Product:
Cognos Controller 10.3.1 interim fix 13
Microsoft Windows 2012 server

https://www.ibm.com/support/pages/cognos-controller-builds-ccr-name-and-database-version

Problem:
After update with a interim fix to Cognos Controller, user get a error when start of a JAVA based dialog, like JOBS DEFINE or COMMAND CENTER.

Solution:
On the IIS manager, for the application folder CONTROLLERSERVER set to allow “Anonymous Authentication”, and only have “Windows Authentication” on virtual folder IBMCOGNOS or SSO.

More Information:
https://www.ibm.com/support/pages/node/1119885
https://www.ibm.com/support/pages/how-upgrade-controller-1031x-later-interim-fix-if-fix-pack-patch-level

Product:
Cognos Controller 10.4.2
Microsoft Windows server 2012 R2
Microsoft SQL Server 2016

Problem:
After restore of one old Cognos Controller database backup, you get this error when you try to create a SQL account for the database.

Error:
The server principal ‘fastnet’ already exists

Solution:
Go into Microsoft SQL Server Management Studio as Administrator
Mark your newly restored controller database
Expand the Tables and check the schema name (mostly it is fastnet)
Click on “New Query”
Past in this code (edit the name and update the ‘ to be correct symbol)
EXEC sp_change_users_login ‘Auto_Fix’, ‘fastnet’
Click on Execute.

The row for user ‘fastnet’ will be fixed by updating its login link to a login already in existence.
The number of orphaned users fixed by updating users was 1.
The number of orphaned users fixed by adding new logins and then updating users was 0.

This should create and update the SQL server with the account used for the controller database.

More information:
https://sqlserverbuilds.blogspot.com/
https://www.crestwood.com/2017/05/24/error-creating-new-sql-user-server-principal-already-exists/

Product:
Cognos Controller 10.3.1
Microsoft Windows 2012 server

Problem:
Several controller users are thrown out of the cognos controller client at reporting week.

Error message:

Solution:
Check the firewall between the servers, controller servers and citrix servers.
Is there any new rules that have been implemented?

Does other application that also use citrix servers have issues with connection losses?

Turn off aggressive Aging in your firewall.

Also check if the Windows SQL server demand TLS 1.2, and you need to update the Windows registry to not use TLS 1.2 communication on the cognos servers. Set this values on cognos server:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]

“DisabledByDefault”=dword:00000000

“Enabled”=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]

“DisabledByDefault”=dword:00000000

“Enabled”=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]

“DisabledByDefault”=dword:00000000

“Enabled”=dword:00000000

If it does not help, then also try to change the DoS attacks settings in Windows;

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6859390e-7047-41d2-930e-a1ecd87ba3bb&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

A change in TCP/IP service are going to enable DoS protection.

1. Run regedit.exe
2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry subkey.
3. From the Edit menu, select New, DWORD Value.
4. Enter the name TcpMaxHalfOpen, then press Enter.
5. Double-click the new value, set it to 100, then click OK.
6. Enter the name TcpMaxHalfOpenRetried, then press Enter.
7. Double-click the new value, set it to 80, then click OK.
8. Enter the name SynAttackProtect, then press Enter.
9. Double-click the new value, set it to 1, then click OK.
10. Reboot the machine.

If above is set, try to remove it with SynAttackProtect value set to 0.

When SynAttackProtect value is 0, it offers no protection. Value 1 indicate to delay the response Notification untill three way handshake is complete by the received by the SYN packet. By default, this is not invoke untill it exceeds the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values. The values TcpMaxHalfOpen and TcpMaxHalfOpenRetried could be changed, and I strongly recommend to test with different settings in your environment, then choose the best ones.

https://www.informit.com/articles/article.aspx?p=371702

More Information:
https://sc1.checkpoint.com/documents/R76/CP_R76_IPS_AdminGuide/12857.htm

Understanding Aggressive Aging

To increase gateway stability, aggressive Aging helps manage the capacity of the connection table and gateway memory consumption.

