Planning Analytics 2.0.5
Microsoft Windows server 2016

When open the tm1server.log file, the time is 2 hour off the local time or so. This is because default all tm1 logging is done in GMT time.

Create a file with below content and place it in same folder as your tm1s.cfg file.

# Enable INFO level logging through the shared memory appender, by default. The server # will write informational messages, as well as errors and warnings to the log file.

log4j.logger.TM1=INFO, S1

# S1 is set to be a SharedMemoryAppender
# Specify the size of the shared memory segment
log4j.appender.S1.MemorySize=5 MB
# Specify the max filesize
log4j.appender.S1.MaxFileSize=100 MB
# Specify the max backup index
# Specify GMT or Local timezone
# adds info about process locks to the tm1 server log file

More Information:

Planning Analytics 2.0.5
Microsoft Windows 2016 Server

How move NTFS and File Share security to a new server? We have shared a MANUALINPUT folder on the TM1 server, where selected users can update text files with data. This csv file are read into the TM1 application with use of a TI process. Now we setup a bigger Windows server and want to move over the windows security setup.

Suggested solution:
Test this steps in a test server first, to ensure they work in your environment.

You have created the folder d:\tm1app\manualinput
Login on your old TM1 server and open a command prompt as administrator.
Enter this command to save the security:
icacls d:\tm1app\manualinput /save ntfspermissions.txt /c
Copy the txt file over to the new PAL server
Enter this to restore the security:
icacls d:\tm1app /restore ntfspermissions.txt /c

/t parameter to icacls will include all subfolders in the security file.

The user that have access to the file share is stored in the registry, so on your old TM1 server you need to open REGEDIT.

Expand Regedit to the following location:
Right-click the Shares registry key and select Export. Enter a file name like sharepermissions.reg.
Copy the reg file to the new PAL server.
Open the reg file in notepad, to ensure you only got the SHARES you want to be there.
If there are extra shares you do not want on the new server, erase this lines and save the file.

Open Regedit and go to HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
Right-click the Shares registry key and select Export. Enter a file name like backuppermissions.reg. This to have a backup of the settings in registry before you apply the new values.
Double click on the reg file from the other server, to import the values.

After the file is imported, you have to reboot the windows server to make the change take affect.

Note that the servers need to be in the same domain, for this to work, so the users are the same in both servers.

More information:

Planning Analytics Workspace 39
Linux Centos (similar to Red Hat)

How upgrade PAW to version 39?

Download the latest version of PAW from here

Backup will restart the services.
Login to the Linux server with PUTTY
Change to the docker user with command sudo su – dockeruser
go to the paw folder, in our example that is /ibm/paw
cd /ibm/paw

go to the scripts folder, and run the backup script
cd scripts

After the backup is done, the PAW should work as before.

The backup is stored in folders under /backup as shown above.

Create folders

To be able to change owner of file you need to be root, change to root user with command:
su –

Create the new folder for paw39 with command mkdir /ibm/paw39
Start WINSCP to copy the file to your linux server from windows.
Move to the folder where the ipa file is stored, and to the folder where you want it. Drag the file over in the WINSCP program.

Set the rights for the file in the WINSCP program, so the others have access to the file.

Go back into PUTTY.

Go to the folder and unzip the file with command:
unzip  -d /ibm/paw39

Go into the folder /ibm/paw39 and set the owner of all the files in the folder and sub-folders with this command
chown -R  dockeruser:docker ./*

Copy config files from old installation

Copy the <paw_install_location>/config/paw.env file from your current installation to the new
installation folder.
cd /ibm/paw/config
cp /ibm/paw/config/paw.env   /ibm/paw39/config/paw.env

Copy the certs folders files
cp /ibm/paw/config/certs/*.* /ibm/paw39/config/certs/

Copy the pa-workspace.pem file to the new folder
cd /ibm/paw39/config
mv pa-workspace.pem pa-org-workspace.pem
cp /ibm/paw/config/pa-workspace.pem /ibm/paw39/config/pa-workspace.pem

