Embedding or sharing links to Cognos Analytics reports and dashboards
To allow links to Cognos Analytics reports and dashboards on Cloud Pak for Data, set up a reverse proxy to secure your Cloud Pak for Data server.
About this task
With Cognos Analytics, you can embed or share links to your reports and dashboards. When your users follow a link to a report or dashboard on a Cognos Analytics instance that is running on Cloud Pak for Data, those users must log in to Cloud Pak for Data before they can view your reports or dashboards. That is, anonymous acccess to Cloud Pak for Data is not allowed. In addition, for security purposes, Cloud Pak for Data does not allow embedded links in a web page with a different fully qualified domain name (FQDN).
If you are running Cloud Pak for Data in your own data center, you might also want to embed or share links by using any of the following methods:
- Use the HTML iFrame embedded element in an internal web page.
- Embed reports and dashboards in web pages on other internal domains.
- Show a different internal domain for embedded or shared links to hide your Cloud Pak for Data applications and Cognos Analytics instances from your users.
To embed or share links to your reports and dashboards without any of these issues, use a reverse proxy in front of the Cloud Pak for Data OpenShift® route in the control plane namespace. You can configure the reverse proxy on a web server to secure your Cloud Pak for Data server in the following ways:
- Hide the real URL to access Cloud Pak for Data from your users by making it appear as if the proxy server is hosting Cloud Pak for Data.
- Configure third-party authorization to allow access to Cloud Pak for Data as a certain user account to imitate anonymous access by any user.
- Allow access to a limited number of Cognos Analytics URLs in certain projects.
- Configure a web server in a different domain with a content security policy to allow the proxy URL to the shared report or dashboard.
The following steps to configure a reverse proxy are based on the following assumptions:
- The control plane namespace for Cloud Pak for Data is
cpd-instance
. - A route was created on Cloud Pak for Data for the
ibm-nginc-svc service so the entrypoint to Cloud Pak for Data is
cpd-cpd-instance.apps.example.com
. The route has a termination type ofreencrypt
and has a validDestination CA Certificate
entry. - The Cognos
Analytics instance is provisioned in a
separate tethered namespace (
PROJECT_CPD_INSTANCE_TETHERED
) and you can access Cognos Analytics by using the following URL:https://cpd-cpd-instance.apps.example.com/cognosanalytics/PROJECT_CPD_INSTANCE_TETHERED/bi/
- Users in Cloud Pak for Data were granted access to the
Cognos
Analytics instance in the
PROJECT_CPD_INSTANCE_TETHERED
namespace by using Cloud Pak for Data user management to add these users into the Cognos Analytics groups and roles. - IAM is not enabled in Cloud Pak for Data.
- Users that access the specific Cognos
Analytics
instance in the
PROJECT_CPD_INSTANCE_TETHERED
namespace do not have access to the other Cloud Pak for Data services or instances from this proxy server. - TLS 1.2 is enabled in all servers.
Procedure
What to do next
Reverse proxy is not the only mechanism to access the Cognos
Analytics instance in Cloud Pak for Data. All the original security is still required;
however, using a reverse proxy means that you can easily embed Cognos
Analytics reports and dashboards in pages with the
example.com
domain.
For example, another web server myotherserver.example.com
might have a web page
with an iFrame element that embeds a Cognos
Analytics
dashboard. A content security policy for myotherserver.example.com
would allow URLs
in an iFrame element for myproxy.example.com
, and not show the URL directly to the
Cognos
Analytics instance.