by ·Comments Off on XTR-ERR-0005 A request to TM1 resulted in error

Product:

Cognos Analytics 11.1.7

Microsoft Windows 2016 server

Issue:

Can not create new Planning Analytics data source connections inside CA11.

You have changed the security on the PAL installation, in case it worked before.

When you test the data connection in Cognos Analytics administration page, you get an error like this:

Dynamic Failed XTR-ERR-0005 A request to TM1 resulted in error: “[400] javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target”.

Solution:

Add the TM1 default certificate to the CA11 certificate store in java.

Stop IBM cognos service

Go to D:\Program Files\ibm\cognos\analytics\ibm-jre\jre\bin and start Ikeyman.exe as administrator.

Click on open icon.

Select the cacerts file in folder D:\Program Files\ibm\cognos\analytics\ibm-jre\jre\lib\security

Set type as JKS

Click OK

Enter password: changeit

Select in Signer Certificates from the drop-down menu

Click on Add.

Select the ibmtm1.arm file (that you copied over from the Planning Analytics server)

Click OK.

Give it a name like TM1ServerCert.

Close IKEYMAN program.

Start Cognos service.

If you test the connection – the message should be similar to this:

Dynamic Succeeded XQE-DS-0015 TM1 Server Name: tm1ServerName: “11.8.01000.6”.

 

More information:

https://www.ibm.com/support/pages/xtr-err-0005-error-when-testing-ibm-planning-analytics-20x-datasource-ibm-cognos-analytics-1112

by ·Comments Off on Error: Client network socket disconnected before secure TLS connection was established

Product:
Cognos Controller Web 10.4.2
Microsoft Windows 2016 Server

Issue:
User can not login to Cognos Controller Web after update to HTTPS.

In folder D:\Program Files\ibm\cognos\ccr_64\frontend\logs

error in log file can be;

error from web proxy: { Error: Client network socket disconnected before secure TLS connection was established at TLSSocket.onConnectEnd (_tls_wrap.js:1088:19)
at Object.onceWrapper (events.js:277:13)
at TLSSocket.emit (events.js:194:15)

Solution:

Check that the local windows firewall allow connections on port 3443.

Add a inbound rule that allow communications on port 9080,9081,3443,3000.

Controller web ports are set in the config.js and server.xml file.

<httpEndpoint host="*" httpPort="3000" httpsPort="3443" id="defaultHttpEndpoint">
<httpOptions removeServerHeader="true" />
</httpEndpoint>

More information:

https://www.ibm.com/support/pages/server-not-reachable-or-still-initializing-handshake-failure-signer-might-need-be-added-local-trust-store-ccr-ws-api-not-initialized-yet-errors-controller-web-caused-keystore-file-keyjks-containing-wrong-information

https://www.ibm.com/support/pages/node/883036

https://www.ibm.com/support/pages/controller-web-does-not-work-when-installed-same-server-cognos-analytics

https://www.ibm.com/support/pages/how-configure-controller-web-use-ssl-https

by ·Comments Off on key.jks did not load because of the following error: Keystore was tampered with, or password was incorrect

Product:

Cognos Controller Web 10.4.2

Microsoft Windows 2016 server

Issue:

When change Controller Web configuration, user can not login to Controller web. You get a error in the log file that it does not work.  There could be error like this:

[ERROR   ] CWPKI0033E: The keystore located at d:/Program Files/ibm/cognos/ccr_64/fcmweb/wlp/usr/servers/fcm.web/resources/security/key.jks did not load because of the following error: Keystore was tampered with, or password was incorrect…

Check log file D:\Program Files\ibm\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web\logs\messages.log

Check log file D:\Program Files\ibm\cognos\ccr_64\frontend\logs\fcmwebui-stderr.2022-09-13.log

Server ip written in backend-url.js!
Express server listening on port 9080
error from web proxy: { Error: connect ECONNREFUSED 192.168.1.71:3443
at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1097:14)
errno: ‘ECONNREFUSED’,
code: ‘ECONNREFUSED’,
syscall: ‘connect’,

 

Solution:

Check that you use the same password for your PFX file you import certificate from as you use for the key.jks file you created for the Controller Web setup.

Update the file config.js in folder D:\Program Files\ibm\cognos\ccr_64\frontend to correct password

…..

