Product:
Planning Analytics Workspace 2.0.9.3

PAA Agent Version 2.0.63.1420
Microsoft Windows 2019 server

Issue:
This request cannot be understood by the server. This might be because there is a problem with the syntax. Retry this action.

Above error when you in PAW click on Administration – Databases – Planning Sample – Configuration.

Solution:
The user who login to PAW need to be local Admin inside the TM1 instance, to be able to see and change the configuration (tm1s.cfg) from the PAW administration page.

Go into Tm1 Architect, open the TM1 instance, right click and select security – Clients/Groups:
Find your username, and mark that you are ADMIN.
Click OK.

The user can restart the TM1 instance from PAW, without being ADMIN inside the TM1 application.

More information:

https://www.ibm.com/docs/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/tm1_inst.pdf

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=workspace-monitor-administer-databases

 

Product:
Planning Analytics 2.0.9 TM1_version=TM1-AW64-ML-RTM-11.0.97.6-0
Cognos Analytics 11.1.7 Product_version=11.1 R7 (LTS)

Microsoft Windows 2019 server with CA11 and PA
Red Hat Linux with PAW

Issue:
How add SSL certificates to the Cognos servers?

Use the official documentation in the first place, this is only a suggestion.
This instruction may not cover all the steps you need to do.

ADD TM1 CERT TO CA11:
The TM1 certificate need to be added to the CA11 keystore once, to be able to run reports on TM1 data.
https://www.ibm.com/support/pages/configure-datasource-ibm-planning-analytics-20x-ibm-cognos-analytics-1106

Go to <Cognos Analytics installation>\jre\bin and execute ikeyman.exe as administrator

Select Open a key database file, and navigate to the cacerts keystore located in <Cognos Analytics installation>\jre\lib\security. As type select JKS.

On prompt enter password changeit

In the drop down, switch from Personal Certificates to Signer Certificates

On the right select Add

Browse for the certificate file ibmtm1.arm located in <Planning Analytics Install>\bin64\ssl.
On prompt enter an alias for the certificate in the keystore, exempli gratia: TM1Server.
Click OK
Exit ikeyman.

Suggested Solution:

Backup configuration and ssl and security folders before you do any changes.

SETUP CERTIFICATE FOR IIS:
Go to Internet Information Service Manager.
Select the server and click on Server Certificates icon.
Click Create Certificate Request.
Fill in the Distinguished Name properties, important that COMMON NAME is the servername.
Select “Microsoft RSA SChannel Cryptographic Provider” and Bit Length: 2048
Save the result in a request.txt file.
Send this request to your Certificate Authority, or if you use Microsoft CA, go to the website and click Certificate Request link. Mostly named “Request a certificate”.
Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Copy the text from you request.txt file and paste it into the Saved Request field.
Select “Web Server” in the Certificate Template dropdown.
Enter the DNS servername in Additional attributes, like SAN:dns=servername.domain.com
Click Submit.
Requesting for certificate in Windows 2012 – Deep Security (trendmicro.com)

In the Certificate Issued dialog you select Base 64 encoded.
Download the certificate  (certnew.cer) and the certificate chain.
In IIS manager go to “complete certificate request”
Select the cer file you got.
Enter the Friendly name to your servername:  servername.domain.com
Leave certificate store to be personal and click OK.

If this is a new server, you need to import the root and issuing certificates to the Trusted Root Certification Authorities tab inside Certificate Manager. To access Certificate Manager, click the Start button, type certmgr.msc in the search field, and click the Enter key. More info in link;

https://www.sslshopper.com/article-installing-an-ssl-certificate-in-windows-server-2008-iis-7.0.html

BIND CERT TO WEBSITE
Go to IIS Manager, select “Default Web site” and click on Bindings.
Click Add.
Select Type HTTPS and select your server certificate.

Click OK.
Remove the HTTP binding and any old HTTPS certificates.
Click Close.

