DPR-ERR-2079 Firewall Security Rejection.

[SGD]

Hi,

I am getting below error when I try to create datasource in FM or 'Data Source Connections' section in Cognos portal.

IBM Cognos 8


  An error has occurred.


   DPR-ERR-2079 Firewall Security Rejection. Your request was rejected by the security firewall. 

  CAF rejection details are available in the log. Please contact your administrator.

I have referred this https://www-304.ibm.com/support/docview.wss?uid=swg21339461 for the resolution of this issue but I have installed Cognos server on single machine.

There is only single Web & App Server and I have added the hostname:port entries for the same.

Any suggestion?

[AussiePete2011]

Hi there

What I'd suggest (if possible) is turn off caf just for testing so that you can see what the real error is.
Once you have the true error then work with this

If you cant and its a production environment, try testing via the dispatcher URI rather than the Gateway in your browser.

What database are you trying to connect to and what data source connection are you selecting?

Cheers
Peter B

[SGD]

Hi Peter,

I have already turned off CAF in Cognos Configuration and it started working temporarily however this is not a cognos standard to work with.

I am trying to connect to Oracle server which is installed on different server which is our Oracle database server. Actually this is SAN drive which we have map which acts as a local drive to Cognos server. TNS entries are also properly mentined in .ora file. I can connect with required database using Oracle SQL Plus from Cognos server.

I am selecting 'Oracle' as a datasource connection.

Please suggest.

[AussiePete2011]

Hi Shirish,

Thanks for the update.  I only suggested turning off CAF as a test and then only to see the underlying error, however, if turning off CAF allows this to work then the issue is likely to be a lookup issue as CAF encrypts the requests

See CAF
http://publib.boulder.ibm.com/infocenter/c8bi/v8r4m0/topic/com.ibm.swg.im.cognos.ug_cra.8.4.0.doc/ug_cra_id10940TheCognosApplicationFirewall.html#TheCognosApplicationFirewall

You could enable tracing of the CAF error
1.  Locate the ../<c8install>/configuration/ipfCAFclientconfig.xml.sample file
2.  Make a copy of this file
3.  Rename the copy to ipfclientconfig.xml
4.  Wait about a minute then test the data source connection with CAF on.
5.  Locate the ../<c8install>/logs folder and there shoulod now be a cogclient.log which should provide more details about the CAF error.

Make sure that
1.  All URI settings are using an Resolvable IP address or Server name
2.  The c8 services are started by a valid domain account.

Are you using Oracle as the Content store?  Is this able to connect successfully as this uses JDBC rather than SQLNet
I should also ask what version of Oracle are you attempting to connect to and on which version of Cognos...

Anyway there could be other issues with this but give the above some thought and provide fedback
Cheers
Peter B

[SGD]

Hi Peter,

My Cognos server is in Workgroup not in domain. I have made servername entries in Cognos configuration which works as expected. I am using Cognos 8.4 with SQL Server 2005 as a content store but Oracle 10g as data source for reports.

With CAF off, I am trying to connect to Oracle for creation of new datasource it shows me below error when I test the connection.

Name:

http://servername:9300/p2pd

Status:

Failed

Message:

Handler trace back: [the_dispatcher] com.cognos.pogo.handlers.performance.PerformanceIndicationHandler [the_dispatcher] com.cognos.pogo.handlers.logic.ChainHandler [service_lookup] com.cognos.pogo.handlers.engine.ServiceLookupHandler [load_balancer] com.cognos.pogo.handlers.logic.ChainHandler [lb_forwarder] com.cognos.p2plb.clerver.LoadBalanceHandler [mdaChainHandler] com.cognos.pogo.handlers.logic.ChainHandler [asyncMetadataServiceHandler] com.cognos.pogo.async.impl.AsyncHandler [metadataServiceHandler] com.cognos.metadataService.bibusHandler.MDSRVHandler

[SGD]

