Cognos Analytics 11.1.x
Microsoft Windows 2016 server

When you enter url http://servername/ibmcognos then you do not get logged into Cognos Analytics, instead you get a blank screen.


Add a rule to allow Cognos Analytics pages to load without a trailing slash in URL. Start IIS Manager and go to IBMCOGNOS.

  1. Click the ibmcognos alias.
  2. Double-click URL Rewrite
  3. Click Add Rules > Inbound Rules > Blank Rule
    • Name is Add Trailing Slash
    • Pattern is ^bi$
    • Action type is Redirect
    • Redirect URL is {R:0}/
    • Check Append query string.
    • Redirect type is Permanent (301)
    • Click Apply and Back to Rules.


More information:


Cognos Analytics 11.1.7
Microsoft Windows 2016 server
Can i store the Native SQL query the users send to the database for later troubleshooting?

Activate logging of the SQL query to the AUDIT database.
Setup the AUDIT database logging in Cognos Configuration.

Browse to Cognos Analytics (ibmcognos) and go to Manage > Administrative Console > Configuration > Dispatchers and Services. Click on the Set Properties – Configuration icon.
Click the Settings tab, choose logging as category.

Go down to Generate comments in native SQL and mark it.
Click OK.
Run some reports to test the system.
Open SQL Developer and go to your AUDIT database and check the




More Information:

Cognos Analytics 11.1.7
Product_version=11.1 R7 (LTS)
Microsoft Windows 2019 server

When starting the Cognos® LifeCycle Manager (LCM) on the same server as CA11 is installed, they use the same port 9300.

Suggested Solution:

Start notepad++ as administrator
Change port on LCM by open D:\Program Files\ibm\cognos\lcm\wlp\usr\servers\lcm\server.xml in notepad++

Change the row <httpEndpoint host=”*” httpPort=”9305″ httpsPort=”-1″ id=”defaultHttpEndpoint”/> to use 9305 instead of 9300
Save the file.
Start a CMD as administrator.
Go to folder D:\Program Files\ibm\cognos\lcm
Run lcm_start.bat to start the service

You need to update the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IBM Cognos LCM\LCM URI internet shortcut to reflect the change of port

Then after that it should work to start and use it

More information:

Cognos Analytics 11.1.7 fix pack 2
Microsoft Windows 2019 server


When run some reports after a upgrade from previous version you get a error like this:

XQEGEN0002 An unexpected exception occurred: java.lang.StackOverflowError.

Report validation is OK but when you try to run it as HTML report you get a error.

Possible solution:

Check the report specification for any item or function that is common for the reports that does not work.

Can be that you have a filter in the Query parameters that you need to remove from the report to make it work.

You need to remove one part of the report at a time to find what part of the report specification that can give you the issue.

More information:

standard-deviation From the old Cognos 8
Returns the standard deviation of selected data items. The keyword “distinct” is available for
backward compatibility of expressions used in previous versions of the product.
standard-deviation ( [ distinct ] expr [ auto ] )
standard-deviation ( [ distinct ] expr for [ all | any ] expr {
, expr } )
standard-deviation ( [ distinct ] expr for report )
standard-deviation ( ProductCost )
Result: A value indicating the deviation between product costs and the average product cost.

Cognos Analytics 11.1.7
Microsoft Windows 2019 server

Can not add url or use link to tm1web or other web site.

When you try to add a URL you get below error:

Your URL uses an invalid domain. Click ‘View acceptable domains’ to see a list of domains you can use.

On all Cognos BI (CA11) servers, go into Cognos Configuration
Expand Security
Select IBM Cognos Application Firewall
Under “Enable CAF Validation?” = True, click on pen icon to add more servernames for Valid domains and hosts.

Enter the company domain name with a wildcard as *
Enter all the server names for your Cognos Analytics servers
Enter all the TM1 servers you have in your environment
Enter the TM1WEB servers with port number like tm1webservername:9510 (you must enter the port number for all servers Cognos will communicate with if it is not port 80)

Click OK
Click SAVE in Cognos Configuration.
You need then click on RESTART to make this changes take effect.
Restart the primary content manager service first, when that is up again, then restart the other CA11 servers in your environment.

How add a URL link in CA11:

Click on + in the folder where you want the link to be and select URL

Enter a name and enter the URL to your server including port number 9510 for tm1web. Recommended is to use full names includeing domain part.

Click OK.

Test the link.

“Cannot open URL” can also be becouse the website does not exist.

More information:

Cognos Analytics 11.1.7
Microsoft Windows 2019

How find out who is Active Content Manager without logging in to the CA11 server?


