X.509 Token policy for M3 Web Services

I finally tested the X.509 Token policy in Infor M3 Web Services (MWS), and I share my results here.

X.509 Token Policy in MWS has been available for at least 7 years. For the setup, we create a public-private key and digital certificate for the SOAP client, and the SOAP client and SOAP server exchange certificates to authenticate each other.

Documentation

For an overview of WS-Security (WSS) in the context of M3, see my previous post.

The MWS Designer (MWSD) User Guide has two modest chapters dedicated to WS-Security and X.509 Token policy, and snippets of source code for a Java client:
doc55 doc77

For more information about the implementation of WS-Security in MWS, read the documentation of Apache CXF and Apache WSS4J (Merlin), and explore the MWS server source code in the lws-server and lws-common JARs:
jar

Enable X.509 Token policy

First, create a web service in MWSD, of any type (API, MDP, SQL), deploy it, and test it to ensure it works correctly, e.g. CRS610MI.GetBasicData:
1

Then, go to Infor ION Grid Management Pages > MWSSecurity > Policy Settings > Service Context (e.g. services), select the web service (e.g. CRS610MI), and click the lock icon to Enable X.509 policy token:2

Server certificate

Then, go to Certificate Management, and download the server certificate, MWSServerCert.cer:
3

Note: Download it over HTTPS (secure) and not HTTP (clear text); otherwise verify in a side channel the key fingerprint received.

Now, import the server certificate into the client keystore so that the client can authenticate the server:

$ keytool -importcert -file MWSServerCert.cer -alias MwsServer -keystore keystoreClient.jks

PROBLEM: Weak crypto

MWS uses weak cryptography [1], MD5 hashing algorithm and RSA key size 1024 bit:

Nowadays, it should use SHA256 and RSA key size 2048 bit. Maybe it is possible to upgrade the keys on the server; for future work:
8

Client keys and certificate

Then, generate a public-private key and digital certificate for the SOAP client; use any tool such as JRE’s keytool or OpenSSL:

$ keytool -genkeypair -keystore keystoreClient.jks -alias trustedclient_host -keyalg RSA

$ keytool -exportcert -keystore keystoreClient.jks -alias trustedclient_host -file trustedclient_host.cer

PROBLEM 1: Do not use the weak crypto recommended by the MWSD User Guide in the parameters keyalg and sigalg. Instead, let the keytool use the default values which today for RSA is 2048 bit key size and SHA256withRSA hashing [2].

PROBLEM 2: Use RSA because with DSA the MWS server throws “java.security.InvalidKeyException: Unsupported key type: Sun DSA Public Key”

PROBLEM 3: The MWSD User Guide uses -alias myalias. But when we upload the certificate to the server, the server changes the alias to “trustedClient_” + hostName regardless. So I use that alias too.

Note: Keep the private key private! If you need to send it somewhere, do so only over a secure channel (regular email is not a secure channel). On the other hand, the public key and certificate are public, so you can shout them in the street no problem.

Here is the client certificate with stronger crypto:
7_

Now, upload the client certificate to the MWS server, so that the server can authenticate the client (peer authentication):

Note: Upload over HTTPS (secure) and not HTTP (clear text); otherwise verify in a side channel the key fingerprint the server received.

Test with SoapUI

Now, test using any SOAP client that supports WS-Security, such as SoapUI.

Create a new SOAP project as usual:
10_

Go to Project View > WS-Security Configurations > Keystores, and add keystoreClient.jks and Password:

Go to Outgoing WS-Security Configurations, and add a configuration, e.g. outgoing.

Add an action Timestamp:

PROBLEM 1: The Timestamp must be non-zero, e.g. 10; if I set it to zero the server throws “Security processing failed (actions mismatch) […] An error was discovered processing the <wsse:Security> header” and I do not know why.

Add an Signature action (it is for the client to sign the message with its private key, and for the server to use the client’s public key and verify the integrity of the message received). Select the client Keystore, select the Alias of the client, set the keystore Password, in Parts add Name Body with the Namespace of <soapenv:Body> which is http://schemas.xmlsoap.org/soap/envelope/ and Encode Content, and leave the rest default:
12

Add an Encryption action (it is for the client to encrypt the message with the server’s public key, and for the server to decrypt it with its private key). Select the client Keystore, select the Alias of the server, set the keystore Password, in Parts add the same as above, and leave the rest default:
13

PROBLEM 2: SoapUI is buggy and does not always seem to immediately pick my changes in the configurations, so I had to close and re-open it to pick my changes.

