In TrueSight Capacity Optimization, getting 'Error Code 403' when clicking link to access TrueSight Presentation Server (TSPS) but can log into TSPS directly successfully

Version 1
    Share This:

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    TrueSight Capacity Optimization


    TrueSight Capacity Optimization 11.5.01, 11.3.01 TrueSight Presentation Server all versions


    In TrueSight Capacity Optimization (TSCO version 11.3.01 the Capacity Views Plugin has been successfully deployed but when clicking the Access TrueSight console here link from TSCO home page it displays a Error Code: 403" Please contact Administrator or try again screen.  
    But, simply reloading that page or accessing the TrueSight Presentation Server (TSPS) directly works fine.

    On the TSPS side the following error is reported in the TSPS TrueSight.log:
    ERROR 12/19 20:15:36.046 [https-jsse-nio-8043-exec-10] c.b.t.s.c.CSRFHeaderRefererCheckFilter CSRF Filter - Header Referer is not matched. Blocking the call for TSPS UI console !!!        []->[]->[]->[]->[]->[]->[]->[]->[]->[]->[]->[]->[]->[]->[]->[]->[]->[]->[]->[]->[]->[]->[]->[]->[]->[org.apache.coyote.AbstractProtocol$]->[$]->[]->[]->[java.util.concurrent.ThreadPoolExecutor$]->[org.apache.tomcat.util.threads.TaskThread$]->[]


    A workaround for this behavior is to add the TrueSight Capacity Optimization (TSCO) Web Application Server to the tspsProxyHosts property within the TrueSight Presentation Server (TSPS) configuration.
    The problem is related to CSRF Filter functionality: the tspsProxyHosts property defines servers as a trusted hosts whitelist for the CSRF filtering.

    From the TSPS documentation (

      Cross-Site Request Forgery (CSRF) validation - The TrueSight Presentation Server validates all incoming requests to prevent CSRF attacks. If you are connecting to the TrueSight Presentation Server with an alias or a proxy name.


    Use the following commands to configure all hosts, aliases, or proxies for CSRF validation:
    •   tssh properties set tspsProxyHosts alias1,alias2,proxy1,proxy2,loadbalancername
    •   tssh properties reload


       (1) Run this command to list the current tspsProxyHosts property value:

    $ ./tssh properties list | grep tspsProxyHosts

    That will output something like this:

    |  tspsProxyHosts                                               

    Next, add the TSCO Application Server to that list:

    So, for example, if the TSCO Application Server was '' run the following command to add that to the existing tspsProxyHosts list:

      tssh properties set tspsProxyHosts,as.domain.dom

    Now when the"./tssh properties list | grep tspsProxyHosts" command should output both hostnames in the list.

    Alternate Workaround

       An alternate workaround would be to disable CSRF filtering which is described here:
     000147410: Truesight RSSO Login Problem on Presentation Server (

    For TSPS tspsProxyHost settings, please refer to official TSPS documentation.



    Article Number:


    Article Type:

    Solutions to a Product Problem

      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles