Building an Infor Grid Lab – Part 4

Continuing to learn Infor ION Grid and building a laboratory without LifeCycle Manager (LCM), today I will use the Grid bundled installer and spew screenshots of the intuitive and automated install.


The Grid bundled installer is available publicly as part of the Grid deliverable, but it is for internal use only, not for production use.

1. Database

Install a database server (DB2 AS/400, Apache Derby, Oracle, PostgreSQL, or SQL Server), and create a new database, e.g. InforIONGrid:

2. JAR file

Go to the Infor Product Download Center, find the M3 Core Infrastructure and Technology, download the Grid installer, unzip it, go to the components sub-folder, and execute the installer JAR file:

3. Next Next Next

Follow the wizard:

4. Result

Here is the resulting Grid, files and folders, web UI, admin UI, topology, registry, default router, administrative router, user and role mapping, Grid Bootstrap, database, Windows Service, processes, topology XML, and runtime XML:

User and Role Mappings:



Windows Service:

Infor ION Grid Bootstrap - InforIONGrid - localhost
LogOnAs=NT SERVICE\Infor ION Grid Bootstrap - InforIONGrid - localhost
JavaHome=C:\Program Files\Java\jdk1.8.0_111
JVMParameters=-Xmx512M -XX:MaxPermSize=512m
ApplicationParameters=-baseDir C:\Infor\InforIONGrid


Topology XML:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<topology gridId="83144c68-5a16-4e6c-8280-b9102a477980" xmlns:xsi="" xsi:schemaLocation="" xmlns="">
        <host address="localhost" gridAgentPort="50003" name="localhost"/>
    <registry host="localhost" port="50004"/>
    <administrativeRouter externalAddress="localhost" host="localhost" httpsAuthType="client" httpsPort="50007" port="50005" webStartPort="50006"/>
    <!--5/9/17 12:45 PM-->
    <!--Created by installer-->


Runtime XML:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<runtime xmlns:xsi="" xsi:schemaLocation="" xmlns="">
    <sessionProviders developer="false"/>
        <router externalAddress="localhost" host="localhost" httpAuthenticationMethods="ntlm" httpPort="50001" httpsAuthType="client" httpsAuthenticationMethods="basic ntlm" httpsPort="50000" name="Default Router"/>
        <propertyOverrides nodeType="router">
            <property name="grid.jvm.maxHeapMB">256</property>
        <propertyOverrides nodeType="registry">
            <property name="grid.jvm.maxHeapMB">256</property>
            <property name="grid.jvm.maxHeapMB">512</property>
            <property name="">true</property>
            <propertyListMap name="grid.slf4j.mapping" strategy="merge">
            <propertyListMap name="grid.router.endpoints"/>
    <!--5/9/17 12:45 PM-->
    <!--Created by installer-->

Here is the folder structure (zoom in):

C:\Infor\InforIONGrid>tree /a /f
Folder PATH listing for volume Windows_OS
Volume serial number is 0E5A-3982
|   BootstrapWebUI-50002.url
|   pid
|       sqljdbc4-4.0.jar
|   \---InforIONGrid
|       |   AdminUI.cmd
|       |   ChangeDBPassword.cmd
|       |   ChangeJDK.cmd
|       |   OfflineConfigUI.cmd
|       |   StartAllHosts.cmd
|       |   StartHost.cmd
|       |   StopAllHosts.cmd
|       |   StopHost.cmd
|       |
|       +---config
|       |       binary.path
|       |
|       |
|       +---log
|       |   \---SYSTEM
|       |           grid-agent-1244.log
|       |           grid-agent-1772.log
|       |           grid-agent-4504.log
|       |           grid-agent-4600.log
|       |           grid-agent-4960.log
|       |           grid-agent-6808.log
|       |           grid-registry-3816.log
|       |           grid-registry-3872.log
|       |           grid-registry-4072.log
|       |           grid-registry-5040.log
|       |           grid-registry-6492.log
|       |           grid-registry-8832.log
|       |           grid-router-Administrative_Router-3220.log
|       |           grid-router-Administrative_Router-3908.log
|       |           grid-router-Administrative_Router-4776.log
|       |           grid-router-Administrative_Router-5020.log
|       |           grid-router-Administrative_Router-5320.log
|       |           grid-router-Administrative_Router-9504.log
|       |           grid-router-Default_Router-3052.log
|       |           grid-router-Default_Router-3832.log
|       |           grid-router-Default_Router-4824.log
|       |           grid-router-Default_Router-5152.log
|       |           grid-router-Default_Router-5340.log
|       |           grid-router-Default_Router-8508.log
|       |
|       \---secure
|               https.ks
|               https.ts
|               InforIONGrid.der
|               InforIONGrid.ks
|               server.key
|               server.ks
|       bootstrap-2516.log
|       bootstrap-2532.log
|       bootstrap-2544.log
|       bootstrap-2552.log
|       bootstrap-2568.log
|       bootstrap-2588.log
|       bootstrap-2732.log
|       bootstrap-8144.log
|       installation_20170509124513914.log
|       installation_20170518165426295.log
|       service-2516.log
|       service-2532.log
|       service-2544.log
|       service-2552.log
|       service-2568.log
|       service-2588.log
|       service-2732.log
|       service-8144.log
|       service_out-2516.log
|       service_out-2532.log
|       service_out-2544.log
|       service_out-2552.log
|       service_out-2568.log
|       service_out-2588.log
|       service_out-2732.log
|       service_out-8144.log
|   |   bootstrap-daemon-1.2.4.jar
|   |   commons-daemon-1.0.15.jar
|   |
|   +---1.13.77
|   |       bcmail-jdk16-1.45.jar
|   |       bcprov-jdk16-1.45.jar
|   |       bootstrap-core-1.13.77.jar
|   |       grid-core-1.13.77.jar
|   |       grid.commons-dbcp2-2.0.1.jar
|   |       grid.httpclient-4.2.6.jar
|   |       grid.liquibase-2.0.5.jar
|   |       jackson-core-asl-1.9.12.jar
|   |       jackson-mapper-asl-1.9.12.jar
|   |       javax.servlet-api-3.1.0.jar
|   |       jna-3.3.0-platform.jar
|   |       jna-3.3.0.jar
|   |       maven-shared-utils-0.4.jar
|   |       windowsjnasecurity-1.0.4.jar
|   |
|   +---amd64
|   |       service-wrapper-
|   |
|   \---x86
|           service-wrapper-
|   \---1.13.77
|       +---jaxrs1Resources
|       |       grid-jaxrs1-1.13.77.jar
|       |       jackson-core-asl-1.9.2.jar
|       |       jackson-jaxrs-1.9.2.jar
|       |       jackson-mapper-asl-1.9.2.jar
|       |       jackson-xc-1.9.2.jar
|       |       jersey-core-1.18.1.jar
|       |       jersey-json-1.18.1.jar
|       |       jersey-multipart-1.18.1.jar
|       |       jersey-server-1.18.1.jar
|       |       jersey-servlet-1.18.1.jar
|       |       mimepull-1.9.3.jar
|       |
|       +---jaxrs2Resources
|       |       aopalliance-repackaged-2.2.0.jar
|       |       grid-jaxrs2-1.13.77.jar
|       |       hk2-api-2.2.0.jar
|       |       hk2-locator-2.2.0.jar
|       |       hk2-utils-2.2.0.jar
|       |       jackson-core-asl-1.9.13.jar
|       |       jackson-jaxrs-1.9.13.jar
|       |       jackson-mapper-asl-1.9.13.jar
|       |       jackson-xc-1.9.13.jar
|       |       javassist-3.18.1-GA.jar
|       |       javax.annotation-api-1.2.jar
|       |       javax.inject-2.2.0.jar
|       |
|       |       jersey-client-2.7.jar
|       |       jersey-common-2.7.jar
|       |       jersey-container-servlet-2.7.jar
|       |       jersey-container-servlet-core-2.7.jar
|       |       jersey-guava-2.7.jar
|       |       jersey-media-json-jackson-2.7.jar
|       |       jersey-media-multipart-2.7.jar
|       |       jersey-server-2.7.jar
|       |       mimepull-1.9.3.jar
|       |       osgi-resource-locator-1.0.1.jar
|       |       validation-api-1.1.0.Final.jar
|       |
|       +---licenses
|       |   +---asm
|       |   |       license.txt
|       |   |
|       |   +---bcprov-jdk16
|       |   |       license.txt
|       |   |
|       |   +---core
|       |   |       license.html
|       |   |
|       |   +---cxf
|       |   |       license.txt
|       |   |
|       |   +---httpcore
|       |   |       license.txt
|       |   |
|       |   +---jetty-package
|       |   |       license.txt
|       |   |
|       |   +---jna
|       |   |       license.txt
|       |   |
|       |   +---jquery
|       |   |       license.txt
|       |   |
|       |   +---jquery-hashchange
|       |   |       license.txt
|       |   |
|       |   +---jsp-2.1-glassfish
|       |   |       license.txt
|       |   |
|       |   +---neethi
|       |   |       license.txt
|       |   |
|       |   +---servlet-api
|       |   |       license.txt
|       |   |
|       |   +---timepicker
|       |   |       license.txt
|       |   |
|       |   +---wsdl4j
|       |   |       license.txt
|       |   |
|       |   +---wstx-asl
|       |   |       license.txt
|       |   |
|       |   +---xml-resolver
|       |   |       license.txt
|       |   |
|       |   +---xmlbeans
|       |   |       license.txt
|       |   |
|       |   \---XmlSchema
|       |           license.txt
|       |
|       +---monitorResources
|       |       activation-1.1.jar
|       |       antlr-2.7.7.jar
|       |       antlr-3.3.jar
|       |       antlr-runtime-3.3.jar
|       |       commonj.sdo-2.1.1.jar
|       |       commons-math3-3.0.jar
|       |       decision-trees-1.0.2.jar
|       |       drools-compiler-5.4.0.Final.jar
|       |       drools-core-5.4.0.Final.jar
|       |       ecj-3.5.1.jar
|       |       eclipselink-2.5.1.jar
|       |       grid-monitor-1.13.77.jar
|       |       grid-monitor-impl-1.13.77.jar
|       |       grid-monitor-linux-1.13.77.jar
|       |       grid-monitor-wmi-1.13.77.jar
|       |       groovy-all-2.0.0.jar
|       |       javax.persistence-2.1.0.jar
|       |       joda-time-2.0.jar
|       |       jsr166-1.7.0.jar
|       |       knowledge-api-5.4.0.Final.jar
|       |       knowledge-internal-api-5.4.0.Final.jar
|       |       mail-1.4.jar
|       |       mvel2-2.1.0.drools16.jar
|       |       ojalgo-31.0.jar
|       |       stringtemplate-3.2.1.jar
|       |
|       +---resources
|       |       bcmail-jdk16-1.45.jar
|       |       bcprov-jdk16-1.45.jar
|       |       grid-core-1.13.77.jar
|       |       grid.commons-dbcp2-2.0.1.jar
|       |       grid.httpclient-4.2.6.jar
|       |       grid.liquibase-2.0.5.jar
|       |       javax.servlet-api-3.1.0.jar
|       |       jna-3.3.0-platform.jar
|       |       jna-3.3.0.jar
|       |       linked-binaries-1.13.77.jar
|       |       maven-shared-utils-0.4.jar
|       |
|       +---services
|       |   \---log
|       |           slf4j-api-1.7.5.jar
|       |           slf4j-grid-1.13.77.jar
|       |
|       +---tools
|       |   \---grid-cli
|       |           grid-cli-1.13.77.jar
|       |           jackson-core-asl-1.9.13.jar
|       |           jackson-mapper-asl-1.9.13.jar
|       |           jcommander-1.32.jar
|       |
|       +---webAppResources
|       |       asm-4.1.jar
|       |       asm-commons-4.1.jar
|       |       asm-tree-4.1.jar
|       |       commons-fileupload-1.2.2.jar
|       |       grid-webapp-1.13.77.jar
|       |       javax-websocket-client-impl-9.1.1.v20140108.jar
|       |       javax-websocket-server-impl-9.1.1.v20140108.jar
|       |       javax.annotation-api-1.2.jar
|       |       javax.el-3.0.0.jar
|       |       javax.servlet.jsp-2.3.2.jar
|       |       javax.servlet.jsp-api-2.3.1.jar
|       |       javax.servlet.jsp.jstl-1.2.0.v201105211821.jar
|       |       javax.websocket-api-1.0.jar
|       |       jetty-annotations-9.1.1.v20140108.jar
|       |       jetty-continuation-9.1.1.v20140108.jar
|       |       jetty-http-9.1.1.v20140108.jar
|       |       jetty-io-9.1.1.v20140108.jar
|       |       jetty-jndi-9.1.1.v20140108.jar
|       |       jetty-jsp-9.1.1.v20140108.jar
|       |       jetty-plus-9.1.1.v20140108.jar
|       |       jetty-schemas-3.1.M0.jar
|       |       jetty-security-9.1.1.v20140108.jar
|       |       jetty-server-9.1.1.v20140108.jar
|       |       jetty-servlet-9.1.1.v20140108.jar
|       |       jetty-servlets-9.1.1.v20140108.jar
|       |       jetty-util-9.1.1.v20140108.jar
|       |       jetty-webapp-9.1.1.v20140108.jar
|       |       jetty-xml-9.1.1.v20140108.jar
|       |       org.apache.taglibs.standard.glassfish-1.2.0.v201112081803.jar
|       |       org.eclipse.jdt.core-3.8.2.v20130121.jar
|       |       websocket-api-9.1.1.v20140108.jar
|       |       websocket-client-9.1.1.v20140108.jar
|       |       websocket-common-9.1.1.v20140108.jar
|       |       websocket-server-9.1.1.v20140108.jar
|       |       websocket-servlet-9.1.1.v20140108.jar
|       |
|       +---webServiceResources
|       |       asm-3.1.jar
|       |       commons-logging-1.1.1.jar
|       |       cxf-api-2.7.5.jar
|       |       cxf-rt-bindings-soap-2.7.5.jar
|       |       cxf-rt-bindings-xml-2.7.5.jar
|       |       cxf-rt-core-2.7.5.jar
|       |       cxf-rt-databinding-jaxb-2.7.5.jar
|       |       cxf-rt-databinding-xmlbeans-2.7.5.jar
|       |       cxf-rt-frontend-jaxws-2.7.5.jar
|       |       cxf-rt-frontend-simple-2.7.5.jar
|       |       cxf-rt-management-2.7.5.jar
|       |       cxf-rt-transports-http-2.7.5.jar
|       |       cxf-rt-ws-addr-2.7.5.jar
|       |       cxf-rt-ws-policy-2.7.5.jar
|       |       cxf-rt-ws-rm-2.7.5.jar
|       |       cxf-rt-ws-security-2.7.5.jar
|       |       ehcache-core-2.5.1.jar
|       |       geronimo-javamail_1.4_spec-1.7.1.jar
|       |       grid-ws-1.13.77.jar
|       |       neethi-3.0.2.jar
|       |       stax2-api-3.1.1.jar
|       |       woodstox-core-asl-4.2.0.jar
|       |       wsdl4j-1.6.3.jar
|       |       wss4j-1.6.10.jar
|       |       xml-resolver-1.2.jar
|       |       xmlbeans-2.6.0.jar
|       |       xmlschema-core-2.0.3.jar
|       |       xmlsec-1.5.4.jar
|       |
|       \---webStartResources
|               AppUI.jnlp
|               grid-core-1.13.77.jar.pack.gz
|               Infor48x48.png
|       client.ks
|       admin-ui.jar
|       application-deployer.jar
|       certificates.jar
|       change-db-password.jar
|       change-jdk.jar
|       grid-cli.jar
|       log-viewer.jar
|       scripting-client.jar
    |   uninstall.cmd
    |   uninstall.jar

Future work

Next, I may:

  • Install a Grid silently with izpack XML
  • Generate secure\server.key with OpenSSL
  • Set up an Administrative Router
  • Set up a Grid Agent
  • Set up a Grid Launcher
  • Set up a Grid Bootstrap
  • Install session providers
  • Install applications
  • Install GDBC
  • Install the Grid on Linux and PostgreSQL


That was an illustration of the Infor ION Grid bundled installer which is internal only and intuitive.


Building an Infor Grid Lab – Part 3

I am building an Infor ION Grid laboratory manually without LifeCycle Manager (LCM) for my learning purposes. In part 2, I had made the installation using cryptographic keys taken from an existing Grid installation. Today, I will create new keys.


The Grid uses TLS to ensure privacy, authentication, and integrity of communication within the Grid. That involves asymmetric cryptography, public/private key pairs, key exchange, digital certificates, digital signatures, symmetric keys, ciphers, etc.

Thankfully the Grid automates most of it. It uses the Java Cryptography Extension (JCE), the Bouncy Castle Crypto APIs, and 2048 bit RSA key pairs. The key material is unique to each installation.


The Infor Documentation Infocenter has an Infor ION Grid Security Administration Guide:


The Infor documentation that is publicly available covers the default cryptographic properties of the Grid such as algorithms, providers, cipher suites, block cipher modes of operation, hashing functions, padding, key length, paths, file names, etc.; the Internet covers cryptography in general; and I am not revealing any secrets; therefore, I am revealing no more information than what is already available publicly. Besides, revealing cryptographic properties does not reveal any secrets, therefore Infor is not revealing any secrets either. Besides, the default properties can be changed to suit our needs. The security of a cryptosystem depends not on the knowledge of its cryptographic properties, but on its implementation and on the security of the secret key material. Thus, it is important you keep your systems up-to-date, and keep your secret key material secure. In doubt, read Auguste Kerckhoffs’s principle, “il faut qu’il puisse sans inconvénient tomber entre les mains de l’ennemi” or Claude Shannon’s maxim, “we shall assume that the enemy knows the system being used.”

Key material

For a minimalist Grid installation, we need the following four files, which are unique to each installation:

For the Grid, we need these files, where the file names must match the Grid name, e.g. Grid:

  • Grid.ks: this is the Java keystore for the Grid. It contains the Grid’s public/private key pair, and the Grid self-signed certificate which will be the root certificate authority (CA) to sign other keys.
  • (optional): this is the clear text password for both keystore and private key.

For each host, we need these files, where the file names are server:

  • server.ks: this is the Java keystore for the host. It contains the host’s public/private key pair, and the host certificate signed by the Grid.
  • this is the clear text password for both keystore and private key.
  • server.key: this is a symmetric key, signed and encrypted, used to encrypt/decrypt protected Grid properties.

In a production environment, keep all these files secure.

Console tool

The Grid has a console tool that automatically creates the key material:

In addition to the console tool, I will show the equivalent command using the Java keytool, and I will inspect the result with KeyStore Explorer.

1. Create Grid material

Use this command to create new key material for the Grid (replace the parameter values with your values, and use a strong password):

java ^
 -cp resources\grid-core.jar;resources\bcprov-jdk16.jar;resources\bcmail-jdk16.jar ^ ^
 -create=gridcert ^
 -gridname Grid ^
 -gridpassword password123 ^
 -gridkeystore secure

It produces these two files:

  • Grid.der
  • Grid.ks

Note: Grid.der is the root CA that typically system administrators will push to the users computers, and then those computers will automatically trust the certificates of M3, Smart Office, etc.

Note: Unfortunately, the command does not automatically generate a strong password for this keystore, which leaves it vulnerable to user choice.

The Grid certificate has the following extensions:

  • Basic Constraints: Subject is a CA, Path Length Constraint: 1
  • Subject Key Identifier
  • Key Usage: Digital Signature, Certificate Signing
  • Extended Key Usage: TLS Web Server Authentication, Code Signing, TLS Web Client Authentication

Alternatively, instead of the console tool, we can use the Java keytool:

keytool ^
 -genkeypair ^
 -keyalg RSA ^
 -keysize 2048 ^
 -sigalg SHA256WITHRSA ^
 -dname cn=Grid ^
 -ext BasicConstraints=ca:true,pathlen:1 ^
 -ext KeyUsage=digitalSignature,keyCertSign ^
 -ext ExtendedkeyUsage=serverAuth,codeSigning,clientAuth ^
 -validity 90 ^
 -keypass password123 ^
 -keystore secure\Grid.ks ^
 -storepass password123

Then, we need to do some export/import to add the certificate as a separate entry:

keytool ^
 -exportcert ^
 -file secure\Grid.der ^
 -keystore secure\Grid.ks ^
 -storepass password123
keytool ^
 -changealias ^
 -alias mykey ^
 -destalias grid_key ^
 -keypass password123 ^
 -keystore secure\Grid.ks ^
 -storepass password123
keytool ^
 -noprompt ^
 -importcert ^
 -alias mykey ^
 -file secure\Grid.der ^
 -keypass password123 ^
 -keystore secure\Grid.ks ^
 -storepass password123
keytool ^
 -changealias ^
 -alias mykey ^
 -destalias grid_cert ^
 -keypass password123 ^
 -keystore secure\Grid.ks ^
 -storepass password123

2. Create host material

Use this command to create new key material for the host (replace the parameter values with your values, and add as many roles and addresses as needed for this host):

java ^
 -cp resources\grid-core.jar;resources\bcprov-jdk16.jar;resources\bcmail-jdk16.jar ^ ^
 -create=hostcert ^
 -gridname Grid ^
 -gridpassword password123 ^
 -hostname localhost ^
 -gridkeystore secure ^
 -hostkeystore secure ^
 -role grid-admin ^
 -address localhost ^
 -address ::1 ^
 -address ^
 -address ^

It produces these two files:

  • server.ks

Note: Fortunately, the command automatically generates a strong password for this keystore.

The host certificate has extensions for the role (e.g. grid-admin), for the host actor (SYSTEM), for the IP addresses and hostnames:

Alternatively, instead of the console tool, we can use the Java keytool. But it is tricky for we have to add the certificate extensions in hexadecimal. The IANA enterprise number for Lawson Software (Infor) is 10105. The OID names can be found in the OID repository. Note: Thomas Fanto registered child OID 238 for the Grid runtime information in 2009, but somehow the console tool uses child OID 237 instead, which is not reserved. Anyway, dump the OID values as hexadecimal (e.g. grid-admin is 677269642D61646D696E, and SYSTEM is 53595354454D). Prefix them with the ASN.1 UTF8String tag byte of 0x0C to encapsulate them as a UTF-8 String and with the byte length in HEX (e.g. grid-admin is 10 bytes long which is 0x0A, and SYSTEM is 6 bytes long which is 0x06). For the sequences, prefix them with the SEQUENCE tag byte of 0x30 and with the sequence byte length (e.g. 9+3+9+11+2*4 = 40 = 0x28).

keytool ^
 -genkey ^
 -alias localhost_key ^
 -keyalg RSA ^
 -keysize 2048 ^
 -sigalg SHA256WITHRSA ^
 -dname cn=localhost ^
 -ext ^
 -ext ^
 -ext ^
 -validity 90 ^
 -keypass password123 ^
 -keystore secure\server.ks ^
 -storepass password123
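
The encoding steps described above, as an added Python example (not code from the original post or from Infor): it DER-encodes the role and actor strings and a sequence of addresses into the hexadecimal form that keytool's -ext option takes after an OID, and decodes the result back as a check. The address list is constructed so that its lengths match the 9+3+9+11 arithmetic; the extension OIDs are not reproduced on the page, so only the values are produced.

```python
"""DER-encode host certificate extension values as hex (added example)."""

UTF8STRING = 0x0C  # ASN.1 universal tag for UTF8String
SEQUENCE = 0x30    # ASN.1 tag for a constructed SEQUENCE


def der_length(n):
    """Short form below 128 bytes, long form (0x80 | byte count) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Tag byte, then length, then content."""
    return bytes([tag]) + der_length(len(content)) + content


def utf8string(text):
    return der_tlv(UTF8STRING, text.encode("utf-8"))


def sequence_of_strings(values):
    return der_tlv(SEQUENCE, b"".join(utf8string(v) for v in values))


def keytool_hex(der):
    """Upper-case hex dump, the form pasted after '-ext <OID>=' for keytool."""
    return der.hex().upper()


def read_tlv(data, pos=0):
    """Return (tag, content, next_pos); reject truncated or indefinite input."""
    if pos + 2 > len(data):
        raise ValueError("truncated header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0 or pos + count > len(data):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    if pos + length > len(data):
        raise ValueError("truncated content")
    return tag, data[pos:pos + length], pos + length


def decode(hex_value):
    """Decode a hex extension value back to a str or a list of str."""
    data = bytes.fromhex(hex_value)
    tag, content, end = read_tlv(data)
    if end != len(data):
        raise ValueError("trailing bytes after value")
    if tag == UTF8STRING:
        return content.decode("utf-8")
    if tag != SEQUENCE:
        raise ValueError("unexpected tag 0x%02X" % tag)
    items, pos = [], 0
    while pos < len(content):
        item_tag, item, pos = read_tlv(content, pos)
        if item_tag != UTF8STRING:
            raise ValueError("sequence member is not a UTF8String")
        items.append(item.decode("utf-8"))
    return items


# Constructed sample: the last two addresses are made up so that the lengths
# are 9, 3, 9 and 11 bytes, matching the arithmetic in the text.
SAMPLE_ADDRESSES = ["localhost", "::1", "127.0.0.1", "192.168.1.5"]

if __name__ == "__main__":
    print("role     ", keytool_hex(utf8string("grid-admin")))
    print("actor    ", keytool_hex(utf8string("SYSTEM")))
    print("addresses", keytool_hex(sequence_of_strings(SAMPLE_ADDRESSES)))
```
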

Then, we need to create a certificate signing request (CSR) for the host certificate, sign it with the Grid root CA, and import the resulting chain to the keystore:

keytool ^
 -certreq ^
 -alias localhost_key ^
 -sigalg SHA256WITHRSA ^
 -file secure\server.csr.txt ^
 -keystore secure\server.ks ^
 -storepass password123
keytool ^
 -gencert ^
 -infile secure\server.csr.txt ^
 -outfile secure\server.der ^
 -keystore secure\Grid.ks ^
 -storepass password123 ^
 -alias grid_key ^
 -ext BC=0
keytool ^
 -importcert ^
 -noprompt ^
 -trustcacerts ^
 -alias grid_key ^
 -file secure\Grid.der ^
 -keystore secure\server.ks ^
 -storepass password123
keytool ^
 -importcert ^
 -trustcacerts ^
 -alias localhost_key ^
 -file secure\server.der ^
 -keystore secure\server.ks ^
 -storepass password123

Then, save the keystore password with:

echo | set /p="password123" > secure\

3. Create symmetric material

Use this command to create new symmetric key material (replace the parameter values with your values):

java ^
 -cp resources\grid-core.jar;resources\bcprov-jdk16.jar;resources\bcmail-jdk16.jar ^ ^
 -create=symkey ^
 -gridname Grid ^
 -gridkeystore secure ^
 -gridpassword password123 ^
 -symkeypath secure ^
 -hostkeystore secure ^
 -hostname localhost

It produces this file:

  • server.key

It is used to encrypt/decrypt protected Grid properties such as passwords:

Alternatively, we can generate the server.key in Java by taking the Grid certificate’s distinguished name in ASN.1 DER encoded form, signing it with the Grid’s private key, and encrypting it with the host’s public key, but I am not allowed to show the source code for that, and I am struggling with replicating it with the OpenSSL RSA utility and AES encryption. So use the Grid command tool above to generate server.key.


We now have the new unique necessary and sufficient cryptographic key material for a minimalist Grid, and the Grid successfully validates it:

successfully initialized secret key
successfully initialized server keystore


I collected all the commands in my GitHub at keys.cmd.

Future work

Next time, I would like to:

  • Generate the symmetric key with OpenSSL
  • Continue researching security vulnerabilities
  • Use the new Grid installer
  • Set up an administrative router
  • Set up session providers
  • Install applications
  • Install the Grid on Linux and PostgreSQL


That was an illustration of how to manually create – for learning purposes – new cryptographic keys for a minimalist installation of the Infor ION Grid using the built-in tools, and alternatively using the Java keytool. I am learning so I probably missed a few things. Thankfully the Grid console tool automates most of it.

That’s it! Congratulations if you’ve made it so far.


Building an Infor Grid Lab – Part 2

I am building an Infor ION Grid laboratory manually without LifeCycle Manager (LCM) for my learning purposes. In the previous post I had installed a minimalist Grid using an old version. Today I will install the latest version.

1. Preparation

Choose values for the following properties (here are some sample values):

Grid name e.g. Grid
Grid folder e.g. C:\Infor\Grid\
Database name e.g. InforIONGrid
Host name e.g. localhost
Host address e.g.
Grid agent port e.g. 50003
Registry port e.g. 50004

2. Download latest version

Download the latest version of the Grid; as of today (5/12/2017) it is

3. Create folder structure

Choose a home directory for your Grid, e.g. C:\Infor\Grid\ where the folder must match the Grid name (e.g. Grid), and create these sub-folders:


4. Copy JAR files

Let’s find the main grid-core.jar and supporting JAR files:

  1. Unzip the LCM file.
  2. Go to folder: Grid_Installer_11.\products\Infor_ION_Grid_11.1.13.0\tasks\
  3. Select these JAR files:

  4. Copy them to your Grid\resources\ folder:

5. Create database

Let’s create the Grid database:

  1. Install SQL Server and SQL Management Studio (I installed SQL Server 2014 Express Edition at no cost), and ensure it works correctly:
  2. Download and install the Microsoft SQL Server JDBC Driver, and ensure you can connect to the database via JDBC (e.g. with SQuirreL):
  3. Create a new database (e.g. InforIONGrid):
  4. Run the following SQL to create the configuration table:
        GRID varchar(64) NOT NULL,
        TYPE varchar(32) NOT NULL,
        NAME varchar(128) NOT NULL,
        TS numeric(20, 0) NOT NULL,
        DATA varbinary(max) NULL,
        SEQID numeric(5, 0) NOT NULL

  5. Run the following SQL to create a Grid configuration with name (e.g. Grid), runtime XML and topology XML (replace the Grid name and XML contents as needed):
    DECLARE @runtime VARCHAR(300)
    DECLARE @topology VARCHAR(300)
    SET @runtime =
    '<?xml version="1.0" ?>
    <runtime xmlns="">
        <bindings />
        <sessionProviders />
        <routers />
        <contextRoots />
        <propertySettings />
    </runtime>'
    SET @topology =
    '<?xml version="1.0" ?>
    <topology xmlns="">
            <host name="localhost" address="" gridAgentPort="50003" />
        <registry host="localhost" port="50004" />
    </topology>'
    INSERT INTO GRIDCONF (GRID, TYPE, NAME, TS, DATA, SEQID) VALUES ('Grid', 'runtime' , 'null', 0, CONVERT(varbinary(max), @runtime), 0)
    INSERT INTO GRIDCONF (GRID, TYPE, NAME, TS, DATA, SEQID) VALUES ('Grid', 'topology' , 'null', 0, CONVERT(varbinary(max), @topology), 0)

  6. Verify the result:

  7. Copy the JDBC driver to your Grid\drivers\ folder:
  8. Create the JDBC configuration file at Grid\config\ with the values you chose above and with your database password Base64-encoded (in a production environment, keep this file secure):

Configuration Import & Edit

Alternatively, instead of using SQL to insert the runtime and topology XML into the GRIDCONF table, we can run the following command to import the XML files from the Grid\config\ folder into the GRIDCONF table (it requires the EXISTING_GRIDS table):

    CREATE TABLE EXISTING_GRIDS (
        GRID_NAME varchar(64) NOT NULL,
        GRID_VERSION varchar(32) NOT NULL,
        MODIFIED_BY varchar(128) NULL,
        TIMESTAMP numeric(20, 0) NOT NULL
    )

java -cp resources/grid-core.jar;resources/grid.liquibase.jar;drivers\sqljdbc42.jar com.lawson.grid.config.JDBCConfigAreaRuntime C:\Infor\Grid

Then, we can use this other command to launch the XML Editor and edit, format and validate the XML:

java -cp resources/grid-core.jar;resources/grid.liquibase.jar;drivers\sqljdbc42.jar;resources/bcprov-jdk16.jar;resources/bcmail-jdk16.jar com.lawson.grid.config.client.ui.Launch

6. Security

The Grid uses cryptography to protect its network traffic. We need the following four files in the folder Grid\secure\. For now, I will simply get these files from an existing Grid, and I will create new ones later.


7. Start the Grid

Start the Grid:

java -cp resources/grid-core.jar;resources/bcprov-jdk16.jar;resources/bcmail-jdk16.jar;resources/grid.liquibase.jar;drivers\sqljdbc42.jar;resources/javax.servlet-api.jar;resources/grid.httpclient.jar com.lawson.grid.Startup -registry -configDir . -host localhost -logLevel ALL

8. Grid Management Pages

Start the Grid Management Pages and connect to the registry at localhost:50004:

java -jar resources/grid-core.jar

9. Topology View

For the Topology View, we need another table:

    GRID varchar(256) NOT NULL,
    NAME varchar(256) NOT NULL,
    HOST varchar(256) NOT NULL,
    ID varchar(64) NULL,
    PENDINGID varchar(64) NULL,
    STATE varchar(32) NOT NULL,
    LOGNAME varchar(256) NULL,
    PROFILENAME varchar(64) NULL,
    PROFILEDATA varbinary(max) NULL,
    JVMID varchar(64) NULL


We now have a minimalist Grid installed manually without LCM.

Future work

In the next post, I will show how to create the security files.


That was how to install a minimalist latest version of the Infor ION Grid manually without LifeCycle Manager. We have the minimalist folder structure, database, configuration, commands, Grid Management Pages, and Topology View. I will continue in the next post.

That’s it!

M3 Ideas, now 282 subscribers.


Building an Infor Grid Lab – Part 1

These days I am doing a lot of work with the Infor ION Grid – to learn, troubleshoot, and do penetration testing – and I need to set up my own laboratory. I will follow the footsteps of PotatoIT’s Lab.

Grid concepts

The Infor ION Grid is a proprietary application framework to run Java applications in a distributed, redundant, fail-over, load balanced, scalable, performant, and secure environment, sort of a crossing between IBM WebSphere Application Server (WAS) and Platform as a Service (PaaS), for the purposes of Infor products, and that over the years has become a rich framework that helps power the Infor CloudSuite. Grid concepts are explained in the Infor documentation and in my previous work. Basically, there are: hosts (physical/virtual machines), a registry (to keep track of the nodes), nodes (JVM), applications (e.g. M3), routers (to direct network traffic), and more.


The Grid is available for download from the Infor Xtreme Product Download Center:


The Installation Guide has a chapter Installing Infor ION Grid:

LCM? No.

The documentation says Infor LifeCycle Manager (LCM) is a prerequisite to install the Grid. But in my previous encounter with LCM I had concluded I can reproduce installation steps manually without LCM, albeit with a lot of work. Anyway, for my purposes I just need a minimal Grid without Infor M3 which makes the installation easier. To that end, I set out to learn how to install a minimal Grid manually without LCM. I will split my learning into several blog posts.

Version 0.x

In my archives of 10 years ago I found an early internal development unreleased version of the Grid with some documentation. It was a pure Java application that started Grid hosts, nodes, routers, registry, and user interface. It did not have database, certificates, configuration, or web server. It was not available publicly. Thanks to its simplicity, I will use it as a starting point of my learning.

1) Start the registry

java -cp grid.jar com.lawson.grid.Startup -registry -groupName THIBAUD

2) Start a node

java -cp grid.jar com.lawson.grid.Startup

3) Start a router

java -cp grid.jar com.lawson.grid.Startup -router

4) Start the user interface

java -jar grid.jar localhost 44444


We have a minimal Grid with a host, a registry, a node, a router, and a user interface.

Future work

In my next blog posts, I will:

  • Install a later version of the Grid
  • Use the new Grid installer
  • Install the Grid on Linux and PostgreSQL


That was a starting point for me to learn how to install a minimal Infor ION Grid manually without LifeCycle Manager. I will continue in the next post.

That’s it!


Access Control on Grid Management Pages

It is my great pleasure to be an author of M3 Ideas. Thanks very much for Thibaud’s invitation.

I put my foot into M3 water five years ago and M3 Ideas has been giving me great help in developing my technical skills since then. It is my great honor to share my work and make contributions to it.

The issue of access control on grid management pages has been troubling me for nearly two years. The installation web page of LSO, in our case, http://BE Server:19005/LSO/index.html is very close to the grid information page, http://BE Server:19005/grid/info.html and the grid management pages, http://BE Server:19005/grid/ui/#. It is fairly easy for a user with web skills to figure out the latter two web pages and he/she can explore and check basically all the grid information.

Although the grid management pages require credentials to log on to be able to start or stop a process, a user can actually try the default account,  and the famous password, which are mentioned by the Companion, to get full control. This is not a joke, but a real case. It makes the M3 system really vulnerable. Even if users do not take any action on it, it makes no sense and it is ridiculous to disclose all the system information to the public.

We did raise an InforXtreme case for Infor to fix it. However, they could not give a robust solution after a long discussion. The reason is that the grid management pages and LSO share the same Java process on the BE server. If you check the TCP connections and processes using netstat on the BE server, you will find there is no way to tell which connection is from a grid management pages visit or from an LSO request, which is the biggest technical challenge.

After many tests it seems the most feasible solution is to analyze each incoming and outgoing TCP packet on the BE server to see whether there are any patterns. If we can be 100% sure that a remote IP address is visiting the grid management pages according to the patterns, then we can apply IPSec to block it automatically. Although it means that IP address cannot use LSO as well, it can be sorted out by manually removing it from the black list given a promise is made not to visit again. If the promise is broken, there is no second chance for them. It is something like Damocles’ Sword.

So I made a Console Application using C# as follows.

using System;
using System.Collections.Generic;
using SharpPcap;
using SharpPcap.LibPcap;
using System.Text;
using System.Net.Mail;
using System.Diagnostics;

// Statements marked "restored" are missing from the listing as published and
// are filled in here as assumptions, using the SharpPcap 4.x and .NET calls.
namespace CA_Grid
{
    class CA_Grid
    {
        // Remote IP addresses already reported, to avoid repeated alerts
        static List<string> jsIPList;

        static void Main(string[] args)
        {
            jsIPList = new List<string>();

            var varDevices = CaptureDeviceList.Instance;

            if (varDevices.Count < 1)
            {
                Console.WriteLine("No devices were found on this machine");
                return;
            }

            Console.WriteLine("The following devices are available on this machine:");
            Console.WriteLine("----------------------------------------------------");
            Console.WriteLine();

            int i = 0;
            foreach (var varDec in varDevices)
            {
                Console.WriteLine("{0}) {1}", i, varDec.Description);
                i++;
            }

            Console.WriteLine();
            Console.Write("-- Please choose a device to capture: ");

            int varChoice = 0;
            if (!int.TryParse(Console.ReadLine(), out varChoice) || varChoice < 0 || varChoice >= i)
            {
                Console.WriteLine("The device is not valid!");
                return; // restored
            }

            ICaptureDevice varDevice = varDevices[varChoice];

            varDevice.OnPacketArrival += Device_OnPacketArrival;

            varDevice.Open(DeviceMode.Promiscuous, 1000); // restored; the filter can only be set on an open device
            varDevice.Filter = "ip and tcp";
            Console.WriteLine("-- Listening on {0}, hit 'Ctrl-C' to exit...", varDevice.Description);

            varDevice.Capture(); // restored; blocks until the capture stops

            varDevice.OnPacketArrival -= Device_OnPacketArrival;
            varDevice.Close(); // restored
        }

        private static void Device_OnPacketArrival(object sender, CaptureEventArgs e)
        {
            string varMIP = "BE Server IP Address";

            try // restored; the published listing only shows the catch
            {
                if (e == null || e.Packet == null)
                    return;

                if (e.Packet.Data == null)
                    return;

                var varPacket = PacketDotNet.Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
                if (varPacket == null)
                    return;

                if (varPacket.GetType() != typeof(PacketDotNet.EthernetPacket))
                    return;

                var varIP = (PacketDotNet.IpPacket)varPacket.Extract(typeof(PacketDotNet.IpPacket));
                if (varIP == null)
                    return;

                string varDIP = varIP.DestinationAddress.ToString();
                string varSIP = varIP.SourceAddress.ToString();

                // Only inspect responses sent by the BE server
                if (varSIP != varMIP)
                    return;

                var varTCP = (PacketDotNet.TcpPacket)varPacket.Extract(typeof(PacketDotNet.TcpPacket));
                if (varTCP == null)
                    return;

                if (varTCP.PayloadData == null)
                    return;

                var varData = Encoding.UTF8.GetString(varTCP.PayloadData);

                if (varData == null)
                    return;

                string varDPort = varTCP.DestinationPort.ToString();
                string varSPort = varTCP.SourcePort.ToString();

                // Pattern 1: any response from port 443
                bool varHTTPS = varSPort == "443";
                // Pattern 2: a gzip-compressed HTML response from port 19005
                bool varHTTP = varSPort.Contains("19005") && varData.Contains("text/html") && varData.Contains("gzip");
                if ((varHTTPS || varHTTP) && !jsIPList.Contains(varDIP))
                {
                    jsIPList.Add(varDIP); // restored; remember the address so it is reported once

                    string varWay = varHTTP ? "HTTP" : "HTTPS";
                    string varM1 = "----------------------------------------------------";
                    string varM2 = string.Format("{0}, {1}, {2}", DateTime.Now, varDIP, varWay);
                    string varM3 = "Original IP packet: " + varIP.ToString();
                    string varM4 = "Original TCP packet: " + varTCP.ToString();
                    string varM5 = "Original TCP Header: " + varData;

                    // Add the remote address to the IPSec filter list unless it is excluded
                    if (varDIP != "IP to Exclude")
                    {
                        using (var varProcess = new Process())
                        {
                            varProcess.StartInfo.FileName = "cmd.exe";
                            varProcess.StartInfo.UseShellExecute = false;
                            varProcess.StartInfo.RedirectStandardInput = true;
                            varProcess.StartInfo.RedirectStandardOutput = true;
                            varProcess.StartInfo.RedirectStandardError = true;
                            varProcess.StartInfo.CreateNoWindow = true;
                            varProcess.Start(); // restored

                            // varDIP comes from IPAddress.ToString(), so it contains only an address
                            string varCommand = "netsh ipsec static add filter filterlist=\"IP_Filter_Grid\" srcaddr=" + varDIP + " dstaddr=me protocol=TCP mirrored=No";
                            varProcess.StandardInput.AutoFlush = true;
                            varProcess.StandardInput.WriteLine(varCommand); // restored
                            varProcess.StandardInput.WriteLine("exit");     // restored
                            varProcess.WaitForExit();                       // restored
                        }
                    }

                    // restored; console output of the captured information
                    Console.WriteLine(varM1);
                    Console.WriteLine(varM2);
                    Console.WriteLine(varM3);
                    Console.WriteLine(varM4);
                    Console.WriteLine(varM5);

                    using (var varSMTP = new SmtpClient("Mail Forwarder IP Address"))
                    using (var varMail = new MailMessage())
                    {
                        varMail.From = new MailAddress("from address");
                        varMail.To.Add("my e-mail address");
                        varMail.Subject = "Unauthorised Access to Infor Grid Management Pages";
                        varMail.Body = varM1 + "\r\n" + varM2 + "\r\n" + "\r\n" + varM3 + "\r\n" + "\r\n" + varM4 + "\r\n" + "\r\n" + varM5;
                        varSMTP.Send(varMail); // restored
                    }
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex.Message); // restored
            }
        }
    }
}

SharpPcap can be downloaded from GitHub. It has two DLLs, SharpPcap for capturing packets and Packet.Net for packet analysis. WinPcap needs to be downloaded and installed on the BE server. There is no need to restart the server after installation.

The console application runs in asynchronous mode, so there is only a trivial impact on M3 performance.

The script starts with detecting all the devices first. Then it asks for a device number to listen to. Each device could be a network adapter. A filter is applied to the device for IP and TCP packets. An event to capture the packets is attached to the device. Finally the listening starts.

The event handler has the key logic.

1. Two patterns to find the visit to the grid management pages.

(1) HTTPS: The source port would be 443.

(2) HTTP: The packet contains text/html and gzip.

HTTPS communication is encrypted, so we cannot analyze the packet content. Fortunately LSO never uses the port of 443.

2. If the destination IP address is not on the white list, then it would be added to the IPSec filter list. We need to manually create an IPSec policy and an IPSec filter and action beforehand.

3. Console would output the captured information.

4. An e-mail alert would be sent with the captured information.

5. A global variable of jsIPList is used to keep the IP addresses already captured to avoid repeated alerts.

Then it works. There were three IT users from the local division who still tried to access the grid management pages on Monday as usual. Then they found they could not visit them any more, nor LSO. So far no normal users have been blocked, no matter whether they run M3 programs or download LSO from the installation web page. All of a sudden the two-year headache is gone.

If you have similar concerns to mine, I hope the above solution would give you a ride. If you have got any issues using the solution, please reply to this post or send me an e-mail at

Finally my heartfelt appreciations to all the authors on this website, as well as the author of SharpPcap and Packet.Net.
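Step 2 above says an IPSec policy, filter list and action must exist before the monitor can append addresses. The batch file below is an added example of that one-time setup, not part of the original post. Only the filter list name IP_Filter_Grid comes from the post's code; the policy, action and rule names are assumptions.

```bat
@echo off
rem Added example: one-time IPSec setup for the monitor's block list.
rem IP_Filter_Grid is the filter list name used in the post's netsh command;
rem the other three names are assumptions chosen for this example.
set FLIST=IP_Filter_Grid
set POLICY=Grid_Mgmt_Block_Policy
set ACTION=Grid_Mgmt_Block_Action
set RULE=Grid_Mgmt_Block_Rule

rem 1. Policy that will hold the blocking rule
netsh ipsec static add policy name="%POLICY%" description="Blocks hosts flagged by the Grid page monitor"

rem 2. Filter list the monitor appends one filter per flagged address to
netsh ipsec static add filterlist name="%FLIST%"

rem 3. Seed the list with a documentation-range address (192.0.2.1, RFC 5737)
rem    so the rule is never created against an empty list
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=192.0.2.1 dstaddr=me protocol=TCP mirrored=no

rem 4. Filter action that drops matching traffic
netsh ipsec static add filteraction name="%ACTION%" action=block

rem 5. Rule tying the filter list to the block action inside the policy
netsh ipsec static add rule name="%RULE%" policy="%POLICY%" filterlist="%FLIST%" filteraction="%ACTION%"

rem 6. Activate the policy on this server
netsh ipsec static set policy name="%POLICY%" assign=y

rem 7. Review what is currently blocked
netsh ipsec static show filterlist name="%FLIST%" level=verbose

rem To unblock an address later (a.b.c.d is a placeholder), run by hand:
rem   netsh ipsec static delete filter filterlist="IP_Filter_Grid" srcaddr=a.b.c.d dstaddr=me protocol=TCP mirrored=no
```

Run it once from an elevated command prompt on the BE server. Because each filter matches all TCP traffic from the address, a blocked host loses LSO as well, as the post describes.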

Grid CLI

Here is a quick peek at the Infor ION Grid command line interface (CLI).

Early days

The earliest reference I found is the following. The Grid Scripting Utility, a.k.a. Grid Script Client, a.k.a. Scripting Client, was introduced in Lawson Grid in 2011, and can control the Grid and Grid applications, e.g. start/stop the Grid and applications, as well as query the Grid for status information:

java -cp grid-core.jar;grid-ui.jar com.lawson.grid.util.ScriptingClient agentAddress agentPort -ks keystoreFileName keystorePassword command target

It does not seem to be available anymore, at least I could not find grid-ui.jar. And as per NCR 6975, “CLI tool is to be seen as a replacement for Scripting Client that has been deprecated and will be discontinued in Grid 2.0.”


In the Grid 11.1.13, there is a command line interface (CLI), a.k.a. Grid Commander:

D:\LifeCycle\host\grid\DEV\tools>java -jar grid-cli.jar


I could not find documentation about it, but here is the first set of commands:

    start                     Start the Grid
    stop                      Stop the Grid
    info                      Display Grid name, version and state
    offline                   Set Grid offline
    online                    Set Grid online

    list                      List routers

    start                     Start the specified hosts. Defaults to the local host if no host is specified
    stop                      Stop the specified hosts. Defaults to the local host if no host is specified
    list                      List all hosts in the Grid
    configureHost             Update host configuration, if the address is changed and the new address is not valid for the current host certificate the certificate will be regenerated, this command requires the grid to be stopped
    setSecondaryHost          Set secondary host, this host will get the registry and administrative router in case of the primary host becomes unavailable
    changePrimaryHost         Move Registry and Administrative router to a second host, make sure <gridname>.ks and <gridname>.pw is available in secure folder before this is performed. Also note that the secondary host configuration will be reset
    configurePrimaryHost      Reconfigure registry port and adminrouter ports and external address, only possible to run on the current primary host
    updateHttpsCertificate    Create a new HTTPS certificate for this host with a specific address, requires <gridname>.ks and <gridname>.pw to be available in secure the folder
    add                       Add a new host
    remove                    Remove a host from the Grid
    installer                 Download a host installer

    permanentlyOffline        Set a specified application or all applications permanently offline
    propertiesXml             Print application properties as XML
    permanentlyOfflineState   Print application permanently offline state
    start                     Start application
    stop                      Stop application
    list                      List application versions, started and global state
    uninstall                 Uninstall an application
    info                      Print detailed application information
    scaleOut                  Deploy the application to additional host(s)
    scaleIn                   Remove this application from host(s)
    upgrade                   Upgrade an existing application
    online                    Set an application online
    offline                   Set an application offline
    listBindings              List all bindings for a given application
    install                   Install an application
    deploymentStatus          List deployment status for a given application

    pemFormat                 Convert Java keystore to PEM format

    info                      Print details about the Grid database
    config                    Update database url, user and password

    load                      Loads a byte array property from KeyValueStore and writes it into a file
    save                      Saves a file as a byte array property in the KeyValueStore
    delete                    Delete the property for the given application and key
    listProperties            List all properties for given application and key
    listKeys                  List keys for given application
    deleteAll                 Deletes all stored data for the given application and key

    load                      Loads a byte array property from persisted data and stores it into a file
    save                      Saves a file as a byte array property into persisted data
    delete                    Delete the given property for the given application
    list                      List all properties for given application
    deleteAll                 Deletes all stored data for the given application

    log                       Print node log
    stop                      Stop a given node
    list                      Print a list of all running nodes in the Grid
    info                      Print details about a Grid node
    start                     Launch a binding on a specified host

    list                      List gar files in the repository
    clean                     Remove all non deployed gar files of a specific application type from the repository, specifying -version allows to remove gar files matching a specific version

Each tool references a grid-launch-class in the Maven POM, e.g. change-db-password:

Wait, there’s more

It seems the old script client is still available, renamed:


That was a quick peek at the Grid command line interface (CLI). It is useful for system administrators to manage the Grid as an alternative to the graphical user interface (GUI). In a previous post I was looking for a command line to install Mashups (*.mashup) onto LifeCycle Manager (LCM). But this CLI does not seem to do that, it seems to only install Grid applications (*.gar).

That’s it.

M3 Ideas, now 250 subscribers.

How to call M3 API from the Grid application proxy

Here is how to call M3 API using the MI-WS application proxy of the Infor Grid.

This is useful if we want to benefit from what is already set up in the Grid and not have to deal with creating our own connection to the M3 API server with Java library, hostname, port number, userid, password, connection pool, etc.

Note: For details on what Grid application proxies are, refer to the previous post.

MI-WS application proxy

The MI-WS application is part of the M3 Business Engine Foundation. We will need foundation-client.jar to compile our classes:

Step 1. Logon to the Grid

First, log in to the Grid from your application and get a SessionId and optionally a GridPrincipal.

From a Grid application:

import com.lawson.grid.proxy.access.GridPrincipal;
import com.lawson.grid.proxy.access.SessionController;
import com.lawson.grid.proxy.access.SessionId;

// get session id
SessionId sid = ??? // PENDING
GridPrincipal principal = ??? // PENDING;

From a client application outside the Grid:

import com.lawson.grid.proxy.access.GridPrincipal;
import com.lawson.grid.proxy.access.SessionId;
import com.lawson.grid.proxy.access.SessionProvider;
import com.lawson.grid.proxy.access.SessionUtils;
import com.lawson.grid.proxy.ProxyException;

// logon and get session id
SessionUtils su = SessionUtils.getInstance(registry);
SessionProvider sp = su.getProvider(SessionProvider.TYPE_USER_PASSWORD);
SessionId sid;
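try {
    sid = sp.logon(userid, password.toCharArray());
} catch (ProxyException e) {
    // logon failed: stop here, sid was never assigned
    throw new IllegalStateException("Grid logon failed", e);
}
GridPrincipal principal = su.getPrincipal(sid);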

Step 2. Call the M3 API

Second, call the M3 API, for example CRS610MI.LstByNumber, and get the result:

import java.util.ArrayList;
import java.util.List;
import com.lawson.grid.proxy.ProxyClient;
import com.lawson.grid.proxy.ProxyException;
import com.lawson.miws.api.MITransactionException;
import com.lawson.miws.proxy.MIAccessProxy;

// get the proxy
MIAccessProxy proxy = (MIAccessProxy)registry.getProxy(MIAccessProxy.class);

// login to M3
ProxyClient.setSessionId(proxy, sid);

// prepare the parameters
MIParameters paramMIParameters = new MIParameters();

// set the return columns
ColumnList returnColumns = new ColumnList();
List<String> returnColumnNames = new ArrayList<String>();

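// execute
MIResult result;
try {
	result = proxy.execute(paramMIParameters);
} catch (MITransactionException e) {
	// the M3 API transaction returned an error
	throw new IllegalStateException("M3 API transaction failed", e);
} catch (ProxyException e) {
	// the call through the Grid proxy failed
	throw new IllegalStateException("Grid proxy call failed", e);
}

// show the result
List<MIRecord> records = result.getResult();
for (MIRecord record: records) {
	System.out.println(record);
}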

Note: When I use ColumnList it throws$ColumnList. It appears to be a bug in that the ColumnList class is missing implements Serializable. I reported it in Infor Xtreme incident 8629267.

That’s it. Please let me know what you think in the comments below.