Product:
Planning Analytics 2.0.9.19
Microsoft Windows 2016 server

Issue:
The security scan program reports that the port 12345 is not secure. Cause ssl-cve-2016-2183-sweet32 issue.

Possible solution:

Try to implement this limit in the ciphers that TM1 internally can use for communications.

Login to the PAL (planning analytics) server as admin.

Stop TM1 admin service and all the other TM1 instance services.

Open Cognos Configuration for TM1.

Add below to Supported ciphersuites:

TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

 

Then open each TM1S.CFG file for each instance, and add below last in the file:

tlsCipherList=TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

 

Save the file.

Start the TM1 Admin service first, and then the other TM1 instances one by one.

Check that you can login.

Wait and see if the security scan report a problem less.

More Information:

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=pa2f82-disable-des-3des-ciphers-in-planning-analytics-mitigate-false-positive-security-scans 

https://www.rapid7.com/db/vulnerabilities/ssl-cve-2016-2183-sweet32/ 

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers 

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=pitf-tlscipherlist 

 

Product:
Cognos Controller 11.0.12
Microsoft Windows 1016 server

Issue:

Error message about missing files when doing a upgrade installation of Cognos Controller 11.

Failed to copy file “d:\cognos controller upgrade\cntrl_11.0.1_win_ml\winx64h\./resource/utf-8\is_en_rc.txt” to destination “d:\program files\ibm\cognos\ccr_64\uninstall\./resource/utf-8\is_en_rc.txt”: No such file or directory.

If you press skip, you get a new message for other missing file.

Solution:

Check the size of the cntrl_11.0.1_win_ml.tar.gz   file – if it is less than 2 326 187 KB, you have the wrong file. Download again from IBM.

Parts and platforms Details eImage
IBM Cognos Controller 11.0.1 Microsoft Windows Multilingual Required M0DH2ML

 

A zip file of the size 409 587 KB is wrong.

More information:

https://www.ibm.com/support/pages/downloading-ibm-cognos-controller-1101

https://www.ibm.com/docs/en/cognos-controller/11.0.1?topic=icclo-installing-configuring-cognos-controller-one-computer

To log a ticket with IBM support go to: https://www.ibm.com/mysupport/s/?language=en_US

IBM Documentation: https://www.ibm.com/docs/en/cognos-controller

Product:
Microsoft Windows 2019 server

Issue:

Your security scan software report that you have a issue on the Windows server with ciphers.

TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)
Negotiated with the following insecure cipher suites:
* TLS 1.2 ciphers:
* TLS_RSA_WITH_3DES_EDE_CBC_SHA

Configure the server to disable support for 3DES suite.

Solution:

Check that the application software you use on the server does not need this cipher.

Login to the Windows server as local administrator.

Then run this powershell command to remove the support for the cipher:

Disable-TlsCipherSuite -Name 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'

 

Reboot the windows server for the change to take affect.

Get list of cipher that is 3DES:

Get-TlsCipherSuite -name “3DES”

 

Get list of all cipher on server:

Get-TlsCipherSuite | Format-Table Name

Get list of curves:

certutil.exe –displayEccCurve

 

More Information:

A cipher suite is a set of cryptographic algorithms. The schannel SSP implementation of the TLS/SSL protocols use algorithms from a cipher suite to create keys and encrypt information. A cipher suite specifies one algorithm for each of the following tasks:

  • Key exchange
  • Bulk encryption
  • Message authentication

Key exchange algorithms protect information required to create shared keys. These algorithms are asymmetric (public key algorithms) and perform well for relatively small amounts of data.

Bulk encryption algorithms encrypt messages exchanged between clients and servers. These algorithms are symmetric and perform well for large amounts of data.

Message authentication algorithms generate message hashes and signatures that ensure the integrity of a message.

Developers specify these elements by using ALG_ID data types. For more information, see Specifying Schannel Ciphers and Cipher Strengths.

In earlier versions of Windows, TLS cipher suites and elliptical curves were configured by using a single string:

Diagram that shows a single string for a Cipher Suite.

 

https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel 

https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls#configuring-tls-cipher-suite-order 

https://learn.microsoft.com/en-us/powershell/module/tls/?view=windowsserver2022-ps

https://learn.microsoft.com/en-us/powershell/module/tls/disable-tlsciphersuite?view=windowsserver2022-ps 

https://rdr-it.io/en/windows-server-disable-a-cipher-suite/ 

https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings?tabs=diffie-hellman

Product:
Cognos Controller 11.0.12

Microsoft Windows 2022 server

Issue:

User get a error when they try to login to Cognos Controller after you have upgraded the software on the server.

