Similar to Lawson System Foundation, when WebSphere is updated in Landmark, the Bouncy Castle provider might also need to be updated.  If this is the case, you will notice an error message similar to the one below in the SSOCfgInfoServlet page.

Also, there will be messages logged in ssocfginfoservlet.log and security_authen.log.  One of the strongest indicators of a Bouncy Castle issue is the error “No provider: BC”.

ssocfginfoservlet.log / security_authen.log:

Tue Dec 22 12:10:05.323 CST 2020 – default–1864609923 – L(2) : tid{DEFAULT} lid{13vdos3oj0u2br08s6qstv1pnv}. Error encountered while processing the request. Additional information: {Error decrypting data.
Stack Trace :
com.lawson.security.authen.SecurityAuthenException: Error decrypting data.
                at com.lawson.security.authen.AuthenDat.getSYMKey(AuthenDat.java:4214)
                at com.lawson.security.authen.AuthenDat.getAuthenDatData(AuthenDat.java:828)
                at com.lawson.security.authen.LawsonAuthentication.getAuthenDatStr(LawsonAuthentication.java:1406)
                at com.lawson.security.authen.LawsonAuthenDataManagerLMImpl.getAuthenDataAsString(LawsonAuthenDataManagerLMImpl.java:53)
                at com.lawson.security.authen.SSOCfgInfoServlet.getConfigXML(SSOCfgInfoServlet.java:177)
                at com.lawson.security.authen.SSOCfgInfoServlet.process(SSOCfgInfoServlet.java:643)
                at com.lawson.security.authen.SSOCfgInfoServlet.doGet(SSOCfgInfoServlet.java:163)
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:575)


To update the Bouncy Castle provider, open a Landmark command window, or open a command line window and set the environment variables.  Navigate to WAS_JAVA_HOME, and run the command

java -jar %LAENVDIR%/java/jar/bcinstall.jar

This will put the correct provider file in your java home location.  Then, bounce the application server or reboot the machine.

If you are receiving login failures in IPA work units due to connection timeouts or connection refused errors, you may need to take some steps to improve the performance of your IPA-S3 connections.  To do that, update the S3 Connection Pool settings to the recommended values below.

First, open the Landmark Grid and click the “gears” to get to the configuration manager.  Select Applications > (your Landmark application) > Edit Properties.  Type Ctrl+F and search for “S3”.


Open each of the S3 configuration properties, and select the “All” radio button.  Make your changes on the “LPA” node for Any Host.  Set the S3 configuration properties to the following recommended values:

  • UsePooledConnections = True
  • MaxActiveConnections = 10
  • MaxIdleConnections = 2
  • MaxConnectionWaitSec = 30
  • TimeBetweenEvictionRunsSec = 30
  • ValidationTimeSec = 240
  • EnableConnectionValidation = True (only set this value if you are on Landmark Technology 10.1.1.58 or higher)

Save each change in the dialog window, and then click the main “Save” button at the top of the Properties window.  After you have made these changes, restart the LPA node in the Grid.

After logging into Lawson, if you see the below error “Cannot retrieve user file.  Bookmark IDs cannot be read”, there is a good chance that the iosconfig.xml file has some invalid values.  The error messages might point you directly to this file.  It can be found at LAWDIR/system.  Make sure that the ioswebrootdir attribute points to the correct location.  This location should be LAWDIR/persistdata.  Make sure there are no extra spaces or directory names in this value.

After updating the value, reboot the server or restart the WebSphere services.

If you receive a 401 or 404 error when accessing ESS pages, you need to make sure that the server users have read/write access on the ESS directories. The directories that need this access are WEBDIR/lawson/xbnnet, WEBDIR/lawson/xhrnet, and WEBDIR/lawson/webappjs.

It is important to note that the permsmaint command does not set this security, and it must be set manually by a server administrator.

Before doing any work on your WebSphere Application Server, it is a good idea to back up the profiles. To do this, navigate to <WAS_HOME>/bin.  Run the command “manageprofiles.bat -listProfiles” to get a list of all the profiles that need to be backed up.  Then run the command:

manageprofiles.bat -backupProfile -profileName <profile name> -backupFile <full path to the backup file>

Make sure the full file path already exists.

Troubleshooting:

One common issue is that a backup file with the same name already exists in the backup directory.  You might also get an error message if one or more of your servers is running.  To see which servers are running, run the serverStatus.bat -all command.  The deployment manager status can be reviewed from WAS_HOME/bin.  Other servers can be viewed by navigating to WAS_HOME/profiles/<profile you are checking>/bin.  Sometimes you might also need to stop the web server(s) in IIS.

While configuring LDAPS, if you try logging into Lawson, and it behaves as if your user doesn’t exist, check the LAWDIR/system/security_authen.log.  You may encounter an error similar to this:

Could Not Bind With privileged identity.

Thu Dec 3 14:27:49.397 PST 2020 – default–1104671165 – L(2) : Failed to get DN for user: lawson
Thu Dec 3 14:27:49.428 PST 2020 – default–1104671165 – L(4) : Set Content-Security-Policy : script-src 'self' 'unsafe-inline' 'unsafe-eval'
Thu Dec 3 14:27:56.977 PST 2020 – default–1104671165: Error encountered while getting users DN. Please see logs for details[peckb73unhe1fga2c54hqghqlj]Could Not Bind With privileged identity. User [lawson]simple bind failed: 111.111.111.11:3269
Stack Trace :
javax.naming.CommunicationException: simple bind failed: 111.111.111.11:3269 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 111.111.111.11 found]


This means that Lawson is binding to the Domain Controller by IP address, and the certificate the DC presents has no Subject Alternative Name matching that IP, so the TLS handshake is rejected before the bind can happen.  You need to make sure the server name you are using for the bind matches a SAN on the Domain Controller’s certificate.
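The check that fails in the handshake above, as an added example that is not part of the original article: given the bind target and the SAN entries of the DC certificate (the SAN values below are assumed for illustration, not taken from the page), it reports which entry would match, and reproduces the “No subject alternative names matching IP address” outcome when the bind uses the IP instead of a name.

```python
import ipaddress

# Constructed SAN list modelled on this page's failure: the DC certificate carries
# DNS names only, so a bind by IP address has nothing to match against.
# (assumed values; the real DC name is not on the page)
DC_CERT_SANS = (("DNS", "dc01.example.local"), ("DNS", "*.example.local"))


def _as_ip(host):
    """Parse an IPv4/IPv6 literal, or return None for a DNS name."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def _dns_matches(pattern, host):
    """Case-insensitive dNSName comparison; a wildcard is only honoured as the
    whole leftmost label and covers exactly one label, as Java's checker does."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def find_matching_san(bind_host, sans):
    """Return the (type, value) SAN entry that covers bind_host, or None if the
    handshake would fail. An IP literal is compared only against iPAddress
    entries and a DNS name only against dNSName entries; they never cross over."""
    ip = _as_ip(bind_host)
    for kind, value in sans:
        if ip is not None and kind == "IP" and _as_ip(value) == ip:
            return (kind, value)
        if ip is None and kind == "DNS" and _dns_matches(value, bind_host):
            return (kind, value)
    return None


def explain_bind(bind_host, sans=DC_CERT_SANS):
    """One-line verdict phrased like the CertificateException on this page."""
    match = find_matching_san(bind_host, sans)
    if match is not None:
        return f"OK: {bind_host} matches SAN {match[0]}:{match[1]}"
    kind = "IP address" if _as_ip(bind_host) is not None else "DNS name"
    return f"FAIL: No subject alternative names matching {kind} {bind_host} found"
```

Run explain_bind("111.111.111.11") against the DC's actual SAN list to confirm the diagnosis before changing the bind target.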

So, bind to this:

Instead of this:
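A small triage script for the security_authen.log signatures shown in the Bouncy Castle section and the LDAPS section above, added here as an example and not part of the original article. The sample log text is constructed from the excerpts on this page (timestamps, node ids and the IP are illustrative), and the remediation strings restate what this page recommends.

```python
import re

# Constructed sample modelled on the security_authen.log excerpts on this page
# (timestamps, node ids and the IP are illustrative, not captured data).
SAMPLE_LOG = """\
Tue Dec 22 12:10:05.323 CST 2020 - default-1864609923 - L(2) : Error encountered while processing the request. Additional information: {Error decrypting data.
com.lawson.security.authen.SecurityAuthenException: Error decrypting data.
Tue Dec 22 12:10:05.330 CST 2020 - default-1864609923 - L(2) : Additional information: {No provider: BC}
Thu Dec 3 14:27:56.977 PST 2020 - default-1104671165: Could Not Bind With privileged identity. User [lawson]simple bind failed: 111.111.111.11:3269
javax.naming.CommunicationException: simple bind failed: 111.111.111.11:3269 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 111.111.111.11 found]
Thu Dec 3 14:28:01.000 PST 2020 - default-1104671165 - L(4) : Set Content-Security-Policy : script-src 'self'
"""

# (name, regex, remediation from this page); checked in order, first hit wins.
SIGNATURES = (
    ("bouncy_castle", re.compile(r"No provider: BC|Error decrypting data"),
     "run bcinstall.jar from WAS_JAVA_HOME, then bounce WebSphere"),
    ("ldaps_san_mismatch", re.compile(r"No subject alternative names matching"),
     "bind to the Domain Controller by a name in its certificate SAN, not by IP"),
    ("ldaps_bind_failed", re.compile(r"Could Not Bind With privileged identity|simple bind failed"),
     "read the Root exception on the following stack-trace line"),
)

# Timestamped entries: "Thu Dec 3 14:27:49.397 PST 2020 - default-1104671165 - L(2) : msg".
# The "- L(n)" level field is optional; logs pasted from a browser may carry an en dash.
ENTRY = re.compile(r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} [\d:.]+ \w+ \d{4}) [-\u2013] [\w-]+?"
                   r"(?: [-\u2013] L\(\d\))?\s*: ")


def classify(line):
    """Return (signature name, remediation) for one log line, or None if it is benign."""
    for name, pattern, hint in SIGNATURES:
        if pattern.search(line):
            return (name, hint)
    return None


def triage(log_text):
    """Return (line_no, name, timestamp, remediation) for every hit. Stack-trace lines
    carry no timestamp of their own, so they inherit the one from the preceding entry."""
    hits, last_ts = [], None
    for n, line in enumerate(log_text.splitlines(), 1):
        entry = ENTRY.match(line)
        if entry:
            last_ts = entry.group("ts")
        found = classify(line)
        if found:
            hits.append((n, found[0], last_ts, found[1]))
    return hits
```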