Epicor10_ArchitectureGuide_101600
Short Description
Descripción: Epicor ERP 10.1.600 Architecture Guide...
Description
Epicor ERP 10.1.600 Architecture Guide Epicor 10.1.600
Disclaimer This document is for informational purposes only and is subject to change without notice. This document and its contents, including the viewpoints, dates and functional content expressed herein are believed to be accurate as of its date of publication. However, Epicor Software Corporation makes no guarantee, representations or warranties with regard to the enclosed information and specifically disclaims any applicable implied warranties, such as fitness for a particular purpose, merchantability, satisfactory quality or reasonable skill and care. As each user of Epicor software is likely to be unique in their requirements in the use of such software and their business processes, users of this document are always advised to discuss the content of this document with their Epicor account manager. All information contained herein is subject to change without notice and changes to this document since printing and other important information about the software product are made or published in release notes, and you are urged to obtain the current release notes for the software product. We welcome user comments and reserve the right to revise this publication and/or make improvements or changes to the products or programs described in this publication at any time, without notice. The usage of any Epicor software shall be pursuant to an Epicor end user license agreement and the performance of any consulting services by Epicor personnel shall be pursuant to Epicor's standard services terms and conditions. Usage of the solution(s) described in this document with other Epicor software or third party products may require the purchase of licenses for such other products. Where any software is expressed to be compliant with local laws or requirements in this document, such compliance is not a warranty and is based solely on Epicor's current understanding of such laws and requirements. All laws and requirements are subject to varying interpretations as well as to change and accordingly Epicor cannot guarantee that the software will be compliant and up to date with such changes. All statements of platform and product compatibility in this document shall be considered individually in relation to the products referred to in the relevant statement, i.e., where any Epicor software is stated to be compatible with one product and also stated to be compatible with another product, it should not be interpreted that such Epicor software is compatible with both of the products running at the same time on the same platform or environment. Additionally platform or product compatibility may require the application of Epicor or third-party updates, patches and/or service packs and Epicor has no responsibility for compatibility issues which may be caused by updates, patches and/or service packs released by third parties after the date of publication of this document. Epicor® is a registered trademark and/or trademark of Epicor Software Corporation in the United States, certain other countries and/or the EU. All other trademarks mentioned are the property of their respective owners. Copyright © Epicor Software Corporation 2017. All rights reserved. No part of this publication may be reproduced in any form without the prior written consent of Epicor Software Corporation.
Epicor 10.1.600 Revision: May 15, 2017 8:51 a.m. Total pages: 37 sys.ditaval
Epicor ERP 10.1.600 Architecture Guide
Contents
Contents Part I: Epicor ERP 10.1 Application Architecture.............................................5 Chapter 1: Hardware Requirements..........................................................5 1.1 Review Hardware Sizing Guide...........................................................................................................5 1.2 Review Hardware Scenarios................................................................................................................5 1.2.1 Configuration #1: One Server...................................................................................................6 1.2.2 Configuration #2: Two Servers.................................................................................................6 1.2.3 Configuration #3: Three Servers...............................................................................................7 1.2.4 Configuration #4: Four or More Servers....................................................................................7
Chapter 2: Epicor ERP 10.1 Components....................................................8 2.1 2.2 2.3 2.4 2.5 2.6 2.7
Epicor Administration Console............................................................................................................8 Epicor Server.......................................................................................................................................9 Application Server...............................................................................................................................9 Database Server..................................................................................................................................9 Epicor Database..................................................................................................................................9 Reporting Server.................................................................................................................................9 System Agent and Task Agent..........................................................................................................10
Chapter 3: Additional Components and Products..................................11 3.1 3.2 3.3 3.4
Extension Components.....................................................................................................................11 Supplemental Components...............................................................................................................13 Cross-Brand Products........................................................................................................................14 Utilities and Resources......................................................................................................................17 3.4.1 Performance and Diagnostic Tool...........................................................................................17
Chapter 4: Multiple Application Servers..................................................18 4.1 Web Farm / Web Garden Notification...............................................................................................18 4.2 Customization Storage.....................................................................................................................19
Chapter 5: Epicor ERP 10.1 Functionality.................................................20 5.1 Review Epicor ERP 10.1 Feature Summary.........................................................................................20
Part II: Technology Strategies........................................................................21
Epicor 10.1.600
3
Contents
Epicor ERP 10.1.600 Architecture Guide
Chapter 6: Network Protocol Bindings....................................................21 6.1 Protocols..........................................................................................................................................21 6.2 Standard HTTP Binding Types............................................................................................................22 6.3 Transport Encryption Methods..........................................................................................................22 6.4 Serialization......................................................................................................................................22 6.5 Compression....................................................................................................................................23 6.6 User Authentication..........................................................................................................................23 6.7 Protocol Selection.............................................................................................................................23 6.8 Binding Options................................................................................................................................23 6.8.1 UsernameWindowsChannel....................................................................................................23 6.8.2 Windows................................................................................................................................24 6.8.3 UsernameSSLChannel.............................................................................................................25 6.8.4 HttpBinaryUsernameSslChannel..............................................................................................25 6.8.5 HttpsBinaryUsernameChannel................................................................................................26 6.8.6 HttpsBinaryWindowsChannel.................................................................................................27 6.8.7 HttpsOffloadBinaryUserNameChannel.....................................................................................28
Chapter 7: Authentication Options..........................................................30 7.1 User Identity Methods.......................................................................................................................30
Chapter 8: Security Requirements............................................................31 8.1 8.2 8.3 8.4
Licensing..........................................................................................................................................31 User Account Options.......................................................................................................................31 Server Protection..............................................................................................................................31 Securing Database Access.................................................................................................................32
Chapter 9: SSL: Review Digital Certificates for Epicor ERP 10.1.............33 9.1 Overview of Digital Certificates.........................................................................................................33
Chapter 10: Timeout Settings...................................................................34 10.1 Machine.Config Settings.................................................................................................................34 10.2 Additional Timeout Options............................................................................................................35 10.2.1 SSRS Site Timeout.................................................................................................................35
4
Epicor 10.1.600
Epicor ERP 10.1.600 Architecture Guide
Epicor ERP 10.1 Application Architecture
Part I: Epicor ERP 10.1 Application Architecture Welcome to the Epicor ERP 10.1 Architecture Guide. This comprehensive guide provides a detailed overview on the supported technology and architecture of the Epicor ERP 10.1 application.
Chapter 1: Hardware Requirements Use this section to review hardware requirements for Epicor ERP 10. You can review the documents provided for hardware sizing and configuration, and you can also review example hardware configuration scenarios based on your required applications. It is highly recommended that you understand your hardware requirements prior to installing your Epicor products.
1.1 Review Hardware Sizing Guide Use these steps to download and review the Epicor ERP Hardware Sizing and Configuration Guide. Note that Hardware requirements may change based on the specific release. It is recommended that you have an understanding of the hardware requirements prior to installing. 1. Log on to EPICweb and go to the customer portal website. Navigate to Products > Epicor ERP version 10 > Downloads. You can use this link: https://epicweb.epicor.com/products/epicor-erp-10/downloads 2. Scroll to the Utilities folder. Select Hardware Sizing Guide. 3. From the Available Downloads, select to download the Epicor ERP Hardware Sizing Guide file. 4. Review the entire guide to assist in understanding your hardware requirements.
