Cognos Analytics 11.1.x
Microsoft Windows 2019 server
Microsoft SQL server

I have a new Cognos environment, and want to easy copy the content store from the old environment to the new. The new Cognos environment have the same or newer version of Cognos Analytics.


To get security values over  – you must have exact the same Active Directory connection setup on both the old and new environment. Double check in Cognos Configuration that namespace is the same.

On the old server – check in Cognos Configuration where the zip file is stored.

This is normally in folder C:\Program Files\ibm\cognos\analytics\deployment on your CA11 server.
Browse to ..ibmcognos from your web browser. Login as adminstrator in cognos connection.

Click Manage – Administration console

Click Configuration tab
Click Content Administration and click on the export icon

Enter a name and click on Next button

Mark “Select the entire Content Store” and check “Include user account information” to get most information over. Click Next

Click Next

Enter a password you can remember and click OK

Click Next

Select “save and run once” and Click Finish

Click Run

Mark “View the details of this export after closing this dialog” and click OK.

Click on blue “refresh” every 10 min to see if it is finished.

Wait until status says Finish. Above is not a finish status, there is no Completion time.
This can take 30 minutes, depending of the amount of data in your Content Store.

When succeeded, click Close.

When done go to Windows file explorer and copy the zip file over from the old Cognos BI server to your new Cognos Analytics server.  Place the file in the deployment folder you are going to use.

If the deployment folder inside Cognos Configuration is pointing to a file share: \\servername\sharefolder then the Cognos Analytics service must be run under a windows service account and not local system. Local system can only access folders on the same server.

Import content store by loading the deployment file via cognos connection.

Login to new IBMCOGNOS and go to Administration page, click on configuration – Content Administration. Click on the import icon.

Select you full content store file and click Next

Enter your password. Click OK

Click Next

Click Next

Click Next

Select “save and run once” and click Finish.

Do not run upgrade of report specifications. Do that at a later time, as it can take a very long time.

Click Run.

Mark “View the details of this export after closing this dialog” and click OK

Click Refresh every 15 min to see if it is done. When you have a completion time it is finish.


You can see errors in the report, note them down and search in google for more information.

If you have changed also the database server host for your AUDIT database, then you need to go into Cognos Administration – Configuration – Data source connections. There you need to update the link to the new database server there for your audit data source.

Click on Audit, then on “more” to right of the test icon.
Click “Set properties”
Click “Connection” tab

Click pencil icon, to get to the data source update dialog.

Change the server name and any other values you need to change. Update also the JDBC tab.
Click OK when done.
Test your data source connection.

Any special configuration you have done on the Cognos Dispatcher is not part of the deployment, they you have to manually add again. Go to Cognos Administration – Configuration. Click on Dispatchers and service and click on properties icon.

Click on settings

Check on all pages for values that is not default=Yes, as they have been changed and may need to be inserted in the new environment. Only enter values that you know you need in the new environment.

Click on the Advance settings blue Edit link, to see if there are any special settings in the environment.
Configuring advanced settings for specific services (

Repeat above steps in the new CA11 environment to get the fine tuning you want.
Logging should in most cases be set to BASIC.

Content Manager service advanced settings (

You can also import content store, by backup/restore the full cm database, but then you need to consider other parts like old dispatchers that will follow the move.

More information:

Cognos Analytics 11.1.7
Planning Analytics 2.0.9
Microsoft Windows 2019 Server
How setup Windows Kerberos login for Cognos products?
Here describes what Kerberos is:

Setup Cognos Analytics with a IIS gateway and make it work for Single Sign On (SSO) to login.

You need to create a windows domain account, that is local administrator on the Cognos server where the Cognos Content Manager function is, and run the IBM Cognos service with this account.

The account must be added with domain\name format, without use of @.
The same service account must run the IIS server application pool used by CA11.

Go to Internet Information Service Manager, and expand Application pools. Mark ICAPool and click on Advanced Settings. Click on Identity and select Custom Account. Click Set and enter the domain\name account and password. Click OK.
Restart IIS.
The service account must have “Trust this user for delegation to any service (Kerberos only)” set in Active Directory. Ask the IT department to set this on the Windows Domain Controller.

