April 2, 2012
Today we have the benefit of a guest blogger, Rickard Eklind, from our Development Center in Sweden. Rickard is an expert on Lawson Smart Office (LSO) technology because he is one of the main architects. Please enjoy his post on LSO Client Installation.
Lawson Smart Office uses the Microsoft technology ClickOnce when installing on client machines. ClickOnce has some advantages and some disadvantages compared to other client installation techniques.
- Easy to install
- Automatic client updates.
- Possibility to have side by side installations of different versions of Smart Office.
- Always installs as per user and never for all users on a machine.
For a more complete comparison list see http://msdn.microsoft.com/en-us/library/142dbbz4(v=vs.90).aspx
Lawson Smart Office is normally installed through a URL. Typical scenarios can be:
- The installer sends out an e-mail with an install link.
- Install links are presented on an intranet.
- An administrator pushes out Smart Office with the help of a start script or similar.
When installing the Smart Office server an install page is created.
The install page can be used as is, it can be modified, or it does not have to be used at all. The important part of the install page is the install URL. An easy way of getting the install URL is to right-click the picture and select Copy shortcut. The install URL is now in your clipboard and can be pasted into a text document. This is an example of an install URL.
The install URL can be sent in an e-mail, put on an intranet site and so on. If the server can be reached over the internet, external users can also install Smart Office. Just remember that those users must also have access to all the back-ends specified in the System Profile.
Even though it is called an install URL, the URL can also be used to start Smart Office when it is already installed.
The first part,
“http://productionserver.lawson.com:25005/LSO/LawsonClient.application”, is the URL to where the actual install binaries can be found. Read further down about the LawsonClient.application file.
The second part, “?server=https://productionserver.lawson.com:25006”, contains the parameters that are sent into the Smart Office client the first time it is started. The “server” parameter specifies where the Smart Office server is located and is the only parameter that is required. There are a few other parameters that can be used. For example, it is possible to specify another System Profile to use; the specified System Profile will be used regardless of what the user has chosen before. A user can, for example, create internet shortcuts on his/her desktop to start Smart Office with different System Profiles.
Another parameter that can be used is Language which specifies the default language in a new installation.
More parameters and more detailed information can be found in the Smart Office Administration Guide.
Every time Smart Office is started it checks the installation point for a new version and automatically updates the client. The automatic update mechanism provided by ClickOnce reduces the amount of work that must be done whenever an upgrade is applied, since corrections or new versions do not have to be pushed out.
The check for a new version is made regardless of whether Smart Office is started through an install URL or from the Windows Start Menu. If the install point is unavailable, Smart Office will start if it is started from the Windows Start Menu but not if it is started from an install URL.
From Smart Office 10.0.0 and later, Smart Office handles Smart Office features differently. In earlier versions all features (M3, S3, Document Archive etc.) were included in the ClickOnce installation point. That means whenever a feature was added/removed/updated the whole installation point needed to be rebuilt and a complete new version had to be downloaded to the client. From LSO 10.0.0 and later the features are not included in the ClickOnce installation point but are dynamically downloaded to the client whenever they are changed. The advantage is that features can be added/removed/updated without the clients needing to download a complete new version of Smart Office. It saves bandwidth and also saves the installer/administrator some work.
Adding/removing features is done through the Install Point Manager inside of Smart Office.
ClickOnce installation point and LawsonClient.application
ClickOnce requires that the installation point is signed with an Authenticode certificate that is valid for code signing.
Signing the Installation Point, or more precisely, signing the LawsonClient.application manifest file, ensures that no one has tampered with the files. In fact, LSO cannot be updated if the newer version of LSO is signed with a different certificate. Therefore it is very important to keep and document the certificate used to sign the first version of the installation point.
Note that the code-signing certificate is not tied to any particular server like an SSL certificate is. That means that you can create it. The procedure of signing the installation is:
- Exporting information. This is done in the Lifecycle Manager Client.
- Signing the installation point. This is done with the Sign Tool that is delivered with Smart Office.
- Importing the signed installation point, again this is done with the Lifecycle Manager client.
The install guide has more detailed step-by-step instructions.
There are several things happening in this process before the LawsonClient.application file is signed.
The first is that the LawsonClient.application file is updated with the actual install URL. During the installation on a client machine the LawsonClient.application is first downloaded and all binaries are then downloaded from the location specified in the LawsonClient.application file. If the URL specified in the LawsonClient.application file cannot be reached, Smart Office will fail to install.
The second thing that happens is that the LawsonClient.application will get its own identity, which makes the installation point unique. When each installation point is unique it allows a user to install several Smart Office clients side by side. Read more in the chapter Side by Side installations below.
The third thing that happens is that the LawsonClient.application is signed. The signing prevents tampering with the installation point and it also makes it possible for an administrator to let all users install Smart Office even if they normally are not allowed to install programs on their computer. Read more in chapter All users can install Smart Office.
After importing the signed installation point it is possible to view the LawsonClient.application file in a text editor. The file is located on the host where the server parts of Smart Office are installed, <LcmServiceLocation>\grid\<gridName>\applications\LSO\Client\IP.
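As an added example (not code from Smart Office or from the original post), the PowerShell below reads the fields discussed above out of a deployment manifest and compares them with what the administrator documented. The manifest is a constructed, heavily shortened sample; the function name, the publisher name, the version and the key values are assumptions.

```powershell
# Constructed, shortened sample manifest; a real LawsonClient.application is longer.
$sampleManifest = [xml]@'
<asmv1:assembly manifestVersion="1.0"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns="urn:schemas-microsoft-com:asm.v2">
  <assemblyIdentity xmlns="urn:schemas-microsoft-com:asm.v1"
      name="LawsonClient.application" version="10.0.0.0" publicKeyToken="0000000000000000" />
  <deployment install="true" trustURLParameters="true">
    <deploymentProvider
      codebase="http://productionserver.lawson.com:25005/LSO/LawsonClient.application" />
  </deployment>
  <publisherIdentity name="CN=Example LSO Signing" issuerKeyHash="00" />
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="StrongNameSignature" />
</asmv1:assembly>
'@

function Get-InstallPointManifestSummary {
    param(
        [Parameter(Mandatory)][xml]$Manifest,
        [Parameter(Mandatory)][string]$ExpectedInstallUrl,   # the install URL you handed out
        [Parameter(Mandatory)][string]$ExpectedPublisher     # subject of the documented certificate
    )
    # local-name() keeps the queries independent of the namespace prefixes in the file.
    $top        = "/*/*[local-name()='{0}']"
    $identity   = $Manifest.SelectSingleNode($top -f 'assemblyIdentity')
    $deployment = $Manifest.SelectSingleNode($top -f 'deployment')
    $publisher  = $Manifest.SelectSingleNode($top -f 'publisherIdentity')
    $signature  = $Manifest.SelectSingleNode($top -f 'Signature')
    $provider   = if ($null -ne $deployment) { $deployment.SelectSingleNode("*[local-name()='deploymentProvider']") }
    $codebase   = if ($null -ne $provider)   { $provider.GetAttribute('codebase') }
    $pubName    = if ($null -ne $publisher)  { $publisher.GetAttribute('name') }

    [pscustomobject]@{
        Identity           = if ($null -ne $identity) { '{0} {1}' -f $identity.GetAttribute('name'), $identity.GetAttribute('version') }
        Codebase           = $codebase
        CodebaseMatches    = $codebase -eq $ExpectedInstallUrl
        TrustUrlParameters = if ($null -ne $deployment) { $deployment.GetAttribute('trustURLParameters') -eq 'true' }
        Publisher          = $pubName
        PublisherMatches   = $pubName -eq $ExpectedPublisher
        HasSignature       = $null -ne $signature   # presence only, not a cryptographic verification
    }
}

# Run against the constructed sample; for a real file use: [xml](Get-Content -Raw <path>)
Get-InstallPointManifestSummary -Manifest $sampleManifest `
    -ExpectedInstallUrl 'http://productionserver.lawson.com:25005/LSO/LawsonClient.application' `
    -ExpectedPublisher 'CN=Example LSO Signing'
```

A `CodebaseMatches` or `PublisherMatches` value of False on a production installation point means the manifest no longer agrees with what was documented at first signing and should be investigated before clients update from it.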
Side by Side installations
The Sign Tool that is delivered with Smart Office makes each installation point unique and it is that uniqueness that allows each installation point to be treated as a separate installation. This means that different Smart Office clients can be installed from separate installation points and live side by side. Allowing side by side installations opens up the possibility to have one installation point for production, one for test and one for verification, each being on a different version/fix level. The possibility to have side by side installations cannot be achieved with .msi installations, at least not without a lot of work.
To make it easy for the users to see the difference between the installed clients it is possible to give each installation a unique name, a suffix that is added to “Lawson Smart Office”. The suffix must be specified when installing the Smart Office server and cannot be changed after the installation, so choose wisely.
I recommend using suffixes like Production, Verification, Test, Development etc. Including the version of the installed Smart Office is bad because it will be outdated with the next release. Naming the installation after the server may be good for the administrator or installers but is normally not good for the users, since they do not know that the server ABC123 is the Production server.
Below you can see what my Windows Start Menu looks like. Remember that I am a Smart Office developer and I install a particular version of Smart Office for testing purposes and then I throw the installation away; that’s why I have not followed my own naming recommendations.
All users can install Smart Client
Users that are not administrators on their machines can still install Smart Office if an administrator has made certain configurations.
If the publisher (the certificate used to sign the installation point) is a trusted publisher, then anyone (even non-administrators) can install LSO.
The publisher is the certificate that signed the installation point. In order to be a trusted publisher:
- That certificate must be placed in the Trusted Publisher list.
- That certificate’s root certificate must also be in the Trusted Root Certification Authorities list.
- If you are using a self-signed certificate (as will be the case when you let the SignTool create a certificate), the root certificate is the certificate itself. It must therefore be placed in both the Trusted Publisher list and the Trusted Root Certification Authorities list.
Use Active Directory to distribute the certificates, http://technet.microsoft.com/en-us/library/cc772491.aspx , to all clients/users. Since the same certificate is used when upgrading Smart Office, distributing the certificate only needs to be done once.
For more details on trusted application deployment see http://msdn.microsoft.com/en-us/library/01daf08f.aspx .
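To confirm on a client that the distribution worked, the conditions listed above can be checked from PowerShell. This is an added example, not part of Smart Office or the original post; the function name and the file path in the usage line are assumptions.

```powershell
# Added example: check the trusted-publisher conditions for the certificate
# that signed the installation point.
function Test-TrustedPublisherSetup {
    param([Parameter(Mandatory)][string]$CertificatePath)  # exported .cer (public part only)

    $file = (Resolve-Path -LiteralPath $CertificatePath).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # True if the thumbprint is in the named store for the current user or the machine.
    $inStore = {
        param($storeName, $thumbprint)
        foreach ($location in 'CurrentUser', 'LocalMachine') {
            $hit = Get-ChildItem -Path "Cert:\$location\$storeName" |
                Where-Object { $_.Thumbprint -eq $thumbprint }
            if ($hit) { return $true }
        }
        return $false
    }

    # Build the chain to find its top certificate. Revocation is skipped so this works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($cert)
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $root = if ($elements) { $elements[-1] } else { $cert }   # self-signed: the certificate itself

    # Reports only an explicit Code Signing EKU (OID 1.3.6.1.5.5.7.3.3).
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $codeSigning = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })

    [pscustomobject]@{
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        NotAfter           = $cert.NotAfter
        SelfSigned         = $cert.Subject -eq $cert.Issuer
        CodeSigningEku     = $codeSigning
        InTrustedPublisher = & $inStore 'TrustedPublisher' $cert.Thumbprint
        RootSubject        = $root.Subject
        RootInTrustedRoot  = & $inStore 'Root' $root.Thumbprint
    }
}

# Usage (the path is a placeholder):
# Test-TrustedPublisherSetup -CertificatePath 'C:\temp\lso-signing.cer'
```

For a self-signed certificate both `InTrustedPublisher` and `RootInTrustedRoot` must be True, and `NotAfter` is the date to record alongside the certificate because the same certificate has to sign every later version.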
What kind of certificate should be used?
The certificate used to sign the installation point must be an Authenticode certificate that is valid for code signing. When choosing what kind of certificate you should use when signing the installation point, consider the following guidelines:
Using a self-signed certificate
When you install new versions of LSO, you must sign the installation points with the same certificate you used to sign the original. The self-signed certificates created by the Sign Tool delivered with Smart Office are valid for 30 years. That makes it very easy to continue to use the same certificate for a long time. The downside is that you may have to push it out to all clients in the Trusted Publisher list and the Trusted Root Certification Authorities list.
If a self-signed certificate can be used by the normal users, I would recommend using it.
Buying a certificate
Buying a certificate will reduce the work of having to push it out to the Trusted Root Certification Authorities list. Note that it may still be necessary to distribute the certificate to the Trusted Publisher list.
The downside with buying the certificate is that a purchased certificate is normally only valid for one to three years and then the certificate must be renewed. You must continue to use the original certificate and renew it when it expires.
If you do try to change certificates, every user will need to uninstall Smart Office and then install Smart Office again because ClickOnce will think someone has been tampering with the installation point. Therefore, if you start with using a purchased certificate, it is difficult to switch over to using another certificate.
Using an in-house Certificate Authority
When using an in-house Certificate Authority, it is possible to set the expiration date on the certificate to an interval that is longer than the normal one to three years.
More information about ClickOnce and Authenticode can be found here http://msdn.microsoft.com/en-us/library/ms172240.aspx .
Windows can be configured in numerous ways and sometimes it will work to install Smart Office for non-administrators without distributing the publisher certificate to the Trusted Publisher list. One other thing that may interfere is whether Windows interprets the Smart Office install site as an internet or an intranet resource. Normally there are different rules for intranet and for internet for non-administrators when it comes to the ability to install ClickOnce applications, and depending on how the installation point is accessed Windows will interpret the install site as an intranet or internet site.
- If the installation URL is in the format http://myserver/LSO/LawsonClient.application, Windows will assume the source is in the Local Intranet.
- If the installation URL is in the format http://myserver.lawson.com/LSO/LawsonClient.application, Windows will assume the source is from the Internet and different security levels may apply. Read more in this article http://msdn.microsoft.com/en-us/library/ms996418.aspx
One way of letting Windows know that the Smart Office server is on the intranet is to make sure the Smart Office site is added to the list of websites that always should be interpreted as intranet sites. It is possible to use wildcards when adding a site. To add a site, start Internet Explorer and open the Internet Options. On the Security tab select Local intranet, click Sites and then Advanced. Add the sites you need to the list. This list can of course also be configured by an administrator for all users in the Windows domain.
Pushing Smart Office to many users
To push out Smart Office to many users, use the PushClient.exe that is delivered with Smart Office. That small application can be used to start a silent installation of Smart Office. However, when doing a silent installation it is not possible to use application parameters, and therefore a Group Policy must be defined specifying where the Smart Office server is located. This is described in the Smart Office Administration guide.
Multiple installation points
Sometimes it is a good idea to have multiple installation points but use the same Smart Office server. Here are two reasons:
- There are offices located in areas with low bandwidth. Instead of letting all users at those offices install over the low-bandwidth link to where the Smart Office server is located, place an installation point closer to the users.
- External users that need to install Smart Office over internet. The same servers may not be available for internet users as they are for intranet users.
The installation guide has step-by-step instructions on how to create multiple install points.
It is only possible to define one Group Policy specifying where the Smart Office server is located and therefore it is only useful to push out one installation point. For those users that need to use more than one Smart Office client, other Smart Offices can be installed using the normal install URL.
Disadvantages with ClickOnce
ClickOnce installations always install into the current user’s folder, C:\Users\<userid>\AppData\Local\Apps\2.0 and below. The exact folder paths are decided by Windows and ClickOnce and cannot be predicted. All files that the Smart Office client is storing locally are stored below the C:\Users\<userid>\AppData\Local\Apps\2.0\Data folder.
For normal desktop users this is normally not a problem, but when using a desktop virtualization application like Citrix it becomes a problem since all users must install Smart Office. Add the complexity of having several servers in a farm, and the ClickOnce installation is not that well suited.
For such environments there exists an .msi installation for Smart Office. The .msi install program requires that the server on which the desktop virtualization is running is Windows Server 2008 R2 or higher and that the installer is an administrator.
How to use the .msi file is described in the Smart Office install guide.
Install ClickOnce applications from other browsers than IE