Posts

Tips for Preparing for Infor Patch Bundles

For Infor Cloud customers, Infor periodically releases patch bundles that keep their cloud applications up to date. There are typically dozens (or hundreds) of patches applied during these bundles, to all the Infor applications hosted in the cloud. This can be an overwhelming prospect for users and IT staff who are tasked with testing and validation during these patches.

Here are some quick tips for preparing your organization for a patch bundle:

Preparation

  • Release notes: Infor always provides release notes on the patch bundle that they are implementing. These bundles are cumulative, so the notes on Lawson for instance, will describe ALL of the CTPs that are available for your version of Lawson. So, to make it more manageable, compare your last bundle’s release notes to the current one, and determine which patches are actually going to be applied. Then, save off the html files for those patches and review them.
  • Security: Occasionally the bundles will impact Lawson Security, and even more frequently they will implement new forms/fields/tables/columns that need to be secured. Run some security reports before the bundle so that they can be compared to the same reports after. Also, search your html release notes for any tokens that will be added, and determine if your organization needs to secure them.
  • Reports: Run reports or queries for data validation, but also search the release notes for database changes, and make sure that you are ready to update any reports that are impacted by those changes.

MSCM

  • Certificate: If you own MSCM, it is almost always going to be updated as part of the patch bundle. There is often an issue with the certificate after this update. Either the certificate is no longer valid, or it wasn’t generated during the patch. After the update, make sure you go directly to the CAB file location and that you see a valid certificate there (it’ll be named like your server). If you don’t see the file, or if you get security errors when trying to connect, open a ticket with Infor letting them know you think your cert is not valid.
  • CAB files: It is best practices to delete all your CAB files from the handhelds and reinstall them after these major updates.

IPA

  • Interface validation: There is a high probability that one or more of your IPA processes will be impacted by the patch bundle. It is important to test every single interface end-to-end.
  • IP Designer: The IP Designer version MUST match the Landmark/IPA version exactly. So, after a patch bundle, you WILL have to download a fresh version of IPD.

Testing

  • What to test: You are most likely going to need to test everything. Daily, weekly, monthly, and annual processes should be included in your testing.
  • How to test: Provide users with test scripts for each function, and have a central location for users to log the results. We like to use Jira as our central repository for testing.

Validation

  • You can use LID to validate data counts. You should also compare pre-update reports to post-update reports in all applications, including security.

Infor Support Ending for Internet Explorer

As of October 31, 2020, Infor is no longer going to support Internet Explorer as a browser for accessing Lawson applications. According to Microsoft, the end of life for IE will coincide with the end of life for Windows 10, so this is not a notice for the end of life for IE. This just means that any future Infor patches will not be developed to function with Internet Explorer.

 

Lawson has been stable in Chrome since the later releases of version 9. It is also supported on Microsoft Edge Chromium and Firefox. There are some things you will want to consider before moving to a different browser:

Impacted Applications

  • Infor Lawson System Foundation (LSF) 10.0.X.0 release
  • Infor Landmark Technology Runtime 10.1.1.X and 11 releases
  • Lawson for Infor Ming.le 10.0.X.0 and 10.1.X releases
  • Infor Lawson for Ming.le Content Lawson applications 10.0.X release
  • Infor Lawson Requisition Center 10.0.X.0 release
  • Infor Lawson Smart Reconciliation 10.0.X.0 release
  • Infor Lawson Procurement Card Self-Service 10.0.X.0 release
  • Infor Employee and Manager Self-Service 10.0.X.0 release
  • Infor Lawson Contextual Applications 10.0.X.0 release
  • Infor Lawson Mobile Supply Chain Management (MSCM) 11.X release
  • Infor Lawson Point of Use (POU) 11.X release
  • Infor Lawson Business Intelligence (LBI) 10.X.0.0 release
  • Infor Business Intelligence for Lawson (IBI) 10.X.0.0 release
  • All Infor Human Capital Management (HCM) products, including Infor Global Human Resources (GHR) and Infor Talent Management 10.1, 10.2 and 11 releases.
  • Infor CloudSuite Financials & Supply Management (CSF) 11 release

Design Studio

  • Design Studio 10 (the application) is going to continue to be supported in Internet Explorer
  • Design Studio forms might need some updates to make them compatible with a different browser. Design Studio relies heavily on JavaScript, and some of the syntax is browser-dependent.  Make sure you test all of your design studio forms before having users switch browsers.

