M3 ideas

Let’s Encrypt Infor e-Commerce

Today I setup SSL/TLS for Infor e-Commerce using Let’s Encrypt, the new free, automated, and open Certificate Authority (CA).

Topology

Infor e-Commerce (f.k.a. Movex e-Sales) is a J2EE application running on IBM HTTP Server (IHS) and IBM WebSphere Application Server (WAS), where IHS is on the DMZ and has a certificate on port 443, and where WAS is on the local network and has a certificate on port 9043. That’s two certificates.

Step 1. Backup

Backup the following IHS and WAS files in case you need to restore them:

IBM
├───HTTPServer
│   ├───conf
│   │       httpd.conf
│   │
│   └───Plugins
│       └───config
│           └───webserver1
│                   plugin-cfg.xml
│                   plugin-key.crl
│                   plugin-key.kdb
│                   plugin-key.rdb
│                   plugin-key.sth
│
└───WebSphere
    └───AppServer
        └───profiles
            └───AppSrv01
                ├───config
                │   └───cells
                │       └───Node01Cell
                │           │   security.xml
                │           │
                │           └───nodes
                │               ├───AppNode01
                │               │       key.p12
                │               │       trust.p12
                │               │
                │               └───WebNode01
                │                   └───servers
                │                       └───webserver1
                │                               httpd.conf
                │                               plugin-cfg.xml
                │                               plugin-key.crl
                │                               plugin-key.kdb
                │                               plugin-key.rdb
                │                               plugin-key.sth
                │                               server.xml
                │
                └───etc
                        clientCert.arm
                        key.p12
                        serverCert.arm
                        trust.p12

Step 2. Setup IHS on DMZ

Setup IHS on the DMZ (DNS, firewall, etc.) to serve requests on the Internet:

Step 3. Key database

Let’s verify the key database.

The public/private keys, certificate signing requests (CSR), intermediate certificates, and signed certificates are managed in the IBM key database file format (KDB). Apparently, that format does not allow importing private keys that are created externally (e.g. with OpenSSL or EFF’s Certbot), so we must create them internally using either the IBM Key Management tool (iKeyman), the WAS admin console, or the gsk7cmd command. I will use iKeyman.

Find the latest version of iKeyman (there are several versions of iKeyman throughout IHS and WAS); use version 8.0.399 or later for the most recent cryptographic properties (e.g. SHA256):
C:\IBM\HTTPServer\Plugins\bin\ikeyman.bat
Open the default plugin key database:
C:\IBM\HTTPServer\Plugins\config\webserver1\plugin-key.kdb

The default password is WebAS. You can recover a lost password by calculating the stash (plugin-key.sth) XOR 245, or you can create a new key database from scratch.
Ensure the Signer Certificates contains the same signer certificates as the WAS default trust store (e.g. datapower and root); compare by fingerprints. They should already be there; otherwise, extract them from the WAS admin console, and add them to the key database. That will allow IHS to trust WAS over SSL:

Step 4. Generate key pair + CSR

Let’s generate a public/private key pair and CSR.

In iKeyman, delete the default personal certificate:
Create a new key pair and CSR with the FQDN and cryptographic properties of your choice, leave the email address blank or certbot will throw an error, and save to some temporary file (e.g. certreq.arm):
The result is a new public/private key pair in the key database (plugin-key.kdb) and a new CSR in PKCS#10 format (certreq.arm):

Step 5. Submit CSR to Let’s Encrypt

Let’s submit the CSR to Let’s Encrypt and get a signed certificate in return.

In the ACME protocol, the Let’s Encrypt servers will issue a set of challenges, and our web server must respond correctly to prove ownership of the domain. Normally, it is all automated, but there is no certbot plugin for IHS, so I will use the manual plugin. And because I have not yet tried an ACME client for Windows, I will use certbot on my Linux virtual machine.

Execute certbot with the CSR as input:
certbot certonly --manual --csr ~/certreq.arm
Enter your email address, accept the Terms of Service, enter the domain name, and select Yes to log your IP address. It will present a challenge (a signed nonce):
Create the specified file with the specified content at the specified path:
C:\IBM\HTTPServer\htdocs\.well-known\acme-challenge\
Test the URL over the Internet (the Let’s Encrypt servers will request it):
Back in certbot, press ENTER to complete the domain validation:
The result is a signed certificate, intermediate chain, and full chain:
```
0000_cert.pem
0000_chain.pem
0001_chain.pem
```

Step 5bis. Submit CSR to another CA

If you prefer, you can skip Let’s Encrypt, and submit the CSR to another CA of your choice (Verisign, Thawte, GoDaddy, Comodo, etc.).

Step 6. Add the certificate

Let’s receive the signed certificate into the key database.

In iKeyman > Personal Certificates, receive the certificate 0000_cert.pem:
Extract the Let’s Encrypt root certificate from one of the chains (e.g. with OpenSSL), or download it directly from IdenTrust at DST Root CA X3, and save it to a temporary file somewhere (e.g. dst_root.pem).
In Signer Certificates, add the intermediate certificate 0000_chain.pem (Let’s Encrypt Authority X3), and the root certificate dst_root.pem (DST Root CA X3):
Copy the key database files to WAS:
C:\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\Node01Cell\nodes\Node01\servers\webserver1\

Step 7. SSL in IHS

Let’s enable SSL in IHS.

