Tel:  +44 (0)2920 02 04 05
e-Mail: info@planitcpm.com

Home About us Services Products Support News Blogs Contact us

Blogs

IBM Cognos Technical Blog

September 27, 2011

Configuring SSL / HTTPS with IBM Cognos 10.1 BI and TM1 9.5.2

Filed under: BI and TM1 Integration,Configuration,Contributor,HTTPS / SSL,Installation,Integration,Server,TM1 Contributor — Tags: , , , — Blog Admin @ 5:07 pm

It’s been a long few days. A customer who wanted not just to integrate IBM Cognos 10.1 Business Intelligence with TM1 9.5.2, but also wanted to do it using SSL / HTTPS rather than the out of the box HTTP protocol.  Nice.

I would have said that what follows is not for the faint hearted however with the right steps set out in-front of you its a lot easier than it seemed at the time!

This is a fairly complex task which will need you to have a pretty good level of understanding of a lot of technologies.  I have tried to write this in a simple way but I think I will need to refine this over time based on comments made.  Please feel free to add any feedback at the end so that I can improve this article as required

We will assume a few things before we start:

  •  You have your own SSL certificate either purchased or created for IIS.
  • The SSL certificate is configured and is working (able to serve up a basic HTML page via HTTPS)
  • You have basic installations of IBM Cognos 10.1 BI and TM1 9.5.2 already integrated (help on integration here)

Getting Cognos BI working via HTTPS

With IIS already configured to work on HTTPS its a simple task to get the Cognos Gateway components up and running.

First of all you must get all of your dispatchers up and running using the HTTPS protocol and the secured port 9343.  See the screenshot below for an example.

Cognos Configuration - Dispatcher URI's for SSL Configuration

 

Now that this is done, navigate to the Cryptography -> Cognos section of the tree-view.  Here we need to make sure that the server name is listed for the Server Common Name property.  As below this should be set to the exact name of the server as specified in your dispatcher URI fields.

Settings for Cognos Configuration - SSL Cryptography

Whilst you are there, make sure you set a password for each of the key stores.  It is advisable to use a single, strong password here or else you may find it difficult later on to know which password to use.

The  server common name value above is used in the certificate creation, if this does not match the name of the server specified in the dispatcher URI’s then you will get a prompt due to an invalid certificate during certain operations.  This could stop the integration between TM1 and BI from working correctly.

With IBM Cognos Configuration updated its now time to save and restart the services.  If you have just changed an existing installation from HTTP to HTTPS you will find that the IBM Cognos 10 service is re-registered and so you will have to input the service account credentials again to get things to start up properly.

Saving will take some time as the cryptography settings will be recreated.

Now is a good time to check that IBM Cognos 10 is up and running on HTTPS.  Check IBM Cognos Connection by visiting your gateway URI which should be in the form of

https://bi101.planitcpm.local/ibmcognos

This should return the familiar IBM Cognos portal screen.

If all is well, now try connecting to the dispatcher direct.  This is best done on the server its self as we can then ensure that the SSL certificate is imported at the same time.

The URI to enter is similar to this:

https://bi101.planitcpm.local:9343/p2pd/servlet/dispatch

Because the self-created certificate is not from a trusted root authority you will get the following screen in Internet Explorer.  For now click “Continue to this website (not recommended)”.

You will now see the bare dispatcher login screen.  Notice that the address bar is in pink and you have a certificate error to the right.

Click on “Certificate Error” to view and install the certificate.

When the pop-up screen shows, click on “View Certificate”

You will now see the certificate, click “Install Certificate”.

On the Certificate Store selection screen select “Place all certificates in the following store” and make sure Trusted Root Certification Authorities is selected.

Complete the Wizard.  You will be warned that you are about to install the certificate.  Click “Yes” to complete the process.

Now on the Certificate view, switch to the “Certification Path” tab and complete the same process for the CA Root Certificate.

Now with both certificates installed and trusted, exit from Internet Explorer and visit the Dispatcher URI again.  This time there should be no warnings etc.

IBM Cognos 10.1 is now working using SSL at both the Gateway and the Dispatcher levels.