1.2 Review Hardware Scenarios Use this section to review examples of hardware configuration scenarios, including basic multi-server scenarios. The examples list the applications that might be installed on each server. Review the example scenarios to determine which type of configuration is appropriate for your environment. Note that these are basic examples and your desired configuration may be more complex. Note The example scenarios only use compatible versions of Windows Server and SQL Server. For example, Windows Server 2016 is listed with SQL Server 2016; and Windows Server 2012 R2 is listed with SQL Server 2014 or 2016, and Windows Server 2008 R2 is listed with SQL Server 2008 R2. Using mixed versions of Windows Server and SQL Server is not supported. For example, if your Epicor server is running Windows Server 2016 then your SQL server must be running SQL Server 2016.
Epicor 10.1.600
5
Epicor ERP 10.1 Application Architecture
Epicor ERP 10.1.600 Architecture Guide
1.2.1 Configuration #1: One Server Review the One Server configuration example to determine if it is appropriate for your environment.
1.2.2 Configuration #2: Two Servers Review the Two Servers configuration example to determine if it is appropriate for your environment.
6
Epicor 10.1.600
Epicor ERP 10.1.600 Architecture Guide
Epicor ERP 10.1 Application Architecture
1.2.3 Configuration #3: Three Servers Review the Three Servers configuration example to determine if it is appropriate for your environment.
1.2.4 Configuration #4: Four or More Servers Review the Four or More Servers configuration example to determine if it is appropriate for your environment.
Epicor 10.1.600
7
Epicor ERP 10.1 Application Architecture
Epicor ERP 10.1.600 Architecture Guide
Chapter 2: Epicor ERP 10.1 Components Use this section to review the components of your Epicor ERP application. It is recommended that you understand the relationships between the required components prior to starting your Epicor ERP application installation.
2.1 Epicor Administration Console The Epicor Administration Console includes administrative tools that you can use to maintain and manage your database servers, application servers, and other system components. The Epicor Administration Console is a component that can be selected for installation during the installation of Epicor ERP 10 Server.
8
Epicor 10.1.600
Epicor ERP 10.1.600 Architecture Guide
Epicor ERP 10.1 Application Architecture
2.2 Epicor Server Epicor server is a server computer that hosts one or more application servers. To define what application servers each Epicor server hosts, you either create new application servers or register existing application servers. These application servers are then linked to the Epicor server and run tasks for the Epicor application.
2.3 Application Server An application server manages how a specific instance of the Epicor application runs. Through each application server, you can configure licenses, companies, sessions, and users for a specific database. An application server is created under the Epicor server. One or more application servers can be defined for each Epicor server. When you select an application server on the tree view, you can perform administrative tasks to it. For more information on Epicor server, review the Epicor Server section within this guide and the Administration Console Online Help. You can set up multiple application servers to run the same database. They can then improve performance by balancing the load. For example, you create two application servers for the same database, but these application servers support different endpoint bindings. One application server is set up to run Epicor Web Access (EWA) on one server machine, while another application server is set up to run a smart client through Net.TCP on a different server machine. Note For more information on Endpoint Bindings, review the Authentication Options section within this guide.
2.4 Database Server A database server represents a SQL Server server\instance and contains the various Epicor application databases your organization requires to conduct business. Before you can work with databases in the Epicor Administration Console, you need to add a database server to the Database Server Management node.
2.5 Epicor Database The Epicor Database resides on the Epicor Database server. For implementation following the Epicor Signature methodology you need four databases. Below are suggested names for the types: • Epicor10_Demo - contains Epicor Demonstration Data. You can use it for Epicor University training and when you use the Education Module, which is how you access the embedded courses. • Epicor10_Test - includes your data. You can use it for test and development purposes and to try new scenarios. • Epicor10_Pilot - contains your data for the Pilot database. The data should be controlled more than the Test database. • Epicor10_Production - contains data you use to leverage various processes in your company.
2.6 Reporting Server Reporting Server contains Epicor SQL Server Reporting Service (SSRS), a server-based reporting platform that provides comprehensive reporting functionality for a variety of data sources. Note that in the Epicor ERP application, SSRS reports can be used in parallel to Crystal reports. If you have an existing Epicor 9.05 application and you chose to not use the recommended SSRS functionality that is available with the Epicor ERP 10.1 application, you can use the steps in the Epicor ERP 10.1 Migration
Epicor 10.1.600
9
Epicor ERP 10.1 Application Architecture
Epicor ERP 10.1.600 Architecture Guide
Guide to install and configure Epicor SQL Server Reporting Service (SSRS) using the previous method, referred to as the "portal method". These steps will create the Epicor SSRS Portal, create the Epicor SQL Report Monitor Service, and establish the connection to a SQL Report Server. This portal method is available to provide a "stop gap" functionality that you can use to continue to have reporting functionality as you gain experience using the new SSRS functionality available in the Epicor ERP 10.1 application.
2.7 System Agent and Task Agent System Agent and Task Agent are designed to streamline and automate the flow of data throughout your company. To maximize the efficiency of your network resources, you can select to execute reports, process programs and run queries not right after you submit them, but at a later time by adding them to a schedule that occurs during specific intervals. You can add programs to recurring schedules using the Schedule drop-down lists available on programs throughout the Epicor ERP application. When you assign a task to a recurring schedule, the Task Agent activates and handles it according to the settings defined by the System Agent. Review the following information to learn more about System Agents and Task Agents. • System Agent Maintenance. You set up schedules in the System Agent Maintenance program. All schedules created through System Agent Maintenance appear on the Schedule list. Each time the schedule activates, all the tasks assigned to it run in the order they were added to the schedule. For example, depending on the task, this could cause a specific report to generate and print, a business activity query to export, and a global alert to be sent. Important To run the Task Agent, you must configure your System Agent Epicor user account to have session impersonation rights. For instructions on how to set session impersonation rights, refer to Epicor ERP 10 Installation Guide. • Task Agent Service Configuration. You can create a task agent in the Task Agent Service Configuration program. This program allows you to add task agents that run on either a local machine or a remote machine. After you set up an application server (AppServer), you can then configure the local or remote task agent for the database. If you have multiple appservers, all of them point to the same database, and you can configure a task agent on any appserver even if they are located on different physical servers. The task agent is distributed to multiple appservers based on pre-defined rules. • Connecting a Task Agent. You can connect a task agent to an application server through different endpoint binding methods. If you connect a new or existing task agent through the Windows endpoint binding type, you must enter a Windows domain user account on the task agent service. The Windows domain user account you enter must be associated with either an Epicor ERP or Epicor ICE user account. Review the Authentication Options section for more details on binding methods you can use in Epicor ERP. Note You can only configure one instance of the task agent service to run against a specific database. If you try to create two task agents to run against the same database, you receive an error message when you attempt to save the second instance. For more information on how to configure a task agent and how to connect it to an application server, review the Administration Console Help and the Application Help. • Creating a System Agent. A System Agent defines the information needed to configure the Task Agent AppServers. You create it after you first install the application, and it is automatically created when you install an Epicor Demo Database or migrate from a previous version. You then can use the System Agent > Detail sheet within the System Management Maintenance program to make changes you need to the system agent. You can also set up multiple system agents based on your requirements for generating reports and processes. With multiple system agents, you can send reports to different AppServers based on a set of rules you define. For example, a system agent can be defined using AppServers with different schedules so various processes and reports run at times that make better use of your available network resources. For more information on how to work with System Agent, review the Application Help.