Inside Cognos Configuration change Gateway URI to point to https://servername.domain.com:443/ibmcognos/bi/v1/disp
Inside TM1S.CFG file change ClientCAMURI to be the same (https://servername.domain.com:443/ibmcognos/bi/v1/disp)

Inside C:\ProgramData\Applix\TM1\tm1p.ini you may need to update; CognosGatewayURI = https://servername.domain.com:443/ibmcognos/bi/v1/disp

You may need to export a pfx file with the key value from inside Certificate Manager on your windows server, right click on servername in Server Certificate and select export.

CHANGE CA11 TO USE INTERNAL SSL
Stop the cognos service.
Inside Cognos Configuration, change to HTTPS on all points under environment tab.
Click on save in Cognos Configuration, this will create the new cert and place it in CA keystore.
Open a command prompt as administrator.
Go to folder d:\Program Files\ibm\cognos\analytics\bin and enter below command, to export the cert:

ThirdPartyCertificateTool.bat -E -T -p NoPassWordSet -r ca.cer

Go to certmgr.msc, go to Trusted Root Certification Authorities tab, right click to import the ca.cer certificate.

If you not already have done so, you need to export the root and indeterminate certificates from your IIS Cognos website. Open a web browser, and on the certificate click – view and then export for each cert.

IIS 10 Exporting/Importing SSL Certificates | digicert.com
Rename the certificate files to not have space in there names.
Copy the certificate files to your Cognos server folder d:\Program Files\ibm\cognos\analytics\bin
Open a command prompt as administrator and go to folder C:\Program Files\ibm\cognos\analytics\bin
Enter command to import (the order of import is crucial)
ThirdPartyCertificateTool.bat -i -T -r Root.cer -p NoPassWordSet
ThirdPartyCertificateTool.bat -i -T -r Issuing.cer -p NoPassWordSet
ThirdPartyCertificateTool.bat -i -T -r Servername.cer -p NoPassWordSet

Start Cognos BI.

Go to IIS Manager, select \ibmcognos\bi folder.
Click on URL Rewrite.
Click on Reverse Proxy rule.
Edit the rule to use HTTPS instead of HTTP.
https://servername.domain.com:9300/bi/{R:0}
Click apply in top right corner.
Exit IIS manager.

CHANGE TM1 TO USE SSL

Stop TM1 services.

Change TM1S.CFG to have;
ServerCAMURI=https://servername.domain.com:9300/p2pd/servlet/dispatch
ClientCAMURI=https://servername.domain.com:443/ibmcognos/bi/v1/disp

UseSSL=T
CAMUseSSL=T

Copy your ca.cer file to the Planning Analytics folder d:\Program Files\ibm\cognos\tm1_64\bin64\ssl;

Open a command prompt as administrator and go to folder C:\Program Files\ibm\cognos\tm1_64\bin64

Import to Tm1 admin server with command:

gsk8capicmd_64 -cert -add -db “d:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ibmtm1.kdb” -stashed -label caRoot -file “d:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ca.cer” -format ascii -trust enable

Open a command prompt as administrator and go to folder C:\Program Files\ibm\cognos\tm1_64\jre\bin

Import to Tm1 App Web (PMPSVC) server with command:
keytool.exe -import -trustcacerts -file “d:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ca.cer” -keystore “d:\Program Files\ibm\cognos\tm1_64\bin64\ssl\tm1store” -alias caRoot -storepass applix

Change the file D:\Program Files\ibm\cognos\tm1_64\webapps\pmpsvc\WEB-INF\configuration\fpmsvc_config.xml to have https at 3 places:

<external uri=”https://servername.domain.com:9510″/>

<gateway uri=”https://servername.domain.com:443/ibmcognos/bi/v1/disp”/>

<dispatcher uri=”https://servername.domain.com:9300/p2pd/servlet/dispatch”/>

Save the file.

Go to d:\program files\ibm\cognos\tm1_64\jre\bin and execute ikeyman.exe as administrator.
Open D:\Program Files\ibm\cognos\tm1_64\configuration\certs\CAMkeystore file as PKC$12 type.
Enter password NoPassWordSet.
Rename encryption to encryptionold.
Click Export/import button:
Mark Import Key.
Select your server pfx file and click OK.
Enter the password you got at the export of the pfx file.
Change label to encryption and click apply.

