CABI login page comes up when trying to run a report from the OC

Article ID: 223625


Updated On:

Products

  • DX Unified Infrastructure Management (Nimsoft / UIM)
  • Unified Infrastructure Management for Mainframe
  • CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

All of a sudden for everyone in the company, if we open the Operator Console (OC) and go to Reports, and choose one of the reports and run it, the CABI login page loads rather than the report.

This was working fine, then all of a sudden the login page is coming up now. Also, we ARE running the UIM 20.3.3 JUNE release. This was working as of Tuesday for everyone. Now this morning, all of a sudden anyone who tries to run a report gets the CABI login page now.

Environment

  • Release: 20.3
  • Component: UIM - CABI
  • UIM 20.3.3 June release

Cause

-  Most likely due to recent security changes in the Chrome browser (since it was working as expected previously).

Resolution

Use Firefox browser (if possible).

In the customer's Test environment, this issue was occurring when using Chrome, so I asked the customer to try Firefox, and it did not occur. Fortunately, Firefox was already installed on the customer's server (their official machine image), and it was the latest version, Firefox v92.0.

In the customer's Test environment, the 'LAX' settings were configured as per the documentation but the LAX (relaxed) settings were meant only for the Chrome browser.

See LAX settings here:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/20-3/installing/ca-business-intelligence-with-ca-uim/installing-and-upgrading-ca-business-intelligence-jasperreports-server-with-ca-uim/install-or-upgrade-for-a-bundled-ca-business-intelligence-jasperreports-server.html 

When using Firefox in the Test environment, if the LAX settings were configured, the prompt to log in still occurred. In Test, we had to set the LAX settings to 'None' to get it to stop prompting for CABI login when accessing Reports in OC.

In the customer's PROD environment, the settings were already set to 'None', not 'LAX'. They were always set this way in PROD.

Using the Chrome browser, logging in to CABI as superuser/superuser the first time the prompt appears when accessing Reports could avoid the issue. Unfortunately, all 500 users would have to be notified via email with instructions to log in as superuser/superuser at least once. This is a NEW development and was not required before in the environment.

The customer also tried logging in as a normal user, but that didn't serve as a workaround: we tested it and it wouldn't allow them to log in, throwing an 'Invalid credentials supplied' error on the CABI login page.

In Prod, when using Firefox and accessing the reports via OC, it worked without being prompted to login to CABI. Note that in PROD the LAX settings were still set to 'None' not LAX. So, when using Firefox in PROD the issue did not occur.

This recent issue appears to be a result of Google/Chrome's efforts to "Secure the internet."

The belief/philosophy driving this behavior in the Chrome browser (which generally filters its way down to IE/Chromium as well) is that all internet sites should be HTTPS only, with signed certificates.

Google Chrome may continue adding this type of functionality, the ultimate goal of which is to discourage the use of HTTP and 'self-signed' certificates Internet-wide.

The permanent fix for this issue is to configure wasp cabi with HTTPS and a signed certificate.

1. Open Infrastructure Manager.
2. Navigate to the cabi robot.
3. Press the Ctrl key as you right-click the wasp probe, and then select Raw Configure.
4. With the setup section highlighted, locate the https_port key, and click Edit Key to specify a port, e.g., 443. If necessary, click New Key and enter https_port.
    The maximum port value that you can set is 65535.
5. Restart the wasp probe.

Configure the Operator Console and CABI (JasperServer) with HTTPS:

Configure CABI Server to Use HTTPS

Additional Information

The following steps, taken from the end of the CABI probe troubleshooting section, can be used if the OC and CABI URLs are accessed within the same domain/sub-domain.

(Optional settings) Only if the Operator Console URL and the CABI URL can be accessed with the same domain and sub-domain, you may decide to apply the settings below:

  • For example, Operator Console URL: http://OpCon.subdomain.com/operatorconsole_portlet/overview and CABI URL: http://cabirobot.subdomain.com/cabijs have the same sub-domain and domain, subdomain.com.

    Another example: if CABI and Operator Console are installed on the same system, Operator Console URL: http://OpCon.subdomain.com/operatorconsole_portlet/overview and CABI URL: http://OpCon.subdomain.com/cabijs have the same sub-domain and domain, subdomain.com.

  • You may change sameSiteCookies settings from "None" (default) to "Lax" and other changes as given below.

  • On the CABI robot:

    • Deactivate the cabi probe.
    • Set the CABI configuration parameter cabi_url to http://<URLwithMatchingSubdomainAndDomain>:<port>/cabijs.
    • Deactivate the wasp probe.
    • Modify nimsoft/probes/service/wasp/webapps/cabijs/META-INF/context.xml with
      <CookieProcessor class="org.apache.tomcat.util.http.Rfc6265CookieProcessor" sameSiteCookies="Lax" />.
    • Activate the cabi probe.
    • Activate the wasp probe.

  • On the Operator Console robot:

    • Deactivate the wasp probe.
    • Modify nimsoft/probes/service/wasp/webapps/cabi/META-INF/context.xml with
      <CookieProcessor class="org.apache.tomcat.util.http.Rfc6265CookieProcessor" sameSiteCookies="Lax" />.
    • Activate the wasp probe.
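
A small audit of the settings discussed above, as an added example (not Broadcom's code): it reads sameSiteCookies from a context.xml and flags the two combinations that lead to the CABI login prompt in Chrome. It assumes OC loads the CABI report as embedded cross-site content and approximates "same domain" by the last two host labels; the function names and sample hosts are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample mirroring the CookieProcessor line shown in this article.
SAMPLE_CONTEXT = """<Context>
  <CookieProcessor class="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
                   sameSiteCookies="Lax" />
</Context>"""


def same_site_setting(context_xml):
    """Return the sameSiteCookies value from a Tomcat context.xml, or None if unset."""
    node = ET.fromstring(context_xml).find("CookieProcessor")
    return None if node is None else node.get("sameSiteCookies")


def site(url):
    """Naive 'domain': last two host labels (assumption; browsers use the Public Suffix List)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def review(context_xml, oc_url, cabi_url):
    """Return findings for one OC/CABI pairing; an empty list means no issue detected."""
    # An unset attribute means no SameSite is emitted, which Chrome treats as Lax.
    setting = (same_site_setting(context_xml) or "unset").lower()
    cross_site = site(oc_url) != site(cabi_url)
    https = urlsplit(cabi_url).scheme == "https"
    findings = []
    if setting == "none" and not https:
        # Chrome only accepts SameSite=None on cookies that are also Secure (HTTPS).
        findings.append("SameSite=None over HTTP: Chrome requires Secure, cookie rejected")
    if setting in ("lax", "strict", "unset") and cross_site:
        findings.append("SameSite=%s: cookie withheld, OC and CABI are on different sites"
                        % setting)
    return findings


if __name__ == "__main__":
    oc = "http://OpCon.subdomain.com/operatorconsole_portlet/overview"
    cabi = "http://cabirobot.subdomain.com/cabijs"
    print(review(SAMPLE_CONTEXT, oc, cabi))                          # Lax, same site
    print(review(SAMPLE_CONTEXT.replace('"Lax"', '"None"'), oc, cabi))  # None over HTTP
```
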


For more detailed information on Chrome browser updates, please refer to the following URLs:

Chrome Enterprise release notes (as of August 31, 2021)

A safer default for navigation: HTTPS