by ·Comments Off on HTTP Error 431

Product:

Planning Analytics Workspace 2.1.14
Cognos Analytics 12.0.3

Microsoft Windows 2022 server

Issue:

Sometimes we can not login, but it work if we start a different web browser on your computer. Try EDGE instead of CROME.
Note that PAW and TM1WEB looks like it use different whys to handle cookies at login.

CA may time out and throw one of the following errors:

  • Unexpected Server Response
  • HTTP Error 431
  • Unable to Load Requested View
  • Cannot read properties of undefined (reading ‘perspective’)
  • DPR-ERR-2107 The User Capabilities Cache cookie cannot be decoded.

Solution:

  1. Clear cache and cookies from the affected browser. See KB 15 (Michigan State University) for details.
  2. Close completely out of all browser windows.
  3. Open an incognito/InPrivate browsing window and use that to access Cognos. See KB 1203 (Michigan State University) for details.
  4. Check you go to correct start page ( https://XXXXX.planning-analytics.cloud.ibm.com ) – exchange with your local server name.
  5. Check that your local network is working – try a different physical location for your laptop.

There can be other solutions or explanations of this errors – hopefully you can find them at IBM site.

How to retrieve the content of the CAM_passport and userSessionID from cookie?

In Browser window after you log in to the Cognos Connection Portal type any of the following in the address bar of the browser:

  • javascript:document.cookie
  • javascript:document.write(document.cookie)
  • javascript:alert(document.cookie) – This script will popup a window on which it will show up cam_passport and userSessionid
  • Or maybe have a look in your user directory under  “C:\Users\yourname\AppData\Local\Microsoft\Edge\User Data\Default” or “C:\Users\yourname\AppData\Local\Google\Chrome\User Data\Default” .. or where the files are stored in modern browsers.

 

Easier to view cookies in Chrome, perform the following steps:

Open Chrome settings. Right-click on your browser window.
Choose Inspect to enter the Chrome Developer Tools.
Choose the Applications tab. Depending on the size of your screen, you may need to expand your tab options at the top by clicking on the >> symbol:
Open application.
Under the Storage tab, select Cookies to view cookies in Chrome.
You will see all the available websites. Select the website you want to see cookies in Chrome.
Check the domain column, if you have different values here for same cam_passport (cookie) then you can get above errors.  Should only be ONE domain name for the same cookie name.

Name. The cookie’s name.
Value. The cookie’s value.
Domain. If the domain name corresponds with the website you are browsing, it means that these cookies are First-party cookies. If the domain name is different- these cookies are third-party cookies.
Path. The URL that must exist in the requested URL in order to send the Cookie header.
Expires / Max-Age. The cookie’s expiration date or maximum age. This field shows which are session cookies and which are persistent cookies, that operate for a certain duration of time.
Size. The cookie’s size, in bytes.
HttpOnly. If true, this means that it is a HTTP cookie. JavaScript modification is not allowed.
Secure. If true, this means that the cookie is sent to the server only over a secure, HTTPS connection.
SameSite. The SameSite cookie attribute is used by browsers to allow or block cookies based on attribute. It could contain Strict or Lax SameSite attributes.
Partition Key. A cookie’s partition key is the scheme and registrable domain of the top-level URL the browser was visiting at the start of the request to the endpoint that set the cookie.
Priority. It is used with deprecated cookie priority attribute. Could contain Low, Medium (default), or High priority.

 

More information:

https://kinsta.com/blog/http-error-431/ 

https://privacysandbox.google.com/cookies/basics/cookie-tools 

https://developer.chrome.com/docs/devtools/application/cookies 

https://tdx.msu.edu/TDClient/32/Portal/KB/ArticleDet?ID=998 

https://www.w3schools.com/js/js_cookies.asp 

https://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art013

https://cookie-script.com/blog/chrome-cookies 

 

By default the cookie path is the root path to Cognos.

This value can be me modified in Cognos Configuration using the steps below.

