CS 2007 – Secure by Default

In case you thought that was all talk, take a look at the Customer and Orders Manager UI in the latest release candidate of Commerce Server 2007. If you are moving from Beta, and are perplexed as to why you suddenly cannot open this UI anymore it is because we now require that the UI connect over SSL by default. Those two last words are the important ones – since the default is what gets used in most cases. Is it a bit more painful? Yes. Is it more secure? Yes. It was important to go over SSL by default for the Customer and Orders manager because of the transfer of more sensitive data such as user passwords and payment information etc. Even though it will typically be in an intranet environment, you would be better off with all the data going over SSL.


So how do you get it to work if you really are not interested in setting up SSL in your intranet? Well, there are a couple of options if you just want to try this on your developer workstation or if you want to roll out the UI without the SSL requirement:


- Use SelfSSL on your developer box. It is as simple as installing the IIS 6.0 Resource Toolkit and running selfSSL.exe. After an IISReset your UI should be all set.


- You can also disable the SSL check permanently by setting the following flag to True in "%Commerce_Server_Root%\Business User Applications\CustomerAndOrdersManager.exe.config", which allows the UI to connect over HTTP (instead of only over HTTPS):


        <setting name="AllowHTTP" serializeAs="String">
            <value>False</value>
        </setting>


The world’s a safer place (with that value set to True)!

Comments (19)
  1. Chad says:

    Hi Nihit,

    I have no problem accessing it from Order Manager, however, when I tried to save Credit Card info in Starter Site, it threw exception.

    I tried to migrate from Beta to RC.

    In the source code for starter side, it happened at EditPayment.aspx.cs where there is a comment above the line of code that threw the error, saying ‘ if it throws exception, it is likely encryption is not configured’.

    I don’t know how to fix the problem, but I have certainly installed the certificate through SelfSSL to enable encryption..  I’m thinking the problem is caused by accessing the Profile Web Service not through https, but using http.. However, I don’t know where to set it in Starter Site

    Can you give me a pointer on this ?

  2. You need to set the <encryption> section in the <profiles> section of the web.config for the ProfilesWebService and the site.

    If you had run the SampleDataImport.exe tool on the StarterSite in Beta, then this would already have been created for you as follows:

       <profiles siteName="StarterSite">
         <encryption>
           <keys keyIndex="1">
             <add type="publicKey" value="registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server 2006 Keys\StarterSite,PublicKey" />
             <add type="privateKey1" value="registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server 2006 Keys\StarterSite,PrivateKey" />
             <add type="privateKey2" value="" />
           </keys>
         </encryption>
       </profiles>
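As an added example (not code from the post, the comments, or Commerce Server itself), the Python below mirrors the two checks this thread turns on: whether a client should accept an http:// endpoint given the AllowHTTP flag shown in the post, and whether a web.config <profiles><encryption> block like the one in this comment is complete enough for profile encryption to work. Both config samples are constructed, the enclosing section names of the exe.config are assumed, and the registry path is a placeholder.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
# Constructed AllowHTTP setting shaped like the post's snippet; enclosing section names are assumed.
EXE_CONFIG = """<configuration><applicationSettings><Settings>
  <setting name="AllowHTTP" serializeAs="String"><value>False</value></setting>
</Settings></applicationSettings></configuration>"""

# Constructed sample of the <profiles><encryption> block; the registry path is a placeholder.
WEB_CONFIG = """<configuration>
 <profiles siteName="StarterSite">
  <encryption>
   <keys keyIndex="1">
    <add type="publicKey" value="registry:HKEY_LOCAL_MACHINE\\SOFTWARE\\Placeholder,PublicKey" />
    <add type="privateKey1" value="registry:HKEY_LOCAL_MACHINE\\SOFTWARE\\Placeholder,PrivateKey" />
    <add type="privateKey2" value="" />
   </keys>
  </encryption>
 </profiles>
</configuration>"""

def allow_http(exe_config_xml):
    """True only if AllowHTTP is explicitly 'True'; a missing setting keeps the secure default."""
    root = ET.fromstring(exe_config_xml)
    for setting in root.iter("setting"):
        if setting.get("name") == "AllowHTTP":
            return setting.findtext("value", default="False").strip().lower() == "true"
    return False

def endpoint_permitted(url, exe_config_xml):
    """Mirror the client-side rule: https is always accepted, http only when AllowHTTP is True."""
    scheme = urlparse(url).scheme.lower()
    return scheme == "https" or (scheme == "http" and allow_http(exe_config_xml))

def audit_encryption(web_config_xml):
    """Findings for <profiles><encryption><keys>; an empty list means the block looks complete."""
    root = ET.fromstring(web_config_xml)
    keys = root.find("./profiles/encryption/keys")
    if keys is None:
        return ["no <encryption><keys> section: profile encryption is not configured"]
    findings = []
    if not keys.get("keyIndex"):
        findings.append("keys element has no keyIndex attribute")
    values = {a.get("type"): (a.get("value") or "") for a in keys.findall("add")}
    for required in ("publicKey", "privateKey1"):  # privateKey2 may legitimately be empty
        val = values.get(required, "")
        if not val:
            findings.append(f"{required} is missing or empty")
        elif not val.startswith("registry:") or "," not in val:
            findings.append(f"{required} is not a 'registry:<key>,<valueName>' reference")
    return findings
```

Run audit_encryption against the web.config of both the site and the ProfilesWebService, since the thread notes the block has to be present in both.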

  3. Chad says:

    Thanks for the reply..

    I ran it yesterday, but I got the error below.

    So, I didn’t continue. That’s why I don’t get the encryption key in the Web.config and in the registry..

    Is there any updated version of this app that didn’t throw the error ??

    E:\Commerce Server 2006 Starter Site Beta>SampleDataImport.exe "c:\Inetpub\wwwroot\StarterSite"

    Loading data into site: StarterSite

    Unhandled Exception: System.MissingMethodException: Method not found: 'Microsoft.CommerceServer.Orders.OrderManagementContext Microsoft.CommerceServer.Orders.OrderManagementContext.Create(System.String)'.

      at CommerceSite.SampleDataImport.CreateOrderContext()

      at CommerceSite.SampleDataImport.Run()

      at CommerceSite.SampleDataImport.Main(String[] args)

  4. Unfortunately – no – there is no updated version of that utility. You should be able to do this manually as well – i.e. update the registry keys (or create them) and populate them with private/public key values you can generate via the ProfileKeyManager.exe (which you should be able to find in the %Commerce_Server_Root%\Tools folder).

  5. Chad says:

    Thanks, Nihit..

    I did what you described above.. A pair of private and public keys were generated, and I’ve already registered them into the registry according to the path described in <encryption> section.

    However, it failed with the following error below..

    It looks to me it found the key location, but failing when trying to verify it..

    Configuration Error

    Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

    Parser Error Message: Decryption failed while reading the registry secret.

    Source Error:

    Line 209:                returns null or if the userIdTarget key does not exist.        

    Line 210:            -->

    Line 211: <profiles siteName="StarterSite">

    Line 212: <userProfile profileDefinition="UserObject" userIdProperty="GeneralInfo.user_id" organizationIdProperty="AccountInfo.org_id" catalogSetIdProperty="AccountInfo.user_catalog_set" userIdSource="ASP.NET" userIdKey="GeneralInfo.email_address" userIdTarget="GeneralInfo.user_id"/>

    Line 213: <organizationProfile profileDefintion="Organization" organizationIdProperty="GeneralInfo.org_id" catalogSetIdProperty="GeneralInfo.org_catalog_set"/>

  6. Chad says:

    Thanks for your help.. I’ve solved the encryption issue..

  7. Great to know that the issue is resolved. What was the last error due to? Was it because you were trying to load a profile encrypted earlier with some other key?

  8. Chad says:

    First, I tried to use the encryption keys from my Beta image, which I found aren’t portable across different images. Second, I also had profiles encrypted with other keys that I wasn’t aware of. By doing a clean installation, I managed to overcome the error.

    So, for those who are doing a Starter Site installation on an RC image (a new image, not just an upgrade of the Beta image), make sure to include the <encryption> section, generate new keys and register them in the registry as described in the previous exchanges.

    Those steps are supposed to be performed by SampleDataImport.exe, however since SampleDataImport.exe isn’t working for RC, they have to be done manually..

  9. We have finally shipped and have more time to develop tutorials and blog more about Commerce Server 2007. …

  10. Just wanted to highlight a couple of points about the Customer and Orders Manager Business Application…

  11. We are considering using commerce 2007 as our new backend when we choose to upgrade from site server 3 ( :/ )

    I have managed to get the StarterSite up except for Checkout and using a card. I’ve been reading a bit but I just can’t get past the problem. After reading a bit on this site and pushing the keys into the registry I now get this error:

    Parser Error Message: Decryption failed while reading the registry secret.

    Source Error:

    Line 228: returns null or if the userIdTarget key does not exist.        

    Line 229: -->

    Line 230: <profiles siteName="StarterSite">

    Line 231: <encryption>

    Line 232: <keys keyIndex="1">

    I registered the keys as binary in the path it looks for them. Is there anyone who has any help for me on this subject please?

  12. Hi,

    Do you have the userIdTarget key defined (one of the previous comments in this thread mention it as well)? Also do you have a clean new installation and new profiles or existing profiles with encrypted properties that you are trying to load?

    I would suggest you post this to the Newsgroups for a better response. Make sure to include details about the questions I just asked as well.

    Thanks,

    Nihit

  13. Hi,

    Thanks for the response. I have a clean install of the site with new profiles. I will go to the newsgroup as well 🙂 Thank you again for the reply

  14. Just wanted to highlight a couple of points about the Customer and Orders Manager Business Application

  15. Adam Kahtava says:

    The version of SelfSSL in the IISResource Kit has a bug that only allows one website to have SSL at a time. A more recent version – without the bug – is available through the IIS Diagnostics Toolkit. See the following link: http://www.microsoft.com/downloads/details.aspx?FamilyID=9bfa49bc-376b-4a54-95aa-73c9156706e7&DisplayLang=en

  16. RockyBalbova says:

    Hi I am facing problem with the Orders web service.

    When I try to access the Customer and Order manager, I get the error "the Order web service is currently unavailable".

    When i look at the event log it gives me the following information

    Application [w3wp.exe]. Authentication failed. The user credentials were not accepted by ISA Server.  Verify that the user account running this application has the required permissions.

    I have given write permission to the user group which was created for the Orders and still i am getting this error.

    Thanks in advance.

  17. Hi,

    You should post this to the CS 2007 forums so that more people can help out with the issue (wondering if there is anything ISA specific).

    My first guess would be to check the IIS Application Pool identity and to make sure that the user it is running as has the required privileges etc.

    Thanks,

    Nihit

  18. echos says:

    Me too, I have the same problem!!!!!

    When I try to access the Customer and Order manager, I get the error "the Order web service is currently unavailable".

    People, I don’t know what to do. I have tried everything and nothing worked. Please, can anyone help?

    Thanks in advance

  19. Hi Echos,

    Please post your issue to the MSDN Commerce Server Forums (and search over there for this issue as well).

    You should include details on what errors messages and event viewer entries you are seeing on the server.

    Thanks,

    Nihit