Now for decryption, go to Incoming WS-Security Configurations, add a configuration, e.g. incoming (the server will encrypt the SOAP response with the client’s public key, so this is for the client to decrypt that using its private key; and the server will sign the SOAP response with its private key, and the client will verify the signature of the message received using the server’s public key). Select the Decrypt Keystore, the Signature Keystore, and set the keystore Password:
14

PROBLEM 3: There is a bug with decryption in SoapUI 5.2.1, and I solved it by replacing the version of wss4j.jar as explained in this post:
bug2

Now, create the sample SOAP request (SoapUI already created a sample request), remove the <soapenv:Header> which we do not need, set your input parameters (e.g. CustomerNumber), add Basic authentication with the M3 Username and Password, select to Authenticate pre-emptively (optional), select the Outgoing WSS and Incoming WSS, and click Submit:
15

The client will encrypt and sign the Body, the server will decrypt it and verify the signature, the server will execute the web service (e.g. CRS610MI.GetBasicData), it will encrypt and sign the response, and return it to the client.

Result

We now have the decrypted and verified SOAP response (e.g. CustomerName, CustomerAddress):
16

PROBLEM: Plain HTTP and authentication

My understanding of WS-Security is that by design it is an option to transport the message over plain HTTP. That scenario will occur when the message passes the TLS termination point and into proxies and gateways over plain HTTP. For that, we could securely set the M3 user/password in the SOAP header at <cred:lws> and add them to the Encryption and Signature actions. However, I tried it, and I removed the user/password from the HTTP Basic authentication, but MWS throws “401 Unauthorized […] WWW-Authenticate: Basic […] fault […] missing_credentials”:
bug

I found some old documentation from 2009 that sheds more light; maybe I have to use the Username Token instead; for future work:
doc126 doc127

Grid best practice

As a general best practice for the Grid, ensure the Configuration Manager > Routers > Default Router, has WWW Authentication Methods disabled for plain HTTP, and enabled for HTTPS only, to prevent sending user/password over plain HTTP:

Troubleshooting

Here are some tips for troubleshooting.

Use SoapUI’s six tabs of logs:
logs5

Set the MWS logs to DEBUG level:
logs
logs3

Set the MWS Debug Settings to create dump files of all the encrypted and signed SOAP requests (_IN.xml) and responses (_OUT.xml) in the MWS\dumps folder:
logs4
logs2

Set your SOAP client to use a proxy like Fiddler:
Fiddler_ Fiddler

Conclusion

That was my result of testing X.509 Token policy for M3 Web Services with SoapUI. It requires quite a good understanding of the public-key cryptography concepts (public-private keys, certificates, keystores, the dance between client and server, encryption, digital signatures), and it opened more questions than it answered.

Future work

I may work on the following in the future:

  • Implement a similar test client in Java
  • Upgrade the MWS server to stronger crypto
  • Call the web service over plain HTTP (instead of HTTPS)
  • Authenticate over plain HTTP (maybe Username Token, instead of Basic authentication or <cred:lws>)
  • Test MWS against WS-Attacker

That’s it.

Please subscribe, comment, like, share with your colleagues, write the next idea with us, or start your own blog.

SOAP WS-Security in the context of M3

Here is my high-level understanding of SOAP Web Services Security (WS-Security, or WSS), at least the WSS X.509 Certificate Token Profile, and how to apply it in the context of Infor M3.

WS-Security

WS-Security is a standard by the OASIS consortium to provide message encryption and digital signature, the usual security properties to prevent eavesdropping and tampering of a message. It uses asymmetric cryptography with public-private keys and digital certificates. There is an additional property which is central to WSS: the security happens at the message level, not at the transport level, i.e. the security follows the message even across proxies and deep packet inspection gateways, for end-to-end security. WSS is common for example in financial institutions that need to inspect and route a message through several nodes that can read the non-secure part of the SOAP envelope yet not reveal the secret in the message, until it reaches the appropriate destination. If a node on the path gets compromised, the security of the message is not compromised. Despite its continued use, WSS has only had few major updates in 10 years, is not considered secure [1] [2], the Internet agrees it is complicated and design-by-committee, and there is no industry momentum behind it.
versus1_

SSL/TLS, on the other hand, provides similar security properties with encryption and digital signature, using public key cryptography as well, but the security happens at the transport level, i.e. before the message level, for point-to-point security only. Thus, intermediate proxies and deep packet inspection gateways are unable to reveal the message to inspect it and route it, unless they have a copy of the destination’s private key. The workaround is to setup a chain of TLS segments, but the compromise of a node on the path, would compromise the message. TLS has additional security properties such as cipher suite negotiation, forward secrecy, and certificate revocation. TLS is constantly being updated with the latest security properties, and is widely supported and documented.

