
HCL Commerce 9.1.13.2
Fix packs
HCL Commerce fix packs include defect fixes, and are made available between major releases, beginning with 9.1.13.1. It is recommended to upgrade to the latest fix pack as it becomes available. Only certain images within the release are updated for fix pack releases. These updated containers, with modified fix pack file names, are intended to be used with the remaining original containers of the same release.
Release | Date | Updated containers |
---|---|---|
HCL Commerce 9.1.13.2 | July 20, 2023 | |
HCL Commerce 9.1.13.1 | June 21, 2023 | |
HCL Commerce 9.1.13.0 | June 2, 2023 | Full release. |
For a full list of the release files and their associated MD5 checksum values, see HCL Commerce eAssemblies.
Security updates
Affected software | CVE(s) | Vulnerability |
---|---|---|
Elasticsearch | CVE-2023-3446, CVE-2023-2976, WS-2021-0646 | Multiple vulnerabilities in open source libraries affect HCL Commerce with Elasticsearch |
Affected software | CVE(s) | Vulnerability |
---|---|---|
WebSphere Application Server and IBM HTTP Server | CVE-2023-32342, CVE-2023-27554, CVE-2023-24966, CVE-2022-39161 | Multiple vulnerabilities in IBM WebSphere Application Server and IBM HTTP Server affect HCL Commerce |
IBM Java SDK and IBM HTTP Server | CVE-2023-30441, CVE-2023-25690 | Multiple vulnerabilities in IBM Java SDK and IBM HTTP Server included with IBM WebSphere Application Server affect HCL Commerce |
WebSphere Application Server | CVE-2023-24998, CVE-2023-26283 | Multiple vulnerabilities in IBM WebSphere Application Server affect HCL Commerce |
Important changes
HCL Commerce 9.1.13.2 contains the following important changes to site features and functionality.
- After upgrading to HCL Commerce 9.1.13.0 with the Elasticsearch-based search solution, you must delete any existing boost scripts.
  - Run the following REST API calls to delete any existing scripts.

        DELETE - http://ESHOST:ESPORT/_scripts/boost-script-param-1
        DELETE - http://ESHOST:ESPORT/_scripts/boost-script-param-2
        DELETE - http://ESHOST:ESPORT/_scripts/boost-script-param-3

    Note: You can use the GET request method to check for existing scripts.
  - Restart the Query service to re-generate the appropriate boost scripts for this release.
- A new parameter is added for health checking on the query server to stop the query server from starting until the NER file is generated. This behavior is controlled by the LockQueryServiceForNLPIntialization parameter, which is configurable in the wc-component.xml file. This parameter is set to 'prod, preprod', which means that by default both prod and preprod environments will not start until the NER file has been generated.
- The IBM json4j.jar file is deprecated. It will still function; however, the recommended version for new development work is wink-json4j-1.4.jar.
- The security settings for XML processing in inbound web services that use the Program Adapter and WCS.INTEGRATION message mapper were strengthened in HCL Commerce 9.1.12.0. You may need to update the configuration around handling external entities if it is too restrictive for your environment.
- Management Center for HCL Commerce in all releases 9.1.12.0 and greater now reports business user analytics to HCL. This information assists HCL in the development of new features and the enhancement of existing business user tools.

  Note: Only high level business user behaviors in new tools within Management Center are collected. No sensitive information about the user or the organization that owns the environment is captured or transmitted to HCL. Specifically, the URLs of the pages that business users access are logged. Event data such as the version of HCL Commerce and the deployment type, as well as generic information about the browser, are also collected. Google Analytics also captures general location information, if users have opted-in through their browser settings.

  Important: When starting the Tooling Web Docker container in versions 9.1.12.0 through 9.1.14.0, you must set the container deployment type. Failure to do so will prevent the container from starting. Ensure that you set the deployment type via the DEPLOYMENT_TYPE container environment variable, or in Vault at the following path: ${VAULT_URL}/${TENANT}/${ENVIRONMENT}/deploymentType. Accepted values are development, staging, or production.

  The collection of this data can be disabled during deployment. For more information on disabling this data collection, see the following steps in the deployment documentation:
- Hystrix is no longer supported by its maintainers. It is recommended to disable Hystrix on the Store server. For more information, see Disabling Hystrix on the Store server.
- Upgrading to HCL Commerce 9.1.13.2 with a social network OAuth 2.0 login integration that was configured prior to 9.1.7.0 requires changes to be made for the integration to continue working. Taking no action will result in the integration ceasing to function.
- From HCL Commerce version 9.1.10.0 onwards, Spring is upgraded from version 4.x to version 5.x. You must update your existing spring-extension.xml Spring configuration file with the supportedMethods property and the associated values of GET and POST. For example:

      <bean id="/GetRootManagedDirectory" class="org.springframework.web.servlet.mvc.ParameterizableViewController">
          <property name="viewName" value="/jsp/commerce/attachment/restricted/GetRootManagedDirectory.jsp"/>
          <property name="supportedMethods" value="GET,POST"/>
      </bean>
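
The boost-script cleanup from the first item in this list can be scripted so that each script is checked with GET, deleted only if present, and confirmed gone before the Query service is restarted. This is an added example, not HCL tooling; it assumes curl is installed, that `ES_HOST` and `ES_PORT` (hypothetical variable names standing in for ESHOST and ESPORT) point at the Elasticsearch node, and that no authentication is required.

```bash
#!/usr/bin/env bash
# Added example, not HCL tooling. ES_HOST / ES_PORT stand in for ESHOST / ESPORT
# and default to constructed values; no authentication is assumed.
ES_HOST="${ES_HOST:-localhost}"
ES_PORT="${ES_PORT:-9200}"
BOOST_SCRIPTS="boost-script-param-1 boost-script-param-2 boost-script-param-3"

# Stored-script URL for one script id.
script_url() { printf 'http://%s:%s/_scripts/%s' "$ES_HOST" "$ES_PORT" "$1"; }

# Print only the HTTP status of a request ("000" if the host is unreachable).
http_status() { # $1 = method, $2 = url
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 -X "$1" "$2" || true
}

# GET first, DELETE only what exists, then GET again to confirm removal.
# Returns 0 when the script is absent afterwards, 1 on any unexpected status.
delete_boost_script() {
  local url status
  url="$(script_url "$1")"
  status="$(http_status GET "$url")"
  case "$status" in
    404) echo "absent   $1"; return 0 ;;
    200) ;;
    *)   echo "error    $1 (GET returned $status)"; return 1 ;;
  esac
  status="$(http_status DELETE "$url")"
  if [ "$status" = "200" ] && [ "$(http_status GET "$url")" = "404" ]; then
    echo "deleted  $1"; return 0
  fi
  echo "error    $1 (DELETE returned $status)"; return 1
}

# Process all three scripts; a failure on one does not skip the others.
delete_all_boost_scripts() {
  local name failed=0
  for name in $BOOST_SCRIPTS; do
    delete_boost_script "$name" || failed=1
  done
  return "$failed"
}

# Only act when called with --run, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
  delete_all_boost_scripts &&
    echo "All boost scripts removed; restart the Query service to regenerate them."
fi
```

A status other than 200 or 404 (for example 401 on a secured cluster) is reported as an error for that script and makes the run exit non-zero, so the restart step is not suggested while an old script may still be present.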
Feature enhancements
The following features have been introduced in this release. Review the following list to ensure that your site is prepared once this update is applied.
Indicates enhancements
inspired by or created by customers and partners, and submitted through the
HCL Commerce | Product Portal. Sign up to vote and submit
your own ideas!
- Store
  - The Ruby storefront
    - The Ruby store is based on the framework that enables React-based web applications with server-side rendering and generation of static websites. Ruby provides a number of features to enhance site, product, and search management and interactions.
  - Customer Service Representative (CSR) post order capabilities
    - The Customer Service Representative (CSR) tool now supports non-headless stores such as AuroraEsite and AuroraB2BEsite.
- Tools
  - Google Analytics enhancements
    - Google Analytics supports GA4 reporting in Management Center.
  - React store preview improvements
    - Management Center now allows you to preview the following information along with previewing settings:
      - Page and Layout Information
      - Widget Information
  - Page Composer support for the Storefront Asset Store
    - Management Center supports the Storefront Asset Store (SAS) through the Page Composer tool.
  - Allow display of inventory without blocking ordering based on that inventory
    - An inventory flag for the non-ATP inventory system enables you to skip the inventory check and return the actual inventory quantity. It allows the store to display the inventory quantity without blocking ordering based on that inventory.
- Performance
  - Elasticsearch monitoring toolkit
    - Comprehensive documentation of the Elasticsearch toolkit guides you through different performance scenarios, discusses monitoring tools for Elasticsearch, and helps you identify critical metrics that require regular checks.
- Marketing
  - The marketing command cache rules are now relocated and enabled in the Transaction server. If the marketing cache rules were introduced previously by manual customization, they should be removed.
Defect fixes
See HCL Commerce 9.1.13.0, HCL Commerce 9.1.13.1, and HCL Commerce 9.1.13.2 in Fixes that are included in HCL Commerce releases for a detailed list of defects that were fixed in this release and its associated fix packs.
Supported companion software
Commerce | Companion software | Database | Browsers |
---|---|---|---|
HCL Commerce Version 9.1.13.0 | | | |