Embedding or sharing links to Cognos Analytics reports and dashboards

To allow links to Cognos Analytics reports and dashboards on Cloud Pak for Data, set up a reverse proxy to secure your Cloud Pak for Data server.

With Cognos Analytics, you can embed or share links to your reports and dashboards. When your users follow a link to a report or dashboard on a Cognos Analytics instance that is running on Cloud Pak for Data, those users must log in to Cloud Pak for Data before they can view your reports or dashboards. That is, anonymous access to Cloud Pak for Data is not allowed. In addition, for security purposes, Cloud Pak for Data does not allow embedded links in a web page with a different fully qualified domain name (FQDN).

If you are running Cloud Pak for Data in your own data center, you might also want to embed or share links by using any of the following methods:

  • Use the HTML iFrame embedded element in an internal web page.
  • Embed reports and dashboards in web pages on other internal domains.
  • Show a different internal domain for embedded or shared links to hide your Cloud Pak for Data applications and Cognos Analytics instances from your users.

To embed or share links to your reports and dashboards without any of these issues, use a reverse proxy in front of the Cloud Pak for Data OpenShift® route in the control plane namespace. You can configure the reverse proxy on a web server to secure your Cloud Pak for Data server in the following ways:

  • Hide the real URL to access Cloud Pak for Data from your users by making it appear as if the proxy server is hosting Cloud Pak for Data.
  • Configure third-party authorization to allow access to Cloud Pak for Data as a certain user account to imitate anonymous access by any user.
  • Allow access to a limited number of Cognos Analytics URLs in certain projects.
  • Configure a web server in a different domain with a content security policy to allow the proxy URL to the shared report or dashboard.

The steps to configure a reverse proxy are based on the following assumptions:

  • The control plane namespace for Cloud Pak for Data is cpd-instance.
  • A route was created on Cloud Pak for Data for the ibm-nginx-svc service so the entrypoint to Cloud Pak for Data is cpd-cpd-instance.apps.example.com. The route has a termination type of reencrypt and has a valid Destination CA Certificate entry.
  • The Cognos Analytics instance is provisioned in a separate tethered namespace (PROJECT_CPD_INSTANCE_TETHERED) and you can access Cognos Analytics by using the following URL: https://cpd-cpd-instance.apps.example.com/cognosanalytics/PROJECT_CPD_INSTANCE_TETHERED/bi/
  • Users in Cloud Pak for Data were granted access to the Cognos Analytics instance in the PROJECT_CPD_INSTANCE_TETHERED namespace by using Cloud Pak for Data user management to add these users into the Cognos Analytics groups and roles.
  • IAM is not enabled in Cloud Pak for Data.
  • Users that access the specific Cognos Analytics instance in the PROJECT_CPD_INSTANCE_TETHERED namespace do not have access to the other Cloud Pak for Data services or instances from this proxy server.
  • TLS 1.2 is enabled in all servers.

  1. Copy the Destination CA Certificate of the route for https://cpd-cpd-instance.apps.example.com/cognosanalytics/PROJECT_CPD_INSTANCE_TETHERED/bi/ to the /etc/ssl/certs/cpd-cpd-instance.crt file.
  2. Add the following locations into the https server section of the nginx web server.
    # This location allows access to Cognos Analytics in the PROJECT_CPD_INSTANCE_TETHERED tethered namespace only
    location ~ ^/cognosanalytics/PROJECT_CPD_INSTANCE_TETHERED/(.*)$ {
        # With proxy_ssl_verify off, nginx does not validate the backend certificate,
        # so the file in proxy_ssl_trusted_certificate is not consulted.
        proxy_ssl_verify off;
        proxy_set_header Host cpd-cpd-instance.apps.example.com;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_server_name on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/cpd-cpd-instance.crt;
        client_body_buffer_size 3m;
        client_max_body_size 100m;
        proxy_pass https://backend/cognosanalytics/PROJECT_CPD_INSTANCE_TETHERED/$1$is_args$args;
    }

    # The following three locations allow CPD users to access login pages to authenticate:
    location ~ ^/zen-(.*)$ {
        proxy_ssl_verify off;
        proxy_set_header Host cpd-cpd-instance.apps.example.com;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_server_name on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/cpd-cpd-instance.crt;
        proxy_pass https://backend/zen-$1$is_args$args;
    }

    location ~ ^/auth/(.*)$ {
        proxy_ssl_verify off;
        proxy_set_header Host cpd-cpd-instance.apps.example.com;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_server_name on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/cpd-cpd-instance.crt;
        proxy_pass https://backend/auth/$1$is_args$args;
    }

    location ~ ^/v1/preauth/(.*)$ {
        proxy_ssl_verify off;
        proxy_set_header Host cpd-cpd-instance.apps.example.com;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_server_name on;
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/cpd-cpd-instance.crt;
        proxy_pass https://backend/v1/preauth/$1$is_args$args;
    }

    # This is added into nginx configuration at the same level as the server section:

    upstream backend {
        server cpd-cpd-instance.apps.example.com:443;
    }
  3. Log in to Cloud Pak for Data at https://cpd-cpd-instance.apps.example.com/cognosanalytics/PROJECT_CPD_INSTANCE_TETHERED/bi/.

    Use the provisioning user Admin or another member of the Analytics Administrators or System Administrators roles.

  4. Click Manage > Configuration > System settings and edit the Logout redirect URL parameter.

    Replace the hostname in https://cpd-cpd-instance.apps.example.com/auth/doLogout with the hostname of the proxy web server.

    For example, if your proxy server is named myproxy, specify the following URL: https://myproxy.example.com/auth/doLogout
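
The following is an added example, not part of the original page or of IBM's configuration: the Cognos Analytics location from step 2 with verification of the backend certificate turned on, plus a catch-all location that refuses every path without an explicit location. It assumes the proxy is myproxy.example.com, that the certificate and key paths for the proxy (hypothetical) exist, and that /etc/ssl/certs/cpd-cpd-instance.crt holds the CA chain that issued the certificate the backend presents on port 443.

```nginx
# Added example; not IBM's configuration.
upstream backend {
    server cpd-cpd-instance.apps.example.com:443;
}

server {
    listen 443 ssl;
    server_name myproxy.example.com;
    ssl_certificate     /etc/ssl/certs/myproxy.crt;     # hypothetical path
    ssl_certificate_key /etc/ssl/private/myproxy.key;   # hypothetical path
    ssl_protocols TLSv1.2;

    location ~ ^/cognosanalytics/PROJECT_CPD_INSTANCE_TETHERED/(.*)$ {
        # Validate the backend certificate chain and host name.
        proxy_ssl_verify on;
        # Raise if the chain has more than one intermediate CA.
        proxy_ssl_verify_depth 2;
        # Assumption: this file holds the CA chain that issued the
        # certificate the backend presents on port 443.
        proxy_ssl_trusted_certificate /etc/ssl/certs/cpd-cpd-instance.crt;
        # proxy_pass points at the upstream group "backend", so the name
        # that nginx verifies and sends as SNI would default to "backend".
        # Pin it to the real host name of the route.
        proxy_ssl_name cpd-cpd-instance.apps.example.com;
        proxy_ssl_server_name on;
        proxy_ssl_protocols TLSv1.2;

        proxy_set_header Host cpd-cpd-instance.apps.example.com;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_body_buffer_size 3m;
        client_max_body_size 100m;
        proxy_pass https://backend/cognosanalytics/PROJECT_CPD_INSTANCE_TETHERED/$1$is_args$args;
    }

    # The /zen-, /auth/ and /v1/preauth/ locations from step 2 take the same
    # four proxy_ssl_verify / verify_depth / trusted_certificate / name lines.

    # Any path without an explicit location is refused, so only the
    # allowed Cloud Pak for Data URLs are reachable through the proxy.
    location / {
        return 404;
    }
}
```

Run `nginx -t` after the change; if verification fails at request time, nginx returns 502 and records the upstream SSL certificate verify error in the error log.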

A reverse proxy is not the only mechanism for accessing the Cognos Analytics instance in Cloud Pak for Data. All the original security is still required; however, using a reverse proxy means that you can easily embed Cognos Analytics reports and dashboards in pages with the example.com domain.

For example, another web server myotherserver.example.com might have a web page with an iFrame element that embeds a Cognos Analytics dashboard. A content security policy for myotherserver.example.com would allow URLs in an iFrame element for myproxy.example.com, and not show the URL directly to the Cognos Analytics instance.