Constrained delegation is not recommended.
Ensure that the cognos service account have NTFS read/write/execute rights on the cognos folders.
Right click on folder C:\Program Files\ibm\cognos\analytics and select properties.
Check the security tab that the local Administrator group have full rights.

Go to Computer Management in Control panel – Administrative Tools. Expand Local User and Groups – Groups. Check what groups and accounts are in the Administration group on the server.

Ensure that the cognos service account is part of a domain group that is included in the local administrator group. Does not need to be domain admins group, but must be the same group.

On the Windows Domain Controller you must run the SETSPN command to create the Service Principal Name.

Enter the webserver and the cognos bi server to the service account. In our case it is the same server.
You need to add all the ways the system connect to the server e.g. HOSTNAME and FQDN.
In our example we use setspn -s HTTP/win2019.lab.pacman LAB\cognosservice

setspn -s HTTP/websrv_aliasname  domain\cognosserviceaccount
setspn -s HTTP/appsrv_FQDN  domain\cognosserviceaccount
setspn -s HTTP/appsrv_HOSTNAME  domain\cognosserviceaccount

Use the servername in cognos configuration for the setspn command above.

Use setspn -L domain\cognosserviceaccount to see the current values in use.

Some common switches used with SetSPN:

-a    Add an entry to an account (explicitly)
-s    Add an entry to an account (only after checking for duplicates first)
-d    Delete an entry from an account
-x    Search the domain for duplicate SPNs
-q    Query the domain for a specific SPN

In IIS manager on the Cognos Gateway server; ensure that Anonymous Authentication is on IBMCOGNOS folder.

Go to \bi folder, and click on Authentication. Select Windows Authentication and click enable.
Disable Anonymous Authentication on the \bi folder.

Click on Providers for the \bi folder, and remove NTLM so you only have Negotiate.

Repeat on \sso folder, so it also only have Negotiate as Windows enabled Providers.

For \sso folder click on Configuration Editor.

Select in the drop down menu for section – system.webServer – security – authentication – windowsAuthentication.

To get this dialog up for the sso folder.

Set true to “useAppPoolCredentials” and “useKernelmode”.
Go to the \bi folder and set the same values.

Click on Configuration Editor icon – select system.webServer – security – authentication – windowsAuthentication. Set true to “useAppPoolCredentials” and “useKernelmode”.

If you use Oracle or DB2 as content store database, you are all set. But if you use Microsoft SQL server you need to add setspn for the service account that run the SQL services.

Ask the SQL DBA to ensure the service account for SQL server is using domain\account notation as above. Kerberos will not work with Local System as the service account for Microsoft SQL database.
You need to check in cognos configuration how Cognos Analytics connects to the content store database. Open Cognos Configuration on your Cognos Content Manager server.

Note down IP or HOSTNAME that is in use to connect to the SQL server. This will be used in the setspn command.  Enter in our case setspn -s MSSQLSvc/ LAB\cognosservice

setspn -s MSSQLSvc/sqlsrv_FQDN  domain\SQLServiceAccount
setspn -s MSSQLSvc/sqlsrv_FQDN:instancename  domain\SQLServiceAccount
setspn -s MSSQLSvc/sqlsrv_FQDN:1433  domain\SQLServiceAccount

You need to enter all variants of the SQL server name to the setspn command.

Restart the windows server for Cognos Analytics to ensure the domain changes have taken affect.

To check that Kerberos is in use, activate AAA tracing for a short period in Cognos Analytics.

Login to CA11 as administrator and click on Manage – Configuration.

Click on Diagnostic Logging.