From a web browser enter following URL to server on port 9300 to check CM:

State is Running if it is the active CM in a multiserver environment of cognos bi.

To find java memory usage, enter this URL:

Get Dispatcher version with this URL:

Verify the configuration of an install with URL:

Find XML parser with URL:

To check if POGO is alive enter URL:

If you see this message pogo is alive

In future use REST API to find out more:

Cognos Analytics 11.0.12
kit_name=IBM Cognos Analytics
Microsoft Windows 2016 server

After restart of servers the Cognos BI system does not respond. The users see this message:

The IBM Cognos gateway is unable to connect to the IBM Cognos BI server. The server may be unavailable or the gateway may not be correctly configured.

Error in cognosserver.log file:

com.cognos.accman.jcam.crypto.CAMCryptoException: CAM-CRP-1093 Unable to read the contents of the keystore ‘D:/Program Files/ibm/cognos/analytics/configuration/certs\CAMKeystore’. Reason: stream does not represent a PKCS12 key store


First, try to restart the IIS server on the Cognos Gateway with the dos command: IISRESET

If that does not help, create new cryptographic keys;
“C:\Program Files\ibm\cognos\analytics\bin64\cogconfigw.exe” open to start cognos configuration.

Stop the running of Cognos BI in Cognos Configuration.

From inside Cognos Configuration, click ‘File > Export As’.

Choose ‘Yes’ at the prompt and save the file.  Name it ‘cogstartup backup.xml’ which will be stored in the analytics\configuration folder.

Close Cognos Configuration.

Moving this files to a different, secure location e.g. c:\temp\backup (they should during the cryptographic keys regeneration process be re-created):

· analytics/configuration/cogstartup.xml

· analytics/configuration/caSerial

· analytics/configuration/certs/CAMCrypto.status

· analytics/configuration/certs/CAMKeystore

· analytics/configuration/certs/CAMKeystore.lock

· analytics/temp/cam/freshness

Moving this folder to a different, secure location e.g. c:\temp\backup

· analytics/configuration/csk

In the analytics\configuration folder, rename ‘cogstartup backup.xml’ to ‘cogstartup.xml’.

Go in to Cognos Configuration and click SAVE, and then start.

To test, you can browse to http://ca11servername:9300/p2pd/servlet

Repeat all the above steps on all the Cognos servers, starting with the Content Manager server and take the Cognos Gateway servers last.


If you see the message “CM-CFG-5069 A serious error occurred while committing a delete operation” when starting up the Cognos Analytics service, it can be a temporary error when CA11 try to clean up its own cache.  Restart the CA11 server again and see if the error goes away.

Misleading Error in cognosserver.log at first logon of any user after a Cognos restart:
“/v1/identity bi-service Can not retrieve the password from configuration.”
Solved in later versions of CA11.

More information:

By default, the cryptographic keys are valid for 365 days.

  • This value is configured inside Cognos Configuration
  • Specifically, browse to “Local Configuration -> Security -> Cryptography” and modify the value for: Common symmetric key lifetime in days

Each time you open Cognos configuration and click the save button, it resets the clock on your 365 days. Therefore, if you installed the software and didn’t save the configuration for 365 days, they would expire and you’d need to manually regenerate them.

You must restart the services every so often to ensure the new keys are actually being used.

  • If you think you won’t be opening and saving your configuration at any point in the next year or two, you can change the expiration date to 8 years and re-encrypt everything.

Cognos Analytics 11.1.7
Microsoft Windows 2019 server
In a multi-server environment, when the second CA11 service is started, then not all the java processes needed for DQM reports is running. There should be 3 java process on a Cognos Analytics server.

The Cognos Configuration say that CA11 is up and running, but if you look into the Cognos Administration you find that the QueryService is not working (as its java process is not started).

Check the cognosserver.log file to find out that the file is damage.

Error you find in the cognosserver.log file are:

ERROR [pool-79-thread-19] NA problem reconfiguring handler queryServiceHandler
com.cognos.xqe.config.ConfigFileException: XQE-CFG-0003 Failed to load configuration file file:/D:/Program%20Files/ibm/cognos/analytics/configuration/xqe.config.xml.
at com.cognos.xqe.config.XQEConfiguration.loadConfiguration( ~[xqeService.jar:?]

Stop the IBM Cognos service from inside Cognos Configuration.
Copy the file xqe.config.xml from the working CA11 server to the none-working CA11 server.
Start the IBM Cognos service from inside Cognos Configuration.

Wait 8 minutes until it starts up. Test to run the reports now.
If no other working Cognos installation is around, you may need to reinstall Cognos to get correct files.

