Changing the session encryption key

External-facing data, such as cookies, is encrypted with a key that is specified in the Instance/SessionKey attribute in the WebSphere Commerce configuration file. This session key is generated and is different from the merchant key that is specified during instance creation. The merchant key is still responsible for encrypting sensitive data that is stored in the database, for example, credit card numbers. It is highly recommended that you change the session key at the same time you change the merchant key. According to the PCI specification, the merchant key should be changed at least annually.

Before you begin

  • Linux, AIX: Ensure that you are logged on as the WebSphere Commerce non-root user.
  • WebSphere Commerce Developer: Ensure that the test server is stopped and that Rational Application Developer is not running.


  1. Complete one of the following tasks:
    • Linux, AIX: Log on as a WebSphere Commerce non-root user.
    • Windows: Log on with a user ID that is a member of the Windows Administration group.
  2. Go to the following directory:
    • WC_installdir/bin
    • WebSphere Commerce Developer: WCDE_installdir\bin
  3. Run the update session key script to generate a new key:
    • Windows: config_ant -DinstanceXml=WC_installdir\instances\instance_name\xml\instance_name.xml -buildfile WC_installdir\config\ant\updateSessionKey.xml update
    • Linux, AIX: ./ -DinstanceXml=WC_installdir/instances/instance_name/xml/instance_name.xml -buildfile WC_installdir/config/ant/updateSessionKey.xml update
    • WebSphere Commerce Developer: updateSessionKey.bat
  4. Confirm the status from the following location:
    • The status message appears in the command window where you issued the check status command.
    • WebSphere Commerce Developer: WCDE_installdir\logs\updateSessionKey.log
  5. Start the WebSphere Commerce instance.
  6. Go to the following directory, WC_installdir/bin.
  7. Run the following command to propagate the change to the wc-server.xml file:
    • Windows: config_ant -DinstanceName=demo UpdateEAR
    • Linux, AIX: ./ -DinstanceName=demo UpdateEAR
  8. If you are using local authentication on the WebSphere Commerce search server, ensure that the session key is synchronized between WebSphere Commerce and WebSphere Commerce search. Copy the new session key to the WebSphere Commerce search server whenever it is changed on the WebSphere Commerce server.
  9. Restart your WebSphere Commerce instance.
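
A check that can follow steps 7 and 8, added here as an example and not part of the product's tooling: it confirms that every copy of the configuration carries the same session key and that none still holds the previous one, comparing SHA-256 fingerprints so the key itself is never printed. It assumes each file is XML containing an element named Instance with a SessionKey attribute; the function names, file labels and sample keys are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

def session_key_fingerprint(xml_text):
    """SHA-256 fingerprint of Instance/@SessionKey, or None if it is absent.
    Only the fingerprint is reported, so the key never lands in a log."""
    root = ET.fromstring(xml_text)
    for elem in root.iter("Instance"):  # assumed element name, from "Instance/SessionKey"
        key = elem.get("SessionKey")
        if key:
            return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]
    return None

def check_rotation(previous_xml, current_configs):
    """previous_xml: backup of the instance file taken before step 3.
    current_configs: {label: xml_text} for every copy that must carry the new key."""
    findings = []
    old = session_key_fingerprint(previous_xml)
    prints = {label: session_key_fingerprint(text) for label, text in current_configs.items()}
    for label, fp in prints.items():
        if fp is None:
            findings.append(f"{label}: no Instance/SessionKey attribute found")
        elif fp == old:
            findings.append(f"{label}: still carries the previous session key")
    if len({fp for fp in prints.values() if fp is not None}) > 1:
        findings.append("session key is not identical across: " + ", ".join(sorted(prints)))
    return findings

def sample_config(key):
    """Constructed stand-in for a configuration file; real files hold far more."""
    return ('<config><InstanceProperties>'
            f'<Instance InstanceName="demo" SessionKey="{key}"/>'
            '</InstanceProperties></config>')

if __name__ == "__main__":
    before = sample_config("constructed-old-key")
    after = {
        "instance_name.xml": sample_config("constructed-new-key"),
        "wc-server.xml": sample_config("constructed-new-key"),
        "search server copy": sample_config("constructed-old-key"),  # step 8 was skipped
    }
    for line in check_rotation(before, after):
        print(line)
```

An empty result means the rotation reached every copy that was checked; any finding names the file to revisit before the restart in step 9.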