RKL eSolutions | Technology Insights, Tips and Trends

Setting up Sage X3 to use SSL and a public certificate

Written by Cliff Horst | Jul 23, 2015 11:08:38 AM

Based on a customer need, RKL worked through the process of making Sage X3 accessible over the internet using an SSL certificate. The client wanted to access Sage X3 without first connecting to their network, so we helped them purchase a domain name they could use to reach Sage X3 over the internet. Exposing the application this way creates a security risk, so we knew we needed an SSL certificate to encrypt the web traffic.

Definitions:

  • FQDN – Fully Qualified Domain Name
  • DNS – Domain Name System
  • SSL – Secure Sockets Layer
    • Additional information on OpenSSL
  • .csr – Certificate Signing Request defined in RFC 2986
  • .pem – Privacy-Enhanced Mail, defined in RFCs 1421 and 1424
  • .crt .cer .cert – A .pem (or rarely .der) formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.
  • .der - A way to encode ASN.1 syntax in binary; a .pem file is just a Base64-encoded .der file. OpenSSL can convert these to .pem (openssl x509 -inform der -in to-convert.der -out converted.pem). Windows sees these as certificate files. By default, Windows will export certificates as .DER-formatted files with a different extension.
  • .key - A PEM-formatted file containing just the private key of a specific certificate. The extension is merely a conventional name, not a standardized one. In Apache installs, this file frequently resides in /etc/ssl/private. The permissions on these files are very important, and some programs will refuse to load these certificates if they are set incorrectly.
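
The .pem/.der relationship defined above can be checked before a file is loaded into Sage X3. The following is an added example, not code from the original post or from Sage; the function names (`inspect`, `der_to_pem`, `is_single_der_sequence`) are hypothetical and the sample bytes are constructed. It checks only the outer encoding and PEM label, not whether the certificate or key is valid.

```python
import base64
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# PEM labels an administrator is likely to meet during this procedure.
KINDS = {
    "CERTIFICATE": "certificate",
    "CERTIFICATE REQUEST": "certificate signing request",
    "PRIVATE KEY": "PKCS#8 private key",
    "RSA PRIVATE KEY": "traditional RSA private key",
}

def is_single_der_sequence(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) of the declared length."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                      # short form: length fits in one byte
        header, length = 2, data[1]
    else:                                   # long form: next n bytes hold the length
        n = data[1] & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def inspect(data: bytes):
    """Return (encoding, kind); encoding is 'pem', 'der' or 'unknown'."""
    match = PEM_BLOCK.search(data)
    if match:
        try:
            body = base64.b64decode(match.group(2))
        except ValueError:                  # bad Base64 inside the PEM markers
            return ("unknown", None)
        if is_single_der_sequence(body):
            label = match.group(1).decode()
            return ("pem", KINDS.get(label, label))
        return ("unknown", None)
    # Bare DER carries no label, so the kind cannot be read without full ASN.1 parsing.
    return ("der", None) if is_single_der_sequence(data) else ("unknown", None)

def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes as PEM: Base64 in 64-character lines between BEGIN/END markers."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([b"-----BEGIN %s-----" % label.encode(), *lines,
                       b"-----END %s-----" % label.encode(), b""])

# Constructed sample: a minimal DER SEQUENCE { INTEGER 1 }, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
```

Reading a file with `open(path, "rb").read()` and passing the bytes to `inspect` shows whether a `.crt`, `.cer` or `.key` file is really PEM or DER, regardless of its extension.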

Configuration Steps:

    1. Configure internal and external FQDN DNS records for internal and external access
    2. Open port 8124 in the firewall and forward it to the internal Sage X3 web server
    3. Download and install OpenSSL on the Sage X3 web server to generate a .csr file:

      1. The Sage X3 install process places the openssl file here: C:\Sage\SafeX3\WEB231\tool\SOFTS\HTTPD\bin
      2. Generate the key and CSR (this will generate a .csr and a .key (in non-pem format)):

        openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

    4. Using the .csr file you created, go to a Certificate Authority (GeoTrust, GoDaddy, Verisign, etc.) and purchase a public certificate.

      1. Should generate as a crt file (certificate) and a pem file (key)
      2. May need to convert the key file to pem format:

        openssl rsa -in yourdomain.key -outform PEM -out yourdomain_pem.key

      3. If the certificate is in der format, this will convert it to pem (Apache will require a pem format cert and key):

        openssl x509 -inform der -in cert.crt -outform pem -out cert.pem

    5. In Sage X3, go to Administration, Certificates and create a new certificate using the FQDN you generated the certificate for

      1. Click Select file to load the crt certificate file and the pem private key file you generated earlier.

    6. Once the certificate is created in Sage X3, go to the Hosts function in the Administration module and edit the existing host record

      1. Check the box to use SSL and select the newly created certificate (shown below)


By following these steps, you can make Sage X3 securely accessible over the internet while protecting your data and minimizing risk. If you’d like help configuring SSL, hardening your environment, or need ongoing support for Sage X3, the RKL team is ready to assist with planning, implementation, and long-term support so you can focus on running your business with confidence.