
Data Tools and Software Testing

Old model-based testers never die; they just transition to a higher state.


CS 2007 - Secure by Default

In case you thought that was all talk, take a look at the Customer and Orders Manager UI in the latest release candidate of Commerce Server 2007. If you are moving from Beta and are perplexed as to why you suddenly cannot open this UI anymore, it is because we now require that the UI connect over SSL by default. Those last two words are the important ones, since the default is what gets used in most cases. Is it a bit more painful? Yes. Is it more secure? Yes. It was important to go over SSL by default for the Customer and Orders Manager because it transfers more sensitive data, such as user passwords and payment information. Even though it will typically run in an intranet environment, you are better off with all the data going over SSL.

 

So how do you get it to work if you really are not interested in getting SSL set up in your intranet? Well, there are a couple of options if you just want to try this on your developer workstation, or if you want to roll out the setup of the UI without the SSL requirement:

- Use SelfSSL on your developer box. This is as simple as installing the IIS 6.0 Resource Toolkit and running selfSSL.exe. After an IISReset, your UI should be all set.

- You can also disable the SSL check permanently by turning the following flag to True in “%Commerce_Server_Root%\Business User Applications\CustomerAndOrdersManager.exe.config”, which enables the UI to go over HTTP (instead of just over HTTPS):

            <setting name="AllowHTTP" serializeAs="String">
                <value>False</value>
            </setting>

 

The world’s a safer place (with that value set to True)!
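
A defender's check for the flag above, as an added example that is not part of the original post or of Commerce Server: it classifies collected copies of CustomerAndOrdersManager.exe.config by their AllowHTTP value, so machines where the SSL requirement was switched off stand out. The host names, the ExampleSettings section name and the sample file contents are constructed, and the case-insensitive matching assumes the flag is read with .NET boolean parsing.

```python
import xml.etree.ElementTree as ET

def _local(el):
    return el.tag.rsplit("}", 1)[-1]  # element name without any XML namespace

def allow_http_state(config_xml):
    """Classify one CustomerAndOrdersManager.exe.config by its AllowHTTP flag."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return "unparseable"
    values = []
    # Match the setting anywhere: its enclosing section is not shown in the post.
    for s in root.iter():
        if _local(s) == "setting" and s.get("name") == "AllowHTTP":
            text = next((c.text or "" for c in s if _local(c) == "value"), "")
            # Assumption: the flag is read with .NET boolean parsing, which
            # ignores case and surrounding whitespace, so normalise the same way.
            values.append(text.strip().lower())
    if not values:
        return "absent"
    if "true" in values:
        return "http-allowed"
    return "https-only" if all(v == "false" for v in values) else "unexpected-value"

def audit(configs):
    """Return sorted (host, state) pairs for configs not in the HTTPS-only default."""
    states = ((host, allow_http_state(text)) for host, text in configs.items())
    return sorted(pair for pair in states if pair[1] != "https-only")

def _cfg(value):
    # Constructed sample; <ExampleSettings> is a placeholder section name.
    return ('<configuration><applicationSettings><ExampleSettings>'
            '<setting name="AllowHTTP" serializeAs="String">'
            f'<value>{value}</value></setting>'
            '</ExampleSettings></applicationSettings></configuration>')

# Constructed inventory: host name -> collected config file contents.
SAMPLE_CONFIGS = {
    "dev-01": _cfg("False"),        # shipped default
    "dev-02": _cfg("true"),         # lower case still enables HTTP
    "ops-03": _cfg(" True "),       # padded value
    "ops-04": "<configuration/>",   # setting missing entirely
    "ops-05": _cfg("False")[:-20],  # truncated file
}

if __name__ == "__main__":
    for host, state in audit(SAMPLE_CONFIGS):
        print(f"{host}: {state}")
```

A plain text search for "True" would miss the dev-02 and ops-03 cases, which is why the value is normalised before comparison.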

Published Friday, May 26, 2006 11:45 AM by nihitk


Comments

# re: CS 2007 - Secure by Default @ Tuesday, May 30, 2006 4:26 AM

Hi Nihit,

I have no problem accessing it from Order Manager; however, when I tried to save Credit Card info in Starter Site, it threw an exception.
I tried to migrate from Beta to RC.
In the source code for Starter Site, it happened at EditPayment.aspx.cs, where there is a comment above the line of code that threw the error, saying ' if it throws exception, it is likely encryption is not configured'.

I don't know how to fix the problem, but I have certainly installed the certificate through SelfSSL to enable encryption. I'm thinking the problem is caused by accessing the Profile Web Service not through https, but using http. However, I don't know where to set it in Starter Site.

Can you give me a pointer on this ?

Chad

# re: CS 2007 - Secure by Default @ Tuesday, May 30, 2006 1:21 PM

You need to set the <encryption> section in the <profiles> section of the web.config for the ProfilesWebService and the site.

If you had run the SampleDataImport.exe tool on the StarterSite in Beta, then this would already have been created for you as follows:

   <profiles siteName="StarterSite">
     <encryption>
       <keys keyIndex="1">
         <add type="publicKey" value="registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server 2006 Keys\StarterSite,PublicKey" />
         <add type="privateKey1" value="registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server 2006 Keys\StarterSite,PrivateKey" />
         <add type="privateKey2" value="" />
       </keys>
     </encryption>
   </profiles>

nihitk

# re: CS 2007 - Secure by Default @ Tuesday, May 30, 2006 7:35 PM

Thanks for the reply.
I ran it yesterday, but I got the error below.
So, I didn't continue. That's why I don't get the encryption key in the Web.config and in the registry.
Is there any updated version of this app that didn't throw the error?



E:\Commerce Server 2006 Starter Site Beta>SampleDataImport.exe "c:\Inetpub\wwwroot\StarterSite"
Loading data into site: StarterSite


Unhandled Exception: System.MissingMethodException: Method not found: 'Microsoft.CommerceServer.Orders.OrderManagementContext Microsoft.CommerceServer.Orders.OrderManagementContext.Create(System.String)'.
  at CommerceSite.SampleDataImport.CreateOrderContext()
  at CommerceSite.SampleDataImport.Run()
  at CommerceSite.SampleDataImport.Main(String[] args)

Chad

# re: CS 2007 - Secure by Default @ Tuesday, May 30, 2006 7:45 PM

Unfortunately - no - there is no updated version of that utility. You should be able to do this manually as well - i.e. update the registry keys (or create them) and populate them with private/public key values you can generate via the ProfileKeyManager.exe (which you should be able to find in the %Commerce_Server_Root%\Tools folder).

nihitk

# re: CS 2007 - Secure by Default @ Wednesday, May 31, 2006 4:38 PM

Thanks Nihit.

I did what you described above. A pair of private and public keys were generated, and I've already registered them into the registry according to the path described in the <encryption> section.

However, it failed with the following error below.
It looks to me like it found the key location, but is failing when trying to verify it.



Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Decryption failed while reading the registry secret.

Source Error:


Line 209:                returns null or if the userIdTarget key does not exist.        
Line 210:            -->
Line 211: <profiles siteName="StarterSite">
Line 212: <userProfile profileDefinition="UserObject" userIdProperty="GeneralInfo.user_id" organizationIdProperty="AccountInfo.org_id" catalogSetIdProperty="AccountInfo.user_catalog_set" userIdSource="ASP.NET" userIdKey="GeneralInfo.email_address" userIdTarget="GeneralInfo.user_id"/>
Line 213: <organizationProfile profileDefintion="Organization" organizationIdProperty="GeneralInfo.org_id" catalogSetIdProperty="GeneralInfo.org_catalog_set"/>

Chad

# re: CS 2007 - Secure by Default @ Wednesday, May 31, 2006 6:28 PM

Thanks for your help. I've solved the encryption issue problem.

Chad

# re: CS 2007 - Secure by Default @ Wednesday, May 31, 2006 6:38 PM

Great to know that the issue is resolved. What was the last error due to? Was it because you were trying to load a profile encrypted earlier with some other key?

nihitk

# re: CS 2007 - Secure by Default @ Thursday, June 01, 2006 2:34 AM

First, I tried to use the encryption keys used in my Beta image, which I found aren't portable across different images. Second, I also had profiles encrypted with other keys that I wasn't aware of. By doing a clean installation, I managed to overcome the error.
So, for those who are doing a Starter Site installation in an RC image (new image, not just upgrading the beta image), make sure to include the <encryption> section, generate new keys, and register them in the registry as described in the previous exchanges.
Those steps are supposed to be performed by SampleDataImport.exe; however, since SampleDataImport.exe isn't working for RC, they have to be done manually.

Chad

# More Commerce Server Postings @ Thursday, June 22, 2006 4:36 PM

We have finally shipped and have more time to develop tutorials and blog more about Commerce Server 2007. ...

Alan Faulkner's Connected Commerce Blog

# CS 2007: Things you didn't know about the Customer and Orders Manager UI @ Monday, August 07, 2006 10:57 PM

Just wanted to highlight a couple of points about the Customer and Orders Manager Business Application...

Nihit Kaul's WebLog

# re: CS 2007 - Secure by Default @ Thursday, September 14, 2006 8:13 AM

We are considering using Commerce 2007 as our new backend when we choose to upgrade from Site Server 3 ( :/ )
I have managed to get the Starter Site up except for Checkout and using a card. I've been reading a bit but I just can't get past the problem. After reading a bit on this site and pushing the keys into the registry, I now get this error:

Parser Error Message: Decryption failed while reading the registry secret.

Source Error:


Line 228: returns null or if the userIdTarget key does not exist.        
Line 229: -->
Line 230: <profiles siteName="StarterSite">
Line 231: <encryption>
Line 232: <keys keyIndex="1">

I registered the keys as binary in the path it looks for them. Is there anyone that has any help for me on this subject, please?

Bård Pedersen

# re: CS 2007 - Secure by Default @ Thursday, September 14, 2006 11:50 AM

Hi,

Do you have the userIdTarget key defined (one of the previous comments in this thread mentions it as well)? Also, do you have a clean new installation and new profiles, or existing profiles with encrypted properties that you are trying to load?

I would suggest you post this to the Newsgroups for a better response. Make sure to include details about the questions I just asked as well.

Thanks,
Nihit

nihitk

# re: CS 2007 - Secure by Default @ Friday, September 15, 2006 2:35 AM

Hi,
Thanks for the response. I have a clean install of the site with new profiles; I will go to the newsgroup as well :) Thank you again for the reply.

Bård Pedersen

# Things you didn't know about the Customer and Orders Manager UI @ Tuesday, October 17, 2006 6:48 PM

Just wanted to highlight a couple of points about the Customer and Orders Manager Business Application

Commerce Team Blog

# re: CS 2007 - Secure by Default @ Tuesday, February 13, 2007 3:13 PM

The version of SelfSSL in the IIS Resource Kit has a bug that only allows one website to have SSL at a time. A more recent version - without the bug - is available through the IIS Diagnostics Toolkit. See the following link: http://www.microsoft.com/downloads/details.aspx?FamilyID=9bfa49bc-376b-4a54-95aa-73c9156706e7&DisplayLang=en

Adam Kahtava

# re: CS 2007 - Secure by Default @ Thursday, March 08, 2007 5:00 AM

Hi, I am facing a problem with the Orders web service.

When I try to access the Customer and Order manager, I get the error that " the Order web service is currently unavailable".

When I look at the event log it gives me the following information:

Application [w3wp.exe]. Authentication failed. The user credentials were not accepted by ISA Server.  Verify that the user account running this application has the required permissions.

I have given write permission to the user group which was created for the Orders and still I am getting this error.

Thanks in advance.

RockyBalbova

# re: CS 2007 - Secure by Default @ Thursday, March 08, 2007 12:10 PM

Hi,

You should post this to the CS 2007 forums so that more people can help out with the issue (wondering if there is anything ISA specific).

My first guess would be to check the IIS Application Pool identity and to make sure that the user it is running as has the required privileges etc.

Thanks,

Nihit

nihitk

# re: CS 2007 - Secure by Default @ Wednesday, March 28, 2007 8:52 AM

Me too, I have the same problem !!!!!

When I try to access the Customer and Order manager, I get the error that " the Order web service is currently unavailable".

People, I don't know what to do. I have tried everything and nothing worked. Please, can anyone help?

Thanks in advance

echos

# re: CS 2007 - Secure by Default @ Monday, April 02, 2007 1:43 PM

Hi Echos,

Please post your issue to the MSDN Commerce Server Forums (and search over there for this issue as well).

You should include details on what error messages and event viewer entries you are seeing on the server.

Thanks,

Nihit

nihitk
