Configuring certificates
P4 Plan supports X.509 Base64-encoded DER certificates.
By default, the P4 Plan server automatically generates a self-signed certificate for identifying itself to clients. For better security, you can specify your own server certificate, which may be signed by a known and already trusted certificate authority.
P4 Plan 8.2009 and later supports the TLS 1.2 security protocol.
Certificate locations
The following folders reside in the Security folder in the location where the P4 Plan server is installed.
| Folder | Contains: |
|---|---|
| Cert | Public certificate for the server. Should only contain one file. |
| Private | Private key for the server certificate. Should only contain one file. |
| TrustedCerts | Public certificates of the certificate authorities used to verify client certificates. Optional. |
| Intermediate | Intermediate certificate chain between a root certificate authority, which resides in each client machine’s OS certificate store, and the server certificate that resides in the Cert folder. Optional. |
| HasClientCert | Client certificate/key pair (certificate.pem and key.pem) if you have enabled single sign-on (SSO) and your Helix Authentication Server requires a client certificate. Optional. |
| CRLStore | Certificate revocation lists for the certificate authorities in the TrustedCerts folder. Optional. |
Using your own certificate
You can replace the self-signed certificate with your own certificate. Keep the following in mind:
- P4 Plan supports Base64-encoded X.509 certificates and keys.
- When verifying a server's identity, a client checks that the server's hostname is in the subjectAltName or subjectCommonName field of the certificate. Make sure you include the DNS entry for each database hostname in the subjectAltName field to avoid hostname mismatch validation errors when clients connect. P4 Plan supports wildcard hostname matching in certificates.
- There are no naming requirements for certificates or key files, but there can only be one file in the Cert folder and one file in the Private folder.
- When you change the public certificate on the server, you have one minute to put the corresponding private key into the Private folder on the server. When both files are in place, an entry is written to the server log to indicate that the security settings have changed.
- You do not need to restart the P4 Plan server for the new certificate to be used.
1. Optionally stop the P4 Plan server.
2. Replace the Security\Cert\Server.crt file with the Base64-encoded X.509 certificate you want to use. You do not have to use the same filename, but there should be only one file in this directory.
3. Replace the Security\Private\Server.key file with the Base64-encoded X.509 private key you want to use. You do not have to use the same filename, but there should be only one file in this directory.
4. If you stopped the P4 Plan server, restart it. If you did not stop the server, wait one to two minutes and look for the following message in the log, which indicates the certificate change was successful.
   The SSL settings for the server have been changed.
5. Log in from a client to make sure the new server certificate works correctly.
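A pre-deployment check for the replacement procedure above, as an added example that is not part of the P4 Plan documentation or tooling: it inspects a staging copy of the Cert and Private folders with the OpenSSL command line and reports a wrong file count, a certificate that is not Base64-encoded, a key that does not belong to the certificate, and database hostnames that no subjectAltName entry covers. The function names, the staging folder, the OpenSSL 1.1.1 or later requirement and the one-label wildcard rule are assumptions, not documented P4 Plan behavior.

```shell
#!/bin/sh
# Added example: checks a staging copy of Security/Cert and Security/Private.
# Print the DNS entries of the certificate's subjectAltName, one per line.
san_dns() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed if hostname $1 matches SAN entry $2. Assumption: a wildcard covers
# exactly one left-most label (RFC 6125 style); the page does not specify this.
name_matches() {
    nm_host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    nm_pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$nm_pat" in
        '*.'*) nm_rest=${nm_host#*.}
               [ "$nm_rest" != "$nm_host" ] && [ "$nm_rest" = "${nm_pat#??}" ] ;;
        *)     [ "$nm_host" = "$nm_pat" ] ;;
    esac
}

# Succeed if key $2 belongs to certificate $1; an encrypted key fails, no prompt.
key_matches_cert() {
    kc_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kc_key=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$kc_cert" ] && [ "$kc_cert" = "$kc_key" ]
}

# check_staged DIR HOSTNAME...: print each problem; non-zero status if any.
check_staged() {
    cs_dir=$1; shift; cs_bad=0
    for cs_sub in Cert Private; do
        [ "$(ls -A "$cs_dir/$cs_sub" 2>/dev/null | wc -l)" -eq 1 ] ||
            { echo "$cs_sub: must contain exactly one file"; return 1; }
    done
    cs_cert="$cs_dir/Cert/$(ls -A "$cs_dir/Cert")"
    cs_key="$cs_dir/Private/$(ls -A "$cs_dir/Private")"
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cs_cert" ||
        { echo "certificate is not Base64 (PEM) encoded"; cs_bad=1; }
    key_matches_cert "$cs_cert" "$cs_key" ||
        { echo "private key does not match certificate"; cs_bad=1; }
    for cs_host in "$@"; do
        san_dns "$cs_cert" | ( while IFS= read -r cs_san; do
            name_matches "$cs_host" "$cs_san" && exit 0
        done; exit 1 ) || { echo "no SAN entry covers $cs_host"; cs_bad=1; }
    done
    return "$cs_bad"
}

if [ "$#" -gt 0 ]; then check_staged "$@"; fi
```

Run it as `sh check.sh STAGING_DIR HOSTNAME...` against a folder that mirrors the Security layout; the check covers subjectAltName only, which is where the page recommends listing each database hostname.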
Shares and certificates
Tickets for shares also include the public certificate of the server that generated the ticket. This ensures that a server importing a ticket can verify the server it is connecting to.
P4 Plan Server connecting to other servers using a certificate
When the P4 Plan server connects to another server using a certificate (for example, Helix Authentication Service), P4 Plan checks that certificate against your operating system’s certificate store. This means that you may need to import a Certificate Authority certificate or a self-signed certificate into the operating system’s certificate store and restart the P4 Plan server before P4 Plan will recognize that server.