Enabling Client Certificate Authentication for Production Scheduler

This page describes the steps required to enable client certificate authentication mode.

Prerequisites

• The Sage X3 web server has to be correctly installed using load balancer mode.
• The host certificate has to be installed in Administration > Certificates. This should be done during the Sage X3 installation process.
  Refer to Certificate Installation for more information on certificate management.

Enabling client certificate authentication

To enable client certificate authentication, you first need to configure a host that supports HTTPS:

1. Go to Administration > Servers.
2. Edit the host configuration to add a new connection:
   • Port: 8443 (or any other suitable value)
   • Active: true
   • SSL: true
   • Client authentication: true
   • Server certificate: certificate created during installation

Defining the Common Name

You need a "Syracuse" web server user for the connection. It is refered to as the Common Name (parameter "-cn") in the certificate creation command. Follow the recommendations below to create a dedicated user for the Production Scheduler:

1. Go to Administration > Users > Roles and click New role.
2. Enter the information requested, and make sure you select "ERPTRAN" in the Badges section and "Admin" in the Security profile section.
   We recommend that you use the "ERPTRAN" badge for cost and performance purposes as it is the lowest-level badge.
3. Go to Administration > Users > Groups and click New group.
4. Enter the information requested and select the role you just created in the Roles section.
5. Go to Administration > Users > Users and click New user.
6. Enter the information requested, and make sure you select:
   • the endpoint you want the Production Scheduler to access,
   • the login needed to access the endpoint (admin),
   • the group you just created.

Creating a client certificate

1. Open a command prompt.
2. Go to the cert_gen folder in the installation directory of the "Syracuse" web server.
3. Use the certgen tool to generate a certificate using the following command:
   

   certgen -create -pass pwd_to_use -capass pwd_ca -cn login_x3 -days 730 -notransfer certificate_name

   Where:
   • pwd_to_use is the password for the certificate you are creating,
   • pwd_ca is the passphrase for the CA certificate used during host configuration,
   • login_x3 is the "Common Name" user you created,
   • certificate_name is the name of the certificate you are creating.
4. Combine the .crt and the .key file in a .pfx file (pkcs12 format) by running the following command:
   

   openssl pkcs12 -export -out certificate_name.pfx -inkey certificate_name.key -in certificate_name.crt

   Note: You need openSSL installed on your computer for this step.
5. If you have cURL installed on your computer, you can test the certificate using the following command:

   curl -v -s -k --cert certificate_name.crt:pwd_to_use --key certificate_name.key https://x3-web-server:8443/api1/syracuse/collaboration/syracuse/users

   If everything is correctly configured, you should have "200 status" in the output.

You can now follow the rest of the Production Scheduler Installation.

If you ever have to perform these settings manually (after the Production scheduler installation), you can refer to the Planner One documentation available in the installation path\\docs\Install folder. Follow the steps described in the "Settings for certificate authentication" chapter of the howto_deploy page.