Open the IHS configuration file in a text editor (e.g. Notepad):
```
C:\IBM\HTTPServer\conf\httpd.conf
```

Add the following directives:

ServerName example.com
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
KeyFile C:\IBM\HTTPServer\Plugins\config\webserver1\plugin-key.kdb
SSLStashFile C:\IBM\HTTPServer\Plugins\config\webserver1\plugin-key.sth
Listen *:443
<VirtualHost *:443>
SSLEnable
SSLProtocolDisable SSLv2 SSLv3
SSLServerCert default
</VirtualHost>
SSLDisable

Add the following to redirect all HTTP traffic to HTTPS; it is required for at least the login page, password change, credit card, XML Gateway, and a few other sensitive pages; it is optional for the rest:
```
LoadModule rewrite_module modules/mod_rewrite.so
RewriteEngine on
RewriteCond %{SERVER_PORT} =80
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
```

Copy httpd.conf to WAS:

C:\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\Node01Cell\nodes\Node01\servers\webserver1\httpd.conf

Step 8. SSL in WAS

Let’s enable SSL in WAS.

Ensure the default key store has a personal certificate signed by the signer certificates verified earlier:
Set the default SSL configuration to use that server certificate (default):

WAS will not have the Let’s Encrypt certificate, but that’s OK for now.

Step 9. Backup + restart

Backup the files, and restart IHS and WAS.

Result

The result is that the browser now trusts the site:

Limitations

Let’s Encrypt does not provide Extended Validation (EV) certificates.

Future work

Use an ACME client for Windows
Automate the manual steps
Setup certificate renewal
Setup certificate revocation
Setup the new certificate in WAS too
Setup WAS for remote web server management
Replace IHS with nginx

Conclusion

That was my setup of SSL/TLS for Infor e-Commerce using Let’s Encrypt as the certificate authority. In a next post, I would like to setup the certificate in WAS too and setup automatic certificate renewal.

That’s it! Please like, comment, subscribe, share, contribute.

#TBT

Throwback Thursday

In 2007, I had made a mockup video suggesting to capture fields of an M3 panel for reuse where needed, e.g. in an M3 search engine. My idea came from a suggestion by Daniel Rasmussen in the days of Movex Workplace in 2003 to right-click and M3 program and convert it to IBrix (unfortunately that idea was never implemented). Soon thereafter, the product development team implemented Capture Mode in Smart Office Mashup Designer (likely a timely coincidence unrelated to either suggestion above).

Mockup capture:

Mashup Designer Capture Mode:

Infor e-Commerce XML Gateway

Here is my first test of the Infor e-Commerce XML Gateway.

It is something like https://example.com/infor-ecom/common/gateway.jsp?user=u&password=p&object=o&method=m&request=r

About

The XML Gateway is an API in Infor e-Commerce, for third-party software to make requests to e-Commerce, e.g. to create an order, to get an invoice, or to delete an item. The requests are XML documents, in the proprietary IdealXML schema, sent to e-Commerce over HTTP, targeting the e-Commerce Business Objects and methods.

History

The XML Gateway has existed since the early days of Ideal Seller and e-Sales about 20 years ago:

License

The current part number is M3C-SGX Infor e-Commerce B2B XML Application Adapter:

Is MEC required? No.

Despite what the Infor sales and documentation say, Infor ION, Infor M3 Enterprise Collaborator (MEC), and the e-Commerce Extension for MEC, are NOT required to use the XML Gateway; the XML Gateway is built-in e-Commerce. MEC is suggested for it provides useful features such as development tools, transaction management, persistence, XML transformation, connection pooling, logging, monitoring, management, etc. Apart from that, you can use any other software that does XML over HTTP. Besides, if you were to use MEC, it would have to be the ancient version 9.0.4.0 which is probably not compatible with the MEC you already have for M3:

Documentation

There is some documentation available. The greatest amount of information is located in the Infor e-Commerce Development Studio User’s Guide, and there is some in the Developer’s Guide, Administration Guide, and Configuration Guide for Infor ION:

Business Objects

The business objects and methods of the XML Gateway are listed in the Business Center at Gateway > Requests:

The code is automatically generated from the e-Commerce Development Studio, e.g. Business Object Item and method GatewayDetails to get the details of an item by input parameter ItemID:

Source code

For the curious of us, we can peak at the source code.

The source code starts at /infor-ecom/src/common/gateway.jsp and includes the automatically generated JSP fragment Gateway.jspf:

And the e-Commerce Java library common-10.0.0.jar includes the class com.intentia.iec.businessobject.input.XMLRequest which parses the XML input:

That is sufficient to start peaking at source code.

Furthermore, the e-Commerce Extension for MEC ecom-extension-9.0.0.jar includes the class com.intentia.iec.meci.http.HttpRequester which sends the HTTP request:

And the ION Connector’s MEC Custom Channel iecprotocol-2.0.0.jar includes the class com.intentia.ec.channel.IECGateway which also sends an HTTP request:

Samples

There are sample XML requests in the proprietary IdealXML schema located at C:\Program Files (x86)\Infor\Infor e-Commerce 14.9.1.0\XML Sample Documents\IdealXML 2.0\:

XSD

The XML requests are validated with the proprietary IdealXML Schema located at Infor e-Commerce Development Studio\Infor e-Commerce Extension for Enterprise Collaborator\dist\e-Commerce\request.xsd:

The Development Studio User’s Guide has a chapter The iXML document format.

XSLT? No.

The latest version of the XML Gateway does NOT provide XSL Transformation (XSLT); it may have been included in the early versions when it was ASP, not anymore. You can easily develop a proxy JSP that does XSLT and that forwards the request to gateway.jsp. I will explore this in a future post. Otherwise, if you use MEC and the e-Commerce Extension for MEC, you can do XSLT in MEC as usual.