Enabling TM1 to connect to IBM Cognos 10.1 via SSL

TM1 will need to trust and access the certificate used in the IBM Cognos 10.1 dispatchers,  for this to work we must export the certificate from the CA Keystore.  IBM provides a tool for this ThirdPartyCertificateTool.bat (or on Linux / Unix ThirdPartyCetificateTool.sh).

Open a Command Prompt and navigate to your IBM Cognos 10.1 installation directory / bin folder (in my case c:\Program Files\IBM\Cognos\c10\bin).

You will need to set the JAVA_HOME variable so that it can use the IBM Cognos supplied JRE.  Enter the command:
set JAVA_HOME=c:\program files\ibm\cognos\c10\bin\jre\6.0\
Now run the following command to export the keys.  You will need to substitute my paths for your own.  I am exporting the certificate file to the root of c:\ to a file called cognos.cer.

ThirdPartyCertificateTool.bat -E -T -r c:\cognos.cer -k "c:\Program Files\ibm\cognos\c10\configuration\signkeypair\jCAKeystore" -p password

Where “password” is the password you set for your keys tores in IBM Cognos Configuration.

You will get a response similar to the one below.

 

Note: If you get an error message with number CAM-CRP-1201 it seems to indicate that the password specified is incorrect.  Strangely if you actually omit the password you get an error that tells you that the password is wrong.

The file cognos.cer should now be in your output location.  Locate this file and copy it to a secure location on your TM1 Server.

With the file copied to your TM1 Server you will now need to edit the TM1s.cfg file to ensure that it knows where to find the certificate file.

You should have the following lines, edited for your installation.

ServerCAMURI=https://bi101.planitcpm.local:9343/p2pd/servlet/dispatch
ClientCAMURI=https://bi101.planitcpm.local/ibmcognos/cgi-bin/cognosisapi.dll
ClientPingCAMPassport=900
#Optional CAM parameters
CAMSSLCertificate=c:\cognos.cer
#CAMSSLCertRevList=
SkipSSLCAMHostCheck=TRUE

Once that has been updated you will need to save the file and restart your TM1 Services to allow the changes to be picked up.

Now, to ensure that TM1 and BI can integrate correctly there are a few more steps to complete, these have been discussed in another blog article which can be found here:

TM1 and BI Integration

There are a few differences now however, importantly, these are that the URL’s specified in the various configuration files must contain the HTTPS protocol not HTTP and that  you must reference the new port 9343 in place of 9300.

The files to update are on the BI / Gateway Server:

  • variables_TM1.xml

Which should now contain the following lines instead:

https://bi101.planitcpm.local/TM1Web/TM1WebMiniLogin.aspx

https://bi101.planitcpm.local/TM1Web/TM1WebLoginHandler.aspx

https://bi101.planitcpm.local/TM1Web/TM1WebMain.aspx

https://bi101/TM1Web/TM1WebMiniLogin.aspx

https://bi101/TM1Web/TM1WebLoginHandler.aspx

https://bi101/TM1Web/TM1WebMain.aspx

  • planning.html

Which should now contain the following line

// Update the following to point to the location of the planning service(s)
var planningServices = ["https://bi101.planitcpm.local:9343"];

Allowing TM1 Web to trust the BI Certificate

If you now run the initialize.jsp script from your installation of TM1 Contributor you will find that you get an error.

 

You are getting this error because the SSL Certificate that was applied to your IIS servers not trusted by the IBM Cognos supplied JAVA environment.  We must run a command line application to import this file.

On the BI Server open a command prompt and navigate to c:\Program Files\IBM\Cognos\c10\bin\jre\6.0\bin and execute the following command:

keytool -import -alias caWeb -keystore "c:/program files/ibm/cognos/c10/bin/jre/6.0/lib/security/cacerts” -trustcacerts -file c:\CertificateName.cer

You will be prompted for a password, this is the default password used by the keytool app – enter “changeit” in lower-case.

We also need to run the command to import the certificate created by IBM Cognos 10.1 or we will see an error stating:

 

We must run a command line application to import the cognos.cer file.

On the BI Server open a command prompt and navigate to c:\Program Files\IBM\Cognos\c10\bin\jre\6.0\bin and execute the following command:

keytool -import -alias caRoot -keystore "c:/program files/ibm/cognos/c10/bin/jre/6.0/lib/security/cacerts” -trustcacerts -file c:\cognos.cer

You will be prompted for a password, this is the default password used by the keytool app – enter “changeit” in lower-case.

