Checklist to upgrade PAL

Planning Analytics
Microsoft Windows 2019 server


Do you have a checklist to help out with the upgrade/installation of Planning Analytics?


Best is if you create a checklist that cover the needs of your environment, but here is a suggested to be used as a starting point.

Download from here: 

Detail upgrade instruction here: 


Action Date
Copy the media to local hard disk on server d:\install
Export configuration from cognos configuration to backup folder d:\temp\backup
Backup samples folder D:\Program Files\ibm\cognos\tm1_64\samples\tm1
Backup the tm1web_config.xml for TM1WEB from:

D:\Program Files\ibm\cognos\tm1web\webapps\tm1web\WEB-INF\configuration

Backup server.xml and jvm.options and files from folder:

D:\Program Files\ibm\cognos\tm1web\wlp\usr\servers\tm1web

Backup of your PAA Agent file in folder:

D:\Program Files\ibm\cognos\tm1_64\paa_agent\wlp\usr\servers\kate-agent

Export the TM1 applications as a backup – the data is saved in the TM1 data folder.

  1. Open the TM1 Cognos Applications portal.
  2. Click the Export Application icon under the Actions column.
  3. From the File Download dialog box, click Save.
  4. Navigate to the directory to where you want to save the export file.
  5. Click Save.
Backup home.jsp in folder D:\Program Files\ibm\cognos\tm1web\webapps\tm1web
Backup CommonMessages.js in folder D:\Program Files\ibm\cognos\tm1web\webapps\tm1web\scripts\tm1web\common\nls\sv
Backup Tm1WebAppCam.js in folder D:\Program Files\ibm\cognos\tm1web\webapps\tm1web\scripts\tm1web\standalone
Backup pa_header.svg file in D:\Program Files\ibm\cognos\tm1web\webapps\tm1web\scripts\tm1web\themes\carbon\standalone\images\login
If HTTPS is used, backup all certificate stores
Ensure that anti-virus or Windows Defender SmartScreen is turned off on the server during installation
Uninstall Planning Analytics Performance modeler from the windows server before you install the upgrade of TM1
Check that firewall ports between servers are open

Port 25, 80, 9300, 9362, 1433, 389 etc for BI. Port 5495, 5498, 5895, 5898, 8888,9510,9511,9012, 12345, 12346 , 12366 etc for PAL
Stop all related IBM Cognos TM1 and IBM Planning Analytics services and set to MANUAL
Reboot Microsoft Windows server
Install PAL from file tm1_winx64h_2.0.919.10_ml.tar (run as administrator)
Install TM1WEB from file tm1web-11.0.93-24020517-winx64h_bundle
Go into cognos configuration and click save
Reboot the Windows server
Modifications are required when FIPSOperationMode set to 1 (Basic)

— Remove or deprioritise TLS RSA CipherSuites

— TLS V1.2 or higher must be enabled

— EDCHE CipherSuites must also be enabled 

Restore configuration files that were backed up before
Start the IBM planning services  (start CA11 if needed)
Check that you can login to TM1 Architect
Check that you can login to TM1WEB
Set all related IBM Cognos TM1 and IBM Planning Analytics services to AUTOMATIC start
Reboot windows server
Check that you can run Cognos Analytics reports against the upgrade TM1 cubes


In older versions, this was also needed to be done:

Planning Analytics often uses Cognos Analytics for authentication. If CAM security is used and an SSL certificate has been enabled in Cognos, then we need to add the certificate from Cognos Analytics into Planning Analytics. This post explains the steps required to integrate Cognos Security with SSL for Planning Analytics LocalTM1Web (Planning Analytics Spreadsheet Services) and Planning Analytics Workspace.
Extract from above websites:
Navigate to the Planning Analytics server and to the directory < PA install location> \bin64\ssl and copy the ibmtm1.arm file to the Cognos Analytics server. You can copy the file anywhere, but I recommend creating a directory for it in the installation location.
In order to import this certificate we use an executable on the Cognos Analytics server called ikeyman.exe which resides in the <CA install location> \ibm-jre\jre\bin directory. Simply double click this file to open it.
Click the Open icon on the toolbar, ensure the Key Database type is set to JKS, navigate to the directory <CA Install Location> \ibm-jre\jre\lib\security, and open the file called cacerts.
Now you have loaded the certificate file it’s time to import the Planning Analytics certificate. Under the ‘key database content’ section change the drop-down value to ‘Signer Certificates’ and press the ‘Add’ button….



Planning Analytic Workspace upgrade Date
Copy the media to the server d:\install
Unzip the file
Check free disk space on the PAW windows server
Rename folder to PAW92 and place it at root
Exclude new folder d:\paw92 from anti-virus scanning
Copy the <paw_install_location>/config/paw.ps1 file from your current installation to the new installation location
Copy the <paw_install_location>/config/certs directory from your current installation to the new installation location.
If you configured SSL, copy the <paw_install_location>/config/ssl directory from your current installation to the new installation location.
Take screen capture of the configuration today in PAW administration – any existing errors will not be solved by upgrade.
Take a backup
Stop the docker containers Paw.ps1 stop
Check that no running dockers containers Docker ps
Go to the new folder
Run installation ./start.ps1 Start.ps1
Check that admin settings are correct
Check you can login to PAW website
Stop the docker containers Paw.ps1 stop
Reboot windows server, this to ensure the system will work after a reboot.
Check you can login after 30 min
Download the new kate agent
Unzip to a temp folder
To update the Planning Analytics Administration agent Windows service, run UpdatePAAAgent.bat, passing in the full path to <PA_install_location>, that is, the parent of the paa_agent directory.
Check that contain the settings for smtp email as before
Running the /clean.ps1 script removes images for the release in which it is run. Run from old folder e.g. d:\paw90
Check free disk space



More information: 

Due to a security update included in Planning Analytics, customers who have the non-default FIPSOperationMode=1 set in their Tm1s.cfg should remove or deprioritize the TLS RSA CipherSuites for a successful handshake to occur. This includes all CipherSuites that are prefixed with TLS_RSA_. This also means that TLS V1.2 or later must be enabled, as TLS 1.1 and prior do not support alternatives. In the case of TLS V1.2, the ECDHE CipherSuites must also be enabled.