Product:
Planning Analytics 2.0.8
Microsoft Windows 2016 server

Problem:
What is the requirements for the windows service account to run TM1 servers?

Solution (from IBM web):

User accounts for running TM1 services on Windows

https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_tm1serviceaccount_n701df.html

The account must have the following privileges on the local computer:

Act as part of the operating system

Bypass traverse checking

Increase quotas (Adjust memory quotas for a process)

Replace a process level token

Log on as a service

Have read and write privileges on the Windows Registry item

If you use “local system” you will not be able to use Kerberos, or have access to read csv files from external file shares.

https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_integratedlogin_nc0007.html#IntegratedLogin_NC0007

In integrated login mode (security mode 3), TM1 authentication compares the user’s domain-qualified Microsoft Windows login name to the contents of the UniqueID element of the }ClientProperties cube.

If there is a match, the user is authenticated to TM1. If Active Directory groups have been imported into the TM1 Server, Active Directory group memberships are honored.

If no match is found, TM1 displays an error message stating that the client name does not exist. TM1 Server does not prompt for login information.

Users who want to access TM1 data in a server that is configured for integrated login must authenticate to Microsoft Windows first and then use TM1 clients to access the TM1 Server.

https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/t_settingupintegratedloginmanually_nc0644.html

1. Run ETLDAP and import the user and group information from your LDAP server, as described in Running ETLDAP. Or update the }ClientProperties cube with other TI scripts.
   
2. Shut down the TM1 Server.
3. Edit the following parameters in the tm1s.cfg file located in your TM1 Server data directory:
   • Set the IntegratedSecurityMode parameter to 3.
   • Set the SecurityPackageName parameter to the security protocol you use for integrated login.

   In the following example, the server is configured to use Kerberos.

   [TM1S]
   SecurityPackagename=Kerberos
   IntegratedSecurityMode=3
   Servername=myserver
   DatabaseDirectory=datafiles

4. Save and close the tm1s.cfg file.
5. Restart the TM1 Server.
6. Optional: Configure the TM1 clients to use integrated login by setting the Use Integrated Login option in the associated user interface.

Follow the directions from IBM knowledge articles for most accurate information.

https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_parametersinthetm1s.cfgfile_n1503fe.html

More Information:

Enabling Cognos single signon to use Kerberos authentication with constrained delegation

https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_inst_sso_active_drctry_constrained_del.html

You must configure the constrained delegation in the Active Directory Users and Computers administration tool. On the Delegation tab for all users (IISUser, CognosCMUser, and CognosATCUser), you must select Trust this user for delegation to specified services only and Use Kerberos only to use Kerberos with constrained delegation. Select Trust this user for delegation to specified services only and Use any authentication protocol if you are using the S4U Kerberos extension.

Product:
Planning Analytics 2.0.8  TM1_version=TM1-AW64-ML-RTM-11.0.8.37-0
Microsoft Windows 2016 server

Problem:
During installation of Planning Analytics on a new server, the server reboots.
Further investigation show that if you do not select to install “Performance Modeler” then the installation works. There are no errors in the Windows Event log for this issue.

Solution:
Remove McAfee virus software totally from server.

If you copy out the performance modeler msi file and only run installation of that you get this message from the anti-virus software.

You can create a cmd file with this content to run the installation;
msiexec /i “c:\temp\PerformanceModeler64.msi” /L*V “c:\temp\mypm.log” TARGETDIR=”c:\Program Files\pm” ALLUSERS=1

That will give a log file in folder c:\temp, that you can check for errors.

When you run new Planning Analytics Workspace installation on the same Windows server 2016, it will give this error if McAfee is installed.

The Start.ps1 file uses the file Debug-ContainerHost.ps1 to check for the program. The McAfee program need to be removed, not only stopped for the PAW installation to proceed.
if ($null -ne (Get-Process mcshield -ErrorAction Ignore) -Or (Get-WmiObject -class Win32_SystemDriver -Filter “DisplayName LIKE ‘%McAfee%'” | Where-Object -Property State -eq ‘Running’ | Measure-Object).Count -ne 0) ….