10
Epicor 10.1.600
Epicor ERP 10.1.600 Architecture Guide
Epicor ERP 10.1 Application Architecture
Chapter 3: Additional Components and Products Use this section to review additional software components and products that are available to install with your Epicor ERP 10 application. These additional components and products enhance the functionality of your Epicor ERP 10 application.
3.1 Extension Components You can install the Epicor ERP extension applications after you have configured your Epicor application server. To get an extension working, you need to go through the following three-step process: • select the extension features to install during the Epicor ERP 10.1 server installation process • to deploy the selected features, use the Application Server Configuration process in Epicor Administration Console • perform initial configuration within the installed extension Extension applications include: Epicor Web Access, Epicor Mobile Access, Epicor Social Enterprise, Enterprise Search, Epicor Education, Epicor Information Worker, and Epicor Help. Epicor Web Access Epicor Web Access™ displays programs as web forms within a browser window and is a significant part of the Epicor Everywhere Framework. These forms are generated from Epicor ERP programs. Because of this, the appearance and functionality of the Epicor Web Access forms is nearly identical to the Epicor smart client programs, but do not require the installation of the Epicor client. Epicor Web Access programs can run on several operating systems and on a variety of devices - including handheld devices. You can have multiple instances of the Epicor Web Access extension linked to each application server. Epicor Mobile Access Epicor Mobile Access extends the Epicor Everywhere Framework™ to generate properly sized Web forms for mobile platforms including iPhone, Android, and Windows Phone.
Epicor 10.1.600
11
Epicor ERP 10.1 Application Architecture
Epicor ERP 10.1.600 Architecture Guide
Since the mobile dashboards that support Epicor Mobile Access (EMA) are built using the dashboard technology and Updatable BAQ technology embedded in the Epicor ERP application, users can create web applications that implement business functionality on mobile devices. You can have multiple instances of the Epicor Mobile Access extension linked to each application server. Epicor Social Enterprise Epicor Social Enterprise is an information network designed to support information exchange across your business enterprise. Epicor Social Enterprise is fully integrated into the Epicor ERP application's smart and web clients. From each client, you can access the Epicor Social Enterprise website and work with the full functionality of your Epicor Social Enterprise account, or you can choose to work in Epicor Social Enterprise in the context of a selected ERP data record. You can only have one instance of the Social Enterprise extension linked to each application server. Epicor Enterprise Search Enterprise Search is a powerful search application which you can use to retrieve indexed content from within your Epicor ERP application and then quickly launch specific programs to display the data returned from the search. Using the default search index definition shipped with Epicor ERP, you can search on any item within the Epicor database - like a part, customer, purchase order, AR invoice, and so on. All the records within the Epicor database that use this record in some way appear within the search results. Results are organized by record type and can be filtered by record type. You can only have one instance of the Enterprise Search extension linked to each application server. Epicor Education Epicor's library of embedded educational materials provides you with a platform to develop an effective training program for your organization. The number of resources enable you to choose the best options to meet your training needs and tailor the content to fit your users. You install the Embedded Courses on the Epicor Education sheet. You can only have one instance of the Epicor Education extension linked to each application server. Epicor Information Worker Epicor Information Worker (IW) is a set of plug-in applications for Microsoft Office that offers a transparent user experience for Epicor applications within a familiar desktop productivity environment. It gives employees who depend on enterprise data ("information workers") direct access to Epicor data from inside Microsoft Outlook, Word and Excel. Once Epicor data is imported into Office, users can keep the data synchronized between Office and Epicor, and can work either in online or offline (disconnected) modes. Epicor Help Epicor's online help system contains reference level information on modules and programs. It also contains a series of technical references guides that provide detailed information on job costing, scheduling, and other areas of the Epicor application. You can launch application help from the Home page by clicking the Help tile, or from directly within a specific program by pressing the F1 key or clicking Help > Application Help.
12
Epicor 10.1.600
Epicor ERP 10.1.600 Architecture Guide
Epicor ERP 10.1 Application Architecture
3.2 Supplemental Components Supplemental components that can be installed after your Epicor ERP 10.1 application is installed and configured. Country Specific Functionality (CSF) Country Specific Functionality is designed to accommodate localization for specific markets throughout the world. It supports global, regional and local accounting and reporting standards such as, IFRS, Generally Accepted Accounting Principles (GAAP), taxes and fiscal reporting Support for various countries. You can view the list of available countries in the Epicor ERP 10.1 Installation Guide and activate the required country in Epicor Admin Console. Microsoft Service Bus 1.1 Microsoft Service Bus for Windows Server, also called "Service Bus", is required as a software component with Epicor ERP 10.1 if you use Multi-Company functionality and you process multi-company transactions between more than one database. Using queue technology, Service Bus provides extensive publish/subscribe capabilities which allow multiple, concurrent subscribers to retrieve views of the published message stream. Review the Service Bus prerequisites when installed for use with Epicor ERP 10.1: • Windows Server 2008 R2 SP1 x64 or Windows Server 2012 x64, Windows Server 2016 • SQL Server 2008 R2 SP1, SQL Server 2008 R2 SP1 Express, SQL Server 2012, SQL Server 2016 • .NET Framework 4.6.1 • TCP/IP connections or named pipes configured in SQL Server • SQL Browser service running in case of TCP/IP connections. Note SQL Server can be installed on the same physical machine with the Service Bus or on a different machine. The Service Bus databases can reside on multiple machines as well. All the databases do not need to be created on a single database server. The instructions for installing Microsoft Service Bus for Windows Server are located in the Epicor ERP 10.1 Installation Guide (New or Migration) > Supplemental Installations section. For additional information, you can also refer to the Microsoft Download Center documentation. Note that the instructions for setting up Multi-Company functionality is located in the Multi-Site Technical Reference Guide which is available within the online help and from the EPICweb Documentation > Technical Reference Guides page. Performance and Diagnostic Tool If you are experiencing performance issues, you should first contact either your Epicor consultant or Epicor Technical Support. If the performance issue cannot be resolved through this initial contact, the technical support representative or the consultant may recommend you use the Performance and Diagnostic Tool. This tool captures performance information, and you can organize this information to receive meaningful metrics that relate to the ® ® performance of your Epicor ERP application. You can also export these results to Microsoft Excel for additional review and analysis. Through the Performance and Diagnostic Tool, you can evaluate: • The performance of one client versus another client on the same system. • The performance of business object methods on both the client and the server. • Overall performance of the server and the network. • Performance of business objects in one system against the same business objects on other systems. • Performance of customizations, personalizations, Business Process Management (BPM) methods, and business activity querys (BAQs). • The configuration of the Epicor ERP application.
Epicor 10.1.600
13
Epicor ERP 10.1 Application Architecture
Epicor ERP 10.1.600 Architecture Guide
To learn more about the Performance and Diagnostic Tool, review the Performance Tuning Guide. This guide describes the common patterns of slow performance, the tools available for testing performance issues, and potential performance solutions. SharePoint Publisher You can use the Epicor SharePoint Publisher functionality to display dashboards in the Microsoft® SharePoint® environment. You leverage web dashboards to create SharePoint web parts that directly link to business activity queries (BAQs). Web parts are integrated sets of controls for creating web sites you can use to directly modify, within a web browser, the content, appearance, and behavior of web pages. All dashboard web parts directly access the Epicor application server, so no web services or other intermediate layers are required to run web dashboards. SharePoint web parts contain nearly the same functionality as Epicor dashboards. The data initially pulled into the dashboard can be refreshed as needed. The Grid views contain both Order By and Group By functionality. Web dashboards support publish and subscribe between views, so data within a grid view can update data with a linked chart view. Web dashboards also link to the Performance Canvas for embedded Epicor EPM functionality.