I have seen WSS interfaces used at banks and credit card companies that still have ancient mainframes and old middleware, and WSS is always used in combination with TLS, with peer authentication, thus four sets of public/private keys and digital certificates.
versus3

Infor Grid

Several applications of the Infor Grid expose SOAP web services, but I could not find how to setup WS-Security at the Grid level, so I assume it is not supported at the Grid level, only at the application level; that’s OK as SOAP over HTTPS is sufficient for the Grid’s needs.

grid

M3 Web Services (MWS)

The MWS application does have settings to configure WS-Security (X.509 Token policy); that would be useful for an external partner to call M3 with message-level security (otherwise there is always SOAP over HTTPS); I will explore this in a future post:
MWS

M3 Enterprise Collaborator (MEC)

The MEC application on the Grid does not have built-in SOAP web services. But in MEC Partner Admin the MEC developer can setup SOAP. The SOAP client Send Web Service process does not support WS-Security; this is most unfortunate as here is precisely where I want to setup the secure interfaces with the banks and credit card companies, bummer, I will have to develop my own WS-Security client in Java. On the other hand, the SOAP server WebServiceSyncIn does support WS-Security; I will explore this in a future post:
1

Future work

In future posts, I will:

  • Explore WS-Security in MWS
  • Explore WS-Security in MEC SOAP client
  • Explore WS-Security in MEC SOAP server

Conclusion

That was my high level understanding of WS-Security, at least the WSS X.509 Certificate Token Profile, and how to apply it in the context of M3. I am no expert in WS-Security, but this understanding is sufficient for my needs with M3.

That’s it!

Please subscribe, comment, like, share, and come author with us.

–Thibaud

 

Removing BEGIN statements from Streamfiles with Java

In this example, we have a standard M3 Streamfile (PPS307PF – M3 Put-Away document) that contains separate BEGIN statements (the keyword that signifies a new event to Streamserve) for each item received against a purchase order.  My client would like to see one document with all received items shown as separate lines.  This will save a tremendous amount of paper and allow for easier processing.  With the help of Java and Streamserve filter chains, we can remove unwanted BEGIN statements and quickly achieve a single event document without modification in M3.

In addition to Java knowledge, you’ll also need to have:

  1. Experience with the M3 Output Solution including Streamserve Control Center and Design Center (version 5.6 is used in this example).  Specifically:
    • Creating new Streamserve Applications
    • Modifying, Exporting, and Deploying Streamserve Projects
  2. Administrator access to the Streamserve server.

Now that we’re armed with some basic knowledge, let’s get started.

Step 1:  Examine the Streamfile

Here is my example Streamfile:

*SERVER	server.company.com
*PORT	 22110
*NAME	PPS307PF
*USER	USER
*JOBID	135979716657926744PPS307PF
*MAIL	YES
*TOMAIL1	mnjones@ciber.com
*FRMAIL1	m3apps@hertz.com
*ARCHIVE1	0
*COUNTRY1	US
*ReportFiletype1	PDF
*LANGUAGE	GB
*ZDCONO	111
*ZDDIVI	AAA
*ZDFACI	FAC
*ZDWHLO	DS5
BEGINPPS3070H
*TIME	20160317153921
*LANGUAGE	GB
*ZZCONO	0
*ZZDIVI
*ZZFACI	FAC
*ZZWHLO	WHS
*LAYOUT	LETTER
0HINDCTR	000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000010000000
0HDSUSS	USER
0HMWLNCD	GB
0HPADAT	03-17-16
0HPATIM	15:39:21
0HWDROW3	COMPANY US (111/AAA)
0HZDROW2	M3 13.2 DEV

1MINDCTR	000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000010000000
1MIABUYE	USER
1MIBECVE
1MIBIRCV
1MIBITNO	100000099
1MIBPITD
1MIBPLPN	0000000
1MIBPNLI	010
1MIBPNLS	000
1MIBPRCS
1MIBPROD
1MIBPUNO	8888888
1MIBPURC	USER
1MIBPUUN	EA
1MIBRORC	0
1MIBRORL
1MIBRORN
1MIBSITE
1MIBSUFI
1MIBSUNO	99999999
1MIBWHLO	WHS
1MICREPN	   2111030001
1MMLBANO	7777777
1MMLBREF
1MMLBRE2
1MMMHAC1
1MMMHAC2
1MMMHAC3
1MMMITDS	Excavator
1MMMPPUN
1MMMSLDY
1MMMUNMS
1MMUCOFA
1MMWWHNM	Main Warehouse
1MWTBUYE	Patty Purchaser
1MWTHAC1
1MWTHAC2
1MWTHAC3
1MWTPROD
1MWTPURC	Patty Purchaser
1MWWCAWE
1MWWFUDS	Excavator
1MWWPQTY
1MWWRPQA	         1
1MWWRPQT
1MWWSUNM	Excavator Supply
1MWWWHSL	SERVICE

0NINDCTR	000000000000000000000000000000000000000000000000001000000000000000001000000000000000000000000000000
0NIBGRMT	DP0
0NP7QCLV	4
0NWTGRMT	Direct Put-Away (No Doc)
0NWWNEAC	No more activity
0NWWQCQT	

CFINDCTR	000000000000000000000000000000000000000000000000001000000000000000001000000000000000000000000000000
CFWWTX60	MAKE BOBCAT

