In environments where X.509 client authentication is in place, an administrator can
enable PowerDesigner Web to
authenticate users by the user certificate stored on their client machine. The client
browser sends a certificate issued by a trusted certificate authority to identify the user
and they are logged in automatically, without the need to manually enter their
Note: This procedure includes enabling SSL.
- Open a command prompt with administrator privileges and navigate to
JAVA_HOME/bin, where your keytool is
- Create a self-signed key pair to identify the server:
keytool -genkeypair -alias serverkey -keyalg RSA -dname
-keypass <SecurePassword> -keystore
- -dname - should provide appropriate metadata to identify your server.
- -keystore "<InstallDir>\keystore\server.jks" - is the path to the keystore which,
by default, will be at
C:\Program Files\SAP\PowerDesigner Portal 16\keystore\server.jks.
This command will create the keystore at this location if it does not already exist.
- -keypass <SecurePassword> and -storepass <SecurePassword> - must be identical
and are the secure password that you define for the server key and keystore.
- Obtain the client certificate issuer key (*.cer) for your
organization and import it into your keystore:
- In Chrome, select Manage certificates, and then click
- Select the certificate that you use to identify yourself in your
organization and click View.
- Click the Certification Path tab to show the
path from the selected certificate to the certification authorities that
issue the certificate, select the root certificate and click
- Click the Details tab and click Copy
to File. Follow the instructions in the
Certificate Export Wizard to save the
certificate as a file.
- Execute the following command to import the certificate into your keystore:
keytool -importcert -keystore
- -alias <cacertalias> -
defines the alias for your certification authority
certificate in your keystore.
- -file <file>.cer -
specifies the path to the certificate authority
- Edit the Tomcat/conf/server.xml file to enable client
authentication and configure the keystore/truststore.
Create a <Connector>
element with the following
- port - can be set to any
- clientAuth is set to
want to allow a standard login if the
certificate cannot be found.
- keystoreFile and truststoreFile point to your keystore
(by default at C:\Program Files\SAP\PowerDesigner Portal
- keystorePass and truststorePass are the
<SecurePassword> defined for your
Note: To restrict access to this port only, comment out any other connector
- Restart the PowerDesigner Portal Server and direct
your users to connect using https and the new port number. For example:
Users connecting to PowerDesigner Web
from a Windows client with an appropriate certificate and using a supported
version of Internet Explorer or Chrome should be logged in automatically.
Users with other browsers such as Firefox, which cannot read from the
Windows certificate store, or on other operating systems, will require
additional steps to enable single sign-on.
Note: Users can browse the repository without taking a license. If a user creates a diagram, or
edits an existing diagram, they will automatically take a license if one is
available. If their session times out (by default, after 15 minutes), they
will silently return their license. If they then return to their browser and
continue editing, they will silently reacquire a license if one is
- [optional] To customize the rights and permissions that users are granted,
consider changing the default rights and permissions granted to the
External users group or pre-creating user accounts
for individual users (see Creating Externally-Authenticated Repository Users).
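
An added example, not part of the product documentation: a Python check for the server.xml step above that walks every active connector and reports the settings that weaken certificate login (a non-SSL connector left enabled, clientAuth set to want, a missing keystore or truststore attribute). The sample file, its ports, paths and password are constructed placeholders, and SSLEnabled, scheme and secure are standard Tomcat connector attributes that the page does not list.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the product's shipped server.xml: ports, paths and
# the password are placeholders chosen for this example.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <!-- <Connector port="8009" protocol="AJP/1.3"/> -->
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="want"
             keystoreFile="C:/example/keystore/server.jks" keystorePass="placeholder"
             truststoreFile="C:/example/keystore/server.jks" truststorePass="placeholder"/>
</Service></Server>"""

# Attributes the procedure says the certificate connector must carry.
REQUIRED = ("keystoreFile", "keystorePass", "truststoreFile", "truststorePass")

def audit_connectors(server_xml):
    """Return (port, finding) tuples for every active <Connector>.

    ElementTree discards XML comments, so connectors that have been
    commented out are skipped, exactly as Tomcat skips them.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append((port, "non-SSL connector is active; certificate login is not enforced on it"))
            continue
        mode = conn.get("clientAuth", "false").lower()
        if mode == "want":
            findings.append((port, "clientAuth=want: users without a certificate get the standard login"))
        elif mode != "true":
            findings.append((port, "clientAuth is neither true nor want"))
        for attr in REQUIRED:
            if not conn.get(attr):
                findings.append((port, attr + " is missing"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(port, finding)
```

An empty result means every active connector uses SSL, requires a client certificate and names both stores; the clientAuth=want finding is informational where the standard-login fallback is intended.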