Click on AAA and Apply.
Logout from CA11 and close the browser.
Start the web browser again and go to http://win2019.lab.pacman/ibmcognos/
after the sso have let you in, go to the Cognos Analytics Content Manager server.
Open the C:\Program Files\ibm\cognos\analytics\logs\cognosserver.log file in notepad++

Go to the end of the file and from search menu select find and enter AUTH_TYPE.
Scroll to the right, and if kerberos is used it should say:
<value xsi:type=”xsd:string”>Negotiate</value>

Close the log file.
Go back into CA11 portal.
Go to manage – configuration – diagnostic logging.

Select Default Logging and click Apply. This is important as the logging can make the cognos system slower.

Planning Analytics (TM1) will use kerberos now too, as long they are setup to use CAM security.

More information:

Overview of Service Principal Name and Kerberos authentication in SQL Server

Cognos Analytics 11.1.3
Microsoft Windows 2016 server
Login dialog when user try to access CA11 website

Check that the server name is in local intranet sites or trusted sites in internet options.

At most company’s this is controlled by group policy in the network, ask the IT department to add the CA server name and DNS alias to the local intranet site.

The new Edge that use chromium, will only allow SSO for servers in Local Intranet zone. But Internet Explorer on the same computer will allow SSO for servers both in Local Intranet Zone and Trusted Zone.

In Windows only, if the AuthServerWhitelist setting is not specified, the permitted list consists of those servers allowed by the Windows Zones Security Manager (queried for URLACTION_CREDENTIALS_USE). By default, this includes servers in the Local Machine or Local Intranet security zones. For example, when the host in the URL includes a “.” character, by default it is outside the Local Intranet security zone). This behavior matches Internet Explorer and other Windows components.

You have to search the internet to find where you can set the Edge Zone security in the local windows.

There is also granular settings in Custom level there you should uncheck “automatic logon only in intranet zone”.

Then you can have the cognos analytics site in Trusted tab instead.

Steps for Adding Trusted Sites in old Browser

clipboard_e8a7609ba67df6fed071fd60091e07355.pngGoogle Chrome > Adding Trusted Sites

  1. Click the Chrome Menu icon on the far right of the Address bar.
  2. Click on Settings, scroll to the bottom and click the Show Advanced Settings link.
  3. Click on Change proxy settings (under Network)
  4. Click the Security tab > Trusted Sites icon, then click Sites.
  5. Enter the URL of your Trusted Site, then click Add.
  6. Click Close > OK.

clipboard_ea8e5cecec1e5dca38441c9c37134257b.pngMozilla Firefox > Adding Trusted Sites

  1. Click the menu icon in the upper right-hand corner of the browser.
  2. Click Options.
  3. Click Privacy and Security.
  4. Scroll down to the “Permissions” section, and click on Exceptions to the right of “Warn you when websites try to install add-ons.”
  5. Type the trusted sites into the “Address of website” field.
  6. Click Allow.
  7. Click Save Changes.

clipboard_eec6508771be7e2766cbef130f1739002.png Safari > Adding Trusted Sites

  1. At the top of the screen, click Bookmarks.
  2. Click “Add Bookmark…”
  3. Click “Top Sites” from the dropdown menu.
  4. Click Add.

clipboard_eaed7201dc9178b78099be4d2fd603773.png Internet Explorer 9, 10 and 11 > Adding Trusted Sites

  1. Click Tools, click Internet Options, and then click the Security tab.
  2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
  3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
  4. In the  Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
  5. Repeat these steps for each site that you want to add to the zone.
  6. Click OK two times to accept the changes and return to Internet Explorer.

clipboard_e7cae9f0eed9e3179b0a0bb00194c503c.pngMicrosoft Edge > Adding Trusted Sites

  1. Search in the Start Menu for the Control Panel.
  2. Click or double-click the Internet Options icon.
  3. In the Internet Properties window, click the Security tab.
  4. Select the Trusted sites entry and click the Sites button.
  5. Enter the address for the trusted website in the Add this website to the zone text field.
  6. Click the Add button, then click OK to save the website addition.

More information:

Security Zones in Edge

Cognos Analytics 11.0.13
Microsoft Windows 2016 server

After change of custom certificate on IIS and in CA11 dispatcher level, in file CAMkeystore. The still show wrong certificate.
When you examine the camkeystore.jks file with ikeyman.exe you find that the root certificate is used instead of the server certificate.