},
“secure”: false //set this to false when you use custom certificates for Controller Web
}
}],

…..
“ssl”: {
// certificates
“key”: fs.readFileSync(__dirname+”/keyfile.key”), //__dirname points to ccr_64\frontend
“cert”: fs.readFileSync(__dirname+”/cert.crt”),
“passphrase”:”TheNewPasswordHere
}…..

Update the file server.xml in folder D:\Program Files\ibm\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web to correct password

….

</webApplication>
<keyStore id=”defaultKeyStore” password=”TheNewPasswordHere” sslProtocol=”SSL_TLS” />
</server>…..

Save the changes and restart all 3 IBM Cognos Controller Web services.

Wait at least 20 minutes for it to load fully, before you test.

 

More information:

https://www.ibm.com/support/pages/server-not-reachable-or-still-initializing-handshake-failure-signer-might-need-be-added-local-trust-store-ccr-ws-api-not-initialized-yet-errors-controller-web-caused-keystore-file-keyjks-containing-wrong-information

https://www.ibm.com/support/pages/node/883036

https://www.ibm.com/support/pages/controller-web-does-not-work-when-installed-same-server-cognos-analytics

https://www.ibm.com/support/pages/how-configure-controller-web-use-ssl-https

by ·Comments Off on Setup HTTPS in Cognos 11

Product:

Cognos Analytics 11.1.7

Microsoft Windows 2016 server

Issue:

How setup custom certificate in CA11?

Solution:

Follow IBM recommendations, from here:

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=components-configuring-ssl-cognos-analytics

https://www.ibm.com/support/pages/steps-set-ssl-cognos-analytics-configuration

https://www.ibm.com/support/pages/how-add-3rd-party-ca-allow-ssl-between-components-ibm-cognos-analytics-11

 

When configuring IBM® Cognos® Analytics to use an external certificate authority (CA), you must start with a stopped system and an empty key store.

Export the Cognos Configuration as plain text first, by use Select File – Export as, on all CA11 servers. Save as backup.xml in configuration folder.

Procedure to clean the keystore

  1. Open IBM Cognos Configuration as an administrator. Ensure HTTP is used under Environment.
  2. In the Explorer window, under Security > Cryptography, click Cognos.
  3. Under Certificate Authority settings, click the Use third party CA property, and ensure that its Value is set to False.
  4. From the File menu, click Save to save the configuration.
  5. Close Cognos Configuration.
  6. Go to the Cognos Analytics installation directory, and delete all content from the install_location\configuration\certs directory.

 

On Microsoft Windows installations, you can run the tool with the -java:local command to use the JRE that is provided with the installation, as shown in the following example: ThirdPartyCertificateTool.bat -java:local
-c -d ...

The default password is NoPassWordSet.

Procedure to request a new cert

  1. From the install_location\bin directory, run the ThirdPartyCertificateTool.
  2. Type the following command to create the certificate signing request for the crypto key:

On Windows from inside a Administrator Command Prompt, type

ThirdPartyCertificateTool.bat -c -e -d "CN=EncryptCert,O=MyCompany,C=CA" 
-r encryptRequest.csr -p keystore_password -a RSA

  • The distinguished name (DN) value in the command ("CN=Servername,O=MyCompany,C=SE") uniquely identifies the Cognos Analytics installation.

    You can add more information with use of a command line like this:

    ThirdPartyCertificateTool.bat -c -e -p NoPassWordSet -a RSA -r "encryptRequest.csr" -d "CN=servername.domain.com,OU=Finance,O=MyCompany,L=Stockholm,C=SE" -H "servername.domain.com dnsalias.domain.com"

    The password that you enter for this key must be used again when you import the certificate, and again in IBM Cognos Configuration.

    You can ignore any warnings about logging.

    Backup your D:\Program Files\ibm\cognos\analytics\configuration folder to d:\temp
    (in case you start Cognos BI, you may need to go back to this settings before importing the certificates)
    Important: The certificates that are generated by your CA must be PEM (Base-64 encoded ASCII) format.

