Enable SSL for database connections in runtime environments

As you update the site to be General Data Protection Regulation (GDPR) ready, you may need to take additional steps so that customer data is encrypted during all communication, both internal and external. To help encrypt the communication between your servers and the database, you can set up a Secure Sockets Layer (SSL) connection.

By default, data that is communicated between WebSphere Commerce servers and the database is not encrypted. WebSphere Commerce only encrypts communication between the Transaction server and Search server and between the Store server and Search server. If you need to encrypt the communication, set up the SSL connection for only the following servers, which directly interface with the database: the Transaction server, the Search server, and the Utility server.

The Customization server and Store server do not communicate directly with the database.


Before beginning

Configure DB2 to use SSL before you switch to the protocol in WebSphere Commerce.

  1. Configure the database to use SSL. See Configure Secure Sockets Layer (SSL) support in a DB2 database.

  2. Extract the certificate that was created in the previous step, and copy it to the WebSphere Commerce environment. SSL uses the certificate to connect the database to WebSphere Commerce utilities.

  3. DB2 supports encryption within the database. See the DB2 version 11 Data encryption page.


Procedure

Transaction server

  1. Import the database server certificate for the Transaction server.

  2. Configure the data source to support SSL for the Transaction server.

    Option: In a running Docker container

    1. Open the Transaction server Docker container

    2. Run the command run update-datasource-db jdbc/WCDataSource dbName dbHost dbSSLPort true to update the port and sslConnection settings. For example,

        run update-datasource-db jdbc/WCDataSource mall mydbhostname.com 50001 true

      For more information about the update-datasource-db command and its parameters, see Run Engine commands for Transaction server.

    Option: In a custom Docker image

    1. In the host server, create a folder named tsapp.

    2. Following the instructions for Transaction servers in Configure database connections in Docker images, add the parameters to the custConfiguration.sh file to update the port and sslConnection settings. Save the file in the tsapp folder and complete the instructions in Configure database connections in Docker images to build the new containers.

Search server

  1. Import the database server certificate for the Search server.

  2. Configure the database connection for the Search server.

    Option: In a running Docker container

    1. Open the Search server Docker container.

    2. Run the command run update-datasource-db jdbc/wcdb dbName dbHost dbSSLPort true to update the port and sslConnection. For example,

        run update-datasource-db jdbc/wcdb mall mydbhostname.com 50001 true

      For more information about the update-datasource-db command and its parameters, see Run Engine commands for Search server.

    Option: In a custom Docker image

    1. In the host server, create a folder named search.

    2. Following the instructions for Search servers in Configure database connections in Docker images, add the parameters to the custConfiguration.sh file to update the port and sslConnection settings. Save the file in the search folder and complete the instructions in Configure database connections in Docker images to build the new containers.

Utility server Docker container

  1. Enable an SSL connection for the Utility server Docker container.

    1. Stop any existing containers. For example, if we are using Docker Compose, we can use the following command:

        docker-compose -f path_to_docker-compose.yml_file stop

    2. Remove any existing containers. For example, if we are using Docker Compose, run the following commands:

        docker-compose -f path_to_docker-compose.yml_file rm utils

    3. Edit the Compose file for the Utility server Docker container, docker-compose.yml. Update the following initial environment variables.

        DBPORT
        Change to the value of the database server security port SSL_SVCENAME.

        ENABLE_DB_SSL
        Set the value to true.

      For example, if we are using Docker Compose, update the following code in the file:

        utils:
          ...
          environment:
            ...
            - DBPORT=db_ssl_svcename
            ...
            - ENABLE_DB_SSL=true

      For more information and a sample docker-compose.yml file, see Deploying a WebSphere Commerce authoring environment with Docker Compose.

    4. Deploy the Utility server Docker container based on the updated configuration. For example, if we are using Docker Compose, run the following command:

        docker-compose -f path_to_docker-compose.yml_file up -d utils

      For more information about Docker image configuration parameters, see Docker container start up configuration parameters.

  2. Import the SSL certificate to the Java SDK default truststore.

    1. Copy the database server certificate from the Utility host to the new container.

    2. Go to /opt/WebSphere/AppServer/java/8.0/bin.

    3. Use Keytool to import the certificate.

        ./keytool -import -file cert_location -keystore /opt/WebSphere/AppServer/java/8.0/jre/lib/security/cacerts -alias alias -storepass key_store_password

      Where:

        cert_location
        The path to the database server certificate file that you copied into the container.

        alias
        A name that identifies the imported certificate in the truststore.

        key_store_password
        The password of the truststore. The default password of the Java SDK default truststore is changeit.
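Before you redeploy the Utility server container, it is worth confirming that the Compose file really carries the SSL settings from step 1 (DBPORT pointing at the DB2 SSL_SVCENAME port and ENABLE_DB_SSL=true) rather than the plain-text port. The following checker is an added example, not part of the WebSphere Commerce documentation or product; the two Compose fragments and the SSL port 50001 are constructed sample input, and the parser only handles the simple `environment:` list layout shown in this procedure.

```python
import re

# Constructed sample: Utility server still on the plain DB2 port, SSL flag absent.
WEAK_COMPOSE = """\
services:
  utils:
    image: commerce/utils:9
    environment:
      - DBHOST=mydbhostname.com
      - DBPORT=50000
      - DBNAME=mall
  db:
    image: db2:11
"""

# Constructed sample: the same service after applying step 1 of the procedure.
FIXED_COMPOSE = """\
services:
  utils:
    image: commerce/utils:9
    environment:
      - DBHOST=mydbhostname.com
      - DBPORT=50001
      - DBNAME=mall
      - ENABLE_DB_SSL=true
"""

def parse_service_env(compose_text, service="utils"):
    """Collect KEY=value entries listed under the given service block."""
    env, service_indent = {}, None
    for line in compose_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "...":
            continue  # skip blanks and the "..." placeholders used in the docs
        indent = len(line) - len(line.lstrip())
        if service_indent is None:
            if stripped == f"{service}:":
                service_indent = indent
            continue
        if indent <= service_indent:
            break  # left the service block; next service starts here
        m = re.match(r"-\s*([A-Za-z0-9_]+)=(.*)$", stripped)
        if m:
            env[m.group(1)] = m.group(2).strip()
    return env

def check_db_ssl(env, ssl_svcename):
    """Return findings; an empty list means the SSL settings are in place."""
    findings = []
    if env.get("DBPORT") != str(ssl_svcename):
        findings.append(f"DBPORT={env.get('DBPORT')!r}, expected SSL_SVCENAME {ssl_svcename}")
    if env.get("ENABLE_DB_SSL", "").lower() != "true":
        findings.append("ENABLE_DB_SSL is not set to true")
    return findings
```

Run `check_db_ssl(parse_service_env(open("docker-compose.yml").read()), 50001)` against your own file; any finding means the container would still connect over the unencrypted port.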


Related concepts
General Data Protection Regulation (GDPR) and WebSphere Commerce