When applying a patch to the LSF environment, we saw Security Violation errors on environment utilities even though security was turned off. In the example below, the error was returned when running ldunivtkns (to load environment tokens) and also envrelease (to show the environment version). The issue was resolved after contacting the network team to replicate file system permissions from an older Lawson server. It was not shared exactly which permissions were changed that were not already in place, but once the new permissions were applied, the Security Violations in the logs were replaced with the appropriate responses from the commands.

Initial Error

 

Error Resolved

 

Environment Security Settings

When installing Landmark 11 with Oracle, the log may show an error related to a config variable when the database is being set up. The installation will run for some time and eventually call D:\lmkprod]\env\install\dbconfigda.pl. When it does, the Perl script reads the install.cfg file under the Landmark system directory. Within that file, it looks for a number of database variables that begin with ORA. Those variables are set during the interview questions before the installation begins. Rather than read the ORA variables, the Perl script looks for those variables with an additional prefix, GEN. When it does not find GEN.ORA, the installation fails. The installation error can be resolved by copying the ORA variables to the end of the install.cfg file and editing the copies to begin with GEN.ORA. After install.cfg is updated, dbconfigda.pl will complete. The installation can then be restarted and will continue past the error.

The SQL Query Node can be used to query any SQL Server database.

Connection information

  • Either select the configuration name that contains your JDBC connection information
  • Or select Override Connection and provide the override information

The SQL Query Node can run a SQL query, run a stored procedure, or perform a create/update command. If you are running a SQL query, you can click the “Build” button to build the query in a GUI wizard.

The Message Builder Node accepts a string of text and appends that text to the message each time the node is used. This can be useful when your process loops through records and records any error messages for each record. It’s also good for notification messages for multiple records.

The Variable name is what will be referenced when you want to use the built message later in the process.

Reference the variable name just like any other variable name. All nodes after the message builder will have access to the message builder variable.

If you need multiple web sites for Landmark, running the IBM plugin configuration for an additional site may overwrite the sePlugin ISAPI filter of the original site with the ISAPI DLL from the new site. For example, the executable path for sePlugin on the site lmkdevweb was originally D:\IBM\WebSphere\Plugins\bin\IIS_lmkdevweb\iisWASPlugin_http.dll.

After adding a new site, the sePlugin executable on the initial site may be updated incorrectly to D:\IBM\WebSphere\Plugins\bin\IIS_lmkdevwebext\iisWASPlugin_http.dll. This could cause problems with the application not returning properly in the browser (HTTP error 404). To prevent redirection problems, ensure that the sePlugin filter on each site points to the path for that site. For example:

IIS Site        sePlugin Executable
lmkdevweb       D:\IBM\WebSphere\Plugins\bin\IIS_lmkdevweb\iisWASPlugin_http.dll
lmkdevwebext    D:\IBM\WebSphere\Plugins\bin\IIS_lmkdevwebext\iisWASPlugin_http.dll

Your organization may wish to brand your Infor Ming.le site by adding a custom logo to the site. Infor Ming.le 10 and 11 offer this possibility, although Infor Ming.le 12 does not provide tools for updating the logo.

NOTE: You must be a site collection administrator to perform this update.

In SharePoint 2013, select the gear icon, then Site settings. (If you have SharePoint 2010, click the Admin link, then Site settings.)

Under the Infor Ming.le Site heading, choose “Customize Infor Ming.le User Interface”

To add your custom logo to the selection list, select the “add image” button. 

Browse to your file

Click the “Select image” button to select the image you just added 

You can also enter a custom link in the “Company Logo Link” field

Click “Save” when you are done

Your logo is now displayed on the Ming.le header

The FTP node can be used to move records from one server to another over FTP. It is important to note that there can be only one FTP configuration per configuration set. So you should create a new configuration set for each FTP server you are using for file transfers.

  • Source File
    • Provide the file name
    • The source is remote if it is not the Landmark server
      • If you are accessing the file via UNC share, you should leave “Is source remote” unchecked
    • Connection information – select the configuration set for the remote server where the file resides (not required if it is a local file)
  • Destination File
    • Provide the file name
    • The source is remote if it is not the Landmark server
      • If you are accessing the file via UNC share, you should leave “Is source remote” unchecked
    • Connection information – select the configuration set for the remote server where the file is being transferred (not required if it is a local file)
  • File Transfer Mode
    • Select Ascii or Bin

The For Each node can be used to loop through records.

  • Iteration
    • Supply a number of iterations, or a variable
  • Expression
    • Typical “for-each” loop
    • Can use variables for each of the expressions
  • Array
    • Provide an array of values
  • XML
    • Loop over elements in an XML document




The FileAccess node can be used for file manipulation on local and remote servers. If you are manipulating files on a remote server, you can access them via UNC share, or you can create a new configuration set that connects to the file server.

  • Configuration name
    • default is system (Landmark)
  • Execution mode
    • Read from file
      • This can be used with a data iterator
      • Pass the output data (line) of the file to the iterator
    • Write to file
      • Creates the file and then writes to it
    • Append to file
      • Appends to an existing file
    • Check file exists
      • Returns an error that can be trapped if it doesn’t exist
    • Delete file
    • List files

After completing federation and restarting LSF and Landmark, Landmark authentication fails. The security authen log returns the following error: sun.security.validator.ValidatorException: PKIX path building failed.

This can happen if a secured LDAP bind is being used. With the secured LDAP bind (using the ldaps protocol and port 636), the Landmark JVM has to validate the certificate chain presented by the AD server, and the error means the certificates from the AD server are missing from the Java keystore on the Landmark server. This can happen even if you are using SSOP on LSF for authentication. To resolve the issue, export the certificates from the AD server and import them into the Java keystore. If LSF was bound to AD, the certificates should already be on the LSF box. They can be copied over from LSF and imported into the keystore on the Landmark server using the following example.

 

D:\JDK\bin\keytool.exe -keystore D:\JDK\jre\lib\security\cacerts -importcert -alias ADca -file D:\cacert.cer

D:\JDK\bin\keytool.exe -keystore D:\JDK\jre\lib\security\cacerts -importcert -alias ADroot -file D:\root.cer
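Because anything imported into cacerts becomes a trust anchor for every TLS connection that JVM makes, it is worth checking what is being trusted before and after the import. The script below is an added example, not part of the original post: it reuses the keytool path, aliases, files and LDAPS host shown here, and assumes the JDK default store password `changeit` and a timestamped backup file name.

```powershell
# Added example. Paths, aliases and host are the ones used in this post;
# the store password and the backup file name are assumptions.
# Run from a console window so keytool can prompt.
$keytool   = 'D:\JDK\bin\keytool.exe'
$cacerts   = 'D:\JDK\jre\lib\security\cacerts'
$storePass = 'changeit'             # assumption: JDK default truststore password
$ldapsHost = 'ldap.domain.com:636'  # host:port from the bind error in the log
$certs     = [ordered]@{ ADca = 'D:\cacert.cer'; ADroot = 'D:\root.cer' }

function Get-Sha256Fingerprint([string[]]$KeytoolOutput) {
    # keytool prints one "SHA256: AA:BB:..." line per certificate
    $KeytoolOutput | Select-String -Pattern 'SHA-?256:\s*([0-9A-F:]+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.ToUpper() }
}

# 1. Chain the AD server actually presents on the LDAPS port. This works even
#    when the chain is not yet trusted, which is the state the PKIX error describes.
$served = @(Get-Sha256Fingerprint (& $keytool -printcert -sslserver $ldapsHost))
if ($served.Count -eq 0) { throw "No certificates read from $ldapsHost" }
"Server presents $($served.Count) certificate(s):"; $served

# 2. Back up the truststore before changing it.
$backup = "$cacerts.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $cacerts -Destination $backup

foreach ($alias in $certs.Keys) {
    $file = $certs[$alias]
    # 3. Fingerprint of the file about to be trusted; confirm it with the AD/PKI owner.
    $fp = @(Get-Sha256Fingerprint (& $keytool -printcert -file $file))[0]
    if (-not $fp) { throw "Could not read a certificate from $file" }
    "${alias}: $fp"
    if ($served -notcontains $fp) {
        # Servers commonly omit the root CA from the handshake, so this is a warning.
        Write-Warning "$file is not in the chain served by $ldapsHost"
    }
    # 4. Import. -noprompt is left off so keytool shows the certificate and asks.
    & $keytool -importcert -keystore $cacerts -storepass $storePass -alias $alias -file $file
    # 5. Confirm the alias now holds exactly that certificate.
    $stored = @(Get-Sha256Fingerprint (& $keytool -list -v -keystore $cacerts -storepass $storePass -alias $alias))
    if ($stored -notcontains $fp) { throw "Alias $alias does not contain $file; restore $backup" }
}
```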

 

 

Error:

 

Wed May 31 09:49:13.112 MDT 2017 – default-724934462: Error encountered while getting users DN. Please see logs for details[egn1ldmam2ike26udaqvs9rs2g]Could Not Bind With privileged identity. User [lawson]simple bind failed:ldap.domain.com:636

Stack Trace :

javax.naming.CommunicationException: simple bind failed: ldap.domain.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)

at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)

at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)

at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)

at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)

at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)

at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)

at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)

at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)

at javax.naming.InitialContext.init(InitialContext.java:244)

at javax.naming.InitialContext.<init>(InitialContext.java:216)

at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)

at com.lawson.security.authen.LawsonLDAPBindLoginProcedure.getDNForUser(LawsonLDAPBindLoginProcedure.java:446)

at com.lawson.security.authen.LawsonLDAPBindLoginProcedure._authenticate(LawsonLDAPBindLoginProcedure.java:233)

at com.lawson.security.authen.LawsonLDAPBindLoginProcedure.authenticate(LawsonLDAPBindLoginProcedure.java:681)

at com.lawson.security.authen.LawsonLoginSchemeImpl.authenticate(LawsonLoginSchemeImpl.java:1701)

at com.lawson.security.authen.LawsonProgrammaticAuthenticatorImpl.authenticate(LawsonProgrammaticAuthenticatorImpl.java:198)

at com.lawson.security.authen.LawsonProgrammaticAuthenticatorImpl.authenticate(LawsonProgrammaticAuthenticatorImpl.java:100)

at com.lawson.rdtech.gridadapter.provider.LmrkSessionProvider.createGridPrincipal(LmrkSessionProvider.java:287)

at com.lawson.rdtech.gridadapter.provider.LmrkSessionProvider.validatePassword(LmrkSessionProvider.java:254)

at com.lawson.rdtech.gridadapter.provider.AbstractSessionProviderBase.logon(AbstractSessionProviderBase.java:134)

at com.lawson.rdtech.gridadapter.provider.LmrkSessionProvider.logon(LmrkSessionProvider.java:159)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:498)

at com.lawson.grid.proxy.ProxyServerImpl$ProxyRequestThread.invoke(ProxyServerImpl.java:2715)

at com.lawson.grid.proxy.ProxyServerImpl$ProxyRequestThread.processRequest(ProxyServerImpl.java:2502)

at com.lawson.grid.proxy.ProxyServerImpl$ProxyRequestThread.runThread(ProxyServerImpl.java:2425)

at com.lawson.grid.util.thread.PooledThread.run(PooledThread.java:137)

at java.lang.Thread.run(Thread.java:745)

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)

at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)

at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)

at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)

at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)

at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)

at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)

at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)

at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)

at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426)

at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399)

at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)

at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)

… 30 more

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)

at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)

at sun.security.validator.Validator.validate(Validator.java:260)

at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)

at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)

at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)

at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)

… 43 more

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)

at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)

at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)

at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)

… 49 more

 

Wed May 31 09:49:13.113 MDT 2017 – default-724934462: Error encountered while getting users DN. Please see logs for details[egn1ldmam2ike26udaqvs9rs2g]Could Not Bind With privileged identity.

Wed May 31 09:49:13.113 MDT 2017 – default-724934462: Failed to get DN for user: lawson