More Information:

https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_paw_install_prereq.html

https://docs.docker.com/engine/security/antivirus/

Product:
Planning Analytics for Excel 2.0.8
Microsoft Excel 365 ProPlus version 1902 (Build 11328.20480 Click-to-Run)
Windows 10

Problem:
New install of PAX to client computer with Excel. After login, some areas is blank, and you can not select the dimensions elements you want.

Suggested Solution:
Inside your excel program go to options.
Change the [General -> User Interface Options] setting in the Excel options to ‘Optimize for Compatibility’
Exit excel and start it again.

More Information:
https://www.ibm.com/mysupport/s/question/0D550000061n93lCAA/planning-analytics-for-excel-options-window-is-completely-blank?language=en_US

Product:
Planning Analytics 2.0.6
Microsoft Windows 2012 server

Problem:
How make a subset of a dimension, where i want all elements that start with BSA* and some other letters, like BSB and BSC?

Suggested Solution:
In your prolog section of the TI process, use UNION, similar to this:

sSubset=’export’;
pDim13=’company’;

StringMDX = ‘ (UNION(
(UNION (
{UNION( { TM1FILTERBYPATTERN( {TM1FILTERBYLEVEL( {TM1SUBSETALL( [ ‘ | pDim13 | ‘ ] )}, 0)}, “BSA*” ) } ,
{ TM1FILTERBYPATTERN( {TM1FILTERBYLEVEL( {TM1SUBSETALL( [ ‘ | pDim13 | ‘ ] )}, 0)}, “BSB*” ) } )} ,
{UNION( { TM1FILTERBYPATTERN( {TM1FILTERBYLEVEL( {TM1SUBSETALL( [ ‘ | pDim13 | ‘ ] )}, 0)}, “BSC*” ) } ,
{ TM1FILTERBYPATTERN( {TM1FILTERBYLEVEL( {TM1SUBSETALL( [ ‘ | pDim13 | ‘ ] )}, 0)}, “BSD*” ) } )} )) ,
(UNION (
{UNION( { TM1FILTERBYPATTERN( {TM1FILTERBYLEVEL( {TM1SUBSETALL( [ ‘ | pDim13 | ‘ ] )}, 0)}, “BSE*” ) } ,
{ TM1FILTERBYPATTERN( {TM1FILTERBYLEVEL( {TM1SUBSETALL( [ ‘ | pDim13 | ‘ ] )}, 0)}, “BSF*” ) } )} ,
{UNION( { TM1FILTERBYPATTERN( {TM1FILTERBYLEVEL( {TM1SUBSETALL( [ ‘ | pDim13 | ‘ ] )}, 0)}, “BSH*” ) } ,
{ TM1FILTERBYPATTERN( {TM1FILTERBYLEVEL( {TM1SUBSETALL( [ ‘ | pDim13 | ‘ ] )}, 0)}, “BSJ*” ) } )} ))
)) ‘;

SubsetCreatebyMDX( sSubset ,StringMDX);

This can be solved in other ways, this is only a suggestion.

More Information:

http://www.wimgielis.com/tm1_mdxstatements_EN.htm

https://www.bihints.com/book/export/html/68

https://www.ibm.com/support/knowledgecenter/en/SS9RXT_10.2.2/com.ibm.swg.ba.cognos.tm1_ref.10.2.2.doc/c_tm1-specificmdxfunctions_n20311.html

Product:
Planning Analytics 2.0.6
Microsoft Windows 2016 server
Planning Analytics Administration Agent version 1.0.36.736

Problem:
When starting the PAA Agent in windows after change from local system to a windows service account, you get a error. The service account works on the other IBM Cognos TM1 services, only the IBM Planning Analytics Administration Agent that does not start.

Error msg in Windows event log can be:
The IBM Planning Analytics Administration Agent service terminated with the following service-specific error:
Incorrect function.

Solution:
Check that the Windows Service account is local administrator on the Planning Analytics server.
The PA Agent needs more local rights to read the files in folder D:\Program Files\ibm\cognos\tm1_64\paa_agent, than the other IBM Cognos TM1 service does.

You can find the message.log file here D:\Program Files\ibm\cognos\tm1_64\paa_agent\wlp\usr\servers\kate-agent\logs, that can contain more error messages.

