Based on customer need, RKL worked through the process of extending Sage X3 version 7 to be accessible over the internet utilizing an SSL certificate. The client wanted to be able to access Sage X3 without first attaching to their network. So we helped them purchase a website domain name they could use to access Sage X3 over the internet. A security risk is created when you do this, so we knew we needed to get an SSL certificate to encrypt the web traffic.
Here is the process:
Definitions:
- FQDN – Fully Qualified Domain Name
- DNS – Domain Name System
- SSL – Secure Socket Layer
- Additional information on OpenSSL
- .csr – Certificate Signing Request defined in RFC 2986
- .pem – Privacy Enhanced email defined in RFC’s 1421 and 1424
- .crt .cer .cert – A .pem (or rarely .der) formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.
- .der - A way to encode ASN.1 syntax in binary, a .pem file is just a Base64 encoded .der file. OpenSSL can convert these to .pem (openssl x509 -inform der -in to-convert.der -out converted.pem). Windows sees these as Certificate files. By default, Windows will export certificates as .DER formatted files with a different extension.
- .key - This is a PEM formatted file containing just the private-key of a specific certificate and is merely a conventional name and not a standardized one. In Apache installs, this frequently resides in /etc/ssl/private. The rights on these files are very important, and some programs will refuse to load these certificates if they are set wrong.
Configuration Steps:
1. Configure internal and external fqdn DNS records for internal and external access
2. Port 8124 had to be opened in the firewall and forwarded to the internal Sage X3 web server
3. Download and install OpenSSL on the Sage X3 web server to generate a csr file:
a. The Sage X3 install process places the openssl file here: C:\Sage\SafeX3\WEB231\tool\SOFTS\HTTPD\bin
b. Generate ssl: openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
i. This will generate a .csr and a .key (in non-pem format)
4. Using the csr file you created, go to a Certificate Authority (GeoTrust, GoDaddy, Verisign, etc.) and purchase a public certificate.
a. Should generate as a crt file (certificate) and a pem file (key)
b. May need to convert the key file to pem format
i. openssl rsa -in yourdomain.key -outform PEM -out yourdomain_pem.key
c. If certificate is in der format, this will convert it to pem (Apache will require a pem format cert and key):
i. openssl x509 -in cert.crt -outform der -out cert.der
5. In Sage X3, go to Administration, Certificates and create a new certificate using the fqdn you generated the certificate for:
a. Click Select file to load the crt certificate file and the pem private key file you generated earlier.
6. Once the certificate is created in Sage X3, go to the Hosts function in the Administration module and edit the existing host record
a. Check the box to use SSL and select the newly created certificate (shown below)
To learn more about remotely accessing Sage X3 ERP contact us at support@rklesolutions.com or call 717-735-9109 option 4.