With this all completed you should now find that you can access TM1 Contributor using HTTPS as shown below:

As stated at the beginning of the article, please do comment or ask questions.  I know this article needs some refinement but I really did want to keep it as short and to the point as possible whilst still explaining the steps involved to get this working.

I would also like to thank Keith Faulkner from IBM Support who helped me get this working and organised the relevant people behind the scenes at IBM to get the right information out to me.

 

 

August 23, 2011

Say No to multiple Admin Servers

Filed under: Cognos Planning,Configuration,Contributor,Errors,IBM Cognos 8,Installation — Tags: , — Blog Admin @ 9:28 am

Recently a customer requested that we review their self-installed IBM Cognos Planning environment due to poor performance and regular job failures.  There were a number of installation, configuration and sizing issues with the environment (which was on a vastly underpowered VMware platform), but one of the key recommendations that we made was to disable the Planning Administration Console Service on all but one of the Application Servers.

Additional CPU’s were added, but beyond that most of our recommendations are yet to be implemented.  In the meantime the environment continues to perform poorly and job failures are almost as frequent.

One of the latest issues that has been reported to us is that during the copy-load-prepare process, once you have completed the “copy” stage and switch to the “load” tab they are finding that different cubes are displayed each time.

  • Copy five files, switch to the load tab and find that cubes “A, C, D” show.
  • Try again with the same five files and find that cubes “D and E” show.
This is a typical symptom of having multiple Administration Servers configured in the environment, what is happening here is that a different Admin Server is processing each of the file copies, then when switching to the “load” tab just one of the servers is being used and so only a selection of the copied files are being detected.
The fix for this is a simple one, disable the Planning Administration Console Service on all but one of the Application Servers in your Planning server environment.

August 4, 2011

Running an IBM Cognos Analyst Macro from a Contributor Macro

Filed under: administrator,Cognos Planning,Contributor,IBM Cognos,IBM Cognos 8,Macros — Blog Admin @ 10:41 am

The usual way to run an IBM Cognos Analyst macro from within a Contributor macro is to use the “Execute Analyst Macro” step, however for some customers this seems to fail without logging any good reasons.  The error logging is minimal, though you will typically find errors such as:

Unable to execute macro 'ApplicationName.MacroName'.
The return code was 1107.

One alternative I find to work more robustly is to use the “Execute Command Line” macro step, we can use this step to launch an Analyst Batch Utility job just like in the “good old days”.  This method seems to be a bit more reliable and also logs a little bit more detail.

To maximise the success rate the wizard to create the batch job should be  run on the Admin Server.  The wizard creates two files in the c:\Program Files\cognos\c8\bin (or equivalent IBM Cognos 10 location) and are called:

  • bujobs.bin
  • bulibmap.lut
If the wizard is run on a machine other than the Admin Server they can be copied to the relevant location on the Admin Server to allow the Batch Job to be called by the macro.

To set up the Batch Utility job, open Analyst and to to the “Tools” menu.  Near the bottom you can select the option “Batch Utility Wizard”.

The Wizard Welcome Page will be shown, click “Next”.

Select “Create a new batch job”.

On the “Select a macro” screen, choose your Library and Macro from the drop-down menus and then give a descriptive name for this batch job.

You can also enter the name of the Namespace you want the batch-job to use.

Finally set up a log file location so you can review the Batch Job’s status.

The completion screen gives you the options to run the job right away or to print a summary of the job.

Click “Finish” to exit the Wizard.

The command line for the Batch Utility job will be copied to the clipboard automatically, this will be useful as we can use this when we set up the Contributor Macro to call it.

Open the Contributor Administration Console and navigate to “Macros” in the tree on the left.

Then click “New” to create a new macro.

You will be prompted to enter a name for the macro.

Then you will be given a list of macro step types.  Select the “Execute Command Line” macro step.

You will need to name the macro step, a descriptive name is best here, some people find it useful to prefix the step names with a code to indicate what type of macro step it is for example “ECL” for Execute Command Line, or “EAL” for Execute Administration Link”.

Place your cursor into the “Command to execute” text box and use CTRL-V on the keyboard to paste in the command line that was generated by the Batch Utility Wizard.

