Product:
Cognos Controller 10.4.2
Microsoft Windows 2019 server

Issue:
After apply HTTPS and TLS 1.2 users can not login to Cognos Controller Client.

They get a error like:

an error occurred while trying to access the server.

Solution:

1. Open the registry editor, by clicking on ‘Start’ menu and typing:    REGEDIT
2. Navigate to the following path: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
3. Right-click on v4.0.30319 and select New –> DWORD (32-bit)
  • Set the name to: SchUseStrongCrypto
  • Set the value to 00000001

4. Navigate to the following path: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]

5. Right-click on v4.0.30319 and select New –> DWORD (32-bit)
  • Set the name to: SchUseStrongCrypto
  • Set the value to 00000001

More information:

https://www.ibm.com/support/pages/how-configure-force-controller-use-tls-12

Product:
Cognos Controller 10.4.2
Microsoft Windows 2019 server

Issue:

When setup HTTPS for Cognos Controller web, need to convert the jks file to keyfile.key and cert.cer

https://www.ibm.com/support/pages/how-install-controller-web

https://www.ibm.com/support/pages/how-configure-controller-web-use-ssl-https

Solution:

If you setup HTTPS/TLS/SSL for Cognos Analytics on the same server as you have Cognos Controller installed, then you may want to use that certificate for the Controller Web installation.

(This is a summary of some of the steps – you may need to do additional steps to get HTTPS to work for you).

CA11 is setup with commands like this:

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=cmica-configuring-cognos-analytics-components-use-another-certificate-authority

ThirdPartyCertificateTool.bat -c -e -p NoPassWordSet -a RSA -r "request.csr" -d "CN=servername.domain.com,OU=department,O=company,L=place,C=SE" -H "servername.domain.com"

Above to create a certificate request, that you can send to your company CA. This will update the CAMKeystore file in the install_location\configuration\certs directory.

The pem file you get from the company CA, needs to be separated up into 4 files with a certificate in each. You can use Notepad++ for this.

Then import the pem files with below command.

ThirdPartyCertificateTool.bat -i -T -r root.pem -p NoPassWordSet

ThirdPartyCertificateTool.bat -i -T -r issuing.pem -p NoPassWordSet

ThirdPartyCertificateTool.bat -i -e -r server.pem -t chain.pem -p NoPassWordSet

Update Cognos Configuration to HTTPS/443 and under Certificate Authority settings, click the Use third party CA property, and set its Value to True.

Save and restart CA11 service.

Import the p7b cert into IIS, and configure its bindings to use HTTPS.

Update the IIS settings with the file CA_IIS_CONFIG.BAT.

How to properly clear Microsoft’s Internet Information Service (IIS) configurations to setup new configuration of IIS to support IBM Cognos

Change Cognos Controller Configuration to support HTTPS.

https://www.ibm.com/support/pages/how-enable-ssl-https-cognos-controller

To get a key.jks file from the CAMkeystore, start IKEYMAN.EXE as administrator.

Open the D:\Program Files\ibm\cognos\analytics\configuration\certs\CAMkeystore file.

Select personal certificate: encryption and click on export button.

Select Export Key.

Select the folder where you want to store the key.jks file.

Press OK and set a new password: changeit

Then you have a key.jks file with the content of the CAMkeystore.

Put the *.pem files you created before in c:\cert\ folder and use below commands to import them in a key.jks file for controller web.

Start a DOS prompt and change to controller web folder:

cd d:\Program Files\ibm\cognos\ccr_64\fcmweb\jre\bin

keytool -keystore key.jks -importcert -file C:\Cert\issuing.pem -alias issuing1

keytool -import -trustcacerts -alias root1 -file C:\Cert\root.pem -keystore key.jks

keytool -importkeystore -destkeystore key.jks -srckeystore C:\Cert\key.jks -srcstorepass changeit

Restart the Controller Web service. Copy key.jks file in folder D:\Program Files\ibm\cognos\ccr_64\fcmweb\jre\bin to folder ..\lib\security.

 

Open d:\Program Files\ibm\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web\server.xml in Notepad++
Remove brackets around  “<feature>ssl-1.0</feature>”
Add below line last

</webApplication>
<keyStore id="defaultKeyStore" password="changeit" sslProtocol="SSL_TLS" />
</server>

Save the file and restart the Controller Web services.

Copy the file …jre\bin\key.jks to D:\Program Files\ibm\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web\resources\security folder.

Edit the file d:\Program Files\IBM\cognos\ccr_64\analytics\templates\ps\portal\variables_CCRWeb.xml to use correct port number 9081.

