Breadcrumbs

Copy of Configure Your First Gateway (2)

Purpose

This guide provides step-by-step instructions for configuring your first Gateway in Cantara. A Gateway establishes a secure connection between Cantara and your JD Edwards (JDE) environment, allowing authenticated requests to be routed safely and reliably.

Optional SCIM provisioning can also be configured to automate user and group synchronisation between the identity provider (IdP) and Cantara platform.

Before you begin

Before starting Gateway configuration, ensure the following conditions are met:

  • Cantara access: Administrative permissions to manage Gateways.

  • JD Edwards access: Administrative access to the JDE environment to configure nodes and services.

  • Identity provider (IdP) access: Administrative access to the IdP for configuring single sign-on (SSO) authentication.

  • Namespace: At least one namespace must already exist in Cantara, as the Gateway is created within a namespace.

  • License: An active license must be assigned to the namespace in Cantara before the gateway can be configured.

  • SSL Certificate: Required for JWT token signing. Certificate creation is covered in Part One: JD Edwards Configuration.

  • SCIM (Optional): If you plan to configure automated user and group synchronisation, ensure SCIM provisioning is enabled and working

Gateway Configuration Steps

Part

Description

Key actions

Part One

JD Edwards Configuration

Configure SSO nodes, set token lifetimes, establish trust relationships, and create and apply the SSL certificate used for JWT token signing.

Part Two

IdP Configuration

Register the application, configure the redirect URI, create the client secret, set up SSO endpoints and claims, and optionally configure SCIM provisioning.

Part Three

Cantara Gateway Setup

Upload the certificate, configure the gateway and authentication settings, and connect the AIS or JAS service.

Procedure

The configuration process is divided into the following three parts, grouped by where the work is completed: JD Edwards, your IdP, and Cantara. Complete the parts in order to ensure the gateway is configured correctly and securely.

Part One: JD Edwards Configuration

Purpose

This section covers the JD Edwards configuration required for SSO, including node configuration, token lifetimes, trust relationships, and SSL certificate configuration for JWT token signing.

Procedure

Step 1: Access the SSO Configuration Tools in JD Edwards

  • Log in to JD Edwards as an administrator.

  • Access the SSO Configuration Tools using one of the following paths:

Both paths open the same screens, so use whichever option you prefer.

Path A - Via menu navigation:

  1. Navigate to Single Sign-On → SSO Environment Configuration Tools.

  2. The SSO Environment Configuration Tools screen opens displaying three options relevant to this setup: Single Signon Node Configuration, Single Signon Token Lifetime Configuration, and Single Signon Trusted Node Configuration.

Path B - Via application P986115:

  1. Launch application P986115 directly.

  2. On the Machine Search & Select screen, click Form in the toolbar.

  3. Three options are available: Node Configuration, Token Lifetime Cfg, and Trusted Node Config.

Note: It is recommended to enable long user IDs before starting the gateway configuration. For information, see Setting Up Long User IDs.

Step 2: Configure Nodes in JD Edwards

  1. Select Single Signon Node Configuration (Path A) or Node Configuration from the Form menu (Path B).

  2. On the Single Sign-On - Work With Node Configuration form, click Add.

  3. Create nodes for each JD Edwards component:

    • Gateway - Required for token generation.

    • Web Server - Recommended per server; covers AIS and JAS. You may create separate nodes for AIS and JAS, or share nodes if desired.

    • Enterprise Server - Each JD Edwards component is represented as a node. Trust must be established between nodes for token handoff.

  4. On the SSO Node Configuration Revisions form, complete the following fields:

Field

Description

Node Name

Enter a name for the node (max 15 characters).

  • For the Gateway node: any logical name can be used, but it must match the certificate name configured for token signing.

  • For Web Server and Enterprise Server nodes: it is recommended to use the actual server hostname.

Node Description

Enter a description of the node.

Machine Name

  • For the Gateway node: Choose a unique prefix for the gateway. This prefix will form part of the gateway URL and must be globally unique. Record this value as you will need to enter the same prefix in Cantara when configuring the gateway in Part Three: Prefix.

  • For Web Server and Enterprise Server nodes: Must be the actual hostname of the JAS or enterprise server.

Node Status

Set to Active

Node Password

Enter a password for the node. This password helps ensure that tokens generated by the node cannot be tampered with.

Verify Node Password

Re-enter the password.

  1. Click Save.

The new nodes now appear in the list of nodes.

Step 3: Set Token Lifetime

  1. Navigate to the token lifetime configuration: via menu select Single Signon Token Lifetime Configuration; via P986115 select Token Lifetime Cfg from the Form menu. On the Single Sign-On - Work With Token Lifetime Configuration form, click Add.

  2. In the Node Name field, enter or search for the required node.

  3. Select the appropriate node.

  4. On the Single Sign-On - Token Lifetime Configuration Revision form, complete these fields:

    • Regular Token Lifetime

      Specify the expiration time for a regular token. The default value for a node is 720 minutes (12 hours).

    • Extended Token Lifetime

      Specify the expiration time for an extended token. The default value is 4320 minutes (three days).