3.3 Cross-Brand Products Use this section to review the Cross Brand Products that can be installed after your Epicor ERP 10.1 application is installed and configured. You can access the Epicor Cross-Brand Solutions documentation on EpicWeb using the following link: https://e picweb.epicor.com/products/epicor-erp-10/documentation. The Cross-Brand Solutions library is in the right pane. Your screen may look similar to the following:
Epicor Cross-Brand Solutions are designed to extend the functionality of your ERP system by providing additional features you can use for your business requirements. You can configure these products to work with different Epicor ERP systems, such as Epicor ERP 10.1, Prophet 21, iScala. Eclipse, Tropos and so on. Cross-Brand solutions interact with your ERP system which allows you to use ERP data in additional environments.
14
Epicor 10.1.600
Epicor ERP 10.1.600 Architecture Guide
Epicor ERP 10.1 Application Architecture
Advanced Financial Reporting Epicor Advanced Financial Reporting is a complete toolset you use to create custom financial reports specific to the needs of your organization. The reports you build will contain financial information from various sources you define - you can set up each report to pull information from one or multiple general ledger (GL) books across multiple companies, from multiple ERP systems. Epicor Advanced Financial Reporting interacts with an Epicor application through a report server. This server pulls the general ledger data from your active database to an AFR financial database via replication provided by AFR Replication Monitor, and makes this data available for use within AFR. You then create a report definition in the Report Designer. The AFR Report Designer is used to define the basic elements of the reports - row sets, column sets, report parameters, data filters, and formatting of the reports. Using the Report Designer, you can build report definitions, preview them to verify current data displays as expected, and upload Report Definition Language (RDL) files, which enable users to view reports in a web browser, via SQL Server Reporting Services (SSRS). Once you set up your report, you can further refine the look and feel in either Microsoft® Visual Studio® or Microsoft® SQL Server® Report Builder. You can use these report layout and formatting tools to fine-tune the overall look of each financial report. When you finish refining the layout of your financial reports, users can view them in a web browser or in Microsoft®Excel®. Reports can be printed, or exported in various file formats, or you can schedule a batch of reports to be created at regular intervals. Based on the report parameters you define in the report, users can filter data, or change the parameters to view different data, for example, change the report currency, change the report dates, or filter by GL accounts. Commerce Connect Epicor Commerce Connect (ECC) is an e-commerce solution that enables Epicor ERP customers to develop unique websites quickly and manage them easily, providing the necessary tools to deliver a rich customer experience, throughout the typical order life cycle - from quote to fulfillment, and beyond. Fully integrated to your ERP system, Epicor Commerce Connect eliminates the need to maintain a separate product database and provides streamlined access to ordering, product or account information including customer specific pricing, inventory levels, marketing and customer service processes - all in real-time using ERP data that can be viewed online via Epicor Commerce Connect. ECC supports the Magento eCommerce platform and provides a scalable solution that is backed by an extensive support network and allows you to build a site to help fit your unique business needs. Enterprise Performance Management Epicor Enterprise Performance Management provides a complete set of tools and applications that let you plan, execute, and analyze at both strategic and tactical levels – aligning business activities with business goals. A business support system, Epicor EPM supports the complex analysis required to discover business trends. The information retrieved from this analysis is valuable in identifying trends and modeling data in the areas of planning, budgeting, forecasting, financial reporting, and data warehouse reporting. EPM solutions integrate monitoring and analysis with the planning and control (or audit) cycle of the enterprise to enable a cycle of continuous performance improvement. Epicor Financial Planner Epicor Financial Planner (EFP) provides functionality to automate the financial planning and budgeting process to keep your records accurate and up-to-date. It provides a complete system for financial budgeting and forecasting. Epicor Financial Planner allows Epicor ERP customers to improve automation and take control of the budgeting and planning process, allowing you to rest easier with more certainty in your projections.
Epicor 10.1.600
15
Epicor ERP 10.1 Application Architecture
Epicor ERP 10.1.600 Architecture Guide
Epicor Manifest Epicor Manifest is an automated shipping functionality that enables your company to streamline shipping processes and meet the expectations of your customers. Epicor Manifest is multi-carrier shipping software that integrates tightly with the Epicor ERP application and seamlessly processes domestic and international shipping transactions by communicating to various carriers, calculating freight amounts, and printing carrier labels. Mattec MES Epicor Mattec Manufacturing Execution System is a real-time production and process monitoring system which can be used as a powerful tool in manufacturing including rubber and plastics, metals and automotive industries. The solution offers a comprehensive set of MES capabilities for production scheduling, machine operation and maintenance, quality management, and real-time analytics to monitor machines and analyze machine-related data such as overall equipment effectiveness (OEE), run rates, scrap, yield and energy consumption. The system captures data directly from machines and operators, and delivers real-time production metrics and real-time operations analytics in an easy-to-digest visual manner. Real-time reconciliation of information between Epicor ERP and Mattec MES ensures data integrity for supporting accurate scheduling, planning, monitoring, resourcing and costing. Use Data Integration to manage production from a central location and seamlessly integrate data flow between Epicor ERP and Mattec MES. This integration allows you to reduce errors from manual data entry in both applications and get timely and accurate data to enable better manufacturing decisions. Epicor ERP production planning and job data are exported to Mattec MES for use when performing and monitoring shop floor activities. In Mattec MES, production data is monitored and recorded for use in process and quality control monitoring and analysis. Labor and production data recorded in Mattec MES will then flow back to Epicor ERP where the data can be used for costing, reporting and production analysis. Precise ARM Epicor Advanced Requistions Management (ARM) provides companies with an automated procurement system that empowers employees while ensuring that contracted buying agreements and spending limits are enforced. Precise Advanced Requisition Management (ARM) automates and streamlines the requisitioning process, utilizing a Web browser to integrate with and extend the Epicor Purchasing module. Multiple approval methods provide a flexible framework that can be configured to meet the requirements of any organization. ARM uses a catalogue of approved vendors and items, optionally including both stocked and non-inventory products and services, and utilizes a live on-line integration to your Epicor Financials and Distribution solution. Via a separately licensed module, ARM also facilitates inventory transfers between Epicor locations. Secure Data Manager Secure Data Manager (SDM) is a comprehensive standalone payment-handling solution that achieves single Payment Application Data Security Standard (PA-DSS) validation across multiple retail systems while also providing authorization and settlement functionality. With Epicor's Secure Data Manager, payment card information is securely stored in a central repository where PA-DSS requirements are consolidated and managed. By handling data from inception (i.e. card swipe) through storage, Epicor SDM maintains data privacy by providing neighboring applications with a token for reference rather than specific credit card details. Connected systems then pass this token into the datastream, and Epicor SDM utilizes the token's data to determine the credit card information needed for processing each transaction. Service Connect Epicor Service Connect (SC) is a workflow and application integration environment. You can use Service Connect to run a workflow within a single application or to run workflows that span multiple applications. Because it uses
16
Epicor 10.1.600
Epicor ERP 10.1.600 Architecture Guide
Epicor ERP 10.1 Application Architecture
documents as its primary interface and leverages a Service Oriented Architecture (SOA), Service Connect simplifies the data conversion process from one application to suit the needs of other applications. XL Connect XL Connect is a powerful tool that can be used to report on data currently stored in your accounting system. XL Connect is an add-in to Microsoft Excel™ and is accessed from within Excel. XL Connect is the data retrieval engine. When in Excel, you will use XL Connect Content Functions and Analysis Sets to build reports that will retrieve your accounting system data. XL Connect Content provides the integration specific elements that define for XL Connect the tables in your accounting system from which to retrieve your requested data. Once the data is retrieved into Excel, you can use all of Excel’s capabilities to create a report that meets your business needs: financial statements, budget reports, sales analysis, invoice analysis and dashboards.