Setup

To setup the XML Gateway:

Enable the desired Business Object Method (they are all enabled by default), e.g. Item.GatewayDetails:

In the desired Role (e.g. I created role Third-party software), select the Feature Element Gateway User:

In the desired User B2B, select that role:

Still, I am not able to reproduce the setup for another user, and I do not know why.

HTTP request

The HTTP request is of the form:

POST https://example.com:443/infor-ecom/common/gateway.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: example.com:443
Content-Length: 123

user=u&password=p&object=o&method=m&request=r

Where:

I recommend HTTPS (secure), not HTTP (insecure).
The scheme, hostname and port number are those of your e-Commerce, e.g. https://example.com:443.
The method can be either GET (with the parameters in the URL) or POST (with the parameters in the request body), but I advise against GET because the user and password would be in the URL, and nodes along the way may store the URL in clear text in the logs; I recommend POST instead.
The URL path is /infor-ecom/common/gateway.jsp
The media type is application/x-www-form-urlencoded
The input parameters user and password are for authentication. Note: the XML Gateway does not accept HTTP Basic authentication.
The input parameters object and method are for the business object.
The input parameter request is the entire <IdealXML> content.
All parameters must be URL-encoded.

Test

For my test, I will call Item.GatewayDetails to get the details of item 9412-0111:

Here is the corresponding IdealXML that I created from the sample XML:

<?xml version="1.0" encoding="UTF-8"?>
<idealXML version="2.0" id="Thibaud test">
   <commands>
      <command>
         <request>
            <params>
               <param name="@LanguageCode">en</param>
            </params>
            <search>
               <bindings operand="or">
                  <bindings operand="and">
                     <binding attribute="ItemID" value="9412-0111" operator="eq"/>
                  </bindings>
               </bindings>
            </search>
         </request>
      </command>
   </commands>
</idealXML>

Notes:

I removed the <login> and <password> from the <credential> as they are ignored.
I removed the <command>’s name and method attributes as they are ignored.

Result

Here is the result in raw and parsed view:

The XML response is the following, successful, with the requested item details:

<?xml version="1.0" encoding="UTF-8"?>
<resultset object="Item">
   <row Description="For ITRAN GE BLACK INKJET CART 10/CTN" GroupCode="OE" GroupName="Impact Inking" IsActive="Y" IsDangerous="0" IsEmphasized="N" ItemCode="normal" ItemCodeID="normalItemCode" ItemField1="WELLS FARG" ItemField2="201502861.00" ItemField3="" ItemField4="12/99" ItemField5="Y" ItemID="9412-0111" Key="8685" MainCategoryID="59052" MinimumQty="0.0000" ModularQty="0.0000" Name=" INK JET EQUIPMENT" SupplierID="" UnitCodeID="CTItemUnit" Weight="2.4940">
      <Category CategoryID="59052" CategoryName=" INK JET EQUIPMENT" InternalName=" INK JET EQUIPMENT (59052)"/>
      <Text Description="For ITRAN GE BLACK INKJET CART 10/CTN" LanguageID="de" Name=" INK JET EQUIPMENT"/>
      <Text Description="For ITRAN GE BLACK INKJET CART 10/CTN" LanguageID="en" Name=" INK JET EQUIPMENT"/>
      <Text Description="For ITRAN GE BLACK INKJET CART 10/CTN" LanguageID="fr" Name=" INK JET EQUIPMENT"/>
      <Text Description="For ITRAN GE BLACK INKJET CART 10/CTN" LanguageID="it" Name=" INK JET EQUIPMENT"/>
   </row>
</resultset>

Troubleshooting

For troubleshooting:

Inspect the HTTP response headers that indicate either success:

XMLGatewayStatusCode: 200
XMLGatewayMessage: OK

Or an error:

XMLGatewayStatusCode: 401
XMLGatewayMessage: Login failed

XMLGatewayStatusCode: 403
XMLGatewayMessage: Access to requested object or method not allowed

XMLGatewayStatusCode: 500
XMLGatewayMessage: Internal error while executing Gateway method

The Development Studio User’s Guide has a chapter Gateway error messages, with codes, but the codes do not match this.

It is better to look in the logs at C:\IBM\WebSphere\AppServer\profiles\AppSrv01\logs\server1\SystemOut.log:

Problems

The user and password are echoed in clear text in the logs, it is insecure:
The XML Gateway accepts requests over plain HTTP (instead of HTTPS) even though the request contains the user and password and other private data in clear text, it is insecure.

Future work

Force HTTPS (secure) by default, disable HTTP (insecure).
Do XSL transformation (XSLT).
Finish reproducing the setup.
Try the e-Commerce Extension for MEC.
Try the WSDL and the Infor e-Commerce Web Service Specifications for Synchronous Calls.
Try other Business Objects and methods.
Try custom Business Objects and methods.
Understand more about the bindings.

Conclusion

That was my first test of the XML Gateway in Infor e-Commerce, for third-party software to make requests to e-Commerce, e.g. to place an order or get the details of an item. I have more work to do if I want to master the XML Gateway.

That’s it!

Please like, comment, subscribe, share, participate.

Subversion in Infor e-Commerce Development Studio

Here is an illustration of how to setup Apache Subversion for source control in Infor e-Commerce Development Studio, such that multiple developers can work on the same e-Commerce project at the same time, for team development.

Problem

The problem is that by design an Eclipse workspace cannot be shared, i.e. there can only be one developer using a workspace at a time, others will get the message “Workspace in use or cannot be created, choose a different one”:

Small teams can setup multiple workspaces, one per team member, share the same source code, and mutually agree on which non-overlapping files to work on, being careful to not touch each other’s files. This is workable in small teams, but is not scalable for large teams or inexperienced team members as there is risk of data loss.

