Product:
Cognos Controller 10.3.1
Microsoft Windows 2012 R2 server

Problem:
Cognos Controller Users are disconnected from Server, and have to start there Cognos Controller client again and login.

Suggested Solution:
Change the Recycle from default 29 hours to a specific time at night, when few users are using Cognos Controller.

Login to the Cognos Controller Server.
Open Internet Information Services (IIS) Manager
Click on Applications Pools
Click on DefaultAppPool or the one created for Controller.
On the right side click on Recycle…


Unmark the default of 1740 minutes intervals.
Mark Specific times
Enter 3:00 AM


Click Next


Click Finish.

Let the user test Cognos Controller more than a day before you define if this solve your issue.

More information:
https://www-01.ibm.com/support/docview.wss?uid=swg21990348
https://www-01.ibm.com/support/docview.wss?uid=swg21969315

Product:
Planning Analytics 2.0.5
Microsoft Windows Server 2016

Problem:
When run a TI process to export data to a csv file you get a error from inside your TM1 Application. You have recently moved from TM1 to Planning Analytics, and also to a new Operating System: Microsoft Windows 2016.
The file share you try to export to is on a Linux server.
It works fine from your old Microsoft Windows 2008 server.

Error on Windows 10:
You can’t connect to the file share because it’s not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving the issue see: https://support.microsoft.com/en-my/help/4034314/smbv1-is-not-installed-by-default-in-windows

Possible Solution:
The New Windows Server 2016 have been setup to demand the newer more secure file share (SMB) protocol, and the Linux server is of a older OS version that does not support it.
Try to use a different file share, where both old linux program and Micosoft Windows 2016 server have access.

First check if there is not a firewall issue, with TELNET to see if the ports are open. Run below command from TM1 Windows server;
telnet linuxserver 445
telnet linuxserver 139
If above give error, check the firewall settings in the network.

You can from a CMD command try to access file share direct logged in as the service account on the TM1 server, to ensure that the account have access:
net use * \\linuxserver.domain.com\filesharename

Can say “System error 64 has occurred” if you do not have correct SMB access.

Check also that the IBM TM1 instance is run under a domain service account, and not Local System. Local System account can not access network file shares.

Red Hat Enterprise Linux 7.2, which includes samba-4.2, and later comes with proper support for SMBv2 protocol, but earlier releases of Red Hat Enterprise Linux only support SMBv1.

From the internet:
Samba is made by linux/unix
SMB/CIFS is made by windows/microsoft

NOTE: when people say I have a “CIFS share”, its better to say I have a “SMB share “or a “Samba share” – more on this below:
They use the same protocols to talk to each other.

Samba was originally made to emulate SMB, so that linux pcs could share files with Windows PCs. Now MACs also have samba, so they support SMB. So MACS Windows and Linux can all happily talk via Samba & SMB.

With each new version of Windows, a new SMB version comes out. Then Samba team has to be ready to update their code to support the new features in SMB.
Windows;
SMB 1 – Windows 2000
SMB 2 – Windows Server 2008 and WIndows Vista SP1
SMB 2.1 – Windows Server 2008 R2 and Windows 7
SMB 3.0 – Windows Server 2012 / ? and Windows 8 / 10

To identify the SMB version:
Windows 8.1 or 2012, you can use the PowerShell (in admin mode) cmdlet Get-SmbConnection

You can not interrogate which SMB it is using in Windows 7.

SMB 1 introduced in DOS days, and was also called CIFS in its later version (think of it like SMB 1.1). First versions of Samba 1.x supported SMB and CIFS
SMB 2.0 / SMB2.02 introduced with Windows Vista / 2008 is supported with Samba 3.6
SMB 2.1 introduces with Windows 7 / Windows 2008 R2 is supported with Samba 4.0.0
SMB 3.0 introduced with Windows 8 / Windows 2012 is supported by Samba 4.2
SMB 3.02 introduced in Windows 8.1 / Windows 2012 R2 is not yet supported by any version of Samba (its in the works I assume)
SMB 3.11 introduced in Windows 10 / Windows 2016 is not yet supported by any version of Samba (its in the works I assume)

The latest updates of Windows 10 and Windows Server 2016, the support for SMB1 is automatically removed by Microsoft, if SMB1 is not used.

