Product:
Planning Analytics Workspace version 38
Planning Analytics 2.0.5
Linux Red Hat 7

Problem:
A security scan show that the PAW on port 443 try to use old ciphers sets.

The server is configured to support ciphers known as static key ciphers. These ciphers don’t support “Forward Secrecy”. In the new
specification for HTTP/2, these ciphers have been blacklisted.
Negotiated with the following insecure cipher suites:
TLS 1.1 ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS 1.2 ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

Possible Solution:
Configure the server to disable support for static key cipher suites.

Login to the PAW Linux server with PUTTY.
Change to the user who have access to the paw folder (e.g. dockeruser).
Go to the /ibm/paw/config folder.
Check the content of defaults.env with the command  more defaults.env  to see the current used values.
Open paw.env file with command  nano paw.env
Add below two rows;
export SSLCipherSuite=”ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSAAES256-
GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256″
export SSLProtocol=”all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1″
Save the file with ctrl+o
Exit nano program with ctrl+x
Restart the PAW server.

Check this link for what values to set in SSLCipherSuite:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
If it does not work, revert back to the original settings shown below, by simple remove the two lines from the paw.env file.

export SSLProtocol=”all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1″
above means all protocols except the one listed after the minus, so no SSLv2 or SSLv3 or TLSv1 or TLSv1.1, leaving only TLSv1.2 to show.

The way you created the certificate request when you setup SSL(TLS) for PAW, can affect the ciphers you can use.

More Information:
https://electricenergyonline.com/print_article.php?ID=779

http://www.nist.gov/manuscript-publication-search.cfm?pub_id=915295
https://wiki.mozilla.org/Security/Server_Side_TLS
http://support.microsoft.com/kb/245030/
https://tools.ietf.org/html/rfc7540/

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.md

Product:
Planning Analytics 2.0.5
Microsoft Windows 2016 server

Problem:
A security audit list that the access to TM1 Admin service is not enough secure. Port 5498 and 5898 show this;
Negotiated with the following insecure cipher suites:
TLS 1.0 ciphers:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS 1.1 ciphers:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

Vulnerability Solution:
Enable support for at least one of the ciphers listed below:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Possible solution:
Inside the Cognos Configuration the TM1 Admin server value for Support pre-TLS v1.2 clients are set to TRUE, this should be set to False to solve above issue.

Change to FALSE,
Save settings.
At the restart of the TM1 Admin Server, all the TM1 running instances will be restarted, this can take time. Do this at a planned date.

More information about ports:
http://www.practicallynetworked.com/sharing/app_port_list.htm
http://www.networksorcery.com/enp/protocol/ip/ports04000.htm

Ports used by CA11
https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/c_reviewthedefaultsettings.html

Ports used by PAL
https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_tm1_inst_defaultvaluesfortm1installation.html

https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_configuringthetm1adminservertousessl_n12010f.html

This can also help secure the TM1 Admin service;

Product:
Planning Analytics 2.0.5
Planning Analytics Workspace 2.0.38

Problem:
Error message when I on some TI processes in PAW, right click and select Edit Process. Other process work fine to open in PAW.

Error Message:

{“errorMessage”. “Error: Internal Server Error\r\nSystemOutOfMemory\r\n\r\n”, “/api/v1/Cubes (‘cubename’)/Views(‘All’)/tm1.Execute”,”httpStatusCode”:500)

Background:
The paw is try to show a to large preview of the selection. If the process have a cube view as data source, and that is large, like All, then you can get this error. It will work for a smaller cube view. When you edit a TI process in TM1 Architect, this error does not show.
If you check the TM1SERVER.LOG you will find this message;
8024 [34] WARN 2019-03-04 09:30:44.083 TM1.Server.Memory al_Alloc() outOfMemory Exception <<< MEMORY_TEMP_POOL_EXCEEDED >>> MaximumViewSize memory exceeded – apifunc# “0” – pool# “0” – poolsize “201318656.000000”

You can get same behavior in TM1 Architect, if you open a cube, and try to view all content.
TM1 Error
All: Maximum memory for action exceeded.
View may be too large.
Operation aborted.

Then in TM1SERVER.LOG the error is like this:
4908 [22] WARN 2019-03-04 11:52:24.469 TM1.Server.Memory al_Alloc() outOfMemory Exception <<< MEMORY_TEMP_POOL_EXCEEDED >>> MaximumViewSize memory exceeded – apifunc# “326” – pool# “0” – poolsize “201318656.000000”

You can still edit the TI process, so this warning should not be of a concern.
Check your TM1S.CFG file so the value MaximumViewSize is not set to a low value. In most cases you should manage with the default values.