The python code that can give some of the message is in folder; d:\Program Files\ibm\cognos\tm1_64\paa_agent\wlp\usr\servers\kate-agent\kateagent\scripts\status.py

More information:

https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_install_paa_local_on_windows.html

Instructions to configure and start PAA Agent:

1. Open Windows “Services” desktop application
2. Stop “IBM Planning Analytics Administration Agent” service, if running
3. Navigate to <PA install directory>\paa_agent\wlp\usr\servers\kate-agent
4. Open the bootstrap.properties file in a text editor
5. Set the full path of directory containing TM1 databases data directories to SERVERS_DIR. Multiple paths must be separated by semicolon.
E.g. SERVERS_DIR=C:\tm1\samples\tm1\;C:\prod\servers\
6. Save and close the bootstrap.properties file
7. Start “IBM Planning Analytics Administration Agent” Windows service
8. PAA Agent is now ready to use

Product:
Cognos Analytics 11.1.3
Planning Analytics 2.0.6
Microsoft Windows 2016 server

Problem:
When run a CA11 report against a Tm1 Cube, you get this error;
XQE-MD-0007 Unable to establish a metadata connection to data source /content/package
DIM-ERR-1007 Det gick inte att efterfråga kubinformation för datakällan. Kontrollera anslutningssträngen och se till att servern är tillgänglig.

Solution:
The user who runs the CA11 report must have access to data in the TM1 cube.
Go in to TM1 Architect, and right click and select Rights – clients/groups dialog.
Check the user belongs to some of the security groups.
For a quick test, mark your user as ADMIN.
Click OK.
And log out from CA11 and in again, try the same report again.

If you get the below error when you run a Cognos Analytics 11 report;
QE-DEF-0157 The model or package /content/folder does not exist or you are not allowed to use if because of security settings.

Then it can be that the FM package is deleted.

Click on search icon on the left in Cognos 11, and search for the package name. If you find it, check that the user group the user belongs to have “run” rights, on the package.
More Information:
https://www.ibm.com/support/pages/dim-err-1007-failed-query-cube-information-data-source-when-using-planning-analytics-data-server-connection
https://www.ibm.com/support/pages/dim-err-1007-failed-query-cube-information-data-source-tm1

https://www.ibm.com/support/pages/package-permissions-errors-qe-def-0157

Product:
Planning Analytics 2.0.8 workspace
Microsoft Windows 2016 datacenter

Problem:
When surf to paw (on a windows 2016) server and you enter name and password for the TM1 native login method. The screen flickers, and nothing happens. You see the blank login screen again.
If you surf from a local computer it works fine, it is only when you surf over a VPN tunnel from a partners laptop, you can not login.
If you surf to the PAW (http://servername.domain.com/) from a server, there is no problem – it works fine.

Solution:
Check your antivirus program – so it is not stopping the connection because it is unsecured.

For example; Bitdefender internet Security can have a policy: Feature: Online Threat Prevention
“Privacy threat blocked
An attempt to send your password unencrypted was about to occur on servername. We blocked the connection to stop your private data from being exposed and tampered with.”

Click on Add to exceptions, and add the PAW server to you internet security programs exceptions list.
Other solution is to add HTTPS to you paw server.
https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/t_paw_enable_ssl.html

Ensure also that you are not using the same sub-net as the paw docker network. Normally docker paw network is a 172.x.x.x network.
You update docker network in file C:\ProgramData\docker\config\daemon.json with the following contents:
{
“fixed-cidr”: “192.168.80.0/24”
}

You need to restart docker.

More information:
https://www.ibm.com/support/pages/troubleshooting-planning-analytics-workspace-related-docker-issues
https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_paw_trbl_cant_access_over_vpn_ip_address.html

https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/architecture

https://forums.docker.com/t/ip-address-for-container/27454/4

https://www.eiseverywhere.com/file_uploads/b16ad176a58e3a9a360d66f1a4009c4e_Plan_IBMPlanningAnalyticsLocal_SoufianeAzizi.pdf

http://www.pantarhei.at/wp-content/uploads/2018/06/PAW-Local-Distributed-Soufiane-Azizi.pdf

Product:
Planning Analytics 2.0.8
Planning Analytics Workspace 45
Microsoft Windows 2016 server

https://www.ibm.com/support/pages/ibm-planning-analytics-pa-workspace-and-pa-microsoft-excel-fix-list

Problem:
After a reboot of the server, the docker service does not start. If you login to server and click on start in the service manager it will start. Ensure that you wait 5 min before testing with “start”.

