by ·Comments Off on The server principal ‘fastnet’ already exists

Product:
Cognos Controller 10.4.2
Microsoft Windows server 2012 R2
Microsoft SQL Server 2016

Problem:
After restore of one old Cognos Controller database backup, you get this error when you try to create a SQL account for the database.

Error:
The server principal ‘fastnet’ already exists

Solution:
Go into Microsoft SQL Server Management Studio as Administrator
Mark your newly restored controller database
Expand the Tables and check the schema name (mostly it is fastnet)
Click on “New Query”
Past in this code (edit the name and update the ‘ to be correct symbol)
EXEC sp_change_users_login ‘Auto_Fix’, ‘fastnet’
Click on Execute.

The row for user ‘fastnet’ will be fixed by updating its login link to a login already in existence.
The number of orphaned users fixed by updating users was 1.
The number of orphaned users fixed by adding new logins and then updating users was 0.

This should create and update the SQL server with the account used for the controller database.

More information:
https://sqlserverbuilds.blogspot.com/
https://www.crestwood.com/2017/05/24/error-creating-new-sql-user-server-principal-already-exists/

by ·Comments Off on chmod: cannot access ‘/srv/proxy.key’: No such file or directory

Product:
Cognos Analytics 11.1.5 Jupyter notebook
Linux Red Hat Server 7.7

Problem:
During setup of SSL(TLS) support on the jupyter notebook, we can not run the build script.

Error message:
chmod: cannot access ‘/srv/proxy.key’: No such file or directory

Solution:
On the linux jupyter server. Connect to it with PUTTY or WinSCP.
Open the Dockerfile_hub file (it is in the folder where you unpacked the jupyter files e.g. /ibm/jupyter/dist/scripts)
check that after first “USER root” command there is this command line;
 COPY build-tmp/hub  /srv
if it is not, add it and remark out the same command line later in the file.

Save the file.
Then go to the /ibm/jupyter/dist/scripts/unix folder
Run ./build.sh

if there is no errors
Run ./startup.sh

Then continue with the setup of SSL for jupyter notebook.

More Information on how setup HTTPS for jupyter notebook:
https://www.ibm.com/support/pages/node/6116296
https://www.ibm.com/support/knowledgecenter/SSEP7J_11.1.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/c_inst_jupyter.html

https://www.ibm.com/support/pages/jupyter-notebooks-1115-does-not-work-when-proxykey-has-insufficient-permissions

by ·Comments Off on A SAX error with the message ‘Invalid document structure’ occurred while processing the request

Product:
Cognos Analytics 11.1.5 framework manager
Product_version=11.1 R5
Microsoft Windows 2016 server

Problem:
When saving FM cognos configuration changes, you get a error.

Error message:
BMT-MD-0003 CST-AOM-0016 A SAX error with the message ‘Invalid document structure’ occurred while processing the request.

Solution:
Check the values Dispatcher URI for External Applications in Framework Manager configuration (<fm_home>/bin/cogconfigw.exe)
Under Environment locate setting Dispatcher URI for External Applications
check it to be in format: http://dispatcher.server.sample:9300/p2pd/servlet/dispatch

The value for http://dispatcher.server.sample:9300//p2pd/servlet/dispatch have a extra slash, change to http://dispatcher.server.sample:9300/p2pd/servlet/dispatch
and the save should work.

by ·Comments Off on Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired.

Product:
Cognos Analytics 11.1.5 framework manager
Product_version=11.1 R5
Microsoft Windows 2016 server
Problem:
When inside Framework Manager you select language, to create a new FM project, you get a error.
This after a install of FM to a new server, and try to connect to a BI server that was upgraded from CA 11.0.12 to CA 11.1.5 by an in-place upgrade.

