameters (with the same SSO session), the images render (and even this behavior is spotty).
We believe we have found out what the issue is re: the images being replaced with a “broken image” red x.
It turns out the query that Cognos uses to render a dynamic image in an html report includes the double quote character at the start and end of the search string. This is being blocked by our SSO BadCCSChars ruleset that blocks specific characters in URLs. As the SSO application intercepts all GET calls, the images are rendered as broken.
Is there any Cognos configuration parameter that would allow us to use a different character other than the following:
Back tick - ` - %60
Null - %00
Pipe - | - %7c
Double Quote - " - %22
Single Quote - ' - %27
Less Than - < - %3c
Greater Than - > - %3e
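
One way to confirm the diagnosis in the last post from the web server side, as an added example that is not part of the original thread: it scans Apache access-log lines for request targets that contain any of the listed characters, raw or percent-encoded. The log lines, the `q` parameter name, the placeholder store ID and the status codes are constructed for illustration, and a single decoding pass by the filter is an assumption.

```python
import re
from urllib.parse import unquote_to_bytes

# Byte values of the characters the post lists as blocked by the SSO rule set.
BLOCKED = {0x60: "backtick", 0x00: "null", 0x7C: "pipe", 0x22: "double quote",
           0x27: "single quote", 0x3C: "less than", 0x3E: "greater than"}

# Request target and status inside an Apache common/combined log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines; paths, parameter name, IDs and statuses are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2009:10:00:00 +0000] "GET /cognos8/example HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2009:10:00:01 +0000] '
    '"GET /cognos8/example?q=storeID(%22PLACEHOLDER%22) HTTP/1.1" 403 312',
    '192.0.2.10 - - [01/Jan/2009:10:00:02 +0000] "GET /cognos8/example?q=a%7Cb HTTP/1.1" 403 312',
    '192.0.2.10 - - [01/Jan/2009:10:00:03 +0000] "GET /cognos8/example?q=a%2522b HTTP/1.1" 200 88',
]


def blocked_chars(target):
    """Names of blocked characters in a request target, raw or percent-encoded."""
    # Assumption: the filter inspects the URL after one percent-decoding pass,
    # so a double-encoded %2522 is not treated as a double quote here.
    decoded = unquote_to_bytes(target)
    return sorted(name for byte, name in BLOCKED.items() if byte in decoded)


def scan(log_lines):
    """Return (line number, status, target, blocked names) for each offending request."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue  # not a parseable request line
        names = blocked_chars(match.group("target"))
        if names:
            hits.append((number, match.group("status"), match.group("target"), names))
    return hits


if __name__ == "__main__":
    for number, status, target, names in scan(SAMPLE_LOG):
        print(f"line {number}: status {status}: {', '.join(names)} in {target}")
```

Running the same scan over the test and production logs shows whether the chart image requests are the only ones carrying these characters.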