IBM Support

IMPORTANT Information for Clients that upgrade IBM Cognos Analytics after applying the no-upgrade instructions to address log4j v2 vulnerabilities

Troubleshooting


Problem

Running a DQM (Dynamic Query Mode) report or testing a database connection, the following error is returned:

XQE-CON-0007 XQE error encountered: DPR-ERR-2002 Unable to execute the request because there were no connections to the process available within the configured time limit.

Creating a DQM report, the following error is returned:

XQE error encountered: DPR-ERR-2002 Unable to execute the request because there were no connections to the process available within the configured time limit.

Running or creating a DQM dashboard, the following error is returned:

The metadata for '<Model Name>' did not load. Please contact your administrator for details.

The cogaudit.log contains a log entry with the following strings:

QueryService failed to start with the following command-line arguments:
Also
-javaagent:../webapps/p2pd/WEB-INF/lib/log4jSafeAgent2021.jar
Affected Versions:
Equal to or newer than the following:
IBM Cognos Analytics 11.0.13 IF5 (11.0.13-2201052300)
IBM Cognos Analytics 11.1.7 IF8 (11.1.7-2201050500)
IBM Cognos Analytics 11.2.1 IF3 (11.2.1-2201060400)
Notes:

Verify the version of your installation by opening the <Cognos Install>/cmplst.txt file and looking at the kit_version=<version> entry. The number after the dash (-) in the version represents the date-time when the kit was created. For example, 2201052300 is Year:2022 Month:01 Day:05 Hour:23 Minute:00.

If upgrading to an IBM Cognos version (GA, FP or IF) older than the ones listed, refer to the security bulletin in the next section. You need to revisit the "no-upgrade" option in the bulletin to ensure the installation is properly protected.

Cause

This issue will occur after an upgrade due to a log4j "no-upgrade" mitigation step, implemented on the installation before the upgrade. This step is related to the modification of the xqe.config.custom.xml file. While the log4jSafeAgent2021.jar file, mentioned in the cogaudit.log, is safely removed during the upgrade, a reference to it remains in the xqe.config.custom.xml file as it is not removed or modified during an upgrade.
The security bulletins that describe the log4j vulnerability in relation to IBM Cognos and available remediations:
Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability (CVE-2021-44228)
https://www.ibm.com/support/pages/node/6526474
Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability (CVE-2021-45046)
https://www.ibm.com/support/pages/node/6528388
Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerabilities (CVE-2021-45105, CVE-2021-44832)
https://www.ibm.com/support/pages/node/6538720
Note: Each bulletin is superseded by the bulletin following it.

Resolving The Problem

In the <Cognos Install>/configuration/xqe.config.custom.xml file search for log4jSafeAgent2021.jar.
If the search finds the file name, remove the argument shown here from the list of options.
-javaagent:../webapps/p2pd/WEB-INF/lib/log4jSafeAgent2021.jar
Restart Cognos.

Notes:
While the log4j mitigation steps required the bootstrap_wlp_os_version.xml file also be modified, this file resets back to its default state during the upgrade and does not need to be edited to resolve this issue.

Backing files before modification is recommended.

The change needs to be performed on all application servers.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTSF6","label":"IBM Cognos Analytics"},"ARM Category":[{"code":"a8m50000000Cl3yAAC","label":"Installation and Configuration"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
24 January 2022

UID

ibm16549814