CFINDCTR	000000000000000000000000000000000000000000000000001000000000000000001000000000000000000000000000000
CFWWTX60	MODEL D12A
BEGINPPS3070H
*TIME	20160317153921
*LANGUAGE	GB
*ZZCONO	0
*ZZDIVI
*ZZFACI	FAC
*ZZWHLO	WHS
*LAYOUT	LETTER
0HINDCTR	000000000000000000000000000000000000000000000000001000000000000000001000000000000000000000010000000
0HDSUSS	USER
0HMWLNCD	GB
0HPADAT	03-17-16
0HPATIM	15:39:21
0HWDROW3	COMPANY US (111/AAA)
0HZDROW2	M3 13.2 DEV

1MINDCTR	000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000010000000
1MIABUYE	USER
1MIBECVE
1MIBIRCV
1MIBITNO	100000099
1MIBPITD
1MIBPLPN	0000000
1MIBPNLI	010
1MIBPNLS	000
1MIBPRCS
1MIBPROD
1MIBPUNO	8888888
1MIBPURC	USER
1MIBPUUN	EA
1MIBRORC	0
1MIBRORL
1MIBRORN
1MIBSITE
1MIBSUFI
1MIBSUNO	99999999
1MIBWHLO	WHS
1MICREPN	   2111030002
1MMLBANO	8191811
1MMLBREF
1MMLBRE2
1MMMHAC1
1MMMHAC2
1MMMHAC3
1MMMITDS	Excavator
1MMMPPUN
1MMMSLDY
1MMMUNMS
1MMUCOFA
1MMWWHNM	Main Warehouse
1MWTBUYE	Patty Purchaser
1MWTHAC1
1MWTHAC2
1MWTHAC3
1MWTPROD
1MWTPURC	Patty Purchaser
1MWWCAWE
1MWWFUDS	Excavator
1MWWPQTY
1MWWRPQA	         1
1MWWRPQT
1MWWSUNM	Excavator Supply
1MWWWHSL	SERVICE

0NINDCTR	000000000000000000000000000000000000000000000000001000000000000000001000000000000000000000000000000
0NIBGRMT	DP0
0NP7QCLV	4
0NWTGRMT	Direct Put-Away (No Doc)
0NWWNEAC	No more activity
0NWWQCQT	

CFINDCTR	000000000000000000000000000000000000000000000000001000000000000000001000000000000000000000000000000
CFWWTX60	MAKE BOBCAT

CFINDCTR	000000000000000000000000000000000000000000000000001000000000000000001000000000000000000000000000000
CFWWTX60	MODEL D12B

CFINDCTR	000000000000000000000000000000000000000000000000001000000000000000001000000000000000000000000000000
CFWWTX60	Air Condition:Yes

We want to process PPS307PF as one document with multiple lines as opposed to the standard document which has multiple documents (indicated by the multiple BEGINPPS3070H statements in the Streamfile) each with a single line.

There is only one type of BEGIN statement in this Streamfile, but some Streamfiles have more than one, so we’ll take that into account in the code.

Step 2:  Create Java filter to remove the unwanted BEGIN statements

In the Streamfile above we found two instances of BEGINPPS3070H.  In order to remove the second (and any subsequent appearances) while keeping the first, we’ll create a class that will remove these lines as the Streamfile gets passed into Streamserve.  We’ll also take into account that we may need to filter Streamfiles other than PPS307, so we’ll use a regular expression to find the instances of BEGIN in the file that end in ‘H’ (This way we’re excluding 0A BEGIN statements while including 0H, 1H, AH, etc.).

import java.io.*;
public class SingleEvent {
 public static void main(String[]args) {
  BufferedReader br = null;
  int counter = 0;
  String regex = "BEGIN[a-zA-Z0-9]+H$";
  try {
   String sCurrentLine;
   br = new BufferedReader(new InputStreamReader(System.in));
   while ((sCurrentLine = br.readLine()) != null) {
    if (sCurrentLine.matches(regex)) {
     counter++;
     if (counter > 1) {
      sCurrentLine = "***BEGIN STATEMENT SKIPPED***";
     }
    }
    System.out.println(sCurrentLine);
   }
  } catch (IOException e) {
   e.printStackTrace();
  }
  finally {
   try {
    if (br != null)
     br.close();
   } catch (IOException ex) {
    ex.printStackTrace();
   }
  }
 }
}

Our code creates a class called SingleEvent which reads the incoming Streamfile one line at a time and checks the current line to see if it matches our regular expression.  If so, a counter is increased and if the counter is larger than one, it replaces the current line with new text.  This text can be anything other than BEGINPPS3070H as Streamserve is looking for the BEGIN statements to create new documents.  Each (new) line is then written to the console and Streamserve picks up each of the lines before processing the Streamfile.

When we replace the BEGIN statements with alternative text (in this case replacing them with the text “***BEGIN STATEMENT SKIPPED***”).  Streamserve rejects the line, notes it in the Control Center log, and moves to the next line. Later in the process, we’ll see our skipped lines in the log.

