Attempting to connect to the Cognos Business Intelligence Gateway in a browser, error "The Cognos gateway is unable to connect to the Cognos BI server. The server may be unavailable, or the gateway man not be correctly configured."
The Cognos gateway is unable to connect to the Cognos BI server. The server may
be unavailable, or the gateway man not be correctly configured.
There are many possible causes for this error.
- This Technote relates to the scenario where the cause is that the Cognos keystores have expired.
By default, the cryptographic keys are valid for 365 days.
- This value is configured inside Cognos Configuration
- Specifically, browse to "Local Configuration -> Security -> Cryptography" and modify the value for: Common symmetric key lifetime in days
Each time you open Cognos configuration and click the save button, it resets the clock on your 365 days. Therefore, if you installed the software and didn't save the configuration for 365 days, they would expire and you'd need to manually regenerate them.
You must restart the services every so often to ensure the new keys are actually being used.
- If you think you won't be opening and saving your configuration at any point in the next year or two, you can change the expiration date to 8 years and re-encrypt everything.
Diagnosing The Problem
Originally it was thought that when you check the timestamp of your keystores (cognos_root_install/configuration/[csk] [signkeypair] [encryptkeypair]), and if these are older than one year, recycle your keys.
- However, this timestamp does not reflect the renewal date, but rather the create/modify date of the file itself.
Instead, use ikeyman to open certificates and view the actual expiry date, as follows:
1. Launch ikeyman.exe as administrator (Program Files\cognos\bin\jre\6.0\bin\ikeyman.exe)
2. Click "Open", and select key database type "PKCS12"
3. Go to the Cognos\configuration directory, then to the signkeypair
4. At the bottom click "All files" and then select "jCAKEYSTORE"
- It will open and the valid date range should be visible.
Resolving The Problem
Recycle your cryptographic keys.
Steps for a distributed installation (where you have more than one server)
1. Stop all servers in the environment
- Given, cryptographic keys on all servers must be synchronized against the active Content Manager, the active CM should always be the first server started and the last one stopped.
2. Open Cognos Configuration on your Content Manager and export the configuration as plain text (File -> Export as) in the cognos_root_install/configuration directory.
- Choose cogstartup.xml as the filename and overwrite the existing file. (Ignore the warning, this is because passwords for the authentication source or content store can be visible in this unencrypted file.)
3. Exit Cognos Configuration, do not save your configuration or start the service if prompted.
- Navigate to your cognos_root_install/configuration directory
- Delete the keystores ([csk] [signkeypair] [encryptkeypair])
- Next, open Cognos Configuration again and save your configuration
- Start the Content Manager before moving to the next step.
4. Repeat the step described for the Content Manager on every Report Server.
- After new keys have been generated, restart your Report Server
5. Last step is to recycle the keys on the Gateway (save Configuration in plain text / remove the keystores)
Steps for a single-server installation
1. Stop the application
2. Open Cognos Configuration and export the configuration as plain text (File -> Export as) in the cognos_root_install/configuration directory.
- Choose cogstartup.xml as filename and overwrite the existing file.
- Exit Cognos Configuration and go to your cognos_root_install/configuration directory.
- Delete the keystores which are folders: csk, signkeypair and encryptkeypair.
- Next, open Cognos Configuration again and save your configuration. Start the application again.
Note: You may have to restart IIS on your gateway server when you have reconfigured your keystores
If you are still receiving the same error after recreating the keys. the permissions on the cogstartup.xml file (in the gateway server's cognos_root_install\configuration directory) may need to be modified.
- Granting the "Everyone group" Full Control to the cogstartup.xml file will most likely resolve this issue.
- If you are using cognosisapi.dll, you must restart the webserver for this change to take effect.
15 June 2018