More Information:
https://www-01.ibm.com/support/docview.wss?uid=swg21380704
https://www-01.ibm.com/support/docview.wss?uid=swg21639609
https://www.ibm.com/support/knowledgecenter/en/SS9RXT_10.2.2/com.ibm.swg.ba.cognos.tm1_inst.10.2.2.1.doc/c_maximumviewsize_1.html

Product:
Planning Analytics 2.0.5
internet Explorer 11
Firefox Quantum

Problem:
After apply SSL in TM1WEB, the node for a contributor application show a blank page in IE. But it works fine in Chrome.
No error message in IE, but in Firefox you get this message:
The information you have entered on this page will be sent over an insecure connection and could be read by a third party. Are you sure you want to send this information?

Background – how to setup SSL in TM1WEB for Planning Analytics;
http://www-01.ibm.com/support/docview.wss?uid=swg22004239

Solution:
Go to the pmpsvc start page at
https://pawebservername.domain.com:9510/pmpsvc/applications.jsp?portal=1
Click on the icon for “Administrator IBM Cognos TM1 Applications”

Under clients mark the “TM1 Application Web” and click on blue Edit link.

Change the URL from
http://pawebservername.domain.com:9510/tm1web/Contributor.jsp
to
https://pawebservername.domain.com:9510/tm1web/Contributor.jsp

Click OK
Click OK

Try now again to open the node in TM1 Application Web with Internet Explorer.

The servername and port number should be changed to the ones you are using in your setup of PA2.

More Information:
https://www.wireshark.org/#download

Product:
Planning Analytics 2.0.4
Microsoft Windows 2012 R2
Cognos Analytics 11.0.9
IE 11

Problem:
When use surf to the TM1 Web Applications portal (pmpsvc) there are no applications listed. If you access the portal from inside Performance Modeler, the applications are listed, so the users have access rights inside the TM1 applications. In PM you use the link http://paservername.domain.com:9510/pmpsvc/services

Solution:
Inside Internet Explorer untick the use of compatibility view settings;
In IE go to the icon for settings menu.
Click on Compatibility View Settings.
Deselect Display intranet sites in Compatibility View.
Deselect Use Microsoft compatibility lists.
Click Close.
Close your Internet Explorer browser.
Launch your Internet Explorer 11 browser and clear the cache.

Surf to http://paservername.domain.com:9510/pmpsvc to test again.

Product:
Planning Analytics 2.0.5
Microsoft Windows 2016 Server

Problem:
I want a list of all TM1SERVER.LOG files on the servers D drive, to find what TM1 instances applications logs I should inspect with my log file monitor software.

Suggested Solution:
On one of the servers, log in as a local administrator, that also are  admin on all the other servers.
Create a text file with the names of the servers.
Enter one server name per row, like this
servernameA
servernameB
servernameC
Save the file as tmservers.txt

Create a CMD file with this content:
for /F %%a in (tmservers.txt) do (
net use z: \\%%a\d$
z:
cd \
dir /s /b tm1server.log > d:\temp\%%a.txt
c:
net use z: /d
)
Save the file as tm1list.cmd

Go to a DOS prompt as administrator and run above file.

tm1list.cmd
It will create a file for each server in the d:\temp folder on the server where you run the cmd file.
Each file will have the servername as filename, in the file will be a list looking something like this;

Z:\data\tm1\servers\appone\logfiles\tm1server.log
Z:\data\tm1\servers\appnametwo\logfiles\tm1server.log
Z:\data\tm1\servers\tm1appnametree\Logfiles\tm1server.log

Z is the D drive on the server.

The path is different, depends on where you store the TM1 instances.

More information
https://stackoverflow.com/questions/15486011/batch-file-for-loop-via-a-text-file-of-ip-addresses-not-working

https://ss64.com/nt/dir.html

Product:
Planning Analytics for Excel (PAX) version 35
CORREDIST_version=CORREDIST-AW64-ML-RTM-11.0.35.13-0
CORREDIST_name=IBM Planning Analytics for Excel
Microsoft Excel 365 64 bit Version 1803 (Build 9126.2336 Click-to- run)

Problem:
After installation of PAX on Windows 7 with Office 365, you only can get PAX add in to work if you start Excel as “Run as Administrator”. If you start Excel as normal user you are missing the add-in “IBM Framework for Office”.

Suggested solution:

If you can not manually add the COM Add-ins, you can create a file and add below values to registry on client computer:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\CognosOffice12.Connect]
@=”Connect Class”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\CognosOffice12.Connect\CLSID]
@=”{0e159c85-c989-4582-8208-3d2afa48c15a}”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\Excel\Addins\CognosOffice12.Connect]
@=hex(40000):
“Description”=”IBM Framework for Office”
“FriendlyName”=”IBM Framework for Office”
“LoadBehavior”=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Excel\Addins\CognosOffice12.Connect]
“Description”=”IBM Framework for Office”
“FriendlyName”=”IBM Framework for Office”
“LoadBehavior”=dword:00000002

You can save above in NOTEPAD, name the file addvalues.reg. Then if you double click (to run it) on it it will add the values to registry on your computer (if you have the rights to do so).