1. Open Cognos Configuration.
2. Click Actions–> Edit Global Configuration

3. Go to the General tab and Modify the cookie settings:

4. Modify the path and other information as required.

5. Click OK and save.

Stop and restart the Cognos Service.

https://www.ibm.com/docs/en/cognos-analytics/11.2.x?topic=settings-customizing-cookie 

by ·Comments Off on Trojan.GenericKD

Product:

Microsoft Windows 10

Issue:
What anti-virus software should i use on my old laptop?

Suggested solution:

Windows Defender is good, but when there are no more updates, you can consider to use a separate Anti-Virus software product.

You have to yourself decide what to use (and if you need it) as the software market for anti-virus program is lucrative, program that was good for 10 years ago is maybe not the best today.

Consider:

  1. Is the software easy to understand for me? Can i setup schedule scans in a easy way?
  2. What is the price the second year? Most software will give you a 50% discount the first year. Check if you can get a family price for 3-5 computers. Review sites have often links to good offers.
  3. Does the software take a lot of CPU when running or does it do the scan in the “cloud” ?  Check more than one review to see if the program will slow down your PC.
  4. Check more than one review of the software – most top teen listings are only trying to sell you a special anti-virus software where they get most money from.
  5. Do you trust the company behind the program?  Check WIKI pages about what country the software comes from.

https://en.wikipedia.org/wiki/Malwarebytes 

https://en.wikipedia.org/wiki/VIPRE

https://en.wikipedia.org/wiki/Bitdefender

https://en.wikipedia.org/wiki/ZoneAlarm

As of January 2006, ZoneAlarm was reportedly[6] sending data to the company’s servers in a covert fashion. A developer dismissed allegations that ZoneAlarm was spying on its clients, saying that it was an issue related to software updates and that it would be fixed.[7]

In December 2007, a browser toolbar was shipped with ZoneAlarm as an opt-out, which was not well received.[8] This was removed in later versions of the software.

On September 2, 2010, the free version of ZoneAlarm started showing a “Global Virus Alert” popup as a scareware tactic to get users to switch to their paid security suite.[9] The popup was turned off by ZoneAlarm marketing team after an uproar from disgruntled users, many of whom uninstalled the software.[10][11]

These program have a free version (that you can test):

https://www.bitdefender.com/en-us/consumer/free-antivirus 

https://www.malwarebytes.com/solutions/virus-scanner 

https://www.zonealarm.com/software/free-antivirus

the free version is maybe not the same program as the full version of the program. Check what engine is inside the anti-virus program.

You can also try the more expensive ones:

https://vipre.com/home/vipre-antivirus-plus/ 

https://www.gdatasoftware.com/antivirus-windows

We tested the Bitdefender windows version on Windows 10.

We run a deep scan, and it found things in old TM1 files, version 2.1.5, Trojan.GenericKD is Windows-only malware, as far as I know, so it’s highly likely that these detection’s are false positives, as it looks like many anti-virus software can find them in different files.

If there where issues, this are solved now. IBM sends out updates regularly. We checked the latest version PAL 2.1.14, and there where no issues there.

https://www.ibm.com/support/pages/node/7246602 

https://www.ibm.com/support/pages/security-bulletin-ibm-planning-analytics-workspace-affected-vulnerabilities 

(It looks like the Bit-defender can not scan ZIP files larger than 2 GB)

We upgrade Bitdefender to PLUS version in hope the firewall should be part of that deal.

But firewall was not part of the PLUS version. We got the VPN function, but you can not choose what country you will be using. We need to upgrade again to get firewall…

The company change the offering every year, so the package you have the first year may be something different the next year. If you stop your automatic subscription, then the bitdefender program stops working when the subscription ends. Malwarebytes have a different solution.

