There are few things more frustrating than getting an error in an application and not being able to track down where that error is coming from or how to fix it. We are going to investigate one such error and resolution.
As many of these Infor/Lawson systems start approaching ten plus years of use there are a few things that could start to come up with SSL Certificates. Whether you are using SSL for your Infor URL, or not using SSL, there are some internal certificates set to expire at ten years that will not automatically renew. The one we are looking at with this article is the authentication certificate that is used to decrypt your data stored in the authen.dat file that is used to connect to LDAP. The files associated with this system are in the LAWDIR/system directory. They are the authen.dat, .ssotruststore, and .ssokeystore. We will focus on the .ssotruststore and .ssokeystore as that is where the main certificates are stored.
The issue started with some very unusual errors after a reboot and users unable to access any web related products. We did not start having errors until after the reboot even though the certificate expired months before. The reason is that the authentication is done on a restart of application only, so the issue did not appear until the application was restarted on the reboot. This is the error that the users received trying to log in:
The Portal cannot load because of an initialization error in the single sign-on component.
The following servlet call is encountering an exception: /ssoconfig/SSOCfgInfoServlet
Pretty generic error. After investigating log files we found we were getting an LDAP authentication error due to an expired certificate and were unable to read data in the authen.dat. Still didn’t point to exactly which certificate was expired or where. We used the java utility keytool to start looking at some of the certificates Infor creates. We zeroed in on the .ssotruststore and .ssokeystore. running the following commands:
When prompted for password just hit enter.
When we examined our certificate, we saw that it was expired and needed to be recreated. To accomplish this we renamed the files .ssotruststore and .ssokeystore to backup names and ran the Infor command ssoconfig -c. This command then prompted us for some information for creating a new authentication credential certificate. We answered appropriately, and it then created new certificates valid for ten more years.
It was a fairly simple solution but took many hours of investigation to determine what needed to be fixed and as more servers come up on this ten-year age they will start seeing more problems with certificates. As always it is very important to have a backup prior to attempting any changes such as this.
Please reach out to us if you need assistance. Thank you for reading!
End of Messages