Removing LASE

Sandy Spangler
Basic Member
Posts: 4

    We are creating a historical archive of one of our production servers that is running LSF9 on Windows.  We've successfully created a VM clone and now want to remove LASE.  Since it is a historical archive, we only want to use LAUA security and access the system via LID (since access will be limited).  The IBM WebSphere services are off/removed.  What would be the next steps for removing LASE?

     

    Kwane McNeal
    Veteran Member
    Posts: 479

      Sandy,
      You don't mention exactly which release of LSF9 you're on, so my advice will be constrained accordingly.

      First, LASE means a few different things. I'll address each in context to your question:
      1) LASE the service (the lase.exe process, controlled via startlase/stoplase) CANNOT be disabled. It HAS to be listed and running, meaning the LDAP (presumably ADAM/ADLDS) must also be running

      2) LASE the security concept, more frequently referred to as new Lawson Security, CAN be disabled.
      Execute the command: lsconfig -c #SSOCONFIG_PASSWORD# OFF
      NOTE: Depending on your ESP, this command may not be available. The other options are to start WebSphere and disable it using the LSA tool, or manually do it in the LDAP. I can post these instructions offline if you're interested.

      Now, beyond that, you may need to revert user accounts back to LAUA profiles, depending on the state of your previous security setup. A short list of possible considerations is as follows:
      1) CheckLS flag in RM
      2) LAUA Classes in GEN
      3) LAUA assignments in GEN

      Beyond this, the community would need a bit more information to give more specific information. 
        

      Kwane

       

      EDITED: The original posting removed the hyperlink-style tag

       

       

      Sandy Spangler
      Basic Member
      Posts: 4

        Apologies, full version is 9.0.1.10.288 (yes, it's an older box)

        And I am referring to just Item 2, so any documentation you have would be greatly appreciated!

        BTW, we do have security built out for the various security classes in LAUA/GEN.  And the RM profiles have CheckLS set to No.

        Sandy Spangler
        Basic Member
        Posts: 4

          Thanks for the info Kwane.  I can disable Lawson security, however, the other problem that I'm encountering is that I cannot start the Lawson environment, which seems to be hung on the lase service. Listed below is the latest output from the lase.log.  Do note that we have seen these Warnings previously but they haven't stopped lase from starting.

          Mon Aug 07 13:41:18 2017: Timeout value is adjusted to 90 Secs

          Mon Aug 07 13:41:18 2017: Security Environment Version 9.0.1.10.288 2012-03-11 04:00:00 (201205) starting.

          Mon Aug 07 13:41:18 2017: Security Environment Version 9.0.1.10.288 2012-03-11 04:00:00 (201205) started.

          Mon Aug 07 13:41:18 2017: Checking authen.dat and .ssokeystore access:
          Mon Aug 07 13:41:18 2017: WARNING: authen.dat is NOT owned by LAWSON (current owner is: Administrators)
          Mon Aug 07 13:41:18 2017: WARNING: authen.dat is NOT secured from group/world
          Mon Aug 07 13:41:18 2017: WARNING: .ssokeystore is NOT owned by LAWSON (current owner is: Administrators)
          Mon Aug 07 13:41:18 2017: WARNING: .ssokeystore is NOT secured from group/world
          Mon Aug 07 13:41:18 2017: Checking authen.dat and .ssokeystore access: DONE

          Mon Aug 07 13:41:18 2017: Security Environment terminated with an exit status of:  1
          Mon Aug 07 13:41:18 2017: Security Environment Version 9.0.1.10.288 2012-03-11 04:00:00 (201205) Stopped.
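
An added example, not part of the original thread or any Lawson tooling: a small Python parser that pulls the file-protection warnings and the exit status out of a lase.log excerpt like the one posted above. The regular expressions are assumptions based only on the lines shown in that post, and treating a non-zero exit status as a failed start is likewise an assumption.

```python
import re

# Excerpt of the lase.log lines quoted in the post above.
SAMPLE_LOG = """\
Mon Aug 07 13:41:18 2017: Timeout value is adjusted to 90 Secs
Mon Aug 07 13:41:18 2017: Security Environment Version 9.0.1.10.288 2012-03-11 04:00:00 (201205) starting.
Mon Aug 07 13:41:18 2017: Security Environment Version 9.0.1.10.288 2012-03-11 04:00:00 (201205) started.
Mon Aug 07 13:41:18 2017: Checking authen.dat and .ssokeystore access:
Mon Aug 07 13:41:18 2017: WARNING: authen.dat is NOT owned by LAWSON (current owner is: Administrators)
Mon Aug 07 13:41:18 2017: WARNING: authen.dat is NOT secured from group/world
Mon Aug 07 13:41:18 2017: WARNING: .ssokeystore is NOT owned by LAWSON (current owner is: Administrators)
Mon Aug 07 13:41:18 2017: WARNING: .ssokeystore is NOT secured from group/world
Mon Aug 07 13:41:18 2017: Checking authen.dat and .ssokeystore access: DONE
Mon Aug 07 13:41:18 2017: Security Environment terminated with an exit status of:  1
Mon Aug 07 13:41:18 2017: Security Environment Version 9.0.1.10.288 2012-03-11 04:00:00 (201205) Stopped.
"""

# Patterns are assumptions derived from the excerpt, not a documented log format.
LINE_RE = re.compile(r"^\w{3} \w{3} \d{2} [\d:]{8} \d{4}: (.*)$")
OWNER_RE = re.compile(r"WARNING: (\S+) is NOT owned by (\S+) \(current owner is: ([^)]+)\)")
ACL_RE = re.compile(r"WARNING: (\S+) is NOT secured from group/world")
EXIT_RE = re.compile(r"terminated with an exit status of:\s*(-?\d+)")


def summarize_lase_log(text):
    """Collect per-file protection warnings and the last exit status seen."""
    findings, exit_status = {}, None
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # blank or unrecognized line
        msg = line.group(1)
        if (o := OWNER_RE.match(msg)):
            note = f"owner is {o.group(3)}, expected {o.group(2)}"
            findings.setdefault(o.group(1), []).append(note)
        elif (a := ACL_RE.match(msg)):
            findings.setdefault(a.group(1), []).append("not secured from group/world")
        elif (e := EXIT_RE.search(msg)):
            exit_status = int(e.group(1))
    # Assumption: any non-zero exit status means the service did not stay up.
    failed = exit_status not in (None, 0)
    return {"findings": findings, "exit_status": exit_status, "failed": failed}


if __name__ == "__main__":
    report = summarize_lase_log(SAMPLE_LOG)
    for name, notes in report["findings"].items():
        print(f"{name}: {'; '.join(notes)}")
    print("exit status:", report["exit_status"], "(failed)" if report["failed"] else "")
```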


          Kwane McNeal
          Veteran Member
          Posts: 479
            So there are a ton of possible issues here.
            This might be better with a phone call.

            Feel free to call me, 505-433-7744
            Sandy Spangler
            Basic Member
            Posts: 4

              Thanks for the offer Kwane, tried calling and voice mail was full.  I can be reached anytime via cell 510-828-1085  (I'm in California).
