Product:
Planning Analytics 2.0.9.7
Microsoft Windows 2019 server

Problem:
What java keystore should i use for PA?

Follow official documentation in the first place, as the solution change with different versions of Cognos.

Suggested solution:

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=itw-configure-ssl-planning-analytics-tm1-webspreadsheet-services-existing-keystore

Make a backup of the ssl folder before you change anything.

The JAVA Keystore used by PMPSVC.  Open Command Prompt as an Administrator and navigate to the <tm1 install dir>\bin64\jre\bin\ directory.

Execute the following command to import/trust the certificate:

keytool.exe -import -trustcacerts -file “C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\caRoot.cer” -keystore “C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\tm1store” -alias caRoot -storepass applix

The JAVA Keystore used by TM1WEB.  Open Command Prompt as an Administrator and navigate to the <tm1 install dir>\bin64\jre\bin\ directory.

Execute the following command to import/trust the certificate:

keytool.exe -import -trustcacerts -file “C:\Program Files\ibm\cognos\tm1web\bin64\ssl\caRoot.cer” -keystore “C:\Program Files\ibm\cognos\tm1web\bin64\ssl\tm1store” -alias caRoot -storepass applix

More information:

https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

Java Keytool Commands for Creating and Importing

These commands allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.

• Generate a Java keystore and key pair

  keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks  -keysize 2048

• Generate a certificate signing request (CSR) for an existing Java keystore

  keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr

• Import a root or intermediate CA certificate to an existing Java keystore

  keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

• Import a signed primary certificate to an existing Java keystore

  keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

• Generate a keystore and self-signed certificate (see How to Create a Self Signed Certificate using Java Keytoolfor more info)

  keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

Java Keytool Commands for Checking

If you need to check the information within a certificate, or Java keystore, use these commands.

• Check a stand-alone certificate

  keytool -printcert -v -file mydomain.crt

• Check which certificates are in a Java keystore

  keytool -list -v -keystore keystore.jks

• Check a particular keystore entry using an alias

  keytool -list -v -keystore keystore.jks -alias mydomain

Other Java Keytool Commands

• Delete a certificate from a Java Keytool keystore

  keytool -delete -alias mydomain -keystore keystore.jks

• Change a Java keystore password

  keytool -storepasswd -new new_storepass -keystore keystore.jks

• Export a certificate from a keystore

  keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

• List Trusted CA Certs

  keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

• Import New CA into Trusted Certs

  keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/secur

https://www.ibm.com/support/pages/how-configure-custom-ssl-certificates-planning-analytics-20-and-201

https://www.ibm.com/support/pages/how-configure-planning-analytics-connect-ssl-secured-cognos-dispatcher

https://docs.bmc.com/docs/decisionsupportserverautomation/89/using-third-party-certification-authority-certificates-656916032.html 

Product:
Cognos Analytics 11.1.7

Microsoft Windows 2016 server

Issue:
When browse to IBMCOGNOS site you get a error message. This after a upgrade of cognos on a old server.

You change the Cognos Application pool to use localsystem as identity, but it did not help.

If you browse to controller test site; http://servername.domain.com/ibmcognos/controllerserver/ccrws.asmx or if you try http://servername.domain.com/ibmcognos/bi/v1/disp , then it works.

Solution:
Check the folder C:\inetpub\wwwroot for any web.config file.

This can be like this:

Rename the web.config file and restart iis with dos command : iisreset.

More Information:
https://www.ibm.com/support/pages/http-403-forbidden-error-message-when-accessing-cognos-anlaytics-1104-or-higher-gateway-url-iis-server

https://docs.microsoft.com/en-us/troubleshoot/iis/http-status-code

Product:
Cognos Analytics 11.0.13

kit_version=11.0.13.18102214
kit_name=IBM Cognos Analytics

Microsoft Windows 2012 server

Issue:
What is Director Administrator counted as kind of license?

Guessed Solution:
Director Administrator is classified as a administrator license.

Inside Cognos Analytics you can get a list of the users that have access to the system.
Go to Manage – Licenses – Export to get a list of user.

