To set up a service for MI socket trusted connections

  1. Create or modify the MISOCKET service in Landmark.
    Note: 

    If an MISOCKET service already exists, it probably already has the required configuration. However, if it does need modification, use update instead of add in the following commands.

    1. Create an MISOCKET service, using the following commands to create the service and set the service properties.

      secadm service add MISOCKET --description MISocketConnection --servicetype MISocket --version 2.0 --loginscheme SSOPV2

      secadm service property add MISOCKET HostName --propertyvalue M3ServerHost

      secadm service property add MISOCKET Port --propertyvalue M3ServerPort

      where

      M3ServerHost is the M3 Business Engine server host

      M3ServerPort is the boot.batchdispatcher port

    2. Make sure that existing M3 BE users have identities on the MISOCKET service. To add users, use the following commands:

      secadm identity add MISOCKET M3User

      secadm actor assign LandmarkUser MISOCKET M3User

      where LandmarkUser is an actor in Landmark and M3User is a user on the M3 Business Engine system.

  2. In the Landmark environment, run secadm mitrustsetup, with the following syntax:

    secadm mitrustsetup create --miservice MISOCKET --alias Landmark-envname

    This accomplishes the following:

    • In .ssokeystore, a key pair and self-signed certificate with alias Landmark-envname_rsa are created.

    • On the MISOCKET service, the service property SystemDN is set to "cn=Landmark-envname,o=lawson". This is so that Landmark knows which certificate to present to the M3 Business Engine.

    • In LASYSDIR, an exported certificate file is created: Landmark-envname_rsa.cer

  3. Copy the certificate file (LASYSDIR/Landmark-envname_rsa.cer) to the M3 BE environment.
  4. Log in to the M3 BE server and go to the environment directory for the M3 BE environment.

    On non-Windows platforms:

    cd Properties/mvx/res

    On Windows:

    cd Properties\mvx\res

  5. Find the keystore password in MOVEX.properties. It is the value of auth.keystore.password. (If it has no value, see To set up the M3 Business Engine keystore.)
  6. Import the Landmark certificate into the M3 Business Engine keystore. In a command window, run the following keytool command:

    keytool -keystore keystore.jks -storepass keystorePassword -import -alias Landmark-envname_rsa -file certificateFile

    When the tool asks you if this is a trusted certificate, type "yes" (in the appropriate language).

    Note: 

    If the system does not recognize keytool as a valid command, ensure that the PATH variable includes the path to the Java JDK bin directory. If the PATH variable is set correctly and you type keytool without any parameters, it should display help for the utility.

  7. Find the alias of the M3 Business Engine key pair/certificate:
    1. In MOVEX.properties, find the value of auth.dname and copy it to a text editor.
    2. Remove the initial "cn=", the first comma, and everything after the first comma. For example, after copying auth.dname, you may have a value similar to cn=myserver.corp.acme.net,o=lawson,ou=abc. After you perform the necessary edits, the value would be myserver.corp.acme.net.
    3. Append "_rsa". This creates what is referred to as m3be-alias.
  8. Export the M3 BE certificate to a file. Run the following keytool command:

    keytool -keystore keystore.jks -storepass keystorePassword -export -alias m3be-alias -file m3be-alias.cer

  9. In MOVEX.properties, edit the value of auth.certificates.api and add "cn=landmark-envname,o=lawson". If the property already has a value, append the new value, separated by a semicolon.
  10. In MOVEX.properties, make sure that the value of auth.mode.api is set to 2.
  11. Restart the M3 Business Engine environment in the LifeCycle Manager.
  12. Copy the exported file m3be-alias.cer to LASYSDIR in the Landmark environment.
  13. At the Landmark command line, type:

    secadm mitrustsetup import m3be-alias.cer

    Note: 

    To go back to untrusted MISOCKET connections, on the Landmark side, remove the SystemDN service property on the MISOCKET service.
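
The following shell script is an added example, not part of the original procedure or of the product's own tooling. It derives m3be-alias from auth.dname as described in step 7 and checks that the edits from steps 9 and 10 are present in MOVEX.properties. The function names, the simple key=value parsing, the exact-match comparison of the DN, and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: checks for steps 7, 9 and 10 against MOVEX.properties.
# Assumes plain key=value lines; all function names are hypothetical.

prop_value() {  # prop_value FILE KEY -> value of the last "KEY=value" line
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }                       # skip comment lines
        {
            i = index($0, "="); if (i == 0) next     # split on the FIRST "=" only
            name = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name == k) { v = substr($0, i + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", v); found = 1 }
        }
        END { if (!found) exit 1; print v }' "$1"
}

m3be_alias() {  # step 7: drop "cn=", cut at the first comma, append "_rsa"
    dn=$(prop_value "$1" auth.dname) || { echo "auth.dname not set" >&2; return 1; }
    case $dn in
        cn=*) ;;
        *) echo "auth.dname does not start with cn=: $dn" >&2; return 1 ;;
    esac
    cn=${dn#cn=}     # remove the initial "cn="
    cn=${cn%%,*}     # remove the first comma and everything after it
    [ -n "$cn" ] || return 1
    printf '%s_rsa\n' "$cn"
}

api_trust_ok() {  # api_trust_ok FILE DN -> 0 if steps 9 and 10 are in effect
    mode=$(prop_value "$1" auth.mode.api) || mode=
    [ "$mode" = 2 ] || { echo "auth.mode.api is '$mode', expected 2" >&2; return 1; }
    list=$(prop_value "$1" auth.certificates.api) || list=
    case ";$list;" in
        *";$2;"*) return 0 ;;   # exact match of one semicolon-separated entry
    esac
    echo "$2 is not listed in auth.certificates.api" >&2
    return 1
}

demo() {  # constructed sample MOVEX.properties, not taken from a real system
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample
auth.dname=cn=myserver.corp.acme.net,o=lawson,ou=abc
auth.certificates.api=cn=other-env,o=lawson;cn=Landmark-envname,o=lawson
auth.mode.api=2
EOF
    m3be_alias "$f"      # prints myserver.corp.acme.net_rsa
    api_trust_ok "$f" "cn=Landmark-envname,o=lawson" && echo "API trust settings OK"
    rm -f "$f"
}
demo
```

To use it on a real environment, call m3be_alias and api_trust_ok with the path to MOVEX.properties in place of the constructed file, before the restart in step 11.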