Switch to Signer Certificates.
Click Add.
Select your root.cer file from the file system and click OK.
Enter a name e.g. rootcert
Repeat for any intermediate certificates
Click Add.
Select your issuing.cer file from the file system and click OK.
Enter a name e.g. issuingcert

Click Add.
Select  D:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ibmtm1.arm file.
On prompt enter an alias for the certificate in the keystore, e.g. TM1Server.

Exit ikeyman program.
Use IKeyMan to Configure Custom SSL Certificates for TM1Web (ibm.com)

Open Cognos Configuration for TM1 (planning analytics).
Add the StandaloneCertificateAuthority property under the Local Configuration > Advanced Properties
section and set it to True.

Under Environment change Gateway URI to
https://servername.domain.com:443/ibmcognos/bi/v1/disp
and Content Manger URI to
https://servername.domain.com:9300/p2pd/servlet

Under TM1 Applications change TM1 Application Server gateway URI to
https://servername.domain.com:9510/pmpsvc
and change External server URI to
https://servername.domain.com:9510
and change TM1 Application Server Dispatcher URI to
https://servername.domain.com:9510/pmpsvc/dispatcher/servlet

Under Security > Cryptography > Cognos set Use third party CA? to True.

Save and start TM1 services.

If this is a new installation, you need to update the d:\Program Files\ibm\cognos\analytics\webcontent\bi\planning.html and d:\Program Files\ibm\cognos\analytics\webcontent\bi\tm1\web\tm1web.html files with HTTPS.

SETUP OF SSL FOR NEW TM1WEB

Copy your previous created pfx file (that contain the hole chain of certificates) to folder d:\Program Files\ibm\cognos\tm1web\bin64\ssl.

Stop the IBM Planning Analytics Spreadsheet Service.
Open d:\Program Files\ibm\cognos\tm1web\wlp\usr\servers\tm1web\server.xml.new in notepad++.
Update this row to set your https port
<httpEndpoint id=”defaultHttpEndpoint” httpPort=”-1″ httpsPort=”9511″ host=”*” removeServerHeader=”true”>
</httpEndpoint>
Add this row to point out the certificate pfx file to use
<keyStore id=”defaultKeyStore” location=”${wlp.user.dir}/../../bin64/ssl/cert.pfx” password=”cognos” />
Change cognos to the password you have for your pfx file.
Save the file as server.xml
In a command prompt go to folder d:\Program Files\ibm\cognos\tm1web\jre\bin
Enter this command to import the standard TM1 server cert to the new keystore
keytool -importcert -keystore ..\..\bin64\ssl\cert.pfx -storepass cognos -storetype pkcs12 -noprompt -alias ibmtm1 -file ..\..\bin64\ssl\ibmtm1.arm

Copy your Root and Intermediate certificate files to your \tm1web\bin64\ssl\ directory

Import the Root and Intermediate certificates with this command:
keytool.exe -import -trustcacerts -file “..\..\bin64\ssl\root.cer” -keystore “..\..\bin64\ssl\tm1store” -alias ca -storepass applix
keytool.exe -import -trustcacerts -file “..\..\bin64\ssl\issuing.cer” -keystore “..\..\bin64\ssl\tm1store” -alias intca -storepass applix

CER or PEM files should both work.

Start your IBM Planning Analytics Spreadsheet Service.

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=itw-configure-ssl-new-deployments-planning-analytics-tm1-webspreadsheet-services

You need to browse to you TM1 APP WEB (https://servername.domain.com:9510/pmpsvc) application, and click on Administration icon. Mark the TM1 Application Web client row, and click on edit.
Change the thinclient URL to be https://servername.domain.com:9511/tm1web/Contributor.jsp.
Click OK and OK, to exit the settings.