3.4 Utilities and Resources Use this section to review the utilities and resources that are available and can be used with your Epicor ERP 10.1 application.
3.4.1 Performance and Diagnostic Tool You can use the Epicor Performance and Diagnostic Tool to analyze Epicor logs to measure performance from both the client and the server. The Epicor Performance and Diagnostic Tool summarizes information in the client and server trace logs. You can manipulate that information to provide meaningful metrics related to the installation efficiency and performance of your Epicor ERP application. Epicor Performance and Diagnostic Tool offers the following utilities: • Client Diagnostics - use it to analyze the performance of client installations. • Configuration Check - use it to check the configuration of the application server. This utility reveals the issues and potential issues you may have with the application server configuration. • Network Diagnostics - use it to verify the baseline network and server performance are running at optimal levels. • Server Diagnostics - use it to analyze the performance of server installations. The Epicor Performance and Diagnostic Tool is run from the Epicor Administration Console. For information on how to run the Epicor Performance and Diagnostic Tool, use the Performance Tuning Guide. The guide is available from various locations, including from within the Performance and Diagnostic Tool (webhelp format), the Epicor ERP 10 application online help (webhelp and PDF format), or the EPICweb Documentation > Technical Reference Guide site (PDF format).
Epicor 10.1.600
17
Epicor ERP 10.1 Application Architecture
Epicor ERP 10.1.600 Architecture Guide
Chapter 4: Multiple Application Servers If you have a multiple application server environment, use this section to review information specific to web farm and web garden configurations.
4.1 Web Farm / Web Garden Notification When multiple application servers are connected to the same database, each can internally notify all application servers in the web farm or web garden that a change occurred. The application servers in this web farm or web garden then refresh with the required changes. This feature is useful for web farm, web garden, or other multiple application server environments. For example, when the database changes or a BPM assembly is updated, the application server with the change sends out an internal notification. If this update is a database change, the application servers refresh their caches. If this update is a BPM assembly change, the application servers regenerate their BPM assemblies. You can set up these notifications by selecting the notification type that best reflects your network configuration. To do this, modify the web.config file for your environment. This file is located in your server installation. For example: C:\Epicor\Deployment\Server Set up the NotificationType to define how the application servers send notifications to the group. Available notification types are: • local - Select this option to indicate a single application server is in this web farm / web garden and no internal notifications are needed. Always select this option when only one application server is in the web farm / web garden, as it improves performance by reducing unnecessary notifications. • UDP - Indicates the notifications are delivered through a User Datagram Protocol (UDP) broadcast. This protocol exchanges messages between all computers in a local area network (LAN). This notification type does not work on a wide area network (WAN). If your application servers are on the same LAN and the required ports are open, a UDP broadcast can reach them. You should then select this option. For the NotificationUdpPort setting, be sure to enter a unique and unused port for each application server group. This requirement ensures the internal notifications are only sent within a specific application server group. • database - Select this option when you cannot use the UDP option and you are running more than one process or application server. Depending on how your network is configured, you may not be able to select UDP and so you instead must send notifications through the database. While this option is the most reliable, this setting increases the number of calls to the database and so reduces performance. If your environment supports UDP, you should use the UDP option instead. Note that the default type is database. Use these steps if you need to change the type to the one that best reflects your network configuration. 1.
Navigate to your Epicor ERP 10 application server web.config file. This file is located in your server installation, for example, \Epicor\Deployment\Server.
2.
Locate the NotificationType entry.
3.
Set the value to one of the options. If you set the notification type value to UDP, you also need to specify the NotificationUdpPort property which defines the unique port used by the application server group. Your file may look similar to the following: 4.
Save and close the web.config file.
4.2 Customization Storage For multiple appservers scenario, Epicor recommends to use a shared location to distribute active customizations and their dependencies between multiple environments. Customers hosting several Epicor ERP 10 endpoints, those running the Epicor ERP 10 web farm or web garden may set up the web.config as follows: • Customization storage provider (customizationStorage - provider attribute) configured to use SqlBlob. For Epicor ERP 10.1 and later, this option is set by default. • Storage of external assemblies (externalsStorage - provider attribute) configured as FileSystem, pointing (externalsStorage - settings attribute) to a single shared folder location for all Epicor ERP 10 instances in the web farm/web garden corresponding to a single Epicor ERP 10.1 installation. When setting up access rights to the folder, make sure that Application Pools of all participating web applications have at least read access. Example Use DFS or UNC (common) path - \\server\share\folder accessible to all appservers.
Epicor 10.1.600
19
Epicor ERP 10.1 Application Architecture
Epicor ERP 10.1.600 Architecture Guide
Chapter 5: Epicor ERP 10.1 Functionality Use this section to review the Epicor ERP 10.1 application functionality.
5.1 Review Epicor ERP 10.1 Feature Summary It is recommended that you become familiar with the features available in the Epicor ERP 10 release prior to installing the Epicor ERP 10.1 application. 1. Review the Epicor ERP 10.1 Feature Summary to learn about the features in the Epicor ERP 10.1 release. To access the Feature Summary, log onto the EPICWeb Documentation site and click the Feature Summaries link. You can use this link: https://epicweb.epicor.com/documentation/feature-summaries. Note that you can also view the Feature Summary using the Epicor online help system. 2. If desired, contact the Services group to learn more about upgrading or migration to Epicor ERP 10.1. Note To request assistance from Services, fill out the Services Request Form available on the EPICWeb Services site. You can use this link: https://epicweb.epicor.com/services/Pages/default.aspx.
20
Epicor 10.1.600
Epicor ERP 10.1.600 Architecture Guide
Technology Strategies
Part II: Technology Strategies Use this section to review the technology strategies required for using the ICE 3.0 framework technology with the Epicor ERP 10 application.
Chapter 6: Network Protocol Bindings The Windows Communication Foundation (WCF) hosts the services for your Epicor application. By working with the Epicor ICE Framework, the Windows Communication Foundation manages the service calls, or messages, that users initiate on clients. These messages are then transported to the server, where application code updates the database. Together both the Epicor ICE Framework and the WCF form a secure and efficient pipeline that sends the service call messages between the clients and servers across your network. You can use different WCF protocol bindings to facilitate this network communication. The Epicor application utilizes several binding options, so you need to select the protocol binding that best matches the transport of different functions. If you have an environment integrated with Service Connect, generate reports on a separate server, or require a similar processing need, you can set up multiple application servers to update the same database. Each application server can have a different protocol binding that best facilitates the configuration it needs to execute its function. Utilizing multiple application servers can also help you load balance the demand on your network. This section first describes the main aspects of network protocols to help you understand the differences between them. Then this section details each protocol binding option you can activate for the Epicor application. By reviewing this information, you will be better able to determine which protocol binding to select and implement.
