Product:
Planning Analytics Workspace 39
Linux Centos (similar to Red Hat)

Problem:
How upgrade PAW to version 39?

Solution:
https://cubewise.com/blog/planning-analytics-workspace-installation-guide/
Download the latest version of PAW from here
https://www-01.ibm.com/support/docview.wss?uid=swg27049597

Backup
Backup will restart the services.
Login to the Linux server with PUTTY
Change to the docker user with command sudo su – dockeruser
go to the paw folder, in our example that is /ibm/paw
cd /ibm/paw

go to the scripts folder, and run the backup script
cd scripts
./backup.sh

After the backup is done, the PAW should work as before.

The backup is stored in folders under /backup as shown above.

Create folders

To be able to change owner of file you need to be root, change to root user with command:
su –

Create the new folder for paw39 with command mkdir /ibm/paw39
Start WINSCP to copy the file to your linux server from windows.

https://winscp.net/eng/download.php
Move to the folder where the ipa file is stored, and to the folder where you want it. Drag the file over in the WINSCP program.

Set the rights for the file in the WINSCP program, so the others have access to the file.

Go back into PUTTY.

Go to the folder and unzip the file with command:
unzip ipa_workspace_local_2.0.39.1695.1.zip  -d /ibm/paw39

Go into the folder /ibm/paw39 and set the owner of all the files in the folder and sub-folders with this command
chown -R  dockeruser:docker ./*

Copy config files from old installation

Copy the <paw_install_location>/config/paw.env file from your current installation to the new
installation folder.
cd /ibm/paw/config
cp /ibm/paw/config/paw.env   /ibm/paw39/config/paw.env

Copy the certs folders files
cp /ibm/paw/config/certs/*.* /ibm/paw39/config/certs/

Copy the pa-workspace.pem file to the new folder
cd /ibm/paw39/config
mv pa-workspace.pem pa-org-workspace.pem
cp /ibm/paw/config/pa-workspace.pem /ibm/paw39/config/pa-workspace.pem

Copy the privatekey.pem to the new folder
cd /ibm/paw/
cp privatekey.pem /ibm/paw39/privatekey.pem

The files you copy depend on your installation.
Stop PAW services
Go to the scripts folder and enter command:
./paw.sh stop

Check that all is stopped with command:
docker ps

Rename folders

mv paw paw35
mv paw39 paw

Start paw
Change to dockeruser with command
sudo su – dockeruser

Update the paw.env file with the ip address that should be used

nano -w paw.env
export ADMINTOOL_IP = 192.168.1.29

Update the Start.sh file with the path to the docker-compose folder if it is not accessible as default

nano -w Start.sh
export PATH=$PATH:/ibm/comp/

Enter ctrl+o to save the file, press enter.
Enter ctrl+x to exit nano text editor.

Enter command below in PAW folder to start paw upgrade.

./Start.sh

Press Y to upgrade
Press Y to start IBM Planning Analytics Workspace Administration Tool.

Scroll down and and accept the IBM License and Non-IBM License to continue.

Check that the TM1 Application Server Gateway URI and the other values is correct, and press Validate.

Click on Status tab and click on Restart button.  Wait until all is started and test that it is working.

Stop the Administration Tool from PUTTY before you leave the Linux server.

To go into the linux container to run ping from inside the docker, enter this command:
docker exec -ti admintool bash

Install the new Agent

https://www.youtube.com/watch?v=Nel5Ovh0-7Q&list=PLfq0ST5X3p-QfZoNXSkDCP-zyblxXmzMZ&index=36

Surf to you new Planning Analytics Workspace and login. If you are administrator there is a new icon to administrate the TM1 instances. Click on the icon.

On the left lower corner you can see the version of PA Agent at your server. If you run TM1_version=TM1-AW64-ML-RTM-11.0.6.71-0 TM1_name=IBM Cognos TM1, you have agent 10.0.36.736.
Click on the download link to download the PA Agent that ships with PAW 39 to your computer.

https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_prism_gs.2.0.0.doc/t_paw_download_paa_agent.html

Click on Download and save the file to a new folder on your computer.

Copy the file to a folder on the PAL server and unzip it. Open a CMD window as administrator, and go to the folder where you have the new PAA Agent files. Enter this command to install the new agent:

UpdatePAAAgent.bat  “c:\program files\ibm\cognos\tm1_64\”

You need to add the path to your TM1 instances folders in the bootstrap.properties file, the TM1 samples work as they are already added at default.

To make mail notifications to work, you need to update this lines in above file;

SMTP_EMAIL_PORT=587
SMTP_EMAIL_AUTH=true
SMTP_EMAIL_HOST=example.com
SMTP_EMAIL_USERNAME=user@example.com
SMTP_EMAIL_PASSWORD=Analytics123
PAA_EMAIL_ADDRESS=noreply@example.com

Enter values for your SMTP server, also update the PAA_EMAIL_ADDRESS ( ) field.
Restart the “IBM Planning Analytics Administration Agent” to make the changes take affect.