Possible solution:
When using custom certificate for SSL (TLS) communication on port 9300, you need to only add this certificate to the CAMkeystore file.
First you set HTTPS in cognos configuration, then when you press save inside Cognos Configuration for CA11, the keystores files are created.
For example IBM Cognos Configuration > Security > Cryptography > Cognos > Certificate lifetime in days. This value will set the cognos server certificate (encryption) in the keystore to last this long. The internal CA certificate is created to last a year longer.
After the cognos keystore files are created, you can add the custom certificates to the file with ikeyman.exe.

You must add the certificate in correct order:
Root – first
Intermediate – second
Server Cert – last

Make a backup of the C:\Program Files\ibm\cognos\analytics\configuration\certs folder before you start.

Go to C:\Program Files\ibm\cognos\analytics\jre\bin
Launch ikeyman.exe as administrator ( by right click and select run as administrator)
Open the following file C:\Program Files\ibm\cognos\analytics\configuration\certs\CAMkeystore
Type: PKCS12
File name:CAMKeystore
Location:  C:\Program Files\ibm\cognos\analytics\configuration\certs
Password: NoPassWordSet (default)

Select Signer Certificates from the drop down list.
Click on Add.
Import your root.cer first.
Then import your intermediate.cer second.
Then go back to Personal Certificates from the drop down list.
Mark encryption, and click on Rename. Change the name to old-encryption.
Click on Import button. Select Import key.

Select you certificate file with your server certificate, that contain the DNS alias for your server.
Enter your password when you import the file.
Set the name of the server cert to encryption.
Exit/Close the ikeyman program. Any changes are saved directly to the CAMkeystore file.

Now go into Cognos Configuration and click save. Then start the Cognos service from inside Cognos Configuration. Now the file CAMkeystore.jks is created/update with the custom certificates.
Test to browse to the

You may need to also add the custom certificate to other places, depending on you system setup.

(Internal CA)
It is Cognos specific certificate authority.  You can check the content with ikeyman tool.

View ‘ca’ certificate under Personal Certificates.  Double click to see the values of the certificate.
When ‘encryption’ certificate is expired, you cannot log in to Cognos Analytics.

If you use PA, you need to add the Planning Analytics certificate to the CA11 key store.

More information:

Cognos Analytics 11.1.7
Microsoft Windows 2019 server

Error when using Event Studio in a multi server installation of CA 11.1.7 .

CAM-CRP-1655 Member coordination host in Configuration Group is not configured properly

Ensure that Server Common Name is the FQDN of the server and not the word CAMUSER, as it was in old version of Cognos.

From Cognos Analytics 11.1.7 you must use Fully Qualified Domain Names for the following Cognos Configuration fields, even when you do not use SSL.

Gateway URI
External dispatcher URI
Internal dispatcher URI
Dispatcher URI for external applications
Content Manager URIs
Environment > Configuration Group
Group contact host
Member coordination host
Security > Cryptography > Cognos
Server common name
Subject Alternative Name > DNS names
Subject Alternative Name > IP addresses

More information:

Planning Analytics 2.0.9
Microsoft Windows 2016 server

Try to add a new TM1 instance, and when click save configuration get error message. You have recently change the CA11 security setup.
[ ERROR ] CAM-CRP-1315 Current configuration points to a different Trust Domain than originally configured.

You are unable to generate Cryptographic keys after changing authentication for a TM1 server.

Inside Cognos Configuration save the configuration as text, name the file to pa_backup.xml
Stop both IBM Cognos service and IBM Cognos TM1 services.
Remove the C:\Program Files\ibm\cognos\tm1_64\temp\cam\freshness file.
Back up the existing cryptographic keys by copy the following directories to d:\temp\backup:

C:\Program Files\ibm\cognos\tm1_64\configuration\configuration\csk
C:\Program Files\ibm\cognos\tm1_64\configuration\certs

Delete the C:\Program Files\ibm\cognos\tm1_64\configuration\csk directory.
Clear the certs directory, except for the jCAPublisherKeystore file that you keep.