REQUEST SSL FROM LINUX PAW

Connect to your Linux server with PUTTY program.
Stop your paw with command: sudo ./paw.sh stop
Go to your /data/ibm/paw63 folder.
Run below command to request a certificate:
sudo openssl req -newkey rsa:2048 -nodes -keyout privatekey.pem -out paw.csr
Answer the questions, and you have your file.
Copy the paw.csr file to your CA authority, or IIS website, and repeat previous process to get a certificate. Save the file as Base 64 encoded certificate chain.

SETUP SSL FOR PAW
Copy your certnew.p7b file to linux server folder /data/ibm/paw63.

Copy your private key to a new pem file:
sudo cp privatekey.pem pa_workspace.pem
Change access to files with command:
sudo chmod 777 pa_workspace.pem

Add the certificates to the pem file:
sudo openssl pkcs7 -print_certs -in certnew.p7b >> pa_workspace.pem
Erase the not needed lines, with servernames etc, in the pem file:

sudo nano pa_workspace.pem

-----END CERTIFICATE-----  
-----BEGIN CERTIFICATE----- 

Copy the pa_workspace.pem file to the config folder:
sudo cd /data/ibm/paw63/config
sudo mv pa-workspace.pem pa-old-workspace.pem
sudo cp /data/ibm/paw63/pa_workspace.pem pa-workspace.pem

Add lines to paw.env file:

sudo nano paw.env

add this lines

export EnableSSL=true

export ServerName=pawservername.domain.com

also change to HTTPS instead of HTTP, in lines like export TM1ApplicationsLocation=”https://servername.domain.com:9511″

Save the file.
Copy the ca.cer, issuing.cer and root.cer files to folder /data/ibm/paw63/config/certs.
Go to the scripts folder
sudo cd /data/ibm/paw63/scripts
Run the process to import the certificate in the paw keystore:
sudo ./process_certs.sh

Start paw with command:
sudo ./paw.sh

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=servers-configure-tls-planning-analytics-workspace-local

If this is a new installation, you need to update D:\Program Files\ibm\cognos\analytics\webcontent\bi\pmhub.html file with HTTPS values.

// Update the following to point to the location of the pmhub service(s)
var pmhubURLs = [“https://pawservername”,”https://pawservername.domain.com”];

 

IMPORT CA CERT TO FRAMEWORK MANAGER
Open a cmd prompt as administrator.
Go to “C:\Program Files (x86)\ibm\cognos\fm\bin\” folder.
Copy the ca.cer file to the same folder.
Enter this command:
ThirdPartyCertificateTool.bat -i -T -r ca.cer -p NoPassWordSet

More information:

Securing Jupyter Notebook Server – IBM Documentation

https://www.ibm.com/support/pages/configure-datasource-ibm-planning-analytics-20x-ibm-cognos-analytics-1106

https://www.ibm.com/support/pages/how-configure-ssl-planning-analytics-web-tier-using-gskit-using-existing-signed-certificate

TM1WEB, an error has occurred when using TLS

Product:
Planning Analytics 2.0.9.7
Planning Analytics Workspace 63
Microsoft Windows 2019 server

Issue:
In PAW, when you create a new book, and insert a Websheet from a TM1 application, you only get a blank box after a long time. This is in a new installation, where you are using the new TM1WEB service (IBM Planning Analytics Spreadsheet Services).

Solution:

You need to in IBM Planning Analytics Workspace Administration Tool ensure that the TM1 Application Server Gateway URI point to the new TM1WEB server and it correct port.

Change and save. Then restart the PAW from inside the status tab.

If you click validate you will still get the 404 error on this line, this is OK, as they validate try to find pmhub parts that is not in PAL at this later versions.

This value is also in the paw.env file, on your PAW linux server. You can edit direct in the file, too.

Change value export TM1ApplicationsLocation=”https://yourservername.domain.com:9511″
The file is in your /ibm/paw/config folder.

Stop PAW with command (from your /paw/scripts/ folder):

sudo ./paw.sh stop

Check if PAW is stopped with command:

sudo docker ps

Start PAW with command:

sudo ./paw.sh

Wait 10 min before you test to browse, to your paw installation in chrome.