  5. Click Save.

Step 4: Add Enterprise Server Trusted Node Configuration

Trusted node configuration establishes which nodes are permitted to validate tokens generated by other nodes. This is required so that authenticated tokens can be passed securely between the gateway, web server (JAS/AIS), and enterprise server without each connection requiring a separate login. Configure trust so that each enterprise server trusts its web server, and each web server trusts the gateway node. Enterprise servers do not need to trust the gateway directly.

token.png

For more information, see How a Node Validates an Authenticate Token.

  1. Navigate to the trusted node configuration: via menu select Single Signon Trusted Node Configuration; via P986115 select Trusted Node Config from the Form menu. On the Single Sign-On - Work With Trusted Node Configuration form, click Add.

  2. In the Node Name field, enter or search for the node that will trust another node (for example the web server node).

  3. In the Trusted Node Name field, enter or search for the node being trusted (for example the gateway node).

  4. Repeat for all required trust relationships.

  5. Click Save.

Note: The nodes that you add to a new trusted node configuration must already be defined and have token lifetime configuration records.

Step 5: SSL Certificate Creation and Configuration

Create an SSL certificate to be used for JWT token signing.

  • The certificate can be self-signed, internally signed, or publicly signed

  • The certificate must include a private key

  • Load the certificate into a Java keystore format

  • Ensure the keystore file is local to the JD Edwards web server where it will be used

  • Securely store the keystore location and keystore password

Step 6: Apply SSL Certificate to JD Edwards Services

After setting up the SSL certificate, the next step is to apply it to the JD Edwards services (JAS and AIS) and ensure the proper configuration for token signing.

  • Apply the certificate to the JAS and AIS servers.

  • If multiple servers are used, repeat this configuration on each server

  • Ensure that Allow JWT Token Login is enabled.

  • If PS token login is in use, Allow PS Token Login should be enabled as well.

  • After configuring, synchronise the settings and restart the affected services to apply the changes.

Note: In some environments, the gateway prefix may need to be added to the Allowed JAS Server Overrides (list) (e.g., <prefix>.GW.cantara.cloud) to avoid redirect errors or access issues. This configuration may vary by environment.

Currently, the system uses prefix-based names (e.g., <prefix>.GW.cantara.cloud). A future update will allow the use of custom domain names for the gateway (e.g., jde.rinami.com), replacing the current prefix-based system.

Outcome

The JD Edwards nodes are configured, token lifetimes are set, trust relationships between enterprise servers, web servers, and the gateway have been established, and SSL certificates are configured and applied for secure JWT token signing.

Part Two: IdP Configuration

Purpose

This part covers the configuration of SSO in your IdP for user authentication with Cantara.

Procedure

Step 1: Register Application in IdP

  • Log in to your IdP (for example, Microsoft Entra ID, Okta and so on).

  • Register the Application that will be used for SSO.

Step 2: Configure Redirect URI

  • Set the Redirect URI in the IdP:

    • Ensure the Redirect URI matches what is configured in Cantara, as it must be registered with your IdP to avoid errors during the authentication flow.

    • Example Redirect URI:
      https://<instance-name>.gw.cantara.cloud/security/oauth/auth

Step 3: Generate Client Secret

  • Generate the Client Secret for the application.

Note: The Client Secret will be shown only once at once at the time of creation, so be sure to copy and store it securely.

Step 4: Configure SSO Endpoints

  • Obtain the following SSO endpoints from the IdP’s application configuration:

    • Authorization Endpoint

    • Token Endpoint

    • JWKS URL

Step 5: Configure ID Token Claims

  • Configure the ID token to include the JDE username field (email or USERID).

Note: The recommended value for the JDE username is USERID.

(Optional) Step 6: Configure Access Control

  • Access can be further restricted by assigning users or groups in the IdP.

  • Go to Users and Groups and assign the users or groups allowed to access the application.

Outcome

Your IdP is configured for SSO with the Cantara Gateway. Users can authenticate through the IdP, and access can be restricted to assigned users or groups if access control was configured. If you do not need automated user provisioning, continue to Part Three: Cantara Configuration for the Gateway.

SCIM Provisioning (Optional)

Purpose

Configure SCIM provisioning to automate user and group synchronisation between your IdP and the Cantara platform. SCIM is an optional feature that automates user provisioning and manages access across your IdP and Cantara. It does not affect user authentication. If your IdP supports SCIM, you can enable automatic provisioning so that user accounts and group memberships are managed in the IdP and synced into Cantara.

For detailed setup instructions, see the following topics:

Outcome

SCIM provisioning is configured. User accounts and group memberships are synchronised automatically from your IdP into Cantara. Continue to Part Three: Cantara Configuration for the Gateway.

Part Three: Cantara Configuration for the Gateway

Purpose

This section covers the Cantara configuration required to upload the SSL certificate, create the gateway, configure authentication and identity mapping, connect the AIS or JAS service, and confirm network requirements.

Step 1: Load SSL Certificate

  1. In Cantara, navigate to Certificates.

  2. Click + Add Certificate.

Gateway 2.png

  1. Click + Choose file and upload the certificate.

Note: The certificate must be in PKCS#12 format.

