Initialize KLF in WebSphere Commerce Payments

The encryption key providers are defined in a keys configuration file. For an attended startup Payments instance, an attribute KeysConfigFile in the Payments instance XML file points to the keys configuration file. This attribute is used to initialize the Key Locator Framework (KLF) to start, stop, update, or delete the instance. For an unattended startup Payments instance, a custom property wpm.keysConfigFile in the JVM setting of the corresponding WebSphere Application Server instance also points to the keys configuration file. It is used to initialize the KLF to start the instance. The KeysConfigFile attribute is used to update or delete an unattended startup instance.

Note: The Payment instance that is referred to here is the deprecated WebSphere Commerce Multipayment Framework.

The KeysConfigFile attribute and the wpm.keysConfigFile property must specify a path relative to the Payments instance XML directory: WC_installdir/instances/payments_instance_name/xml

Note: Attended startup means that the instance password is required to start the Payments instance. Unattended startup means that the instance password is not required to start the Payments instance. For more information, see Checking the WebSphere Commerce Payments instance password requirements.

For example, KeysConfigFile="config/CustomKeys.xml"

If the KeysConfigFile attribute is not present in the instance XML file, a hardcoded location of the keys configuration file is used: WC_installdir/payments/xml/config/WCKeys.xml

For an unattended startup Payments instance, if the wpm.keysConfigFile property is not present in the JVM setting of its corresponding WebSphere Application Server instance, the Payments instance password is not retrieved through the Key Locator Framework but from the wpm.pip property, an encrypted version of the Payments instance password.

Note: Customers should not customize the default WCKeys.xml file. The custom keys configuration file that is specified in the KeysConfigFile attribute and the wpm.keysConfigFile property must use a name other than WCKeys.xml so that it is not overwritten during migration to 6.0.

The default WCKeys.xml applies to all Payments instances. WCKeys.xml contains a WCPaymentsInstancePasswordImpl provider, which continues to read the Payments instance password from the Payments instance XML file.
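The lookup rules above can be checked before an instance is started. The following is an added example, not IBM code: it reports which keys configuration file the KLF would be initialized from and flags a custom file that is absolute or named WCKeys.xml. The element name PaymentsInstance, the install path /opt/WC and the instance name pay1 are constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample; the element name is an assumption, only the attribute is from the page.
SAMPLE_XML = '<PaymentsInstance KeysConfigFile="config/CustomKeys.xml"/>'


def resolve_klf(install_dir, instance, instance_xml, jvm_props, unattended):
    """Return the keys configuration files the KLF would use, plus findings."""
    xml_dir = posixpath.join(install_dir, "instances", instance, "xml")
    default = posixpath.join(install_dir, "payments/xml/config/WCKeys.xml")
    # Assumption: the attribute may sit on any element of the instance XML.
    attr = next((e.get("KeysConfigFile") for e in ET.fromstring(instance_xml).iter()
                 if e.get("KeysConfigFile")), None)
    prop = jvm_props.get("wpm.keysConfigFile")
    findings = []

    def locate(value, source):
        if posixpath.isabs(value):
            findings.append(f"{source}: must be relative to {xml_dir}")
        if posixpath.basename(value) == "WCKeys.xml":
            findings.append(f"{source}: custom file must not be named WCKeys.xml")
        return posixpath.normpath(posixpath.join(xml_dir, value))

    # KeysConfigFile drives update/delete (and start/stop when attended).
    manage = locate(attr, "KeysConfigFile") if attr else default
    if not unattended:
        start, password = manage, "KLF"
    elif prop:
        start, password = locate(prop, "wpm.keysConfigFile"), "KLF"
    else:
        # No JVM property: the password comes from wpm.pip, not through the KLF.
        start, password = None, "wpm.pip"
    return {"start": start, "manage": manage,
            "password_source": password, "findings": findings}


if __name__ == "__main__":
    print(resolve_klf("/opt/WC", "pay1", SAMPLE_XML, {}, unattended=False))
```

A start value of None with password_source "wpm.pip" identifies an unattended instance whose password does not go through the KLF at all.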

Customers can store the Payments instance password in another location, such as in an external file or hardware device. To store the Payments instance password in another location, they must manually add the KeysConfigFile attribute to the Payments instance XML file. The value specifies the location of their customized keys configuration file. For an unattended startup instance, they must also add the wpm.keysConfigFile property to the JVM setting of the corresponding WebSphere Application Server instance. Doing so specifies the location of their customized keys configuration file. The customized keys configuration file registers the new Payments instance password provider class, which manages the Payments instance password that is stored in the new location.

For IBM i OS operating system: If you are using iSeries, you must use an unattended startup instance to be PCI-compliant. iSeries cannot mask the Payments instance password in the command line when it is issuing the IBMPayServer command to start the payment instance. This does not comply with the PCI criteria of "Split knowledge and dual control of keys". For an unattended startup Payments instance, you can start it by starting the corresponding WebSphere Application Server instance. To change the startup mode of your Payments instance, refer to Changing the WebSphere Commerce Payments instance password requirements.