HaloENGINE

Phase 1. Certificate Configuration

The HaloENGINE Admin portal handles certificate management. It provides two options for the server certificate:

  1. A self-signed server certificate is generated by the server itself.

  2. The organization's own certificate is used.

The figure below depicts the high-level steps involved in administering the server certificate.


HaloENGINE Certificate

The HaloCAD for SOLIDWORKS PDM client relies on server certificate authentication; therefore, you can use either a self-signed certificate (HaloENGINEServer.cer) or a company-owned signed certificate for authentication.

The figure below depicts the high-level steps involved in administering the client certificate.


HaloENGINE Client Certificate

Step 1. Use Server Certificate Generated by HaloENGINE Admin Portal (Option 1)

Step 1a. Create a Self-Signed HaloENGINE (Server) Certificate 

  1. On the left navigation bar, click System Configuration, go to the Certificate Configuration tab, and click Configure.


    System Configuration page

  2. The Overview page appears as shown in the figure below:


    Overview page

  3. Click Server Certificate, and then click the Create Certificate button.

  4. The Add Server Certificate page appears as shown in the figure below:


    Creating a server certificate

  5. Enter certificate subject name − Enter a subject name. For example: CN=COMMONENG.LOCAL, OU=SECUDE, L=ENGLAND, ST=LONDON.

  6. Enter server keystore password − Enter a server Keystore password. For example, HaloENGINE_1. Note: Copy and paste are not allowed in this field. Please refer to the section “Keystore password policy”.

  7. Validity (days) − Enter certificate validity in days (1 to 5475). The default value is 3650.

  8. Enter subject alternative name (IP addresses) − Enter the server IP address. For example, 10.91.0.171.

  9. Enter subject alternative name (DNS) − Enter an alternative subject name (FQDN). For example, COMMONENG.LOCAL.

  10. Click Save

    Results:

    1. A confirmation message appears after the certificate is successfully updated.

    2. A self-signed server certificate (HaloENGINEServer.cer) is generated along with two other files (HaloENGINEServer.csr, serverKeystore.jks) in ...Tomcat\conf\cert.

    3. The page displays the server certificate information.

    What to do next

    1. For client systems such as Windchill, Teamcenter, Keytech, or Autodesk Vault, proceed to Step 4 to generate the client keystore.

    2. In case of the SOLIDWORKS PDM client/HaloENGINE_API, download the self-signed certificate (HaloENGINEServer.cer) and install it into the Trusted Root Certification Authorities on the client machine.

    3. Click the download icon, and in the Download Server Certificate dialog, click Download CER File to download a copy of the self-signed server certificate HaloENGINEServer.cer.


      Download Server Certificate

  11. Click Close to exit the dialog.
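Installing HaloENGINEServer.cer into Trusted Root Certification Authorities makes the client trust that certificate as a root, so it is worth confirming first that the downloaded file is the certificate created in Step 1a. The PowerShell below is an added example, not part of the HaloENGINE product or its documentation; the download path and the expected fingerprint are placeholders you supply.

```powershell
# Added example. Run in an elevated PowerShell session on the client machine.
$CerPath  = '.\HaloENGINEServer.cer'   # assumption: where the downloaded file was saved
$Expected = '<SHA-256 fingerprint obtained out of band from the server administrator>'

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    (Resolve-Path $CerPath).Path)

# Fingerprint over the DER bytes, so the result is the same for DER and Base64 .cer files.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = -join ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') })

# Subject Alternative Name extension (OID 2.5.29.17): should list the IP address
# and DNS name entered when the certificate was created.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

[pscustomobject]@{
    Subject  = $cert.Subject
    Issuer   = $cert.Issuer
    NotAfter = $cert.NotAfter
    SAN      = if ($san) { $san.Format($false) } else { '(none)' }
    SHA256   = $actual
} | Format-List

# Compare ignoring colons, spaces and letter case.
$normalized = ($Expected -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($actual -ne $normalized) {
    throw "Fingerprint mismatch: refusing to install $CerPath as a trusted root."
}

Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root
```

With the placeholder left in place the comparison fails and nothing is installed, which is the intended behaviour until a real fingerprint is supplied.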

Keystore Password Policy

Before creating the password, make sure to follow the policies listed below:

  • Passwords must be between 6 and 30 characters long

  • The password should not contain a space

  • The first letter should be an alphabetic character [upper or lower case letter]

  • It must contain at least 1 numerical character [0-9]

  • It must contain at least 1 symbol [$ _ #]
    For example: HaloENGINE_1

Step 1b. For a CA-Signed HaloENGINE Certificate 

You can convert the self-signed certificate created in Step 1a into a CA-Signed certificate by signing it with your Certificate Authority (CA).

  1. Click the download icon, and in the Download Server Certificate dialog, click Download CSR File to download the Certificate Signing Request (CSR) HaloENGINEServer.csr.

  2. Submit the HaloENGINEServer.csr file to your Certificate Authority to obtain the signed certificate in HaloENGINEServer.cer format.

  3. Import the CA (refer to Step 3). Note that a signed certificate cannot be imported until its corresponding CA certificate has been uploaded.

  4. As the certificate (HaloENGINEServer.cer) is signed now, you need to import it into the HaloENGINE Tomcat Service.

  5. Import Signed Certificate: 

    1. After importing the CA (in Step 3: Import Intermediate CAs), continue to import the signed certificate.

    2. From the list, choose Import signed certificate.

    3. Click on the attachment button and select the signed HaloENGINEServer.cer certificate from the Open dialog box.


      Importing the signed HaloENGINEServer.cer certificate

      Results: The name of the certificate will be displayed on the screen, and you will receive a confirmation message after uploading the certificate. To close the dialog, click Close. The Server Certificate page appears as shown in the figure below when you upload your certificate:


      Signed Server certificate and Root CA #1

      Illustration for the self-signed certificate.


      Self-Signed Server certificate #2

  6. What to do next: Continue from Step 4.

Step 2. Use Company's Own Certificate as the Server Certificate (Option 2)

Alternatively, if you already have a certificate for your company, you can use it with the HaloENGINE Admin Portal. However, the company's own certificate must be converted to work with HaloENGINE. Conversion is as simple as uploading to the admin portal and downloading it as HaloENGINEServer.cer.

To convert the company's own certificate, follow the steps below:  

  1. On the left navigation bar, click System Configuration, go to the Certificate Configuration tab, and click Configure.

  2. Click Server Certificate, and then click Convert Certificate.

  3. The Convert .pfx/.p12 to HaloENGINE Certificate dialog appears. 

  4. Enter the source password for the PFX/P12 file you want to convert. Note: Copying and pasting are not allowed in this field.

  5. Enter the server keystore password. Please refer to the section “Keystore password policy”.

  6. Click the attachment button and select the PFX/P12 file from the Open dialog box.


    Convert the existing certificate

  7. The certificate's name is displayed on the page.

    Results:

    1. A confirmation message appears once the certificate is uploaded successfully.

    2. Click Close to exit the dialog box.

What to do next

  1. Import the CA (refer to Step 3). Please note that a signed certificate cannot be imported before uploading its corresponding CA.

  2. If your certificate is signed, you need to import it into the HaloENGINE Tomcat Service (refer to Step 1b).

  3. After uploading your certificates, the Server Certificate page looks as shown in the figure below:


    Company own certificate and its Root CA

  4. Continue from Step 4.

Step 3. Import Intermediate CAs 

To evaluate a system's overall security level, the HaloENGINE needs a root CA or intermediate CA. You must include all intermediate CAs in the following cases: 

  1. If an intermediate CA has signed HaloENGINEServer.cer (Step 1b).

  2. If you use the company's own certificate, which is signed by an intermediate CA (Step 2).

To upload the CA Certificate, follow the steps below:

  1. Click the upload icon, and a pop-up window Upload Signed Server Certificate / CA Certificate appears.

  2. From the list, choose Import CA certificate and enter an alias name of your choice for Root CA (e.g., itadminsca).  

  3. Click on the attachment button and select your root CA from the Open dialog box.


    Importing the CA certificate

  4. The certificate name appears on the page.

    Results:

    1. A confirmation message appears after uploading the certificate

    2. Repeat the steps above to add all intermediate CAs.
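Because a signed certificate cannot be imported until its CA has been uploaded (Step 1b) and every intermediate CA must be included (Step 3), it helps to confirm beforehand which CA certificates the signed certificate actually chains through. The PowerShell function below is an added example, not part of the HaloENGINE product or its documentation; the function name, the file names in the usage comment and the root-first listing order are assumptions made for illustration.

```powershell
# Added example: list the CA certificates a signed certificate depends on.
function Get-RequiredCaCertificates {
    param(
        [Parameter(Mandatory)] [string]   $SignedCertPath,  # e.g. the CA-signed HaloENGINEServer.cer
        [Parameter(Mandatory)] [string[]] $CaCertPaths      # root/intermediate files received from your CA
    )
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        (Resolve-Path $SignedCertPath).Path)

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Offline structural check: skip revocation lookups and accept a private root
    # that is not present in the Windows trust store.
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    foreach ($path in $CaCertPaths) {
        $ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            (Resolve-Path $path).Path)
        [void]$chain.ChainPolicy.ExtraStore.Add($ca)
    }

    $built    = $chain.Build($leaf)
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })  # leaf first, root last
    $top      = $elements[-1]

    # A complete chain ends in a self-signed root; anything else means a CA file is missing.
    if ((-not $built) -or ($top.Subject -ne $top.Issuer)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        throw "Chain incomplete or invalid ($status). No certificate found for issuer: $($top.Issuer)"
    }

    # Emit the CA certificates root first; the leaf (index 0) is excluded.
    for ($i = $elements.Count - 1; $i -ge 1; $i--) {
        $c = $elements[$i]
        [pscustomobject]@{
            Position   = $elements.Count - $i
            Role       = if ($c.Subject -eq $c.Issuer) { 'Root CA' } else { 'Intermediate CA' }
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
        }
    }
}

# Usage (file names are assumptions):
# Get-RequiredCaCertificates -SignedCertPath .\HaloENGINEServer.cer -CaCertPaths .\root.cer, .\issuing.cer
```

Windows may also resolve issuers from the local certificate stores, so a CA listed in the output but not among the files you passed in still needs to be obtained and uploaded.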

Step 4. Use Client Certificate from Admin Portal (Option 1) 

Similar to how the Server certificate is handled, HaloENGINE provides two ways to handle a client certificate:

  1. A self-signed client certificate is generated by the server; refer to Step 4a below.

  2. Another option is to use the company’s own certificate; refer to Step 5 for SOLIDWORKS PDM and HaloENGINE API clients.

Step 4a. For a Self-Signed HaloENGINE Client Certificate  

This instruction applies to the clients listed below. Note: Self-signed client certificates can be generated using the HaloENGINE admin portal, and they are added to the client Keystore at the time of creation.

Client systems    Required Keystore format
Windchill         .jks
Teamcenter        .jks
Autodesk_Vault    .jks
Keytech           .jks

Client Keystore

Follow the steps below to create a self-signed client certificate:

  1. On the left navigation bar, click System Configuration, go to the Certificate Configuration tab, and click Configure.

  2. Click Client Certificate and then click the Create Certificate button.

  3. The Add Client Certificate page appears as shown in the figure below:


    Creating a client certificate

  4. Enter keystore name − Enter a Keystore name for the client. For example: CLIENTKEY.

  5. Enter certificate subject name − Enter a subject name. For example: CN=DESKTOP0001, O=SECUDE, L=ENGLAND, ST=LONDON. Enter client keystore password − Enter a client Keystore password. For example: ckpass1#. Note: Copying and pasting are not allowed in this field. Please refer to the section “Keystore password policy”.

  6. Enter a certificate alias − Enter an alias name. For example: SLVU148CLIENT.

  7. Validity (days) − The default period is 3650 days.

  8. Click Save

    Results:

    1. A confirmation message appears after the client’s certificates are successfully added.

    2. A self-signed (CLIENTKEY.cer) certificate is generated along with two other files (CLIENTKEY.pfx, CLIENTKEY.jks) in ...Tomcat\conf\cert. The user-specified Keystore name is used as the filename.

    3. Click Close to exit the page.

    4. The client certificate is generated and installed into the HaloENGINE Tomcat Service.

What to do next: Download the HaloENGINE Client Certificate.

To establish the connection between the client and server, you need to download this certificate/Keystore and add it to the client machine.

  1. Click the download icon, and the Download Client Certificate dialog appears. 

  2. Click Download JKS File to download a copy of the JKS file. In the example shown above, a file named CLIENTKEY.jks is downloaded. Note: HaloENGINE client systems, such as Windchill, Teamcenter, Autodesk_Vault, and Keytech, require a JKS Keystore to operate. 


    Downloading the client certificate

  3. Click Close to exit the page.

Step 5. Use Company’s Own Certificate as the Client Certificate (Option 2) 

If you want to use your company's certificate, you must add it to the HaloENGINE Tomcat Service. This option applies to SOLIDWORKS PDM and HaloENGINE API clients.

Prerequisites:

  1. In the case of other clients, have client certificates ready in advance.

  2. If your client certificate is signed by an intermediate CA, you must upload it as described in section Step 3.

To upload an existing client certificate, follow the steps below:

  1. Click Import Certificate

  2. The Import Client Certificate dialog appears. 

  3. Click on the attachment button and select the client certificate from the Open dialog box.

  4. Perform the same steps to upload other client certificates as well.


    Uploading existing client certificates

  5. Click Close to exit the dialog. 

    Results: After uploading your certificates, the Client Certificate page looks as shown in the figure below:


    Uploaded client certificates

How to Delete the HaloENGINE Client Certificate? 

To remove the client certificate, perform the following steps:

  1. On the left navigation bar, click System Configuration, go to the Certificate Configuration tab, and click Configure. Then, click Client Certificate in the top-right corner.

  2. Select the client certificate and click the delete icon under the Actions column.

  3. In the prompt “Are you sure to delete?”, click OK. By clicking OK, you confirm the permanent deletion of the client certificate.

    Result: A confirmation message appears after the certificates are successfully deleted.

How to Delete the HaloENGINE Certificate?

Deleting the server certificate removes all certificates.

Removing the server certificate will permanently delete all other certificates, including client and CA certificates. After deletion, the admin portal will not load. To access the portal again, manually change the protocol to HTTP and the port number to 8383, and clear your browsing data.

CA Certificate(s)

To remove the CA certificate(s), perform the following steps:

  1. On the left navigation bar, click System Configuration, go to the Certificate Configuration tab, and click Configure.

  2. Click Server Certificate in the center.

  3. Select the CA certificate and click the delete icon under the Actions column.

  4. In the prompt "Are you sure to delete server CA certificate?", click Yes. By clicking Yes, you confirm the deletion of the CA certificate from the Keystore.

    Result: A confirmation message appears after the certificates are successfully deleted.

Server Certificate

To remove the server certificate, follow these instructions:

  1. On the left navigation bar, click System Configuration, go to the Certificate Configuration tab, and click Configure.

  2. Click Server Certificate in the center.

  3. Select the server certificate and click the delete icon under the Actions column.

  4. In the prompt "Are you sure to delete the HaloENGINE Certificate?", click OK. By clicking OK, you confirm permanent deletion of the Server and Client certificates from the Keystore.

    Result: A confirmation message appears after the certificates are successfully deleted.

Restart the HaloENGINE Tomcat service

Restart the HaloENGINE Tomcat service after completing all necessary certificate-related changes.