MSCM

  • MSCM 10 is not compatible with Chrome. Infor will continue to support Internet Explorer with MSCM 10 installations until the end-of-life for MSCM 10.X.
  • MSCM 11.X (base, POU, and SIM) is compatible with Chrome, and it is recommended that you get to v11 as soon as possible! Contact us if you need help upgrading.

Recommendations

  • Switching browsers should be pretty seamless. Just have your users spend a week performing their daily tasks in your organization’s chosen browser, and log any issues that arise.  If they hit a wall, they can always move to IE until a workaround is provided.
  • Upgrade MSCM! If you own licensing for MSCM, the update should already be available to you.

 

As always, check the Infor Lawson compatibility matrix to get the latest information in application compatibility.

Securing a website using IIS

If your organization has custom websites that need to be secured quickly and easily, you can use the IIS internal authentication and authorization rules.

First make sure that your host server is set up to utilize Windows Authentication.  In Roles and Features  > Server Roles > Web Server (IIS) > Security, install “Windows Authentication”.

Once Windows Authentication is installed, select your site in IIS and select “Authentication”

Set Windows Authentication to enabled

Go back to your website, and select “Authorization Rules”

From here, you can give access to individual users or Active Directory groups.  The users will be presented with a Microsoft credentials dialog, and they will log in with their Windows credentials.

 

 

 

Backing up the AD FS internal databases on Microsoft Server 2012

If AD FS is configured to use the Windows Internal Database (WID) server, there are a couple of ways to maintain the databases created in the install.  They can be maintained using command-line sql or SQL Server Management Studio.  The AD FS configuration databases are called AdfsArtifactStore and AdfsConfiguration.

Not that both of these methods need to be performed on the server where AD FS is configured.

 

Command-line SQL

Log into the AD FS server using the service account under which AD FS was configured.

To prepare the server to run SQLCMD.exe, you will need to install the Native Client, ODBC Driver 11 for SQL Server, and the Command Line Utilities for SQL Server 2012.  These can be downloaded from Microsoft’s website.

Once these utilities are installed, create two “.sql” files using a text editor, one for the artifact database and one for the configuration database.  The following text should be placed in the sql file (update with the appropriate names and file paths).  The database names are AdfsArtifactStore and AdfsConfiguration.

BACKUP DATABASE [database name] TO DISK = “backup-path/backup-file.BAK” WITH NOFORMAT, INIT, NAME = “Artifact – Full Database Backup”, SKIP, NOREWIND, NOUNLOAD,STATS = 10

GO

Next, run the sqlcmd to execute a SQL script (provide the name of the script you created in the step above).

sqlcmd.exe -S \\.\pipe\MICROSOFT##WID\tsql\query -i sql-script-path\sql-script-filename.sql

 

SQL Server Management Studio

The WID server can also be accessed using SQL Server Management Studio (SSMS).  Note that SSMS must be installed on the server where AD FS is configured in order to be able to connect.

Log into the AD FS server using the service account under which AD FS was configured.  Run SSMS as administrator.  Connect to the server \\.\pipe\MICROSOFT##WID\tsql\query, and use Windows Authentication to connect.

The AD FS configuration databases are AdfsArtifactStore and AdfsConfiguration.  As long as you logged into SSMS as administrator, you should have admin rights on these databases to perform backups, run queries, etc.

 

How to Improve Operational Efficiency During the COVID-19 Pandemic

Many organizations have experienced various difficulties due to the COVID-19 pandemic.  Whether they are short-staffed due to furloughs or staff in mandatory quarantine, or searching for ways to be more productive while employees are working at home, this may be an opportunity to address some operational inefficiencies within the organization.  Here are some things to consider:

