Changing the session encryption key
External-facing data, such as cookies, is encrypted with the key that is
specified in the Instance/SessionKey attribute in the HCL Commerce configuration
file. This key is generated and is different from the merchant key that
is specified during instance creation. The merchant key is still responsible for encrypting
sensitive data that is stored in the database, for example, credit card numbers. It is highly
recommended that you change the session key at the same time you change the merchant key.
According to the PCI specification, the merchant key should be changed at least annually.
Before you begin
Ensure that you are logged on as the HCL Commerce non-root user.
Ensure that the test server is stopped and that Rational Application Developer is not running.
Procedure
- Complete one of the following tasks:
  - Log on as an HCL Commerce non-root user.
- Go to the following directory:
  - WC_installdir/bin
  - WCDE_installdir\bin
- Run the update session key script to generate a new key:
  - ./config_ant.sh -DinstanceXml=WC_installdir/instances/instance_name/xml/instance_name.xml -buildfile WC_installdir/config/ant/updateSessionKey.xml update
  - updateSessionKey.bat
- Confirm the status from the following location:
  - The status message appears in the command window where you issued the check status command.
  - WCDE_installdir\logs\updateSessionKey.log
- If you are using local authentication on the Search server, ensure that the session key is synchronized between HCL Commerce and Search server. Copy the new session key to the HCL Commerce search server whenever it is changed on the HCL Commerce server.
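
A post-update check for this procedure, as an added example that is not part of the HCL documentation: it compares SHA-256 fingerprints of the SessionKey value in a pre-update copy of the instance XML and in the updated file, so the rotation can be confirmed without printing the key. It assumes the key appears as a SessionKey="..." attribute on the Instance element, that you kept a copy of the file from before the update, and that sha256sum is available; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm a session key rotation without printing the key.
# Assumption: the key is stored as SessionKey="..." on the <Instance> element.

# Print the SHA-256 fingerprint of the SessionKey value found in file $1.
session_key_fp() {
    key=$(tr '\n' ' ' < "$1" |
          sed -n 's/.*<Instance[^>]*[[:space:]]SessionKey="\([^"]*\)".*/\1/p')
    [ -n "$key" ] || return 2            # attribute missing or empty
    printf '%s' "$key" | sha256sum | cut -d' ' -f1
}

# Return 0 only when both files carry a key and the two keys differ.
verify_rotation() {
    old_fp=$(session_key_fp "$1") || { echo "no SessionKey in $1" >&2; return 2; }
    new_fp=$(session_key_fp "$2") || { echo "no SessionKey in $2" >&2; return 2; }
    if [ "$old_fp" = "$new_fp" ]; then
        echo "SessionKey unchanged: the update did not take effect" >&2
        return 1
    fi
    echo "SessionKey rotated, new fingerprint starts $(printf '%s' "$new_fp" | cut -c1-16)"
}

# Constructed sample files standing in for the backup and the updated XML.
demo=$(mktemp -d)
printf '<config>\n <Instance InstanceName="demo"\n  SessionKey="constructed-old-key"/>\n</config>\n' > "$demo/before.xml"
printf '<config>\n <Instance InstanceName="demo"\n  SessionKey="constructed-new-key"/>\n</config>\n' > "$demo/after.xml"
verify_rotation "$demo/before.xml" "$demo/after.xml"
```

The same fingerprint comparison can be run against the copy of the key held on the Search server to confirm that the two sides are synchronized, provided both values are exported in the same form.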