Cognos Analytics 11.0.13

kit_name=IBM Cognos Analytics

Microsoft Windows 2012 server

What kind of license is Director Administrator counted as?

Guessed Solution:
Director Administrator is classified as an administrator license.

Inside Cognos Analytics you can get a list of the users that have access to the system.
Go to Manage – Licenses – Export to get a list of users.

The view shows only users who have logged in to Cognos.
If you change a user from Administrator to User, that person must log in to Cognos before the list above is updated with the correct license status.

The exported CSV file lists all people that have somehow connected to Cognos security.

Level 3 is an Analytic Administrator and level 1 is an Analytic User.
A level of -1 shows that the user has not logged in to Cognos but is listed in the security groups.

To be sure about the license, talk to an IBM partner or read the license documents:

More information:

To get a detailed report of user capabilities, you can install and use the Cognos 11 audit extensions.

Planning Analytics 2.0.9 TM1_version=TM1-AW64-ML-RTM-
Cognos Analytics 11.1.7 Product_version=11.1 R7 (LTS)

Microsoft Windows 2019 server with CA11 and PA
Red Hat Linux with PAW

How to add SSL certificates to the Cognos servers?

Use the official documentation first; this is only a suggestion.
These instructions may not cover all the steps you need to do.

The TM1 certificate needs to be added to the CA11 keystore once, to be able to run reports on TM1 data.

Go to <Cognos Analytics installation>\jre\bin and execute ikeyman.exe as administrator

Select Open a key database file, and navigate to the cacerts keystore located in <Cognos Analytics installation>\jre\lib\security. As type select JKS.

On prompt enter password changeit

In the drop down, switch from Personal Certificates to Signer Certificates

On the right select Add

Browse for the certificate file ibmtm1.arm located in <Planning Analytics Install>\bin64\ssl.
On prompt enter an alias for the certificate in the keystore, for example TM1Server.
Click OK
Exit ikeyman.

Suggested Solution:

Back up the configuration, ssl and security folders before you make any changes.

Go to Internet Information Service Manager.
Select the server and click on Server Certificates icon.
Click Create Certificate Request.
Fill in the Distinguished Name properties. It is important that COMMON NAME is the server name.
Select “Microsoft RSA SChannel Cryptographic Provider” and Bit Length: 2048
Save the result in a request.txt file.
Send this request to your Certificate Authority, or if you use Microsoft CA, go to the website and click Certificate Request link. Mostly named “Request a certificate”.
Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Copy the text from your request.txt file and paste it into the Saved Request field.
Select “Web Server” in the Certificate Template dropdown.
Enter the DNS servername in Additional attributes, like
Click Submit.
Requesting for certificate in Windows 2012 – Deep Security

In the Certificate Issued dialog you select Base 64 encoded.
Download the certificate  (certnew.cer) and the certificate chain.
In IIS manager go to “complete certificate request”
Select the cer file you got.
Enter the Friendly name to your servername:
Leave certificate store to be personal and click OK.

If this is a new server, you need to import the root and issuing certificates to the Trusted Root Certification Authorities tab inside Certificate Manager. To access Certificate Manager, click the Start button, type certmgr.msc in the search field, and click the Enter key. More info in link;

Go to IIS Manager, select “Default Web site” and click on Bindings.
Click Add.
Select Type HTTPS and select your server certificate.

Click OK.
Remove the HTTP binding and any old HTTPS certificates.
Click Close.

Inside Cognos Configuration change Gateway URI to point to
Inside TM1S.CFG file change ClientCAMURI to be the same (

Inside C:\ProgramData\Applix\TM1\tm1p.ini you may need to update; CognosGatewayURI =

You may need to export a pfx file with the key value from inside Certificate Manager on your windows server, right click on servername in Server Certificate and select export.

Stop the cognos service.
Inside Cognos Configuration, change to HTTPS on all points under environment tab.
Click on save in Cognos Configuration, this will create the new cert and place it in CA keystore.
Open a command prompt as administrator.
Go to folder d:\Program Files\ibm\cognos\analytics\bin and enter below command, to export the cert:

ThirdPartyCertificateTool.bat -E -T -p NoPassWordSet -r ca.cer

Go to certmgr.msc, go to Trusted Root Certification Authorities tab, right click to import the ca.cer certificate.

If you have not already done so, you need to export the root and intermediate certificates from your IIS Cognos website. Open a web browser, and on the certificate click view and then export for each cert.

IIS 10 Exporting/Importing SSL Certificates
Rename the certificate files so they do not have spaces in their names.
Copy the certificate files to your Cognos server folder d:\Program Files\ibm\cognos\analytics\bin
Open a command prompt as administrator and go to folder C:\Program Files\ibm\cognos\analytics\bin
Enter command to import (the order of import is crucial)
ThirdPartyCertificateTool.bat -i -T -r Root.cer -p NoPassWordSet
ThirdPartyCertificateTool.bat -i -T -r Issuing.cer -p NoPassWordSet
ThirdPartyCertificateTool.bat -i -T -r Servername.cer -p NoPassWordSet

Start Cognos BI.

Go to IIS Manager, select \ibmcognos\bi folder.
Click on URL Rewrite.
Click on Reverse Proxy rule.
Edit the rule to use HTTPS instead of HTTP.{R:0}
Click apply in top right corner.
Exit IIS manager.


Stop TM1 services.

Change TM1S.CFG to have;


Copy your ca.cer file to the Planning Analytics folder d:\Program Files\ibm\cognos\tm1_64\bin64\ssl;

Open a command prompt as administrator and go to folder C:\Program Files\ibm\cognos\tm1_64\bin64

Import to Tm1 admin server with command:

gsk8capicmd_64 -cert -add -db "d:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ibmtm1.kdb" -stashed -label caRoot -file "d:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ca.cer" -format ascii -trust enable

Open a command prompt as administrator and go to folder C:\Program Files\ibm\cognos\tm1_64\jre\bin

Import to Tm1 App Web (PMPSVC) server with command:
keytool.exe -import -trustcacerts -file "d:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ca.cer" -keystore "d:\Program Files\ibm\cognos\tm1_64\bin64\ssl\tm1store" -alias caRoot -storepass applix

Change the file D:\Program Files\ibm\cognos\tm1_64\webapps\pmpsvc\WEB-INF\configuration\fpmsvc_config.xml to have https at 3 places:

<external uri=""/>

<gateway uri=""/>

<dispatcher uri=""/>

Save the file.

Go to d:\program files\ibm\cognos\tm1_64\jre\bin and execute ikeyman.exe as administrator.
Open D:\Program Files\ibm\cognos\tm1_64\configuration\certs\CAMkeystore file as PKCS12 type.
Enter password NoPassWordSet.
Rename encryption to encryptionold.
Click Export/import button:
Mark Import Key.
Select your server pfx file and click OK.
Enter the password you got at the export of the pfx file.
Change label to encryption and click apply.

Switch to Signer Certificates.
Click Add.
Select your root.cer file from the file system and click OK.
Enter a name e.g. rootcert
Repeat for any intermediate certificates
Click Add.
Select your issuing.cer file from the file system and click OK.
Enter a name e.g. issuingcert

Click Add.
Select  D:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ibmtm1.arm file.
On prompt enter an alias for the certificate in the keystore, e.g. TM1Server.

Exit ikeyman program.
Use IKeyMan to Configure Custom SSL Certificates for TM1Web

Open Cognos Configuration for TM1 (planning analytics).
Add the StandaloneCertificateAuthority property under the Local Configuration > Advanced Properties section and set it to True.

Under Environment change Gateway URI to
and Content Manager URI to

Under TM1 Applications change TM1 Application Server gateway URI to
and change External server URI to
and change TM1 Application Server Dispatcher URI to

Under Security > Cryptography > Cognos set Use third party CA? to True.

Save and start TM1 services.

If this is a new installation, you need to update the d:\Program Files\ibm\cognos\analytics\webcontent\bi\planning.html and d:\Program Files\ibm\cognos\analytics\webcontent\bi\tm1\web\tm1web.html files with HTTPS.


Copy your previously created pfx file (that contains the whole chain of certificates) to folder d:\Program Files\ibm\cognos\tm1web\bin64\ssl.

Stop the IBM Planning Analytics Spreadsheet Service.
Open d:\Program Files\ibm\cognos\tm1web\wlp\usr\servers\tm1web\ in notepad++.
Update this row to set your https port
<httpEndpoint id="defaultHttpEndpoint" httpPort="-1" httpsPort="9511" host="*" removeServerHeader="true">
Add this row to point out the certificate pfx file to use
<keyStore id="defaultKeyStore" location="${wlp.user.dir}/../../bin64/ssl/cert.pfx" password="cognos" />
Change cognos to the password you have for your pfx file.
Save the file as server.xml
In a command prompt go to folder d:\Program Files\ibm\cognos\tm1web\jre\bin
Enter this command to import the standard TM1 server cert to the new keystore
keytool -importcert -keystore ..\..\bin64\ssl\cert.pfx -storepass cognos -storetype pkcs12 -noprompt -alias ibmtm1 -file ..\..\bin64\ssl\ibmtm1.arm

Copy your Root and Intermediate certificate files to your \tm1web\bin64\ssl\ directory

Import the Root and Intermediate certificates with this command:
keytool.exe -import -trustcacerts -file "..\..\bin64\ssl\root.cer" -keystore "..\..\bin64\ssl\tm1store" -alias ca -storepass applix
keytool.exe -import -trustcacerts -file "..\..\bin64\ssl\issuing.cer" -keystore "..\..\bin64\ssl\tm1store" -alias intca -storepass applix

CER or PEM files should both work.

Start your IBM Planning Analytics Spreadsheet Service.

You need to browse to your TM1 APP WEB application and click on the Administration icon. Mark the TM1 Application Web client row and click on edit.
Change the thinclient URL to be
Click OK and OK, to exit the settings.


Connect to your Linux server with the PuTTY program.
Stop your paw with command: sudo ./ stop
Go to your /data/ibm/paw63 folder.
Run below command to request a certificate:
sudo openssl req -newkey rsa:2048 -nodes -keyout privatekey.pem -out paw.csr
Answer the questions, and you have your file.
Copy the paw.csr file to your CA authority, or IIS website, and repeat previous process to get a certificate. Save the file as Base 64 encoded certificate chain.

Copy your certnew.p7b file to linux server folder /data/ibm/paw63.

Copy your private key to a new pem file:
sudo cp privatekey.pem pa_workspace.pem
Change access to files with command:
sudo chmod 777 pa_workspace.pem

Add the certificates to the pem file:
sudo openssl pkcs7 -print_certs -in certnew.p7b >> pa_workspace.pem
Erase the lines that are not needed, with server names etc., in the pem file:

sudo nano pa_workspace.pem


Copy the pa_workspace.pem file to the config folder:
cd /data/ibm/paw63/config
sudo mv pa-workspace.pem pa-old-workspace.pem
sudo cp /data/ibm/paw63/pa_workspace.pem pa-workspace.pem

Add lines to paw.env file:

sudo nano paw.env

Add these lines:

export EnableSSL=true


Also change HTTP to HTTPS in lines like export TM1ApplicationsLocation=""

Save the file.
Copy the ca.cer, issuing.cer and root.cer files to folder /data/ibm/paw63/config/certs.
Go to the scripts folder
cd /data/ibm/paw63/scripts
Run the process to import the certificate in the paw keystore:
sudo ./

Start paw with command:
sudo ./
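The step earlier in this procedure that appends the certificates to pa_workspace.pem and then erases the unneeded lines by hand in nano can be scripted and checked before PAW is started. This is an added example, not part of the original post; the function names and the sample data are constructed, and writing the file owner-only (umask 077) is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow the post;
# function names and the sample data are constructed for illustration.

# Keep only complete PEM blocks from stdin. Drops the "subject=" / "issuer="
# lines and blank lines that `openssl pkcs7 -print_certs` writes between
# certificates, and strips CRs from files that passed through Windows.
pem_blocks_only() {
  tr -d '\r' | awk '
    /^-----BEGIN [A-Z0-9 ]+-----$/ { inblock = 1 }
    inblock { print }
    /^-----END [A-Z0-9 ]+-----$/ { inblock = 0 }'
}

# Check the layout the post builds in pa_workspace.pem: exactly one private
# key as the first block, at least one certificate, nothing outside blocks.
# Prints "ok: ..." or a reason; the exit status is non-zero on any problem.
check_bundle() (
  file=$1
  [ -r "$file" ] || { echo "cannot read $file"; exit 1; }
  keyre='^-----BEGIN (RSA )?PRIVATE KEY-----$'
  keys=$(grep -c -E -e "$keyre" "$file" || true)
  certs=$(grep -c -e '^-----BEGIN CERTIFICATE-----$' "$file" || true)
  if ! pem_blocks_only < "$file" | cmp -s - "$file"; then
    echo "lines outside PEM blocks, or CR line endings"; exit 1
  fi
  [ "$keys" -eq 1 ] || { echo "expected 1 private key, found $keys"; exit 1; }
  [ "$certs" -ge 1 ] || { echo "no certificate found"; exit 1; }
  head -n 1 "$file" | grep -q -E -e "$keyre" ||
    { echo "private key is not the first block"; exit 1; }
  echo "ok: 1 key, $certs certificate(s)"
)

# Build the bundle as the post does (key first, then the chain), filtering
# instead of editing by hand. Arguments: key file, text saved from
# `openssl pkcs7 -print_certs -in certnew.p7b`, output file.
# umask 077 makes the result owner-only (assumption of this example).
build_bundle() (
  umask 077
  { pem_blocks_only < "$1"; pem_blocks_only < "$2"; } > "$3"
  check_bundle "$3"
)

# Constructed sample input: placeholder base64, not real key material.
write_sample() {
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQta2V5' \
    '-----END PRIVATE KEY-----' > "$1/privatekey.pem"
  printf '%s\n' 'subject=/CN=pawservername' \
    'issuer=/CN=Constructed Issuing CA' \
    '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtbGVhZg==' \
    '-----END CERTIFICATE-----' '' \
    'subject=/CN=Constructed Issuing CA' \
    'issuer=/CN=Constructed Root CA' \
    '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtaXNzdWVy' \
    '-----END CERTIFICATE-----' '' > "$1/certs.txt"
}

# Demo run on the constructed sample.
tmp=$(mktemp -d)
write_sample "$tmp"
build_bundle "$tmp/privatekey.pem" "$tmp/certs.txt" "$tmp/pa_workspace.pem"
rm -rf "$tmp"
```

The check only validates the structure of the file; it does not verify that the private key belongs to the first certificate.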

If this is a new installation, you need to update D:\Program Files\ibm\cognos\analytics\webcontent\bi\pmhub.html file with HTTPS values.

// Update the following to point to the location of the pmhub service(s)
var pmhubURLs = ["https://pawservername",""];


Open a cmd prompt as administrator.
Go to “C:\Program Files (x86)\ibm\cognos\fm\bin\” folder.
Copy the ca.cer file to the same folder.
Enter this command:
ThirdPartyCertificateTool.bat -i -T -r ca.cer -p NoPassWordSet

More information:

Securing Jupyter Notebook Server – IBM Documentation

TM1WEB, an error has occurred when using TLS

Planning Analytics Workspace 63
Red Hat Linux
Need more space for the PAW installation. Docker will create its files in a /var/ sub-folder.

Use df -h command to check space on your linux server.

Looks like something went wrong in step “installing/updating IBM planning analytics Docker images”… Check the log file /…..
in images.log : no space left on device


Create a folder where you have space: sudo mkdir /data/docker

Stop the docker service: sudo systemctl stop docker

Update the file /etc/docker/daemon.json with sudo nano /etc/docker/daemon.json so that the JSON object contains the graph key:

{ "graph": "/data/docker" }

Save with CTRL+O and exit with CTRL+X.

Start docker with sudo systemctl start docker

To restart the full Linux server enter: sudo reboot

Then run the installation of PAW ./ script again.

More information:

Storage requirements can vary, you need at least 100 GB for the /var/lib/docker directory and sufficient space for at least two Planning Analytics Workspace installation packages wherever you choose to install them.

How to install Docker:

If you have Red Hat Enterprise Linux Server release 7.9 (Maipo), you may need to do these steps to be able to install Docker before PAW.
(To check the Linux version, enter cat /etc/redhat-release)

(This is if you get the error message: No package docker available.)

subscription-manager repos --enable=rhel-7-server-rpms

subscription-manager repos --enable=rhel-7-server-extras-rpms

subscription-manager repos --enable=rhel-7-server-optional-rpms

yum -y install docker

systemctl start docker

systemctl enable docker

How To Install Docker on CentOS 7 / RHEL 7

sudo docker version gives:

Client:
Version: 1.13.1
API version: 1.26
Package version: docker-1.13.1-205.git7d71120.el7_9.x86_64
Go version: go1.10.3
Git commit: 7d71120/1.13.1
Built: Wed Mar 31 06:52:27 2021
OS/Arch: linux/amd64

Server:
Version: 1.13.1
API version: 1.26 (minimum version 1.12)
Package version: docker-1.13.1-205.git7d71120.el7_9.x86_64
Go version: go1.10.3
Git commit: 7d71120/1.13.1
Built: Wed Mar 31 06:52:27 2021
OS/Arch: linux/amd64
Experimental: false

This is a supported docker version to be used with PAW.

Planning Analytics Workspace 63
Red Hat Linux 7

After you login to PAW with Internet Explorer, you get a stuck screen.


Use Chrome instead of IE.

The IE browser that comes with Windows Server 2019 does not use the Chrome engine by default.

More information:

To troubleshoot docker containers on Linux you can use these commands:

To change to root user:
sudo -i
To find all error files in the log folder (go to log folder first):
find . -print | grep -i error
To list all containers:
sudo docker ps -a
To list only the ID number for containers:
sudo docker ps -q
To show the last lines of a log file:
tail error.log
To move into a running container:
docker exec -it pa-gateway /bin/bash
To check space:

df -h

To exit out from a container:

Planning Analytics
Planning Analytics Workspace 63
Microsoft Windows 2019 server

In PAW, when you create a new book, and insert a Websheet from a TM1 application, you only get a blank box after a long time. This is in a new installation, where you are using the new TM1WEB service (IBM Planning Analytics Spreadsheet Services).


In the IBM Planning Analytics Workspace Administration Tool, ensure that the TM1 Application Server Gateway URI points to the new TM1WEB server and its correct port.

Change and save. Then restart PAW from inside the status tab.

If you click validate you will still get the 404 error on this line. This is OK, as the validation tries to find pmhub parts that are not in PAL in these later versions.

This value is also in the paw.env file on your PAW Linux server. You can edit it directly in the file, too.

Change value export TM1ApplicationsLocation=""
The file is in your /ibm/paw/config folder.

Stop PAW with command (from your /paw/scripts/ folder):

sudo ./ stop

Check if PAW is stopped with command:

sudo docker ps

Start PAW with command:

sudo ./

Wait 10 minutes before you test browsing to your PAW installation in Chrome.


Cognos Analytics 11.1.7
Microsoft Windows 2019 Server

After changing to HTTPS in Cognos Configuration, you get an error when you save.

[Populate authentication settings] [ WARNING ] Failed to populate the authentication settings to server

When you change values in Cognos Configuration that have to do with certificates, you need to first stop the “IBM Cognos” Windows service.
Then you can save the configuration without warnings.


More Information:

To activate the Cognos internal certificate, change HTTP to HTTPS under Environment – Group Properties inside Cognos Configuration on your Content Manager server.
Check that the server FQDN is set at Cognos – Cryptography, in DNS names and Server common name.
Saving will create the certificate files.

Start CMD, and move to folder C:\Program Files\ibm\cognos\analytics\bin
Run this to export the Cognos certificate
ThirdPartyCertificateTool.bat -E -T -p NoPassWordSet -r ca.cer

Start MMC on the Windows server where Cognos Gateway is installed, open Certificates and go to “Trusted Root Certification Authority”. Right click to import certs.
Select the ca.cer file and import it.

Inside IIS manager, go to \ibmcognos\bi folder and click on URL Rewrite icon.
Click on Reverse proxy Rules to edit.
At action properties – Rewrite URL: change the http to https{R:0}
Click apply in the right corner.
Exit IIS manager.

On PA server open Command Prompt as an Administrator and navigate to the \bin64\ directory.

Execute the following command to import/trust the certificate for Tm1 admin:
gsk8capicmd_64 -cert -add -db "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ibmtm1.kdb" -stashed -label caRoot -file "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ca.cer" -format ascii -trust enable

Go to \bin64\jre\bin\ to import it to PMPSVC java keystore.
keytool.exe -import -trustcacerts -file "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ca.cer" -keystore "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\tm1store" -alias caRoot -storepass applix

You need also to add the ca.cer file to the correct keystore for TM1WEB.

Configure Planning Analytics 2.0 TM1 Server with SSL Cognos BI Dispatcher

How to Configure Planning Analytics to Connect to an SSL Secured Cognos Dispatcher

Configuring TM1 Server to trust the SSL certificate on CA Side

Microsoft Windows 2019 server

Problem to connect to Remote Desktop from old laptop.


Newer Microsoft Windows servers can be hardened to not use old security protocols; the server will then not allow connections from Windows 2012 or Windows 7 computers.

Try to connect from a Windows 10 computer with the latest service packs.



Planning Analytics 2.0.9
Cognos Analytics 11.1.7
Microsoft Windows 2019 server

After import of the full content store to a newly installed Cognos server, the icons for TM1 App Web (PMPSVC) are not working.

The old Cognos BI 10 solution may have used SKINS for the users.
Check the old server in folder d:\program files\ibm\cognos\c10_64\webcontent\skins for any unique folders that you do not have in your new cognos server. Copy that unique folder over to d:\program files\cognos\tm1_64\webapps\pmpsvc\skins folder.
Looks like the new TM1 needs the old custom skins files to work.

You can also click on icon for My Preferences and change Style to “modern” and click OK.

Below the default style skins that come with the product. If you have more folders in your Cognos BI installation, then they should be copied over to the new cognos server.

More information:
Inside Cognos Analytics – Administrator page – if you only see text and miss the icons and colors, it is possibly the same issue; you need to copy the company-unique skins folder to the new server.

What you’re seeing is related to content (images and css files) not being found.
The person who has selected a custom skin as their default will get this.

Suppose your custom skin is named MyCustomSkin, which doesn’t exist on the Cognos Analytics server.

On the Cognos Analytics server…
Copy <install_location>\webcontent\skins\corporate to <install_location>\webcontent\skins\MyCustomSkin.
Copy <install_location>\webcontent\bi\skins\corporate to <install_location>\webcontent\bi\skins\MyCustomSkin.

No restart is required. Once these are in place, the browser will find the styles and images and Cognos Analytics will be functional and more aesthetically pleasing.

Planning Analytics 2.0.97  (file tm1_winx64h_2.0.97.6_ml.tar)
Microsoft Windows 2019 server

Error when installing PA on Windows server.


Uninstall Planning Analytics.

Go to control panel – administrative tools – services.

Go to Printer Spooler service, right click and select properties and change it to Automatic.

Click to start the Printer Spooler.

Run the installation of Planning Analytics again.


Cognos Controller 10.4.2
Microsoft Windows 2012 R2 Server

In Cognos Controller the IBM license is for users and servers. The user part is divided in Administrators and Standard Users.  The limit is that the Standard Users should not have access to all the menu points on the Maintain menu. How do we set this up?

Create a security group called ST = standard user, and limit access to menu items as shown below.

Then use this menu group as a template when you create other menu security groups in Cognos Controller, if you want the data entry people to have access to fewer menus.

Log into Cognos Controller Client as an administrator (ADM) user.

Go to maintain – rights – security groups.

Create a new security group by clicking on the new icon.

Name it ST, Standard User and scroll down to select all menu points that should be set to Not Available.

Then, for each menu a standard user should not see, select it and click “Not Available”.

It is important that the Jobs menu above is set to red “Not Available”.

When all needed fields are set to “Not Available”, click the save icon.

Now click on save as icon to create a new security group with this as base;

Give it a good name, and then select the menu points your data entry users should not see, and also mark them as Not Available.

Here you need to decide what menu point your different users groups need. Save the new group.

Then you go to Maintain – Rights – Users.
On each user go to limitations and select your new security group.

Click on Save icon.
Now you may need to run an optimization of the database for the changes to take effect.

Go to maintain – rights – reports and click on Generate (to get a License Management Report as PDF)

Save the pdf to a folder you can find.
Open the UserReport.pdf file in your Adobe reader or web browser.

Now you should have more standard active users in the report.

The information is also stored in a SLMT tag file for each database, in a unique folder for each database, on the Cognos Controller main server.

C:\Program Files\ibm\cognos\ccr_64\SLMTagData\UK, is the folder for the UK database.

Where you can see historical values from your Controller installation.

In folder C:\Program Files\ibm\cognos\ccr_64\swidtag you find the file that the ILMT tool should check to find what version of Cognos Controller you have installed.