The view show only users who have logged into Cognos.
If you change a user from Administrator to User, that person must login to Cognos, before above list is updated with his correct license status.

The exported csv file, list all people that have somehow connected to cognos security.

The level 3 is a Analytic Administrator and level 1 is a Analytic User.
-1 in level show the user have not logged into Cognos, but he is listed in the security groups.

https://www.ibm.com/docs/en/cognos-analytics/11.0.0?topic=managing-licenses

To be sure about license talk to a IBM partner or read the license documents:

https://www-03.ibm.com/software/sla/sladb.nsf/lilookup/F7DA13804AF37FA3852586D8005820E1?OpenDocument

More information:

https://senturus.com/blog/cognos-analytics-using-license-roles-specify-permissions/

https://www.ibm.com/docs/en/cognos-analytics/11.0.0?topic=licenses-default-permissions-based

https://www.bspsoftware.com/products/metamanager/

To get a detailed report of users capabilities, you can install and use Cognos 11 audit extensions;

https://developer.ibm.com/technologies/analytics/tutorials/ibm-cognos-11-audit-extension/

http://www.middlecon.se/vara-omraden/licensoptimering/

Product:
Cognos Analytics 11.1.x
Microsoft Windows 2016 server

Problem:
When you enter url http://servername/ibmcognos then you do not get logged into Cognos Analytics, instead you get a blank screen.

Solution:

Add a rule to allow Cognos Analytics pages to load without a trailing slash in URL. Start IIS Manager and go to IBMCOGNOS.

More information:
https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=services-configuring-iis-in-cognos-analytics

Product:
Cognos Analytics 11.1.7
Microsoft Windows 2016 server
Problem:
Can i store the Native SQL query the users send to the database for later troubleshooting?

Solution:
Activate logging of the SQL query to the AUDIT database.
Setup the AUDIT database logging in Cognos Configuration.
https://www.ibm.com/support/pages/how-configure-audit-reporting-cognos-analytics

Browse to Cognos Analytics (ibmcognos) and go to Manage > Administrative Console > Configuration > Dispatchers and Services. Click on the Set Properties – Configuration icon.
Click the Settings tab, choose logging as category.

Go down to Generate comments in native SQL and mark it.
Click OK.
Run some reports to test the system.
Open SQL Developer and go to your AUDIT database and check the

COGIPF_NATIVEQUERY table.

More Information:

https://www.ibm.com/support/pages/how-see-which-user-generating-query-cognos-analytics

https://www.envisn.com/envisn-cognos-blog/bid/102418/What-s-Wrong-with-IBM-Cognos-Audit-Data

https://www.ibm.com/support/pages/cognos-ipf-audit-table-descriptions

https://cognoshub.blogspot.com/2015/02/cognos-sql-native-sql-and-pass-through.html

https://www.wisdomjobs.com/e-university/ibm-cognos-tutorial-196/auditing-4398.html

Product:
Cognos Analytics 11.1.7
Product_version=11.1 R7 (LTS)
install_type=Custom
selected_features=FTR_LCM
IBM-JRE_version=8.0.6.15
LCM_BUILD_version=11.1.7-2009181443
LICENSE_version=11.1.7-2009291107
Microsoft Windows 2019 server

Problem:
When starting the Cognos® LifeCycle Manager (LCM) on the same server as CA11 is installed, they use the same port 9300.

Suggested Solution:

Start notepad++ as administrator
Change port on LCM by open D:\Program Files\ibm\cognos\lcm\wlp\usr\servers\lcm\server.xml in notepad++

Change the row <httpEndpoint host=”*” httpPort=”9305″ httpsPort=”-1″ id=”defaultHttpEndpoint”/> to use 9305 instead of 9300
Save the file.
Start a CMD as administrator.
Go to folder D:\Program Files\ibm\cognos\lcm
Run lcm_start.bat to start the service

You need to update the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IBM Cognos LCM\LCM URI internet shortcut to reflect the change of port

Then after that it should work to start and use it

More information:

https://www.ibm.com/support/knowledgecenter/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.ug_upgr_mngr.doc/upgr_mngr.pdf

https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.ug_upgr_mngr.doc/t_upgr_mngr_create_project.html#upgr_mngr_create_project

Product:
Cognos Analytics 11.1.7 fix pack 2
Microsoft Windows 2019 server

Problem:

When run some reports after a upgrade from previous version you get a error like this:

XQE–GEN–0002 An unexpected exception occurred: java.lang.StackOverflowError.