Passwords manager is better to use separate program like:

https://keepass.info/ 

https://bitwarden.com/pricing/

https://en.wikipedia.org/wiki/KeePass 

 

More information:

https://en.wikipedia.org/wiki/Antivirus_software 

https://www.bitdefender.com/consumer/support/answer/106172/ 

https://www.bitdefender.com/pages/consumer/se/new/cl-offer-premium-dlp?irclickid=QTEWqQW9ixycTh7zFWyZ4WU4Ukpy7-3HHW8nTc0&im_rewards=&irgwc=1&MPid=1271102&cid=aff%7Cc%7CIR%7CSafetyDetectives&locale=sv-SE&vcampaign=NDLP25V2 

 

https://www.bitdefender.com/consumer/support/prevention/ 

Before you decide, search the internet for zonealarm issues…

by ·Comments Off on Failure initializing Performance Monitor

Product:
Planning Analytics 2.1.14 server
Microsoft Windows 2022 Server

Issue:

In tm1server.log file you have this error at every startup of the TM1 service:

TM1.Server Failure initializing Performance Monitor: Installed counters do not match registry definition

Solution:

Looks like the installation did not go well.

Start a CMD as a administrator on the TM1 server.

Go to folder:  D:\Program files\ibm\tm1_64\bin64

Enter command:

regsvr32    TM1PerfmonDLL.dll

Click OK.

Restart the TM1 service, and check if the error is gone from the tm1server.log file. Search for TM1.Server Security Mode to find the lines.

example from the tm1server.log file;

…..TM1.Server Certificate Authority:
TM1.Server Client Export Server Certificate: 0
TM1.Server Security Mode: 5
TM1.Server Use Generic Login Connect Error:
TM1.Server Server CAM URI: http://servername:9300/p2pd/servlet/dispatch
TM1.Server Server CAM URI Retry Attempts: 3
TM1.Server CAM use SSL: 0
TM1.Server Client CAM URI: http://servername:80/ibmcognos/bi/v1/disp
TM1.Server Web CAM URI: http://servername:80/ibmcognos/bi/v1/disp… …………..
TM1.Server Client Ping CAM Passport: 900
TM1.Server Start time: Fri Oct 24 2025 02:22:44 PM
TM1.Server Failure initializing Performance Monitor: Installed counters do not match registry definition
TM1.Server The server will use Parallel Interaction.
TM1.Server Client Message Port does not accept Tm1Top connections.
TM1.Server SmartCache is disabled
TM1.Server Starting HTTP Session Timeout thread. Thread Id: 6264
TM1.Server Dynamic Client Message Port: 57066
TM1.Server MTQ is enabled with 8 threads ……

 

More Information:

https://www.ibm.com/docs/en/planning-analytics/2.1.0?topic=utility-running-tm1-perfmon

 

by ·Comments Off on The refresh token has expired due to inactivity

Product:

Microsoft Power BI service
Issue:

When click on refresh for a dataset (sematic model) in https://app.powerbi.com/ you get a error like:

Data source error: {“error”:{“code”:”DMTS_OAuthTokenRefreshFailedError”,”pbi.error”:{“code”:”DMTS_OAuthTokenRefreshFailedError”,”details”:[{“code”:”DM_ErrorDetailNameCode_UnderlyingErrorMessage”,”detail”:{“type”:1,”value”:”AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2024-11-19T10:55:36.9381120Z and was inactive for 90.00:00:00.

Solution:

Wait and try again later or go into your PowerBI report and update all credentials to different data sources you have used in your report.

In the dataset – go to settings – take over as owner –  go to data source credentials

click on edit the credentials and update with your account information. This should refresh the token.

This issue can happen when the OAuth refresh token used by Power BI Service to authenticate with the data source has expired. The error message shows that your token has been inactive for 90 days, which is the default expiration period for Azure Active Directory (AAD) refresh tokens.

Here are a few suggestions you can check:

  1. Re-authenticate the Data Source in Power BI Service
  • Go to Power BI Service (app.powerbi.com).
  • Navigate to Settings > Manage Connections and Gateways.
  • Locate the data source for your dataset.
  • Click Edit Credentials and sign in again using your credentials.
  • Choose the correct authentication method (usually OAuth2 for Analysis Services).
  • Save and retry the refresh.
  1. Check and Update Permissions
  • If your credentials were updated or your permissions changed, you may need to reassign them.
  • Ensure that your account has read permissions on the Analysis Services data source.
  • If your organization uses Conditional Access Policies, check with your IT team to ensure Power BI can maintain an active connection.
  1. Remove and Reconnect the Dataset
  • If the issue persists, try removing the dataset from Power BI Service and republishing it from Power BI Desktop.
  1. Ensure Your Token Doesn’t Expire Again
  • If you’re using service accounts, consider setting up a refresh schedule to keep the token active.
  • Work with your IT admin to adjust AAD token lifetime policies to extend the refresh token validity.
  1. Try a Personal Gateway (If Applicable)
  • If you’re using a Personal Mode gateway, restarting or reinstalling it might help.

