This topic describes security improvements in the last several releases of WebSphere Commerce.
Ongoing security assessment
The WebSphere Commerce product line normally undergoes security analysis by an independent group of IBM security experts. These experts assess the product from several points of view, ranging from a user whose only access to WebSphere Commerce is through a browser, up to more privileged users who hold an account on the same system on which the WebSphere Commerce server is running. The feedback from the security experts' analysis is used to continually improve the security of WebSphere Commerce.
Security improvements in WebSphere Commerce 5.7
WebSphere Commerce now uses WebSphere Member Manager as a shared API between WebSphere Commerce and LDAP (at the back end). The LDAP support from previous releases has been replaced by similar support within WebSphere Member Manager. The WebSphere Commerce member subsystem replicates data from WebSphere Member Manager rather than from LDAP, and uses WebSphere Member Manager for user authentication. With this support, you can write an adapter to your own custom repository, and have WebSphere Commerce understand how to create records in that repository as well as read from it. Because the WebSphere Member Manager API is now accessible from the WebSphere Commerce EJB container, any custom command can communicate with a back-end repository through the WebSphere Member Manager API. If you have your own customer database, you can write a WebSphere Member Manager adapter to synchronize the customers and customer organizations to the WebSphere Commerce database. Through custom code, you can perform searches and updates on your back-end systems through the WebSphere Member Manager API.
All security improvements made in previous releases have been carried forward in WebSphere Commerce 5.7.
Security improvements in WebSphere Commerce 5.6
All security improvements made in previous releases have been carried forward in WebSphere Commerce 5.6.
Security improvements in WebSphere Commerce 5.5
WebSphere Commerce 5.5 added policy group subscription to the access control infrastructure. This has been retained in WebSphere Commerce 5.6.
In WebSphere Commerce 5.4, a policy was applied to resources owned by descendants of the policy owner. If different organizations in the same organization hierarchy wanted different levels of access control, achieving the different levels could be difficult. Furthermore, if the organization hierarchy was very deep, understanding all the policies that applied to an organization close to the bottom of the hierarchy could be confusing.
In order to make things simpler and more explicit in WebSphere Commerce 5.5, policies are first grouped into policy groups, based on business and access control requirements. For example, one policy group could have the policies needed to support contracts, while another could allow only registered users to shop. Then, depending on an organization's business and access control requirements, the organization would explicitly subscribe to the appropriate policy groups. When an organization subscribes to policy groups, only the policies in those policy groups will apply to the organization's resources. Its ancestor organizations' policies will not apply. However, if an organization does not explicitly subscribe to policy groups, it will inherit the policy subscription of its closest ancestor that is subscribing.
Security improvements in WebSphere Commerce 5.4
The following section lists the security enhancements in WebSphere Commerce 5.4 relative to WebSphere Commerce Suite 5.1 and retained in WebSphere Commerce 5.6. Most of these enhancements were made in the WebSphere Commerce Business Edition 5.1 release. These enhancements are generally applicable to the:
- WebSphere Commerce site administrator
- System administrator
- WebSphere Commerce developer
Note that sometimes these roles are interchangeable.
Enhancements for the Site Administrator
The following are WebSphere Commerce security enhancements that are generally targeted to a site administrator:
- Access control
- Access control framework -- A key enhancement is that a new access control framework has been implemented in WebSphere Commerce 5.4 and retained in WebSphere Commerce 5.6 (along with the new policy group enhancement in WebSphere Commerce 5.5). This new framework uses access control policies to determine whether a given user is permitted to perform a given action on a given resource. The new access control framework provides fine-grained access control. It works in conjunction with, but does not replace, the access control provided by WebSphere Application Server.
The new access control framework enhances the previous access control in the following ways:
- It is expressive: it captures the intent of a large variety of access policies. The framework is generic, so it can handle a vast array of user groups, resource groups, action groups and relationship groups.
- It is hierarchical: access control policies belong to policy groups. Policy groups to which an organization subscribes can also be implicitly applied to its sub-organizations.
- It is customizable: access control policies are externalized from the application code, so changes to policies can be made without recompiling code.
- It is compact: the new framework scales well. The number of access control policies grows with the number of business processes, not with the number of objects. Most of the grouping framework is based on implicit conditions, so as long as the conditions are satisfied, the policy applies.
- Cross-site scripting -- Reject any user request that contains attributes or characters designated as not allowed, using the Cross Site Scripting Protection node of the WebSphere Commerce Configuration Manager.