Copy the privatekey.pem to the new folder
cd /ibm/paw/
cp privatekey.pem /ibm/paw39/privatekey.pem

The files you copy depend on your installation.
Stop PAW services
Go to the scripts folder and enter command:
./ stop

Check that all is stopped with command:
docker ps

Rename folders

mv paw paw35
mv paw39 paw

Start paw
Change to dockeruser with command
sudo su – dockeruser

Update the paw.env file with the ip address that should be used

nano -w paw.env

Update the file with the path to the docker-compose folder if it is not accessible as default

nano -w
export PATH=$PATH:/ibm/comp/

Enter ctrl+o to save the file, press enter.
Enter ctrl+x to exit nano text editor.

Enter command below in PAW folder to start paw upgrade.


Press Y to upgrade
Press Y to start IBM Planning Analytics Workspace Administration Tool.

Scroll down and and accept the IBM License and Non-IBM License to continue.

Check that the TM1 Application Server Gateway URI and the other values is correct, and press Validate.

Click on Status tab and click on Restart button.  Wait until all is started and test that it is working.

Stop the Administration Tool from PUTTY before you leave the Linux server.

To go into the linux container to run ping from inside the docker, enter this command:
docker exec -ti admintool bash

Install the new Agent

Surf to you new Planning Analytics Workspace and login. If you are administrator there is a new icon to administrate the TM1 instances. Click on the icon.

On the left lower corner you can see the version of PA Agent at your server. If you run TM1_version=TM1-AW64-ML-RTM- TM1_name=IBM Cognos TM1, you have agent
Click on the download link to download the PA Agent that ships with PAW 39 to your computer.

Click on Download and save the file to a new folder on your computer.

Copy the file to a folder on the PAL server and unzip it. Open a CMD window as administrator, and go to the folder where you have the new PAA Agent files. Enter this command to install the new agent:

UpdatePAAAgent.bat  “c:\program files\ibm\cognos\tm1_64\”

You need to add the path to your TM1 instances folders in the file, the TM1 samples work as they are already added at default.

To make mail notifications to work, you need to update this lines in above file;


Enter values for your SMTP server, also update the PAA_EMAIL_ADDRESS ( ) field.
Restart the “IBM Planning Analytics Administration Agent” to make the changes take affect.

More information:
How set a static ip address on Linux

How install docker on Linux
To Install required packages before docker, enter this:
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
sudo yum-config-manager –add-repo

To download the latest version of docker download this:
sudo yum install docker-ce docker-ce-cli

To start and make docker stay started after reboot enter this:
systemctl start docker
systemctl enable docker

To download docker-compose enter this exact command:
sudo curl -L “$(uname -s)-$(uname -m)” -o /usr/local/bin/docker-compose

To change to execute, for this file:
sudo chmod +x /usr/local/bin/docker-compose

Check the version, with this command, to see that it works:
docker-compose version

Planning Analytics Workspace version 38
Planning Analytics 2.0.5
Linux Red Hat 7

A security scan show that the PAW on port 443 try to use old ciphers sets.

The server is configured to support ciphers known as static key ciphers. These ciphers don’t support “Forward Secrecy”. In the new
specification for HTTP/2, these ciphers have been blacklisted.
Negotiated with the following insecure cipher suites:
TLS 1.1 ciphers:
TLS 1.2 ciphers:

Possible Solution:
Configure the server to disable support for static key cipher suites.

Login to the PAW Linux server with PUTTY.
Change to the user who have access to the paw folder (e.g. dockeruser).
Go to the /ibm/paw/config folder.
Check the content of defaults.env with the command  more defaults.env  to see the current used values.
Open paw.env file with command  nano paw.env
Add below two rows;
export SSLProtocol=”all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1″
Save the file with ctrl+o
Exit nano program with ctrl+x
Restart the PAW server.

Check this link for what values to set in SSLCipherSuite:
If it does not work, revert back to the original settings shown below, by simple remove the two lines from the paw.env file.

export SSLProtocol=”all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1″
above means all protocols except the one listed after the minus, so no SSLv2 or SSLv3 or TLSv1 or TLSv1.1, leaving only TLSv1.2 to show.