Aggressive Aging introduces a new set of short timeouts called aggressive timeouts. When a connection is idle for more than its aggressive timeout, it is marked as “eligible for deletion”. When the connections table or memory consumption reaches a user defined threshold, Aggressive Aging begins to delete “eligible for deletion” connections until memory consumption or connection capacity falls to the desired level.

Aggressive Aging lets the Security Gateway handle large amounts of unexpected traffic, for example during a Denial of Service attack.

If the defined threshold is exceeded, each incoming connection triggers the deletion of ten connections from the “Eligible for Deletion” list. An additional ten connections are deleted with every new connection until the memory consumption or the connections capacity falls below the enforcement limit. If there are no “Eligible for Deletion” connections, no connections are deleted but the list is checked for each subsequent connection that exceeds the threshold.

Timeout settings are a key factor in memory consumption configuration. When timeout values are low, connections are deleted faster from the table, enabling the firewall to handle more connections concurrently.

Best Practice: When memory consumption exceeds its threshold, work with shorter timeouts that can maintain the connectivity for the majority of the traffic.

In the Aggressive Aging Timeouts are enforced when section, select whether they will be enforced if the Connections table exceeds a limit, if Memory exceeds a limit, or if both exceed their limits.

If you select both, the values in the percentage fields of the other options are applied. Default is 80%, with connections from the “Eligible for Deletion” list being deleted if either the Connections table or Memory consumption passes this limit.

Note – The limits for the Connections table and Memory consumption are set for each profile. The Aggressive Aging timeouts are global. Therefore: different gateways may enforce the same timeouts at different thresholds.

Activate this protection in either Prevent or Detect mode.

Product:
IBM Cognos Controller 10.3.1
Microsoft Windows 2008 R2 server
Microsoft Excel 2008

Problem:
When inside Cognos Controller click on the icon to start excel, you get a error;
APPCRASH. CCR.exe

Error:

Solution:
Install a newer version of Excel.

Cognos Controller 10.3.1 only supports excel version 2010, 2013 and 2016.

https://www.ibm.com/support/pages/ibm-cognos-controller-1031-supported-software-environments

Product:
Cognos Controller 10.4.2
Microsoft Windows 2012 R2 server
Microsoft SQL server

Problem:
How upgrade a new restored database to the latest Cognos Controller version?

Solution:
When a database backup from a previous version is restored on the SQL database server, it needs to be upgrade after it is connected.
You need also to update the data sources in CA11 by click on repair button, in Controller Configuration.

Login to the Controller server (if you have more than one controller server, you need to repeat the first step to configure the new controller database in controller configuration on all servers).
Right click on Controller Configuration and open it as an Administrator.

Go to Database Connections
Click on the icon for a new connection
At database type select SQL Server

Fill in the name of the database, as the users in cognos controller will see it.
Enter the provider to be SQLNCLI11.1
Enter the user id, to the SQL login you have for the database.
Enter the SQL user password.
At Initial catalog, you enter the name of the database as seen on the SQL server.
At data source you enter the name of the windows server that run SQL server.

(if unsure of what to enter, check on the previous database setup parameters)
Click on the test icon, to ensure you got it all right.

Click save.  (Only Above need to be done on the other controller servers too.)

Click on the green arrow to start the DBConv program.

Click on Connect Button to connect to the new database and see what version it have today.

Click on Upgrade Button to upgrade the database to latest Cognos Controller version.

When done, and no errors are shown, click on Close.

Now you have to update the BI database connections, by go to Report Service, in Controller Configuration.
Click on Check icon.

Click on Repair button.
Close Controller Configuration.

Then on the Controller Web server, you need to start a CMD prompt as an administrator.
Inside CMD you need to move to folder C:\Program Files\IBM\cognos\ccr_64\fcmweb

cd C:\Program Files\IBM\cognos\ccr_64\fcmweb

Type the following command to update Controller web:

SyncDBConf.bat    ..\Data   wlp\usr\shared\config\datasources

Now the ControllerWeb application should know about the new Controller Database.