Next, compile the code and create a SingleEvent.jar using your favorite tool.  Copy the SingleEvent.jar to an accessible folder on the Streamserve server.  Now we can begin prepping Streamserve to use Java.

Step 3:  Prep Streamserve to use Java

Because we’ll be adding a filter on both the TCP/IN port and DirScan folder, it’s best to create a new Streamserve Application specifically for our new SingleEvent Streamfiles.  We don’t want to place this filter on our base Streamserve Application and filter all Streamfiles.   Follow the standard steps to create the new application in the correct domain in Control Center.  For this example, we named our application “Dev_SingleEvent_22104” to indicate the domain, application purpose, and incoming port number.   Next, right click on the application and select Java Configuration.

beginsts_31

When the Java Configuration screen opens, we see the properties list.  Click in the Value box and select the appropriate vendor.  In my case, this was Oracle.

beginsts_32

Next, we’ll need to import our SingleEvent.jar and add the new filter chain in the Streamserve Global_Resourceset. In the Global_Resourceset, right click and select “Import…”.

beginsts_33

Navigate to the folder on the Streamserve server where you stored SingleEvent.jar.  Highlight SingleEvent.jar and click Open.

Streamserve will automatically load the correct Resource Type (Java).

beginsts_34

Click OK and your new Java resource will appear in the Global_Resourceset.

Now, let’s create our new filter chain.  The filter chain is the heart of this transaction as Streamserve will filter the Streamfile through the Java program as it comes into the TCP port or is dropped into the DirScan folder.

First, navigate to the Filter Chain folder in the Global_Resourceset, right click and select New > Filter Chain.

beginsts_35

We’ll name the filter chain “Platform – SingleEvent”.  It will be used at both the TCP/IP and Directory input connectors.

beginsts_36

Then, right click and select Start Editor.

There will be an existing Codepage Filter already in place.  We won’t make any changes here.  From the Filter Chain menu, select Add Filter > External Filter.   Type “java.exe –jar ..\data\java\SingleEvent.jar” in the Value box, save and close.

beginsts_37

Navigate to the Platform next, where we’ll copy/paste the standard TCP_MOVEX and DirScan_MOVEX input connectors and rename them as “SingleEvent_TCP_MOVEX” and “SingleEvent_DirScan_MOVEX”, respectively.  Make the necessary changes to ports and input folders for the physical platform you’re using.

Now, we’ll add the Platform – SingleEvent filter chain to each of these input connectors. In the Platform, right click on the SingleEvent_TCP_MOVEX input connector and select Settings.

beginsts_38

From the logical platform, click on the “Filter chain” button and add the new filter chain.

beginsts_39

Repeat these steps for the SingleEvent_DirScan_MOVEX connector.

Verify all the changes, save and export the project and then deploy in Control Center to your new application.

Step 4:  Test

To test, drop the Streamfile into the DirScan folder in the Management Gateway and see the Filter Chain at work in the Control Center log. Here is a snip from the log:

beginsts_41

We can see our “Unknown line (ignored):***BEGIN STATEMENT SKIPPED***” message line and each duplicate header fields that has been ignored.  We also see the “ExternFilter exitCode:0” message indicating the filter completed successfully.

Here is our new document with one event and multiple lines:

beginsts_42

Final Thoughts

We’ve successfully written a Java class that works as a filter to remove unwanted BEGIN statements from a Streamfile, setup Streamserve to use Java and our new filter, and processed a test Streamfile through the filter.  Let me know how it works for your project and any tweaks you made for it to deliver the document you want.

Special thanks to the posters at StreamShare whose excellent variety of posts on filtering and using Java with Streamserve allowed me to combine them to achieve a solution.  If you work with Streamserve, make sure to check out the forums.

Now that we’ve seen how Java works with Streamserve, next time let’s discuss using Java to connect to M3 APIs and add information to a Streamserve PageOut.

Good luck,

Neil

Calling SOAP web services from MEC

Here is a primer on how to invoke SOAP web services from Infor M3 Enterprise Collaborator (MEC) using the Send Web Service process, where MEC is the SOAP client calling SOAP servers.

MEC process

I am using MEC version 11.4.3.

We find the Send Web Service process in Partner Admin > Agreement > Processes:
1

The properties are the following:
1_

The MEC Partner Admin Tool User Guide does not have much information:
3

The MEC training workbook does not have information either.

I decompiled MEC and found the Java class com.intentia.ec.server.process.SendWebServiceProcess. I was expecting it to use a legitimate SOAP client such as Apache CXF, but it uses a mere java.net.HttpURLConnection:
2

Consequently, this process does no more than the HTTPOut process albeit the additional SOAP action property.