More information:

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=web-install-configure-tm1-microsoft-windows

https://www.ibm.com/support/pages/http-404-error-not-found-during-validation-admin-tool-whereas-tm1-application-server-seems-work-properly

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=tpal-how-do-i-fix-my-planning-analytics-workspace-local-installation

Product:
Planning Analytics 2.0.9
Cognos Analytics 11.1.7
Microsoft Windows 2019 server

Issue:
After import of the full content store to a new installed Cognos server, the icons for Tm1 App Web (PMPSVC) is not working.

Solution:
The old Cognos BI 10 solution may have used SKINS for the users.
Check the old server in folder d:\program files\ibm\cognos\c10_64\webcontent\skins for any unique folders that you do not have in your new cognos server. Copy that unique folder over to d:\program files\cognos\tm1_64\webapps\pmpsvc\skins folder.
Looks like the new TM1 needs the old custom skins files to work.

You can also click on icon for My Preferences and change Style to “modern” and click OK.

Below the default style skins that come with the product. If you have more folders in your Cognos BI installation, then they should be copied over to the new cognos server.

More information:
Inside Cognos Analytics – Administrator page – if you are only see text and miss the icons and color, it is possible the same issue, you need to copy the company unique skins folder to the new server.

https://www.cognoise.com/index.php?topic=32055.0

What you’re seeing is related to content (images and css files) not being found.
The person who has selected a custom skin as their default will get this.

If your custom skin is named MyCustomSkin, which doesn’t exist on the Cognos Analytics server.

On the Cognos Analytics server…
Copy <install_location>\webcontent\skins\corporate to <install_location>\webcontent\skins\MyCustomSkin.
Copy <install_location>\webcontent\bi\skins\corporate to <install_location>\webcontent\bi\skins\MyCustomSkin.

No restart is required. Once these are in place, the browser will find the styles and images and Cognos Analytics will be functional and more aesthetically pleasing.

https://www.ibm.com/support/pages/changing-skins-cognos-8-cognos-connection

https://www.ibm.com/support/pages/unable-see-icons-banner-tm1-contributortm1-applications

Product:
Planning Analytics 2.0.97  (file tm1_winx64h_2.0.97.6_ml.tar)
(TM1_version=TM1-AW64-ML-RTM-11.0.97.6-0)
Microsoft Windows 2019 server

Issue:
Error when installing PA on Windows server.

Solution:

Uninstall Planning Analytics.

Go to control panel – administrative tools – services.

Go to Printer Spooler service, right click and select properties and change it to Automatic.

Click to start the Printer Spooler.

Run the installation of Planning Analytics again.

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=configuration-installing-planning-analytics-local-single-computer

More information:

https://www.ibm.com/support/pages/tm1-install-generates-error-message-enummonitorsfailed-error-1722

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=features-whats-new-in-planning-analytics

https://www.ibm.com/support/pages/ibm-planning-analytics-local-2097-now-available-download-fix-central

Product:
Planning Analytics 2.0.9

Microsoft Windows 2019 server

Problem:
How to stop a TM1 instance from other computer?

Suggested Solution:

Enter below in notepad++ and save as a powershell script named tm1script.ps1

#REM powershell script
#REM enter first the command then the tm1 instance
#REM Get-Service -ComputerName computername -Name servicename | Start-Service

#REM get the server name from a text file that you prepare before
$computers = Get-Content c:\temp\servers.txt

#REM get the command parameters
$action = $args[0]
$tm1instance = $args[1]

#REM if stop do this else do that
If ($action -eq “stop” )
{Get-Service -Computername $computers -Name $tm1instance | Stop-Service }
ElseIf ($action -eq “start” )
{Get-Service -Computername $computers -Name $tm1instance | Start-Service }

#REM if none of above, then enter a line in windows event log
Else
{
write-eventlog -Computername $computers -logname Application -source EventSystem -eventID 1000 -message “something else happened.”
}

Create a text file with the servername for the windows server that you have tm1 installed on.

Place the text file in c:\temp folder on the computer where you want to run the script.

