From time to time you may get inquiries from a client’s audit team about Landmark Security Roles. This overview table explains their intended uses, assuming neither the organization nor Infor has modified them. For a more in-depth look at Landmark classes, see our article “Infor Landmark Security Classes (ST) explained”.

 

| Delivered role | Intended for use by | Contains these security classes |
| --- | --- | --- |
| InbasketUser_ST | Normal end-users who receive work items in the Inbasket | BasicProductLineAccess_ST, ProductLineAccess_ST, InbasketUser_ST, Lpa_ST, ProcessSchedulingAllAccess_ST |
| JobQueueServer_ST | Users who must perform actions on the Landmark job queue. | BasicProductLineAccess_ST, ProductLineAccess_ST, JobQueueAccess_ST |
| ProcessDesigner_ST | Process developers | BasicProductLineAccess_ST, ProductLineAccess_ST, Lpa_ST, ProcessDesigner_ST, ProcessSchedulingAllAccess_ST |
| ProcessServerAllAccess_ST | IPA system administrators | BasicProductLineAccess_ST, ProductLineAccess_ST, Lpa_ST, LpaAdmin_ST, ProcessServerAllAccess_ST, ProcessSchedulingAllAccess_ST, ScheduledActionsAccess_ST |
| ProcessServerReadAccess_ST | IPA assistant administrators, power users, developers (depending on policies at your site) | ProductLineAccess_ST, ProcessServerReadAccess_ST |
| Not delivered through a role. Assign the class to any role for users who need to assign proxies. | Users who need to assign Tasks to other users to cover for them. | ProcessAutomationProxy_ST |
| ConfigConsoleSecurityAdmin_ST | Users who need full access to the Configuration Console. | ConfigAdminAccess_ST, SecurityConfigAccess_ST, ConfigConsoleSecurityAdmin_ST |
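The comparison an audit team usually asks for, as an added example that is not Infor's or the original article's code: it diffs a role-to-class export against the delivered baseline in the table above. The two-column CSV layout, the `HelpDesk_Custom` role and the `REVIEW` set are assumptions made for illustration.

```python
import csv
import io

# Delivered baseline, transcribed from the table above (role -> security classes).
_BASE = {"BasicProductLineAccess_ST", "ProductLineAccess_ST"}
_LPA = _BASE | {"Lpa_ST", "ProcessSchedulingAllAccess_ST"}
DELIVERED = {
    "InbasketUser_ST": _LPA | {"InbasketUser_ST"},
    "JobQueueServer_ST": _BASE | {"JobQueueAccess_ST"},
    "ProcessDesigner_ST": _LPA | {"ProcessDesigner_ST"},
    "ProcessServerAllAccess_ST": _LPA | {"LpaAdmin_ST", "ProcessServerAllAccess_ST",
                                         "ScheduledActionsAccess_ST"},
    "ProcessServerReadAccess_ST": {"ProductLineAccess_ST", "ProcessServerReadAccess_ST"},
    "ConfigConsoleSecurityAdmin_ST": {"ConfigAdminAccess_ST", "SecurityConfigAccess_ST",
                                      "ConfigConsoleSecurityAdmin_ST"},
}
# Assumption: classes an auditor would want explained when a non-delivered role holds them.
REVIEW = {"LpaAdmin_ST", "ProcessServerAllAccess_ST", "ConfigAdminAccess_ST",
          "SecurityConfigAccess_ST", "ProcessAutomationProxy_ST"}
# Constructed sample export, not real site data; the CSV layout is hypothetical.
SAMPLE_EXPORT = """role,security_class
ProcessServerReadAccess_ST,ProductLineAccess_ST
ProcessServerReadAccess_ST,ProcessServerReadAccess_ST
ProcessServerReadAccess_ST,LpaAdmin_ST
JobQueueServer_ST,JobQueueAccess_ ST
HelpDesk_Custom,ProcessAutomationProxy_ST
"""

def load_export(text):
    roles = {}
    for row in csv.DictReader(io.StringIO(text)):
        role = "".join(row["role"].split())  # drop stray spaces such as "_ ST"
        roles.setdefault(role, set()).add("".join(row["security_class"].split()))
    return roles

def audit(current):
    """Return sorted (role, finding, security_class) tuples for roles in the export."""
    findings = []
    for role, classes in current.items():
        base = DELIVERED.get(role)
        if base is None:  # role is not in the delivered table
            findings += [(role, "review", c) for c in classes & REVIEW]
        else:
            findings += [(role, "added", c) for c in classes - base]
            findings += [(role, "removed", c) for c in base - classes]
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(load_export(SAMPLE_EXPORT)), sep="\n")
```

An empty result means every delivered role in the export still matches the table; each `added` or `removed` line is a modification to explain to the auditors.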

 

If your Lawson Add-ins are not working, check the following:

  1. Check your version of Excel. The MOA installer differs depending on whether you’re using 2010 or 2016.
    • To find the MOA installer versions, look on docs.infor.com and/or search the downloads section of the Infor Concierge website.
  2. If the add-in is not working after installing, go to Excel Options and check for “Disabled Application Add-ins”.
  3. If the add-in is listed as disabled there, select Disabled Items under Manage, then click Go.
  4. Access COM Add-ins and make sure Lawson MOA is enabled.

That’s it! Steps 2 through 4 are shown as they apply to Lawson Add-ins in Excel 2010.

Here are 5 things you can check when working out what is wrong with Lawson:

  1. Contact the different departments within the organization to confirm whether this is a widespread issue. Coordinate with them to report back the issues they are seeing.
  2. If users can’t access the Lawson portal, check whether WebSphere is running.
    1. If you have access to the LSF server, go into Services and check whether the IBM WebSphere ServerApp service is running. Stopping and starting the ServerApp is typically safe as well if you’re trying to prevent users from logging in.
    2. If WebSphere is running, check for errors in the IOS log found in %LAWDIR%\system.
  3. If you’re able to access the Lawson portal but users report intermittent issues, check the LADB and LATM logs.
    1. On the LSF server, go to the %LAWDIR%\system directory, open ladb.log and latm.log, and search for “Database error (94)” or “Connection Failure” errors. Make sure the timestamps line up.
  4. Check the Lawson job scheduler or reach out to your database team to check for any scripts running on the server.
    1. It’s rarer, but an update job or SQL script could cause intermittent connection issues within Lawson if it’s hogging all the database or LSF server resources.
    2. It’s also important to verify there is nothing important running if you’re thinking of rebooting either server.
  5. After doing the above checks and coordinating with the organization, if Lawson is still exhibiting issues and you’re seeing errors, it’s always best to reboot both the Lawson database server and the LSF server.
    1. A simple way to do this would be to open a command prompt or PowerShell as administrator and type: shutdown -r -t 0
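The log check from step 3, as an added example that is not part of the original post: it pulls the two error strings out of ladb.log and latm.log and keeps only the entries whose timestamps fall near the time users reported trouble. The timestamp layout is an assumption (see the comment) and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumption: each entry starts with "YY-MM-DD HH:MM:SS", the form seen in the LASE
# excerpt on this page; change TS_RE and TS_FMT if ladb.log or latm.log differ.
TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
TS_FMT = "%y-%m-%d %H:%M:%S"
NEEDLES = ("Database error (94)", "Connection Failure")  # search strings from this page

# Constructed sample log text, not captured from a real server.
SAMPLE_LOGS = {
    "ladb.log": "20-04-15 19:58:03 Database error (94)\n"
                "20-04-15 23:10:40 Connection Failure\n",
    "latm.log": "20-04-15 19:58:11 Connection Failure\n"
                "20-04-15 20:30:00 transaction started\n",
}

def error_events(logs):
    """Return sorted (timestamp, log_name, line) for lines containing a needle."""
    events = []
    for name, text in logs.items():
        for line in text.splitlines():
            m = TS_RE.match(line)
            if m and any(n in line for n in NEEDLES):
                events.append((datetime.strptime(m.group(1), TS_FMT), name, line))
    return sorted(events)

def errors_near(logs, reported, window_minutes=5):
    """Errors from any log within the window around the time users reported trouble."""
    when = datetime.strptime(reported, TS_FMT)
    window = timedelta(minutes=window_minutes)
    return [e for e in error_events(logs) if abs(e[0] - when) <= window]

if __name__ == "__main__":
    for ts, name, line in errors_near(SAMPLE_LOGS, "20-04-15 20:00:00"):
        print(name, line)
```

On a server, build the dictionary by reading ladb.log and latm.log from %LAWDIR%\system instead of using `SAMPLE_LOGS`.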

So, you have a job failing, possibly a multi-step job, and you’ve run into either the “Cannot process loc” error or something like “Bad File Status 4 7 On File <Filename>”.

This prevents the job from running and/or pick lists from being printed.

 

  • First, verify with your IT team that this job is not going to run again soon and that none of the other programs are running.
  • Now, to resolve this issue, you will need to use a quick paint screen to change the OE-RUN-STS field in the ICLOCATION file from 2 to 0.

The OE-RUN-STATUS values are:

0 – No processing in progress

1 – Allocation Feedback Running (WH110)

2 – Pick List Print Running (WH130, WH131)

3 – Picking Feedback Running (WH132 – Feedback step 1)

4 – Packing Feedback Running (WH132 – Feedback step 2)

5 – Shipping Feedback Running (WH132 – Feedback step 3)

6 – IC Reorder Running (IC140, IC141, IC142)

The IT team can use a command such as tmmon to verify.

  • If the job is scheduled to run again automatically, allow it to do so; it should complete and the pick lists should be printed. Make sure other jobs are not scheduled to run around the same time you’re changing the OE-RUN-STATUS.
  • Lastly, if you’re running the job frequently for the same parameters, change the Execute parameter in pgmdef to Non-Concurrently to ensure the prior job has completed before the next one attempts to run.

Good luck!

The Lawson Form Transaction node is used to create AGS calls to make updates to Lawson Forms.  If you already have an AGS call built, you can simply put it in the property window of the node.  You can also build an AGS call from scratch by clicking the “Build” button and going through the Wizard.  The connection should already be using your Infor Lawson configuration set, but you can set that explicitly if desired.  For this node to work, it is important that you have the Infor Lawson tab configured in your “main” configuration set in Landmark/IPA.  You can get more information on how to do that here.

In the Build wizard, select your product line, the module, and the token where you are making updates.  The Method(s) available to that token will be all the methods available to the token in Lawson portal.

Move over the field(s) that you want to update.  Make sure you include the fields that are required on the form.  If you are making a change, make sure you include the key fields and their values for the item you are changing.  The Value can be a hard-coded value, or a variable available to the node.

Click finish when you have filled in all your desired fields.  The AGS call will now appear in the property window.

 

The Resource Query node can be used to query Lawson user (RM) data in Lawson Security.  This node can be especially useful for automated user functions, such as onboarding and offboarding.

To start a query, click “Build” on the properties screen.

Select the RM Object and the Service that you want to use and click “Get Attributes”.  Choose the Attributes that you want to retrieve from each user’s record.  Then click “Next” to select the search criteria.

You can choose users based on their Resource (RM) data or Services, or both.

Once you click finish, the query should be built in the properties window.

 

There are a couple of authentication options when it comes to your external Lawson website.  If you want to authenticate using AD FS, you will have to put an AD FS server on the DMZ and make it externally facing.  If that is not an option at your organization, another option is to authenticate using the LDAP Bind.  Even when you implement AD FS for Lawson authentication, some pieces of the application (such as Add-ins) still require LDAP Bind.  So, you can set up your external website to take advantage of that service instead of AD FS.

The first step is to create an SSO domain if you don’t already have one.

Next, you will need to create a new HTTP endpoint with the values:

FQDN – the fully-qualified domain name of your externally facing web server

HTTP Port – the HTTP port your Lawson site uses (can be -1 if you want to disable HTTP)

HTTPS Port – the HTTPS port your Lawson site uses

SSO Domain – the LDAP Bind domain from the step above

Next, assign your new endpoint to your LDAP Bind service.  If you are still using LS as STS (as opposed to AD FS) for authentication to Lawson, this service is probably “SSOP”.  Otherwise, it is the service that was set up for LDAP Bind in applications like MS Add-ins or Lawson Security Administrator.

Next, you need to create an endpoint Group.  Give it a meaningful name that will let you know this is the group for external Lawson.

Now, assign your new endpoint to the endpoint group you just created.

Recycle services (or reboot your server), and do your smoke test.  Check the SSOServlet URL to make sure you are presented with the Infor Lawson login screen.

There is a common issue that may present itself when installing Distributed Security Package (DSP) for Ming.le.  The install will fail when trying to retrieve the trust store from the LSF server, with a message similar to the screenshot below.  There will also be exceptions in the LASE logs on the LSF server indicating a certificate issue (“Received fatal alert: certificate_unknown”).

Excerpt from LASE log:

20-04-15 19:58:11:874 12 default.SEVERE authen.SSOServer.run(): SSOServer: Got unexpected exception when processing new secured connection com.lawson.security.server.LawsonNetException: Got exception while writing to connection /172.18.8.58,40001
Stack Trace : com.lawson.security.server.LawsonNetException: Got exception while writing to connection /172.18.8.58,40001
at com.lawson.security.server.AbstractDefaultEventSource.write(AbstractDefaultEventSource.java:299)
at com.lawson.security.server.Connection.<init>(Connection.java:170)
at com.lawson.lawsec.authen.SecuredConnection.<init>(SecuredConnection.java:39)
at com.lawson.lawsec.authen.SSOServer.run(SSOServer.java:180)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2020)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1127)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:750)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at java.io.DataOutputStream.flush(DataOutputStream.java:123)
at com.lawson.security.server.AbstractDefaultEventSource.writeMsg(AbstractDefaultEventSource.java:348)
at com.lawson.security.server.AbstractDefaultEventSource.write(AbstractDefaultEventSource.java:287)
… 3 more

 

If you come across this issue, you will need to add a line to the lsservice.properties file.

 

To handle multiple certificates in the keystore when LS as STS or “AD FS” is configured, edit LAWDIR/system/lsservice.properties and add the property below. (To check for LS as STS, verify whether your SSOP service definition lists any of these for PRIMARYTARGETLOOKUP: Use Ldap Binds, Verify passwords in Lawson Security, Use Claim Based, or Kerberos.)

 

server.keystore.use.classic=false

 

In a federated environment, the property also needs to be added on the federated systems that are configured to use STS or AD FS, for example on the Landmark system, in its LAENV/system/lsservice.properties file.

 

Once this line has been added it will not take effect until you stop WebSphere and the LSF environment and then start the LSF environment and start WebSphere.

 

**NOTE**

If your LSF environment is federated with Landmark, you should stop and start Landmark after the LSF side is back up and running.
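One way to make the lsservice.properties change repeatable across the LSF and Landmark copies, as an added example that is not Infor's tooling or the original post's code: it adds or corrects `server.keystore.use.classic=false`, leaves an already-correct file untouched, and keeps a `.bak` copy before writing. The function names are hypothetical.

```python
import re
import shutil
import sys
from pathlib import Path

KEY, WANTED = "server.keystore.use.classic", "false"   # property from this page

def ensure_property(text, key=KEY, wanted=WANTED):
    """Return (new_text, status); status is 'ok', 'changed' or 'added'.

    Follows java.util.Properties rules: '#' or '!' starts a comment, '=' or ':'
    separates key and value, and the last assignment of a key wins.
    """
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*[=:]\s*(.*?)\s*$")
    lines = text.splitlines()
    hits = [(i, m.group(1)) for i, ln in enumerate(lines) if (m := pattern.match(ln))]
    if hits and hits[-1][1].lower() == wanted:
        return text, "ok"
    if hits:
        for i, _ in hits[:-1]:              # comment out shadowed duplicates
            lines[i] = "# " + lines[i]
        lines[hits[-1][0]] = f"{key}={wanted}"
    else:
        lines.append(f"{key}={wanted}")
    return "\n".join(lines) + "\n", "changed" if hits else "added"

def apply_to_file(path):
    """Fix one lsservice.properties file in place, keeping a .bak copy first."""
    p = Path(path)
    original = p.read_text(encoding="latin-1")   # .properties files are ISO-8859-1
    new_text, status = ensure_property(original)
    if status != "ok":
        shutil.copy2(p, p.with_name(p.name + ".bak"))
        p.write_text(new_text, encoding="latin-1")
    return status

if __name__ == "__main__":
    # Pass every copy that applies: the LSF file and, when federated, the Landmark one.
    for arg in sys.argv[1:]:
        print(arg, apply_to_file(arg))
```

A status of `changed` or `added` still requires the restart sequence described above before the property takes effect.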

 

If you did an upgrade-in-place of LBI and are experiencing issues with it, you can revert to the previous version.

Before you begin a task like this, always get snapshots of your server!!!

****If you don’t have a backup of your pre-upgrade database, then you won’t be able to complete these steps.  You can’t revert the database changes.  Always start with a database backup!!!****

 

Revert CRAS

You don’t need to perform this step unless your previous version of LBI requires a different version of CRAS.  To revert Crystal Report Application Server, you need to uninstall the new version, and reinstall the old version.  CRAS does not uninstall cleanly, so once you step through the wizard, and reboot the server, you will need to clear out the components left behind in the registry.  Here are the registry keys you may need to delete (key names may differ based on your version):

  • HKEY_LOCAL_MACHINE\SOFTWARE\SAP Business Objects\Suite XI 4.0\Crystal Reports\
  • HKEY_CURRENT_USER\Software\SAP Business Objects\Suite XI 4.0\Crystal Reports
  • HKEY_USERS\S-#-#-##-…-####\Software\SAP Business Objects\Suite XI 4.0\Crystal Reports

Reboot again.  Try reinstalling the older version.  If you get any errors during the reinstall, you may have left behind some keys in the registry.  You can search the registry for “Crystal”.

 

Uninstall LBI From WebSphere

In WebSphere Administration Console, navigate to Applications > Application Types > WebSphere enterprise applications.  Select all of your LBI applications (Framework Services, Reporting Services, Smart Notification), and Uninstall.

Reboot the server.

 

Rename the LBI Install Directory

Stop the IBM WebSphere Application server service, then rename your LBI install directory.  This way, you can install your previous version of LBI in the same directory.

 

Restore Data

Restore your pre-upgrade data to the RS, FS, and SN databases.

 

Reinstall LBI

Run the LBI install wizard for your previous version.  Verify that the applications were deployed to WebSphere and that they were started.  Perform smoke tests.

 

You should be ready to retry the upgrade!  LBI upgrades can be finicky with WebSphere and database updates.  I recommend rebooting between each component update.  So, reboot before you begin.  Then reboot after upgrading Framework Services.  Then reboot after upgrading Reporting Services.  And so on…

When using the wizard to perform an in-place update to LBI, occasionally the database scripts will fail without notification. The issue will typically present itself when you restart the IBM services and the SystemOut.log throws database errors, such as “invalid object name” or “field does not exist” after the application attempts to run a query.

The good news is that the database update scripts can be run manually.  These scripts can be found at <lbi_install_dir>\<product>\<product>.ear\<product>war-<version>.war\WEB-INF\rdbms\<database type>

So, for example:

  • D:\LBI\ReportingServices\Reporting Services.ear\erswar-10.6.0.0.war\WEB-INF\rdbms\MSSQL2K
  • D:\LBI\FrameworkServices\Framework Services.ear\efswar-10.6.0.0.war\WEB-INF\rdbms\MSSQL2K
  • D:\LBI\SmartNotifications\Smart Notifications.ear\lsnwar-10.6.0.0.war\WEB-INF\rdbms\MSSQL2K

You want to run all the update scripts that exist between your old version and your new version.  So, if you are upgrading from 10.4 to 10.6, you would run the highlighted scripts:

***IMPORTANT:  DO NOT run the oracle.sql or TreeSchma.sql script. They will drop all your tables.***