Results

The command generates the following CSR files:

  • The CAMKeystore file in the install_location\configuration\certs directory.
  • The encryptRequest.csr file in the install_location\bin directory.
After the CSR files are generated, perform the following steps:

  • Share the crypto key file encryptRequest.csr, or its contents, with the external CA. Using this key, the CA produces a crypto key certificate, a root certificate, and an intermediate certificate for the request, and sends them back to you.
  • If you get a P7B file, you need to convert it to PEM with OPENSSL. Use this command

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

  • File certificate.cer can be open in Notepad++ and copy out to 3 certificate, one for each function. A pem certificate should not start with a blank line.
  • Copy the certificates from the external CA to the Cognos Analytics installation directory, such as install_location\configuration\bin.

 

You must import the certificates from the external certificate authority (CA) into your IBM® Cognos® Analytics key store.

The import must be done on each computer where the following Cognos Analytics components are installed: Content Manager, the Application Tier Components, the gateway, and the client components such as Framework Manager, and other components if you use them.

 

Procedure to import the cer files

  1. Go to the location where you saved the certificate files from the CA authority, and do the following:
    1. Create a copy of the crypto certificate, and name it encryptCertificate.cer.
    2. Create a copy of the root CA certificate, and name it ca.cer. (cer or pem files work equal good).
  2. If the files are not already there, copy the encryptCertificate.cer, and ca.cer files to the install_location/bin directory.
  3. From install_location/bin directory, start the ThirdPartyCertificateTool command line tool (as shown below).
  4. Type the following command to import the CA root certificate into the Cognos Analytics trust store:

On Windows operating systems, type

ThirdPartyCertificateTool.bat -i -T -r ca.cer -p keystore_password
  • The command reads the ca.cer file and imports the contents into the CAMKeystore file in the certs directory using the specified password.
  • If you use intermediate CA certificates, import all the intermediate certificates (ICA) into the Cognos Analytics trust store by using the same commands as in step 4. Like ThirdPartyCertificateTool.bat -i -T -r issuing.pem -p NoPassWordSet
  • Import the server crypto certificate into the Cognos Analytics encryption key store by typing the following command:

On Windows operating systems, type

ThirdPartyCertificateTool.bat -i -e -r encryptCertificate.cer -p 
keystore_password -t ca.cer
  1. Important: Ensure that the keystore_password is the same password that you entered when you exported the encryption key in the previous task.

    If you have intermediate and root certificate, they need to be merge into the text file chain.cer, that is used instead of ca.cer in above command.

    See how here:

    https://www.ibm.com/support/pages/how-add-3rd-party-ca-allow-ssl-between-components-ibm-cognos-analytics-11

Results

The command reads the encryptCertificate.cer and ca.cer files in the install_location\bin directory and imports the certificates from both files into the CAMKeystore file in the install_location/configuration/certs directory using the specified password.

Ensure that the key store locations and passwords in IBM Cognos Configuration match the ones that you typed in the ThirdPartyCertificateTool tool.

Procedure to start CA with custom cert

  1. Open IBM Cognos Configuration as an administrator. Ensure HTTPS is used under Environment.
  2. In the Explorer window, under Security > Cryptography, click Cognos.
  3. Under Certificate Authority settings, click the Use third party CA property, and set its Value to True.
  4. For the Key store password property, enter the password that you used for the crypto key.
  5. Click File > Save to save the configuration.
  6. Restart your IBM Cognos services.

 

 

Test the IIS cert by browse to (or only browse to the Server name):

https://servername.domain.com/ibmcognos/controllerserver/ccrws.asmx

Test the Cognos BI cert by browse to (update with the port you use in Cognos Configuration):

https://servername.domain.com:9300/p2pd/servlet

If you have had the Cognos BI site running HTTP before, you must change in IIS webfarm to use the new HTTPS, and also update the port in use. Otherwise you will get 404 or 502 errors in Web browser.

Best is to clear the IIS configuration, and update the CA_IIS.Config.bat file with the new port number and rerun it. You should not need to delete the COGNOSCONTROLLERS folder, as long it uses a different application pool.

To remove IIS settings.