Best is to restart the Windows servers where Cognos Controller is installed, to make the changes noticed. You need to restart the CA11 servers in correct order.

At least you need to restart the IBM Cognos Controller Batch Service.

If you have several controller servers, the Controller Batch Service must only be running on the Controller Master server.

More information:
https://www.ibm.com/support/pages/how-migrate-upgrade-upsize-existing-database-new-later-version-controller
https://www.ibm.com/support/knowledgecenter/SS9S6B_10.4.2/com.ibm.swg.ba.cognos.qrc_ctrl_inst.doc/t_qsg_ctrl_config_controllerdb.html

https://www.ibm.com/support/pages/missing-database-connection-choices-when-using-controller-web

Product:
Cognos Controller 10.4.1 web
Microsoft Windows Server 2016

Problem:
Change to use DNS alias to the cognos controller server, and now can not login to the Controller Web,
“Server is not reachable or still initializing, please refresh the page in a few seconds”
If you surf direct to servername, then controller web works, it is only with dns alias that give the error.

Solution:
You need to change to the DNS alias in the file for Controller Web front end.
Stop the IBM Cognos Controller Web UI service
Start NOTEPAD as administrator
Open file D:\Program Files\ibm\cognos\ccr_64\frontend\config.js
Change the server name at line 25 to be the dns alias

“expressJs”: {
“host”: “dnsalias.domain.com”, //interface used by Controller Web UI Service
“port”: “9080”, //port used by Controller Web UI Service

Save the file.
Start the IBM Cognos Controller Web UI service

Test to surf to http://dnsalias.domain.com:9080/ to see if Controller Web works.

Now to surf to server name, should not work instead.

More Information:
https://www.ibm.com/support/pages/server-not-reachable-or-still-initializing-please-refresh-page-few-seconds-error-launching-controller-web-caused-incorrect-tcp-port-inside-serverxml
https://render-prd-trops.events.ibm.com/support/pages/troubleshooting-server-not-reachable-or-still-initializing-please-refresh-page-few-seconds-error-launching-controller-web
https://www.ibm.com/support/knowledgecenter/en/SS9S6B_10.4.1/com.ibm.swg.ba.cognos.ctrl_inst.doc/t_contrweb_configure.html

In cmplst.txt you will find this version for controller 10.4.1:

LICENSE_CONTROLLER_version=LICENSE_CONTROLLER-AW64-ML-RTM-10.4.1100.1-0
LICENSE_CONTROLLER_name=IBM Cognos 8 License
SWTAG_CONTROLLER_version=SWTAG_CONTROLLER-AW64-ML-RTM-10.4.1.1-0
SWTAG_CONTROLLER_name=SWTAG CONTROLLER
CONTRL_version=CCR-AW64-ML-RTM-10.4.1100.133-0
CONTRL_name=IBM Cognos Controller

Product:
Cognos Controller 10.4.1
Microsoft Windows 2016 server

Problem:
Controller admin try to update users in Maintain – Rights – User dialog, for a installation where CAM security is used. He can not see the connected CAM users in the list.

Solution:
You must be part of Cognos Connection security group Controller Administrators. Only people in this group can change things inside controller security dialog.

When you open the user dialog, you maybe got a message “The user currently logged in is not authorized to use this method”. That means you are not part of the Controller Administrator group.

Add the person to the Controller Administrator group in Cognos. The Controller Administrator group is not the same as the ibm Cognos Controller administrator authorized user license. This is controlled by access to the Maintain menu.