More information:
https://blog.infostruction.com/2016/11/08/registry-keys-for-office-365-20132016/
https://support.netdocuments.com/hc/en-us/articles/205219670-Changing-the-Load-Behavior-of-the-ndOffice-Add-ins
https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_tm1_inst_pax_inst_tasks.html
https://www-01.ibm.com/support/docview.wss?uid=swg22012988

Planning Analytics for Microsoft Excel is available as a 32-bit or 64-bit installation. The corresponding installation must be installed on either the 32-bit or 64-bit version of Microsoft Office.

Before you update and install components, ensure that the following statements are true:

You have administrative privileges on the computer.
Microsoft .NET Framework 4.6.1 or later is installed.
Any previous version of IBM Planning Analytics for Microsoft Excel is uninstalled.
If you are installing a version of Planning Analytics for Microsoft Excel that is older than the version currently installed, back up your connection data. Replacing a newer version of Planning Analytics for Microsoft Excel with an older version might cause your connection data to be lost.
Acquire the appropriate license to use your IBM Cognos for Microsoft Office product.
Configure your antivirus software to allow or unblock connections from the following two applications:
Microsoft .NET Runtime
Microsoft Excel

Depending on version of PAX office click-to-run is supported:

https://www-01.ibm.com/support/docview.wss?uid=swg22015168

How Check NET framework

To find .NET Framework versions by viewing the registry (.NET Framework 4.5 and later)

1. On the Start menu, choose Run.
2. In the Open box, enter regedit.exe.

   You must have administrative credentials to run regedit.exe.

3. In the Registry Editor, open the following subkey:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full

   Note that the path to the Full subkey includes the subkey Net Framework rather than .NET Framework.

   Note

   If the Full subkey is not present, then you do not have the .NET Framework 4.5 or later installed.

   Check for a DWORD value named Release. The existence of the Release DWORD indicates that the .NET Framework 4.5 or newer has been installed on that computer.

https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed#net_b

Product:
Planning Analytics 2.0.5
Microsoft Windows Server 2016

Problem:
When run a TI process to export data to a csv file you get a error from inside your TM1 Application. You have recently moved from TM1 to Planning Analytics, and also to a new Operating System: Microsoft Windows 2016.
The file share you try to export to is on a Linux server.
It works fine from your old Microsoft Windows 2008 server.

Error on Windows 10:
You can’t connect to the file share because it’s not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving the issue see: https://support.microsoft.com/en-my/help/4034314/smbv1-is-not-installed-by-default-in-windows

Possible Solution:
The New Windows Server 2016 have been setup to demand the newer more secure file share (SMB) protocol, and the Linux server is of a older OS version that does not support it.
Try to use a different file share, where both old linux program and Micosoft Windows 2016 server have access.

First check if there is not a firewall issue, with TELNET to see if the ports are open. Run below command from TM1 Windows server;
telnet linuxserver 445
telnet linuxserver 139
If above give error, check the firewall settings in the network.

You can from a CMD command try to access file share direct logged in as the service account on the TM1 server, to ensure that the account have access:
net use * \\linuxserver.domain.com\filesharename

Can say “System error 64 has occurred” if you do not have correct SMB access.

Check also that the IBM TM1 instance is run under a domain service account, and not Local System. Local System account can not access network file shares.

Red Hat Enterprise Linux 7.2, which includes samba-4.2, and later comes with proper support for SMBv2 protocol, but earlier releases of Red Hat Enterprise Linux only support SMBv1.

From the internet:
Samba is made by linux/unix
SMB/CIFS is made by windows/microsoft

NOTE: when people say I have a “CIFS share”, its better to say I have a “SMB share “or a “Samba share” – more on this below:
They use the same protocols to talk to each other.

Samba was originally made to emulate SMB, so that linux pcs could share files with Windows PCs. Now MACs also have samba, so they support SMB. So MACS Windows and Linux can all happily talk via Samba & SMB.

With each new version of Windows, a new SMB version comes out. Then Samba team has to be ready to update their code to support the new features in SMB.
Windows;
SMB 1 – Windows 2000
SMB 2 – Windows Server 2008 and WIndows Vista SP1
SMB 2.1 – Windows Server 2008 R2 and Windows 7
SMB 3.0 – Windows Server 2012 / ? and Windows 8 / 10

To identify the SMB version:
Windows 8.1 or 2012, you can use the PowerShell (in admin mode) cmdlet Get-SmbConnection

You can not interrogate which SMB it is using in Windows 7.