Edit the file com.ibm.cognos.fcm.web.properties in Notepad++ to have https instead of http.

Reboot the Cognos Controller Web server.

For the Cognos Controller Web frontend you need to extract the key and certificate from your jks file.

To extract the certificate for the server use this command:

keytool -export -alias encryption -file C:\Cert\cert.crt -keystore C:\Cert\key.jks

(The alias was encryption in the CAMkeystore file, therefor is it the same in the key.jks file)

To find if a certificate for a server exist in a jks file use this command:

keytool -list -v -srckeystore C:\Cert\key.jks | findstr "server001"

 

To extract the key from a jks file, you must first convert it to a pck12 file with this command:

keytool -importkeystore -srckeystore C:\Cert\key.jks -srcstorepass changeit -srckeypass changeit -srcalias encryption -destalias encryption -destkeystore C:\Cert\identity.p12 -deststoretype PKCS12 -deststorepass changeit -destkeypass changeit

Now you have the file identity.p12 that you can copy to a server where you have openssl installed, so you can export the key with command:

"D:\Program Files\Git\mingw64\bin\openssl.exe" pkcs12 -in D:\install\cert\prod\identity.p12 -nocerts -out D:\install\cert\prod\keyfile2.key

Copy both of the above resulting files (cert.crt keyfile2.key) to the following folder D:\Program Files\ibm\cognos\ccr_64\frontend.

Open config.js from folder D:\Program Files\ibm\cognos\ccr_64\frontend

Edit to

  • Proxies – options – target – port : 3443
  • Proxies – options – target – protocol : “https:
  • Proxies – options – secure : false
  • expressJs – port : “9081
  • Enable the ssl section, by uncommenting out the relevant lines

Save the file and and restart the Controller web service.

Check for errors in folder D:\Program Files\ibm\cognos\ccr_64\frontend\logs and D:\Program Files\ibm\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web\logs

Error like: Error: error:0906D06C:PEM routines:PEM_read_bio:no start line

Then you have to do the steps again – as one of the files are wrong.

 

In case the above jks does not work – do it again but with a pfx-file.

You can export a p12 file from IKEYMAN, then only rename the p12 file to pfx. Then you have a pfx file.

cd d:\Program Files\ibm\cognos\ccr_64\fcmweb\jre\bin

keytool -keystore key.jks -importcert -file C:\Cert\fromcamkey\issuecert.arm -alias issuing2

keytool -import -trustcacerts -alias root2 -file C:\Cert\fromcamkey\rootcert.arm -keystore key.jks

keytool -importkeystore -destkeystore key.jks -srckeystore C:\Cert\fromcamkey\camkey.pfx -srcstoretype PKCS12 -srcstorepass changeit

Then copy the pfx to your computer where OPENSSL is installed, and do this commands to get out the files to frontend folder.

"D:\Program Files\Git\mingw64\bin\openssl.exe" pkcs12 -in D:\install\cert\prod\camkey.pfx -clcerts -nokeys -out D:\install\cert\prod\cert3.crt

"D:\Program Files\Git\mingw64\bin\openssl.exe" pkcs12 -in D:\install\cert\prod\camkey.pfx -nocerts -out D:\install\cert\prod\keyfile3.key

Copy the cert3.crt and keyfile3.key to the folder D:\Program Files\ibm\cognos\ccr_64\frontend on controller web server.

Update the config.js file for above new file names.

Reboot the cognos controller web server.

 

 

More information:

https://security.stackexchange.com/questions/98282/difference-between-openssl-and-keytool

Keytool is a tool that comes with Java that works with KeyStores – it can create KeyStores and manipulate keys and certificates inside them. It can also create keys and sign certificates. So it is both a key generation and a KeyStore-file-administration tool.

OpenSSL works with standard formats (PEM/CER/CRT/PKCS/etc) but does not manipulate KeyStore files. It is possible to generate a key and/or certificate with OpenSSL, and then import that key/cert into a KeyStore using keytool, but you can’t put the key/cert into the KeyStore directly using OpenSSL.

Both OpenSSL and keytool have the same purpose: generating/storing keys and certificate(s) (chaines). The thing is that Java can only work with certificates/keys contained within its keystore (JKS). Those certificates and keys are generated using the keytool library, not by using openssl.