Error message:
BMT-MD-0003 CCL-BIT-0005 A socket reported a communication error.
CAM_Connect=0xfffffff4 -12CAM-CRP-0026 The underlying socket: ‘xx.xx.xx.xx:9300’ returned an error.10056Could not connect the socket, errno: 0x2748(10056)

error in file cognosserver.log
[ ERROR ] CAM-CRP-1193 An error occurred while attempting to contact the active Content Manager to update the local CA information. Check your configuration to ensure that the configured URIs are valid and that there are services running at those locations. Reason: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
or in C:\Program Files\ibm\cognos\analytics\logs\p2pd_messages.log
[5/7/20 12:44:52:435 CEST] 0000029d com.ibm.ws.channel.ssl.internal.SSLHandshakeErrorTracker E CWWKO0801E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLHandshakeException: no cipher suites in common

Solution:
Go into the Cognos Configuration on the CA11 server and in the Framework Manager Configuration on the client computer.
Compare the listed of supported ciphersuites.

If the FM configuration is missing the setup on the CA11 server, add the missing chiper sets.
Save and try again.
In most cases you must have the same list on both FM configuration and the CA11 server cognos configuration.
Change the FM configuration to be exact as the CA11 server.
Save and try again.

Above the default setting for FM 11.1.5 version.

Above the default setting for CA 11.0.13 FP1.

More information:

https://www.ibm.com/support/pages/support-256-bit-cipher-suites-cognos-configuration

by ·Comments Off on BMT-IMP-0002 Failed to execute metadata request. DPR-ERR-2079 Firewall Security Rejection.

Product:
Cognos Analytics 11.1.5 framework manager
Product_version=11.1 R5
Microsoft Windows 2016 server

Problem:
When using the Framework Manager you get a error, when you try to use a oracle database connection. A planning analytics data source is working fine.
When testing the oracle data source in cognos connection it is working fine for both CQM and DQM.

Error message:
BMT-IMP-0002 Failed to execute metadata request. DPR-ERR-2079 Firewall Security Rejection. Your request was rejected by the security firewall.

Solution:

Update Framework Manager configuration
Under Environment locate setting Dispatcher URI for External Applications
and update it to be in format:
http://dispatcher.server.sample:9300/p2pd/servlet/dispatch
change it from the old value of
http://dispatcher.server.sample:9300/bi/v1/disp

More information:
https://www.ibm.com/support/pages/framework-manager-bmt-imp-0002-failed-execute-metadata-request-dpr-err-2079-firewall-security-rejection-your-request-was-rejected-security-firewall

https://www.ibm.com/support/knowledgecenter/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/c_reviewthedefaultsettings.html

Default port settings for Cognos Analytics components

The following table lists the default ports and URI settings for IBM Cognos Analytics.

Table 1. Default port settings for Cognos Analytics components
Setting Default Value Description
Content Manager URI http://localhost:9300/p2pd/servlet The URI to Content Manager.
Gateway URI http://computer_name:port/bi/v1/disp The URI to the gateway.
Dispatcher URI

(Internal, External)

 http://localhost:9300/p2pd/servlet/dispatch The URI to the dispatcher.
Dispatcher URI for external applications http://localhost:9300/bi/v1/disp The URI to the dispatcher.

by ·Comments Off on Exclude folders from anti-virus program

Product:
Planning Analytics Workspace
Microsoft Windows 2016 server

Problem:
PAW take long time to start when anti-virus software is running.
https://success.docker.com/article/endpoint-security-for-windows-containers

Suggested solution:
Depending on your anti virus program, the settings are different.

Please try this:
exclude this folders and sub-folders from scanning
c:\programdata\docker
c:\Program Files\ibm\cognos\tm1_64
c:\Program Files\ibm\cognos\analytics\temp\
c:\ProgramData\Microsoft\Windows\HNS
d:\ibm\paw
d:\docker
d:\tm1applications folder ( can be d:\tm1server\app1\data )

Folders name depend on the installation made of docker and PAW on your server.

For McAfee you can setup the exclude like this:
On-Access Default Processes Policies
**\Docker\*
**\ProgramData\Microsoft\Windows\HNS\*
**\Install\ipa_workspace_local_win*\*

Exclude also all “active scanning” and instead run a scan on the disk once a week, when you have stopped the PAW and Docker. Turn off Windows Defender Real-Time Protection.

Exclude scan of the processes used by docker and cognos, like java.exe.

 

Upgrade your anti virus software to latest version and see if that helps.