– Open IIS
– Click Application Pools
– Select the Cognos 11 App Pool and stop it
– Expand everything
– Select the ibmcognos -> sso application and remove it
– Select the ibmcognos application and remove it
– Click Application Pools, select the Cognos app pool, and delete it
– Close IIS

Open your file explorer
– Navigate to the Cognos gateway install directory
– Delete the following web.config files:

  • cgi-bin\web.config
  • webcontent\web.config
  • webcontent\bi\web.config

https://www.ibm.com/support/pages/node/301009

Edit the CA_IIS_Config.bat file with HTTPS and correct port

:: If more than one dispatcher is defined, a Server Farm will be created
::
set disp[1].protocol=https
set disp[1].name=servername
set disp[1].port=9300

:: Enable SSO (True/False)
::

Run the script again, to reconfigure the IIS setup.

You need also to add the certificate for your server to IIS Manager, simplest is if you get a PFX file with all information and import that to Windows server. Then you can in IIS manager bind it to your default web site.

 

More information:

https://www.ibm.com/support/pages/how-add-3rd-party-ca-allow-ssl-between-components-ibm-cognos-analytics-11

https://www.thebestcsharpprogrammerintheworld.com/2014/01/17/configuring-application-request-routing-arr-to-use-a-port-other-than-port-80/

by ·Comments Off on You can not use a PFX file to Cognos

Product:
Cognos Analytics 11.1.7
Cognos Controller 10.4.2
Microsoft Windows 2016 server

Issue:
How setup SSL(TLS1.2) with Cognos Analytics, when i only got a PFX file from my company?

Solution:

This is not the recommended way – you should use the IBM guides instead.

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=components-configuring-ssl-cognos-analytics

https://www.ibm.com/support/pages/how-configure-force-controller-use-tls-12

(This instructions will fail as the next time you start Cognos Configuration and click save, the CAMkeystore file is overwritten)

 

 

First, ensure Cognos Analytics is working with out issues. Check this log files and solve all errors before you start.
D:\Program Files\ibm\cognos\analytics\logs\p2pd_messages.log
D:\Program Files\ibm\cognos\analytics\logs\cognosserver.log
D:\Program Files\ibm\cognos\analytics\wlp\usr\servers\cognosserver\logs\messages.log

Second, always backup this folders – by copy them to a different folder like d:\temp
D:\Program Files\ibm\cognos\analytics\bin64\ssl
D:\Program Files\ibm\cognos\analytics\configuration\certs
D:\Program Files\ibm\cognos\analytics\ibm-jre\jre\lib\security

and for cognos controller backup this folders
D:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security
D:\Program Files\ibm\cognos\ccr_64\bin64\jre\8.0\lib\security

You should export a text file of the configuration in Cognos Configuration and create screen dumps of your setup in Cognos Controller Configuration, so you can apply them back in case something goes wrong. Use Select File – Export as.

Download OPENSSL to your windows laptop, with this program you can convert and check certificates. Download GIT for Windows to easy also get the OPENSSL tool. Download from https://git-scm.com/download/win
Run Git-2.37.3-64-bit.exe (with all defaults) to install GIT on you laptop.  Then you find openssl in folder: C:\Program Files\Git\mingw64\bin

 

IMPORTANT: Add a rule in the local windows defender firewall to allow inbound traffic on both port 80 and 443 on all cognos servers.

How install PFX in Windows (IIS)

Copy your PFX file to your server, place it in a folder like c:\cert
Right click on PFX file and select Install PFX

Select Local Machine and click Next

Click next on file to import.

Enter the password you got with the PFX file and click Next.

Click next on Certificate store, and let it be automatically selected.

Click Finish.

Start IIS (Internet Information Services Manager)

Click on the servername (home) and click on Server Certificates, to view that you have valid certificates. Check the Expiration Date to know witch one you can use.

In IIS manager, expand Sites, and mark Default Web Site. Click on bindings link on the right side.

Click ADD button.

Select HTTPS as type.

Select your certificate from the drop-down list SSL certificate, and press OK.

Later, when it is working, remove the support for port 80 in the bindings dialog.

Go to default web site\ibmcognos\bi folder and click on URL Rewrite icon

Double click on Reverse Proxy, to change it values.

Scroll down and edit the ReWrite URL to: https://ca_servers/bi/{R:0}

Click Apply on the right side.

Restart IIS.

 

If you have had the Cognos BI site running HTTP before, you must change in IIS webfarm to use the new HTTPS, and also update the port in use. Otherwise you will get 404 or 502 errors in Web browser.

