HCL Commerce Version 9.0.1.20 or later

Enabling SSL for database connections in runtime environments

As you update your site to be General Data Protection Regulation (GDPR) ready, you may need to take additional steps so that customer data is encrypted during all communication, both internal and external. To help encrypt the communication between your servers and your database, you can set up a Secure Sockets Layer (SSL) connection.

By default, data that is communicated between HCL Commerce servers and your database is not encrypted. HCL Commerce only encrypts communication between the Transaction server and Search server and between the Store server and Search server.

If you need to encrypt all communication, you must set up the SSL connection for the following servers, which directly interface with the database:
  • Transaction server
  • Search server
  • Utility server
The Customization server and Store server do not communicate directly with the database.

Before you begin

Configure IBM Db2 Database to use SSL before you switch to the protocol in HCL Commerce.

  1. Configure the database to use SSL. For more information, see Configuring Secure Sockets Layer (SSL) support in a DB2 database.
  2. Extract the certificate that was created in the previous step, and copy it to your HCL Commerce environment. SSL uses the certificate to connect the database to HCL Commerce utilities.
  3. IBM Db2 supports encryption within the database. See the DB2 version 11 Data encryption page.

Procedure

Transaction server
  1. Import the database server certificate for the Transaction server.
  2. Configure the data source to support SSL for the Transaction server.
    Option | Description
    In a running Docker container
    1. Open the Transaction server Docker container.
    2. Run the command run update-datasource-db jdbc/WCDataSource dbName dbHost dbSSLPort true to update the port and sslConnection settings. For example,
      run update-datasource-db jdbc/WCDataSource mall mydbhostname.com 50001 true
      For more information about the update-datasource-db command and its parameters, see Transaction server Run Engine commands.
    In a custom Docker image
    1. In the host server, create a folder that is named tsapp.
    2. Following the instructions for Transaction servers in Building custom Docker images for use with an Oracle database, add the parameters to the custConfiguration.sh file to update the port and sslConnection settings. Save the file in the tsapp folder and complete the instructions in Building custom Docker images for use with an Oracle database to build the new containers.
Search server
  1. Import the database server certificate for the Search server.
  2. Configure the database connection for the Search server.
    Option | Description
    In a running Docker container
    1. Open the Search server Docker container.
    2. Run the command run update-datasource-db jdbc/wcdb dbName dbHost dbSSLPort true to update the port and sslConnection. For example,
      run update-datasource-db jdbc/WCDataSource mall mydbhostname.com 50001 true
      For more information about the update-datasource-db command and its parameters, see Search server Run Engine commands.
    In a custom Docker image
    1. In the host server, create a folder that is named search.
    2. Following the instructions for Search servers in Building custom Docker images for use with an Oracle database, add the parameters to the custConfiguration.sh file to update the port and sslConnection settings. Save the file in the search folder and complete the instructions in Building custom Docker images for use with an Oracle database to build the new containers.
Utility server Docker container
  1. Enable an SSL connection for the Utility server Docker container.
    1. Stop any existing containers. For example, if you are using Docker Compose, you can use the following command:
      docker-compose -f path_to_docker-compose.yml_file stop
    2. Remove any existing containers. For example, if you are using Docker Compose, run the following command:
      docker-compose -f path_to_docker-compose.yml_file rm utils
    3. Edit the Compose file for the Utility server Docker container, docker-compose.yml. Update the following initial environment variables.
      DBPORT
      Change to the value of the database server security port SSL_SVCENAME.
      ENABLE_DB_SSL
      Set the value to true.
      For example, if you are using Docker Compose, update the following code in the file:
      utils:
           ...
           environment:
             ...
             - DBPORT=db_ssl_svcename
             ...
             - ENABLE_DB_SSL=true
      For more information and a sample docker-compose.yml file, see Deploying an HCL Commerce Version 9.0.0.0 to 9.0.1.17 authoring environment with Docker Compose.
    4. Deploy the Utility server Docker container based on the updated configuration. For example, if you are using Docker Compose, run the following command:
      docker-compose -f path_to_docker-compose.yml_file up -d utils
      For more information about Docker image configuration parameters, see Docker container start up configuration parameters.
  2. Import the SSL certificate to the Java SDK default truststore.
    1. Copy the database server certificate from the Utility host to the new container.
    2. Go to /opt/WebSphere/AppServer/java/8.0/bin.
    3. Use Keytool to import the certificate.
      ./keytool -import -file cert_location -keystore /opt/WebSphere/AppServer/java/8.0/jre/lib/security/cacerts -alias alias -storepass key_store_password
      Where:
      cert_location
      The path to the certificate file.
      key_store_password
      The password to the trust keystore. The default password of the Java SDK default truststore is changeit.
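
A pre-deployment check for the Compose settings changed in the Utility server steps above, as an added example that is not part of the HCL documentation: it confirms that ENABLE_DB_SSL=true and a non-plaintext DBPORT are set on the utils service itself, not on some other service in the file. The plaintext port 50000, the service name other-service, and both sample files are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not HCL code. Audits the `utils` service of a Compose file
# for the two settings changed in this procedure (list-style environment only).
# Assumption: 50000 is the plaintext Db2 port; set PLAINTEXT_PORT to yours.
PLAINTEXT_PORT=${PLAINTEXT_PORT:-50000}

# Prints one FAIL line per finding; returns 0 only when there are none.
check_utils_db_ssl() {
  awk -v plain="$PLAINTEXT_PORT" '
    # Enter the utils block and remember its indentation.
    /^[ \t]*utils:[ \t]*$/ { match($0, /^[ \t]*/); indent = RLENGTH; in_utils = 1; next }
    # A key at the same or shallower indentation ends the utils block.
    in_utils && /^[ \t]*[^ \t#-]/ { match($0, /^[ \t]*/); if (RLENGTH <= indent) in_utils = 0 }
    # Collect "- NAME=value" entries that belong to utils.
    in_utils && /^[ \t]*-[ \t]*[A-Z_]+=/ {
      line = $0; sub(/^[ \t]*-[ \t]*/, "", line); sub(/[ \t\r]+$/, "", line)
      key = line; sub(/=.*/, "", key)
      val = line; sub(/^[^=]*=/, "", val)
      env[key] = val
    }
    END {
      bad = 0
      if (env["ENABLE_DB_SSL"] != "true") { print "FAIL: ENABLE_DB_SSL is not true"; bad = 1 }
      if (!("DBPORT" in env))           { print "FAIL: DBPORT is not set"; bad = 1 }
      else if (env["DBPORT"] == plain)  { print "FAIL: DBPORT is the plaintext port " plain; bad = 1 }
      exit bad
    }' "$1"
}

# Constructed sample files: settings before and after step 3 of the procedure.
tmp=$(mktemp -d)
cat > "$tmp/before.yml" <<'EOF'
services:
  utils:
    environment:
      - DBPORT=50000
  other-service:
    environment:
      - ENABLE_DB_SSL=true
EOF
cat > "$tmp/after.yml" <<'EOF'
services:
  utils:
    environment:
      - DBPORT=50001
      - ENABLE_DB_SSL=true
EOF
check_utils_db_ssl "$tmp/before.yml" || echo "before.yml: not ready"
check_utils_db_ssl "$tmp/after.yml" && echo "after.yml: utils uses the SSL port"
```

The check only reads the Compose file; it does not prove that the database listener on that port actually negotiates SSL.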

Results

All HCL Commerce communication with the database is now fully encrypted.