Product:
Cognos Analytics
Microsoft Windows 2016 server

Issue:

How do I check my computer for this issue?

Suggested solution:

Paste the code below into a text file and name the file check.ps1

gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path

Place the file in c:\temp and start a powershell session:

.\check.ps1 > result.txt

Run the file and redirect the result to a text file, so you can easily check later which files may be an issue.

The command checks whether the jar files contain the string JndiLookup.class

It will list the jar files that can have the issue; one example is C:\Program Files\ibm\cognos\analytics\bin\ThirdPartyCertificateTool.jar. Keep in mind that this program is not running all the time; it is only used when you run the tool from the command line, so this jar file carries very little risk. It is worse for web servers and web applications that run all the time.

You can unzip a jar file, to check its content.

If you remove the file JndiLookup.class and zip it back to a JAR file, you have cleaned the program.
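
The check above greps the raw jar bytes for the class name. The script below is an added example, not part of the original post or IBM's tooling: it opens each archive as a ZIP, looks for the exact JndiLookup.class entry, reads the log4j-core version from the Maven metadata when present, and (going beyond the one-liner) also looks inside jars nested in war/ear/fat-jar files. The report path, the nesting limit and the function name are assumptions; it needs PowerShell 5.1.

```powershell
# Added example: inventory of archives that carry the Log4j 2 JndiLookup class.
param(
    [string[]]$Root = @('C:\'),                      # scan roots; C:\ as in check.ps1
    [string]$OutCsv = 'C:\temp\log4j-findings.csv',  # assumed report path
    [int]$MaxDepth  = 3                              # assumed limit for nested archives
)

Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

$JndiEntry = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
$PomEntry  = 'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties'

# Walks one open ZipArchive and emits a finding when JndiLookup.class is present.
function Test-Archive {
    param($Zip, [string]$Name, [int]$Depth = 0)

    $hasJndi = $false
    $version = $null
    foreach ($entry in $Zip.Entries) {
        if ($entry.FullName -eq $JndiEntry) {
            $hasJndi = $true
        }
        elseif ($entry.FullName -eq $PomEntry) {
            # pom.properties carries a "version=" line when the jar was built with Maven.
            $reader = [System.IO.StreamReader]::new($entry.Open())
            try {
                if ($reader.ReadToEnd() -match '(?m)^version=(.+)$') { $version = $Matches[1].Trim() }
            } finally { $reader.Dispose() }
        }
        elseif ($Depth -lt $MaxDepth -and $entry.FullName -match '\.(jar|war|ear)$') {
            # Nested archive: its entries are compressed inside the outer file, so a
            # text search on the outer file cannot see them. Buffer it and recurse.
            $buffer = [System.IO.MemoryStream]::new()
            $stream = $entry.Open()
            try { $stream.CopyTo($buffer) } finally { $stream.Dispose() }
            $buffer.Position = 0
            $inner = $null
            try {
                $inner = [System.IO.Compression.ZipArchive]::new($buffer)
                Test-Archive -Zip $inner -Name "$Name!$($entry.FullName)" -Depth ($Depth + 1)
            } catch {
                Write-Warning "Could not read nested archive $Name!$($entry.FullName)"
            } finally {
                if ($inner) { $inner.Dispose() }
                $buffer.Dispose()
            }
        }
    }
    if ($hasJndi) {
        [pscustomobject]@{ Path = $Name; Log4jCoreVersion = $version; JndiLookupClass = $true }
    }
}

$findings = @(
    foreach ($r in $Root) {
        Get-ChildItem -Path $r -Recurse -Force -File -Include *.jar, *.war, *.ear -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file = $_          # keep the file; $_ is the error record inside catch
                $zip  = $null
                try {
                    $zip = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
                    Test-Archive -Zip $zip -Name $file.FullName
                } catch {
                    Write-Warning "Could not read $($file.FullName): $($_.Exception.Message)"
                } finally {
                    if ($zip) { $zip.Dispose() }
                }
            }
    }
)

$findings | Sort-Object Path | Export-Csv -Path $OutCsv -NoTypeInformation
$findings | Sort-Object Path | Format-Table -AutoSize
```

Run it from an elevated session so protected folders are readable; nested hits are listed as outer.war!WEB-INF/lib/inner.jar.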

 

More information:

https://www.ibm.com/support/pages/node/6526474

https://pmsquare.com/analytics-blog/2021/12/13/ibm-ca-pa-and-the-apache-log4j-cve-2021-44228-vulnerability

https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

https://www.ibm.com/support/pages/node/6525700?myns=swgother&mynp=OCSSCTEW&mync=E&cm_sp=swgother-_-OCSSCTEW-_-E

Within IBM Planning Analytics 2.0, only the IBM Planning Analytics Workspace component of IBM Planning Analytics is affected by a security vulnerability. Apache Log4j is used by IBM Planning Analytics Workspace as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j (CVE-2021-44228) vulnerability.

Log4j 1.2.17 and 1.x do not contain any of the same lookup / template evaluation code, and the only class related to JNDI (JMSAppender) does not appear to connect to user-controlled remote systems based on log events.  Older versions of Cognos Controller that use log4j-1.2.7.jar do not have the same issue.

Log4j: It’s worse than you think

Product:
Cognos Analytics 11.1.7
Microsoft Windows 2019 server
Issue:

Should I do something for Cognos products because of the Log4j vulnerability?

There is now a “patch”; read more here: https://www.ibm.com/support/pages/node/6526474

Security Bulletin: IBM Cognos Analytics: Apache log4j Vulnerability (CVE-2021-44228)

https://www.ibm.com/support/pages/node/6538720

Background:
https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html

By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. The attacker must get the Cognos logger software to process a string for the log file that activates the JNDI function to contact LDAP server xxxx and download information, which in reality can be Java code, and execute it. This gives the possibility to install Trojans and other software, but the attacker needs to trick Cognos into sending the information to the logger.

How Log4j Vulnerability Could Impact You

Suggested Solution:
First check what IBM says; if needed for Cognos, they will release a patch or instructions on their page.

https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

Things you can do:
Ensure that the Cognos servers do not have contact with the Internet, so that no application on the server can reach out and download other software.
Creating a default-deny firewall rule will prevent servers from creating unapproved connections and can help reduce your risk of a compromise.

Ensure that only the people and computers that need it have access to your Cognos servers.

You can use tools to see if you have the vulnerability:

https://log4shell.huntress.com/

https://github.com/xforcered/scan4log4shell

https://www.infoworld.com/article/3644492/how-to-detect-the-log4j-vulnerability-in-your-applications.html

Log4j is a tool to create log files, used by WebSphere and maybe Cognos software.
Check version of WebSphere with this command:

Above is from CA11.1.x  CM_version=11.1.7-41.
In a CMD prompt, go to the java bin folder (the path depends on the version of Cognos Analytics).
Enter the command "C:\Program Files\ibm\cognos\analytics\wlp\bin\productinfo" version (the quotes are needed because the path contains a space).
CA11 uses WebSphere Liberty Server, where the version number is the year it was released.
The latest version of WebSphere Application Server (WAS) is 9, which should correspond to WLP 20.

https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server

Above is from CA11.0.x  CM_version=11.0.12.18

You can search your cognos folder, to see if you have Log4j files that can contain this issue.

You will find it in several folders, but it is only the top one \bin that is the default. The others are cached versions in folders like C:\Program Files\ibm\cognos\analytics\wlp\usr\servers\cognosserver\workarea\org.eclipse.osgi\61\data\cache\com.ibm.ws.app.manager_157\.cache\WEB-INF\lib

Log4j-core and Log4j-api can contain this issue. In the picture above from CA11, we see that version 2.7 of Log4j is used. That is old, so the LOG4J_FORMAT_MSG_NO_LOOKUPS parameter will not work.

Versions of Log4j are listed here:
https://logging.apache.org/log4j/2.x/changes-report.html

If you cannot wait for IBM's instructions for Cognos (https://www.ibm.com/support/pages/node/6526474), you can test this in your lab.

“the mitigation is to remove the JndiLookup class from the classpath, with command: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class. ”

Stop the IBM Cognos service.


Copy the log4j-core-2.7.jar file to a new folder e.g. c:\tempfix

Unzip the jar file.

Go down in the unzipped folder structure to C:\tempfix\log4j-core-2.7\org\apache\logging\log4j\core\lookup folder

Remove the file JndiLookup.class

Go back to your top folder, and zip it again.

Rename your log4j-core-2.7.jar to log4j-core-2.7.org.jar ( to keep a backup ).

Rename your log4j-core-2.7.zip file to log4j-core-2.7.jar.

Copy the new log4j-core-2.7.jar file to your C:\Program Files\ibm\cognos\analytics\bin folder.

Start IBM Cognos.

Check that you can login and run reports.
Log4j is used to create the cognosserver.log files, so carefully check that the log files work as expected.
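
The unzip / delete / re-zip steps above can also be done without unpacking the jar. The script below is an added example, not IBM's procedure or code from the original post: it keeps the untouched jar as log4j-core-2.7.org.jar in c:\tempfix, deletes only the JndiLookup.class entry from a working copy, verifies the result and copies it back. It assumes the IBM Cognos service is already stopped; the function names are hypothetical and the paths are the ones used in the steps above.

```powershell
# Added example: remove JndiLookup.class from a log4j-core jar in place.
# Assumes the IBM Cognos service is stopped, otherwise the jar is locked.
param(
    [string]$Jar     = 'C:\Program Files\ibm\cognos\analytics\bin\log4j-core-2.7.jar',
    [string]$WorkDir = 'C:\tempfix'
)

$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

$JndiEntry = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'

# True when the archive still contains the JndiLookup class entry.
function Test-JndiLookupPresent {
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try { return $null -ne $zip.GetEntry($JndiEntry) }
    finally { $zip.Dispose() }
}

function Remove-JndiLookupClass {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$WorkDir
    )

    $source = Get-Item -LiteralPath $Path
    if (-not (Test-JndiLookupPresent -Path $source.FullName)) {
        # Nothing to do: the class is already gone (or this is not log4j-core 2.x).
        return [pscustomobject]@{ Jar = $source.FullName; Changed = $false; Backup = $null }
    }

    # The backup is kept in the work folder, not next to the live jar, so that no
    # second *.jar copy of the unpatched library is left in the bin folder.
    $work    = (New-Item -ItemType Directory -Path $WorkDir -Force).FullName
    $backup  = Join-Path $work ($source.BaseName + '.org.jar')
    $patched = Join-Path $work $source.Name
    if (Test-Path -LiteralPath $backup) { throw "Backup already exists: $backup" }

    Copy-Item -LiteralPath $source.FullName -Destination $backup
    Copy-Item -LiteralPath $source.FullName -Destination $patched -Force

    # Update mode rewrites the archive on Dispose; all other entries, including
    # META-INF/MANIFEST.MF, keep their original paths.
    $zip = [System.IO.Compression.ZipFile]::Open($patched, [System.IO.Compression.ZipArchiveMode]::Update)
    try { $zip.GetEntry($JndiEntry).Delete() }
    finally { $zip.Dispose() }

    if (Test-JndiLookupPresent -Path $patched) {
        throw "JndiLookup.class is still present in $patched"
    }

    Copy-Item -LiteralPath $patched -Destination $source.FullName -Force

    [pscustomobject]@{
        Jar            = $source.FullName
        Changed        = $true
        Backup         = $backup
        OriginalSha256 = (Get-FileHash -LiteralPath $backup -Algorithm SHA256).Hash
        PatchedSha256  = (Get-FileHash -LiteralPath $source.FullName -Algorithm SHA256).Hash
    }
}

Remove-JndiLookupClass -Path $Jar -WorkDir $WorkDir
```

Deleting the entry in place avoids the most common mistake of the manual route, which is zipping the unpacked folder itself so that every class ends up one directory level too deep in the new jar.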

https://docs.oracle.com/javase/tutorial/deployment/jar/build.html

https://convertio.co/zip-jar/

https://www.freefileconvert.com/zip-jar

If your test works out well, you can update the C:\Program Files\ibm\cognos\analytics\bin\log4j-core-2.7.jar file on your other CA11 servers.

PAW has a fix at:

Security Bulletin: IBM Planning Analytics Workspace: Apache log4j Vulnerability (CVE-2021-44228)

https://www.ibm.com/support/pages/node/6525316

https://www.ibm.com/support/pages/node/6192099

For the latest Cognos Controller version there is a new version out, but more information may come from IBM.

Security Bulletin: IBM Cognos Controller 10.4.2 IF16: Apache log4j Vulnerability (CVE-2021-44228)

TM1 may also not use the affected version. Check with IBM Support to hear what they say.

IBM SPSS has a fix at https://www.ibm.com/support/pages/node/6526182

IBM ILMT has a different version of Log4j, and therefore a different workaround:

Most products will have a “patch” to upgrade to later Log4j versions.

https://www.ibm.com/support/pages/node/6525762

Workaround 1. Manually upgrade Log4j library included in VM Manager Tool in versions 9.2.21.0 – 9.2.25.0 to version 2.15.0

  1. Download the Log4j library package in version 2.15.0 from this page: https://logging.apache.org/log4j/2.x/download.html and extract them.
  2. Copy the following files to the <VM_Manager_Tool_home_dir>/lib/ directory.
    • log4j-api-2.15.0.jar
    • log4j-core-2.15.0.jar
  3. Stop the VM Manager Tool by using the -stop switch of the <VM_Manager_Tool_home_dir>/vmman.sh|bat script. For more information, see: VM Manager Tool command-line options.
  4. Remove the following JAR files from the <VM_Manager_Tool_home_dir>/lib/ directory.
    • log4j-api-2.13.3.jar
    • log4j-core-2.13.3.jar
  5. Depending on your operating system, modify one of the following files.
    • LINUX: In the <VM_Manager_Tool_home_dir>/vmman.sh file, find the following lines:
      VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-api-2.13.3.jar
      VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-core-2.13.3.jar
      Change them to:
      VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-api-2.15.0.jar
      VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-core-2.15.0.jar
    • WINDOWS: In the <VM_Manager_Tool_home_dir>/vmman.bat file, find the following lines:
      SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-api-2.13.3.jar
      SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-core-2.13.3.jar
      Change them to:
      SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-api-2.15.0.jar
      SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-core-2.15.0.jar
  6. Start the VM Manager Tool by using -run switch of the <VM_Manager_Tool_home_dir>/vmman.sh|bat script. For more information, see: VM Manager Tool command-line options.

Workaround 2. Mitigate the issue on the current version of the Log4j library included in VM Manager Tool in versions 9.2.21.0 – 9.2.25.0 by the configuration change

  1. Depending on your operating system, run one of the following:
    • LINUX: In the <VM_Manager_Tool_home_dir>/vmman.sh file, find the following line. It might not contain all the parameters starting with -D string, for example, it might not contain the -Dsun.net.http.allowRestrictedHeaders=true substring.
      VMM_PROPERTIES_DEFS="-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1 -Dcom.ibm.jsse2.disableSSLv3=false -Dcom.ibm.tools.attach.enable=no -Dsun.net.http.allowRestrictedHeaders=true"
      Add the following text at the end of the found line, just before the double quotation mark that ends this line.
      " -Dlog4j2.formatMsgNoLookups=true" (including the space character at the beginning of the text)
      For example:
      VMM_PROPERTIES_DEFS="-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1 -Dcom.ibm.jsse2.disableSSLv3=false -Dcom.ibm.tools.attach.enable=no -Dsun.net.http.allowRestrictedHeaders=true -Dlog4j2.formatMsgNoLookups=true"
    • WINDOWS: In the <VM_Manager_Tool_home_dir>/vmman.bat file, add the following entry as the last line of the ####### PROPERTIES DEFINITONS ####### section:
      SET VMM_PROPERTIES_DEFS=%VMM_PROPERTIES_DEFS% -Dlog4j2.formatMsgNoLookups=true
  2. Stop the VM Manager Tool by using the -stop switch of the <VM_Manager_Tool_home_dir>/vmman.sh|bat script. For more information, see: VM Manager Tool command-line options.
  3. Start the VM Manager Tool by using the -run switch of the <VM_Manager_Tool_home_dir>/vmman.sh|bat script. For more information, see: VM Manager Tool command-line options.

 

Fixes:

https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

https://www.ibm.com/support/pages/node/6525762

https://www.ibm.com/support/pages/security-bulletin-vulnerability-apache-log4j-affects-websphere-application-server-cve-2021-44228

https://www.ibm.com/support/pages/node/6526182

https://www.ibm.com/support/pages/node/6525706

More Information:

https://pmsquare.com/analytics-blog/2021/12/13/ibm-ca-pa-and-the-apache-log4j-cve-2021-44228-vulnerability

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

https://www.ibm.com/support/pages/17004-websphere-application-server-liberty-17004

https://www.ibm.com/support/pages/20002-websphere-application-server-liberty-20002

https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server#WebSphere_Liberty_Versions

https://securityintelligence.com/posts/apache-log4j-zero-day-vulnerability-update/

https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

https://www.skylit.com/javamethods/faqs/createjar.html
https://success.trendmicro.com/solution/000289940

https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

https://bishopfox.com/blog/log4j-zero-day-cve-2021-44228

Reference material can be found at the Apache.org Log4j Security Vulnerability page.
IBM X-Force also has provided an analysis of the Log4j vulnerability, which can be found on the IBM Security Intelligence blog.

You have to decide how you will handle this possible threat in your organization.
This is only a list of information on the subject.
You should check the logs from your antivirus / firewall software to see if you are already compromised.

https://community.ibm.com/community/user/businessanalytics/communities/community-home/digestviewer/viewthread?MessageKey=ca2a4b8f-5ef7-44a7-85a3-25b4e26a0f7b&CommunityKey=8fde0600-e22b-4178-acf5-bf4eda43146b&tab=digestviewer

The IBM Cognos Analytics team have developed a “no-upgrade” option for our “On Prem” (local installation) customers.

To get the patch, click this link: CA-11.x-Log4jSafeAgent

For detailed instructions, see Mitigate the Apache Log4j vulnerability (CVE-2021-44228) in Cognos Analytics 

| Affected Version | Fix Version | Bundled Customers |
|---|---|---|
| IBM Cognos Analytics 11.2.x | Cognos Analytics 11.2.1 Interim Fix 1 | IBM Cognos Analytics 11.2.1 Interim Fix 2 (Bundled) |
| IBM Cognos Analytics 11.1.x | Cognos Analytics 11.1.7 Interim Fix 6 | IBM Cognos Analytics 11.1.7 Interim Fix 7 (Bundled) |
| IBM Cognos Analytics 11.0.6 to 11.0.13 FP4 | Cognos Analytics 11.0.13 Interim Fix 3 | IBM Cognos Analytics 11.0.13 Interim Fix 4 (Bundled) |

New version from 13 Jan 2022:

| Affected Version | Fix Version | Bundled Customers |
|---|---|---|
| IBM Cognos Analytics 11.2.x | IBM Cognos Analytics 11.2.1 Interim Fix 3 | IBM Cognos Analytics 11.2.1 Interim Fix 3 (Bundled) |
| IBM Cognos Analytics 11.1.x | IBM Cognos Analytics 11.1.7 Interim Fix 8 | IBM Cognos Analytics 11.1.7 Interim Fix 8 (Bundled) |
| IBM Cognos Analytics 11.0.6 to 11.0.13 FP4 | IBM Cognos Analytics 11.0.13 Interim Fix 5 | IBM Cognos Analytics 11.0.13 Interim Fix 5 (Bundled) |

 

Product:
Microsoft SQL server 2016

Issue:
Want a list of all collation settings on the databases.

Solution:

Run this SQL query on server:

USE Master
GO
SELECT
 NAME, 
 COLLATION_NAME
FROM sys.Databases
 ORDER BY DATABASE_ID ASC
GO

More information:

https://www.mssqltips.com/sqlservertip/2513/identify-sql-server-instance-and-database-collation-using-tsql-and-ssms/

https://sqlquantumleap.com/2018/06/11/changing-the-collation-of-the-instance-and-all-columns-across-all-user-databases-what-could-possibly-go-wrong/

Most common are:  SQL_Latin1_General_CP1_CI_AS

Product:
Planning Analytics 2.0.9.10
Microsoft Windows 2016 server

Issue:
Changes are made to the tm1web_config.xml file to pre-populate the HOST name field, so the user does not need to select an adminhost before getting a list of applications. But the change is not visible when you browse to http://tm1webservername.domain.com:9511/tm1web/

The configuration parameters for IBM® Planning Analytics TM1® Web are stored in the tm1web_config.xml file.

The tm1web_config.xml file is located in the following location:

<TM1 install location>\webapps\tm1web\WEB-INF\configuration\

You can edit the file to add several adminhostservers, separated by semicolon.

 <!-- If set, users will not be asked to enter Admin Host during login. -->
<add key="AdminHostName" value="tm1server1.domain.com;tm1server2.domain.com;tm1server3.domain.com" />

 

Solution:

You must close the notepad program that you use to edit the tm1web_config.xml, before the TM1 Web service will be able to read the file and use the changes.

You do not need to restart the service “IBM Planning Analytics Spreadsheet Services” for the changes to take effect.

To troubleshoot, check the log file tm1web.log in folder D:\Program Files\ibm\cognos\tm1web\webapps\tm1web\WEB-INF\logs.  You may have this error in it:

 

Exception Error: ‘d:\Program Files\ibm\cognos\tm1web\webapps\tm1web\WEB-INF\configuration\tm1web_config.xml (The process cannot access the file because it is being used by another process.)’

WHILE [CCLMsg: system text=’loading TM1Web configuration from file ‘d:\Program Files\ibm\cognos\tm1web\webapps\tm1web\WEB-INF\configuration\tm1web_config.xml”]

Stack Trace: com.cognos.ccl4j.exceptions.CCLRuntimeException (root java.io.FileNotFoundException):

‘d:\Program Files\ibm\cognos\tm1web\webapps\tm1web\WEB-INF\configuration\tm1web_config.xml (The process cannot access the file because it is being used by another process.)’

WHILE [CCLMsg: system text=’loading TM1Web configuration from file ‘d:\Program Files\ibm\cognos\tm1web\webapps\tm1web\WEB-INF\configuration\tm1web_config.xml”]

at com.ibm.cognos.tm1.web.shares.TM1WebConfig.loadConfigFile(TM1WebConfig.java:245)

at com.ibm.cognos.tm1.web.shares.TM1WebConfig.access$100(TM1WebConfig.java:58)

at com.ibm.cognos.tm1.web.shares.TM1WebConfig$1.update(TM1WebConfig.java:176)

at com.ibm.cognos.tm1.web.shares.TM1WebConfig$1.update(TM1WebConfig.java:171)

at com.ibm.cognos.tm1.observe.Observable.notifyObservers(Observable.java:30)

at com.ibm.cognos.tm1.file.Watcher.watchFileChanges(Watcher.java:86)

at com.ibm.cognos.tm1.file.Watcher.access$300(Watcher.java:16)

at com.ibm.cognos.tm1.file.Watcher$FileWatcher.run(Watcher.java:99)

at java.lang.Thread.run(Thread.java:822)

Caused by: java.io.FileNotFoundException: d:\Program Files\ibm\cognos\tm1web\webapps\tm1web\WEB-INF\configuration\tm1web_config.xml (The process cannot access the file because it is being used by another process.)

at java.io.FileInputStream.open0(Native Method)

at java.io.FileInputStream.open(FileInputStream.java:212)

at java.io.FileInputStream.<init>(FileInputStream.java:152)

at com.ibm.cognos.tm1.web.shares.TM1WebConfig.loadConfigFile(TM1WebConfig.java:242)

 

More information:

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=mtwcp-configuring-tm1-web-login-page-using-adminhostname-tm1servername-parameters

https://www.tm1forum.com/viewtopic.php?t=12139

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=parameters-tm1-web-configuration

Please check carefully whether the instructions are valid for the new TM1WEB, which uses a different path.

https://www.ibm.com/support/pages/how-manage-your-tm1-application-server-java-memory

AdminHostName If set, users are not asked to enter a value for Admin Host during login.

Other values you can change for tm1web:

<!-- CubeViewerRowPageSize: Number of rows to fetch in a page of cubeviewer -->
<add key="CubeViewerRowPageSize" value="500" />
<!-- CubeViewerColumnPageSize: Number of columns to fetch in a page of cubeviewer -->
<add key="CubeViewerColumnPageSize" value="100" />

<!-- MaximumSheetsForExport: Maximum number of sheets allowed to Export -->
<add key="MaximumSheetsForExport" value="80" />

Product:
Planning Analytics 2.0.9.10

Microsoft Windows 2016 server

Issue:
In a new setup of PA with SSO to CA11 (Cognos Analytics), when you log in to TM1 Architect you get a blank screen,

and you have “Internet Explorer Enhanced Security Configuration is enabled”.

Solution:

On each computer, for each user that runs TM1 Architect (or tries to reach TM1WEB), you must add the CA11 server to the local intranet zone in Internet Options.

On the computer go to Internet Options ( in control panel or from settings in your browser)

Select security tab.

Select local intranet and click on sites.

Enter the url to the CA11 server and click ADD.  (like http://caservername.domain.com)

Click Close.

Click OK.

Best is to add all your Cognos servers to the local zone.

Product:
Microsoft SQL server 2016

Issue:
Trying to find out whether any SQL Agent jobs reference the file foo.

Solution:

Run this SQL query on the server:

SELECT s.step_id as 'Step ID',
j.[name] as 'SQL Agent Job Name',
s.database_name as 'DB Name',
s.command as 'Command'
FROM msdb.dbo.sysjobsteps AS s
INNER JOIN msdb.dbo.sysjobs AS j ON s.job_id = j.job_id
WHERE s.command LIKE '%foo%'

 

More Information:

https://www.sqlserver-dba.com/2020/05/how-to-search-sql-server-agent-command-text-for-a-string.html

Product:
Planning Analytics Workspace 68
Microsoft Windows 2016 server

Issue:
When you browse from IE to the PAW portal to log in, you are redirected to Cognos Analytics, but are then stuck.

Suggested Solution:

Use Chrome instead.

Internet Explorer 11 is no longer supported with Planning Analytics Workspace 2.0.57 and higher versions of Planning Analytics Workspace.

If you use Edge and use Cognos BI for authentication, check that there is no group policy that changes Edge to use IE11 mode at logon; if there is, you will get about half a circle in the browser when you connect to PAW. Switch Edge to use Edge (Chromium mode) to make it work with PAW.

 

More information:

https://exploringtm1.com/planning-analytics-supported-environment/

https://www.ibm.com/support/pages/errors-internet-explorer-11-planning-analytics-workspace-2057-unable-load-requested-view-unable-get-property-learningpanel

https://www.ibm.com/software/reports/compatibility/clarity/softwareReqsForProduct.html

Product:
Planning Analytics Workspace 68  https://www.ibm.com/support/pages/ibm-planning-analytics-20-fix-lists
Microsoft Windows 2016 server

Issue:
Starting the Docker service gives an error like:

error during connect: Get http://%2F%2F.%2Fpipe%2Fdocker_engine/v1.40/containers/json: open //./pipe/docker_engine: The system cannot find the file specified. In the default daemon configuration on Windows, the docker client must be run elevated to connect. This error may also indicate that the docker daemon is not running.

Suggested solution:

Check the file C:\ProgramData\docker\config\daemon.json for typographical errors.
If you change the file daemon.json, you must reboot the Windows server for the changes to take effect.

Rename the file d:\ibm\paw\config\paw.ps1 to paw.ps1.txt and try to start PAW again.

To get info about docker enter

docker info

To remove Docker, start PowerShell as administrator and try these commands:

./paw.ps1 down
docker kill $(docker ps -q)
docker rm $(docker ps -a -q)
docker rmi $(docker images -q)

docker ps --quiet | ForEach-Object {docker stop $_}
docker system prune --volumes --all

If for some reason the docker command does not work at all and the Docker service does not start, you can try to create a new docker folder like d:\dock and then change the C:\ProgramData\docker\config\daemon.json file to point to the new folder. "data-root": "d:\\dock" tells which folder to use.

Reboot the windows server and wait 30 min to see if the windows docker service starts.

Remove HostValidated file from your folder d:\ibm\paw\config

Remove upgradewarned file from your folder d:\ibm\paw\config

If it starts, you can restart the installation of PAW by going to your d:\ibm\paw folder and running the ./Start.ps1 command inside PowerShell again.

If you see errors in the Windows event log like this:

Syscall did not complete within operation timeout. This may indicate a platform issue. If it appears to be making no forward progress, obtain the stacks and see if there is a syscall stuck in the platform API for a significant length of time…

cleanup: failed to delete container from containerd: no such container…

driver “windowsfilter” failed to remove root filesystem: hcsshim::GetComputeSystems: The requested compute system operation is not valid in the current state.

and you are using Symantec Endpoint Protection version 14.3.3385.1000 then you should uninstall Symantec software fully from the server.

Then install PAW without the anti-virus software.

When PAW and Docker are installed and working, you can install your anti-virus software again.  You may need to configure the anti-virus software so it works with Docker.

More information:
https://www.digitalocean.com/community/tutorials/how-to-remove-docker-images-containers-and-volumes

https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon

https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=local-uninstall-planning-analytics-workspace

scripts/paw.ps1 down --rmi all -v
https://www.ibm.com/support/pages/container-marked-removal-and-cannot-be-started-driver-windowsfilter-failed-remove-root-filesystem-hcsshimgetcomputersystems
https://www.ibm.com/support/pages/troubleshooting-planning-analytics-workspace-related-docker-issues

Product:
Cognos Analytics 11.1.7

kit_version=11.1.7-2106251648
CAMAAAWA_version=11.1.7-21
CM_version=11.1.7-54
Microsoft Windows 2016 server

Issue:
How do I install CA11 on my Windows server?

Solution:
Follow the IBM documentation. Here is only a list of things to think about.

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=1117-release-fp3-june-2021

Download the software from IBM

https://www.ibm.com/support/pages/ibm-cognos-analytics-1117-fix-pack-3

You need at least the analytics-installer-2.2.2-win.exe and casrv-11.1.7-2106251648-winx64h.zip.

Check this before installation on your new windows server:

Check that you have remote access to all your Cognos servers
Install SQL 2012 native client for ODBC support to SQL databases

https://download.microsoft.com/download/B/E/D/BED73AAC-3C8A-43F5-AF4F-EB4FEA6C8F3A/ENU/x64/sqlncli.msi

Install .NET Framework 4.7.2

https://support.microsoft.com/sv-se/help/4054530/microsoft-net-framework-4-7-2-offline-installer-for-windows

Turn DEP off in Windows control panel
Set Power Options to HIGH Performance in Windows control panel
Turn off IEESC (internet explorer enhanced security configuration)
Check what port your SQL server will use, for access to Content Store and Audit database.
Exclude cognos folders from anti-virus software scanning
Open firewall ports 80, 443 to end users
Open firewall ports 80, 443, 9300, 9362, 4300, 5701, 9301 between servers.
Open firewall ports 1433 for SQL, 25 for Mail, 389 for Active Directory.
Install 7zip and Notepad++ to edit xml files on the server.

 

 

Install IIS on the Windows Server 2016 select Web Server IIS, ASP.NET 4.6, HTTP Activation, TCP Port Sharing, HTTP Redirection, WebDav Publishing, ISAPI Extensions, Websocket, Windows Authentication, IIS Management Scripts and Tools.
Update regedit HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp\MajorVersion to 9  (only if needed)
Install https://www.iis.net/downloads/microsoft/application-request-routing  or

rewrite_amd64_en-US.msi
requestRouter_amd64.msi

http://download.microsoft.com/download/5/7/0/57065640-4665-4980-a2f1-4d5940b577b0/webfarm_v1.1_amd64_en_us.msi
https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_en-US.msi

https://download.microsoft.com/download/E/9/8/E9849D6A-020E-47E4-9FD0-A023E99B54EB/requestRouter_amd64.msi

Run the installation of Cognos Analytics manually

https://www.ibm.com/docs/en/SSEP7J_11.1.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/inst_cr_winux.pdf

Get the CA_IIS_Config.bat script from folder D:\Program Files\ibm\cognos\analytics\cgi-bin\templates\IIS and copy it to its own folder, e.g. d:\install

http://www-01.ibm.com/support/docview.wss?uid=swg22000097

Run the installation of the Cognos Analytics developer programs (framework manager)
Update the IIS script with the server name, and run the script CA_IIS_Config.bat
Copy file sqljdbc42.jar into folder d:\program files\ibm\cognos\analytics\drivers

https://download.microsoft.com/download/F/0/F/F0FF3F95-D42A-46AF-B0F9-8887987A2C4B/sqljdbc_4.2.8112.200_enu.exe

Setup a Notification database in SQL, if you have many users in cognos and many scheduled jobs
https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=performance-bulk-cleanup-nc-tables
Setup a Content Store and Audit database in your SQL server
Configure Cognos Analytics with FQDN, leave Websphere memory at 8182
Install the CA samples https://revelwood.com/installing-samples-cognos-analytics/

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=samples-downloading-configuring-extended

Setup WebDav in IIS

https://www-01.ibm.com/support/docview.wss?uid=swg22002398&aid=1

Stop creation of dump files: open the cclWinSEHConfig.xml file from the install_location\configuration folder and set "CCL_HWE_ABORT" value="0"
Setup the audit database source and copy the D:\Program Files\ibm\cognos\analytics\samples\Audit_samples\IBM_Cognos_Audit.zip file to D:\Program Files\ibm\cognos\analytics\deployment folder. Import the audit samples.
Create a company logo in cognos  https://quebit.com/askquebit/IBM/creating-and-setting-a-default-theme-for-cognos-analytics-11-0-4/ The tags can be different for the different versions.
Tune logging to “Basic” in cognos connection
Activate SSO in Cognos Configuration by adding the advanced property
Name : singleSignonOption

Value: IdentityMapping

https://www.ibm.com/support/pages/how-configure-sso-single-sign-controller-cognos-analytics

Set CAF to exclude *.domain.com and tm1webserver:9510 and tm1webserver:9511
If you also have Cognos Controller then change Security – Authentication in CA11, Inactivity timeout in seconds to 36000
Update the Windows TCP settings by importing the reg values below:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"MaxUserPort"=dword:0000fffe
"TcpTimedWaitDelay"=dword:00000032

To log in to Planning Analytics with Cognos BI (CAM) you need to change a few files, as below:

Update tm1web.html with tm1web servername and port, like this

var tm1webServices = ["http://tm1servername.domain.com:9510","http://tm1webservername.domain.com:9511"];

Copy tm1web.html to locations;

D:\Program Files\ibm\cognos\analytics\webcontent\bi\tm1\web

D:\Program Files\ibm\cognos\analytics\webcontent\tm1\web

Update pmhub.html with the PAW servername and port as well, like this

var pmhubURLs = ["http://tm1servername.domain.com:9510","http://tm1webservername.domain.com:9511","http://pawservername.domain.com"];

Copy pmhub.html to locations;
D:\Program Files\ibm\cognos\analytics\webcontent

D:\Program Files\ibm\cognos\analytics\webcontent\bi

Update planning.html with the tm1servername and port as well, like this

var planningServices = ["http://tm1servername.domain.com:9510","http://tm1webservername.domain.com:9511"];

Copy planning.html to same folders as pmhub.html listed above.

The content manager will look in folder D:\Program Files\ibm\cognos\analytics\webcontent for these files, but the Cognos Gateway will look in folder D:\Program Files\ibm\cognos\analytics\webcontent\bi for the files above.

 

To prevent scriptable report error  when running sample custom control reports
you need to change the sample reports as below (they are written to only work on port 9300).

The global Sales Report is a sample showing how to use a javascript file with a custom control. These are authored to work ‘out of the box’ via dispatcher but not via a gateway.

To use with a gateway you need to edit the custom control in the report to point to the correct path.

1. Open the ‘Global Sales’ report in Edit mode.
2. Select the custom control, which is the thin blue box underneath the Prompts, and view the properties.
3. In properties under General choose the ‘Module Path’ property and click the ellipsis.
4. By default this path is set to '/bi/samples/js/HideShowFilterPanel.js'
5. Please add your gateway to the front of this path so it reads something like: '/ibmcognos/bi/samples/js/HideShowFilterPanel.js' (where ibmcognos is the name of your gateway virtual directory)
6. Save and re-execute the report.

Setup of jupyter notebook is not covered here, you have to follow the IBM documentation.

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=server-configuring-cognos-analytics-gateway-jupyter-notebook

 

More information:

https://www.ibm.com/support/pages/ibm-cognos-analytics-premises-111x-supported-software-environments

https://www.ibm.com/docs/en/cognos-analytics/11.0.0?topic=configuring-upgrade-cognos-analytics

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=samples-cognos-analytics

https://www.ibm.com/support/pages/scriptable-report-error-when-running-cognos-sample-global-sales-report

https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=administration-tuning-server-performance

https://intelalytics.com/blog-and-downloads/f/notes-on-installing-cognos-111x-in-a-windows-environment

Product:
Planning Analytics 2.0.9.10
Microsoft Windows 2016 server

Issue:
I have several Cognos BI servers on which I need to update the planning.html file to make SSO work for TM1.

Solution:

On your source TM1 server, create a folder c:\script\tm1.

Create a text file serverslist.txt, where you enter the name or IP address of the servers.

Copy the updated planning.html, pmhub.html and tm1web.html files to this folder.

Create a powershell file, copyfiles.ps1, with this content:

# run the script on the source machine
# remote machines list
$machines = Get-Content -Path "c:\Script\tm1\serverslist.txt"
foreach ($onemachine in $machines)
{
    Write-Host "Currently the script is copying files on" $onemachine
    Copy-Item -Path "c:\Script\tm1\planning.html" -Destination "\\$onemachine\c$\Program Files\ibm\cognos\analytics\webcontent" -Recurse
    Copy-Item -Path "c:\Script\tm1\planning.html" -Destination "\\$onemachine\c$\Program Files\ibm\cognos\analytics\webcontent\bi" -Recurse
    Copy-Item -Path "c:\Script\tm1\pmhub.html" -Destination "\\$onemachine\c$\Program Files\ibm\cognos\analytics\webcontent" -Recurse
    Copy-Item -Path "c:\Script\tm1\pmhub.html" -Destination "\\$onemachine\c$\Program Files\ibm\cognos\analytics\webcontent\bi" -Recurse
    Copy-Item -Path "c:\Script\tm1\tm1web.html" -Destination "\\$onemachine\c$\Program Files\ibm\cognos\analytics\webcontent\tm1\web" -Recurse
    Copy-Item -Path "c:\Script\tm1\tm1web.html" -Destination "\\$onemachine\c$\Program Files\ibm\cognos\analytics\webcontent\bi\tm1\web" -Recurse
}

Ensure that the paths are correct for your servers; if you have installed to the D: drive you need to update the PowerShell script to reflect this: "\\$onemachine\d$\Program Files\ibm\cognos\analytics\webcontent\bi\tm1\web"

Start a powershell window as administrator.

The person logged in must have local admin rights on all cognos servers for this to work.

When you run the script it will print out any errors, like above when it cannot find the server.

Test the script first in your LAB environment, as it will overwrite any existing files on the CA11 servers.

More Information:

https://www.heelpbook.net/2020/copy-file-to-remote-servers-powershell

Powershell Copy Files | Single | Multiple Computers

https://docs.microsoft.com/en-us/answers/questions/337705/copy-file-to-multiple-remote-computers.html

https://exploringtm1.com/install-planning-analytics-workspace-to-windows-2016/

https://exploringtm1.com/how-to-upgrade-install-planning-analytics-for-excel-pax/

https://exploringtm1.com/how-to-upgrade-planning-analytics-tm1/