Clear the IIS setup.  https://www.ibm.com/support/pages/node/301009

Update the CA_IIS_Config.bat file with HTTPS and correct port.

Run CA_IIS_Config.bat as a administrator in Command prompt.

 

How export the root and intermediate cer files from IIS

Go to server certificates, double click on your certificate.

Select Certificate Path tab, and select the middle certificate in the list, and click View Certificate button.

A new windows will open, in there go to the Details tab.

Select Subject row, and copy the CN line to the clipboard.

Click on the Copy to File button.

Click Next in the Certificate Export Wizard.

Mark Base-64 encoded X.509 and click next.

Enter a name and path, suggest use the CN name as name of the cer file. Click Next.

Click Finish.

Now, you need to repate this for the root certificate.

Click on Certificate path tab.

Click on top root cert and click on View Certificate button.

Go to Details tab and select Subject line.

Copy CN line to clipboard.

Click Copy to File button.

Click next in the Certification Export Wizard.

Mark Base-64 encoded X.509 and click Next.

Enter a file name like c:\cert\root.cer and click Next.

Click Finish to create the file.

Now you should have two cer files in your c:\cert folder.

You can test the certificate, by browse to your server at https://servername to see if you get errors in Internet Explorer.

Under Internet Options – Advance – you can uncheck “warn about certificate address mismatch” to suppress error messages.

Update the CAMstore

Before you change the certificate store in Cognos, stop all IBM Cognos services and java process.

Go to folder D:\Program Files\ibm\cognos\analytics\ibm-jre\jre\bin

Right click on IKEYMAN.EXE and select “run as administator”.

Click on the open icon.

Browse to D:\Program Files\ibm\cognos\analytics\configuration\certs folder and select CAMkeystore file.

Set Key database type to PKC$12 and press OK.

Enter the password: NoPassWordSet

Mark encryption, and click rename, to change it to encryptionold.

Click on Export/import button.

Browse to your PFX file.

Select type to be PKCS12 and press OK.

Enter the password you got with the PFX file.

Click OK on the question to change labels.

Mark the new line, and click rename button. Change the name to encryption.

Press OK.

Double click on encryption to check that the certificate is valid. Check the date and the DNS name is the same as your servername.

Select Signer Certificates in the drop down list.

Check that the root and issuing certificate for your company is in the list, if not then click on ADD button, and select the two cer files we created before and import them.

Exit IKEYMAN.  All changes in IKEYMAN are saved directly to your key store file. That is why you need to backup the key store file before you open IKEYMAN program.

Add root cert to java key store

Start IKEYMAN program with Run as Administrator

Click on Open icon.

Browse to D:\Program Files\ibm\cognos\analytics\ibm-jre\jre\lib\security and open cacerts as Type JKS.

Click OK and enter the password: changeit

Click on ADD button.

Find your issue cer file and import it.

Enter a name that describe the certificate and press OK.

Click on ADD button again, and import the root cer file.

Select the cer file and press OK.

Enter it a name and press OK.

Close IKEYMAN program.

Change CA11 to use custom certificate

Start Cognos Configuration program as Administrator.

At Local configuration, click on Advance properties.

Add the value StandaloneCerificateAuthority = True

Click OK

Go to Environment and change all HTTP to HTTPS.

Update the port number 80 to 443.

Keep the port-number 9300 for the other rows. We will use SSL over the port 9300.

Gateway should be: https://servername.domain.com:443/ibmcognos/bi/v1/disp

Controller URI for gateway should be: https://servername.domain.com:443/ibmcognos/controllerServer

Content Manager URI should be: https://servername.domain.com:9300/p2pd/servlet

Go to Cryptography – Cognos

Change Use Third Party CA? to True.

Save the configuration (this will update some key store files for WebSphere Liberty Profile).

Start the IBM Cognos service from inside Cognos Configuration.  This take around 10 minutes.

There should be no errors, when starting Cognos Analytics.

To test the certificate inside Cognos Analytics, start a web browser and go to https://servername.domain.com:9300/p2pd/servlet

There should be no errors, and the padlock should be secure in the web browser.

 

 

 

 

Add the trusted ca root cert to java store

On the cognos controller client computer, start IKEYMAN from D:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\bin  folder.