6.1 Protocols The Epicor application supports NET.TCP, HTTP, and HTTPS protocols. NET.TCP NET.TCP is designed to facilitate communication between servers that reside in the same data center. For example, the Epicor task agent schedules tasks within its application server and so the NET.TCP protocol bindings can handle this network communication. However this protocol does not work as well over the internet. Because the NET.TCP protocol needs to keep communication constantly open between the clients and servers, firewalls and routers can disrupt the transport pipeline. These bindings are faster than the available HTTP binding, but you can only use them for WCF to WCF communication. HTTP The Epicor application uses Hypertext Transfer Protocol (HTTP) to support data communication through the Simple Object Access Protocol 1.2 (SOAP). Through SOAP the data message is encrypted, but the transport process for this data is not encrypted. To do this, HTTP uses the WSHttpBinding. This binding is similar to the BasicHttpBinding, but it provides message security, transaction, consistent messages, and WS Addresses. Epicor supports the HttpBinaryUsernameSslChannel binding option. This binding encrypts the body of the message. It does not use Hypertext Transfer Protocol Secure (HTTPS), so it tends to be slower than bindings which use HTTPS.
Epicor 10.1.600
21
Technology Strategies
Epicor ERP 10.1.600 Architecture Guide
HTTPS The Hypertext Transfer Protocol Secure (HTTPS) bindings are designed to facilitate communication between clients across Wide Area Networks (WANs) and the internet. These protocols can also handle communication within Local Area Networks (LANs), but a purchased or self-signing certificate is required to maintain the integrity of the system. If you need to set up an application server that communicates with components over the internet, you should select one of the HTTPS protocol bindings.
6.2 Standard HTTP Binding Types The following HTTP binding types are pre-defined in Windows Communication Foundation (WCF). These binding types are only used with the HTTP and HTTPS protocols. basicHttpBinding This binding exposes endpoints that communicate through ASMX based Web services and other services that conform to the WS-I Basic Profile 1.1. The transport of messages is secured through HTTPS. wshttpBinding This binding uses WS-Reliable Messaging for reliability and WS-Security for message security and authentication. Message transport is handled by HTTP and is not encrypted, but the messages themselves are encoded using Text/XML. webHttpBinding Instead of using SOAP requests, the webHttpBinding exposes the communication endpoints through HTTP requests. These endpoints are used for REST integration within the Epicor application. The transport of messages is secured through HTTPS.
6.3 Transport Encryption Methods When the protocol binding encrypts the network transport process, it uses the following methods: • Windows - If the client and server use the same Windows Domain, WCF can leverage the domain to secure the network transport. Either the client and the server must be on the same Windows Domain, or the client and server domains need to have a trust relationship between different domains. • Secure Sockets Layer (SSL) - If the client and the server are on separate, untrusted Windows Domains or do not reside on any domain, the Secure Sockets Layer (SSL) is used to encrypt the network transport. The client and server machines must trust the authority that issues the certificate. You typically do this by obtaining a certificate from Verisign or a similar Microsoft approved authority. Your IT organization can also issue and manage internal certificates.
6.4 Serialization When a user enters data on a form and sends it across the network to the server, this data is transformed from the object behind the form into a variety of formats that allow data to be sent across networks. These formats include binary, JSON, and XML. The Epicor application can do this transformation, or serialization, through the following methods. • Custom Binary -- The Epicor application can utilize a custom binary serialization optimized for performance. This serialization is used when the Epicor application code runs on both the client and the server. The data format is designed for effective network performance. However Custom Binary serialization is difficult to
22
Epicor 10.1.600
Epicor ERP 10.1.600 Architecture Guide
Technology Strategies
integrate with other applications. You cannot use custom binary serialization if your client runs on a non-Windows platform such as Linux or another operating system. • Interoperability -- When the client does not use .NET or Epicor code, the Epicor application uses the .NET Data Contract Serializer. Both the SOAP 1.1 and 1.2 can then be available to transport the XML data over the network. The REST endpoints also support both XML and JSON.
6.5 Compression The network protocols available in the Epicor application all support data compression.
6.6 User Authentication You can secure user identities through either Windows domain credentials or Epicor user account credentials. If you use Windows credentials, the transport encryption type used by the protocol binding affects how user identities are secured within the Windows domain.
6.7 Protocol Selection The following table summarizes the main differences between each protocol. Latency
Wire Cloud Interop Load Efficiency Reliability Balancing
Best
Very Good
Good
None
Requires Windows, SSL Hardware and Server Affinity
Default for on-premise servers
Very Good
Very Good
None
Easiest to Configure
SSL
Best for cloud or VPM infrastructures
HTTP/SOAP Acceptable Very 1.2 Good
Very Good
Good
Easiest to Configure
WS-SecureConversation Best for WS* Configurations
HTTPS/SOAP Good 1.1
Good
Good
Easiest to Configure
SSL
NET.TCP
HTTPS/Binary Very Good
Good
Privacy
Comment
Needed for non-WS* clients like Ruby and Python
6.8 Binding Options The Windows Communication Foundation (WCF) has several protocol binding options. Most of the WCF binding options available for your Epicor application are custom bindings optimized for specific environments. This section documents each protocol binding available within the Epicor application.
6.8.1 UsernameWindowsChannel This NET.TCP binding authenticates transactions through an Epicor Username and Password. Windows checks for existing Epicor user accounts to authenticate logins.
Epicor 10.1.600
23
Technology Strategies
Epicor ERP 10.1.600 Architecture Guide
The following diagram illustrates how this binding handles network transactions.
Protocol binding features: • Epicor user account (User ID/Password) token required for authentication. • The protocol is an Epicor Custom Binary Serialization. • The serialized data is compressed through a custom routine developed by Epicor. • Window encrypts the transport between the client and the server.
6.8.2 Windows This NET.TCP binding authenticates transactions using a Windows Username and Password. Any user with a Windows Username and Password within this domain can successfully log into the Epicor application. The following diagram illustrates how this binding handles network transactions.
24
Epicor 10.1.600
Epicor ERP 10.1.600 Architecture Guide
Technology Strategies
Protocol binding features: • Client Windows Domain credentials is required for authentication. • The protocol is an Epicor Custom Binary Serialization. • The serialized data is compressed through a custom routine developed by Epicor. • Window encrypts the transport between the client and the server.
6.8.3 UsernameSSLChannel This NET.TCP binding authenticates transactions using a Secure Sockets Layer (SSL) X509 certificate. Leverage this method for application servers that handle smart client installations when users reside in different domains. By using an SSL certificate, users from these different domains can log into the Epicor application. The following diagram illustrates how this binding handles network transactions.
Protocol binding features: • Epicor user account (User ID/Password) token required for authentication. • The protocol is an Epicor Custom Binary Serialization. • The Secure Socket Layer encrypts the transport between the client and the server.
6.8.4 HttpBinaryUsernameSslChannel This HTTP binding protocol authenticates using a Secure Sockets Layer (SSL) X509 certificate. The data transfers between the client and server using Hypertext Transfer Protocol (HTTP). Instead of the transport, the message which contains the data transfer is encrypted. Because this binding does not use Hypertext Transfer Protocol Secure (HTTPS), it tends to be slower than bindings which use HTTPS. Use this method for application servers that handle smart client installations when users reside in different domains. By using an SSL certificate, users from these different domains can log into the Epicor ERP application.
Epicor 10.1.600
25
Technology Strategies
Epicor ERP 10.1.600 Architecture Guide
The following diagram illustrates how this binding handles network transactions.