How remove SMB support:
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and

Start a Powershell command
1) check which SMB is enabled and which one is disabled;

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

ex : True=enabled

2) To enable any SMB 1 or 2 or 3 use following,
Set-SmbServerConfiguration  -EnableSMB2Protocol  $True

3) To disable any SMB 1 or 2 or 3 use following,
Set-SmbServerConfiguration  -EnableSMB2Protocol  $False

Restart computer or server after every change.
Or do this on Windows Server 2012 R2 & 2016:
SMBv1
Detect: Get-WindowsFeature FS-SMB1
Enable: Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Disable: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

More information:
https://access.redhat.com/articles/3164551
https://www.rootusers.com/disable-smb-version-1-0-in-windows-server-2016/
https://www.mowasay.com/2018/08/windows-10-2016-build-1709-1803-cannot-connect-to-smb-shares/
http://www.admin-magazine.com/Archive/2017/40/SMB-3.1.1-in-Windows-Server-2016

Product:
Cognos Analytics 11.0.12
Planning Analytics 2.0.5
Microsoft Windows 2016 Server

Problem:
When create a new report on a FM package that points to a Planning Analytics data source, you get a error message.

Test of data source works fine.
http://biservername.domain.com:9300/p2pd IBM Planning Analytics / Dynamic Succeeded XQE-DS-0015 TM1 Server Name: planning_sample: “11.3.00003.1”.

Error message:
Firewall Security Rejection. Your request was rejected by the security firewall.
DPR-ERR-2079 – Internal Server Error
URL:/v1/metadata/fmmodels
{
“severity”: “error”, “faultcode”: “Server”, “faultstring”: “The server did something wrong”,
“errorCode”: “CAF_VALIDATION_FAILURE”, “messages”: [ “DPR-ERR-2079 Firewall Security Rejection. Your request was rejected by the security firewall.” ]
}

or

XQE-MD-0007 Unable to establish a metadata connection to data source

Possible solution:
The user in CA11 does not have needed rights inside the TM1 application, login with TM1 Architect and give the user who try to create a report more Admin access inside the TM1 solution. Then test to create a report again.

Can also be that the DOMAIN name is not correct listed inside Cognos Configuration for CAF at Valid domains or hosts field.

– Open Cognos Configuration.
– In the left pane, click on the Cognos Application Firewall node.
– Select the “Valid domains or hosts” property and click the edit button.
– Add additional webserver hostname:port entries as required.

*.domain.com
*.userdomain.com

More Information:

http://www-01.ibm.com/support/docview.wss?uid=swg21965323
https://www-01.ibm.com/support/docview.wss?uid=swg21339461

Product:
Planning Analytics 2.0.5
Microsoft Windows 2016 server
Microsoft Excel 365 Office version 1803 click-to-run
Planning Analytics for Excel from C:\Program Files\ibm\cognos\IBM for Microsoft Office\cmplst.txt
[Main Applications]

COR_APP_version=COR_APP-AW64-ML-RTM-11.0.35.14-0
COR_APP_name=Cognos 8 Analysis for Excel
CAFES_version=CAFES-AW64-ML-RTM-10.3.0.1-0
CAFES_name=Cafes for Excel
CORREDIST_version=CORREDIST-AW64-ML-RTM-11.0.35.13-0
CORREDIST_name=IBM Planning Analytics for Excel
COI_version=COI-AW64-ML-RTM-11.0.35.7-0
COI_name=IBM Cognos COI

Problem:
When insert a custom report or dynamic report on this sheet, you get #NAME? instead of the numbers for the formula =DBRW($A$1,$A10,$B$2,E$6,$B$4,$B$3).
Click on Rebuild sheet does not help.
Insert a quick report on the sheet gives you numbers.

Solution:
Check that all the add-ins for Excel are installed.
Inside Excel go to File – Options.

Click on Add-ins
at Manage: Excel Add-ins click on GO.

The TM1 part is missing.
Click on Browse and go to C:\Program Files\ibm\cognos\IBM for Microsoft Office folder.

Select CognosOfficeTM1.xll and click OK.

Now you have the Add-ins you also need. Click OK.

You need both IBM Cognos Office Reporting TM1 addin and the IBM Framework for Office COM add-in to make PAX work.