  1. Complete the following fields:

Field

Description

Name

Enter a name for the certificate.

Alias

If the key store contains multiple certificates, provide an alias. If there is only one certificate, the alias field can be left blank.

File Password

Enter the password associated with the SSL certificate file. This is mandatory to ensure file security.

Key Password

If using a private key, enter the password for it. This may not always be required.

For more information on how certificates are managed in Cantara, see Certificates in the Administration Guide.

Gateway 4.png

  1. Click Save Certificate.

Result

The certificate is uploaded and available for use. The expiry date is displayed to confirm validity. The certificate can be reused across namespaces.

If a certificate expires, you can upload a new one under the same name or give it a new name as per your preference.

Step 2: Configure Gateway in Cantara

  1. In Cantara, navigate to Gateways.

Gateways - slect namespace.png

  1. Select the appropriate namespace.

+ add Gateway.png

  1. Click + Add Gateway.

  2. Complete the following fields:

Add Gateway

Complete the following required fields:

Field Name

Description

Name

Unique name for the gateway (must correspond with the Node Name in JDE)

Security Provider

Select OAuth2

Prefix

Enter the gateway prefix you chose in Part One: Machine Name. This is the value entered as the Machine Name for the Gateway node. The prefix forms part of the gateway URL, must be globally unique, and must match exactly.

Time Zone

Set to the time zone where the JDE servers are hosted

Default Date Format

Select the date format your system uses

JDE Authentication

Defaults to JWT

JDE Environment Name

Specify the JDE environment being connected to (e.g., TEST, PROD).

Long Usernames

Recommended to enable unless the environment does not support long usernames

The following fields are optional and can be configured as needed:

Field Name

Description

Token Timeout

The duration in seconds before the token expires. Default is 3,600 (1 hour).

Description

Add a description for the gateway.

Component Version

Specify the component version.

Email From Address

Set the default sender email address for notifications.

Session Cookie Name

Specify a custom session cookie name.

RememberMe Cookie Name

Specify a custom remember me cookie name.

Note: Cookie settings can typically be left as default unless specific overrides are required.

JWT Authentication

Field Name

Description

Node Name

JDE node name created during setup

Node Password

Password for the node

Certificate Name

Select certificate used for secure communication
JDE Security

Field Name

Description

Service Username

JDE service account username

Service Password

Password for the JDE service account

JDE Role

The role for the user

JDE Date Format

Date format for the JDE service user
OAuth 2.0 Configuration

Field Name

Description

Authentication Method

JDE service account username

Client ID

OAuth 2.0 client identifier

Client Secret

OAuth 2.0 client secret

Authentication URL

OAuth 2.0 authorisation endpoint

Access Token URL

OAuth 2.0 token endpoint

Redirect URL

OAuth 2.0 redirect URL. Must match the redirect URI registered in Azure AD for the application.

JSON Web Key Set URL

JWKS token validation support

Username Attribute

email or USERID

Note: Must match the JD Edwards username

  • Recommendation:
    Use long usernames where the JD Edwards username matches the IdP username (typically email).

  • If short usernames are used, additional token configuration is required in the IdP.

Enable Refresh Tokens
If refresh tokens are required for your authentication flow, enable the Refresh Token setting in your IdP application configuration.

Result
The gateway is configured with authentication, identity mapping, and connectivity to JD Edwards.

Step 3: Configuring AIS or JAS Service in Cantara

Gateway updated.png

  1. Select the required service:

  • AIS

  • JAS

  1. Set Up Connection Node

  • Select the Scheme from the dropdown:

    • HTTP

    • HTTPS

  • Enter Host details.

    • DNS name of your secure endpoint

Result

The gateway is configured to route requests to the JD Edwards.

Step 4: Network Requirements

Before the gateway can communicate with JD Edwards, ensure the following network configurations are complete.

IP Whitelisting

Allow traffic from Cantara IP addresses:

REGION

CANTARA IP ADDRESS

Asia Pacific

34.151.106.182

Asia Pacific

35.189.15.37

United States

104.154.231.218

United States

34.135.234.39

Europe

34.140.87.23

Europe

34.76.36.159

Configure firewall and network controls to allow traffic only from the aforementioned IPs. Collaborate with your network or system administrators to ensure these settings are applied correctly.

Optional: Load Balancing

If your environment uses multiple AIS or JAS nodes, load balancing can be configured.

  • Additional nodes can be added in Cantara

  • Health checks should be enabled for multi-node setups

For single-node environments, load balancing is not required.

Result:

The AIS or JAS service is now available through the Cantara gateway using the configured authentication and network settings.

Outcome

Your first gateway is configured and operational. A secure connection has been established between Cantara and your JD Edwards environment, with authentication handled through your IdP and JWT token signing secured via SSL certificates. Authenticated requests can now be routed from Cantara to JDE through the gateway.

If SCIM provisioning was configured, user accounts and group memberships are synchronised automatically from your IdP into Cantara.

What’s next?

Once the gateway is configured, Gateway Access Control can be configured to manage access to services and functions. See Configure Gateway Access Control.