IBM Support

Very poor performance of Controller when client device does not have access to the Internet

Troubleshooting


Problem

User launches the Controller client. It may take a long time to launch. When (finally) inside Controller, some (or all) functions inside Controller work abnormally slowly.

Symptom

The symptoms will vary depending on environment/circumstance.

As an example, in one real-life case:

  • Logging onto a brand-new blank database, using native security, takes about 60 seconds (instead of the expected 5 seconds)
  • Once Controller is open, clicking on other menu options is also abnormally slow (for example approx 30 to 60 seconds, compared with 5 seconds).

Cause

The Controller client uses Microsoft .NET. By default, the Windows operating systems (running the client software) will check that the .NET code is 'digitally signed' by a trusted company.

  • This is done with the use of 'digital certificates', which are published by IBM Cognos and authenticated by 3rd party vendors (for example Verisign and Thawte).

This 'certificate checking' is performed (over the internet) by Windows, before each code component can be executed. If the internet cannot be reached, then there is a delay (timeout) (typically of approximately 30 or 60 seconds) before the component is eventually executed.

Environment

Client device (for example end user's PC, or Citrix server) has no access to the internet.

Resolving The Problem

There are several possible:

  • Method #1 - Disable .NET certificate checking (over the Internet) entirely for all applications via GUI
  • Method #2 - Disable .NET certificate checking (over the Internet) only for Controller/Excel.
    • For most customers, this is the easiest method
  • Method #3 - Allow the clients and application server to access the internet to perform certificate checking
  • Method #4 - Disable .NET certificate checking (over the Internet) entirely for all applications via registry

Steps:
Choose whichever of the following methods is easiest for your environment:

Method #1 - Disable .NET certificate checking (disable 'CRL verification') for all applications
  1. Logon to the 'slow' client device using the 'bad' Windows user's credentials
  2. Launch Internet Explorer
  3. Click 'Tools - Internet Options'
  4. Click tab 'Advanced'
  5. Scroll down to section 'Security'
  6. Untick the box next to 'Check for publisher's certificate revocation'


Method #2 - ** RECOMMENDED ** - Disable .NET certificate checking (over the Internet) only for Controller/Excel.
This is normally the recommended method because:
    (a) It can sometimes give slightly faster performance (compared to Method #2)
    (b) It is often the easiest method for most customers to implement.

For step-by-step instructions, see separate IBM Technote #1441779.

Method #3 - Allow the clients and application server to access the internet
  1. Logon to client PC (or Citrix server) using the 'slow' end-user's Windows username/password
  2. Launch Internet Explorer
  3. Open a few test websites (e.g. www.bbc.co.uk, www.verisign.com) to check that the pages appear correctly
    If step 3 is unsuccessful, then modify the Internet Explorer settings (e.g. proxy server) and network settings (e.g. default gateway) until this is successful.

    TIP: After giving access to the Internet and successfully proving that Controller access is faster, you may find that (after re-disabling the Internet access) Controller still runs quickly. In other words, once .NET has authenticated the relevant Controller component once then (in the future) it will quickly assume that it is still safe even if the certificate cannot be re-checked over the internet.
    However, despite this behaviour, please make sure that you leave the internet access enabled for the future. This means that when an end-user uses a new Controller component/code (in the future), or when the version of Controller is upgraded (in the future) this problem will not re-occur.
    Also, the 'certificate revocation list' gets updated regularly (approximately every 15 days) so the fix may only work for 15 days, unless you leave internet access enabled.

Method #4 - Disable .NET certificate checking (over the Internet) entirely for all applications via registry
t is also possible to achieve the same thing as Method #1 (see above), but by instead modifying a registry key (inside the 'bad' end user's profile). Specifically, the following key changes the CRL verification:
    HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
  • Disable CRL (fast): 0x00023e00
  • [Enable CRL (slow): 0x00023c00]

[{"Product":{"code":"SS9S6B","label":"IBM Cognos Controller"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Controller","Platform":[{"code":"PF033","label":"Windows"}],"Version":"10.2.1;10.2.0;10.1.1;10.1;8.5.1;8.5;8.4;8.3","Edition":"Not Applicable","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Historical Number

1034825

Document Information

Modified date:
15 June 2018

UID

swg21347312

Page Feedback