Expired Certificates

Sort:
You are not authorized to post a reply.
Author
Messages
Ray
Basic Member
Posts: 6
Basic Member

    I am having trouble with an expired certificate. We get the following error when trying to log in with portal:

     

    The Portal cannot load because of an intialization error in the single sign-on component.

    The following servlet call is encountering an exception: /ssoconfig/SSOCfgInfoServlet.

     

    The expired certificates are located in "LAWDIR/system". They are:

    .ssotruststore

    .ssokeystore

     

    I have been able to use java "keytool" to look inside these files and do see the expired dates. They were created ~10 years ago. How do you replace (rebuild) these files ? I have found one article that instructs to rename or move the above two files and then execute the utility "ssoconfig". And upon initial execution of ssoconfig, it does in fact state:

     

    Keystores for Lawson authentication service are not configured. Do you want to configure them now?

     

    Answering YES prompts for the organization unit, name, city, state, country values, but when I hit ENTER, nothing happens, the utility hangs/suspends and never completes.

     

    I am wondering if there is something else I should be doing before I execute ssoconfig to allow it to complete? Or is there another way to create the certificate files with valid dates for another 10 years ?

     

    This is an archive system and we no longer have maintenance. But we do have individuals still logging in and looking at historical data.

     

    Any advice with this issue would be greatly appreciated.

     

    Here are my current versions of Lawson:

    Env: 9.0.1.14

    Apps: 9.0.1.MSP11

    UNIX: Sun Solaris 5.10

     

    Thank you.

     

    Alex Tsekhansky
    Veteran Member
    Posts: 92
    Veteran Member

      Are you sure the expired certificates are in your .sso files and not in a web server or WebSphere configuration?

      Are there any errors in Lawson logs in LAWDIR/system, in the WebSphere logs, or Plugin logs?

       

      Ray
      Basic Member
      Posts: 6
      Basic Member

        Thank you for your reply. I have been able to expose portions of the .sso files in LAWDIR/system which indicate the certificate is expired (I placed X's for my host, serial#, etc.)::

         

        cd /law9/law/system

         

        keytool -list -v -keystore .ssokeystore

        Enter keystore password: 

         

        *****************  WARNING WARNING WARNING  *****************

        * The integrity of the information stored in your keystore  *

        * has NOT been verified!  In order to verify its integrity, *

        * you must provide your keystore password.                  *

        *****************  WARNING WARNING WARNING  *****************

         

        Keystore type: jks

        Keystore provider: SUN

         

        Your keystore contains 1 entry

         

        Alias name: lsauthensso

        Creation date: Feb 23, 2009

        Entry type: keyEntry

        Certificate chain length: 1

        Certificate[1]:

        Owner: CN=localhost, OU=XX.XX.XX.XX, O=XX.XX.XX.XX

        Issuer: CN=localhost, OU=XX.XX.XX.XX, O=XX.XX.XX.XX

        Serial number: XXXXXX

        Valid from: Mon Feb 23 11:33:41 CST 2009 until: Sun Feb 24 11:33:41 CST 2019

        Certificate fingerprints:

                 MD5:  DD:31:74:06:76:5F:92:07:B9:70:E7C:08:5A:4E:68

                 SHA1: F444:2B:0D:7C:FD:7A:1EE:08:E7:99:93:57:5C:A5:CF:37:BD

         

         

        *******************************************

        *******************************************

         

         

        keytool -list -v -keystore .ssotruststore

        Enter keystore password: 

         

        *****************  WARNING WARNING WARNING  *****************

        * The integrity of the information stored in your keystore  *

        * has NOT been verified!  In order to verify its integrity, *

        * you must provide your keystore password.                  *

        *****************  WARNING WARNING WARNING  *****************

         

        Keystore type: jks

        Keystore provider: SUN

         

        Your keystore contains 1 entry

         

        Alias name: lsauthensso

        Creation date: Feb 23, 2009

        Entry type: trustedCertEntry

         

        Owner: CN=localhost, OU=XX.XX.XX.XX, O=XX.XX.XX.XX

        Issuer: CN=localhost, OU=XX.XX.XX.XX, O=XX.XX.XX.XX

        Serial number: XXXXXX

        Valid from: Mon Feb 23 11:33:41 CST 2009 until: Sun Feb 24 11:33:41 CST 2019

        Certificate fingerprints:

                 MD5:  DD:31:74:06:76:5F:92:07:B9:70:E7C:08:5A:4E:68

                 SHA1: F444:2B:0D:7C:FD:7A:1EE:08:E7:99:93:57:5C:A5:CF:37:BD

         

         

        *******************************************

        *******************************************

        Ray
        Basic Member
        Posts: 6
        Basic Member

          Also, the certificate expired FEB 24, 2019. The below entries are in log files from the 1st attempted restart after the expiration date::

           

          In LAWDIR/system::

           

          Log file = lase_server_1_0.log

          19-03-02 06:31:01:738 81 default.SEVERE authen.LawsonAuthentication.initClientAuthenDatThroughSSL(): Failed to get AuthenDat through SSL on the following server default Detailed me

          ssage is com.lawson.security.authen.SecurityAuthenException: Failed to initialize authentication layer. Cause Connection error (XX.XX.XX.XX, null). Cause: {2}.