Click on OPEN icon and go to D:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security folder

Select file cacerts mad key database type JKS. Click on OK.

Enter the password: changeit

Select Signer Certificates from the drop down list.

Click on ADD button, to add the root.cer and issuing.cer files you have created before from IIS.

After you have added both certs, exit IKEYMAN program.

Copy now the cacerts file to all cognos controller installations, and place the file in folder D:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security.

If you are using ccrRemoteServer in file D:\Program Files\ibm\cognos\ccr_64\ControllerProxyServer\web.config

<add key=”ccrRemoteServer” value=”https://servername.domain.com/ibmcognos/controllerserver” />

That need to be updated with https, and the server need to be restarted.

 

Update Cognos Controller to support TLS 1.2

Go to the folder: d:\Program Files\ibm\cognos\ccr_64\server\
Open CCRProxy.options in NOTEPAD++
Add the following lines (at the end):
-Dcom.ibm.jsse2.overrideDefaultTLS=true
-Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12

Save the file.

On the Cognos Controller server and Cognos Controller clients do this:
1. Open the registry editor, by clicking on ‘Start’ menu and typing:    REGEDIT
2. Navigate to the following path: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
3. Right-click on v4.0.30319 and select New –> DWORD (32-bit)
  • Set the name to: SchUseStrongCrypto
  • Set the value to 00000001

 

Go into Cognos Controller Configuration and update the Report Server dialog to use HTTPS instead of HTTP.

Report server should be: https://servername.domain.com/ibmcognos/bi/v1/disp

Dispatcher URI should be: https://servername.domain..com:9300/p2pd/servlet/dispatch

Important to also update the Cognos Controller Client Distribution Server Configuration. All should use HTTPS.

When you change cognos controller configuration to HTTPS, you must also stop and start the Batch service from inside controller configuration, to update all files correct.

WSSUrl should be: https://servername.domain.com/ibmcognos/controllerserver

Save the changes in Controller Configuration.

To test that the SSL is working on the server, from the cognos controller client start a web browser and browse to

https://myservername.mycompany.com/ibmcognos/controllerserver/ccrws.asmx

There should be no errors.

 

 

(Please do not use this instructions – as they will not work – when you change in Cognos Configuration, the certificate store is replaced with the cognos default certificate – and the system will break)

Use this instructions instead:

https://www.ibm.com/support/pages/how-add-3rd-party-ca-allow-ssl-between-components-ibm-cognos-analytics-11

 

More Information:

https://www.ibm.com/support/pages/how-configure-main-controller-client-ccrexe-use-https-ssl

https://www.ibm.com/support/pages/how-configure-force-controller-use-tls-12

https://www.sslshopper.com/ssl-converter.html

by ·Comments Off on The TM1Web service parameter was not specified or is not one of the configured locations

Product:

Planning Analytics 2.0.9

Microsoft Windows 2019 server

Issue:

After adding support for HTTPS(SSL) to TM1WEB, the url does not work. You get loged in to CA11, but then you get a error like this:

The TM1Web service parameter was not specified or is not one of the configured locations

If you check the URL (copy it to notepad) you see that the TM1WEB server still are using the old port you had before HTTPS was implemented.

The TM1WEB.HTML file contain the correct value, with the new port for SSL communication, on the Cognos Analytics server.

Check folder c:\Program Files\ibm\cognos\analytics\webcontent\bi\tm1\web.

c:\Program Files\ibm\cognos\tm1web\wlp\usr\servers\tm1web\SERVER.XML have also a correct row for the new port;

<httpEndpoint id="defaultHttpEndpoint" httpPort="-1" httpsPort="9510" host="*" removeServerHeader="true" >

Solution:

tm1web_config.xml in folder c:\Program Files\ibm\cognos\tm1web\webapps\tm1web\WEB-INF\configuration, has the old server value hard-coded to this line ExternalUrl, it should be empty “”.

 <add key="X-Frame-Options" value="2" />
<!-- When performing CAM authentication, optional redirection url override example http://127.0.0.1:9510/tm1web -->
<add key="ExternalUrl" value="" /> 
<!-- LogoutUrl to be executed after logout normally completes-->
<add key="CustomCAMLogoutUrl" value="" />

Update the file and save it.