More information:
How set a static ip address on Linux
http://www.mustbegeek.com/configure-static-ip-address-in-centos/

https://www.cyberciti.biz/faq/howto-setting-rhel7-centos-7-static-ip-configuration/

https://www.techrepublic.com/article/how-to-configure-a-static-ip-address-in-centos-7/

https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_prism_gs.2.0.0.doc/c_install_paa_local_configure_event_notifications.html

How install docker on Linux
https://docs.docker.com/install/linux/docker-ce/centos/
To Install required packages before docker, enter this:
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
sudo yum-config-manager –add-repo https://download.docker.com/linux/centos/docker-ce.repo

To download the latest version of docker download this:
sudo yum install docker-ce docker-ce-cli containerd.io

To start and make docker stay started after reboot enter this:
systemctl start docker
systemctl enable docker

To download docker-compose enter this exact command:
sudo curl -L “https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m)” -o /usr/local/bin/docker-compose

To change to execute, for this file:
sudo chmod +x /usr/local/bin/docker-compose

Check the version, with this command, to see that it works:
docker-compose version

Product:
Cognos Controller 10.4
https://www-01.ibm.com/support/docview.wss?uid=ibm10735239
Microsoft Windows 2016 Server

Problem:
After upgrade to a later version of Cognos Controller 10.4, where also BI 10 have been replaced by CA11, the PDF shown inside Cognos Controller client is small. HTML reports works fine.

Solution:
The user profile of the user executing the report is referencing a style (also known as skin) from IBM Cognos Business Intelligence 10.

In IBM® Cognos® Analytics, in the lower-left corner, click icon for administration, select Administration Console.
On the Security tab, click Users, Groups, and Roles.
Click the namespace that contains the user.
Find the user whose preferences you want to view or change. You can use the Search feature to find a user Searching for entries using name, description, and name or description.
For that user – in the Actions column, click More.
Click Set preferences.
Click the different tabs to view or change the settings.
In the Preferences tab, choose Style Corporate.
Make the change and click OK.

Test again to run a report in Cognos Controller as PDF.

More Information:
https://www-01.ibm.com/support/docview.wss?uid=ibm10739581
https://www.ibm.com/support/knowledgecenter/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.ug_cra.doc/t_viewchange_userprofile.html

Product:
Planning Analytics 2.0.5
Cognos Analytics 11.0.13
Microsoft Windows 2016 server

Problem:
Inside the CA11 cognos connection you have a workspace widget that link to a TM1 Application web (contributor app) that is on a secure TM1WEB server (HTTPS), and your CA11 is not, it uses HTTP. Depending on the browser used, you can get the error “no permission to perform operation”.

This can be that you have no rights in the TM1 application, but can also be that the user credentials is not brought forward to the site.

Suggested solution:
In the case when you have the servers in different domains, this can be a solution;

When the TM1 Application Server is not accepting the request at all. You can add an additional header, so that pmpsvc accepts requests from certain domains. The header is described here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer

Login to tm1 server.
Open C:\Program Files\ibm\cognos\tm1_64\webapps\pmpsvc\WEB-INF\configuration\fpmsvc_config.xml in notepad++.
Find the line:

name=”X-Content-Type-Options” value=”nosniff”

Add the following after above line:

name=”Referer” value=”domain1.com;domain2.com”

Like this:

Restart TM1 Application Server

The setting will allow the pmpsvc URL to be called from any website within the domain1.com and domain2.com domain.

If a website is accessed from a HTTP Secure (HTTPS) connection and a link points to anywhere except another secure location, then the referrer field is not sent.

Product:
Planning Analytics Workspace version 38
Planning Analytics 2.0.5
Linux Red Hat 7

Problem:
A security scan show that the PAW on port 443 try to use old ciphers sets.

The server is configured to support ciphers known as static key ciphers. These ciphers don’t support “Forward Secrecy”. In the new
specification for HTTP/2, these ciphers have been blacklisted.
Negotiated with the following insecure cipher suites:
TLS 1.1 ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS 1.2 ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

Possible Solution:
Configure the server to disable support for static key cipher suites.

Login to the PAW Linux server with PUTTY.
Change to the user who have access to the paw folder (e.g. dockeruser).
Go to the /ibm/paw/config folder.
Check the content of defaults.env with the command  more defaults.env  to see the current used values.
Open paw.env file with command  nano paw.env
Add below two rows;
export SSLCipherSuite=”ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSAAES256-
GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256″
export SSLProtocol=”all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1″
Save the file with ctrl+o
Exit nano program with ctrl+x
Restart the PAW server.

Check this link for what values to set in SSLCipherSuite:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
If it does not work, revert back to the original settings shown below, by simple remove the two lines from the paw.env file.

export SSLProtocol=”all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1″
above means all protocols except the one listed after the minus, so no SSLv2 or SSLv3 or TLSv1 or TLSv1.1, leaving only TLSv1.2 to show.

The way you created the certificate request when you setup SSL(TLS) for PAW, can affect the ciphers you can use.