 

More Information:

https://learn.microsoft.com/en-us/power-bi/connect-data/refresh-troubleshooting-refresh-scenarios 

https://www.c-sharpcorner.com/article/how-to-handle-power-bi-data-refresh-error-refresh-token-expired/

https://www.vuepilot.com/support/article/microsoft-power-bi-authentication-information/ 

https://www.beringer.net/beringerblog/power-automate-connection-reference-failures/ 

 

by ·Comments Off on kate-agent does not respond after upgrade

Product:
Planning Analytics version 2.1.14
Microsoft Windows 2022 server

Issue:
After upgrade from previous version of TM1, you do not get the PAA_Agent to work. It does not respond on port 9012.

In power shell you test with:   tnc  servername.domain.com  -port  9012

Suggested solution:

The path to the bin folder have changed for TM1, to D:\Program Files\ibm\tm1_64\bin64

Therefor when you have updated the PAA Agent, run the following scripts from a Command Prompt.
<install_dir>\paa_agent\bin\PAAAgentSetJavaHome.bat

This should update the server.env file with the correct path to the JAVA JRE

The configuration is done in the  D:\Program Files\ibm\tm1_64\paa_agent\wlp\usr\servers\kate-agent\bootstrap.properties file.

This file need to be updated manually every time you upgrade, as it is overwritten with default values.

If you have more TM1 tools installed on the server, it can point to the other folder and still work.

Then after that file is updated, you can start the PAA_Agent service.

 

If above does not work;

You may need to uninstall PAL totally and start over.
Stop all TM1 services.

To remove the TM1 Admin Server service, run the tm1admsd.exe -remove command.
To remove the Planning Analytics Administration agent service, run the <install_dir>\paa\bin\PAAAgentDelete.bat script.

Run Uninstall_IBM_Planning_Analytics.exe in the <install_dir>\uninstall directory.

Ensure that the PAA Agent is uninstalled from the Windows service list.

Then run the installation again of TM1/PAL from analytics-installer-4.0.27-win.exe

Create the ADMIN service again.

Update the bootstrap.properties file with SMTP information

Run the bat files;

<install_dir>\paa_agent\bin\PAAAgentSetJavaHome.bat

<install_dir>\paa_agent\bin\PAAAgentRegister.bat

Start and test again.

 

More Information:

https://www.ibm.com/docs/en/planning-analytics/2.1.0?topic=itscpa2l-registering-running-planning-analytics-administration-agent-as-windows-service

https://www.ibm.com/docs/en/planning-analytics/2.1.0?topic=upal2-upgrading-planning-analytics-workspace-local-from-version-20-21 

https://www.ibm.com/docs/en/planning-analytics/2.1.0?topic=later-uninstalling-data-tier-components

by ·Comments Off on Unable to register subset

Product:

Planning Analytics 2.1.11
Microsoft Windows 2022 server

Issue:

You get random Unable to register subset when you run the Tm1 TI process, can be that the subset is not correct deleted, and therefor already exist when the TI process try to create it.

