Product:
Planning Analytics 2.0.5
Planning Analytics Workspace 2.0.38

Problem:
I get an error message when I right-click some TI processes in PAW and select Edit Process. Other processes open fine in PAW.

Error Message:

{"errorMessage". "Error: Internal Server Error\r\nSystemOutOfMemory\r\n\r\n", "/api/v1/Cubes ('cubename')/Views('All')/tm1.Execute","httpStatusCode":500)

Background:
PAW tries to show a preview of the selection, and that preview is too large. If the process has a cube view as its data source and that view is large, like All, you can get this error. It works with a smaller cube view. When you edit a TI process in TM1 Architect, this error does not appear.
If you check TM1SERVER.LOG you will find this message:
8024 [34] WARN 2019-03-04 09:30:44.083 TM1.Server.Memory al_Alloc() outOfMemory Exception <<< MEMORY_TEMP_POOL_EXCEEDED >>> MaximumViewSize memory exceeded - apifunc# "0" - pool# "0" - poolsize "201318656.000000"

You can get the same behavior in TM1 Architect if you open a cube and try to view all of its content.
TM1 Error
All: Maximum memory for action exceeded.
View may be too large.
Operation aborted.

The error in TM1SERVER.LOG then looks like this:
4908 [22] WARN 2019-03-04 11:52:24.469 TM1.Server.Memory al_Alloc() outOfMemory Exception <<< MEMORY_TEMP_POOL_EXCEEDED >>> MaximumViewSize memory exceeded - apifunc# "326" - pool# "0" - poolsize "201318656.000000"

You can still edit the TI process, so this warning should not be a concern.
Check that the MaximumViewSize value in your TM1S.CFG file is not set too low. In most cases you should manage with the default values.
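
A small parser for these warnings, added here as an example (it is not IBM code): it pulls the timestamp, apifunc# and poolsize out of each MEMORY_TEMP_POOL_EXCEEDED line, so a log monitor can tell the PAW preview (apifunc# "0" in the first line above) from the Architect view (apifunc# "326"). The function and field names are chosen for this example, and the sample is the two lines from this page plus one constructed filler line.

```python
import re

# Constructed sample: the two warnings quoted on this page (the first with the
# typographic quotes and dashes a web page adds) plus one invented INFO line.
SAMPLE_LOG = (
    '8024 [34] WARN 2019-03-04 09:30:44.083 TM1.Server.Memory al_Alloc() '
    'outOfMemory Exception <<< MEMORY_TEMP_POOL_EXCEEDED >>> MaximumViewSize '
    'memory exceeded \u2013 apifunc# \u201c0\u201d \u2013 pool# \u201c0\u201d '
    '\u2013 poolsize \u201c201318656.000000\u201d\n'
    '5120 [7] INFO 2019-03-04 10:15:02.120 TM1.Server constructed filler line\n'
    '4908 [22] WARN 2019-03-04 11:52:24.469 TM1.Server.Memory al_Alloc() '
    'outOfMemory Exception <<< MEMORY_TEMP_POOL_EXCEEDED >>> MaximumViewSize '
    'memory exceeded - apifunc# "326" - pool# "0" - poolsize "201318656.000000"\n'
)

# Copy/paste from a web page turns " into curly quotes and - into en dashes.
TYPOGRAPHIC = str.maketrans({'\u201c': '"', '\u201d': '"', '\u2013': '-'})

# Group names (thread, session, ...) are labels chosen for this example.
LINE_RE = re.compile(
    r'^(?P<thread>\d+)\s+\[(?P<session>[^\]]*)\]\s+(?P<level>[A-Z]+)\s+'
    r'(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+'
    r'(?P<logger>\S+)\s+(?P<msg>.*)$'
)
FIELD_RE = re.compile(r'\b(poolsize|pool|apifunc)#?\s+"([^"]*)"')


def find_view_size_warnings(text):
    """Return one dict per MEMORY_TEMP_POOL_EXCEEDED warning in the log text."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.translate(TYPOGRAPHIC))
        if not m or 'MEMORY_TEMP_POOL_EXCEEDED' not in m.group('msg'):
            continue
        fields = dict(FIELD_RE.findall(m.group('msg')))
        hits.append({
            'ts': m.group('ts'),
            'thread': int(m.group('thread')),
            'session': m.group('session'),
            'apifunc': fields.get('apifunc'),
            'poolsize': float(fields['poolsize']) if 'poolsize' in fields else None,
        })
    return hits


def summarize_by_apifunc(hits):
    """Group warnings by apifunc# so a recurring caller stands out."""
    summary = {}
    for h in hits:
        s = summary.setdefault(
            h['apifunc'], {'count': 0, 'first': h['ts'], 'last': h['ts']})
        s['count'] += 1
        s['last'] = h['ts']
    return summary


if __name__ == '__main__':
    found = find_view_size_warnings(SAMPLE_LOG)
    for func, s in summarize_by_apifunc(found).items():
        print(f'apifunc {func}: {s["count"]} warning(s), {s["first"]} .. {s["last"]}')
```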

More Information:
https://www-01.ibm.com/support/docview.wss?uid=swg21380704
https://www-01.ibm.com/support/docview.wss?uid=swg21639609
https://www.ibm.com/support/knowledgecenter/en/SS9RXT_10.2.2/com.ibm.swg.ba.cognos.tm1_inst.10.2.2.1.doc/c_maximumviewsize_1.html

Product:
Cognos Analytics 11.0.12
Microsoft Windows 2016 server

Problem:
When you create a report and add a visualization, you get an error.

Error message:

The web request failed.
404 – Not Found
URL: http://caservername.domain.com/ibmcognos/bi/common/palettes.json

Workaround in early versions of CA11:
palettes.json needs to be copied from the /bi/common folder to the /common folder
https://www-01.ibm.com/support/docview.wss?uid=swg21992230

Solution:
Something is wrong in the IIS setup. Redo the setup from the start. Below are the steps, copied from the internet. You should not need to copy the file from the /bi/common folder.

Clean the IIS setup:

https://www-01.ibm.com/support/docview.wss?uid=swg22011418

Here’s the guideline to follow before starting a fresh manual IIS installation or running the script:

– Open IIS
– Click on Application Pools
– Select the Cognos 11 App Pool and stop it (mostly called ICAPool)
– Expand everything
– Select the ibmcognos -> sso application and remove it
– Select the ibmcognos application and remove it
– Click on Application Pools, select the Cognos app pool, and delete it
– Close IIS

Open your file explorer
– Navigate to the Cognos gateway install directory
– Delete the following web.config files:

  • cgi-bin\web.config
  • webcontent\web.config
  • webcontent\bi\web.config

Search your /ibmcognos folder and its subdirectories to find more web.config files. Rename them to web.config.old.

Also check the C:\inetpub\wwwroot folder for web.config files. Most changes made in IIS Manager are stored in web.config files.

Then set up IIS manually:

https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_gateway_iis.html

The version reproduced here is from 2019-02-14; you should use the steps that apply to your version of CA11.

   IIS Automated script is available here.

This topic describes the configuration for Microsoft Internet Information Services (IIS) to support IBM Cognos Analytics. When complete, IIS will be configured to serve static content (such as .js, .html, .css) directly from IIS while sending REST and other server requests to the back-end Cognos Analytics servers.

Procedure

  1. Install the IIS Application Request Routing extension.
    1. Install the Application Request Routing extension for IIS by going to the following URL: http://www.iis.net/downloads/microsoft/application-request-routing
    2. When presented with the Microsoft Web Page, click on the green “Install this extension” button.
      Follow instructions to download and run the ARR extension.
    3. To ensure that the ARR extension was installed successfully, launch the IIS Manager from the Windows Start\Administrative Tools\ menu. Once the IIS Manager launches, click on the server name at the top left-hand side of the screen to display the available features. Within the middle IIS pane, the URL Rewrite feature should now be visible; it is installed when ARR is installed.
  2. Create a new, dedicated application pool. For example, named CAPool.
    1. Right-click on Application Pools. Click Add Application Pool.
  3. Optionally, create a server farm to provide load-balancing and failover for Cognos Analytics service requests. Include all Cognos Analytics servers that have the Application server components installed and configured.
    1. Right-click on Server Farms in the left-hand tree and select Create Server Farm.
    2. Name the new server farm. For example, ca_servers.
    3. For each Cognos Analytics server, perform the following steps:
      • Enter the server address. For example, ca-host1.
      • Click Advanced settings, and expand applicationRequestRouting. Set the httpPort or httpsPort (if you’re using HTTPS). For example, 9300.
    4. Click Finish.
    5. Click No when prompted to allow IIS Manager to create a rewrite rule.
    6. Select your server farm in the left-hand tree and double-click Server Affinity.
    7. Select the Client Affinity check box.
    8. Click Apply.
    9. Select your server farm in the left-hand tree and double-click Caching.
    10. Change Query String Support to Include Query String.
    11. Click Apply.
    12. Select your server farm in the left-hand tree and double-click Health Test.
    13. In the URL Test section, enter the URL: http://ca_servers/bi/v1/ping
    14. Click Apply.
    15. Select your server farm in the left-hand tree and double-click Proxy.
    16. In the Time-out (seconds) field, change the value to 120.
    17. Click Apply.
  4. Right-click Default Web Site and then click Add Application.
    • Alias is ibmcognos.
    • Application pool is the one created in step 1.
    • Physical path is install_location\webcontent
    1. Enable Web Content expiry
      1. Select ibmcognos and double-click HTTP Response Headers.
      2. Click Set Common Headers.
      3. Check Expire Web Content and set an expiry that works best for you.
    2. Select ibmcognos and double-click Mime Types.

      Important: Add the following mime types to your IIS configuration if they are not already present.

      • .svg : image/svg+xml
      • .woff : application/x-font-woff
      • .json : application/json
      • .woff2 : font/woff2
      • .template : text/html
      • .txt : text/plain
  5. If you are configuring single sign-on between IIS and Cognos, right-click ibmcognos and click Add Application.
    • Alias to sso.
    • Application pool is the one you created in step 1.
    • Physical path is install_location\cgi-bin
    1. Select sso and double-click Handler Mappings.
    2. Click Add Module Mapping in the right Actions pane.
      • Request path is cisapi.
      • Module is IsapiModule.
      • Executable is install_location\cgi-bin\cognosisapi.dll
      • Name is Cognos SSO.
      • Click Request Restrictions and ensure that Invoke Handler is unchecked.
      • Click OK twice.
      • On the Edit Script Map dialog, click Yes.
      • Select sso and double-click Modules. If the WebDAVModule appears in the list, remove it.
  6. Create URL-rewrite rules to map requests to the correct handlers.
    1. Click on bi directory under ibmcognos.
    2. Double-click URL Rewrite.
    3. Add a server variable to identify the Cognos Analytics location by clicking View Server Variables.
      • Click Add.
      • Name the variable HTTP_X_BI_PATH.
      • Click Back to Rules.
      • Click Add.
      • Name the variable HTTP_X_WEBCONTENTROOT
      • Click Back to Rules.
      • Click Add.
      • Name the variable HTTP_X_FORWARDED_HOST.
      • Click Back to Rules.
    4. Add a rule to pass the Cognos Analytics location to the ca-host machines by clicking Add Rules > Inbound Rules > Blank Rule.
      • Name is Headers.
      • Pattern is (.*)
      • Action type is none.
      • Expand Server variables and
        • Click Add. Select HTTP_X_BI_PATH and set the value to /ibmcognos/bi/v1.
        • Click Add. Select HTTP_X_FORWARDED_HOST and set the value to {HTTP_HOST}.
        • Click Add. Select HTTP_X_WEBCONTENTROOT and set the value to /ibmcognos.
      • Clear Stop processing of subsequent rules.
      • Click Apply and Back to Rules.
    5. If you configured the SSO application in a previous step, add rules to map login and legacy UI service requests to the SSO handler.
      1. Click Add Rules > Inbound Rules > Blank Rule.
        • Name is SSO Login.
        • Pattern is v1/login$
        • Action type is Rewrite.
        • Rewrite URL is /ibmcognos/sso/cisapi/bi/v1/login
        • Check Stop processing of subsequent rules.
        • Click Apply and Back to Rules.
      2. Click Add Rules > Inbound Rules > Blank Rule.
        • Name is Legacy SSO.
        • Pattern is (v1/disp(/.*)?)
        • Action type is Rewrite
        • Rewrite URL is /ibmcognos/sso/cisapi/bi/{R:1}
        • Check Stop processing of subsequent rules.
        • Click Apply and Back to Rules.
    6. Add a rule to map Cognos Analytics REST service requests to the backend Cognos Analytics servers.
      1. Click Add Rules > Inbound and Outbound Rules > Reverse Proxy.
        • If proxies are not already enabled, you are prompted to enable. Click OK.
        • Server name is ca-host:9300/bi or, if you have configured a server farm, http://ca_servers/bi

        Select the newly created rule and click Edit.

        • Pattern is (^$)|(^v1(/.*)?)|(^[^/]+\.jsp)
        • Action type is Rewrite.
        • Rewrite URL is http://ca-host:9300/bi/{R:0} or, if you have configured a server farm, http://ca_servers/bi/{R:0}
        • Check Stop processing of subsequent rules.
        • Click Apply and Back to Rules.
      2. Click Add Rules > Inbound Rules > Blank Rule.
        • Name is Event Studio.
        • Pattern is ^(ags|cr1|prompting|ccl|common|skins|ps|cps4)/(.*)
        • Open the Conditions section.
        • Change the Logical Grouping to Match Any
        • Click Add.
          • Condition input is {HTTP_REFERER}
          • Check if input string is Matches the Pattern
          • Pattern is v1/disp
          • Check Ignore case.
        • Click Add
          • Condition input is {HTTP_REFERER}
          • Check if input string is Matches the Pattern
          • Pattern is (ags|cr1|prompting|ccl|common|skins|ps|cps4)/(.*)\.css
          • Check Ignore case.
        • Action type is Rewrite
        • Rewrite URL is /ibmcognos/{R:0}
        • Check Stop processing of subsequent rules.
        • Click Apply and Back to Rules.
      3. Click Add Rules > Inbound Rules > Blank Rule
        • Name is Report Viewer
        • Pattern is ^rv/(.*)
        • Action type is Rewrite
        • Rewrite URL is /ibmcognos/{R:0}
        • Check Stop processing of subsequent rules.
        • Click Apply and Back to Rules.
  7. Adjust request size limits.
    1. Select the bi directory under the ibmcognos application created earlier.
    2. Double-click Request Filtering.
    3. Click Edit Feature Settings… from the right-hand panel.
      • Set Maximum URL length (bytes) to 8192.
      • Set Maximum query string (bytes) to 8192.
      • Click OK.
    4. Double-click Request Filtering.
    5. Select Headers tab and click Add Header.
    6. In Header Box, type the header field name as Referer.
    7. In the Size Limit box, type 8192.
    8. Click OK.
    9. Repeat process for a header field name entitled Cookie with the Size Limit of 4096.
    10. Click OK.
    11. Click the ibmcognos virtual directory.
    12. In the Home view, Management section, double-click Configuration Editor.
    13. In the Section drop-down list, expand system.web, and select httpRuntime.
    14. Set the property maxQueryStringLength to 8192.
    15. Apply the configuration change.
  8. Configure IIS to pass through the custom 441 errors that are used for recoverable exceptions from CAM. Otherwise, IIS can block these errors, and the customer sees the “Invalid Logon Response” error when trying to log on.
    1. Click the ibmcognos virtual directory.
    2. In the Home view, Management section, double-click Configuration Editor.
    3. In the Section drop-down list, expand system.webServer, and select httpErrors.
    4. Set the existingResponse property to PassThrough.
    5. Apply the configuration change.
  9. If you configured the SSO application in previous steps, enable Windows Authentication.
    1. Select the SSO application. For Microsoft Edge browser, select the ibmcognos application.
    2. Double-click Authentication. Disable Anonymous Authentication, and enable Windows Authentication.
    Cognos Analytics should now be available at: http://iis-host/ibmcognos.

NOTE: The above is tested for CA 11.0.13 and can behave differently for other versions of CA11. Contact Cognos Support to get the correct instructions on how to set up the CA gateway in IIS.
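
The rule chain from step 6 can be checked offline. The sketch below is an added example (not IBM or Microsoft code) that models the rules as listed and reports which one handles a given path under /ibmcognos/bi/, including how the Event Studio rule sends common/palettes.json to a different folder depending on the Referer header. It assumes the rules run in the order they were created, that patterns are matched case-insensitively, and that the single-server backend ca-host:9300 is used; `route` and the rule name "Reverse Proxy" are names chosen here.

```python
import re

# Single-server form from the page; a server farm would use http://ca_servers/bi/
BACKEND = "http://ca-host:9300/bi/"
ES_DIRS = r"(ags|cr1|prompting|ccl|common|skins|ps|cps4)"

# (name, pattern, rewrite template or None, Referer conditions "Match Any", SSO-only)
RULES = [
    ("Headers", r"(.*)", None, None, False),
    ("SSO Login", r"v1/login$", "/ibmcognos/sso/cisapi/bi/v1/login", None, True),
    ("Legacy SSO", r"(v1/disp(/.*)?)", "/ibmcognos/sso/cisapi/bi/{R:1}", None, True),
    ("Reverse Proxy", r"(^$)|(^v1(/.*)?)|(^[^/]+\.jsp)", BACKEND + "{R:0}", None, False),
    ("Event Studio", r"^" + ES_DIRS + r"/(.*)", "/ibmcognos/{R:0}",
     [r"v1/disp", ES_DIRS + r"/(.*)\.css"], False),
    ("Report Viewer", r"^rv/(.*)", "/ibmcognos/{R:0}", None, False),
]


def route(path, referer="", sso_enabled=True):
    """Return (rule name, target) for a URL path relative to /ibmcognos/bi/."""
    for name, pattern, rewrite, referer_any, sso_only in RULES:
        if sso_only and not sso_enabled:
            continue  # SSO rules exist only when the sso application was configured
        m = re.search(pattern, path, re.IGNORECASE)
        if not m:
            continue
        if referer_any and not any(
                re.search(c, referer, re.IGNORECASE) for c in referer_any):
            continue  # pattern matched, but no condition did: rule is skipped
        if rewrite is None:
            continue  # action "None": only sets server variables, no stop
        # {R:0} is the whole match, {R:n} the n-th capture group
        target = re.sub(r"\{R:(\d+)\}",
                        lambda g: m.group(int(g.group(1))) or "", rewrite)
        return name, target  # every Rewrite rule here stops further processing
    # No rewrite applied: IIS serves the file from install_location\webcontent\bi
    return "static file", "/ibmcognos/bi/" + path


if __name__ == "__main__":
    samples = [
        ("v1/login", ""),
        ("v1/ping", ""),
        ("common/palettes.json", "http://iis-host/ibmcognos/bi/"),
        ("common/palettes.json", "http://iis-host/ibmcognos/bi/v1/disp"),
    ]
    for path, referer in samples:
        print(path, "| Referer:", referer or "-", "->", route(path, referer))
```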

Product:
Cognos Analytics 11.0.12
Microsoft Windows 2016 Server

Problem:
When you surf directly to the CA11 gateway server (IIS), you get an error, but if you add /ibmcognos/bi it works fine.

Error Message in web browser (IE):
Service Unavailable
HTTP Error 503. The service is unavailable.

Solution:
In IIS Manager, the DefaultAppPool is stopped. Start it from Internet Information Services (IIS) Manager:
Expand Application Pools.
Select the DefaultAppPool and click Start on the right side.

The ICAPool is often set up for the /ibmcognos/ application, which is why it works to surf directly to http://servername.domain.com/ibmcognos

A restart of IIS with the command iisreset does not start application pools that are stopped.

A redirect on the Default Web Site will not work if the application pool is not started, but you can set one up so that users who enter only the server name are sent to the CA11 solution. It is best to use a DNS alias for the server if one exists.

You can also enter HTTPS in the redirect, if you have set up IIS to use HTTPS, so that users who surf directly to the IIS server are rerouted to HTTPS as above.

How to set up SSL

https://docs.microsoft.com/en-us/iis/manage/configuring-security/how-to-set-up-ssl-on-iis

https://support.microsoft.com/en-us/help/324069/how-to-set-up-an-https-service-in-iis

https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/c_configureawebserver_single.html

Product:
Planning Analytics 2.0.5
Internet Explorer 11
Firefox Quantum

Problem:
After applying SSL in TM1WEB, the node for a contributor application shows a blank page in IE, but it works fine in Chrome.
No error message in IE, but in Firefox you get this message:
The information you have entered on this page will be sent over an insecure connection and could be read by a third party. Are you sure you want to send this information?

Background – how to set up SSL in TM1WEB for Planning Analytics:
http://www-01.ibm.com/support/docview.wss?uid=swg22004239

Solution:
Go to the pmpsvc start page at
https://pawebservername.domain.com:9510/pmpsvc/applications.jsp?portal=1
Click on the icon for “Administrator IBM Cognos TM1 Applications”

Under Clients, mark “TM1 Application Web” and click the blue Edit link.

Change the URL from
http://pawebservername.domain.com:9510/tm1web/Contributor.jsp
to
https://pawebservername.domain.com:9510/tm1web/Contributor.jsp

Click OK
Click OK

Now try again to open the node in TM1 Application Web with Internet Explorer.

The server name and port number should be changed to the ones you use in your PA2 setup.

More Information:
https://www.wireshark.org/#download

Product:
Planning Analytics 2.0.4
Microsoft Windows 2012 R2
Cognos Analytics 11.0.9
IE 11

Problem:
When users surf to the TM1 Web Applications portal (pmpsvc), no applications are listed. If you access the portal from inside Performance Modeler, the applications are listed, so the users do have access rights inside the TM1 applications. In PM you use the link http://paservername.domain.com:9510/pmpsvc/services

Solution:
In Internet Explorer, turn off the Compatibility View settings:
In IE go to the icon for settings menu.
Click on Compatibility View Settings.
Deselect Display intranet sites in Compatibility View.
Deselect Use Microsoft compatibility lists.
Click Close.
Close your Internet Explorer browser.
Launch your Internet Explorer 11 browser and clear the cache.

Surf to http://paservername.domain.com:9510/pmpsvc to test again.

Product:
Cognos Analytics 11.0.12
Microsoft Windows 2016 server

Problem:
After applying stricter TLS security requirements with the IIS Crypto tool, to comply with the Visa and Mastercard data regulation (PCI DSS), on an IIS server for Cognos, users of Firefox or Chrome cannot surf to it with HTTPS. IE still works fine.

Error message:
NS_ERROR_NET_INADEQUATE_SECURITY or ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY

Background:
https://www.nartac.com/Products/IISCrypto
The IIS Crypto 2 tool is run on the server to apply the settings, using a template file. Here is an example of how you can do it: https://gist.github.com/JimWolff/fc35d863db8971b2a73c96f90c5002e4

Part of the template file is the cipher suite settings listed below:
<cipherSuites>
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521" state="Enabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_256_GCM_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_128_GCM_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_256_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_128_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_256_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_128_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_3DES_EDE_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_RC4_128_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_RC4_128_MD5" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_NULL_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_NULL_SHA" state="Disabled" />
<cipherSuiteItem name="SSL_CK_RC4_128_WITH_MD5" state="Disabled" />
<cipherSuiteItem name="SSL_CK_DES_192_EDE3_CBC_WITH_MD5" state="Disabled" />
</cipherSuites>

Templates can be found here https://gist.github.com/JimWolff

Suggested Solution:
Add two cipher suites to the template file, and reboot the server to apply the new settings.

<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" state="Enabled" minimumOSVersion="Windows2016" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" state="Enabled" minimumOSVersion="Windows2016" />

This should make the file look like this

After you have made this change and applied it with the IIS Crypto 2 program, test whether it works in Firefox or Chrome.

If you inspect the certificate in Firefox, you can see the above information about the SSL in use.

Some of the changes are stored in the registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
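
Both browser errors are what Firefox and Chrome report when a server negotiates HTTP/2 with a TLS 1.2 cipher suite from the HTTP/2 blacklist (RFC 7540, Appendix A), which covers every suite without ephemeral key exchange or without an AEAD cipher such as GCM. The check below is an added example, not part of IIS Crypto or the original template: it reads a template and lists the enabled suites that are usable for HTTP/2. It assumes an RSA server certificate (the page does not say which key type is used) and that the list order is the preference order; `classify`, `audit` and the template excerpts are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the PCI template shown above (a few suites per group).
BEFORE = """<iisCryptoTemplate><cipherSuites>
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256" state="Enabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_256_GCM_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" state="Disabled" />
</cipherSuites></iisCryptoTemplate>"""

# The two suites from the suggested solution.
FIX = (
    '<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" '
    'state="Enabled" minimumOSVersion="Windows2016" />\n'
    '<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" '
    'state="Enabled" minimumOSVersion="Windows2016" />\n'
)
# Placement is an assumption: the page does not show where the lines go.
AFTER_TOP = BEFORE.replace("<cipherSuites>\n", "<cipherSuites>\n" + FIX)
AFTER_END = BEFORE.replace("</cipherSuites>", FIX + "</cipherSuites>")

AEAD = ("_GCM_", "_CCM", "CHACHA20_POLY1305")
CURVE_SUFFIX = re.compile(r"_P(256|384|521)$")  # older Windows suite naming


def classify(name):
    """Return (certificate key type, usable for HTTP/2) for a suite name."""
    base = CURVE_SUFFIX.sub("", name)
    m = re.match(r"TLS_(ECDHE|DHE)_(RSA|ECDSA|DSS)_WITH_(.+)$", base)
    if not m:
        # Static RSA, PSK, NULL and SSL 2.0 suites: no ephemeral key exchange.
        return ("RSA" if base.startswith("TLS_RSA_") else None), False
    return m.group(2), any(tag in base for tag in AEAD)


def audit(template_xml, cert_key="RSA"):
    """List enabled suites that fit the certificate and HTTP/2."""
    root = ET.fromstring(template_xml)
    enabled = [item.get("name") for item in root.iter("cipherSuiteItem")
               if item.get("state") == "Enabled"]
    for_cert = [n for n in enabled if classify(n)[0] == cert_key]
    return {
        "usable": [n for n in for_cert if classify(n)[1]],
        # True when the most-preferred suite for this key type is blacklisted,
        # so it can still be chosen ahead of a usable one further down.
        "blacklisted_first": bool(for_cert) and not classify(for_cert[0])[1],
    }


if __name__ == "__main__":
    for label, xml in (("before", BEFORE), ("fix on top", AFTER_TOP),
                       ("fix at end", AFTER_END)):
        print(label, audit(xml))
```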

More information:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/5e17d836-39f7-4246-a382-b073d1130079/ssl-cipher-suite-order-best-practice?forum=winserversecurity
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#ciphersuites
https://docs.microsoft.com/en-us/powershell/module/tls/?view=win10-ps

https://tls.mbed.org/supported-ssl-ciphersuites

A Cipher Best Practice: Configure IIS for SSL/TLS Protocol

https://support.microsoft.com/en-ph/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi

The Best Practices setup by the IIS Crypto 2 tool is:

<?xml version="1.0" encoding="utf-16"?>
<iisCryptoTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="0">
<header>
<name>Best Practices</name>
<author>Nartac Software</author>
<lastUpdated>2019-01-21T13:47:28.1977801Z</lastUpdated>
<description>This template sets your server to use the best practices for TLS. It aims to be compatible with as many browsers as possible while disabling weak protocols and cipher suites.</description>
<builtIn>false</builtIn>
</header>
<schannel setClientProtocols="true">
<clientProtocols>
<schannelItem name="Multi-Protocol Unified Hello" state="Disabled" />
<schannelItem name="PCT 1.0" state="Disabled" />
<schannelItem name="SSL 2.0" state="Disabled" />
<schannelItem name="SSL 3.0" state="Disabled" />
<schannelItem name="TLS 1.0" state="Enabled" />
<schannelItem name="TLS 1.1" state="Enabled" minimumOSVersion="Windows2008R2" />
<schannelItem name="TLS 1.2" state="Enabled" minimumOSVersion="Windows2008R2" />
</clientProtocols>
<serverProtocols>
<schannelItem name="Multi-Protocol Unified Hello" state="Disabled" />
<schannelItem name="PCT 1.0" state="Disabled" />
<schannelItem name="SSL 2.0" state="Disabled" />
<schannelItem name="SSL 3.0" state="Disabled" />
<schannelItem name="TLS 1.0" state="Enabled" />
<schannelItem name="TLS 1.1" state="Enabled" minimumOSVersion="Windows2008R2" />
<schannelItem name="TLS 1.2" state="Enabled" minimumOSVersion="Windows2008R2" />
</serverProtocols>
<ciphers>
<schannelItem name="NULL" state="Disabled" />
<schannelItem name="DES 56/56" state="Disabled" />
<schannelItem name="RC2 40/128" state="Disabled" />
<schannelItem name="RC2 56/128" state="Disabled" />
<schannelItem name="RC2 128/128" state="Disabled" />
<schannelItem name="RC4 40/128" state="Disabled" />
<schannelItem name="RC4 56/128" state="Disabled" />
<schannelItem name="RC4 64/128" state="Disabled" />
<schannelItem name="RC4 128/128" state="Disabled" />
<schannelItem name="Triple DES 168" state="Enabled" />
<schannelItem name="AES 128/128" state="Enabled" />
<schannelItem name="AES 256/256" state="Enabled" />
</ciphers>
<hashes>
<schannelItem name="MD5" state="Enabled" />
<schannelItem name="SHA" state="Enabled" />
<schannelItem name="SHA 256" state="Enabled" minimumOSVersion="Windows2008R2" />
<schannelItem name="SHA 384" state="Enabled" minimumOSVersion="Windows2008R2" />
<schannelItem name="SHA 512" state="Enabled" minimumOSVersion="Windows2008R2" />
</hashes>
<keyExchanges>
<schannelItem name="Diffie-Hellman" state="Enabled" />
<schannelItem name="PKCS" state="Enabled" />
<schannelItem name="ECDH" state="Enabled" />
</keyExchanges>
</schannel>
<cipherSuites>
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" state="Enabled" minimumOSVersion="Windows2016" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" state="Enabled" minimumOSVersion="Windows2016" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" state="Enabled" minimumOSVersion="Windows2016" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" state="Enabled" minimumOSVersion="Windows2016" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" state="Enabled" minimumOSVersion="Windows2016" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" state="Enabled" minimumOSVersion="Windows2016" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" state="Enabled" minimumOSVersion="Windows2016" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" state="Enabled" minimumOSVersion="Windows2016" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" state="Enabled" minimumOSVersion="Windows2016" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" state="Enabled" minimumOSVersion="Windows2016" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" state="Enabled" minimumOSVersion="Windows2016" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" state="Enabled" minimumOSVersion="Windows2016" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_256_GCM_SHA384" state="Enabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_128_GCM_SHA256" state="Enabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_256_CBC_SHA256" state="Enabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_128_CBC_SHA256" state="Enabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_256_CBC_SHA" state="Enabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_128_CBC_SHA" state="Enabled" />
<cipherSuiteItem name="TLS_RSA_WITH_3DES_EDE_CBC_SHA" state="Enabled" />
<cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_RC4_128_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_RC4_128_MD5" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_NULL_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_NULL_SHA" state="Disabled" />
<cipherSuiteItem name="SSL_CK_RC4_128_WITH_MD5" state="Disabled" />
<cipherSuiteItem name="SSL_CK_DES_192_EDE3_CBC_WITH_MD5" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_AES_256_GCM_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_AES_128_GCM_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_AES_256_CBC_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_AES_128_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_NULL_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_NULL_SHA256" state="Disabled" />
</cipherSuites>
</iisCryptoTemplate>

Workaround in Firefox

Open Firefox and type about:config in the address bar
Click on I Accept The Risk
Search for network.http.spdy.enabled.http2
Change the value to False
Restart your browser

Product:
Planning Analytics 2.0.5
Microsoft Windows 2016 Server

Problem:
I want a list of all TM1SERVER.LOG files on the servers' D drives, to find which TM1 instances' application logs I should inspect with my log file monitor software.

Suggested Solution:
On one of the servers, log in as a local administrator who is also an administrator on all the other servers.
Create a text file with the names of the servers.
Enter one server name per row, like this:
servernameA
servernameB
servernameC
Save the file as tmservers.txt

Create a CMD file with this content:
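@echo off
rem For each server name in tmservers.txt, map its D$ admin share to Z:
rem and write the full path of every tm1server.log to d:\temp\<server>.txt
for /F %%a in (tmservers.txt) do (
  net use z: \\%%a\d$
  z:
  cd \
  dir /s /b tm1server.log > d:\temp\%%a.txt
  c:
  net use z: /d
)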
Save the file as tm1list.cmd

Go to a DOS prompt as administrator and run the above file.

tm1list.cmd
It will create a file for each server in the d:\temp folder on the server where you run the cmd file.
Each file has the server name as its file name and contains a list looking something like this:

Z:\data\tm1\servers\appone\logfiles\tm1server.log
Z:\data\tm1\servers\appnametwo\logfiles\tm1server.log
Z:\data\tm1\servers\tm1appnametree\Logfiles\tm1server.log

Z is the D drive on the server.

The path differs depending on where you store the TM1 instances.

More information
https://stackoverflow.com/questions/15486011/batch-file-for-loop-via-a-text-file-of-ip-addresses-not-working

https://ss64.com/nt/dir.html

Product:
Planning Analytics for Excel (PAX) version 35
CORREDIST_version=CORREDIST-AW64-ML-RTM-11.0.35.13-0
CORREDIST_name=IBM Planning Analytics for Excel
Microsoft Excel 365 64 bit Version 1803 (Build 9126.2336 Click-to-run)

Problem:
After installation of PAX on Windows 7 with Office 365, you can only get the PAX add-in to work if you start Excel with “Run as Administrator”. If you start Excel as a normal user, the add-in “IBM Framework for Office” is missing.

Suggested solution:

If you cannot add the COM add-in manually, you can create a file that adds the values below to the registry on the client computer:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\CognosOffice12.Connect]
@="Connect Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\CognosOffice12.Connect\CLSID]
@="{0e159c85-c989-4582-8208-3d2afa48c15a}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\Excel\Addins\CognosOffice12.Connect]
@=hex(40000):
"Description"="IBM Framework for Office"
"FriendlyName"="IBM Framework for Office"
"LoadBehavior"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Excel\Addins\CognosOffice12.Connect]
"Description"="IBM Framework for Office"
"FriendlyName"="IBM Framework for Office"
"LoadBehavior"=dword:00000002

Save the text above in Notepad and name the file addvalues.reg. Double-clicking the file (to run it) then adds the values to the registry on your computer (if you have the rights to do so).

More information:
https://blog.infostruction.com/2016/11/08/registry-keys-for-office-365-20132016/
https://support.netdocuments.com/hc/en-us/articles/205219670-Changing-the-Load-Behavior-of-the-ndOffice-Add-ins
https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_tm1_inst_pax_inst_tasks.html
https://www-01.ibm.com/support/docview.wss?uid=swg22012988

Planning Analytics for Microsoft Excel is available as a 32-bit or 64-bit installation. The corresponding installation must be installed on either the 32-bit or 64-bit version of Microsoft Office.

Before you update and install components, ensure that the following statements are true:

You have administrative privileges on the computer.
Microsoft .NET Framework 4.6.1 or later is installed.
Any previous version of IBM Planning Analytics for Microsoft Excel is uninstalled.
If you are installing a version of Planning Analytics for Microsoft Excel that is older than the version currently installed, back up your connection data. Replacing a newer version of Planning Analytics for Microsoft Excel with an older version might cause your connection data to be lost.
Acquire the appropriate license to use your IBM Cognos for Microsoft Office product.
Configure your antivirus software to allow or unblock connections from the following two applications:
Microsoft .NET Runtime
Microsoft Excel

Whether Office Click-to-Run is supported depends on the version of PAX:

https://www-01.ibm.com/support/docview.wss?uid=swg22015168

How to check the .NET Framework version

To find .NET Framework versions by viewing the registry (.NET Framework 4.5 and later)
  1. On the Start menu, choose Run.
  2. In the Open box, enter regedit.exe.

    You must have administrative credentials to run regedit.exe.

  3. In the Registry Editor, open the following subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full

    Note that the path to the Full subkey includes the subkey Net Framework rather than .NET Framework.

    Note

    If the Full subkey is not present, then you do not have the .NET Framework 4.5 or later installed.

    Check for a DWORD value named Release. The existence of the Release DWORD indicates that the .NET Framework 4.5 or newer has been installed on that computer.

https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed#net_b
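
The two registry checks in this post (the add-in keys from the suggested solution and the .NET Release value) as one read-only PowerShell script. This is an added example, not part of the original post or of IBM's documentation; the function names are hypothetical, and 394254 is the lowest Release value Microsoft documents for .NET Framework 4.6.1.

```powershell
# Added example: read-only prerequisite check for the PAX add-in.
# Run it in a 64-bit PowerShell session so the registry view is not redirected.
# Assumption: 394254 = lowest documented Release value for .NET Framework 4.6.1.
$MinRelease = 394254

function Get-DotNetRelease {
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    if (-not (Test-Path $key)) { return $null }   # no .NET Framework 4.5 or later
    (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
}

function Get-AddinLoadBehavior {
    # Both add-in keys written by the .reg file in this post.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\Excel\Addins\CognosOffice12.Connect',
        'HKLM:\SOFTWARE\Microsoft\Office\Excel\Addins\CognosOffice12.Connect'
    )
    foreach ($p in $paths) {
        $present = Test-Path $p
        $value = $null
        if ($present) {
            $value = (Get-ItemProperty -Path $p -Name LoadBehavior -ErrorAction SilentlyContinue).LoadBehavior
        }
        [pscustomobject]@{
            Key          = $p
            Present      = $present
            LoadBehavior = $value   # the .reg file sets 3 and 2 respectively
        }
    }
}

$release = Get-DotNetRelease
[pscustomobject]@{
    DotNetRelease  = $release
    MeetsDotNet461 = ($null -ne $release -and $release -ge $MinRelease)
} | Format-List

Get-AddinLoadBehavior | Format-List
```

A key reported as not present, or a LoadBehavior that differs from the value in the .reg file, shows which of the entries still has to be added for a normal (non-administrator) Excel session.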

Product:
Cognos Controller 10.3.1
Microsoft Windows 2012 R2 server

Problem:
Cognos Controller users are disconnected from the server, and have to start their Cognos Controller client again and log in.

Suggested Solution:
Change the recycling from the default of 29 hours to a specific time at night, when few users are using Cognos Controller.

Login to the Cognos Controller Server.
Open Internet Information Services (IIS) Manager
Click on Applications Pools
Click on DefaultAppPool or the one created for Controller.
On the right side click on Recycle…


Unmark the default regular interval of 1740 minutes.
Mark Specific times
Enter 3:00 AM


Click Next


Click Finish.

Let the users test Cognos Controller for more than a day before you decide whether this solves your issue.

More information:
https://www-01.ibm.com/support/docview.wss?uid=swg21990348
https://www-01.ibm.com/support/docview.wss?uid=swg21969315

Product:
Planning Analytics 2.0.5
Microsoft Windows Server 2016

Problem:
When you run a TI process to export data to a CSV file, you get an error from inside your TM1 application. You have recently moved from TM1 to Planning Analytics, and also to a new operating system: Microsoft Windows 2016.
The file share you try to export to is on a Linux server.
It works fine from your old Microsoft Windows 2008 server.

Error on Windows 10:
You can’t connect to the file share because it’s not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving the issue see: https://support.microsoft.com/en-my/help/4034314/smbv1-is-not-installed-by-default-in-windows

Possible Solution:
The new Windows Server 2016 has been set up to demand the newer, more secure file share (SMB) protocol, and the Linux server runs an older OS version that does not support it.
Try to use a different file share, one that both the old Linux program and the Microsoft Windows 2016 server can access.

First rule out a firewall issue by using TELNET to see if the ports are open. Run the commands below from the TM1 Windows server:
telnet linuxserver 445
telnet linuxserver 139
If the above gives an error, check the firewall settings in the network.

From a CMD prompt, logged in as the service account on the TM1 server, you can try to access the file share directly to ensure that the account has access:
net use * \\linuxserver.domain.com\filesharename

This can return “System error 64 has occurred” if you do not have correct SMB access.

Also check that the IBM TM1 instance runs under a domain service account, and not Local System. The Local System account cannot access network file shares.

Red Hat Enterprise Linux 7.2, which includes samba-4.2, and later comes with proper support for SMBv2 protocol, but earlier releases of Red Hat Enterprise Linux only support SMBv1.

From the internet:
Samba is made by linux/unix
SMB/CIFS is made by windows/microsoft

NOTE: when people say I have a “CIFS share”, it's better to say I have a “SMB share” or a “Samba share” – more on this below:
They use the same protocols to talk to each other.

Samba was originally made to emulate SMB, so that Linux PCs could share files with Windows PCs. Now Macs also have Samba, so they support SMB. So Macs, Windows and Linux can all happily talk via Samba & SMB.

With each new version of Windows, a new SMB version comes out. Then Samba team has to be ready to update their code to support the new features in SMB.
Windows;
SMB 1 – Windows 2000
SMB 2 – Windows Server 2008 and Windows Vista SP1
SMB 2.1 – Windows Server 2008 R2 and Windows 7
SMB 3.0 – Windows Server 2012 / ? and Windows 8 / 10

To identify the SMB version:
On Windows 8.1 or 2012, you can use the PowerShell cmdlet Get-SmbConnection (in admin mode).

You can not interrogate which SMB it is using in Windows 7.

SMB 1 introduced in DOS days, and was also called CIFS in its later version (think of it like SMB 1.1). First versions of Samba 1.x supported SMB and CIFS
SMB 2.0 / SMB2.02 introduced with Windows Vista / 2008 is supported with Samba 3.6
SMB 2.1 introduced with Windows 7 / Windows 2008 R2 is supported with Samba 4.0.0
SMB 3.0 introduced with Windows 8 / Windows 2012 is supported by Samba 4.2
SMB 3.02 introduced in Windows 8.1 / Windows 2012 R2 is not yet supported by any version of Samba (it's in the works I assume)
SMB 3.11 introduced in Windows 10 / Windows 2016 is not yet supported by any version of Samba (it's in the works I assume)

In the latest updates of Windows 10 and Windows Server 2016, support for SMB1 is automatically removed by Microsoft if SMB1 is not used.

How to remove SMB support:
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and

Start a PowerShell prompt:
1) Check which SMB version is enabled and which one is disabled:

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

Example: True = enabled

2) To enable SMB 1, 2 or 3, use the following:
Set-SmbServerConfiguration -EnableSMB2Protocol $True

3) To disable SMB 1, 2 or 3, use the following:
Set-SmbServerConfiguration -EnableSMB2Protocol $False

Restart the computer or server after every change.
Or do this on Windows Server 2012 R2 & 2016:
SMBv1
Detect: Get-WindowsFeature FS-SMB1
Enable: Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Disable: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
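
A read-only check that ties the steps in this post together (port test, SMB1 feature state, server configuration, negotiated dialect) before any protocol setting is changed. This is an added example, not part of the original post; the function name Get-SmbShareDiagnosis is hypothetical, the cmdlets are standard Windows ones, and linuxserver.domain.com is the placeholder host name used above.

```powershell
# Added example, read-only: collect the SMB facts on the TM1 Windows server.
# Run in an elevated PowerShell session (Get-WindowsOptionalFeature needs it).
function Get-SmbShareDiagnosis {
    param([Parameter(Mandatory = $true)][string]$FileServer)

    # Same question the telnet test answers: is TCP 445 reachable?
    $tcp = Test-NetConnection -ComputerName $FileServer -Port 445 -WarningAction SilentlyContinue

    # Is the SMB1 optional feature present on this machine?
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    # What this machine accepts when it acts as a file server.
    # EnableSMB2Protocol covers SMB2 and SMB3 together.
    $srv = Get-SmbServerConfiguration

    # Dialect negotiated on connections that are already open to the file server.
    $dialects = @(Get-SmbConnection -ServerName $FileServer -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Dialect -Unique)

    $finding = if (-not $tcp.TcpTestSucceeded) {
        'TCP 445 is not reachable: check firewalls before looking at SMB versions.'
    } elseif ($dialects | Where-Object { $_ -like '1*' }) {
        'An SMB1 session is open: plan to move the share to a server that offers SMB2 or later.'
    } elseif ($dialects.Count -gt 0) {
        'SMB2 or later was negotiated: the protocol version is not the problem.'
    } elseif ($smb1.State -ne 'Enabled') {
        'Port is open, no session, SMB1 is off here: the file server probably offers SMB1 only.'
    } else {
        'Port is open but no session exists: test access as the TM1 service account.'
    }

    [pscustomobject]@{
        FileServer         = $FileServer
        Port445Open        = $tcp.TcpTestSucceeded
        Smb1FeatureState   = [string]$smb1.State
        ServerAcceptsSmb1  = $srv.EnableSMB1Protocol
        ServerAcceptsSmb2  = $srv.EnableSMB2Protocol
        NegotiatedDialects = $dialects -join ', '
        Finding            = $finding
    }
}

# 'linuxserver.domain.com' is the placeholder host name used in this post.
Get-SmbShareDiagnosis -FileServer 'linuxserver.domain.com' | Format-List
```

Run it as the TM1 service account: Get-SmbConnection only lists sessions the current user can see, and the share access being tested is that account's.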

More information:
https://access.redhat.com/articles/3164551
https://www.rootusers.com/disable-smb-version-1-0-in-windows-server-2016/
https://www.mowasay.com/2018/08/windows-10-2016-build-1709-1803-cannot-connect-to-smb-shares/
http://www.admin-magazine.com/Archive/2017/40/SMB-3.1.1-in-Windows-Server-2016