More Information:
https://electricenergyonline.com/print_article.php?ID=779

http://www.nist.gov/manuscript-publication-search.cfm?pub_id=915295
https://wiki.mozilla.org/Security/Server_Side_TLS
http://support.microsoft.com/kb/245030/
https://tools.ietf.org/html/rfc7540/

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.md

Product:
Planning Analytics 2.0.5
Microsoft Windows 2016 server

Problem:
A security audit list that the access to TM1 Admin service is not enough secure. Port 5498 and 5898 show this;
Negotiated with the following insecure cipher suites:
TLS 1.0 ciphers:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS 1.1 ciphers:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

Vulnerability Solution:
Enable support for at least one of the ciphers listed below:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Possible solution:
Inside the Cognos Configuration the TM1 Admin server value for Support pre-TLS v1.2 clients are set to TRUE, this should be set to False to solve above issue.

Change to FALSE,
Save settings.
At the restart of the TM1 Admin Server, all the TM1 running instances will be restarted, this can take time. Do this at a planned date.

More information about ports:
http://www.practicallynetworked.com/sharing/app_port_list.htm
http://www.networksorcery.com/enp/protocol/ip/ports04000.htm

Ports used by CA11
https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/c_reviewthedefaultsettings.html

Ports used by PAL
https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_tm1_inst_defaultvaluesfortm1installation.html

 

https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_configuringthetm1adminservertousessl_n12010f.html

This can also help secure the TM1 Admin service;

TM1 Admin Server Certificate Version Specifies which version of the TM1 generated certificates to use.

By default, the 1024-bit encryption version of the TM1 generated certificates is used.

Change this property only if you want to use the new 2048-bit encryption version of the default certificates. You can use the new version with old and new TM1 clients, but you must configure the clients to use the new certificate authority file.

Note This property does not apply if you are using your own certificates.

Valid values include:

  • 1 – Enables certificate authority for 1024-bit encryption with sha-1 (default value)
  • 2 – Enables certificate authority for 2048-bit encryption with sha-256

Product:
Cognos Controller 10.4
Microsoft Windows 2016 server

Problem:
When doing currency conversation in a consolidation you get a error “ActiveX component can’t create object”.

When you check the Windows event log you find a error similar to this:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{4DAC0D14-D942-47CD-9A74-CBFC5BBFA14E}
and APPID
{6591F1B8-A9EF-45FA-A403-2850BD72D910}
to the user DOMAIN\USERNAME SID (S-1-5-21-55472620-132315974-3481569866-49656) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Service

Suggested Solution:
Login to the Cognos Controller Window server.
Go into IIS Manager
Go to the application pools.
Select the application pool for controller, can be NET v4.5 or Controller (depending what you have named it), and click advanced settings.

Under Process Model, change Identity from ApplicationPoolIdentity to LocalSystem.
Also ensure the Idle Time-out is 600 minutes, and not the default 20 minutes.
Click OK
Restart the IIS service.


You need also go into Controller Configuration
Change COM+ server to us Local System Account
Save the changes.

Retry the currency conversation.

More information:

https://www-01.ibm.com/support/docview.wss?uid=swg21608353
https://www-01.ibm.com/support/docview.wss?uid=swg21347488
https://www-01.ibm.com/support/docview.wss?uid=swg21459682

Product:
Planning Analytics 2.0.5
Planning Analytics Workspace 2.0.38

Problem:
Error message when I on some TI processes in PAW, right click and select Edit Process. Other process work fine to open in PAW.

Error Message:

{“errorMessage”. “Error: Internal Server Error\r\nSystemOutOfMemory\r\n\r\n”, “/api/v1/Cubes (‘cubename’)/Views(‘All’)/tm1.Execute”,”httpStatusCode”:500)

Background:
The paw is try to show a to large preview of the selection. If the process have a cube view as data source, and that is large, like All, then you can get this error. It will work for a smaller cube view. When you edit a TI process in TM1 Architect, this error does not show.
If you check the TM1SERVER.LOG you will find this message;
8024 [34] WARN 2019-03-04 09:30:44.083 TM1.Server.Memory al_Alloc() outOfMemory Exception <<< MEMORY_TEMP_POOL_EXCEEDED >>> MaximumViewSize memory exceeded – apifunc# “0” – pool# “0” – poolsize “201318656.000000”

You can get same behavior in TM1 Architect, if you open a cube, and try to view all content.
TM1 Error
All: Maximum memory for action exceeded.
View may be too large.
Operation aborted.

Then in TM1SERVER.LOG the error is like this:
4908 [22] WARN 2019-03-04 11:52:24.469 TM1.Server.Memory al_Alloc() outOfMemory Exception <<< MEMORY_TEMP_POOL_EXCEEDED >>> MaximumViewSize memory exceeded – apifunc# “326” – pool# “0” – poolsize “201318656.000000”

You can still edit the TI process, so this warning should not be of a concern.
Check your TM1S.CFG file so the value MaximumViewSize is not set to a low value. In most cases you should manage with the default values.

More Information:
https://www-01.ibm.com/support/docview.wss?uid=swg21380704
https://www-01.ibm.com/support/docview.wss?uid=swg21639609
https://www.ibm.com/support/knowledgecenter/en/SS9RXT_10.2.2/com.ibm.swg.ba.cognos.tm1_inst.10.2.2.1.doc/c_maximumviewsize_1.html