Cognos Planning Analytics Workspace version 36
CentOS Linux

How to upgrade PAW?

Download the latest version from

First, check that there is enough free space on your Linux box with the command df -h

Create a new folder for your new software
cd /
mkdir ibm
cd ibm
mkdir paw36

Copy the software over to the Linux box with WinSCP.

Place the zip file in folder /ibm/paw36.
Unzip the file with the command:
unzip -d /ibm/paw36

Go to the scripts folder of the existing installation (/ibm/paw/scripts/) and run a backup with the command:

Copy the paw.env file from your current installation to the new installation location.
cp /ibm/paw/config/paw.env  /ibm/paw36/config/paw.env

Copy the /config/certs directory from your current installation to the new installation location.
cp /ibm/paw/config/certs/*.* /ibm/paw36/config/certs/

If you use SSL and have saved the certificate in the pa-workspace.pem file, you need to copy that from your current installation to the new installation location.
cd /ibm/paw36/config
mv pa-workspace.pem  pa-org-workspace.pem
cp  /ibm/paw/config/pa-workspace.pem  pa-workspace.pem

If you have changed the old file, you need to add the same values to the new file.
Open in Nano, add the IP address of the Linux server as ADMINTOOL_IP, and add the folder where docker-compose is located to the PATH with the command PATH=$PATH:/ibm/comp/
cd /ibm/paw
Enter values like:
export PATH=$PATH:/ibm/comp/
Press CTRL+O and then ENTER to save the file.
Press CTRL+X to exit.

Change the path above to the folder where docker-compose is saved.

You may need to update the access rights on the new files with the command:
cd /ibm/paw36
chmod 744 *.*
to give the owner full access and all other users read access to the files.

Stop the running PAW with the command:
cd /ibm/paw/scripts
./ stop

Go to the new folder with the command:
cd /ibm/paw36

Start the installation by enter

Enter “y” when you are prompted to install the Docker images. Enter “y” when you are prompted to open the administration tool.

Start Internet Explorer on your laptop and surf to the Linux server on

Inside the Planning Analytics Workspace administration tool, check that all URLs to CA11 and TM1 are correct.

Some values need to be entered again on the configuration tab; enter them and save.

Click Validate.
Click Status.
Click Restart.
Wait until CPU is below 1%.
Click Refresh.

Then surf to HTTP://

Normally the Docker containers and images are in the folder /var/lib/docker

The daemon.json file is in the folder /etc/docker

NOTE: To avoid having too many PAW folders, which makes it hard to know which folder is in use, do the opposite: rename the old folder /ibm/paw to /ibm/pawold. Create the new folder /ibm/paw. Copy the new zip file to that folder and unpack it. Then copy the needed config files from /ibm/pawold to the /ibm/paw folder (as listed above). Then start the installation (upgrade) from /ibm/paw/

Cognos Analytics 11.0.12
Microsoft Windows 2016 server

How to limit login to Cognos Connection to only certain groups in LDAP (Active Directory)?

Use the LDAP connector in Cognos Configuration, and allow users to log in only if they belong to one of two CNs.
The “User Lookup” property is used when you do not use SSO and let the BI server (CA11) prompt the user for the user name and password. Change it to include the groups that the person must be a member of to be able to log in. Below is an example of how it can look:

(&(|(legacyuid=${userID})(uid=${userID}))(status=ACTIVE)(|(memberof=cn=Cognos_TM1_Contributor,cn=Cognos Groups,cn=UserGroups,ou=Global,,cn=Cognos Groups,cn=UserGroups,ou=Global,

“External identity mapping” is only used when you use SSO from IIS to log in to the BI server (CA11). You should change it to cover the same groups as the User Lookup filter, so that login behaves the same whether SSO is used or not.

(&(|(legacyuid=${replace(${environment("REMOTE_USER")},"CompanyA\\", "")})(uid=${replace(${environment("REMOTE_USER")},"CompanyA\\", "")}))(status=ACTIVE)(|((memberof=cn=Cognos_TM1_Contributor,cn=Cognos Groups,cn=UserGroups,ou=Global,,cn=Cognos Groups,cn=UserGroups,ou=Global,

In the lines above, a user who is a member of the group Cognos_TM1_Contributor or Cognos_TM1_Modeler in LDAP can log in to Cognos. This is useful if you have a CA11 server setup that only authenticates users who should use TM1 (Planning Analytics 2.x).

Check that the user is active in LDAP

Compare the userid with the LDAP field Legacyuid

You have to change cn= and ou= values to match your LDAP setup.

The Base Distinguished Name should be the root of the LDAP directory.
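
The logic of the User Lookup filter above, as an added example that is not part of the original post and not Cognos code: a small and/or/equality filter evaluator stands in for the LDAP server and is run against constructed entries. The dc=example,dc=com suffix, the sample users and the function names are assumptions; the login name is escaped per RFC 4515 so it stays a single value inside the filter.

```python
import re
# Constructed placeholder suffix: the DN on the page is truncated, so dc=example,dc=com is assumed.
BASE = "cn=Cognos Groups,cn=UserGroups,ou=Global,dc=example,dc=com"
GROUPS = ["cn=Cognos_TM1_Contributor," + BASE, "cn=Cognos_TM1_Modeler," + BASE]

def escape_value(value):
    """Escape RFC 4515 special characters so a login name cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def user_lookup_filter(user_id):
    """Build the User lookup filter with the login name substituted for ${userID}."""
    uid = escape_value(user_id)
    members = "".join("(memberof=%s)" % g for g in GROUPS)
    return "(&(|(legacyuid=%s)(uid=%s))(status=ACTIVE)(|%s))" % (uid, uid, members)

def parse(f, i=0):
    """Parse the filter that starts at f[i] == '('; return (node, index after it)."""
    if f[i + 1] in "&|":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate and/or/equality nodes against one entry (attribute -> list of values)."""
    if node[0] in "&|":
        results = [matches(kid, entry) for kid in node[1]]
        return all(results) if node[0] == "&" else any(results)
    return node[2] in [v.lower() for v in entry.get(node[1], [])]

def may_login(user_id, directory):
    tree, _ = parse(user_lookup_filter(user_id))
    return [name for name, entry in directory.items() if matches(tree, entry)]

# Constructed sample entries, not taken from any real directory.
DIRECTORY = {
    "anna": {"uid": ["anna"], "status": ["ACTIVE"], "memberof": [GROUPS[0]]},
    "bo": {"uid": ["bo"], "status": ["ACTIVE"], "memberof": ["cn=Other," + BASE]},
    "cy": {"uid": ["cy"], "status": ["INACTIVE"], "memberof": [GROUPS[1]]},
    "dee": {"uid": ["dee"], "legacyuid": ["d001"], "status": ["ACTIVE"], "memberof": [GROUPS[1]]},
}

if __name__ == "__main__":
    print({login: may_login(login, DIRECTORY) for login in ("anna", "bo", "cy", "d001")})
```

Only anna and dee (via her legacyuid d001) are selected; bo is in neither group and cy is not ACTIVE.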

How to set up LDAP (from the web)
In every location where you installed Content Manager, open IBM Cognos Configuration.
In the Explorer window, under Security, right-click Authentication, and then click New resource > Namespace.

In the Name box, type a name for your authentication namespace. LDAP
In the Type list, click the appropriate namespace and then click OK.

The new authentication provider resource appears in the Explorer window, under the Authentication component.
In the Properties window, for the Namespace ID property, specify a unique identifier for the namespace. Should be same as namespace name.
Specify the values for all other required properties to ensure that IBM Cognos components can locate and use your existing authentication provider.
If you want the LDAP authentication provider to bind to the directory server by using a specific Bind user DN and password when you perform searches, then specify these values.

If no values are specified, the LDAP authentication provider binds as anonymous.

If external identity mapping is enabled, Bind user DN and password are used for all LDAP access. If external identity mapping is not enabled, Bind user DN and password are used only when a search filter is specified for the User lookup property. In that case, when the user DN is established, subsequent requests to the LDAP server are run under the authentication context of the user.
If you do not use external identity mapping, use bind credentials for searching the LDAP directory server by doing the following step:
Ensure that Use external identity is set to False.
Set Use bind credentials for search to True.
Specify the user ID and password for Bind user DN and password.

If you do not specify a user ID and password, and anonymous access is enabled, the search is done by using anonymous.
Check the mapping settings for the required objects and attributes.

Depending on the LDAP configuration, you may have to change some default values to ensure successful communication between IBM Cognos components and the LDAP server.

LDAP attributes that are mapped to the Name property in Folder mappings, Group mappings, and Account mappings must be accessible to all authenticated users. In addition, the Name property must not be blank.
From the File menu, click Save.
Test the connection to a new namespace. In the Explorer window, under Authentication, right-click the new authentication resource and click Test.

You are prompted to enter credentials for a user in the namespace to complete the test.

Depending on how your namespace is configured, you can enter either a valid user ID and password for a user in the namespace or the bind user DN and password.

More information:

To bind a user to the LDAP server, the LDAP authentication provider must construct the distinguished name (DN). If the Use external identity property is set to True, it uses the External identity mapping property to try to resolve the user’s DN. If it cannot find the environment variable or the DN in the LDAP server, it attempts to use the User lookup property to construct the DN.

Planning Analytics Workspace 35
Linux Red Hat

You have no access to PAW, and a restart of the Docker containers with the commands  ./ stop  and  ./  did not help.

If you click “validate” inside the Workspace administration page, you get Error getaddrinfo ENOTFOUND on all the server links.

Error Message:
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET.
Reason: DNS lookup failure for: wa-proxy

Restart the Linux box.
Log in to the Linux server with PuTTY.
Change to the root user with the command:
sudo su - root
Restart the Linux server with the command:
init 6

Try again after a few minutes.

Cognos Analytics 11.0.12
Microsoft Windows server 2016

When a user creates a new report and wants to add a picture, the default folder is the old /samples/images, but in CA11 the new folder is /webcontent/bi/images in most cases.

Suggested solution:
The default value of the Image picker tool in Report Studio of CA11 is stored in a JS file.
For version 11.0.12 that file is _WEK_async.js
Copy the file _WEK_async.js from the gateway server at c:\Program Files\ibm\cognos\analytics\webcontent\bi\pat\dialogs to your laptop.
Open the file _WEK_async.js in NOTEPAD++

Change the first occurrence of “../sample/images/” to “../images/” and save the file.
Rename the original _WEK_async.js to
Copy your new _WEK_async.js file to the folder on the gateway server c:\Program Files\ibm\cognos\analytics\webcontent\bi\pat\dialogs

Start a new browser session from your laptop.
Under Internet Options, clear the cache and cookies before you test again.

Surf to your https://cognosanalyticsserver/ibmcognos/bi/v1/disp
Start a new report.
Choose the blank Layout template.
Expand the image tool on the left side and double-click it to add it to the report.
Double-click the icon and the default folder should be ../images.

If it does not work, try restarting the Internet Information Server:
Go to the Windows gateway server via RDP.
Start a DOS prompt as administrator.
Enter IISRESET to restart the IIS services.

How to find the json file
In future versions of CA11, this value is stored in a different file.
Start an IE browser, press F12, select NETWORK and start capturing. Surf to your CA11 website and create a new report.
Then, when you open the image dialog, the file it is using appears among the first lines in the list of files in the IE debug window.

Cognos Analytics 11.0.12
Microsoft Windows Server 2016

When you open the administration tab from Cognos Connection in CA11 and click the System link on the left in IBM Cognos Administration, you see only the spinning wheel and the text “Working…” for a long time.

Error message:


Suggested solution:
Stop the IBM Cognos services, and start them slowly in the correct order, to make sure that they come up correctly.


More information:

Order to Restart Cognos and TM1 Servers

Cognos Analytics 11.0.12
Microsoft Windows Server 2016

After a reboot the Cognos BI Service does not start.

Error message in Cognos Configuration:
CFG-ERR-0103 Unable to start IBM Cognos service. Execution of the external process returns an error code value of ‘-1’.

The error message in Windows services when starting is that the password is wrong.

Possible solution:
A group policy has removed the service account for Cognos from the local Windows policy
“Log on as a Service”. Add the Cognos Windows service account back to the group.
Go to Control Panel – Administrative Tools.
Go to Local Security Policy.
Expand Security Settings – Local Policies – User Rights Assignment.
Click on Log on as a service.
Click Add user or group.
Add your user, and click OK all the way.

Or you can enter the password again; then it will be automatically added to the group.


Cognos Analytics 11.0.12
Microsoft Windows Server 2016
Oracle 12 Database

After changing the IBM Cognos service to use a Windows service account instead of Local System, the Cognos Analytics service does not start.

Error Message:
15:42:12, ‘LogService’, ‘StartService’, ‘FAILED’.
15:42:12, ‘LogService’, ‘StartService’, ‘Success’.
15:42:12, CAF-WRN-0010 CAF input validation enabled.
15:42:12, CAF-WRN-0021 CAF Third Party XSS checking disabled.
15:42:17, ‘ContentManager’, ‘getActiveContentManager’, ‘Failure’.
DPR-CMI-4006 Unable to determine the active Content Manager. Will retry periodically.
15:42:17, CM-CFG-5063 A Content Manager configuration error was detected while connecting to the content store. CM-CFG-5036 Content Manager failed to connect to the content store. The connection string is “”. The error encountered is: “ORA-00604: error occurred at recursive SQL level 1 ORA-12705: Cannot access NLS data files or invalid environment specified ” Cause: ORA-00604: error occurred at recursive SQL level 1 ORA-12705: Cannot access NLS data files or invalid environment specified Stack trace: java.sql.SQLException: ORA-00604: error occurred at recursive SQL level 1 ORA-12705: Cannot access NLS data files or invalid environment specified at oracle.jdbc.driver.T4CTTIoer.processError(

Change the region settings on the server for the service account to English (United States).

More Information:
The Oracle driver has an NLS setting in the registry; the Windows region setting needs to match this value for the Cognos service to start.

Start REGEDIT, go to [HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\KEY_OraClient12Home1], and check the value “NLS_LANG”=”AMERICAN_AMERICA.WE8MSWIN1252”.