Rename cogstartup.xml to
Rename pa_backup.xml to cogstartup.xml in folder C:\Program Files\ibm\cognos\tm1_64\configuration

Open IBM® Cognos® Configuration for Planning Analytics, save the configuration and start the services, IBM Cognos TM1 and TM1 Admin Server.


If you have similar problem with CA11, you can save below in a text file (certclean.cmd) and then run it from a administration command. (but first you need to stop the IBM Cognos service, and after you need to open Cognos Configuration and click save.)

REM Export current configuration to an XML file
cd “C:\Program Files\ibm\cognos\analytics\bin64”
cogconfig.bat -e “C:\Program Files\ibm\cognos\analytics\configuration\backup.xml”

REM Remove current crypographic keys/information
md “C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem”
move “C:\Program Files\ibm\cognos\analytics\configuration\cogstartup.xml” “C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem”
move “C:\Program Files\ibm\cognos\analytics\configuration\caSerial” “C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem”
move “C:\Program Files\ibm\cognos\analytics\configuration\certs\CAMCrypto.status” “C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem”
move “C:\Program Files\ibm\cognos\analytics\configuration\certs\CAMKeystore” “C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem”
move “C:\Program Files\ibm\cognos\analytics\configuration\certs\CAMKeystore.lock” “C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem”
move “C:\Program Files\ibm\cognos\analytics\temp\cam\freshness” “C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem”
ren “C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem”
cd “C:\Program Files\ibm\cognos\analytics\configuration”
ren csk csk_backup_to_fix_problem

REM Copy new configuration
copy “C:\Program Files\ibm\cognos\analytics\configuration\backup.xml” “C:\Program Files\ibm\cognos\analytics\configuration\cogstartup.xml”

More Information:

Cognos Controller 10.4.2
Cognos Analytics 11.0.13
Microsoft Windows 2012 server

On a CA installation where the IIS web server is using HTTPS for IBMCOGNOS.
How update the certificate on the IIS server when it expire after some years.

Suggested Solution:
Get a new certificate from the company’s internal Certificate Authority.
You get a pfx file and a cer.pem file.
You also get a password to the pfx file – save it in notepad.
Save them in a separate folder on the server (c:\temp\cert)

Go to the IIS Manager
Select the server name in the tree
Click on Server Certificates icon

Click on Import link at the right
Click on … to find the pfx file.
Enter the password and press OK

Click on Default web site
Click on Bindings

Select HTTPS
Click Edit

Click on drop down and select the new cert
Click OK

Start your Cognos Controller client and check that you can login.

You may also need to update the CACERTS file in the cognos controller client installation to get the Java menus to work (like maintain – jobs – define).

Export the certificate from IIS with use of IE:
Surf to your IBMCOGNOS site with https
Click on the lock icon in IE toolbar and click “View certificates”
Click on Details tab

Click Copy to file button

Click next

Select Base-64 encoded X.509 and click next

Enter path and name and click next

Click finish
Repeat above for the Root certificate and any intermediate certificates.

You must first view the certificate before you export it from the details tab.

Import the cert with the IKEYMAN:
If you have Cognos Analytic on the same server as you have installed Cognos Controller client, you can use it to import the cer files to the cacert file.
Before change the cacerts file make a backup of the file to other folder.

Go to C:\Program Files\ibm\cognos\analytics\jre\bin
Right click ikeyman.exe and select run as administrator

click open and select your cacerts file in folder C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security

Click ok

Enter password changeit
Click ok

Click drop down list and select Signer Certificates

Click on Add button

Click on browse and select your cer file.
Click OK

Enter a name e.g. Cognos

Repeat the ADD steps for Root and other company needed certificates.

Changes are save direct, so only select exit to end the program.

The update cacerts file can be made part of any Cognos Controller client installation package the company uses (so not every user need to do this) .

