Category Archives: Smart Office Administration

Background server calls for Lawson Applications

Infor Smart Office for Lawson applications provides many custom features which are made possible by meta-data retrieved from the Lawson application server in the background. But these features come at a cost of increased network traffic and additional server utilization which could impact performance.

In a post on the Infor Technology Blog, Vince McGowan explains what the meta-data services are used for and how to disable them. He identifies the background activity and describes the purpose of each call so clients can decide whether the feature is useful enough to justify the cost. If not, there are settings provided to disable them.

Head over to the Infor Technology blog to read the full article.
See more at: http://blogs.infor.com/technology/2017/01/background-server-calls-made-by-infor-smart-office-for-lawson-applications/

 

Downloading a CCSS fix with Life Cycle Manager

In this blog post I’ll show you, with some screenshots, how you can download a feature fix for Smart Office. In this case it is the fix for Process Server. I’ll show you the steps to download the fix and get the contained ZIP so that you can extract all of its content. The zip might contain a feature to be installed or the full zip that contains extra tools for Smart Office.

Download the fix

  1. Login to LCM.
  2. Click Window menu > Preferences sub-menu.
  3. Specify the correct CCSS server url, https://ccss1.infor.com.
  4. Click Apply then OK button.
    lcm_1
  5. Click Actions menu > Retrieve Fixes sub-menu.
  6. Select the correct CCSS Channel ex. InforSmartOffice_10.2.0 (Infor Smart Office 10.2.1).
  7. Log on to CCSS Server using the same userid and password that you use for Infor Extreme Support.
    lcm_2
  8. Select the fix from the list of Available Fixes.
  9. Click Retrieve button.
  10. Click Yes button in Verifying package window.
    lcm_3
  11. Click OK on the notification that Upload is successful.
  12. Open IE, go to CCSS Fixes Available for Download page of the LCM server ex. http://<LCMserver>:<port>/ccss. For us the port is 4062.
  13. Double-click on the fix.
  14. Save the zip file.
    lcm_4
  15. Go to the location where the zip file is saved and extract the zip file.
  16. The extracted file contains the lawsonapp.

Upload the fix

  1. Go back to LCM.
  2. Click Admin menu > Upload Products sub-menu.
  3. Click Upload button.
  4. Locate the downloaded lawsonapp and proceed with upload.
    lcm_5
  5. Click OK on the notification that Operation and Registration is successful.

The new version of the application is available and you can uninstall the previous version and install this new one. In most cases you need to do an upgrade (as described below) but after HF18 and with ProcessServerAndLandmarkAdapters you would want to make a new install at this time. But for HF 19 and later you can go ahead and upgrade.

How to upgrade using the fix

  1. Right-click on the previously installed feature, for example ProcessServerAndLandmarkAdapters,
  2. Select Upgrade.
    lcm_6
  3. Select the correct version.
  4. Click Next button.
    lcm_7
  5. Click Finish button.

Special thanks to Noreen for providing all these steps!

Important Process Server installation changes in 10.2.1 HF18

If you have Process Server installed and running on Landmark, we recommend that you skip HF18 (HF = Hot-Fix) and HF19 and wait for HF20, which will be delivered at the end of January 2017, or apply Post Patch for Infor Smart Office 10.2.1 Core HF19 – IPA Update Only, available as a CCSS fix (ef_ISO1021_HF19_LPA.zip).

Another important message is that installations done before Smart Office 10.2.1 HF18 must uninstall the existing earlier version of the Process Server component before applying HF 18 or later. Read more in the Installation Guide section – Configuring Infor Process Automation or ProcessFlow for use with Infor Smart Office.

That means that if you have Process Server feature installed in a pre-HF18 version of Smart Office, version 10.2.1.0.169 or previous versions, then you must uninstall the Process Server application in LCM and install it again. The reason is that the features included have changed. As of HF18 you should only have one Process Server related feature called Infor.PF in the Manage Installation Point tool.

Previously we had Infor.PF10, Infor.LMRK10, Infor.LMRKA10, see below:
installationpointmanager

Make sure you uninstall and re-install and that you don’t have these old features in the Installation Point Manager. There is also a Manage Application view within the Grid Management pages for MangoServer administration where you can see which applications, features and mashups are installed. You reach it through the Grid Management UI on the server where the server component for Smart Office (MangoServer) is installed.

But as of HF18 there should only be one new Infor.PF feature and the previous should not be used. There is no need to reconfigure anything but you must uninstall the previous version and install the new version. You get the new .lawsonapp from the hotfix that is downloaded in LCM. In my next post I’ll show you how.

Smart Office 10.2.1 Hot Fix 6 is released

Last week we released update 6 for Smart Office Build 10.2.1.0.54. It has some nice new features that you should know about, especially for Lawson customers but also general performance improvements. You will notice performance improvements if you are running large Mashups but also in both Lawson and M3 Forms.

I’ve also added a new link to a new blog from iStone that you might find interesting, M3 Usability Blog.

Special thanks to Vince for the Lawson update below. For more Smart Office and Lawson related information be sure to follow the Infor Lawson Technology blog.

For additional information regarding Infor Smart Office Hot Fix 6 (Build 10.2.1.0.54) and a list of bug fixes and enhancements see KB article 1626878 on Infor Xtreme.

Lawson Import / Export tool

There are a few different tools for exporting and importing. There is a stand-alone tool called Mango Admin that we have written about before, but it has its limitations: M3 and Lawson, for example, have other user-related data as well, and Mango Admin only exports data on the Smart Office server. There is the export / import manager in Smart Office for settings and predefined widgets (with meta-data for Lawson widgets). But there are also other types of user data such as scripts and personalization files, and for M3 and Lawson those files are located on the MUA / Lawson application server. M3 has the Personalizations tool and a Files tool that can export scripts and personalization files separately. As of 10.2.1.0.54 Lawson has a great new tool that allows administrators, or anyone granted access via their Role, to export the various personalization files stored on the Lawson application server to a zip file. Once exported, this file can then be used to import the files to another server.

ImportExportLawson

Because many personalization files are associated with a Data Area and often the Data Area on the target server will be named differently than the Data Area on the source server, a dialog for ‘mapping’ the names and specifying which Data Areas to process is also provided.

DataArea

Smart Office LSF Administration Tools

Beginning with HF 6 of 10.2.1 Smart Office, a number of LSF Administration tools are made available.  These are the same tools available in Lawson/Ming.le.  The tools available are dependent on the version of LSF.

LSF 9.0.1.14

  • Language Definition
  • Printer Definition
  • Printer Group Definition

LSF 10.0.6

  • Job Queue Definition
  • Language Definition
  • Locale Definition
  • Printer Definition
  • Printer Group Definition

LSF 10.0.7

  • Distribution Group Definition
  • Job Queue Definition
  • Job Queue Group Definition
  • Language Definition
  • Locale Definition
  • Printer Definition
  • Printer Group Definition

LSF 10.0.8

  • Distribution Group Definition
  • Distribution List Group Definition
  • Job Queue Definition
  • Job Queue Group Definition
  • Language Definition
  • Locale Definition
  • Printer Definition
  • Printer Group Definition

Controlling Access

Users with PortalAdmin access will be able to access any of the tools that are available without any need for additional configuration.  Navigator widget links will be available under a new branch of Infor Lawson, LSF Administration Tools, for any user with access to one or more tools.

Navigator

For non-Admin users, access to the tools can be granted on the Administration tab in Role Manager.

RoleXml

Distribution Group Definition

DistributionGroup

Distribution List Group Definition

ListGroup

Job Queue Definition

QueueDef

Job Queue Group Definition

QueueGroupDef

Language Definition

LangDef

Locale Definition

LocaleDefinition

Printer Definition

printerDef

Printer Group Definition

printerGroupDef

Language Translation

For Languages other than English, a Translation Maintenance screen with several tabs is available to translate various phrases and messages defined in the system.  A page size can be selected to set the number of records returned. And columns with a filter field can be filtered much like filters work elsewhere within Lawson screens.

translation

To edit a phrase or message simply click on the Edit icon or the text under Translation:

editTranslation

When done editing on a particular tab, click the Save toolbar button to save changes for that tab. No reminder to save changes will be presented, but the Save button is only enabled if there are pending changes and each line with a pending change will be highlighted with a yellow icon on the left edge.

Phrases Translation

Phrases

Column Phrases Translation

ColumnPhrases

Titles Translation

titles

Value Lists Translation

values

Universe Message Translation

message

Application Messages Translation

appMessage

Scaling out Smart Office server

Scaling out the Smart Office server can be done for different reasons: to serve more users or to create a more robust environment.

When talking about scaling out an environment, it is not only the Smart Office server that needs to be considered; the Grid Registry, the Grid Session Provider and the connection points into Grid (Grid Routers) must be included as well.

This article describes one way of creating an environment with Smart Office that can handle a larger number of users and also be more resilient to malfunctioning hardware, using Infor Smart Office 10.2.1 and Infor ION Grid 11.1.13.

As a starting point Grid, LDAP Session Provider and Smart Office have already been installed.

Adding a host to Grid

The first thing needed is to add another host to the Grid, and to be able to do that the host must first be added in Lifecycle Manager (LCM). The process of adding a host in LCM is described in the LCM install guide. The steps are briefly described below.

  1. On the new host go to the LCM portal page, normally http://server:4062 and download the Service Installation.
    1_LCMService
  2. Install the service with java.exe -jar installLcmService.jar
  3. After the installation the new host will be visible in the LCM client.
    2_LCMAddedHost

Now when LCM knows about the new host, Grid needs to span to the new host as well.

To add a host to the Grid:

  1. Find your Grid in the LCM client, right click on Grid Hosts and select Add Host.
    2_HostAdded
  2. In the Add Host dialog, select the host previously added to LCM and press Next followed by Finish. Change ports, name etc if needed.
    4_LCMAddHostDialog
  3. In the Grid Topology View the new host should be visible.
    5_GridViewHostAdded

Grid Registry

The Grid Registry cannot run simultaneously on several hosts, it can only run on one host at a time. But there is a failover mechanism. The failover mechanism will make sure the Grid Registry starts on another host if the primary host malfunctions.

To enable failover for Grid Registry do the following.

  1. In the LCM client find the Grid Hosts, right click on the one that is tagged with registry and select Configure Registry Failover.
    6_FindRegistry
  2. In the Configure Registry Failover dialog, select the new host and press Next followed by Finished. (The Grid needs to re-start when changing the Grid Registry failover settings).
    7_ConfigureRegistryFailoverDlg
  3. Wait for the configuration task to finish and Grid to start again. The failover host should now be tagged with failover.
    8_VerigyRegistryFailover

Grid Routers and Load balancer

A load balancer must always be placed in front of Grid as the single entry point, so that it is still possible to connect to the Grid even if a host running a Router dies. A client will not know if a Grid host is failing or another host is added since it always connects to the load-balancer. But what if the load-balancer dies? There are techniques for having clustered load-balancers as well, but that is out of scope for this article.

In order for the load balancer to balance the calls to different servers there must be a Grid Router on each host. The load-balancer is configured with the hosts and https ports to the Grid Router on each host.

The load-balancer should also have a health mechanism so it automatically removes a host if it malfunctions.

Where to put the SSL certificate? Whether it belongs in the load balancer, in the Grid Routers or in both can be debated. There are pros and cons with all solutions. The solution that works best with all Grid Session Providers and has fewer security flaws is to put the SSL certificate in the Grid Routers and configure the load-balancer for TCP pass-through.

9_SSL_Loadbalancer

Note that the SSL certificate used in each Grid Router must be issued with the load balancer address and it is recommended to use the same certificate in all routers.

Grid Routers

Either create a new Grid Router on each host that should be included by the load balancer or configure one router to be started on <all hosts>.

10_Router

Below is the Default Router set to be started on all hosts and they will all be using the same HTTPS port.

11_Router_AllHosts

SSL Certificate

SSL certificates are managed per host, not per Grid Router, and must therefore be added for each host. It is recommended to use the exact same certificate on all hosts, since clients may be confused if they get a different SSL certificate depending on which host is being called through the load balancer.

Before creating any SSL certificates decide the address of the load balancer.

To create a SSL certificate from an internal Certificate Authority (CA) and add it to all hosts do the following.

  1. In Grid Management Pages go to Configuration Manager -> Security->Certificates and click Manage Certificate on one of the hosts.
    12_Certificates1
  2. Click the Create Certificate Signing Request (CSR).
    13_Certificates2
  3. In the Create Certificate Signing Request (CSR) dialog make sure to change the Host FQDN (CN) value to the load balancer address. In this example I have also added the two host names as alternative names to remove certificate error if accessing them directly without going through the load balancer. It is not necessary to do so. Click the Create Request Overwrite Keys.
    13_Certificates3
  4. Send the certificate request to your Certificate Authority and receive a certificate chain back, usually a .p7b file.
  5. Now import the certificate chain by clicking Import Signed SSL Certificate and select the file received from the certificate authority, followed by  Import Certificate, followed by Import.
    14_Certificates4
  6. The SSL certificate is now located on one of the hosts. To be able to import it on the second host, export the SSL certificate by clicking Export SSL Certificate with private key. Use Oracle's Java key-store and give the key-store a password.
    15_Certificates5
  7. Go back to Configuration Manager->Security->Certificates and select the other host.
  8. Click Import SSL Certificate with private key. Select the file previously exported.
    16_Certificates6
  9. Now both of the Grid Routers will use the same SSL certificate.

Load balancer

In a production environment a load-balancer is most often a piece of hardware, for more information contact your hardware vendor. In a test environment a software load-balancer can be used. For this blog post I used http://nginx.org/ which has a community edition that is free and works on several operating systems including Windows. In my example I have configured nginx with TCP pass-through to two servers. The configuration file is similar to this.

stream {
  server {
    listen 3443;
    proxy_pass grids;
  }
  upstream grids {
    server server1.infor.com:55151;
    server server2.infor.com:55151;
  }
}

For more details see the nginx documentation.

Grid Applications

Some Grid Applications can be scaled out to several machines, other cannot. Some can run several instances at the same time and some cannot. Both Smart Office and the different Grid Session Providers are Grid Applications and have some different characteristics. The details are listed below.

Even if a Grid Application cannot run two instances at the same time most Grid Applications can be started on another host if the original host dies. Within minutes a fully working environment is up and running without human interaction.

There are a couple of things that need to be prepared and considered when implementing a complex environment when it comes to Grid Applications.

  • Deploy Grid Applications to hosts
  • Configure Grid Bindings
  • Make sure there is enough memory

Deploy Grid Applications

Deploying a Grid Application to a host is a matter of distributing the binaries, nothing will run just by deploying a Grid Application to one or more hosts.

To deploy a Grid Application to a host, in the LCM client find the installed Grid Application, right click and select Application Maintenance->Deploy Application on Hosts

17_DeployApplication

In the Deploy Application on Hosts dialog, select the hosts where the application should be able to run and press Next. Press Finish.

The Grid Application is now possible to start on all hosts it is deployed to.

Grid Bindings

The Bindings for a Grid application is found on the application page in Grid Configuration Manager.

18_Bindings

Click the pencil to edit the Binding.

19_Binding1

For a robust scenario you would like to have the Grid Application run on a minimum of two hosts always to ensure having at least one instance running even if a host dies. Mark the hosts where this binding should be enforced and select Constraint Type to be Per Host. This configuration will result in one instance of the application running on each of the selected hosts.

Setting Constraint Type to Global and Min to 2 would result in almost the same behavior. There will still be two instances of the application but it is not defined whether the running instances will be started on the same host or not.

For an application that can only run in a single instance, the following configuration results in failover behavior: Constraint Type = Global and Min = 1.

20_Binding2

If the host where the application runs dies, Grid will make sure that the application is started on another host that has been marked in the Binding. By using the Preferred Host property it is possible to hint where the application should run if all hosts are working fine. Within minutes a new instance has started if the first host dies.

Resources

When a Grid Application cannot run several instances at the same time but has been deployed to several hosts, Grid will start the application on another host if the preferred host dies. Verify in advance that there is enough memory left on the host where the application is supposed to start when a failover occurs.

Note that memory consumption from other applications will not be taken into account.

Grid Session Provider

There are several Session Providers that can be used in Grid (LDAP, Windows, SAML and DSSO). In practice it is only the SAML Session Provider that both supports failover and can run on multiple hosts. For these reasons it is recommended to always use the SAML Session Provider in environments that require high stability.

Use the methods described above to deploy the session provider to additional hosts and configure the bindings. The table below describes what each Session Provider supports.

| Session Provider | Can be deployed to several hosts | Can run multiple instances |
|---|---|---|
| LDAP SP 1.10.14 | Yes* | Yes* |
| Windows SP 1.10.7 | Yes | No |
| SAML SP 1.13.12 | Yes | Yes |
| DSSO SP 2.0.7 | No | No |

* LDAP SP can only be deployed to several hosts if configuring the connection to the LDAP with the LDAP protocol. If using LDAPS or Start TLS protocol the LDAP SP will not function properly if deployed to another host. Note! The LDAP protocol should never be used since it sends userid and password in clear text over the network.

Configure Smart Office when using a load-balancer

The Smart Office server must be configured to execute on more than one host and the installation point must be configured to use the load-balancer.

Server

Configuring Smart Office server when using a load-balancer is done with a few steps.

  1. Deploy Smart Office Server to more than one host by following the steps above.
  2. Configure the Smart Office binding to use more than one host, set Constraint Type to Per Host and set Min to 1. After saving the Binding the Smart Office will immediately start on the new host.

Installation Point

When installing the Smart Office client Microsoft Click Once verifies that the installation point URL stated in the installation matches how the installation is accessed. When accessing the installation point through a load balancer, it is the load balancer address that must be put in the Click Once installation. The Smart Office client must also know the URL to the Smart Office server, which also goes through the load balancer.

To change these URLs open the management pages for Smart Office in Grid Management Pages and click Installation Point Configuration.

21_InstallPointConfiguration1

Change the Installation URL and HTTPS URL to the Grid to point to the load balancer. I am using the https port only, but if the load-balancer is configured to pass through both http and https, http can of course still be used for the installation point. Do not forget to save (some versions of Smart Office have a bug that wrongly shows the old values after saving).

22_InstallPointConfiguration2

Now use the normal procedure described in the installation guide on how to export/sign/import the installation point.

To install Smart Office client open an Internet Explorer and navigate to https://<load_balancer_address>:port/mango

Smart Office limitations when using a load-balancer

Collaboration does not work properly when using a load-balancer and should be turned off.

Turn off collaborations by setting the property Enable collaboration server to false.

23_Collaboration

M3

Both M3 UI Adapter and M3 H5 Client Enterprise can be configured as Smart Office server, and both can be deployed to several hosts and run multiple instances at the same time. The process of deploying the application to another host and configuring the Grid Bindings is exactly the same for both M3 UI Adapter and M3 H5 Client Enterprise.

Securing Smart Office communication with SSL

“Certificates, certificates, certificates! I do not want to hear another word about certificates!”, famous words from a frustrated colleague of mine. But the truth is that how SSL certificates are used to secure HTTP communication is not always easy to understand. Security is always tricky and troubleshooting security issues is always a pain. This article will of course focus on Smart Office but almost everything described is valid for any web application as well.

General SSL information

HTTPS encrypts the traffic between the clients and the server and also protects against man-in-the-middle attacks. To ensure server identity (and so prevent a man-in-the-middle attack), the server address from the URL is included in the SSL certificate.

Even though this article is about Smart Office it is easier to troubleshoot and verify SSL certificates through a browser. If the browser can show a HTTPS URL without errors, Smart Office will not have a problem with the URL either.

To view an existing certificate used in a web-site, open up Internet Explorer and navigate to the HTTPS URL. In the example below I have used Google mail.

SSL_IE

Click the padlock and then click View Certificates. It looks slightly different in different Internet Explorer versions or when using some other browser.

SSL_CertGeneral

There is some important information on the first tab.

The Issued to: field contains the URL that the SSL certificate is valid for. If accessing the machine through any other URL (IP or only “mail” if you happen to be on the google.com intranet) the browser will report an error. This means that for every server exposing a HTTPS connection a unique SSL certificate must be used. There is however one way to reduce the number of SSL certificates and that is to create a so-called wildcard certificate. A wildcard certificate may have an Issued to value like *.google.com. Such a certificate could be used for all servers in the google.com domain. Using a wildcard certificate is less secure than using unique certificates.

Another feature of SSL certificates that can be useful is the ability to add on alternative names. If a server has one or more aliases in the DNS it is possible to create a SSL certificate that is valid for more than one URL. On the Details tab there may be a field called “Subject Alternative Name” that lists all the server names the certificate is valid for.

SSL_AlternativNames

The certificate in this example is valid for both mail.google.com and inbox.google.com.

Now back to the General tab again.

The Valid from, to fields show the date interval when the SSL certificate is valid. If the SSL certificate has expired the browser will show an error. It is the current date on the client machine that must be in the date interval.

The Issued by: field shows the certificate that has issued (created) the certificate. A self-signed certificate would show the same name in the Issued by: field as the Issued to: field.

On the Certificate Path tab the whole certificate chain is shown.

SSL_Chain

The top most certificate, “GeoTrust Global CA” in this example, is called the root-certificate and must be in the Trusted Root Certificate Authorities list in Windows. If the certificate is not in the list, the browser will show an error when connecting to the HTTPS URL.

SSL_CertTool

Fortunately Microsoft is maintaining this list for us for all the bigger commercial root certificates and is pushing them out to all Windows operating systems through patches. A root-certificate is always a self-signed certificate.

A short summary of what must be fulfilled for a valid HTTPS connection:

  • The HTTPS URL must be exactly as the Issued to field or any of the alternative names.
  • The root-certificate must be in the Trusted Root Certificate Authorities list in Windows.
  • The current date of the client machine must be in the Valid from, to interval of both the SSL certificate and the root-certificate.

Note that the port number is not included in the SSL verification, which means that the same SSL certificate can be used for all HTTPS endpoints on a machine regardless of which port they use.
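As an added illustration (not code from the original post or from Infor), the name and date conditions above can be checked in Python against certificate fields in the shape `ssl.SSLSocket.getpeercert()` returns. It goes slightly beyond the text by applying the RFC 6125 rule that the Issued to name is not consulted once DNS alternative names are present, which matters for the load-balancer CSR in the scaling-out post on this page. The example.com names and all dates are constructed, and root trust is left to the TLS library.

```python
import ipaddress
import ssl
from urllib.parse import urlsplit

# Constructed sample certificates in the dict shape getpeercert() returns.
# The google.com names are the ones shown in the article; the example.com
# names and every date are made up for this example.
VALID = {"notBefore": "Jan  1 00:00:00 2016 GMT",
         "notAfter": "Dec 31 23:59:59 2016 GMT"}
MAIL_CERT = dict(VALID,
    subject=((("commonName", "mail.google.com"),),),
    subjectAltName=(("DNS", "mail.google.com"), ("DNS", "inbox.google.com")))
WILDCARD_CERT = dict(VALID,
    subject=((("commonName", "*.google.com"),),),
    subjectAltName=(("DNS", "*.google.com"),))
# CN is the load balancer; the alternative names list only the two Grid hosts.
LB_CERT = dict(VALID,
    subject=((("commonName", "lb.example.com"),),),
    subjectAltName=(("DNS", "host1.example.com"), ("DNS", "host2.example.com")))
# Same certificate with the load balancer address repeated as an alternative name.
LB_CERT_WITH_SAN = dict(LB_CERT,
    subjectAltName=LB_CERT["subjectAltName"] + (("DNS", "lb.example.com"),))


def presented_names(cert):
    """Return (dns_names, ip_addresses) the certificate is valid for.

    RFC 6125: when the Subject Alternative Name extension carries DNS names,
    the subject commonName ("Issued to") is not used for matching at all.
    """
    san = cert.get("subjectAltName", ())
    dns = [value.lower() for kind, value in san if kind == "DNS"]
    ips = [value for kind, value in san if kind == "IP Address"]
    if not dns:  # legacy fallback for certificates without DNS alternative names
        for rdn in cert.get("subject", ()):
            dns += [value.lower() for key, value in rdn if key == "commonName"]
    return dns, ips


def dns_name_matches(pattern, host):
    """Compare one certificate name with a host name, label by label."""
    p_labels = pattern.split(".")
    h_labels = host.rstrip(".").lower().split(".")
    if p_labels[0] != "*":
        return p_labels == h_labels
    # A wildcard stands for exactly one leftmost label. Simplification used
    # here: at least two fixed labels must follow it, so "*.com" never matches.
    if len(p_labels) < 3 or len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def check_endpoint(cert, url, now):
    """Return a list of problem codes for url at time now (epoch seconds)."""
    host = urlsplit(url).hostname or ""  # the port is dropped here on purpose
    dns, ips = presented_names(cert)
    try:
        address = ipaddress.ip_address(host)
    except ValueError:
        address = None
    if address is not None:  # IP literals only match IP alternative names
        named = any(ipaddress.ip_address(ip) == address for ip in ips)
    else:
        named = any(dns_name_matches(pattern, host) for pattern in dns)
    problems = [] if named else ["name-mismatch"]
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not-yet-valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Jun  1 00:00:00 2016 GMT")
    for cert, url in [
        (MAIL_CERT, "https://inbox.google.com:8443/"),
        (MAIL_CERT, "https://mail/"),
        (WILDCARD_CERT, "https://a.mail.google.com/"),
        (LB_CERT, "https://lb.example.com:3443/mango"),
        (LB_CERT_WITH_SAN, "https://lb.example.com:3443/mango"),
    ]:
        print(url, check_endpoint(cert, url, now) or "OK")
```

When alternative names are added to a CSR whose Host FQDN (CN) is the load balancer address, also listing the load balancer address among the alternative names avoids the mismatch shown for `LB_CERT`.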

View Windows Certificates

To open the Certificates tool shown above, open a CMD window, type mmc.exe and press enter. The Microsoft Management Console should be shown. Select File->Add/Remove Snapin… Select Certificates and press Add, select Computer account and press Next. Select Local computer and press Finish.

| Mode of acquisition | Advantages | Disadvantages |
|---|---|---|
| Issued by a third-party vendor. | Works for clients from any domain. | Additional expense; delivery time gap. |
| Issued by an in-house certificate authority | Inexpensive; automatically applies to all clients in the internal network. | Configuration and maintenance of certification server is needed; applies only to domain clients. |
| Self-signed certificate | Inexpensive and easy to use especially for test environments. | Must be installed at all client machines. Not secure. |

Self-signed certificates are almost never used together with Smart Office and are not discussed in this article.

Recommendations on when to buy and when to use an in-house Certificate Authority come in the next section.

Infor Smart Office and Infor ION Grid

Infor ION Grid (Grid) is the application container where the Smart Office server is running.

When installing Grid it will actually create its own root-certificate and use that certificate when issuing all other certificates in the Grid, you can say that the Grid has its own Certificate Authority. For each Grid Host there is a SSL certificate created and all Grid Routers on that host will use the same SSL certificate (in future Grid versions there may be an option to change SSL certificate per Grid Router).

SSL_Grid

In Grid 1.11 the SSL certificate key-stores are located on each Grid Host in the folder <LCM service>\grid\<Grid name>\grids\<Grid name>\secure\. The key-store file-name is https.ks and the key-store password is stored in https.pw. The key-store is a Java key-store that can be manipulated with the JDK tool keytool.exe. The only time it is necessary to manipulate it manually is when you want to re-use an existing SSL certificate.

For Smart Office to be able to use an out-of-the-box installation the Grid root-certificate must be placed in the Trusted Root Certification Authorities list in Windows. There is an instruction at the end of this blog post on how to do that.

Using an out-of-the-box installation that requires manual steps to start Smart Office may be cumbersome if you have many users, especially if the users do not have much computer skill or do not have administrative rights on their computers.

There are a few different ways to make it easier for the users, which way to go depends on how Smart Office is going to be used and the intranet infrastructure already in place at the customer.

  • Is Smart Office going to be used over open internet? If yes, I recommend buying a certificate from a third-party vendor. Securing Smart Office and Grid to be used over open internet requires some serious configuration and is not covered here.
  • Does the customer have an in-house Certificate Authority?
    If yes, use it to create SSL certificates. Both Windows server 2008 and Windows server 2012 come with a Certificate Authority.
    If no, can the customer install one?
  • As a last resort, it is possible to distribute the Grid root certificate through a Windows policy. How to distribute a certificate is described in the Smart Office administration guide, or google it.

There are instructions in the Infor ION Grid Security Administration Guide on how to make a certificate request through the Grid Configuration Manager and how to import the actual certificate after it is created by the Certificate Authority.

Smart Office

Smart Office requires that all communication between the Smart Office client and the Smart Office server is made over HTTPS. Smart Office features executing inside of Smart Office, like the M3 MForms and the Lawson SForms, may or may not require HTTPS, even though the recommendation is to always use HTTPS. Each Smart Office Feature normally has its own section in the Profile Editor URLs where URLs to back-end systems are configured.

Security considerations

The general recommendation is to use at least a 2048-bit key for an SSL certificate, but there is more than just the key size that makes a connection secure. Read more in this article: http://www.symantec.com/connect/blogs/ssl-ciphers-beyond-private-key-and-certificate

Here are also some other interesting links that can be worth reading.

http://www.symantec.com/connect/blogs/deadline-upgrade-2048-bit-ssl-certificates-sooner-you-might-think
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
https://nakedsecurity.sophos.com/2013/05/27/anatomy-of-a-change-google-announces-it-will-double-its-ssl-key-sizes/

Appendix: How to install the Grid root certificate

The easiest way of installing the Grid root certificate is to go to the Smart Office installation page, normally something like http://server.company.com:port/mango, right-click on the text Install Infor Smart Office and select Copy link address.


Paste the link in a text editor and find and copy the value of the SERVER parameter, something like https://server.company.com:port

Start Internet Explorer as an administrator and navigate to the copied SERVER URL. The Grid information page should be shown and there should be a certificate issue.


Click the Certificate error and click View Certificates. Select the Certification Path tab, select the root certificate and click View Certificate.


In the new Certificate dialog click Install Certificate…. In the Certificate Import Wizard select Local Machine and click Next. Select Place all certificates in the following store and click Browse…. In the Select Certificate Store dialog check the Show physical stores checkbox and select Trusted Root Certification Authorities->Registry.


Click OK, click Next, click Finish. Click Yes in the Security Warning.
Close all dialogs and all open Internet Explorer windows. Open Internet Explorer and try the server URL again; there should be no certificate issues.
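
The steps above trust whichever root the server presents in the browser session. The following PowerShell script is an added example, not from the original post or from Infor documentation: it checks a root certificate file (for instance one saved from the Certificate dialog with Details > Copy to File) against a thumbprint obtained from the Grid administrator and against the 2048-bit recommendation from Security considerations, and only then imports it into the Local Machine Trusted Root store. The file path and the expected thumbprint are placeholders supplied by the caller.

```powershell
# Added example: verify a Grid root certificate file before trusting it machine-wide.
# Run in an elevated Windows PowerShell session. Both parameters are placeholders
# supplied by the caller; neither value comes from the original article.
param(
    [Parameter(Mandatory = $true)] [string] $CertPath,           # root certificate exported to a .cer file
    [Parameter(Mandatory = $true)] [string] $ExpectedThumbprint  # SHA-1 thumbprint from the Grid administrator
)
$ErrorActionPreference = 'Stop'

$path = (Resolve-Path -LiteralPath $CertPath).ProviderPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# 1. Identity: compare with the thumbprint received out of band.
#    Strip spaces and invisible characters that come along when copying from dialogs.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Not installing."
}

# 2. A root certificate is self-issued; anything else does not belong in the Root store.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a root certificate: issued by '$($cert.Issuer)'."
}

# 3. Validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 4. Key size: the 2048-bit minimum applies to RSA keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($null -eq $rsa) {
    Write-Warning "Public key is not RSA; review key strength manually."
} elseif ($rsa.KeySize -lt 2048) {
    throw "RSA key is only $($rsa.KeySize) bits; at least 2048 is recommended."
}
Write-Output "Signature algorithm: $($cert.SignatureAlgorithm.FriendlyName)"

# 5. Install into Local Machine > Trusted Root Certification Authorities, unless already there.
$store = 'Cert:\LocalMachine\Root'
if (Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }) {
    Write-Output "Already trusted: $($cert.Subject)"
} else {
    Import-Certificate -FilePath $path -CertStoreLocation $store | Out-Null
    Write-Output "Installed $($cert.Subject) [$($cert.Thumbprint)] into $store"
}
```

The same checked .cer file is the one to hand to a Windows policy when the certificate is distributed centrally instead of per machine.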

Mango Admin Tool – the import and export tool

The Mango Admin Tool is a stand-alone tool for exporting and importing data. It was first delivered in Smart Office 10.1 and is continuously enhanced as we create more tables in the database. The 10.1 version works with 10.0.5.4 as well and is used for migrating data from 10.0.5.4 to 10.1 since 10.1 is a new install. The tool (MangopAdminTool.zip) is located in the AdditionalFiles folder in the download package. You can unzip the tool in a folder on the server or on your client PC. Please note that it has the same .Net 4.5 requirement as Smart Office.


Hints, tips and recommendations

  • You need to be a Smart Office administrator to run the Mango Admin tool.
  • The Mango Admin tool should only be used during a service window.
  • Roamed files can get very large. It is recommended to do the export in two steps. First all but the roamed files and then the roamed files.
  • Check the MangoServer log as it will print out when the export/import is started and completed.
  • If you get the exception below – this does not mean that there is an error:
    System.AggregateException: One or more errors occurred. ---> System.Threading.Tasks.TaskCanceledException: A task was canceled.
    It is caused by a timeout in the tool because there was no reply from the server. The timeout is specified in a config file next to the tool, see How to change tool settings.
  • Only run one export/import at a time. There are versions of Smart Office that do not check for concurrent requests. Especially if you get the exception above, you must check the log for completion in versions prior to 10.2 HF3.
  • If you would like to take a backup you should use the Management tools provided by the database provider for the database that Smart Office uses instead of this tool.

Adding a server configuration

You can use the same tool to run against different servers. You need to enter a configuration per server. The first time the tool is started you will see the dialog below. This dialog can later be opened by clicking the configuration menu in the upper left corner of the application.


  1. Press the plus sign to create a new server configuration.
  2. Enter a name for the configuration
  3. Enter the Server Uri in the format https://server.company.com:4000
  4. Press OK to save the configuration
  5. Back in the Select Server Configuration dialog press OK again to select the server you created
  6. Once a server configuration is selected you will see the name of the server configuration in the application window title

Entering a user for logon

You can click the User button to enter an administrator user and password that will be used to connect to the Smart Office server or you can continue using the tool and when the tool needs to connect to the server you will get a login prompt. Please note that the user needs to be a Smart Office Administrator and that the same user will be used throughout the session even if you change server configuration.

Using filters and selecting categories

There are three icon buttons that can be used for selecting / deselecting all categories for import/export. There is also a filter button that will clear all filters.

The filter field supports exact matches and start (*) matches. For example, entering a user filter test* and checking ‘Roamed files’ will export all settings, canvas etc. for all users with a user id that starts with test.

How to change Mango Admin Tool settings and reuse configuration

Once you have started the Mango Admin Tool, a MangoAdminToolSettings.xml file is created in the same folder as the tool. It contains a list of settings for the tool as well as the last used filters etc. and can be edited in a text editor.
This file contains a block with the added Configurations, so it is safe to copy the configurations you have for a previous version of Smart Office to a new one by copying the Configurations block.

There is one setting for the timeout in the tool – that is how long the tool will wait for a reply while the export or import is done. The setting is RequestTimeoutSeconds and if you experience timeouts you can change this to a higher value – or split your export/import in chunks.

Import / Export categories

The Mango Admin tool is for exporting and importing different categories of data that are stored in the Smart Office server’s database.

Filters
All filter fields can take the following input:

  • A name, for example a file name. For example: Profile.xml
  • A semicolon separated list. For example: CRMgen.mashup,Items.mashup
  • A simple wildcard expression. For example: *storage.xml

Default canvas files

Canvas files that can be configured for first-time users in settings are stored in this category. The default canvas consists of two parts:
(1) the file name in the Settings Editor and (2) the file in the database. Selecting this data category will export the canvas files.

Server files

The server files contain the MangoClient.application file for the installation point and the predefined widgets file. If you would like to export all predefined widgets, specify the filter as: WidgetSettingsDefinitions.xml.

Settings files

The settings files are the default settings, the settings that are managed in the Settings Editor in Smart Office. Check include roles to include rules configured for roles and users. The filter can be set to the name of the settings file, for example: Mango.UI.xml, Mango.Core.xml or Mango.* for all settings files that start with Mango. Note that the user-specific settings are not included in this category. They are part of the Roamed files data category.

Shared files

These are files that are shared by all users. Links in M3 and S3 are part of this category. The filter can be set to for example *M3.xml to get the M3 links.

System files

This data category contains the following files: profile.xml, template.xml

It might also include channels.xml and users.xml from previous versions of Smart Office.

To export the profile xml enter profile.xml as filter.

Category files

Category files is a specific generic table for storing files. These are the files that can be administered via the Category Files administration tool in Smart Office. The categories that are supported are: Mashup and Startpad. For the category Shared, Shared files should be used, and for System, System files should be used. It is not possible to add them as categories and export them here even if they are visible in the Category Files Administration tool.

The first filter field is the name of the component, for example CRM* for all Mashup packages that start with CRM. The category filter is the name of the category, for example Mashup or Startpad.

Select include roles to include role mappings – for example all roles connected to Startpads and Mashups.

Roamed files

The roamed files contain all user files that are uploaded and downloaded to the client. For example all user settings files, Canvas, Favorites, private Startpads, Excel templates and links.

To apply a filter, enter the name of the file or a list of files, for example Favorties.lfv,Canvas.xml in order to export all users’ favorites and canvas files. To export all files for a specific user, enter a user name in the user filter. The filter is the same as all other filters; it can take a list or a simple wildcard expression.

Collaboration users

If you are using Collaboration you can select to export the list of users, as well as their contacts if you select to include contacts. Offline messages will not be exported, so this export is for user information and the contacts each user has.

Feature files

Including features will extract all features that are installed via LCM. You should select this if you move from an H2 database to another database provider. This will export all features and their application definitions. This is potentially a data category with a lot of data that you can consider exporting separately.

Note! If you are setting up a new environment and are installing all features and applications via LCM and you only want to export/import configuration, this category should not be selected.

Importing data

When importing data only select the content that you know is contained in the zip.

How to export data

  1. Make sure you have a service window
  2. Select configuration
  3. Select the data categories to include
    1. Specify filters
    2. Consider exporting roamed files separately
  4. Press Export to start the export
    1. Monitor the MangoServer log for more information as the export runs
  5. Download the MangoData.zip using the Download button or locate the file on disk.
    1. The path to the file will be part of the success message

How to import data

  1. Make sure you have a service window
  2. Select configuration
  3. Upload the MangoData.zip
    • Use the Upload button and browse to the file –or
    • Copy the file to the MangoFiles/MangoImport folder located in a location similar to this: c:\LifeCycle\server.company.com\grid\GridName\grids\GridName\applications\MangoServer\MangoFiles
  4. Select the data categories to import that are included in the zip
    • Specify filters
    • Consider importing roamed files separately
  5. Press Import to start the import
    • Monitor the MangoServer log for more information as the import runs
  6. Wait for a success message in the Mango Admin tool or in the log that the import has completed

Note! The Delete All button will clear the content in the database and can be used to clear an environment before importing. Use with extreme care 🙂