Changing the session encryption key
External-facing data, such as cookies, is encrypted with the key that is specified in the Instance/SessionKey attribute in the WebSphere Commerce configuration file. This session key is generated and is different from the merchant key that is specified during instance creation. The merchant key is still responsible for encrypting sensitive data that is stored in the database, for example, credit card numbers. It is highly recommended that you change the session key at the same time you change the merchant key. According to the PCI specification, the merchant key should be changed at least annually.
Before you begin
- Log on as the non-root user.
- Verify the test server is stopped and that Rational Application Developer is not running.
Verify the following WebSphere Commerce Fix Packs are installed:
- WebSphere Commerce Fix Pack 1 or above.
Procedure
- Complete one of the following tasks:
  - Log on as a non-root user.
  - Log on with a user ID that is a member of the Windows Administration group.
- Navigate to the following directory:
  - WC_INSTALL/bin
  - WCDE_INSTALL\bin
- Run the update session key script to generate a new key:
  - config_ant -DinstanceXml=WC_INSTALL\instances\instance\xml\instance.xml -buildfile WC_INSTALL\config\ant\updateSessionKey.xml install
  - ./config_ant.sh -DinstanceXml=WC_INSTALL/instances/instance/xml/instance.xml -buildfile WC_INSTALL/config/ant/updateSessionKey.xml install
  - updateSessionKey.bat
- Confirm the status from the following location:
  - The status message appears in the command window where you issued the check status command.
  - WCDE_INSTALL\logs\updateSessionKey.log
- Start the WCS instance.
- Navigate to the following directory:
  - WC_INSTALL/bin
- Run the following to propagate the change to wc-server.xml:
  - config_ant -DinstanceName=demo UpdateEAR
  - ./config_ant.sh -DinstanceName=demo UpdateEAR
- Restart the WCS instance.
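One way to confirm that the rotation took effect and reached wc-server.xml, as an added example that is not part of the original documentation: it compares SHA-256 fingerprints of the SessionKey value, so the key itself is never printed or logged. The XML layout (a SessionKey attribute on an Instance element in both instance.xml and wc-server.xml), the function names, and the sample keys are assumptions constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET


def session_key_fingerprint(xml_text):
    """Return a short SHA-256 fingerprint of Instance/@SessionKey, or None if absent."""
    root = ET.fromstring(xml_text)
    for elem in root.iter("Instance"):  # assumed element name, per "Instance/SessionKey"
        key = elem.get("SessionKey")
        if key:
            return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]
    return None


def check_rotation(instance_before, instance_after, wc_server_after):
    """Return a list of problems; an empty list means the rotation looks complete."""
    before = session_key_fingerprint(instance_before)
    after = session_key_fingerprint(instance_after)
    deployed = session_key_fingerprint(wc_server_after)
    problems = []
    if after is None:
        problems.append("instance.xml has no Instance/SessionKey attribute")
    elif after == before:
        problems.append("SessionKey unchanged; check the updateSessionKey status output")
    if deployed is None:
        problems.append("wc-server.xml has no Instance/SessionKey attribute")
    elif deployed != after:
        problems.append("wc-server.xml differs from instance.xml; run UpdateEAR and restart")
    return problems


def sample_xml(key):
    # Constructed sample document, not a real WebSphere Commerce configuration file.
    return '<config><Instance InstanceName="demo" SessionKey="%s"/></config>' % key


OLD = sample_xml("constructed-old-session-key")
NEW = sample_xml("constructed-new-session-key")

if __name__ == "__main__":
    # In practice, read a copy of instance.xml taken before the procedure,
    # then instance.xml and wc-server.xml after the final restart.
    print("rotated and propagated:", check_rotation(OLD, NEW, NEW))
    print("script did not change the key:", check_rotation(OLD, OLD, OLD))
    print("UpdateEAR not run yet:", check_rotation(OLD, NEW, OLD))
```

Keep the pre-rotation copy of instance.xml under the same access controls as the original, and delete it once the check passes.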