Problems

There are many problems with this type of implementation:

  • It does not validate the message against the web service’s WSDL, the XML Schemas, not even against XML syntax
  • It does not have a factory to create client stubs
  • It is byte-based (we could send whatever content) whereas SOAP clients are more RPC-like with setters and getters for parameters
  • It is HTTP-centric, not SOAP-centric
  • It is restricted to HTTP whereas SOAP is agnostic to the underlying transport protocol, e.g. SOAP supports FTP
  • It does not support WS-Security for XML Encryption and XML Signature
  • It does not support the use of HTTP proxy
  • Etcetera

Anyway, let’s give it a try.

Sample web service

I have a sample web service from TMW SystemsLink, a Transportation Management Software. It is available on my customer’s network. It is only setup for HTTP (not HTTPS), without authentication, thus it is insecure, but it is easy for illustration purposes.

First, I ensure I can get to the WSDL:
5_

Test with SoapUI

Then, I test the web service with a SOAP client such as SoapUI:

Then, I get the SOAP action and content type to be used later (we can get them from the WS-A and http log tabs of SoapUI or from Fiddler):

Test with Java – optional

Optionally, I test the web service with the URLConnection in Java, from the same location and JRE as MEC:

javac Test.java && java -cp . Test
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.net.URL;
import java.net.URLConnection;

class Test {
	public static void main(String[] args) throws Exception {
		URL url = new URL("http://tmwsl/TMWSystemsLink/APIWCFServices.svc");
		URLConnection con = url.openConnection();
		con.setDoOutput(true);
		con.setRequestProperty("Content-Type", "text/xml;charset=UTF-8");
		con.setRequestProperty("SOAPAction", "http://tempuri.org/IAPIWCFServices/RetrieveCarrier");
		String data = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:tem=\"http://tempuri.org/\" xmlns:tmw=\"http://schemas.datacontract.org/2004/07/TMWSystems.SystemsLink.APIClasses\"><soapenv:Header/><soapenv:Body><tem:RetrieveCarrier><tem:criteria><tmw:CarrierID>JONCOL</tmw:CarrierID></tem:criteria></tem:RetrieveCarrier></soapenv:Body></soapenv:Envelope>";
		con.setRequestProperty("Content-Length", "" + data.length());
		OutputStreamWriter out = new OutputStreamWriter(con.getOutputStream());
		out.write(data);
		out.close();
		BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream()));
		String s;
		while ((s = in.readLine()) != null) {
			System.out.println(s);
		}
		in.close();		
	}
}

The result is the SOAP response:
7

Test in Partner Admin

Now, I am ready to test in Partner Admin. I create a simple test agreement with the Send Web Service process configured to the end point address, content type, and SOAP action:
8

Then, I add a simple detection such as the default DiskIn, I reload the communication channel in the MEC Grid Management Pages, I create a file with the sample SOAP request, I drop the file in the DiskIn folder, I wait for MEC to process the file, and I check the result; the usual steps in MEC.

Result

Here is the result in MEC Grid Management Pages, it successfully finished sending the SOAP request, and getting the SOAP response:
9

Here is the resulting POST HTTP request: 10

At this point we can use Partner Admin and MEC Mapper to transform an M3 MBM and generate the SOAP request, we can process the SOAP response, etc.

Conclusion

That was an illustration of how to call SOAP web services from Infor M3 Enterprise Collaborator (MEC) using the Send Web Service process, for MEC to be a SOAP client calling SOAP servers. Despite “Web Service” in its name, the process is deceitfully not very SOAP oriented, but we can manage with it.

Future work

In future posts I will:

  • Explore how to securely call a web service over HTTPS (not HTTP); if I use a custom server certificate, I have to setup the JRE keystore, or explore the Partner Admin > Manage > Certificate Keystores:
    future1
  • Explore how to use the Partner Admin > Manage > Web Service Definitions; I do not know what this is for:
    future2
  • Explore how to use the Manage > Advanced > WebServiceSyncIn/Out; I think that is for MEC to be a SOAP server, accept requests, and serve responses:
    future3 future3_

That’s it.

Please leave a comment, click Like, click Follow to subscribe, share around you, and come write the next blog post.

MForms Automation in Mashups

Let’s explore MForms Automation in Infor Smart Office Mashups.

MForms Automation

MForms Automation execute sequences of steps through M3 programs, e.g. run CRS610, enter a customer number in field W1OBKV, and press ENTER:
3_

MForms Automation Builder is located at C:\SmartOfficeSDK\External\M3\Tools\MFormsAutomationBuilder.exe:
1

In Mashups

To use them in Mashups, we tell MForms Automation Builder to create an MForms URI encoded, we copy/paste the URI into the desired property in Mashup Designer which will XML-encode it, and we carefully replace the hard-coded values by parameter names in curly braces with the corresponding parameter binding:

Smart Office will do the variable substitution, and will execute a CMDTP=RUN with the XML:

I find the whole process of URI-encoding, XML-encoding, and curly brace replacement too error-prone and time consuming for routine maintenance, so I found an alternative.

Alternative

I find it easier to preserve the original XML in a CDATA section in the XAML:
8_

Note: We must omit spaces between the CDATA start and XML declaration; the rest can be indented.

