Cognos Analytics 11.1.7
Microsoft Windows 2019 server

Error when using Event Studio in a multi-server installation of CA 11.1.7.

CAM-CRP-1655 Member coordination host in Configuration Group is not configured properly

Ensure that Server Common Name is the FQDN of the server and not the word CAMUSER, as it was in older versions of Cognos.

From Cognos Analytics 11.1.7 you must use Fully Qualified Domain Names for the following Cognos Configuration fields, even when you do not use SSL.

Gateway URI
External dispatcher URI
Internal dispatcher URI
Dispatcher URI for external applications
Content Manager URIs
Environment > Configuration Group
    Group contact host
    Member coordination host
Security > Cryptography > Cognos
    Server common name
    Subject Alternative Name > DNS names
    Subject Alternative Name > IP addresses


Planning Analytics 2.0.9
Microsoft Windows 2016 server

You try to add a new TM1 instance, and when you click Save configuration you get an error message. You have recently changed the CA11 security setup.
[ ERROR ] CAM-CRP-1315 Current configuration points to a different Trust Domain than originally configured.

You are unable to generate Cryptographic keys after changing authentication for a TM1 server.

Inside Cognos Configuration, save the configuration as text and name the file pa_backup.xml.
Stop both the IBM Cognos service and the IBM Cognos TM1 services.
Remove the C:\Program Files\ibm\cognos\tm1_64\temp\cam\freshness file.
Back up the existing cryptographic keys by copying the following directories to d:\temp\backup:

C:\Program Files\ibm\cognos\tm1_64\configuration\csk
C:\Program Files\ibm\cognos\tm1_64\configuration\certs

Delete the C:\Program Files\ibm\cognos\tm1_64\configuration\csk directory.
Clear the certs directory, except for the jCAPublisherKeystore file that you keep.

Rename cogstartup.xml to
Rename pa_backup.xml to cogstartup.xml in folder C:\Program Files\ibm\cognos\tm1_64\configuration

Open IBM® Cognos® Configuration for Planning Analytics, save the configuration and start the services, IBM Cognos TM1 and TM1 Admin Server.


If you have a similar problem with CA11, you can save the lines below in a text file (certclean.cmd) and then run it from an administrator command prompt. (First you need to stop the IBM Cognos service, and afterwards you need to open Cognos Configuration and click Save.)

REM Export current configuration to an XML file
REM Note: the exported file holds passwords in clear text, so protect it
cd /d "C:\Program Files\ibm\cognos\analytics\bin64"
REM CALL is needed so this script continues after cogconfig.bat returns
call cogconfig.bat -e "C:\Program Files\ibm\cognos\analytics\configuration\backup.xml"

REM Remove current cryptographic keys/information
md "C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem"
move "C:\Program Files\ibm\cognos\analytics\configuration\cogstartup.xml" "C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem"
move "C:\Program Files\ibm\cognos\analytics\configuration\caSerial" "C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem"
move "C:\Program Files\ibm\cognos\analytics\configuration\certs\CAMCrypto.status" "C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem"
move "C:\Program Files\ibm\cognos\analytics\configuration\certs\CAMKeystore" "C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem"
move "C:\Program Files\ibm\cognos\analytics\configuration\certs\CAMKeystore.lock" "C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem"
move "C:\Program Files\ibm\cognos\analytics\temp\cam\freshness" "C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem"
ren "C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem"
cd /d "C:\Program Files\ibm\cognos\analytics\configuration"
ren csk csk_backup_to_fix_problem

REM Copy new configuration
copy "C:\Program Files\ibm\cognos\analytics\configuration\backup.xml" "C:\Program Files\ibm\cognos\analytics\configuration\cogstartup.xml"


Cognos Controller 10.4.2
Cognos Analytics 11.0.13
Microsoft Windows 2012 server

A CA installation where the IIS web server is using HTTPS for IBMCOGNOS.
How do you update the certificate on the IIS server when it expires after some years?

Suggested Solution:
Get a new certificate from the company’s internal Certificate Authority.
You get a pfx file and a cer.pem file.
You also get a password to the pfx file – save it in notepad.
Save them in a separate folder on the server (c:\temp\cert)

Go to the IIS Manager
Select the server name in the tree
Click on Server Certificates icon

Click on Import link at the right
Click on … to find the pfx file.
Enter the password and press OK

Click on Default web site
Click on Bindings

Select HTTPS
Click Edit

Click on drop down and select the new cert
Click OK

Start your Cognos Controller client and check that you can login.

You may also need to update the CACERTS file in the Cognos Controller client installation to get the Java menus to work (like maintain – jobs – define).

Export the certificate from IIS using IE:
Browse to your IBMCOGNOS site with https
Click on the lock icon in IE toolbar and click “View certificates”
Click on Details tab

Click Copy to file button

Click next

Select Base-64 encoded X.509 and click next

Enter path and name and click next

Click finish
Repeat above for the Root certificate and any intermediate certificates.

You must first view the certificate before you export it from the details tab.

Import the cert with IKEYMAN:
If you have Cognos Analytics on the same server where you have installed the Cognos Controller client, you can use it to import the cer files into the cacerts file.
Before changing the cacerts file, make a backup of the file in another folder.

Go to C:\Program Files\ibm\cognos\analytics\jre\bin
Right click ikeyman.exe and select run as administrator

Click Open and select your cacerts file in folder C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security

Click ok

Enter password changeit
Click ok

Click drop down list and select Signer Certificates

Click on Add button

Click on browse and select your cer file.
Click OK

Enter a name e.g. Cognos

Repeat the ADD steps for Root and other company needed certificates.

Changes are saved directly, so just select Exit to end the program.

The updated cacerts file can be made part of any Cognos Controller client installation package the company uses (so that not every user needs to do this).

Or import the cert from the command line, if you do not have CA11 on the server:
"C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\bin\keytool" -import -alias CognosController -file "C:\temp\cert\CognosController.cer" -keystore "C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security\cacerts"

You should be able to manage with only the company root certificate and any intermediates in the file:

"C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\bin\keytool" -import -alias root1 -file "C:\temp\cert\root1.cer" -keystore "C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security\cacerts"

"C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\bin\keytool" -import -alias intermediated2 -file "C:\temp\cert\intermediated2.cer" -keystore "C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security\cacerts"
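
Every certificate added to cacerts becomes a trust anchor for the Controller client's Java runtime, so it is worth confirming what each exported file is before importing it. The PowerShell below is an added example, not part of the original post; it assumes the .cer files are in C:\temp\cert as above, the 30-day threshold is an arbitrary choice, and the function names Get-CerSummary and Show-CacertsAlias are made up for illustration.

```powershell
# Added example: review exported .cer files before they go into cacerts.
# Get-CerSummary / Show-CacertsAlias are names invented for this example.
function Get-CerSummary {
    param([Parameter(Mandatory)][string]$Path)

    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

    # A CA certificate carries a Basic Constraints extension with CA=TRUE.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    $sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)

    [pscustomobject]@{
        File       = Split-Path -Path $full -Leaf
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        SelfSigned = ($cert.Subject -eq $cert.Issuer)   # expected for the root only
        IsCA       = [bool]($bc -and $bc.CertificateAuthority)
        NotAfter   = $cert.NotAfter
        DaysLeft   = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        SHA1       = $cert.Thumbprint
        SHA256     = [System.BitConverter]::ToString($sha256) -replace '-', ':'
    }
}

$certDir = 'C:\temp\cert'   # folder used earlier in this post
$summary = Get-ChildItem -Path $certDir -Filter *.cer |
    ForEach-Object { Get-CerSummary -Path $_.FullName }
$summary | Format-List

# Only the company root and intermediates are needed in cacerts, so flag
# server (non-CA) certificates and anything close to expiry for a second look.
foreach ($c in $summary) {
    if (-not $c.IsCA)       { Write-Warning "$($c.File): not a CA certificate" }
    if ($c.DaysLeft -lt 30) { Write-Warning "$($c.File): expires $($c.NotAfter)" }
}

# Back up cacerts before changing it, then run the keytool -import commands.
$jre     = 'C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre'
$cacerts = Join-Path $jre 'lib\security\cacerts'
Copy-Item -LiteralPath $cacerts -Destination (Join-Path $certDir 'cacerts.bak')

# Lists one stored entry (keystore password "changeit" as stated above).
function Show-CacertsAlias {
    param([Parameter(Mandatory)][string]$Alias)
    & (Join-Path $jre 'bin\keytool.exe') -list -v -keystore $cacerts -storepass changeit -alias $Alias
}
```

After the keytool -import commands have been run, Show-CacertsAlias root1 prints the stored entry so that its fingerprint can be compared with the value reported by Get-CerSummary.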

More Information:
To add certificates to the Trusted Root Certification Authorities store for a local computer

Click Start, click Start Search, type mmc, and then press ENTER.

On the File menu, click Add/Remove Snap-in.

Under Available snap-ins, click Certificates, and then click Add.

Under This snap-in will always manage certificates for, click Computer account, and then click Next.

Click Local computer, and click Finish.

If you have no more snap-ins to add to the console, click OK.

In the console tree, double-click Certificates.

Right-click the Trusted Root Certification Authorities store.

Click Import to import the certificates and follow the steps in the Certificate Import Wizard.

Cognos Analytics 11.1.6
Microsoft Windows 2016 server

When you browse to http://caservername/ibmcognos you get an error;

Service Unavailable
HTTP Error 503. The service is unavailable.

In most cases this is because the application pool is stopped.

Go to IIS manager and start the ICApool.



Cognos BI 10.2.2 fix pack 10
C8BISRVR_UPDATE_name=IBM Cognos Business Intelligence Server Update
Microsoft Windows 2012 R2

When you run a report on a schedule, the HTML formatting is lost. If you run the report immediately it works fine.

Above: the scheduled report, which is missing formatting.

Above: the correct report layout, as it looks when you run it immediately.

Inside Cognos Connection you can create a “job” to schedule a report to run at a defined time.

Change to use cognosisapi as the default IIS gateway.

On the IBM Cognos 10 Gateway server,

  1. Open \webcontent\default.htm in a notepad. For example, D:\cognos\c10\webcontent\default.htm.
  2. Find the line that reads

    and change cognos.cgi to cognosisapi.dll.


This will make http://<webserver>/<alias> work like http://<webserver>/<alias>/isapi, redirecting to the ISAPI Gateway after showing a splash screen.

Possibly the scheduled report is saved in the content store database, but when you try to look at it, it does not show the correct formatting, because the cognos.cgi process does not get all the data.


Cognos Analytics 11.0.12
Microsoft Windows 2016 server

The users cannot log in with SSO; they have to enter their name and password at the IBMCOGNOS website.
Only a few Cognos CA11 gateway servers are affected.

Suggested solution:
Go into the Cognos Configuration on gateway servers and click save.
Does it help?

The recommendation is to change, on all Cognos Configuration installations, the “common symmetric key lifetime in days” from 365 to a higher value like 1825 (5 years).

Inside Cognos Configuration on the CA11 servers
Go to Local Configuration -> Security -> Cryptography
Modify the value for: Common symmetric key lifetime in days
Also go to Local Configuration -> Security -> Cryptography -> Cognos
Modify the value for: Certificate lifetime in days
Save the configuration and start the services.
You must start the Content Manager first, then the gateway servers last.

The issue can also be caused by changes to IIS setup for the SSO part.

More Information:
By default, the cryptographic keys are valid for 365 days.

This value is configured inside Cognos Configuration
Specifically, browse to “Local Configuration -> Security -> Cryptography” and modify the value for: Common symmetric key lifetime in days

Each time you open Cognos configuration and click the save button, it resets the clock on your 365 days. Therefore, if you installed the software and didn’t save the configuration for 365 days, they would expire and you’d need to manually regenerate them.

You must restart the services every so often to ensure the new keys are actually being used.

If you think you won’t be opening and saving your configuration at any point in the next year or two, you can change the expiration date to 8 years and re-encrypt everything.

If you miss the above, in a year's time you will get this error:
“The Cognos gateway is unable to connect to the Cognos BI server. The server may be unavailable, or the gateway may not be correctly configured”

Cognos Analytics 11.0.12
Microsoft Windows 2016 server

How do you limit login to Cognos Connection to only certain groups in the LDAP (Active Directory)?

Use the LDAP connector in Cognos Configuration, and allow users to log in only if they belong to one of two groups (CNs).
The “User Lookup” is used when you do not use SSO and you let BI (CA11) prompt the user for the user name and password. Change this to include the groups that the person must be a member of to be able to log in. Below is an example of how it can look:

(&(|(legacyuid=${userID})(uid=${userID}))(status=ACTIVE)(|(memberof=cn=Cognos_TM1_Contributor,cn=Cognos Groups,cn=UserGroups,ou=Global,,cn=Cognos Groups,cn=UserGroups,ou=Global,

“External identity mapping” is only used when you use SSO from IIS to log in to the BI server (CA11). You should change this to cover the same groups as the User lookup, so that login behaves the same whether SSO is used or not.

(&(|(legacyuid=${replace(${environment("REMOTE_USER")},"CompanyA\\", "")})(uid=${replace(${environment("REMOTE_USER")},"CompanyA\\", "")}))(status=ACTIVE)(|((memberof=cn=Cognos_TM1_Contributor,cn=Cognos Groups,cn=UserGroups,ou=Global,,cn=Cognos Groups,cn=UserGroups,ou=Global,

With the lines above, a user who is a member of the group Cognos_TM1_Contributor or Cognos_TM1_Modeler in LDAP can log in to Cognos. This is useful if you have a CA11 server setup that should only authenticate users of TM1 (Planning Analytics 2.x).

Check that the user is active in LDAP

Compare the userid with the LDAP field Legacyuid

You have to change cn= and ou= values to match your LDAP setup.

Base Distinguished Name, should be the root of the LDAP directory.
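
Both filter lines above are cut off on this page, so the following PowerShell is an added example (not from the original post) that builds the complete shape of such a filter and checks that its parentheses balance before it is pasted into Cognos Configuration. The function names are invented for this example, and the dc=example,dc=com suffix on the group DNs is a constructed placeholder; legacyuid, uid, status and the group names are the ones used above.

```powershell
# Added example: build a "User lookup" / "External identity mapping" filter that
# matches only active users who are members of at least one listed group.
# Function names and the dc=example,dc=com suffix are constructed for illustration.

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a literal value inside a search filter.
    # The backslash must be escaped first.
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function New-CognosUserFilter {
    param(
        [Parameter(Mandatory)][string[]]$GroupDn,
        # Cognos macro that yields the user id; it is inserted as-is, not escaped.
        [string]$UserExpr = '${userID}'
    )
    $members = ($GroupDn | ForEach-Object { "(memberof=$(ConvertTo-LdapFilterValue $_))" }) -join ''
    "(&(|(legacyuid=$UserExpr)(uid=$UserExpr))(status=ACTIVE)(|$members))"
}

function Test-LdapFilterBalanced {
    # True when every "(" has a matching ")" and none closes too early.
    param([Parameter(Mandatory)][string]$Filter)
    $depth = 0
    foreach ($ch in $Filter.ToCharArray()) {
        if ($ch -eq '(') { $depth++ }
        elseif ($ch -eq ')') {
            $depth--
            if ($depth -lt 0) { return $false }
        }
    }
    return ($depth -eq 0)
}

$groups = @(
    'cn=Cognos_TM1_Contributor,cn=Cognos Groups,cn=UserGroups,ou=Global,dc=example,dc=com',
    'cn=Cognos_TM1_Modeler,cn=Cognos Groups,cn=UserGroups,ou=Global,dc=example,dc=com'
)

# User lookup: used when Cognos prompts for user name and password.
$lookup = New-CognosUserFilter -GroupDn $groups

# External identity mapping: same groups, user id taken from REMOTE_USER (SSO).
$ssoUser = '${replace(${environment("REMOTE_USER")},"CompanyA\\", "")}'
$mapping = New-CognosUserFilter -GroupDn $groups -UserExpr $ssoUser

foreach ($f in $lookup, $mapping) {
    "{0}  balanced={1}" -f $f, (Test-LdapFilterBalanced $f)
}
```

Generating both properties from the same group list keeps the prompted login and the SSO login restricted to the same users.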

How to set up LDAP (from the web)
In every location where you installed Content Manager, open IBM Cognos Configuration.
In the Explorer window, under Security, right-click Authentication, and then click New resource > Namespace.

In the Name box, type a name for your authentication namespace, for example LDAP.
In the Type list, click the appropriate namespace and then click OK.

The new authentication provider resource appears in the Explorer window, under the Authentication component.
In the Properties window, for the Namespace ID property, specify a unique identifier for the namespace. It should be the same as the namespace name.
Specify the values for all other required properties to ensure that IBM Cognos components can locate and use your existing authentication provider.
If you want the LDAP authentication provider to bind to the directory server by using a specific Bind user DN and password when you perform searches, then specify these values.

If no values are specified, the LDAP authentication provider binds as anonymous.

If external identity mapping is enabled, Bind user DN and password are used for all LDAP access. If external identity mapping is not enabled, Bind user DN and password are used only when a search filter is specified for the User lookup property. In that case, when the user DN is established, subsequent requests to the LDAP server are run under the authentication context of the user.
If you do not use external identity mapping, use bind credentials for searching the LDAP directory server by doing the following step:
Ensure that Use external identity is set to False.
Set Use bind credentials for search to True.
Specify the user ID and password for Bind user DN and password.

If you do not specify a user ID and password, and anonymous access is enabled, the search is done by using anonymous.
Check the mapping settings for the required objects and attributes.

Depending on the LDAP configuration, you may have to change some default values to ensure successful communication between IBM Cognos components and the LDAP server.

LDAP attributes that are mapped to the Name property in Folder mappings, Group mappings, and Account mappings must be accessible to all authenticated users. In addition, the Name property must not be blank.
From the File menu, click Save.
Test the connection to a new namespace. In the Explorer window, under Authentication, right-click the new authentication resource and click Test.

You are prompted to enter credentials for a user in the namespace to complete the test.

Depending on how your namespace is configured, you can enter either a valid user ID and password for a user in the namespace or the bind user DN and password.

More information:

To bind a user to the LDAP server, the LDAP authentication provider must construct the distinguished name (DN). If the Use external identity property is set to True, it uses the External identity mapping property to try to resolve the user’s DN. If it cannot find the environment variable or the DN in the LDAP server, it attempts to use the User lookup property to construct the DN.

Cognos Analytics 11.0.12
Microsoft Windows 2012 Server
TM1 10.2.2

The IBM Cognos Windows service looks like it is started in Windows, but when you try to log in you get a message that the page cannot be shown. When starting Cognos from Cognos Configuration you get the message CFG-ERR-0106 … did not receive response from the IBM Cognos service in the time allotted. You cannot browse to http://servername:9300/p2pd/servlet
The firewall is not blocking the connection.

Possible solution:
Other software that uses Java was installed on the Cognos BI server and has set JAVA_HOME, JDK_HOME and JRE_HOME as Windows environment variables. You can see this by entering SET at a CMD prompt on the server. As a result, Cognos has used the wrong Java version.

Adjust JAVA_HOME to point to the Cognos java folder.


Cognos BI 10.2.2 (or Cognos Analytics 11.0.x)
Microsoft Windows 2008 Server

You do not have access to Cognos Connection. The IBM Cognos service appears to be running in Windows Services. The cogserver.log has been empty since the last restart.

Error message:
IBM Cognos gateway can not connect to IBM Cognos BI server.

The root cause is a corruption in the \wlp\usr\servers\cognosserver\workarea folder for WebSphere Liberty Profile (WLP).
Stop the IBM Cognos Windows service.
Backup the “workarea” folder.
Delete the “workarea” folder at  C:\Program Files\ibm\cognos\analytics\wlp\usr\servers\cognosserver\workarea
Start IBM Cognos service again.


Cognos BI 10.2.2 fix pack 7
Microsoft Windows 2012 R2 Server

When users browse to Cognos Connection in IE to log in, they get an AAA-SYS-0001 error.

Error Message:
AAA-SYS-0001 : An internal error occurred.
java.lang.RuntimeException: A visa already exists for this A visa already exists for this namespace.

Suggested Solution:
Inside Internet Explorer, clear the cache and try again.
Press CTRL+SHIFT+DELETE to bring up the “delete browsing history” dialog.
Press Delete.
Restart Internet Explorer and try again.