Certificates

We recommend that you secure the communication between services with SSL/TLS encryption. This encryption requires the use of certificates. When you set SSL/TLS encryption or select IFS as web access security, an encryption is required.

Note: CNG and ECDSA certificates are supported by Infor EPM.

Types of certificate

SSL/TLS encryption requires several certificates:

  • Master certificate

    The master certificate can sign all other certificates of the farm. This certificate can be generated either by the Service Expert as a self-signed certificate or purchased as a CA-signed certificate. The master certificate acts as a root certificate. Add this certificate to the first server. The Service Expert configures all machines of the farm where this certificate must be trusted. Other certificates that are signed by this certificate are trusted implicitly. This works for Self-Signed and for Certification Agency Signed (CA-signed) certificates.

    • For production systems we recommend purchasing a CA-signed certificate. When purchasing a certificate, ensure that the certificate is capable of signing other certificates. Also, ensure that the certificate has the Is Certificate Authority flag enabled and the signing child certificate option added. For example, in the Basic Constraints field, ensure that you have these parameters selected: Subject Type: CA and Path Length Constraint: None.
    • For test systems, the Service Expert can create a self-signed master certificate. The Service Expert adds this certificate as a trusted root authority certificate to all machines that belong to the farm. The machines that are not part of the farm and which use web browsers to access the dashboards do not get the master certificate automatically. You must manually place the master certificate as a trusted root authority certificate into the Windows Certificates Store. If this certificate is not stored, an error message is displayed in the browser when accessing the farm.
  • Web access certificate

    The certificate used to secure the public URLs of the dashboards. The certificate can either be generated by the Service Expert or a purchased CA-signed certificate that is imported. When using a CA-signed web certificate, the trust on all machines is implicit.

    • When the master certificate is CA-signed, a web access certificate created by Service Expert is CA-signed as well.
    • On test systems you can use a web access certificate that is created by the Service Expert based on a self-signed certificate. In that case you must manually save the certificate into the trusted root folder.

      Infor EPM mobile applications on iOS do not support self-signed certificates.

      If you use Infor EPM mobile applications, we recommend that you use a CA-signed web certificate.

    Go to Service Expert > Global Security. Create a web access certificate and click Save to file. Place the file in the trusted root folder. Do this on every machine.

    The web front end of Infor EPM, the dashboards, are accessed through the public URL of the Dashboards Service Manager.

    Select the Service Expert > Global Settings and specify the URL information in the Dashboards Public URL field.

    The Dashboards public URL
    • When setting up your farm with a single Dashboards Service Manager, the URL of the Dashboards Service Manager is the public URL.
      Note: The service manager can load balance to several workers.

      https://<machine>:<port> default port is 9205.

    • When setting up your farm with several Dashboards Service Managers, you must have one public URL load balancing to the Dashboards Service managers.

    When you purchased a CA-signed web access certificate, you must issue this certificate to the public URLs.

    The Service Expert uses the master certificate of the farm to generate and sign the web access certificate.
    Note: The certificates that are generated by the Service Expert have a static expiry date (10 years). This cannot be changed.

    Consider these situations:

    • You have a Service Expert-created web access certificate on a production system, where the master certificate is CA-signed. In this case, the web access certificate is inherited and CA-signed indirectly.
    • You use a Service Expert-created web access certificate on test systems, where the master certificate is self-signed. In this case, the trust reaches only machines of the farm, but not the browser-machines. For the browser machines you must place the trusted root authority certificate into the Windows Certificates Store manually. Otherwise you cannot access the farm and an error is displayed.
    • You use web authentication through IFS. In this case, you must configure IFS to trust the master certificate.
  • Client certificate

    The certificate is used by various client applications to connect to the farm with the experts, console tools and Infor EPM full clients. It is part of the connection profile. The certificate is generated automatically when rooted in the master certificate.

  • Instance certificates

    Certificates that are used to secure individual Service workers and managers. These certificates are generated automatically whenever a worker or manager is added to the farm that is rooted in the master certificate.

  • Setup certificate

    The certificate is used to secure the individual installations. The Infor EPM setups are signed by Sectigo (AAA) certificate. If Sectigo (AAA) is not found as Trusted Root Certification, then the setup shows an error message. In that situation, install the AAA certificate manually as a local machine certificate first. Then, you can install the Infor EPM farm.