Product:
Planning Analytics 2.0.5
Microsoft Windows 2016 server

Problem:
A security audit reports that access to the TM1 Admin service is not secure enough. Ports 5498 and 5898 show this:
Negotiated with the following insecure cipher suites:
TLS 1.0 ciphers:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS 1.1 ciphers:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

Vulnerability Solution:
Enable support for at least one of the ciphers listed below:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Possible solution:
In Cognos Configuration, the TM1 Admin Server value "Support pre-TLS v1.2 clients" is set to TRUE. Set it to FALSE to solve the issue above.

Change to FALSE.
Save settings.
When the TM1 Admin Server restarts, all running TM1 instances are restarted as well, which can take time. Do this at a planned date.
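
Why the audit flags these suites while the ones in the recommended list pass, as an added example (not part of the original post and not IBM tooling): the script reads a finding in the layout quoted above and lists the weaknesses visible from each suite name. The sample text and the function names are constructed for illustration.

```python
import re

# Constructed sample input: an audit finding in the layout quoted in this post.
FINDING = """\
TLS 1.0 ciphers:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS 1.1 ciphers:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
"""

# Matches one suite name; also splits names that a report ran together on a line.
SUITE = re.compile(r"TLS_(?:(?!TLS_)[A-Z0-9_])+")
PROTO = re.compile(r"^TLS\s*v?(\d\.\d)\s+ciphers:", re.I)

def suite_issues(name):
    """Return the weaknesses visible in an IANA-style suite name."""
    kx, _, rest = name[len("TLS_"):].partition("_WITH_")
    issues = []
    if not kx.startswith(("ECDHE", "DHE")):
        issues.append("no forward secrecy (static %s key exchange)" % kx)
    if "3DES" in rest:
        issues.append("3DES, 64-bit block cipher")
    if "_GCM_" not in rest and "CHACHA20" not in rest and "_CCM" not in rest:
        issues.append("not an AEAD cipher")
    return issues

def review(finding):
    """Map (protocol, suite) -> list of issues for every suite in the finding."""
    result, proto = {}, None
    for line in finding.splitlines():
        m = PROTO.match(line.strip())
        if m:
            proto = m.group(1)
            continue
        for name in SUITE.findall(line):
            issues = suite_issues(name)
            if proto is not None and float(proto) < 1.2:
                issues.insert(0, "offered over TLS %s" % proto)
            result[(proto, name)] = issues
    return result

if __name__ == "__main__":
    for (proto, name), issues in review(FINDING).items():
        print(proto, name, "->", "; ".join(issues) or "ok")
```

After the setting is changed and the Admin Server has restarted, rerun the audit and feed the new finding to `review()`; no suite should remain under a TLS 1.0 or TLS 1.1 heading.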

More information about ports:
http://www.practicallynetworked.com/sharing/app_port_list.htm
http://www.networksorcery.com/enp/protocol/ip/ports04000.htm

Ports used by CA11
https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/c_reviewthedefaultsettings.html

Ports used by PAL
https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_tm1_inst_defaultvaluesfortm1installation.html

 

https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_configuringthetm1adminservertousessl_n12010f.html

This can also help secure the TM1 Admin service:

TM1 Admin Server Certificate Version: Specifies which version of the TM1 generated certificates to use.

By default, the 1024-bit encryption version of the TM1 generated certificates is used.

Change this property only if you want to use the new 2048-bit encryption version of the default certificates. You can use the new version with old and new TM1 clients, but you must configure the clients to use the new certificate authority file.

Note: This property does not apply if you are using your own certificates.

Valid values include:

  • 1 – Enables certificate authority for 1024-bit encryption with sha-1 (default value)
  • 2 – Enables certificate authority for 2048-bit encryption with sha-256

Product:
Cognos Controller 10.4
Microsoft Windows 2016 server

Problem:
When doing currency conversion in a consolidation, you get the error “ActiveX component can’t create object”.

When you check the Windows event log, you find an error similar to this:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{4DAC0D14-D942-47CD-9A74-CBFC5BBFA14E}
and APPID
{6591F1B8-A9EF-45FA-A403-2850BD72D910}
to the user DOMAIN\USERNAME SID (S-1-5-21-55472620-132315974-3481569866-49656) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Service

Suggested Solution:
Log in to the Cognos Controller Windows server.
Go into IIS Manager.
Go to the application pools.
Select the application pool for Controller (it can be .NET v4.5 or Controller, depending on what you have named it) and click Advanced Settings.

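Under Process Model, change Identity from ApplicationPoolIdentity to LocalSystem. LocalSystem runs the pool with full local privileges; the event log message above points to Component Services as the place where the Local Activation permission itself can be modified.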
Also ensure the Idle Time-out is 600 minutes, and not the default 20 minutes.
Click OK
Restart the IIS service.


You also need to go into Controller Configuration.
Change COM+ server to use Local System Account.
Save the changes.

Retry the currency conversion.

More information:

https://www-01.ibm.com/support/docview.wss?uid=swg21608353
https://www-01.ibm.com/support/docview.wss?uid=swg21347488
https://www-01.ibm.com/support/docview.wss?uid=swg21459682

Product:
Planning Analytics 2.0.5
Planning Analytics Workspace 2.0.38

Problem:
An error message appears when you right-click some TI processes in PAW and select Edit Process. Other processes open fine in PAW.

Error Message:

{“errorMessage”. “Error: Internal Server Error\r\nSystemOutOfMemory\r\n\r\n”, “/api/v1/Cubes (‘cubename’)/Views(‘All’)/tm1.Execute”,”httpStatusCode”:500)

Background:
PAW is trying to show too large a preview of the selection. If the process has a cube view as data source, and that view is large, like All, then you can get this error. It will work for a smaller cube view. When you edit a TI process in TM1 Architect, this error does not show.
If you check the TM1SERVER.LOG you will find this message:
8024 [34] WARN 2019-03-04 09:30:44.083 TM1.Server.Memory al_Alloc() outOfMemory Exception <<< MEMORY_TEMP_POOL_EXCEEDED >>> MaximumViewSize memory exceeded – apifunc# “0” – pool# “0” – poolsize “201318656.000000”

You can get the same behavior in TM1 Architect if you open a cube and try to view all content.
TM1 Error
All: Maximum memory for action exceeded.
View may be too large.
Operation aborted.

Then in TM1SERVER.LOG the error is like this:
4908 [22] WARN 2019-03-04 11:52:24.469 TM1.Server.Memory al_Alloc() outOfMemory Exception <<< MEMORY_TEMP_POOL_EXCEEDED >>> MaximumViewSize memory exceeded – apifunc# “326” – pool# “0” – poolsize “201318656.000000”

You can still edit the TI process, so this warning should not be a concern.
Check in your TM1S.CFG file that MaximumViewSize is not set to a low value. In most cases you should manage with the default values.

More Information:
https://www-01.ibm.com/support/docview.wss?uid=swg21380704
https://www-01.ibm.com/support/docview.wss?uid=swg21639609
https://www.ibm.com/support/knowledgecenter/en/SS9RXT_10.2.2/com.ibm.swg.ba.cognos.tm1_inst.10.2.2.1.doc/c_maximumviewsize_1.html