Troubleshooting
Problem
If you are running Business Space, you might see the 403 BMWPX0006E error with some widgets. You might see this error if you are running Business Space with IBM Business Process Manager (BPM) Advanced or if you are integrating any IBM Business Process Manager product with Business Space.
Symptom
Some widgets in Business Space might display the following error message:
403 BMWPX0006E: The URL you tried to access through the proxy is not allowed.
Cause
Widgets use Java™Script to invoke REST services to exchange data or trigger actions. Browsers require the target endpoints of calls that are initiated by JavaScript to have the same host name and port as the page from which the JavaScript was loaded. This requirement is called the same origin policy. Business Space combines widgets from multiple sources (IBM products and those products from other vendors) on the same page. Each widget might require data from a different back-end system, which violates the same origin policy.
Even with a single stand-alone server, the same origin policy might block communication. Business Space defaults to the HTTPS prefix on the host name that you entered in your URL. For example, your browser is redirected from http://localhost:9080, in a default stand alone server to https://localhost:9443. The configured endpoint for a given REST service more likely contains the real host name of your machine and not localhost. These are examples in which browsers block communication to the REST endpoint.
Resolving The Problem
To make REST services consumable, Business Space includes an Ajax proxy. Authenticated users can reach the Ajax proxy on the same host and port from which the Business Space page was loaded. This Ajax proxy can forward any HTTP request from any source to any valid destination. Valid destinations include HTTP headers, such as cookies.
For security purposes, the Ajax proxy is restricted and can forward requests only to configured endpoint URLs. By default, all registered widget endpoints and a few additional targets can be routed through the Ajax proxy. If a widget must consume additional services, the widget must go through the Ajax proxy. For example, the task information widget has a number of endpoints configured, such as the task services. At run time, the task services can return a URL for rendering a coach. This URL was not known when the widget was deployed; therefore, the error message is shown.
You can use one of the following approaches to enable additional communication to pass through the Ajax proxy:
Registering additional URLs as endpoints
The Business Space Ajax proxy configuration contains a section that allows all registered endpoints to be handled by the proxy server. This configuration is stored in the following location:
<PROFILE_ROOT>/BusinessSpace/<DEPLOYMENT_TARGET>/mm.runtime.prof/config/proxy-config.xml
The following example shows this location:
C:\IBM\BPM\profiles\ProcCtr01\BusinessSpace\PCNode1\server1\mm.runtime.prof\config\proxy-config.xml
The following line in the proxy-config.xml file is the starting point for configuring how requests for registered endpoints are forwarded by the proxy:
<proxy:policy url="endpoint://*" acf="none" basic-auth-support="true">
Registering additional endpoints enables the proxy to handle requests through the proxy to these endpoints. To register additional endpoints, complete the following steps:
- Create an additionalEndpoints.xml file in any location.
- Add the URLs of the required endpoints to the file. For an example, see the endpoint.xml sample file that is attached at the bottom of this document.
- Open a wsadmin session by running the following command from the profile_dir/bin directory:
wsadmin -lang jython
- For stand-alone servers, run the following wsadmin command:
AdminTask.updateBusinessSpaceWidgets('[-serverName <SERVER_NAME> -nodeName <NODE_NAME> -endpoints <PATH_TO_ENDPOINTSFILE> ]')
The following example shows this command:
AdminTask.updateBusinessSpaceWidgets('[-serverName server1 -nodeName PCNode1 -endpoints
C:/temp/additionalEndpoints/additionalEndpoints.xml ]')
For a clustered environment, run the following wsadmin command:
AdminTask.updateBusinessSpaceWidgets('[-clusterName <CLUSTER_NAME> -endpoints <PATH_TO_ENDPOINTSFILE> ]')
The CLUSTER_NAME must be the name of the cluster where Business Space is configured.
The following example shows this command:
AdminTask.updateBusinessSpaceWidgets('[-clusterName webCluster -endpoints C:/temp/additionalEndpoints/additionalEndpoints.xml ]')
For more information, see the updateBusinessSpaceWidgets command documentation.
- Save the configuration and exit the wsadmin session using the following command:
AdminConfig.save() exit
- For a stand-alone server, restart the server. For a clustered environment, synchronize the configuration changes to your nodes and restart the cluster that you used in step 4.
