Last Post 10/30/2020 5:31 PM by  Ray
Expired Certificates
 8 Replies
Ray
Systems Engineer
Private
Basic Member
(16 points)
Basic Member
Posts:6


03/27/2019 5:12 PM

    I am having trouble with an expired certificate. We get the following error when trying to log in with portal:

     

    The Portal cannot load because of an intialization error in the single sign-on component.

    The following servlet call is encountering an exception: /ssoconfig/SSOCfgInfoServlet.

     

    The expired certificates are located in "LAWDIR/system". They are:

    .ssotruststore

    .ssokeystore

     

    I have been able to use java "keytool" to look inside these files and do see the expired dates. They were created ~10 years ago. How do you replace (rebuild) these files? I have found one article that instructs to rename or move the above two files and then execute the utility "ssoconfig". And upon initial execution of ssoconfig, it does in fact state:

     

    Keystores for Lawson authentication service are not configured. Do you want to configure them now?

     

    Answering YES prompts for the organization unit, name, city, state, country values, but when I hit ENTER, nothing happens, the utility hangs/suspends and never completes.

     

    I am wondering if there is something else I should be doing before I execute ssoconfig to allow it to complete? Or is there another way to create the certificate files with valid dates for another 10 years?

     

    This is an archive system and we no longer have maintenance. But we do have individuals still logging in and looking at historical data.

     

    Any advice with this issue would be greatly appreciated.

     

    Here are my current versions of Lawson:

    Env: 9.0.1.14

    Apps: 9.0.1.MSP11

    UNIX: Sun Solaris 5.10

     

    Thank you.

     

    Alex Tsekhansky
    Private
    Private
    Veteran Member
    (276 points)
    Veteran Member
    Posts:92


    04/01/2019 8:44 AM

    Are you sure the expired certificates are in your .sso files and not in a web server or WebSphere configuration?

    Are there any errors in Lawson logs in LAWDIR/system, in the WebSphere logs, or Plugin logs?

     

    Ray
    04/09/2019 2:00 PM

    Thank you for your reply. I have been able to expose portions of the .sso files in LAWDIR/system which indicate the certificate is expired (I placed X's for my host, serial#, etc.):

     

    cd /law9/law/system

     

    keytool -list -v -keystore .ssokeystore

    Enter keystore password: 

     

    *****************  WARNING WARNING WARNING  *****************

    * The integrity of the information stored in your keystore  *

    * has NOT been verified!  In order to verify its integrity, *

    * you must provide your keystore password.                  *

    *****************  WARNING WARNING WARNING  *****************

     

    Keystore type: jks

    Keystore provider: SUN

     

    Your keystore contains 1 entry

     

    Alias name: lsauthensso

    Creation date: Feb 23, 2009

    Entry type: keyEntry

    Certificate chain length: 1

    Certificate[1]:

    Owner: CN=localhost, OU=XX.XX.XX.XX, O=XX.XX.XX.XX

    Issuer: CN=localhost, OU=XX.XX.XX.XX, O=XX.XX.XX.XX

    Serial number: XXXXXX

    Valid from: Mon Feb 23 11:33:41 CST 2009 until: Sun Feb 24 11:33:41 CST 2019

    Certificate fingerprints:

             MD5:  DD:31:74:06:76:5F:92:07:B9:70:E7C:08:5A:4E:68

             SHA1: F444:2B:0D:7C:FD:7A:1EE:08:E7:99:93:57:5C:A5:CF:37:BD

     

     

    *******************************************

    *******************************************

     

     

    keytool -list -v -keystore .ssotruststore

    Enter keystore password: 

     

    *****************  WARNING WARNING WARNING  *****************

    * The integrity of the information stored in your keystore  *

    * has NOT been verified!  In order to verify its integrity, *

    * you must provide your keystore password.                  *

    *****************  WARNING WARNING WARNING  *****************

     

    Keystore type: jks

    Keystore provider: SUN

     

    Your keystore contains 1 entry

     

    Alias name: lsauthensso

    Creation date: Feb 23, 2009

    Entry type: trustedCertEntry

     

    Owner: CN=localhost, OU=XX.XX.XX.XX, O=XX.XX.XX.XX

    Issuer: CN=localhost, OU=XX.XX.XX.XX, O=XX.XX.XX.XX

    Serial number: XXXXXX

    Valid from: Mon Feb 23 11:33:41 CST 2009 until: Sun Feb 24 11:33:41 CST 2019

    Certificate fingerprints:

             MD5:  DD:31:74:06:76:5F:92:07:B9:70:E7C:08:5A:4E:68

             SHA1: F444:2B:0D:7C:FD:7A:1EE:08:E7:99:93:57:5C:A5:CF:37:BD

     

     

    *******************************************

    *******************************************
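Added example, not part of the original posts: a small Python check that reads `keytool -list -v` output in the format quoted above and reports, per alias, the expiry date, the days remaining and whether Owner equals Issuer (self-signed, as in the listing above). The function names, the 90-day warning window and the sample text are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample in the format of the `keytool -list -v` output quoted above.
SAMPLE = """\
Alias name: lsauthensso
Entry type: keyEntry
Certificate[1]:
Owner: CN=localhost, OU=XX.XX.XX.XX, O=XX.XX.XX.XX
Issuer: CN=localhost, OU=XX.XX.XX.XX, O=XX.XX.XX.XX
Valid from: Mon Feb 23 11:33:41 CST 2009 until: Sun Feb 24 11:33:41 CST 2019
"""

FIELD_RE = re.compile(r"^\s*(Alias name|Owner|Issuer|Valid from): (.*?)\s*$")

# keytool prints dates such as "Sun Feb 24 11:33:41 CST 2019". strptime's %Z does
# not reliably accept zone abbreviations, so the zone token is dropped (naive time).
def parse_keytool_date(text):
    _weekday, month, day, clock, _zone, year = text.split()
    return datetime.strptime(f"{month} {day} {clock} {year}", "%b %d %H:%M:%S %Y")

def audit_keystore_listing(listing, now, warn_days=90):
    """Return one finding per certificate found in `keytool -list -v` output."""
    findings, alias, owner, issuer = [], None, None, None
    for line in listing.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue  # banner, blank and fingerprint lines are ignored
        field, value = match.groups()
        if field == "Alias name":
            alias, owner, issuer = value, None, None  # new keystore entry
        elif field == "Owner":
            owner = value
        elif field == "Issuer":
            issuer = value
        else:  # "Valid from": value is "<start> until: <end>"
            not_after = parse_keytool_date(value.split(" until: ")[1])
            days_left = (not_after - now).days
            status = ("EXPIRED" if not_after <= now
                      else "EXPIRING" if days_left < warn_days else "OK")
            findings.append({"alias": alias, "not_after": not_after,
                             "days_left": days_left, "status": status,
                             "self_signed": owner is not None and owner == issuer})
    return findings

if __name__ == "__main__":
    for finding in audit_keystore_listing(SAMPLE, datetime.now()):
        print(finding)
```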

    Ray
    04/09/2019 2:02 PM

    Also, the certificate expired FEB 24, 2019. The below entries are in log files from the 1st attempted restart after the expiration date:

     

    In LAWDIR/system:

     

    Log file = lase_server_1_0.log

    19-03-02 06:31:01:738 81 default.SEVERE authen.LawsonAuthentication.initClientAuthenDatThroughSSL(): Failed to get AuthenDat through SSL on the following server default Detailed message is com.lawson.security.authen.SecurityAuthenException: Failed to initialize authentication layer. Cause Connection error (XX.XX.XX.XX, null). Cause: {2}.

    Stack Trace :

    com.lawson.security.authen.SecurityAuthenException: Connection error (XX.XX.XX.XX, null). Cause: {2}.

            at com.lawson.security.authen.LawsonAuthentication.initClientAuthenDatThroughSSL(LawsonAuthentication.java:389)

     

    Log file = security_authen.log

    Sat Mar 02 06:31:00 CST 2019 - default-1767552537: error starting up SecEvent servlet, original message: Failed to initialize authentication layer. Cause Connection error (XX.XX.XX.XX, null). Cause: {2}.

    Stack Trace :

    com.lawson.security.authen.SecurityAuthenException: Connection error (XX.XX.XX.XX, null). Cause: {2}.

            at com.lawson.security.authen.LawsonAuthentication.initClientAuthenDatThroughSSL(LawsonAuthentication.java:389)

            at com.lawson.security.authen.LawsonAuthentication.initClientAuthenDat(LawsonAuthentication.java:247)

     

    And from a WebSphere log file: File = SystemOut.log

    [3/2/19 6:32:23:020 CDT] 0000001c servlet       E com.ibm.ws.webcontainer.servlet.ServletWrapper init SRVE0100E: Uncaught init() exception created by servlet SSOManager in application law9_lawsec: javax.servlet.ServletException: com.lawson.lawsec.authen.LSFSecurityAuthenException:com.lawson.lawsec.authen.LSFSecurityAuthenException:Failed to get AuthenDat through ssl on the following server default on 1 server instances: [default]

    Stack Trace : com.lawson.lawsec.authen.LSFSecurityAuthenException:Failed to get AuthenDat through ssl on the following server default on 1 server instances: [default]

            at com.lawson.lawsec.authen.LawsonAuthentication.initClientAuthenDatThroughSSL(LawsonAuthentication.java:856)

            at com.lawson.lawsec.authen.LawsonAuthentication.initClientAuthenDat(LawsonAuthentication.java:601)

            at com.lawson.lawsec.authen.LawsonAuthentication.remoteInit(LawsonAuthentication.java:1858)

            at com.lawson.lawsec.authen.LawsonAuthentication.initializeForTenant(LawsonAuthentication.java:205)

            at com.lawson.lawsec.authen.LawsonAuthentication.initializeForTenant(LawsonAuthentication.java:118)

            at com.lawson.lawsec.authen.LawsonAuthentication.initialize(LawsonAuthentication.java:103)

    Jeff White
    Private
    Private
    Veteran Member
    (231 points)
    Veteran Member
    Posts:83


    10/24/2020 7:32 PM

    Was this issue ever resolved?  We're running into this now, and I'm trying to find out what we need to do.

     

    Jeff

    Ray
    10/28/2020 6:28 PM

    I never found a "Lawson-type" solution ... so of course, we did the obvious ... hahaha ... we have three (3) Lawson servers (DEV, QA, PROD) ... all are considered an “archive” system and we no longer have maintenance ... but individuals still log in and look at historical data ... all of the server-certificates have expired within a few months of each other ... seems they were good for only 10 years after the original installation ... I have performed the below steps on each server (multiple times in some cases when the server accidentally rebooted) ... every time has been successful ... the concept is simple ... you might have to make slight adjustments ... hope this works for you as well ... good luck ...

    Ray
    10/28/2020 6:31 PM

    Perform the following:
    What: Restore access to Lawson (UNIX) – temporary solution without creating new keystore certificates

    How:
    PREP: Set the time on the server back before the certificate expired.

    Once the date on the server is prior to the expiration date, do the following: 
    [1] Stop/start all Lawson processes (UNIX) & LBI Reporting processes (WINDOWS) to re-synch the servers

    [2] Navigate to the Lawson portal URL:
    http://XXX.XXX.XXX.com/lawson/portal/ 
    Login and inquire on data. 

    Perform these post steps (wait before proceeding until [2] is successful): 
    [3] Disable the automatic stop/start of the Lawson processes (root crontab) 
    [4] Disable all database backups to prevent a disconnect from Lawson
    [5] Reset the time to current date on the server 

     

    Jeff White
    10/29/2020 12:03 PM
    Actually we did end up getting this fixed. Lawson/Infor had to regenerate those LSF keys (.ssokeystore and .ssotruststore) for us using our authen.dat file. We could not do this ourselves still being on version 9.0.1. We had migrated to SAP in 2015, and only have one process that's currently processing thru Lawson. And since we installed Lawson 9.0.1 in 2010, those keys expired this year. Now we have another 10 years to get that process off of Lawson.
    Ray
    10/30/2020 5:31 PM

    Good deal ... thank you for the follow-up ...