More information:
https://docs.docker.com/engine/security/antivirus/
https://ashleypoole.co.uk/2017/common-issue-pulling-windows-docker-images/
https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/anti-virus-optimization-for-windows-containers
Redundant scanning problem

There will likely be many containers depending on the same package layers. The same data stream of a given package file will provide the data for placeholders on multiple container system volumes. As a result, there is potential for redundant AV scans of the same data in every container. This has an unnecessary negative impact on the performance of containers. This is a signification cost given that containers are expected to start quickly and may be short-lived.

https://www.windowscentral.com/how-exclude-files-and-folders-windows-defender-antivirus-scans
https://github.com/moby/moby/issues/38582

https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/anti-virus-optimization-for-windows-containers

https://success.docker.com/article/endpoint-security-for-windows-containers

https://support.symantec.com/us/en/article.tech183201.html

https://support.symantec.com/us/en/article.tech246815.html

https://kc.mcafee.com/corporate/index?page=content&id=KB90041

https://www.ibm.com/support/pages/which-cognos-files-need-be-excluded-virus-scan

by ·Comments Off on Limits exceeded

Product:
Planning Analytics 2.0.8
Microsoft Windows server 2016

Problem:
Open a tm1web view in the new PA version give error, it worked in the old TM1 server.

Error message:
Limits exceeded
The action has been terminated because it exceeds the configured maximum memory limit.

Solution:

Open tm1web_config.xml file in Notepad++. It is in folder C:\Program Files\IBM\cognos\tm1_64\webapps\tm1web\WEB-INF\configuration\

Having WorkbookMaxCellCount blank or setting it to less than 0 indicates that an unlimited cell count for workbooks is allowed.
Before IBM Planning Analytics version 2.0.7, the default value is -1, which indicates an unlimited number of cells are allowed in a workbook.
After IBM Planning Analytics version 2.0.7, the default value is 500000.
Setting this parameter to 0 indicates that workbooks cannot have any cells.
You must set it to above 0.

You must do a restart of the application server for the change to take affect.

If WorkbookMaxCellCount parameter is in tm1web_config.xml and it is not the default, when the user opens a workbook, the server validates its cell count against WorkbookMaxCellCount. If the cell count of the workbook exceeds WorkbookMaxCellCount, an error message is logged and the workbook is not opened.

Can also be other values that affect how tm1 show cells.

More information:
https://www.ibm.com/support/pages/tm1-error-maximum-memory-action-exceeded-view-may-be-too-large
https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_tm1web_cfg_params_v10r2.html

by ·Comments Off on Connection with the server was lost

Product:
Cognos Controller 10.3.1
Microsoft Windows 2012 server

Problem:
Several controller users are thrown out of the cognos controller client at reporting week.

Error message:

Solution:
Check the firewall between the servers, controller servers and citrix servers.
Is there any new rules that have been implemented?

Does other application that also use citrix servers have issues with connection losses?

Turn off aggressive Aging in your firewall.

 

Also check if the Windows SQL server demand TLS 1.2, and you need to update the Windows registry to not use TLS 1.2 communication on the cognos servers. Set this values on cognos server:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]

“DisabledByDefault”=dword:00000000

“Enabled”=dword:00000001

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]

“DisabledByDefault”=dword:00000000

“Enabled”=dword:00000001

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]

“DisabledByDefault”=dword:00000000

“Enabled”=dword:00000000

If it does not help, then also try to change the DoS attacks settings in Windows;

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6859390e-7047-41d2-930e-a1ecd87ba3bb&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

A change in TCP/IP service are going to enable DoS protection.

  1. Run regedit.exe
  2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry subkey.
  3. From the Edit menu, select New, DWORD Value.
  4. Enter the name TcpMaxHalfOpen, then press Enter.
  5. Double-click the new value, set it to 100, then click OK.
  6. Enter the name TcpMaxHalfOpenRetried, then press Enter.
  7. Double-click the new value, set it to 80, then click OK.
  8. Enter the name SynAttackProtect, then press Enter.
  9. Double-click the new value, set it to 1, then click OK.
  10. Reboot the machine.

If above is set, try to remove it with SynAttackProtect value set to 0.

