CS 2007 - Secure by Default

In case you thought that was all talk, take a look at the Customer and Orders Manager UI in the latest release candidate of Commerce Server 2007. If you are moving from Beta and are perplexed as to why you suddenly cannot open this UI anymore, it is because we now require that the UI connect over SSL by default. Those last two words are the important ones, since the default is what gets used in most cases. Is it a bit more painful? Yes. Is it more secure? Yes. It was important to go over SSL by default for the Customer and Orders Manager because it transfers more sensitive data, such as user passwords and payment information. Even though it will typically run in an intranet environment, you are better off with all the data going over SSL.

So how do you get it to work if you really are not interested in getting SSL set up in your intranet? There are a couple of options if you just want to try this on your developer workstation, or if you want to roll out the UI without the SSL requirement:

- Use SelfSSL on your developer box. This is as simple as installing the IIS 6.0 Resource Toolkit and running SelfSSL.exe. Run an IISReset and your UI should be all set.

- You can also disable the SSL check permanently by changing the following flag to True (it is shown here as False) in “%Commerce_Server_Root%\Business User Applications\CustomerAndOrdersManager.exe.config”. This lets the UI connect over HTTP instead of only over HTTPS:

            <setting name="AllowHTTP" serializeAs="String">
                <value>False</value>
            </setting>

The world’s a safer place (with that value set to True)!
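
To find out which workstations have had this override applied, the following added example (not part of the original post or of Commerce Server) reads the contents of a CustomerAndOrdersManager.exe.config and reports the state of the AllowHTTP setting. The enclosing element names in the sample XML, the machine names and the function names are assumptions; the post shows only the `<setting>` element itself.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs. The enclosing element names are placeholders:
# the post shows only the <setting> element, not the section around it.
SECURE = """<configuration><applicationSettings><ExampleSettings>
  <setting name="AllowHTTP" serializeAs="String"><value>False</value></setting>
</ExampleSettings></applicationSettings></configuration>"""
OVERRIDDEN = SECURE.replace("<value>False</value>", "<value> true </value>")
ABSENT = "<configuration><applicationSettings/></configuration>"


def allow_http_state(config_xml):
    """Classify a config: 'https-only', 'http-allowed', 'not-set' or 'invalid'."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return "invalid"
    # Match the setting wherever it sits, since the section name is not known.
    # The comparison is deliberately lenient about case and whitespace.
    values = [
        (s.findtext("value") or "").strip().lower()
        for s in root.iter("setting")
        if s.get("name", "").lower() == "allowhttp"
    ]
    if not values:
        return "not-set"
    if any(v == "true" for v in values):
        return "http-allowed"
    if all(v == "false" for v in values):
        return "https-only"
    return "invalid"  # unexpected value: flag for manual review


def audit(configs):
    """Return the machines whose config is not confirmed as HTTPS-only."""
    return sorted(name for name, text in configs.items()
                  if allow_http_state(text) != "https-only")


if __name__ == "__main__":
    # Constructed fleet: machine name -> config file contents.
    fleet = {"dev-01": SECURE, "dev-02": OVERRIDDEN, "dev-03": ABSENT}
    for name, text in fleet.items():
        print(name, allow_http_state(text))
    print("needs review:", audit(fleet))
```

A machine reported as `not-set` or `invalid` is listed for review rather than assumed safe, because the post does not say how the application behaves when the setting is missing or malformed.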