The account running the script need to be administrator on the target host machine to be able to connect and stop windows services.

Enter command: ./tm1script.ps1  stop “planning sample”

The tm1 instance need to be inside ” when it have a space in the name.

More information:

PowerShell Basics: ElseIf Statement

https://learn-powershell.net/2012/01/15/startingstopping-and-restarting-remote-services-with-powershell/

https://ss64.com/ps/write-eventlog.html

Product:
Planning Analytics 2.0.9
Cognos Controller FAP service 10.4.2
Microsoft Windows 2019 server

Problem:
I want my tm1 developer be able to restart the Cognos Controller FAP service without login to the Windows server.

Suggested Solution:
Create two batch files (cmd) to run to start and stop of the FAP service.
Place the batch files in folder c:\scripts on the server where you have both Tm1 instance and FAP service installed.
Then create TI process to call the batch (cmd) files.

Enter below in notepad and save as STARTFAP.CMD

ECHO OFF
REM program to start fap service
REM https://ss64.com/nt/sc.html
REM print — to file
echo ———— >> “c:\Program Files\ibm\cognos\ccr_64\Server\FAP\fapstart.txt”
REM start the service
SC start “IBM Cognos FAP Service”
REM SC start “sdata”
REM print time to file
echo FAP STARTED >> “c:\Program Files\ibm\cognos\ccr_64\Server\FAP\fapstart.txt”
echo %date% %time% >> “c:\Program Files\ibm\cognos\ccr_64\Server\FAP\fapstart.txt”

Enter below in notepad and save as STOPFAP.CMD

ECHO OFF
REM program to stop fap service
REM https://ss64.com/nt/sc.html
REM print —- to file
echo ——— >> “c:\Program Files\ibm\cognos\ccr_64\Server\FAP\fapstart.txt”
REM stop the service
SC STOP “IBM Cognos FAP Service”
REM SC STOP “sdata”
REM print time to file
echo FAP STOPPED >> “c:\Program Files\ibm\cognos\ccr_64\Server\FAP\fapstart.txt”
echo %date% %time% >> “c:\Program Files\ibm\cognos\ccr_64\Server\FAP\fapstart.txt”

Test the files by run them from a administrator command prompt. Check that the log file fapstart.txt is created.


Set the “IBM Cognos FAP service” to Manual.
Start TM1 architect and create a new TI process, enter below text, and save as FAPSTOP

Then create other TI process, enter below text, and save as FAPSTART

Ensure you use correct ‘ or ” at the difference places.

If you share your FAP folder as FAP$ , on the windows server, to the TM1 developer group, then they can check both the error.log file and your fapstart.txt log file.

More information:
https://www.tm1forum.com/viewtopic.php?t=12599

https://www.toolbox.com/tech/big-data/question/run-an-external-command-from-tm1-052112/  

https://www.ibm.com/support/pages/how-perform-fap-reset-sequence-re-synchronise-controller-data-publishing-tm1

https://www.ibm.com/support/pages/safe-method-restart-tm1-servers-ensure-it-does-not-break-controller-fap-publish

Product:
Planning Analytics 2.0.9.3
Microsoft Windows 2019 server

Problem:
After SSL setup in TM1WEB, then TM1WEB does not list any TM1 servers to connect to.
In TM1 APP WEB (pmpsvc) when you click on a contributor link you get a “an error has occurred”.

TM1 applications should use the internal Cognos certificate, ibmtm1.arm.

Please follow the official documentation, as it changes with every new version of PA.

Possible Solution:

As TM1Web is using a new keystore, you must include the TM1 Server certificates in the keystore file or you will be unable to see your TM1 Servers, point to that the SSL CERT import failed.

Redo the setup from; but first take a backup of all keystores files you use.

https://www.ibm.com/support/pages/how-configure-ssl-ibm-planning-analytics-spreadsheet-services-using-existing-keystore

If you got a PFX file with the certificate chain and key as you need you can use it to setup SSL.