More Information:
https://www-01.ibm.com/support/docview.wss?uid=swg22004391

Product:
Cognos Planning Analytics 2.0.6
Microsoft Windows 2012 R2 Server

Problem:
The log files for opsconsole fill up the C drive, where the software is installed. Can we change the logs file to be created on a separate hard disk named L:\?

Solution:
Login to the Windows server where you run TM1WEB (also the opsconsole)
stop the service IBM Cognos TM1
cut the folder C:\Program Files\ibm\cognos\tm1_64\bin64\opsconsoledata
paste it at L:
rename L:\opsconsoledata to L:\opslogs
start a command prompt as admin
enter command:

mklink /D  “C:\Program Files\ibm\cognos\tm1_64\bin64\opsconsoledata”  L:\opslogs

start the service IBM Cognos TM1
Now the logs are on the L drive….

NOTE: This is not a supported function, and should not be used in production environments.

Surf to opsconsole at the following web address:   http://servername:9510/pmhub/pm/opsconsole

More information:
https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/t_tm1_inst_installingopsconcole.html

https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_op.2.0.0.doc/c_tm1_ops_console_configuration_tasks.html

https://skimfeed.com/blog/symbolic-links-in-windows-for-pointing-a-folder-to-another-folder-on-an-external-hard-drive-or-ssd/

Product:
Cognos Analytics 11.0.x
Microsoft Windows Server 2016 Standard

Issue:
Users are prompted with login during there session with Cognos Analytics and some icons are missing from the main page.
SSO is setup and working, but you still get a windows login dialog now and then.
To ensure SSO is correct check this:
http://www-01.ibm.com/support/docview.wss?uid=swg21993357

Error message when you try to create a new report:
Error: Startup Request Failed: Webbegäran misslyckades.:401 – unauthorized
URL: ../images/common_icons.svg

Suggested Solution:
On the CA11 web server (gateway) go to the file manager and go to folder c:\Program Files\ibm\cognos\analytics\webcontent\bi\images
Right click on Images folder and select properties
Click on security tab
Ensure that the following groups at least are there:
SYSTEM
Administrators
Users

If a group is missing, add it.

In one case the group Users where missing, meaning that a person that did not belong to the Administrator group on the server got above issues when surfing to Cognos Analytics portal. Adding the local server Users group solved the problem.

Product:
Planning Analytics 2.0.5
Microsoft Windows 2016 server

Problem:
How change the number of columns shown and loaded in tm1web?

Suggested Solution:
Update the file tm1web_config.xml, that are in folder
C:\Program Files\ibm\cognos\tm1_64\webapps\tm1web\WEB-INF\configuration on the TM1WEB server.
Change below lines to a number that works for your application:

<!– CubeViewerRowPageSize: Number of rows to fetch in a page of cubeviewer –>
<add key=”CubeViewerRowPageSize” value=”250″ />
<!– CubeViewerColumnPageSize: Number of columns to fetch in a page of cubeviewer –>
<add key=”CubeViewerColumnPageSize” value=”100″ />

In TM1 10.2 FP1 two settings, controls the number of columns and rows that are loaded in TM1 Web Websheets,
WebsheetRowThreshold and WebsheetColumnThreshold.
http://www-01.ibm.com/support/docview.wss?uid=swg27040580

In the documentation for Planning Analytics 2.0 these settings are not found, instead you find settings CubeViewerRowPageSize and CubeViewerColumnPageSize.
https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_modifyingtm1webconfigurationparameters_n50ce5.html

The tm1web_config.xml.new do not have WebsheetRowThreshold and WebsheetColumnThreshold settings.

The old parameters can configure the amount of rows and columns in a websheet that completely fetch on loading. If the sheet fits roughly within the number of rows and columns specified with the new parameters, it will be fully loaded on start up.
If a sheet is larger than the values set with the parameters, then Cognos TM1 Web fetches additional data on demand as you scroll beyond the buffers of the previously loaded data.

New Planning Analytics have a better TM1WEB solution, and will cache values different, and above old parameters should not be needed for new TM1WEB.

The parameters in this file, tm1web_config.xml, control the following IBM TM1 Web features.

