app_maintenance.bat with CAM Security fails

foogy
Posts: 37
Joined: Fri Nov 16, 2012 5:44 pm
OLAP Product: TM1
Version: 10.2.2 FP6
Excel Version: 2016
Location: Germany

app_maintenance.bat with CAM Security fails

Post by foogy »

Dear Forum members,

Has any of you already used the app_maintenance.bat tool to perform maintenance tasks for a TM1 Applications app? I would like to import a rights file, but I don't even get that far due to the following error message:

Code:

com.ibm.cognos.fpmsvc.exception.FPMSVCException: INVALID_IDENTITY
exitCode=700

We're using CAM authentication against a Cognos BI 10.1.1 server running on another machine. This works perfectly so far, except for this tool. I've tried both passing the -pwd parameter as well as passing .dat files created by the TM1Crypt.exe tool before.

TM1 version is 10.2 with FP1. The Cognos BI is version 10.1.1, still with FP 1.

I guess the error is not within TM1, but rather within the Cognos BI server, at least the Java error stack may be understood in that way (see stack trace at the bottom of this post).

So have you ever successfully used this tool with CAM security? Which product versions were involved? Do you have sample command lines that definitely worked for you?

Thank you very much!
foogy.

Code:

'com.ibm.cognos.fpmsvc.exception.FPMSVCException: Ungültige Identitätszeichenfolge. :INVALID_IDENTITY'
 WHILE [CCLMsg: system text='INVALID_IDENTITY']com.ibm.cognos.pmpsvc.service.api.ServiceCredentialException (root org.apache.axis.AxisFault): 
'com.ibm.cognos.fpmsvc.exception.FPMSVCException: Ungültige Identitätszeichenfolge. :INVALID_IDENTITY'
 WHILE [CCLMsg: system text='INVALID_IDENTITY']
	at com.ibm.cognos.pmpsvc.service.impl.PlanningService.checkForSessionException(PlanningService.java:700)
	at com.ibm.cognos.pmpsvc.service.impl.PlanningService.logonService(PlanningService.java:245)
	at com.ibm.cognos.pmpsvc.ApplicationMaintenance.doLogon(ApplicationMaintenance.java:989)
	at com.ibm.cognos.pmpsvc.ApplicationMaintenance.execute(ApplicationMaintenance.java:888)
	at com.ibm.cognos.pmpsvc.ApplicationMaintenance.main(ApplicationMaintenance.java:190)
Caused by: com.ibm.cognos.fpmsvc.exception.FPMSVCException: Ungültige Identitätszeichenfolge. :INVALID_IDENTITY
	at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:222)
	at org.apache.axis.message.SOAPFaultBuilder.endElement(SOAPFaultBuilder.java:129)
	at org.apache.axis.encoding.DeserializationContext.endElement(DeserializationContext.java:1087)
	at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source)
	at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanEndElement(Unknown Source)
	at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
	at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
	at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
	at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
	at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
	at org.apache.xerces.jaxp.SAXParserImpl.parse(Unknown Source)
	at org.apache.axis.encoding.DeserializationContext.parse(DeserializationContext.java:227)
	at org.apache.axis.SOAPPart.getAsSOAPEnvelope(SOAPPart.java:698)
	at org.apache.axis.Message.getSOAPEnvelope(Message.java:435)
	at org.apache.axis.handlers.soap.MustUnderstandChecker.invoke(MustUnderstandChecker.java:62)
	at org.apache.axis.client.AxisClient.invoke(AxisClient.java:206)
	at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
	at org.apache.axis.client.Call.invoke(Call.java:2767)
	at org.apache.axis.client.Call.invoke(Call.java:2443)
	at org.apache.axis.client.Call.invoke(Call.java:2366)
	at org.apache.axis.client.Call.invoke(Call.java:1812)
	at com.ibm.cognos.fpmsvc.api.FPMServiceSoapBindingStub.logon(FPMServiceSoapBindingStub.java:1461)
	at com.ibm.cognos.pmpsvc.service.impl.PlanningService.logonService(PlanningService.java:239)
	... 3 more
foogy
Posts: 37
Joined: Fri Nov 16, 2012 5:44 pm
OLAP Product: TM1
Version: 10.2.2 FP6
Excel Version: 2016
Location: Germany

Re: app_maintenance.bat with CAM Security fails

Post by foogy »

I think I found the reason for the error message. So if ever someone runs into that, you may have a look at your Authentication modes of your cgi-bin application in IIS.
We're using Cognos BI attached to an Active Directory and configured Single Sign On (using the "IdentityMapping" parameter value in Cognos Configuration). TM1 is configured with authentication mode 5 (CAM) against this BI installation.

In our case, the "Anonymous" authentication mode has been disabled and only "Windows Authentication" was enabled.
Activating "Anonymous" mode and restarting the IIS did the trick.

Sounds clear when thinking twice, because the Java-based command line tool "app_maintenance.bat" will of course NOT use Windows integrated authentication due to its nature (in contrast e.g. to Internet Explorer as client for Cognos BI portal).

See attachment for screenshot of corrected settings. Now I will automate some tasks in context of TM1 Applications :-)

Rgrds,
foogy
Attachment: authentication.png (20.75 KiB)
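A way to read the two IIS authentication modes described in this post without opening IIS Manager, as an added example that is not part of the original post. The location `Default Web Site/ibmcognos/cgi-bin` and both function names are assumptions; adjust the path to the gateway application on your server.

```powershell
# Added example (not from the thread). Needs the WebAdministration module on
# the IIS host. The default location below is an assumed path.
Import-Module WebAdministration

function Get-GatewayAuthModes {
    param([string]$Location = 'Default Web Site/ibmcognos/cgi-bin')  # assumption

    $base  = 'system.webServer/security/authentication'
    $state = [ordered]@{ Location = $Location }
    foreach ($mode in 'anonymousAuthentication', 'windowsAuthentication') {
        # Effective setting for this location, including inherited values
        $attr = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
            -Filter "$base/$mode" -Name 'enabled'
        $state[$mode] = [bool]$attr.Value
    }
    [pscustomobject]$state
}

function Get-GatewayAuthFinding {
    param([Parameter(Mandatory)]$Modes)

    $anon = $Modes.anonymousAuthentication
    $win  = $Modes.windowsAuthentication
    if ($win -and -not $anon) {
        # The situation in the post before the change
        'Windows only: clients that cannot do integrated authentication, such as app_maintenance.bat, are stopped at logon.'
    } elseif ($anon -and $win) {
        # IIS answers anonymously when it is allowed to, so no Windows
        # identity is negotiated for those requests.
        'Both enabled: requests are served anonymously first; review who can reach the gateway.'
    } elseif ($anon) {
        'Anonymous only: IIS passes every request to the gateway without an authenticated user.'
    } else {
        'Neither enabled: IIS rejects every request to this location.'
    }
}

$modes = Get-GatewayAuthModes
$modes
Get-GatewayAuthFinding -Modes $modes
```

Run it in an elevated PowerShell session on the IIS host, before and after changing the setting, to record what was actually in effect.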
ykud
MVP
Posts: 148
Joined: Sat Jan 10, 2009 10:52 am

Re: app_maintenance.bat with CAM Security fails

Post by ykud »

foogy wrote: In our case, the "Anonymous" authentication mode has been disabled and only "Windows Authentication" was enabled.
Activating "Anonymous" mode and restarting the IIS did the trick.

Hi foogy!

Sorry for kicking the dust on this one, but it's a very interesting topic )
Enabling Anonymous on IIS disables SSO, how did you manage to work around this?

I opened an APAR about this a while ago:
https://www-304.ibm.com/support/entdocv ... wg1PI11160
without any workable resolution, so I'd be really interested to hear more )
ykud
MVP
Posts: 148
Joined: Sat Jan 10, 2009 10:52 am

Re: app_maintenance.bat with CAM Security fails

Post by ykud »

foogy
Posts: 37
Joined: Fri Nov 16, 2012 5:44 pm
OLAP Product: TM1
Version: 10.2.2 FP6
Excel Version: 2016
Location: Germany

Re: app_maintenance.bat with CAM Security fails

Post by foogy »

Dear Yuri,

I did not find the time yet to review your blog post so far, but now I did. The workaround is quite pragmatic, yet kind of brilliant - while IBM insists on its "as designed" argument.
As soon as I find the time I will try to apply this workaround for our solutions as well because I'm really frustrated by these manual update steps on each change of the approval hierarchy. We put so much effort in automating everything here, but this final step then is simply not possible... great job IBM!

Did you have any problems so far in repeatedly starting an IE instance via VBScript and logging on in order to extract the Cookie?

However, great contribution and very helpful for all TM1 developers. Thanks for sharing.

Kind regards,
foogy
ykud
MVP
Posts: 148
Joined: Sat Jan 10, 2009 10:52 am

Re: app_maintenance.bat with CAM Security fails

Post by ykud »

foogy wrote: Did you have any problems so far in repeatedly starting an IE instance via VBScript and logging on in order to extract the Cookie?

Not really, I must say. We have it running for the past month on 7 10.2 FP1 servers and 1 10.2.2 server (where it daily reloads a 4000+ elements hierarchy) without any issues (knocking on the wood).

10.2.2 has another approval hierarchy bug, complicating this solution even more, but still the IE logon works without issues.

Happy to help, let me know if you'd need a hand along the way.
tommivi
Posts: 1
Joined: Fri Jul 05, 2013 4:43 am
OLAP Product: TM1
Version: 10.1.1
Excel Version: 2013

Re: app_maintenance.bat with CAM Security fails

Post by tommivi »

ykud wrote: IBM official response to such errors
https://www-304.ibm.com/support/entdocv ... wg1PI11160
My workaround for this
http://ykud.com/blog/cognos/tm1-cognos/ ... nglesignon

Thanks for your workaround. It inspired me to push it a little further. That is, the cam_passport value keeps changing during the day (at least in one of our customer environments) so we cannot automate the application maintenance script as it breaks down when the cam_passport value expires.

So we need a way to automatically fetch the most recent cam_passport value when calling the app_maintenance.bat. Here is how to accomplish that:

http://greenydangerous.com/2015/01/27/t ... challenge/
--
greenydangerous.com
ykud
MVP
Posts: 148
Joined: Sat Jan 10, 2009 10:52 am

Re: app_maintenance.bat with CAM Security fails

Post by ykud »

tommivi wrote: Thanks for your workaround. It inspired me to push it a little further. That is, the cam_passport value keeps changing during the day (at least in one of our customer environments) so we cannot automate the application maintenance script as it breaks down when the cam_passport value expires.

Hm, that's exactly the reason we use the VBS to acquire a new CAM passport every time we call app_maintenance.bat.
This VBS is basically a substitute for app_maintenance calls, it just incorporates:
* logging on as a user
* grabbing CAM passport
* passing CAM passport to app_maintenance
* logging off

You could use your PowerShell in the same way instead of trying to beat the Cognos BI cookie refresh interval (which can change ;) ) by refreshing and storing CAM passports.
RobMc
Posts: 2
Joined: Thu Sep 26, 2013 10:37 am
OLAP Product: TM1
Version: 10.2.2
Excel Version: 2013

Re: app_maintenance.bat with CAM Security fails

Post by RobMc »

Thanks ykud + tommivi - your combined solution for this problem works beautifully and has saved me a lot of heartache!

Regards,

Rob
tiagoblauth
Posts: 20
Joined: Wed Jul 08, 2015 11:50 am
OLAP Product: TM1, Cognos BI
Version: 10.2.1
Excel Version: 2010

Re: app_maintenance.bat with CAM Security fails

Post by tiagoblauth »

Hi all, I solved it in a different way, by using -CAMNamespace {authentication domain}.
You also need to be in the app_maintenance.bat folder when you run it.
foogy
Posts: 37
Joined: Fri Nov 16, 2012 5:44 pm
OLAP Product: TM1
Version: 10.2.2 FP6
Excel Version: 2016
Location: Germany

Re: app_maintenance.bat with CAM Security fails

Post by foogy »

tiagoblauth wrote: Hi all, I solved it in a different way, by using -CAMNamespace {authentication domain}.
You also need to be in the app_maintenance.bat folder when you run it.

Dear tiagoblauth,
Would you mind posting some command line examples? This would be extremely helpful for all others being confronted with that issue.
Thanks.
tiagoblauth
Posts: 20
Joined: Wed Jul 08, 2015 11:50 am
OLAP Product: TM1, Cognos BI
Version: 10.2.1
Excel Version: 2010

Re: app_maintenance.bat with CAM Security fails

Post by tiagoblauth »

Sure I can....

{install folder}\webapps\pmpsvc\WEB-INF\tools\app_maintenance.bat -serviceUrl {server:port} -username {username} -userpwd {password} -CAMNamespace {CAM Namespace} -applicationid {91312-2234-2342} -op refreshrights;

Example of CAM Namespace: CognosExpress
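A scheduled-task wrapper around the command line in this post, as an added example that is not part of the original post. It uses only the flags shown above; the function name, its parameters and the success check on the exit code are assumptions, and every path, URL and id is supplied by the caller.

```powershell
# Added example, not code from the thread. Only the flags come from the post
# above; every path, URL and id is a caller-supplied placeholder.
function Invoke-AppMaintenanceRefresh {
    param(
        [Parameter(Mandatory)][string]$ToolsDir,      # {install folder}\webapps\pmpsvc\WEB-INF\tools
        [Parameter(Mandatory)][string]$ServiceUrl,    # {server:port}
        [Parameter(Mandatory)][string]$CamNamespace,  # e.g. CognosExpress
        [Parameter(Mandatory)][string]$ApplicationId,
        [Parameter(Mandatory)][pscredential]$Credential
    )

    $bat = Join-Path $ToolsDir 'app_maintenance.bat'
    if (-not (Test-Path -LiteralPath $bat)) {
        throw "app_maintenance.bat not found in $ToolsDir"
    }

    # -userpwd puts the password on the process command line for as long as
    # the tool runs. Building it here from a PSCredential at least keeps it
    # out of the script file and the scheduled task definition.
    $toolArgs = @(
        '-serviceUrl',    $ServiceUrl
        '-username',      $Credential.UserName
        '-userpwd',       $Credential.GetNetworkCredential().Password
        '-CAMNamespace',  $CamNamespace
        '-applicationid', $ApplicationId
        '-op',            'refreshrights'
    )

    Push-Location -LiteralPath $ToolsDir   # run from the tool's own folder, as the post advises
    try {
        $output = & $bat @toolArgs 2>&1 | Out-String
        $exit   = $LASTEXITCODE
    } finally {
        Pop-Location
    }

    # Assumption: a non-zero exit code means failure. INVALID_IDENTITY is the
    # logon error quoted at the top of this thread.
    [pscustomobject]@{
        ExitCode        = $exit
        InvalidIdentity = $output -match 'INVALID_IDENTITY'
        Succeeded       = ($exit -eq 0) -and ($output -notmatch 'INVALID_IDENTITY')
        Output          = $output
    }
}
```

For unattended runs the credential can be loaded with `Import-Clixml` from a file written once by the service account with `Get-Credential | Export-Clixml`, which on Windows encrypts the password for that user on that machine. Passwords containing cmd.exe metacharacters may need testing, since the arguments pass through a batch file.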
foogy
Posts: 37
Joined: Fri Nov 16, 2012 5:44 pm
OLAP Product: TM1
Version: 10.2.2 FP6
Excel Version: 2016
Location: Germany

Re: app_maintenance.bat with CAM Security fails

Post by foogy »

Thanks for sharing!!
ub14
Posts: 25
Joined: Mon Aug 24, 2009 11:13 am
OLAP Product: TM1
Version: 10.2
Excel Version: 2010

Re: app_maintenance.bat with CAM Security fails

Post by ub14 »

Can we use app_maintenance utility in TM1 Linux environment also? Is this only for Windows Version?
Thanks & Regards
vsu