Configure LBI for ADFS

When you configure LSF for ADFS, you will need to make some changes to your LBI configuration so that users will be able to access LBI with the userPrincipalName (

The first thing you need to do is ensure that you have a user in Lawson security where RMID = SSOP = UPN (userPrincipalName).  The RM User that is used to search LSF for LBI users must have an account where RMID and SSOP match.  It is recommended that you have a new AD user created for this purpose (such as lbirmadmin).

Add the new user to Lawson, ensuring that their ID and SSOP values both use UPN.  (  Also make sure the new user is in the appropriate LBI groups for LBI access.

The next change will take place in the sysconfig.xml file located in <LBI install directory>/FrameworkServices/conf.  The ssoRMUserid should be the UPN of your LBI user mentioned above.  After you make these changes, restart the application server, clear the IOS cache in Lawson, and try logging into LBI.

Installing DSP for Authentication Against LSF

You may find the need to install or update DSP for your SSO applications, such as LBI or MSCM.  DSP allows these external web application to authenticate against Lawson for Single Sign-On.

Information you will need:

  • The password for ssoconfig
  • The passkey used to install your current DSP version (if applicable)
  • FQDN’s for your LSF server and the server that hosts the application for which you are installing DSP
  • Credentials for an admin account (usually lawson)


First, download the latest DSP jar file from InforXtreme.

It is best practice to back up your ldap instance before you begin the install.

On the server of the SSO application, open a command prompt as administrator.  Navigate to the directory where you saved the DSP install file.

Type command java -jar <DSP file>.jar.  This will open the install wizard.

Enter a new configuration passkey.  NOTE that if you are updating an installed DSP, you will need to know what passkey was used to install it.


Give your DSP instance a meaningful name


Set the location where you want the install files saved, and set the java location.


Mingle DSP install is a different process not addressed in this article.


Provide the FQDN of your LSF server.  The standard and secure ports can be found in your LSF install log.  Enter the password that you use to run ssoconfig.


Enter account information with administrative privileges in Lawson


Enter the appropriate values for the server that hosts your SSO application


Click Install


Update the JVM custom properties with the new install information (if necessary)


Install or update your security application in WebSphere.  The install file lawsec.ear can be found in <DSP install directory/jar/secondary


Run a smoke test against the new DSP install at http://<application base url>:<port>/sso/SSOConfig

IPA – LSF Server Configuration Recommendations from Infor

Infor Process Automation should be configured correctly to ensure proper functioning of other Lawson System Applications. Here are the official best practice IPA-LSF Server Configuration recommendations directly from Infor. (KB 1946828)

Recommended Configurations

  1. JT-973173

    This JT resolves a memory leak issue in the Event Manager Java Process. Not having this JT means the Event Manager Java Process will slowly grow in size and if left unchecked, can consume all RAM and even crash the LSF Server.

  2. Remove lpsMaxHeap=XXXXX and lpsMinHeap=XXXXX from LAWDIR/system/

    These settings are only required when using JNI.

  3. Set useLPSBridgeSocket=true in LAWDIR/system/

    NOTE: The use of the LPS Bridge Socket connection means LSF batch/online programs will no longer initialize a JVM, it will simply make a socket connection to the Event Manager process to make the request.

  4. Set Windows pagefile on LSF server to 32 GB


Additional Recommendations for Infor Cloud Clients

  • Verify and ensure that
  • NOTE: If this setting is not pointed at the internal domain, a grid session memory leak can occur in Event Manager on the LSF server
  • NOTE: Changes to this file should be made by executing pfserv config lps and they require a restart of LSF Process Flow and LSF Web Application Servers.

Additional Recommendations for LSF on LINUX

  • Ensure LSF JT-875069 is applied to the LSF system
  • Add “useLPSLocalServices=true” to LAWDIR/system/
  • Follow KB 1936921 which has two process definitions files used for synchronizing services from IPA/Landmark to LSF
  • In the GEN data area of the Landmark Rich Client, navigate to ConfigurationParameter BusinessClass and add: Component=ipa, Name=useRMIWebServlet, Value=true
  • Configure LSF to look at IPA Services in the LOGAN database instead of connecting to IPA. This requires LSF JT-875069 which allows you to add “useLPSLocalServices=true” in This also requires the use of a ServiceSyncFlow to move the services from IPA to LSF. To implement this procedure, please follow instructions on KB 1936921.

