Feature Pack 2, Feature Pack 3, Feature Pack 4, Feature Pack 5, Feature Pack 6

Securing the WebSphere Commerce search server

You can secure WebSphere Commerce search by enabling WebSphere Application Server Administrative Security and, optionally, WebSphere Application Server Application Security for your search server. Enabling these settings secures the Solr administrative services, so that only authenticated users can access the WebSphere Commerce search services, for example, to update, delete, or build a search index.

Note: If your feature pack level is above Feature Pack 6, instead complete the steps in Securing the WebSphere Commerce search server.

Before you begin

  • Ensure that you have deployed the WebSphere Commerce search server in the standard or advanced configuration.
  • Ensure that Solr is behind a firewall, so that only configured clients can connect to the Solr server.

Procedure

  1. Navigate to the following directory:
    • Solaris, Linux, AIX: WAS_installdir/profiles/Solr_profiledir/bin
    • Windows: WAS_installdir\profiles\Solr_profiledir\bin
    Where Solr_profiledir is the directory that is created for the WebSphere Application Server profile that is used by a WebSphere Commerce search instance.
  2. Start the solrServer instance:
    • Solaris, Linux, AIX: ./startServer.sh solrServer
    • Windows: startServer.bat solrServer
  3. Launch the Solr WebSphere administrative console.
    For instance:
    • http://host_name:port/admin
    Note: For more information about locating your port number, see WebSphere Application Server Technote #1385225.
  4. In the Solr WebSphere Application Server Administration Console, expand Security and click Global Security.
  5. In the Available realm definitions section, select Federated repositories and click Configure.
  6. Enter a user name in the Primary administrative user name field. It represents the name of the administrator that is used to log on to the WebSphere Application Server Administration Console. Click OK.
  7. Enter a password for the administrative user and click OK.
  8. Navigate back to the Federated repositories configuration page and click Save. A file-based repository is used to store the user ID and password.
  9. Navigate back to the Global Security page and configure the following options:
    1. Select Enable administrative security. It automatically selects Enable application security.
      If your business requirements require application security, keep it enabled. There might be performance degradations associated with application security.
    2. Clear Java 2 security.
    3. Select Federated Repositories and click Set as current.
    4. Click Apply and then click Save.
  10. Restart the solrServer instance by stopping then starting the server:
    1. Stop the solrServer instance:
      • Solaris, Linux, AIX: ./stopServer.sh solrServer
      • Windows: stopServer.bat solrServer
    2. Start the solrServer instance:
      • Solaris, Linux, AIX: ./startServer.sh solrServer
      • Windows: startServer.bat solrServer
  11. Complete the following steps if you selected Enable application security:
    1. Navigate to:

      Applications > Application Types > WebSphere enterprise applications > solr

      1. Click Security role to user/group mapping.
      2. Select WCSolrSearchAdministrator, click Map Users..., then click Search.
      3. Add the user admin_user_id to the selected bucket and click OK, where admin_user_id is the user name that is specified in the Primary administrative user name field in Step 5.
      4. Click OK and click Save to apply the changes to the master configuration.
    2. WebSphere Commerce Developer: Complete the following steps:
      1. Open WebSphere Commerce Developer.
      2. Create the META-INF\ibm-application-bnd.xml file in the WebSphere Commerce search EAR project, if it does not exist, and update the user information as needed. For example:
        
        <?xml version="1.0" encoding="UTF-8"?>
        <application-bnd
        	xmlns="http://websphere.ibm.com/xml/ns/javaee"
        	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        	xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
        	version="1.0">
        
        	<security-role name="SearchAdministrator">
        		<user name="uid=configadmin,o=defaultWIMFileBasedRealm" />
        	</security-role>
        
        </application-bnd>
        
      3. Save your changes.
    3. Update the WebSphere Commerce search configuration file:
      1. Navigate to the following path:
        • Feature Pack 2, Feature Pack 3, Feature Pack 4, Feature Pack 5: WC_eardir/xml/config/com.ibm.commerce.catalog-fep/wc-search.xml
        • Feature Pack 6: WC_eardir/xml/config/com.ibm.commerce.catalog-ext/wc-search.xml
      2. Make a copy of the wc-search.xml file and save this copy somewhere. You must not make any changes to this copied file.
      3. Update the original wc-search.xml file with the security attributes (securityEnabled, adminUserId, and adminUserPassword) shown in the following example:
        
        <_config:server name="AdvancedConfiguration">
            <_config:common-http URL="http://yourSolrServer:solrServerPort/solr/"
                allowCompression="true" connectionTimeout="2000"
                defaultMaxConnectionsPerHost="100" followRedirects="false"
                maxRetries="0" maxTotalConnections="100" soTimeout="2000" securityEnabled="true"
                adminUserId="admin_user_id" adminUserPassword="encrypted_admin_password"/>
        </_config:server>
        
        Where:
        admin_user_id
            The user ID specified in Step 6 of this task.
        encrypted_admin_password
            Generated when the following steps are completed:
            1. Navigate to the WC_installdir/bin directory.
            2. Run the following command: wcs_encrypt admin_password, where admin_password is the password that is specified in Step 7 of this task.
            3. Use the ASCII encrypted string from this command as the encrypted password.
      4. Propagate your changes to the WebSphere Commerce Application EAR.
  12. Restart the solrServer and WebSphere Commerce server for the changes to take effect. After you enable security, you must use the user ID and password that are specified in Step 6 of this task to log in to the solrServer WebSphere Application Server Administration Console.
  13. Feature Pack 5, Feature Pack 6: The value pair SearchServerUser=XXXXX,SearchServerPassword=XXXXX must be manually added into the config column of the SRCHCONF and SRCHCONFEXT tables for each row.

    The SearchServerPassword value must be an encrypted password. To generate an encrypted password, run the wcs_encrypt utility without specifying the merchant key.

    For example,
    wcs_encrypt myPassword
    If you do not add the value pair to the tables, the Data Import Handler fails to run successfully. For example, for the SRCHCONF and SRCHCONFEXT tables:
    
    select * from srchconf;
    
    SRCHCONF
    INDEXTYPE | INDEXSCOPE | LANGUAGES | CONFIG | OPTCOUNTER
    CatalogEntry | 10001 | -1 | SearchServerName=search_server_host_name,IndexScopeTag=0,SearchServerPort=3737,PreProcessConfigDirectory=/opt/WebSphere/CommerceServer70/instances/demo/search/pre-processConfig/MC_10001/Oracle,SearchServerUser=configadmin,SearchServerPassword=Ua4xMY1lGEqYbwa0gxDxGg== | 0
    CatalogGroup | 10001 | -1 | SearchServerName=search_server_host_name,IndexScopeTag=1,SearchServerPort=3737,PreProcessConfigDirectory=/opt/WebSphere/CommerceServer70/instances/demo/search/pre-processConfig/MC_10001/Oracle/CatalogGroup,SearchServerUser=configadmin,SearchServerPassword=Ua4xMY1lGEqYbwa0gxDxGg== | 0
    
    select * from srchconfext;
    
    SRCHCONFEXT
    SRCHCONFEXT_ID | INDEXTYPE | INDEXSCOPE | LANGUAGE_ID | INDEXSUBTYPE | CONFIG | OPTCOUNTER
    1 | CatalogEntry | 10001 | -1 | Unstructured | SearchServerName=search_server_host_name,SearchServerPort=3737,SearchServerUser=configadmin,SearchServerPassword=Ua4xMY1lGEqYbwa0gxDxGg== | 0
    2 | CatalogEntry | 10001 | -1 | Structured | SearchServerName=search_server_host_name,SearchServerPort=3737,SearchServerUser=configadmin,SearchServerPassword=Ua4xMY1lGEqYbwa0gxDxGg== | 0
    3 | CatalogEntry | 10001 | -1 | WebContent | SearchServerName=search_server_host_name,SearchServerPort=3737,BasePath=/opt/WebSphere/AppServer/profiles/demo/installedApps/WC_demo_cell/WC_demo.ear/Stores.war/AuroraStorefrontAssetStore/StaticContent/en_US/;/opt/WebSphere/AppServer/profiles/demo/installedApps/WC_demo_cell/WC_demo.ear/Stores.war/AuroraStorefrontAssetStore/StaticContent/en_US/,StoreId=10152;10751,SearchServerUser=configadmin,SearchServerPassword=Ua4xMY1lGEqYbwa0gxDxGg== | 0
    4 | CatalogGroup | 10001 | -1 | Structured | SearchServerName=search_server_host_name,SearchServerPort=3737,SearchServerUser=configadmin,SearchServerPassword=Ua4xMY1lGEqYbwa0gxDxGg== | 0
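
A way to check step 13 before running the Data Import Handler, as an added example that is not part of the original page or of IBM's code: it parses CONFIG values exported from SRCHCONF and SRCHCONFEXT, flags rows where the value pair is missing or the password does not look like wcs_encrypt output, and builds the corrected CONFIG value. The function names, the sample rows, and the heuristic that the ASCII encrypted string is base64 of whole 8-byte blocks (inferred from the shape of the example password on this page) are assumptions.

```python
import base64
import binascii

REQUIRED = ("SearchServerUser", "SearchServerPassword")

def parse_config(config):
    """Split a CONFIG value into an ordered dict. Only the first '=' separates
    key from value, so base64 padding in the password survives."""
    pairs = {}
    for item in config.split(","):
        key, sep, value = item.partition("=")
        if sep:
            pairs[key.strip()] = value.strip()
    return pairs

def looks_encrypted(value):
    """Assumed heuristic: encrypted output is base64 of whole 8-byte blocks."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and len(raw) % 8 == 0

def audit_rows(rows):
    """rows: (table, row_key, config) tuples; returns (table, row_key, problem)."""
    findings = []
    for table, row_key, config in rows:
        pairs = parse_config(config)
        missing = [k for k in REQUIRED if not pairs.get(k)]
        if missing:
            findings.append((table, row_key, "missing " + ",".join(missing)))
        elif not looks_encrypted(pairs["SearchServerPassword"]):
            findings.append((table, row_key, "password is not wcs_encrypt output"))
    return findings

def with_credentials(config, user, encrypted_password):
    """Return the CONFIG value with the pair set, keeping other keys in order."""
    pairs = parse_config(config)
    pairs["SearchServerUser"] = user
    pairs["SearchServerPassword"] = encrypted_password
    return ",".join(f"{k}={v}" for k, v in pairs.items())

# Constructed rows modelled on the sample output above; rows 2 and 3 are deliberately wrong.
BASE = "SearchServerName=search_server_host_name,SearchServerPort=3737"
ROWS = [
    ("SRCHCONF", "CatalogEntry", BASE + ",SearchServerUser=configadmin,SearchServerPassword=Ua4xMY1lGEqYbwa0gxDxGg=="),
    ("SRCHCONF", "CatalogGroup", BASE),  # value pair never added
    ("SRCHCONFEXT", "2", BASE + ",SearchServerUser=configadmin,SearchServerPassword=myPassword"),  # plaintext
]

if __name__ == "__main__":
    for finding in audit_rows(ROWS):
        print(*finding, sep=": ")
```

The heuristic can miss a plaintext password that happens to be valid base64 of the right length, so treat a clean result as a check on the row format, not as proof that the stored value is encrypted.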

What to do next

After completing the deployment tasks and securing the WebSphere Commerce search server, complete the steps in Setting up the search index.