There are many installation scenarios that can cause TRIRIGA reports, especially BIRT reports, to fail to export due to a timeout. Microsoft Excel exports are often where the failure shows up, because all of the file formatting happens during export.
Let’s focus on WebSphere Liberty installations, but this recommendation can be used for other web servers with some tweaks. Mostly, this is related to timeout settings, especially for HTTPS (SSL/TLS) connections. A good troubleshooting test is to perform the same action in a non-HTTPS (HTTP) connection. Does the report export? If so, take note of the time needed to export it and plan to extend the timeout in the HTTPS connection to at least double the time.
Refer to the IBM Knowledge Center > WebSphere Liberty > HTTP Endpoint topic. Look for the “sslOptions”, and also double-check the “httpOptions”, for timeouts.
[Admin: This post is related to the 04.20.17 post about setting the TRIRIGA session expiration warning in the portal. To see other related posts, use the Timeout tag.]
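The check described above (measure the export over HTTP, then make the HTTPS timeouts at least double that) can be run against a Liberty server.xml. This is an added example, not code from the post or from IBM. The XML is a constructed sample, and the choice of `readTimeout`, `writeTimeout` and `sessionTimeout` as the attributes to inspect is an assumption of this sketch.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the post or from any real installation.
SAMPLE_SERVER_XML = """<server>
  <httpEndpoint id="defaultHttpEndpoint" host="*" httpsPort="9443">
    <httpOptions readTimeout="60s" writeTimeout="60s"/>
    <sslOptions sessionTimeout="2m"/>
  </httpEndpoint>
</server>"""

# Timeout attributes examined per options element (assumption of this example).
TIMEOUT_ATTRS = {"httpOptions": ("readTimeout", "writeTimeout"),
                 "sslOptions": ("sessionTimeout",)}
UNIT_SECONDS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}

def to_seconds(value):
    """Convert a Liberty duration such as '90s' or '1m30s' to seconds."""
    value = value.strip()
    if value.isdigit():  # assumption: a bare number is read as seconds
        return int(value)
    parts = re.findall(r"(\d+)(ms|[smhd])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unrecognised duration: {value!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)

def options_for(root, endpoint, tag):
    """Nested options plus any top-level element named by httpOptionsRef/sslOptionsRef."""
    found = endpoint.findall(tag)
    ref = endpoint.get(tag + "Ref")
    if ref:
        found += [e for e in root.findall(tag) if e.get("id") == ref]
    return found

def audit_timeouts(server_xml, http_export_seconds):
    """Return explicitly set timeouts shorter than double the HTTP export time."""
    required = 2 * http_export_seconds
    root = ET.fromstring(server_xml)
    findings = []
    for endpoint in root.iter("httpEndpoint"):
        for tag, attrs in TIMEOUT_ATTRS.items():
            for options in options_for(root, endpoint, tag):
                for attr in attrs:
                    raw = options.get(attr)
                    if raw is not None and to_seconds(raw) < required:
                        findings.append((endpoint.get("id"), tag, attr, raw))
    return findings

if __name__ == "__main__":
    for finding in audit_timeouts(SAMPLE_SERVER_XML, http_export_seconds=45):
        print("too short for a 45 s export:", finding)
```

Attributes that are not set in server.xml are skipped, so the server's built-in defaults still need to be compared against the measured time by hand.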
How do you determine what is the best mobile solution for your enterprise that will enable users to get the data and functionality they need? What software will integrate smoothly, assimilate large amounts of data, comply with your security requirements, give the end users an engaged experience, and ultimately make your business more effective and efficient?
Here are the answers to the top questions asked at the FieldFLEX booth during the recent IBM InterConnect 2017 conference.
What is the security level with the FieldFLEX mobile app?
At the device level, all data is encrypted for transport to and from the server over SSL. Any data stored on the mobile device resides in an encrypted mobile database. The FieldFLEX server stores no data. User access is controlled by username and password authentication or through mobile device management platform…
What back-end systems does FieldFLEX integrate with?
Our mobile platform integrates with IBM TRIRIGA, Maximo, and a variety of other products. It is the single mobile solution for corporate real estate, condition assessment, facilities management, operations, lease and capital projects…
How are drawings published?
Mobile drawings can be published directly from your AutoCAD or Revit floor plans. Customers can choose published content which offers layering visibility control. FieldFLEX drawing publisher reduces the CAD file size by up to 90% to improve download speed and performance in the mobile apps…
[Admin: To see other related posts, use the FieldFLEX tag.]
Does TRIRIGA support TLS 1.1 or TLS 1.2 or SSL? If yes, what steps do I need to take to make TRIRIGA use one of these protocols?
From a TRIRIGA perspective, TLS and SSL are provided by certificate technology for security and use HTTPS URLs. TRIRIGA works with HTTPS (see "Does IBM TRIRIGA support HTTPS, SSL and TLS?"). As a result, TRIRIGA can be used with TLS and SSL, regardless of the version.
There is no TLS or SSL configuration necessary within TRIRIGA. If TLS 1.1 or TLS 1.2 or SSL is properly configured through your application server and web server, TRIRIGA can be used with it. TLS and SSL are security configurations using certificate installs that exist outside of TRIRIGA. The TRIRIGA Support team cannot assist with environmental configurations of these technologies. Clients should work with their application server vendors (e.g., WebSphere, WebLogic) as well as other infrastructure-related technologies (e.g., web servers, load balancers, etc.) to properly configure these.
[Admin: This post is related to the 09.30.14 post about whether TRIRIGA supports HTTPS, SSL, and TLS, and the 04.10.17 technote about TLS, SSL, and HTTP.]
If you are going to upgrade IBM TRIRIGA Platform or IBM TRIRIGA Portfolio Data Manager (Application), you might want to review the following checklist:
- (CK01) Third party considerations…
- (CK02) Sizing recommendations…
- (CK03) Preparing the environment…
- (CK04) Upgrading the platform…
- (CK05) Upgrading the application…
- (CK06) Tuning your product…
- (CK07) High availability considerations…
- (CK08) SSO & seamless login information…
- (CK09) TLS & SSL (HTTPS) support…
[Admin: This post is related to the 12.15.15 post about the latest 3.5.0 upgrade documentation, and the 06.16.15 post about the latest 3.4.2 upgrade documentation.]
We were recently asked for guidance on setting up Secure Sockets Layer (SSL) between the TRIRIGA application and TRIRIGA database. Although this may be technically possible, setting up SSL between the TRIRIGA application and TRIRIGA database is not recommended and it is not supported by IBM TRIRIGA Support. If you have a need for enhanced security for your IBM TRIRIGA solution, please contact IBM TRIRIGA Support for assistance. We will work with you to offer supported solutions that meet your needs.
[Admin: The same article is also posted in the Watson IoT Support blog. This post is related to the 09.30.14 post about supporting HTTPS, SSL, and TLS.]
The IBM TRIRIGA single sign-on (SSO) troubleshooting guide is found on the Troubleshooting SSO wiki page, under the SSO parent wiki page, in our IBM TRIRIGA developerWorks wiki.
Troubleshooting single sign-on
The single most important resource to use from the TRIRIGA Platform perspective is the requestTest.jsp page. This is a page internal to the TRIRIGA platform that will display the different areas of the HTTP header, and allow you to debug and set the third-party configuration correctly… Here are some issues that are known to occur with single sign-on, for example, if it is not configured properly.
- Invalid username or password error…
- Map labels are shown only in English…
- HTTP requests are no longer forwarded to TRIRIGA…
- Adding SSL/HTTPS into the mix…
- CA SiteMinder…
- CAD Integrator error reporting with IIS 7…
[Admin: This post is related to the 05.29.15 post about the latest information on TRIRIGA single sign-on (SSO), and the 04.06.16 post about performance issues seen with SSO-enabled environments. To see other related posts, use the SSO tag.]
When trying to log in to CAD Integrator (CI), we get a generic error: https:// secure site, SSL related. We had recently upgraded to TRIRIGA Platform 220.127.116.11 and are running CAD Integrator 12.1.1. We have taken a patch for 18.104.22.168 to get the option to “Always Trust SSL Certificates”. But that did not resolve our login issue.
When attempting to log in to CI, it is reporting a login failure:
2016-02-20 12:42:16,855 ERROR [com.tririga.ci.login.LoginServiceImpl](pool-1-thread-6) Login failed: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://FRONT_END_SERVER:443/pc/ci/dispatch":peer not authenticated; nested exception is javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
The cause is a mismatch in the TLS protocol version configured on the client and the server. We requested that the customer provide us with a MustGather summary for our extended team to review the WebSphere configuration. Following the instructions for “Collecting Data Manually”, we were able to identify the mismatch involving TLSv1. The SSL trace shows:
[3/25/16 9:27:01:186 EDT] 000000bf SystemOut O WebContainer : 0, fatal error: 40: Client requested protocol TLSv1 not enabled or not supported javax.net.ssl.SSLHandshakeException:
Looking at the security.xml file for the node, we can see that it is set to use TLSv1.2 exclusively. Therefore, it is not able to accept the SSL handshake from the client, because it is trying to use TLSv1. To resolve this issue, it is necessary to either configure the client to use TLSv1.2, or configure the server to allow TLSv1.
[Admin: For convenience, here are the meanings of the acronyms: Secure Sockets Layer (SSL), Transport Layer Security (TLS).]
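The diagnosis above, moving from the client-side "peer not authenticated" symptom to the server-side protocol mismatch, can be expressed as a small log triage. This is an added example, not code from the post or from IBM. The sample input is the two log lines quoted above; the category names and next-step wording are this example's own, and it favours the client-side fix of the two the post offers.

```python
import re

# The two log lines quoted in the post above, reproduced as sample input.
SAMPLE_LINES = [
    '2016-02-20 12:42:16,855 ERROR [com.tririga.ci.login.LoginServiceImpl](pool-1-thread-6) '
    'Login failed: org.springframework.web.client.ResourceAccessException: I/O error on POST '
    'request for "https://FRONT_END_SERVER:443/pc/ci/dispatch":peer not authenticated; nested '
    'exception is javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated',
    '[3/25/16 9:27:01:186 EDT] 000000bf SystemOut O WebContainer : 0, fatal error: 40: Client '
    'requested protocol TLSv1 not enabled or not supported javax.net.ssl.SSLHandshakeException:',
]

PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # oldest first
REQUESTED = re.compile(r"Client requested protocol (\S+) not enabled or not supported")

NEXT_STEP = {
    "handshake_failed_client_side": "symptom only; collect the server-side SSL trace",
    # TLS 1.0/1.1 are deprecated (RFC 8996): enabling one on the server lowers the floor for all clients.
    "client_below_server_minimum": "move the client to a protocol the server enables",
    "protocol_not_enabled": "enable the requested protocol on the server or change the client",
    "unknown_protocol": "protocol name not recognised; inspect the trace by hand",
}

def classify(line, server_protocols):
    """Return (kind, requested_protocol) for a TLS failure line, or None."""
    match = REQUESTED.search(line)
    if match:
        requested = match.group(1)
        if requested not in PROTOCOL_ORDER:
            return ("unknown_protocol", requested)
        floor = min(PROTOCOL_ORDER.index(p) for p in server_protocols)
        if PROTOCOL_ORDER.index(requested) < floor:
            return ("client_below_server_minimum", requested)
        return ("protocol_not_enabled", requested)
    if "SSLPeerUnverifiedException" in line:
        return ("handshake_failed_client_side", None)
    return None

def triage(lines, server_protocols):
    """Classify each line; server_protocols is what the server is set to accept."""
    findings = []
    for number, line in enumerate(lines, 1):
        result = classify(line, server_protocols)
        if result:
            findings.append((number, *result, NEXT_STEP[result[0]]))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LINES, {"TLSv1.2"}), sep="\n")
```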
After upgrading to TRIRIGA 3.4.2, we get an error when changing tabs or running BIRT reports. Specifically, we found that after logging in, we cannot change tabs on any forms (Lease Abstract, as an example). Instead, we see a message indicating: “This document you requested has moved temporarily” and it shows a very long HTTP… URL. It changed from HTTPS to HTTP. The same error message is encountered when attempting to run BIRT Reports.
This issue did not occur in Internet Explorer 11, but was seen in Firefox and Chrome. Under Firefox and Chrome, the issue is not encountered when going to the TRIRIGA application directly. It was only seen in an environment using SSO, SSL, and a web server. The cause was an Oracle WebLogic configuration issue. It was found that TRIRIGA 3.4.2 uses MBean attributes. The issue is resolved by enabling this WebLogic setting:
MBean attribute: WebAppContainerMBean.WeblogicPluginEnabled
[Admin: This post is related to the 07.08.15 post about having issues with TRIRIGA tabs and BIRT reports after upgrade.]
In some cases, additional layers of network devices will alter the HTTP or HTTPS traffic generated on the application server sent to the client’s browser. Here are some tips to help troubleshoot behavior:
- Have the direct connection to the application server temporarily unrestricted, and allow logins directly to the application server port. For example, access http://appserver01:8001, http://appserver01:9080, http://appserver01:7001. If the issue cannot be observed at that level, then step one layer back (Web Server) and run the test there. If it works, then step one layer back, and test on the Load Balancer, or Security Filter layer.
- Once the layer that introduces the problem has been identified, engage with the support team for that layer, and explain the situation. A network trace, Fiddler log, or screenshot of the browser with the developer tools console open greatly increases the chances of tracking down a specific configuration change on the load balancer or security filter layer.
Common issues encountered:
- Blocking some files from being downloaded from TRIRIGA, or being sent through notifications. For example, XLS or PDF files with Russian or Cyrillic characters.
- Blocking some requests that seemingly have special characters, or combinations of characters. For example, a double slash ( // ) contained within the path or request string.
- Altering the protocol scheme from HTTPS to HTTP. Depending on the SSL termination point, browsers may request non-secure content when accessing secure HTTPS URLs.
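The layer-by-layer test above, applied to the last issue in the list: given request traces captured at each layer, find where HTTPS first turns into HTTP. This is an added example, not code from the post. The trace format, field names, hosts and paths are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed trace entries (hosts, paths and field names are illustrative).
# "page" is the URL of the page that issued the request.
SAMPLE_TRACE = [
    {"url": "https://tririga.example.com/app/form", "status": 302,
     "location": "http://tririga.example.com/app/form?tab=2"},
    {"url": "https://tririga.example.com/app/a", "status": 302, "location": "/app/b"},
    {"url": "https://tririga.example.com/app/c", "status": 302,
     "location": "//tririga.example.com/app/d"},
    {"url": "http://tririga.example.com/report/run", "status": 200,
     "page": "https://tririga.example.com/app/form"},
    {"url": "https://tririga.example.com/app/home", "status": 200},
]

def scheme(url):
    return urlsplit(url).scheme.lower()

def find_scheme_downgrades(trace):
    """Return (kind, from_url, to_url) for every HTTPS-to-HTTP transition."""
    findings = []
    for entry in trace:
        url, location, page = entry["url"], entry.get("location"), entry.get("page")
        if entry["status"] in REDIRECTS and location:
            # urljoin resolves relative and scheme-relative (//host/path) targets,
            # which inherit the request's scheme and are therefore not downgrades.
            target = urljoin(url, location)
            if scheme(url) == "https" and scheme(target) == "http":
                findings.append(("redirect_downgrade", url, target))
        if page and scheme(page) == "https" and scheme(url) == "http":
            findings.append(("insecure_request_from_https_page", page, url))
    return findings

def first_layer_with_downgrade(traces_by_layer):
    """traces_by_layer: ordered (layer_name, trace) pairs, application server first."""
    for layer, trace in traces_by_layer:
        if find_scheme_downgrades(trace):
            return layer
    return None

if __name__ == "__main__":
    for finding in find_scheme_downgrades(SAMPLE_TRACE):
        print(finding)
```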
Is there a means of configuring IBM TRIRIGA CAD Integrator so that the user passwords do not appear as clear text? By default, CAD Integrator (in fact, all web technologies) will send the user password in clear text. In environments where security is a very strong concern, this is typically not permitted.
Implementing Secure Sockets Layer (SSL) will cause traffic transmitted over the network (including passwords) to be encrypted, allowing for the desired level of security. It is common for clients to use Single Sign On (SSO) and SSL together, but it is possible to use just SSL if only password encryption is necessary.