  • View node
    Cube Viewer page size
    Number of sheets to export from a Cube Viewer
    IBM TM1 Web startup and appearance settings
    Session timeouts

https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_ug.2.0.0.doc/c_tm1web_cfg_params_v10r2.html

Product:
Cognos Planning Analytics Workspace version 36
Centos Linux

Problem:
How to upgrade PAW?
https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/t_paw_upgrade.html

Solution:
Download the latest version from
https://www-01.ibm.com/support/docview.wss?uid=swg27049597

First check there is space left on your linux box with command df -h

Create a new folder for your new software
cd /
mkdir ibm
cd ibm
mkdir paw36

Copy the software over to the linux box with WINSCP
https://winscp.net/eng/download.php

Place the zip file in folder /ibm/paw36.
Unzip the file with the command:
unzip ipa_workspace_local_2.0.36.1440.5.zip -d /ibm/paw36

Go to the old existing folders script folder (/ibm/paw/scripts/) and run a backup with the command:
./backup.sh

Copy the paw.env file from your current installation to the new installation location.
cp /ibm/paw/config/paw.env  /ibm/paw36/config/paw.env

Copy the /config/certs directory from your current installation to the new installation location.
cp /ibm/paw/config/certs/*.* /ibm/paw36/config/certs/

If you use SSL and have saved the certificate in the pa-workspace.pem file, you need to copy that from your current installation to the new installation location.
cd /ibm/paw36/config
mv pa-workspace.pem  pa-org-workspace.pem
cp  /ibm/paw/config/pa-workspace.pem  pa-workspace.pem

If you have changed the old Start.sh file, you need to add the same values in the new Start.sh file.
Open Start.sh in Nano, add the IP address of the Linux server as ADMINTOOL_IP, and add the folder where docker-compose are to the PATH with the command PATH=$PATH:/ibm/comp/
cd /ibm/paw
nano Start.sh
Enter values like:
export ADMINTOOL_IP=192.168.254.11
export PATH=$PATH:/ibm/comp/
Press CTRL+O and click ENTER to save file.
Press CTRL+X to exit.

Change above path to your folder where DOCKER-COMPOSE is saved.

You may need to update the access to the new files with command:
cd /ibm/paw36
chmod 744 *.*
to give all read access to the files.

Stop the running PAW with command:
cd /ibm/paw/scripts
./paw.sh stop

Go to the new folder with command:
cd /ibm/paw36

Start the installation by enter
./Start.sh

Enter “y” when you are prompted to install the Docker images. Enter “y” when you are prompted to open the administration tool.

Start a Internet Explorer from your laptop and surf to the Linux server on http://192.168.254.11:8888

Inside the Planning Analytics Workspace administration tool, check that all URL to CA11 and TM1 are correct.
https://www.ibm.com/communities/analytics/cognos-analytics-blog/cognosanalytics-and-planninganalytics-integration-walkthrough-part-3/

Some Values need to be entered again in configuration tab, do it and save them.


Click Validate.
Click Status.
Click Restart.
Wait until CPU is below 1%.
Click Refresh.

Then surf to HTTP://pawservername.domain.com

Normally the docker containers and images are in folder /var/lib/docker

The daemon.json file are in folder /etc/docker

NOTE: to prevent from having to many PAW folders, and make it hard to now what folder that is in use, do the opposite – rename the old folder /ibm/paw to /ibm/pawold. Create the new folder /ibm/paw. Copy the new zip file to that folder, and unpack it. Then copy the needed config files from /ibm/pawold to the /ibm/paw folder (as listed above). Then start the installation(upgrade) from /ibm/paw/Start.sh.

More Information:
http://blog.thoward37.me/articles/where-are-docker-images-stored/

Product:
Cognos Analytics 11.0.12
Microsoft Windows 2016 server

Problem:
How limit the login to Cognos Connection to only to groups in the LDAP (active directory)?

Solution:
Use the LDAP connector in Cognos Configuration, and limit the users to be able to login only if they belong to two CN.
The “User Lookup” is used when you do not use SSO, and you let the BI (CA11) prompt the user for the user name and password. Change this to include the groups that the person must be part of to be able to login. Below a example how it can be;

(&(|(legacyuid=${userID})(uid=${userID}))(status=ACTIVE)(|(memberof=cn=Cognos_TM1_Contributor,cn=Cognos Groups,cn=UserGroups,ou=Global,o=CompanyA.com)(memberof=cn=Cognos_TM1_Modeler,cn=Cognos Groups,cn=UserGroups,ou=Global,o=CompanyA.com)))

“External identity mapping” is only used when you use SSO from IIS, to login to the BI server (CA11). You should change this to cover the same groups as the other one to make it act the same if it is using SSO or not.