Solution:

Ask the user to install the new Cognos Controller client that match the version you have installed on the windows server.

This is often done by central distribution system, like Software center.

INSTALLATION INFORMATION
IBM Cognos Controller Version 11.0.1200.28
Integration Version 11.0.1200.8
Install/Updater Kit Version 11.0.1200.36

 

More information:

https://www.ibm.com/docs/en/cognos-controller/11.0.1?topic=icclo-installing-configuring-cognos-controller-one-computer 

https://www.ibm.com/support/pages/troubleshooting-error-invalid-database-version-version-controller-requires-database-version-710-when-launching-controller 

https://www.ibm.com/support/pages/how-install-controller-local-client

 

Product:
Cognos Controller 11
Microsoft Windows 2022 server

Issue:

Error when you try to setup the Cognos Controller web, by running bat command to add the databases.

D:\Program Files\ibm\cognos\ccr_64\fcmweb>SyncDBConf.bat ..\data wlp\user\shared\config\datasources
Found 6 udl files in ..\data

FATAL ERROR: ‘java.io.FileNotFoundException: D:\Program Files\ibm\cognos\ccr_64\fcmweb\wlp\user\shared\config\datasources\datasources.xml (The system cannot find the path specified.)’
:D:\Program Files\ibm\cognos\ccr_64\fcmweb\wlp\user\shared\config\datasources\datasources.xml (The system cannot find the path specified.)
Datasources updated.

Solution:

Try to Find the config.js file in C:\Program Files\IBM\cognos\ccr_64\frontend folder
Open the file in a text editor and make the following changes:

/* IBM SOURCE CODE HEADER START

* =====================================================================

* IBM Confidential

*

* IBM Cognos Products: ccr

*

* © Copyright IBM Corp. 2023

*

* The source code for this program is not published or otherwise

* divested of its trade secrets, irrespective of that has been

* deposited with the U.S. Copyright Office.

* =====================================================================

* IBM SOURCE CODE HEADER END */

var fs = require('fs');




module.exports =

{

"proxies": [{

"urlPath": "fcm.web",  //root context for Controller Web backend

"enabled": true,      //forward requests through UI service




"options": {

"ws": true,




// details for Controller web backend connection

"target": {

"host": "controllerservername.domain.com",

"port": 3000,

"protocol": "http:" //set https: for SSL

},

"secure": true  //set this to false if Controller Web Backend is using Self Signed certificates

}

},

{

"urlPath": "ibmcognos",  //root context for Controller Server Backend

"enabled": true,      //forward requests through UI service




"options": {

"ws": true,




//details for Controller Server connection

"target": {

"host": "controllerservername.domain.com",

"port": 80,

"protocol": "http:" //set https: for SSL

},

"secure": true  //set this to false if Controller Server Backend is using Self Signed certificates

}

}],







//Details for Controller UI service 

"expressJs": {

"host": "controllerservername.domain.com", //interface used by Controller Web UI Service

"port": "9080",              //port used by Controller Web UI Service

"adminContext": "admin",

"enableAdminApp": true,

"enableRemoteExcel": false,

"enableClient": false,

"enableFap": true,

"enableFileSettings": true,

"enableIBMIDAuth": false,

"enableEncryption": false,

"allowedOrigin": '{allowedOrigin}',

"oidcProvider": 'IBMid', //IBMid or google or azure

"options": {




//Add ssl object with path to certificates file below for using HTTPS 

//Note: the protocol in proxies section must also be set to HTTPS

                /*

                "ssl": {

// certificates

"key": fs.readFileSync(__dirname+"/keyfile.key"),  //__dirname points to ccr_64\frontend

                    "cert": fs.readFileSync(__dirname+"/cert.crt"),

                    "passphrase":"changeit"

}

*/

},




//false to enable "real time updates" feature for all the users

//true to disable "real time updates" feature for all the users

"disableRealTimeUpdates": false

},

ibmIDConfig: {

"discoveryEndpoint": "{discoveryEndpoint}",

"client_id": "{client_id}",

"client_secret": "{client_secret}",

"redirect_uris": ["{basePath}/auth/sso/callback"]

},

"entryPoints":

{

"paLink": "http://tm1servername.domain.com:9510/tm1web"

},

}

Reboot the Microsoft Windows Server, and then try to run the SyncDBConf.bat command again.