Suggested Solution:
Check the format of the c:\programdata\docker\config\daemon.json file.
If it contain illegal characters, the docker service will not start.

If you enter docker ps or docker version to see running containers you get this message:

If you check the C:\ProgramData\docker\panic.log you may see this:

Failed to fire hook: The interface is unknown lock: = it did not get the response it needed in time, but windows service will try again in a few minutes,  so wait an see if it starts.

If you check the windows event log, you may see this:

Open the file c:\programdata\docker\config\daemon.json in NOTEPAD++
ensure it looks correct, and do not have any errors.

Debug parameter will write more information in the Windows Event log for Docker. When you have issues with Docker, check the Windows Event log for any errors.

You can copy the text in the json file to this site, to validate https://jsonformatter.curiousconcept.com/

There can be other causes, for this problem, that the docker service does not start.

Ensure that one network cards is prioritize, and that your DNS is working from this server.

You need also at least 4 cpu and 32 GB ram on the PAW server.

More information:
https://blogs.msdn.microsoft.com/jikuma/2018/03/19/error-pipedocker_engine-access-is-denied-in-the-default-daemon-configuration-on-windows/
https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#set-docker-security-group
https://www.reddit.com/r/docker/comments/82myaw/invalid_character_in_string_escape_code/
https://docs.docker.com/v17.09/engine/admin/#start-the-daemon-manually

https://success.docker.com/article/error-streaming-logs-invalid-character-after-object-key-value-pair

Product:
Planning Analytics 2.0.8
Planning Analytics Workspace 45
Microsoft Windows 2012 server

Problem:
When you surf to your PAW, and go to Administrator page, tab – Databases. It says the Agent is not available.

Solution:
Even do you are on the same server. You need to open the Windows Firewall inbound port 9012 to make the PAW have access to the PA Agent.

Go to Control Panel
Go to Administrative tools
Go to Windows Firewall
Click Inbound Rules
Click New Rule
Select Port
Enter 9012 (and the other TM1 ports) at Specific Local ports
Click next for Allow the connection
Click next to keep that the rule apply to all domains
Enter a name like “Cognos TM1”
Click Finish

Now it should work.

When you check a previous made firewall rule it can look like this;

More Information:

https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_prism_gs.2.0.0.doc/c_paw_administer_servers.html
https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_tm1_inst_defaultvaluesfortm1installation.html

Product:
Planning Analytics 2.0.6 Workspace
Microsoft Windows 2016 Server

Problem:
How to use OPENSSL to convert certificates from company CA pfx file to the pem format needed by PAW?

Solution:
Download OPENSSL from http://slproweb.com/products/Win32OpenSSL.html
or from https://github.com/git-for-windows/git/releases/tag/v2.23.0.windows.1 – get the file Git-2.23.0-64-bit.exe Run the installation with all default values.
When installing GIT you will get a local openssl tool, that you can access from the command line:
“c:\program files\git\mingw64\bin\openssl.exe”

If you get a certificatechainfile.pfx file that you should use, you can convert it with the following command in CMD:
openssl  pkcs12  -in  c:\temp\your.pfx  -out  c:\temp\good.pem  -nodes

Then you need to open good.pem in Notepad++ and remove the lines not needed, and save it as pa-workspace.pem. It should have this certs in the file;
—–BEGIN RSA PRIVATE KEY—–
(Your Private Key: your_domain_name.key)
—–END RSA PRIVATE KEY—–
—–BEGIN CERTIFICATE—–
(Your Server certificate: your_domain_name.crt)
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–
(Your Intermediate certificate: IntermediateCA.crt)
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–
(Your Root certificate: TrustedRoot.crt)
—–END CERTIFICATE—–

How setup TLS (SSL) for PAW:

(Do the steps in your TEST environment first, to ensure they work for you.)

Export the root and intermediate certificates first.
Start Internet Explorer and surf to company internal site.
Click on the PAD lock icon.
Click view certificates.
Click Certificate Path tab.

Mark root cert and click view certificate.
Click Details tab.
Click “copy to file” button.
Click Next.

Select Base-64 encoded X.509 (.CER) and click Next.
Browse to your c:\temp folder and enter a name.