The correct solution is to setup source control software to manage that.

Objective

Supposing there a N team members doing e-Commerce development, we will setup one Subversion server & repository, and N e-Commerce Development Studios & workspaces all using the same Subversion repository. In my case, there are three developers, Thibaud, Chris, and Madan, thus I will setup three workspaces to use the same Subversion respository.

Documentation

There is a dedicated chapter in the Infor e-Commerce Development Studio User’s Guide:

Even better, there is a dedicated document in the M3 Adaptation Kit Version Control Guide, not for e-Commerce, but similar setup:

What about Git?

I wish I could use Git, instead of Subversion. I believe Git would work for e-Commerce just as well as Subversion does. The e-Commerce Development Studio requires Subclipse during installation; I could install Subclipse just to surpass that, then ignore it, and install Git. However, I asked Infor Support if Git would work with e-Commerce, and they responded it has not been tested and certified to completely work, and should problems arise due to an effect from using Git, they cannot provide support for it. So I will skip Git for now, and I will try it another time.

1. Subversion server

Install a Subversion server of your choice (e.g. Apache Subversion, TortoiseSVN, VisualSVN):

Create the users (e.g. THIBAUD, CHRIS, MADAN):

Create a new repository, and save the Repository URL in your notes:

Schedule a regular backup of the repository, e.g.:

The Subversion repository is now ready to host the e-Commerce projects.

2. Bootstrap

Choose one user (e.g. Thibaud) to bootstrap the e-Commerce projects (e.g. B2C and B2B) to the Subversion repository for the rest of the team (e.g. Chris, Madan).

I make the assumption that the Eclipse workspace is private (non-shared), e.g. C:\Users\THIBAUD\workspace\ , that it already has the e-Commerce Development Studio fully setup, and that the e-Commerce projects (e.g. B2C, B2B) are fully setup (see previous post):

Note 1: If the projects are in a shared workspace, e.g. C:\e-Commerce\workspace\, and you want to move them to the private workspace, simply cut and paste the project folder from the shared workspace to the private workspace.

Note 2: Don’t make a duplicate (copy) of a project, because after we bootstrap the project to the Subversion repository, any duplicate of that project would be out of reach of Subversion and deprecated.

Go to Eclipse > Window > Open Perspective > SVN Repository Exploring, create new Repository Location, and enter the URL of the Subversion repository created earlier, with the username and password of the workspace’s user (e.g. THIBAUD):

For each project (e.g. B2C, and B2B), do the following:

Select > Team > Share Project:

Select repository type SVN:

Use existing repository location:

Change folder to trunk:

Enter a commit comment, e.g. Initial import:

Wait for the synchronization to finish:

Select Team > Commit:

Select everything except the following files and folders, and enter a commit comment, e.g. Initial commit:
extensions/businessobjectmethods.jar src/com/ businessobject_timestamps.txt

Wait for the SVN Commit to finish:

Each file now has a revision number, date, and author:

Verify in Team > Show history:

Verify the repository in the Subversion server:

The project is now ready for the rest of the team to checkout.

Repeat for each project (e.g. B2C, B2B).

3. Other team members

Now we can setup the Eclipse workspaces and projects for the rest of the team (e.g. Chris, Madan).

Regarding the Eclipse IDE itself, you can choose to use a private install for each user, a shared install for all users, or a shared configuration, see the Eclipse multi-user installs.

I make the assumption that each user has the e-Commerce Development Studio fully setup, with a private workspace, e.g. C:\Users\CHRIS\workspace\ , and with no e-Commerce project (e.g. no B2C, B2B), like so:

Setup the SVN Repository for this user and password (e.g. CHRIS):

Expand the trunk, and checkout the projects (e.g. B2C, B2B):

Leave the default values and click Next:

Leave the default workspace and click Finish:

Wait for the SVN Checkout to finish:

Verify the result:

Select the Active project:

Go to Business Objects tab, click Generate Stub Codes, and wait for it to finish:

That will create the files:
extensions/businessobjectmethods.jar src/com/ businessobject_timestamps.txt

If not, you may have to clean, re-build, and/or refresh the project.

This team member’s environment is now all set.

Repeat for each remaining team member.

4. Everyday development

For everyday development:

Set the Active Project as usual:

Select Team > Update to HEAD to update the project with the latest changes of everyone else:

Make the changes you need to any of the files (e.g. JSP, CSS, HTML), and save your changes:

Deploy the application or presentation as needed:

Test your changes in e-Commerce as usual:

Repeat as needed: make changes, deploy, test.

When done, select the files you modified, select Team > Commit, and enter a comment of your changes; ensure you select only the files you changed, nothing else:

Verify in the SVN Repository > Show History.

Now, when the other team members select Team > Update to HEAD, they will see your changes in their workspace.

Future work

Next time, I would like to try with Git instead of Subversion.

Conclusion

That was an illustration of how to setup Subversion in e-Commerce for a team to work on the same project at the same time. The first user bootstraps the project to the Subversion repository, and the other users checkout that project from the repository.

Special thanks to Wayne Liu of Infor and Marina Baldan of CAD IT for the help.

That’s it!

Please like, comment, subscribe, share, author.

Relate articles

OCI PunchOut in Infor e-Commerce

Here is my first test of Open Catalog Interface (OCI) in Infor e-Commerce.

About OCI

OCI is a standard from SAP from around year 1999:

It competes with the cXML standard from Ariba also from around year 1999.