Finally you can chose to either enter a success code, typically success is determined by a code of “0″ (Zero).

With the macro created you can now execute this and check that it works as expected.

 

June 23, 2011

TM1 9.5.2 and BI 10.1 Integration

Filed under: BI and TM1 Integration,Business Intelligence,Configuration,Contributor,IBM Cognos,Installation,IntegratedSecurityMode,Integration,Server,TM1,TM1 Contributor — Blog Admin @ 7:50 pm

Having spent quite some time trying to figure out why our installation of TM1 Contributor would not work when using IBM Cognos 10 Integrated Security we figured it may be worth a blog entry to make sure that others coming across this problem don’t run into the same issues.

There are a number of steps involved with getting the installation up and running but first, lets just outline the server topology.

  • 1x 32-bit BI Server (Gateway, Application Tier and Content Manager) with TM1 Portlets and TM1 Web and TM1 Contributor installed.
  • 1x 64-bit TM1 Application Server (Running as a TM1 Admin Server and also hosting the individual TM1 Servers)
  • 1x SQL Server hosting the Content Store database and miscellaneous other databases not directly related to the install.

We are assuming here that you can (and have) installed the different IBM Cognos products correctly and are now focussing on integrating these products.

Enabling IBM Cognos Security on the TM1 Server

On your TM1 Application Server you will have a number of TM1 Servers such as the Planning Sample TM1 Server.  Each TM1 Server has a file called tm1s.cfg that contains parameters used during the startup of your TM1 Server.  An example file is below:

# Security mode
## If IntegratedSecurityMode is set to 1. All clients must provide a database
# username and password. This is traditionally done through a login screen.
## If IntegratedSecurityMode is set to 2. The clients will have the choice
# to connect provide a database username and password or use the single-login
# mechanism for authentication.
## If IntegratedSecurityMode is set to 3. All clients must use the single-login
# mechanism for authentication.
## If this is not set the parameter will be set to 1 by default.
# GroupsCreationLimit
## Note: The GroupsCreationLimit server configuration parameter pre-allocates
# memory and should not be set higher than needed. Please see TM1 technical
# bulletin: GroupsCreationLimit Recommendations for more information on
# how this parameter works.
[TM1S]ServerLogging=F
SecurityPackageName=Kerberos
IntegratedSecurityMode=5
UseSSL=T
ServerName=Planning Sample
DataBaseDirectory=C:\Program Files\Cognos\TM1\Custom\TM1Data\PlanSamp\
AdminHost=TM1952
PortNumber=12345
Language=ENG
SaveTime=
DownTime=
ProgressMessage=True
AuditLogOn=F
AuditLogMaxFileSize= 100 MB
AuditLogUpdateInterval=60
PersistentFeeders=F
ParallelInteraction=F
ServerCAMURI=http://bi101:9300/p2pd/servlet/dispatch
ClientCAMURI=http://bi101/ibmcognos/cgi-bin/cognosisapi.dll
ClientPingCAMPassport=900
#Optional CAM parameters
#CAMSSLCertificate=
#CAMSSLCertRevList=
#SkipSSLCAMHostCheck=TRUE
#CAMPortalVariableFile=portal\variables_plan.xml 

To enable IBM Cognos 10.1 BI Integrated Security we need to change the value of "IntegratedSecurityMode" from 1 to 5.

Also by default the “ServerCAMURI”, “ClientCAMURI” and  ”ClientPingCAMPassport” values are commented out.  These need to be given the values for your server which can be obtained from IBM Cognos Configuration.

The TM1 Server will need to be restarted to pick up these values.

