Changing the session encryption key

Externally facing data, such as encrypted cookies, is protected with a session key. You configure this key differently in the development and runtime environments.

This key is generated automatically and is distinct from the merchant key that is specified during instance creation. The merchant key remains responsible for encrypting sensitive data that is stored in the database, for example credit card numbers. Change the session key whenever you change the merchant key. According to the PCI specification, the merchant key should be changed at least annually.

In the development environment, the key is specified in the Instance/SessionKey attribute in the HCL Commerce configuration file.

Before you begin

  • HCL Commerce Developer: Ensure that the test server is stopped and that Rational Application Developer is not running.

Procedure

In the runtime environment, use the set-session-key run engine command to set the session key. For instructions on using this command with the Transaction server, see Transaction server Run Engine commands. For Search sessions, see Search server Run Engine commands.

HCL Commerce Developer: In the development environment, perform the following steps to set the session key.

  1. At the command line, change to the WCDE_installdir\bin directory.
  2. Run the update session key script, updateSessionKey.bat, to generate a new key and update the HCL Commerce configuration file with the new value.
  3. Confirm the status in the WCDE_installdir\logs\updateSessionKey.log file.
  4. If you use local authentication on the Search server, ensure that the session key is synchronized between HCL Commerce and the Search server. Copy the new session key to the HCL Commerce Search server whenever it changes on the HCL Commerce server.
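The following PowerShell script is an added example and is not part of the HCL Commerce documentation or product. It drives the four development-environment steps above and adds the checks a practitioner wants: it records the Instance/SessionKey value before running updateSessionKey.bat, fails if the script returns a non-zero exit code or leaves the key unchanged, shows the tail of updateSessionKey.log, and, when a Search server configuration path is supplied, compares the two keys so that a missed copy (step 4) is caught. The paths passed as parameters, the assumption that the configuration file is XML with an Instance element carrying a SessionKey attribute, and the assumption that the Search server stores its copy in the same layout are the author's own and must be adjusted for your instance.

```powershell
# Added example, not HCL Commerce product code.
# Assumptions (not stated on the page):
#   * $WcdeInstallDir is the WCDE_installdir root.
#   * $ConfigPath is the HCL Commerce configuration file (XML) that holds the
#     Instance element with the SessionKey attribute.
#   * $SearchConfigPath, if given, is the Search server's copy of that
#     configuration in the same Instance/SessionKey layout (hypothetical).
# Before running: stop the test server and close Rational Application
# Developer, as the "Before you begin" section requires.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$WcdeInstallDir,
    [Parameter(Mandatory)][string]$ConfigPath,
    [string]$SearchConfigPath = ''
)

$ErrorActionPreference = 'Stop'

# Read the SessionKey attribute from the Instance element of a config file.
function Get-SessionKey {
    param([Parameter(Mandatory)][string]$Path)
    $xml  = [xml](Get-Content -LiteralPath $Path -Raw)
    $node = $xml.SelectSingleNode('//Instance[@SessionKey]')
    if (-not $node) { throw "No Instance/SessionKey attribute found in $Path" }
    return $node.GetAttribute('SessionKey')
}

$binDir  = Join-Path $WcdeInstallDir 'bin'
$logPath = Join-Path $WcdeInstallDir 'logs\updateSessionKey.log'

# Capture the current key so we can prove the script actually rotated it.
$before = Get-SessionKey -Path $ConfigPath

# Steps 1 and 2: run updateSessionKey.bat from WCDE_installdir\bin.
Push-Location $binDir
try {
    & .\updateSessionKey.bat
    $rc = $LASTEXITCODE
}
finally {
    Pop-Location
}
if ($rc -ne 0) { throw "updateSessionKey.bat exited with code $rc" }

# Step 3: show the end of the log for the operator to confirm the status.
if (Test-Path -LiteralPath $logPath) {
    Write-Host "--- tail of $logPath ---"
    Get-Content -LiteralPath $logPath -Tail 20
}
else {
    Write-Warning "Log file not found: $logPath"
}

# Verify the configuration file now carries a different key.
$after = Get-SessionKey -Path $ConfigPath
if ($after -eq $before) {
    throw 'Session key in the configuration file did not change; check the log'
}
Write-Host 'Session key rotated in the HCL Commerce configuration file.'

# Step 4: with local authentication on the Search server, the Search copy
# must match the new key. Report a mismatch rather than silently continuing.
if ($SearchConfigPath) {
    $searchKey = Get-SessionKey -Path $SearchConfigPath
    if ($searchKey -ne $after) {
        Write-Warning ('Search server key differs from the new HCL Commerce ' +
                       'key; copy the new SessionKey value to the Search server.')
    }
    else {
        Write-Host 'Search server session key is in sync.'
    }
}
```

Run it with the instance root and the configuration file path, for example `.\Rotate-SessionKey.ps1 -WcdeInstallDir C:\WCDE -ConfigPath <path to configuration file> -SearchConfigPath <path to Search server copy>`; the before/after comparison is what turns "confirm the status in the log" into a hard failure when the rotation did not happen.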