Product:

Cognos Analytics 11.1.7

Microsoft Windows 2019 server

Issue:

What firewall ports should be open in windows firewall to make Cognos work?

Solution:

These are the ports that are used by Cognos products:

Cognos Analytics 11.1.7

80 for client access to cognos portal
443 for client access (https/ssl/tls)
9300 Cognos dispatcher
4300 Sync configuration between CA11 servers
5701 Sync CA11 servers to a group of CA11 servers
9301 CA11 uses this port at start
9362 Cognos log server
9080 WebSphere transport port
8172 IIS Server Farms port to check windows servers

 

Cognos Controller 10.4.2

80 for controller client access to controller server
443 for client access (https/ssl/tls)
9300 Contact to CA dispatcher
9080 Client to controller web
9082 Client to controller report service
9081 if installed on same server as CA11
3000 Controller web backend port

 

Planning Analytics 2.0.9.12

80 for client access to PAW
443 for client access (https/ssl/tls) to PAW
9300 Contact to CA dispatcher
9510 Client access to TM1WEB
9511 Tm1 app web (pmpsvc)
9012 PAA agent
5495 Tm1 architect contact with TM1 Admin service
5498 Tm1 architect contact with TM1 Admin service (ssl)
5895 TM1 Admin Server -> TM1 REST API (HTTP)
5898 TM1 Admin Server -> TM1 REST API (HTTPS)
12300-12400 TM1 instance port range
8888 Administration port for PAW
9513 Shutdown port

 

 

More Information:

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=install-review-default-port-settings

https://www.ibm.com/support/pages/apar/PI95933

https://www.ibm.com/support/pages/node/6257779

https://www.ibm.com/support/pages/controller-web-does-not-work-when-installed-same-server-cognos-analytics

Product:

Cognos Analytics 11.1.7

Microsoft Windows 2019 server

Issue:

After new installation, when you browse to http://servername/ibmcognos you get an error.

If you browse to http://servername:9300/bi/v1/disp, then CA11 works fine.

When it does not work, you see in the URL: http://localhost/ibmcognos/bi/bi

Error message:

The webpage cannot be found

Solution:

You have run the CA_IIS_Config.bat file first, without installing requestrouter_amd64.msi or rewrite_amd64_en-US.msi. The Rewrite module needs to be installed first.

CA_IIS_Config.bat file is found in folder D:\Program\ibm\cognos\analytics\cgi-bin\templates\IIS

Download the needed files, this is a new version for Windows 2019, from here:

https://www.iis.net/downloads/microsoft/url-rewrite

https://www.microsoft.com/en-us/download/details.aspx?id=47333

Install them on the Microsoft Windows 2019 server.

You should have in control panel – “Program and Features”;

IIS URL Rewrite Module 2 version 7.2.1993

Microsoft Application Request Routing 3.0 version 3.0.05311

Then run the CA_IIS_Config.bat file, again from a command prompt.

Check in Internet Information Services (IIS) Manager that the URL rewrite exists.

(if rule SSO login is disabled – you do not have SSO with Cognos Analytics).

More Information:

https://www.ibm.com/support/pages/website-declined-show-webpage-error-http-403-forbidden-means-internet-explorer-when-launching-ca-iis-gateway-httpservernameibmcognos-caused-not-installing-application-request-routing-url-rewrite

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=analytics-configuring-server-components

Product:

Cognos Analytics 11.1.7

Microsoft Windows 2019 server

Issue:

After an upgrade of CA11 to a new version, Dynamic Cubes do not load or work. When you test a JDBC connection in the Cognos portal you get an error.

Error message:

DPR-ERR-2072 Unable to load balance a request with absolute affinity, most likely due to a failure to connect to the remote dispatcher. See the remote dispatcher detailed logs for more information. Check the health status of the installed system by using the dispatcher diagnostics URIs

Solution:

If you upgrade from 11.1.6 to 11.1.7 and you had previously applied the log4j patch, then the upgrade will remove the jar file and replace the bootstrap_wlp_winx64.xml file. But the file xqe.config.custom.xml will still be around. In this file there is a pointer to the log4jSafeAgent2021.jar file, which no longer exists.

Stop Cognos Analytics services.

Remove or restore the original xqe.config.custom.xml file.

Start Cognos Analytics services.
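
A way to confirm this cause before touching the files, as an added example (not IBM's or the original post's code): it lists every -javaagent reference in the configuration and bin64 XML files and reports whether a jar with that file name still exists under the installation. The function name and the $InstallRoot value are assumptions; set the path to your install_location.

```powershell
# Added example: find -javaagent entries that point at a jar that is no longer installed.
# $InstallRoot is an assumption; change it to your install_location.
$InstallRoot = 'C:\Program Files\ibm\cognos\analytics'

function Find-DanglingJavaAgent {
    param([Parameter(Mandatory)][string]$InstallRoot)

    # Index every jar under the install root by file name (done once).
    $jarIndex = @{}
    Get-ChildItem -LiteralPath $InstallRoot -Recurse -Filter '*.jar' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $jarIndex[$_.Name.ToLowerInvariant()] = $_.FullName }

    # xqe.config.custom.xml lives in \configuration, bootstrap_wlp_winx64.xml in \bin64.
    $folders = @((Join-Path $InstallRoot 'configuration'), (Join-Path $InstallRoot 'bin64'))

    Get-ChildItem -LiteralPath $folders -Filter '*.xml' -File -ErrorAction SilentlyContinue |
        Select-String -Pattern '-javaagent:([^\s"<]+)' -AllMatches |
        ForEach-Object {
            foreach ($m in $_.Matches) {
                $agentPath = $m.Groups[1].Value
                # Compare on the file name only, because the path in the file is relative.
                $leaf = ($agentPath -split '[\\/]')[-1].ToLowerInvariant()
                [pscustomobject]@{
                    ConfigFile = $_.Path
                    Line       = $_.LineNumber
                    AgentPath  = $agentPath
                    JarFound   = $jarIndex.ContainsKey($leaf)
                    FoundAt    = $jarIndex[$leaf]
                }
            }
        }
}

# Rows with JarFound = False are the entries that stop the JVM from starting.
Find-DanglingJavaAgent -InstallRoot $InstallRoot |
    Where-Object { -not $_.JarFound } |
    Format-List ConfigFile, Line, AgentPath
```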

 

More information:

If you did the following (listed below) before the upgrade, then you can run into the issue above.

The IBM Cognos Analytics team have developed a “no-upgrade” option for our “On Prem” (local installation) customers.

The single version of the patch is applicable to IBM Cognos Analytics versions 11.0.6 to 11.0.13 FP4, 11.1.x and 11.2.x.

The log4jSafeAgent file that is provided for Cognos Analytics modifies the class byte code at the Java startup time. It removes the vulnerable JNDI lookup, and enforces the StrSubstitutor recursion limit without altering the installed product.

It effectively rewrites the “org/apache/logging/log4j/core/lookup/JndiLookup” class to remove its content during IBM Cognos Analytics start up.

To get the patch and detailed instructions, click this link: log4jSafeAgent

Bundle Customers can use the following link: log4jSafeAgent Bundled

https://www.ibm.com/support/pages/node/6538720

In the install_location\configuration directory, edit the xqe.config.custom.xml file. Note: The xqe.config.custom.xml file might not exist and needs to be created. Should changes be made to the xqe.config.xml file (ibm.com)

In the xqe.config.custom.xml file, specify the javaagent parameter with a reference to the log4jSafeAgent2021.jar file. For IBM JRE, add the javaagent as follows:

-javaagent:../webapps/p2pd/WEB-INF/lib/log4jSafeAgent2021.jar”

 

https://www.ibm.com/support/pages/best-practices-using-jdbc-drivers-cognos-analytics-11x

Product:
Cognos Analytics 11.1.7

Microsoft Windows 2016

Issue:

How do I remove the JNDI call from the log4j-core file?

Suggested solution:

(Test this first in your LAB environment)

Make sure 7zip is installed, and note where it is installed.  https://www.7-zip.org/

Find out what file to clean.  (Take a backup of the files to clean).

For cognos controller, we guess it is this file:

C:\Program Files\ibm\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.reports\apps\fcm.reports-rest.war\WEB-INF\lib\log4j-core-2.5.jar

For cognos analytics, there are several files, maybe these:

C:\Program Files\ibm\cognos\analytics\bin\log4j-core-2.7.jar
C:\Program Files\ibm\cognos\analytics\wlp\usr\servers\dataset-service\workarea\org.eclipse.osgi\88\0\.cp\log4j-core-2.7.jar

Create a new folder e.g. c:\fix

Create a text file, where you list the files to clean on this server e.g. c:\fix\filetofix.txt

Create a new powershell file,  jarupdate.ps1, with this content:

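# Set the location of the 7z program
$7zip = "C:\Program Files\7-Zip\7z.exe"
# Run the script on the server that holds the jar files
# Read the list of files to clean, one full path per line
$file2fix = Get-Content -Path "c:\fix\filetofix.txt"
foreach ($thefile in $file2fix)
{
    # Skip blank lines and paths that do not exist on this server
    if ([string]::IsNullOrWhiteSpace($thefile) -or -not (Test-Path -LiteralPath $thefile)) { continue }
    Write-Host "Currently the script is cleaning " $thefile
    # The 7z "d" command deletes the named entry from the archive
    & $7zip d "$thefile" "org/apache/logging/log4j/core/lookup/JndiLookup.class"
}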

Get approval to do the update on the Cognos server.

Stop all IBM Cognos services.


Check that no JAVA process is still around.
Start POWERSHELL as administrator

Go to your c:\fix folder

Enter command: .\jarupdate.ps1

The output will be similar to this;

Reboot the server.
Test that Cognos still works.

Repeat on all affected servers.

If you have checked the size of the jar file before clean, you should see a difference after clean.

More Information:

https://www.ibm.com/support/pages/node/6526474

https://www.ibm.com/support/pages/node/6526468

911 – Log4j Security Risk Affects IBM Planning Analytics, Cognos…

https://ss64.com/ps/get-content.html

https://7ziphelp.com/7zip-command-line

Product:
Cognos Analytics 11.1.7
Microsoft Windows 2019 server
Issue:

Should I do something for Cognos products because of the Log4j vulnerability?

There is now a “patch”….. read more here https://www.ibm.com/support/pages/node/6526474

Security Bulletin: IBM Cognos Analytics: Apache log4j Vulnerability (CVE-2021-44228)

https://www.ibm.com/support/pages/node/6538720

Background:
https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html

By sending a specially crafted string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. The attacker must get the Cognos logger to process the string when it writes to the log file; that activates the JNDI function, which contacts LDAP server xxxx and downloads information that can in reality be Java code, and executes it. This makes it possible to install Trojans and other software, but the attacker needs to trick Cognos into sending the information to the logger.

How Log4j Vulnerability Could Impact You

Suggested Solution:
First check what IBM says; if it is needed for Cognos, they will release a patch or instructions on their page.

https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

Things you can do:
Ensure that the Cognos servers do not have contact with the Internet, so that no application on the server can reach out and download other software.
Creating a default-deny firewall rule will prevent servers from creating unapproved connections and can help reduce your risk of a compromise.

Ensure that only the people and computers that need it, have access to your cognos servers.

You can use tools, to see if you have the vulnerability;

https://log4shell.huntress.com/

https://github.com/xforcered/scan4log4shell

https://www.infoworld.com/article/3644492/how-to-detect-the-log4j-vulnerability-in-your-applications.html

Log4j is a tool to create log files, used by WebSphere and maybe Cognos software.
Check version of WebSphere with this command:

Above is from CA11.1.x  CM_version=11.1.7-41.
In a CMD prompt, go to the java bin folder (path depends on version of Cognos Analytics)
Enter command "C:\Program Files\ibm\cognos\analytics\wlp\bin\productinfo" version
CA11 uses WebSphere Liberty Server, where the version number is the year it was released.
WebSphere Application Server (WAS) latest version is 9, that should correspond to WLP 20.

https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server

Above is from CA11.0.x  CM_version=11.0.12.18

You can search your cognos folder, to see if you have Log4j files that can contain this issue.

You will find it in several folders, but it is only the top one \bin that is the default. The others are cached versions in folders like C:\Program Files\ibm\cognos\analytics\wlp\usr\servers\cognosserver\workarea\org.eclipse.osgi\61\data\cache\com.ibm.ws.app.manager_157\.cache\WEB-INF\lib

Log4j-core and Log4j-api can contain this issue. In the picture above from CA11, we see that version 2.7 of Log4j is used. That is old, so the LOG4J_FORMAT_MSG_NO_LOOKUPS parameter will not work.

Versions of Log4j are listed here:
https://logging.apache.org/log4j/2.x/changes-report.html

If you cannot wait for IBM instructions for Cognos, https://www.ibm.com/support/pages/node/6526474,  you can test this in your LAB.

“the mitigation is to remove the JndiLookup class from the classpath, with command: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class. ”

Stop the IBM Cognos service.


Copy the log4j-core-2.7.jar file to a new folder e.g. c:\tempfix

Unzip the jar file.

Go down in the unzipped folder structure to C:\tempfix\log4j-core-2.7\org\apache\logging\log4j\core\lookup folder

Remove the file JndiLookup.class

Go back to your top folder, and zip it again.

Rename your log4j-core-2.7.jar to log4j-core-2.7.org.jar ( to keep a backup ).

Rename your log4j-core-2.7.zip file to log4j-core-2.7.jar.

Copy the new log4j-core-2.7.jar file to your C:\Program Files\ibm\cognos\analytics\bin folder.

Start IBM Cognos.

Check that you can login and run reports.
The Log4j is used to create the cognosserver.log files, so carefully check that the log files work as expected.

https://docs.oracle.com/javase/tutorial/deployment/jar/build.html

https://convertio.co/zip-jar/

https://www.freefileconvert.com/zip-jar

If your test works out well, you can update the C:\Program Files\ibm\cognos\analytics\bin\log4j-core-2.7.jar file on your other CA11 servers.
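
To verify the result of either method (the 7zip script in the earlier post or the manual unzip and re-zip above), here is an added example that is not part of the original post or IBM's instructions. It finds every log4j-core jar under a folder and reports whether JndiLookup.class is still inside, and whether a manually re-zipped jar kept its files at the archive root. The function name and the Implementation-Version manifest field are assumptions.

```powershell
# Added example: report every log4j-core jar and whether JndiLookup.class is still in it.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-Log4jCoreStatus {
    param([Parameter(Mandatory)][string]$Root)

    $classSuffix = '*org/apache/logging/log4j/core/lookup/JndiLookup.class'

    # Jars packed inside an unexpanded .war/.ear file are not inspected here.
    Get-ChildItem -LiteralPath $Root -Recurse -Filter 'log4j-core-*.jar' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $jar = $_
            $zip = $null
            try {
                $zip     = [System.IO.Compression.ZipFile]::OpenRead($jar.FullName)
                $entries = @($zip.Entries | ForEach-Object { $_.FullName -replace '\\', '/' })

                # The suffix match also catches a class that ended up under an extra top folder.
                $hasJndi = [bool]($entries | Where-Object { $_ -like $classSuffix })

                # A re-zip made one folder too high moves META-INF away from the root,
                # and Java can then no longer load the jar correctly.
                $rootOk = $entries -contains 'META-INF/MANIFEST.MF'

                # Version from the manifest (assumed field), else from the file name.
                $version = $null
                $mf = $zip.GetEntry('META-INF/MANIFEST.MF')
                if ($mf) {
                    $reader = New-Object System.IO.StreamReader($mf.Open())
                    try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
                    if ($text -match '(?m)^Implementation-Version:\s*(\S+)') { $version = $Matches[1] }
                }
                if (-not $version -and $jar.BaseName -match '^log4j-core-(.+)$') { $version = $Matches[1] }

                [pscustomobject]@{
                    Jar          = $jar.FullName
                    Version      = $version
                    JndiLookup   = $hasJndi
                    RootLayoutOk = $rootOk
                    SizeBytes    = $jar.Length
                    SHA256       = (Get-FileHash -LiteralPath $jar.FullName -Algorithm SHA256).Hash
                    Error        = $null
                }
            } catch {
                # A jar that cannot be opened is reported, not silently skipped.
                [pscustomobject]@{
                    Jar = $jar.FullName; Version = $null; JndiLookup = $null; RootLayoutOk = $null
                    SizeBytes = $jar.Length; SHA256 = $null; Error = $_.Exception.Message
                }
            } finally {
                if ($zip) { $zip.Dispose() }
            }
        }
}

# Run once before and once after the clean, and keep both outputs for comparison.
Get-Log4jCoreStatus -Root 'C:\Program Files\ibm\cognos' |
    Sort-Object Jar |
    Format-Table Version, JndiLookup, RootLayoutOk, SizeBytes, Jar -AutoSize
```

After a successful clean every row shows JndiLookup = False and RootLayoutOk = True, including the cached copies under the workarea folders.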

PAW have a fix at:

Security bulletin: Security Bulletin: IBM Planning Analytics Workspace: Apache log4j Vulnerability (CVE-2021-44228)

https://www.ibm.com/support/pages/node/6525316

https://www.ibm.com/support/pages/node/6192099

For the latest Cognos Controller version there is a new version out, but more information may come from IBM.

Security bulletin: Security Bulletin: IBM Cognos Controller 10.4.2 IF16: Apache log4j Vulnerability (CVE-2021-44228)

TM1 may also not use the affected version. You have to check with IBM Support, what they say.

IBM SPSS have a fix at https://www.ibm.com/support/pages/node/6526182

IBM ILMT has a different version of Log4j, and therefore a different workaround:

Most products will have a “patch” to upgrade to later Log4j versions.

https://www.ibm.com/support/pages/node/6525762

Workaround 1. Manually upgrade Log4j library included in VM Manager Tool in versions 9.2.21.0 – 9.2.25.0 to version 2.15.0

  1. Download the Log4j library package in version 2.15.0 from this page: https://logging.apache.org/log4j/2.x/download.html and extract them.
  2. Copy the following files to the <VM_Manager_Tool_home_dir>/lib/ directory.
    • log4j-api-2.15.0.jar
    • log4j-core-2.15.0.jar
  3. Stop the VM Manager Tool by using the -stop switch of the <VM_Manager_Tool_home_dir>/vmman.sh|bat script. For more information, see: VM Manager Tool command-line options.
  4. Remove the following JAR files from the <VM_Manager_Tool_home_dir>/lib/ directory.
    • log4j-api-2.13.3.jar
    • log4j-core-2.13.3.jar
  5. Depending on your operating system, modify one of the following files.
    • LINUX: In the <VM_Manager_Tool_home_dir>/vmman.sh file, find the following lines:
      VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-api-2.13.3.jar
      VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-core-2.13.3.jar
      Change them to:
      VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-api-2.15.0.jar
      VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-core-2.15.0.jar
    • WINDOWS: In the <VM_Manager_Tool_home_dir>/vmman.bat file, find the following lines:
      SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-api-2.13.3.jar
      SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-core-2.13.3.jar
      Change them to:
      SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-api-2.15.0.jar
      SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-core-2.15.0.jar
  6. Start the VM Manager Tool by using -run switch of the <VM_Manager_Tool_home_dir>/vmman.sh|bat script. For more information, see: VM Manager Tool command-line options.

Workaround 2. Mitigate the issue on the current version of the Log4j library included in VM Manager Tool in versions 9.2.21.0 – 9.2.25.0 by the configuration change

  1. Depending on your operating system, run one of the following:
    • LINUX: In the <VM_Manager_Tool_home_dir>/vmman.sh file, find the following line. It might not contain all the parameters starting with -D string, for example, it might not contain the -Dsun.net.http.allowRestrictedHeaders=true substring.
      VMM_PROPERTIES_DEFS="-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1 -Dcom.ibm.jsse2.disableSSLv3=false -Dcom.ibm.tools.attach.enable=no -Dsun.net.http.allowRestrictedHeaders=true"
      Add the following text at the end of the found line, just before the double quotation mark that ends this line.
      " -Dlog4j2.formatMsgNoLookups=true" (including the space character at the beginning of the text)
      For example:
      VMM_PROPERTIES_DEFS="-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1 -Dcom.ibm.jsse2.disableSSLv3=false -Dcom.ibm.tools.attach.enable=no -Dsun.net.http.allowRestrictedHeaders=true -Dlog4j2.formatMsgNoLookups=true"
    • WINDOWS: In the <VM_Manager_Tool_home_dir>/vmman.bat file, add the following entry as the last line of the ####### PROPERTIES DEFINITONS ####### section:
      SET VMM_PROPERTIES_DEFS=%VMM_PROPERTIES_DEFS% -Dlog4j2.formatMsgNoLookups=true
  2. Stop the VM Manager Tool by using the -stop switch of the <VM_Manager_Tool_home_dir>/vmman.sh|bat script. For more information, see: VM Manager Tool command-line options.
  3. Start the VM Manager Tool by using the -run switch of the <VM_Manager_Tool_home_dir>/vmman.sh|bat script. For more information, see: VM Manager Tool command-line options.

 

Fixes:

https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

https://www.ibm.com/support/pages/node/6525762

https://www.ibm.com/support/pages/security-bulletin-vulnerability-apache-log4j-affects-websphere-application-server-cve-2021-44228

https://www.ibm.com/support/pages/node/6526182

https://www.ibm.com/support/pages/node/6525706

More Information:

https://pmsquare.com/analytics-blog/2021/12/13/ibm-ca-pa-and-the-apache-log4j-cve-2021-44228-vulnerability

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

https://www.ibm.com/support/pages/17004-websphere-application-server-liberty-17004

https://www.ibm.com/support/pages/20002-websphere-application-server-liberty-20002

https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server#WebSphere_Liberty_Versions

https://securityintelligence.com/posts/apache-log4j-zero-day-vulnerability-update/

https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

https://www.skylit.com/javamethods/faqs/createjar.html
https://success.trendmicro.com/solution/000289940

https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

https://bishopfox.com/blog/log4j-zero-day-cve-2021-44228

Reference material can be found at the Apache.org Log4j Security Vulnerability page.
IBM X-Force also has provided an analysis of the Log4j vulnerability, which can be found on the IBM Security Intelligence blog.

You have to decide how you will handle this possible threat in your organization.
This is only a list of information on the subject.
You should check the logs from your antivirus / firewall software to see whether you are already compromised.

https://community.ibm.com/community/user/businessanalytics/communities/community-home/digestviewer/viewthread?MessageKey=ca2a4b8f-5ef7-44a7-85a3-25b4e26a0f7b&CommunityKey=8fde0600-e22b-4178-acf5-bf4eda43146b&tab=digestviewer

The IBM Cognos Analytics team have developed a “no-upgrade” option for our “On Prem” (local installation) customers.

To get the patch, click this link: CA-11.x-Log4jSafeAgent

For detailed instructions, see Mitigate the Apache Log4j vulnerability (CVE-2021-44228) in Cognos Analytics 

Affected Version | Fix Version | Bundled Customers
IBM Cognos Analytics 11.2.x | Cognos Analytics 11.2.1 Interim Fix 1 | IBM Cognos Analytics 11.2.1 Interim Fix 2 (Bundled)
IBM Cognos Analytics 11.1.x | Cognos Analytics 11.1.7 Interim Fix 6 | IBM Cognos Analytics 11.1.7 Interim Fix 7 (Bundled)
IBM Cognos Analytics 11.0.6 to 11.0.13 FP4 | Cognos Analytics 11.0.13 Interim Fix 3 | IBM Cognos Analytics 11.0.13 Interim Fix 4 (Bundled)

New version from 13 Jan 2022:

Affected Version | Fix Version | Bundled Customers
IBM Cognos Analytics 11.2.x | IBM Cognos Analytics 11.2.1 Interim Fix 3 | IBM Cognos Analytics 11.2.1 Interim Fix 3 (Bundled)
IBM Cognos Analytics 11.1.x | IBM Cognos Analytics 11.1.7 Interim Fix 8 | IBM Cognos Analytics 11.1.7 Interim Fix 8 (Bundled)
IBM Cognos Analytics 11.0.6 to 11.0.13 FP4 | IBM Cognos Analytics 11.0.13 Interim Fix 5 | IBM Cognos Analytics 11.0.13 Interim Fix 5 (Bundled)

 

Product:
Cognos Analytics 11.1.7

kit_version=11.1.7-2106251648
CAMAAAWA_version=11.1.7-21
CM_version=11.1.7-54
Microsoft Windows 2016 server

Issue:
How do I install CA11 on my Windows server?

Solution:
Follow the IBM documentation. Here is only a list of things to think about.

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=1117-release-fp3-june-2021

Download the software from IBM

https://www.ibm.com/support/pages/ibm-cognos-analytics-1117-fix-pack-3

You need at least the analytics-installer-2.2.2-win.exe and casrv-11.1.7-2106251648-winx64h.zip.

Check this before installation on your new windows server:

Check that you have remote access to all your Cognos servers
Install SQL 2012 native client for ODBC support to SQL databases

https://download.microsoft.com/download/B/E/D/BED73AAC-3C8A-43F5-AF4F-EB4FEA6C8F3A/ENU/x64/sqlncli.msi

Install NET Framework 4.7.2

https://support.microsoft.com/sv-se/help/4054530/microsoft-net-framework-4-7-2-offline-installer-for-windows

Turn DEP off in Windows control panel
Set Power Options to HIGH Performance in Windows control panel
Turn off IEESC (internet explorer enhanced security configuration)
Check what port your SQL server will use, for access to Content Store and Audit database.
Exclude cognos folders from anti-virus software scanning
Open firewall ports 80, 443 to end users
Open firewall ports 80, 443, 9300, 9362, 4300, 5701, 9301 between servers.
Open firewall ports 1433 for SQL, 25 for Mail, 389 for Active Directory.
Install 7zip and Notepad++ to edit xml files on the server.
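
The two firewall items above (and the Cognos Analytics port list in the firewall post) can be applied as Windows Firewall rules that are scoped by source address instead of open to every network. This is an added example, not code from IBM or from the original post; the rule names, the group name and the addresses in $ClientSubnets and $CognosPeers are placeholders. Run it in an elevated PowerShell session.

```powershell
# Added example: scoped inbound rules for a Cognos Analytics 11.1.7 server.
# Placeholder values (assumptions): replace with your own networks and servers.
$ClientSubnets = @('192.0.2.0/24')                     # end-user network
$CognosPeers   = @('198.51.100.11', '198.51.100.12')   # the other CA11 servers

# Ports are the ones listed on this page.
$Rules = @(
    @{ Name   = 'Cognos CA11 - web access'
       Ports  = @('80', '443')
       Remote = $ClientSubnets + $CognosPeers },
    @{ Name   = 'Cognos CA11 - server to server'
       Ports  = @('9300', '9362', '4300', '5701', '9301')
       Remote = $CognosPeers }
)

foreach ($r in $Rules) {
    # Remove an older copy of the rule so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName $r.Name `
        -Group 'IBM Cognos' `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $r.Ports `
        -RemoteAddress $r.Remote | Out-Null
}

# Review what was created: rule, ports and the sources that are allowed in.
Get-NetFirewallRule -Group 'IBM Cognos' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Ports   = $port.LocalPort -join ','
        Sources = $addr.RemoteAddress -join ','
        Enabled = $_.Enabled
    }
} | Format-Table -AutoSize

# From a client PC, confirm that only 80/443 answer and 9300 does not
# (cognos01.example.com is a constructed host name):
# Test-NetConnection -ComputerName cognos01.example.com -Port 9300
```

With the dispatcher port 9300 limited to the other Cognos servers, end users reach Cognos only through the IIS gateway on 80/443.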

 

 

Install IIS on the Windows Server 2016 select Web Server IIS, ASP.NET 4.6, HTTP Activation, TCP Port Sharing, HTTP Redirection, WebDav Publishing, ISAPI Extensions, Websocket, Windows Authentication, IIS Management Scripts and Tools.
Update regedit HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp\MajorVersion to 9  (only if needed)
Install https://www.iis.net/downloads/microsoft/application-request-routing  or

rewrite_amd64_en-US.msi
requestRouter_amd64.msi

http://download.microsoft.com/download/5/7/0/57065640-4665-4980-a2f1-4d5940b577b0/webfarm_v1.1_amd64_en_us.msi
https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_en-US.msi

https://download.microsoft.com/download/E/9/8/E9849D6A-020E-47E4-9FD0-A023E99B54EB/requestRouter_amd64.msi

Run the installation of Cognos Analytics manually

https://www.ibm.com/docs/en/SSEP7J_11.1.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/inst_cr_winux.pdf

Get the CA_IIS_Config.bat script from folder D:\Program Files\ibm\cognos\analytics\cgi-bin\templates\IIS and copy it to its own folder, e.g. d:\install

http://www-01.ibm.com/support/docview.wss?uid=swg22000097

Run the installation of the Cognos Analytics developer programs (framework manager)
Update the IIS script with the server name, and run the script CA_IIS_Config.bat
Copy file sqljdbc42.jar into folder d:\program files\ibm\cognos\analytics\drivers

https://download.microsoft.com/download/F/0/F/F0FF3F95-D42A-46AF-B0F9-8887987A2C4B/sqljdbc_4.2.8112.200_enu.exe

Setup a Notification database in SQL, if you have many users in cognos and many scheduled jobs
https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=performance-bulk-cleanup-nc-tables
Setup a Content Store and Audit database in your SQL server
Configure Cognos Analytics with FQDN, leave Websphere memory at 8182
Install the CA samples https://revelwood.com/installing-samples-cognos-analytics/

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=samples-downloading-configuring-extended

Setup WebDav in IIS

https://www-01.ibm.com/support/docview.wss?uid=swg22002398&aid=1

Stop creation of dump files, open the cclWinSEHConfig.xml file from the install_location\configuration folder. Set "CCL_HWE_ABORT" value="0"
Setup the audit database source and copy the D:\Program Files\ibm\cognos\analytics\samples\Audit_samples\IBM_Cognos_Audit.zip file to D:\Program Files\ibm\cognos\analytics\deployment folder. Import the audit samples.
Create a company logo in cognos  https://quebit.com/askquebit/IBM/creating-and-setting-a-default-theme-for-cognos-analytics-11-0-4/ The tags can be different for the different versions.
Tune logging to “Basic” in cognos connection
Activate SSO in Cognos Configuration by adding the advanced property
Name : singleSignonOption

Value: IdentityMapping

https://www.ibm.com/support/pages/how-configure-sso-single-sign-controller-cognos-analytics

Set CAF to exclude *.domain.com and tm1webserver:9510 and tm1webserver:9511
If you also have Cognos Controller then change Security – Authentication in CA11, Inactivity timeout in seconds to 36000
Update the Windows TCP settings by importing the reg values below:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"MaxUserPort"=dword:0000fffe
"TcpTimedWaitDelay"=dword:00000032

To get login to Planning Analytics with Cognos BI (CAM) you need to change a few files, as below:

Update tm1web.html with tm1web servername and port, like this

var tm1webServices = ["http://tm1servername.domain.com:9510","http://tm1webservername.domain.com:9511"];

Copy tm1web.html to locations;

D:\Program Files\ibm\cognos\analytics\webcontent\bi\tm1\web

D:\Program Files\ibm\cognos\analytics\webcontent\tm1\web

Update pmhub.html with also paw servername and port, like this

var pmhubURLs = ["http://tm1servername.domain.com:9510","http://tm1webservername.domain.com:9511","http://pawservername.domain.com"];

Copy pmhub.html to locations;
D:\Program Files\ibm\cognos\analytics\webcontent

D:\Program Files\ibm\cognos\analytics\webcontent\bi

Update planning.html with also tm1servername and port, like this

var planningServices = ["http://tm1servername.domain.com:9510","http://tm1webservername.domain.com:9511"];

Copy planning.html to same folders as pmhub.html listed above.

The content manager will look in folder D:\Program Files\ibm\cognos\analytics\webcontent for these files, but the Cognos Gateway will look in folder D:\Program Files\ibm\cognos\analytics\webcontent\bi for the files above.

 

To prevent scriptable report error  when running sample custom control reports
you need to change the sample reports as below (they are written to only work on port 9300).

The global Sales Report is a sample showing how to use a javascript file with a custom control. These are authored to work ‘out of the box’ via dispatcher but not via a gateway.

To use with a gateway you need to edit the custom control in the report to point to the correct path.

1. Open the ‘Global Sales’ report in Edit mode.
2. select the custom control which is the thin blue box underneath the Prompts and view the properties.
3. In properties under General choose the ‘Module Path’ property and click the ellipsis.
4. By default this path is set to ‘/bi/samples/js/HideShowFilterPanel.js’
5. Please add your gateway to the front of this path so it reads something like:’/ibmcognos/bi/samples/js/HideShowFilterPanel.js’ (where ibmcognos is the name of your gateway virtual directory)
6. Save and re-execute the report.

Setup of jupyter notebook is not covered here, you have to follow the IBM documentation.

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=server-configuring-cognos-analytics-gateway-jupyter-notebook

 

More information:

https://www.ibm.com/support/pages/ibm-cognos-analytics-premises-111x-supported-software-environments

https://www.ibm.com/docs/en/cognos-analytics/11.0.0?topic=configuring-upgrade-cognos-analytics

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=samples-cognos-analytics

https://www.ibm.com/support/pages/scriptable-report-error-when-running-cognos-sample-global-sales-report

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=administration-tuning-server-performance

https://intelalytics.com/blog-and-downloads/f/notes-on-installing-cognos-111x-in-a-windows-environment

Product:

Cognos Analytics 11

Issue:
The icon to start cognos configuration is gone, how do I start it?

Solution:

For CA 11 kit_version=11.0.12.18062512
kit_name=IBM Cognos Analytics

Run "D:\Program Files\ibm\cognos\analytics\bin64\cogconfig.bat"

For CA 11 kit_version=11.0.13.19030518
kit_name=IBM Cognos Analytics

Run "C:\Program Files\ibm\cognos\analytics\bin64\cogconfigw.exe"

For CA kit_version=11.1.7-2106251648
Manifest=casrv-manifest-11.1.7-2106251648-winx64h.json
Installer=analytics-installer-2.2.2-win.exe

Run "D:\Program Files\ibm\cognos\analytics\bin64\cogconfigw.exe"

More information:

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=analytics-cognos-configuration-command-line-options

https://www.ibm.com/support/pages/ibm-cognos-analytics-1117-fix-pack-3

Product:
Cognos Analytics 11.1.4
Microsoft Windows 2019 server

Issue:
How do you request and use an external certificate for CA11 internal communication, e.g. port 9300?

If both internal and external connections use HTTPS, then you can use port 9300 for HTTPS. Otherwise you need to set a separate port number for the HTTPS services, suggestion 9334 or 9443.

Solution:

The IKEYMAN tool allows you to include more fields for your certificate request. This instruction is hard to find, so a copy is provided here.

You need to do the steps on all your CA11 servers, but you start with the Content Manager server first.

1. Ensure that all IBM Cognos component services in the environment are shut down. Close any IBM Cognos Configuration that is open.
2. Copy the complete <cognos>\configuration directory to a safe place and name it configuration_original. At any point, this backup configuration directory can be restored to bring the state of the cryptographic keys for this component back to the original state.
3. Run iKeyman.exe as administrator (or ./ikeyman for linux/unix users) from C:\Program Files\ibm\cognos\analytics\ibm-jre\jre\bin (for IBM Cognos 11.1.X+). For IBM Cognos 11.0.13 and lower versions, the path is <cognos>\jre\bin.

4. Click the folder with the curved arrow icon at the top of the window. In the open dialog panel, select PKCS12 as the Key Database Type, then browse to the <cognos>\configuration\certs directory and select CAMKeystore. Click OK. The default password is NoPassWordSet.

 

Generating a Certificate Signing Request (CSR):
5. Once the CAMKeystore loads, there are two certificates under the Personal Certificates drop down: ca and encryption.

 

 

6. Select the encryption certificate and rename it to encryption_old.
7. Select Create at the top of the iKeyman window, then click New Certificate Request. Make sure that Key Label is called “encryption“. The recommended Key Size is 2048 and the recommended Signature Algorithm is SHA256WithRSA.
The rest of the details can be completed as necessary. Multiple DNS names separated by a comma or a space can be used as well.
8. The CSR is called certreq.arm and it is located in <cognos>\configuration\certs. Give the certreq.arm to the certificate authority to generate the signed certificates.
9. Take another backup of the <cognos>\configuration directory and store it in a safe place. Name it “configuration_with_CSR“.
10. If the certificate authority returns two or three separate certificate files (root, intermediate (optional), and server certificates), in iKeyman, ensure that the Personal Certificates dropdown is set, then select Receive. Select only the server certificate.
If there is a dialog box that mentions that the CA (root certificate) is missing, click OK, and the encryption certificate is highlighted in yellow or the encryption certificate will be listed alongside the ca and encryption_old certificate.
Change the Personal Certificates drop down to Signer Certificates, then select Add and import the root certificate and intermediate certificate if the certificate authority returned one. The labels can be named root and intermediate.
If the certificate authority returns one file containing the certificates (.pem or .p12), click Receive or Add in either the Personal or Signer Certificates drop down, and select “Import all” at the prompt. All of the certificates are placed in their correct section.
11. Open Cognos Configuration. Under Environment, change these URIs to https:
  • Gateway URI
  • Dispatcher URIs for gateway
  • Controller URI for gateway
  • External and Internal dispatcher URI
  • Dispatcher URI for external applications
  • Content Manager URI
12. Under Cryptography > Cognos, switch “Use third-party CA?” to True.
Also, change the following to match the values used for the CSR in step 7:
  • Server common name (CN)
  • Organization name (O)
  • Country or region code (C)
Change the DNS Names field under Subject Alternative Name to match the DNS name(s) that were used during the generation of the CSR in Step 7.
13. Save the configuration and start the IBM Cognos services.

Important Note: During this process, IBM Cognos Configuration cannot be opened and the IBM Cognos Services cannot be started until these steps are completed. If the certificate authority takes some time to send the signed certificates, consider using the Third-Party Certificate Tool method instead.

More information:

The DOS program supports 3 values in the request:

ThirdPartyCertificateTool.(bat|sh) -c -e
    [-p keystore_password] -a key_pair_algorithm
    -r path_to_cert_or_csr
    -d dn
    [-H subject_alternative_nameDns_name_dn]
    [-I subject_alternative_ip_addresses]
    [-M subject_alternative_email_addresses]

 

 

Product:
Cognos Analytics 11.1.7
Microsoft Windows 2016 server
Microsoft SQL server

Issue:
New installation of CA11. The IBM Cognos service takes a long time to start: JAVA.EXE grows to 6 GB of RAM, then crashes and starts over.

Errors like these are found in the log cbs_run_WebSphereLiberty.log:

Fri Aug 27 11:28:08 2021  INFO  t[e20] CBSBootstrapService attempt to load config from “D:\Program Files\ibm\cognos\analytics\.\bin64\./bootstrap_wlp_winx64.xml”

Fri Aug 27 11:28:11 2021  ERROR t[e20] CBSSocketCommand failed to connect, CAM error: <errorDetail><errorCode>-12</errorCode><errorMessage>CAM-CRP-0026 The underlying socket: ‘10.123.123.65:9300’ returned an error.</errorMessage><errorStack><errorCode>10061</errorCode><errorMessage>Could not connect the socket, errno: 0x274d(10061)</errorMessage>

Error found in windows event log:

Faulting application name: cogbootstrapservice.exe, version: 11.1.5.2, time stamp: 0x5daf2515

Faulting module name: ntdll.dll, version: 10.0.14393.4530, time stamp: 0x60e33cac

Exception code: 0xc0000374

Fault offset: 0x00000000000f7153

Faulting process id: 0x960

Faulting application start time: 0x01d79b1621caeb73

Faulting application path: D:\Program Files\ibm\cognos\analytics\bin64\cogbootstrapservice.exe

Faulting module path: C:\Windows\SYSTEM32\ntdll.dll

 

Thu Aug 26 20:59:12 2021  WARN  t[1908] CBSSockSendAction did not detect success string in response.

Thu Aug 26 21:00:14 2021  ERROR t[1908] PingChildProcess ping loop: process “wlp” is not active, so restarting it.

Thu Aug 26 21:00:52 2021  ERROR t[1908] CBSSocketCommand failed to connect, CAM error: <errorDetail><errorCode>-12</errorCode><errorMessage>CAM-CRP-0026 The underlying socket: ‘172.10.10.123:9300’ returned an error.</errorMessage><errorStack><errorCode>10061</errorCode><errorMessage>Could not connect the socket, errno: 0x274d(10061)

Error in Cognos Configuration at start:

[ ERROR ] CFG-ERR-0106 IBM Cognos Configuration did not receive a response from the IBM Cognos service in the time allotted.

Check that IBM Cognos service is available and properly configured.

16:31:03, ‘LogService’, ‘StartService’, ‘Success’.
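
A triage sketch for the log excerpts above, added here as an example (it is not IBM's or the page author's code): it pulls the refused socket addresses and child-process restarts out of cbs_run_WebSphereLiberty.log lines. Winsock error 10061 is WSAECONNREFUSED, meaning nothing was listening on that address and port; the function name triage and the sample lines (shortened from the excerpts on this page) are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample: lines shortened from the log excerpts on this page.
SAMPLE_LOG = """\
Thu Aug 26 20:59:12 2021  WARN  t[1908] CBSSockSendAction did not detect success string in response.
Thu Aug 26 21:00:14 2021  ERROR t[1908] PingChildProcess ping loop: process “wlp” is not active, so restarting it.
Thu Aug 26 21:00:52 2021  ERROR t[1908] CBSSocketCommand failed to connect, CAM error: <errorMessage>CAM-CRP-0026 The underlying socket: ‘172.10.10.123:9300’ returned an error.</errorMessage><errorMessage>Could not connect the socket, errno: 0x274d(10061)
Fri Aug 27 11:28:11 2021  ERROR t[e20] CBSSocketCommand failed to connect, CAM error: <errorMessage>CAM-CRP-0026 The underlying socket: ‘10.123.123.65:9300’ returned an error.</errorMessage><errorMessage>Could not connect the socket, errno: 0x274d(10061)</errorMessage>
"""

LINE_RE = re.compile(
    r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\s+(INFO|WARN|ERROR)\s+t\[[0-9a-f]+\]\s+(.*)$")
# Accept straight or typographic quotes, since copied logs often carry both.
SOCKET_RE = re.compile(r"CAM-CRP-0026 The underlying socket: [‘'\"]([\d.]+):(\d+)[’'\"]")
ERRNO_RE = re.compile(r"errno: 0x([0-9a-fA-F]+)\((\d+)\)")
RESTART_RE = re.compile(r"process [“\"](\w+)[”“\"] is not active, so restarting it")
WSAECONNREFUSED = 10061  # Winsock: no listener on the target address and port


def triage(log_text):
    """Summarise refused dispatcher connections and child-process restarts."""
    refused, restarts = Counter(), Counter()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a bootstrap-service log line
        msg = m.group(2)
        sock, err = SOCKET_RE.search(msg), ERRNO_RE.search(msg)
        if sock and err and int(err.group(2)) == WSAECONNREFUSED:
            refused[(sock.group(1), int(sock.group(2)))] += 1
        hit = RESTART_RE.search(msg)
        if hit:
            restarts[hit.group(1)] += 1
    addresses = sorted({ip for ip, _ in refused})
    return {
        "refused": dict(refused),
        "restarts": dict(restarts),
        # Hint only: more than one target address is a reason to review the
        # network-card and IP address settings in Cognos Configuration.
        "multiple_addresses": len(addresses) > 1,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
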

Suggested solution:

Ensure that DEP (Data Execution Prevention) is enabled only for the processes that need it.

If the server has two network cards, check that they are correctly configured.

Check that the IP address and interface metric are not the same as those of other cards on the server.

Test changing the cryptography setting to IBM Cognos instead of NIST SP 800-131A.

Check that the IP address in Cognos Configuration is the one of your server.

Check for ports in use with the DOS command:  netstat -a | find "9300"

Export the configuration and recreate the crypto keys, like this:

 

1. Stop the running of your service in Cognos Configuration.

2. On the Content Manager computer, click ‘File > Export As’.

3. Choose ‘Yes’ at the prompt and save the file. For example, name it ‘backup.xml’ which will be stored in the c11\configuration folder.

4. Close Cognos Configuration.

5. On the Content Manager computer
5.1 Create a backup of the following files before moving them to a different, secure location (as during the cryptographic keys regeneration process they will be re-created):

The files are:

· c11/configuration/cogstartup.xml

· c11/configuration/caSerial

· c11/configuration/certs/CAMCrypto.status

· c11/configuration/certs/CAMKeystore

· c11/configuration/certs/CAMKeystore.lock

· c11/temp/cam/freshness

5.2 Create a backup of the following directory before moving it to a different, secure location (it will be re-created during the cryptographic keys regeneration process). Alternatively, you can rename the directory.

The directory is:

· c11/configuration/csk

6. In the c11\configuration folder, rename ‘backup.xml’ to ‘cogstartup.xml’.

7. Open Cognos Configuration, save the configuration and start the services.

 

Restart the Windows server and see if that helps.

More information:

https://www.ibm.com/support/pages/node/286475

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=problems-starting-cognos-analytics

https://www.ibm.com/support/pages/faulting-application-name-cogbootstrapserviceexe-0xc0000374-error-event-viewer-when-starting-ibm-cognos-service

https://www.ibm.com/support/pages/error-starting-cognos-service-cogbootstrapserviceexe-application-error

https://www.ibm.com/support/pages/node/6379144

https://www.cognoise.com/index.php?topic=14377.0

https://www.ibm.com/support/pages/cognos-service-will-not-start-process-wlp-not-active

https://www.ibm.com/support/pages/dpr-err-2109-dispatcher-cannot-service-request-time-dispatcher-still-initializing-cognos-analytics

https://www.ibm.com/support/pages/node/6386326

https://www.ibm.com/support/pages/cognos-analytics-11-flipper-diagnostic

Product:

Cognos Analytics 11.1.7

Microsoft Windows 2016 server

Issue:
Only one user gets an error when running a report in CA11 after he has logged in with SSO. If he does not use SSO with IIS and instead enters name and password at the Cognos dialog, the report works.

A check of the user showed that he belongs to a lot of domain groups.

net user  donaldduck  /DOMAIN   >  c:\temp\userlist.txt

Error message:

HTTP Error 400. The size of the request headers is too long.

Solution:

Increase the allowed header size on the Cognos Gateway server

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]

; dword data in a .reg file is hexadecimal: 0x8000 = 32768 bytes, 0x01000000 = 16777216 bytes
"MaxFieldLength"=dword:00008000

"MaxRequestBytes"=dword:01000000

Login to the server, and start REGEDIT program.

Expand to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]

Add the DWORD values.

You must restart the Windows server for the registry changes to take effect.

You may also need to update the TCPIP values:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"MaxUserPort"=dword:0000fffe
"TcpTimedWaitDelay"=dword:00000032

Or increase the Request Filtering value for the IIS \ibmcognos\bi folder to get the report to work.
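
The registry values above can be sanity-checked before they are imported. This added example (not from the original page or from Microsoft) parses a .reg fragment, decodes each dword as hexadecimal, which is how .reg files store it, and compares the result with the valid ranges of the two HTTP.sys values. The ranges are an assumption taken from the Microsoft Http.sys registry settings article linked under More information; check_reg and the sample fragment are constructed for illustration.

```python
import re

# Valid ranges in bytes (assumption: as documented in Microsoft's
# "Http.sys registry settings for Windows" article).
HTTP_SYS_LIMITS = {
    "MaxFieldLength": (64, 65534),
    "MaxRequestBytes": (256, 16777216),
}

DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})\s*$')

# Constructed sample: the first value has decimal digits typed into the
# hexadecimal dword field, the second is a genuine hexadecimal value.
SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\HTTP\\Parameters]
"MaxFieldLength"=dword:00032768
"MaxRequestBytes"=dword:01000000
"""


def check_reg(text, limits=HTTP_SYS_LIMITS):
    """Return (name, decoded_value, verdict) for every dword line in text."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or .reg comment
        m = DWORD_RE.match(line)
        if not m:
            continue  # header, key path, or a non-dword value
        name, digits = m.group("name"), m.group("hex")
        value = int(digits, 16)  # .reg dword data is always hexadecimal
        if name not in limits:
            verdict = "unknown value name"
        else:
            low, high = limits[name]
            if low <= value <= high:
                verdict = "ok"
            elif digits.isdigit() and low <= int(digits) <= high:
                # The digits are in range when read as decimal: likely mix-up.
                verdict = f"out of range; did you mean dword:{int(digits):08x}?"
            else:
                verdict = "out of range"
        results.append((name, value, verdict))
    return results


if __name__ == "__main__":
    for row in check_reg(SAMPLE_REG):
        print(row)
```
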

 

More information:

https://stackoverflow.com/questions/1097651/is-there-a-practical-http-header-length-limit

Although each web server software has some limitations, there is a difference whether there’s a limit for the HTTP request line plus header fields or for each header field.

Here’s a summary:

  • Apache 1.3, 2.0, 2.2, 2.3: 8190 Bytes (for each header field)
  • IIS:
    • 4.0: 2097152 Bytes (for the request line plus header fields)
    • 5.0: 131072 Bytes, 16384 Bytes with Windows 2000 Service Pack 4 (for the request line plus header fields)
    • 6.0: 16384 Bytes (for each header field)
  • Tomcat:
    • 5.5.x/6.0.x: 49152 Bytes (for the request line plus header fields)
    • 7.0.x: 8190 Bytes (for the request line plus header fields)

So to conclude: To be accepted by all web servers above, a request’s request line plus header fields should not exceed 8190 Bytes. This is also the limit for each header field (effectively even less).

You can edit tomcat/conf/server.xml’s HTTP/1.1 Connector entry, and add a maxHttpHeaderSize="65536" to increase from the default maximum of 8K or so, to 64K.

https://docs.microsoft.com/en-US/troubleshoot/iis/httpsys-registry-windows

https://stackoverflow.com/questions/42862828/how-to-increase-size-limit-for-http-header-value-in-request-for-azure-iis

https://docs.microsoft.com/en-us/troubleshoot/iis/http-bad-request-response-kerberos

https://www.leansentry.com/guide

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/requestlimits/headerlimits/

https://www.leansentry.com/guide/reset-restart-recycle-iis

https://www.ibm.com/support/pages/kerberos-based-single-sign-fails-some-not-all-users