More detailed information on setting up the integrated security can be found here:

http://www.ibm.com/developerworks/data/library/cognos/page413.html

Installing the TM1 Portlets

The TM1 Portlets are used to provide integration between TM1 Web and IBM Cognos Connection, these are available as a separate download “TM1Portlets_10.1_mp.tar.gz” – the full list of part numbers is here:

Parts and Platforms Required/
Optional		 Details Part number
IBM Cognos TM1 Quick Start Guide 9.5.2 Multilingual Required Describes the general steps required to install TM1. CZW15ML
IBM Cognos TM1 Widget Updater 9.5.2 for BI 10.1.0 Multiplatform Multilingual Optional Updates the Cognos BI 10.1 TM1 Widgets, providing the TM1 CubeViewer and Websheet Widgets with new toolbars. CZW16ML
IBM Cognos TM1 Portlets 9.5.2 for BI 8.4.0 Multiplatform Multilingual Optional Allows you to create portlets to view TM1 cube views and websheets in BI 8.4.0. CZW1NML
IBM Cognos TM1 Portlets 9.5.2 for BI 8.4.1 Multiplatform Multilingual Optional Allows you to create portlets to view TM1 cube views and websheets in BI 8.4.1. CZW1PML
IBM Cognos TM1 Portlets 9.5.2 for BI 10.1.0 Multiplatform Multilingual Optional Allows you to create portlets to view TM1 cube views and websheets in BI 10.1.0. CZW1MML

 

Once extracted and installed using the usual IBM Cognos InstallStream installer you will need to move around and edit some files as follows: -

From the location C:\Program Files\Cognos\TM1\Cadmin\gateway take the files

pmpsvc.war -> c:\Program Files\IBM\Cognos\c10\webapps
planning.html -> c:\Program Files\IBM\Cognos\c10\webcontent
variables_plan.xml -> c:\Program Files\IBM\Cognos\c10\templates\ps\portal

Once the files are moved in to place we need to perform some actions upon them.

pmpsvc.war

This file has been copied into the IBM Cognos 10 webapps folder, if the IBM Cognos 10.1 BI service is running it will automatically be extracted and loaded into memory.  This forms the TM1 Contributor Web Application and is now running into the bundled Tomcat instance.  It can also be deployed manually to another instance of Tomcat if you so choose.

planning.html

This file needs to be edited to contain the path to your PMPSVC application.  By default the file has the following line:

// Update the following to point to the location of the planning service(s)
var planningServices = ["http://localhost:8080"];

We must change the path to one that is correct for your installation such as:

// Update the following to point to the location of the planning service(s)
var planningServices = ["http://YOUR-BI-SERVER.DOMAIN.COM:9300"];

Be sure to get this exactly right as this is something that caught us out during our first installation.  Due to a number of other errors we were troubleshooting at the time we ended up with the “/pmpsvc” added to the end of the URL.  This is very bad and will result in the following error:

The planning service parameter was not specified or is not one of the configured locations

variables_plan.xml

This file does not need to be edited, the default file as below is correct and works out of the box:

<?xml version="1.0" encoding="UTF-8"?>
<CRNenv>
	<urls>
		  <url>../planning.html</url>
 	</urls>
</CRNenv>

variables_tm1.xml.sample

This file already exists in the c:\Program Files\IBM\Cognos\c10\temlates\ps\portal folder but needs to be renamed to “variables_tm1.xml” and it also needs to be edited.  The default file looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<CRNenv>
	<urls>
<url>
		<url>http://tm1webhostname/tm1web/tm1weblogin.aspx</url>
		<url>http://tm1webhostname/tm1web/tm1webloginhandler.aspx</url>
		<url>http://tm1webhostname/tm1web/tm1webmain.aspx</url>
</url>
	</urls>
	<cookies>
		<param name="cam_passport"/>
	</cookies>
</CRNenv>

One thing to look out for is that in our initial installation there was an extra set of <url></url> tags that had to be removed.  They are shown in red in the file above, these were not correct.

To ensure that TM1 Web is working correctly we need to add in all the permutations of the three URL’s above.  Namely using the NETBIOS name and the full DNS name of the servers as well as and DNS aliases that my may have set up.

In our test server setup we had the following as an example:

<url>http://bi101.planitcpm.local/TM1Web/TM1WebMiniLogin.aspx</url>
<url>http://bi101.planitcpm.local/TM1Web/TM1WebLoginHandler.aspx</url>
<url>http://bi101.planitcpm.local/TM1Web/TM1WebMain.aspx</url>
<url>http://bi101/TM1Web/TM1WebMiniLogin.aspx</url>
<url>http://bi101/TM1Web/TM1WebLoginHandler.aspx</url>
<url>http://bi101/TM1Web/TM1WebMain.aspx</url>

Restart the services

With these files copied into place and edited correctly you should restart the IBM Cognos 10 service so that the new files are picked up.

