Lesson 7: Digital Certificates
Part 3: System Security
Acumatica ERP uses digital certificates to encrypt sensitive information stored in the database and to authenticate documents (PDF files) that are shared or sent electronically. These certificates can be purchased from a recognized certification authority. Each certificate has a password that is used to validate the owner of the certificate if you need to reinstall the system or move the database. In this lesson, you will learn how to manage encryption certificates and encrypt the database of your Acumatica ERP instance, as well as how to enable PDF signing in Acumatica ERP.
Lesson Objectives
You will do the following:
- Learn how to import a digital certificate
- Learn how to encrypt an Acumatica ERP database
- Learn how to use encryption certificates to sign PDF files generated in the system
Step 7.1: Importing Certificates
Acumatica ERP uses digital certificates to encrypt sensitive information stored in the database and to authenticate documents (PDF files) that are shared or sent electronically. These certificates can be purchased from a recognized certification authority. Each certificate has a password that is used to validate the owner of the certificate if you need to reinstall the system or move the database. When you want to use a digital certificate in Acumatica ERP, you have to do the following:
- You import your certificate on the Encryption Certificates (SM200530) form.
- You apply the uploaded certificate to one of the following processes:
  - Encrypting the database: You can replace the encryption algorithm used in Acumatica ERP to encrypt sensitive data by using your encryption certificate.
  - Signing PDF documents: You can use the imported encryption certificate for signing PDF files generated in Acumatica ERP. You can specify a default certificate (which will be used for all PDF documents generated in Acumatica ERP), or you can select an imported certificate as a personal certificate (which overrides the default one).
This step describes how you can import a certificate. You do not have to perform these instructions to pass the training.
To use a certificate of either type in Acumatica ERP, you would perform the following instructions:
- Navigate to the File Upload Preferences (SM202550; Configuration > Document Management > Configure).
- Verify that .pfx is on the list of allowed extensions, as shown in the following screenshot.
Digital certificates used by Acumatica ERP have the .pfx extension. Before you can import digital certificates into the system, you have to make sure that files with this extension can be uploaded.
Figure: File Upload Preferences
- Navigate to the Encryption Certificates (SM200530; Configuration > User Security > Configure).
- On the table toolbar, click Add Row.
- In the Name box, type the certificate name that will be used in the system.
- In the Password box, type the password for the certificate and save the changes. After you save your changes, the password will be hidden.
- Click the paper clip icon in the Files column of the row with the certificate, shown in the following screenshot, and click Add File.
Figure: Paper clip icon on the Encryption Certificates form
- In the Files dialog box that opens, click Browse and select the file with the certificate you want to upload.
- Click Upload to import the certificate.
Although you can upload multiple files in this dialog box, only the latest uploaded file will be used by the system. We recommend that you delete unnecessary files from the system.
- Close the Files dialog box.
The selected certificate has been imported, as shown in the following screenshot. Now it can be used for encrypting the database and for signing PDF documents. You can also import more certificates if you need.
Figure: Imported certificate
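Before you type the password and upload the file, it helps to confirm that the .pfx opens with that password, that it contains a private key (signing cannot work with a certificate alone), and that the certificate is not about to expire. The following shell function is an added example, not part of the Acumatica training material; it assumes OpenSSL is installed on the administrator's workstation, and check_pfx, make_sample_pfx and the sample password are hypothetical names and values constructed for illustration.

```shell
#!/bin/sh
# check_pfx FILE PASSWORD [MIN_DAYS]
#   0 = usable, 2 = wrong password or unreadable file,
#   3 = no private key inside, 4 = certificate expires within MIN_DAYS.
check_pfx() {
    pfx=$1; pass=$2; min_days=${3:-30}
    # 1. The password must open the container (MAC check). It is passed via
    #    the environment rather than argv to keep it out of the process list.
    PFX_PASS="$pass" openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -noout \
        >/dev/null 2>&1 || return 2
    # 2. The file must hold the private key, not only the certificate.
    #    The key is piped straight to grep and never written to disk.
    PFX_PASS="$pass" openssl pkcs12 -in "$pfx" -passin env:PFX_PASS \
        -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY' || return 3
    # 3. The end-entity certificate must stay valid for at least min_days.
    PFX_PASS="$pass" openssl pkcs12 -in "$pfx" -passin env:PFX_PASS \
        -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 ||
        return 4
    return 0
}

# Constructed sample input: a self-signed certificate valid for DAYS days,
# packed into a password-protected .pfx. Not a real certificate.
make_sample_pfx() {
    out=$1; pass=$2; days=$3
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/k.pem" \
        -out "$tmp/c.pem" -days "$days" -subj "/CN=constructed-sample" 2>/dev/null
    PFX_PASS="$pass" openssl pkcs12 -export -inkey "$tmp/k.pem" \
        -in "$tmp/c.pem" -out "$out" -passout env:PFX_PASS
    rm -rf "$tmp"
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
make_sample_pfx "$demo_dir/sample.pfx" 'Constructed-Pass-1' 365
check_pfx "$demo_dir/sample.pfx" 'Constructed-Pass-1' &&
    echo "sample.pfx: password, private key and validity OK"
rm -rf "$demo_dir"
```

A non-zero return tells you which of the three checks failed, so a wrong password or a certificate-only export is caught before the file reaches the Encryption Certificates form.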
Step 7.2: Encrypting the Database
The Acumatica ERP database stores sensitive data, such as credit card numbers, in encrypted form. On the Certificate Replacement (SM200535) form, you can find the current list of encrypted data and the certificates used. If the Current Certificate box is blank, the default encryption algorithm is being used.
Figure: Certificate Replacement form
You can replace the encryption algorithm used in Acumatica ERP with your encryption certificate. If the database of your Acumatica ERP instance is large, encryption may take a lot of time and may cause slowdowns in responses from the database. For large databases, we recommend that you postpone the start of encryption by scheduling it at a time when nobody uses the system (for example, at night).
This step describes how you can encrypt a database. You do not have to perform these instructions to pass the training.
To encrypt the Acumatica ERP database with your digital certificate, you would perform the following instructions:
- Navigate to the Certificate Replacement form (SM200535; Configuration > User Security > Process).
- In the Selection area, in the New Certificate box, select the certificate whose key will be used for encrypting the database. You can select from only the certificates that you have imported into the system.
- On the form toolbar, click Replace Certificate, as shown in the following screenshot.
Figure: Replacing certificate
This initiates the process of decrypting the data with the previous encryption algorithm and encrypting it by using the new key.
Step 7.3: Signing PDF
You can also use encryption certificates to sign PDF files generated in the system. A PDF certificate protects the authenticity of a document throughout its life cycle. For example, when a company employee emails the company’s digitally signed quarterly financial statements, the recipients of the documents can be sure of the identity of the sender and the integrity of the financial information. There are two options:
- You can specify a default certificate that will be used for signing all the PDF documents generated by the system. The default certificate for signing PDF files is used unless users specify their personal certificates.
- You (or any other user responsible for preparing and generating documents) can select another certificate to be used as a personal certificate on the User Profile (SM203010) form.
This step describes how you specify a default certificate. You do not have to perform these instructions to pass the training.
To specify a default certificate that will be used for signing all the PDF documents generated by the system, you would perform the following instructions:
- Navigate to the Security Preferences (SM201060; Configuration > User Security > Configure).
- In the PDF Signing Certificate box, select the certificate you want to use as default for signing PDF.
You can select from only the certificates that you have imported into the system.
Figure: Selecting PDF signing certificate
- On the form toolbar, click Save.
Lesson Summary
In this lesson, you learned how to manage data encryption in Acumatica ERP.
Review Questions:
- How is data in Acumatica ERP protected?
- What types of certificates are used in Acumatica ERP to protect data?
- How would you ensure that user passwords are encrypted in the database table using certificates?
- How would you enable PDF signing in Acumatica ERP?
- How would you apply a certificate to protect sensitive information stored in the database?