The way you created the certificate request when you setup SSL(TLS) for PAW, can affect the ciphers you can use.

More Information:

Planning Analytics 2.0.5
Microsoft Windows 2016 server

A security audit list that the access to TM1 Admin service is not enough secure. Port 5498 and 5898 show this;
Negotiated with the following insecure cipher suites:
TLS 1.0 ciphers:
TLS 1.1 ciphers:

Vulnerability Solution:
Enable support for at least one of the ciphers listed below:

Possible solution:
Inside the Cognos Configuration the TM1 Admin server value for Support pre-TLS v1.2 clients are set to TRUE, this should be set to False to solve above issue.

Change to FALSE,
Save settings.
At the restart of the TM1 Admin Server, all the TM1 running instances will be restarted, this can take time. Do this at a planned date.

More information about ports:

Ports used by CA11

Ports used by PAL

This can also help secure the TM1 Admin service;

TM1 Admin Server Certificate Version Specifies which version of the TM1 generated certificates to use.

By default, the 1024-bit encryption version of the TM1 generated certificates is used.

Change this property only if you want to use the new 2048-bit encryption version of the default certificates. You can use the new version with old and new TM1 clients, but you must configure the clients to use the new certificate authority file.

Note This property does not apply if you are using your own certificates.

Valid values include:

  • 1 – Enables certificate authority for 1024-bit encryption with sha-1 (default value)
  • 2 – Enables certificate authority for 2048-bit encryption with sha-256

Planning Analytics 2.0.5
Planning Analytics Workspace 2.0.38

Error message when I on some TI processes in PAW, right click and select Edit Process. Other process work fine to open in PAW.

Error Message:

{“errorMessage”. “Error: Internal Server Error\r\nSystemOutOfMemory\r\n\r\n”, “/api/v1/Cubes (‘cubename’)/Views(‘All’)/tm1.Execute”,”httpStatusCode”:500)

The paw is try to show a to large preview of the selection. If the process have a cube view as data source, and that is large, like All, then you can get this error. It will work for a smaller cube view. When you edit a TI process in TM1 Architect, this error does not show.
If you check the TM1SERVER.LOG you will find this message;
8024 [34] WARN 2019-03-04 09:30:44.083 TM1.Server.Memory al_Alloc() outOfMemory Exception <<< MEMORY_TEMP_POOL_EXCEEDED >>> MaximumViewSize memory exceeded – apifunc# “0” – pool# “0” – poolsize “201318656.000000”

You can get same behavior in TM1 Architect, if you open a cube, and try to view all content.
TM1 Error
All: Maximum memory for action exceeded.
View may be too large.
Operation aborted.

Then in TM1SERVER.LOG the error is like this:
4908 [22] WARN 2019-03-04 11:52:24.469 TM1.Server.Memory al_Alloc() outOfMemory Exception <<< MEMORY_TEMP_POOL_EXCEEDED >>> MaximumViewSize memory exceeded – apifunc# “326” – pool# “0” – poolsize “201318656.000000”

You can still edit the TI process, so this warning should not be of a concern.
Check your TM1S.CFG file so the value MaximumViewSize is not set to a low value. In most cases you should manage with the default values.

More Information:

Planning Analytics 2.0.5
internet Explorer 11
Firefox Quantum

After apply SSL in TM1WEB, the node for a contributor application show a blank page in IE. But it works fine in Chrome.
No error message in IE, but in Firefox you get this message:
The information you have entered on this page will be sent over an insecure connection and could be read by a third party. Are you sure you want to send this information?

Background – how to setup SSL in TM1WEB for Planning Analytics;

Go to the pmpsvc start page at
Click on the icon for “Administrator IBM Cognos TM1 Applications”

Under clients mark the “TM1 Application Web” and click on blue Edit link.

Change the URL from

Click OK
Click OK

Try now again to open the node in TM1 Application Web with Internet Explorer.

The servername and port number should be changed to the ones you are using in your setup of PA2.