Protocol binding features: • An HTTP based protocol. • Epicor user account (User ID/Password) token required for authentication. • The protocol is an Epicor Custom Binary Serialization. • The protocol uses .NET v4.5 compression. • The message body is encrypted; message headers are not encrypted; the transport is not encrypted.
6.8.5 HttpsBinaryUsernameChannel This HTTPS binding authenticates transactions using an Epicor Username and Password. The data transfers between the client and server using Hypertext Transfer Protocol Secure (HTTPS). HTTPS encrypts the data transfer.
26
Epicor 10.1.600
Epicor ERP 10.1.600 Architecture Guide
Technology Strategies
The following diagram illustrates how this binding handles network transactions.
Protocol binding features: • Epicor user account (User ID/Password) token required for authentication. • The protocol is an Epicor Custom Binary Serialization. • The protocol uses .NET v4.5 compression. • HTTPS encrypts the transport between the client and the server.
6.8.6 HttpsBinaryWindowsChannel This HTTPS binding authenticates transactions using a Windows Username and Password. The data transfers between the client and server using Hypertext Transfer Protocol Secure (HTTPS). You can select this method for application servers that handle smart client installations and Epicor Web Access (EWA) installations where users access the application through the same domain. Any user with a Windows Username and Password within this domain can successfully log into the Epicor application.
Epicor 10.1.600
27
Technology Strategies
Epicor ERP 10.1.600 Architecture Guide
The following diagram illustrates how this binding handles network transactions.
Protocol binding features: • Client Windows Domain credentials required for authentication. • The protocol is an Epicor Custom Binary Serialization. • The protocol uses .NET v4.5 compression. • Windows encrypts the transport between the client and server. • The client-server communications is based on HTTP.
6.8.7 HttpsOffloadBinaryUserNameChannel This HTTPS protocol binding is a configuration that offloads encryption handling to an intermediary Application Request Router such as an F5. The binding authenticates using an Epicor Username and Password token. The data transfers between the client and server using Hypertext Transfer Protocol Secure (HTTPS). This protocol is configured to move encryption handling to an intermediary Application Request Router like F5 or a similar router.
28
Epicor 10.1.600
Epicor ERP 10.1.600 Architecture Guide
Technology Strategies
The following diagram illustrates how this binding handles network transactions.
Protocol binding features: • Epicor user account (User ID/Password) token required for authentication. • The protocol is an Epicor Custom Binary Serialization. • The transport is encrypted between the client and Application Request Router (or F5) Server. • The data traffic between the ARR server and the Epicor application server is not encrypted.
Epicor 10.1.600
29
Technology Strategies
Epicor ERP 10.1.600 Architecture Guide
Chapter 7: Authentication Options Use this section to review the authentication options available with the Epicor ERP 10.1 application.
7.1 User Identity Methods In this section, review the identity methods used to authenticate a user account. These methods have both advantages and disadvantages, so select the method that works the best for your organization. You define your user identity method when you implement single sign on. For more information on single sign on, refer to the Epicor ERP Installation Guide in the Appendices > Implement Single Sign On section. Controlling access to the application is one of the primary ways you can secure the Epicor ERP application. When you authenticate the identity of users attempting to login, or call, the application, you help prevent malicious access. • Windows Account. Use this method to authenticate user identity through Windows accounts. These accounts are secured by the Windows operating system, making it much more difficult for these accounts to be externally compromised. This method controls access at the operating system level, so you can define your password policy and account lockout policy through the Group Security Policy program. This method is easier to administrate, as you control access at the operating system level. The disadvantage to this method is that if malicious users do compromise your Windows environment, they gain access to all applications on your system. • Epicor Account. If you use this method, you authenticate user identity through your internal Epicor accounts. You then control access at the application level, using both the Password Policy Maintenance and Account Lockout Policy programs to define the complexity of passwords and the number of failed logon attempts you allow. Like Windows accounts, your Epicor accounts are encrypted. By securing at the application level, you make it harder for malicious users to specifically access Epicor ERP. However the disadvantage to this method is users will need to manage separate passwords for each application in your environment, making it harder for you to administrate security. For more information on user identity methods, refer to Epicor ERP System Administration Guide.
30
Epicor 10.1.600
Epicor ERP 10.1.600 Architecture Guide
Technology Strategies
Chapter 8: Security Requirements Use this section to review the security requirements when using the Epicor ERP 10.1 application.
8.1 Licensing In the Epicor ERP 10 application, you use the Licensing node to manage licensing for your product licenses for an application server. Using the licensing node, you can import or delete licenses and view the license properties. Properties include information such as the installation name, expiration date, and data on companies, license modules, and country specific functionality included in the installation.
8.2 User Account Options Review the types of user accounts that must be created in your Epicor ERP 10 application. • SQL Server User. You set up an SQL Server User so that you have a login account to access the Epicor ERP 10 database. • IIS Application Pool. You can choose to use the default application pool provided by IIS on install, or you can create your own application pool. An IIS worker process is a windows process (w3wp.exe) which runs Web applications, and is responsible for handling requests sent to a Web Server for a specific application pool. Application Pool is a way to create sections or compartments in a web server. It allows you to isolate applications running on the same server, thus a crash on a single application/website does not bring down the entire server. • Epicor application. Application users are managed under the application server Users node in the Epicor Administration Console.
8.3 Server Protection Review this section for information on how to set up such server protection features as ports to use for connection on the servers and anti-viral scan configuration. You should use the following ports for connection on the servers associated with the Epicor ERP 10 application: Client and Epicor IIS Servers
Epicor IIS Server
SQL Server
• 808 (net.tcp)
• 80 (default IIS/Report Server)
• 80 (IIS/Default Report Server)
Epicor 10.1.600
31
Technology Strategies
Epicor ERP 10.1.600 Architecture Guide
Client and Epicor IIS Servers
Epicor IIS Server
SQL Server
• 443 (ssl)
• 9010 (task agent service)
• 1433 (SQL)
• 8172 (we check this port during the creation of appservers; aka: webdeploy port) • 8098/9098 (Enterprise Search) When you configure anti-viral software, Epicor recommends to exclude the following folders from real time scans: Epicor Client Server
Epicor IIS Server
SQL Server
• The root IIS folder (by default, c:\inetpub)
• All folders that contain the SQL db files (ldfs/mdfs)
• The ERP10\client folder
• The root ERP10 folder (by default, c:\epicor\erp10)
• Client cache (by default, c:\programdata\Epicor)
8.4 Securing Database Access Securing database access from the application server is an important aspect to consider when installing the Epicor ERP application. Several methods are available to secure access to each database: Use the Windows Domain Account and Encrypting the Web.config File. Use the Windows Domain Account The Windows Domain account can be used to run the application server. It is recommended that you do not use the same account across multiple databases. Each database should have an unique account. For example, use MyDomain\E10ServiceAccount. To use this account, do the following: • In SQL Server, grant access to the Windows User. • In the web.config file, use Trusted Windows Connection for the database setting. • In IIS Manager, under Advanced Settings, assign the app pool to the Windows User. Encrypt the Web.config File The application server web.config file includes important SQL Authentication credentials, such as the SQL user name and password. To help secure the integrity of the credentials, it is recommended that you encrypt the web.config file. Several methods exist for encrypting the web.config file, including: • DataProtectionConfigurationProvider • RSAProtectedConfigurationProvider To learn more about encrypting configuration files, use the following Microsoft Developer Network links: • "Walkthrough" Encrypting Configuration Information Using Protected Configuration". Click this link to review a step-by-step example on encrypting parts of a configuration file: ttps://msdn.microsoft.com/en-us/library/d tkwfdky(v=vs.100).aspx. • "ASP.NET IIS Registration Tool". Click this link to review instructions on how to use the ASP.NET IIS Registration Tool (aspnet_regiis.exe). Link: https://msdn.microsoft.com/en-us/library/vstudio/k6h9cz8h(v=vs.100).aspx. You can use these configuration options: • -pe option can be to encrypt a specified configuration section and can be used with modifiers. • -pef option encrypts the specified configuration section of the Web.config file in the specified physical directory.
