Client certificate authentication for Production Scheduler

When PlannerOne collects data in Sage X3, it requires to be authenticated.

There are two options:

• Basic authentication
• Client certificate authentication

This page describes the steps you need to do before enabling the client certificate authentication mode.

Prerequisites

• Sage X3 web server has to be correctly installed with setup using the load balancer mode (aka. nanny mode).
• Host certificate has to be installed in the list of certificates (should be done during the installation and first start). Go to All > Administration > Administration > Certificates
• Please refer to the documentation Certificate installation for general information on the certificate management.

Enabling the client certificate connections

Client certificate authentication requires a SSL connection. Although, you must configure a host to support HTTPS.

In the Host management (All > Administration > Administration > Servers), edit the host configuration (you should have a single one in common case) then add a new connection with:

• Port: 8443 (or any other suitable value)
• Active: true
• SSL: true
• Client authentication: true
• Server certificate: the one created during the installation

Create a client certificate

In order to be accepted during the authentication phase, the client certificate need to be created using the same CA certificate than the server certificate used in the host configuration in the step above.

The second condition to not be rejected is that the Common Name (CN) must be a login that can access the Sage X3 server.

On the X3 server:

A Sage X3 web server user will be used for the connection (parameter -cn in the following command). For this purpose, it is recommanded to define a dedicated user consuming the ERPTRAN badge (defined in the Role). This Sage X3 web server user must be able to connect to the X3 endpoint containing the datas to be linked with the Production Scheduler.

• Open a command line prompt
• Go to the cert_gen folder in the installation directory of the syracuse server.
• Use the certgen tool to generate a certificate using the following command:

              certgen -create -pass pwd_to_use_for_pk -capass pwd_used_when_creating_ca -cn login_used_for_x3 -days 730 -notransfer certificate_name
          

Example:

    certgen -create -pass strongpwd -capass verystrongpwd -cn ortems -days 730 -notransfer ortems    

This will generate files: ortems.crt, ortems.key and ortems.pem in the output folder.

Alternatively, you can use the standard openssl tool, but this is out of scope of this page.

For registering this client certificate in PlannerOne, you need a pfx file so it requires to combine the crt and key file into a single file in pkcs12 format. To create it, run the openssl command:

    openssl pkcs12 -export -out ortems.pfx -inkey ortems.key -in ortems.crt    

Use the client certificate in PlannerOne

You have now a client certificate that can be used to be identified in Sage X3. You can test it using curl using the command:

    curl -v -s -k --cert ortems.crt:strongpwd --key ortems.key https://x3-web-server:8443/api1/syracuse/collaboration/syracuse/users    

If every thing has been correctly configured, you should have a 200 status in the output.

In the Production scheduler installation, the prerequisites for the Client certificate authentication are now done.

You will be able to enable the client certificate authentication mode in the installation procedure :

At the Setting for application server access step, you will have to select the Certificate mode and then enter:

• The full path of the pfx file you have created above.
• The password used during the client certificate creation
• Confirmation of the password
• The full path of the CA certificate used to generate de client certificate

In the case you will have to perform those settings manually (after the Production scheduler installation), you can refer to the Planner One documentation available in the installation path\\docs\Install folder. In particular, please follow the steps described in the "Settings for certificate authentication" chapter of the howto_deploy page.