Udostępnij za pośrednictwem


CS 2007 - Secure by Default

In case you thought that was all talk, take a look at the Customer and Orders Manager UI in the latest release candidate of Commerce Server 2007. If you are moving from Beta, and are perplexed as to why you suddenly cannot open this UI anymore it is because we now require that the UI connect over SSL by default. Those two last words are the important ones – since the default is what gets used in most cases. Is it a bit more painful? Yes. Is it more secure? Yes. It was important to go over SSL by default for the Customer and Orders manager because of the transfer of more sensitive data such as user passwords and payment information etc. Even though it will typically be in an intranet environment, you would be better off with all the data going over SSL.

 

So how do you get it to work, if you really are not interested in getting SSL setup in your intranet? Well couple of options if you just want to try this on your developer workstation or if you want to roll out the setup of the UI without the SSL requirement:

 

-        Use SelfSSL on your developer box. As simple as installing the IIS 6.0 Resource Toolkit and running selfSSL.exe. An IISReset and your UI should now be all set.

 

-        You can also disable the SSL check permanently by turning the following flag to True in the “%Commerce_Server_Root%\Business User Applications\CustomerAndOrdersManager.exe.config” in order to enable the UI to go over HTTP (instead of just over HTTPS):

 

            <setting name="AllowHTTP" serializeAs="String">

                <value>False</value>

            </setting>

 

The world’s a safer place (with that value set to True)!

Comments

  • Anonymous
    May 29, 2006
    The comment has been removed

  • Anonymous
    May 30, 2006
    You need to set the <encryption> section in the <profiles> section of the web.config for the ProfilesWebService and the site.

    If you had run the SampleDataImport.exe tool on the StarterSite in Beta, then this would already have been created for you as follows:

       <profiles siteName="StarterSite">
         <encryption>
           <keys keyIndex="1">
             <add type="publicKey" value="registry:HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommerce Server 2006 KeysStarterSite,PublicKey" />
             <add type="privateKey1" value="registry:HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommerce Server 2006 KeysStarterSite,PrivateKey" />
             <add type="privateKey2" value="" />
           </keys>
         </encryption>
       </profiles>

  • Anonymous
    May 30, 2006
    Thank's for the reply..
    I ran it yesterday, but I got the error below.
    So, I didn't continue. That's why I don't get the encryption key in the Web.config and in the registry..
    Is there any updated version of this app that didn't throw the error ??



    E:Commerce Server 2006 Starter Site Beta>SampleDataImport.exe "c:Inetpubwwwro
    otStarterSite"
    Loading data into site: StarterSite


    Unhandled Exception: System.MissingMethodException: Method not found: 'Microsoft
    .CommerceServer.Orders.OrderManagementContext Microsoft.CommerceServer.Orders.Or
    derManagementContext.Create(System.String)'.
      at CommerceSite.SampleDataImport.CreateOrderContext()
      at CommerceSite.SampleDataImport.Run()
      at CommerceSite.SampleDataImport.Main(String[] args)

  • Anonymous
    May 30, 2006
    Unfortunately - no - there is no updated version of that utility. You should be able to do this manually as well - i.e. update the registry keys (or create them) and populate them with private/public key values you can generate via the ProfileKeyManager.exe (which you should be able to find in the %Commerce_Server_Root%Tools folder).

  • Anonymous
    May 31, 2006
    The comment has been removed

  • Anonymous
    May 31, 2006
    Thank's for your help.. I've solved the encryption issue problem..

  • Anonymous
    May 31, 2006
    Great to know that the issue is resolved. What was the last error due to? Was it because you were trying to load a profile encrypted earlier with some other key?

  • Anonymous
    May 31, 2006
    First, I tried to use the encryption keys used in my Beta image, that I found aren't portable accross different images. Second, I also had profiles encrypted with other keys that I wasn't aware of. By doing clean installation, I manage to overcome the error.
    So, for those who is doing Starter Site installation in RC image (new image, not just upgrading the beta image), make sure to include <encryption> section, and generate new keys and registered it in the registry as described in the previous exchanges.
    Those steps are supposed to be performed by SampleDataImport.exe, however since
    SampleDataImport.exe isn't working for RC, they have to be done manually..  

  • Anonymous
    June 22, 2006
    We have finally shipped and have more time to develop tutorials and blog more about Commerce Server 2007.&amp;nbsp;...

  • Anonymous
    August 07, 2006
    Just wanted to highlight a couple of points about the Customer and Orders Manager Business Application...

  • Anonymous
    September 14, 2006
    The comment has been removed

  • Anonymous
    September 14, 2006
    Hi,

    Do you have the userIdTarget key defined (one of the previous comments in this thread mention it as well)? Also do you have a clean new installation and new profiles or existing profiles with encrypted properties that you are trying to load?

    I would suggest you post this to the Newsgroups for a better response. Make sure to include details about the questions I just asked as well.

    Thanks,
    Nihit

  • Anonymous
    September 14, 2006
    Hi,
    Thanks for the response, i have an clean install of the site with new profiles, i will goto the newsgroup aswell :) Thank you again for the reply

  • Anonymous
    October 17, 2006
    Just wanted to highlight a couple of points about the Customer and Orders Manager Business Application

  • Anonymous
    February 13, 2007
    The version of SelfSSL in the IISResource Kit has a bug that only allows one website to have SSL at a time. A more recent version - without the bug - is available through the IIS Diagnostics Toolkit. See the following link: http://www.microsoft.com/downloads/details.aspx?FamilyID=9bfa49bc-376b-4a54-95aa-73c9156706e7&DisplayLang=en

  • Anonymous
    March 07, 2007
    Hi I am facing problem with the Orders web service. when i try to access the Customer and Order manager, i get the error that " the Order web service is currently unavailable". When i look at the event log it gives me the following information Application [w3wp.exe]. Authentication failed. The user credentials were not accepted by ISA Server.  Verify that the user account running this application has the required permissions. I have given write permission to the user group which was created for the Orders and still i am getting this error. Thanks in advance.

  • Anonymous
    March 08, 2007
    Hi, You should post this to the CS 2007 forums so that more people can help out with the issue (wondering if there is anything ISA specific). I first guess would be to check the IIS Application Pool identity and to make sure that the user that is running as, has the required privileges etc. Thanks, Nihit

  • Anonymous
    March 28, 2007
    me too, i have the same problem !!!!! when i try to access the Customer and Order manager, i get the error that " the Order web service is currently unavailable". People i dont know what to do , i have tried every thign an nohting worked please can any one help ? thnkx in advance

  • Anonymous
    April 02, 2007
    Hi Echos, Please post your issue to the MSDN Commerce Server Forums (and search over there for this issue as well). You should include details on what errors messages and event viewer entries you are seeing on the server. Thanks, Nihit