User launches "IBM Cognos FAP" from the start menu. The Controller "Financial Analytics Publisher" (FAP) Window appears. User starts a publish. User clicks the 'logs' tab. After a few seconds, an error appears ("Could not login to TM1"). If the user hovers their mouse over this message, then the error 'SystemServerNotFound' appears.
FAP Service Scheduler CRITICAL Could not login to TM1, host xxxxxxxx, server name yyyyyy, user name zzzzzzz
There are many different potential causes for 'Could not login to TM1' & 'SystemServerNotFound' errors.
- TIP: See separate IBM Technote #1664572 for more examples.
This Technote specifically relates to the scenario where the cause is that the SSL certificate (used for the communication traffic with TM1) has expired.
The most likely root cause (of the certificate expiring) is that both of the following are true:
- TM1 is configured to use the default (1024-bit) SSL certificate ("applixca.cer")
- The version of TM1 (being used) uses a 'applixca.cer' certificate with an expiry date of 24th November 2016 (and this is now in the past).
Diagnosing The Problem
For more information on this topic (TM1 SSL certificate expiry), see links at the end of this Technote, especially:
- FAQ inside separate Technote #1990940
- Blog inside Developerworks.
Resolving The Problem
Update your TM1 server and client software, using patches downloaded from the IBM website.
For the avoidance of doubt, these patches are only applied to the TM1 software.
- The Controller software does not need to be patched. The Controller version can therefore stay exactly the same as before.
(1) Make sure that you perform the steps on every device that has had either TM1 server and/or client installed.
- The TM1 server (which hosts the FAP cube)
- It may also have TM1 client (for example TM1 Perspectives and TM1 Architect) software installed (perhaps for testing purposes)
- The Controller application server
- For the 'IBM Cognos FAP Service' to work, then (when the server was first created) it must have had some TM1 software installed (to enable the APIs to work).
- In most cases, customers typically have chosen to install the TM1 client (for example TM1 Perspectives and TM1 Architect) onto this server. NOTE: It is possible that they used the TM1 server software installation media to install the TM1 client (see next section!)
- Any client device (for example, with TM1 Perspectives and/or Architect installed)
- This will have the TM1 client software installed.
This will definitely have the TM1 server software installed
Most customers choose to run their FAP service on the 'main' Controller application server. In other words, this is typically the server which is running the Windows service called 'IBM Cognos FAP Service'.
(2) Check if any TM1 'server' software installations are only using the client components.
Some customers will have installed the TM1 client (TM1 Architect / Perspectives) using the TM1 server installation media. This is OK, but it may cause the reader (of these instructions) to perform some unnecessary extra steps.
- If your device only has the TM1 client installed (does not have the TM1 server installed/configured), but you used the TM1 server installation media to do this, then you only need to perform the steps (see below) relevant for the TM1 client
- For the avoidance of doubt, this means that if you have a separate TM1 server (which hosts your FAP cube) and a separate Controller application server (which runs the 'IBM Cognos FAP Service' Windows service, but not a TM1 server) then you only have to perform the TM1 client patching steps on the Controller application server (even if you used the TM1 server installation media to install the TM1 client).
(3) Choose which method you prefer (to update your SSL certificates):
- See separate IBM Technote #1990588 for full details.
Method #1 - Semi-Automated - using Interim Fix (IF) installers, released approximately 5th October 2016)
This method automates some of the steps. However, it only works for TM1 10.2.0 or earlier (because there is no installer/patch available for TM1 10.2.2.
Method #2 - Manual (using new SSL certificates released 30th September 2016)
This method involves more manual steps (however the author of this Technote prefers this method). It is the only method for customers using TM1 10.2.2.
1. Obtain downtime (no users on the system)
You will also need to stop your FAP publish.
- TIP: The 'best practice' method of stopping the FAP service (and maintaining the data of the TM1 cube) is explained inside separate IBM Technote #1585881.
2. Check which exact version of TM1 you are using on each of your devices (TM1 server, Controller application server, client devices)
- TIP: For instructions, see section "How to Determine the Version of IBM Cognos TM1 in your Environment" inside Technote #1991653.
3. Download the relevant files
- Method #1 (semi-automated)
- TIP: For links, see separate Technote #1991790.
- TIP: For a link, see section "Updated TM1 SSL Certificates Download Location" inside Technote #1991653.
Download the relevant Interim Fixes for your server and client versions
Method #2 (manual)
Download the updated certificates file ("NewSSLCerts.zip")
4. Update any device that has TM1 server running, with the new certificates:
-- Most customers only have one TM1 server in their environment, so this section only has to be performed on one machine --
TIP: If the device has TM1 server installed but not running (for example, TM1 server was only installed to get the TM1 clients installed) then you can follow the simpler instructions (see section 5) instead.
- Method #1 (semi-automated)
- Make sure that you follow the instructions specific to your exact version of TM1 server
- TIP: See section "IBM Cognos TM1 Server Side Updates / Steps" inside Technote #1991653.
For links to instructions on how to install/apply this patch, see separate Technote #1991790.
Method #2 (manual) = Download the updated certificates ("NewSSLCerts.zip")
5. Update any TM1 client installations, with the new certificates:
-- Most customers will have the TM1 client installed on (a) the Controller application server and (b) some other client devices (for example some superuser client devices). Therefore this section has to be performed on all of those machines/devices --
- Method #1 (semi-automated)
- Extract the file 'NewSSLCerts.zip' somewhere sensible (for example C:\TEMP\NewSSLCerts)
- Copy the contents of that folder (C:\TEMP\NewSSLCerts\*.*) and paste them into the following two folders:
- Double-click on the following file: <tm1_install_dir>\tm1_64\bin64\ssl\uninstallSSL.bat
- Double-click on the following file: <tm1_install_dir>\tm1_64\bin64\ssl\importsslcert.exe
For instructions on how to install/apply this patch, see separate Technote #1991793.
Method #2 (manual)
For full details , see section "IBM Cognos TM1 Client Side Updates / Steps" inside Technote #1991653. However, for most situations they simply need to perform the following:
There are other methods which can solve the problem for TM1, but which cause Controller FAP to fail. For this reason, do not use any other method! Specifically:
- For more details, see separate IBM Technote #1697266.
- Therefore, do *not* use the 2048 bit certificate method to try to fix the Controller FAP functionality.
(a) Do not use the 2048 bit certificate ("tm1ca_v2.der") or your own 'custom' certificate !
It is possible to modify the TM1 server to use the 2048 bit certificate ("tm1ca_v2.der") which is supplied (by IBM) as part of the original software. This (different) certificate expires 25th August 2022.
However (although that method will allow the TM1 software to work after 24th November 2016) this is not compatible with Controller's FAP function
(b) For a similar reason, do not try to use your own 'custom' SSL certificate (this will also break the Controller FAP function).
15 June 2018