How to manage multiple http and https servers

Introduction

Sage X3 version V11 web platform is able to run on multiple web servers. Every web server can handle several node.js instances, which are managed by a load balancer (a dedicated nanny process handles the load balancer).

A web server can be accessible on several ports. The set up for each port can be different (for example, a port can be on http or https for instance).

All web servers will connect to the same repository if they share the same MongoDB instance. The set up of the different servers is defined by the host entity.

Architecture

The following schema summarizes the architecture:

Every server S can have Ns ports and manage Ms node instances.

If a server is dedicated to the web server layer, at least one node.js process (and probably more) should run per processor core (recommendations for memory and number of node processes per core will be published soon).

When a direct exposition on the web is necessary:

It is preferable and more secure to use one or more reverse proxies instead of opening ports directly on LAN server to Internet.
We strongly recommend that you use https connections and correctly set up the DMZs and the firewalls or other security equipment.

It is possible to have both http and https connections on two different ports of the same server.

Installation

When installing on a web server, be aware of the following:

When you install the first web server and connect it to a MongoDb instance, it will initiate and populate the database like for any installation.
Connect a 2nd or 3rd web server to this same MongoDb to build a cluster.
Use a single CA certificate per web server cluster that will be used by all instances. This can be automatic during installation if, when you generate the certificate by using the generation tool, you select to use the same shared directory for the generation (it can be a network location or a USB device).
Install the various generated certificate public keys (*.pem files) in the correct key directory on the X3 server (usually in the runtime\keys directory).

Use https connections

To run in https:

In the server configuration define which services are set up in SSL. +* Buy or generate, and select the corresponding certificates for the client.
If the certificates used have been self-generated, install the CA certificate as a certification authority for the browsers that use the https connection.

Remark (when you buy a certificate): At the moment, private keys in PKCS #1 and PKCS#8 formats are accepted (in PEM format, not DER format), either unencrypted or with traditional SSLeay compatible encryption (at PEM level; supported encryptiong mechanisms: DES-EDE3-CBC and DES-CBC, that is: DES and triple-DES). The encryption at ASN.1 level is not yet supported.
In other words: When you have a private key in PEM format and the first line of the file contains -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY----- it is OK, but when it contains -----BEGIN ENCRYPTED PRIVATE KEY----- it is not OK.

Conversion between the formats can be done using openssl (or other tools).

Example: Converting a private key in PKCS #8 format with encryption into a format which can be handled (on Microsoft Windows):

openssl pkcs8 -in privatekey1 -out tempfile 
openssl rsa -in tempfile -des3 -out privatekey2 
del tempfile

Here "privatekey1" and "privatekey2" and "tempfile" must be replaced with the name of the existing private key file in PKCS #8 format and the name of the file to be created and a temporary file name, respectively. The temporary file contains the private key without encryption and should be deleted as soon as possible (see last line)

Index Home