HCL Commerce Version 9.1.14.0

HCL Commerce 9.1.14.1

HCL Commerce 9.1.14.0 was released on September 19, 2023. A fix pack for HCL Commerce, HCL Commerce 9.1.14.1, was released on October 25, 2023.

Fix packs

HCL Commerce fix packs for Elasticsearch functionality will be made available between major releases, starting with 9.1.13.1, to provide important search-related updates. It is recommended to upgrade to the latest fix pack as it becomes available. Only certain images within the release are updated for fix pack releases. These updated containers, with modified fix pack file names, are intended to be used with the remaining original containers of the same release.

Release: HCL Commerce 9.1.14.1
Date: October 25, 2023
Updated containers:
  • HCL_Commerce_Enterprise_9.1.14.1_Data_Query_Server_x86-64.tgz
  • HCL_Commerce_Enterprise_9.1.14.1_Data_Ingest_Server_x86-64.tgz
  • HCL_Commerce_Enterprise_9.1.14.1_Data_NiFi_Server_x86-64.tgz
  • HCL_Commerce_Enterprise_9.1.14.1_Data_NiFi_Registry_Server_x86-64.tgz
  • HCL_Commerce_Enterprise_9.1.14.1_Data_Query_Server_ppc64le.tgz
  • HCL_Commerce_Enterprise_9.1.14.1_Data_Ingest_Server_ppc64le.tgz
  • HCL_Commerce_Enterprise_9.1.14.1_Data_NiFi_Server_ppc64le.tgz
  • HCL_Commerce_Enterprise_9.1.14.1_Data_NiFi_Registry_Server_ppc64le.tgz
  • HCL_Commerce_Enterprise_9.1.14.1_Transaction_Server_ppc64le.tgz
  • HCL_Commerce_Search_Bundle_9.1.14.1.zip
  • HCL_Commerce_Helm_Charts_9.1.14.1.bundle

Release: HCL Commerce 9.1.14.0
Date: September 19, 2023
Updated containers: Full release.

For a full list of the release files and their associated MD5 checksum values, see HCL Commerce eAssemblies.

Security updates

HCL Commerce 9.1.14.0 contains the following security-related fixes.

Affected software: WebSphere Application Server and IBM Java SDK
CVE(s): CVE-2022-40609, CVE-2023-21930, CVE-2023-21967, CVE-2023-21954, CVE-2023-21968, CVE-2023-21937, CVE-2023-21938, CVE-2023-35890, CVE-2023-22, CVE-2023-22049045, CVE-2023-22049
Vulnerability: Multiple vulnerabilities in IBM WebSphere Application Server and IBM Java SDK affect HCL Commerce

Affected software: Apache Lucene
CVE(s): WS-2021-0646
Vulnerability: A vulnerability in Apache Lucene affects HCL Commerce with Elasticsearch

Affected software: HCL Commerce
CVE(s): CVE-2023-37532
Vulnerability: A path traversal vulnerability affects HCL Commerce

Important changes

HCL Commerce 9.1.14.1 contains the following important changes to site features and functionality.

Important: Required changes
  • Before upgrading your deployment to HCL Commerce 9.1.14.0, you must consider the implications of the non-root user update. Not doing so can break your deployment. For more information, see HCL Commerce container users and privileges.
  • After upgrading to HCL Commerce 9.1.14.0 with the Elasticsearch-based search solution, you must delete any existing boost scripts.
    1. Run the following REST API calls to delete any existing scripts.
      DELETE - http://ESHOST:ESPORT/_scripts/boost-script-param-1
      DELETE - http://ESHOST:ESPORT/_scripts/boost-script-param-2
      DELETE - http://ESHOST:ESPORT/_scripts/boost-script-param-3
      Note: You can use the GET request method to check for existing scripts.
    2. Restart the Query service to re-generate the appropriate boost scripts for this release.
  • Management Center for HCL Commerce in all releases 9.1.12.0 and greater now reports business user analytics to HCL. This information assists HCL in the development of new features and the enhancement of existing business user tools.
    Note: Only high-level business user behaviors in new tools within Management Center are collected. No sensitive information about the user or the organization that owns the environment is captured or transmitted to HCL. Specifically, the URLs of the pages that business users access are logged. Event data such as the version of HCL Commerce and the deployment type, as well as generic information about the browser, are also collected. Google Analytics also captures general location information, if users have opted in through their browser settings.
    Important: When starting the Tooling Web Docker container in versions 9.1.12.0 through 9.1.14.0, you must set the container deployment type. Failure to do so will prevent the container from starting. Ensure that you set the deployment type via the DEPLOYMENT_TYPE container environment variable, or in Vault at the following path ${VAULT_URL}/${TENANT}/${ENVIRONMENT}/deploymentType. Accepted values are development, staging, or production.
    The collection of this data can be disabled during deployment. For more information on disabling this data collection, see the following steps in the deployment documentation:
    • For Docker deployments, see step #8 in the deployment prerequisites.
    • For Kubernetes deployments, see step #11 in the deployment prerequisites.
    • For SoFy deployments, see step #2 in the deployment.
  • Upgrading to HCL Commerce 9.1.14.1 with a social network OAuth 2.0 login integration that was configured prior to 9.1.7.0 requires changes to be made for the integration to continue working. Taking no action will result in the integration ceasing to function.


  • From HCL Commerce version 9.1.10.0 onwards, Spring is upgraded from version 4.x to version 5.x. You must update your existing spring-extension.xml Spring configuration file with the supportedMethods property and the associated values of GET and POST.
    For example:
    <bean id="/GetRootManagedDirectory" class="org.springframework.web.servlet.mvc.ParameterizableViewController">
      <property name="viewName" value="/jsp/commerce/attachment/restricted/GetRootManagedDirectory.jsp"/>
      <property name="supportedMethods" value="GET,POST"/>
    </bean>
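
The boost-script cleanup from the required changes above, as an added shell example (not HCL's own tooling): it checks each of the three script IDs with GET and deletes only those that exist. `ES_URL`, the `HTTP` stub hook and the `--run` flag are assumptions of this example, and the cluster is assumed to accept unauthenticated HTTP requests as in the URLs shown.

```shell
#!/bin/sh
# Added example, not HCL code: remove the stored boost scripts named in the
# upgrade step through the Elasticsearch stored-scripts API.
ES_URL="${ES_URL:-http://ESHOST:ESPORT}"   # placeholder from the page; set to your cluster
BOOST_SCRIPTS="boost-script-param-1 boost-script-param-2 boost-script-param-3"

# http_status METHOD URL: print only the HTTP status code of the response.
# HTTP (hypothetical hook) may name a function that replaces curl, e.g. for a dry run.
http_status() {
  if [ -n "${HTTP:-}" ]; then "$HTTP" "$1" "$2"; return; fi
  # curl prints 000 when the connection itself fails
  curl -sS -o /dev/null -w '%{http_code}' -X "$1" "$2"
}

# delete_boost_script ID: print "deleted", "absent" or "error:<method>:<code>".
delete_boost_script() {
  url="$ES_URL/_scripts/$1"
  code=$(http_status GET "$url")
  case "$code" in
    404) echo absent; return 0 ;;          # nothing stored under this id
    200) ;;                                # script exists, go on to delete it
    *)   echo "error:GET:$code"; return 1 ;;
  esac
  code=$(http_status DELETE "$url")
  if [ "$code" = 200 ]; then
    echo deleted
  else
    echo "error:DELETE:$code"; return 1
  fi
}

# Process all three ids; return non-zero if any of them could not be handled.
cleanup_boost_scripts() {
  rc=0
  for id in $BOOST_SCRIPTS; do
    result=$(delete_boost_script "$id") || rc=1
    printf '%s %s\n' "$id" "$result"
  done
  return $rc
}

# Contact the cluster only when asked to explicitly.
if [ "${1:-}" = "--run" ]; then cleanup_boost_scripts; fi
```

Once every ID reports `deleted` or `absent`, restart the Query service as described in step 2.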

Feature enhancements

The following features have been introduced in this release. Review the following list to ensure that your site is prepared once this update is applied.


Deployment
Non-root user introduction
A non-root user is introduced as the default user across all HCL Commerce containers that were using the root user. This enhancement allows for increased compliance and better conformity with industry security best practices. The use of the root user remains available for customers with existing requirements.
Restriction: Upgrading Power-based environments to non-root containers is currently not supported. New deployments are supported.
CentOS operating system migration
The CentOS Linux operating system image that has been used within the various HCL Commerce application Docker containers has been migrated to the Red Hat Universal Base Image (UBI) 8. This upgrade strips the Linux operating system to its bare essentials, offering benefits such as improved performance, stability, security, and streamlined support when it comes to underlying operating system issues. CentOS Linux 7 will reach end-of-life (EOL) on June 30, 2024.
  • The NodeJS and GraphQL containers use the UBI minimal image.
  • All remaining containers use the UBI standard image.
Note: UBI uses the DNF (Dandified YUM) package manager, as opposed to the YUM package manager previously used in CentOS.
Hystrix disabled by default
Hystrix, a latency and fault tolerance technology that was previously used on the Store server, has been deprecated and is disabled by default. The technology is no longer maintained by its developers, and disabling it was recommended in previous releases of HCL Commerce.


Basic and Advanced Natural Language Processing (NLP)
HCL Commerce uses the full suite of CoreNLP Natural Language Processing features for a comprehensive set of default languages. If you add languages beyond this default set, the extra languages are evaluated by a Basic NLP module. This fallback processing mechanism gives you most of the advantages of full NLP without using CoreNLP.


Store
Next.js B2B store

The Next.js store application is enabled for B2B e-commerce. The sample B2B storefront is called Ruby B2B. The B2B Next.js store includes B2B features in addition to all of the features available in the B2C storefront, with the exception of guest-user shopping flows.

The Next.js store application has been moved out of the preview stage.


Kit details page
Kits are collections of products that your customers can purchase in a single transaction. The default layout for the page displays the kit name, image, price, short description, long description, descriptive attributes, and more.


Bundle details page
The Bundle page displays various combinations of items (bundles) in tabular form, which allows you to select attributes for products and their variants. The default layout for the page displays the bundle name, image, price, short description, long description, descriptive attributes, and more.


Multiple languages for Next.js store

The Next.js store application supports multiple languages, allowing users to choose their preferred language for their shopping experience.


Customer Service Representative (CSR) Appeasements

A CSR can perform an appeasement on orders that are in open statuses.

Tools
Google Analytics enhancements
Google Analytics has been upgraded to provide GA4 support for the Ruby store.


Active Catalog Filter
Management Center now allows you to view, add, remove, and replace the active catalog filter in the Catalog and Pricing tool.


TinyMCE Editor
From version 9.1.14 onwards, Management Center for HCL Commerce has replaced CKEditor with TinyMCE editor version 6, which is available by default.


SAS Support for the Page Composer tool
From HCL Commerce version 9.1.14.0 onwards, Storefront Asset Store (SAS) support is enabled by default.


Security
XML Parser Enhancement
Security enhancements have been made to the XML processing of inbound web services that use the Program Adapter and WCS.INTEGRATION message mapper. The new feature offers a more flexible way to validate inbound requests and prevent users from accessing remote resources hosted by untrusted sites.

Defect fixes

See HCL Commerce 9.1.14.0 and HCL Commerce 9.1.14.1 in Fixes that are included in HCL Commerce releases for a detailed list of defects that were fixed in this release and its associated fix pack.

Supported companion software

HCL Commerce 9.1.14.1 has been tested with the following companion software.

Commerce: HCL Commerce Version 9.1.14.0

Companion software
  • WebSphere Application Server 9.0.5.16 + PH54406
  • WebSphere Application Server V8.5.5 Liberty 23.0.0.6
  • IBM SDK, Java Technology Edition, Version 8.0.8.6
  • IBM HTTP Server 9.0.5.16
  • Elasticsearch
    • x86-64: 7.17.10
    • Power: 7.17.10
  • ZooKeeper
    • x86-64: 3.8.0
    • Power: 3.8.0
  • Redis
    • x86-64: 7.0.12
    • Power: 7.0.12
  • Redisson 3.23.3
  • NiFi 1.22
  • NiFi Registry 1.22
  • Vault 1.13.4
  • Kubernetes 1.25 to 1.27

Database
  • Solr-based search solution
    • IBM Db2
      • x86-64: 11.5.8
      • Power: 11.5.8
    • Oracle 18c
    • Oracle 19c
  • Elasticsearch-based search solution
    • IBM Db2
      • x86-64: 11.5.8
      • Power: 11.5
    • Oracle 19c
  • Approval server
    • PostgreSQL 14.8

Browsers
  • Management Center for HCL Commerce
    • Edge 20+
    • Firefox 39+
    • Chrome 44+
    • Safari 10+
    Note: HCL Commerce 9.1.14.0 and greater no longer support Internet Explorer for use with Management Center.
  • React-based storefronts
    • Edge 87+
    • Firefox 84+
    • Chrome 87+
    • Safari 14+
  • Aurora-based storefronts
    • Internet Explorer 20H2+
    • Edge 87+
    • Firefox 84+
    • Chrome 87+
    • Safari 14+