Securing Smart Office communication with SSL

“Certificates, certificates, certificates! I do not want to hear another word about certificates!”, famous words from a frustrated colleague of mine. But the truth is that understanding how SSL certificates are used to secure HTTP communication is not always easy. Security is always tricky and troubleshooting security issues is always a pain. This article focuses on Smart Office, but almost everything described is valid for any web application as well.

General SSL information

HTTPS encrypts the traffic between the clients and the server and, provided the client verifies the server certificate, prevents man-in-the-middle attacks. Encryption alone does not do that: it is the certificate check that proves the client is talking to the real server and not to someone sitting in between, which is why the server host name is included in the SSL certificate.

Even though this article is about Smart Office it is easier to troubleshoot and verify SSL certificates through a browser. Internet Explorer and the .NET-based Smart Office client both validate certificates against the Windows certificate store, so if the browser can show an HTTPS URL without errors, Smart Office will not have a problem with the URL either.

To view the certificate used by a web site, open Internet Explorer and navigate to the HTTPS URL. In the example below I have used Google mail.

SSL_IE

Click the padlock and then click View Certificates. It looks slightly different on different Internet Explorer versions or when using some other browser.

SSL_CertGeneral

There is some important information on the first tab.

The Issued to: field contains the host name (the Common Name, CN) that the SSL certificate is valid for. If you access the machine through any other name, for example its IP address, or only “mail” if you happen to be on the google.com intranet, the browser will report an error. A certificate is tied to the name the clients use, so normally every server exposing an HTTPS connection needs its own SSL certificate. There is however one way to reduce the number of SSL certificates and that is to create a so called wildcard certificate. A wildcard certificate may have an Issued to value like *.google.com. Such a certificate can be used for all servers directly under google.com: the * stands for exactly one label, so it covers mail.google.com but not google.com itself and not a.mail.google.com. Using a wildcard certificate is less secure than using unique certificates, because the same private key has to be installed on every server that uses it; a compromise of one of those servers exposes the key for all of them.

Another useful feature of SSL certificates is the ability to add alternative names. If a server has one or more aliases in the DNS it is possible to create an SSL certificate that is valid for more than one name. On the Details tab there may be a field called “Subject Alternative Name” that lists all the server names the certificate is valid for. Current browsers use only the Subject Alternative Name for the name check and ignore the Common Name, so every name the certificate should be valid for, including the one in Issued to, should be listed there.

SSL_AlternativNames

The certificate in this example is valid for both mail.google.com and inbox.google.com.

Now back to the General tab again.

The Valid from and Valid to fields show the date interval in which the SSL certificate is valid. If the SSL certificate has expired, or is not yet valid, the browser will show an error. It is the current date on the client machine that must be in the interval, so a client with a wrong clock fails even a perfectly good certificate.

The Issued by: field shows the certificate that has issued (signed) the certificate. A self-signed certificate shows the same name in the Issued by: field as in the Issued to: field.

On the Certificate Path tab the whole certificate chain is shown.

SSL_Chain

The top most certificate, “GeoTrust Global CA” in this example, is called the root certificate and must be in the Trusted Root Certification Authorities list in Windows. Any certificates between the root and the server certificate (intermediate certificates) must either be sent by the server during the handshake or already be known to Windows, otherwise the chain cannot be built. If the root is not in the list, or the chain cannot be built, the browser will show an error when connecting to the HTTPS URL.

SSL_CertTool

Fortunately Microsoft maintains this list for all the bigger commercial root certificates and pushes updates to all Windows operating systems through Windows Update. A root certificate is always a self-signed certificate, which is also why it is the only certificate in the chain that has to be trusted explicitly: nothing else vouches for it.

Short summary of what must be fulfilled in order to get a valid HTTPS connection.

  • The host name in the HTTPS URL must be exactly as the Issued to field or one of the alternative names (with the wildcard rule above).
  • The root certificate must be in the Trusted Root Certification Authorities list in Windows, and any intermediate certificates must be available so that the chain can be built.
  • The current date of the client machine must be in the Valid from, to interval of every certificate in the chain, not only the server certificate.
  • None of the certificates in the chain may be revoked; the browser checks this through the CRL or OCSP addresses in the certificate when it can reach them.

Note that the port number is not included in the SSL verification, which means that the same SSL certificate can be used for all HTTPS endpoints on a machine regardless of which port they use, as long as they are reached through the same host name.
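The name and date rules above written out in PowerShell, as an added example that is not part of the original post. It shows what a client actually compares: the host part of the URL (the port falls away), the Subject Alternative Name entries with the wildcard rule, and the client's own clock against the validity period. The names and dates are constructed from the Google mail screenshots above; nothing is fetched from the network.

```powershell
# Added example, not part of the original post. Implements the name and date checks a client
# applies to a server certificate. The inputs at the bottom are constructed from the screenshots.

function Test-SslHostnameMatch {
    param(
        [Parameter(Mandatory)] [string]   $RequestedHost,     # host part of the URL only; the port is never compared
        [Parameter(Mandatory)] [string[]] $CertificateNames   # Subject Alternative Name DNS entries (or the CN for old certificates)
    )
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($RequestedHost, [ref] $ip)) {
        # A DNS name in the certificate never matches an IP address. Connecting by IP only works
        # when the certificate carries an "IP Address" entry in Subject Alternative Name.
        return $false
    }
    $requested = $RequestedHost.TrimEnd('.').ToLowerInvariant()
    $requestedLabels = $requested.Split('.')
    foreach ($name in $CertificateNames) {
        $candidate = $name.TrimEnd('.').ToLowerInvariant()
        if ($candidate -eq $requested) { return $true }
        # Wildcard rule: "*" must be the whole leftmost label and stands for exactly one label.
        # *.google.com covers mail.google.com, but not google.com and not a.mail.google.com.
        if ($candidate.StartsWith('*.')) {
            $candidateLabels = $candidate.Split('.')
            if ($candidateLabels.Length -eq $requestedLabels.Length -and
                $requested.EndsWith($candidate.Substring(1)) -and
                $requestedLabels[0] -ne '') {
                return $true
            }
        }
    }
    return $false
}

function Test-SslValidityPeriod {
    param(
        [Parameter(Mandatory)] [datetime] $NotBefore,
        [Parameter(Mandatory)] [datetime] $NotAfter,
        [datetime] $Now = (Get-Date)   # the client's clock decides, not the server's
    )
    return ($Now -ge $NotBefore -and $Now -le $NotAfter)
}

# Constructed inputs: the names from the Subject Alternative Name shown above. The host is taken
# from a full URL, which is where the port number disappears.
$sanNames  = 'mail.google.com', 'inbox.google.com'
$requested = ([Uri] 'https://mail.google.com:443/mail/').DnsSafeHost

$checks = @(
    @{ Host = $requested;          Names = $sanNames;      Expect = $true  }   # exact SAN match
    @{ Host = 'inbox.google.com';  Names = $sanNames;      Expect = $true  }   # second SAN entry
    @{ Host = 'mail';              Names = $sanNames;      Expect = $false }   # intranet short name is not in the certificate
    @{ Host = '192.0.2.10';        Names = $sanNames;      Expect = $false }   # IP never matches a DNS name
    @{ Host = 'mail.google.com';   Names = '*.google.com'; Expect = $true  }   # wildcard, one label
    @{ Host = 'google.com';        Names = '*.google.com'; Expect = $false }   # wildcard does not cover the bare domain
    @{ Host = 'a.mail.google.com'; Names = '*.google.com'; Expect = $false }   # wildcard does not cover two labels
)
foreach ($c in $checks) {
    $match = Test-SslHostnameMatch -RequestedHost $c.Host -CertificateNames $c.Names
    if ($match -ne $c.Expect) { throw "Unexpected result for $($c.Host)" }
    '{0,-20} against {1,-32} match={2}' -f $c.Host, ($c.Names -join ','), $match
}

# Constructed validity period: the same certificate is accepted by a client whose clock says
# 2014 and rejected by one whose clock is stuck in 2012.
$notBefore = Get-Date '2013-10-01'
$notAfter  = Get-Date '2014-12-31'
Test-SslValidityPeriod -NotBefore $notBefore -NotAfter $notAfter -Now (Get-Date '2014-03-01')
Test-SslValidityPeriod -NotBefore $notBefore -NotAfter $notAfter -Now (Get-Date '2012-03-01')
```

The IP address case is the one that trips people up when they test a Grid host "by IP": the name check cannot succeed unless the certificate contains an IP Address entry, no matter how the root is trusted.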

View Windows Certificates

To open the Certificates tool shown above, open a CMD window, type mmc.exe and press Enter. The Microsoft Management Console should be shown. Select File -> Add/Remove Snap-in…, select Certificates and press Add, select Computer account and press Next. Select Local computer and press Finish. Note that each user also has a separate store (Certificates - Current User); a root certificate imported there is trusted only by that user, which is why the instructions later in this post use the computer account.

Mode of acquisition, with advantages and disadvantages:

  • Issued by a third-party vendor. Advantage: works for clients from any domain. Disadvantages: additional expense; delivery time gap.
  • Issued by an in-house certificate authority. Advantages: inexpensive; automatically trusted by all clients in the internal network. Disadvantages: configuration and maintenance of the certification server is needed; applies only to domain clients.
  • Self-signed certificate. Advantages: inexpensive and easy to use, especially for test environments. Disadvantages: must be installed at all client machines, and there is no issuer to vouch for it, so trust rests entirely on that manual step.

Self-signed certificates are almost never used together with Smart Office and are not discussed in this article.

Recommendations on when to buy and when to use an in-house Certificate Authority come in the next section.

Infor Smart Office and Infor ION Grid

Infor ION Grid (Grid) is the application container in which the Smart Office server runs.

When Grid is installed it creates its own root certificate and uses that certificate when issuing all other certificates in the Grid; you can say that the Grid has its own Certificate Authority. For each Grid Host an SSL certificate is created and all Grid Routers on that host use the same SSL certificate (in future Grid versions there may be an option to change the SSL certificate per Grid Router).

SSL_Grid

In Grid 1.11 the SSL certificate key stores are located on each Grid Host in the folder <LCM service>\grid\<Grid name>\grids\<Grid name>\secure\. The key store file name is https.ks and the key store password is stored in https.pw. The key store is a Java key store that can be inspected and manipulated with the JDK tool keytool.exe. The only time it is necessary to manipulate it manually is when you want to re-use an existing SSL certificate. Treat both files as secrets: whoever can read them holds the private key that every Grid Router on that host uses for HTTPS.

For Smart Office to be able to use an out-of-the-box installation the Grid root certificate must be placed in the Trusted Root Certification Authorities list in Windows on every client. There is an instruction at the end of this blog post on how to do that.

Using an out-of-the-box installation that requires manual steps before Smart Office can start may be cumbersome with many users, especially if the users do not have much computer skill or do not have administrative rights on their computers.

There are a few different ways to make it easier for the users; which way to go depends on how Smart Office is going to be used and on the intranet infrastructure already in place at the customer.

  • Is Smart Office going to be used over the open internet? If yes, I recommend buying a certificate from a third-party vendor. Securing Smart Office and Grid for use over the open internet requires some serious configuration and is not covered here.
  • Does the customer have an in-house Certificate Authority?
    If yes, use it to create the SSL certificates. Both Windows Server 2008 and Windows Server 2012 come with a Certificate Authority.
    If no, can the customer install one?
  • As a last resort, it is possible to distribute the Grid root certificate through a Windows policy. How to distribute a certificate is described in the Smart Office administration guide, or search for it. Keep in mind that every domain computer will then trust anything signed by the Grid root, so the Grid host that holds that CA private key has to be protected like any other Certificate Authority.

There are instructions in the Infor ION Grid Security Administration Guide on how to make a certificate request through the Grid Configuration Manager and how to import the actual certificate after it is created by the Certificate Authority.

Smart Office

Smart Office requires that all communication between the Smart Office client and the Smart Office server is made over HTTPS. Smart Office features, like M3 MForms and Lawson SForms, that execute inside Smart Office may or may not require HTTPS, even though the recommendation is to always use HTTPS. Each Smart Office feature normally has its own section in the Profile Editor where the URLs to the back-end system are configured.

Security considerations

The general recommendation is to use at least a 2048-bit RSA key for SSL certificates, but key size is only one part of what makes a connection secure: the signature algorithm of the certificate (SHA-1 signatures are no longer accepted by browsers), the protocol versions and the cipher suites the server offers matter just as much. Read more in this article http://www.symantec.com/connect/blogs/ssl-ciphers-beyond-private-key-and-certificate

Here are some other links worth reading.

http://www.symantec.com/connect/blogs/deadline-upgrade-2048-bit-ssl-certificates-sooner-you-might-think
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
https://nakedsecurity.sophos.com/2013/05/27/anatomy-of-a-change-google-announces-it-will-double-its-ssl-key-sizes/

Appendix: How to install the Grid root certificate

The easiest way of obtaining and installing the Grid root certificate is to go to the Smart Office installation page, normally something like http://server.company.com:port/mango, right-click the text Install Infor Smart Office and select Copy link address.

SSL_InstallPage

Paste the link in a text editor and find and copy the value of the SERVER parameter, something like https://server.company.com:port

Start Internet Explorer as an administrator and navigate to the copied SERVER URL; the Grid information page should be shown and there should be a certificate error.

SSL_CertError

Click Certificate error, click View Certificates, select the Certification Path tab, select the root certificate and click View Certificate. Check that it really is the Grid root certificate (Issued to equals Issued by) before you install it: installing a root makes Windows trust every certificate that root has ever signed, so never install the server certificate itself or a root you cannot account for.

SSL_RootCert

In the new Certificate dialog click Install Certificate…. In the Certificate Import Wizard select Local Machine and click Next. Select Place all certificates in the following store and click Browse…. In the Select Certificate Store dialog check the Show physical stores checkbox and select Trusted Root Certification Authorities -> Registry.

SSL_SelectStore

Click OK, click Next, click Finish. Click Yes in the Security Warning.
Close all dialogs and all open Internet Explorer windows. Open Internet Explorer and try the server URL again; there should be no certificate issues.
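The same procedure scripted, as an added example that is not from the original post or from Infor. It connects to the SERVER host and port, prints the chain the Grid Router sends, picks out the root (the self-signed element) and tells you whether it is already in the computer's Trusted Root Certification Authorities store described in the View Windows Certificates section. With -ExportPath it writes the root to a DER .cer file that can be handed to Group Policy (the distribution option mentioned earlier); with -Install it adds the root to the LocalMachine store, which needs an elevated PowerShell. Assumptions, all mine: Windows PowerShell 5.1 on Windows (the script block callback has to run on the calling thread during the handshake), the host and port from the SERVER parameter, and the file name grid-root.cer.

```powershell
# Added example, not from the original post or from Infor. Assumes Windows PowerShell 5.1;
# $Server and $Port come from the SERVER parameter of the Smart Office install link.

function Get-ServerCertificateChain {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [int]    $Port
    )
    $state = @{ Chain = @(); PolicyErrors = $null }
    # Windows hands the validation callback the chain it built from what the server sent,
    # including an untrusted root. Returning $true only lets this one handshake finish so the
    # chain can be inspected; an always-true callback is never acceptable in application code.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $policyErrors)
        $state.PolicyErrors = $policyErrors
        if ($chain) {
            foreach ($element in $chain.ChainElements) {
                $state.Chain += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($element.Certificate)
            }
        }
        return $true
    }.GetNewClosure()
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)   # this host name is what the Issued to / SAN check runs against
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
    [pscustomobject]@{ PolicyErrors = $state.PolicyErrors; Chain = $state.Chain }
}

function Install-GridRootCertificate {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [int]    $Port,
        [string] $ExportPath,   # write the root as a DER .cer, e.g. for distribution through Group Policy
        [switch] $Install       # add the root to LocalMachine\Root; requires an elevated prompt
    )
    $result = Get-ServerCertificateChain -Server $Server -Port $Port
    Write-Host "Handshake policy errors: $($result.PolicyErrors)"
    $result.Chain | Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize | Out-Host

    # The root is the self-signed element: Issued by equals Issued to.
    $root = $result.Chain | Where-Object { $_.Subject -eq $_.Issuer } | Select-Object -First 1
    if (-not $root) { throw 'The server did not send a self-signed root; obtain it from the Grid administrator.' }

    $alreadyTrusted = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
    [pscustomobject]@{
        Subject        = $root.Subject
        Thumbprint     = $root.Thumbprint
        NotAfter       = $root.NotAfter
        AlreadyTrusted = $alreadyTrusted
    }
    if ($ExportPath) {
        $fullPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($ExportPath)
        [System.IO.File]::WriteAllBytes($fullPath, $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    }
    if ($Install -and -not $alreadyTrusted) {
        # Trusting a root means trusting every certificate it has signed. Compare the thumbprint
        # printed above with the one the Grid administrator gives you before running with -Install.
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        try { $store.Add($root) } finally { $store.Close() }
    }
}

# Usage, with the host and port from the SERVER parameter (4000 is only a placeholder here):
# Install-GridRootCertificate -Server 'server.company.com' -Port 4000 -ExportPath .\grid-root.cer
# Install-GridRootCertificate -Server 'server.company.com' -Port 4000 -Install
```

Run it once without -Install to see the chain and the policy errors (RemoteCertificateChainErrors is what you expect while the Grid root is still untrusted); after the import a second run should report AlreadyTrusted = True and no policy errors, which is the scripted equivalent of the "no certificate issues" check in Internet Explorer.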

Mango Admin Tool – the import and export tool

The Mango Admin Tool is a stand-alone tool for exporting and importing data. It was first delivered in Smart Office 10.1 and is continuously enhanced as we create more tables in the database. The 10.1 version works with 10.0.5.4 as well and is used for migrating data from 10.0.5.4 to 10.1, since 10.1 is a new install. The tool (MangopAdminTool.zip) is located in the AdditionalFiles folder in the download package. You can unzip the tool into a folder on the server or on your client PC. Please note that it has the same .Net 4.5 requirement as Smart Office.

AdminTool

Hints, tips and recommendations

  • You need to be a Smart Office administrator to run the Mango Admin tool.
  • The Mango Admin tool should only be used during a service window.
  • Roamed files can get very large. It is recommended to do the export in two steps: first everything except the roamed files, then the roamed files.
  • Check the MangoServer log, as it prints when the export/import is started and completed.
  • If you get the exception below, it does not necessarily mean that there is an error:
    System.AggregateException: One or more errors occurred. —> System.Threading.Tasks.TaskCanceledException: A task was canceled.
    It is caused by a timeout in the tool because there was no reply from the server. The timeout is specified in a config file next to the tool, see How to change Mango Admin Tool settings below.
  • Only run one export/import at a time. There are versions of Smart Office that do not check for concurrent requests, so in versions prior to 10.2 HF3, especially if you get the exception above, you must check the log for completion before starting another run.
  • If you would like to take a backup, use the management tools provided by the database vendor for the database that Smart Office uses instead of this tool.

Adding a server configuration

You can use the same tool against different servers. You need to enter one configuration per server. The first time the tool is started you will see the dialog below. This dialog can later be opened by clicking the configuration menu in the upper left corner of the application.

Serverconfig

  1. Press the plus sign to create a new server configuration.
  2. Enter a name for the configuration.
  3. Enter the Server Uri in the format https://server.company.com:4000
  4. Press OK to save the configuration.
  5. Back in the Select Server Configuration dialog press OK again to select the server you created.
  6. Once a server configuration is selected you will see the name of the server configuration in the application window title.

Entering a user for logon

You can click the User button to enter an administrator user and password that will be used to connect to the Smart Office server, or you can continue using the tool and get a login prompt when the tool needs to connect to the server. Please note that the user needs to be a Smart Office Administrator and that the same user will be used throughout the session even if you change server configuration.

Using filters and selecting categories

There are three icon buttons for selecting/deselecting all categories for import/export. There is also a filter button that clears all filters.

The filter field supports exact matches and prefix (*) matches. For example, entering the user filter test* and checking ‘Roamed files’ exports all settings, canvas etc. for all users with a user id that starts with test.

How to change Mango Admin Tool settings and reuse configuration

Once you have started the Mango Admin Tool, a MangoAdminToolSettings.xml file is created in the same folder as the tool. It contains the settings for the tool as well as the last used filters etc. and can be edited in a text editor.
This file contains a block with the added Configurations, so it is safe to carry the configurations you have for a previous version of Smart Office over to a new one by copying the Configurations block.

There is one setting for the timeout in the tool, that is how long the tool waits for a reply while the export or import runs. The setting is RequestTimeoutSeconds; if you experience timeouts you can raise it, or split your export/import into chunks.

Import / Export categories

The Mango Admin tool exports and imports the different categories of data stored in the Smart Office server’s database.

Filters
All filter fields accept the following input:

  • A single name, for example a file name: Profile.xml
  • A list of several names, for example: CRMgen.mashup,Items.mashup
  • A simple wildcard expression, for example: *storage.xml

Default canvas files

Canvas files that can be configured for first time users in Settings are stored in this category. The default canvas consists of two parts:
(1) the file name in the Settings Editor and (2) the file in the database. Selecting this data category exports the canvas files.

Server files

The server files contain the MangoClient.application file for the installation point and the predefined widgets file. If you would like to export all predefined widgets, specify the filter as: WidgetSettingsDefinitions.xml.

Settings files

The settings files are the default settings, the settings that are managed in the Settings Editor in Smart Office. Check Include roles to include the rules configured for roles and users. The filter can be set to the name of a settings file, for example Mango.UI.xml or Mango.Core.xml, or to Mango.* for all settings files that start with Mango. Note that the user-specific settings are not included in this category; they are part of the Roamed files data category.

Shared files

These are files that are shared by all users. Links in M3 and S3 are part of this category. The filter can be set to, for example, *M3.xml to get the M3 links.

System files

This data category contains the following files: profile.xml, template.xml

It might also include channels.xml and users.xml from previous versions of Smart Office.

To export the profile xml enter profile.xml as filter.

Category files

Category files is a generic table for storing files. These are the files that can be administered via the Category Files Administration tool in Smart Office. The supported categories are Mashup and Startpad. For the Shared category use Shared files instead, and for System use System files; they cannot be selected as categories and exported here even though they are visible in the Category Files Administration tool.

The first filter field is the name of the component, for example CRM* for all Mashup packages that start with CRM. The category filter is the name of the category, for example Mashup or Startpad.

Select include roles to include role mappings – for example all roles connected to Startpads and Mashups.

Roamed files

The roamed files category contains all user files that are uploaded to and downloaded from the client, for example all user settings files, canvas, favorites, private Startpads, Excel templates and links.

To apply a filter, enter the name of a file or a list of files, for example Favorties.lfv,Canvas.xml to export all users’ favorites and canvas files. To export all files for a specific user, enter a user name in the user filter. This filter works like all the other filters: it can take a list or a simple wildcard expression.

Collaboration users

If you are using Collaboration you can export the list of users and, if you select Include contacts, each user’s contacts as well. Offline messages are not exported, so this export covers user information and contacts only.

Feature files

Including features extracts all features that are installed via LCM. Select this if you move from an H2 database to another database provider; it exports all features and their application definitions. This is potentially a data category with a lot of data, so consider exporting it separately.

Note! If you are setting up a new environment, install all features and applications via LCM and only want to export/import configuration, this category should not be selected.

Importing data

When importing data only select the content that you know is contained in the zip.

How to export data

  1. Make sure you have a service window
  2. Select configuration
  3. Select the data categories to include
    1. Specify filters
    2. Consider exporting roamed files separately
  4. Press Export to start the export
    1. Monitor the MangoServer log for more information as the export runs
  5. Download the MangoData.zip using the Download button or locate the file on disk.
    1. The path to the file will be part of the success message

How to import data

  1. Make sure you have a service window
  2. Select configuration
  3. Upload the MangoData.zip
    • Use the Upload button and browse to the file –or
    • Copy the file to the MangoFiles/MangoImport folder located in a location similar to this: c:\LifeCycle\server.company.com\grid\GridName\grids\GridName\applications\MangoServer\MangoFiles
  4. Select the data categories to import that are included in the zip
    • Specify filters
    • Consider importing roamed files separately
  5. Press Import to start the import
    • Monitor the MangoServer log for more information as the import runs
  6. Wait for a success message in the Mango Admin tool or in the log that the import has completed

Note! The Delete All button clears the content of the database and can be used to clear an environment before importing. There is no undo, so take a backup with the database vendor’s tools first. Use with extreme care :-)

Finding the logs for trouble shooting

How do I find the logs for troubleshooting? In this post I’ll cover the Smart Office log as well as the M3 UI Adapter log. I will not be covering where logs are located in LSF, Landmark, Ming.le or IFS.

For Smart Office there are a few logs that can be of interest. In a previous post we had information about how to find the client log.

Custom data templates in M3 lists with JScript

Changing the appearance of M3 list cells with conditional styles is easy but in some cases you need to do things that require logic that cannot be expressed with conditional styles alone. This post will show you how to change the style of list cells in M3 lists using JScript, custom data templates and custom data template selectors.


Category Files Administration tool

In this post I’m going to give you a bit of information regarding the Category Files Administration tool that has been around since 10.0.5.2. It is a generic tool that handles files in the database, but it can be configured to view files of a specific category, so this tool is also the Mashup File Administration and the Startpad File Administration. The Startpad in 10.0.5 and 10.1 is a separate install which some customers do not install, so in 10.0.5 you might just have the Mashup File Administration; it is in fact the same tool as below, you are just not allowed to change category.