I am having trouble with an expired certificate. We get the following error when trying to log in with portal:
The Portal cannot load because of an intialization error in the single sign-on component.
The following servlet call is encountering an exception: /ssoconfig/SSOCfgInfoServlet.
The expired certificates are located in "LAWDIR/system". They are:
.ssotruststore
.ssokeystore
I have been able to use java "keytool" to look inside these files and do see the expired dates. They were created ~10 years ago. How do you replace (rebuild) these files? I have found one article that instructs to rename or move the above two files and then execute the utility "ssoconfig". And upon initial execution of ssoconfig, it does in fact state:
Keystores for Lawson authentication service are not configured. Do you want to configure them now?
Answering YES prompts for the organization unit, name, city, state, country values, but when I hit ENTER, nothing happens, the utility hangs/suspends and never completes.
I am wondering if there is something else I should be doing before I execute ssoconfig to allow it to complete? Or is there another way to create the certificate files with valid dates for another 10 years?
This is an archive system and we no longer have maintenance. But we do have individuals still logging in and looking at historical data.
Any advice with this issue would be greatly appreciated.
Here are my current versions of Lawson:
Env: 9.0.1.14
Apps: 9.0.1.MSP11
UNIX: Sun Solaris 5.10
Thank you.
Are you sure the expired certificates are in your .sso files and not in a web server or WebSphere configuration?
Are there any errors in Lawson logs in LAWDIR/system, in the WebSphere logs, or Plugin logs?
Thank you for your reply. I have been able to expose portions of the .sso files in LAWDIR/system which indicate the certificate is expired (I placed X's for my host, serial#, etc.):
cd /law9/law/system
keytool -list -v -keystore .ssokeystore
Enter keystore password:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: lsauthensso
Creation date: Feb 23, 2009
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=XX.XX.XX.XX, O=XX.XX.XX.XX
Issuer: CN=localhost, OU=XX.XX.XX.XX, O=XX.XX.XX.XX
Serial number: XXXXXX
Valid from: Mon Feb 23 11:33:41 CST 2009 until: Sun Feb 24 11:33:41 CST 2019
Certificate fingerprints:
MD5: DD:31:74:06:76:5F:92:07:B9:70:E7C:08:5A:4E:68
SHA1: F444:2B:0D:7C:FD:7A:1EE:08:E7:99:93:57:5C:A5:CF:37:BD
*******************************************
keytool -list -v -keystore .ssotruststore
Entry type: trustedCertEntry
Also, the certificate expired FEB 24, 2019. The below entries are in log files from the 1st attempted restart after the expiration date:
In LAWDIR/system:
Log file = lase_server_1_0.log
19-03-02 06:31:01:738 81 default.SEVERE authen.LawsonAuthentication.initClientAuthenDatThroughSSL(): Failed to get AuthenDat through SSL on the following server default Detailed message is com.lawson.security.authen.SecurityAuthenException: Failed to initialize authentication layer. Cause Connection error (XX.XX.XX.XX, null). Cause: {2}.
Stack Trace :
com.lawson.security.authen.SecurityAuthenException: Connection error (XX.XX.XX.XX, null). Cause: {2}.
at com.lawson.security.authen.LawsonAuthentication.initClientAuthenDatThroughSSL(LawsonAuthentication.java:389)
Log file = security_authen.log
Sat Mar 02 06:31:00 CST 2019 - default-1767552537: error starting up SecEvent servlet, original message: Failed to initialize authentication layer. Cause Connection error (XX.XX.XX.XX, null). Cause: {2}.
at com.lawson.security.authen.LawsonAuthentication.initClientAuthenDat(LawsonAuthentication.java:247)
And from a WebSphere log file: File = SystemOut.log
[3/2/19 6:32:23:020 CDT] 0000001c servlet E com.ibm.ws.webcontainer.servlet.ServletWrapper init SRVE0100E: Uncaught init() exception created by servlet SSOManager in application law9_lawsec: javax.servlet.ServletException: com.lawson.lawsec.authen.LSFSecurityAuthenException:com.lawson.lawsec.authen.LSFSecurityAuthenException:Failed to get AuthenDat through ssl on the following server default on 1 server instances: [default]
Stack Trace : com.lawson.lawsec.authen.LSFSecurityAuthenException:Failed to get AuthenDat through ssl on the following server default on 1 server instances: [default]
at com.lawson.lawsec.authen.LawsonAuthentication.initClientAuthenDatThroughSSL(LawsonAuthentication.java:856)
at com.lawson.lawsec.authen.LawsonAuthentication.initClientAuthenDat(LawsonAuthentication.java:601)
at com.lawson.lawsec.authen.LawsonAuthentication.remoteInit(LawsonAuthentication.java:1858)
at com.lawson.lawsec.authen.LawsonAuthentication.initializeForTenant(LawsonAuthentication.java:205)
at com.lawson.lawsec.authen.LawsonAuthentication.initializeForTenant(LawsonAuthentication.java:118)
at com.lawson.lawsec.authen.LawsonAuthentication.initialize(LawsonAuthentication.java:103)
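An added example, not part of the original posts and not Lawson code: a small checker that reads `keytool -list -v` output like the listing above and reports each certificate's expiry, so the date can be watched before logins break. The sample listing is constructed from the values shown in the thread; the 90-day warning window and the function names are assumptions.

```python
import re
import sys
from datetime import datetime

# Constructed sample, modelled on the keytool listing quoted in the thread.
SAMPLE = """\
Alias name: lsauthensso
Creation date: Feb 23, 2009
Entry type: keyEntry
Certificate[1]:
Owner: CN=localhost, OU=XX.XX.XX.XX, O=XX.XX.XX.XX
Valid from: Mon Feb 23 11:33:41 CST 2009 until: Sun Feb 24 11:33:41 CST 2019
"""

ALIAS_RE = re.compile(r"^\s*Alias name: (.+?)\s*$")
VALID_RE = re.compile(r"^\s*Valid from: (.+?) until: (.+?)\s*$")

def parse_keytool_date(text):
    # keytool prints e.g. "Sun Feb 24 11:33:41 CST 2019". Zone abbreviations
    # are ambiguous, so the zone token is dropped and the value is treated as
    # naive local time (assumption: day-level accuracy is enough here).
    parts = text.split()
    if len(parts) != 6:
        raise ValueError(f"unexpected keytool date: {text!r}")
    return datetime.strptime(" ".join(parts[:4] + parts[5:]),
                             "%a %b %d %H:%M:%S %Y")

def expiry_report(listing, now, warn_days=90):
    """Return [(alias, not_after, days_left, status)] for each certificate."""
    report, alias = [], None
    for line in listing.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1)
            continue
        m = VALID_RE.match(line)
        if m:
            not_after = parse_keytool_date(m.group(2))
            days_left = (not_after - now).days
            status = ("EXPIRED" if not_after <= now
                      else "EXPIRING" if days_left < warn_days else "OK")
            report.append((alias, not_after, days_left, status))
    return report

if __name__ == "__main__":
    # Pipe real keytool output in, or run with no input to see the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for alias, not_after, days, status in expiry_report(text, datetime.now()):
        print(f"{status:8} {alias}: until {not_after:%Y-%m-%d} ({days} days)")
```

Run against the sample with the clock set to the first failed restart in the logs (Mar 02 2019 06:31), it reports `lsauthensso` as EXPIRED by 6 days.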
Was this issue ever resolved? We're running into this now, and I'm trying to find out what we need to do.
Jeff
I never found a "Lawson-type" solution ... so of course, we did the obvious ... hahaha ... we have three (3) Lawson servers (DEV, QA, PROD) ... all are considered an “archive” system and we no longer have maintenance ... but individuals still log in and look at historical data ... all of the server-certificates have expired within a few months of each other ... seems they were good for only 10 years after the original installation ... I have performed the below steps on each server (multiple times in some cases when the server accidentally rebooted) ... every time has been successful ... the concept is simple ... you might have to make slight adjustments ... hope this works for you as well ... good luck ...
Perform the following:
What: Restore access to Lawson (UNIX) – temporary solution without creating new keystore certificates
How:
PREP: Set the time on the server back before the certificate expired.
Once the date on the server is prior to the expiration date, do the following:
[1] Stop/start all Lawson processes (UNIX) & LBI Reporting processes (WINDOWS) to re-synch the servers
[2] Navigate to the Lawson portal URL: http://XXX.XXX.XXX.com/lawson/portal/ Log in and inquire on data.
Perform these post steps (wait before proceeding until [2] is successful):
[3] Disable the automatic stop/start of the Lawson processes (root crontab)
[4] Disable all database backups to prevent a disconnect from Lawson
[5] Reset the time to current date on the server
Good deal ... thank you for the follow-up ...