For PMPSVC do this;
Start IKEYMAN.EXE as administrator from C:\Program Files\ibm\cognos\tm1_64\jre\bin folder
Open CAMkeystore file from C:\Program Files\ibm\cognos\tm1_64\configuration\certs folder
It is a PKCS12 file with password  NoPassWordSet

In Personal Certificates remove the encryption certificate
As you already have a correct PFX file, you click on IMPORT button.
Select you PFX file and enter the password you got with the PFX file from the Certified Authority who created the PFX for you.

You will be asked to rename the personal certificate, enter encryption and press OK.
Go then to Signer Certificates and check that you have also got the root and  intermediate certificates for your server. Double click on the certificates to check they have correct date and DNS alias.

You may need to import the \bin64\ssl\ibmtm1.arm file again as Signer Certificates.
Close IKEYMAN.

Go into Cognos Configuration for Planning Analytics (TM1).
Edit the TM1 Applications Properties.  Update all URI references to contain your fully qualified address, as well as change the http to https.
Edit the Local Configuration properties.  Add the property StandaloneCertificateAuthority and set it to True.

Edit the Cryptography > Cognos properties.  Change the Use third party CA? to True.
Save the Cognos configuration for Planning Analytics (TM1).
Start the TM1 service.

For new TM1WEB:

Export the Root and Intermediate certificates from your web browser, by go to the cognos site, and then select each certificate and save them as Base-64 encoded X.509 cer files.
Stop IBM Cognos TM1 service.
Copy the PFX file you got to C:\Program Files\ibm\cognos\tm1web\bin64\ssl folder

Open C:\Program Files\ibm\cognos\tm1web\wlp\usr\servers\tm1web\server.xml in notepad++
Update the ports you want to use, here 9510 for SSL and enter -1 to disabled HTTP.
<httpEndpoint id=”defaultHttpEndpoint” httpPort=”-1″ httpsPort=”9510″ host=”*” removeServerHeader=”true”>

Add as last line:
<keyStore id=”defaultKeyStore” location=”${wlp.user.dir}/../../bin64/ssl/customKeystore.pfx” password=”xxxxthepasswordxxxx” />

Replace with your PFX file name and the password for that file.
Go to C:\Program Files\ibm\cognos\tm1web\jre\bin\ in a DOS prompt.

Import the TM1 cert with command:
keytool -importcert -keystore ..\..\bin64\ssl\customKeystore.pfx -storepass xxxxthepasswordxxxx -storetype pkcs12 -noprompt -alias ibmtm1 -file ..\..\bin64\ssl\ibmtm1.arm

Copy your Root and Intermediate certificate files to your \tm1web\bin64\ssl\ directory

Import the Root and Intermediate certificates with this command:
keytool.exe -import -trustcacerts -file “..\..\bin64\ssl\ca.cer” -keystore “..\..\bin64\ssl\tm1store” -alias ca -storepass applix
keytool.exe -import -trustcacerts -file “..\..\bin64\ssl\intermediate.cer” -keystore “..\..\bin64\ssl\tm1store” -alias intca -storepass applix

CER or PEM files should work both. Now the new tm1store is updated with your root certs.

Start your IBM Planning Analytics Spreadsheet Service

Test to browse to https://paservername.domain.com:9510/tm1web

Check for errors in file C:\Program Files\ibm\cognos\tm1web\wlp\usr\servers\tm1web\logs\console.log

More information:

https://www.ibm.com/support/pages/use-ikeyman-configure-custom-ssl-certificates-tm1web

https://www.ibm.com/support/pages/how-configure-ssl-ibm-planning-analytics-spreadsheet-services-using-existing-keystore

https://www.ibm.com/support/knowledgecenter/SSVJJU_6.3.0/com.ibm.IBMDS.doc/admin_gd175.htm

https://www.sslshopper.com/ssl-converter.html

To check a PFX file;

One your laptop install openssl from here https://github.com/git-for-windows/git/releases/tag/v2.23.0.windows.1 – get the file Git-2.23.0-64-bit.exe. Run the installation with all default values.