I will use OCI for PunchOut with e-Commerce, i.e. for a buyer to place an order in a seller’s e-Commerce, and retrieve the order in the buyer’s system (e.g. SAP, PeopleSoft).

Documentation

Infor e-Commerce supports OCI out of the box. Unfortunately, the documentation is meager, and when Infor acquired Lawson they removed the examples and screenshots of all documentation:

Thankfully, the old Lawson documentation still has examples and screenshots:

If we are familiar with Infor e-Commerce and OCI, and if we have the old documentation, we can figure it out.

1. Configuration for seller

Let’s configure the seller’s e-Commerce B2B, with role, customers, and users.

One time only, go to Business Center > Roles, select the desired role (e.g. Reseller), enable the Feature Element OCI Capable, and click Save:

For each customer, go to Business Center > Customers B2B > select a customer (e.g. 66045), and in the Customer Details > OCI Agreement, enter the Agreement Name/Description, Valid From/To, and Contact Person Buyer/Seller, and click Save:

For each user of each customer, go to Business Center > Users B2B, select the user (e.g. Thibaud), and in User Details > User Roles, enable the OCI Capable role (e.g. Reseller), and click Save:

2. Configuration for buyer

Setup the buyer’s OCI software (e.g. SAP, PeopleSoft) to launch e-Commerce with the URL in the following format:

https://seller.com/infor-ecom-b2b/cc/Default2.jsp?@user.userid=tlopezschneider%40ciber.com&@user.password=Password123&reqpage=ItemList.jsp&HOOK_URL=https%3A%2F%2Fbuyer.com%2FOCI

Where:

https://seller.com/infor-ecom-b2b/cc/ is the base URL to Infor e-Commerce B2B Customer Center (replace the host, port, and path as needed). I had tried the B2C URL, but the reqpage had no effect, it only worked with the B2B URL.
Default2.jsp is the e-Commerce OCI page
@user.userid is the e-Commerce userid
@user.password is the e-Commerce password
reqpage=ItemList.jsp is the e-Commerce parameter to request the Item List landing page
HOOK_URL is the buyer’s OCI URL that will receive the e-Commerce order (ask the buyer for that URL), e.g. https://buyer.com/OCI

As usual, the parameter values must be URL-encoded in the URL.

That URL will launch e-Commerce, will authenticate the user, and will land the user in the items page, ready for the user to place an order.

3. Place an order

The user launches e-Commerce using the URL configured above (e.g. from SAP, PeopleSoft), the URL will authenticate the user to e-Commerce, and land directly in the e-Commerce items list:

Add items to the shopping cart as usual, go to View cart & checkout. Then, click Retrieve Order, it is a new button for the OCI Capable role:

At that moment, e-Commerce will logout, and will send the order to the buyer’s sytem by making an HTTP POST request to the specified HOOK_URL with the order details as x-www-form-urlencoded name/value parameters in the body:

Verify the order on the buyer’s system (e.g. SAP, PeopleSoft). That completes the process flow.

OciTestPage.jsp

There is a page OciTestPage.jsp that you can use in HOOK_URL for testing purposes:

But it seems to have a few problems in my environment, and I kept getting an HTTP 302 re-direct to the home page, so I had to fix a few things:

The parameter NEW_ITEM-VENDORMAT had an incorrect index, I had to correct it manually from [2] to [0].
It did not work with my User B2B Thibaud, it says “You are currently not authorized to see the requested page. Please login and try again.” I had to switch to admin, I must be missing a Role.
I had to force the parameter retrieveorder to any non-null value.
There is a parameter ocirul which I do not know how to use.

Future work

OCI does not support edit and cancel operations of requisition orders, unlike cXML, so I must find a workaround.
Most OCI implementations have customized tweaks, deviating from the standard, so I have to find the source code for OCI in e-Commerce, and see if I can modify it accordingly.

Conclusion

That was my first test of OCI in Infor e-Commerce for a buyer to PunchOut to a seller.

Special thanks to Wayne Liu and Karl Bonne at Infor for the help.

That’s it!

Please like, comment, subscribe, share, author.

How to install Infor e-Commerce Development Studio

Here is an illustrated guide on how to install Infor e-Commerce Development Studio.

History

Infor e-Commerce is the B2C and B2B solution for Infor M3. Here is some history I found from the archives. The product was started by Danish-based Catalog-International in 1997, which was acquired by Swedish-based Intentia International in 2002, which was acquired by US-based Lawson Software in 2005, which was acquired by Infor in 2011. Over the years, it has survived many cycles of re-branding, refactoring, re-integration, and feature changes. Its various names have been: Ideal Commerce Suite (Ideal Seller & Ideal Procurement), Movex e-Sales, Lawson e-Sales, Infor e-Commerce, and now Infor Rythm on Infor CloudSuite. The Development Studio is the current plugin for Eclipse to develop for e-Commerce. It is loosely inherited from the old Cat@log Builder and ide@l Design Center.

Documentation

You can download the documentation from Infor Xtreme > Search > Browse Documentation > Show All Product Lines > Infor e-Commerce:

I will follow the Infor e-Commerce Development Studio Installation Guide and User’s Guide. They do not have screenshots, so I will show you screenshots here:

I will assume the Infor e-Commerce server is already installed and setup with the SQL Server database, IBM WebSphere Application Server (WAS), and IBM HTTP Server (IHS). I will install e-Commerce Development Studio version 14.9.1.0 on a Windows x64. There are strict system requirements for ancient versions of software.