- Verify that your endpoints were successfully registered. Review the list of endpoints in the WebSphere Administrative Console by selecting the following menu options: Resources > Resource Environment > Resource environment providers > Mashups_Endpoints > Custom properties
Adding proxy target URLs
Use the following steps to create a section in the proxy-config.xml configuration file to allow your additional target URLs:
- Locate the Business Space Ajax proxy configuration file in the following location: profile_dir/BusinessSpace/<DEPLOYMENT_TARGET>/mm.runtime.prof/config/proxy-config.xml
The following example shows this location:
C:\IBM\BPM\profiles\ProcCtr01\BusinessSpace\PCNode1\server1\mm.runtime.prof\config\proxy-config.xml
- Locate the section that relates to the context path="/proxy/*" as shown in the following example:
<proxy:mapping contextpath="/proxy/*"/>
- Add a new policy section relating to your additional target URL, as shown in the following example:
<proxy:policy url="https://<HOSTNAME>:<PORT>/teamworks/*"
acf="none" basic-auth-support="true">
<proxy:actions>
<proxy:method>GET</proxy:method>
<proxy:method>POST</proxy:method>
</proxy:actions>
<proxy:headers>
<proxy:header>Cache-Control</proxy:header>
<proxy:header>Pragma</proxy:header>
<proxy:header>User-Agent</proxy:header>
<proxy:header>Accept*</proxy:header>
<proxy:header>Content*</proxy:header>
<proxy:header>If-Match</proxy:header>
<proxy:header>If-None-Match</proxy:header>
<proxy:header>If-Modified-Since</proxy:header>
<proxy:header>If-Unmodified-Since</proxy:header>
<proxy:header>Slug</proxy:header>
</proxy:headers>
<proxy:cookies>
<proxy:cookie>LtpaToken</proxy:cookie>
<proxy:cookie>LtpaToken2</proxy:cookie>
<proxy:cookie>JSESSIONID</proxy:cookie>
</proxy:cookies>
</proxy:policy>
<proxy:policy url="https://<HOSTNAME>:<PORT>/portal/*"
acf="none" basic-auth-support="true">
<proxy:actions>
<proxy:method>GET</proxy:method>
<proxy:method>POST</proxy:method>
</proxy:actions>
<proxy:headers>
<proxy:header>Cache-Control</proxy:header>
<proxy:header>Pragma</proxy:header>
<proxy:header>User-Agent</proxy:header>
<proxy:header>Accept*</proxy:header>
<proxy:header>Content*</proxy:header>
<proxy:header>If-Match</proxy:header>
<proxy:header>If-None-Match</proxy:header>
<proxy:header>If-Modified-Since</proxy:header>
<proxy:header>If-Unmodified-Since</proxy:header>
<proxy:header>Slug</proxy:header>
</proxy:headers>
<proxy:cookies>
<proxy:cookie>LtpaToken</proxy:cookie>
<proxy:cookie>LtpaToken2</proxy:cookie>
<proxy:cookie>JSESSIONID</proxy:cookie>
</proxy:cookies>
</proxy:policy>
You can copy the existing section and modify the relevant parts, like the URL. You might also consider further restricting, or allowing, HTTP headers and cookies.
See the following links for more information about the proxy-config.xml file structure: - Configuring elements of proxy-config.xml : Mashup Center 2.0?
- Configuring the Business Space Ajax proxy?
- Open a wsadmin session by running the following command from the profile_dir/bin directory:
wsadmin -lang jython
- For stand-alone servers, run the following command to upload the modified configuration to the server:
AdminTask.updateBlobConfig('[-serverName <SERVER_NAME> -nodeName <NODE_NAME> -propertyFileName"<PATH_TO_PROXY_CONFIG_XML" -prefix "Mashups_"]')
The following example shows this command:
AdminTask.updateBlobConfig('[-serverName server1 -nodeName PCNode1 -propertyFileName "C:/IBM/BPM/profiles/ProcCtr01/BusinessSpace/PCNode1/server1/mm.runtime.prof/config/proxy-config.xml" -prefix "Mashups_"]')
For a clustered environment, run the following wsadmin command:
AdminTask.updateBlobConfig('[-clusterName <CLUSER_NAME> -propertyFileName "<PATH_TO_PROXY_CONFIG_XML>" -prefix "Mashups_"]')
The CLUSTER_NAME must be the name of the cluster where Business Space is configured.
The following example shows this command:
AdminTask.updateBlobConfig('[-clusterName webCluster -propertyFileName "C:/IBM/BPM/profiles/Dmgr/BusinessSpace/webCluster/mm.runtime.prof/config/proxy-config.xml" -prefix "Mashups_" ]')
For more information about the updateBlobConfig command see the Configuring the Business Space Ajax proxy topic in the product documentation.
- Save the configuration and exit the wsadmin session:
AdminConfig.save()
exit
- For a stand-alone server, restart the server. For a clustered environment, synchronize the configuration changes to your nodes and restart the cluster that you used in Step 5.
- Review your configuration change in the WebSphere Administrative Console. To review the configuration, select the following menu options: Resources > Resource Environment > Resource environment providers > Mashups_BlobConfigService > Custom properties.
endpoint.xmlProduct Synonym
BPM
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg21570464