SMB 1 introduced in DOS days, and was also called CIFS in its later version (think of it like SMB 1.1). First versions of Samba 1.x supported SMB and CIFS
SMB 2.0 / SMB2.02 introduced with Windows Vista / 2008 is supported with Samba 3.6
SMB 2.1 introduces with Windows 7 / Windows 2008 R2 is supported with Samba 4.0.0
SMB 3.0 introduced with Windows 8 / Windows 2012 is supported by Samba 4.2
SMB 3.02 introduced in Windows 8.1 / Windows 2012 R2 is not yet supported by any version of Samba (its in the works I assume)
SMB 3.11 introduced in Windows 10 / Windows 2016 is not yet supported by any version of Samba (its in the works I assume)

The latest updates of Windows 10 and Windows Server 2016, the support for SMB1 is automatically removed by Microsoft, if SMB1 is not used.

How remove SMB support:
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and

Start a Powershell command
1) check which SMB is enabled and which one is disabled;

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

ex : True=enabled

2) To enable any SMB 1 or 2 or 3 use following,
Set-SmbServerConfiguration  -EnableSMB2Protocol  $True

3) To disable any SMB 1 or 2 or 3 use following,
Set-SmbServerConfiguration  -EnableSMB2Protocol  $False

Restart computer or server after every change.
Or do this on Windows Server 2012 R2 & 2016:
SMBv1
Detect: Get-WindowsFeature FS-SMB1
Enable: Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Disable: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

More information:
https://access.redhat.com/articles/3164551
https://www.rootusers.com/disable-smb-version-1-0-in-windows-server-2016/
https://www.mowasay.com/2018/08/windows-10-2016-build-1709-1803-cannot-connect-to-smb-shares/
http://www.admin-magazine.com/Archive/2017/40/SMB-3.1.1-in-Windows-Server-2016

Product:
Planning Analytics 2.0.5
Microsoft Windows 2016 server
Microsoft Excel 365 Office version 1803 click-to-run
Planning Analytics for Excel from C:\Program Files\ibm\cognos\IBM for Microsoft Office\cmplst.txt
[Main Applications]

COR_APP_version=COR_APP-AW64-ML-RTM-11.0.35.14-0
COR_APP_name=Cognos 8 Analysis for Excel
CAFES_version=CAFES-AW64-ML-RTM-10.3.0.1-0
CAFES_name=Cafes for Excel
CORREDIST_version=CORREDIST-AW64-ML-RTM-11.0.35.13-0
CORREDIST_name=IBM Planning Analytics for Excel
COI_version=COI-AW64-ML-RTM-11.0.35.7-0
COI_name=IBM Cognos COI

Problem:
When insert a custom report or dynamic report on this sheet, you get #NAME? instead of the numbers for the formula =DBRW($A$1,$A10,$B$2,E$6,$B$4,$B$3).
Click on Rebuild sheet does not help.
Insert a quick report on the sheet gives you numbers.

Solution:
Check that all the add-ins for Excel are installed.
Inside Excel go to File – Options.

Click on Add-ins
at Manage: Excel Add-ins click on GO.

The TM1 part is missing.
Click on Browse and go to C:\Program Files\ibm\cognos\IBM for Microsoft Office folder.

Select CognosOfficeTM1.xll and click OK.

Now you have the Add-ins you also need. Click OK.

You need both IBM Cognos Office Reporting TM1 addin and the IBM Framework for Office COM add-in to make PAX work.

More Information:
https://www-01.ibm.com/support/docview.wss?uid=swg22004391

Product:
Cognos Planning Analytics 2.0.6
Microsoft Windows 2012 R2 Server

Problem:
The log files for opsconsole fill up the C drive, where the software is installed. Can we change the logs file to be created on a separate hard disk named L:\?

Solution:
Login to the Windows server where you run TM1WEB (also the opsconsole)
stop the service IBM Cognos TM1
cut the folder C:\Program Files\ibm\cognos\tm1_64\bin64\opsconsoledata
paste it at L:
rename L:\opsconsoledata to L:\opslogs
start a command prompt as admin
enter command:

mklink /D  “C:\Program Files\ibm\cognos\tm1_64\bin64\opsconsoledata”  L:\opslogs

start the service IBM Cognos TM1
Now the logs are on the L drive….

NOTE: This is not a supported function, and should not be used in production environments.

Surf to opsconsole at the following web address:   http://servername:9510/pmhub/pm/opsconsole

More information:
https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/t_tm1_inst_installingopsconcole.html

https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_op.2.0.0.doc/c_tm1_ops_console_configuration_tasks.html

https://skimfeed.com/blog/symbolic-links-in-windows-for-pointing-a-folder-to-another-folder-on-an-external-hard-drive-or-ssd/