Report validation is OK but when you try to run it as HTML report you get a error.

Possible solution:

Check the report specification for any item or function that is common for the reports that does not work.

Can be that you have a filter in the Query parameters that you need to remove from the report to make it work.

You need to remove one part of the report at a time to find what part of the report specification that can give you the issue.

More information:

https://www.njit.edu/finance/sites/njit.edu.finance/files/finance-innovations/Cognos%20Analytics%20Reporting.pdf

https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.1.0/com.ibm.swg.ba.cognos.ug_ca_dshb.doc/ug_ca_dshb.pdf

https://reports.nycenet.edu/Cognos84sdk/documentation/en/ug_cr_rptstd.pdf

standard-deviation From the old Cognos 8
Returns the standard deviation of selected data items. The keyword “distinct” is available for
backward compatibility of expressions used in previous versions of the product.
Syntax
standard-deviation ( [ distinct ] expr [ auto ] )
standard-deviation ( [ distinct ] expr for [ all | any ] expr {
, expr } )
standard-deviation ( [ distinct ] expr for report )
Example
standard-deviation ( ProductCost )
Result: A value indicating the deviation between product costs and the average product cost.

Product:
Cognos Analytics 11.1.7
Microsoft Windows 2019 server

Problem:
Can not add url or use link to tm1web or other web site.

When you try to add a URL you get below error:

Your URL uses an invalid domain. Click ‘View acceptable domains’ to see a list of domains you can use.

Solution:
On all Cognos BI (CA11) servers, go into Cognos Configuration
Expand Security
Select IBM Cognos Application Firewall
Under “Enable CAF Validation?” = True, click on pen icon to add more servernames for Valid domains and hosts.

Enter the company domain name with a wildcard as *.company.com
Enter all the server names for your Cognos Analytics servers
Enter all the TM1 servers you have in your environment
Enter the TM1WEB servers with port number like tm1webservername:9510 (you must enter the port number for all servers Cognos will communicate with if it is not port 80)

Click OK
Click SAVE in Cognos Configuration.
You need then click on RESTART to make this changes take effect.
Restart the primary content manager service first, when that is up again, then restart the other CA11 servers in your environment.

How add a URL link in CA11:

Click on + in the folder where you want the link to be and select URL

Enter a name and enter the URL to your server including port number 9510 for tm1web. Recommended is to use full names includeing domain part.

Click OK.

Test the link.

“Cannot open URL” can also be becouse the website does not exist.

More information:

https://www.ibm.com/support/knowledgecenter/SSEP7J_10.2.2/com.ibm.swg.ba.cognos.inst_cr_winux.10.2.2.doc/t_inst_cnfg_caf_steps.html%23inst_cnfg_caf_steps

https://www.ibm.com/support/knowledgecenter/SSEP7J_11.1.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_inst_cnfg_caf_steps.html

Product:
Cognos Analytics 11.1.7
Microsoft Windows 2019

Problem:
How find out who is Active Content Manager without logging in to the CA11 server?

Solution:

From a web browser enter following URL to server on port 9300 to check CM:
http://cognosanalyticsservername:9300/p2pd/servlet

State is Running if it is the active CM in a multiserver environment of cognos bi.