More Information:

https://www.ibm.com/docs/en/cognos-controller/11.0.1?topic=only-configuring-controller-web

Product:

Cognos Controller 11

Microsoft Windows 2022 server

Issue:

You click on the excel icon in cognos controller to start Excel program. The excel program starts very small.

Solution:

Remove the ccr.exe properties to adjust screen resolution (change high DPI settings)  or

open a excel document first in excel, before you login to cognos controller from excel, and run a report.

You have change the ccr.exe properties to not make cognos controller shrink when you open a java menu inside the cognos controller program. This is done by go to C:\Program Files\IBM\IBM Cognos Controller Local Client folder.
Right click on CCR.exe > Properties > Compatibility > Change high DPI settings > Check Override high DPI scaling behavior. Scaling performed by: System (Enhanced).

https://www.ibm.com/support/pages/controller-screen-shrink-after-opening-java-related-menu-function 

If user need to send report to Excel, they need to have an Excel book open first before run send to Excel. Otherwise the Excel will shrink after apply setting.

More Information:

https://www.ibm.com/support/pages/screen-shrinks-after-opening-java-related-menu-function-caused-limitation-apar-pi94499 

https://www.ibm.com/support/pages/controller-screen-shrink-after-opening-java-related-menu-function 

Product:

Cognos Analytics 11.2.4

Issue:

Can not install CA11 as there are file in use.

Solution:

Stop the ibm cognos service and set it to manual in windows services manager.

Stop the IIS ( World Wide Web Publishing Service ) and set it (W3SVC) to manual.

Reboot the Windows server, to clear the memory.

Login as administrator again.

Go to the folder where you have the CA11 media.

Now start the installation from; a file like analytics-installer-3.7.21-win.exe

https://www.ibm.com/support/pages/ibm-cognos-analytics-1124-fix-pack-2 

Ensure that you have backed up the content store database, and saved the cognos configuration as a text file, before you start the upgrade of Cognos Analytics.

If the setup fail during installation, you may have files to restore in folder C:\Program Files\ibm\cognos\analytics\install_backup

More Information:

https://www.ibm.com/support/pages/how-upgrade-your-version-cognos-analytics

https://docs.oracle.com/en/industries/health-sciences/inform/cognos1124-install/index.html?toc.htm?227090.htm

https://docs.oracle.com/en/industries/life-sciences/inform/cognos1124fp2-install/index.html?toc.htm?227238.htm

The IBM Cognos Analytics installation consists of two components: the installer executable and a repository zip file.

  1. Download the ca_instl_win_3.6.39.exe and ca_srv_win64_11.2.4.zip files from My Oracle Support (MOS) in Patch 23294044.
  2. Right click on ca_instl_win_3.6.39.exe, and select Run as administrator.
  3. Select the language to use for the installation, and click Next.

    The Repository selection page appears.

  4. Click Choose, browse to the server repository where the ca_srv_win64_11.2.4.zip file is located, click Open, and then click Next.

    The install getting started page appears.

  5. Select IBM Cognos Analytics, and click Next.
  6. Review and accept the license agreement, and click Next.
  7. In the Installation location field, browse to or type the drive and destination folder for the Cognos Analytics application (for example E:\cognos\c11), and click Next.

    If the Folder does not exist message appears, click Yes to create the folder.

  8. Select the appropriate installation type and components depending on your server configuration, and click Next. Do not select the Optional Gateway component.

    Server Configuration

    To install…

    Installation type

    Choose components

    Single server

    Content Manager and Report Server

    Custom

    Content Tier (mandatory)

    Application Tier

    Active Content Manager

    Custom

    Content Tier (mandatory)

    Application Tier

    Distributed environment

    Standby Content Manager

    Custom

    Content Tier (mandatory)

    Application Tier (mandatory)

    Report Server

    Custom

    Application Tier (mandatory)

  9. Review the pre-installation summary, and click Install.

    The installation program installs the components that you selected. This takes several minutes. When the component installation is complete, the Complete page appears.

  10. Click Done.
  11. On the Complete page, click Done.
  12. Open the cmplst.txt file in the Cognos installation directory.
  13. Look for the line Manifest=casrv-manifest-11.2.4-2212070924-winx64h.json to confirm that Cognos Analytics 11.2.4 is installed successfully.