Setting Up LSF Java User Permissions for IPA

When working with Infor Process Automation (IPA), code or programs can be executed remotely on the Lawson System Foundation Server through these four nodes:

  1. System Command Node
  2. File Access Node
  3. Resource Query Node
  4. Resource Update Node

These nodes work by making a connection (via RMI call) to a java.exe process running on the Lawson System Foundation Server. Therefore, it is vital that the process owner has the proper access to run these commands.

Follow the instructions below to configure your LSF system so these processes will be owned by a user that has the necessary access:

  1. Create two files (pfrmi.cfg and pfem.cfg) in %LAWDIR%/system directory. The next time the process flow is restarted, the java.exe process will refer to these files to specify which user will start the java.
  2. Both files should be identical and have just two lines each:
    line 1: LAWSONUID DOMAIN\accountname
    line 2: 

LAWSONUID DOMAIN should be replaced with your own domain and accountname should be replaced with your own account name. This is the user you are designating to run the java command. This user needs to have the proper access to run those commands. This domain/accountname combo needs to be a valid user defined in the LSF Environment Service Identity.

The second line needs to be a blank line. (Only if LSF system is running on Windows. No blank second line needed for UNIX)

line 1/line 2 are there to show you the line numbers. The actual words “line 1” and “line 2” should not be in the files.

Adding or Replacing Existing SSL CERTS Lawson (WINDOWS)

This is a PFX cert.

Start – This is being done on a Lawson LSF server.

  1. Drag the folder with the Cert onto the server you want to apply it to.
    1. Once you do that, make sure you check whether or not the server is running IIS. Typically by searching for IIS Manager or checking services.
  2. Double click the cert file that you dragged onto the server.
  3. Select Local machine:
  4. Specify the file you want to import (should default on the cert you just clicked to run) >> Next
  5. Enter the password for the cert and click next.
  6. Open command prompt as admin and type: start certlm.msc
  7. Under Personal >> Certificates, you should see the new cert you imported: The old one is below the one highlighted in red.
  8. Now go to IIS Manager, Sites >> select WebsiteName and then on right pane select bindings as shown below
  9. Select https binding and edit
  10. Select new cert and click ok
  11. Back in command prompt type: iisreset /restart
  12. Test and you’re done

When applying to Landmark server, we need to run the following commands below (Important to stop and start exactly as shown):

For Mingle in ISS Manager, we need to select the Sharepoint secure site and select bindings.

User sqlplus with Lawson (Tips and Tricks)

Most of customers have by now switched over to a Windows / SQL server environment, but we still have several customers who have stayed on Oracle for their Database needs. This mostly stems from having the Oracle skill set in-house as there is really no other advantage to staying on Oracle once you have moved over to Windows.

Often when there are troubles with connecting to the application, it is relevant to test the connection the database from the server itself. Of course there are several ways to do this, but test fastest way is to do so directly from the command prompt in LID as it doesn’t require any additional setup or software. But it is easy to forget how this is done so we decided to write this quick article to document this very simple syntax.
The utility we’re going to use is called sqlplus and it should already installed on your LSF application server. Simply login to the server using LID and on the command prompt type in the following command:
sqlplus <username>/<password>@dbserverName
If you have the correct username and password, and the server is responding, you will get a SQL> prompt on which you can run any query you want. Here’s an example:
However if you type in the incorrect username:
And finally, if you have the incorrect server name or the server is not responding, the prompt will be suspended for several seconds and you will see the following message:
A few small notes about using sqlplus:
  • Be sure to use a semicolon to end your statements. Otherwise the application doesn’t know when to run your query.
  • Make sure the environment variable %ORACLE_HOME% is set correctly. ($ORACLE_HOME on Unix):
  • To exit sqlplus user the “quit” command
  • The SQL buffer contains the last statement you ran, and you can run the previous query again by simply typing “RUN”  and hitting enter.
  • User the LIST command to see a list of your most recently executed SQL commands.
  • “HELP INDEX” shows a list of possible commands
  • To launch a sql script simply put the “@” symbol in front of the file name and execute it. like: @script.sql or even @/path/to/script.sql
  • You can have a multi-line sql statement.
  • The “SHOW USER” command prints the name of the Oracle user you’re logged in as
  • The “SHOW ALL” command prints all the current settings to the screen.

Certificate chaining error

During an LSF outage, we checked the latest logs and saw security_authen.log was updated. It showed a number of errors that a certificate was not trusted. We checked the trusted certificates and saw that the certificate and related certificates were all trusted. So why was the error returned?