More information:

  1. Stop Dispatcher (that in turn will stop Query service).
  2. Assuming <cognos_home> is home directory of that specific dispatcher delete everything from <cognos_home>\wlp\usr\servers\dataset-service\workarea\*  (i.e. keep the workarea directory, but delete everything in it, including subdirectories)
  3. Delete everything from <cognos_home>\wlp\usr\servers\cognosserver\workarea\*
  4. Delete everything from <cognos_home>\javasharedresources\*
  5. Start Dispatcher (Query service will start automatically)

Cognos Analytics 11.1.x
Microsoft Windows 2019 server
Microsoft SQL server

I have a new Cognos environment, and want to easy copy the content store from the old environment to the new. The new Cognos environment have the same or newer version of Cognos Analytics.


To get security values over  – you must have exact the same Active Directory connection setup on both the old and new environment. Double check in Cognos Configuration that namespace is the same.

On the old server – check in Cognos Configuration where the zip file is stored.

This is normally in folder C:\Program Files\ibm\cognos\analytics\deployment on your CA11 server.
Browse to ..ibmcognos from your web browser. Login as adminstrator in cognos connection.

Click Manage – Administration console

Click Configuration tab
Click Content Administration and click on the export icon

Enter a name and click on Next button

Mark “Select the entire Content Store” and check “Include user account information” to get most information over. Click Next

Click Next

Enter a password you can remember and click OK

Click Next

Select “save and run once” and Click Finish

Click Run

Mark “View the details of this export after closing this dialog” and click OK.

Click on blue “refresh” every 10 min to see if it is finished.

Wait until status says Finish. Above is not a finish status, there is no Completion time.
This can take 30 minutes, depending of the amount of data in your Content Store.

When succeeded, click Close.

When done go to Windows file explorer and copy the zip file over from the old Cognos BI server to your new Cognos Analytics server.  Place the file in the deployment folder you are going to use.

If the deployment folder inside Cognos Configuration is pointing to a file share: \\servername\sharefolder then the Cognos Analytics service must be run under a windows service account and not local system. Local system can only access folders on the same server.

Import content store by loading the deployment file via cognos connection.

Login to new IBMCOGNOS and go to Administration page, click on configuration – Content Administration. Click on the import icon.

Select you full content store file and click Next

Enter your password. Click OK

Click Next

Click Next

Click Next

Select “save and run once” and click Finish.

Do not run upgrade of report specifications. Do that at a later time, as it can take a very long time.

Click Run.

Mark “View the details of this export after closing this dialog” and click OK

Click Refresh every 15 min to see if it is done. When you have a completion time it is finish.


You can see errors in the report, note them down and search in google for more information.

If you have changed also the database server host for your AUDIT database, then you need to go into Cognos Administration – Configuration – Data source connections. There you need to update the link to the new database server there for your audit data source.

Click on Audit, then on “more” to right of the test icon.
Click “Set properties”
Click “Connection” tab

Click pencil icon, to get to the data source update dialog.

Change the server name and any other values you need to change. Update also the JDBC tab.
Click OK when done.
Test your data source connection.

Any special configuration you have done on the Cognos Dispatcher is not part of the deployment, they you have to manually add again. Go to Cognos Administration – Configuration. Click on Dispatchers and service and click on properties icon.

Click on settings

Check on all pages for values that is not default=Yes, as they have been changed and may need to be inserted in the new environment. Only enter values that you know you need in the new environment.

Click on the Advance settings blue Edit link, to see if there are any special settings in the environment.
Configuring advanced settings for specific services (

Repeat above steps in the new CA11 environment to get the fine tuning you want.
Logging should in most cases be set to BASIC.

Content Manager service advanced settings (

You can also import content store, by backup/restore the full cm database, but then you need to consider other parts like old dispatchers that will follow the move.

More information:

Cognos Analytics 11.1.7
Planning Analytics 2.0.9
Microsoft Windows 2019 Server
How setup Windows Kerberos login for Cognos products?
Here describes what Kerberos is:

Setup Cognos Analytics with a IIS gateway and make it work for Single Sign On (SSO) to login.

You need to create a windows domain account, that is local administrator on the Cognos server where the Cognos Content Manager function is, and run the IBM Cognos service with this account.

The account must be added with domain\name format, without use of @.
The same service account must run the IIS server application pool used by CA11.

Go to Internet Information Service Manager, and expand Application pools. Mark ICAPool and click on Advanced Settings. Click on Identity and select Custom Account. Click Set and enter the domain\name account and password. Click OK.
Restart IIS.
The service account must have “Trust this user for delegation to any service (Kerberos only)” set in Active Directory. Ask the IT department to set this on the Windows Domain Controller.