Or import the cert with the command line, if you do not have CA11 on the server:
“C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\bin\keytool” -import -alias CognosController -file “C:\temp\cert\CognosController.cer” -keystore “C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security\cacerts”

You should manage with only have the Company Root certificate and any intermediated in the file;

“C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\bin\keytool” -import -alias root1 -file “C:\temp\cert\root1.cer” -keystore “C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security\cacerts”

“C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\bin\keytool” -import -alias intermediated2 -file “C:\temp\cert\intermediated2.cer” -keystore “C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security\cacerts”

More Information:
To add certificates to the Trusted Root Certification Authorities store for a local computer

Click Start, click Start Search, type mmc, and then press ENTER.

On the File menu, click Add/Remove Snap-in.

Under Available snap-ins, click Certificates,and then click Add.

Under This snap-in will always manage certificates for, click Computer account, and then click Next.

Click Local computer, and click Finish.

If you have no more snap-ins to add to the console, click OK.

In the console tree, double-click Certificates.

Right-click the Trusted Root Certification Authorities store.

Click Import to import the certificates and follow the steps in the Certificate Import Wizard.

Cognos Analytic 11.1.6
Microsoft Windows 2016 server

When you browse to http://caservername/ibmcognos you get an error;

Service Unavailable
HTTP Error 503. The service is unavailable.

This is in most cases is this that the application pool is stopped.

Go to IIS manager and start the ICApool.


More Information:

Cognos BI 10.2.2 fix pack 10
C8BISRVR_UPDATE_name=IBM Cognos Business Intelligence Server Update
Microsoft Windows 2012 R2

When you run a report as schedule, the formatting for HTML is lost. If you run the report intermediate it works fine.

Above the scheduled report who is missing formatting

Above the correct report layout, as it looks when you run it intermediate.

Inside Cognos Connection can you create a “job” to schedule the run a report at a defined time.

Change to use cognosisapi, as the default IIS gateway.

On the IBM Cognos 10 Gateway server,

  1. Open \webcontent\default.htm in a notepad. For example, D:\cognos\c10\webcontent\default.htm.
  2. Find the line that reads

    and change cognos.cgi to cognosisapi.dll.


This will make http://<webserver>/<alias> work like http://<webserver>/<alias>/isapi, redirecting to the ISAPI Gateway after showing a splash screen.

Possible the schedule report is saved in the content store database, but when you try to look at it is not showing the correct formatting, because the cognos.cgi process does not get all the data.

More information:

Cognos Analytics 11.0.12
Microsoft Windows 2016 server

The users can not login with SSO, they have to enter name and password at the IBMCOGNOS website.
Only a few Cognos CA11 gateway servers are affected.

Suggested solution:
Go into the Cognos Configuration on gateway servers and click save.
Does it help?

Recommend is to on all Cognos Configuration installation change the “common symmetric key lifetime in days” from 365 to a higher value like 1825 (5 years).

Inside Cognos Configuration on the CA11 servers
Go to Local Configuration -> Security -> Cryptography
Modify the value for: Common symmetric key lifetime in days
Also go to Local Configuration -> Security -> Cryptography -> Cognos
Modify the value for: Certificate lifetime in days
Save the configuration and start the services.
You must start the Content Manager first, then the gateway servers last.

The issue can also be caused by changes to IIS setup for the SSO part.

More Information:
By default, the cryptographic keys are valid for 365 days.

This value is configured inside Cognos Configuration
Specifically, browse to “Local Configuration -> Security -> Cryptography” and modify the value for: Common symmetric key lifetime in days

Each time you open Cognos configuration and click the save button, it resets the clock on your 365 days. Therefore, if you installed the software and didn’t save the configuration for 365 days, they would expire and you’d need to manually regenerate them.

You must restart the services every so often to ensure the new keys are actually being used.

If you think you won’t be opening and saving your configuration at any point in the next year or two, you can change the expiration date to 8 years and re-encrypt everything.

If you miss above, you will get in a years time this error;
“The Cognos gateway is unable to connect to the Cognos BI server. The server may be unavailable, or the gateway may not be correctly configured”