1. Java Development Kit

Install the Java SE Development Kit (JDK) version 1.6.0_45. Set the environment variables JAVA_HOME and PATH:

2. Eclipse IDE

Install Eclipse IDE for Java EE Developers version 3.7.1:

Note: I had used the lasted Eclipse version 4.6, but e-Commerce Development Studio threw an error during installation, and I resolved it by reverting to the old Eclipse version 3.7.1:
Missing requirement: DesignCenter Plug-in 1.0.0 (com.lawson.eap.designcenter 1.0.0) requires 'bundle org.eclipse.core.runtime.compatibility 3.2.100' but it could not be found

To install Eclipse, simply download and unzip, e.g. C:\e-Commerce\eclipse\ :

Then, launch Eclipse, and select a workspace, e.g. C:\Users\X\workspace\ :

You can verify the result in Eclipse > About:

Change the Eclipse > Preferences > Java > Compiler, to JDK compliance 1.6:

By default it uses default JDK compliance 1.2, but then e-Commerce will throw compilation errors:
The return type is incompatible with AbstractSelectComponent.getResultset

3. Subclipse plugin

Install the Subclipse plugin version 1.8.x for Eclipse, even if you will not use it:

Note: If you do not install Subclipse – for instance if you want to install Git instead – e-Commerce Development Studio will throw an error during installation:
Missing requirement: DesignCenter Plug-in 1.0.0 (com.lawson.eap.designcenter 1.0.0) requires 'bundle org.tigris.subversion.subclipse.core 1.6.18' but it could not be found:

Note: I used the latest Subclipse version 4.2.x, but Eclipse threw an error, and I resolved it by reverting to the old Subclipse version 1.8.x:
Subclipse talks to Subversion via a Java API that requires access to native libraries. Those libraries were either not found or an incompatible version was loaded.

4. e-Commerce Development Studio plugin

Download the Infor e-Commerce Development Studio plugin from Infor Xtreme > Downloads > Products > Customer Relationship Management > Infor e-Commerce:

Unzip the download, and install the plugin:

Verify the installation details:

In Window > Open Perspectives, select the Infor e-Commerce Development Studio perspective:

e-Commerce Development Studio is ready to be used.

5. Infor Application Installer (IAI)

Install the Infor Application Installer (IAI):

Note: I had an error earlier because of the missing JDK in the PATH:

Select Install IAI:

Find the WAS folder on your e-Commerce server, e.g. C:\IBM\WebSphere\AppServer\ :

In IAI, click Browse, and select the WAS folder. IAI will automatically find the profile (e.g. AppSrv01), cell name (e.g. Node01Cell), node name (e.g. Node01), and internal server name (e.g. server1). Set the Admin login name and password, and click Start:

You can verify the installation log in the temp folder, e.g. C:\Users\X\AppData\Local\Temp\Y\install-iai\ :

You can verify the resulting installation folder, e.g. C:\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\WIN-70T65OKA2OJNode01Cell\Publish.ear\ :

You can verify the IAI About page, e.g. http://localhost:9080/publish/About :

The Application Installer is now ready to deploy e-Commerce applications.

6. New Application

Back in Eclipse, select File > New > New Registered Application:

Enter a Project Name and Application Name, e.g. infor-ecom:

It will create the new project, and it will automatically build the workspace and generate the file businessobjectmethods.jar, wait for it to finish:

Whenever a timestamp changes in the project, e-Commerce Development Studio will re-build the project, and it can be time consuming and frustrating. To avoid waiting unnecessarily, un-check the Project > Build Automatically, and remember to manually Build Project before deploying:

Go to menu Infor e-Commerce Development Studio > Set Active Project, and select the project:

Go to menu Infor e-Commerce Development Studio > Deployment Settings, and enter the Deployment Target Properties, with Web Server Name as defined in WAS:

Go to tab Data Sources > MS SQL Server > sqlserver > right-click > Connection, and add a new connection, with the e-Commerce database information:

The e-Commerce application is now ready to be deployed.

7. Deploy

Build the Project, and wait for the build to finish.

In the menu Infor e-Commerce Development Studio, select Deploy Application:

The e-Commerce application is now deployed on WAS, and ready to use. There is no need to restart WAS.

8. Result

Test the resulting e-Commerce application.

Customer Center:
http://localhost:9080/infor-ecom/cc

Busines Center:
http://localhost:9080/infor-ecom/bc

We now have a working e-Commerce Development Studio, project, and website to develop with.

9. Everyday development

For everyday development:

We can now modify the JSP, CSS, HTML, and other files in the src folder, re-build the project, and re-deploy as needed:

It is quicker to deploy just the presentation, either bc, cc, or common, depending on where we modified the files, rather than re-deploying the entire application:

Remember to set the active project again after each time you exit Eclipse.

Future work

In future work, I would like to:

Setup a B2B application (it involves swApp.vbs), in addition to the default B2C
Setup a team environment with Subversion for multiple developers to collaborate on the same e-Commerce application at the same time without overriding each other.
Setup logging, troubleshooting, and Java debugging for e-Commerce.
Deploy multiple applications on the same WAS.
Develop JSP that call Business Objects.
Use the XML Gateway.
Use Git instead of Subversion.
Set the Active Project by default.

Conclusion

That was a guide on how to install Infor e-Commerce Development Studio, with lots of illustrations to compensate for the lack of screenshots from the Infor documentation. e-Commerce Development Studio relies on many standards (J2EE, Eclipse, Subversion, etc.), as such it is familiar territory to install. But it requires ancient versions of its software requirements that if not met will cause errors. And the mystery of the e-Commerce Development Studio’s automatic build, at unexpected times, and lengthy, is a known frustration.

That’s it!

Please like, comment, share, subscribe, and come author with us.

