Setting Up a Service for MI Socket Trusted Connections between Landmark and M3 Business Engine
Use this procedure to simplify the maintenance of users in a Landmark system that is connected via an MI socket connection to an M3 Business Engine Foundation version of 9.0.x. Note that trusted connections are currently not available for M3 Business Engine Foundation version 9.1.x.
Without this procedure, you will need to maintain user passwords in both a Landmark service for MI socket and in a central repository, such as your corporate LDAP. Once the MI Socket trusted connections are set up, the Landmark server and the M3 Business Engine server will authenticate to each other using public key certificates. Landmark will authenticate users against the central repository and then send only the user names (no passwords) to the M3 Business Engine when accessing through the MI socket. Because the M3 Business Engine knows that it is indeed communicating with Landmark and that Landmark has authenticated the user, there is no need to authenticate the users again.
As part of this setup, you will need to generate an asymmetric key pair on both the Landmark and M3 Business Engine sides, and a keystore needs to be set up with the respective certificates. If Business Engine already runs in trusted mode (for example, against Lawson Web Services, MNE and MWP), there is already a keystore and key pair on the Business Engine side.
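The trust relationship described above, as an added illustration that is not Lawson's or Infor's code and does not reproduce the actual MI socket wire format: each side generates a key pair and a self-signed certificate (its keystore), installs the other side's certificate in its truststore, and the Business Engine side accepts a user name without a password only when the request is signed by a certificate it trusts. The `Peer`, `Request`, `SignRequest` and `Accept` names are hypothetical; the real setup is performed with the `secadm mitrustsetup` command and the product keystores, not with this code.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Peer is a hypothetical model of one side of the MI socket link: its own
// key pair and certificate (keystore) and the certificates it trusts (truststore).
type Peer struct {
	Name  string
	key   *rsa.PrivateKey
	Cert  *x509.Certificate
	trust *x509.CertPool
}

// NewPeer generates the asymmetric key pair and a self-signed certificate,
// the equivalent of the key pair each server needs in its keystore.
func NewPeer(name string) (*Peer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Peer{Name: name, key: key, Cert: cert, trust: x509.NewCertPool()}, nil
}

// Trust installs a peer's certificate in this side's truststore: the
// certificate exchange the setup procedure performs between the two servers.
func (p *Peer) Trust(c *x509.Certificate) { p.trust.AddCert(c) }

// Request is the trusted-mode message: user name only (no password), the
// sender's certificate, and the sender's signature over the user name.
type Request struct {
	User      string
	Cert      *x509.Certificate
	Signature []byte
}

// SignRequest is the Landmark side: the user was already authenticated
// against the central repository, so only the user name is asserted.
func (p *Peer) SignRequest(user string) (Request, error) {
	digest := sha256.Sum256([]byte(user))
	sig, err := rsa.SignPKCS1v15(rand.Reader, p.key, crypto.SHA256, digest[:])
	if err != nil {
		return Request{}, err
	}
	return Request{User: user, Cert: p.Cert, Signature: sig}, nil
}

// Accept is the Business Engine side: the sender's certificate must be in the
// truststore and its signature must cover the user name exactly; only then is
// the user name taken as authenticated without a password check of its own.
func (p *Peer) Accept(r Request) (string, error) {
	if r.Cert == nil {
		return "", fmt.Errorf("no certificate presented")
	}
	opts := x509.VerifyOptions{Roots: p.trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := r.Cert.Verify(opts); err != nil {
		return "", fmt.Errorf("sender not trusted: %w", err)
	}
	pub, ok := r.Cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unexpected key type in certificate")
	}
	digest := sha256.Sum256([]byte(r.User))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], r.Signature); err != nil {
		return "", fmt.Errorf("signature does not cover user name: %w", err)
	}
	return r.User, nil
}

func main() {
	landmark, _ := NewPeer("landmark")
	be, _ := NewPeer("m3-business-engine")
	be.Trust(landmark.Cert) // BE trusts Landmark; Landmark trusts BE the same way
	req, _ := landmark.SignRequest("alice") // constructed sample user name
	user, err := be.Accept(req)
	fmt.Println("accepted:", user, "err:", err)
	req.User = "other" // altered after signing: the signature no longer matches
	_, err = be.Accept(req)
	fmt.Println("altered request err:", err)
}
```

The point of the model is the two checks in `Accept`: a request from a server whose certificate is not in the truststore is refused, and a user name that does not match the signature is refused, which is why the Business Engine can stop checking passwords for these requests. It also shows why the keystore and truststore files deserve the backups listed later on this page.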
If you do not want to set up the connection between Landmark and the M3 Business Engine as trusted connections using public key certificates, you can instead set up the MISOCKET service according to the procedure in Creating the MISocket Service for M3 Application Data Access. In this case, Lawson recommends using only a few dedicated accounts with unlimited password life for connecting to BE.
The administrator who sets up the trusted connections must have experience configuring Landmark and the M3 Business Engine. In addition, the administrator must have access to the Landmark environment, login access to the M3 Business Engine server, write permissions on the MOVEX.properties file, and access to the LifeCycle Manager with permission to start and stop the M3 Business Engine. If the secadm utility is password protected, the administrator must have access to the password for the utility.
To avoid keeping passwords synchronized between Landmark and M3 Business Engine, the MI Socket connection between the two systems can be configured to use trusted connections.
Currently, trusted connections between Landmark and M3 Business Engine are only supported if M3 Business Engine is not running in the Lawson Grid.
Before using the secadm mitrustsetup command, be sure to create the following backups. If an error occurs when you use secadm mitrustsetup, you will not be able to delete entries from the Landmark keystore. You will need a backup.
- The file system, especially the Lawson environment directories, including %LASYSDIR%
- The .ssokeystore, .ssotruststore and authen.dat files