Posts

Configure LBI for ADFS

When you configure LSF for ADFS, you will need to make some changes to your LBI configuration so that users will be able to access LBI with the userPrincipalName (username@company.com).

The first thing you need to do is ensure that you have a user in Lawson security where RMID = SSOP = UPN (userPrincipalName).  The RM User that is used to search LSF for LBI users must have an account where RMID and SSOP match.  It is recommended that you have a new AD user created for this purpose (such as lbirmadmin).

Add the new user to Lawson, ensuring that their ID and SSOP values both use the UPN (lbirmadmin@company.com). Also make sure the new user is in the appropriate LBI groups for LBI access.

The next change will take place in the sysconfig.xml file located in <LBI install directory>/FrameworkServices/conf.  The ssoRMUserid should be the UPN of your LBI user mentioned above.  After you make these changes, restart the application server, clear the IOS cache in Lawson, and try logging into LBI.

5 ways to properly secure new technology

Database errors and security breaches have increased significantly in recent years. With data migration, vulnerability to error and hacking is a great risk. “We have seen a large number of breaches and failures due to human error,” says Robert Reeves, Co-founder and CTO of Datical. Often, people rely too much on “technology” and underestimate the room for error, but mistakes can still be made. Reeves emphasizes the need to automate security and system standards to eliminate (or significantly decrease) human error. Below are five recommendations on how to ensure that new technologies and systems are properly automated and secured:

How to Reduce ERP Security Risks

Due to the massive amounts of valuable data stored in their systems, enterprise resource planning (ERP) systems are a huge target for attackers. But thanks to technology, most ERP systems are prepared for these attacks. There are a few things, however, that you can do to help prevent hackers as well. Sean Michael Kerner, senior editor at eWEEK, and Onapsis CTO JP Perez-Etchegoyen share what’s behind ERP breaches and provide additional insight. When looking at ERP breaches, there are two things to consider: how the attacker got in and what they do once they have access. According to Perez-Etchegoyen, most people will not notice an ERP breach after an attacker has already gained access. Below are a number of things that organizations can and should do to limit the risk of attacks and improve ERP security:

  • Basic hygiene – find and fix vulnerabilities through patching or configuration changes
  • Define secure configurations
  • Repeatable processes – automate best practices for ERP updates
  • Manage and monitor the environment

These basic maintenance steps for your ERP systems could reduce the risk of being targeted by attackers, securing your data with more peace of mind.


What is ADFS?

There has been a lot of confusion in the Infor client community lately over what ADFS is and what the impact of implementing it will be on the organization as a whole.
Active Directory Federation Services (ADFS) is a Microsoft solution created to facilitate Single Sign-On. It provides users with authenticated access to applications like Lawson without the need to provide the password information to the application.
ADFS manages user authentication through a service hosted between the active directory and the target application. It grants access to application users by using Federated trust. The users can then authenticate their identity through Single Sign-On without having to do so on the application itself. The authentication process is usually as follows:
1) The user navigates to the Lawson URL
2) The unauthenticated user is re-directed to the ADFS service
3) The user signs into ADFS
4) ADFS service authenticates the user via the Active Directory
5) The user is then given an authentication claim (in the form of a cookie) by the ADFS
6) The user is forwarded to the Lawson application with the claim which either grants or denies access based on the federated trust service
Note: The Lawson Server never sees the password information, which, in the case of external applications (like a cloud implementation), is a lot more secure.
 
What are some drawbacks of implementing ADFS?
 
Although ADFS is a new requirement, it comes with a few small drawbacks that you should consider:
– The additional server license and maintenance – You will need an additional server (likely one per environment) to host ADFS
– ADFS is actually somewhat complex and this new skill set can create a new challenge for smaller clients who aren’t already using ADFS for other applications
– A standard ADFS installation is not all that secure and several steps should be taken to ensure good security. Microsoft provides these best practices recommendations: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs
There is also a great free e-book published by Microsoft about claims-based identity and access control: https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff423674(v=pandp.10)
To find out more about ADFS and how it can impact your organization, join our webinars or contact us.

BlackBerry becomes a HIMSS Analytics certified consultant on infrastructure

The once widely popular smart business phone maker is still around, and will become a valuable asset to hospital infrastructures. BlackBerry has signed on as a HIMSS Analytics Certified Consultant and will help direct healthcare organizations through the HIMSS Infrastructure Adoption Model (INFRAM). INFRAM is an eight-stage model (0 – 7) that allows healthcare IT leaders to map the technology infrastructure capabilities needed to reach their organization’s clinical and operational goals, while also meeting benchmarks and industry standards. Sara Jost, global healthcare industry lead at BlackBerry, says that “BlackBerry will assess vulnerabilities in a hospital’s infrastructure, devices, and configurations, using a wide range of penetration testing, social engineering techniques, and physical security assessments.” Even though BlackBerry has been less relevant in the mobile phone market, the company’s cyber security is still very strong and in demand. HIMSS Analytics Executive Vice President Blain Newton says, “With BlackBerry’s deep cybersecurity expertise and footprint in highly regulated industries we’re confident that having BlackBerry at the table will ensure the INFRAM is the gold standard for running a scalable and secure organization.”


Infor Achieves FedRAMP Authorization

After rigorous review, Infor Public Sector has officially received the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB) Provisional – Authority to Operate (P-ATO) status. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. With Infor on board, the company can now offer Infor Government SaaS (IGS) cloud-based solutions that include Infor Enterprise Asset Management (EAM) applications to U.S. federal agencies. Wayne Bobby, vice president, Infor Federal, states, “This is a milestone Infor is proud to reach, but as a company we are still committed to innovating and developing cloud technology that can evolve to address simple migration paths, elevated user experiences, continuous process improvements on a resilient platform, and a SaaS solution architected for the Internet.”

 


Certificate chaining error

During an LSF outage, we checked the latest logs and saw security_authen.log was updated. It showed a number of errors that a certificate was not trusted. We checked the trusted certificates and saw that the certificate and related certificates were all trusted. So why was the error returned?

Scroll further down the log list to ladb.log. You may see that there is a GEN failed message. Verify that the GEN database really is available by connecting to it directly with a database utility like SQL Studio. Then verify that the GEN database connection info is correct in LAWDIR\gen\MICROSOFT. If you are using SERVICENAME to look up the password, you may want to test commenting out the service name and including the id/password in the file, and then secure the file. Restart the server and test the portal.

 

SECURITY_AUTHEN.LOG

Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=PKIROOT-01-CA is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
    at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)
    at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:199)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:278)
    at com.ibm.jsse2.util.f.a(f.java:14)
    … 68 more
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
    at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:316)
    at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108)
    … 71 more

 

LADB.LOG
DBDataAreaFactory_1 Create of kind “GEN” failed.
java.lang.UnsatisfiedLinkError: com/lawson/rdtech/db/api/DBJni.jniTsDBConnect(I)Ljava/lang/Integer;
DBDataAreaFactory_1 Create of kind “GEN” failed.
java.lang.UnsatisfiedLinkError: com/lawson/rdtech/db/api/DBJni.jniTsDBConnect(I)Ljava/lang/Integer;

 

MICROSOFT
#LAWGATENAME=msfdb2000
DBSERVER=lawdbserver
DBNAME=LAWGEN
#SERVICENAME=DBGEN
LOGINNAME=lawson
PASSWORD=lkaj7fde#%&hdsw
SCHEMA=dbo
FILEGROUPS=FALSE
#DEBUG=TRUE
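
The triage order described in this post can be scripted. The sketch below is an added example, not Lawson or Infor code: the finding codes and function names are hypothetical, and the log and file samples are constructed from the excerpts above.

```python
import re

# Constructed samples modelled on the excerpts in this post (not real logs or credentials).
AUTHEN_LOG = "Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error\n"
LADB_LOG = "DBDataAreaFactory_1 Create of kind “GEN” failed.\n"
DB_FILE = """#LAWGATENAME=msfdb2000
DBSERVER=lawdbserver
DBNAME=LAWGEN
#SERVICENAME=DBGEN
LOGINNAME=lawson
PASSWORD=constructed-placeholder
SCHEMA=dbo
"""

def parse_db_file(text):
    """Return the active KEY=VALUE settings; lines starting with '#' are commented out."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        active[key.strip().upper()] = value.strip()
    return active

def triage(authen_log, ladb_log, db_file):
    """Return finding codes (hypothetical names) for the outage pattern described above."""
    findings = []
    gen_failed = re.search(r'Create of kind\s+["“]GEN["”]\s+failed', ladb_log) is not None
    cert_error = "CertPathValidatorException" in authen_log
    if gen_failed:
        findings.append("GEN_CONNECT_FAILED")
    if cert_error:
        # In this post's case the trust store was fine and the GEN failure was the cause.
        findings.append("CHECK_GEN_BEFORE_CERTS" if gen_failed else "CERT_ERROR_ONLY")
    cfg = parse_db_file(db_file)
    findings += [f"MISSING_{k}" for k in ("DBSERVER", "DBNAME") if not cfg.get(k)]
    has_login = bool(cfg.get("LOGINNAME") and cfg.get("PASSWORD"))
    if not cfg.get("SERVICENAME") and not has_login:
        findings.append("NO_CREDENTIAL_SOURCE")
    if cfg.get("PASSWORD"):
        # Cleartext credential on disk: restrict who can read the file.
        findings.append("PLAINTEXT_PASSWORD_IN_FILE")
    return findings

if __name__ == "__main__":
    print(triage(AUTHEN_LOG, LADB_LOG, DB_FILE))
```
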

 


Nogalis Soars at the 15th Annual West Coast Mega Conference

Kicking off 2018, the Lawson user group community held its first event, the 15th Annual West Coast Mega Conference. Bringing together the Pacific Lawson User Group (PLUG), Southern California, Arizona, Nevada Lawson User Group (SCANLUG), and Northern California User Group (INCLU), 19 vendors and over 100 attendees gathered at the Pacific Life building in Newport Beach, California for a 2-day conference on January 23rd and 24th. Attendees chose from over 60 educational sessions covering topics from upgrading to the latest Lawson version, to migrating from on premise to the cloud. Nogalis hosted 2 sessions (Payroll Automation – How we pay 100,000 employees weekly using IPA with no user interaction & How Several Lawson Clients have cut Operational Costs by 35%) with almost 40 attendees, among the largest turnouts of any vendor session.

In recent years, Nogalis introduced their new security product, LSFIQ. The 2018 West Coast User Conference was the first for attendees to see the latest version of LSFIQ. People who visited the booth were given quick demos of the product, and those interested were signed up for a free version to test out. In return, they would be entered in a drawing for a chance to win a bitcoin wallet valued at over $100. And just for visiting the booth, attendees were given phone hook clips branded with the Nogalis logo to attach to their mobile phones as a handy phone stand and holder. The bitcoin wallet gathered interest; however, the grand prize was the talk of the event. Those who attended either of the Nogalis sessions were automatically entered in a drawing for a chance to win a FREE helicopter ride from local flight school, Revolution Aviation. The ride would include an introductory lesson, a 40 minute – 1 hour tour of Orange and Los Angeles County, and an opportunity to take control of the aircraft in the pilot’s seat! With many of the attendees being Southern California residents, there was no doubt they wanted to get their hands on this amazing experience.

As gold sponsors once again, Nogalis hosted the evening event at the Marriott hotel, where attendees and vendors enjoyed great food, played casino games, networked with one another, and won raffle prizes.

How can I turn off security in Landmark?

Enabling or disabling security can be done in Authorization Activation through Security System Management. This can be accessed from the Landmark validation URLs or from within the rich client. The validation page can typically be found at D:\LMKDEV\gen_ValidationURLs.htm where D:\LMKDEV is the Landmark installation folder. Opening the htm in a web browser will list the link for Security System Management.

http://landmark.domain.com/SecuritySystemManagement/page/SecuritySystemManagement?csk.gen=true

From the Security System Management screen, select Authorization Activation in the upper right of the menu. It will return a list of productlines.  Double clicking a productline (or Actions – Open from the menu) will return the Security Activation screen.  The screen shows Security Status as a parameter with values to allow All Access, No Access, Process Rules.  Select All Access to turn off the security rules and save the change.  Select Process Rules to again enable security restrictions.

 

Batch Error

When Lawson batch jobs are not running, they return the following error:

--------------------------------------------------------------------------------
User: lawson Job: C Queue: **********
--------------------------------------------------------------------------------
BEGIN: Job Submitted: Wed Dec 6 11:30:01 2017
Step 1: CU201 Started. . . . . .: Wed Dec 6 11:30:01 2017
Token Command. . . . . .: D:\lsfprod\law\prod\obj\CU201.gnt
Executable Command . . .: D:\COBOL\bin64\run.exe D:\lsfprod\law\prod\obj\CU201.gnt prod NT00000002 C 1
Process ID . . . . . . .: 11996
Running as Account . . .: \lawson
Program Messages:
Load error : file ‘lacobrts.dll’
error code: 173, pc=0, call=1, seg=0
173 Called program file not found in drive/directory
Elapsed Time . . . . . .: 00:00:00
ERROR: Stopped On Exit 32. Elapsed Time: 00:00:01
END: Job Ended: Wed Dec 6 11:30:02 2017

The error message from the job log indicated a problem with lacobrts.dll.  The actual problem was related to the local security policy.  This error was resolved by reviewing the setup for the lawbatch id.  The LSF system in this example had a secured ldapbind.  The domain lawbatch id should be added to the Local Security Policy under User Rights Assignment for “Log on as a batch job” and “Allow log on locally.”
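
One way to confirm the two user rights without opening the Local Security Policy console is to export them with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and check the `[Privilege Rights]` section. The script below is an added example, not part of the original post or of Lawson: the SID and the export sample are constructed, and the function names are hypothetical.

```python
# Constructed SID standing in for the domain lawbatch id (assumption, not from the post).
LAWBATCH_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

# Constructed sample of a secedit USER_RIGHTS export. A real export is normally
# UTF-16 encoded, so read it with open(path, encoding="utf-16").
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*{LAWBATCH_SID}
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Privilege constants for the two policies named in the post.
REQUIRED = {
    "SeBatchLogonRight": "Log on as a batch job",
    "SeInteractiveLogonRight": "Allow log on locally",
}

def parse_privilege_rights(inf_text):
    """Map each right in [Privilege Rights] to its set of lowercased SIDs or names."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, members = line.partition("=")
            # SIDs are exported with a leading '*'; unresolved names appear without it.
            rights[name.strip()] = {
                m.strip().lstrip("*").lower() for m in members.split(",") if m.strip()
            }
    return rights

def missing_rights(inf_text, principals):
    """Return the policy labels not granted directly to any of the given SIDs or names.

    Rights inherited through group membership are not resolved here; pass the
    group's SID as well if the batch id is granted the right via a group.
    """
    rights = parse_privilege_rights(inf_text)
    wanted = {p.lower() for p in principals}
    return [label for const, label in REQUIRED.items()
            if not rights.get(const, set()) & wanted]

if __name__ == "__main__":
    print(missing_rights(SAMPLE_INF, [LAWBATCH_SID, r"DOMAIN\lawbatch"]))
```
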