(&(|(legacyuid=${replace(${environment(“REMOTE_USER”)},”CompanyA\\”, “”)})(uid=${replace(${environment(“REMOTE_USER”)},”CompanyA\\”, “”)}))(status=ACTIVE)(|((memberof=cn=Cognos_TM1_Contributor,cn=Cognos Groups,cn=UserGroups,ou=Global,o=CompanyA.com)(memberof=cn=Cognos_TM1_Modeler,cn=Cognos Groups,cn=UserGroups,ou=Global,o=CompanyA.com)))

In above lines, the user that is part of group Cognos_TM1_Contributor or Cognos_TM1_Modeler in LDAP, can login to Cognos. Good if you have a CA11 server setup, that only authenticate users that should use TM1(Planning Analytics 2.x).

(status=ACTIVE)
Check that the user is active in LDAP

legacyuid=${userID}
Compare the userid with the LDAP field Legacyuid

You have to change cn= and ou= values to match your LDAP setup.

Base Distinguished Name, should be the root of the LDAP directory.

How setup LDAP  (from the web)
In every location where you installed Content Manager, open IBM Cognos Configuration.
In the Explorer window, under Security, right-click Authentication, and then click New resource > Namespace.


In the Name box, type a name for your authentication namespace. LDAP
In the Type list, click the appropriate namespace and then click OK.

The new authentication provider resource appears in the Explorer window, under the Authentication component.
In the Properties window, for the Namespace ID property, specify a unique identifier for the namespace. Should be same as namespace name.
Specify the values for all other required properties to ensure that IBM Cognos components can locate and use your existing authentication provider.
If you want the LDAP authentication provider to bind to the directory server by using a specific Bind user DN and password when you perform searches, then specify these values.

If no values are specified, the LDAP authentication provider binds as anonymous.

If external identity mapping is enabled, Bind user DN and password are used for all LDAP access. If external identity mapping is not enabled, Bind user DN and password are used only when a search filter is specified for the User lookup property. In that case, when the user DN is established, subsequent requests to the LDAP server are run under the authentication context of the user.
If you do not use external identity mapping, use bind credentials for searching the LDAP directory server by doing the following step:
Ensure that Use external identity is set to False.
Set Use bind credentials for search to True.
Specify the user ID and password for Bind user DN and password.

If you do not specify a user ID and password, and anonymous access is enabled, the search is done by using anonymous.
Check the mapping settings for the required objects and attributes.

Depending on the LDAP configuration, you may have to change some default values to ensure successful communication between IBM Cognos components and the LDAP server.

LDAP attributes that are mapped to the Name property in Folder mappings, Group mappings, and Account mappings must be accessible to all authenticated users. In addition, the Name property must not be blank.
From the File menu, click Save.
Test the connection to a new namespace. In the Explorer window, under Authentication, right-click the new authentication resource and click Test.

You are prompted to enter credentials for a user in the namespace to complete the test.

Depending on how your namespace is configured, you can enter either a valid user ID and password for a user in the namespace or the bind user DN and password.

More information:
https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_ldapauthentication_process-element.html

To bind a user to the LDAP server, the LDAP authentication provider must construct the distinguished name (DN). If the Use external identity property is set to True, it uses the External identity mapping property to try to resolve the user’s DN. If it cannot find the environment variable or the DN in the LDAP server, it attempts to use the User lookup property to construct the DN.

Product:
Planning Analytics Workspace 35
Linux Red Hat

Problem:
You have no access to the paw, and a restart of the docker containers with command  ./paw.sh stop  and  ./paw.sh  did not help.

If you click “validate” inside the Workspace administration page, you get Error getaddrinfo ENOTFOUND on all the server links.

Error Message:
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET.
Reason: DNS lookup failure for: wa-proxy

Workaround:
Restart the linux box.
Login to the linux server with PUTTY.
Change to root user with command:
sudo su – root
Restart the linux server with command:
init 6

Try again after a few minutes.