  • Manual processes: All software applications promise automation but few organizations ever achieve the goal.  Infor Process Automation (IPA) offers a workflow-based solution to automate nearly any process in Lawson.  You can use your own business logic to build a process that can do everything from onboarding automation to payroll automation.  This can be a great time and cost saver.
  • Process improvement: In addition to eliminating manual processes, there are also ways to use Lawson more effectively to improve efficiency. Your functional users and support staff cannot be expected to understand every aspect of the software and how to optimize processes within the application.  Hiring a managed services partner that knows and understands the application will be an investment in your future.  Once you can optimize your processes, you will free up time for employees to be more productive.  The initial time and cost will be minimal compared to the eventual benefit.
  • Empowering employees: Many employees have gone from doing 100% of their work in an office setting, to doing 100% of their work at home.  There are many solutions for allowing employees to connect to your network and do their work.  Since Lawson is web-based, it is a prime candidate for providing access externally over the internet.  To maintain a secure application, it would be best to configure Lawson to authenticate using with a secure method such as AD FS, and to implement multi-factor authentication.
  • Managed Services: A good Managed Service firm can help you administer Lawson and other Infor products, and even provide functional assistance, at the fraction of the cost of an FTE.  If you find that your organization is short-staffed during this period, it might be the perfect time to try a Managed Services model.

Lawson Managed Service

For more information about how Nogalis could help your organization save money (including process improvement and managed services), contact us any time.

IP Designer Series – Lawson Form Transaction

The Lawson Form Transaction node is used to create AGS calls to make updates to Lawson Forms.  If you already have an AGS call built, you can simply put it in the property window of the node.  You can also build an AGS call from scratch by clicking the “Build” button and going through the Wizard.  The connection should already be using your Infor Lawson configuration set, but you can set that explicitly if desired.  For this node to work, it is important that you have the Infor Lawson tab configured in your “main” configuration set in Landmark/IPA.  You can get more information on how to do that here.

In the Build wizard, select your product line, the module, and the token where you are making updates.  The Method(s) available to that token will be all the methods available to the token in Lawson portal.

Move over the field(s) that you want to update.  Make sure you include the fields that are required on the form.  If you are making a change, make sure you include the key fields and their values for the item you are changing.  The Value can be a hard-coded value, or a variable available to the node.

Click finish when you have filled in all your desired fields.  The AGS call will now appear in the property window.

 

IP Designer Series – Resource Query

The Resource Query node can be used to query Lawson user (RM) data in Lawson Security.  This node can be especially useful for automated user functions, such as onboarding and offboarding.

To start a query, click “Build” on the properties screen.

Select the RM Object and the Service that you want to use and click “Get Attributes”.  Choose the Attributes that you want to retrieve from each user’s record.  Then click “Next” to select the search criteria.

You can choose users based on their Resource (RM) data or Services, or both.

Once you click finish, the query should be built in the properties window.

 

Configure External Lawson to Authenticate Against LDAP Bind

There are a couple of authentication options when it comes to your external Lawson website.  If you want to authenticate using AD FS, you will have to put an AD FS server on the DMZ and make it externally facing.  If that is not an option at your organization, another option is to authenticate using the LDAP Bind.  Even when you implement AD FS for Lawson authentication, some pieces of the application (such as Add-ins) still require LDAP Bind.  So, you can set up your external website to take advantage of that service instead of AD FS.

The first step is to create an SSO domain if you don’t already have one.

Next, you will need to create a new HTTP endpoint with the values:

FQDN – the fully-qualified domain name of your externally facing web server

HTTP Port – the HTTP port your Lawson site uses (can be -1 if you want to disable HTTP)

HTTPS Port – the HTTPS port your Lawson site uses

SSO Domain – the LDAP Bind domain from the step above

Next, assign your new endpoint to your LDAP Bind service.  If you are still using LS as STS (as opposed to AD FS) for authentication to Lawson, this service is probably “SSOP”.  Otherwise, it is the service that was set up for LDAP Bind in applications like MS Add-ins or Lawson Security Administrator.

Next, you need to create an endpoint Group.  Give it a meaningful name that will let you know this is the group for external Lawson.

Now, assign your new endpoint to the endpoint group you just created.

Recycle services (or reboot your server), and do your smoke test.  Check the SSOServlet URL to make sure you are presented with the Infor Lawson login screen:

DSP for Ming.le Fails on Installation

There is a common issue that may present itself when installing Distributed Security Package (DSP) for Ming.le.  The install will fail when trying to retrieve the trust store from the LSF server, with a message similar to the screenshot below.  There will also be exceptions in the LASE logs on the LSF server indicating a certificate issue (“Received fatal alert: certificate_unknown”).

