Configuring certificates for single sign-on on the Hansoft server

If the Helix Authentication Service (HAS) used for Hansoft authentication runs over HTTPS, you need to add certificates to the Hansoft server so that Hansoft can act as a client of HAS. You can use the self-signed certificates provided by the HAS installation or generate your own, which must be signed by a trusted certificate authority known to HAS.

Tip: See OpenSSL Certificate Authority for information about creating certificates. Do not use the -aes256 option anywhere it is mentioned.

1. Make sure that a version of the Hansoft server that supports single sign-on using HAS is installed. Hansoft 11.0041 and later supports SSO.

2. Add certificates to the following directory on the Hansoft server computer: HPMServer\Security\HASClientCert (e.g., C:\PMServer\Security\HASClientCert).

Hansoft expects the following certificate filenames, so you may need to rename your files:

  • certificate.pem – Client certificate
  • key.pem – Private key for the client certificate
  • ca.pem – Certificate authority (CA) certificate, to validate the Helix Authentication Service’s server certificate. If an HTTPS connection to your Helix Authentication Service requires a CA that is not installed in your operating system’s certificate store, you can save that CA certificate here.

Note: Adding a certificate to your operating system’s certificate store requires a Helix Plan server restart, but updating the file ca.pem does not.

3. If you have a self-signed client certificate, specify its filename in the CA_CERT_FILE setting in helix-authentication-service/.env and relaunch HAS.

If you have a CA-signed certificate, use CA_CERT_FILE or CA_CERT_PATH as described in the Helix Authentication Service Administrator Guide.
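
A pre-flight check for the HASClientCert directory from step 2, added here as an example (it is not part of Hansoft or HAS): it confirms the expected filenames are present, that each file carries the right kind of PEM block, that key.pem is not passphrase-encrypted, and that the certificate and key load as a pair. It assumes the -aes256 tip exists because key.pem must be readable without a passphrase; the function names are illustrative.

```python
import re
import ssl
import sys
from pathlib import Path

# File names Hansoft expects in HASClientCert, with the PEM label each must carry.
REQUIRED = {"certificate.pem": "CERTIFICATE", "key.pem": "PRIVATE KEY"}
OPTIONAL = {"ca.pem": "CERTIFICATE"}  # only needed for a CA missing from the OS store
PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def pem_problems(name, text):
    """Check one file's PEM labels; returns a list of problem strings."""
    want = {**REQUIRED, **OPTIONAL}[name]
    labels = PEM_BEGIN.findall(text)
    problems = []
    if not any(label.endswith(want) for label in labels):
        problems.append(f"{name}: no PEM '{want}' block (found {labels or 'none'})")
    # Assumption: the key must be usable without a passphrase. An encrypted key
    # (what -aes256 produces) shows up either as the PKCS#8 label or as the
    # traditional-format Proc-Type header.
    if name == "key.pem" and ("ENCRYPTED PRIVATE KEY" in labels
                              or "Proc-Type: 4,ENCRYPTED" in text):
        problems.append("key.pem: private key is passphrase-encrypted")
    return problems


def check_dir(directory):
    """Return every problem found in a HASClientCert directory ([] if none)."""
    d = Path(directory)
    problems = []
    for name in (*REQUIRED, *OPTIONAL):
        f = d / name
        if f.is_file():
            problems += pem_problems(name, f.read_text(errors="replace"))
        elif name in REQUIRED:
            problems.append(f"{name}: missing")
    if not problems:
        try:  # OpenSSL rejects a key that does not belong to the certificate
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.load_cert_chain(str(d / "certificate.pem"), str(d / "key.pem"))
        except ssl.SSLError as exc:
            problems.append(f"certificate.pem/key.pem: cannot load as a pair ({exc})")
    return problems


if __name__ == "__main__":
    found = check_dir(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(found) or "HASClientCert files look consistent")
    sys.exit(1 if found else 0)
```

Run it with the directory as the only argument, for example the C:\PMServer\Security\HASClientCert path shown in step 2; a non-zero exit status means at least one problem was reported.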