The information contained in this section applies to WebSphere Commerce Version 8. The documentation also applies to all subsequent releases and modifications until otherwise indicated in a newer section.
WebSphere Commerce is a single, unified e-commerce platform that offers the ability to do business directly with consumers (B2C), directly with businesses (B2B), and indirectly through channel partners (indirect business models). WebSphere Commerce is designed to be a customizable, scalable, and high-availability solution that is built to leverage open standards. It provides easy-to-use tools for business users to centrally manage a cross-channel strategy. Business users can create and manage precision marketing campaigns, promotions, catalog, and merchandising across all sales channels.
These topics describe the security features of WebSphere Commerce and how to configure these features.
The principal security standards covered in this section are NIST SP 800-131A, FIPS 140-2, and the PCI Data Security Standard (PCI DSS).
Creating a custom implementation of a WebSphere Commerce store requires a significant amount of planning. From gathering client requirements to deploying the live solution, much work is needed to successfully deploy a custom client store. Use the resources here to help you plan every phase of store creation.
Review the following sections for information about installing the WebSphere Commerce product, associated maintenance, and WebSphere Commerce enhancements.
Before you migrate to WebSphere Commerce Version 8.0, review this information to help plan and execute your migration.
The topics in this section describe how to publish stores to either a test or production environment, and how to deploy customized code.
Topics in the Integrating category highlight the tasks that are commonly performed for using WebSphere Commerce in combination with other products.
WebSphere Commerce provides many tutorials to help you customize and understand your WebSphere Commerce instance and stores.
The topics in the Developing section describe tasks performed by an application developer.
The following section describes how you can leverage WebSphere Commerce features and functionality to help your site be compliant with different privacy and security standards.
Authentication is the process of verifying that users or applications are who they claim to be. In a WebSphere Commerce system, authentication is required for all users and applications that access the system, except for guest customers.
The WebSphere Commerce authentication model is based on the following concepts: challenge mechanisms, authentication mechanisms and user registries.
WebSphere Commerce views access control or authorization as the process of verifying that users or applications have sufficient authority to access a resource. This section describes the details of several aspects of WebSphere Commerce access control.
National Institute of Standards and Technology (NIST) Special Publication 800-131A (SP 800-131A) offers guidance on migrating to stronger cryptographic keys and more robust algorithms. Configuring the product for SP 800-131A is only part of the picture; to ensure that you are fully compliant, refer to the NIST SP 800-131A standard itself.
Federal Information Processing Standards (FIPS) are standards and guidelines that are issued by the National Institute of Standards and Technology (NIST) for federal government computer systems. Federal Information Processing Standards publication 140-2 (FIPS 140-2) covers the security standards that are required for cryptographic modules. When in FIPS 140-2 mode, IBM WebSphere Commerce, through IBM WebSphere Application Server and IBM HTTP Server, uses the FIPS 140-2 approved cryptographic providers: IBMJCEFIPS (certificate 376) and IBMJSSEFIPS (certificate 409) for cryptography. The certificates are listed on the NIST website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.
There is more to navigating the PCI standard and the certification procedure than simply installing WebSphere Commerce and making the adjustments that are outlined in the preceding sections. Significant portions of the standard apply to your site as a whole (its network, processes, and people) but not to the software application itself. To help you address those parts of the standard completely, HCL has the expertise and resources to assist your site in becoming PCI compliant.
The Payment Card Industry (PCI) Data Security Standard (DSS), developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International, facilitates the global adoption of consistent data security measures.
WebSphere Commerce releases security bulletins for APARs that address issues that are considered to be security vulnerabilities. These bulletins provide security risk assessment information to help you assess if a particular issue might impact your organization.
The following WebSphere Commerce releases contain security fixes for defects that are considered to be security vulnerabilities. The following details provide security risk assessment information to help you assess if a particular issue might impact your organization.
To harden the security of your WebSphere Commerce site, you can enable and configure various security features. In addition, site customizations must always be made to comply with best practices as outlined in this document.
To enhance the security of your WebSphere Commerce site, you can enable various features in Configuration Manager and the Administration Console.
Browsers and e-commerce sites communicate using HTTP. HTTP is a stateless protocol: each request is handled independently, with no knowledge of the requests that preceded it. Because the protocol itself carries no state, a session must be maintained between the browser side and the server side so that the requests that make up one shopper's visit can be tied together and the identity established at login can be trusted on later requests.
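The following is an added example, not WebSphere Commerce code, and it models none of the product's own session cookies: it contrasts a stateless handler, which can only trust whatever identity the current request claims, with a handler that issues a random session ID in a cookie and resolves identity from server-side state. The cookie name, the attribute set on the Set-Cookie header, and the request shapes are assumptions chosen for illustration.

```python
"""Why a stateless protocol needs session management (added example)."""
import hmac
import secrets
from typing import Dict, Optional, Tuple

SESSION_COOKIE = "SESSIONID"  # assumed cookie name, not a product identifier


class StatelessServer:
    """Handles every request in isolation: no memory of earlier requests."""

    def handle(self, request: Dict[str, str]) -> str:
        # The only identity available is whatever this request asserts,
        # which any client can forge. Nothing links it to an earlier login.
        return f"user={request.get('user', 'anonymous')}"


class SessionServer:
    """Ties requests together with a server-issued, unguessable session ID."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}  # session id -> authenticated user

    def login(self, user: str) -> Tuple[str, str]:
        """Authenticate a user and return (session id, Set-Cookie header value)."""
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness; not derived from the user
        self._sessions[sid] = user
        # Secure: only sent over TLS. HttpOnly: not readable by page scripts.
        # SameSite=Lax: not attached to cross-site POSTs (limits CSRF).
        set_cookie = f"{SESSION_COOKIE}={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
        return sid, set_cookie

    def _lookup(self, sid: Optional[str]) -> Optional[str]:
        if sid is None:
            return None
        # Constant-time comparison so a guessed ID does not leak, via timing,
        # how many of its leading characters matched a real session.
        for stored, user in self._sessions.items():
            if hmac.compare_digest(stored, sid):
                return user
        return None

    def handle(self, cookies: Dict[str, str]) -> str:
        """Identity comes from server-side state, never from the request body."""
        user = self._lookup(cookies.get(SESSION_COOKIE))
        return f"user={user or 'anonymous'}"

    def logout(self, sid: str) -> None:
        """Invalidate server-side state so the old cookie stops working."""
        self._sessions.pop(sid, None)


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse a request 'Cookie:' header value into a name -> value dict."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name] = value
    return cookies


def demo() -> Dict[str, str]:
    """Run both servers over a constructed request sequence; returns each reply."""
    stateless = StatelessServer()
    results = {
        "stateless_claimed": stateless.handle({"user": "alice"}),  # trusts the claim
        "stateless_next": stateless.handle({}),  # no memory of the previous request
    }
    server = SessionServer()
    sid, _set_cookie = server.login("alice")
    cookies = parse_cookie_header(f"{SESSION_COOKIE}={sid}")
    results["session_valid"] = server.handle(cookies)
    results["session_missing"] = server.handle({})
    # A tampered ID (one character changed) must not resolve to any user.
    tampered = sid[:-1] + ("A" if sid[-1] != "A" else "B")
    results["session_tampered"] = server.handle({SESSION_COOKIE: tampered})
    # Logout invalidates the server-side entry, so the same cookie is now useless.
    server.logout(sid)
    results["session_after_logout"] = server.handle(cookies)
    return results


if __name__ == "__main__":
    for name, reply in demo().items():
        print(f"{name}: {reply}")
```

The stateless handler reports `user=alice` only because the request said so; the session handler reports `user=alice` only while a server-side entry exists for the presented ID, and a missing, altered, or logged-out cookie resolves to anonymous. In a deployed system the session ID should also be rotated at login and bound to an idle and absolute timeout, which this example leaves out.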
Administration in the WebSphere Commerce environment requires a variety of user IDs. These user IDs along with their requisite authorities are described in the following list. For the WebSphere Commerce user IDs, the default passwords are identified.
You can enable WebSphere Application Server security, which includes two orthogonal components: WebSphere global security, which governs authentication and authorization of users for administrative and application access, and Java 2 security, which enforces JVM-level permission checks on what application code is allowed to do (for example, file system and network access) according to policy files.