Product:
Cognos Analytics 11.0.12
kit_version=11.0.12.18062512
kit_name=IBM Cognos Analytics
Microsoft Windows 2016 server
Problem:
After restart of servers the Cognos BI system does not respond. The users see this message:
The IBM Cognos gateway is unable to connect to the IBM Cognos BI server. The server may be unavailable or the gateway may not be correctly configured.
Error in cognosserver.log file:
com.cognos.accman.jcam.crypto.CAMCryptoException: CAM-CRP-1093 Unable to read the contents of the keystore ‘D:/Program Files/ibm/cognos/analytics/configuration/certs\CAMKeystore’. Reason: java.io.IOException: stream does not represent a PKCS12 key store
Solution:
First, try to restart the IIS server on the Cognos Gateway with the dos command: IISRESET
If that does not help, create new cryptographic keys;
“C:\Program Files\ibm\cognos\analytics\bin64\cogconfigw.exe” open to start cognos configuration.
Stop the running of Cognos BI in Cognos Configuration.
From inside Cognos Configuration, click ‘File > Export As’.
Choose ‘Yes’ at the prompt and save the file. Name it ‘cogstartup backup.xml’ which will be stored in the analytics\configuration folder.
Close Cognos Configuration.
Moving this files to a different, secure location e.g. c:\temp\backup (they should during the cryptographic keys regeneration process be re-created):
· analytics/configuration/cogstartup.xml
· analytics/configuration/caSerial
· analytics/configuration/certs/CAMCrypto.status
· analytics/configuration/certs/CAMKeystore
· analytics/configuration/certs/CAMKeystore.lock
· analytics/temp/cam/freshness
Moving this folder to a different, secure location e.g. c:\temp\backup
· analytics/configuration/csk
In the analytics\configuration folder, rename ‘cogstartup backup.xml’ to ‘cogstartup.xml’.
Go in to Cognos Configuration and click SAVE, and then start.
To test, you can browse to http://ca11servername:9300/p2pd/servlet
Repeat all the above steps on all the Cognos servers, starting with the Content Manager server and take the Cognos Gateway servers last.
If you see the message “CM-CFG-5069 A serious error occurred while committing a delete operation” when starting up the Cognos Analytics service, it can be a temporary error when CA11 try to clean up its own cache. Restart the CA11 server again and see if the error goes away.
Misleading Error in cognosserver.log at first logon of any user after a Cognos restart:
“/v1/identity bi-service Can not retrieve the password from configuration.”
Solved in later versions of CA11.
More information:
https://www.ibm.com/support/pages/how-regenerate-cryptographic-keys-cognos-analytics-11
https://www.ibm.com/support/pages/cognos-gateway-unable-connect-cognos-bi-server-2
By default, the cryptographic keys are valid for 365 days.
- This value is configured inside Cognos Configuration
- Specifically, browse to “Local Configuration -> Security -> Cryptography” and modify the value for: Common symmetric key lifetime in days
Each time you open Cognos configuration and click the save button, it resets the clock on your 365 days. Therefore, if you installed the software and didn’t save the configuration for 365 days, they would expire and you’d need to manually regenerate them.
You must restart the services every so often to ensure the new keys are actually being used.
- If you think you won’t be opening and saving your configuration at any point in the next year or two, you can change the expiration date to 8 years and re-encrypt everything.