In TSCO, getting 'Error Code 403' when clicking link to access TSPS but can log into TSPS directly successfully

Version 1

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    TrueSight Capacity Optimization


    APPLIES TO:

    TrueSight Capacity Optimization 11.3.01; TrueSight Presentation Server all versions



    PROBLEM:

    In TrueSight Capacity Optimization (TSCO) version 11.3.01, the Capacity Views Plugin has been successfully deployed, but clicking the "Access TrueSight console here" link on the TSCO home page displays an "Error Code: 403 Please contact Administrator or try again" screen.
    But, simply reloading that page or accessing the TrueSight Presentation Server (TSPS) directly works fine.

    On the TSPS side the following error is reported in the TSPS TrueSight.log:
    ERROR 12/19 20:15:36.046 [https-jsse-nio-8043-exec-10] c.b.t.s.c.CSRFHeaderRefererCheckFilter CSRF Filter - Header Referer is not matched. Blocking the call for TSPS UI console !!!        [java.lang.Thread:Thread.java:getStackTrace:1559]->[com.bmc.truesight.logging.LogManager:LogManager.java:getLocalizedLogMessage:59]->[com.bmc.truesight.logging.Log:Log.java:error:149]->[com.bmc.truesight.secure.csrf.CSRFHeaderRefererCheckFilter:CSRFHeaderRefererCheckFilter.java:doFilter:109]->[org.apache.catalina.core.ApplicationFilterChain:ApplicationFilterChain.java:internalDoFilter:193]->[org.apache.catalina.core.ApplicationFilterChain:ApplicationFilterChain.java:doFilter:166]->[com.bmc.tsps.common.services.server.HighAvailabilityFilter:HighAvailabilityFilter.java:doFilter:29]->[org.apache.catalina.core.ApplicationFilterChain:ApplicationFilterChain.java:internalDoFilter:193]->[org.apache.catalina.core.ApplicationFilterChain:ApplicationFilterChain.java:doFilter:166]->[org.apache.catalina.filters.HttpHeaderSecurityFilter:HttpHeaderSecurityFilter.java:doFilter:124]->[org.apache.catalina.core.ApplicationFilterChain:ApplicationFilterChain.java:internalDoFilter:193]->[org.apache.catalina.core.ApplicationFilterChain:ApplicationFilterChain.java:doFilter:166]->[com.bmc.rsso.agent.RSSOFilter:RSSOFilter.java:doFilter:65]->[org.apache.catalina.core.ApplicationFilterChain:ApplicationFilterChain.java:internalDoFilter:193]->[org.apache.catalina.core.ApplicationFilterChain:ApplicationFilterChain.java:doFilter:166]->[org.apache.catalina.core.StandardWrapperValve:StandardWrapperValve.java:invoke:198]->[org.apache.catalina.core.StandardContextValve:StandardContextValve.java:invoke:96]->[org.apache.catalina.authenticator.AuthenticatorBase:AuthenticatorBase.java:invoke:613]->[org.apache.catalina.core.StandardHostValve:StandardHostValve.java:invoke:140]->[org.apache.catalina.valves.ErrorReportValve:ErrorReportValve.java:invoke:81]->[org.apache.catalina.valves.AbstractAccessLogValve:AbstractAccessLogValve.java:invoke:650]->[org.apache.catalina.core.StandardEngineValve:StandardEngineValve.java:invoke:87]->[org.apache.catalina.connector.CoyoteAdapter:CoyoteAdapter.java:service:342]->[org.apache.coyote.http11.Http11Processor:Http11Processor.java:service:803]->[org.apache.coyote.AbstractProcessorLight:AbstractProcessorLight.java:process:66]->[org.apache.coyote.AbstractProtocol$ConnectionHandler:AbstractProtocol.java:process:790]->[org.apache.tomcat.util.net.NioEndpoint$SocketProcessor:NioEndpoint.java:doRun:1459]->[org.apache.tomcat.util.net.SocketProcessorBase:SocketProcessorBase.java:run:49]->[java.util.concurrent.ThreadPoolExecutor:ThreadPoolExecutor.java:runWorker:1149]->[java.util.concurrent.ThreadPoolExecutor$Worker:ThreadPoolExecutor.java:run:624]->[org.apache.tomcat.util.threads.TaskThread$WrappingRunnable:TaskThread.java:run:61]->[java.lang.Thread:Thread.java:run:748]


    SOLUTION:

    A workaround for this behavior is to add the TrueSight Capacity Optimization (TSCO) Web Application Server to the tspsProxyHosts property within the TrueSight Presentation Server (TSPS) configuration.
    The problem is related to the CSRF filter: the tspsProxyHosts property defines the list of trusted hosts used for CSRF filtering.


    From the TSPS documentation (https://docs.bmc.com/docs/display/TSPS113/TrueSight+console+is+not+displayed):

      Cross-Site Request Forgery (CSRF) validation - The TrueSight Presentation Server validates all incoming requests to prevent CSRF attacks. If you are connecting to the TrueSight Presentation Server with an alias or a proxy name.  
     
    Solution  
     
    Use the following commands to configure all hosts, aliases, or proxies for CSRF validation:  
      tssh properties set tspsProxyHosts alias1,alias2,proxy1,proxy2,loadbalancername
      tssh properties reload
      

    Workaround

    (1) Run this command to list the current tspsProxyHosts property value: 

    $ ./tssh properties list | grep tspsProxyHosts

    That will output something like this: 

    |  tspsProxyHosts                                            tsps.domain.com             

    Next, add the TSCO Application Server to that list: 

    So, for example, if the TSCO Application Server was 'as.domain.com' run the following command to add that to the existing tspsProxyHosts list: 

      tssh properties set tspsProxyHosts tsps.domain.com,as.domain.com

    Now the "./tssh properties list | grep tspsProxyHosts" command should output both hostnames in the list.
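
    The workaround steps above as a repeatable script. This is an added example, not BMC code: the function names are hypothetical, the sample line is constructed from the output shown above, and the rule of accepting only plain host names is an assumption about what belongs in the list. It prints the tssh commands instead of running them.

```shell
#!/bin/sh
# Added example (not BMC code): helpers around the workaround's tssh commands.

# Read `tssh properties list` output on stdin; print the tspsProxyHosts value.
current_proxy_hosts() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "tspsProxyHosts") {
               v = $(i + 1); if (v == "|") v = ""; print v; exit } }'
}

# Print the comma-separated list $1 with host $2 appended, unless it is already
# present (case-insensitive). Assumption: only plain host names are accepted,
# so a wildcard, URL or empty string never reaches the trusted-host list.
merge_proxy_host() {
    cur=$1
    new=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $new in
        ''|*[!a-z0-9.-]*|.*|*.|-*)
            echo "refusing host name: '$2'" >&2; return 1 ;;
    esac
    if printf '%s\n' "$cur" | tr ',A-Z' '\na-z' | grep -Fxq -- "$new"; then
        printf '%s\n' "$cur"            # already trusted, nothing to add
    else
        printf '%s\n' "${cur:+$cur,}$new"
    fi
}

# Count Referer-mismatch blocks in a TrueSight.log ($1), to confirm the 403 is
# this CSRF filter before widening the list, and to re-check afterwards.
count_referer_blocks() {
    grep -c 'CSRF Filter - Header Referer is not matched' "$1" || true
}

# Constructed sample, shaped like the `tssh properties list` line shown above.
sample='|  tspsProxyHosts                                            tsps.domain.com             '
cur_hosts=$(printf '%s\n' "$sample" | current_proxy_hosts)
new_hosts=$(merge_proxy_host "$cur_hosts" as.domain.com) &&
    printf 'tssh properties set tspsProxyHosts %s\ntssh properties reload\n' "$new_hosts"
```

    On a live system, feed `./tssh properties list` into current_proxy_hosts in place of the sample line.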

    Alternate Workaround

    An alternate workaround would be to disable CSRF filtering which is described here: 
     000147410: Truesight RSSO Login Problem on Presentation Server (https://bmcsites.force.com/casemgmt/sc_KnowledgeArticle?sfdcid=000147410)

    For TSPS tspsProxyHosts settings, please refer to the official TSPS documentation.

      

     


    Article Number:

    000162394


    Article Type:

    Solutions to a Product Problem


