How to Use SSL in Sage Enterprise Management (Sage X3)
Many companies that use Sage Enterprise Management (Sage X3) choose to have their Syracuse Web Server exposed to the internet for ease of access – no VPNs or remote desktop services to use – but making the connection open to the public internet exposes your web server/data to attack. Security is a necessity, as organizations need to keep their data private and secure.
Using an SSL (Secure Sockets Layer) connection with a certificate from a trusted Certificate Authority protects the confidentiality and integrity of company data exchanged online. SSL is the standard security technology for establishing an encrypted link between a web server and a browser; this encrypted link ensures that the data exchanged between the user and the web server is transmitted securely and remains private. Any Sage Enterprise Management installation exposed to the public internet should use SSL to secure its connection with users and protect company data.
Below are instructions on how to use SSL in Sage Enterprise Management.
Use an SSL tool like OpenSSL to create a certificate request (*.csr file) and a private key (*.key file) on your Syracuse Server.
The installation of the Safe Enterprise Management Web Server component will create OpenSSL binaries in the Sage\SafeEnterprise Management\Web\tools\SOFTS\HTTPD\bin folder. The exact path depends on the path specified during installation of the Web Server component.
Open a Windows Command Prompt and run the following:
    set OPENSSL_CONF=C:\Sage\SafeEnterprise Management\WEB235.2\tool\SOFTS\HTTPD\conf\openssl.cnf
In the Windows Command Prompt, browse to the bin folder noted previously and run the following (myCompany is the name of your company):
    openssl req -out myCompany.csr -new -newkey rsa:2048 -nodes -keyout myCompany.key
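The previous step will create a *.csr and a *.key file. The -nodes option writes the private key without passphrase encryption, so keep the key file in a secure location that only administrators can read; you'll need it in the following steps.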
Send the certificate request (*.csr) file to a Certificate Authority of your choice. They'll generate the certificate file (*.crt) and either send the file to you or offer access to download it.
Create the certificate to be used by Sage Enterprise Management.
Browse to Administration, Certificates, Certificates, and click +New certificates.
Provide the name used to reference the certificate information.
Description is optional.
In the Certificate section, drag/drop the *.crt file received from the certificate authority.
In the Private Key section, drag/drop the *.key file generated in step 1b. Do not leave this section blank even though it is not marked as required.
Enter a Passphrase.
Leave the CA Certificates/Server sections blank unless you know why you’re entering values here.
Click Save. If clicking Save does nothing, the private key and certificate files may not match. Sage Enterprise Management could also be detecting that the files are not valid or are in the wrong format.
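A pre-upload check for the mismatch and format problems described above, as an added example that is not part of the original article or Sage's tooling. It assumes the myCompany.* file names from the openssl req command, an RSA key (as rsa:2048 produces), and that openssl.exe is reachable; the parameter names are hypothetical.

```powershell
# Added example, not Sage's tooling: confirm that the private key, the CSR and
# the CA-issued certificate belong together before uploading them.
param(
    [string]$OpenSsl = 'openssl',   # assumption: openssl.exe is on PATH, else pass its full path
    [string]$Name    = 'myCompany'  # base file name used in the article's openssl req command
)

function Get-Modulus {
    param([string]$Kind, [string]$File)
    if (-not (Test-Path $File)) { throw "$File not found in $(Get-Location)" }
    # For RSA material, -modulus prints "Modulus=<hex>"; equal values mean the
    # same key pair. openssl reads PEM by default, so a DER file fails here.
    $out = & $OpenSsl $Kind -noout -modulus -in $File
    if ($LASTEXITCODE -ne 0) {
        throw "openssl could not read $File as PEM '$Kind' input (wrong format or damaged file)"
    }
    return ($out | Select-Object -First 1).ToString().Trim()
}

$key  = Get-Modulus 'rsa'  "$Name.key"
$csr  = Get-Modulus 'req'  "$Name.csr"
$cert = Get-Modulus 'x509' "$Name.crt"

if ($csr -ne $key)  { throw "$Name.csr was not created from $Name.key" }
if ($cert -ne $key) { throw "$Name.crt does not match $Name.key; it was issued for a different request" }

# -checkend 0 exits non-zero when the certificate has already expired.
& $OpenSsl x509 -noout -checkend 0 -in "$Name.crt" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "$Name.crt has expired" }

# Show what will be presented to browsers, then report success.
& $OpenSsl x509 -noout -subject -issuer -enddate -in "$Name.crt"
Write-Output "OK: $Name.key, $Name.csr and $Name.crt share one RSA key pair"
```

Run it from the folder that holds the three files; if openssl complains about its configuration file, set $env:OPENSSL_CONF to the openssl.cnf path used earlier.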
Configure the Sage Enterprise Management host to use SSL and the certificate created in the previous step.
Have all users exit the system. Any users still logged in will be disconnected from the system during the following steps.
Browse to Administration, Servers, Hosts, and click the pencil icon. If you have multiple hosts, choose the one marked as Started.
Check the box for
In the Server Certificates field, click the browse button and choose the certificate you created in step 3.
You may leave the Port field unchanged (default is 8124) or change it to the industry standard of 443 for SSL. If the port is changed, your IT professionals will need to configure the network and firewall with the correct routing information for the newly defined port.
Warning: If there is a problem with certificate setup, the certificate files, or the port, you may be locked out of Enterprise Management after the Syracuse service restarts in the following step.
To prevent this from happening, you can add another connection and configure it to use another port by clicking on the blue plus symbol instead of modifying the original one. This way, Syracuse will be listening on two ports.
You would only enable SSL for one of these connections and ports. If there is a problem with the SSL configuration, you can fall back on the other connection and port which was not changed.
You may or may not be prompted to restart the Syracuse service, but restart whether you’re prompted to or not.
All users must be logged out or they will be forcefully disconnected.
If the Syracuse service was restarted after responding to the prompt, it may not start automatically and will require you to do it manually.
If the Syracuse service does not stop/start in a timely manner, use the Task Manager to end all node.exe processes. Once they are ended, you should be able to start the Syracuse service.
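A post-restart check for the two-connection setup described above, as an added example that is not part of the original article. The host name and both port numbers are placeholders to replace with your own values, and the function names are hypothetical.

```powershell
# Added example: after the Syracuse restart, confirm that the SSL connection
# presents a certificate this machine trusts and that the unchanged fallback
# connection is still listening.
param(
    [string]$HostName  = 'x3.example.com',  # placeholder: the name users type in the browser
    [int]$SslPort      = 443,               # placeholder: the connection with SSL enabled
    [int]$FallbackPort = 8124               # placeholder: the connection left unchanged
)

function Test-Port {
    param([string]$Name, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($Name, $Port); return $true }
    catch   { return $false }
    finally { $client.Close() }
}

function Get-ServerCertificate {
    param([string]$Name, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    try {
        # Default validation is kept on purpose: AuthenticateAsClient throws if
        # the chain is untrusted, the name does not match, or the certificate
        # is outside its validity period.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Name)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

try {
    $cert = Get-ServerCertificate $HostName $SslPort
    Write-Output "SSL port ${SslPort}: subject=$($cert.Subject) issuer=$($cert.Issuer) expires=$($cert.NotAfter)"
}
catch {
    Write-Warning "SSL port ${SslPort} failed validation: $($_.Exception.Message)"
}

if (Test-Port $HostName $FallbackPort) {
    Write-Output "Fallback port $FallbackPort is listening"
} else {
    Write-Warning "Fallback port $FallbackPort is not answering"
}
```

Run it from a workstation that reaches the server the same way users do, so firewall and routing changes for the new port are tested as well.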
So much of your data should never be seen by outside eyes, so connecting it to the public internet simply for ease of access is a poor idea. Instead, you should use an SSL (Secure Sockets Layer) connection with a certificate from a trusted Certificate Authority to protect the confidentiality and integrity of company data exchanged online.