Error contain: Unable to register subset

Suggested solution:

Instead of using the TI process name, create a random subset name with a code similar to below:

#--------------------------------------------------
# Create names
#--------------------------------------------------

SourceView= pFromCube | 'TempSource' | getProcessName() | '_' | timSt(now, '\Y\m\d\h\i\s') | '_' | NumberToString (Rand()*1000000000);
TargetView= pToCube | 'tempClear' | getProcessName() | '_' | timSt(now, '\Y\m\d\h\i\s') | '_' | NumberToString (Rand()*1000000000);

#--------------------------------------------------
# Create views
#--------------------------------------------------

#Source
if(ViewExists(pFromCube, SourceView)=0);
viewCreate(pFromCube, SourceView,1);
endif;
#target
if(ViewExists(pToCube, TargetView)=0);
viewCreate(pToCube, TargetView,1);
endif;

ViewCreate (cubetouse, viewnametouse, a 1 here make the view only exist in this process section..)

ViewCreate(Cube, ViewName, <AsTemporary>);

Argument

Description
Cube The parent cube of the view you are creating.
ViewName The name you want to assign to the view.
AsTemporary This is an optional argument that specifies whether the view being created is temporary. 1 indicates a temporary view, 0 indicates a permanent view.

If this argument is omitted, the view is permanent.

More Information:

ViewCreate – IBM Documentation

For TM1® Server version 11.2.0 and earlier, temporary views were visible and usable only by the process that created it and any of its child processes. Temporary views were not visible to the ancestor and sibling processes. You could create same-named views in sibling child processes with the same parent process.

For TM1 Server version 11.3.0 and later, these temporary views are visible to the ancestor and sibling processes. If a parent TurboIntegrator process A invokes two child TurboIntegrator processes A1 and A2, and the child TurboIntegrator process A1 creates a temporary view S, the temporary view S exists for the duration of the parent TurboIntegrator process A. You cannot create a temporary view with the same name S in the sibling TurboIntegrator process A2 since the view is visible and usable by siblings A1 and A2.

Create a very large dimension in Cognos TM1 using Turbo Integrator (TI) – Ever Analytics

Wim‘s Excel, TM1 & soccer site

What’s new in IBM Planning Analytics – IBM Documentation

  • Planning Analytics 2.0.7 – April 29, 2019
    IBM Planning Analytics Local version 2.0.7 and the cloud release of IBM Planning Analytics version 2.0.7 includes updates and new features for IBM TM1 Server version 11.5.0.
  • Planning Analytics 2.0.6 – October 11, 2018
    IBM Planning Analytics Local version 2.0.6 and the cloud release of IBM Planning Analytics version 2.0.6 includes updates and new features for IBM TM1 Server version 11.4.0.
  • Planning Analytics 2.0.5 – June 25, 2018
    IBM Planning Analytics Local version 2.0.5 and the cloud release of IBM Planning Analytics version 2.0.5 includes updates and new features for IBM TM1 Server version 11.3.0.
  • Planning Analytics 2.0.4 – February 16, 2018
    IBM Planning Analytics Local version 2.0.4 and the cloud release of IBM Planning Analytics version 2.0.4 includes updates and new features for IBM TM1 Server version 11.2.0.

by ·Comments Off on Error with CAM passport

Product:
Planning Analytics 2.1 Architect
Microsoft Windows 2022 server
Cognos Analytics 12.0.3

Issue:

After change in Cognos Configuration, you can not login from TM1 Architect, but you can login with TM1WEB.

Error you get: tm1camclient

Solution:

Inside Cognos Configuration for CA12, change the Edit Global Configuration under Action menu.

Remove the dot in front of the server domain name.  So it says servername.domain.com instead of .servername.domain.com

The clue, it can be .domain.com, then it should work best if you only have one CA server to work with. If you have the servername in global settings then you should not use the period first.

Also ensure that the GATEWAY URL is the same in both Cognos Configuration and TM1S.CFG file

In the TM1S.CFG file it should be like this

ServerCAMURI=http://servername.domain.com:9300/p2pd/servlet/dispatch
ClientCAMURI=http://servername.domain.com:80/ibmcognos/bi/v1/disp

Then in TM1 architect under FILE – OPTIONS you enter the servernname to TM1 e.g. servername.domain.com and update.

Also change the value for “Allow session information to be shared between client applications” – change it to False can help solve the issue.

Save and restart CA12 service for the changes to take affect.

 

More Information:

Users are not able to log into Cognos Connection after setting a Domain property in the Global Configuration Cookie Settings. Submitting a login results in the user being redirected back to the login page without an error.

