Logging and Monitoring

IBM® Cognos® Application Firewall (CAF) can monitor and log all access to IBM Cognos gateways and dispatchers. Use logging to track possible attacks or misuse of your IBM Cognos applications.

You can configure CAF to log to a specific file or to use IBM Cognos log application (IPF) logging. When logging is enabled, every request that fails CAF validation is logged.

For more information, see the Installation and Configuration Guide.

You can use the Web server request log to obtain detailed information about the IP address of the source client in a suspected attack.
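The following script is an added example, not part of the IBM documentation or the Cognos product, showing how the two log sources above can be correlated. It assumes a hypothetical CAF file-log line format (real CAF entries differ) and an NCSA combined-format Web server request log; both sample logs are constructed, and the gateway path is only an illustration. Each CAF rejection is matched to the Web server request with the same method and target within a short time window, which yields the source client IP that the CAF log alone does not record.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data. The CAF entry format is a hypothetical stand-in;
# the access log uses the common Apache/NCSA combined format.
CAF_LOG = """\
2024-03-12 10:15:07 CAF request rejected: GET /ibmcognos/cgi-bin/cognos.cgi?b_action=xts.run&m=REJECTED_VALUE_1
2024-03-12 10:15:09 CAF request rejected: GET /ibmcognos/cgi-bin/cognos.cgi?b_action=xts.run&m=REJECTED_VALUE_2
2024-03-12 10:20:30 CAF request rejected: POST /ibmcognos/cgi-bin/cognos.cgi
"""

ACCESS_LOG = """\
10.0.0.5 - alice [12/Mar/2024:10:15:01 +0000] "GET /ibmcognos/cgi-bin/cognos.cgi?b_action=xts.run&m=portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:10:15:07 +0000] "GET /ibmcognos/cgi-bin/cognos.cgi?b_action=xts.run&m=REJECTED_VALUE_1 HTTP/1.1" 200 840 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2024:10:15:08 +0000] "GET /ibmcognos/cgi-bin/cognos.cgi?b_action=xts.run&m=REJECTED_VALUE_2 HTTP/1.1" 200 840 "-" "curl/8.0"
10.0.0.9 - bob [12/Mar/2024:10:20:31 +0000] "POST /ibmcognos/cgi-bin/cognos.cgi HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

CAF_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) CAF request rejected: (\S+) (\S+)$"
)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_caf(text):
    """Yield (timestamp, method, target) for each rejected request (hypothetical format)."""
    for line in text.splitlines():
        m = CAF_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3)


def parse_access(text):
    """Yield (timestamp, method, target, client_ip) for each combined-format line."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m.group("method"), m.group("target"), m.group("ip")


def source_ips_for_rejections(caf_text, access_text, window_seconds=2):
    """Map each CAF rejection to the client IP of the matching Web server request.

    Matching uses method + request target and a timestamp within the window, so
    the clocks of the gateway host and the dispatcher host are assumed to be
    synchronized. Returns a Counter of client IP -> number of rejected requests.
    """
    window = timedelta(seconds=window_seconds)
    requests = list(parse_access(access_text))
    hits = Counter()
    for ts, method, target in parse_caf(caf_text):
        for ats, amethod, atarget, ip in requests:
            if amethod == method and atarget == target and abs(ats - ts) <= window:
                hits[ip] += 1
                break  # first matching request wins
    return hits


if __name__ == "__main__":
    for ip, n in source_ips_for_rejections(CAF_LOG, ACCESS_LOG).most_common():
        print(f"{ip}: {n} rejected request(s)")
```

A client that accumulates many rejections in a short period is the natural starting point for an investigation; the counts can be fed to whatever alerting the Web server or SIEM already provides.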

Cross-Site Scripting (XSS) Encoding

Many customers use other applications, such as eTrust SiteMinder, to check for cross-site scripting vulnerabilities. These products block HTTP GET requests that contain specific characters.

CAF encodes the characters in Cascading Style Sheets (CSS) that are sent in URLs so that these other cross-site scripting tools do not block legitimate IBM Cognos requests because of those characters.

The CAF XSS encoding feature applies only to customers who use the IBM Cognos Connection portal.

CAF XSS encoding is disabled by default. To enable this feature, use IBM Cognos Configuration.

For more information, see the Installation and Configuration Guide.

Filtering of Error Messages

Some error messages may contain sensitive information, such as server names. By default, error message details in IBM Cognos software are routed to IPF log files, and the secure error message option is enabled. The information presented to users indicates only the occurrence of an error, without any details.

You can specify who can retrieve full error details that may include sensitive information by changing the Detailed Errors capability in IBM Cognos administration. Typically, this capability is assigned to directory administrators, but you can assign it to other users as well. For more information, see Secured Functions and Features.

For information about retrieving full error details, see View Full Details for Secure Error Messages.
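As an added example (not code from IBM or the Cognos product), the handler below models the behaviour described in this section: full error details are written to a log store that stands in for the IPF log file, ordinary users receive only an error notice with a reference number, and only callers holding a "Detailed Errors" capability can see or later retrieve the full details. The class name, the capability string as used here and the in-memory log are assumptions for illustration.

```python
import secrets
import traceback
from dataclasses import dataclass, field

DETAILED_ERRORS = "Detailed Errors"  # capability name as used in this example


@dataclass
class SecureErrorHandler:
    """Hypothetical secure-error-message handler.

    With secure_error_messages enabled, details such as server names never
    reach a user who lacks the Detailed Errors capability; they go to the log.
    """
    secure_error_messages: bool = True
    log_records: list = field(default_factory=list)  # stand-in for the IPF log file

    def handle(self, exc, capabilities):
        """Log the full exception and build the response the user will see."""
        ref = secrets.token_hex(4)  # lets an administrator find the log entry later
        detail = "".join(
            traceback.format_exception(type(exc), exc, exc.__traceback__)
        ).strip()
        self.log_records.append({"ref": ref, "detail": detail})

        # What the user sees: only that an error occurred, plus a reference.
        response = {"message": "An error occurred.", "reference": ref}
        if not self.secure_error_messages or DETAILED_ERRORS in capabilities:
            response["detail"] = str(exc)
        return response

    def full_details(self, ref, capabilities):
        """Retrieve full details by reference; None unless the caller is permitted."""
        if DETAILED_ERRORS not in capabilities:
            return None
        for record in self.log_records:
            if record["ref"] == ref:
                return record["detail"]
        return None


if __name__ == "__main__":
    handler = SecureErrorHandler()
    err = ConnectionError("db-prod-01.internal refused connection")  # constructed
    print(handler.handle(err, capabilities=set()))
    print(handler.handle(err, capabilities={DETAILED_ERRORS}))
```

The reference number is the important design point: it gives administrators a way to find the logged detail without ever putting the sensitive part of the message in front of an unprivileged user.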

Parameter Signing

Parameter signing protects parameter values against tampering while they are held by a Web browser and sent back to the server. CAF can sign whole parameters or specific parts of the data. Signing is used only in specific situations, and it is enabled whenever CAF is enabled.
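The following added example (not IBM's implementation, whose signing scheme this page does not describe) shows the general mechanism that parameter signing relies on: the server attaches a keyed MAC over the parameters before sending them to the browser and re-checks it on every return, so any change made on the client side is detected. The key, the `sig` parameter name and the canonical encoding are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Server-side key, generated per process here; a real deployment would keep
# a persistent secret that is never sent to the browser. Hypothetical name.
SECRET_KEY = secrets.token_bytes(32)
SIG_PARAM = "sig"  # assumed name of the signature parameter


def _canonical(params):
    """Deterministic, unambiguous encoding of the parameters being signed.

    urlencode percent-encodes '&' and '=' inside values, so two different
    parameter sets can never produce the same canonical string.
    """
    return urlencode(sorted((k, v) for k, v in params.items() if k != SIG_PARAM))


def sign_params(params, key=SECRET_KEY):
    """Return a copy of params with an HMAC-SHA256 signature added."""
    mac = hmac.new(key, _canonical(params).encode(), hashlib.sha256).digest()
    signed = dict(params)
    signed[SIG_PARAM] = base64.urlsafe_b64encode(mac).decode().rstrip("=")
    return signed


def verify_params(signed, key=SECRET_KEY):
    """True only if the signature matches the parameters as received."""
    sig = signed.get(SIG_PARAM)
    if not sig:
        return False
    mac = hmac.new(key, _canonical(signed).encode(), hashlib.sha256).digest()
    expected = base64.urlsafe_b64encode(mac).decode().rstrip("=")
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    # Constructed parameters a report URL might carry.
    sent = sign_params({"report": "sales_summary", "max_rows": "100"})
    print("unchanged valid:", verify_params(sent))
    tampered = dict(sent, max_rows="100000")
    print("tampered valid: ", verify_params(tampered))
```

The verify step must run on every parameter set a browser returns, and the signature must be discarded from the parameters before they are used; a signature that is only checked on some code paths protects nothing.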