Defining certificate chain Common Names

Certificate validation is enabled by default for XSL source that comes from a secured (HTTPS) host. The Common Names (CNs) in the certificate chain must be defined inside %LAWDIR%\system\iosconfig.xml. If they are not, the web service that processes the XSL source cannot validate the certificate of the source host.

In the procedure below, the "host" attribute refers to the hostname (excluding port or protocol) of the XSL source residing on the web server. If your web server is on a separate machine from your Infor Lawson System Foundation (LSF) application server, you need to declare this node. If your web server is on the same machine as your LSF server, you do not need to declare this node or employ this solution.

The attribute "value" refers to the Common Name of the certificate. This correlates to the "Issued to" or "Subject" value of the actual certificate. If there is a certificate chain in play, all CNs must be declared in this file.

Use the steps in this procedure to verify that the Common Names are defined.

  1. In Lawson Portal, open the Form Help option.

    This calls a Transform web service that has _XSL as one of the parameters. If the _XSL resource is HTTPS, the validation will take effect.

    If you get a blank screen, review the ios.log for the following error message:

    2020-02-27 13:03:53,147 ERROR [WebContainer : 0] [lawson ] [TRANSFORM ] [Transform]
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
    verifyCertificate: CN value: *.<mydomain> is not in allowed CN list

    If you receive this error, perform the steps below.

  2. With a text editor, open %LAWDIR%\system\iosconfig.xml.
  3. For each certificate, add the following inside the <transform-hosts></transform-hosts> node.
    <cn host="hostname" value="cn"/>
    Note: If you don't have a <transform-hosts> node, you can add one:
    <transform-hosts>
      <cn host="remote_webserver_name" value="SubjectOfCertificate"/>
    </transform-hosts>

    Below is an example showing how to declare more than one host or CN if needed. For example, if you are using a load balancer in front of two remote web servers, you would declare all three servers:

    <transform-hosts>
      <cn host="lawweb1.infor.com" value="lawweb1.infor.com"/>
      <cn host="lawweb2.infor.com" value="lawweb2.infor.com"/>
      <cn host="loadbalancer.infor.com" value="InforCA"/>
    </transform-hosts>
    Note: You will need to view your certificates to see the correct subject name for each declaration.

    Below is an example of a wildcard certificate:

    <transform-hosts>
      <cn host="lawweb.infor.com" value="*.infor.com"/>
    </transform-hosts>
  4. Save and close the file.
  5. Restart the Infor Lawson System Foundation WebSphere Application Server.
  6. Test to ensure the error has been resolved. In Lawson Portal, open the Form Help option.

    If the above is configured properly, the Form Help option will display correctly. If not, a message will be returned about an error in certificate validation.
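
The following is an added example, not Infor's code: it checks a copy of iosconfig.xml against the subjects in a host's certificate chain and returns the <cn> lines that still need to be added. It assumes the service compares each CN literally with the declared values (as the wildcard example suggests); the <config> wrapper and the sample subjects are constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed sample: only <transform-hosts> and <cn> come from the page;
# <config> is a placeholder for the real root element of iosconfig.xml.
SAMPLE_CONFIG = """<config>
  <transform-hosts>
    <cn host="lawweb1.infor.com" value="lawweb1.infor.com"/>
    <cn host="loadbalancer.infor.com" value="InforCA"/>
  </transform-hosts>
</config>"""


def subject_cn(subject):
    """Return the CN from a subject such as 'CN=*.infor.com, O=Infor'.
    Simple split on commas; does not handle escaped commas in a value."""
    for part in subject.split(","):
        key, _, val = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return val.strip()
    return None


def declared_cns(config_xml, host):
    """Collect the value of every <cn> declared for host (hostnames
    are compared case-insensitively)."""
    root = ET.fromstring(config_xml)
    return {cn.get("value")
            for node in root.iter("transform-hosts")
            for cn in node.findall("cn")
            if (cn.get("host") or "").lower() == host.lower()}


def missing_entries(config_xml, host, chain_subjects):
    """Return the <cn> lines needed so every CN in the chain is declared.
    Assumption: CNs are matched literally, so a wildcard CN must be
    declared as the same wildcard string."""
    have = declared_cns(config_xml, host)
    lines = []
    for subject in chain_subjects:
        cn = subject_cn(subject)
        if cn and cn not in have:
            have.add(cn)
            lines.append("<cn host=%s value=%s/>" % (quoteattr(host), quoteattr(cn)))
    return lines


if __name__ == "__main__":
    chain = ["CN=*.infor.com, O=Infor, C=US", "CN=InforCA, O=Infor"]  # constructed
    for line in missing_entries(SAMPLE_CONFIG, "loadbalancer.infor.com", chain):
        print(line)
```

Copy the subject of each certificate in the chain from your certificate viewer into the chain list, and run the check against a copy of the file rather than the live one.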