Diagnosing The Problem

Users unable to log in, are looped back to login page without error.

Resolving The Problem

Use the same server name qualification as that specified in the Domain property of the Global Configuration Cookie Settings.

Example:

Domain property: .travelinfo.co.nz

Prior to configuring this property, users accessed Cognos Connection using the servername ( http://servername/ibmcognos ). This URL no longer works with the Domain property set.

You will need to use the fully qualified server name in the URL to access Cognos Connection.

http://servername.travelinfo.co.nz/ibmcognos

An error message ‘Error with CAM Passport’ is seen when attempting to login into a TM1 server with Architect and Perspectives. The TM1 server uses CAM security (IntegratedSecurityMode 4 or 5 in the tm1s.cfg file). No error is seen during CAM authentication in TM1Web.

Cause

Incorrect Cookie Domain setting in Cognos Configuration for the Cognos BI Server used for CAM authentication.

Resolving The Problem

On each Content Manager server in your environment, remove or correct the Cookie Domain setting from Cognos Configuration. This setting can be access in Cognos Configuration from the Actions -> Edit Global Configuration… menu option.

Question

Multiple IBM Cognos installation in same domain Unable to open Cognos Connection when using the same browser instance, where another Cognos instance was opened before.

Cause

Same domain.
Answer

Launch “IBM Cognos Configuration -> Action -> Edit Global Configuration -> General” and configure the Cookie settings “Domain” and “Path” for each installation

Example:
Domain : .server1.domain
Path : /ibmcognos/

Domain : .server2.domain
Path : /ibmcognos/

Note: Do not forget the point before the server name.

Not sure of what is the correct setting in EDIT GLOBAL CONFIGURATION, you need to test what will work in your windows environment. Test to login to both your Cognos Analytics servers from same web browser, and from TM1 architect pointing to different TM1 servers.

 

by ·Comments Off on Signature not valid in the specified time frame

Product:

Microsoft Azure Blob Storage

Issue:

When you run ETL script to send files to your BLOB storage you get a error like this:

HTTP Status Code: 403 HTTP Reason Phrase: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

Signature not valid in the specified time frame:

 

Possible Solution:

Please check if the SAS KEY you use in your script have expired.

Create a new SAS KEY and insert that in your script to upload files, to solve the issue.

 

More Information:

https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview 

https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal

https://markheath.net/post/upload-azure-blob-storage-sas

https://community.boomi.com/s/article/How-to-Create-a-Azure-Blob-Shared-Access-Signature-Token

A Shared Access Signature (SAS) token is a unique string of encrypted text that encapsulates all the necessary details needed to authenticate a shared signature to access Azure Storage services. It also determines which service and resource can be accessed, the permissions granted, and the validity period of the signature.

If we look at the specifics of these tokens, there are 3 types of SAS tokens: Account SAS, Service SAS, and User Delegation SAS. This blog walks through Account SAS tokens specifically, as this is the type of token used to access storage, which is a critical (if not the most critical) point of failure in data security.

Account SAS Tokens

SAS tokens are encrypted codes in the form of URIs (Uniform Resource Identifier) that grant specific access rights to one or more Azure Storage resources, such as Azure Blob Storage, Azure File Storage, and Azure Queue Storage. Compared to other tokens, this extensive access means it’s crucial to handle Account SAS carefully to prevent unauthorized data access.

https://www.cyera.com/blog/understanding-the-risks-of-azure-sas-tokens 

Explanation of parameters:

sv: The storage service version.
ss: The signed services, in this case, blobs.
srt: The signed resource types, in this case, service (s), container (c), and object (o).
sp: The signed permissions, in this case, read (r).
se: The expiry time for the SAS token (2024-04-10T23:59:59Z).
st: The start time for the SAS token (2024-04-08T00:00:00Z).
spr: The signed protocol, in this case, HTTPS.
sig: The signature, which is a hashed value generated using your account key and the specified parameters.

https://bigid.com/blog/understanding-azure-sas-tokens/