The information contained in this section applies to IBM WebSphere Commerce Version 7.0.0.9 and Feature Pack 8. The documentation also applies to all subsequent releases and modifications until otherwise indicated in new editions.
These topics describe the security features of WebSphere Commerce and how to configure these features.
Creating a custom implementation of a WebSphere Commerce store requires a significant amount of planning. From gathering client needs to deploying the live solution, much work is needed to successfully deploy a custom client store. Use the resources here to help you plan every phase of store creation.
Review this section for information about installing the WebSphere Commerce product, associated maintenance, and WebSphere Commerce enhancements.
Before you migrate WebSphere Commerce, review this information for an overview of the migration process.
WebSphere Commerce provides many tutorials.
The topics in the Developing section describe tasks performed by an application developer.
The following section describes how you can leverage WebSphere Commerce features and functionality to help your site be compliant with different privacy and security standards.
Authentication is the process of verifying that users or applications are who they claim to be. In a WebSphere Commerce system, authentication is required for all users and applications that access the system, except for guest customers.
The WebSphere Commerce authentication model is based on the following concepts: challenge mechanisms, authentication mechanisms and user registries.
WebSphere Commerce views access control or authorization as the process of verifying that users or applications have sufficient authority to access a resource. This section describes the details of several aspects of WebSphere Commerce access control.
The National Institute of Standards and Technology (NIST) Special Publication 800-131A (SP 800-131A) standard offers guidance on migrating to stronger cryptographic keys and more robust algorithms. To comply with this standard, there are some recommended steps to follow for WebSphere Commerce. To ensure that you are fully compliant, refer to the NIST SP 800-131A standard itself.
Federal Information Processing Standards (FIPS) are standards and guidelines that are issued by the National Institute of Standards and Technology (NIST) for federal government computer systems. Federal Information Processing Standards publication 140-2 (FIPS 140-2) covers the security standards that are required for cryptographic modules. When in FIPS 140-2 mode, IBM WebSphere Commerce, through IBM WebSphere Application Server and IBM HTTP Server, uses the FIPS 140-2 approved cryptographic providers: IBMJCEFIPS (certificate 376) and IBMJSSEFIPS (certificate 409) for cryptography. The certificates are listed on the NIST website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.
The following table is provided to help you locate WebSphere Commerce security bulletins.
To enhance the security of your WebSphere Commerce site, you can enable various features in Configuration Manager and the Administration Console.
Browsers and e-commerce sites use HTTP to communicate. HTTP is a stateless protocol, which means that each command is run independently without any knowledge of the commands that came before it. Because it is a stateless protocol, there must be a way to manage sessions between the browser side and the server side.
Administration in the WebSphere Commerce environment requires a variety of user IDs. These user IDs, along with their requisite authorities, are described in the following list. For the WebSphere Commerce user IDs, the default passwords are identified.
You can enable WebSphere Application Server security, which includes two orthogonal components: WebSphere global security and Java 2 security.