When SynAttackProtect value is 0, it offers no protection. Value 1 indicate to delay the response Notification untill three way handshake is complete by the received by the SYN packet. By default, this is not invoke untill it exceeds the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values. The values TcpMaxHalfOpen and TcpMaxHalfOpenRetried could be changed, and I strongly recommend to test with different settings in your environment, then choose the best ones.

https://www.informit.com/articles/article.aspx?p=371702

More Information:
https://sc1.checkpoint.com/documents/R76/CP_R76_IPS_AdminGuide/12857.htm

Understanding Aggressive Aging

To increase gateway stability, aggressive Aging helps manage the capacity of the connection table and gateway memory consumption.

Aggressive Aging introduces a new set of short timeouts called aggressive timeouts. When a connection is idle for more than its aggressive timeout, it is marked as “eligible for deletion”. When the connections table or memory consumption reaches a user defined threshold, Aggressive Aging begins to delete “eligible for deletion” connections until memory consumption or connection capacity falls to the desired level.

Aggressive Aging lets the Security Gateway handle large amounts of unexpected traffic, for example during a Denial of Service attack.

If the defined threshold is exceeded, each incoming connection triggers the deletion of ten connections from the “Eligible for Deletion” list. An additional ten connections are deleted with every new connection until the memory consumption or the connections capacity falls below the enforcement limit. If there are no “Eligible for Deletion” connections, no connections are deleted but the list is checked for each subsequent connection that exceeds the threshold.

Timeout settings are a key factor in memory consumption configuration. When timeout values are low, connections are deleted faster from the table, enabling the firewall to handle more connections concurrently.

Best Practice: When memory consumption exceeds its threshold, work with shorter timeouts that can maintain the connectivity for the majority of the traffic.

In the Aggressive Aging Timeouts are enforced when section, select whether they will be enforced if the Connections table exceeds a limit, if Memory exceeds a limit, or if both exceed their limits.

If you select both, the values in the percentage fields of the other options are applied. Default is 80%, with connections from the “Eligible for Deletion” list being deleted if either the Connections table or Memory consumption passes this limit.

Note – The limits for the Connections table and Memory consumption are set for each profile. The Aggressive Aging timeouts are global. Therefore: different gateways may enforce the same timeouts at different thresholds.

Activate this protection in either Prevent or Detect mode.

by ·Comments Off on cannot connect to TM1 Admin server

Product:
Cognos TM1 10.2.2
Microsoft Windows 2008 server

Problem:
Can not connect to TM1 server from client TM1 Architect.
Error:  TM1 Perspectives cannot connect to TM1 Admin server

Solution:
Check that you have access to the TM1 admin server, by run telnet from the DOS prompt your client computer;

TELNET  servername  5498

if you get a black screen, and no error message, then you have a open connection.

Then check that you have the same version on you client as on the TM1 server.

You can check the file tm1api.dll in folder C:\Program Files\ibm\cognos\tm1_64\bin

Above the 10.2.2 TM1 client in RTM version.

Above the TM1 10.2.2 fix pack 7 version.  Version number 10.2.20700

https://www.ibm.com/support/pages/how-determine-exact-version-tm1-installed

If you do not have correct version, uninstall the TM1 client from your computer.

Install the correct program and update, and try again.

Run tm1_64b_10.2.2_win_ml.tar.gz and then up_tm1client_win64_10.2.5270.109_ml.tar.gz to install the needed software.

More Information:

https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_tm1_inst_defaultvaluesfortm1installation.html

https://www.ibm.com/support/pages/ibm-cognos-tm1-ssl-expiration-manual-fix-approach-landing-page

https://www.ibm.com/support/pages/node/553505

https://www.ibm.com/support/pages/e4-cannot-connect-admin-server-host-and-port-caused-expired-ssl-certificates

by ·Comments Off on IBM Cognos Controller has stopped working

Product:
IBM Cognos Controller 10.3.1
Microsoft Windows 2008 R2 server
Microsoft Excel 2008

Problem:
When inside Cognos Controller click on the icon to start excel, you get a error;
APPCRASH. CCR.exe

Error:

Solution:
Install a newer version of Excel.

Cognos Controller 10.3.1 only supports excel version 2010, 2013 and 2016.

 

https://www.ibm.com/support/pages/ibm-cognos-controller-1031-supported-software-environments