More Information:

https://www.ibm.com/support/pages/controller-licensing-what-difference-between-administrator-and-non-administrator-user

https://www.ibm.com/support/knowledgecenter/en/SS9S6B_10.4.1/com.ibm.swg.ba.cognos.ctrl_ug.doc/t_usurrrigh.html#usurrrigh

Product:
Cognos Controller 10.4.1 FAP service
Planning Analytics 2.0.6
Microsoft Windows 2016 server

Problem:
You get a error when run first IP in a new setup of FAP and TM1 instance.

Error in log file D:\Program Files\ibm\cognos\ccr_64\Server\FAP\error.log
10:00:08,849 | ERROR [fap.service.schedule.Scheduler] [schedulerThread], Could not logon to TM1
javax.naming.ConfigurationException: The TM1Server fap is neither in BASIC or in CAM mode
at com.ibm.cognos.fap.common.persistence.tm1.TM1Context.login(TM1Context.java:110)
at com.ibm.cognos.fap.service.schedule.Scheduler.updateDatamarts(Scheduler.java:567)
at com.ibm.cognos.fap.service.schedule.Scheduler.run(Scheduler.java:257)
at com.ibm.cognos.fap.service.schedule.Scheduler$1.run(Scheduler.java:162)
at java.lang.Thread.run(Thread.java:812)

Solution:
Change to IntegratedSecurityMode=5 from IntegratedSecurityMode=2 in TM1s.cfg file for the TM1 application.

During setup you have been in mode 2 to be able to add the windows service account that is going to be used by the FAP service to login to the TM1 solution. Keep in mind when you setup the DataMart (TM1 server) you need to specify the user login to TM1 with namespaceid\user name as NamespaceID looks in Cognos Configuration (CA11) and user name as you can find it in Cognos Connection. Something like this:

Domain\Lastname Firstname

The field in Edit Data Mart is case sensitive and space sensitive.

More Information:

https://www-01.ibm.com/support/docview.wss?uid=swg21679216

https://www.ibm.com/support/knowledgecenter/en/SS9S6B_10.4.1/com.ibm.swg.ba.cognos.ctrl_inst.doc/t_win_conf_cam.html

Product:
Cognos Controller 10.4.1
CONTRL_version=CCR-AW64-ML-RTM-10.4.1100.133-0
CONTRL_name=IBM Cognos Controller
Microsoft Windows 2012 Server

Problem:
How setup Cognos Controller Web with SSO?

Solution:
Ensure that SSO is working from your Cognos Controller client first, when you login.

Stop the Controller web services

Start NOTEPAD in ADMINISTRATOR mode, and open up the file C:\Program Files\IBM\cognos\ccr_64\fcmweb\wlp\etc\server.env

Change the JAVA HOME line to
JAVA_HOME=C:/Program Files/IBM/cognos/ccr_64/fcmweb/jre
Save the file.
Start a CMD prompt as ADMINISTRATOR, go to the folder C:\Program Files\IBM\cognos\ccr_64\fcmweb and enter below command:
SyncDBConf.bat     ..\Data     wlp\usr\shared\config\datasources

The number of database updated depend on the number of database you have setup in Cognos Controller
From notepad open file C:\Program Files\IBM\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web\com.ibm.cognos.fcm.web.properties

Change the lines to like this;
ccrwsUrl=http://win-ca.company.com/ibmcognos/controllerserver/ccrws.asmx
biUrl=http://win-ca.company.com/ibmcognos/bi/v1/disp
biDispatchEndpoint=http://win-ca.company.com:9300/p2pd/servlet/dispatch
loginMode=CAM

change win-ca to your controller/cognos analytics server.
Save the file.
Change the memory used by controller web by open from notepad file C:\Program Files\IBM\cognos\ccr_64\fcmweb\wlp\etc\jvm.options
You must test different values to find the best – maybe start with -Xmx12g
# Java Heap size.
# In production, setting min and max to same value can provide the best performance by avoiding heap expansion and contraction.
# But high min value increases startup time, which may be undesired in a dev environment.
-Xms2g
-Xmx4g

Save the file.
Start the Windows service IBM Cognos Controller Web

Open a new document in notepad – and paste in below text

<CRNenv c_cmd=”http://win-ca.company.com:9080/#!/CamLogin”>

<cookies>

<param name=”cam_passport”/>

</cookies>

</CRNenv>

save the file to C:\Program Files\ibm\cognos\analytics\templates\ps\portal\variables_CCRWeb.xml on your Cognos Analytics server.