Constrained delegation is not recommended.
Ensure that the cognos service account have NTFS read/write/execute rights on the cognos folders.
Right click on folder C:\Program Files\ibm\cognos\analytics and select properties.
Check the security tab that the local Administrator group have full rights.

Go to Computer Management in Control panel – Administrative Tools. Expand Local User and Groups – Groups. Check what groups and accounts are in the Administration group on the server.

Ensure that the cognos service account is part of a domain group that is included in the local administrator group. Does not need to be domain admins group, but must be the same group.

On the Windows Domain Controller you must run the SETSPN command to create the Service Principal Name.

Enter the webserver and the cognos bi server to the service account. In our case it is the same server.
You need to add all the ways the system connect to the server e.g. HOSTNAME and FQDN.
In our example we use setspn -s HTTP/win2019.lab.pacman LAB\cognosservice

setspn -s HTTP/websrv_aliasname  domain\cognosserviceaccount
setspn -s HTTP/appsrv_FQDN  domain\cognosserviceaccount
setspn -s HTTP/appsrv_HOSTNAME  domain\cognosserviceaccount

Use the servername in cognos configuration for the setspn command above.

Use setspn -L domain\cognosserviceaccount to see the current values in use.

Some common switches used with SetSPN:

-a    Add an entry to an account (explicitly)
-s    Add an entry to an account (only after checking for duplicates first)
-d    Delete an entry from an account
-x    Search the domain for duplicate SPNs
-q    Query the domain for a specific SPN

In IIS manager on the Cognos Gateway server; ensure that Anonymous Authentication is on IBMCOGNOS folder.

Go to \bi folder, and click on Authentication. Select Windows Authentication and click enable.
Disable Anonymous Authentication on the \bi folder.

Click on Providers for the \bi folder, and remove NTLM so you only have Negotiate.

Repeat on \sso folder, so it also only have Negotiate as Windows enabled Providers.

For \sso folder click on Configuration Editor.

Select in the drop down menu for section – system.webServer – security – authentication – windowsAuthentication.

To get this dialog up for the sso folder.

Set true to “useAppPoolCredentials” and “useKernelmode”.
Go to the \bi folder and set the same values.

Click on Configuration Editor icon – select system.webServer – security – authentication – windowsAuthentication. Set true to “useAppPoolCredentials” and “useKernelmode”.

If you use Oracle or DB2 as content store database, you are all set. But if you use Microsoft SQL server you need to add setspn for the service account that run the SQL services.

Ask the SQL DBA to ensure the service account for SQL server is using domain\account notation as above. Kerberos will not work with Local System as the service account for Microsoft SQL database.
You need to check in cognos configuration how Cognos Analytics connects to the content store database. Open Cognos Configuration on your Cognos Content Manager server.

Note down IP or HOSTNAME that is in use to connect to the SQL server. This will be used in the setspn command.  Enter in our case setspn -s MSSQLSvc/ LAB\cognosservice

setspn -s MSSQLSvc/sqlsrv_FQDN  domain\SQLServiceAccount
setspn -s MSSQLSvc/sqlsrv_FQDN:instancename  domain\SQLServiceAccount
setspn -s MSSQLSvc/sqlsrv_FQDN:1433  domain\SQLServiceAccount

You need to enter all variants of the SQL server name to the setspn command.

Restart the windows server for Cognos Analytics to ensure the domain changes have taken affect.

To check that Kerberos is in use, activate AAA tracing for a short period in Cognos Analytics.

Login to CA11 as administrator and click on Manage – Configuration.

Click on Diagnostic Logging.

Click on AAA and Apply.
Logout from CA11 and close the browser.
Start the web browser again and go to http://win2019.lab.pacman/ibmcognos/
after the sso have let you in, go to the Cognos Analytics Content Manager server.
Open the C:\Program Files\ibm\cognos\analytics\logs\cognosserver.log file in notepad++

Go to the end of the file and from search menu select find and enter AUTH_TYPE.
Scroll to the right, and if kerberos is used it should say:
<value xsi:type=”xsd:string”>Negotiate</value>

Close the log file.
Go back into CA11 portal.
Go to manage – configuration – diagnostic logging.

Select Default Logging and click Apply. This is important as the logging can make the cognos system slower.

Planning Analytics (TM1) will use kerberos now too, as long they are setup to use CAM security.

More information:

Overview of Service Principal Name and Kerberos authentication in SQL Server