Java keytool will always need a keystore in order to store the certificates and keys it has generated, where this is not the case for openssl. Do note that OpenSSL can also be used to create a similar container, namely PKCS12 (.p12). This is a password protected container containing keys and certificates (just like Java’s keystore). However, it’s not compatible with Java… You’d need to convert the .p12 container to .jks before your Java application will be able to work on the certificates.

https://www.ibm.com/support/pages/controller-web-windows-services-keep-shutting-down-when-using-windows-server-2019-unsupported-controller-1031-or-1040

https://www.ibm.com/support/pages/how-export-private-key-and-public-key-keystore

https://dzone.com/articles/extracting-a-private-key-from-java-keystore-jks

https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

https://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html

 

 

Product:

Cognos Controller 10.4.2

Microsoft Windows 2019 server

Issue:

When testing the access to controllerserver application in iis you get an error (after you active HTTPS for the IIS website):

This when you test by browse to address: http://controllerservername.domain.com/ibmcognos/controllerserver/ccrws.asmx

Suggested solution:

Restart the Cognos Controller server or

Change the IIS manager to only use HTTPS bindings and not both port 80 and 443 on the default web site.

Clear the cache in your web browser before you test again.

 

More Information:

https://www.ibm.com/support/pages/how-upgrade-controller-1042x-later-interim-fix-if-fix-pack-patch-level

https://www.ibm.com/support/pages/how-enable-ssl-https-cognos-controller

https://www.ibm.com/docs/en/SS9S6B_10.4.2/com.ibm.swg.ba.cognos.ctrl_inst.doc/m_ctrl_inst_ibmbook.pdf

https://support.google.com/accounts/answer/32050

Product:

Cognos Controller 10.4.2

Microsoft Windows 2019 server

Issue:

When login to Cognos Controller client you get a error:

System.Web.Services.Protocols.SoapException: Server was unable to process request. —> System.ArgumentNullException: Value cannot be null.

Parameter name: uriString

at System.Uri..ctor(String uriString)

at System.Web.Services.Protocols.WebClientProtocol.set_Url(String value)

at Cognos.Controller.Common.CRNBridge.CRNBridge.set_EndPointURL(String sURL)

at Cognos.Controller.Proxy.CCRWS.GetUserInfo(String sGuid, String sUser, String passportId)

— End of inner exception stack trace —

at Cognos.Controller.Forms.Common.Main.DoLoginCognos8(Form& frm)

at CCR.AppContext.DoLogin()

at CCR.AppContext.Login()

Solution:

Check the IIS settings, you can be missing the ibmcognos or controllerserver application folder.

Check if you can browse from your Web browser to the server at https://controllerservername/ibmcognos/controllerserver/ccrws.asmx

If missing, reinstall them with ca_iis_config.bat or in IIS manager like;

Add the controllerserver application
• Right click on the ibmcognos entry, select Add Application from the popup menu
• Enter controllerserver in the Alias edit field
• Change the ‘Application Pool’ to be “.NET v4.5”
• Browse to the (CCR_installdir)\ControllerProxyServer path (typically d:\Program
Files\ibm\cognos\ccr_64\ControllerProxyServer) and click OK

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=security-verifying-configuration-iis-cognos-analytics-110

More information:

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=services-configuring-iis-in-cognos-analytics

https://www.ibm.com/docs/en/cognos-controller/10.4.2?topic=controller-configure-cognos

Product:
Cognos Controller 10.4.2
Microsoft Windows 2019 server

Issue:
How does the data flow in a FAP solution?

https://www.ibm.com/docs/en/cognos-controller/10.4.2?topic=format-fap-overview

Explanation:

 

The FAP database is the central point of the FAP process, of copying data from a cognos controller database to a tm1 cube.

Step 1) The Cognos Controller users enter data for the company, and it is stored in the Cognos Controller database on the SQL server. Inside the Cognos Controller database is data about the companies, accounts and values. The Cognos Controller users use the Cognos Controller client software on there laptop or a citrix server to interact with the system.

Step 2) It is the Cognos Controller server that communicate with the Cognos Controller database, and update and reads all the tables in there.

Step 3) The FAP windows service monitor the cognos controller database for any updates of data, if there is a update of data, then the FAP windows service copy that value over to the FAP database. It also update a reference number, so it know what values have already been copied over before from cognos controller database to the FAP database.

This reference number can come out of sync when you restart the TM1 instance, and then you need to reset it.

Step 4) The FAP windows service writes the controller data to the FAP database, and at regular intervals it calls to the TM1 instance to tell it to get more data from the FAP database. The FAP windows service create and active a TI process in the TM1 instance to collect data from the FAP database.