On your Controller server open in NOTEPAD this file C:\Program Files\IBM\cognos\ccr_64\frontend\config.js

Change the hostname and publicInterface to your controller servers FQDN name e.g. win-ca.company.com
Save the file.
Start the Windows service IBM Cognos Controller Web UI

Surf to http://win-ca.company.com:9080/ to get into the Cognos Controller Web

Select your database and login.

Cognos Controller 10.4.1 only supports this versions

https://render-prd-trops.events.ibm.com/support/pages/downloading-ibm-cognos-controller-1041

You download CA11.0.13 that is part of the Controller package
IBM Cognos Controller 10.4.1 Microsoft Windows Multilingual CC0URML
IBM Cognos Analytics Limited Use 11.0.13 Microsoft Windows Multilingual CNV2WML
IBM Cognos Framework Manager 11.0.13 Microsoft Windows Multilingual CNV2EML
IBM Cognos Analytics Samples 11.0.13 Microsoft Windows Multilingual CNV2LML
Download PA if you are going to use the FAP service
IBM Planning Analytics 2.0.6 Microsoft Windows Multilingual CNWN1ML
IBM Planning Analytics Client 64-bit 2.0.6 Microsoft Windows Multilingual CNWN2ML
Download if you are going to use the PAX plugin to Excel
IBM Planning Analytics Workspace 2.0.6 Microsoft Windows Server 2016 Multilingual CNWN4ML
IBM Planning Analytics for Microsoft Excel 64-bit 2.0.6 Microsoft Windows Multilingual CNWN6ML

How to setup CA11 instructions here
https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/c_settinguptheenvironment.html
https://render-prd-trops.events.ibm.com/support/pages/how-install-cognos-analytics-111x

How to setup SSO with CA instructions here
https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.1.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_stp_sso_active_drctry_remote_user.html

How install CA samples
https://revelwood.com/installing-samples-cognos-analytics/

More Information:
https://www.ibm.com/support/pages/how-configure-controller-web-use-cognos-cam-authentication
https://www.ibm.com/support/knowledgecenter/en/SS9S6B_10.4.1/com.ibm.swg.ba.cognos.ctrl_inst.doc/t_contrweb_configure.html

https://www.ibm.com/support/pages/blank-empty-white-screen-when-launch-controller-web-inside-internet-explorer-typically-directly-application-server-caused-using-compatibility-view

How setup SSL with Controller Web

https://render-prd-trops.events.ibm.com/support/pages/how-configure-controller-web-use-ssl-https

Product:
Cognos Controller 10.4
Microsoft Windows 2016 server

Problem:
During reporting period when using data entry, one some forms, you get a message that the sheet is protected. When you try to unprotected it in excel you are ask for a password. This is a sign that the form is corrupt and need to be created again.

Error message:

Solution:

First open the form for edit, and then select standard colors, update layout, save layout.
Exit Excel and Cognos Controller. Then test again if the data entry form works.
In some cases you need to run optimize database from inside Cognos Controller.

If above does not work, then it may be faster for you to create a new data entry form. Go to Maintain – Form Structure – Define.
Create it with a new name, you can reused the rows definition, but most likely need to manually recreate the columns definition under new name. Save it and attach it to the right groups for linked structure. If it works, remove the old not working form, and rename this to the old name (make it easier for the users to use same name as before). You need to update the linked structure again.

More information:
https://www-01.ibm.com/support/docview.wss?uid=swg21666512
https://www-01.ibm.com/support/docview.wss?uid=swg21666563