Enabling SSL for database connections

As you update your site to be General Data Protection Regulation (GDPR) ready, you may need to take additional steps so that customer data is encrypted during all communication, both internal and external. To help encrypt communication, WebSphere Commerce encrypts communications between servers. To secure any data transfer between WebSphere Commerce and your database, set up a Secure Sockets Layer (SSL) connection.

Before you begin

If you are using DB2, configure it to use SSL before you switch to the protocol in WebSphere Commerce.

  1. Configure the database to use SSL. For more information, see Configuring Secure Sockets Layer (SSL) support in a DB2 database.
  2. Extract the certificate that was created in the previous step, and copy it to your WebSphere Commerce environment. SSL uses the certificate to connect the database to WebSphere Commerce utilities.

Procedure

Configure the database connection for runtime applications.
  1. Import the database server certificate for the Transaction server:
    1. Open the WebSphere Application Server administrative console.
    2. Go to Security > SSL certificate and key management > Key stores and certificates > {select a resource} > Signer certificates > Retrieve from port.
    3. Click Retrieve from port.
    4. Enter the host name and security port of the database server.
    5. Type an alias name for the certificate.
    6. Click Retrieve signer information.
    7. Click OK to save the configuration.
  2. Configure the data source to support SSL connections with the Transaction server.
    1. Select Resources > JDBC > Data sources.
    2. Select WebSphere Commerce db-type DataSource demo in the data source list, where db-type is the database type that you are using, for example, DB2.
    3. Update the port number in the Common and required data source properties section. Enter the value of the security port that you set in the database server.
    4. Click Apply.
    5. In the Additional Properties section, select Custom properties.
    6. Click New.
    7. Enter sslConnection in the Name field, and enter true in the Value field.
    8. Click OK to save the configurations.
    9. Perform the same configuration for the data source WebSphere Commerce db-type Publish DataSource demo.
  3. Restart the Transaction server and Search server.
Configure the database connection for utilities: Oracle databases
  1. If you are configuring an Oracle database, see Configuring the Oracle database connection for utilities to authenticate users with Oracle Wallet.
Configure the database connection for utilities: DB2 databases
  1. Import the SSL certificate to the JDK default trust store.
    1. Open a command-line window and change directories to WAS_installdir/java_1.7_64/jre/bin.
    2. Use Keytool to import the certificate.
      ./keytool -import -file <cert_location> -keystore WAS_installdir/java_1.7_64/jre/lib/security/cacerts \
          -alias <alias> -storepass <key_store_password>
      Where
      cert_location
      The path to the certificate that was generated when you configured the database to use SSL.
      key_store_password
      The password of the trust key store. The default password of the JDK default trust store is 'changeit'.
  2. Update the database connection configuration file.
    1. Go to the directory WC_installdir/xm/config, and open the alldbconnector.xml configuration file for editing. For more information about the alldbconnector.xml file, see Database connection acquisition for utilities and Ant tasks.
    2. Update the db2 type in alldbconnector.xml. Ensure that you include the property sslConnection with the value true, and the property portNumber with the value of the database server security port. After these properties are set, all utilities communicate with the database over an SSL connection.
      For example,
      <db2>
      ...
      <property name="sslConnection" value="true"/>
      <property name="portNumber" value="50001"/>
      ...
      </db2>
      
  3. Create a new properties file to override the Java security properties. Add the following content to the file.
    security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
    ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
    ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
    
    Save and exit the file.
  4. Configure the environment variable setting scripts.
    1. Edit the script WC_installdir/bin/setenv.sh.
    2. Update the environment variable JAVA_EXE to include the property java.security.properties. For example,
      JAVA_EXE="$JAVA_HOME/bin/java -DWAS_HOME=$WAS_HOME -DWAS_INST=$WAS_INST -DWAS_PLUGIN_HOME=$WAS_PLUGIN_HOME \
          -Djava.endorsed.dirs=${WAS_ENDORSED_DIRS_JDK7} -Djava.security.properties=<customized_properties_file_location>"
      Where customized_properties_file_location is the path to the properties file that you created in the previous step.
    3. Save and exit the file.
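
An added check, not part of the original documentation: a shell function that confirms the settings from the DB2 utilities steps are present in alldbconnector.xml, the Java security override file, and setenv.sh. The function names are this example's own, and it assumes that name precedes value in each property element, as in the example above.

```shell
#!/bin/sh
# Added example: checks the three files edited in the DB2 utilities steps.
# Usage: check_db_ssl_config <alldbconnector.xml> <override.properties> <setenv.sh>
# Returns 0 when every check passes; prints one FAIL line per problem.

# Print the value of <property name="$2" value="..."/> inside <db2> in file $1.
db2_prop() {
    sed -n '/<db2>/,/<\/db2>/p' "$1" |
        sed -n 's/.*<property name="'"$2"'" value="\([^"]*\)".*/\1/p' | head -n 1
}

check_db_ssl_config() {
    xml=$1 props=$2 setenv=$3 rc=0

    # Utilities only use SSL when sslConnection is true for the db2 type.
    [ "$(db2_prop "$xml" sslConnection)" = "true" ] ||
        { echo "FAIL: sslConnection is not true in <db2>"; rc=1; }

    # portNumber must carry the database server security port.
    case $(db2_prop "$xml" portNumber) in
        ''|*[!0-9]*) echo "FAIL: portNumber missing or not numeric"; rc=1 ;;
    esac

    # The override file must contain all three provider lines exactly.
    for line in \
        'security.provider.1=com.ibm.jsse2.IBMJSSEProvider2' \
        'ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl' \
        'ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl'
    do
        grep -qxF "$line" "$props" || { echo "FAIL: missing $line"; rc=1; }
    done

    # JAVA_EXE must pass the override file through java.security.properties.
    grep -qF -- "-Djava.security.properties=$props" "$setenv" ||
        { echo "FAIL: setenv.sh does not reference $props"; rc=1; }

    return $rc
}

# Run against real files when three paths are given on the command line.
if [ $# -eq 3 ]; then
    check_db_ssl_config "$1" "$2" "$3"
fi
```

Pass the override file path exactly as it is written in setenv.sh, because the last check matches that path literally.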