Step 5) The TM1 instance run a TI process to read the controller data from the FAP database tables, via a hard coded ODBC connection called: FAP. The ODBC FAP connection must point to the FAP database. The controller data is stored in a cube inside the TM1 instance. The name of the FAP cube is defined in the FAP configuration.

Step 6) in most solution, a TM1 consultant, have added extra TM1 TI process, that do additionally handling of the controller data in the TM1 cube. This TI process normally start with the name: ccr_ip_after_

https://www.ibm.com/docs/en/cognos-controller/10.4.2?topic=1042-fap-extension-points

Step 7) The FAP manager client only talks to the FAP database. It configure all tables that tell the FAP windows service what to do and when.

The source tab in FAP client, should point to the cognos controller database you want to read data from.

The data mart tab in FAP client, should point to the TM1 instance, where you want the cognos controller data to be published.

The FAP client settings, tells how often the data will be updated, and when the FAP service should clean out old log values from the log tables, and clean the temporary tables.

On the TM1 server it must exist a odbc connection named FAP, that point to the FAP database.

In many installations, there is also a odbc connection named controller, that should point to the cognos controller database.

More Information:

https://www.ibm.com/docs/en/cognos-controller/10.4.2?topic=ucfap1-introduction

https://www.element61.be/en/resource/why-engage-ibm-tm1-fap-top-your-consolidation

HAYNE Analytics

https://www.aramar.co.uk/ibm-analytics-suite/ibm-cognos-controller/

https://www.ibm.com/support/pages/how-perform-fap-reset-sequence-re-synchronise-controller-data-publishing-tm1

Many IBM partners have develop there own extension to the FAP solution.

https://addedo.com/wp-content/uploads/2020/05/addedo.Express.pdf

Product:
Cognos Controller Web 10.4.2
Microsoft Windows 2016 Server

Issue:
User can not login to Cognos Controller Web after update to HTTPS.

In folder D:\Program Files\ibm\cognos\ccr_64\frontend\logs

error in log file can be;

error from web proxy: { Error: Client network socket disconnected before secure TLS connection was established at TLSSocket.onConnectEnd (_tls_wrap.js:1088:19)
at Object.onceWrapper (events.js:277:13)
at TLSSocket.emit (events.js:194:15)

Solution:

Check that the local windows firewall allow connections on port 3443.

Add a inbound rule that allow communications on port 9080,9081,3443,3000.

Controller web ports are set in the config.js and server.xml file.

<httpEndpoint host="*" httpPort="3000" httpsPort="3443" id="defaultHttpEndpoint">
<httpOptions removeServerHeader="true" />
</httpEndpoint>

More information:

https://www.ibm.com/support/pages/server-not-reachable-or-still-initializing-handshake-failure-signer-might-need-be-added-local-trust-store-ccr-ws-api-not-initialized-yet-errors-controller-web-caused-keystore-file-keyjks-containing-wrong-information

https://www.ibm.com/support/pages/node/883036

https://www.ibm.com/support/pages/controller-web-does-not-work-when-installed-same-server-cognos-analytics

https://www.ibm.com/support/pages/how-configure-controller-web-use-ssl-https

Product:

Cognos Controller Web 10.4.2

Microsoft Windows 2016 server

Issue:

When change Controller Web configuration, user can not login to Controller web. You get a error in the log file that it does not work.  There could be error like this:

[ERROR   ] CWPKI0033E: The keystore located at d:/Program Files/ibm/cognos/ccr_64/fcmweb/wlp/usr/servers/fcm.web/resources/security/key.jks did not load because of the following error: Keystore was tampered with, or password was incorrect…

Check log file D:\Program Files\ibm\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web\logs\messages.log

Check log file D:\Program Files\ibm\cognos\ccr_64\frontend\logs\fcmwebui-stderr.2022-09-13.log

Server ip written in backend-url.js!
Express server listening on port 9080
error from web proxy: { Error: connect ECONNREFUSED 192.168.1.71:3443
at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1097:14)
errno: ‘ECONNREFUSED’,
code: ‘ECONNREFUSED’,
syscall: ‘connect’,

 

Solution:

Check that you use the same password for your PFX file you import certificate from as you use for the key.jks file you created for the Controller Web setup.

Update the file config.js in folder D:\Program Files\ibm\cognos\ccr_64\frontend to correct password

…..

},
“secure”: false //set this to false when you use custom certificates for Controller Web
}
}],

…..
“ssl”: {
// certificates
“key”: fs.readFileSync(__dirname+”/keyfile.key”), //__dirname points to ccr_64\frontend
“cert”: fs.readFileSync(__dirname+”/cert.crt”),
“passphrase”:”TheNewPasswordHere
}…..

