Sometimes you may need to update your LDAP bind connection, such as when the domain controller you are bound to is decommissioned.

To update the LDAP bind connection,

First, figure out which service is using LDAP bind.  To do that, go to http(s)://<server>:<port>/ssoconfig/SSOCfgInfoServlet.  Make a note of the service name displayed on the page.

Next, log into ssoconfig and export that service:

Now, open the file you just exported.  Update the OVERRIDE attribute to “true”.  Update the “PROVIDER” element to the new server and port.

Next, upload your updated file into ssoconfig.  The syntax is ssoconfig -l <password> <full file path>

For example:

Ssoconfig data is stored in the security cache, so you will need to recycle your system for this change to take effect.

NOTE: If you need to change the credentials for the domain controller, this will be an extra process.  You will need to update the service associated with your LDAP bind.  This is most likely your SSOP_BIND service.  You can look under privileged identities in Lawson Security and check for a “DEFAULT” key associated with your LDAP bind user.  That is your LDAP bind service.

To update the credentials for this service, log into ssoconfig and select Manage privileged access to services > Change existing identity.  Enter the service that you noted above.  Enter the correct user DN.  Enter the password.

Recycle Lawson.

 

If you have a PR160 job that goes into recovery because your ACH path is not correct:

You can modify the exact PR160 job that is in recovery by dumping the job with the jobdump command in Lawson Interface Desktop (LID).

Example of command: jobdump -d -o Job -v UserName joesmoe jobdump.dmp

What to change: jobdump -d -o Job -v UserName <your_jobs_username> <enter_the_jobname>.dmp

Edit the dumped job file and change the ACH path ONLY and recover the job to see if it is resolved.

Load the job in report mode (to check for errors): jobload -o Job jobdump.dmp

Load the job in commit mode if it looks good: jobload -c -o Job jobdump.dmp

Problem:           

If your controller is failing and you need to move the LSF LDAP to another controller

Resolution:

Edit the ldapbind information in the SSOP service and reload it.

  1. Create a dump of the SSOP service:
  • ssoconfig -c
  • Option 5 Manage Lawson services
  • Option 6 Export service and identity info
  • Option 2 for not all services
  • Enter SSOP in upper case
  • Enter NONE in upper case
  • Give a filename (it will write out the file to the directory you are in when you run the ssoconfig -c command.) Example: ssop_prod.xml
  • Exit the ssoconfig menu.
  2. Make a copy of the .xml file that you just created. This is your backup of the SSOP service in its original state.
  3. Then edit the first .xml file and change the following lines:

<BATCH_LOAD FORMAT="" OVERRIDE="false">

to

<BATCH_LOAD FORMAT="" OVERRIDE="true">

and this line to the new machine name and port:

<PROVIDER>ldap://dc1.lawson.com:3268</PROVIDER>

to

<PROVIDER>ldap://dc2.lawson.com:3268</PROVIDER>

  4. Save the file.
  5. Do one of the following to load the modified SSOP service file:

ssoconfig -l ssoconfig_password filename.xml

Exit.

  6. A stop and start of the Lawson environment and WebSphere application server is required in order for this to take effect.
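The file edit from this procedure (and from the shorter version at the top of the page), as an added Python example that is not part of the original article or of Infor's tooling. The sample XML is constructed and holds only the two elements quoted above; the function name is an assumption.

```python
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample: only the elements quoted in this article.
# A real ssoconfig export contains more than this.
SAMPLE_EXPORT = """<BATCH_LOAD FORMAT="" OVERRIDE="false">
  <PROVIDER>ldap://dc1.lawson.com:3268</PROVIDER>
</BATCH_LOAD>
"""


def repoint_ldap_bind(export_path, old_provider, new_provider):
    """Set OVERRIDE="true" and swap old_provider for new_provider in an
    ssoconfig export, keeping a .orig backup. Returns elements changed."""
    url = urlparse(new_provider)
    if url.scheme not in ("ldap", "ldaps") or not url.hostname or url.port is None:
        raise ValueError(f"not an ldap(s)://host:port URL: {new_provider!r}")

    path = Path(export_path)
    tree = ET.parse(path)
    root = tree.getroot()
    if root.tag != "BATCH_LOAD":
        raise ValueError(f"unexpected root element <{root.tag}>")
    hits = [p for p in root.iter("PROVIDER") if (p.text or "").strip() == old_provider]
    if not hits:
        raise ValueError(f"no <PROVIDER> set to {old_provider}")

    backup = path.with_name(path.name + ".orig")
    if backup.exists():
        raise FileExistsError(f"refusing to overwrite existing backup {backup}")
    shutil.copy2(path, backup)          # original state, kept as the rollback copy

    root.set("OVERRIDE", "true")
    for p in hits:
        p.text = new_provider
    tree.write(path, encoding="utf-8", xml_declaration=True)
    return len(hits)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp) / "ssop_prod.xml"
        export.write_text(SAMPLE_EXPORT, encoding="utf-8")
        print(repoint_ldap_bind(export, "ldap://dc1.lawson.com:3268",
                                "ldap://dc2.lawson.com:3268"))
        print(export.read_text(encoding="utf-8"))
```

ElementTree rewrites the whole file, so diff the result against the .orig backup before loading it with ssoconfig -l.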

 

To suppress Receiving Delivery and Putaway (PO134) delivery tickets when MSCM Delivery Documents are all that is needed, disable the Back-Office PO Receiving (PO30) Receiving Delivery and Putaway (PO134) delivery ticket by removing the printer from PO Receiving (PO30), or create a dummy printer to stop the back-office delivery ticket from printing.

Removing the printer from PO Receiving (PO30) only works if the user does not have a default printer assigned to them. After being removed, the default printer will simply populate back in the field upon clicking change.

Additionally, an enhancement to PO Company Setup (PO01) was added which provides a flag called “Delivery and Putaway Ticket Print” which allows disabling the delivery ticket printing at the company level.

Installing LDAP certificate in AD LDS instance

  1. Identify the AD LDS service instance in Services
    • LSF
  2. Launch MMC (Microsoft Management Console)
  3. Choose File > Add/Remove Snap-In
  4. Add the certificates Snap-In
  5. Choose “Service” account and click “Next”
  6. Choose “Local Computer” and click “Next”
  7. Choose the Service Account for your AD LDS service and click “Finish”

  8. Right-click on the service that was added and select “All Tasks > Import”
  9. Click next and browse to the .pfx certificate file. Click “Next”
  10. Enter the private key password
  11. Place the certificate in the <AD LDS service>\Personal store
  12. Click Next then Finish

 

 

Export the certificate for Java OS & Java WebSphere

  1. Right click the certificate > All Tasks > Export and click Next
  2. Do not export the private key
  3. Choose Base-64 encoded X.509 (.cer) and click Next
  4. Choose a location to save the file for later use
  5. Click finish

Grant Permissions to Certificate Container

  1. Run command “certutil -store MY”
  2. Find the container with your AD LDS certificate using the thumbprint to identify it
  3. Give NETWORK SERVICE read & execute permissions on the key container file AND the key container directory (C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys)
  4. Stop the AD LDS environment service
  5. Restart the AD LDS service

Smoke Test

  1. Open the ldp.exe tool
  2. Type the server FQDN > SSL port and check the SSL box
  3. Click “OK”
  4. Successful connection to LDAPS
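A scripted complement to the ldp.exe smoke test, as an added Python example that is not part of the original article: it checks that the Base-64 .cer you exported and the certificate actually served on the LDAPS port both carry the thumbprint you identified with certutil. The sample certificate is a constructed placeholder and the function names are assumptions.

```python
import hashlib
import re
import ssl

# Constructed stand-in for the exported Base-64 .cer: PEM armor around
# placeholder bytes, not a real certificate (a thumbprint is SHA-1 of the DER).
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_CER = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def normalize_thumbprint(text):
    """Reduce a thumbprint value as shown by certutil or the certificate
    dialog ("ab cd ..", "AB:CD:..", stray invisible characters) to bare hex."""
    hex_only = re.sub(r"[^0-9A-Fa-f]", "", text).upper()
    if len(hex_only) != 40:
        raise ValueError(f"expected 40 hex digits (SHA-1), got {len(hex_only)}")
    return hex_only


def pem_thumbprint(pem_text):
    """SHA-1 over the DER encoding, the value Windows calls the thumbprint."""
    return hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem_text)).hexdigest().upper()


def check_ldaps_cert(expected_thumbprint, exported_cer_pem, served_pem):
    """Report whether the exported file and the certificate served on the
    LDAPS port both match the thumbprint taken from the certificate store."""
    expected = normalize_thumbprint(expected_thumbprint)
    return {
        "export_matches_store": pem_thumbprint(exported_cer_pem) == expected,
        "served_matches_store": pem_thumbprint(served_pem) == expected,
    }


def fetch_served_cert(host, port=636):
    """Fetch the leaf certificate the server presents, without validating it.
    Needs network access; chain validation is the job of the trust stores."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    # Stands in for the thumbprint copied from the certutil output.
    store_thumbprint = hashlib.sha1(SAMPLE_DER).hexdigest()
    print(check_ldaps_cert(store_thumbprint, SAMPLE_CER, SAMPLE_CER))
```

Against a live instance, read the exported .cer as text and pass fetch_served_cert("<your AD LDS host>") as the third argument.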

Update the LDAP Certificate in WebSphere

Cell Trust Store

  1. Access the WAS Admin Console and navigate to: Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates
  2. Click the Retrieve from port button.
  3. Host: <your AD LDS host>
  4. Port: 636
  5. Alias: give it a meaningful name
  6. Click Retrieve signer information.
  7. Click OK & save changes.

 

Node Trust Store

  1. Access the WAS Admin Console and navigate to: Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore (for the LSF server) > Signer certificates
  2. Click the Retrieve from port button.
  3. Host: <your AD LDS host>
  4. Port: 636
  5. Alias: give it a meaningful name
  6. Click Retrieve signer information.
  7. Click OK & save changes.

 

Perform these same steps in the Landmark WebSphere instance.

Update LDAP Certificate in OS Java

Do this in both Lawson and Landmark

  1. Open a command line and set environment variables
  2. Run command “where java” to determine where LAW_JAVA_HOME is located
  3. Back up <LAW_JAVA_HOME>/jre/lib/security/cacerts
  4. Copy the cert that you exported from the LSF service from the Lawson server to the Landmark server
    • This is the cert you will be importing into cacerts
  5. Run the ikeyman utility at WAS_HOME/bin
  6. Open the LAW_JAVA_HOME/jre/lib/security/cacerts file and select the Key database type of JKS
  7. Type password “changeit” (default)
  8. Select “Signer Certificates”
  9. Delete the existing certificate, then re-add it
  10. Click “add” and navigate to the ldap certificate exported earlier
  11. Give it a meaningful name

Update LDAP Certificate in WebSphere Java

  1. WebSphere Java directory is WAS_HOME/Java
  2. Back up files WAS_HOME/java/jre/lib/security/cacerts
  3. Perform the same steps as OS Java using iKeyman for both Java instances

 

Resolution 1:

One reason you could be receiving this error is because there is an additional patch.tar file from a previous or concurrent CTP install.

 

After running the tar command you should only have 3 files for this CTP in the <versionfiledir> that you uncompressed the CTP to.

Examine the extracted files to make sure you received the following three files:

– x.x.x_patch_CTPnumber.readme.html

– Versions

– patch.tar.Z

 

Remove any previous CTP files from this directory, especially any patch.tar files, and run the lawappinstall again.

 

Resolution 2:

If you are encountering this error on a Windows server it is possible that you have spaces in the folder names of the path to the versions dir.  You would receive the failed to uncompress message if this is true.

 

Use a “_” for the space, or use folders that do not contain a space in the name and run the lawappinstall again.

 

Resolution 3:

Make sure the user you are applying the patch with has the proper Windows file permissions to install the patch. This should be the entire LSF application directory.

Problem:           

The patch being installed is failing when running lawappinstall activate. It fails when running ujobload.

10/31/2023 5:44:25 Executing ujobdump.

10/31/2023 5:44:25 ujobdump execution successful.

10/31/2023 5:44:25 Executing ujobload.

10/31/2023 5:44:26 ERROR – ujobload failed.

ujobload via lawappinstall activate: *** No jobs found to load

When run manually, it fails with Segmentation Fault(coredump).

 

Resolution:     

lawappinstall update will stage tokens potentially needing a ujobdump/ujobload in LAWDIR/productline/backup/ACTIVATEstage/JOBconversion.

If conditions are correct, lawappinstall activate will run ujobdump and ujobload, then clean up the staged area.

  a. ujobdump -d $LAWDIR/productline/backup/ACTIVATEstage/JOBconversion productline $LAWDIR/productline/backup/ACTIVATEstage/JOBconversion.dmp -t <list of Tokens>

In the above, <list of Tokens> is a space-separated list of the tokens located in the $LAWDIR/productline/backup/ACTIVATEstage/JOBconversion/??src directories.

  b. ujobload -ou productline $LAWDIR/productline/backup/ACTIVATEstage/JOBconversion.dmp
  c. Remove the dump file, $LAWDIR/productline/backup/ACTIVATEstage/JOBconversion.dmp
  d. Remove the stage dir, $LAWDIR/productline/backup/ACTIVATEstage/JOBconversion

Run steps a through d manually, then rerun lawappinstall activate.   If the ujobload fails in step b with a Segmentation Fault(coredump) or other error, make sure the user running ujobload has write access to these files and their directories.

LAWDIR/UJobLoadDir/productline/Tokens

LAWDIR/productline/UJobLoadDir/LDLog

Make corrections if necessary, run steps b through d above, and rerun lawappinstall activate.

Problem:           

Sometimes, when running a CTP patch install preview (GENDIR/bin/lawappinstall preview <productline>), the program executes lasetup with the preview option and displays the following error:

ERROR – failed to uncompress “patch.tar.Z” file.

Installation YEAREND126174.preview of YEAREND126174 terminated abnormally (start = 12/20/2023 13:27:01, stop = 12/20/2023 13:27:01).

ERROR – lasetup execution unsuccessful.

lawappinstall PREVIEW YEAREND126174.preview installation completed unsuccessfully at 12/20/2023 13:27:01.

 

Resolution:     

Follow these simple steps to resolve the issue above.

  1. Backup the current LUU directory
  2. Create a new blank folder for LUU
  3. Update the pl program to LUU
  4. Run the following command:

perl LUUsetup.pl -c E:\LUU

  5. Finally, run the CTP preview again. There should be no more errors.

What do the Lawson Base Mingle Roles Control?

  • “Infor-SuiteUser” is the end-user role. This is the default role assigned to all users. Users with this role have access to the portal only. The portal is one of the components of the Infor Ming.le application. The portal consists of a top level header, an app switcher panel, search, the user menu, share, bookmarks, and a right panel (context/utility applications panel). Users with only this role do not have access to the social space or ION-related features.

 

  • The “MingleEnterprise” role provides access to the social space component of the Infor Ming.le application. The social space component consists of activity feeds, connections, and groups.

 

Users who have this role can do these actions:

    • View the activity feed page
    • Post messages to colleagues and groups
    • Create new groups
    • Connect to users and groups

 

  • “MingleAdministrator” is the role assigned to users to have access to administration pages in Infor Ming.le.

 

By design, the “MingleAdministrator” role is added to all applications in the tenant. The user with this role can view all application icons on the App Switcher panel. The user’s ability to open the application and access functionality, however, is controlled by the application security.

 

Users who have this role can see the Admin Settings menu item under the profile menu.

 

Users who have this role can do these actions:

    • Manage applications
    • Manage context/utility applications
    • Manage drillbacks
    • Manage general settings
    • The user with the “MingleAdministrator” role also needs the “MingleEnterprise” role in order to administer some of the users’ related features in social space.

These users can also do these actions:

    • Manage users’ feeds and groups’ feeds
    • Delete any Infor Ming.le group
    • Deactivate the users and groups and also reactivate them

 

  • “MingleIONEnabled” is a role that allows users to access ION-related features within Infor Ming.le.

ION-related components consist of alerts, tasks, ION notifications, and workflows.

 

Users who have this role can do these actions:

    • View alerts and perform all the actions in the alerts
    • View tasks and ION notifications and perform all the actions in the tasks and ION notifications
    • Alerts and Tasks options are displayed in the user menu for the users who have this role.