Cognos Analytics 11.1.7

Microsoft Windows 2016 server


Cannot create new Planning Analytics data source connections inside CA11.

If it worked before, you have changed the security on the PAL installation.

When you test the data connection in Cognos Analytics administration page, you get an error like this:

Dynamic Failed XTR-ERR-0005 A request to TM1 resulted in error: “[400] PKIX path building failed: unable to find valid certification path to requested target”.


Add the TM1 default certificate to the CA11 certificate store in Java.

Stop the IBM Cognos service.

Go to D:\Program Files\ibm\cognos\analytics\ibm-jre\jre\bin and start Ikeyman.exe as administrator.

Click on open icon.

Select the cacerts file in folder D:\Program Files\ibm\cognos\analytics\ibm-jre\jre\lib\security

Set type as JKS

Click OK

Enter password: changeit

Select Signer Certificates from the drop-down menu.

Click on Add.

Select the ibmtm1.arm file (that you copied over from the Planning Analytics server)

Click OK.

Give it a name like TM1ServerCert.

Close IKEYMAN program.

Start Cognos service.

If you test the connection – the message should be similar to this:

Dynamic Succeeded XQE-DS-0015 TM1 Server Name: tm1ServerName: “11.8.01000.6”.


More information:


Cognos Analytics 11.1.7

Microsoft Windows 2016 server


How to set up a custom certificate in CA11?


Follow IBM recommendations, from here:


When configuring IBM® Cognos® Analytics to use an external certificate authority (CA), you must start with a stopped system and an empty key store.

Export the Cognos Configuration as plain text first, by using File – Export as, on all CA11 servers. Save it as backup.xml in the configuration folder.

Procedure to clean the keystore

  1. Open IBM Cognos Configuration as an administrator. Ensure HTTP is used under Environment.
  2. In the Explorer window, under Security > Cryptography, click Cognos.
  3. Under Certificate Authority settings, click the Use third party CA property, and ensure that its Value is set to False.
  4. From the File menu, click Save to save the configuration.
  5. Close Cognos Configuration.
  6. Go to the Cognos Analytics installation directory, and delete all content from the install_location\configuration\certs directory.


On Microsoft Windows installations, you can run the tool with the -java:local command to use the JRE that is provided with the installation, as shown in the following example:

ThirdPartyCertificateTool.bat -java:local -c -d ...

The default password is NoPassWordSet.

Procedure to request a new cert

  1. From the install_location\bin directory, run the ThirdPartyCertificateTool.
  2. Type the following command to create the certificate signing request for the crypto key:

On Windows, from inside an Administrator Command Prompt, type

ThirdPartyCertificateTool.bat -c -e -d "CN=EncryptCert,O=MyCompany,C=CA" -r encryptRequest.csr -p keystore_password -a RSA
  • The distinguished name (DN) value in the command ("CN=Servername,O=MyCompany,C=SE") uniquely identifies the Cognos Analytics installation.

    You can add more information with a command line like this:

    ThirdPartyCertificateTool.bat -c -e -p NoPassWordSet -a RSA -r "encryptRequest.csr" -d ",OU=Finance,O=MyCompany,L=Stockholm,C=SE" -H ""

    The password that you enter for this key must be used again when you import the certificate, and again in IBM Cognos Configuration.

    You can ignore any warnings about logging.

    Back up your D:\Program Files\ibm\cognos\analytics\configuration folder to d:\temp
    (if you start Cognos BI, you may need to go back to these settings before importing the certificates).
    Important: The certificates that are generated by your CA must be in PEM (Base-64 encoded ASCII) format.


The command generates the following CSR files:

  • The CAMKeystore file in the install_location\configuration\certs directory.
  • The encryptRequest.csr file in the install_location\bin directory.
After the CSR files are generated, perform the following steps:

  • Share the crypto key file encryptRequest.csr, or its contents, with the external CA. Using this key, the CA produces a crypto key certificate, a root certificate, and an intermediate certificate for the request, and sends them back to you.
  • If you get a P7B file, you need to convert it to PEM with OpenSSL. Use this command:

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

  • The file certificate.cer can be opened in Notepad++, and its content copied out into 3 certificate files, one for each function. A PEM certificate should not start with a blank line.
  • Copy the certificates from the external CA to the Cognos Analytics installation directory, such as install_location\configuration\bin.


You must import the certificates from the external certificate authority (CA) into your IBM® Cognos® Analytics key store.

The import must be done on each computer where the following Cognos Analytics components are installed: Content Manager, the Application Tier Components, the gateway, and the client components such as Framework Manager, and other components if you use them.


Procedure to import the cer files

  1. Go to the location where you saved the certificate files from the CA authority, and do the following:
    1. Create a copy of the crypto certificate, and name it encryptCertificate.cer.
    2. Create a copy of the root CA certificate, and name it ca.cer. (cer or pem files work equally well).
  2. If the files are not already there, copy the encryptCertificate.cer, and ca.cer files to the install_location/bin directory.
  3. From install_location/bin directory, start the ThirdPartyCertificateTool command line tool (as shown below).
  4. Type the following command to import the CA root certificate into the Cognos Analytics trust store:

On Windows operating systems, type

ThirdPartyCertificateTool.bat -i -T -r ca.cer -p keystore_password
  • The command reads the ca.cer file and imports the contents into the CAMKeystore file in the certs directory using the specified password.
  • If you use intermediate CA certificates, import all the intermediate certificates (ICA) into the Cognos Analytics trust store by using the same command as in step 4, for example: ThirdPartyCertificateTool.bat -i -T -r issuing.pem -p NoPassWordSet
  • Import the server crypto certificate into the Cognos Analytics encryption key store by typing the following command:

On Windows operating systems, type

ThirdPartyCertificateTool.bat -i -e -r encryptCertificate.cer -p keystore_password -t ca.cer

    Important: Ensure that the keystore_password is the same password that you entered when you exported the encryption key in the previous task.

    If you have both intermediate and root certificates, they need to be merged into the text file chain.cer, which is used instead of ca.cer in the above command.

    See how here:


The command reads the encryptCertificate.cer and ca.cer files in the install_location\bin directory and imports the certificates from both files into the CAMKeystore file in the install_location/configuration/certs directory using the specified password.

Ensure that the key store locations and passwords in IBM Cognos Configuration match the ones that you typed in the ThirdPartyCertificateTool tool.
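
The manual Notepad++ split of certificate.cer and the merge into chain.cer described above can be scripted. This is an added example, not code from IBM or from the original post: it reads the subject=/issuer= lines that openssl pkcs7 -print_certs writes before each certificate, orders the chain, and writes the files without a leading blank line. The function names, the sample bundle (placeholder bodies, not real certificates) and the order inside chain.cer (intermediates first, root last) are assumptions.

```powershell
# Added example. File names (certificate.cer, encryptCertificate.cer, ca.cer,
# chain.cer) come from the post; everything else is constructed for illustration.

function Split-PemBundle {
    # Parse "openssl pkcs7 -print_certs" text into Subject / Issuer / Pem objects.
    param([string[]]$Lines)
    $certs = @()
    $subject = $null; $issuer = $null; $body = $null
    foreach ($line in $Lines) {
        $l = $line.Trim()
        if     ($l -like 'subject=*') { $subject = $l.Substring(8).Trim() }
        elseif ($l -like 'issuer=*')  { $issuer  = $l.Substring(7).Trim() }
        elseif ($l -eq '-----BEGIN CERTIFICATE-----') { $body = @($l) }
        elseif ($l -eq '-----END CERTIFICATE-----' -and $null -ne $body) {
            $body += $l
            $certs += [pscustomobject]@{
                Subject = $subject; Issuer = $issuer; Pem = ($body -join "`r`n")
            }
            $subject = $null; $issuer = $null; $body = $null
        }
        elseif ($null -ne $body -and $l -ne '') { $body += $l }   # base64 line
    }
    return $certs
}

function Get-ChainOrder {
    # Return the certificates as: server cert, intermediate(s), root.
    param([object[]]$Certs)
    $issuers = @($Certs | ForEach-Object { $_.Issuer })
    # The server certificate is the only one that has not issued another one.
    $leaf = @($Certs | Where-Object { $issuers -notcontains $_.Subject })
    if ($leaf.Count -ne 1) { throw "Expected one server certificate, found $($leaf.Count)" }
    $ordered = @($leaf[0])
    $current = $leaf[0]
    while ($current.Subject -ne $current.Issuer) {          # root is self-signed
        if ($ordered.Count -ge $Certs.Count) { throw 'Issuer loop in bundle' }
        $next = $Certs | Where-Object { $_.Subject -eq $current.Issuer } |
                Select-Object -First 1
        if ($null -eq $next) { throw "Issuer '$($current.Issuer)' is not in the bundle" }
        $ordered += $next
        $current = $next
    }
    return $ordered
}

function Write-CognosCertFiles {
    param([object[]]$Ordered, [string]$OutDir)
    $cas = @($Ordered | Select-Object -Skip 1)
    # -Encoding Ascii: no BOM, no UTF-16; each file starts at "-----BEGIN".
    Set-Content -Path (Join-Path $OutDir 'encryptCertificate.cer') -Value $Ordered[0].Pem -Encoding Ascii
    Set-Content -Path (Join-Path $OutDir 'ca.cer') -Value $Ordered[-1].Pem -Encoding Ascii
    if ($cas.Count -gt 1) {
        # Assumption: intermediates first, root last.
        Set-Content -Path (Join-Path $OutDir 'chain.cer') -Value ($cas | ForEach-Object { $_.Pem }) -Encoding Ascii
    }
}

# Constructed sample in the layout openssl writes; deliberately out of order.
$sample = @'
subject=CN = cognos01.example.local, O = MyCompany, C = SE
issuer=CN = Example Issuing CA, O = MyCompany, C = SE

-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-SERVER
-----END CERTIFICATE-----

subject=CN = Example Root CA, O = MyCompany, C = SE
issuer=CN = Example Root CA, O = MyCompany, C = SE

-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-ROOT
-----END CERTIFICATE-----

subject=CN = Example Issuing CA, O = MyCompany, C = SE
issuer=CN = Example Root CA, O = MyCompany, C = SE

-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-ISSUING
-----END CERTIFICATE-----
'@ -split "\r?\n"

# Real use: -Lines (Get-Content .\certificate.cer)
$certs   = @(Split-PemBundle -Lines $sample)
$ordered = @(Get-ChainOrder -Certs $certs)
$outDir  = Join-Path ([System.IO.Path]::GetTempPath()) 'cognos-cert-split'
New-Item -ItemType Directory -Force -Path $outDir | Out-Null
Write-CognosCertFiles -Ordered $ordered -OutDir $outDir

$ordered | ForEach-Object { '{0}   issued by   {1}' -f $_.Subject, $_.Issuer }
Get-ChildItem $outDir | Select-Object Name, Length
```

If the script stops with "is not in the bundle", the CA did not include that issuer in the P7B and its certificate has to be obtained separately before the import.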

Procedure to start CA with custom cert

  1. Open IBM Cognos Configuration as an administrator. Ensure HTTPS is used under Environment.
  2. In the Explorer window, under Security > Cryptography, click Cognos.
  3. Under Certificate Authority settings, click the Use third party CA property, and set its Value to True.
  4. For the Key store password property, enter the password that you used for the crypto key.
  5. Click File > Save to save the configuration.
  6. Restart your IBM Cognos services.



Test the IIS cert by browsing to (or only browse to the server name):

Test the Cognos BI cert by browsing to (update with the port you use in Cognos Configuration):

If you have had the Cognos BI site running HTTP before, you must change the IIS web farm to use the new HTTPS, and also update the port in use. Otherwise you will get 404 or 502 errors in the web browser.

It is best to clear the IIS configuration, update the CA_IIS_Config.bat file with the new port number, and rerun it. You should not need to delete the COGNOSCONTROLLERS folder, as long as it uses a different application pool.

To remove the IIS settings:

– Open IIS
– Click Application Pools
– Select the Cognos 11 App Pool and stop it
– Expand everything
– Select the ibmcognos -> sso application and remove it
– Select the ibmcognos application and remove it
– Click Application Pools, select the Cognos app pool, and delete it
– Close IIS

Open your file explorer
– Navigate to the Cognos gateway install directory
– Delete the following web.config files:

  • cgi-bin\web.config
  • webcontent\web.config
  • webcontent\bi\web.config

Edit the CA_IIS_Config.bat file with HTTPS and the correct port:

:: If more than one dispatcher is defined, a Server Farm will be created
set disp[1].protocol=https
set disp[1].name=servername
set disp[1].port=9300

:: Enable SSO (True/False)

Run the script again to reconfigure the IIS setup.

You also need to add the certificate for your server to IIS Manager. The simplest way is to get a PFX file with all the information and import it on the Windows server. Then you can bind it to your default web site in IIS Manager.


More information:

Cognos Analytics 11.1.7
Cognos Controller 10.4.2
Microsoft Windows 2016 server

How to set up SSL (TLS 1.2) with Cognos Analytics, when I only got a PFX file from my company?


This is not the recommended way – you should use the IBM guides instead.

(These instructions will fail, as the next time you start Cognos Configuration and click save, the CAMkeystore file is overwritten.)



First, ensure Cognos Analytics is working without issues. Check these log files and solve all errors before you start.
D:\Program Files\ibm\cognos\analytics\logs\p2pd_messages.log
D:\Program Files\ibm\cognos\analytics\logs\cognosserver.log
D:\Program Files\ibm\cognos\analytics\wlp\usr\servers\cognosserver\logs\messages.log

Second, always back up these folders by copying them to a different folder like d:\temp
D:\Program Files\ibm\cognos\analytics\bin64\ssl
D:\Program Files\ibm\cognos\analytics\configuration\certs
D:\Program Files\ibm\cognos\analytics\ibm-jre\jre\lib\security

and for Cognos Controller back up these folders
D:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security
D:\Program Files\ibm\cognos\ccr_64\bin64\jre\8.0\lib\security

You should export a text file of the configuration in Cognos Configuration and create screen dumps of your setup in Cognos Controller Configuration, so you can apply them back in case something goes wrong. Use Select File – Export as.

Download OpenSSL to your Windows laptop; with this program you can convert and check certificates. An easy way to get the OpenSSL tool is to download Git for Windows. Download from
Run Git-2.37.3-64-bit.exe (with all defaults) to install Git on your laptop.  Then you find openssl in folder: C:\Program Files\Git\mingw64\bin


IMPORTANT: Add a rule in the local Windows Defender firewall to allow inbound traffic on both port 80 and 443 on all Cognos servers.

How to install the PFX in Windows (IIS)

Copy your PFX file to your server, place it in a folder like c:\cert
Right click on PFX file and select Install PFX

Select Local Machine and click Next

Click next on file to import.

Enter the password you got with the PFX file and click Next.

Click next on Certificate store, and let it be automatically selected.

Click Finish.

Start IIS (Internet Information Services Manager)

Click on the servername (home) and click on Server Certificates, to check that you have valid certificates. Check the Expiration Date to know which one you can use.

In IIS manager, expand Sites, and mark Default Web Site. Click on bindings link on the right side.

Click ADD button.

Select HTTPS as type.

Select your certificate from the drop-down list SSL certificate, and press OK.

Later, when it is working, remove the support for port 80 in the bindings dialog.

Go to default web site\ibmcognos\bi folder and click on URL Rewrite icon

Double click on Reverse Proxy to change its values.

Scroll down and edit the ReWrite URL to: https://ca_servers/bi/{R:0}

Click Apply on the right side.

Restart IIS.


If you have had the Cognos BI site running HTTP before, you must change the IIS web farm to use the new HTTPS, and also update the port in use. Otherwise you will get 404 or 502 errors in the web browser.

Clear the IIS setup.

Update the CA_IIS_Config.bat file with HTTPS and the correct port.

Run CA_IIS_Config.bat as an administrator in Command prompt.


How to export the root and intermediate cer files from IIS

Go to server certificates, double click on your certificate.

Select Certificate Path tab, and select the middle certificate in the list, and click View Certificate button.

A new window will open; in there, go to the Details tab.

Select Subject row, and copy the CN line to the clipboard.

Click on the Copy to File button.

Click Next in the Certificate Export Wizard.

Mark Base-64 encoded X.509 and click next.

Enter a name and path; we suggest using the CN name as the name of the cer file. Click Next.

Click Finish.

Now, you need to repeat this for the root certificate.

Click on Certificate path tab.

Click on top root cert and click on View Certificate button.

Go to Details tab and select Subject line.

Copy CN line to clipboard.

Click Copy to File button.

Click next in the Certification Export Wizard.

Mark Base-64 encoded X.509 and click Next.

Enter a file name like c:\cert\root.cer and click Next.

Click Finish to create the file.

Now you should have two cer files in your c:\cert folder.

You can test the certificate by browsing to your server at https://servername to see if you get errors in Internet Explorer.

Under Internet Options – Advanced – you can uncheck “warn about certificate address mismatch” to suppress error messages.

Update the CAMstore

Before you change the certificate store in Cognos, stop all IBM Cognos services and Java processes.

Go to folder D:\Program Files\ibm\cognos\analytics\ibm-jre\jre\bin

Right click on IKEYMAN.EXE and select “Run as administrator”.

Click on the open icon.

Browse to D:\Program Files\ibm\cognos\analytics\configuration\certs folder and select CAMkeystore file.

Set Key database type to PKCS12 and press OK.

Enter the password: NoPassWordSet

Mark encryption, and click rename, to change it to encryptionold.

Click on Export/import button.

Browse to your PFX file.

Select type to be PKCS12 and press OK.

Enter the password you got with the PFX file.

Click OK on the question to change labels.

Mark the new line, and click rename button. Change the name to encryption.

Press OK.

Double click on encryption to check that the certificate is valid. Check the date, and that the DNS name is the same as your servername.

Select Signer Certificates in the drop down list.

Check that the root and issuing certificates for your company are in the list. If not, click on the ADD button, select the two cer files we created before, and import them.

Exit IKEYMAN.  All changes in IKEYMAN are saved directly to your key store file. That is why you need to back up the key store file before you open the IKEYMAN program.

Add root cert to java key store

Start IKEYMAN program with Run as Administrator

Click on Open icon.

Browse to D:\Program Files\ibm\cognos\analytics\ibm-jre\jre\lib\security and open cacerts as Type JKS.

Click OK and enter the password: changeit

Click on ADD button.

Find your issuing cer file and import it.

Enter a name that describe the certificate and press OK.

Click on ADD button again, and import the root cer file.

Select the cer file and press OK.

Give it a name and press OK.

Close IKEYMAN program.

Change CA11 to use custom certificate

Start Cognos Configuration program as Administrator.

At Local configuration, click on Advanced properties.

Add the value StandaloneCertificateAuthority = True

Click OK

Go to Environment and change all HTTP to HTTPS.

Update the port number 80 to 443.

Keep the port-number 9300 for the other rows. We will use SSL over the port 9300.

Gateway should be:

Controller URI for gateway should be:

Content Manager URI should be:

Go to Cryptography – Cognos

Change Use Third Party CA? to True.

Save the configuration (this will update some key store files for WebSphere Liberty Profile).

Start the IBM Cognos service from inside Cognos Configuration.  This takes around 10 minutes.

There should be no errors, when starting Cognos Analytics.

To test the certificate inside Cognos Analytics, start a web browser and go to

There should be no errors, and the padlock should be secure in the web browser.





Add the trusted ca root cert to java store

On the cognos controller client computer, start IKEYMAN from D:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\bin  folder.

Click on OPEN icon and go to D:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security folder

Select the file cacerts and key database type JKS. Click on OK.

Enter the password: changeit

Select Signer Certificates from the drop down list.

Click on ADD button, to add the root.cer and issuing.cer files you have created before from IIS.

After you have added both certs, exit IKEYMAN program.

Now copy the cacerts file to all Cognos Controller installations, and place the file in folder D:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security.

If you are using ccrRemoteServer in file D:\Program Files\ibm\cognos\ccr_64\ControllerProxyServer\web.config

<add key="ccrRemoteServer" value="" />

That needs to be updated with https, and the server needs to be restarted.


Update Cognos Controller to support TLS 1.2

Go to the folder: d:\Program Files\ibm\cognos\ccr_64\server\
Open CCRProxy.options in NOTEPAD++
Add the following lines (at the end):

Save the file.

On the Cognos Controller server and Cognos Controller clients do this:
1. Open the registry editor, by clicking on ‘Start’ menu and typing:    REGEDIT
2. Navigate to the following path: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
3. Right-click on v4.0.30319 and select New –> DWORD (32-bit)
  • Set the name to: SchUseStrongCrypto
  • Set the value to 00000001


Go into Cognos Controller Configuration and update the Report Server dialog to use HTTPS instead of HTTP.

Report server should be:

Dispatcher URI should be:

Important to also update the Cognos Controller Client Distribution Server Configuration. All should use HTTPS.

WSSUrl should be:

Save the changes in Controller Configuration.

To test that the SSL is working on the server, from the cognos controller client start a web browser and browse to

There should be no errors.



(Please do not use these instructions, as they will not work: when you make a change in Cognos Configuration, the certificate store is replaced with the Cognos default certificate, and the system will break.)

Use these instructions instead:


More Information:


Cognos Analytics 11.1.7

Microsoft Windows 2019 server


After a restart of the Windows server for a Windows patch, CA11 is not responding.

If you go to you get a blank screen.

In the log file D:\Program Files\ibm\cognos\analytics\logs\p2pd_messages.log you see an error like this:

product = WebSphere Application Server (wlp-1.0.42.cl200720200625-0300)
wlp.install.dir = D:/Program Files/ibm/cognos/analytics/wlp/
java.home = D:\Program Files\ibm\cognos\analytics\ibm-jre\jre
java.version = 1.8.0_301
java.runtime = Java(TM) SE Runtime Environment ( – pwa6480sr6fp35-20210714_01(SR6 FP35))
os = Windows Server 2019 (10.0; amd64) (sv_SE)
[2022-08-18 20:43:41:231 CEST] 00000001 I CWWKE0002I: The kernel started after 3,435 seconds
[2022-08-18 20:43:41:481 CEST] 00000028 I CWWKF0007I: Feature update started.
[2022-08-18 20:43:43:530 CEST] 00000028 E CWWKF0003E: An exception was generated when installing or uninstalling bundle INSTALL file:/D:/Program%20Files/ibm/cognos/analytics/wlp/usr/extension/lib/logging-feature-log4j2.jar (resolved from:[1.0.0,2.0.0)@file:/D:/Program%20Files/ibm/cognos/analytics/wlp/usr/extension/lib/logging-feature-log4j2.jar). Exception: java.lang.NullPointerException
at java.util.concurrent.ThreadPoolExecutor.runWorker(
at java.util.concurrent.ThreadPoolExecutor$




Restart the IBM Cognos service again on all servers – start with the CA11 content manager first.

In case that does not help, stop the IBM Cognos service.

Erase the workarea content – that is under folder D:\Program Files\ibm\cognos\analytics\wlp\usr\servers\cognosserver\workarea

Start the IBM Cognos service.

This cleans out any “corruption” in the Cognos WebSphere application files.



More Information:



Cognos Analytics 11.1.7

Microsoft Windows 2019 server


What firewall ports should be open in windows firewall to make Cognos work?


These are the ports that are used by Cognos products:

Cognos Analytics 11.1.7

80 for client access to cognos portal
443 for client access (https/ssl/tls)
9300 Cognos dispatcher
4300 Sync configuration between CA11 servers
5701 Sync CA11 servers to a group of CA11 servers
9301 CA11 uses this port at start
9362 Cognos log server
9080 WebSphere transport port
8172 IIS Server Farms port to check windows servers


Cognos Controller 10.4.2

80 for controller client access to controller server
443 for client access (https/ssl/tls)
9300 Contact to CA dispatcher
9080 Client to controller web
9082 Client to controller report service
9081 if installed on same server as CA11
3000 Controller web backend port


Planning Analytics

80 for client access to PAW
443 for client access (https/ssl/tls) to PAW
9300 Contact to CA dispatcher
9510 Client access to TM1WEB
9511 Tm1 app web (pmpsvc)
9012 PAA agent
5495 Tm1 architect contact with TM1 Admin service
5498 Tm1 architect contact with TM1 Admin service (ssl)
5895 TM1 Admin Server -> TM1 REST API (HTTP)
5898 TM1 Admin Server -> TM1 REST API (HTTPS)
12300-12400 TM1 instance port range
8888 Administration port for PAW
9513 Shutdown port



More Information:


Cognos Analytics 11.1.7

Microsoft Windows 2019 server


After new installation, when you browse to http://servername/ibmcognos you get an error.

If you browse to http://servername:9300/bi/v1/disp, then CA11 works fine.

When it does not work, you see in the URL: http://localhost/ibmcognos/bi/bi

Error message:

The webpage cannot be found


You have run the CA_IIS_Config.bat file first, without installing requestrouter_amd64.msi or rewrite_amd64_en-US.msi. The Rewrite module needs to be installed first.

CA_IIS_Config.bat file is found in folder D:\Program\ibm\cognos\analytics\cgi-bin\templates\IIS

Download the needed files, this is a new version for Windows 2019, from here:

Install them on the Microsoft Windows 2019 server.

You should have in Control Panel – “Programs and Features”:

IIS URL Rewrite Module 2 version 7.2.1993

Microsoft Application Request Routing 3.0 version 3.0.05311

Then run the CA_IIS_Config.bat file, again from a command prompt.

Check in Internet Information Services (IIS) Manager that the URL rewrite exists.

(if rule SSO login is disabled – you do not have SSO with Cognos Analytics).

More Information:


Cognos Analytics 11.1.7

Microsoft Windows 2019 server


After an upgrade of CA11 to a new version, the Dynamic Cubes do not load or work. When you test a JDBC connection in the Cognos portal you get an error.

Error message:

DPR-ERR-2072 Unable to load balance a request with absolute affinity, most likely due to a failure to connect to the remote dispatcher. See the remote dispatcher detailed logs for more information. Check the health status of the installed system by using the dispatcher diagnostics URIs


If you upgrade from 11.1.6 to 11.1.7 and you have previously applied the log4j patch, then the upgrade will remove the jar file and replace the bootstrap_wlp_winx64.xml file.  But the file xqe.config.custom.xml will still be around. In this file there is a pointer to the log4jSafeAgent2021.jar file.

Stop Cognos Analytics services.

Remove or restore the original xqe.config.custom.xml file.

Start Cognos Analytics services.


More information:

If you have done this (listed below) before the upgrade, then you can run into the above issue.

The IBM Cognos Analytics team have developed a “no-upgrade” option for our “On Prem” (local installation) customers.

The single version of the patch is applicable to IBM Cognos Analytics versions 11.0.6 to 11.0.13 FP4, 11.1.x and 11.2.x.

The log4jSafeAgent file that is provided for Cognos Analytics modifies the class byte code at the Java startup time. It removes the vulnerable JNDI lookup, and enforces the StrSubstitutor recursion limit without altering the installed product.

It effectively rewrites the “org/apache/logging/log4j/core/lookup/JndiLookup” class to remove its content during IBM Cognos Analytics start up.

To get the patch and detailed instructions, click this link: log4jSafeAgent

Bundle Customers can use the following link: log4jSafeAgent Bundled

In the install_location\configuration directory, edit the xqe.config.custom.xml file. Note: The xqe.config.custom.xml file might not exist and needs to be created. Should changes be made to the xqe.config.xml file (

In the xqe.config.custom.xml file, specify the javaagent parameter with a reference to the log4jSafeAgent2021.jar file. For IBM JRE, add the javaagent as follows:


Cognos Analytics 11.1.7

Microsoft Windows 2016


How to remove the JNDI call from the log4j-core file?

Suggested solution:

(Test this first in your LAB environment)

Check where you have 7zip installed.

Find out which files to clean.  (Take a backup of the files to clean.)

For cognos controller, we guess it is this file:

C:\Program Files\ibm\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.reports\apps\fcm.reports-rest.war\WEB-INF\lib\log4j-core-2.5.jar

For cognos analytics, it is several files, maybe these:

C:\Program Files\ibm\cognos\analytics\bin\log4j-core-2.7.jar
C:\Program Files\ibm\cognos\analytics\wlp\usr\servers\dataset-service\workarea\org.eclipse.osgi\88\0\.cp\log4j-core-2.7.jar

Create a new folder e.g. c:\fix

Create a text file, where you list the files to clean on this server e.g. c:\fix\filetofix.txt

Create a new PowerShell file, jarupdate.ps1, with this content:

# set location of 7z program
$7zip = "C:\Program Files\7-Zip\7z.exe"
# run the script on the source machine
# get files from list to clean
$file2fix = Get-Content -Path "c:\fix\filetofix.txt"
# for each jar in the list, delete the JndiLookup class from the archive
foreach ($thefile in $file2fix) {
    Write-Host "Currently the script is cleaning " $thefile
    & $7zip d "$($thefile)" "org/apache/logging/log4j/core/lookup/JndiLookup.class"
}


Get approval to do the update on the Cognos server.

Stop all IBM Cognos services.

Check that no JAVA process is still around.
Start POWERSHELL as administrator

Go to your c:\fix folder

Enter command: .\jarupdate.ps1

The output will be similar to this;

Reboot the server.
Test that Cognos still works.

Repeat on all affected servers.

If you have checked the size of the jar file before clean, you should see a difference after clean.

More Information:

911 – Log4j Security Risk Affects IBM Planning Analytics, Cognos…

Cognos Analytics 11.1.7
Microsoft Windows 2019 server

Should I do something for Cognos products because of the Log4j vulnerability?

There is now a “patch”….. read more here

Security Bulletin: IBM Cognos Analytics: Apache log4j Vulnerability (CVE-2021-44228)


By sending a specially crafted string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. The attacker must get the Cognos logger software to process a string written to the log file that activates the JNDI function, which contacts LDAP server xxxx and downloads information that in reality can be Java code, and executes it. This gives the possibility to install Trojans and other software, but the attacker needs to trick Cognos into sending the information to the logger.

How Log4j Vulnerability Could Impact You

Suggested Solution:
First check what IBM says; if needed for Cognos, they will release a patch or instructions on their page.

Things you can do:
Ensure that the Cognos servers do not have contact with the Internet, so that no application on the server can reach out and download other software.
Creating a default-deny firewall rule will prevent servers from creating unapproved connections and can help reduce your risk of a compromise.

Ensure that only the people and computers that need it, have access to your cognos servers.

You can use tools, to see if you have the vulnerability;

Log4j is a tool to create log files, used by WebSphere and maybe Cognos software.
Check version of WebSphere with this command:

Above is from CA11.1.x  CM_version=11.1.7-41.
In a CMD prompt, go to the java bin folder (path depends on version of Cognos Analytics)
Enter command C:\Program Files\ibm\cognos\analytics\wlp\bin\productinfo  version
CA11 uses WebSphere Liberty Server, where the version number is the year it was released.
The latest version of WebSphere Application Server (WAS) is 9, which should correspond to WLP 20.

Above is from CA11.0.x  CM_version=

You can search your cognos folder, to see if you have Log4j files that can contain this issue.

You will find it in several folders, but it is only the top one \bin that is the default. The others are cached versions in folders like C:\Program Files\ibm\cognos\analytics\wlp\usr\servers\cognosserver\workarea\org.eclipse.osgi\61\data\cache\\.cache\WEB-INF\lib

Log4j-core and Log4j-api can contain this issue. In the above picture from CA11, we see that we use version 2.7 of Log4j. That is old, so the LOG4J_FORMAT_MSG_NO_LOOKUPS parameter will not work.

Versions of Log4j are listed here:

If you cannot wait for IBM instructions for Cognos, you can test this in your LAB.

“the mitigation is to remove the JndiLookup class from the classpath, with command: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class. ”

Stop the IBM Cognos service.

Copy the log4j-core-2.7.jar file to a new folder e.g. c:\tempfix

Unzip the jar file.

Go down in the unzipped folder structure to C:\tempfix\log4j-core-2.7\org\apache\logging\log4j\core\lookup folder

Remove the file JndiLookup.class

Go back to your top folder, and zip it again.

Rename your log4j-core-2.7.jar to ( to keep a backup ).

Rename your file to log4j-core-2.7.jar.

Copy the new log4j-core-2.7.jar file to your C:\Program Files\ibm\cognos\analytics\bin folder.

Start IBM Cognos.

Check that you can login and run reports.
The Log4j is used to create the cognosserver.log files, so carefully check that the log files work as expected.

If your test works out well, you can update the C:\Program Files\ibm\cognos\analytics\bin\log4j-core-2.7.jar file on your other CA11 servers.
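
The folder search described above, and the before/after size comparison from the jarupdate.ps1 post, can be replaced by a direct check of the jar contents. This is an added example, not code from the original post or from IBM: it lists every log4j-core jar under a folder, including the cached copies, and reports whether JndiLookup.class is still inside. The function names and the sample jars it builds in a temp folder are constructed for illustration.

```powershell
# Added example. The class path inside the jar is the one quoted in the post;
# everything else (function names, sample jars) is constructed.
Add-Type -AssemblyName System.IO.Compression, System.IO.Compression.FileSystem

$JndiEntry = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'

function Get-Log4jCoreStatus {
    # Report every log4j-core jar under $Root and whether JndiLookup.class is in it.
    param([string]$Root)
    $jars = Get-ChildItem -Path $Root -Recurse -File -Filter 'log4j-core-*.jar' `
                          -ErrorAction SilentlyContinue
    foreach ($jar in $jars) {
        try {
            $zip = [System.IO.Compression.ZipFile]::OpenRead($jar.FullName)
            try {
                if ($null -ne $zip.GetEntry($JndiEntry)) { $status = 'JndiLookup present' }
                else                                     { $status = 'JndiLookup removed' }
            } finally { $zip.Dispose() }
        } catch {
            # File locked by a running Java process, or not a valid zip archive.
            $status = 'unreadable: ' + $_.Exception.Message
        }
        [pscustomobject]@{
            Status = $status; SizeBytes = $jar.Length; Jar = $jar.FullName
        }
    }
}

function New-SampleJar {
    # Build a small constructed jar (a zip with empty entries) for the demo.
    param([string]$Path, [string[]]$Entries)
    $zip = [System.IO.Compression.ZipFile]::Open($Path, 'Create')
    try { foreach ($e in $Entries) { [void]$zip.CreateEntry($e) } }
    finally { $zip.Dispose() }
}

# Constructed sample tree: one cleaned jar, one cached copy that was missed,
# and one damaged file, mirroring the \bin and workarea cache layout in the post.
$root  = Join-Path ([System.IO.Path]::GetTempPath()) ('log4j-check-' + [guid]::NewGuid())
$bin   = Join-Path $root 'bin'
$cache = Join-Path $root 'workarea'
$other = Join-Path $root 'other'
New-Item -ItemType Directory -Force -Path $bin, $cache, $other | Out-Null

New-SampleJar -Path (Join-Path $bin   'log4j-core-2.7.jar') -Entries 'META-INF/MANIFEST.MF'
New-SampleJar -Path (Join-Path $cache 'log4j-core-2.7.jar') -Entries 'META-INF/MANIFEST.MF', $JndiEntry
Set-Content  -Path (Join-Path $other 'log4j-core-2.5.jar') -Value 'not a zip file'

# Real use: Get-Log4jCoreStatus -Root 'C:\Program Files\ibm\cognos\analytics'
Get-Log4jCoreStatus -Root $root | Format-Table -AutoSize -Wrap

Remove-Item -Recurse -Force $root
```

Run it with the IBM Cognos services stopped, otherwise jars held open by Java show up as unreadable; any row that still says "JndiLookup present" after the clean is a copy that was not in the list of files to fix.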

PAW have a fix at:

Security bulletin: Security Bulletin: IBM Planning Analytics Workspace: Apache log4j Vulnerability (CVE-2021-44228)

For the latest Cognos Controller version there is a new version out…  but more information may come from IBM.

Security bulletin: Security Bulletin: IBM Cognos Controller 10.4.2 IF16: Apache log4j Vulnerability (CVE-2021-44228)

TM1 may also not use the affected version. You have to check with IBM Support, what they say.

IBM SPSS have a fix at

IBM ILMT has a different version of Log4j, and therefore a different workaround:

Most products will have a “patch” to upgrade to later Log4j versions.

Workaround 1. Manually upgrade Log4j library included in VM Manager Tool in versions – to version 2.15.0

  1. Download the Log4j library package in version 2.15.0 from this page: and extract them.
  2. Copy the following files to the <VM_Manager_Tool_home_dir>/lib/ directory.
    • log4j-api-2.15.0.jar
    • log4j-core-2.15.0.jar
  3. Stop the VM Manager Tool by using the -stop switch of the <VM_Manager_Tool_home_dir>/|bat script. For more information, see: VM Manager Tool command-line options.
  4. Remove the following JAR files from the <VM_Manager_Tool_home_dir>/lib/ directory.
    • log4j-api-2.13.3.jar
    • log4j-core-2.13.3.jar
  5. Depending on your operating system, modify one of the following files.
    • LINUX: In the <VM_Manager_Tool_home_dir>/ file, find the following lines:
      VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-core-2.13.3.jar
      Change them to:
    • WINDOWS: In the <VM_Manager_Tool_home_dir>/vmman.bat file, find the following lines:
      SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-api-2.13.3.jar
      SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-core-2.13.3.jar
      Change them to:
      SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-api-2.15.0.jar
      SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-core-2.15.0.jar
  6. Start the VM Manager Tool by using -run switch of the <VM_Manager_Tool_home_dir>/|bat script. For more information, see: VM Manager Tool command-line options.

Workaround 2. Mitigate the issue on the current version of the Log4j library included in VM Manager Tool in versions – by the configuration change

  1. Depending on your operating system, run one of the following:
    • LINUX: In the <VM_Manager_Tool_home_dir>/ file, find the following line. It might not contain all the parameters starting with -D string, for example, it might not contain the substring.
      VMM_PROPERTIES_DEFS="-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1"
      Add the following text at the end of the found line, just before the double quotation mark that ends this line.
      " -Dlog4j2.formatMsgNoLookups=true" (including the space character at the beginning of the text)
      For example:
      VMM_PROPERTIES_DEFS="-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1 -Dlog4j2.formatMsgNoLookups=true"
    • WINDOWS: In the <VM_Manager_Tool_home_dir>/vmman.bat file, add the following entry as the last line of the ####### PROPERTIES DEFINITONS ####### section:
      SET VMM_PROPERTIES_DEFS=%VMM_PROPERTIES_DEFS% -Dlog4j2.formatMsgNoLookups=true
  2. Stop the VM Manager Tool by using the -stop switch of the <VM_Manager_Tool_home_dir>/|bat script. For more information, see: VM Manager Tool command-line options.
  3. Start the VM Manager Tool by using the -run switch of the <VM_Manager_Tool_home_dir>/|bat script. For more information, see: VM Manager Tool command-line options.
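After either workaround, it is worth checking that the start script really ends up in the intended state. The Python sketch below is an added example, not part of the IBM instructions; the function name and the sample scripts are constructed for illustration. It reports Log4j jars older than 2.15.0 that are still on VMM_CLASS_PATH and whether the formatMsgNoLookups flag survives to the end of the script, which is why the Windows entry has to be the last line of its section.

```python
import re

FLAG = "-Dlog4j2.formatMsgNoLookups=true"
JAR_RE = re.compile(r"log4j-(?:api|core)-(\d+)\.(\d+)\.(\d+)\.jar")
ASSIGN_RE = re.compile(r"^(?:SET\s+)?(VMM_CLASS_PATH|VMM_PROPERTIES_DEFS)=(.*)$", re.I)
SELF_REF_RE = re.compile(r"[$%]\{?VMM_PROPERTIES_DEFS", re.I)

def audit_start_script(text):
    """Report which of the two workarounds a start script (Linux or Windows form) reflects."""
    versions, flag_set = set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("#", "::")) or line.upper().startswith("REM "):
            continue  # commented-out settings have no effect
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).upper(), m.group(2)
        if name == "VMM_CLASS_PATH":
            versions.update(tuple(map(int, v)) for v in JAR_RE.findall(value))
        else:
            has_flag = FLAG in value.replace('"', " ").split()
            # A later assignment that does not append to the old value discards the flag.
            flag_set = has_flag or (flag_set and bool(SELF_REF_RE.search(value)))
    old = sorted(".".join(map(str, v)) for v in versions if v < (2, 15, 0))
    upgraded = bool(versions) and not old
    return {"old_jars": old, "flag_set": flag_set, "mitigated": upgraded or flag_set}

# Constructed sample scripts, modelled on the lines quoted in the workarounds.
LINUX_UNPATCHED = """\
VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-api-2.13.3.jar
VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-core-2.13.3.jar
VMM_PROPERTIES_DEFS="-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1"
"""
LINUX_FLAGGED = LINUX_UNPATCHED.replace('TLSv1"', f'TLSv1 {FLAG}"')
WINDOWS_UPGRADED = """\
SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-api-2.15.0.jar
SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-core-2.15.0.jar
"""
WINDOWS_MISPLACED = f"""\
SET VMM_PROPERTIES_DEFS=%VMM_PROPERTIES_DEFS% {FLAG}
SET VMM_PROPERTIES_DEFS=-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1
"""

if __name__ == "__main__":
    for label, script in [("linux unpatched", LINUX_UNPATCHED), ("linux flagged", LINUX_FLAGGED),
                          ("windows upgraded", WINDOWS_UPGRADED), ("windows misplaced", WINDOWS_MISPLACED)]:
        print(label, audit_start_script(script))
```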



More Information:

Reference material can be found at the Apache.org Log4j Security Vulnerability page.
IBM X-Force also has provided an analysis of the Log4j vulnerability, which can be found on the IBM Security Intelligence blog.

You have to decide how you will handle this possible threat in your organization.
This is only a list of information on the subject.
You should check the logs from your antivirus / firewall software to see if you are already compromised.

The IBM Cognos Analytics team have developed a “no-upgrade” option for our “On Prem” (local installation) customers.

To get the patch, click this link: CA-11.x-Log4jSafeAgent

For detailed instructions, see Mitigate the Apache Log4j vulnerability (CVE-2021-44228) in Cognos Analytics 

Affected Version | Fix Version | Bundled Customers
IBM Cognos Analytics 11.2.x | Cognos Analytics 11.2.1 Interim Fix 1 | IBM Cognos Analytics 11.2.1 Interim Fix 2 (Bundled)
IBM Cognos Analytics 11.1.x | Cognos Analytics 11.1.7 Interim Fix 6 | IBM Cognos Analytics 11.1.7 Interim Fix 7 (Bundled)
IBM Cognos Analytics 11.0.6 to 11.0.13 FP4 | Cognos Analytics 11.0.13 Interim Fix 3 | IBM Cognos Analytics 11.0.13 Interim Fix 4 (Bundled)

New version from 13 Jan 2022:

Affected Version | Fix Version | Bundled Customers
IBM Cognos Analytics 11.2.x | IBM Cognos Analytics 11.2.1 Interim Fix 3 | IBM Cognos Analytics 11.2.1 Interim Fix 3 (Bundled)
IBM Cognos Analytics 11.1.x | IBM Cognos Analytics 11.1.7 Interim Fix 8 | IBM Cognos Analytics 11.1.7 Interim Fix 8 (Bundled)
IBM Cognos Analytics 11.0.6 to 11.0.13 FP4 | IBM Cognos Analytics 11.0.13 Interim Fix 5 | IBM Cognos Analytics 11.0.13 Interim Fix 5 (Bundled)


Cognos Analytics 11.1.7

Microsoft Windows 2016 server

How do I install CA11 on my Windows server?

Follow the IBM documentation. Here is only a list of things to think about.

Download the software from IBM

You need at least the analytics-installer-2.2.2-win.exe and

Check this before installation on your new windows server:

Check that you have remote access to all your Cognos servers
Install SQL 2012 native client for ODBC support to SQL databases

Install .NET Framework 4.7.2

Turn DEP off in Windows control panel
Set Power Options to HIGH Performance in Windows control panel
Turn off IEESC (internet explorer enhanced security configuration)
Check what port your SQL server will use, for access to Content Store and Audit database.
Exclude cognos folders from anti-virus software scanning
Open firewall ports 80, 443 to end users
Open firewall ports 80, 443, 9300, 9362, 4300, 5701, 9301 between servers.
Open firewall ports 1433 for SQL, 25 for Mail, 389 for Active Directory.
Install 7zip and Notepad++ to edit xml files on the server.



Install IIS on the Windows Server 2016 select Web Server IIS, ASP.NET 4.6, HTTP Activation, TCP Port Sharing, HTTP Redirection, WebDav Publishing, ISAPI Extensions, Websocket, Windows Authentication, IIS Management Scripts and Tools.
Update regedit HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp\MajorVersion to 9  (only if needed)
Install  or


Run the installation of Cognos Analytics manually

Get the CA_IIS_Config.bat script from folder D:\Program Files\ibm\cognos\analytics\cgi-bin\templates\IIS and copy it to its own folder, e.g. d:\install

Run the installation of the Cognos Analytics developer programs (framework manager)
Update the IIS script with the server name, and run the script CA_IIS_Config.bat
Copy file sqljdbc42.jar into folder d:\program files\ibm\cognos\analytics\drivers

Setup a Notification database in SQL, if you have many users in cognos and many scheduled jobs
Setup a Content Store and Audit database in your SQL server
Configure Cognos Analytics with FQDN, leave Websphere memory at 8182
Install the CA samples

Setup WebDav in IIS

Stop creation of dump files: open the cclWinSEHConfig.xml file from the install_location\configuration folder. Set "CCL_HWE_ABORT" value="0"
Setup the audit database source and copy the D:\Program Files\ibm\cognos\analytics\samples\Audit_samples\ file to D:\Program Files\ibm\cognos\analytics\deployment folder. Import the audit samples.
Create a company logo in Cognos. The tags can be different for the different versions.
Tune logging to “Basic” in cognos connection
Activate SSO in Cognos Configuration by adding the advanced property
Name : singleSignonOption

Value: IdentityMapping

Set CAF to exclude * and tm1webserver:9510 and tm1webserver:9511
If you also have Cognos Controller then change Security – Authentication in CA11, Inactivity timeout in seconds to 36000
Update the Windows TCP window settings by importing the reg values below:

Windows Registry Editor Version 5.00




To get login to Planning Analytics working with Cognos BI (CAM), you need to change a few files, as below:

Update tm1web.html with tm1web servername and port, like this

var tm1webServices = ["",""];

Copy tm1web.html to locations;

D:\Program Files\ibm\cognos\analytics\webcontent\bi\tm1\web

D:\Program Files\ibm\cognos\analytics\webcontent\tm1\web

Update pmhub.html with the PAW server name and port as well, like this

var pmhubURLs = ["","",""];

Copy pmhub.html to locations;
D:\Program Files\ibm\cognos\analytics\webcontent

D:\Program Files\ibm\cognos\analytics\webcontent\bi

Update planning.html with the TM1 server name and port as well, like this

var planningServices = ["",""];

Copy planning.html to same folders as pmhub.html listed above.

The content manager will look in folder D:\Program Files\ibm\cognos\analytics\webcontent for these files, but the Cognos Gateway will look in folder D:\Program Files\ibm\cognos\analytics\webcontent\bi for the same files.


To prevent a scriptable report error when running the sample custom control reports, you need to change the sample reports as below (they are written to only work on port 9300).

The global Sales Report is a sample showing how to use a javascript file with a custom control. These are authored to work ‘out of the box’ via dispatcher but not via a gateway.

To use with a gateway you need to edit the custom control in the report to point to the correct path.

1. Open the ‘Global Sales’ report in Edit mode.
2. Select the custom control, which is the thin blue box underneath the Prompts, and view the properties.
3. In properties under General choose the ‘Module Path’ property and click the ellipsis.
4. By default this path is set to ‘/bi/samples/js/HideShowFilterPanel.js’
5. Please add your gateway to the front of this path so it reads something like: ‘/ibmcognos/bi/samples/js/HideShowFilterPanel.js’ (where ibmcognos is the name of your gateway virtual directory)
6. Save and re-execute the report.

Setup of jupyter notebook is not covered here, you have to follow the IBM documentation.


More information: