Feature Pack 7 or later

Securing the WebSphere Commerce search server

It is recommended that you secure WebSphere Commerce search by enabling WebSphere Application Server Administrative Security. You can further secure your search server by optionally enabling WebSphere Application Server Application Security. Enabling Application Security results in securing Solr Administrative services so that only authenticated users can run these services. For example, updating, deleting, and building a search index. However, performance degradation might be associated with enabling Application Security.

Note: If your feature pack level is earlier than Feature Pack 7, instead complete the steps in Securing the WebSphere Commerce search server.

Before you begin

Procedure

  1. Open the Solr administrative console:
    1. Go to the following directory:
      • Solaris, Linux, AIX: WAS_installdir/profiles/Solr_profiledir/bin
      • Windows: WAS_installdir\profiles\Solr_profiledir\bin
      Where Solr_profiledir is the directory that is created for the WebSphere Application Server profile that is used by a WebSphere Commerce search instance.
    2. Start the solrServer instance:
      • Solaris, Linux, AIX: ./startServer.sh solrServer
      • Windows: startServer.bat solrServer
    3. Open the Solr administrative console.
      For instance:
      • http://host_name:port/admin
      Note: For more information about locating your port number, see WebSphere Application Server Technote #1385225.
  2. Feature Pack 7: Configure federated repositories:
    1. In the Solr WebSphere Application Server Administration Console, expand Security and click Global Security.
    2. In the Available realm definitions section, select Federated repositories and click Configure.
    3. Enter a user name in the Primary administrative user name field. It represents the name of the administrator that is used to log on to the WebSphere Application Server Administration Console. Click OK.
    4. Enter a password for the administrative user and click OK.
    5. Go back to the Federated repositories configuration page and click Save. A file-based repository is used to store the user ID and password.
  3. Feature Pack 7: Enable administrative security and optionally application security:
    1. Select Enable administrative security. This automatically selects Enable application security as well.
      If your business requirements call for application security, keep it enabled. Note that performance degradation might be associated with enabling Application Security.
    2. Clear Java 2 security.
    3. Select Federated Repositories and click Set as current.
    4. Click Apply and then click Save.
  4. Feature Pack 8: Enable application security:
    1. Administrative security is enabled by default during feature enablement, with the same user ID and password as the WebSphere Commerce server.
    2. Select Enable application security. However, performance degradation might be associated with enabling Application Security.
  5. Restart the solrServer instance by stopping then starting the server:
    1. Stop the solrServer instance:
      • Solaris, Linux, AIX: ./stopServer.sh solrServer
      • Windows: stopServer.bat solrServer
    2. Start the solrServer instance:
      • Solaris, Linux, AIX: ./startServer.sh solrServer
      • Windows: startServer.bat solrServer
  6. Complete the following steps if you selected Enable application security:
    1. Go to Applications > Application Types > WebSphere enterprise applications > Search.
      1. Click Security role to user/group mapping.
      2. Select SearchAdministrator, click Map Users..., then click Search.
      3. Add the user admin_user_id to the selected bucket and click OK, where admin_user_id is the user name that is specified in the Primary administrative user name field in Step 5.
      4. Click OK and click Save to apply the changes to the master configuration.
    2. WebSphere Commerce Developer: Complete the following steps:
      1. Open WebSphere Commerce Developer.
      2. Create the META-INF\ibm-application-bnd.xml file in the WebSphere Commerce search EAR project, if it does not exist, and update the user information as needed. For example:
        
        <?xml version="1.0" encoding="UTF-8"?>
        <application-bnd
        	xmlns="http://websphere.ibm.com/xml/ns/javaee"
        	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        	xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
        	version="1.0">
        
        	<security-role name="SearchAdministrator">
        		<user name="uid=configadmin,o=defaultWIMFileBasedRealm" />
        	</security-role>
        
        </application-bnd>
        
      3. Save your changes.
    3. Set the following namespace bindings in the WebSphere Application Server for the appropriate WebSphere Commerce or Search machine, depending on whether it is an Authoring server, Production server or Repeater, as explained below:
      1. When configuring the WebSphere Commerce server's WebSphere Application Server administrative console, go to Environments > Naming > Name space bindings > scope:Node=WC_demo_node,Server=server1. Alternatively, when configuring the Search server's WebSphere Application Server administrative console, go to Environments > Naming > Name space bindings > scope:Node=demo_search_node,Server=solrServer.
      2. Add the following name-value pairs:
        Name space bindings name-value pairs:
        Name: com.ibm.commerce.foundation.server.services.search.application.security.username
        Value: The WebSphere Commerce search server application security user name.
        Name: com.ibm.commerce.foundation.server.services.search.application.security.password
        Value: The application security password, encrypted by the wcs_encrypt utility without specifying the merchant key.

        For more information, see Generate encrypted data (wcs_encrypt).

        Passwords are needed in the following locations and scenarios:
        Authoring machine
        For the WebSphere Commerce server, the namespace binding requires the password of its Authoring search server for delta indexing (UpdateSearchIndex scheduled job) and storefront searches.
        Note:
        • The replication.csv file contains the encrypted password of the repeater or subordinate for index propagation from authoring to the repeater or subordinate using the indexprop utility.
        • The di-buildindex utility specifies its search server password in the command line to run a full index build.
        For the WebSphere Commerce search server (Master of repeater), no password is needed.
        Production machine
        For the WebSphere Commerce server, the namespace binding requires the password of its subordinate search server for storefront searches. This password must match the password that is used for the repeater search server, if one exists.
        In addition, the namespace binding requires the password of its repeater search server for delta indexing (UpdateSearchIndex scheduled job) for Quick Publish, if used. This password must match the password that is used for the subordinate search server.
        For the WebSphere Commerce search server (subordinate of repeater), the password of the repeater is needed to pull index replication.
        Repeater machine (Master of production, subordinate of Authoring)
        The WebSphere Commerce search server (subordinate of repeater) requires the password of the Authoring search server to pull index replication.
      3. Save your changes.
  7. Solaris, Linux, AIX, Windows: Update the following values in the WC_installdir\instances\instance_name\search\commerce\properties\searchServer.properties file:
    • wasAdminUser=admin_user_id
    • wasAdminUserPwd=encrypted_admin_password

      Where the encrypted_admin_password value is the encrypted password by the wcs_encrypt utility without specifying the merchant key. For more information, see Generate encrypted data (wcs_encrypt).

  8. Restart the solrServer and WebSphere Commerce server for the changes to take effect. After you enable security, you must use the user ID and password that is specified in Step 2 of this task to log in to the solrServer WebSphere Application Server Administration Console.
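The name space bindings from step 6 (substep 3) and the credential values from step 7 can also be set with wsadmin instead of clicking through the administrative console, which keeps the configuration repeatable across the Authoring, Production and Repeater machines. The following Jython script is an added example and is not IBM's code or part of this page. It assumes the standard wsadmin AdminConfig API and the StringNameSpaceBinding configuration type (attributes name, nameInNameSpace and stringToBind), uses the page's sample node and server names, and takes the password value as the output of wcs_encrypt, never the cleartext password.

```jython
# Added example (not from the IBM page or product): create or update the two
# name space bindings of step 6 with wsadmin instead of the console.
# Run with: wsadmin.sh -lang jython -f set_search_bindings.py
# Assumptions: standard AdminConfig API; node/server names are the page's samples
# (use demo_search_node / solrServer when configuring the Search server's profile).
NODE_NAME = 'WC_demo_node'
SERVER_NAME = 'server1'
SEARCH_USER = 'configadmin'   # admin_user_id placeholder
# Must be the output of wcs_encrypt without the merchant key, never cleartext.
ENCRYPTED_PWD = 'WCS_ENCRYPT_OUTPUT_PLACEHOLDER'

PREFIX = 'com.ibm.commerce.foundation.server.services.search.application.security.'
BINDINGS = [
    (PREFIX + 'username', SEARCH_USER),
    (PREFIX + 'password', ENCRYPTED_PWD),
]

scope = AdminConfig.getid('/Node:%s/Server:%s/' % (NODE_NAME, SERVER_NAME))
if not scope:
    raise Exception('scope Node=%s,Server=%s not found' % (NODE_NAME, SERVER_NAME))

# Index the bindings already defined at this scope so that re-running the script
# updates values instead of creating duplicates.
existing = {}
for b in AdminConfig.list('StringNameSpaceBinding', scope).splitlines():
    if b:
        existing[AdminConfig.showAttribute(b, 'nameInNameSpace')] = b

for name, value in BINDINGS:
    if name in existing:
        AdminConfig.modify(existing[name], [['stringToBind', value]])
    else:
        AdminConfig.create('StringNameSpaceBinding', scope,
                           [['name', name], ['nameInNameSpace', name],
                            ['stringToBind', value]])

AdminConfig.save()
```

Run it once per profile that needs the bindings (the WebSphere Commerce server's profile at Node=WC_demo_node,Server=server1, the Search server's profile at Node=demo_search_node,Server=solrServer) and restart the servers as in step 8; the script writes the same two entries the console steps describe, so the stringToBind value for the password entry must be produced by wcs_encrypt exactly as step 6 requires.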
  9. Optional: If you are migrating to Feature Pack 7 or later from a previous feature pack, the password-related fields in the following files can be removed. They are replaced by the namespace bindings:
    Password-related fields that can be removed:
    File path: All copies of solrconfig.xml under WC_installdir/instances/instance_name/search/solr/home
    Field paths:
      /config/requestHandler/lst/str[@name='httpBasicAuthPassword']
      /config/requestHandler/lst/str[@name='httpBasicAuthUser']
    File path: WC_eardir/xml/config/com.ibm.commerce.catalog-ext/wc-search.xml
    Field path: /common-http/@adminUserPassword
    File path: WC_eardir/xml/config/com.ibm.commerce.catalog-fep/wc-search.xml
    Field path: /common-http/@adminUserPassword
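Leaving the old httpBasicAuthUser/httpBasicAuthPassword entries and the adminUserPassword attribute in place after migration means search credentials live in several configuration files rather than only in the name space bindings, so it is worth auditing and stripping them across every solrconfig.xml copy. The following Python script is an added example and is not IBM's code or part of this page; it applies the field paths from the table above, assumes the directory layout the table gives (WC_installdir/instances/instance_name/search/solr/home and WC_eardir/xml/config/...), and matches common-http by local element name so a namespace-prefixed wc-search.xml is handled too (an assumption beyond the page). The sample XML embedded in it is constructed for the example.

```python
"""Audit and strip the legacy Basic-auth credential fields listed in step 9.
Added example, not code from the IBM page or from WebSphere Commerce. The field
paths are the page's own: solrconfig.xml /config/requestHandler/lst/str[@name=
'httpBasicAuthPassword' | 'httpBasicAuthUser'] and wc-search.xml /common-http/
@adminUserPassword. SAMPLE_* XML is constructed; strip_tree() uses the page's layout."""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Tuple

SOLR_FIELDS = ("httpBasicAuthPassword", "httpBasicAuthUser")
WC_SEARCH_ATTR = "adminUserPassword"
XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'  # ET.tostring() drops it

def _local(tag: str) -> str:
    """Local part of a possibly namespaced tag: '{ns}x' -> 'x'."""
    return tag.rsplit("}", 1)[-1]

def strip_solrconfig(xml_text: str) -> Tuple[str, List[str]]:
    """Remove credential <str> entries under /config/requestHandler/lst; return (xml, removed names)."""
    root = ET.fromstring(xml_text)
    removed: List[str] = []
    if _local(root.tag) != "config":
        return xml_text, removed
    for lst in root.findall("requestHandler/lst"):
        for el in list(lst):  # iterate over a copy; lst is mutated below
            if _local(el.tag) == "str" and el.get("name") in SOLR_FIELDS:
                lst.remove(el)
                removed.append(el.get("name"))
    return ET.tostring(root, encoding="unicode"), removed

def strip_wc_search(xml_text: str) -> Tuple[str, bool]:
    """Drop /common-http/@adminUserPassword (element matched by local name: assumption beyond the page)."""
    root = ET.fromstring(xml_text)
    changed = False
    for el in root.iter():
        if _local(el.tag) == "common-http" and WC_SEARCH_ATTR in el.attrib:
            del el.attrib[WC_SEARCH_ATTR]
            changed = True
    return ET.tostring(root, encoding="unicode"), changed

def find_leftovers(xml_text: str) -> List[str]:
    """Read-only audit: legacy credential fields still present in one document."""
    hits: List[str] = []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "str" and el.get("name") in SOLR_FIELDS:
            hits.append("str[@name='%s']" % el.get("name"))
        if name == "common-http" and WC_SEARCH_ATTR in el.attrib:
            hits.append("common-http/@" + WC_SEARCH_ATTR)
    return hits

def strip_tree(wc_installdir: Path, instance_name: str, wc_eardir: Path) -> Dict[str, List[str]]:
    """Rewrite every file the page lists; return {file path: fields removed}."""
    report: Dict[str, List[str]] = {}
    solr_home = wc_installdir / "instances" / instance_name / "search" / "solr" / "home"
    for path in solr_home.rglob("solrconfig.xml"):
        new_xml, removed = strip_solrconfig(path.read_text(encoding="utf-8"))
        if removed:
            path.write_text(XML_DECL + new_xml, encoding="utf-8")
            report[str(path)] = removed
    for sub in ("com.ibm.commerce.catalog-ext", "com.ibm.commerce.catalog-fep"):
        path = wc_eardir / "xml" / "config" / sub / "wc-search.xml"
        if path.is_file():
            new_xml, changed = strip_wc_search(path.read_text(encoding="utf-8"))
            if changed:
                path.write_text(XML_DECL + new_xml, encoding="utf-8")
                report[str(path)] = [WC_SEARCH_ATTR]
    return report

# Constructed samples, not real WebSphere Commerce files; the password is a placeholder.
SAMPLE_SOLRCONFIG = """<config>
  <requestHandler name="/replication" class="solr.ReplicationHandler">
    <lst name="master">
      <str name="httpBasicAuthUser">configadmin</str>
      <str name="httpBasicAuthPassword">WCS_ENCRYPT_OUTPUT_PLACEHOLDER</str>
      <str name="replicateAfter">commit</str>
    </lst>
  </requestHandler>
</config>"""
SAMPLE_WC_SEARCH = ('<common-http adminUserName="configadmin" '
                    'adminUserPassword="WCS_ENCRYPT_OUTPUT_PLACEHOLDER" />')

def demo() -> Dict[str, object]:
    """Build a throwaway tree in the page's layout, strip it, then audit what is left."""
    base = Path(tempfile.mkdtemp())
    wc, ear = base / "WC_installdir", base / "WC_eardir"
    conf = wc / "instances" / "demo" / "search" / "solr" / "home" / "core1" / "conf"
    conf.mkdir(parents=True)
    (conf / "solrconfig.xml").write_text(SAMPLE_SOLRCONFIG, encoding="utf-8")
    for sub in ("com.ibm.commerce.catalog-ext", "com.ibm.commerce.catalog-fep"):
        (ear / "xml" / "config" / sub).mkdir(parents=True)
        (ear / "xml" / "config" / sub / "wc-search.xml").write_text(SAMPLE_WC_SEARCH, encoding="utf-8")
    report = strip_tree(wc, "demo", ear)
    leftovers = [h for p in report for h in find_leftovers(Path(p).read_text(encoding="utf-8"))]
    return {"files_changed": len(report), "leftovers": leftovers}
```

Run find_leftovers over the real files first (it is read-only) to see what is still there, and run strip_tree only after the name space bindings of step 6 and the searchServer.properties values of step 7 are in place and the servers have been restarted; otherwise delta indexing and replication lose their credentials. ElementTree re-serializes the document, so comments are dropped and namespace prefixes may be rewritten; keep a backup of each file and diff it before committing the change.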

What to do next

After securing the WebSphere Commerce search server, complete the steps in Setting up the search index.