Initialising the TM1 Contributor Web Application

We need to set the parameters for the TM1 Contributor application now, to do this navigate to the URL set up earlier, e.g. http://servername.domain.com:9300/pmpsvc/ – assuming this is the first time you have run this it will redirect automatically to the initialize.jsp page as shown below:

TM1 Contributor initialise.jsp

Ensure that you get all of the correct URL’s in the fields and also be sure to put the the DNS name for your TM1 Admin Server into the Admin Host field as it defaults to the local machine and won’t list any of your TM1 Servers.

The TM1 installation and IBM Cognos Business Intelligence will now be integrated.

March 23, 2010

Remembering the importance of server reboot.

Filed under: Contributor,IBM Cognos,Reboot,Server — Blog Admin @ 11:02 am

Too often in a support situation people poke fun  and make sarcastic comments about the requests for screenshots and reboots to clear problems, seen as being either delaying tactics or lazy troubleshooting, so sometimes the humble server reboot is overlooked, as we try too hard to find another fix for the problems at hand.

Earlier this week a client got in touch about a problem they encountered following some issues with their Cognos service account on their Windows 2003 servers.  Initially all of the Contributor applications were unavailable, each giving a message on the web page stating that:
“The application definition is being updated on the server.  Please try again in a little while”
Very polite, but not too helpful.  As far as we knew the application definition was in no need of being updated.  But try again in a little while we did.
Four out of five applications did indeed become available but the last one refused.  So we viewed the error logs only to find there was no specific help there, we tried to GTP, Synchronise, GTP again, each time the GTP successful, unless a reconcile job was required, at which point the reconcile failed to complete even a single e.list item.
“The application must be corrupted” we declared.  ”I suggest that you restore the database from a backup file”.  And so within 30 minutes a backup file from Friday night was restored and we tried again.
“The application definition is being updated on the server.  Please try again in a little while” the server responded.
By now time was getting on, nobody wanted to stay on the phone so we offered that it may be worthwhile getting the databases off-site to try some testing on our own servers, to limit the drain on the customers time of course.  And so we suggested the following:
  1. Try a reboot of all the servers if possible
  2. If the reboot is unsuccessful, please upload the backup files so we can try them ourselves
An hour later we received an email saying the servers had been rebooted and the application was now working.  The customer quite rightly said it was a bit of a shame in a way, that we had not tried this earlier in the day.  Though I have to wonder if we had suggested rebooting the servers as a first stab at finding a fix for the solution if it would have been greeted so warmly.
So maybe we should remember that rebooting the server is not always the lazy option, but simply a way of ensuring that all the cobwebs have been blown out before resorting to more thorough investigations.

March 15, 2010

TM1 – Ahem, technical issues…

Filed under: Contributor,IBM Cognos,Installation,IntegratedSecurityMode,TM1 — Blog Admin @ 6:47 pm

There has been quite a bit of TM1 work about lately, most interesting of all is the latest 9.5 work with the TM1 Contributor component.  It’s been somewhat easier to implement within the localised VMware environments with no complicated Active Directory or anything like that to get in the way but even so, its not exactly rocket science… or is it?

I mean, its really giving me a bit of a rough time on a particular customer implementation that I am working on right now, its just not playing nice.  On the surface it is all working nicely.  Navigating around, looking at the web etc.  But just you try publish an application to Contributor… oh yes… and that’s where it starts giving a headache.

First of all it spend a long while complaining that you really do want to be using “IntegratedSecurityMode=5″ with TM1 Contributor.  Ok, thats a fair point.  What I had actually done was mistakenly put it to “IntegratedSecurityMode=4″ – this I could not resolve for even when the setting had been corrected, TM1 still wanted to tell me that I can’t use 4.  I got around it in the end by copying the sample application from another installation over to the problematic server.  But now its complaining again and I have my work cut out for me.

The very annoying error is some JAVA.NULL.EXCEPTION.POINTER or some thing similar.  Seems to only happen with the Planning Sample App for now anyway as I just got it to work with the customer’s own data.  #win!

What is a Cognos Competency Centre?
  • Other Posts
© 2012 Planit CPM

Privacy Policy
Cookie Policy
Site Map
Contact Us
Twitter