 

Upgrade to IBM Cognos Analytics 11.2.4 FP2

Install IBM Cognos Analytics 11.2.4 FP2 software on all the applicable servers:

  1. Download the analytics-installer-3.7.12-win.exe and casrv-11.2.4-2307061628-winx64h.zip files from My Oracle Support (MOS) in patch 23294044.
  2. Stop all IBMCOGNOS and IIS services, set them to manual.
  3. Reboot the Windows server to clear the memory before starting the installation.
  4. Right click on analytics-installer-3.7.12-win.exe, and select Run as administrator.
  5. Select the language to use for the installation, and click Next.

    The Repository selection page appears.

  6. Click Choose, browse to the server repository where the casrv-11.2.4-2307061628-winx64h.zip file is located, click Open, and then click Next.

    The install getting started page appears.

  7. Select IBM Cognos Analytics, and click Next.
  8. Review and accept the license agreement, and click Next.
  9. In the Installation location field, browse to or type the drive and destination folder for the Cognos Analytics application (for example E:\cognos\c11), and click Next.

    A warning appears informing you that you are installing in the same location as a previous location and that files will be overwritten.

  10. Click Yes to agree to choose this location.
  11. Review the pre-installation summary, and click Install.

    A warning appears informing you about failure in pre-action installation step. Click OK to continue.

  12. Click Done.
  13. On the Complete page, click Done.
  14. Open the cmplst.txt file in the Cognos installation directory.
  15. Look for the line casrv-manifest-11.2.4-2307061628-winx64h.json to confirm that Cognos Analytics 11.2.4 FP2 is installed successfully.
  16. Go into Cognos Configuration – check that the environment values are correct – click save.
  17. Change the IBMCOGNOS service to automatic, the same for the WWW service.
  18. Reboot the Windows server.
  19. Wait 20 minutes.
  20. Check that you can login to Cognos Analytics.

 

Problems solved can be found in the Fix List for Cognos Analytics 11.2.4 FP2

Entitled Bundled Customers use this link Cognos Analytics 11.2.4 FP2 to get access to download Cognos Analytics Fix Pack 2.

Product:

Cognos Analytics 11.1.7

Microsoft SQL server 2019

Issue:

Try to connect to content store database from CA11 installation, in Cognos Configuration give you a error message.

Solution:

Error message:

Content Manager failed to connect to the content store. The connection string is “jdbc:sqlserver://192.168.1.77:1433;databaseName=ca11update;applicationName=IBM_C11_CM”. The error encountered is: “Login failed for user ‘cognos’. ClientConnectionId:

Then you have enter the wrong password.

Error message:

Content Manager failed to connect to the content store. The connection string is “jdbc:sqlserver://192.168.1.77:1433;databaseName=ca11update;applicationName=IBM_C11_CM”. The error encountered is: “Cannot open database “ca11update” requested by the login. The login failed. ClientConnectionId

Then you have enter the wrong name of the database.

 

More information:

https://www.ibm.com/support/pages/content-manager-failed-start-because-it-could-not-load-driver-commicrosoftsqlserverjdbcsqlserverdriver-when-starting-ibm-cognos-service

https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/Analytics-Cognos-connection-to-SQL-server-fails-when-server-is/ta-p/113351

https://www.ibm.com/support/pages/cm-sys-5003-content-manager-not-configured-listen-tcpip-when-starting-cognos-bi-service

Product:
Planning Analytic in containers (v12)

Issue:

Can i write to a file share from a Tm1 TI process?

Solution:

No, you can not use the old TI command ASCIIOUTPUT

The solution, i guess. is that you need to have a external script (tm1py) that get the data to file by doing HTTP REST API calls to the Planning Analytics installation.

https://github.com/cubewise-code/tm1py

This command only access the tm1 instance data folder in v12 of Planning Analytics.

TurboIntegrator function changes

The following TurboIntegrator file functions now work only with files in the database content directory or its child directories:

  • AsciiDelete
  • AsciiOutput
  • AsciiOutputOpen
  • FileExists
  • SetOutputEscapeDoubleQuote
  • TextOutput
  • WildcardFileSearch

 

Going from v11 to v12, you have to rewrite code that access the file system.

