Migrating from Triple DES to AES-128 encryption (2024)


Upgrade your default WebSphere Commerce database encryption to a stronger standard to reduce the chances of a successful brute force attack.

For WebSphere Commerce Developer environments on Mod Pack 3 or later, see Migrating from Triple DES to AES-128 encryption on Mod Pack 3 or later.

About this task

By default, the WebSphere Commerce database is encrypted using the Triple Data Encryption Standard (Triple DES) algorithm. This standard was implemented at a time when a smaller cipher size was considered safe. While still considered a relevant industry standard, Triple DES has since been superseded by a stronger standard known as Advanced Encryption Standard (AES). With a stronger cipher standard, AES is less susceptible to brute force attacks that have become feasible with the continual improvements in computational power over the years.

Upgrading to AES-128 is part of updating to NIST SP 800-131A security standards. Consider NIST SP 800-131A for more enhancements to site security. See Updating to NIST SP 800-131A security standards.

Procedure

  1. Migrate encrypted data in the database to use AES 128-bit encryption. To complete this migration, you must run MigrateEncryptedInfo by using the Key Locator Framework (-k) to specify the new AES merchant key. Add the algorithm="AES" attribute to the new key definition in the custom key configuration file. Use 32 hex characters (128 bits) for the new key and optional key encryption key values.

    Note: Switching to an AES merchant key can result in temporary session cookie decryption errors for any existing sessions that were created before you upgrade to the AES merchant key.

    1. Specify that the new key in the keys configuration file uses the AES algorithm by adding the algorithm="AES" attribute to the new key definition in the custom keys configuration file.

      For example, create or update the WC_eardir/xml/config/CustomKeys.xml file to have a new key definition similar to the following example.

      <key name="MerchantKey" providerName="WC" status="new"
           className="com.ibm.commerce.security.keys.WCExternalFileMerchantKeyImpl"
           version="2" algorithm="AES">
        <config name="keyFile" value="merchantKey.xml"/>
        <config name="keyEncryptionKeyFile" value="KeyEncryptionKey.xml"/>
        <config name="newKeyFile1" value="newMerchantKey1.xml"/>
        <config name="newKeyFile2" value="newMerchantKey2.xml"/>
      </key>

      For more information about the Key Locator Framework, see Key Locator Framework (KLF).

    2. Ensure that the new keys files combine to form 32 hex characters.
    3. Ensure that the key encryption key, if specified, is also 32 hex characters.
    4. Open a command prompt and go to the following directory:
      • WC_installdir\bin
      • WCDE_installdir\bin
    5. Run the MigrateEncryptedInfo utility for each instance, with the Key Locator Framework (-k) option:
      • For runtime environments, you can run the MigrateEncryptedInfo utility when the server is offline or online. Follow the steps in Updating encrypted data using MigrateEncryptedInfo (server offline) or Updating encrypted data using MigrateEncryptedInfo (server online).
      • For a development environment, you must run the MigrateEncryptedInfo utility when the server is offline. Follow the steps in Updating encrypted data using MigrateEncryptedInfo (server offline).
  2. Update the Business Audit Key that is defined in BusinessAuditDataCapture.xml so it can be used with AES. The default audit key is an encrypted 16 character audit key. To encrypt with AES, the key must be replaced by the encrypted value of a new default 32 character audit key.
    1. Go to the following directory:
      • WC_installdir\wc.ear\xml\config
      • workspace_dir\WC\xml\config
    2. Open BusinessAuditDataCapture.xml for editing.
    3. Optional: If you modified the default audit key to a custom value, rename the original AuditKey to CustomAuditKey.

      The CustomAuditKey node must be defined to continue validating existing records/signatures in the database.

      1. Search for the default audit key value: <AuditKey value="rZ15ws0ely9yHk3zCs3sTMv/ho8fY17s" />
      2. If the value matches your search, then you do not have to rename to CustomAuditKey. Continue to 2.d.
      3. If the value does not match your search, copy the <AuditKey> node.
      4. Paste the node into the file.
      5. For the node that you pasted, replace the word "AuditKey" with "CustomAuditKey".
    4. Update the <AuditKey> node with the following 32 character audit key:
      <AuditKey value="Jmz6ON1Y+573xkNVuOPbfRhZLEJTcW0kqgbCVJv4Jv7UlAGSVFHw6g=="/>
    5. Save and close the file.
    6. Deploy this file for each production instance. For steps on how to deploy a single file, see Deploying J2EE assets for a single file.
  3. Update the instance configuration file, for each instance, to include the AES_DB="true" parameter.
    1. In a text editor, open the WebSphere Commerce configuration file for the instance:
      • WC_installdir\instances\instanceName\xml\instance_name.xml
      • WCDE_installdir\workspace\WC\xml\config\wc-server.xml
    2. In the configuration file, search for the parameter AES_DB. If the parameter does not exist, add the parameter.
      <config>
        <InstanceProperties name="Instance Properties">
          ...
          <Security AES_DB="true" AdminPwd="0gYsW5onfbvbp7Q3MYrc917pU0EFWcJPgwsgCjE/Btg=" AdminUser="configadmin" AuthMode="" Realm="" RunAsID="" RunAsPwd="" enabled="false" enabledGlobal="true" passwordpolicy="true"/>
          ...
        </InstanceProperties>
        ...
      </config>

      If the parameter exists, ensure that the value is set to "true".

    3. Save and close the file.
    4. If your site uses a clustered environment, you must manually sync the nodes by using the deployment manager for the changes to take effect.
    5. Propagate the changes that are made to the WebSphere Commerce configuration file. For steps on how to propagate changes, see Propagating changes to the WebSphere Commerce configuration file.
  4. Update product.xml to include the AES_DB="true" parameter on production instances.
    1. Open WC_installdir\xml\product.xml
    2. Search for the parameter, AES_DB. If the parameter does not exist, add the parameter.

      For example:

      <websphere>
        <commercesuite>
          ...
          <security>
            <AES_DB>true</AES_DB>
          </security>
        </commercesuite>
      </websphere>

      If the parameter exists, ensure that the value is set to "true".

    3. Save and close the file.
    4. Deploy this file for each production instance. For steps on how to deploy a single file, see Deploying J2EE assets for a single file.
  5. Restart the server.
  6. Run the MigrateEncryptedFiles utility.

    For the utility to complete successfully, ensure that the WebSphere Application Server is continuously up and running during the process.

    1. In a command prompt, go to the following directory:
      • WC_installdir/bin
      • WC_installdir\bin
      • WCDE_installdir\bin
    2. Run the following command:
      • MigrateEncryptedFiles.sh
      • MigrateEncryptedFiles.bat
      • MigrateEncryptedFiles.bat

      To verify that the utility ran successfully, in each of the wc-server.xml or product.xml files that you updated in step 3 and step 4, ensure that the AES_Files parameter is set to "true".

  7. Restart the WebSphere Application Server.
  8. Enable AES on the Search server:
    1. Set the following namespace bindings in the WebSphere Application Server for each Search machine.
      1. In the WebSphere Commerce Search server WebSphere Application Server administrative console, go to Environments > Naming > Name space bindings > scope:Node=demo_search_node,Server=solrServer.
      2. Add the following name-value pair.
        Table 1.
        Name: com.ibm.commerce.foundation.server.services.search.aes.files
        Value: true
      3. Update the following name-value pair.
        Table 2.
        Name: com.ibm.commerce.foundation.server.services.commerce.integration.sessionkey
        Value: The sessionKey value from the WebSphere Commerce wc-server.xml file.
      4. Required if application security is enabled on the Search server:
        1. Set the following namespace binding in WebSphere Application Server for each WebSphere Commerce Authoring and Production machine: In the WebSphere Commerce server WebSphere Application Server administrative console, go to Environments > Naming > Name space bindings > scope:Node=WC_demo_node,Server=server1.
        2. Update the following name-value pair.
          Table 3.
          Name: com.ibm.commerce.foundation.server.services.search.application.security.password
          Value: The Search server's application security password, encrypted by the wcs_encrypt utility in WebSphere Commerce. You do not need to specify the merchant key because WebSphere Commerce and Search are now using AES protocol.

          For more information, see Generate encrypted data (wcs_encrypt).

        3. Set the following namespace binding in WebSphere Application Server for each Search Production and Repeater machine. In the Search server WebSphere Application Server administrative console, go to Environments > Naming > Name space bindings > scope:Node=demo_search_node,Server=solrServer.
    2. This step is only required if you are using the Commerce Insights BAC SFTP Server password (used by Commerce Insights Product Sequencing), and assuming that WebSphere Commerce is already using AES for its files.
      1. Edit or create the file Search_eardir/xml/config/com.ibm.commerce.foundation/wc-component.xml.
      2. Set the property <_config:property name="BACSFTPServerSetting/userPassword" value=""/> by running the wcs_encrypt utility (without the merchant key) from the WC_install/bin directory.
      3. Set the AES flags to true in Search_eardir/xml/config/com.ibm.commerce.foundation/wc-component.xml:
        <_config:property name="CommerceServerSetting/Security/AESDBEnabled" value="true"/>
        <_config:property name="CommerceServerSetting/Security/AESFilesEnabled" value="true"/>
      4. Restart the servers that were updated above.
  9. Edit the file Search_eardir/xml/config/com.ibm.commerce.foundation/wc-component.xml. Set the AES flags in the file to true.
    <_config:property name="CommerceServerSetting/Security/AESDBEnabled" value="true"/>
    <_config:property name="CommerceServerSetting/Security/AESFilesEnabled" value="true"/>
  10. Restart the search server.
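
A check of the settings named in steps 1, 3, 4 and 6, as an added example that is not IBM tooling or code from the original page. It assumes the key values are passed in as plain hex strings (the page does not show the key file format), a constructed <keys> wrapper element, and that AES_Files sits beside AES_DB; all function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

FLAGS = ("AES_DB", "AES_Files")

def key_is_128_bit_hex(*parts):
    """True if the key parts combine to exactly 32 hex characters (128 bits)."""
    joined = "".join(p.strip() for p in parts)
    return re.fullmatch(r"[0-9A-Fa-f]{32}", joined) is not None

def new_key_algorithm(custom_keys_xml, name="MerchantKey"):
    """Return the algorithm attribute of the status="new" key definition, or None."""
    for key in ET.fromstring(custom_keys_xml).iter("key"):
        if key.get("name") == name and key.get("status") == "new":
            return key.get("algorithm")
    return None

def instance_aes_flags(instance_xml):
    """Read AES_DB / AES_Files from the <Security> node of the instance file."""
    sec = ET.fromstring(instance_xml).find(".//Security")
    return {f: sec is not None and sec.get(f) == "true" for f in FLAGS}

def product_aes_flags(product_xml):
    """Read <AES_DB> / <AES_Files> under <security> in product.xml."""
    root = ET.fromstring(product_xml)
    return {f: (root.findtext(f".//security/{f}") or "").strip() == "true"
            for f in FLAGS}

# Constructed sample inputs; the <keys> wrapper, the key halves and the
# placement of AES_Files next to AES_DB are assumptions, not from the page.
SAMPLE_KEYS = """<keys><key name="MerchantKey" providerName="WC" status="new"
  className="com.ibm.commerce.security.keys.WCExternalFileMerchantKeyImpl"
  version="2" algorithm="AES"/></keys>"""
# Instance file as it looks after step 3 but before MigrateEncryptedFiles ran.
SAMPLE_INSTANCE = """<config><InstanceProperties name="Instance Properties">
  <Security AES_DB="true" enabled="false" enabledGlobal="true"/>
</InstanceProperties></config>"""
SAMPLE_PRODUCT = """<websphere><commercesuite><security>
  <AES_DB>true</AES_DB><AES_Files>true</AES_Files>
</security></commercesuite></websphere>"""

if __name__ == "__main__":
    print("key length ok:", key_is_128_bit_hex("0123456789abcdef", "fedcba9876543210"))
    print("new key algorithm:", new_key_algorithm(SAMPLE_KEYS))
    print("instance flags:", instance_aes_flags(SAMPLE_INSTANCE))
    print("product flags:", product_aes_flags(SAMPLE_PRODUCT))
```

An AES_Files value of False in the instance file after step 6 means MigrateEncryptedFiles did not complete for that instance.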
Article information

Author: Gregorio Kreiger