I find this alternative to be more elegant and easier to maintain than the double-encoded surgical process above.

Let me know what you think in the comments below.

That’s it.

260 subscribers!

Clear global customization cache

Here is a refresher on how to clear global M3 personalizations for non-administrators:

mforms://_command/?value=clear custcache

M3 personalizations

I am currently doing maintenance of M3 personalizations (hyperlinks, conditional styles, shortcuts, labels, tab orders, views, show/hide fields, and scripts), for all users (role GLOBAL_CUSTOMIZATIONS):
2

Maintenance

To change a personalization, either I use the Personalization Manager (for that I need the administrator role), or I change the file with a text editor directly in the MNEDATA folder (for that I need read/write access to the MNEDATA folder):
4
3

Clear customization cache

To clear the global customization cache, I use the Net Extension Manager > Clear customization cache (for that I need to be administrator):
5

Non-administrators

There is another environment where I am not administrator, there is no Net Extension Manager, and yet I need to clear the global customization cache. I realized I can simply execute the clear command, and it will clear the global customization anyway:

mforms://_command/?value=clear custcache

6

7

That’s the actual command behind the Clear button.

I traced the calls, from the Smart Office Dlls, to the MNE server Java classes, and it seems to really do a global clear, even without being administrator:

MForms.dll
MForms.Services.Applications.Admin.NetExtensionManager.IComponentConnector.Connect
MForms.Services.Applications.Admin.NetExtensionManager.OnClickClearCustCache

mne-app-10.2.2.0.jar
com.intentia.mc.command.RunCmd.doChangeEnvironment
com.intentia.mc.mgmt.ServerMgr.clearCustomizationCache
com.intentia.mc.customization.CustomizationManager.clearCentralCache

Maybe there’s a good explanation for the lack of authorization; or maybe I am administrator somewhere afterall. I haven’t read the administrator’s guide or looked any further.

That’s it!

Related posts

Continuous integration of Mashups #4 – Command line

Finally, I was able to develop a command line to deploy Infor Smart Office Mashups. This is important for me to save time when deploying many Mashups, on many environments, many times a day, so I can re-invest that time in the Mashups, instead of wasting time on their deployment in the various graphical user interfaces. Read #1, #2, and #3 for the backstory.

Disclaimer

I will use the internals of Smart Office and MangoServer which by definition are not public. Infor Product Development may change any of it at any time.

Project

I will create my C# Console Application project in the free (as in free beer) Microsoft Visual Studio 2015 Community Edition:
10.1

Add references to the Smart Office assemblies Mango.UI.dll and Mashup.Designer.dll which you can find in your Smart Office local storage (search for the path in your Log Viewer); you can also get them from the Smart Office product download, or in the Smart Office SDK:
b4

When you Build the project, Visual Studio will automatically grab the additional assemblies Mango.Core.dll, log4net.dll, and DesignSystem.dll.

Web service client

Smart Office already has client code for its web services in the namespace Mango.UI.Services.WS, but it’s missing the method DeployMashup which is precisely the one I need:
b1

It’s easy to generate the code in Visual Studio, select Add Service Reference, and enter the URL to the MangoServer /mangows/InstallationPointManager?wsdl:
b8

In the App.config file, add the <transport clientCredentialType=”Basic” /> and add the name/address of the target M3 environments, e.g. DEV, TST, EDU, PRD:

Source code

Add the C# class Deploy.cs:

 using System;
 using System.IO;
 using System.Reflection;
 using Mango.UI.Services.Mashup;
 using Mango.UI.Services.Mashup.Internal;
 using MangoServer.mangows;
 using Mashup.Designer;
 
 namespace Mashups
 {
     class Deploy
     {
         // Usage: deploy.exe Mashup1,Mashup2,Mashup3 DEV,TST
         static void Main(string[] args)
         {
             // get the M3 userid/password
             Console.Write("Userid: ");
             string userid = Console.ReadLine();
             Console.Write("Password: ");
             string password = Console.ReadLine();
 
             // for each directory
             string[] directories = args[0].Split(',');
             foreach (string directory in directories)
             {
                 // for each Mashup
                 string[] files = Directory.GetFiles(directory, "*.manifest", SearchOption.AllDirectories);
                 foreach (string file in files)
                 {
                     Console.WriteLine("Opening {0}", file);
                     ManifestDesigner manifest = new ManifestDesigner(new FileInfo(file));
                     string name = manifest.DeploymentName + Defines.ExtensionMashup;
                     Console.WriteLine("Generating {0}", name);
                     // generate the Mashup package
                     if (SaveMashupFile(manifest))
                     {
                         // get the resulting binary contents
                         byte[] bytes = File.ReadAllBytes(manifest.File.Directory + "\\" + name);
                         // for each M3 environment
                         string[] environments = args[1].Split(',');
                         foreach (string environment in environments)
                         {
                             // deploy
                             Console.WriteLine("Deploying to {0}", environment);
                             DeployMashup(name, bytes, environment, userid, password);
                         }
                         Console.WriteLine("DONE");
                     }
                 }
             }
         }
   