More Information:

Planning Analytics 2.0.4
Microsoft Windows 2012 R2
Cognos Analytics 11.0.9
IE 11

When use surf to the TM1 Web Applications portal (pmpsvc) there are no applications listed. If you access the portal from inside Performance Modeler, the applications are listed, so the users have access rights inside the TM1 applications. In PM you use the link

Inside Internet Explorer untick the use of compatibility view settings;
In IE go to the icon for settings menu.
Click on Compatibility View Settings.
Deselect Display intranet sites in Compatibility View.
Deselect Use Microsoft compatibility lists.
Click Close.
Close your Internet Explorer browser.
Launch your Internet Explorer 11 browser and clear the cache.

Surf to to test again.

Planning Analytics 2.0.5
Microsoft Windows 2016 Server

I want a list of all TM1SERVER.LOG files on the servers D drive, to find what TM1 instances applications logs I should inspect with my log file monitor software.

Suggested Solution:
On one of the servers, log in as a local administrator, that also are  admin on all the other servers.
Create a text file with the names of the servers.
Enter one server name per row, like this
Save the file as tmservers.txt

Create a CMD file with this content:
for /F %%a in (tmservers.txt) do (
net use z: \\%%a\d$
cd \
dir /s /b tm1server.log > d:\temp\%%a.txt
net use z: /d
Save the file as tm1list.cmd

Go to a DOS prompt as administrator and run above file.

It will create a file for each server in the d:\temp folder on the server where you run the cmd file.
Each file will have the servername as filename, in the file will be a list looking something like this;


Z is the D drive on the server.

The path is different, depends on where you store the TM1 instances.

More information

Planning Analytics for Excel (PAX) version 35
CORREDIST_name=IBM Planning Analytics for Excel
Microsoft Excel 365 64 bit Version 1803 (Build 9126.2336 Click-to- run)

After installation of PAX on Windows 7 with Office 365, you only can get PAX add in to work if you start Excel as “Run as Administrator”. If you start Excel as normal user you are missing the add-in “IBM Framework for Office”.

Suggested solution:

If you can not manually add the COM Add-ins, you can create a file and add below values to registry on client computer:

Windows Registry Editor Version 5.00

@=”Connect Class”


“Description”=”IBM Framework for Office”
“FriendlyName”=”IBM Framework for Office”

“Description”=”IBM Framework for Office”
“FriendlyName”=”IBM Framework for Office”

You can save above in NOTEPAD, name the file addvalues.reg. Then if you double click (to run it) on it it will add the values to registry on your computer (if you have the rights to do so).

More information:

Planning Analytics for Microsoft Excel is available as a 32-bit or 64-bit installation. The corresponding installation must be installed on either the 32-bit or 64-bit version of Microsoft Office.

Before you update and install components, ensure that the following statements are true:

You have administrative privileges on the computer.
Microsoft .NET Framework 4.6.1 or later is installed.
Any previous version of IBM Planning Analytics for Microsoft Excel is uninstalled.
If you are installing a version of Planning Analytics for Microsoft Excel that is older than the version currently installed, back up your connection data. Replacing a newer version of Planning Analytics for Microsoft Excel with an older version might cause your connection data to be lost.
Acquire the appropriate license to use your IBM Cognos for Microsoft Office product.
Configure your antivirus software to allow or unblock connections from the following two applications:
Microsoft .NET Runtime
Microsoft Excel

Depending on version of PAX office click-to-run is supported:

How Check NET framework

To find .NET Framework versions by viewing the registry (.NET Framework 4.5 and later)
  1. On the Start menu, choose Run.
  2. In the Open box, enter regedit.exe.

    You must have administrative credentials to run regedit.exe.

  3. In the Registry Editor, open the following subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full

    Note that the path to the Full subkey includes the subkey Net Framework rather than .NET Framework.


    If the Full subkey is not present, then you do not have the .NET Framework 4.5 or later installed.

    Check for a DWORD value named Release. The existence of the Release DWORD indicates that the .NET Framework 4.5 or newer has been installed on that computer.