I get following error in cogserver.log file

IPaddress:9300   6120   2011-03-08 13:52:25.109   +10   Thread-80   caf   6008   1   Audit.dispatcher.caf   Request         Failure      check signature failed: passport => null
IPaddress:9300   6120   2011-03-08 13:52:25.109   +10      Thread-80   caf   6008   1   Audit.dispatcher.caf   Request         Failure      check signature failed: salted => true
IPaddress:9300   6120   2011-03-08 13:52:25.109   +10   Thread-80   caf   6008   1   Audit.dispatcher.caf   Request         Failure      invalid context id: context id => CAFW00000070Q0FGQTNjMDAwMDAwMDlGQUFBQUtacG00djVaQ3VmWUFzVFRXbWZ6cW80ZE9vclhtWFM1ZGRBWlFkMDFXVXJ2WDZXUnJGalBQQV8zNjA5ODZ8cHM_
IPaddress:9300   6120   2011-03-08 13:52:25.109   +10   Thread-80   caf   6008   1   Audit.dispatcher.caf   Request         Failure      check context id failed
IPaddress:9300   6120   2011-03-08 13:52:25.109   +10   Thread-80   caf   6008   1   Audit.dispatcher.caf   Request         Failure      check signature failed: string => 360986|ps
IPaddress:9300   6120   2011-03-08 13:52:25.109   +10   Thread-80   caf   6008   1   Audit.dispatcher.caf   Request         Failure      check signature failed: hmac => FAAAAKZpm4v5ZCufYAsTTWmfzqo4dOorXmXS5ddAZQd01WUrvX6WRrFjPPA_
IPaddress:9300   6120   2011-03-08 13:52:25.109   +10   Thread-80   caf   6008   1   Audit.dispatcher.caf   Request         Failure      unwrap and check signature failed: web64 decoded value => CAFA3c00000009FAAAAKZpm4v5ZCufYAsTTWmfzqo4dOorXmXS5ddAZQd01WUrvX6WRrFjPPA_360986|ps
IPaddress:9300   6120   2011-03-08 13:52:25.109   +10   Thread-80   caf   6008   1   Audit.dispatcher.caf   Request         Failure      context id signature check failed: unwrap context id =>

[AussiePete2011]

Thanks for the details.
This logs tells me there is a permission issue with the access to the location where you are read the database from using the Cognos credentials.
When CAF is on the account creating the data source is failing to pass the session information

This is a good link to understand Authentication across the network with CAF
http://www.ibm.com/developerworks/data/library/cognos/security/cognos8_platform/page511.html?ca=drs-

Out of curiousity, are you able to make an ODBC connection to the Oracle database?

Cheers
Peter B

[SGD]

No, I have not tried to connect ODBC connection with Oracle. Could you please guide me how can I create and test the same?

[SGD]

I have uninstalled Cognos and reinstalled to the same SAN drive where Oracle is installed and it allowed me to create new Oracle data source connection keeping CAF off in Cognos Configuration.  :o

[AussiePete2011]

Hi Shirish,

Sorry about the delay... you know.. work got in the way ;-)

Anyway thats interesting in that you installed Cognos to the SAN and it allows a connection to succeed although this was also the case with having Cognos installed else where with the CAF off.  With Cognos now installed on the SAN, can you successfully test a connection to Oracle with CAF on?

Cheers
Peter B

[SGD]

No, it does not work with CAF 'ON' with Cognos installed on SAN drive and shows same error as mentioned at start of the post.  :(

[vybhav1908]

Hello SGD

Are you able to get rid of this issue? I am on 10.2.1 and getting the exact same issue, disabled the siteminder, ssl still no good. I get the error on Cognos Connection wherever I click "More", "Set Properties", "Test Connection" etc. I am also getting the same errors in the CAF logs. Please advise.

Vaibhav

[gvsp]

Hi , I too got same firewall security rejection error while opening the Report studio. To have this issue fixed, I have uninstalled CISCO anyconnect. Now, i am good to go with.

Thank you,
GVSP