32
Epicor 10.1.600
Epicor ERP 10.1.600 Architecture Guide
Technology Strategies
Chapter 9: SSL: Review Digital Certificates for Epicor ERP 10.1 Use this section to review requirements for using digital certificates with Epicor ERP 10.1. Digital certificates play a key role in securing the communications between callers and services in the Epicor ERP 10.1 application and Epicor ICE 3.1 framework. When the Epicor ERP 10.1 application is installed, the web services (SOAP) and REST services can be hosted automatically by the Epicor 10 web sites. The SOAP-based web services can be used for integrations from either non-.NET callers or from callers that do not have Epicor binaries available. REST services are used with Epicor Web Access (EWA). Both of these protocols require encryption using digital certificates. You can set up your machine to use the sample X509 certificates available with Epicor ERP 10.1. These certificates do not expire until 2039 and are meant to be used during your Epicor ERP 10.1 implementation. You can also replace these sample certificates with certificates that you create on from your own trusted servers or delivered from a Third Party company such as VeriSign.
9.1 Overview of Digital Certificates A digital certificate is basically a pair of keys - one public and one private. The public key can only decrypt data which was encrypted using the private key and vice-versa. By keeping the private key truly private, client applications using the public key are assured they are communicating with a known service. The digital certificates are used to verify that the service is really who or what you believe it is. A digital certificate is signed using (usually) the public key of another digital certificate, the private key being held by a trusted party. These signatures form a "trust chain". At the top of the trust chain is a "root" certificate, which used its private key to basically sign itself. For commercial web sites, the trust chain follows one of a small number of primary certificate authorities. The images below show the trust chain for a bank's website. You can see this chain by clicking the padlock icon displayed in most browsers when on any secure website. The browser not only shows you the trust chain, but it verifies the integrity of every certificate in the chain. It checks that none of the certificates in the chain has expired or has been revoked, meaning the private key was stolen or made public which makes the certificate basically invalid. Digital certificates also have a regular, readable name, technically called a "Subject". For web sites, the subject name of the certificate securing the web site also must match the domain name of the web site. Finally - and crucially - browsers and web client stacks will decline connections to web sites secured by a self-signed certificate. The assumption is that without a separate issuer, no digital certificate can be fully trusted.
Epicor 10.1.600
33
Technology Strategies
Epicor ERP 10.1.600 Architecture Guide
Chapter 10: Timeout Settings The Epicor ERP application uses a series of default timeout settings to prevent frozen transactions from locking your system. If you typically process a large volume of data, you must increase these timeout settings to prevent the Epicor ERP application from prematurely stopping transactions before they complete. These timeout settings are organized through a parent-child hierarchy. Depending on your performance and testing needs, you adjust the timeout settings at different levels in this hierarchy. Current hierarchy levels are: • machine.config file - This high level configuration file contains the overall settings used by all applications on the server. This file contains the default timeout values. If no override timeout values exist lower in the hierarchy, the values in this file determine when a transaction times out. • web.config file - This configuration settings file defines the settings used by the application server that runs the Epicor ERP application. You typically adjust the timeout settings in this file, as they only affect transactions run by the Epicor ERP application. In addition to this hierarchy, you can also adjust timeout values in the rsreportserver.config file, the .sysconfig file, the Task Agent Configuration program, and on the SSRS Site. These settings define timeout durations for transactions not monitored by the machine.config and web.config files.
10.1 Machine.Config Settings The machine.config file is the main configuration settings file on your server. It contains the maximum timeout values allowed for all server transactions. Any transaction settings entered in the web.config file and any transaction scope overloads must have an equal or shorter duration than the duration defined in the machine.config file. The maximum duration typically defined on the machine.config file is ten minutes. However to accommodate larger transactions, you can modify this file to allow longer timeout durations. When you do this, you also need to update the web.config settings to handle longer timeout durations. Note these child timeout durations can be equal to or shorter than the default timeout value defined in the machine.config file. Be aware that any change to the machine.config file changes the timeout duration for all applications that run on this server. Increasing the timeout duration on the machine.config file could cause issues for other applications. Be sure to thoroughly assess the consequences before you increase the duration limit on the machine.config file. It may not be practical to raise this timeout limit. However when you receive the following errors, you should increase the timeout values in this file: • The transaction associated with the current connection has completed but has not been disposed. The transaction must be disposed before the connection can be used to execute SQL statements. • Cannot access a disposed object. Transaction. • TransactionScope nested incorrectly. Some part transactions and serial number processing may require a five hour timeout duration. Because this exceeds the standard ten minute duration, you can adjust the machine.config file to handle these five hour transactions. This feature helps you determine the cause of timeout issues for these users. Remember that even though the machine.config file can be set to a longer timeout duration, the Epicor ERP framework first uses the lower timeout durations defined in the web.config or transaction scope values. If you wish to test a system using the five hour duration, you need to adjust the web.config or transaction scope values to handle the longer time limit as well.
34
Epicor 10.1.600
Epicor ERP 10.1.600 Architecture Guide
Technology Strategies
10.2 Additional Timeout Options Use this section to set up additional timeout options.
10.2.1 SSRS Site Timeout If you regularly run large reports, set up SQL Server Reporting Services (SSRS) to either use a longer report timeout duration or indicate SSRS should never timeout reports. To do this, modify options within the Site Settings page on your report server. 1. On your server, run the Reporting Services Configuration Manager. To do this, click Start > All Programs > Microsoft SQL Server 2012 > Configuration Tools > Reporting Services Configuration Manager. 2. In the Reporting Services Configuration Connection window, enter the Server Name and a Report Server Instance for the server that handles SSRS reporting for your system. Click Connect. 3. In the left pane, click the Report Manager URL icon. The Report Manager URL screen displays. 4. Click the URLs hyperlink to display SQL Server Reporting Services in your internet browser. 5. A login window displays. Enter a Windows user account that has permissions to view the SSRS site. Click OK. 6. On the Home page for SQL Server Reporting Services, in the upper right corner, click the Site Settings hyperlink. 7. On the Site Settings page, locate the Report Timeout radio button options. Select one of the following options: a. Select the Do not timeout report option to prevent SSRS from stopping reports from generating. b. Select the Limit report processing to the following number of seconds option to increase how long SSRS can run while it generates reports. Then enter how many more seconds each report can run before it timeouts. 8. Click Apply.
Epicor 10.1.600
35
Technology Strategies
36
Epicor ERP 10.1.600 Architecture Guide
Epicor 10.1.600
Additional information is available at the Education and Documentation areas of the EPICweb Customer Portal. To access this site, you need a Site ID and an EPICweb account. To create an account, go to http://support.epicor.com.
View more...
Comments