         /*
             Create the Mashup package (*.mashup) from the specified Mashup Manifest.
             Inspired by Mashup.Designer.DeploymentHelper.SaveMashupFile
         */
         static bool SaveMashupFile(ManifestDesigner manifest)
         {
             try
             {
                 // validate Manifest
                 typeof(DeploymentHelper).InvokeMember("ValidateManifest", BindingFlags.InvokeMethod | BindingFlags.NonPublic | BindingFlags.Static, null, null, new Object[] { manifest });
                 // create Mashup package
                 string defaultFileName = manifest.DeploymentName + Defines.ExtensionMashup;
                 FileInfo packageFile = new FileInfo(manifest.File.Directory + "\\" + defaultFileName);
                 PackageHelper.CreatePackageFromManifest(manifest, manifest.File, packageFile, PackageHelper.DeployTarget_LSO);
                 // check Mashup profile
                 if (manifest.GetProfileNode() != null)
                 {
                     string message = "Please note that this Mashup contains a profile section and should be deployed using Life Cycle Manager. Warning - Using the Mashup File Administration tool will not result in a merge of profile information into the profile.";
                     Console.WriteLine(message);
                 }
                 return true;
             }
             catch (Exception exception)
             {
                 Console.Error.WriteLine(exception);
                 return false;
             }
         }
 
         /*
             Deploy the specified Mashup name and file (*.mashup binary contents) to the specified M3 environment (see App.config) authenticating with the specified M3 userid and password.
             Inspired by /mangows/InstallationPointManager/DeployMashup
         */
         static void DeployMashup(string Name, byte[] MashupFile, string environment, string userid, string password)
         {
             InstallationPointManagerClient client = new MangoServer.mangows.InstallationPointManagerClient(environment);
             client.ClientCredentials.UserName.UserName = userid;
             client.ClientCredentials.UserName.Password = password;
             client.DeployMashup(Name, MashupFile);
         }
     }
 } 

Final project:
b10

Here is what the folder looks like:
10.6

Build the solution, the resulting command application will be Deploy.exe with the required assemblies and config file:b11

Usage

Suppose you have the following Mashups\ folder with Mashups inside, e.g. Mashup1, Mashup2, Mashup3, Mashup4, Mashup5, Mashup6:

And suppose you want to deploy only Mashup1, Mashup2, and Mashup3.

The usage is:

Mashups\> Deploy.exe Mashup1,Mashup2,Mashup3 DEV,TST

Where Mashup1,Mashup2,Mashup3 is the comma-separated list of Mashup folders, and where DEV,TST is the comma-separated list of target M3 environments as defined in Deploy.exe.config.

The program will recursively descend the specified folders. So you can also specify the parent folder – Mashups\ – and the program will deploy every Mashup that’s inside.

The program will ask for the M3 userid and password at the command prompt, as it’s more secure to not hard-code them in source code nor in a config file.

Result

Here is an example of deploying three Mashups on two environments:
b12

Here is the result in the MangoServer database of one of the environments:

Here is the result in Smart Office:
b15

Variations

  • Instead of using Microsoft Visual Studio, you can use Xamarin’s MonoDevelop which is free software (as in freedom) and open source and recently acquired by Microsoft, or use Microsoft’s .NET SDK’s C# command line compiler csc.exe
  • If you are more familiar with the JScript.NET programming language than C#, you can re-write the program in that language and compile it with Microsoft’s .NET SDK’s JScript.NET command line compiler jsc.exe (you could also run it as a script in Smart Office but that wouldn’t make sense)
  • Instead of generating web service client code, you can use the Smart Office method Mango.Core.DynamicWs.WSDataService.CallAsync

Future work

  • Remove the Mashups from LifeCycle Manager as Karin instructed
  • Replace our generated web service client code with the built-in Smart Office code, if and when Infor Product Development will provide it
  • Explore the Mango Admin tool
  • Explore the FeatureServlet of the latest Smart Office hotfix
  • Encrypt the password in the config file using a symmetric cipher as in the Grid applications, or use a YubiKey (hey, Sweden)

Conclusion

That was my solution to deploy Mashups at the command line. This is useful when deploying multiple Mashups, on multiple M3 environments, multiple times a day. It can potentially save hundreds of clicks and keystrokes per day compared to using the graphical user interfaces of Smart Office Mashup Designer and LifeCycle Manager. The time saved can be invested in the Mashups rather than on their deployment, aiming for continuous integration.

That’s it!

Please let me know what you think in the comments below, give me a thumbs up, click the Follow button to subscribe to this blog, share with your co-workers, and come write the next blog post with us. Pleeease, click something. Your support keeps this community going. Thank you for your support.

M3 Ideas, now 244 subscribers.

Related posts