Scroll further down the log list to ladb.log. You may see that there is a GEN failed message. Verify that the GEN database really is available by connecting to it directly with a database utility like SQL Studio. Then verify that the gen database connection info is correct in LAWDIR\gen\MICROSOFT. If you are using SERVICENAME to lookup the password, you may want to test commenting out the service name and including the id/password in the file and secure the file. Restart the server and test the portal.



Caused by: The certificate issued by CN=PKIROOT-01-CA is not trusted; internal cause is: Certificate chaining error





… 68 more

Caused by: Certificate chaining error



… 71 more


DBDataAreaFactory_1 Create of kind “GEN” failed.
java.lang.UnsatisfiedLinkError: com/lawson/rdtec
DBDataAreaFactory_1 Create of kind “GEN” com/lawson/rdtech/db/api/DBJni.jniTsDBConnect(I)Ljava/lang/Integer;





Nogalis Soars at the 15th Annual West Coast Mega Conference

Kicking off 2018, the Lawson user group community held its first event, the 15th Annual West Coast Mega Conference. Bringing together the Pacific Lawson User Group (PLUG), Southern California, Arizona, Nevada Lawson User Group (SCANLUG), and Northern California User Group (INCLU), 19 vendors and over 100 attendees gathered at the Pacific Life building in Newport Beach, California for a 2-day conference on January 23rd and 24th. Attendees chose from over 60 educational sessions covering topics from upgrading to the latest Lawson version, to migrating from on premise to the cloud. Nogalis hosted 2 sessions (Payroll Automation – How we pay 100,000 employees weekly using IPA with no user interaction & How Several Lawson Clients have cut Operational Costs by 35%) with almost 40 attendees, among the largest turnout of any other vendor session.

In recent years, Nogalis introduced their new security product, LSFIQ . The 2018 West Coast User Conference was the first for attendees to see the latest version of LSFIQ. People who visited the booth were given quick demos of the product, signing those interested up for a free version to test out. In return, they would be entered in a drawing for a chance to win a bitcoin wallet valued at over $100. And just for visiting the booth, attendees were given phone hook clips branded with the Nogalis logo to attach to their mobile phones as a handy phone stand and holder. The bitcoin wallet gathered interest; however, the grand prize was the talk of the event. Those who attended either of the Nogalis sessions were automatically entered in a drawing for a chance to win a FREE helicopter ride from local flight school, Revolution Aviation. The ride would include an introductory lesson, a 40 minute – 1 hour tour of Orange and Los Angeles County, and an opportunity to take control of the aircraft in the pilot’s seat! With many of the attendees being Southern California residents, there was no doubt they wanted to get their hands on this amazing experience.

As gold sponsors once again, Nogalis hosted the evening  event at the Marriott hotel, where attendees and vendors enjoyed great food, played casino games, networked with one another, and won raffle prizes.

Batch Error

When Lawson batch jobs are not running, they return the following error:


User: lawson Job: C Queue: **********


BEGIN: Job Submitted: Wed Dec 6 11:30:01 2017

Step 1: CU201 Started. . . . . .: Wed Dec 6 11:30:01 2017

Token Command. . . . . .: D:\lsfprod\law\prod\obj\CU201.gnt

Executable Command . . .: D:\COBOL\bin64\run.exe D:\lsfprod\law\prod\obj\CU201.gnt prod NT00000002 C 1 Process ID . . . . . . .: 11996

Running as Account . . .: \lawson

Program Messages:

Load error : file ‘lacobrts.dll’

error code: 173, pc=0, call=1, seg=0

173 Called program file not found in drive/directory

Elapsed Time . . . . . .: 00:00:00

ERROR: Stopped On Exit 32. Elapsed Time: 00:00:01

END: Job Ended: Wed Dec 6 11:30:02 2017 

The error message from the job log indicated a problem with lacobrts.dll.  The actual problem was related to the local security policy.  This error was resolved by reviewing the setup for the lawbatch id.  The LSF system in this example had a secured ldapbind.  The domain lawbatch id should be added to the Local Security Policy under User Rights Assignment for “Log on as a batch job” and “Allow log on locally.”

Security Violation

When applying a patch to the LSF environment, we saw Security Violation errors on environment utilities even though security was turned off.  In the below example, the error was returned from trying to run ldunivtkns (to load environment tokens) and also on envrelease (to show the environment version.)  This issue was resolved after contacting the network team to replicate file system permissions from an older Lawson server.  While it was not shared exactly which permissions were changed that were not already in place, once the new permissions were applied, the Security Violations were replaced in the logs with the appropriate responses from the commands.

Initial Error


Error Resolved


Environment Security Settings