Planning Analytics 2.0.8 workspace
Microsoft Windows 2016 datacenter

When you surf to PAW (on a Windows 2016 server) and enter a name and password for the TM1 native login method, the screen flickers and nothing happens. You see the blank login screen again.
If you surf from a local computer it works fine; it is only when you surf over a VPN tunnel from a partner's laptop that you cannot log in.
If you surf to the PAW from a server, there is no problem; it works fine.

Check that your antivirus program is not stopping the connection because it is unsecured.

For example, Bitdefender Internet Security can have a policy (feature: Online Threat Prevention) that reports:
“Privacy threat blocked
An attempt to send your password unencrypted was about to occur on servername. We blocked the connection to stop your private data from being exposed and tampered with.”

Click on Add to exceptions, and add the PAW server to your internet security program's exceptions list.
The other solution is to add HTTPS to your PAW server, so that the password is no longer sent unencrypted.

Also ensure that you are not using the same subnet as the PAW Docker network. Normally the PAW Docker network is a 172.x.x.x network.
You change the Docker network in the file C:\ProgramData\docker\config\daemon.json with the following contents:
“fixed-cidr”: “”

You need to restart docker.

More information:

Planning Analytics 2.0.8
Planning Analytics Workspace 45
Microsoft Windows 2016 server

After a reboot of the server, the Docker service does not start. If you log in to the server and click Start in the service manager, it will start. Ensure that you wait 5 min before testing with “start”.

Suggested Solution:
Check the format of the c:\programdata\docker\config\daemon.json file.
If it contains illegal characters, the Docker service will not start.

If you enter docker ps or docker version to see running containers you get this message:

If you check the C:\ProgramData\docker\panic.log you may see this:

Failed to fire hook: The interface is unknown lock:
This means it did not get the response it needed in time, but the Windows service will try again in a few minutes, so wait and see if it starts.

If you check the windows event log, you may see this:

Open the file c:\programdata\docker\config\daemon.json in Notepad++.
Ensure it looks correct and does not have any errors.

Debug parameter will write more information in the Windows Event log for Docker. When you have issues with Docker, check the Windows Event log for any errors.

You can copy the text in the json file to this site, to validate
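
A local check that keeps the configuration on the server instead of pasting it into a web site. This is an added example, not part of the original post; the page does not say which characters are illegal, so the byte-order-mark, non-ASCII and fixed-cidr checks are assumptions about the usual culprits, and Test-DaemonJson is a hypothetical helper name.

```powershell
function Test-DaemonJson {
    param([string]$Path = 'C:\ProgramData\docker\config\daemon.json')

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Byte-order marks sit in front of the first brace and are invisible in most editors.
    if ($bytes.Length -ge 2 -and (($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) -or
                                  ($bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF))) {
        return 'File is saved as UTF-16; save it as UTF-8 without BOM.'
    }
    $problems = @()
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $problems += 'File starts with a UTF-8 byte-order mark; save it as UTF-8 without BOM.'
    }
    $text = [System.Text.Encoding]::UTF8.GetString($bytes).TrimStart([char]0xFEFF)

    # Report every character outside printable ASCII with its position, so
    # typographic quotes pasted from a web page are easy to find.
    $lineNo = 0
    foreach ($line in ($text -split "`r?`n")) {
        $lineNo++
        foreach ($m in [regex]::Matches($line, '[^\x09\x20-\x7E]')) {
            $problems += ('Line {0}, column {1}: character U+{2:X4}' -f
                          $lineNo, ($m.Index + 1), ([int][char]$m.Value))
        }
    }

    try   { $cfg = $text | ConvertFrom-Json -ErrorAction Stop }
    catch { return $problems + "Not valid JSON: $($_.Exception.Message)" }

    # fixed-cidr, when present, must be an IPv4 network in CIDR notation.
    $cidr = $cfg.'fixed-cidr'
    if ($null -ne $cidr -and $cidr -notmatch '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$') {
        $problems += "fixed-cidr '$cidr' is not in a.b.c.d/nn form."
    }
    return $problems
}

$found = @(Test-DaemonJson)
if ($found.Count) { $found | ForEach-Object { Write-Warning $_ } } else { 'daemon.json looks clean.' }
```

Windows PowerShell's ConvertFrom-Json tolerates some input that a strict JSON parser rejects, so a clean result narrows the search rather than proving the file will be accepted.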

There can be other causes for the Docker service not starting.

Ensure that one network card is prioritized, and that your DNS is working from this server.

You also need at least 4 CPUs and 32 GB RAM on the PAW server.

More information:

Planning Analytics 2.0.8
Planning Analytics Workspace 45
Microsoft Windows 2012 server

When you surf to your PAW and go to the Administrator page, tab Databases, it says the Agent is not available.

Even though you are on the same server, you need to open Windows Firewall inbound port 9012 to give PAW access to the PA Agent.

Go to Control Panel
Go to Administrative tools
Go to Windows Firewall
Click Inbound Rules
Click New Rule
Select Port
Enter 9012 (and the other TM1 ports) at Specific Local ports
Click Next to keep Allow the connection
Click Next to keep the rule applied to all domains
Enter a name like “Cognos TM1”
Click Finish

Now it should work.

When you check a previously made firewall rule, it can look like this:

More Information:

Cognos Analytics 11.0.13
Cognos Controller 10.4.1 (10.4.1100.133)
Microsoft Windows 2012 R2 standard server

Surfing to http://servername/IBMCOGNOS gives error HTTP 403, and no Cognos Analytics page.
The website declined to show this webpage – HTTP 403 Forbidden

You may also get an error like this:
Service Unavailable
HTTP Error 503. The service is unavailable

The above error can be because the Application Pool is using the wrong user:
1) From the Start menu, click Control Panel, and then double click to open Administrative Tools.
2) Double click Internet Information Services.
3) Right click on Application Pools and select Properties.
4) Click the Identity tab.
5) If the predefined option is set to Network Service, change it to Local System, or leave it at ApplicationPoolIdentity.

It can also be that the above user does not have access to the NTFS files.

Most commonly, the URL Rewrite rules have not been created. Check in IIS on the /ibmcognos/bi folder to see if there are any URL Rewrite rules. If the rules are missing, it may be because there were leftovers of old virtual folders in IIS, like controllerbin or controllerhelp.

You must remove them first, then remove SSO and IBMCOGNOS, as below:
– Open IIS
– Click on Application Pools
– Select the Cognos 11 App Pool and stop it
– Stop also any App Pool for Cognos Controller
– Expand everything
– Select the ibmcognos -> controller folder and remove it
– Select the ibmcognos -> controllerbin folder and remove it
– Select the ibmcognos -> controllerserver application and remove it
– Select the ibmcognos -> sso application and remove it
– Select the ibmcognos application and remove it
– Click on Application Pools, select the Cognos app pool, and delete it
– Close IIS

Open your file explorer
– Navigate to the Cognos gateway install directory
– Delete the following web.config files:
Then you can run the CA11 install IIS script again.

More Information:

Planning Analytics 2.0.6 Workspace
Microsoft Windows 2016 Server

How to use OPENSSL to convert certificates from company CA pfx file to the pem format needed by PAW?

Download OPENSSL from
or from – get the file Git-2.23.0-64-bit.exe. Run the installation with all default values.
When installing Git you will get a local openssl tool that you can access from the command line:
“c:\program files\git\mingw64\bin\openssl.exe”

If you get a certificatechainfile.pfx file that you should use, you can convert it with the following command in CMD:
openssl  pkcs12  -in  c:\temp\your.pfx  -out  c:\temp\good.pem  -nodes

Then you need to open good.pem in Notepad++, remove the lines that are not needed, and save it as pa-workspace.pem. It should have these certs in the file:
(Your Private Key: your_domain_name.key)
(Your Server certificate: your_domain_name.crt)
(Your Intermediate certificate: IntermediateCA.crt)
(Your Root certificate: TrustedRoot.crt)

How to set up TLS (SSL) for PAW:

(Do the steps in your TEST environment first, to ensure they work for you.)

Export the root and intermediate certificates first.
Start Internet Explorer and surf to a company internal site.
Click on the padlock icon.
Click view certificates.
Click Certificate Path tab.

Mark root cert and click view certificate.
Click Details tab.
Click “copy to file” button.
Click Next.

Select Base-64 encoded X.509 (.CER) and click Next.
Browse to your c:\temp folder and enter a name.

Click next and finish.
Repeat above steps for the intermediate cert.

Copy these two cer files to the d:\ibm\paw\config\certs folder.
Rename the cer files to pem.
Start Powershell as administrator.
Go to folder d:\ibm\paw\scripts.
Run .\process_certs.ps1 to include the root cert in the cacerts file.

Stop the paw with command d:\ibm\paw\scripts\paw.ps1 stop.
Go to the d:\ibm\paw\config\ssl folder.
Rename pa-workspace.pem to

If you got a .pfx file from the company that includes the private key, the server cert, and the intermediate and root certs, you convert it with this command:
openssl pkcs12 -in your.pfx -out good.pem -nodes

Open good.pem in Notepad and remove the lines that come above each -----BEGIN CERTIFICATE----- line but after the previous -----END line.
Save the file. It should now contain only the blocks of cryptic encoded text.

Copy the good.pem file to folder d:\ibm\paw\config\ssl and rename it to pa-workspace.pem
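
The manual clean-up of good.pem described here and in the conversion section earlier can be scripted. The following is an added example, not part of the original post or of the PAW scripts: it keeps only the PEM blocks and writes them in the order listed earlier (private key, server, intermediate, root). The c:\temp paths are the ones used on this page and the variable names are illustrative.

```powershell
param(
    [string]$InFile  = 'c:\temp\good.pem',
    [string]$OutFile = 'c:\temp\pa-workspace.pem'
)
$text = Get-Content -Raw -Path $InFile

# Keep only the PEM blocks; the "Bag Attributes" lines between them are dropped.
$blocks = [regex]::Matches($text, '(?s)-----BEGIN ([A-Z ]+)-----.*?-----END \1-----')
$keys   = @($blocks | Where-Object { $_.Groups[1].Value -like '*PRIVATE KEY' })
$certs  = @($blocks | Where-Object { $_.Groups[1].Value -eq 'CERTIFICATE' })
if ($keys.Count -ne 1) { throw "Expected one private key, found $($keys.Count)." }
if (-not $certs.Count) { throw 'No certificates found.' }

# Decode each certificate so the chain can be ordered by subject and issuer.
$parsed = @(foreach ($c in $certs) {
    $der = [Convert]::FromBase64String(($c.Value -replace '-----[^-]+-----|\s', ''))
    [pscustomobject]@{
        Pem  = $c.Value
        X509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }
})

# The server certificate is the one that did not issue any other certificate in the file.
$issuers = @($parsed | Where-Object { $_.X509.Subject -ne $_.X509.Issuer } |
             ForEach-Object { $_.X509.Issuer })
$leaf = @($parsed | Where-Object { $issuers -notcontains $_.X509.Subject })
if ($leaf.Count -ne 1) { throw 'Could not identify a single server certificate.' }

# Walk from the server certificate up to the root.
$chain = @($leaf[0]); $cur = $leaf[0]
while ($cur.X509.Subject -ne $cur.X509.Issuer -and $chain.Count -lt $parsed.Count) {
    $next = $parsed | Where-Object { $_.X509.Subject -eq $cur.X509.Issuer } | Select-Object -First 1
    if (-not $next) { Write-Warning "Issuer missing from file: $($cur.X509.Issuer)"; break }
    $chain += $next; $cur = $next
}

# Private key first, then server, intermediate and root certificate.
$pem = @($keys[0].Value) + @($chain | ForEach-Object { $_.Pem })
Set-Content -Path $OutFile -Value ($pem -join "`n") -Encoding Ascii
$chain | ForEach-Object { $_.X509.Subject }
Write-Warning "$InFile and $OutFile hold the private key unencrypted (-nodes); delete $InFile after copying and restrict who can read the ssl folder."
```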

Open d:\ibm\paw\config\paw.ps1 file in notepad++.
Change all HTTP to HTTPS.

At the end of the file, add these two lines:


Save the file.
Go to the d:\ibm\paw\ folder.
Run ./Start.ps1 to start the PAW administration.
Click on the Validate button. Ensure all URLs are correct: do they point to the correct CA11 or TM1 servers?
Click on the Update button.
Restart PAW; this can also be done from PowerShell with the command d:\ibm\paw\scripts\paw.ps1

You must add ibmtm1.arm cert to your CA11 servers:

You must add SSL (TLS) cert to your TM1WEB servers:

More Information:

Common OPENSSL commands (from SSL Shopper):

These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.

  • Generate a new private key and Certificate Signing Request
    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
  • Generate a self-signed certificate (see How to Create and Install an Apache Self Signed Certificate for more info)
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
  • Generate a certificate signing request (CSR) for an existing private key
    openssl req -out CSR.csr -key privateKey.key -new
  • Generate a certificate signing request based on an existing certificate
    openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
  • Remove a passphrase from a private key
    openssl rsa -in privateKey.pem -out newPrivateKey.pem

Checking Using OpenSSL

If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using SSL Shopper online tools.

  • Check a Certificate Signing Request (CSR)
    openssl req -text -noout -verify -in CSR.csr
  • Check a private key
    openssl rsa -in privateKey.key -check
  • Check a certificate
    openssl x509 -in certificate.crt -text -noout
  • Check a PKCS#12 file (.pfx or .p12)
    openssl pkcs12 -info -in keyStore.p12

Debugging Using OpenSSL

If you are receiving an error that the private key doesn’t match the certificate or that a certificate that you installed to a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Shopper SSL Checker.

  • Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key
    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    openssl rsa -noout -modulus -in privateKey.key | openssl md5
    openssl req -noout -modulus -in CSR.csr | openssl md5
  • Check an SSL connection. All the certificates (including Intermediates) should be displayed
    openssl s_client -connect

Converting Using OpenSSL

These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use SSL Shopper SSL Converter to convert certificates without messing with OpenSSL.

  • Convert a DER file (.crt .cer .der) to PEM
    openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Convert a PEM file to DER
    openssl x509 -outform der -in certificate.pem -out certificate.der
  • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
    openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

    You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CAC

Planning Analytics 2.0.6
Microsoft Windows 2016 Terminal Server

On a new install of TM1 Architect on a Terminal Server, the list of TM1 instances does not show up. They show up if you run TM1 Architect directly on the TM1 server.

Check Windows Firewall on both the Terminal Server and on your TM1 (PAL) server.
Go to Run from the Start menu, enter wf.msc and press OK.
Add an inbound rule that opens ports 5495 and 5498.
Save it as Cognos TM1 rule and check if it works again.

If you get a list of TM1 instances but cannot connect to them, then you are missing the higher ports you have defined in TM1S.CFG.
Go back into Windows Firewall and add a port range like 12345-12360 to your Cognos firewall rule.
Save and try again.

You need ports 5495 and 5498 for TM1 Architect. 5895 and 5898 are the Admin Server REST interface ports (like HTTPPort for TM1 servers); 5898 is used with TLS 1.2.
Then you need the ports you specify in the TM1 applications; it is best to set a range like 12345-12360 and then update every TM1S.CFG file with unique values:

More Information:

Port 9300 is for Cognos Analytics (BI dispatcher).
Port 9510 is for TM1WEB and PMPSVC.
Port 5495,5498,5895,5898 is for TM1 Admin service.
Port 9012 is for the TM1 Agent.
Port 80 and 443 is for PAW or CA11 web-gateway ibmcognos.
There are other ports, but they are for communications between servers.

Cognos Analytics 11.0.13 fix pack 2
Microsoft Windows Server 2016

Only a spinning circle when I surf to after we have applied a fix pack to CA11.

Clear the Internet explorer cache.
Launch IE (not chrome)
Tools – Internet Options – under ‘General’ tab click on “Settings” under ‘Browsing History’
Select ‘Every Time I visit the webpage’
Click OK
Clear out the cache by clicking the Delete button
Remove the mark for “Preserve Favorites website data”
Click Delete
Click OK
Close IE and launch IE then try again.

More information:

Planning Analytics Workspace 36
Microsoft Windows 2016 Server

When you open PAW and create a new book, there are no TM1 servers/applications listed under databases.

If you only miss access to the TM1 instances, then you can see an error like unable to fetch data for content tree. Session can not be established for server: Planning Sample 500 (internal server error) “code”,”Explorer”,”refID”,”message”,”Failed to get children for Server Cubes”,”Cause”…. ConnectTimeoutException….

When you validate the IBM Planning Analytics Workspace Administration Tool, and get time out on the TM1 Admin Server URI – it can be because the Windows Firewall is blocking port 5898.

The Microsoft Windows firewall is blocking the traffic to the TM1 Admin service, and the rest api port to the TM1 instances.
Go to Run from the start menu, enter wf.msc and press OK.
This will start the Windows Firewall.
Expand Inbound Rules
Click New Rule
Select Port and click next
Enter the needed ports; which ones depends on the TM1 instances. Below are the ports for the standard samples:
9300, 9510, 5898, 9012, 8888, 12354, 8014, 5010, 44312, 8011, 5011, 8010
Click Next
Mark Allow the connection click Next
Click Next to apply rule everywhere
Enter the name Cognos and click Finish

Try again.

If you still get 401 errors, you may need to restart the Windows server to make the Firewall changes kick in.

Port 9300 is for Cognos Analytics (BI dispatcher)
Port 9510 is for TM1WEB
Port 5898 is for TM1 Admin service
Port 9012 is for the TM1 Agent
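
The inbound rules from the firewall steps on this page (TM1 Agent, TM1 Architect on a Terminal Server, PAW to the Admin Server) can also be created from PowerShell, limited to the machines that need them instead of any remote address. This is an added example, not part of the original posts; the rule names, the grouping and the $AllowedRemote range are assumptions to replace with your own values.

```powershell
# $AllowedRemote is a placeholder (documentation range); use the real addresses of
# the PAW host, the Terminal Server and other clients that must reach TM1.
$AllowedRemote = @('192.0.2.0/24')

$rules = @(
    @{ Name = 'Cognos TM1 - Admin Server'; Ports = @('5495', '5498', '5895', '5898') }
    @{ Name = 'Cognos TM1 - Agent';        Ports = @('9012') }
    @{ Name = 'Cognos TM1 - Instances';    Ports = @('12345-12360') }   # range set in TM1S.CFG
    @{ Name = 'Cognos TM1 - TM1Web';       Ports = @('9510') }
)

foreach ($r in $rules) {
    $existing = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
    if ($existing) {
        # Re-running the script updates the rule instead of stacking duplicates.
        $existing | Set-NetFirewallRule -Enabled True -Action Allow -Protocol TCP `
            -LocalPort $r.Ports -RemoteAddress $AllowedRemote
    } else {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $r.Ports -RemoteAddress $AllowedRemote | Out-Null
    }
}

# Show what is now in place: ports and the remote addresses each rule accepts.
Get-NetFirewallRule -DisplayName 'Cognos TM1 - *' | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        LocalPort     = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    }
} | Format-Table -AutoSize
```

From the client side, Test-NetConnection servername -Port 5898 shows whether the Admin Server port is reachable through the rule.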

More information:

Planning Analytics 2.0.6
Planning Analytics Workspace version 36
Microsoft Windows 2016 server

How to add many users to PAW?

Ensure that SSO and CAM security is working in TM1 (Planning Analytics).
Check the domain name in Cognos Configuration; it needs to be entered in the file.
If the Cognos namespace ID is Pacman, then it must be part of the file. It is case sensitive.
Open Notepad (or Excel) and enter the names like this:
Pacman/Donald Duck,Donald,Duck,administrator,,active
Pacman/Daisy Duck,Daisy,Duck,analyst,,active

Save the file as a comma separated list.
Surf to your PAW installation.
Click on Administration
Click on Users
Click on upload users

Click on the icon of the file to browse for the file.
Select and Open the file
Now the users should be added to your PAW, so they can start working.
Please use this to add new administrators, direct after your first setup of PAW.

One user per line, and you must separate columns with comma. Should contain Login ID, First Name, Last Name, Role, Email, Status. Only the 3 first are required.

More information: