The integration of Cognos Analytics and Planning Analytics (or Cognos Business Intelligence with Cognos TM1) is often seen as complex area, especially when it comes to troubleshooting. This document will provide a walkthrough of the integration between Cognos Analytics and Planning Analytics, and will list regular scenarios and its resolution. This integration is often also referred to as using CAM Security.
Part 1 is covering the general change to IntegratedSecurityMode 5 and the steps required for TM1Web. The main configuration of Part 1 is also available as video.
Before we start, it’s best to collect a few information from both the Cognos Analytics and Planning Analytics environment.
Relevant information for the Cognos Analytics environment are the Gateway URL, the Content Manager URLs and the Namespace ID.
Relevant for Planning Analytics are tm1s.cfg, Adminhost, TM1 Servername, TM1 Applications URL and the Planning Analytics Workspace URL.
For the walkthrough, the following is assumed:
Gateway URL: http://web-host:80/ibmcognos/bi/
Content Manager URLs: http://ca-host:9300/bi/ & http://ca-host:9400/bi/
Namespace ID: AD
TM1 Applications URL: http://pa-host:9510/
PAW URL: http://paw-host:80
Change Security Mode of the TM1 Server
Step 1: Copy bi_interop from Planning Analytics to Cognos Analytics
Each Planning Analytics installation will come with a bi_interop folder containing a bi_interop.zip.
1. Unzip bi_interop.zip
2. Copy the content over to each gateway and dispatcher of the Cognos Analytics installation
Step 2: Import a Cognos User to be TM1 ADMIN
When you first start with the TM1 Server only native TM1 users will have ADMIN rights. In order to implement CAM Security, at least one Cognos user will need to receive ADMIN rights. It should be noted that Cognos does not host users itself, but references users from different authentication providers, like Active Directory. A “Cognos user” is therefore an object, referencing a user within an external authentication provider.
In order to set a Cognos user as TM1 ADMIN, mixed mode authentication (IntegratedSecurityMode=2) is first configured, to allow the logon with a current native ADMIN user. This user will then import the user from Cognos Analytics and apply ADMIN permissions.
To generally allow the import of users in Architect, changes to tm1p.ini are also required.
1. Add ServerCAMURI, ClientCAMURI, ServerCAMURIRetryAttempts to tm1s.cfg and change IntegratedSecurityMode to 2
The multiple entries of ServerCAMURI each represent a Content Manager. In case of a failover scenario in Cognos Analytics, the Content Managers will be worked through, starting with the first one in the list. The first entry should therefore represent the primary Content Manager.
2. Changes to tm1p.ini (C:\Users\<username>\AppData\Roaming\Applix\TM1) for Architect, which you want to use to import the users.
AllowImportCAMClients = T
CognosGatewayURI = http://web-host:80/ibmcognos/bi/v1/disp
3. Restart the TM1 Server
4. In Architect go to Security > Client and Groups and add a new client.
A Cognos login screen will now appear. Log in with a user that is a system administrator within Cognos Analytics.
Select the namespace, make sure “Show users in the list” is selected, and navigate to the user that should act as TM1 ADMIN. Check the box beside the user, and move it to the right and confirm.
5. Apply ADMIN rights to the newly imported user and confirm by clicking OK.
Step 3: Change Security Mode of the TM1 Server to IntegratedSecurityMode=5
A Cognos user is now able to perform all ADMIN tasks in TM1, so you can now switch completely to IntegratedSecurityMode 5.
1. In tm1s.cfg change IntegratedSecurityMode from 2 to 5
2. Restart the TM1 Server
Step 4: Verify the login in Architect
1. Open Architect
2. Double click on the TM1 Server to login
3. A Cognos Analytics login screen is now appearing instead of the TM1 native login dialog
4. Logon with the previously imported user in Architect
5. Verify the permissions of the user. You should be able to perform every ADMIN task, ie. import new users
You can now repeat the import of users and groups to establish the required security in the TM1 server, based on Cognos Security.
Common problems during this step of the integration
HTTP 404 – This page can´t be displayed:
The ClientCAMURI entry cannot be accessed from the client machine. Try the URL set as ClientCAMURI in Internet Explorer on the client machine. Architect uses a piece of Internet Explorer to show the Cognos Analytics login page, so a test in another browser like Firefox or Chrome, is not always sufficient.
Something is wrong with the ServerCAMURI. This could be anything from the URL not being accessible, wrong URL being used in tm1s.cfg, Port (in the example Port 9300 and 9400) being blocked. Test the URL to be accessible from the TM1 Adminhost.
Using IntegratedSecurityMode=5 with TM1web
Prerequisite: Section Change Security Mode of the TM1 Server needs to be completed prior.
Step 1: Configure tm1web.html
In our example http://pa-host:9510/tm1web is the URL to access TM1Web. pa-host needs to be added to a list of referrers, that are allowed to forward requests to Cognos Analytics.
This configuration is done in tm1web.html. A copy of this file is available at <cognos analytics gateway>\webcontent\tm1\web by default. If you use Cognos Analytics 11 through a Gateway the tm1 folder needs to be copied also to <cognos analytics>\webcontent\bi after it´s adjusted.
1. Open tm1web.html in an editor
2. Search for “var tm1webServices”
3. Expand the list of URLs from
var tm1webServices = [“http://localhost:8080”, “http://localhost:9510”];
var tm1webServices = [“http://localhost:8080”, http://localhost:9510, “http://pa-host:9510”];
4. Copy the ..\webcontent\tm1 folder to ..\webcontent\bi
Assuming your users would not access TM1Web through pa-host, but through pa-host.domain.com or through a proxy (proxy.domain.com), these URLs needs to be added to the list as well. For example:
var tm1webServices =[“http://localhost:8080”, http://localhost:9510, http://pa-host:9510,”http://pa-host.domain.com:9510”, “http://proxy.domain.com:9510”];
Step 2: Cognos Application Firewall
The pa-host needs to be added to the list of valid hosts and domains in Cognos Analytics Cognos Configuration. This is necessary for the log out action, which routes you from Cognos Analytics to TM1Web. Make sure to add the same lists of hosts as in pmhub.html, both with no port specified, and with port 9510 specified.
1. Open Cognos Configuration of Cognos Analytics
2. In the tree look for Local Configuration > IBM Cognos Application Firewall
3. Under Valid domains or hosts add the host and domain names from the TM1 Application Server
4. Save Cognos Configuration
5. Restart Cognos Analytics
Step 3: Verify the login in TM1Web
1. In a browser, open http://pa-host:9510/tm1web
2. Select the TM1 Server, that has been configured with IntegratedSecurityMode 5
3. The Cognos Analytics login screen appears. Enter the credentials of a valid Cognos user, that has access to the TM1 Server
Common problems during this step of the integration
The TM1Web service parameter was not specified or is not one of the configured locations or a white page.
This usually speaks for tm1web.html not being configured correctly (see above), or an unsupported browser being in use.
Can´t find variables_TM1.xml
The first step suggested to copy the bi_interop folder into the Cognos Analytics installation, which provides the required variables_tm1.xml. The variables_tm1.xml needs to be present at <cognos analytics>\templates\ps\portal for every dispatcher.
On logout a Cognos CAF error message can appear. This can be resolved by adding all allowed URLs to the list of valid domains or hosts in Cognos Configuration.
Stay tuned for the next part covering the Integration between Cogonos Analytics and Planning Analytics for TM1 Applications Portal and Operations Console.
Verified in Cognos Analytics 11.0.6 and Planning Analytics Local 2.0.1.