Disable Cognos Login Page over HTTP

Started by bpm, 15 Nov 2024 12:45:11 PM

bpm

We run our Cognos analytics machines behind a load balancer, but a pentest conducted recently shows the login page being served up over HTTP/port 80. Is there a way within Cognos to disable the login page being served over HTTP and instead only served over HTTPS? Normally, our load balancer has taken care of this for us by redirecting HTTP requests for the /bi/? endpoint to HTTPS, but the pentesters had access behind the load balancer and insist that the login page must not be accessible over HTTP.

We are using Cognos 11.1.7 FP4 IF8

dougp

I think we need more specifics about your environment.  What is receiving the request?  Is it a Cognos gateway, or is something else (like IIS) in front of it?  SSO?  What happens when you request http://cognosserver:9300?  Are any of your URIs in Cognos Configuration still using http?

When you say "load balancer", that's not load balancing in Cognos Analytics, right?  That's something like NetScaler?

I use SSO through IIS, have configured IIS to use https, have a rewrite rule to change http to https, have installed SSL certificates in Cognos Analytics, and changed all of the URIs to https in Cognos Configuration.  I'm not a pen tester, but I don't see any way someone using a web browser can get to anything in my environment using http.

bpm

Hi dougp,

The load balancer is an AWS ALB. We have a load balancer in front of our Cognos gateway servers. The Cognos gateway servers are running on EC2 MS Windows Server 2016 instances as provided by AWS. When our main application requests a Cognos report, the app communicates with Cognos strictly through the ALB over https. This is not a problem, even from our overly scrupulous pentesters.

If I run the cogconfig application, under Local Configuration\Environment, both the Dispatcher URI for gateway (p2pd/servlet/dispatch/ext) and the Controller URI for gateway (ibmcognos/controllerServer) are using HTTP.

All that to say that this scenario is a hypothetical dreamed up by our pentesters and they are insistent that we "fix" this. We terminate HTTPS at load balancers, per AWS recommendations. What is happening is the pentesters are able to get onto the EC2 instances behind the AWS ALB, and when they request http://localhost/bi they are served the Cognos Analytics logon page over HTTP, and claim that the credentials could be sniffed out over HTTP. This would never happen of course because the only people who can login to the server with a powerful set of credentials would definitely not waste time going into an EC2 instance to do so; we'd just use the Load balancer URL!

dougp

> both the Dispatcher URI for gateway (p2pd/servlet/dispatch/ext) and controller URI for gateway (ibmcognos/controllerServer) are using HTTP.

What about the other URIs?


So what you're saying is that the pen testers have determined that anyone on the planet can get into the EC2 instances behind the AWS ALB.  I'm just a Cognos guru, so I don't know what all of that means, but it sounds bad.
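A defender-side check for the two things this thread turns on (URIs in Cognos Configuration that are still on http, and whether a plain-HTTP request to the logon endpoint is redirected to https or actually answered with the page), as an added example that is not part of the original posts or of Cognos itself. The URI names and values are a constructed sample, and `probe_logon_endpoint` is an assumed helper meant to be run from a host that can reach the gateway directly, as the pentesters did.

```python
import urllib.request
import urllib.error
from urllib.parse import urlsplit

# Constructed sample of "Environment" URIs as bpm describes them: the two
# gateway-facing URIs still on http, the rest already on https. These are
# assumed values, not read from a real cogstartup.xml.
SAMPLE_URIS = {
    "Gateway URI": "https://cognos.example.internal/ibmcognos/bi/v1/disp",
    "Dispatcher URI for gateway": "http://cognosserver:9300/p2pd/servlet/dispatch/ext",
    "Controller URI for gateway": "http://cognosserver:9300/ibmcognos/controllerServer",
    "External dispatcher URI": "https://cognosserver:9300/p2pd/servlet/dispatch",
}


def find_http_uris(uris):
    """Return, sorted, the names of configured URIs whose scheme is plain http."""
    return sorted(name for name, value in uris.items()
                  if urlsplit(value).scheme.lower() == "http")


def classify_plain_http_response(status, headers, body):
    """Classify what a plain-HTTP request to the logon endpoint got back.

    'redirect-to-https' : 3xx whose Location is https (rewrite rule in place)
    'redirect-to-http'  : 3xx that stays on http (misconfigured redirect)
    'served-over-http'  : 2xx, i.e. the page itself came back over http
    'other'             : anything else (4xx/5xx, 3xx without Location)
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:
        scheme = urlsplit(hdrs["location"]).scheme.lower()
        return "redirect-to-https" if scheme == "https" else "redirect-to-http"
    if 200 <= status < 300:
        return "served-over-http"
    return "other"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx to the caller instead of following it


def probe_logon_endpoint(url, timeout=5):
    """Fetch e.g. http://localhost/bi without following redirects and classify it."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
            return classify_plain_http_response(resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError as err:  # urllib raises for the unfollowed 3xx
        return classify_plain_http_response(err.code, dict(err.headers), "")
```

Anything other than `redirect-to-https` from the probe, or a non-empty list from `find_http_uris`, is the condition the pentesters flagged.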