Configuring IBM Cognos components to use IBM Cognos Application Firewall

Using IBM® Cognos® Configuration, you can change the settings that support other cross-site scripting (XSS) tools, and you can add host and domain names to the IBM Cognos list of valid names.


  1. Start IBM Cognos Configuration in each location where Application Tier Components are installed.
  2. In the Explorer window, under Security, click IBM Cognos Application Firewall.
  3. In the Properties window, for the Enable CAF validation property, set the appropriate values.

    By default, IBM Cognos Application Firewall is enabled.

    Important: The IBM Cognos Application Firewall is an essential component of IBM Cognos security, helping to provide protection against penetration vulnerabilities. Disabling the IBM Cognos Application Firewall will remove this protection. Under normal circumstances, do not disable the IBM Cognos Application Firewall.
  4. If you are using another XSS tool that checks for specific characters in GET request parameters, in the Properties window, for the Is third party XSS checking enabled property, change the value to True.

    For SiteMinder, when this property is set to True, the default values for BadURLChars and BadCSSChars are masked by Cognos Analytics. The HTTP verbs PUT and DELETE are also masked.

    Examples of BadURLChars and BadCSSChars include a tilde (~), a period (.), a period followed by a forward slash (./), and a greater-than sign (>). For more information, see the SiteMinder documentation.

  5. Add host and domain names to the IBM Cognos list of valid names:
    • For the Valid domains and hosts property, click the value and then click the edit icon.
    • In the Value - Valid domains or hosts dialog box, click Add.

      You must include the domains from all hyperlinks that are added in the portal. For more information, see the topic about creating a URL in the IBM Cognos Analytics Administration and Security Guide.

      Tip: If you are using drill-through from IBM Cognos Series 7 to reports in IBM Cognos Analytics, add the host names of the IBM Cognos Series 7 gateway servers to the list.
    • In the blank row of the table, click and then type the host or domain name.

      To allow a domain and all its sub-domains, use a wildcard character at the beginning of the domain name. For example, *

      If you are using the collaboration features with IBM Connections, you must add the host, domain, and port number for the IBM WebSphere® profile where you have installed IBM Connections. For example, if you installed IBM Connections on a computer named myserver, and your domain is, you would add, where 9080 is the IBM WebSphere port number on which IBM Connections is running.

    • Repeat the previous two bulleted steps for each name to be added.
    • Click OK.
    IBM Cognos Application Firewall validates domain and host names to protect URLs that are created. By default, IBM Cognos Application Firewall considers domain names derived from the environment configuration properties to be safe domain names. Adding names to the list of valid names and hosts is useful when you need to redirect requests to non-IBM Cognos computers using the Back or Cancel functions or when using drill-through to different IBM Cognos product installations.
  6. Save the configuration.
  7. Restart the services.
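
Before you fill in the Valid domains and hosts list in step 5, it helps to check that every hyperlink used in the portal is covered by an entry. The following script is an added example, not IBM code and not the IBM Cognos Application Firewall matching logic. It assumes that a wildcard entry has the form `*.domain` and covers the domain and its sub-domains, and that an entry with a port covers only that port; all host names and links are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample data: planned list entries and hyperlinks found in the portal.
VALID_ENTRIES = ["*.example.com", "connections.example.net:9080"]
PORTAL_LINKS = [
    "https://reports.example.com/sales",
    "https://example.com/",
    "http://connections.example.net:9080/profiles",
    "http://connections.example.net/profiles",
    "https://example.com.example.org/login",
    "https://notexample.com/",
    "/relative/page",
]

def split_entry(entry):
    """Split a list entry into (pattern, port); port is None when absent."""
    entry = entry.strip().lower()
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return entry, None

def entry_covers(entry, host, port):
    """Assumed semantics: '*.d' covers d and its sub-domains; any other
    entry must equal the host; an entry with a port covers only that port."""
    pattern, entry_port = split_entry(entry)
    if entry_port is not None and entry_port != port:
        return False
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        # Match on a label boundary so 'notexample.com' is not accepted.
        return host == base or host.endswith("." + base)
    return host == pattern

def uncovered_links(links, valid_entries):
    """Return the absolute links whose host is not covered by any entry."""
    missing = []
    for link in links:
        parts = urlsplit(link)
        if parts.hostname is None:
            continue  # relative link: no external host to list
        port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
        if not any(entry_covers(e, parts.hostname, port) for e in valid_entries):
            missing.append(link)
    return missing

if __name__ == "__main__":
    for link in uncovered_links(PORTAL_LINKS, VALID_ENTRIES):
        print("not covered by the planned list:", link)
```

Each link that the script reports needs either its own entry in the list or removal from the portal.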