To find java memory usage, enter this URL:

http://servername.domain.com:9300/bi/v1/disp?b_action=/diagnostics

Get Dispatcher version with this URL:
http://servername.domain.com:9300/p2pd/servlet/gc

Verify the configuration of an install with URL:

http://servername.domain.com:9300/bi/v1/disp/p2plbDiag

Find XML parser with URL:
http://servername.domain.com:9300/p2pd/servlet/dispatch/xts.diag

To check if POGO is alive enter URL:
http://servername.domain.com:9300/bi/v1/disp?b_action=/dbg

If you see this message pogo is alive

https://www.accelebrate.com/blog/call-pogo-name

In future use REST API to find out more:
https://www.ibm.com/support/knowledgecenter/SSEP7J_11.1.0/com.ibm.swg.ba.cognos.ca_api.doc/c_ca_api_rest.html

https://community.ibm.com/community/user/businessanalytics/blogs/jason-tavoularis1/2020/07/30/connecting-to-rest-api-data

https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_rest_api.2.0.0.doc/tm1_rest_api.pdf

https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_nfg.2.0.0.doc/c_nfg_tm1_rest_api_2_0_5.html

Product:
Cognos Analytics 11.0.12
kit_version=11.0.12.18062512
kit_name=IBM Cognos Analytics
Microsoft Windows 2016 server

Problem:
After restart of servers the Cognos BI system does not respond. The users see this message:

The IBM Cognos gateway is unable to connect to the IBM Cognos BI server. The server may be unavailable or the gateway may not be correctly configured.

Error in cognosserver.log file:

com.cognos.accman.jcam.crypto.CAMCryptoException: CAM-CRP-1093 Unable to read the contents of the keystore ‘D:/Program Files/ibm/cognos/analytics/configuration/certs\CAMKeystore’. Reason: java.io.IOException: stream does not represent a PKCS12 key store

Solution:

First, try to restart the IIS server on the Cognos Gateway with the dos command: IISRESET

If that does not help, create new cryptographic keys;
“C:\Program Files\ibm\cognos\analytics\bin64\cogconfigw.exe” open to start cognos configuration.

Stop the running of Cognos BI in Cognos Configuration.

From inside Cognos Configuration, click ‘File > Export As’.

Choose ‘Yes’ at the prompt and save the file.  Name it ‘cogstartup backup.xml’ which will be stored in the analytics\configuration folder.

Close Cognos Configuration.

Moving this files to a different, secure location e.g. c:\temp\backup (they should during the cryptographic keys regeneration process be re-created):

· analytics/configuration/cogstartup.xml

· analytics/configuration/caSerial

· analytics/configuration/certs/CAMCrypto.status

· analytics/configuration/certs/CAMKeystore

· analytics/configuration/certs/CAMKeystore.lock

· analytics/temp/cam/freshness

Moving this folder to a different, secure location e.g. c:\temp\backup

· analytics/configuration/csk

In the analytics\configuration folder, rename ‘cogstartup backup.xml’ to ‘cogstartup.xml’.

Go in to Cognos Configuration and click SAVE, and then start.

To test, you can browse to http://ca11servername:9300/p2pd/servlet

Repeat all the above steps on all the Cognos servers, starting with the Content Manager server and take the Cognos Gateway servers last.

If you see the message “CM-CFG-5069 A serious error occurred while committing a delete operation” when starting up the Cognos Analytics service, it can be a temporary error when CA11 try to clean up its own cache.  Restart the CA11 server again and see if the error goes away.

Misleading Error in cognosserver.log at first logon of any user after a Cognos restart:
“/v1/identity bi-service Can not retrieve the password from configuration.”
Solved in later versions of CA11.

More information:

https://www.ibm.com/support/pages/how-regenerate-cryptographic-keys-cognos-analytics-11

https://www.ibm.com/support/pages/cognos-gateway-unable-connect-cognos-bi-server-2

https://www.ibm.com/support/pages/cognos-gateway-unable-connect-cognos-bi-server-while-trying-logon-cam-namespace-solved-iisreset

By default, the cryptographic keys are valid for 365 days.

• This value is configured inside Cognos Configuration
• Specifically, browse to “Local Configuration -> Security -> Cryptography” and modify the value for: Common symmetric key lifetime in days

Each time you open Cognos configuration and click the save button, it resets the clock on your 365 days. Therefore, if you installed the software and didn’t save the configuration for 365 days, they would expire and you’d need to manually regenerate them.

You must restart the services every so often to ensure the new keys are actually being used.

• If you think you won’t be opening and saving your configuration at any point in the next year or two, you can change the expiration date to 8 years and re-encrypt everything.

https://www.ibm.com/support/pages/apar/PI94141