Update the file server.xml in folder D:\Program Files\ibm\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web to correct password

….

</webApplication>
<keyStore id=”defaultKeyStore” password=”TheNewPasswordHere” sslProtocol=”SSL_TLS” />
</server>…..

Save the changes and restart all 3 IBM Cognos Controller Web services.

Wait at least 20 minutes for it to load fully, before you test.

 

More information:

https://www.ibm.com/support/pages/server-not-reachable-or-still-initializing-handshake-failure-signer-might-need-be-added-local-trust-store-ccr-ws-api-not-initialized-yet-errors-controller-web-caused-keystore-file-keyjks-containing-wrong-information

https://www.ibm.com/support/pages/node/883036

https://www.ibm.com/support/pages/controller-web-does-not-work-when-installed-same-server-cognos-analytics

https://www.ibm.com/support/pages/how-configure-controller-web-use-ssl-https

Product:

Cognos Controller 10.4.2
Microsoft Excel 2013
Microsoft Windows 2019 server

Issue:

Data entry does not work in Cognos Controller Client for a few users on the Citrix platform.

Error message:

ControllerForms12 … Object variable or With block variable Object reference not set … ActivateDataEntryForm…

Error launching menu item “Controller Link”

Unable to get the FullName property of the addin class at System.Runtime.Type.ForwardCallToInvokeMember .. a WrapperTypes.

Suggested solution:

Open Excel that is used with Cognos Controller for the user who have issues.

Go to Options – Add-ins, click on the Go button at the bottom for Excel Add-Ins.

Uncheck the link for “Cognos Controller Link for Microsoft Excel” add-in, press OK, and exit excel.
Log off Citrix session and log off Citrix Connection Center.
Log out from your computer and log in again.
Start Excel in Citrix as before.

Go to Options – Add-ins – Go button for Excel Add-ins.

Click on Browse

Find C:\Program Files\ibm\IBM Cognos Controller Local Client\adxloader.Controller.ExcelLink.dll
Click Open.
On question that “a file named C:\Program Files\ibm\IBM Cognos Controller Local Client\adxloader.Controller.ExcelLink.dll  already exists in this location. Do you want to replace it?” Click YES.
Remove any other add in, that can interfere, like Thinkcell.
Click OK
Exit Excel.

Start Cognos Controller client and try again.

Ensure the user have the same version of Excel on Citrix as on other Citrix servers or on her laptop.

More Information:

https://www.ibm.com/support/pages/apar/PI49914

https://www.ibm.com/support/pages/unable-get-fullname-property-addin-class-when-attempting-log-controller-link-within-controller 

https://www.ibm.com/support/pages/standard-error-controllerforms-openworkbook-object-reference-not-set-when-opening-or-switching-between-data-entry-forms

https://www.ibm.com/support/pages/standard-error-number-5-server-was-unable-process-request-different-menu-items

Product:
Cognos Controller Web 10.4.2
Microsoft Windows 2019 server

Issue:

After applied a DNS alias to the Cognos Controller server, the users can not login to the Controller Web.

They get a error like Server is not reachable or still initializing, please refresh the page in a few seconds

Solution:

You must update the D:\Program\ibm\cognos\ccr_64\frontend\config.js file with the URL the end user will use to access Cognos Controller Web.

If you change it from a server-name to a DNS alias, then open config.js in notepad++

 //Details for Controller UI service 
"expressJs": {
"host": "cognoscontroller.domain.com", //interface used by Controller Web UI Service
"port": "9080", //port used by Controller Web UI Service
"options": {

Change the interface value to your DNS alias. The controller web backend connection at line 14 can be left with the server host name.

Save the file.

Restart the 3 Controller web services.

More Information:

https://www.ibm.com/support/pages/troubleshooting-server-not-reachable-or-still-initializing-please-refresh-page-few-seconds-error-launching-controller-web

Product:
Cognos Controller 10.4.2
Microsoft Windows 2019 server

Issue:
After upgrade of Cognos Controller to a new version, the users get a error message when they start Cognos Controller Client program.

“The version of Controller requires database version 992.”

Solution:

Wait for the IT department to upgrade the Cognos Controller Client installation on the Citrix server you are using. Cognos Controller 10.4.2 use database version 1010.

More Information:

https://www.ibm.com/support/pages/ibm-cognos-controller-builds-ccr-name-and-database-version

https://www.ibm.com/support/pages/how-install-controller-local-client