Cognos Analytics 11.0.6
Microsoft Windows 2012 R2 server
Microsoft SQL 2014 database server

How to set up IIS for SSO with CA 11.0.6?

This solution is using the tool provided by IBM for configuration of the IIS.

In this example, everything is set up on the same Microsoft Windows 2012 R2 server. You may need to check that the web server you use has Trusted Delegation on the Domain Controller. Enter GPEDIT or SETSPN -L ServerName at the CMD prompt to see some information. More instructions here for Windows Kerberos;

On the Microsoft Windows 2012 R2 server;

– turn off DEP
– turn off UAC
– turn off ‘On access scan’ of anti-virus software
– turn off IEESC (internet explorer enhanced security configuration)
– Set Power Option to ‘High Performance’
– in Folder Options – view – untick ‘Hide extensions for known file types’
– Internet Options, under General – Settings, mark ‘Every time I start Internet Explorer’
– Internet Options, under Security – Local Intranet – sites, Advanced, add the CA 11 servers to the zone.
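
The DEP, UAC and IE ESC items in this list can be read back from PowerShell, which gives a record of each setting before the installation and a way to confirm its state afterwards. This is an added example, not part of the original article; the function name Get-InstallPrepState is hypothetical, and the registry paths are the standard Windows locations for these settings.

```powershell
# Added example (not from the original article): report the state of the
# DEP, UAC and IE ESC settings that the preparation list changes.
# Run from an elevated PowerShell prompt on the Windows 2012 R2 server.
function Get-InstallPrepState {
    # DEP policy reported by WMI: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut
    # (OptIn corresponds to "essential Windows programs and services only")
    $depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $dep = $depNames[[int]$os.DataExecutionPrevention_SupportPolicy]

    # UAC: EnableLUA = 1 means UAC is on, 0 means it is off
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac    = (Get-ItemProperty -Path $uacKey -Name EnableLUA).EnableLUA

    # IE ESC: one Active Setup component for administrators, one for users.
    # IsInstalled = 1 means IE ESC is on for that group.
    $escRoot  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $escAdmin = (Get-ItemProperty -Path "$escRoot\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled).IsInstalled
    $escUser  = (Get-ItemProperty -Path "$escRoot\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled).IsInstalled

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Checked         = Get-Date
        DepPolicy       = $dep
        UacEnabled      = ($uac -eq 1)
        IeEscAdministrators = ($escAdmin -eq 1)
        IeEscUsers      = ($escUser -eq 1)
    }
}

# Print the current state; run it before and after the installation and keep both outputs.
Get-InstallPrepState | Format-List
```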

Create an empty database named “contentstore” on the Microsoft SQL server. Create a SQL login named cognos with password cognos204. Set the SQL user cognos to be DBOWNER of the database “contentstore”.

Setup CA 11
Download the CA 11.0.6 files from here

Run the installation of all tools, including IBM Cognos Software Development Kit 11, on the server. Start with the IBM Cognos Analytics Server Microsoft Windows Multilingual (CNIN2ML). The new license allows the administrator to use all tools.


Right click on ca_srv_win64_11.0.6.17031315.exe file and select “run as administrator”.
Click next to run the installation in English.
Select IBM Cognos Analytics, and click Next.
Select to Accept the license agreement, and click Next.
Enter the installation directory to d:\program files\ibm\cognos\analytics and click Next.
Select the Custom installation type, and click Next.
Select the First Install option and click Next.
Select all components and click Next.
Click on Install.
If you get a warning from the Windows firewall, check all and click on “Allow access” to continue the program installation.
When finished, click on Done.

In later versions of CA11 you must copy file sqljdbc42.jar into folder d:\program files\ibm\cognos\analytics\drivers before configuration.

Start up Cognos Configuration by right-clicking it and selecting “run as administrator”.
Check that the CAservername is already filled in at all the fields, at Environment.


The Content Store needs to be changed from IBM DB2 to a SQL Server database. Under Data Access – Content manager, right click ‘Content Store’. Select ‘Delete’ and confirm deletion.
Right-click New Resources -Database. Name the database ‘Content Store’ and select the type ‘Microsoft SQL Server database’.
In the right-hand pane at ‘Resource Properties’, fill in;
Database server name with port number (the sql servername:1433)
User ID and password (in our example cognos and Cognos204)
Database name (in our example contentstore)
Click on save icon and wait.


Above are the default values for the CA11 WebSphere Liberty Profile. Ensure the server has enough memory.

To enable login to Active Directory, you need under Security and Authentication,
Right-click New Resource – Namespace. Provide a name of the domain ‘AD’ and select ‘Active Directory’. Click OK.
Enter the Namespace ID to be the same as the namespace properties ‘AD’.
Enter the host and port to the domain:
Click the save icon.
Right click and test to see that the AD connection works; you must provide an existing AD user's name and password for the test.

Click save and click on start (triangle) to start the CA 11 service.
Surf to http://BIservername:9300/bi/v1/disp to test the program.
You should get to the page without the need to login.

In Cognos Configuration, under the Cognos namespace, change “Allow anonymous access” to ‘False’.
Save the change and restart the Cognos services from the restart icon.
Surf again to http://servername:9300/bi; this time you should get a login dialog.

When installing the developer tools, you must enter the server name in lower case in Cognos Configuration for Cognos Cube Designer, otherwise it will not work to publish a cube.


You can “pin to start”, your most used programs, to make them easy to find.

Install IIS
Ensure that IIS is installed on the Microsoft Windows 2012 R2 server.
Click on Server Manager icon, normally in lower left corner of screen.
Click on Local Server, on the left in the Server Manager.
Scroll down to Roles And Features, click on Tasks icon and select Add Role and Features.
Click Next 3 times until you get to “Select Server Roles”.

Select Web Server (iis) and click “Add features” to any question about installing additional features.
Click Next 3 times until you get to “Role Services”.
Scroll down and select

– Security – Request Filtering (already filled in) and Windows Authentication

– (expand) Application Development Features – CGI, ISAPI Extensions and ISAPI Filters

Click Next and click Install.

Start an administrative PowerShell

Enter this to make a backup of IIS settings
backup-webconfiguration -name MyIISbackup

Download ARR from here

Run ARRv3_0.exe


Click Install

Click I accept


Click Finish.

Run the script
Download the script from here

Unpack the file CA_IIS_Config(6.22.17).zip
Open the file CA_IIS_Config.bat in Notepad++


set ca_path: set this to the location of the Cognos Analytics gateway folder, d:\Program Files\ibm\cognos\analytics
set ca_disp: this section is where all application dispatcher(s) are entered. (Do not enter servers that are only Content Managers.)

• set disp[x]=server_name is where you would put the fully qualified dispatcher name
ex. set disp[0]=

• set disp[x].port is where you would put the dispatcher port number.
ex. set disp[0].port= 9300

set enable_SSO: to enable single sign-on capabilities in IIS, set this to True.

Save the BAT file.


In Windows Explorer, right click on CA_IIS_config.bat file and select Run as Administrator
A command window will open with the variables that you have configured. If they are incorrect, press ‘n’ to exit and reopen the bat file to correct the issue. If everything is correct, press ‘y’.


If all is well, there should not be any errors.

Surf to : Http://

If the SSO does not work after above script is run, check first that Windows Authentication is Enabled in IIS Manager. Open IIS Manager and go to the Default Web Site – ibmcognos. Click on Authentication. Mark Windows Authentication and click Enable. Ensure that Anonymous Authentication is Disabled on ibmcognos.


Then add singleSignOnOption=IdentityMapping in Cognos Configuration at Security – Authentication – AD – Namespace – Resource Properties. Click on Advanced properties above Account mappings (advanced) to enter the singleSignOnOption value. Save and restart the Cognos services.


Restart the server. If it still does not work, you need to go through all the steps manually to find what is wrong.

Note: for pictures to be displayed in PDF reports, you often have to enable Anonymous Authentication in IIS Manager on the picture folder, such as /ibmcognos/bi/samples/images.
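
The authentication state described in the paragraphs above (Windows Authentication on and Anonymous Authentication off for ibmcognos, with Anonymous Authentication on only for the picture folder) can be verified from PowerShell instead of by clicking through IIS Manager. This is an added example, not part of the original article or of the IBM script; the function names are hypothetical, and it assumes the alias ibmcognos under Default Web Site and the image folder named in the note.

```powershell
# Added example (not from the original article): compare the IIS authentication
# settings with what the article describes. Run from an elevated PowerShell prompt.
Import-Module WebAdministration

function Get-IisAuthState {
    param([Parameter(Mandatory = $true)][string]$Location)
    $base = '/system.webServer/security/authentication'
    [pscustomobject]@{
        Location  = $Location
        Anonymous = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
                        -Filter "$base/anonymousAuthentication" -Name enabled).Value
        Windows   = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
                        -Filter "$base/windowsAuthentication" -Name enabled).Value
    }
}

function Test-CognosIisAuth {
    # Expected values taken from the article text. $null means "not checked".
    $expected = @(
        @{ Location = 'Default Web Site/ibmcognos';                   Anonymous = $false; Windows = $true },
        @{ Location = 'Default Web Site/ibmcognos/bi/samples/images'; Anonymous = $true;  Windows = $null }
    )
    foreach ($e in $expected) {
        $actual = Get-IisAuthState -Location $e.Location
        $ok = ($actual.Anonymous -eq $e.Anonymous) -and
              (($null -eq $e.Windows) -or ($actual.Windows -eq $e.Windows))
        [pscustomobject]@{
            Location  = $actual.Location
            Anonymous = $actual.Anonymous
            Windows   = $actual.Windows
            AsDescribed = $ok
        }
    }
}

# Any row with AsDescribed = False differs from the configuration in the article.
Test-CognosIisAuth | Format-Table -AutoSize
```

If other folders under ibmcognos have had Anonymous Authentication enabled, add them to the expected list so that the image folder stays the only exception.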

Change of GateWay
Inside Cognos Configuration for Framework manager or other tools, or for Internet Shortcut you need to update to use this link
to get SSO
will give you the login without SSO.

The URI Gateway for Transformer or Framework Manager clients should be:

The URI external dispatcher for Transformer should be:

The URI external dispatcher for Framework Manager should be:

The URLs in Cognos Configuration for Cognos Analytics 11 can use the fully qualified domain name (FQDN).
The Gateway URL in Cognos Configuration for Cognos Analytics is configured as follows ( is the FQDN for the Cognos Analytics gateway server and is the alias that was set in CA_IIS_config.bat before running the script.)


If you examine the .\\webcontent\default.htm and .\\webcontent\index.html files, they have no reference to cgi as before.

Database Issues

With CA 11.0.6, only the database driver sqljdbc42.jar is in the folder d:\program files\ibm\cognos\analytics\drivers; that should be good enough to connect to a Microsoft SQL database server. You should install a Microsoft SQL Server Native Client (sqlncli.msi) to allow CQM reports to work.


Setup Audit database and import the deployment package.
Ensure Audit is configured in Cognos Configuration.
Create the data source connection to Audit database in Cognos Connection. Click on Test to test the data source link.

Click on the Success text (if possible) in test connection to see more information.

If you get an error XQE-DAT-0001 when you build a new report against the Audit database, you may have forgotten to enter the database name. The test only checks the connection to the database server, not to the database you are going to query.

Ensure the JDBC connection has all fields filled out for Microsoft SQL data sources.

When you test a data source to a TM1 server, you may get an error like the one below when you use AD authentication.
IBM Cognos TM1  / Dynamic  Failed   XQE-CM-0008
If you change to No Authentication, the data source test works. Set it back to AD external namespace authentication, build a report, and test that it gets data from the TM1 cube.



Cognos Controller 10.2.1
Microsoft Windows 2008 R2 Server
Microsoft SQL 2012 database

How to upgrade Controller 10.2.1.x to a later Fix Pack?

This is a very good article – so I copy the text, to have it here as well.

It is possible to patch an existing 10.2.1 Controller application server *without* having to perform a full uninstall/re-install of the Controller application server software. However, care needs to be taken (during the patching process) to ensure that all Controller-related services/systems/components are stopped.

To check which version of Controller you are currently using, click “Help – System Info” (inside the Controller client) and check the value of the first/top line.

To upgrade the Controller application server, perform the following tasks:
1. Download a copy of the patch (either a Fix Pack or Interim Fix).
2. Obtain downtime (no users on system)
3. As a precaution, perform the following tasks:
(a) Backup all Controller-related databases (application repositories, ContentStore and FAP)
(b) Launch “Cognos Configuration” and create a backup of all the settings.
Typically this means click “File – Export As” and save the settings as an XML file (in a safe place)
(c) Launch “Controller Configuration” and create a backup of all the settings
e.g. create a Word document with printscreens of all the current settings
(d) If using virtual servers (for example ESX) then create a backup image of the virtual server(s)
In other words, ask your ESX administrator to create a virtual snapshot backup of any server (for example Controller application server) before you make any changes.
4. VITAL: Shut down all Controller-related Windows services (running on the application server(s))
Specifically, stop the following Windows services:
IBM Cognos
IBM Cognos Controller Batch Service
IBM Cognos Controller Consolidation
IBM Cognos Controller Java Proxy
IBM Cognos Controller User Manager
IBM Cognos FAP Service

5. VITAL: Shut down other Controller-related subsystems (running on the application server(s))
Launch the “Internet Information Services (IIS) Manager” tool
Highlight the Default Web Site.
Click “Stop”:

Launch the “Components Services” tool
Right-click the “IBM Cognos Controller Consolidation” COM+ application and choose “Shut down”:
6. As a precaution, now take a backup copy of the entire ccr_64 folder (e.g. compress inside a backup ZIP file):
[This process helps make it easier to revert back to the older version of Controller if necessary later].

7. If the Controller application server has a Controller client installed, then uninstall the Controller client first before proceeding:
It is important to uninstall the client before you upgrade the server. The uninstall program may use some of the previous version's files.
8. Install patch onto the application server(s) by doing the following:
Extract the compressed patch file
Double-click on installer file issetup.exe (inside subfolder winx64h)
Navigate through the installation wizard (in general by accepting all the default options).
TIP: Ensure that you choose the installation folder to be the same folder as the current installed version
If you have multiple Controller application servers, apply the patch for all remaining Controller application servers.

9. After the patch has finished installing, launch “IBM Cognos Configuration”. Click the buttons (near the top-left corner of the screen) to:
Save the current configuration
Start the IBM Cognos service:
10. Afterwards, launch “Controller Configuration” and open the section ‘Database Connections’. Click on each database connection, and click on the green ‘play’ button.
Check to see if the ‘Current Version’ is set to be the same as the ‘Upgrade to’ version:
Sometimes (depending on the old/new versions of Controller) the “Upgrade to” will have increased (because of the patch). If so, then you must press ‘Upgrade’ to upgrade your Controller application databases (to the latest version).

11. Inside Controller Configuration, check that all the other settings look *exactly* the same as before the upgrade. Most importantly (in particular) check the following two sections:
Report Server:
COM+ Server:
TIP: Refer to the printscreens that you took earlier (in step 3 – before the upgrade) to make sure that the settings look the same as before.
12. If you used “ISAPI” before the upgrade, then:
change “Report Server” to mention cognosisapi.dll instead of cognos.cgi
modify the files “default.htm” and “index.html” (located in webcontent folder) to refer to cognosisapi.dll instead of cognos.cgi
13. Check the Windows service “IBM Cognos Controller Java Proxy”. Ensure that it is configured to ‘Log On As’ using the correct Windows user (typically the Cognos Controller system user e.g. \Controller_system).
14. Inside the IIS Manager, highlight the “Default Web Site” and click “Start”
15. Afterwards, reboot Controller 10.2.1 application server(s) (to automatically start relevant services and ensure that the registry key change takes effect)

16. Upgrade client software on each-and-every end-user’s client device (see below).
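
Steps 4 and 5 above can be scripted so that the patch only starts once every listed component is confirmed stopped. This is an added example, not part of the original article or the IBM technote; the function names are hypothetical, and it assumes the service display names and the COM+ application name exactly as listed in those steps.

```powershell
# Added example (not from the original article): stop the Controller-related
# components from steps 4 and 5 and report anything that is still running.
# Run from an elevated PowerShell prompt on the Controller application server.
Import-Module WebAdministration

# Display names as listed in step 4
$controllerServices = @(
    'IBM Cognos',
    'IBM Cognos Controller Batch Service',
    'IBM Cognos Controller Consolidation',
    'IBM Cognos Controller Java Proxy',
    'IBM Cognos Controller User Manager',
    'IBM Cognos FAP Service'
)

function Stop-ControllerStack {
    foreach ($name in $controllerServices) {
        $found = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if ($null -eq $found) { Write-Warning "Service not found: $name"; continue }
        foreach ($svc in $found) {
            if ($svc.Status -ne 'Stopped') {
                Stop-Service -InputObject $svc -Force
                # Wait up to five minutes for the service to report Stopped
                $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
            }
        }
    }
    # Step 5: stop the web site and shut down the COM+ application
    Stop-Website -Name 'Default Web Site'
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $catalog.ShutdownApplication('IBM Cognos Controller Consolidation')
}

function Get-ControllerStillRunning {
    # Returns the names of everything from steps 4 and 5 that is not stopped
    $running = @()
    foreach ($name in $controllerServices) {
        Get-Service -DisplayName $name -ErrorAction SilentlyContinue |
            Where-Object { $_.Status -ne 'Stopped' } |
            ForEach-Object { $running += $_.DisplayName }
    }
    if ((Get-WebsiteState -Name 'Default Web Site').Value -ne 'Stopped') {
        $running += 'IIS: Default Web Site'
    }
    return $running
}

Stop-ControllerStack
$left = Get-ControllerStillRunning
if ($left.Count -gt 0) {
    Write-Warning ("Still running, do not start the patch: " + ($left -join ', '))
} else {
    Write-Output 'All Controller-related services and the web site are stopped.'
}
```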

Simplified instructions for how to upgrade *Client* software on each-and-every end-user’s client device:
1. Logon to the client device as the SAME Windows administrator which originally installed the Controller client.
2. Launch “Add/Remove Programs” and remove the Controller client (for example “IBM Cognos Controller Local Client”):
VITAL that you uninstall the old cognos controller client before you install a new Cognos Controller client.
3. Download the new version of the Controller client from the application server
TIP: You can download it from: http://SERVERNAME/ibmcognos/controllerbin/ccrlocalclient.msi
There are three different versions of the client – see Technote#1371088. For most customers, CCRLocalClient.MSI is the best version to use.
4. Double-click on the client installation file (for example “ccrlocalclient.msi”)
5. Follow the installation wizard
TIP: If unsure what values to use (for example WSSUrl) then open the file %APPDATA%\Cognos\CCR\ccr.config inside NOTEPAD and read the values from there.
6. If the client device does not have access to the internet (e.g. most Citrix/Terminal servers) then modify the file “ccr.exe.config” (inside C:\Program Files (x86)\ibm\IBM Cognos Controller) as per separate Technote #1441779.

There are patches coming for Cognos Controller. You decide when you need to apply them, depending on how “secure” your network is and the risk that the Cognos servers will be affected by unwanted software. The recommendation is to always be on the latest fix pack.
These upgrade instructions apply to IBM Cognos Controller 10.2.1; check the IBM web site for instructions for other versions.

The recommended solution is to apply the fix for versions listed as soon as practical:

Planning Analytics 2.0 Local (TM1)
Microsoft Windows 2012 R2 Server
Microsoft SQL 2014 database server

How to set up PA 2.0 Local?

This describes the steps to set up PA 2.0 Local with security mode 5 connected to Cognos Analytics 11 (CA), and the installation of Docker Toolbox and PAW. This document does not cover SSO or how to set up a reverse proxy for CA 11.

Ensure that you have a big virtual Microsoft Windows 2012 R2 server, with at least 4 CPU cores, 16 GB RAM and 200 GB hard disk space. More RAM is recommended, such as 64 GB.

Download software from IBM web site (easiest is to search for the PART NUMBER)

IBM TM1 2.0 Microsoft Windows Multilingual (download also the latest version from the links below) CNG5RML
IBM Planning Analytics Workspace 2.0 Multilingual CNG5UML
IBM Planning Analytics for Microsoft Excel 64-bit 2.0 Microsoft Windows Multilingual CNG5WML
IBM TM1 Client 64-bit 2.0 Microsoft Windows Multilingual  (TM1 Perspective) CNG5TML
IBM Cognos Analytics Server 11.0.5 Microsoft Windows Multilingual (for cam security)

You should download the latest version – at least version 11.0.6 from link below.

IBM Cognos Framework Manager 11.0.5 Microsoft Windows Multilingual CNG25ML
IBM TM1 Client 32-bit 2.0 Microsoft Windows Multilingual (if you have 32 bit Excel) CNG5SML
IBM Planning Analytics for Microsoft Excel 32-bit 2.0 Microsoft Windows Multilingual (if you have 32 bit Excel 2010) CNG5VML

RTM versions are listed here

Download IBM Cognos Analytics from here (ca_srv_win64_11.0.6.17031315.exe)

IBM Planning Analytics Local 2.0.2 is now available on Fix Central (tm1_winx64h_2.0.2.138_ml.tar.gz)

IBM Planning Analytics Workspace 2.0.20  (

IBM Planning Analytics for Microsoft Excel 2.0.20  (cor_win32_2.0.20.17_ml.tar.gz)

Fix pack information can be found here

To get the fix list info in mail

This is only a suggestion for the setup of PA 2.0 Local – you should follow the instructions that come from IBM in the first place.

If you install to Microsoft Windows 2016 – you should use version 2.0.21

Download Docker Toolbox  if PAW is going to be installed on Windows 2012 server.

Check that on the Windows 2012 R2 server, you have installed:

  • .NET Framework 4.6.1
  • C++ 2010 x64 redistributable (vcredist_x64.exe)
  • 7zip (to unpack the media files)
  • Telnet client (for testing of access to ports)
  • SQL drivers (sqlncli_x64.msi and sqljdbc4.jar files)

Turn off DEP

  1. Log on to the server.
  2. Open Windows Explorer.
  3. Right-click Computer > Properties.
  4. In the System Properties window, click Advanced System Settings.
  5. On the Advanced tab, under the Performance heading, click Settings.
  6. In the Performance Options window, click the Data Execution Prevention tab, and then select Turn on DEP for essential Windows programs and services only.
  7. Click OK and then restart your system to enable the change.

DEP – Data Execution Prevention, can also be changed like this;
To do this from the Start menu select All Programs, then go to Accessories and then finally right-click on Command Prompt and click Run as Administrator.
Once the command prompt is open, you can now disable the DEP by entering the following command line.
bcdedit.exe /set nx AlwaysOff

Now restart the server
To reverse the action, enter this command line to turn DEP back on again.
bcdedit.exe /set nx AlwaysOn

Turn off IE enhanced security

To disable IE enhanced security in windows server 2012 R2, launch the Server Manager, on the left hand side click on Local Server. On the right hand side click on the On link next to IE Enhanced Security Configuration.

You will now see the Internet Explorer Enhanced Security Configuration box. Click on Off to turn off the IE ESC for both users and administrators.

Switch to the High Performance power profile

To configure this using a GUI, go to the Start Menu, search for “Choose a Power Plan” under Settings, then select the “High Performance” option. To configure this from a command line, use “POWERCFG.EXE /S SCHEME_MIN”.

By default, hidden files and folders are not visible, change this to make the work easier.

  1. Start Control panel.
  2. Click Folder options.
  3. Click Folder and search options.
  4. Click the View tab.
  5. Check show hidden files, folders and drives.
  6. Scroll down until you notice Hide extensions for known file types, un-check this line by clicking the check box.
    Note; To hide file name extensions, check this line.
  7. Click OK

If you are going to install CA11 and PA 2.0 Local on the same Windows server you must install CA11 first. If they are not on the same server (it is recommended to have them on separate servers) you can install PA 2.0 Local first and set it up with “localhost” in Cognos Configuration Environment tab.

Copy all media files to a folder on the Windows server, like D:\install

Unzip all gz media files to different folders, and remove the .tar files to save space.


Create an empty database on your SQL server, name the database to “contentstore”.

Create a SQL login named cognos with the password Cognos202.

Ensure the SQL login cognos is DB_OWNER on the database “contentstore”.

Turn off On-Access-Scan in the server’s Anti-virus software before installing.


Right click on ca_srv_win64_11.0.6.17031315.exe file and select “run as administrator”.

Click next to run the installation in English.

Select IBM Cognos Analytics, and click Next.

Select to Accept the license agreement, and click Next.


Enter the installation directory to d:\program files\ibm\cognos\analytics and click Next.


Select the Custom installation type, and click Next.

Select the First Install option and click Next.


Select all components and click Next.

Click on Install.


If you get a warning from the Windows firewall, check all and click on Allow access to continue the program installation.

When finished, click on Done.


Start up Cognos Configuration by right-clicking it and selecting “run as administrator”.


Check that the Windows server name, instead of localhost, is used under Environment for the important URLs. The same server name should be used everywhere instead of localhost.


The Content Store needs to be changed from IBM DB2 to a SQL Server database.  Under Data Access – Content manager, right click ‘Content Store’.  Select ‘Delete’.

Right-click New Resources -Database.  Name the database ‘Content Store’ and select the type ‘Microsoft SQL Server database’.

In the right-hand pane at ‘Resource Properties’, fill in;

Database server name with port number (the sql servername:1433)

User ID and password (in our example cognos and Cognos202)

Database name (in our example contentstore)

Click on save icon and wait.


To enable login to Active Directory, you need under Security –  Authentication,

Right-click New Resource – Namespace.  Provide a name of the domain ‘AD’ and select ‘Active Directory’.  Click OK.

Enter the Namespace ID to be the same as the Authentication name like ‘AD’.

Enter the host and port to the domain:

Click the save icon. You must change the server name to meet your environment's needs.

Right click and test to see that the AD connection works; you must provide an AD user's name and password for the test.

Click save and click on start (triangle) to start the CA 11 service.

Surf to ‘http://servername:9300/bi/v1/disp’ to test the program.

You should get to the page without the need to login.


To test the network speed to the AD server, open a DOS prompt, and enter


This should show you how far it is to the DC server; if the Time value is above 50 ms you need to talk to the IT department.


Change allow anonymous access to ‘False’ under the cognos namespace in Cognos Configuration.

Save the change and restart the Cognos services from the restart icon.

Surf again to http://servername:9300/bi; this time you should get a login dialog.

Login to ensure the connection to Active Directory (AD) is working.


SETUP PA 2.0 Local

Turn off the anti-virus program on the server before installing.

Go to the folder where you have unzipped the PA media files.

Right click on file D:\install\pa 2.0.1\pa_2.0.1_win_ml.tar\winx64h\issetup.exe and select ‘run as administrator’.

Click Next to get English as installation language.

Click I agree to the IBM License Agreement, and click Next.


Enter the path to the installations folder and set the server use type to Production (if this is the production server) and click Next. Server use type can be used by ILMT software to list the server as production or not.


Select all components and click Next.


Mark ‘Make the shortcuts visible to all users’ and click Next.

Click next to start the installation.

It should finish without any errors.


Go to the folder for the latest version of the PA 2.0 Local media and run the setup again in same folder. Ensure you install to the same folder as before. (maybe it is possible to run the setup direct with this refresh media file tm1_winx64h_2.0.2.138_ml.tar.gz)


Right-click IBM Cognos Configuration for IBM Cognos TM1 – 64. and select Run as Administrator.

Go to Environment and enter the server name of the BI (CA11) server (if BI is not on same server as PA, then some fields should point to PA) instead of localhost.


Click on the save icon.  If you get a message from Windows Firewall, click on Allow access.

Right click on TM1 Admin server and select start.

Go to TM1 applications and enter the server name of the TM1 server you are configuring instead of localhost. Click on the save icon.

Right click on IBM Cognos TM1 under IBM Cognos TM1 services and select start.

Go down to TM1 servers, and start the SData and Proven_Techniques sample TM1 data models.

SData is used by default by Opsconsole as the holder of users’ logins.

We use Proven_Techniques to test the CAM security later.

Close Cognos Configuration.


Start TM1 Architect and test that you can login to Sdata.

User name is Admin and password is apple.


To access the PA 2.0 Local from other computers, you need to open some ports on the Microsoft Windows firewall on the 2012 server.

On the Start menu, click Run, type WF.msc, and then click OK.

In the Windows Firewall with Advanced Security, in the left pane, right-click Inbound Rules, and then click New Rule in the action pane (upper right corner).


Select Port and click next.


Specify the local ports to: 80,443,9300,9510,9513,5495,5498, 5895,5898,9362,9580,9543

Click Next.

Ensure ‘allow the connection’ is selected and click next.


Mark all options for the rule to apply and click next.


Enter a name, like “Cognos Tm1” and click on Finish.

Repeat the above for a new rule for the TM1 applications ports.

Here it is best to open a range of ports; this is a suggested range:

PortNumber Range 12340 -12350
HTTPPortNumber Range 12540 -12550
ClientMessagePortNumber Range 12440 -12450


We may have missed some needed ports, like 1433, that you also need to open in the Windows firewall on the server.

If there are router firewalls between the servers, you also need to open the ports there.
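
The two inbound rules described above can also be created from PowerShell, which makes the port list repeatable and lets you read the rule back afterwards. This is an added example, not part of the original article; it is narrower than the GUI steps in that it applies the rules to the Domain profile only and to one client subnet. The function names, the second rule name and the subnet 192.0.2.0/24 are placeholders to replace with your own values.

```powershell
# Added example (not from the original article): create the inbound rules for
# PA 2.0 Local with the ports listed in the article, limited to one profile
# and one source subnet. Run from an elevated PowerShell prompt.

# Ports from the article
$coreTcpPorts = @('80','443','9300','9510','9513','5495','5498','5895','5898','9362','9580','9543')
$tm1TcpPorts  = @('12340-12350','12540-12550','12440-12450')

# Placeholder: the subnet your clients and the CA 11 server connect from
$allowedFrom = '192.0.2.0/24'

function Set-CognosInboundRule {
    param(
        [Parameter(Mandatory = $true)][string]$DisplayName,
        [Parameter(Mandatory = $true)][string[]]$Ports,
        [Parameter(Mandatory = $true)][string[]]$RemoteAddress
    )
    # Replace an existing rule with the same name so the script can be re-run
    $existing = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if ($existing) { $existing | Remove-NetFirewallRule }

    $rule = @{
        DisplayName   = $DisplayName
        Direction     = 'Inbound'
        Protocol      = 'TCP'
        LocalPort     = $Ports
        RemoteAddress = $RemoteAddress
        Profile       = 'Domain'
        Action        = 'Allow'
    }
    New-NetFirewallRule @rule | Out-Null
}

function Get-CognosInboundRule {
    param([Parameter(Mandatory = $true)][string]$DisplayName)
    $rule = Get-NetFirewallRule -DisplayName $DisplayName
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Profile       = $rule.Profile
        LocalPort     = (($rule | Get-NetFirewallPortFilter).LocalPort) -join ','
        RemoteAddress = (($rule | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
    }
}

Set-CognosInboundRule -DisplayName 'Cognos Tm1' -Ports $coreTcpPorts -RemoteAddress $allowedFrom
Set-CognosInboundRule -DisplayName 'Cognos Tm1 applications' -Ports $tm1TcpPorts -RemoteAddress $allowedFrom

# Read both rules back to confirm what was actually applied
'Cognos Tm1', 'Cognos Tm1 applications' |
    ForEach-Object { Get-CognosInboundRule -DisplayName $_ } |
    Format-List
```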


Ensure the PA 2.0 LOCAL server is in the Trusted Zone in your Internet Options for your IE browser. Add both the server name and the *

Surf to http://PAservername:9510/tm1web to test tm1web.

for IBM Cognos Performance Management Hub use:

for TM1 Operations Console use:

You should not set up TM1 applications yet if you are going to use CAM security.



Start Cognos Configuration for CA 11, and change to not allow anonymous login.

Save and restart the CA 11 windows service (IBM Cognos).

Open Cognos Configuration for PA 2.0 and in Environment section copy the URL for gateway and internal dispatcher to notepad. This should be used in your TM1S.CFG file.

Close TM1 architect, if it is open.


Click start and select Command Prompt (admin).

From the cmd dialog enter notepad and press enter.

This will start a notepad in admin mode that can write to \program files\ folder.

From inside Notepad select open and find tm1s.cfg in folder d:\Program Files\ibm\cognos\tm1_64\samples\tm1\Proven_Techniques\.

You need to change notepad to show all files and not only .txt.


Add these values to the tm1s.cfg file






Update the values for ports to this





Add these values









See here for more values to tm1s.cfg

Save the tm1s.cfg file for Proven_Techniques

From inside Notepad (in administrator mode) open the tm1p.ini file for your user.

You will find it in folder C:\Users\%username%\AppData\Roaming\Applix\TM1

Change AllowImportCAMClients = F to AllowImportCAMClients = T.

Add CognosGatewayURI = http://biservername:9300/bi/v1/disp


Save the file and close notepad.

Check that Cognos BI service ‘IBM Cognos’ is running.

Restart your TM1 services, like IBM Cognos TM1 Server – proven_techniques.


Start TM1 Architect and login to proven_techniques.

Use the native login of Admin and password apple.

When inside, select the application and right click and select security – clients/groups.

From menu clients, select add new member.

At the login prompt enter the AD username and password you have.

You should get to Cognos Connections add users dialog where you can select Cognos and your AD namespace.

Go to your AD namespace, and search for the Windows users you want to be able to work in your application. In this test, only add one user (you).

You can also click on TYPE in upper right corner and enter the username like this;


Where first is your AD namespace name and after the slash is the NT user name.

Click on the arrow to add the user, and it should resolve to display name.

Click OK to add the user to your TM1 application.

Mark ADMIN for that user before you exit TM1 Architect.

Close TM1 Architect.


Start NOTEPAD from Admin command prompt.

Open the tm1s.cfg file from d:\Program Files\ibm\cognos\tm1_64\samples\tm1\Proven_Techniques folder.

Change to IntegratedSecurityMode=5

Save the tm1s.cfg file and exit notepad.

Restart the TM1 windows service proven_techniques.


Wait a long time to allow the services to start.

Start TM1 Architect and login to proven_techniques, you should be prompted with the CA 11 login page, and come in as the user you have just added.


You need to repeat above step of adding users for your TM1 applications, so you get the first CAM user to be Admin inside the TM1 application.


To get TM1WEB and PMPSVC to work with CAM security you need to update some file in your Cognos BI (CA 11) server.


On your PA 2.0 Local (TM1) server unzip the file d:\program files\ibm\cognos\tm1_64\bi_interop\ to a new folder.

Stop the Cognos Analytics service (IBM Cognos)

Copy the webcontent to the folder d:\program files\ibm\cognos\analytics\webcontent to merge the content.

Copy the templates to the folder d:\program files\ibm\cognos\analytics\templates to merge the content.

Start Notepad from an admin command prompt, to be able to save the files later.

From inside notepad open the file d:\program files\ibm\cognos\analytics\webcontent\planning.html


// Update the following to point to the location of the planning service(s)

var planningServices = [""];

to point to the new PA (TM1) server

// Update the following to point to the location of the planning service(s)

var planningServices = [""];

Save the file.


From inside notepad open the file d:\program files\ibm\cognos\analytics\webcontent\pmhub.html


// Update the following to point to the location of the pmhub service(s)

var pmhubURLs = ["http://mypmhubserver1:9510",""];

to point to the new PA (TM1) server and to the PAW server, like this

// Update the following to point to the location of the pmhub service(s)

var pmhubURLs = ["",""];

Save the file.


From inside notepad open the file d:\program files\ibm\cognos\analytics\webcontent\tm1\web\tm1web.html


// Update the following to point to the location of the TM1Web service(s)

var tm1webServices = ["http://localhost:8080", "http://localhost:9510"];

to point to the new PA (TM1) server

// Update the following to point to the location of the TM1Web service(s)

var tm1webServices = [“”];

Save the file.

Start the CA 11 (IBM Cognos) service. Wait until it is started.

Start PMPSVC for the first time, now that you have CAM security in your application and support for it set up on the Cognos BI (CA 11) server.

Surf to


Ensure you can select your TM1 application in the dropdown list

(if the list is missing – please try a different web browser)

All URLs should be correctly populated.

If you are missing information – check the TM1 Cognos Configuration section. You may have a localhost line there.

Mark the Cognos BI dispatcher and click OK to save the settings (they are saved to the file d:\Program Files\ibm\cognos\tm1_64\webapps\pmpsvc\WEB-INF\configuration\fpmsvc_config.xml).

Now only applications with the same security (IntegratedSecurityMode=5) will work in the TM1 application portal (pmpsvc).

Users who need to access the admin functions in pmpsvc may need to be part of the first TM1 application you added to the list of PMPSVC TM1 applications (instances).

The new Planning Analytics Workspace (PAW) in IntegratedSecurityMode=1 points to ONE TM1 instance, which must contain the admin users who can change the PAW settings.

PAW only works with IntegratedSecurityMode=1 applications or IntegratedSecurityMode=5 applications; you cannot mix IntegratedSecurityMode for applications that interact with the PAW.

The simplest is to use IntegratedSecurityMode=1 in your application, but then the TM1 super user needs to handle the name and password administration.

With IntegratedSecurityMode=5 you can use the Active Directory (or LDAP) functions, and user and password administration can be handled by your IT department.
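
Because PAW and pmpsvc only accept instances that share one IntegratedSecurityMode, it helps to list the mode of every TM1 instance before connecting them. The PowerShell below is an added example, not IBM code or part of the original post; the function name, the temp folder and the two sample tm1s.cfg files are constructed for illustration.

```powershell
# Added example, not IBM code: list IntegratedSecurityMode per TM1 instance.
function Get-Tm1SecurityMode {
    param([Parameter(Mandatory)][string]$Path)      # full path to one tm1s.cfg

    $settings = @{}                                  # key lookup is case-insensitive
    foreach ($line in Get-Content -LiteralPath $Path) {
        $text = $line.Trim()
        # Skip blank lines, # comments and the [TM1S] section header
        if ($text -eq '' -or $text.StartsWith('#') -or $text.StartsWith('[')) { continue }
        $name, $value = $text -split '=', 2
        if ($null -ne $value) { $settings[$name.Trim()] = $value.Trim() }
    }
    $mode = $settings['IntegratedSecurityMode']
    if (-not $mode) { $mode = '(not set)' }          # report it rather than guess
    [pscustomobject]@{ ServerName = $settings['ServerName']; Mode = $mode; Config = $Path }
}

# Constructed sample input: two tm1s.cfg files in a temp folder (hypothetical layout)
$root = Join-Path $env:TEMP 'tm1cfg-sample'
$samples = @{
    'proven_techniques' = "[TM1S]`r`nServerName=proven_techniques`r`nIntegratedSecurityMode=5"
    'SData'             = "[TM1S]`r`nServerName=SData`r`n# native security`r`nIntegratedSecurityMode=1"
}
foreach ($name in $samples.Keys) {
    $dir = Join-Path $root $name
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-Content -LiteralPath (Join-Path $dir 'tm1s.cfg') -Value $samples[$name]
}

# Point $root at your own TM1 data root to check real instances
$report = Get-ChildItem -Path $root -Recurse -Filter 'tm1s.cfg' |
    ForEach-Object { Get-Tm1SecurityMode -Path $_.FullName }
$report | Format-Table ServerName, Mode, Config -AutoSize

$modes = @($report | ForEach-Object { $_.Mode } | Sort-Object -Unique)
if ($modes.Count -gt 1) {
    Write-Warning "Mixed IntegratedSecurityMode values ($($modes -join ', ')): PAW cannot work with a mix."
}
```

With the two sample files the script lists one instance in mode 5 and one in mode 1 and prints the warning.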


Before installing docker;


Check that VT-x is enabled on the Microsoft Windows 2012 server, by downloading and installing the Intel processor identifier. Download it from here:
Run the utility, and go to the CPU technologies tab. The Intel VT-x with EPT must read a value of Yes. If No, you must activate VT-x in your system before we start installing PA 2.0 Local PAW.


This means your VMware guru needs to change the host BIOS, enable VT-x support in the host VMware console, and change VT-x support for the image you plan to run PAW in.

Note that some versions of Hyper-V or VMware do not support VT-x; there you cannot install PAW.

Best is to create a folder, d:\vbox, for the virtual machines on your server.

Go to Control Panel \System and Security\System.

Click on Change Settings.

Go to the “Advanced” tab.

Click on Environment Variables.


Set the “MACHINE_STORAGE_PATH” system variable to point to folder d:\vbox


Go to CMD prompt and enter SET to see a list of all variables in use.

Check that the MACHINE_STORAGE_PATH is listed correctly.



For Microsoft Windows 2012 you must download the “docker toolbox” installation program.

Right click on DockerToolbox.exe and select “run as administrator”.

Untick ‘help Docker improve Toolbox’ and click Next.


Enter the path for the program (d:\program files\docker toolbox) and click Next.


Choose Full Installation and click Next.


At additional tasks, uncheck ‘Install VirtualBox with NDIS5 driver’ and click Next.


Click Install.


If you get the question to install ‘Oracle Corporation Universal Serial Bus’, click Install.


Uncheck ‘View Shortcuts in File Explorer’ and click Finish.


This should give you some new icons on the desktop for Oracle VM VirtualBox.

To get VBOX to run as a service you need to download VBoxVmService-5.1-Plum.exe from

This will only work with VirtualBox Version 5.1.

The only help I found was here;



It is important to reboot the Windows server before installing the PAW program.

You need to download the latest PAW installation file from IBM Fix Central.

Unzip the file to a folder on the server.


Place the files in an easily accessible folder, because you will check the log files here.

The start.bat file contains values you can change.


Open it in Notepad before installation, to change the memory the PAW image will use and the ports the program will use. If it is run on its own server, then leave the default ports at 80 and 443.

If we install it on the same server where we have Cognos BI or IIS installed, then change the ports to 9580 and 9543 (so they will not collide with IIS port 80).

You should not change the CPU COUNT to less than 4 CPUs, or it will become slow.

Your host server must have at least the same number of CPUs, and it is best if it has 2-4 GB more RAM than PAW will use.

If your VMware host uses the network 192.168.40.x you should change the Networks values to a different, unused network.


Example of START.BAT shown below:

@echo off

REM Start up a bash shell and run the Windows start script for IBM Planning Analytics Workspace














REM Avoid a breaking change in Docker Compose 1.9



REM Share the parent directory with the Virtual Machine

cd %PAW_DIR%/..


cd %PAW_DIR%




SET VALUE_NAME="InstallPath"


FOR /F "tokens=2*" %%A IN ('REG.exe query "%KEY_NAME%" /v "%VALUE_NAME%"') DO (set GIT_PATH=%%B)


IF NOT "%GIT_PATH%"=="" (

SET BASH_PATH=%GIT_PATH%\bin\bash.exe

) ELSE (

SET BASH_PATH=C:\Program Files\Git\bin\bash.exe

)

if exist "%BASH_PATH%" (


start "IBM Planning Analytics Workspace Administration" "%BASH_PATH%" --login -i "scripts\"

) else (

@echo on

echo Install Docker Toolbox for Windows and try again.

explorer ""

)


On the Windows server right click on start and select ‘command prompt (admin)’.

In the CMD window, CD to the folder where you have your Start.bat.


Enter START.BAT to start the PAW installation.

You must enter START.BAT, if you enter only START it will fail.

The program will check the ports, and give you an option to change the memory and CPU usage.

Creating the virtual machine “paw” takes a very long time.


Press Y when you get the question about starting the Administration Tool.


This will start an IE browser on your host, accessing the Admin page. Accept both licenses before you can move on.


In the Configuration tab you should enter your TM1 server's name.

TM1 Admin server URI =

TM1 Application Server Gateway URI =

Under Authentication Mode, when using TM1, you should point to the Windows server where you have your TM1 instance, using a specific port. That TM1 application will control who has access to the Administration tool.

TM1 Login Server URI=

(Note that all new functions use the new HTTPport for access.)


Click on the Validate button to check that the values you entered are working.

If you get an Error: Request timed out after 10010ms, you may have entered the wrong port number.

Click UPDATE when you get the Validate to work.


The start of PAW will take some time, click on STATUS and then on REFRESH to see the progress.

When CPU usage is low like 1%, then it is ready and you can surf to the PAW (Planning Analytics Workspace).

Surf to http://PAwservername:9580/


Login with the user and password you have in your TM1 application.


In our test, click on a new book and expand and drag some view of the cube onto the canvas.


Click on the Save icon at the upper left side to save your designs.


Here are some error messages you may get when installing PAW

(The log files are found in folder d:\install\ipa_workspace_local_2.0.20.770.4\log\admintool)


Docker Machine is not installed. Please re-run Toolbox Installer and try again.


Reboot your Windows server.


Creating CA: D:\vbox\certs\ca.pem

Creating client certificate: D:\vbox\certs\cert.pem

Running pre-create checks…

(paw) Image cache directory does not exist, creating it at D:\vbox\cache…

(paw) No default Boot2Docker ISO found locally, downloading the latest release…

(paw) Latest release for is v17.05.0-ce

(paw) Downloading D:\vbox\cache\boot2docker.iso from…



Good: you had an internet connection, so it could download the file.


Running pre-create checks…

Error with pre-create check: “This computer doesn’t have VT-X/AMD-v enabled. Enabling it in the BIOS is mandatory”


Change the VMware host to support VT-x.


Invalid command line. Found extra arguments [--virtualbox-no-share --virtualbox-hostonly-cidr --virtualbox-memory 6144 --virtualbox-cpu-count 4 --virtualbox-disk-size 20000 paw]


You have been changing the file \scripts\ in an attempt to get past the VT-x issue.

Check that you have not missed a space.


Running pre-create checks…

(paw) Image cache directory does not exist, creating it at C:\machine\cache…

(paw) No default Boot2Docker ISO found locally, downloading the latest release…

Error with pre-create check: “Get dial tcp: lookup getaddrinfow: No such host is known.”


Place the file boot2docker.iso in the correct folder, d:\vbox\cache

Try again to run the Start.bat file
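
Several of the failures above can be caught before START.BAT is run. The PowerShell below is an added example, not part of the PAW installer or the original post; the function name is hypothetical, and the d:\vbox folder and the ports 9580 and 9543 are the values used on this page.

```powershell
# Added example, not part of the PAW installer: checks to run before START.BAT.
function Test-PawPrerequisite {
    param(
        [string]$StoragePath = 'd:\vbox',        # folder set in MACHINE_STORAGE_PATH
        [int[]]$Ports = @(9580, 9543)            # ports chosen in START.BAT
    )

    # 1. The variable must exist at system level, not only in the current session
    $actual = [Environment]::GetEnvironmentVariable('MACHINE_STORAGE_PATH', 'Machine')
    [pscustomobject]@{
        Check  = 'MACHINE_STORAGE_PATH'
        Ok     = ($actual -eq $StoragePath)
        Detail = "system value is '$actual'"
    }

    # 2. A cached ISO avoids the download that fails without internet access
    $iso = Join-Path $StoragePath 'cache\boot2docker.iso'
    [pscustomobject]@{
        Check  = 'boot2docker.iso (only needed offline)'
        Ok     = (Test-Path -LiteralPath $iso)
        Detail = $iso
    }

    # 3. Nothing else (IIS, Cognos) may already listen on the PAW ports
    foreach ($port in $Ports) {
        $inUse = @(Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
        $detail = 'free'
        if ($inUse.Count -gt 0) { $detail = 'already in use' }
        [pscustomobject]@{
            Check  = "TCP port $port"
            Ok     = ($inUse.Count -eq 0)
            Detail = $detail
        }
    }
}

Test-PawPrerequisite | Format-Table -AutoSize
```

Run it from the same admin prompt you will use for START.BAT; any row with Ok = False points at the matching step earlier on this page.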



If not already started, run START.BAT and select NO on update PAW; instead say YES to start the Admin configuration.


Here at the Configuration tab click on the CAM button and fill in the values for the BI server.

IBM Cognos BI Gateway URI =

IBM Cognos BI Dispatcher URI =

IBM Cognos BI Authentication Namespace ID = Exactly the same Namespace ID you entered in Cognos Configuration for CA 11 (this is case sensitive).


Click on validate and OK.

Go to status tab and click on the RESTART button to make the changes take effect.


Errors you may see when working in PAW:


Cannot get the data.

Cannot create the session for server SDATA.

The SDATA application uses native security and you have set up PAW to use CAM security.

Only use CAM security enabled TM1 applications with your PAW installation.


The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

Wait or reboot the services.


It is important to reboot the Windows server before configuring PAW to run as a service.

Right click on VBoxVmService-5.1-Plum.exe and select run as administrator.


Mark “I accept the agreement” and click next.


Click install.


Click finish.


Open the file d:\vms\VBoxVmService.ini in notepad.

Looks like this;
















Change it to point to your location for images, which is d:\vbox\machines

Change it to handle the paw image and take away the last image.

Should look like this now









Save the file.

Restart the server.

The log file will be written to d:\vms\VBoxVmService.log

Check the log file to ensure the service starts up correctly.

You must test rebooting the Windows server to find the best settings for this VBox service to work with PAW.

Example of Error you can get:

Callee RC  E_FAIL (0x80004005)

You have too little free memory; the last shutdown of the VBox did not work.

Reboot the Windows server.



Run the START.BAT from a command prompt to get to a java prompt.


Enter scripts/ stop to stop the server


Enter scripts/ to stop paw services and make a backup and start them again


All the example scripts you can use are in this folder: d:\install\ipa_workspace_local_2.0.20.770.4\scripts

Explore and create better scripts for your use.


The backup files are stored in a folder under d:\install\ipa_workspace_local_2.0.20.770.4\backup.


You can back up the TM1 application with a bat file that contains these lines (you need to adjust the paths for your environment):

REM execute the backup command on data folder

"d:\program files\7-zip\7z" a d:\pal\planning\work\backup\ -r d:\pal\planning\datafiles\*.*

TM1 reboot

Stop these WINDOWS services before you reboot your server with PA 2.0 Local









When the TM1 instance is down, you can also make a backup of the log files folder.

More information:

Note: in code copied from this page, replace any typographic (curly) quotes with straight quotes (") to make it work.