We are preparing a new server in order to install Kinetic. I’m told that Kinetic requires an SSL and a “.com” domain (instead of a “.local”) if we’re planning to use REST and Enterprise Search. I’m curious as to a couple of things for those that use this:
Is it possible to have a .com network domain just for Epicor that is referenced from a .local domain (on which the clients reside)?
Has anyone else had to accommodate this, and what implications did you have to work through?
(Note: there are technically ways to generate your own certs and get around the issues I’m describing below. However, what I’m describing is best practice and what you SHOULD be doing unless you have a really good excuse.)
You don’t need a “.com” specifically. You just need a “real” domain. One that is registered and can only be used by you.
The “.local” stuff is essentially a fake domain that you can use internally within your organization. Anyone can make one up and use whatever name they want. Everyone in the world can be “Amazon.local” if they really want. There’s no registration organization for them. They’re not unique. And you can’t expose them to the internet. Likewise, you can’t get an SSL certificate for a .local domain because it doesn’t actually belong to you.
They made a lot of sense when most businesses weren’t hosting lots of stuff, ERP systems were very rarely public facing, and domains were more expensive. People didn’t want to have to buy domains for internal stuff, so we created a workaround.
But these days, everything is public facing, relatively speaking. Even if your resources aren’t actually used by the general public, they’re on the internet so your employees can reach them via their phones, you can do integrations, and myriad other reasons.
To answer your question: Yes. Technically speaking, you can stand up a new domain just for Epicor. But you don’t want to do this.
What you want to do is bite the bullet and move your infrastructure to a proper domain. It’s not trivial, but it’s probably easier than you expect. As time goes on and security keeps becoming a larger and larger concern, you’ll continue to encounter new issues that push you in this direction.
For my two cents, the time for internal domains is long past. They’re an artifact of the days when there was a bright line between internal and external resources. Production infrastructure should always be running on a proper, registered domain with an SSL cert.
Kinetic 2021, yes you can do this (we are doing this).
Kinetic 2022, no you cannot do this. This is the exact and only reason we are not on 2022.
Others here have said they solved this (@EarlGrei) and while they are WAYYYYYY smarter than me on this, my boss and I have not been able to apply the recommendations.
Also, it is Epicor Support’s official stance that this is currently impossible. See PRB0250701 on EpicCare and please harass them about this.
There are a lot of other ways to integrate without exposing your ERP to the internet. A wrapper API, for example, or a VPN on all devices.
Kinetic now forces the use of HTTPS with a trusted certificate. In our testing case, and given our internal-only network, we use a self-signed. However, we have been set up as .com for way longer than my tenure, so I cannot speak to a .local or trusted wildcard.
If you own your network, deploy a self-signed cert to each domain computer via policy.
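The "self-signed cert pushed out by policy" approach the last two replies describe, as an added example that is not code from any poster in this thread. It assumes a Windows Server with the built-in PKI PowerShell module (New-SelfSignedCertificate, Export-Certificate, Import-Certificate, Test-Certificate), run from an elevated prompt on the Kinetic app server; the name kinetic.example.com and the C:\pki folder are placeholders. Instead of pushing the server's own self-signed certificate into every client's Trusted Root store, it creates a small private root, issues the server certificate from that root, and exports only the root's public half for distribution, so the server certificate can be renewed later without touching Group Policy:

```powershell
# Added example, not code from the original thread. Assumes Windows Server with the
# PKI module (New-SelfSignedCertificate, Export-Certificate, Import-Certificate,
# Test-Certificate), run from an elevated PowerShell on the Kinetic app server.
# 'kinetic.example.com' and C:\pki are placeholders; substitute your own.

$serverFqdn = 'kinetic.example.com'
$outDir     = 'C:\pki'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Private root CA: self-signed, CA=true, path length 0 so it can only sign
#    end-entity certificates. Its private key stays in this store and is not exportable.
$root = New-SelfSignedCertificate `
    -Subject 'CN=Example Internal Root CA' `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy NonExportable `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0') `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Server certificate signed by that root. -DnsName puts the FQDN in the SAN
#    (browsers ignore the CN), and the EKU is restricted to serverAuth.
$server = New-SelfSignedCertificate `
    -DnsName $serverFqdn `
    -Signer $root `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Export only the root's public certificate (DER, no private key). This file is
#    what Group Policy distributes to Trusted Root Certification Authorities.
$rootCer = Export-Certificate -Cert $root -FilePath (Join-Path $outDir 'example-internal-root.cer')

# The app server must trust its own root too, or IIS cannot build the chain.
Import-Certificate -FilePath $rootCer.FullName -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. Validate the chain the way a client will: SSL policy, hostname match,
#    no allowance for an untrusted root. Test-Certificate returns $true/$false.
$ok = Test-Certificate -Cert $server -Policy SSL -DNSName $serverFqdn
if (-not $ok) { throw "Chain or name check failed for $serverFqdn" }

"Root thumbprint:   $($root.Thumbprint)"
"Server thumbprint: $($server.Thumbprint)   (bind this one to the HTTPS site in IIS)"
"Distribute:        $($rootCer.FullName)"
```

Import the exported .cer through Group Policy under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities, and bind the server thumbprint to the HTTPS site in IIS. Two caveats a practitioner should keep in mind: the DNS name clients actually type must match a SAN entry exactly, and a root pushed by GPO only reaches domain-joined Windows machines, so phones and other non-domain devices will still reject the certificate unless you install the root on them by some other means, which is the point the earlier reply about "everything is public facing" is making.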