We often provide the recommendation to clean-up your users in LSF before running an ISS synch, other than identifying and deleted orphaned records here are some pointers on running an ISS synch.
- If you are synching with LSF 9 verify you are on version 9.0.1.13 or 9.0.1.14 before starting. Make sure latest LDAP schema update was done. If any nagging issues with security or LDAP exist, try to resolve before proceeding. Install latest version of Lawson Security Administrator.
- Check the ISS release notes for LSF and Landmark prerequisites. Install patches as needed.
- Do an LDAP data refresh in test. Try to make test as close to prod as possible. All users in prod should exist in test.
- Dump LDAP to a file, open in Excel or Access, and look for anomalies like orphaned identities, invalid e-mail addresses, etc. Resolve in test & prod with LSA and/or JXplorer.
- Clean up old unused accounts.
- Backup up LSF LDAP, Gen database, authen.dat, .sso*, and lsservice.properties files in LSF and Landmark before installing ISS. If ISS totally hoses the environment, these backups will be crucial.
- A new version of ISS comes out every couple of months. Sometimes the newest version is not the best. Ask others who have installed recently what their experience was.
- Install ISS in test. Make sure things generally work before attempting federation. If any issues with ISS or LSF, resolve before proceeding with federation. Maybe revert to earlier ISS version if significant issues encountered.
- Give yourself a week to get through the first sync in test. Sync is done during regular daylight uptime and you can work at your own pace (ie it will still be there waiting for you if you go work on something else for a while).
- Sync has seven phases. When it fails, it can be resumed from the last completed phase. All errors are written to lawdir/system/security_provisioning.log. Sync can be cancelled altogether with ssoconfig.
- Sync will always identify some conflicts. Follow the instructions in the ISS Configuration guide to know which conflicts can safely be ignored.
- Sync may identify issues that need to be corrected manually in LSA, JXplorer, or Rich Client. Don’t forget to apply these corrections to production.
- For example, it might fail to sync an environment identity for a user. Try creating that environment identity in Landmark Gen manually using Rich Client, then rerun the sync identities phase.
- Try to get a general sense of timing when working thru sync in test in anticipation of production deployment. Keep an eye on performance of Lawson LDAP server (ADAM), Landmark, and Landmark database server.
- Use the ISS Configuration Guide to set Landmark LASE Max Heap and LSF NThread to improve performance.
- After a successful sync, run Set Primary Authenticating System, then restart LSF and Landmark.
- This may result in not being able to login to Landmark anymore, even as lawson. Don’t panic. Use secadm commands to verify/correct association between SSOP (new primary authenticating service) and AD bind login scheme. Make note of the fix and be prepared for production.
- Once federation is complete use the ISS website for all user maintenance tasks instead of LSA. Grant the actor role SecurityAdministrator_ST to anyone who needs the ability to maintain Lawson user accounts.
- Update or rewrite user provisioning scripts to work with the newly federated environment. Use ISS list-based sync functionality.
- Everyone responsible for maintaining Lawson user accounts should be trained on ISS and ready to transition off of LSA immediately after production implementation.
- Plan two downtimes for production – one to install ISS and one to run SetPAS. Leave enough time in between to work through initial sync judging by your experience in test environment.
- Backup everything in prod before proceeding, then backup the backups.
- Follow the procedure you piloted and documented in test and your production implementation will be successful.