 

More information:

TM1WEB picks up your URL, and sends it to CA11 for login, then CA11 will check if the URL you come from matches the URL listed in the file TM1WEB.HTML, if it is not listed, then you get this error.

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=tls-use-key-management-configure-custom-certificates

https://www.ibm.com/docs/en/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/iKeyman.8.User.Guide.pdf

by ·Comments Off on NET ERR_CERT_COMMON_NAME_INVALID

Product:

Planning Analytics

Microsoft Windows 2019

Issue:

When user browse to tm1web site, they get a warning in web browser that “your connection is not private”.

If you check the certificate – by click on the padlock in the browser – windows says the certificate is OK.

Subject Alternative Name Missing The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

Certificate Error There are issues with the site’s certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).

Solution:

Order a new certificate for your TM1WEB server that contain a Subject Alternative Name, that is the server-name or DNS alias.

The certificate you have today, if you open it in MMC, under Details tab, there is no line for Subject Alternative Name, only a line for Subject.

 

More Information:

https://www.digicert.com/faq/subject-alternative-name.htm

Security certificate does not specify subject alternative names

by ·Comments Off on Only add rows for a date to table

Product:

Microsoft SQL server 2016

Microsoft Windows 2016 server

Problem:

How add rows for a date to a table?

Solution:

For this example we use this demo database:

https://www.brentozar.com/archive/2021/03/download-the-current-stack-overflow-database-for-free-2021-02/

Create a table with;

CREATE TABLE [dbo].[Storage](
[Id] [int] IDENTITY(1,1) NOT NULL,
[CreationDate] [datetime] NOT NULL,
[DisplayName] [nvarchar](40) NOT NULL,
[DownVotes] [int] NOT NULL,
[LastAccessDate] [datetime] NOT NULL,
[Location] [nvarchar](100) NULL,
[Reputation] [int] NOT NULL,
[UpVotes] [int] NOT NULL,
[Views] [int] NOT NULL,
[AccountId] [int] NULL,
[UpdateDate] [datetime] NOT NULL
CONSTRAINT [PK_Storage_Id] PRIMARY KEY CLUSTERED 
(
[Id] ASC
)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON, OPTIMIZE_FOR_SEQUENTIAL_KEY = OFF) ON [PRIMARY]
) ON [PRIMARY]
GO

To insert one row based on date and time;

INSERT INTO [dbo].[Storage]
(
[CreationDate],
[DisplayName],
[DownVotes],
[LastAccessDate],
[Location],
[Reputation],
[UpVotes],
[Views],
[AccountId],
[UpdateDate] 
)
SELECT
[CreationDate],
[DisplayName],
[DownVotes],
[LastAccessDate],
[Location],
[Reputation],
[UpVotes],
[Views],
[AccountId],
(GETDATE()) AS UpdateDate
FROM
[dbo].[Users]
WHERE
LastAccessDate = '2018-06-18 11:47:32.200'

To set a variable for a date;

DECLARE @@TargetDate DATETIME = '2018-06-18'
SELECT @@TargetDate

To insert all rows for a specific LastAccessDate;

INSERT INTO [dbo].[Storage]
(
[CreationDate],
[DisplayName],
[DownVotes],
[LastAccessDate],
[Location],
[Reputation],
[UpVotes],
[Views],
[AccountId],
[UpdateDate] 
)
SELECT
[CreationDate],
[DisplayName],
[DownVotes],
[LastAccessDate],
[Location],
[Reputation],
[UpVotes],
[Views],
[AccountId],
(GETDATE()) AS UpdateDate
FROM
[dbo].[Users]
WHERE
CONVERT (date,(LastAccessDate)) = @@TargetDate

 

More information

https://www.sqlshack.com/how-to-update-from-a-select-statement-in-sql-server/

https://popsql.com/learn-sql/sql-server/how-to-query-date-and-time-in-sql-server

SQL Server GETDATE () function and its use cases

by ·Comments Off on How add data from other table

Product:

Microsoft SQL server 2016

Microsoft Windows 2016

Problem:

How add data from one table to other table?