Except from LASE log:

20-04-15 19:58:11:874 12 default.SEVERE authen.SSOServer.run(): SSOServer: Got unexpected exception when processing new secured connection com.lawson.security.server.LawsonNetException: Got exception while writing to connection /172.18.8.58,40001
Stack Trace : com.lawson.security.server.LawsonNetException: Got exception while writing to connection /172.18.8.58,40001
at com.lawson.security.server.AbstractDefaultEventSource.write(AbstractDefaultEventSource.java:299)
at com.lawson.security.server.Connection.<init>(Connection.java:170)
at com.lawson.lawsec.authen.SecuredConnection.<init>(SecuredConnection.java:39)
at com.lawson.lawsec.authen.SSOServer.run(SSOServer.java:180)Caused by:
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2020)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1127)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:750)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at java.io.DataOutputStream.flush(DataOutputStream.java:123)
at com.lawson.security.server.AbstractDefaultEventSource.writeMsg(AbstractDefaultEventSource.java:348)
at com.lawson.security.server.AbstractDefaultEventSource.write(AbstractDefaultEventSource.java:287)
… 3 more

 

If you come across this issue, you will need to add a line to the lsservice.properties file.

 

To handle multiple certificate in the keystore when LS as STS (Verify if your SSOP service definition has any of these listed for the PRIMARYTARGETLOOKUP; Use Ldap Binds, Verify passwords in Lawson Security, Use Claim Based, or Kerberos) or “AD FS” is configured, edit LAWDIR/system/lsservice.properties and add the property below.

 

server.keystore.use.classic=false

 

In a Federated environment the property needs to be added in federated systems that are configured to use STS or ADFS such as in the Landmark System configuration in the LAENV/system/lsservice.properties file there

 

Once this line has been added it will not take effect until you stop WebSphere and the LSF environment and then start the LSF environment and start WebSphere.

 

**NOTE**

If your LSF environment is federated with Landmark you should stop and start landmark after the LSF side of things are back up and running.

 

Revert LBI to a Previous Version

If you did an upgrade-in-place of LBI and are experiencing issues with it, you can revert to the previous version.

Before you begin a task like this, always get snapshots of your sever!!!

****If you don’t have a backup of your pre-upgrade database, then you won’t be able to complete these steps.  You can’t revert the database changes.  Always start with a database backup!!!****

 

Revert CRAS

You don’t need to perform this step unless your previous version of LBI requires a different version of CRAS.  To revert Crystal Report Application Server, you need to uninstall the new version, and reinstall the old version.  CRAS does not uninstall cleanly, so once you step through the wizard, and reboot the server, you will need to clear out the components left behind in the registry.  Here are the registry keys you may need to delete (key names may differ based on your version):

  • HKEY_LOCAL_MACHINE\SOFTWARE\SAP Business Objects\Suite XI 4.0\Crystal Reports\
  • HKEY_CURRENT_USER\Software\ SAP Business Objects\Suite XI 4.0\Crystal Reports
  • HKEY_USERS\S-#-#-##-…-####\Software\ SAP Business Objects\Suite XI 4.0\Crystal Reports

Reboot again.  Try reinstalling the older version.  If you get any errors during the reinstall, you may have left behind some keys in the registry.  You can search the registry for “Crystal”.

 

Uninstall LBI From WebSphere

In WebSphere Administration Console, navigate to Applications > Application Types > WebSphere enterprise applications.  Select all of your LBI applications (Framework Services, Reporting Services, Smart Notification), and Uninstall.

Reboot the server.

 

Rename the LBI Install Directory

Stop the IBM WebSphere Application server service, then rename your LBI install directory.  This way, you can install your previous version of LBI in the same directory.

 

Restore Data

Restore your pre-upgrade data to the RS, FS, and SN databases.

 

Reinstall LBI

Run the LBI install wizard for your previous version.  Verify that the applications were deployed to WebSphere and that they were started.  Perform smoke tests.

 

You should be ready to retry the upgrade!  LBI upgrades can be finicky with WebSphere and database updates.  I recommend rebooting between each component update.  So, reboot before you begin.  Then reboot after upgrading Framework Services.  Then reboot after upgrading Reporting Services.  And so on…