
Planning Analytics


How to log user logins to TM1?


Create a file named in same folder as the tm1s.cfg, with this content:

log4j.logger.TM1=INFO, S1
log4j.logger.TM1.Lock=ERROR, S1
log4j.appender.S1.MemorySize=10 MB
log4j.appender.S1.MaxFileSize=100 MB

log4j.logger.TM1.Login=DEBUG, S2
log4j.appender.S2.MaxFileSize=100 MB

This will create a tm1login.log file in your log folder. It will contain the user name for IntegratedSecurityMode=1.

If it is a CAM user, you may have to read the }TM1_DefaultDisplayValue in the }Clients dimension.



Then you can use this code to load the log file into a cube;



Planning analytics 2.0.9
Microsoft Windows server


What ports are used by PAL?



Check this article from 

Ports used by Planning Analytics
5495   The unsecured TCP/IP port number on which the Admin Server listens for client requests (if allowed in Cognos Configuration).


5498   The secured TCP/IP port number on which all TM1 components communicate with the Cognos TM1 Admin Server using Transport Layer Security (TLS).


5895     Admin Server to REST API unsecured communication port number (tm1AdminHTTPPortNumber). Specifies the HTTP port number that is used by TM1 Admin Server to communicate with the TM1 REST API for unsecured communication (if allowed). The default value is 5895. This default value cannot be changed using IBM Cognos Configuration. For more information, see “Appendix 1: TM1 Admin Host” in the TM1 REST API documentation.


5898   Admin Server to REST API secured communication port number (tm1AdminHTTPSPortNumber). Specifies the HTTPS port number that is used by TM1 Admin Server to communicate with the TM1 REST API for secured (SSL) communication. The default value is 5898. This value cannot be changed using IBM Cognos Configuration.
For more information, see “Appendix 1: TM1 Admin Host” in the TM1 REST API documentation.


<portNumber> The port on which the TM1 server runs. This parameter is used to distinguish multiple TM1 servers running on the same computer. Valid port values fall between 5000 and 65535. The default value is 12345 (already used by Planning Sample). This parameter is to be set in the Tm1s.cfg server configuration file.
12345  Default portNumber for Planning Sample
12346  Default portNumber for SData
45557  Default portNumber for GO_New_Stores
12347  Default portNumber for PData
5333   Default portNumber for Proven_Techniques
44321  Default portNumber for GO_scorecards
50909  Default portNumber for 24Retail


<HTTPPortNumber> Port number on which the TM1 Server listens for incoming HTTP(S) requests. The IBM Planning Analytics TM1 Server services the REST API using this HTTP(S) channel. The server accepts either standard HTTP or SSL secured HTTPS connections depending on the UseSSL parameter: If UseSSL is set to T, switching the use of SSL on, then the server will accept only HTTPS connections, if UseSSL is set to F then the server will accept unsecured HTTP connections. If HTTPPortNumber is not defined in your tm1s.cfg file, then port number “5001” will be assigned automatically. This parameter is to be set in the Tm1s.cfg server configuration file.
12354  Default HTTPportNumber for Planning Sample
8010   Default HTTPportNumber for SData
5010   Default HTTPportNumber for GO_New_Stores
8011   Default HTTPportNumber for PData
5011   Default HTTPportNumber for Proven_Techniques
44312  Default HTTPportNumber for GO_scorecards
52670  Default HTTPportNumber for 24Retail


<ClientMessagePortNumber>  TM1 Client Message port number. This port number establishes a secondary port for client progress messages to use when a lengthy operation is waiting to be canceled. This parameter is to be set in the Tm1s.cfg server configuration file. The default value is blank. By default, this port number is automatically and dynamically assigned when the TM1 server starts. You do not have to set ClientMessagePortNumber to a specific number unless firewalls or other network issues require the listener port to be a well-known number.
CAUTION: If you choose to set a specific value for the ClientMessagePortNumber parameter, instead of having it dynamically assigned, be sure to assign unique port numbers for all the TM1 server and client message ports you are using. If you have two servers running on the same machine using the same port number, the message activity may cause a system conflict or hang.
17469  Default ClientMessagePortNumber for 24Retail


<LDAPPort>    Port that IBM TM1 Server uses to bind to an LDAP server. It is used if PasswordSource=LDAP in tm1s.cfg. The default LDAPPort is 389 (unsecured). Usually, in production, secured port 636 is used instead (LDAPS).


9510    Default port for both TM1 Application Server (depending on “IBM Cognos TM1” service) and IBM Planning Analytics Spreadsheet Services (the new TM1 Web that depends on “IBM Planning Analytics Spreadsheet Services” service). If both services are still needed on the same machine, then this default port has to be changed for one of them, and TM1 Application Web (pmpsvc) may have to be reconfigured to connect to TM1 Web. Follow this document to achieve this: “How to Configure TM1 Application Web to connect to TM1 Web since ? (IBM Planning Analytics Spreadsheet Services)


53      Docker daemon port.


80         Planning Analytics Workspace’s PAGatewayHTTPPort (to be defined in /config/paw.ps1). This is an HTTP port that is mapped to the host by pa-gateway. The default value is 80.


443     Planning Analytics Workspace’s PAGatewayHTTPSPort (to be defined in /config/paw.ps1). This is an HTTPS port that is mapped to the host by pa-gateway. The default value is 443.


9012     To use IBM Planning Analytics Administration on Planning Analytics Workspace Local, you install and configure the Planning Analytics Administration agent wherever you install IBM TM1 Server. The default port of the Planning Analytics Administration agent is 9012. This port cannot be easily changed because it is hardcoded in the docker image of the container that is accessing the Administration Agent.


8888     Default admintool port. By default, the Planning Analytics Workspace administration tool is accessible on
In IBM Planning Analytics Workspace Local version 2.0.44 or later, if port 8888 is not free, you can configure Planning Analytics Workspace Local to access the Planning Analytics Workspace administration tool remotely on Windows Server. For more information, see “Access the Planning Analytics Workspace administration tool remotely on Windows Server“.
If you can’t run a browser on the localhost interface, you can configure Planning Analytics Workspace Local to access the Planning Analytics Workspace administration tool on another IP address. For more information, see “Access the Planning Analytics Workspace administration tool remotely on Linux
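An added example (not from the original article or from IBM): a small Python audit of the tm1s.cfg parameters described above. It reports port numbers assigned more than once, a portNumber outside 5000-65535, UseSSL=F, and LDAP binds on port 389. The sample configuration texts are constructed, and the lower-cased key handling is an assumption of this sketch.

```python
# Added example: audit tm1s.cfg port and transport settings across instances.
# The config texts in SAMPLE are constructed, not taken from real servers.
from collections import defaultdict

PORT_KEYS = ("portnumber", "httpportnumber", "clientmessageportnumber")


def parse_cfg(text):
    """Return tm1s.cfg parameters as a dict with lower-cased keys."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")) or "=" not in line:
            continue  # skip blanks, comments and the [TM1S] section header
        key, value = line.split("=", 1)
        params[key.strip().lower()] = value.strip()
    return params


def audit(instances):
    """instances: {instance name: cfg text}. Returns sorted finding strings."""
    findings = []
    used = defaultdict(list)  # port -> [(instance, parameter)]
    for name, text in instances.items():
        p = parse_cfg(text)
        # Defaults stated on the page: portNumber 12345, HTTPPortNumber 5001.
        p.setdefault("portnumber", "12345")
        p.setdefault("httpportnumber", "5001")
        for key in PORT_KEYS:
            value = p.get(key, "")
            if not value:  # blank ClientMessagePortNumber = assigned dynamically
                continue
            if not value.isdigit():
                findings.append(f"{name}: {key}={value!r} is not a number")
                continue
            port = int(value)
            used[port].append((name, key))
            if key == "portnumber" and not 5000 <= port <= 65535:
                findings.append(f"{name}: portnumber {port} outside 5000-65535")
        if p.get("usessl", "").upper() == "F":
            findings.append(f"{name}: UseSSL=F, REST API on port "
                            f"{p['httpportnumber']} accepts plain HTTP")
        if (p.get("passwordsource", "").upper() == "LDAP"
                and p.get("ldapport", "389") == "389"):
            findings.append(f"{name}: LDAP bind on unsecured port 389")
    for port, owners in used.items():
        if len(owners) > 1:
            who = ", ".join(f"{n}.{k}" for n, k in owners)
            findings.append(f"port {port} assigned more than once: {who}")
    return sorted(findings)


SAMPLE = {  # constructed sample files
    "Planning Sample": "[TM1S]\nPortNumber=12345\nHTTPPortNumber=12354\nUseSSL=T\n",
    "SData": "[TM1S]\n# HTTP port collides with Planning Sample\n"
             "PortNumber=12346\nHTTPPortNumber=12354\nUseSSL=F\n"
             "PasswordSource=LDAP\nLDAPPort=389\n",
    "Proven_Techniques": "[TM1S]\nPortNumber=4999\nClientMessagePortNumber=\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```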





Azure Data Factory


How to connect with a managed identity to a SQL private endpoint?


In your Azure subscription, ensure that both ADF and SQL are in the same subnet. Then there should not be any firewalls that need to be opened between them.

On your Azure SQL server, set Networking – public access to disable. Ensure you have created private endpoints for your Azure SQL resource.

Set up a Managed Identity for your Azure Data Factory: this will create an ID that can be used by other Azure resources to get access.

    • In the Azure portal, go to your Azure Data Factory resource.
    • Under the “Settings” section, select “Managed identity”.
    • Enable the system-assigned managed identity for your Data Factory.

Grant the Managed Identity access to the SQL Azure Database:

    • Go to your SQL Azure Database resource.
    • Under the “Settings” section, select “Access control (IAM)”.
    • Click on “+ Add” and add a role assignment.
    • Select the appropriate role (e.g., “Contributor” or “SQL Server Contributor”) and search for the name of your Azure Data Factory.
    • Select the Data Factory name from the search results and click “Save”.

You can also give the ADF access inside SQL Server by granting it access with these commands in SSMS:

-- run in master database



-- run in sql database

CREATE USER [adf-name] FROM LOGIN [adf-name]

ALTER ROLE [db_owner] ADD MEMBER [adf-name]


Configure the Linked Service in Azure Data Factory:

    • Open your Azure Data Factory resource in the Azure portal.
    • Click on “Launch Studio”.
    • Go to the “Manage” section.
    • Click on the “Linked service” tab and select “New”.
    • Choose the appropriate SQL Server connector (e.g., “Azure SQL Database”).
    • Provide the required connection details such as server name, database name, authentication type like:
      integrationRuntime2 (Managed Virtual Network)
      connection string
      Account selection method – Enter manually.
      Enter SQL server name (Fully qualified domain name) like:
      Enter database name
      For authentication type, under “Managed private endpoint”, select System Assigned Managed Identity – then all values should come up automatically.
    • Click on “Test Connection” to validate the connection.


Use the Linked Service in Azure Data Factory:

      • Now you can use the configured Linked Service to connect to the SQL Azure Database private endpoint in your datasets, that is, in the integration pipelines within Azure Data Factory.

By following these steps, you’ll be able to establish a connection to a SQL Azure Database private endpoint from Azure Data Factory using a managed identity.



Microsoft Azure Storage Account


When doing the Microsoft learn section:

When you try to list the content of a blob, you get this message:

There are no credentials provided in your command and environment, we will query for account key for your storage account.
It is recommended to provide --connection-string, --account-key or --sas-token in your command as credentials.

You also can add `--auth-mode login` in your command to use Azure Active Directory (Azure AD) for authorization if your login account is assigned required RBAC roles.
For more information about RBAC roles in storage, visit

In addition, setting the corresponding environment variables can avoid inputting credentials in your command. Please use --help to get more information about environment variable usage.



The blob photos has been created, which you can see if you check the storage account directly in your subscription. But you cannot verify it with the command:

az storage container list \
--account-name <name>

The <name> should be replaced with your unique storage account name.

The result returned is cryptic, but if you find below lines, then there is a success. Keep in mind that you need to enter the CLI command in one line.

"immutableStorageWithVersioningEnabled": false,
"metadata": null,
"name": "photos",
"properties": {

As this message is a warning and not an error, you can add --only-show-errors to suppress warnings, like this:

az storage container list --only-show-errors --account-key  <your key> --account-name <your account>

The --auth-mode key will be deprecated in the future; try to use another method.

As this warning message is new – it may break your scripts, as they do not expect the message to come.

You can get more information by adding --debug to the command, like:

az storage container list --debug --account-name  <name>


More Information: 


When you don’t specify the authentication type, it will try to get the access key of the storage account. This requires the Microsoft.Storage/storageAccounts/listkeys/action permission. If you have contributor role or the storage account, you have the required permission.

--auth-mode login means it will use AAD auth to connect to the storage. You can use one of the built-in roles to access the storage (see documentation):

  • Storage Table Data Contributor
  • Storage Table Data Reader

When using AAD Auth, you could also disable access key authentication.

There is a good article related to RBAC management and the data plane model: Assign an Azure role for access to blob data.

Microsoft Azure File share


How to use POSTMAN to upload a file to an AZURE file share with the REST API?


Download POSTMAN program from

In your AZURE subscription, go to your storage account to get the shared access signature (SAS), which is a URI that grants restricted access rights to Azure Storage resources.

As this is a file share you should select allowed service to be FILE, and allowed resource types to be OBJECT.

Set the end date for expiry to a year from now.

Leave the Allowed IP addresses blank – to allow any computer to access the account.  (Keep the DNS and FIREWALL setup so that only computers from your company can reach the azure area).

Allowed protocols should be HTTPS only.

Click on Generate SAS and connection string. Copy these strings and save them in Notepad. You cannot display them again once you have left this Azure page.

The connection string contains all the info you need. Inside Notepad, split it up so that you have only the information needed for the file share in one string. Copy the text after FileEndpoint=.

You should get something like this:

sv= is the version of the REST API; you may need to add this value as a header, like x-ms-version: 2022-11-02

se= is the end date for the connection key to work, like 2025-07-31T22:45:45Z

st= is the start date for the connection key to work, like 2023-05-30T14:45:45Z

sig= is the key value, that gives you full access to the area. Do not share it with others.

sp= is what kind of rights you have given, e.g. read write delete list create.
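An added example (not part of the original post): a Python helper that reads the SAS fields listed above from the query string, reports the validity window and granted rights, and redacts sig= before a URL is written to a log. The sample token is constructed around the example dates above; its signature is a placeholder.

```python
# Added example: inspect a SAS query string and redact its signature.
# SAMPLE_SAS is constructed; the sig value is a placeholder, not a real key.
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Permission letters used in sp= (subset covering the rights named above).
PERMS = {"r": "read", "w": "write", "d": "delete", "l": "list",
         "c": "create", "a": "add", "u": "update", "p": "process"}


def _ts(value):
    """Parse a SAS timestamp such as 2025-07-31T22:45:45Z as UTC."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def describe_sas(query, now):
    """Summarise a SAS query string without ever returning the signature."""
    pairs = parse_qs(query.lstrip("?"), keep_blank_values=True)
    q = {k: v[0] for k, v in pairs.items()}
    missing = [k for k in ("sv", "se", "sp", "sig") if not q.get(k)]
    if missing:
        raise ValueError("not a usable SAS, missing: " + ", ".join(missing))
    start = _ts(q["st"]) if q.get("st") else None
    expiry = _ts(q["se"])
    return {
        "x-ms-version": q["sv"],                  # value for the version header
        "permissions": [PERMS.get(ch, ch) for ch in q["sp"]],
        "valid_now": (start is None or start <= now) and now < expiry,
        "lifetime_days": (expiry - (start or now)).days,
        "https_only": q.get("spr") == "https",    # Allowed protocols setting
        "ip_restricted": "sip" in q,              # Allowed IP addresses setting
    }


def redact_sig(text):
    """Replace the sig= value so a URL can be logged or pasted safely."""
    return re.sub(r"((?:^|[?&])sig=)[^&#]*", r"\1REDACTED", text)


SAMPLE_SAS = ("sv=2022-11-02&ss=f&srt=o&sp=rwdlc"
              "&se=2025-07-31T22:45:45Z&st=2023-05-30T14:45:45Z"
              "&spr=https&sig=CONSTRUCTED%2BPLACEHOLDER%3D")
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for key, value in describe_sas(SAMPLE_SAS, SAMPLE_NOW).items():
        print(f"{key}: {value}")
    print(redact_sig("https://example.invalid/share/file.txt?" + SAMPLE_SAS))
```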

In your storage account file share, you may have created some subfolders like testfiles. Click on File Shares to find the name and any sub-folders you have underneath it. Click on file share and click on browse to find the folder name where you have Authentication method: Access key. This is the folder you can access.

Update your url to contain the path and the filename of the file you want to create. Like……

Start POSTMAN. Do not log in; skip that. Create a New HTTP dialog.

Select PUT and paste in your URL. Then POSTMAN will interpret your values and list them as parameters.

With a file share, you must do the REST API call in two steps. First create the file in the correct size, and then do a second call to fill the file with data. This is different from BLOB storage, where you can do it in one REST API call.

In POSTMAN go to the Headers tab and add two keys:

x-ms-type = file

x-ms-content-length = 1

Here we set the length of the file to 1 character (1 byte). (This will work as long as you only use a-z characters and UTF-8 coding.)

Click on the SEND button, and if all is correct you should get: 201 created.

Browse to your AZURE file storage and check that the file was created, with a size of 1.

To write to the file, add these two keys in headers:

x-ms-write = update

x-ms-range = bytes=0-0

The x-ms-range should always start with 0 and then be one number less than the total of characters in your file. If the file is 42 characters, then the value should be bytes=0-41.

Important: in the Params tab you must add a key as below (this is to activate the range function; otherwise the x-ms-range is not used):

comp = range

Then we need to add some data in POSTMAN to write to the file, go to the Body tab, and select RAW – text and enter a letter.

The text should be the same size as the file you have created. File size and text you put into the file must match exactly on the byte.

Click on SEND, and you should get a Status: 201 Created if all is fine.
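An added example (not part of the original post): the two calls described above, built in Python with the same headers that were entered in POSTMAN. Sizes are computed from the UTF-8 bytes, so text outside a-z also gets a matching x-ms-content-length and x-ms-range. The storage account, share and SAS values in the sample URL are constructed placeholders, and the 4 MiB limit per range is the service limit for one write call.

```python
# Added example: build the "create file" and "write range" requests for an
# Azure file share. SAMPLE_URL is constructed; nothing is sent on import.
import urllib.request
from urllib.parse import urlsplit, urlunsplit

MAX_RANGE = 4 * 1024 * 1024  # one write-range call carries at most 4 MiB


def build_upload(file_url, text, api_version="2022-11-02"):
    """Return the ordered request descriptions for uploading `text`."""
    body = text.encode("utf-8")  # header sizes are bytes, not characters
    if len(body) > MAX_RANGE:
        raise ValueError("body exceeds one range; split it into several calls")
    create = {
        "method": "PUT", "url": file_url, "body": b"",
        "headers": {"x-ms-version": api_version,
                    "x-ms-type": "file",
                    "x-ms-content-length": str(len(body))},
    }
    if not body:
        return [create]  # empty file: there is no range to write
    parts = urlsplit(file_url)
    # Append comp=range without re-encoding the SAS (sig must stay intact).
    query = f"{parts.query}&comp=range" if parts.query else "comp=range"
    write = {
        "method": "PUT", "url": urlunsplit(parts._replace(query=query)),
        "body": body,
        "headers": {"x-ms-version": api_version,
                    "x-ms-write": "update",
                    "x-ms-range": f"bytes=0-{len(body) - 1}",
                    "Content-Length": str(len(body))},
    }
    return [create, write]


def send(step):
    """Send one step; both calls answer 201 Created on success."""
    request = urllib.request.Request(step["url"], data=step["body"],
                                     method=step["method"],
                                     headers=step["headers"])
    with urllib.request.urlopen(request) as response:
        return response.status


SAMPLE_URL = ("https://examplestorage.file.core.windows.net/exampleshare/"
              "testfiles/hello.txt?sv=2022-11-02&sp=rwc&sig=PLACEHOLDER")

if __name__ == "__main__":
    for step in build_upload(SAMPLE_URL, "héllo"):
        print(step["method"], step["url"].split("sig=")[0] + "sig=REDACTED")
        for header, value in step["headers"].items():
            print(f"  {header}: {value}")
```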

Common errors you can see in POSTMAN are:

Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. Authentication scheme Bearer for files is not supported in this version.

This is solved by adding the correct version, like: x-ms-version: 2022-11-02

You should also try to have headers like:

Authorization: Bearer

<Error><Code>UnsupportedHttpVerb</Code><Message>The resource doesn't support specified Http Verb.

This is solved by using PUT instead of POST.

<Error><Code>ShareNotFound</Code><Message>The specified share does not exist.

This is solved by entering the correct path and filename in the URL.

HTTP Error 400. The request host name is invalid.

Solved by entering the correct host.

HTTP Error 411. The request must be chunked or have a content length

Solved by entering the header Content-Length.

HTTP Error 404 The specified resource does not exist.

HTTP Error 400 Value for one of the query parameters specified in the request URI is invalid

HTTP Error 404 The specified parent path does not exist

Solved by entering the correct path to the files in AZURE.

One of the HTTP headers specified in the request is not supported.

Solved by adding the key comp in the Params tab.

An HTTP header that's mandatory for this request is not specified.

Solved by adding the key x-ms-content-length.

An HTTP header that's mandatory for this request is not specified.

Solved by adding the key x-ms-write.

The value for one of the HTTP headers is not in the correct format.

This is solved by entering the correct value in the x-ms-range key, or by adding comp = range in the Params tab.




Cognos Controller 10.4.2
Microsoft Windows Server 2022


Suddenly users cannot log in to Cognos Controller.

They get an error like this:

System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.ArgumentNullException: Value cannot be null.
Parameter name: uriString
at System.Uri..ctor(String uriString)
at System.Web.Services.Protocols.WebClientProtocol.set_Url(String value)
at Cognos.Controller.Common.CRNBridge.CRNBridge.set_EndPointURL(String sURL)
at Cognos.Controller.Proxy.CCRWS.GetUserInfo(String sGuid, String sUser, String passportId)
--- End of inner exception stack trace ---
at Cognos.Controller.Forms.Common.Main.DoLoginCognos8(Form& frm, Boolean runtimCheck)
at CCR.AppContext.DoLogin()
at CCR.AppContext.Login()


Restart the IIS service on the Cognos Controller server.


Steps to check the issue:

Log in to the Cognos Controller server (via remote desktop).

Check that all IBM Cognos services are running.

Start IE and browse to CA11 – does it work?

Start IIS Manager and check that all application pools are running.

Go to Component Services from Control Panel administration. Expand COM+ components.

Ensure that “IBM Cognos Controller Consolidation” is running. If not, restart IIS from inside the IIS Manager program.

Check the Windows event log for any error message that can explain why any of the above processes have stopped.



Planning Analytics

Microsoft Windows 2019 server


How to change TM1 Application Web (pmpsvc) to use CAM SSO security when it has been set up to use Native TM1 security before?


These steps apply if you only have one TM1 application connected to TM1 App Web (common in new installations – like Planning Sample in our example).

Stop the “IBM Cognos TM1” service (pmpsvc web server).

Open the file fpmsvc_config.xml from D:\Program Files\ibm\cognos\tm1_64\webapps\pmpsvc\WEB-INF\configuration folder.

Remove the planning sample line from between servers section.

So it looks like this;


Save the file.

Change your planning sample tm1s.cfg file to have correct values like below:



Save tm1s.cfg file and restart the planning sample service.

Test to login to planning sample in Tm1 Architect, it should work with CAM SSO if all is correct.

Then browse to your tm1 app web on:

If all works well – you should get to the configuration page – where you can select Tm1 instance. Select a TM1 instance that will be up and use CAM security. All Tm1 applications that are used inside Tm1 Application web (contributor) must all have the same security settings, most common is IntegratedSecurityMode=5.

Save the settings and you should get into the IBM Cognos Tm1 Applications portal. If you need to edit the configuration later, click on the tools icon.

In Cognos TM1 Applications Configuration web page, click on Edit link, below the selected server names.

Then fill out the fields – for any change needed.

Admin host = should be the server-name of windows server where Tm1 Admin service is running (normally the tm1 server itself).

Server Name = should be the selected TM1 instance, that user will first be authenticated against. Should be using CAM SSO, as describe above.

Cognos BI Gateway URI = should be to the gateway like

Cognos BI Dispatchers URI = should be point to the CA11 server on port 9300 like

Click OK to save, and there should not be any errors. If errors check in IE on server if you can browse to above URL for Cognos BI.


If you turn off the planning sample application and change it to IntegratedSecurityMode=5, without changing the fpmsvc_config.xml file, then you get a TM1 login dialog in TM1 App Web when you connect, and you cannot log in. This is because “pmpsvc” is set up for Native Security. You need to change planning sample back to IntegratedSecurityMode=1 to be able to log in to TM1 App Web again.

To clear a TM1 Application from the TM1 App Web connections, so you can work with the TM1 instance in TM1 Web, you need to run a TI process:



More Information: 

You can maybe edit pmpsvc_path\WEB_INF\configuration\ file in the same folder to change log level to INFO or DEBUG to get a lot more info in WEB_INF\logs\pmpsvc.log… or check folder D:\Program Files\ibm\cognos\tm1_64\wlp\usr\servers\tm1\logs for messages.log files.


Microsoft SQL Azure database


A newly created SQL native user [Kalle] cannot see the tables in the database, but he can log in to SSMS.


Please do not use the role db_datareader or db_datawriter or their deny equivalents. They are for backwards compatibility only.

Removing the user from the role with the command below did not help.

EXEC sp_droprolemember 'db_datareader', 'Kalle'

You have to drop the user and create him again:



Use Master

CREATE LOGIN Kalle WITH PASSWORD = 'advancedpasswordhere'

-- to be able to login from SSMS you need to have the user in master database --


-- gives the user Kalle access to see all tables in the DM schema --


This should give the user read-only access to all tables and views that are part of the DM schema in the database.

To list members of built-in roles, use:

-- DP1 is the role, DP2 is the member; roles without members are kept --
SELECT DP1.name AS DatabaseRoleName,
isnull (DP2.name, 'No members') AS DatabaseUserName
FROM sys.database_role_members AS DRM
RIGHT OUTER JOIN sys.database_principals AS DP1
ON DRM.role_principal_id = DP1.principal_id
LEFT OUTER JOIN sys.database_principals AS DP2
ON DRM.member_principal_id = DP2.principal_id
WHERE DP1.type = 'R'

To list whether any user has DENY rights, use:

-- l is the grantee, O is the object the DENY applies to --
SELECT l.name as grantee_name, p.state_desc, p.permission_name, O.name AS denied_object
FROM sys.database_permissions AS p JOIN sys.database_principals AS l
ON p.grantee_principal_id = l.principal_id
JOIN sys.sysobjects O
ON p.major_id = O.id
WHERE p.state_desc ='DENY'



Cognos Controller 10.4.2


After a reboot of the TM1 server where the FAP service is running, the FAP service does not connect to the TM1 services, and errors appear in the D:\Program Files\ibm\cognos\ccr_64\Server\FAP\error.log file.

DEBUG [fap.service.schedule.ConnectionsPoller] [pool-5-thread-2], Starting connection poller for datamart ‘FAP’ with a 3600000 ms timeout.

ERROR [fap.service.schedule.Scheduler] [pool-5-thread-2], Could not find the TM1 server [tm1:FAP]

Suggested solution:

Change the FAP service to “Automatic (Delayed Start)” in Windows Services.

The TM1 instance must be started before the FAP service is started.



Microsoft AZURE file storage


How to upload a file to AZURE file storage?


Download the AZURE STORAGE EXPLORER and install it. 

Connect to Azure with your account from inside Azure Storage Explorer.

Expand the tree on the left down to your file share.

Click on the Upload icon on the right.

Find an example file and upload it from the folder you want to upload files from.

Click upload and watch the program work.

When it has finished, click on the link ‘Copy AzCopy Command to Clipboard’ next to the log message in the lower right corner.

Paste this into NOTEPAD.

Edit the string, to be as you want it to be.

Download azcopy.exe to a folder like d:\script from 

Open a powershell command window.

Go to the d:\script folder.

Paste in your azcopy command from the notepad into powershell session, and it will copy the files you defined.


You may be able to programmatically change the PowerShell script for azcopy so that it can be run from a scheduling program.

