Product:
Cognos Analytics 11.1.x
Microsoft Windows 2019 server
Microsoft SQL server

Problem:
I have a new Cognos environment and want an easy way to copy the content store from the old environment to the new one. The new Cognos environment has the same or a newer version of Cognos Analytics.

Solution:

To carry the security values over, you must have exactly the same Active Directory connection setup in both the old and the new environment. Double-check in Cognos Configuration that the namespace is the same.

On the old server – check in Cognos Configuration where the zip file is stored.

This is normally in folder C:\Program Files\ibm\cognos\analytics\deployment on your CA11 server.
Browse to ..ibmcognos from your web browser. Log in as administrator in Cognos Connection.

Click Manage – Administration console

Click Configuration tab
Click Content Administration and click on the export icon

Enter a name and click on Next button

Mark “Select the entire Content Store” and check “Include user account information” to get most information over. Click Next

Click Next

Enter a password you can remember and click OK

Click Next

Select “save and run once” and Click Finish

Click Run

Mark “View the details of this export after closing this dialog” and click OK.

Click on blue “refresh” every 10 min to see if it is finished.

Wait until the status says Finish. Above is not a finished status, as there is no Completion time.
This can take 30 minutes, depending on the amount of data in your Content Store.

When succeeded, click Close.

When done go to Windows file explorer and copy the zip file over from the old Cognos BI server to your new Cognos Analytics server.  Place the file in the deployment folder you are going to use.

If the deployment folder inside Cognos Configuration is pointing to a file share: \\servername\sharefolder then the Cognos Analytics service must be run under a windows service account and not local system. Local system can only access folders on the same server.

Import content store by loading the deployment file via cognos connection.

Login to new IBMCOGNOS and go to Administration page, click on configuration – Content Administration. Click on the import icon.

Select your full content store file and click Next

Enter your password. Click OK

Click Next

Click Next

Click Next

Select “save and run once” and click Finish.

Do not run upgrade of report specifications. Do that at a later time, as it can take a very long time.

Click Run.

Mark “View the details of this export after closing this dialog” and click OK

Click Refresh every 15 min to see if it is done. When you have a completion time, it is finished.

 

You may see errors in the report; note them down and search Google for more information.

If you have also changed the database server host for your AUDIT database, you need to go into Cognos Administration – Configuration – Data source connections and update the link to the new database server for your audit data source.

Click on Audit, then on “more” to right of the test icon.
Click “Set properties”
Click “Connection” tab

Click pencil icon, to get to the data source update dialog.

Change the server name and any other values you need to change. Update also the JDBC tab.
Click OK when done.
Test your data source connection.

Any special configuration you have done on the Cognos Dispatcher is not part of the deployment; you have to add it again manually. Go to Cognos Administration – Configuration. Click on Dispatchers and Services and click on the properties icon.

Click on settings

Check all pages for values that are not default=Yes, as they have been changed and may need to be entered in the new environment. Only enter values that you know you need in the new environment.

Click on the blue Edit link for Advanced settings to see if there are any special settings in the environment.
Configuring advanced settings for specific services (ibm.com)

Repeat above steps in the new CA11 environment to get the fine tuning you want.
Logging should in most cases be set to BASIC.

Content Manager service advanced settings (ibm.com)

You can also move the content store by a backup/restore of the full CM database, but then you need to consider other parts, like old dispatchers, that will follow the move.

More information:

http://mail.heritagebrands.com.au/ibmcognos/documentation/en/ug_cra_10_2/c_deploying_the_entire_content_store.html

https://www.ibm.com/support/pages/what-difference-between-exporting-content-store-cognos-connection-and-doing-database-backup-content-store

https://www.ibm.com/support/pages/how-copy-entire-content-store-another-cognos-analytics-server-same-version

https://www.bspsoftware.com/products/metamanager/Download

https://www.ibm.com/support/knowledgecenter/SSEP7J_11.1.0/com.ibm.swg.ba.cognos.ug_cra.doc/c_deploying_the_entire_content_store.html

Product:
Cognos Analytics 11.1.7
Microsoft Windows 2016 Server
Oracle database

Problem:
During an import of a large content store deployment file into a new Content Store database schema, the process takes a long time and no new objects are imported.
After some time, if you browse to the IBMCOGNOS website on the server, you do not get a response either.
To troubleshoot, start Cognos Configuration on the Cognos server, right-click on your content store and click Test.

ORA-00257: Archiver error. Connect AS SYSDBA only until resolved.
2021-01-14T INFO startup.Audit.JSM [Thread-56] NA  9300 __ JSM 5836 Run Failure Error connecting to the database, some services may not work properly. Check the logs for further details. ORA-00257: Archiver error. Connect AS SYSDBA only until resolved.

Solution:

Ask the Oracle DBA to check the oracle server and log files.
After Oracle is corrected, then the Cognos Analytics (BI service) will continue to import data.
You do not need to restart Cognos, only adjust the Oracle settings.

More Information:

http://www.dba-oracle.com/sf_ora_00257_archiver_error_connect_internal_only_until_freed.htm

Cause: The archiver process received an error while trying to archive a redo log. If the problem is not resolved soon, the database will stop executing transactions. The most likely cause of this message is the destination device is out of space to store the redo log file

https://www.ibm.com/support/pages/export-large-content-store-database

https://www.ibm.com/support/knowledgecenter/SSEP7J_10.2.2/com.ibm.swg.ba.cognos.crn_arch.10.2.2.doc/c_adgsizethecs.html

Product:
Cognos Controller 10.4.2
Microsoft Windows 2016 server

Problem:
When a user makes a change and saves a value inside “Define Data Mart” in the Cognos Controller Client, the program freezes.
The client will wait for a SQL statement to finish.

select @@trancount; SET FMTONLY ON select * from ##Fa189b4c SET FMTONLY OFF exec tempdb..sp_tablecollations_100 N'.[##Fa189b4c]'

You need to restart the Cognos Controller windows server to release the process.

Killing the Controller client program will not help. You get the same issue when you go back into the Define Data Mart dialog.

A restart of IIS appears to release the process, and you can work again in Cognos Controller.

Solution:

Install a fix pack to Cognos Controller 10.4.2 that solves the problem.
https://www.ibm.com/support/pages/client-hangsfreezes-not-responding-when-click-transfer-publish-data-and-structures-define-data-mart-after-creating-new-data-mart-caused-apar-ph27153
An unsupported workaround is to update the SQL table XOLAP directly in the SQL database. Ensure you have a backup of the SQL database before you make any changes.

You can run an export of an existing data mart, but not update it from inside Cognos Controller. If you want to change the Structure Version on an existing data mart definition, you need to open SQL Server Management Studio and edit table XOLAP. Here you can update some of the values that are in the define dialog.

In Microsoft SQL Server Management Studio you can create a query like this to update definition CBI to version 200812:

UPDATE dbo.xolap
SET structversion = 200812
WHERE cubeid = 'CBI';

More information about SQL:  https://www.w3schools.com/sql/sql_update.asp

The selection of forms are stored in table XOLAPFORM

You have the list from your Define Data Mart dialog in the form field.

You can check values in the database with the Cognos Controller function BROWSE DATA if you are an administrator.
Go to MAINTAIN – SPECIAL UTILITIES – BROWSE DATA
Enter table name and click on Arrow to see tables data.

More information:

https://www.ibm.com/support/pages/client-hangsfreezes-not-responding-when-click-transfer-publish-data-and-structures-define-data-mart-after-creating-new-data-mart-caused-apar-ph27153

https://www.ibm.com/support/pages/cognos-controller-builds-ccr-name-and-database-version

https://www.ibm.com/support/pages/ibm-cognos-controller-104x-fix-list

Product:
Planning Analytics 2.0.6 TM1_version=TM1-AW64-ML-RTM-11.0.6.71-0
Microsoft Windows 2016 server

Problem:
Is there a better TI editor than TM1 Architect?

Solution:
Yes, there is. One is PAW (Planning Analytics Workspace), or you can download and use Cubewise ARC for a trial period. Browse to https://code.cubewise.com/arc-download
Click on the “Accept License Agreement” and click on SERVER FOR WINDOWS 64 to download it.

 

Save the file to an empty folder like c:\arc on your TM1 server and unzip it in that folder.

Double click on the arc.exe file to start the web-server arc.

It will start up Internet explorer with the start page. Dismiss the news prompt, and click on the license icon.

Under the Start Trial tab, select Individual, and scroll down to accept the license by clicking on “Agree and start Trial”. It will create the license file in your arc folder.
Now close the arc.exe DOS window to stop the service.
Start a new COMMAND window as administrator.
Go to the c:\arc folder and enter this command:

arc.exe   -install

This will install the program as a service. Go to services in windows control panel and start the arc service.

Now you can browse from your laptop to ARC on the TM1 server, by entering http://tm1servername:7070
(you need to have port 7070 open in any firewalls between your server and your laptop)
Click on the TM1 instance you want to work with and you will be prompted to login.

ARC can remember your login, so next time you do not need to enter it again.
As an example of working with ARC, we will load a dimension from a text file (using this process https://www.wimgielis.com/tm1_recreatedimensionfromexport_EN.htm)
On the rare occasion when the dimension name contains the same character as the list separator, we need to adjust it a little.

Click on new process, by right click on the process line.

Enter a name:  import.dim and click Create

Under Parameters, click on string to add below two parameters:

Under the Data Source tab, do these steps:

Select ASCII as type from drop down list.
Enter the path and file name to import.
Select the comma separator (if that is what you use in the file).
Set Headers records to Zero.
Click on preview.

When the above is OK, click on create variables. Change the variable names to the names below.

You can continue here with the default setup from https://www.wimgielis.com. But we are going to change it to read only one line.

In the Data Source tab, change the separator to an unused character such as pipe, so that each line is read whole.
Click on preview and, in the Variables tab, change the name to FullLine:

In prolog tab enter this code: (press CTRL+SPACE to get code help in the editor)

In Metadata tab enter this code:

You need to adjust the code to fit your files.

ASCIIOUTPUT place txt files in your \data folder if no path is submitted.
Click on the SAVE icon to save your changes to the TM1 instance.
Click on “lightning” icon to run the TI process for a test.

Enter the values and click on Execute button at the bottom of the dialog window.

Click the refresh icon, and expand the Dimensions list.
Double click on the new accounttest to see that the values have been imported correctly.

You can solve this in many different ways, but the cubewise ARC editor looks nice.

More information:
https://code.cubewise.com/arc-docs/how-to-start-arc

https://code.cubewise.com/arc-docs/setting-up-arc-as-a-windows-service

https://code.cubewise.com/arc-docs/getting-started-with-arc-desktop-for-windows
https://exploringtm1.com/asciioutput-tm1-function-use-syntax
https://exploringtm1.com/scan/
https://exploringtm1.com/subst-tm1-function-use-syntax/

Product:
Cognos Analytics 11.1.7
Planning Analytics 2.0.9
Microsoft Windows 2019 Server
Problem:
How to set up Windows Kerberos login for Cognos products?
These pages describe what Kerberos is:
https://web.mit.edu/kerberos/dialogue.html
https://medium.com/@charithra/kerberos-and-how-to-play-with-hadess-pet-c6a29ceed462

Solution:
Set up Cognos Analytics with an IIS gateway and make it work for Single Sign On (SSO) to log in.

https://www.ibm.com/support/pages/configure-tm1-cam-authentication-using-cognos-analytics-110-sso

https://www.ibm.com/support/knowledgecenter/SSEP7J_11.1.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_stp_sso_active_drctry_remote_user.html

https://www.ibm.com/support/pages/enabling-single-sign-cognos-secured-against-active-directory

https://www.ibm.com/support/knowledgecenter/SSEP7J_11.1.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_inst_activedirectoryserver_process.html

You need to create a windows domain account, that is local administrator on the Cognos server where the Cognos Content Manager function is, and run the IBM Cognos service with this account.

The account must be added with domain\name format, without use of @.
The same service account must run the IIS server application pool used by CA11.

Go to Internet Information Service Manager, and expand Application pools. Mark ICAPool and click on Advanced Settings. Click on Identity and select Custom Account. Click Set and enter the domain\name account and password. Click OK.
Restart IIS.
The service account must have “Trust this user for delegation to any service (Kerberos only)” set in Active Directory. Ask the IT department to set this on the Windows Domain Controller.

Constrained delegation is not recommended.
Ensure that the Cognos service account has NTFS read/write/execute rights on the Cognos folders.
Right click on folder C:\Program Files\ibm\cognos\analytics and select properties.
Check on the security tab that the local Administrators group has full rights.

Go to Computer Management in Control panel – Administrative Tools. Expand Local User and Groups – Groups. Check what groups and accounts are in the Administration group on the server.

Ensure that the Cognos service account is part of a domain group that is included in the local administrator group. It does not need to be the Domain Admins group, but it must be the same group.

On the Windows Domain Controller you must run the SETSPN command to create the Service Principal Name.
https://petri.com/how-to-use-setspn-to-set-active-directory-service-principal-names-2

Register the web server and the Cognos BI server names against the service account. In our case it is the same server.
You need to add all the names the system uses to connect to the server, e.g. HOSTNAME and FQDN.
In our example we use setspn -s HTTP/win2019.lab.pacman LAB\cognosservice

setspn -s HTTP/websrv_aliasname  domain\cognosserviceaccount
setspn -s HTTP/appsrv_FQDN  domain\cognosserviceaccount
setspn -s HTTP/appsrv_HOSTNAME  domain\cognosserviceaccount


Use the servername in cognos configuration for the setspn command above.

Use setspn -L domain\cognosserviceaccount to see the current values in use.

Some common switches used with SetSPN:

-a    Add an entry to an account (explicitly)
-s    Add an entry to an account (only after checking for duplicates first)
-d    Delete an entry from an account
-x    Search the domain for duplicate SPNs
-q    Query the domain for a specific SPN

In IIS Manager on the Cognos Gateway server, ensure that Anonymous Authentication is enabled on the IBMCOGNOS folder.

Go to \bi folder, and click on Authentication. Select Windows Authentication and click enable.
Disable Anonymous Authentication on the \bi folder.

Click on Providers for the \bi folder, and remove NTLM so you only have Negotiate.

Repeat on the \sso folder, so that it also has only Negotiate as an enabled Windows provider.

For \sso folder click on Configuration Editor.

Select in the drop down menu for section – system.webServer – security – authentication – windowsAuthentication.

To get this dialog up for the sso folder.

Set “useAppPoolCredentials” and “useKernelMode” to true.
Go to the \bi folder and set the same values.

Click on the Configuration Editor icon – select system.webServer – security – authentication – windowsAuthentication. Set “useAppPoolCredentials” and “useKernelMode” to true.

If you use Oracle or DB2 as the content store database, you are all set. But if you use Microsoft SQL Server you need to add SPNs with setspn for the service account that runs the SQL services.

Ask the SQL DBA to ensure the service account for SQL server is using domain\account notation as above. Kerberos will not work with Local System as the service account for Microsoft SQL database.
You need to check in cognos configuration how Cognos Analytics connects to the content store database. Open Cognos Configuration on your Cognos Content Manager server.

Note down the IP or HOSTNAME that is used to connect to the SQL server. This will be used in the setspn command. In our case we enter setspn -s MSSQLSvc/192.168.1.15:1433 LAB\cognosservice

setspn -s MSSQLSvc/sqlsrv_FQDN  domain\SQLServiceAccount
setspn -s MSSQLSvc/sqlsrv_FQDN:instancename  domain\SQLServiceAccount
setspn -s MSSQLSvc/sqlsrv_FQDN:1433  domain\SQLServiceAccount

You need to enter all variants of the SQL server name to the setspn command.
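
The following PowerShell is an added example, not part of the original post: it checks that every HTTP and MSSQLSvc name variant described above is registered, and that no SPN sits on two accounts. The `setspn -L` text is constructed sample output, and `LAB\sqlservice` and `sql2019.lab.pacman` are hypothetical names.

```powershell
# Added example (not from the original page). The setspn -L text below is
# constructed sample output; win2019 and LAB\cognosservice reuse the page's lab values.

function Get-ExpectedSpn {
    # Build every SPN variant for a service: one per host name and suffix.
    param(
        [Parameter(Mandatory)][string]$ServiceClass,   # HTTP or MSSQLSvc
        [Parameter(Mandatory)][string[]]$HostNames,    # alias, HOSTNAME, FQDN, IP
        [string[]]$Suffixes = @('')                    # e.g. '', ':1433', ':instancename'
    )
    foreach ($name in $HostNames) {
        foreach ($suffix in $Suffixes) { "$ServiceClass/$name$suffix" }
    }
}

function ConvertFrom-SetSpnList {
    # Keep only the indented "class/host" lines printed by: setspn -L domain\account
    param([string[]]$Lines)
    $Lines | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[A-Za-z0-9_-]+/\S+$' }
}

function Compare-SpnCoverage {
    # -notcontains is case-insensitive, which matches how SPNs are compared.
    param([string[]]$Expected, [string[]]$Registered)
    [pscustomobject]@{
        Missing    = @($Expected   | Where-Object { $Registered -notcontains $_ })
        NotPlanned = @($Registered | Where-Object { $Expected   -notcontains $_ })
    }
}

function Find-DuplicateSpn {
    # An SPN must belong to exactly one account; report any that appear on several.
    param([Parameter(Mandatory)][hashtable]$ByAccount)
    $owners = @{}
    foreach ($account in $ByAccount.Keys) {
        foreach ($spn in $ByAccount[$account]) {
            if (-not $owners.ContainsKey($spn)) { $owners[$spn] = @() }
            $owners[$spn] += $account
        }
    }
    foreach ($spn in $owners.Keys) {
        if ($owners[$spn].Count -gt 1) {
            [pscustomobject]@{ Spn = $spn; Accounts = ($owners[$spn] | Sort-Object) -join ', ' }
        }
    }
}

# Constructed output of: setspn -L LAB\cognosservice
$cognosOutput = @'
Registered ServicePrincipalNames for CN=cognosservice,CN=Users,DC=lab,DC=pacman:
        HTTP/win2019.lab.pacman
        MSSQLSvc/192.168.1.15:1433
'@ -split '\r?\n'

# Constructed output of: setspn -L LAB\sqlservice (hypothetical SQL service account)
$sqlOutput = @'
Registered ServicePrincipalNames for CN=sqlservice,CN=Users,DC=lab,DC=pacman:
        MSSQLSvc/192.168.1.15:1433
        MSSQLSvc/sql2019.lab.pacman:1433
'@ -split '\r?\n'

$cognosSpns = @(ConvertFrom-SetSpnList -Lines $cognosOutput)
$sqlSpns    = @(ConvertFrom-SetSpnList -Lines $sqlOutput)

# Every name a browser may use for the gateway: HOSTNAME and FQDN.
$expectedHttp   = Get-ExpectedSpn -ServiceClass 'HTTP' -HostNames 'win2019', 'win2019.lab.pacman'
$registeredHttp = @($cognosSpns | Where-Object { $_ -like 'HTTP/*' })
$coverage       = Compare-SpnCoverage -Expected $expectedHttp -Registered $registeredHttp

# Reports HTTP/win2019 as missing for the sample data.
$coverage.Missing | ForEach-Object { "missing, add with: setspn -s $_ LAB\cognosservice" }

# Reports MSSQLSvc/192.168.1.15:1433 as registered on both accounts.
Find-DuplicateSpn -ByAccount @{ 'LAB\cognosservice' = $cognosSpns; 'LAB\sqlservice' = $sqlSpns } |
    ForEach-Object { "duplicate: $($_.Spn) is registered on $($_.Accounts)" }
```

On a live system, feed the functions with the real output, for example `ConvertFrom-SetSpnList -Lines (setspn -L LAB\cognosservice)`.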

Restart the Windows server for Cognos Analytics to ensure the domain changes have taken effect.

To check that Kerberos is in use, activate AAA tracing for a short period in Cognos Analytics.

Login to CA11 as administrator and click on Manage – Configuration.

Click on Diagnostic Logging.

Click on AAA and Apply.
Logout from CA11 and close the browser.
Start the web browser again and go to http://win2019.lab.pacman/ibmcognos/
After SSO has let you in, go to the Cognos Analytics Content Manager server.
Open the C:\Program Files\ibm\cognos\analytics\logs\cognosserver.log file in notepad++

Go to the end of the file and from search menu select find and enter AUTH_TYPE.
Scroll to the right, and if kerberos is used it should say:
<value xsi:type="xsd:string">Negotiate</value>

Close the log file.
Go back into CA11 portal.
Go to manage – configuration – diagnostic logging.

Select Default Logging and click Apply. This is important as the logging can make the cognos system slower.
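
The manual search for AUTH_TYPE described above can be scripted. This PowerShell is an added example, not part of the original post; the log lines are constructed, and the layout of an AAA trace entry beyond the `<value ...>` element shown above is an assumption.

```powershell
# Added example (not from the original page). The log lines are constructed; the page
# only shows that the AUTH_TYPE entry is followed on the same line by a
# <value xsi:type="xsd:string">scheme</value> element, the rest is assumed.

function Get-CognosAuthType {
    # Return the scheme recorded for every AUTH_TYPE entry, in file order.
    param([string[]]$Lines)
    $pattern = 'AUTH_TYPE.*?<value[^>]*>(?<scheme>[^<]*)</value>'
    foreach ($line in $Lines) {
        foreach ($m in [regex]::Matches($line, $pattern)) {
            $m.Groups['scheme'].Value.Trim()
        }
    }
}

function Get-AuthTypeSummary {
    # Count the entries and list every scheme that is not Negotiate.
    param([string[]]$Lines)
    $schemes = @(Get-CognosAuthType -Lines $Lines)
    $other   = @($schemes | Where-Object { $_ -ne 'Negotiate' } | Sort-Object -Unique)
    [pscustomobject]@{
        Entries       = $schemes.Count
        Negotiate     = @($schemes | Where-Object { $_ -eq 'Negotiate' }).Count
        OtherSchemes  = $other
        OnlyNegotiate = ($schemes.Count -gt 0 -and $other.Count -eq 0)
    }
}

# Constructed sample lines: one SSO login over Negotiate, one unrelated entry,
# and one login that arrived with NTLM.
$sample = @'
2021-01-20 10:02:11 AAA trace <item><name>AUTH_TYPE</name><value xsi:type="xsd:string">Negotiate</value></item>
2021-01-20 10:02:12 AAA trace <item><name>REMOTE_USER</name><value xsi:type="xsd:string">LAB\anna</value></item>
2021-01-20 10:07:45 AAA trace <item><name>AUTH_TYPE</name><value xsi:type="xsd:string">NTLM</value></item>
'@ -split '\r?\n'

# For the sample: Entries 2, Negotiate 1, OtherSchemes NTLM, OnlyNegotiate False.
Get-AuthTypeSummary -Lines $sample

# Against the real log, read only the tail to keep it fast:
# Get-AuthTypeSummary -Lines (Get-Content 'C:\Program Files\ibm\cognos\analytics\logs\cognosserver.log' -Tail 20000)
```

AUTH_TYPE records the HTTP scheme; running `klist` on the client after the login lists the cached tickets, and a ticket for the HTTP/ SPN of the gateway confirms that Kerberos was used.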

Planning Analytics (TM1) will now use Kerberos too, as long as it is set up to use CAM security.
https://www.ibm.com/support/pages/configure-tm1-cam-authentication-using-cognos-analytics-110-sso

More information:

Overview of Service Principal Name and Kerberos authentication in SQL Server

https://www.ibm.com/support/knowledgecenter/SSEP7J_11.1.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_inst_sso_active_drctry_constrained_del.html

Product:
Cognos Analytics 11.1.3
Microsoft Windows 2016 server
Problem:
A login dialog appears when a user tries to access the CA11 website http://caservername.domain.com/ibmcognos

Solution:
Check that the server name is in local intranet sites or trusted sites in internet options.

At most companies this is controlled by group policy in the network; ask the IT department to add the CA server name and DNS alias to the local intranet sites.

The new Chromium-based Edge will only allow SSO for servers in the Local Intranet zone, but Internet Explorer on the same computer will allow SSO for servers in both the Local Intranet zone and the Trusted zone.

In Windows only, if the AuthServerWhitelist setting is not specified, the permitted list consists of those servers allowed by the Windows Zones Security Manager (queried for URLACTION_CREDENTIALS_USE). By default, this includes servers in the Local Machine or Local Intranet security zones. (For example, when the host in the URL includes a “.” character, by default it is outside the Local Intranet security zone). This behavior matches Internet Explorer and other Windows components.

https://www.chromium.org/developers/design-documents/http-authentication

You have to search the internet to find where you can set the Edge Zone security in the local windows.

https://specopssoft.com/blog/configuring-chrome-and-firefox-for-windows-integrated-authentication/

There are also granular settings under Custom level, where you should uncheck “automatic logon only in intranet zone”.

Then you can have the cognos analytics site in Trusted tab instead.

Steps for Adding Trusted Sites in old Browser

Google Chrome > Adding Trusted Sites

  1. Click the Chrome Menu icon on the far right of the Address bar.
  2. Click on Settings, scroll to the bottom and click the Show Advanced Settings link.
  3. Click on Change proxy settings (under Network)
  4. Click the Security tab > Trusted Sites icon, then click Sites.
  5. Enter the URL of your Trusted Site, then click Add.
  6. Click Close > OK.

Mozilla Firefox > Adding Trusted Sites

  1. Click the menu icon in the upper right-hand corner of the browser.
  2. Click Options.
  3. Click Privacy and Security.
  4. Scroll down to the “Permissions” section, and click on Exceptions to the right of “Warn you when websites try to install add-ons.”
  5. Type the trusted sites into the “Address of website” field.
  6. Click Allow.
  7. Click Save Changes.

 Safari > Adding Trusted Sites

  1. At the top of the screen, click Bookmarks.
  2. Click “Add Bookmark…”
  3. Click “Top Sites” from the dropdown menu.
  4. Click Add.

 Internet Explorer 9, 10 and 11 > Adding Trusted Sites

  1. Click Tools, click Internet Options, and then click the Security tab.
  2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
  3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
  4. In the  Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
  5. Repeat these steps for each site that you want to add to the zone.
  6. Click OK two times to accept the changes and return to Internet Explorer.

Microsoft Edge > Adding Trusted Sites

  1. Search in the Start Menu for the Control Panel.
  2. Click or double-click the Internet Options icon.
  3. In the Internet Properties window, click the Security tab.
  4. Select the Trusted sites entry and click the Sites button.
  5. Enter the address for the trusted website in the Add this website to the zone text field.
  6. Click the Add button, then click OK to save the website addition.

More information:

https://support.edmentum.com/4_General_and_Technical_Solutions/How_to_clear_browser_cookies%2C_history%2C_temporary_files_and_clear_proxy_cache/Page_Title/Disabling_the_Pop-Up_Blockers_by_Browser/Adding_Trusted_Sites_by_Browser

Security Zones in Edge

https://docs.centrify.com/Content/CoreServices/Authenticate/SilentAuthEdge.htm

https://www.chromium.org/administrators/policy-list-3

Product:
Cognos Analytics 11.0.13
Microsoft Windows 2016 server

Problem:
After a change of the custom certificate in IIS and at the CA11 dispatcher level, in the CAMkeystore file, https://caservername.domain.com:9300/p2pd/servlet/dispatch still shows the wrong certificate.
When you examine the camkeystore.jks file with ikeyman.exe you find that the root certificate is used instead of the server certificate.

Possible solution:
When using a custom certificate for SSL (TLS) communication on port 9300, you only need to add this certificate to the CAMkeystore file.
First you set HTTPS in Cognos Configuration; then, when you press Save inside Cognos Configuration for CA11, the keystore files are created.
For example IBM Cognos Configuration > Security > Cryptography > Cognos > Certificate lifetime in days. This value sets how long the Cognos server certificate (encryption) in the keystore will last. The internal CA certificate is created to last a year longer.
After the Cognos keystore files are created, you can add the custom certificates to the file with ikeyman.exe.

You must add the certificates in the correct order:
Root – first
Intermediate – second
Server Cert – last

Make a backup of the C:\Program Files\ibm\cognos\analytics\configuration\certs folder before you start.

Go to C:\Program Files\ibm\cognos\analytics\jre\bin
Launch ikeyman.exe as administrator ( by right click and select run as administrator)
Open the following file C:\Program Files\ibm\cognos\analytics\configuration\certs\CAMkeystore
Type: PKCS12
File name:CAMKeystore
Location:  C:\Program Files\ibm\cognos\analytics\configuration\certs
Password: NoPassWordSet (default)

Select Signer Certificates from the drop down list.
Click on Add.
Import your root.cer first.
Then import your intermediate.cer second.
Then go back to Personal Certificates from the drop down list.
Mark encryption, and click on Rename. Change the name to old-encryption.
Click on Import button. Select Import key.

Select the certificate file with your server certificate, which contains the DNS alias for your server.
Enter your password when you import the file.
Set the name of the server cert to encryption.
Exit/Close the ikeyman program. Any changes are saved directly to the CAMkeystore file.

Now go into Cognos Configuration and click save. Then start the Cognos service from inside Cognos Configuration. Now the file CAMkeystore.jks is created/updated with the custom certificates.
Test to browse to the https://caservername.domain.com:9300/bi/v1/disp

You may also need to add the custom certificate in other places, depending on your system setup.

(Internal CA)
It is a Cognos-specific certificate authority. You can check the content with the ikeyman tool.

View ‘ca’ certificate under Personal Certificates.  Double click to see the values of the certificate.
When ‘encryption’ certificate is expired, you cannot log in to Cognos Analytics.

If you use PA, you need to add the Planning Analytics certificate to the CA11 key store.
https://www.ibm.com/support/pages/configure-datasource-ibm-planning-analytics-20x-ibm-cognos-analytics-1106

More information:

https://www.ibm.com/support/pages/node/561949

https://www.ibm.com/support/knowledgecenter/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_cryptoprvdrdflt.html

Product:
Planning Analytics 2.0.6
Microsoft Windows 2016 server

Problem:
After a change of certificate at the Cognos Analytics 11 dispatcher level, the user cannot log in to TM1 Architect. This happens when you use CAM security (IntegratedSecurityMode=5).
You get error message like: SystemServerClientNotFound

Solution:
When you update the CA11 Websphere (dispatcher) with a custom certificate, you need to add the root and intermediate certificate to the other parts like TM1 servers (planning analytics).

Download the root and intermediate certificate to BASE-64 cer files.
Copy the files to the TM1 server.
Go to a COMMAND prompt as administrator.
Go to folder C:\Program Files\ibm\cognos\tm1_64\bin64
Run a command similar to this:

gsk8capicmd_64 -cert -add -db "D:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ibmtm1.kdb" -stashed -label caRoot -file "C:\temp\rootcert.cer" -format ascii -trust enable

gsk8capicmd_64 -cert -add -db "D:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ibmtm1.kdb" -stashed -label caIntermediate -file "C:\temp\intercert.cer" -format ascii -trust enable

Then you need to restart the TM1 service instances, for the change to take effect.

More Information:
https://www.ibm.com/support/pages/how-configure-planning-analytics-connect-ssl-secured-cognos-dispatcher

https://www.ibm.com/support/pages/use-ikeyman-configure-custom-ssl-certificates-tm1web

Product:
Planning Analytics 2.0.9.3
Microsoft Windows 2019 server

Problem:
How to set up SSL (TLS) in Planning Analytics Spreadsheet Services?

Solution:
https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/t_tm1_inst_tm1_web_ssl_existing_keystore.html

Get a custom pfx file from your certification authority for your server.
Go to your PA TM1WEB server and place the file in folder C:\Program Files\ibm\cognos\tm1web\bin64\ssl

Stop the IBM Planning Analytics Spreadsheet Service.
Open C:\Program Files\ibm\cognos\tm1web\wlp\usr\servers\tm1web\server.xml.new in notepad++

Update this row to set your https port
<httpEndpoint id="defaultHttpEndpoint" httpPort="-1" httpsPort="9510" host="*" removeServerHeader="true">
</httpEndpoint>
Add this row to point out the certificate pfx file to use
<keyStore id="defaultKeyStore" location="${wlp.user.dir}/../../bin64/ssl/cert.pfx" password="cognos" />
Change cognos to your password.
Save the file as server.xml
In a command prompt go to folder C:\Program Files\ibm\cognos\tm1web\jre\bin
Enter this command to import the standard TM1 server cert to the new keystore
keytool -importcert -keystore ..\..\bin64\ssl\cert.pfx -storepass cognos -storetype pkcs12 -noprompt -alias ibmtm1 -file ..\..\bin64\ssl\ibmtm1.arm

Start IBM Planning Analytics Spreadsheet Services

Update the C:\Program Files\ibm\cognos\analytics\webcontent\bi\tm1\web\tm1web.html file on your Cognos Analytics server to have the new HTTPS value:

Save the file.
If you miss above step you get the error:

The TM1Web service parameter was not specified or is not one of the configured locations

Test from the Chrome web browser by going to https://yourservername.domain.com:9510/tm1web

If it works, you have done a good job.

If you use the self-signed test certificate you get the screen below, as the certificate is not trusted by the browser. A self-signed certificate works best with TM1 native security.


Do this https://www.ibm.com/support/pages/node/879929 to get away from above error in testing.
To encrypt the password in the server.xml file, follow these steps:

Ensure that the cert.pfx file is in folder C:\Program Files\ibm\cognos\tm1web\bin64\ssl

Open C:\Program Files\ibm\cognos\tm1web\wlp\usr\servers\tm1web\bootstrap.properties in Notepad++
Add the line (with your own key password):
wlp.password.encryption.key=VeryStrongandSecurePasswordKey
Start a command prompt as administrator.

Run set JAVA_HOME=C:\Program Files\ibm\cognos\tm1web\jre\ to temporarily set JAVA_HOME for the next command
Move to folder C:\Program Files\ibm\cognos\tm1web\wlp\bin
Run command (to encrypt the value in key-store)
securityUtility.bat encode --encoding=aes --key=VeryStrongandSecurePasswordKey cognos
(you add the -key password you defined in bootstrap file, and then the password used today to access the cert.pfx file)

Copy the response to notepad
Open C:\Program Files\ibm\cognos\tm1web\wlp\usr\servers\tm1web\server.xml in notepad++
Update the line (to include the new password)
<keyStore id="defaultKeyStore" location="${wlp.user.dir}/../../bin64/ssl/cert.pfx" password="{aes}AIm6d2W+Hk0JBXaWVrJSvq+AGyBDkec/kdUiXAu5nKoI" />

Save the file and restart Planning Analytics Spreadsheet Services.

Now the password to the keystore (pfx) is not in cleartext in the server.xml file.
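
To confirm the result of the steps above, this PowerShell (an added example, not part of the original post) lists every password attribute in server.xml and how it is stored, and checks whether bootstrap.properties sets its own encryption key. The XML samples are constructed from the keyStore lines shown above, and the `<server>` wrapper element is an assumption.

```powershell
# Added example (not from the original page). Both XML samples are constructed from
# the keyStore lines shown on the page; the <server> wrapper is an assumption.

function Get-LibertyPasswordFinding {
    # List every element in server.xml that carries a password attribute and
    # classify how the value is stored.
    param([Parameter(Mandatory)][string]$XmlText)
    $doc = [xml]$XmlText
    foreach ($node in $doc.SelectNodes('//*[@password]')) {
        $value = $node.GetAttribute('password')
        $storage = if ($value -match '^\{aes\}') { 'aes' } elseif ($value -match '^\{xor\}') { 'xor (obfuscation only)' } else { 'cleartext' }
        [pscustomobject]@{
            Element   = $node.LocalName
            Id        = $node.GetAttribute('id')
            Storage   = $storage
            Encrypted = ($storage -eq 'aes')
        }
    }
}

function Get-LibertyEncryptionKey {
    # Read wlp.password.encryption.key from the lines of bootstrap.properties.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*wlp\.password\.encryption\.key\s*=\s*(?<key>.*)$') {
            return $Matches['key'].Trim()
        }
    }
    return $null
}

function Test-KeystorePasswordHygiene {
    param([string]$XmlText, [string[]]$BootstrapLines)
    $key = Get-LibertyEncryptionKey -Lines $BootstrapLines
    [pscustomobject]@{
        Findings      = @(Get-LibertyPasswordFinding -XmlText $XmlText)
        CustomKeySet  = [bool]$key
        # True when the key is still the example value printed on this page.
        SampleKeyUsed = ($key -eq 'VeryStrongandSecurePasswordKey')
    }
}

# Constructed server.xml before the change: keystore password in clear text.
$before = @'
<server>
  <httpEndpoint id="defaultHttpEndpoint" httpPort="-1" httpsPort="9510" host="*" removeServerHeader="true" />
  <keyStore id="defaultKeyStore" location="${wlp.user.dir}/../../bin64/ssl/cert.pfx" password="cognos" />
</server>
'@

# The same file after pasting in the securityUtility output shown on the page.
$after = $before -replace 'password="cognos"', 'password="{aes}AIm6d2W+Hk0JBXaWVrJSvq+AGyBDkec/kdUiXAu5nKoI"'

# Constructed bootstrap.properties content, using the page's example key.
$bootstrap = @('wlp.password.encryption.key=VeryStrongandSecurePasswordKey')

# Before: keyStore / defaultKeyStore / cleartext / Encrypted False.
(Test-KeystorePasswordHygiene -XmlText $before -BootstrapLines $bootstrap).Findings

# After: Storage aes, Encrypted True; SampleKeyUsed is True for this sample key.
$result = Test-KeystorePasswordHygiene -XmlText $after -BootstrapLines $bootstrap
$result.Findings
"custom key set: $($result.CustomKeySet), page's sample key in use: $($result.SampleKeyUsed)"
```

The AES key itself is stored in clear text in bootstrap.properties, so NTFS read access to that file and to server.xml should be limited to the service account and administrators.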

You can check for errors in file C:\Program Files\ibm\cognos\tm1web\wlp\usr\servers\tm1web\logs\console.log

Launching tm1web (WebSphere Application Server 20.0.0.7/wlp-1.0.42.cl200720200625-0300) on IBM J9 VM, version 8.0.6.15 – pwa6480sr6fp15-20200724_01(SR6 FP15) (sv_SE)
[AUDIT ] CWWKE0001I: The server tm1web has been launched.
[err] log4j:WARN No appenders could be found for logger (org.apache.axis.transport.http.AxisServlet).
[err] log4j:WARN Please initialize the log4j system properly.
[err] log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.

How to create a keystore for testing:
On your laptop install openssl from here https://github.com/git-for-windows/git/releases/tag/v2.23.0.windows.1 – get the file Git-2.23.0-64-bit.exe. Run the installation with all default values.

Create a new folder (c:\workarea)

Create text file with above content, replace with your servername and location.
Save the file in c:\workarea folder.
Start a command prompt as administrator. Go to folder C:\Program Files\Git\mingw64\bin
Enter to create the self signed certificate:
openssl.exe req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout C:\workarea\cert.pem -out C:\workarea\cert.pem -config C:\workarea\san.txt

Enter to create the pfx file:
openssl.exe pkcs12 -export -out C:\workarea\cert.pfx -in C:\workarea\cert.pem -name "win2019pa" -passout pass:cognos

Replace win2019pa with your servername, and cognos with your password of choice.

Copy the cert.pfx file to your PA server and place in folder C:\Program Files\ibm\cognos\tm1web\bin64\ssl, then do the rest at top of this page.

-x509

This option outputs a self signed certificate instead of a certificate request.

 

Enter this to check a pfx for its content:

keytool -v -list -storetype pkcs12 -keystore cert.pfx

More information:
https://www.ibm.com/support/pages/how-configure-ssl-ibm-planning-analytics-spreadsheet-services-using-existing-keystore

https://www.ibm.com/support/pages/how-disable-port-9080-planning-analytics
https://www.ibm.com/support/pages/planning-analytics-ssl-configuration-tm1web-or-any-web-tier-components-does-not-work-expected

https://blog.devolutions.net/2020/07/tutorial-how-to-generate-secure-self-signed-server-and-client-certificates-with-openssl

https://www.phildev.net/ssl/opensslconf.html

https://geekflare.com/san-ssl-certificate/

https://certificatetools.com/

TM1s.cfg & How to Create a TM1 Model – A Best Practice Guide

Product:
Planning Analytics 2.0.9
Planning Analytics Workspace 55
Microsoft Windows 2016 server

Problem:
Want to add cube security for new Cognos groups from a file.
You have created some cognos groups – GroupA and GroupB and filled them with Active Directory users.

You have added the groups in TM1 Architect, to see that they are visible. This is done by right-clicking on the TM1 application and selecting security – clients/groups.

You have tested to add manually in TM1 architect, the values in the security cube.

Solution:

This can be solved in many ways, this is one example.
You have a text file with the groups and the new values. Here you add the other groups and the values you want set up for them.

Columns are cube to update, cube, cognos group, access rights.

Go to PAW. Login to your TM1 Instance. Go to Processes and right click and select Create Process.

Enter a name, in our example ImportSecurityTI.

Click Create.

Click on file.

Drag your text file to the drop area, to load the file into the system.
This will copy the file to a folder under your data folder.


Click Next.  Select the delimiter you have in your file. Here we use comma.
Click preview.

Here we have a simple file, all columns are strings and we keep the default variables values of V1 to V4.
Click validate and save. Click on script.

Now enter code similar to this to make it populate the cube:

#Section Prolog
#****Begin: Generated Statements***
#****End: Generated Statements****

#--------------------------------------------------------
# setup the file to import
#--------------------------------------------------------

DataSourceType='CHARACTERDELIMITED';
# ASCII for comma is 44   http://www.asciitable.com/
DatasourceASCIIDelimiter=Char(44);
DatasourceASCIIHeaderRecords=0;
# ASCII for quotes is 34
DatasourceASCIIQuoteCharacter=Char(34);

# place the file in below folder and paw will find the file
DatasourceNameForServer='model_upload\CubeSecurity3.txt';
# full path to the file and name – this is for Tm1 architect to find the file
DatasourceNameForClient='C:\Program Files\ibm\cognos\tm1_64\samples\tm1\24Retail_CAM\data\model_upload\CubeSecurity3.txt';

# set default values
sNAMESPACE= 'CAMID(":';
sEND = '")';
sCUBE= '}CubeSecurity';

#Section Metadata
#****Begin: Generated Statements***
#****End: Generated Statements****

#--------------------------------------------------------
# remove the ### for the debug lines to write variables to text file
#--------------------------------------------------------

### ASCIIOutput ('c:\temp\debugout1.txt', v1, v2, v3, v4 );
# check if string contain : (colon)
# SCAN(find , in string)
nSTART= scan ( ':',v1);
if (nSTART <> 0);
# remove all before
# SUBST(string, beginning, length)
v1 = subst (v1, nSTART +1, (LONG( v1) - nSTART));
endif;

# add CAMID to the group (column 3)
# check that it does not already have : (colon)
nSTART= scan ( ':',v3);
if (nSTART = 0);
# add value before to look like this "CAMID(":GroupA")"
# SUBST(string, beginning, length)
v3 = sNAMESPACE | v3 | sEND;
endif;

### ASCIIOutput ('c:\temp\debugout2.txt', v1, v2, v3, v4 );
# write values to the cube
# CellPutS (String, Cube, element1, element2, elementn )
CellPutS(v4,v1,v2,v3);

#Section Data
#****Begin: Generated Statements***
#****End: Generated Statements****

#Section Epilog
#****Begin: Generated Statements***
#****End: Generated Statements****

Click on validate – save – run buttons.

If all apostrophes are correct it should work fine.

More information:

nSTART= scan ( ':',v1);
if (nSTART <> 0);

This finds the position in variable v1 where there is a colon. If there is none, the value in nSTART is zero. The if statement tests that nSTART is not zero before running the next line.

https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_ref.2.0.0.doc/r_tm1_ref_scan.html

v1 = subst (v1, nSTART +1, (LONG( v1) - nSTART));

Here we replace variable v1 with a part of its content: we start one character to the right of the nSTART position and continue to the end of the string (length of string minus the start position).

v3 = sNAMESPACE | v3 | sEND;

The pipe character is to add strings together in TI processes. We add the predefined variables sNAMESPACE and sEND around the variable v3, to get it to look correct.

Concatenating Data in TM1 – How to Concatenate Variables in a TI or Rule

https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_ref.2.0.0.doc/c_miscellaneousturbointegratorfunctions_n72f55.html

If you do not add the groups in security dialog before you run the script you get this error:

Process completed with errors
"24Retail_CAM:}CubeSecurity","Capital","GroupA","WRITE",Data Source line (1) Error: MetaData procedure line (26): Invalid key: Dimension Name: "}Groups", Element Name (Key): "CAMID(":GroupA")"
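Because the process writes whatever the file says into the cube named in column 1, it helps to check the file before running it. The following added example (not part of the original post) applies the same string handling as the TI script and rejects rows that target another cube, name a group missing from }Groups, or carry an unknown access right. The sample rows, the KNOWN_GROUPS set and the function names are constructed assumptions.

```python
import csv
import io

ALLOWED_RIGHTS = {"NONE", "READ", "WRITE", "RESERVE", "LOCK", "ADMIN"}
TARGET_CUBE = "}CubeSecurity"

# Constructed sample rows in the page's column order:
# cube to update, cube, Cognos group, access rights.
SAMPLE_FILE = '''"24Retail_CAM:}CubeSecurity","Capital","GroupA","WRITE"
"24Retail_CAM:}CubeSecurity","Capital","GroupB","READ"
"24Retail_CAM:SomeOtherCube","Capital","GroupA","WRITE"
"24Retail_CAM:}CubeSecurity","Capital","GroupC","READ"
"24Retail_CAM:}CubeSecurity","Capital","GroupA","EDIT"
"24Retail_CAM:}CubeSecurity","Capital","GroupA"
'''
# Assumed content of the }Groups dimension, e.g. exported beforehand.
KNOWN_GROUPS = {'CAMID(":GroupA")', 'CAMID(":GroupB")'}


def normalize(v1, v3):
    """Apply the same string handling as the TI script above."""
    pos = v1.find(":")
    if pos != -1:
        v1 = v1[pos + 1:]              # drop everything up to the first colon
    if ":" not in v3:
        v3 = 'CAMID(":' + v3 + '")'    # wrap a bare group name
    return v1, v3


def check_file(text, known_groups):
    """Return (accepted CellPutS argument tuples, [(line number, reason)])."""
    accepted, rejected = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if len(row) != 4:
            rejected.append((lineno, "expected 4 columns"))
            continue
        v1, v3 = normalize(row[0], row[2])
        right = row[3].upper()
        if v1 != TARGET_CUBE:
            rejected.append((lineno, "target cube is not " + TARGET_CUBE))
        elif v3 not in known_groups:
            rejected.append((lineno, "group not in }Groups: " + v3))
        elif right not in ALLOWED_RIGHTS:
            rejected.append((lineno, "unknown access right: " + row[3]))
        else:
            accepted.append((right, v1, row[1], v3))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = check_file(SAMPLE_FILE, KNOWN_GROUPS)
    print(len(ok), "rows accepted;", bad)
```

The group check catches the "Invalid key" error shown above before the process runs, and the target-cube check keeps a stray row from writing to a cube other than }CubeSecurity.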