How to do things in the new version of Tm1 is mostly found in the community……

https://community.ibm.com/community/user/businessanalytics/discussion/planning-analytics-engine-drill-through-to-asciioutput-file

https://community.ibm.com/community/user/businessanalytics/blogs/edward-stuart/2023/10/13/executehttp?CommunityKey=8fde0600-e22b-4178-acf5-bf4eda43146b&Tab=groupdetails

More Information:

https://www.linkedin.com/pulse/developers-perspective-navigating-transition-tm1-v12-shane-bethea-2fwke

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=engine-changed-features-components-in-planning-analytics

Planning Analytics Engine (v12) does not support the C, Java, .Net, and all internal and experimental versions of the REST API. Only the OData compliant REST API is supported for interaction with the Planning Analytics Engine database.

Because older APIs are no longer supported, clients such as Architect and Perspective, do not work with Planning Analytics Engine.

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=engine-deprecated-features-components-in-planning-analytics

The following TurboIntegrator functions are not supported in Planning Analytics v12 Engine:

AddInfoCubeRestriction
AllowExternalRequests
AssignClientPassword
AssociateCAMIDToGroup
BatchCellIncrement
BatchUpdateFinish
BatchUpdateFinishWait
BatchUpdateStart
CGAddPromptValues
CGPromptGetNextMember
CGPromptSize
CreateHierarchyByAttribute
CubeDataReservationAcquire
CubeDataReservationGet
CubeDataReservationGetConflicts
CubeDataReservationRelease
CubeDataReservationReleaseAll
CubeGetLogChanges
CubeSaveData
CubeSetConnParams
CubeSetLogChanges
DisableBulkLoadMode
EnableBatchCellIncrement
EnableBulkLoadMode
ExecuteJavaN
ExecuteJavaS
LockOff LockOn
RefreshMDXHierarchy
RemoveCAMIDAssociation
RemoveCAMIDAssociationFromGroup
SaveDataAll ServerShutdown
SetChoreVerboseMessages
SetOdbcUnicodeInterface
SwapAliasWithPrincipalName

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=attf-asciioutput-1

https://www.ibm.com/support/pages/ibm-planning-analytics-20-fix-lists#anchor5

Example of write to PAL using TM1PY

https://gist.github.com/MariusWirtz/751c153a568d0f029c65f701fc6c03c8

https://succeedium.com/teamone/features.html

Product:
Planning Analytics 2.0.9.x
Microsoft Windows 2019 server

Issue:
Can i prevent user from change the transaction log files?

Solution:
That is the default – tm1 admin and users can not change the transactions log file from inside Planning Analytics (Tm1 architect).

You must have direct access to the TM1 server and the logg folder, and you can only change the file when the TM1 instance is stopped.

If you do not allow people access to the windows server disk – then the files can not be tampered with.

The transactions log can be read and search from inside TM1 architect, or PAW.

The following information is recorded in the tm1s.log file:

Date and time the change was made
Name of the client who made the change
Whether the new data is simple data (N) or string data (S)
Value before the change
Value after the change
Name of the cube in which the change was made
Elements that identify the cell that changed

More Information:

  • Transaction logging can be enabled and disabled for specific cubes by setting the LOGGING column in the }CubeProperties cube. Transaction logging is typically needed on cube transactions only during period of manual user data entry. For more information, see Enabling and disabling transaction logging.
  • The current transaction log file is named tm1s.log. The tm1s.log file is locked by the TM1 database and cannot be viewed or edited with a text editor. The current transaction log file is renamed to tm1s<timestamp>.log during a SaveDataAll (SaveDataAll happens automatically on shutdown or restart). An empty tm1s.log file is generated when the TM1 database starts and during a SaveDataAll without a database restart. For more information, see SaveDataAll.
  • The tm1s timestamped files, can be moved to other storage area for secure storage, if they are needed for later analysis.
  • If the server is intentionally shut down without saving the changes, the log file is saved with a timestamp and the extension is changed to .rej. You can process the tm1s<timestamp>.log file through TurboIntegrator to recover the transactions.
  • During an improper server shutdown, the tm1s.log remains as is and is not timestamped during shutdown. When the server restarts, it recognizes the presence of an old tm1s.log file and prompts you to choose between recovering the new log from the old existing log.
  • By default, TM1 logs transactions to all cubes loaded on the server. As the system administrator, you have the option to turn off logging for particular cubes. When you disable logging, TM1 accelerates updating the data but you cannot recover the updates in the event of a system failure.

 

https://exploringtm1.com/using-tm1-log-files/ 

The transactions log – IBM Documentation