Suggested solution:

For the example we have downloaded the StackOverflow2013 database from here

https://www.brentozar.com/archive/2021/03/download-the-current-stack-overflow-database-for-free-2021-02/

Create a new table;

CREATE TABLE [dbo].[Staff](
[Id] [int] NOT NULL,
[CreationDate] [datetime] NOT NULL,
[DisplayName] [nvarchar](40) NOT NULL,
[DownVotes] [int] NOT NULL,
[LastAccessDate] [datetime] NOT NULL,
[Location] [nvarchar](100) NULL,
[Reputation] [int] NOT NULL,
[UpVotes] [int] NOT NULL,
[Views] [int] NOT NULL,
[AccountId] [int] NULL,
CONSTRAINT [PK_Staff_Id] PRIMARY KEY CLUSTERED 
(
[Id] ASC
)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON, OPTIMIZE_FOR_SEQUENTIAL_KEY = OFF) ON [PRIMARY]
) ON [PRIMARY]
GO

To be able to copy IDENTITY values between tables you need to use IDENTITY_INSERT and specify the columns in the INSERT INTO statement (not used in our example) .

SET IDENTITY_INSERT dbo.Employee ON

To copy all rows for users from Denmark to the new table;

INSERT INTO dbo.Staff
SELECT
    [Id],
    [CreationDate] ,
    [DisplayName] ,
    [DownVotes] ,
    [LastAccessDate],
    [Location] ,
    [Reputation] ,
    [UpVotes] ,
    [Views] ,
    [AccountId]
FROM windows2016.stackoverflow2013.dbo.users
WHERE location = 'Denmark'

To set the value to zero for column DownVotes when View is less than 100;

UPDATE [StackOverflow2013].[dbo].[Staff]
  SET DownVotes = 0
  WHERE views < 100

Select only one row by use of ID column;

SELECT *
FROM StackOverflow2013.dbo.staff
WHERE id = 19 AND location = 'denmark'
Update one column value for one row;
UPDATE StackOverflow2013.dbo.staff
SET DownVotes = 1
WHERE id = 19 AND location = 'denmark'

To list all users sorted by views column;

SELECT 
       [Id]
      ,[CreationDate]
      ,[DisplayName]
      ,[DownVotes]
      ,[LastAccessDate]
      ,[Location]
      ,[Reputation]
      ,[UpVotes]
      ,[Views]
      ,[AccountId]
  FROM [StackOverflow2013].[dbo].[Staff]
  ORDER BY views DESC

 

 

More information:

http://www.sql-server-helper.com/error-messages/msg-8101.aspx

https://www.sqlshack.com/how-to-copy-tables-from-one-database-to-another-in-sql-server/

https://www.sqlshack.com/overview-of-the-sql-insert-statement/

https://www.tutorialspoint.com/sql/sql-order-by.htm

by ·Comments Off on PA-gateway does not start after patch of windows

Product:

Planning Analytics Workspace

Microsoft Windows 2019 server

Issue:

After patch or restart of the Windows server, sometimes the PAW does not come up.

Suggested solution:

In Daemon.json file shutdown timeout settings update and changed to 600 sec from 180 sec

Found in folder C:\ProgramData\docker\config

Registry key settings update WaitToKillServiceTimeout increase to 20 sec from 5 sec

  • WaitToKillServiceTimeout: Windows normally waits 5 seconds for background services to clean up and close when you tell your computer to shut down. Some applications may change this value when you install them, giving their background services extra time to clean up. Windows forcibly shuts down background services after this period of time. This value controls how many seconds Windows waits before doing so. Windows will automatically shut down if all services close successfully before the timer expires.

It should be created in regedit under this branch:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control

Change the Service type of ‘Docker Engine’ to manual from automatic.

Create a task scheduler so that this ‘Docker Engine’ service should start only after 15 minutes of the server restart.

https://www.maketecheasier.com/start-scheduled-tasks-with-delay-windows/

https://www.technipages.com/scheduled-task-windows

More information:

https://www.ibm.com/support/pages/troubleshooting-planning-analytics-workspace-related-docker-issues

https://exploringtm1.com/how-to-install-planning-analytics-workspace-to-windows-server-2019/

https://www.ibm.com/support/pages/how-configure-planning-analytics-timeout-settings

https://www.howtogeek.com/282062/control-how-long-windows-waits-before-killing-apps-at-shutdown/