Troubleshooting
Problem
Kerberos-based SSO to IBM Cognos BI deployed to Apache Tomcat through a Gateway deployed on IIS fails reproducibly for some, but not all, users. The same SSO setup worked with older versions of IBM Cognos BI (8.4.x) in the same environment. The issue can occur due to a change in the Tomcat server configuration introduced as of IBM Cognos BI 10.x. It potentially applies to IBM Cognos BI deployed to other application servers as well.
Symptom
Kerberos-based SSO to IBM Cognos BI deployed to Apache Tomcat through a Gateway deployed on IIS fails reproducibly for some, but not all, users.
The affected users get an "HTTP 400 Bad Request" error in the browser
or even
"The IBM Cognos gateway is unable to connect to the IBM Cognos BI server. The server may be unavailable or the gateway may not be correctly configured."
- Without SSO the affected users can authenticate without issue.
- SSO worked with older versions of IBM Cognos BI (8.4.x) in the very same environment.
- The affected users are members of many groups/roles in the AD.
Cause
For Kerberos-based SSO, IBM Cognos BI runs through a Kerberos delegation protocol. During this process the user's Kerberos token is eventually transmitted between the IBM Cognos BI Gateway component and the IBM Cognos BI Content Manager component as a protected HTTP header. If a user belongs to many AD groups, that Kerberos token can become large and adds to the size of the HTTP headers, which can then exceed the maximum HTTP header size configured for the application server.
Due to code changes in IBM Cognos 10 BI, the requests exchanged internally during the SSO handshake have grown in size. A large Kerberos token makes them exceed the configured threshold.
Environment
IBM Cognos BI 10.x Gateway deployed to Microsoft Internet Information Services.
IBM Cognos BI 10.x configured for Authentication using an Active Directory Namespace configured for Kerberos based SSO (default)
IBM Cognos BI deployed to Apache Tomcat (or any other supported Application server) which enforces a limit to the HTTP header size.
Diagnosing The Problem
- Ensure the affected users can authenticate without error when SSO is not used (by disabling SSO or accessing the Dispatcher URI directly).
- Enable the Gateway trace and scan the logs for entries like:
ERROR t:6688 HTTPException. details: <Exception
Name="HTTPException" Error="1009" Severity="Error"><Messages><Message
Name="CCLMessage" File="" Severity="Error" Nesting="0"
><MessageText><Message Name="CCLMessage" File="" Severity="Error"
Nesting="0" ><MessageComponents ID="0000"
></MessageComponents></Message></MessageText></Message></Messages><TraceInfo>
<Trace Text="httpclient.cpp(168): HTTPException: CCL_THROW: int
HTTPClient::readHTTPResponseLine(IBJBufferedInputStream &is,
CSTD_STD_NAME::string& sResponseLine )" /></TraceInfo></Exception>
19:30:37.152 - 4984 ERROR t:6688 HTTPException in
communicateWithDispatcher()
Resolving The Problem
- Stop IBM Cognos BI
- Create backup of <COG_ROOT>\tomcat\conf\server.xml.
- Open the file in an editor and locate the Connector element:
<Connector port="19300" protocol="HTTP/1.1" maxThreads="500"
enableLookups="true" acceptCount="500" debug="0"
connectionTimeout="60000"
disableUploadTimeout="true" maxHttpHeaderSize="16384"
maxProcessors="500"
minProcessors="5" useURIValidationHack="false"/>
- Change maxHttpHeaderSize to 32768 and save the file.
- Restart IBM Cognos BI
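A check for the Tomcat change above, as an added example that is not part of the original technote or of IBM's tooling: it reports each HTTP Connector's effective maxHttpHeaderSize and returns the server.xml text with too-small or missing values raised to 32768. The sample XML, the second connector on port 19301, the function names and Tomcat's default of 8192 bytes for a missing attribute are assumptions.

```python
import re
import xml.etree.ElementTree as ET

REQUIRED = 32768        # value the steps above set
TOMCAT_DEFAULT = 8192   # assumption: Tomcat's default when the attribute is absent

# Constructed sample: first Connector copied from this page, second hypothetical.
SAMPLE = """<Server><Service name="Catalina">
<Connector port="19300" protocol="HTTP/1.1" maxThreads="500"
 enableLookups="true" acceptCount="500" debug="0"
 connectionTimeout="60000"
 disableUploadTimeout="true" maxHttpHeaderSize="16384"
 maxProcessors="500"
 minProcessors="5" useURIValidationHack="false"/>
<Connector port="19301" protocol="HTTP/1.1"/>
</Service></Server>"""

def audit_connectors(xml_text, required=REQUIRED):
    """Return (port, effective_limit, ok) for each HTTP Connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if "http" not in conn.get("protocol", "HTTP/1.1").lower():
            continue  # non-HTTP connectors (e.g. AJP) are out of scope here
        limit = int(conn.get("maxHttpHeaderSize", TOMCAT_DEFAULT))
        findings.append((conn.get("port"), limit, limit >= required))
    return findings

def raise_limit(xml_text, required=REQUIRED):
    """Return the text with too-small or missing limits set to `required`.

    Edits the raw text so comments and layout survive; never lowers a value.
    """
    def fix(match):
        tag = match.group(0)
        proto = re.search(r'protocol\s*=\s*"([^"]*)"', tag)
        if proto and "http" not in proto.group(1).lower():
            return tag
        cur = re.search(r'maxHttpHeaderSize\s*=\s*"(\d+)"', tag)
        if cur is None:
            return tag.replace("<Connector", f'<Connector maxHttpHeaderSize="{required}"', 1)
        if int(cur.group(1)) < required:
            return tag.replace(cur.group(0), f'maxHttpHeaderSize="{required}"', 1)
        return tag
    return re.sub(r"<Connector\b[^>]*>", fix, xml_text)

if __name__ == "__main__":
    for port, limit, ok in audit_connectors(SAMPLE):
        print(f"port {port}: maxHttpHeaderSize={limit} {'OK' if ok else 'TOO SMALL'}")
```

Run it against a copy of server.xml and compare the result with the backup before replacing the live file.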
For IBM Cognos BI Application Tier Components and Content Manager deployed to other application servers, consult the documentation to identify the parameter controlling the HTTP header size.
- Stop IBM Cognos BI
- Increase the identified parameter to 32768.
- Restart IBM Cognos BI
Document Information
Modified date:
15 June 2018
UID
swg21516226