Start a command prompt as administrator. Go to folder C:\Program Files\Git\mingw64\bin

openssl  pkcs12  -in  c:\temp\customKeystore.pfx -out  c:\temp\good.pem  -nodes

Open good.pem  in notepad++ to check it contains 4 certificates.

The PEM format is the most common format that Certificate Authorities issue certificates in. PEM certificates usually have extensions such as .pem, .crt, .cer, and .key. They are Base64 encoded ASCII files and contain “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–” statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.

Product:
Planning Analytics 2.0.9
Microsoft Windows 2019 Server

Problem:
How many PVU is the CPU on my virtual TM1 server?

You can in Task Manager on the CPU tab, see number of sockets and number of cores.

Solution:
Check the number of sockets, if is less than or equal too 2 then each CPU CORE is 70 points.

In some cases the Windows 2019 task manager does not show correct number of sockets, so check the server hardware – what server are you running the virtual servers on? Then check that hardware, what number of sockets they have. For example, if you have a HPE ProLiant BL460c Gen9 server, check here

https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c04434541

says it are Upgradeable to two (2) processors. Then we assume it have 2 sockets max.
This mean that each cpu core in task manager is 70 pvu points.
A windows server with 4 cpu cores will then be 280 pvu points.

Check your contract for lines like this;  IBM Planning Analytics Local TM1 Server for Non-Production Environment Processor Value Unit (PVU) Annual SW Subscription & Support Renewal to see how many PVU points you can spend on your server.

More Information:
https://www.ibm.com/software/passportadvantage/pvu_licensing_for_customers.html

https://infocube.com.au/ilmt

https://lodestarsolutions.com/what-the-heck-is-an-ibm-cognos-pvu

Product:
Planning Analytics Workspace 2.0.
Linux Red Hat 7

Problem:
After change/crash of PAW, the system is starting but user can not login. They get the message “Planning Analytics Workspace is unavailable. Try again in a few minutes”
On the Linux server you run command to check that all containers are up, and they all show the same number of seconds to be up. This make it look like the PAW is working.
sudo docker ps

If you check the logs for a container, with below command, you can see if there are any errors giving more information.

sudo docker logs share-platform

cp: failed to extend ‘bootstrap.properties’: No space left on device

cp: error writing ‘bootstrap.properties’: No space left on device

Check the date before in log file, above can be a fill up disk of log files that have crashed the PAW before.

Check space with command: df -h

sudo docker logs pa-gateway

This may show AH01114: HTTP: failed to make connection to backend: share-platform, that tell us that it does not speak with the share-platform container, who had a problem before.

Solution:

Recreate the images, they can have been corrupted of the space outage you had earlier. This may remove the books you have inside PAW, so take a backup first by run script /ibm/paw/scripts/backup.sh to create a backup file under backup folder.

Go to the /ibm/paw/scripts folder on Linux server. Enter below command to stop PAW

./paw.sh stop

Backup the config folder and it sub-folders;   cp -ivR config  /tmp/cognos  (will copy all files in config folder to /tmp/cognos folder)

Kill all running containers
docker kill $(docker ps -q)
Delete all stopped containers
docker rm $(docker ps -a -q)
Delete all images
docker rmi $(docker images -q)

Then go to the PAW folder of your installation on the Linux server and run start.sh to create the images/containers from scratch.

./Start.sh

Answer YES on both questions.

You can in Linux test that the PAW is up by entering command (replace with your server DNS alias):

curl -k https://planningworkspaceserver.domain.com

this will return the html page as plain text – check for errors.

More Information:
https://www.ibm.com/support/pages/troubleshooting-planning-analytics-workspace-related-docker-issues

https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_paw_trbl_cant_access_paw.html

https://www.ibm.com/support/pages/unable-access-ibm-planning-analytics-workspace

https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/t_paw_uninstall.html

To limit docker log files you can edit the daemon.json file in folder /etc/docker

This sample configuration will limit the json log files to 10 megabytes, and will only keep the 5 most recent logs:

{

“log-opts”: {

“max-size”: “10m”,

“max-file”: “5”

}

https://ss64.com/bash/cp.html