Changing the session encryption key
External facing data, such as cookie encryption, is encrypted by an encryption
key that is specified in the Instance/SessionKey attribute in the WebSphere Commerce configuration file. This key is
generated and is different from the merchant key that is specified during instance creation. The
merchant key is still responsible for encrypting sensitive data that is stored in the database, for
example, credit card numbers. It is highly recommended that you change the session key
at the same time you change the merchant key. According to PCI specification, the merchant key
should be changed at least annually.
Before you begin
Ensure that you are logged on as the WebSphere Commerce non-root
user.
Ensure that the test server is stopped and that Rational Application
Developer is not running.
Procedure
-
Complete one of the following tasks:
- Log on as a WebSphere Commerce non-root user.
Log on with a user ID that is a member of the Windows Administration
group.
-
Go to the following directory:
- WC_installdir/bin
- WCDE_installdir\bin
-
Run the update session key script to generate a new key:
- config_ant
-DinstanceXml=WC_installdir\instances\instance_name\xml\instance_name.xml
-buildfile WC_installdir\config\ant\updateSessionKey.xml update
- ./config_ant.sh
-DinstanceXml=WC_installdir/instances/instance_name/xml/instance_name.xml
-buildfile WC_installdir/config/ant/updateSessionKey.xml update
- updateSessionKey.bat
-
Confirm the status from the following location:
- The status message appears in the command window where you issued the check status command.
- WCDE_installdir\logs\updateSessionKey.log
-
Run the following command to propagate the change to wc-server.xml
file.
config_ant -DinstanceName=demo UpdateEAR./config_ant.sh -DinstanceName=demo UpdateEAR
Every time you change the session encryption key, synchronize it with WebSphere Commerce search.