Gotchas — Process Portal fails to load after PFS configuration

Issue scenario:

After configuring PFS for BAW by following the PFS installation and configuration roadmap documentation, Process Portal fails to load its artifacts and shows a “Could not connect to the server” error on the screen after login.

The PFS validation page (pfs-validate) shows every status as validated; however, the network log shows failed requests.

A review of the browser's network log shows that every request from Process Portal to PFS for the required artifacts is blocked with status blocked:csp.

Remediation:

IBM Business Automation Workflow provides configuration at the deployment environment level to harden security that mitigates web application threats, including cross-site request forgery (CSRF), network sniffing, clickjacking, and uploading malicious documents.

Set the value of the Content-Security-Policy HTTP response header field with the Security.ContentSecurityPolicyHeaderValue property. Business Automation Workflow returns this value to client requests. The value instructs the browser to load and run assets in the context of Business Automation Workflow user interfaces only from a set of allowed origins.

Use the wsadmin AdminTask setBPMProperty command to set the property to an appropriate value:

  1. Start the wsadmin scripting tool from the Dmgr profile.
  2. Run AdminTask as follows:

    AdminTask.setBPMProperty(['-de', 'BAWPROD', '-name', 'Security.ContentSecurityPolicyHeaderValue', '-value', "default-src 'self' 'unsafe-inline' 'unsafe-eval' pfs.server.com:443; frame-ancestors 'self'; img-src 'self' data:"])

    Here BAWPROD is the deployment environment and pfs.server.com is the host where PFS runs. This is the same URL that is configured in 100Custom.xml under the Portal node of <bpm-data-endpoint></bpm-data-endpoint> as part of the PFS configuration roadmap.
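A policy value can be checked against the PFS URL before it is set. The following is an added example, not IBM code or part of the original post: a simplified CSP source matcher that shows why the request is blocked without the PFS host and allowed with it. It assumes the blocked requests are XHR/fetch calls (governed by connect-src, falling back to default-src); the portal hostname, port 9443 and the PFS path are constructed sample values.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for tokens in (part.split() for part in value.split(";")):
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy

def source_matches(source, target, page):
    """Simplified CSP source match for http(s) URLs (no path matching, no ws/wss)."""
    t_port = target.port or DEFAULT_PORTS.get(target.scheme)
    if source == "*":
        return True
    if source.lower() == "'self'":
        p_port = page.port or DEFAULT_PORTS.get(page.scheme)
        return (target.scheme, target.hostname, t_port) == (page.scheme, page.hostname, p_port)
    if source.startswith("'"):
        return False  # 'unsafe-inline', 'unsafe-eval', nonces: not URL sources
    if source.endswith(":"):
        return source[:-1].lower() == target.scheme  # scheme-source such as https:
    scheme, _, rest = source.rpartition("://")
    host, _, port = rest.partition("/")[0].partition(":")
    allowed_schemes = (scheme.lower(),) if scheme else (page.scheme, "https")
    if target.scheme not in allowed_schemes:
        return False
    if port != "*" and int(port or DEFAULT_PORTS.get(target.scheme, 0)) != t_port:
        return False  # a source without a port only covers the scheme's default port
    host, t_host = host.lower(), target.hostname or ""
    if host.startswith("*."):
        return t_host.endswith(host[1:])  # wildcard covers subdomains only
    return host == t_host

def request_allowed(csp_value, url, page_url, directive="connect-src"):
    """True if the policy lets a page at page_url fetch url (default-src fallback)."""
    policy = parse_csp(csp_value)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither directive present: no restriction
    target, page = urlsplit(url), urlsplit(page_url)
    return any(source_matches(s, target, page) for s in sources)

# Constructed sample values; only pfs.server.com and WITH_PFS come from the post.
PORTAL = "https://baw.server.com:9443/ProcessPortal/"
PFS_URL = "https://pfs.server.com/example/path"
WITHOUT_PFS = "default-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'; img-src 'self' data:"
WITH_PFS = "default-src 'self' 'unsafe-inline' 'unsafe-eval' pfs.server.com:443; frame-ancestors 'self'; img-src 'self' data:"
```

Note that the source pfs.server.com:443 covers only port 443, and that img-src is set explicitly, so it does not inherit the PFS host from default-src.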