M3 Infor Enterprise Search – Search query examples V2

Infor published a new version of the Search query examples document for
M3 Infor Enterprise Search (IES) available on the Knowledge Base at KB 1687355.

IES is an important part of M3 to increase user productivity, like a Google Search for M3.

Here are the topics of the document:

Simple search
Advanced search
Search including reserved words
M3 IES usage through API calls
Multi level key search
Very advanced search queries
Lucene references

Here is a sample screenshot of the document:

See the document at KB 1687355.

Thank you Magnus.

SFTP in MEC

Infor M3 Enterprise Collaborator (MEC) now includes support for SSH FTP (SFTP), a secure file transfer protocol.

FTP vs. PGP vs. SFTP vs. FTPS

Plain FTP does not provide security properties such as confidentiality (against eavesdropping) and integrity (against tampering). FTP provides authentication, but it is plain text. As such, plain FTP is insecure and strongly discouraged.

Even coupled with PGP file encryption and signature verification to protect the contents of the file, the protocol, the credentials, the files and the folders are still vulnerable.

On the other hand, SFTP provides secure file transfer over an insecure network. SFTP is part of the SSH specification. This is what I will explore in this post.

There is also FTPS (also known as FTP-SSL and FTP Secure). Maybe I will explore that in another post.

MEC 9.x, 10.x, 11.4.2.0

If you have MEC 11.4.2.0 or earlier, your MEC does not have full built-in support for SFTP or FTPS. I found some traces in MEC 10.4.2.0, 11.4.1 and 11.4.2. And I was told that support for SFTP was made as a plugin sort of, in some MEC 9.x version; maybe they meant FTPS. Anyway, if you are handy, you can make it work. Or you can manually install any SFTP/FTPS software of your choice and connect it to MEC. Do not wait to secure your file transfers.

MEC 11.4.3.0

MEC 11.4.3.0 comes with built-in support for SFTP, and I found traces of FTPS. Unfortunately, it did not yet ship with documentation. I was told a writer is documenting it now. Anyway, we can figure it out by ourselves. Let’s try.

Here are the release notes:

In Partner Admin > Managed > Advanced, there are two new SFTP channels, SFTPPollIn and SFTPOut, which are SFTP clients:

By looking deeper at the Java classes, we find JCraft JSch, a pure implementation of SSH2 in Java, and Apache Commons VFS2:

SFTPOut channel

In this post, I will explore the SFTPOut channel in MEC which is an SFTP client for MEC to exchange files with an existing SFTP server.

Unit tests

Prior to setting up MEC SFTPOut, we have to ensure our MEC host can connect to the SFTP server. In my case, I am connecting to example.com [11.22.33.44], on default port 22, with userid mecuser, and path /outbound. Contact the SFTP server administrator to get the values, and eventually contact the networking team to adjust firewall rules, name servers, etc.

Do the basic networking tests (ICMP ping, DNS resolution, TCP port, etc.):

Then, do an SSH test (in my example I use the OpenSSH client of Cygwin). As usual with SSH TOFU, verify the fingerprint on a side channel (e.g. via secure email, or via phone call to the administrator of the SFTP server assuming we already know their voice):

Then, do an SFTP test:

Optionally, compile and execute the Sftp.java example of JSch. For that, download Ant, set JAVA_HOME and ANT_HOME in build.bat, set the user@host in Sftp.java, and execute this:build.bat javac -cp build examples\Sftp.java java -cp build;examples Sftp

Those tests confirm our MEC host can successfully connect to the SFTP server, authenticate, and exchange files (in my case I have permissions to put and retrieve files, not to remove files).

Now, we are ready to do the same SFTP in MEC.

Partner Admin

In Partner Admin > Manage > Communication, create a new Send channel with protocol SFTPOut, hostname, port, userid, password, path, filename, extension, and other settings:

I have not yet played with all the file name options.

The option for private key file is for key-based client authentication (instead of password-based client authentication). For that, generate a public/private RSA key pair, for example with ssh-keygen, and send the public key to the SFTP server administrator, and keep the private key for MEC.

The button Send test message will send a file of our choice to that host/path:

The proxy settings are useful for troubleshooting.

A network trace in Wireshark confirms it is SSH:

Now, we are ready to use the channel as we would use any other channel in MEC.

Problems

The SFTPOut channel does not allow us to verify the key fingerprint it receives from the SFTP server. Depending on your threat model, this is a security vulnerability.
There is a lack of documentation (they are working on it)
At first, I could not get the Send test message to work because of the unique file name (I am not familiar with the options) and the jzlib JAR file (see below).
MEC is missing JAR file jzlib, and I got this Java stacktrace:com.jcraft.jsch.JSchException: java.lang.NoClassDefFoundError: com/jcraft/jzlib/ZStream at com.jcraft.jsch.Session.initDeflater(Session.java:2219) at com.jcraft.jsch.Session.updateKeys(Session.java:1188) at com.jcraft.jsch.Session.receive_newkeys(Session.java:1080) at com.jcraft.jsch.Session.connect(Session.java:360) at com.jcraft.jsch.Session.connect(Session.java:183) at com.intentia.ec.communication.SFTPHandler.jsch(SFTPHandler.java:238) at com.intentia.ec.communication.SFTPOut.send(SFTPOut.java:66) at com.intentia.ec.partneradmin.swt.manage.SFTPOutPanel.widgetSelected(SFTPOutPanel.java:414)
I was told it should be resolved in the latest Infor CCSS fix. Meanwhile, download the JAR file from JCraft JZlib, copy/paste it to the following folders, and restart MEC Grid application and Partner Admin:MecMapGen\lib\ MecServer\lib\ Partner Admin\classes\
Passwords are stored in clear text in the database, that is a security vulnerability yikes! SELECT PropValue FROM PR_Basic_Property WHERE PropKey='Password' . I was told it should be fixed in the Infor Cloud branch, and is scheduled to be merged back.
With the proxy (Fiddler in my case), I was only able to intercept a CONNECT request, nothing else; I do not know if that is the intention.
In one of our customer environments, the SFTPOut panel threw:java.lang.ClassNotFoundException: com.intentia.ec.partneradmin.swt.manage.SFTPOutPanel