          Stack Trace :

          com.lawson.security.authen.SecurityAuthenException: Connection error (XX.XX.XX.XX, null). Cause: {2}.

                  at com.lawson.security.authen.LawsonAuthentication.initClientAuthenDatThroughSSL(LawsonAuthentication.java:389)

           

          Log file = security_authen.log

          Sat Mar 02 06:31:00 CST 2019 - default-1767552537: error starting up SecEvent servlet, original message: Failed to initialize authentication layer. Cause Connection error (XX.XX.

          XX.XX, null). Cause: {2}.

          Stack Trace :

          com.lawson.security.authen.SecurityAuthenException: Connection error (XX.XX.XX.XX, null). Cause: {2}.

                  at com.lawson.security.authen.LawsonAuthentication.initClientAuthenDatThroughSSL(LawsonAuthentication.java:389)

                  at com.lawson.security.authen.LawsonAuthentication.initClientAuthenDat(LawsonAuthentication.java:247)

           

          And from a WebSphere log file: File = SystemOut.log

          [3/2/19 6:32:23:020 CDT] 0000001c servlet       E com.ibm.ws.webcontainer.servlet.ServletWrapper init SRVE0100E: Uncaught init() exception created by servlet SSOManager in applic

          ation law9_lawsec: javax.servlet.ServletException: com.lawson.lawsec.authen.LSFSecurityAuthenException:com.lawson.lawsec.authen.LSFSecurityAuthenException:Failed to get AuthenDat t

          hrough ssl on the following server default on 1 server instances: [default]

          Stack Trace : com.lawson.lawsec.authen.LSFSecurityAuthenException:Failed to get AuthenDat through ssl on the following server default on 1 server instances: [default]

                  at com.lawson.lawsec.authen.LawsonAuthentication.initClientAuthenDatThroughSSL(LawsonAuthentication.java:856)

                  at com.lawson.lawsec.authen.LawsonAuthentication.initClientAuthenDat(LawsonAuthentication.java:601)

                  at com.lawson.lawsec.authen.LawsonAuthentication.remoteInit(LawsonAuthentication.java:1858)

                  at com.lawson.lawsec.authen.LawsonAuthentication.initializeForTenant(LawsonAuthentication.java:205)

                  at com.lawson.lawsec.authen.LawsonAuthentication.initializeForTenant(LawsonAuthentication.java:118)

                  at com.lawson.lawsec.authen.LawsonAuthentication.initialize(LawsonAuthentication.java:103)

          Jeff White
          Veteran Member
          Posts: 83
          Veteran Member

            Was this issue ever resolved?  We're running into this now, and I'm trying to find out what we need to do.

             

            Jeff

            Ray
            Basic Member
            Posts: 6
            Basic Member

              I never found a "Lawson-type" solution ... so of course, we did the obvious ... hahaha ... we have three (3) Lawson servers (DEV, QA, PROD) ... all are considered an “archive” system and we no longer have maintenance ... but individuals still log in and look at historical data ... all of the server-certificates have expired within a few months of each other ... seems they were good for only 10 years after the original installation ... I have performed the below steps on each server (multiple times in some cases when the server accidently rebooted) ... every time has been successful ... the concept is simple ... you might have to make slight adjustments ... hope this works for you as well ... good luck ...

              Ray
              Basic Member
              Posts: 6
              Basic Member

                Perform the following:: 
                What: Restore access to Lawson (UNIX) – temporary solution without creating new keystore certificates

                How:
                PREP: Set the time on the server back before the certificate expired.

                Once the date on the server is prior to the expiration date, do the following: 
                [1] Stop/start all Lawson processes (UNIX) & LBI Reporting processes (WINDOWS) to re-synch the servers

                [2] Navigate to the Lawson portal URL::
                http://XXX.XXX.XXX.com/lawson/portal/ 
                Login and inquire on data. 

                Perform these post steps (wait before proceeding until [2] is successful): 
                [3] Disable the automatic stop/start of the Lawson processes (root crontab) 
                [4] Disable all database backups to prevent a disconnect from Lawson
                [5] Reset the time to current date on the server 

                 

                Jeff White
                Veteran Member
                Posts: 83
                Veteran Member
                  Actually we did end up getting this fixed. Lawson/Infor had to regenerate those LSF keys (.ssokeystore and .ssotruststore) for us using our authen.dat file. We could not do this ourselves still being on version 9.0.1. We had migrated to SAP in 2015, and only have one process that's currently processing thru Lawson. And since we installed Lawson 9.0.1 in 2010, those keys expired this year. Now we have another 10 years to get that process of of Lawson.
                  Ray
                  Basic Member
                  Posts: 6
                  Basic Member

                    Good deal ... thank you for the follow-up ...

                    You are not authorized to post a reply.