Click next and finish.
Repeat above steps for the intermediate cert.

Copy this two cer files to the d:\ibm\paw\config\certs folder.
Rename the cer files to pem.
Start Powershell as administrator.
Go to folder d:\ibm\paw\scripts.
Run .\process_certs.ps1 to include the root cert in the cacerts file.

Stop the paw with command d:\ibm\paw\scripts\paw.ps1 stop.
Go to the d:\ibm\paw\config\ssl folder.
Rename pa-workspace.pem to pa-workspace.pem.org.

If you got a .pfx file from the company that include the privatekey, servercert and  intermediate and root certs. You convert it with this command:
openssl pkcs12 -in your.pfx -out good.pem -nodes

Open good.pem in notepad, and remove lines above the —-BEGIN CERTIFICATE—- but after the —- END line.
Save the file. Now only with the cryptic binary text.

Copy the good.pem file to folder d:\ibm\paw\config\ssl and rename it to pa-workspace.pem

Open d:\ibm\paw\config\paw.ps1 file in notepad++.
Change all HTTP to HTTPS.

Add last in the file, this two lines:
$env:EnableSSL=”true”

$env:ServerName=”yourPAWservername”

Save the file.
Go to the d:\ibm\paw\ folder.
Run ./Start.ps1 to start the PAW administration.
Click on Validate button. Ensure all URL are correct, does they point to correct CA11 or TM1 servers?
Click on the Update button.
Restart PAW, can also be done from powershell with commando  d:\ibm\paw\scripts\paw.ps1

You must add ibmtm1.arm cert to your CA11 servers:
https://www.ibm.com/support/pages/configure-datasource-ibm-planning-analytics-20x-ibm-cognos-analytics-1106

You must add SSL (TLS) cert to your TM1WEB servers:

https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/t_pa_use_ibmkeymgmt.html

https://www.ibm.com/support/pages/how-obtain-planning-analytics-tm1-server-certificate

More Information:

https://knowledge.digicert.com/solution/SO26449.html
https://www.feistyduck.com/
https://www.ibm.com/support/pages/how-transform-pem-and-pfx-keystore-public-key-cryptography-standard-12-pkcs12-keystore
https://www.freecodecamp.org/news/openssl-command-cheatsheet-b441be1e8c4a/
https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/t_paw_enable_ssl.html
https://www.sslshopper.com/article-most-common-openssl-commands.html

Common OPENSSL commands (from SSL Shopper):

These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.

• Generate a new private key and Certificate Signing Request

  openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

• Generate a self-signed certificate (see How to Create and Install an Apache Self Signed Certificate for more info)

  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

• Generate a certificate signing request (CSR) for an existing private key

  openssl req -out CSR.csr -key privateKey.key -new

• Generate a certificate signing request based on an existing certificate

  openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

• Remove a passphrase from a private key

  openssl rsa -in privateKey.pem -out newPrivateKey.pem

Checking Using OpenSSL

If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using SSL Shopper online tools.

• Check a Certificate Signing Request (CSR)

  openssl req -text -noout -verify -in CSR.csr

• Check a private key

  openssl rsa -in privateKey.key -check

• Check a certificate

  openssl x509 -in certificate.crt -text -noout

• Check a PKCS#12 file (.pfx or .p12)

  openssl pkcs12 -info -in keyStore.p12

Debugging Using OpenSSL

If you are receiving an error that the private doesn’t match the certificate or that a certificate that you installed to a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Shopper SSL Checker.

• Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key

  openssl x509 -noout -modulus -in certificate.crt | openssl md5
  openssl rsa -noout -modulus -in privateKey.key | openssl md5
  openssl req -noout -modulus -in CSR.csr | openssl md5

• Check an SSL connection. All the certificates (including Intermediates) should be displayed

  openssl s_client -connect www.paypal.com:443

Converting Using OpenSSL

These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use SSL Shopper SSL Converter to convert certificates without messing with OpenSSL.

• Convert a DER file (.crt .cer .der) to PEM

  openssl x509 -inform der -in certificate.cer -out certificate.pem

• Convert a PEM file to DER

  openssl x509 -outform der -in certificate.pem -out certificate.der

• Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

  openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

  You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

• Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

  openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CAC
  
  https://www.sslshopper.com/ssl-faq.html