Future work

When I have time, I would like to:

Try the SFTPPollIn channel, it is an SFTP client that polls an existing SFTP server at a certain time interval
Try the private key-based authentication
Try SFTP through the proxy
Try FTPS
Keep an eye for the three fixes (documentation, jzlib JAR file, and password protection)

Conclusion

This was an introduction about MEC’s support for SFTP, and how to setup the SFTPOut channel for MEC to act as an SFTP client and securely exchange files with an existing SFTP server. There is more to explore in future posts.

Please like, comment, subscribe, share, author. Thank you.

UPDATES 2017-01-13

Corrected definition of SFTPPollIn (it is not an SFTP server as I had incorrectly said)
Added security vulnerability about lack of key fingerprint verification in MEC SFTPOut channel
Emphasized the security vulnerability of the passwords in clear text

User synchronization between M3 and IPA – Part 4

I re-discovered a technique to synchronize users between Infor M3 and Infor Process Automation (IPA) using IPA’s web based administration tools.

It is now my preferred technique for the initial mass load of users, whereas previously in part 2, I had been using command line tools.

IPA web admin tools

The IPA web admin tools are located at http://host/UserManagement/home?csk.gen=true for the gen data area, to create the Identities, Actors, Actor-Identity, and Actor-Roles; and at http://host/lmprdlpa/LpaAdmin for the environment data area – PRD in my case – to create the Users, Tasks, and User-Tasks. It is the same as the IPA Rich Client Admin but web-based instead of Java GUI based.

To find the tools, use the shortcuts ValidationURLs.htm in your IPA installation folder:

Replaying the actions

I manually created users in the IPA web admin tools, intercepted in Fiddler the HTTP requests of each action, replayed the POST requests in Fiddler Composer, and repeatedly pruned the unnecessary data away until I identified the minimum set of values.

I then translated the result into the equivalent JavaScript code.

Result

Here below is the result. It supposes you already have an array of users which you can generate with SQL or M3 API (from MNS150 and CRS111).

Identities:

Actors:

Actor-Identities:

Actor-Roles:

Users:

Source code

I posted the source code WebAdmin.js on my GitHub repository. I will update the source code there.

Future work

Stitch the JavaScript code together
Create the Tasks (from MNS405)
Create the User-Tasks (from MNS410)

Conclusion

This is yet another technique to synchronize users between M3 and IPA. I find it easier than the command line tools I was using previously. Follow the progress on the GitHub repo.

Part 1, overview of user synchronization between M3 and IPA

That’s it! Please like, comment, subscribe, share, and author with us.

Troubleshooting M3 Web Services

I forgot how to troubleshoot Infor M3 Web Services (MWS) and wasted time researching again. This time I share what I rediscovered so I remember next time.

Scenario

I created a simple web service of type M3 Display Program (MDP) that creates a Facility in CRS008. The steps work correctly in M3:

MWS Designer error

I created the equivalent web service in MWS Designer (MWSD), but it throws ‘Unable to execute MPD!’:

MWS Designer log

The MWSD log does not provide more information:

We can increase the MWSD log level from WARN to DEBUG/TRACE, it shows some HTTP/SOAP information (remember to revert when done as it fills the disk space):

Fiddler proxy

We can use an HTTP proxy such as Fiddler to see the HTTP/SOAP request/response:

SoapUI

We can use another SOAP client such as SoapUI to test the web service:

Generated Java code

MWS Server generates Java code for each web service. I do not see any error with the generated code. The code uses Apache Axis2/CXF for SOAP, and the old Intentia Movex MPD for the interactive session:

MWS Server log

The MWS Server log provides some more information, it mentions m3.program which hints me to believe my web service is correct and the problem is in M3:

MWS Server DEBUG/TRACE

I increased the Grid’s log levels of Subsystem and MWS to DEBUG and TRACE (remember to revert when done as it fills the disk space):

I ran the test case again, and opened the merged log:

This time the log shows more information. It shows the <MPD> XML, and it shows the error Abnormal termination of mvx.app.pgm […] Dump log created:

M3 DUMPLOG

The M3 dumplog shows even more information, it shows there was a NullPointerException on READ_DSP ICFCMD:

I do not know how to analyze an M3 dumplog, so I will forward it to an M3 developer and ask for help. The problem points not to MWS but to the M3 program. That is as far as I can go in my troubleshooting.

Future work

Furthermore, depending on the case, it may also be useful to:

Intercept network traffic to the BCI port, and troubleshoot the old Intentia Movex BCI protocol; MPD uses M3Session which uses BCIConnection:
Use the Advanced Grid tools:
Analyze the Thread dumps:
Analyze the MWS Profiler:
Analyze the Grid Status Report:
Decrypt the encrypted Grid network traffic
Debug the MWS Server Java code line by line at runtime

Conclusion

That was how to troubleshoot M3 Web Services and digg more information about an error. I dug as far as I could, all the way to M3, and asked help to an M3 developer. Furthermore, there are plenty other ways to troubleshoot and dig beyond.

That’s it!

Please like, comment, subscribe, share, and come author the next post.