- Authentication
- Password storage
- WebSphere Commerce stores a one-way hash of each password, computed with the SHA-1 hashing scheme, in the WebSphere Commerce database rather than storing the password itself. This ensures that user passwords cannot be recovered from the stored value by anyone, including the site or system administrator.
- Password Invalidation
- Require users to change their passwords when they are logging in to the system for the first time, using the Password Invalidation node of the WebSphere Commerce Configuration Manager.
- Account policy
- Set up an account policy for your site to define the account-related policies in use, by using the Account policy page of the WebSphere Commerce Administration Console.
- Password policy
- Set up a password policy for your site to control a user's password selection characteristics using the Password policy page of the WebSphere Commerce Administration Console.
- Account Lockout policy
- Set up an account lockout policy for your site, using the Account lockout policy page of the WebSphere Commerce Administration Console, to reduce the chances of a user account being compromised.
- Authorization
- Password protected commands
- Require users to enter their passwords if they are running requests that run designated commands, using the Password Protected Commands node of the WebSphere Commerce Configuration Manager.
- Encrypted data
- Database update tool
- Update encrypted data such as passwords and credit card information as well as the merchant key in a WebSphere Commerce database, using the Database Update Tool node of the WebSphere Commerce Configuration Manager.
- Session management
- Login Timeout
- Log off a user who has been inactive for an extended period and require them to log back on to the system, using the Login Timeout node. This enhancement is configured through the WebSphere Commerce Configuration Manager.
- Logging
- Access logging
- Quickly identify any security threats against WebSphere Commerce by enabling access logging. This enhancement is invoked through the WebSphere Commerce Configuration Manager.
Enhancements for the System Administrator
The following are security enhancements made in WebSphere Commerce 5.4 and retained in WebSphere Commerce 5.6 that are generally targeted to a system administrator:
- An important security enhancement is the ability to configure the WebSphere Commerce administrative tools to run on a nonstandard port number (for example, port 8000 as opposed to port 443). By restricting access to this port, you can limit access to the administration tools to your local network or intranet.
- From the Launch security check page of the WebSphere Commerce Administration Console, launch a security program that checks for and deletes temporary WebSphere Commerce files that may contain potential security exposures.
Enhancements for the WebSphere Commerce Programmer
A key enhancement is that a new access control framework was implemented in WebSphere Commerce 5.4 and retained in WebSphere Commerce 5.6. This framework uses access control policies to determine whether a given user is permitted to perform a given action on a given resource. The new access control framework provides fine-grained access control. It works in conjunction with, but does not replace, the access control provided by WebSphere Application Server.
The new access control framework enhances the previous access control in the following ways:
- It is expressive: it captures the intent of a large variety of access policies. The framework is generic, so it can handle a vast array of user groups, resource groups, action groups and relationship groups.
- It is hierarchical: access control policies owned by an organization are also applied to its sub-organizations.
- It is customizable: access control policies are externalized from the application code, so changes to policies can be made without recompiling code.
- It is compact: the new framework scales well. The number of access control policies grows with the number of business processes, not with the number of objects. Most of the grouping framework is based on implicit conditions, so as long as the conditions are satisfied, the policy applies.
Security improvements in WebSphere Commerce Suite 5.1 Pro Edition
While Commerce Suite 5.1 represented a new e-commerce architecture and was a complete rewrite of the C++-based Commerce Suite 4.1, it contained all the security features of previous WebSphere Commerce Suite versions, plus it added new security improvements. These improvements have been inherited by WebSphere Commerce 5.6.
Commerce Suite 5.1 continued the protection against unauthorized access to WebSphere Commerce Suite administrators' and shoppers' resources that was provided by earlier releases by:
- Continuing support for access control features that ensure the WebSphere Commerce Suite user is either authenticated or in SSL mode before gaining access to or submitting sensitive information.
- Assigning WebSphere Commerce Suite commands to groups such that only the Site Administrator or Store level Administrators can execute a specific command, following the same model as Commerce Suite 4.1.
General security enhancements
With the rewrite of Commerce Suite 5.1 in Java, a number of inherent security problems that plague software written in C++ were removed. Java does not use pointers, and so eliminates the buffer overflow problem that is a security vulnerability of most C++-based software. By complying with the industry-standard J2EE specifications, WebSphere Commerce uses strong type checking to ensure the server does not execute rogue statements specified by devious individuals.
The industry-standard Triple DES (Data Encryption Standard) algorithm was used to protect sensitive information in the WebSphere Commerce system. The package containing the Triple DES algorithm is digitally signed, so that if the package were tampered with, the WebSphere Commerce Server would not start. These enhancements are retained in WebSphere Commerce 5.6.
Session management
WebSphere Commerce session management was completely rewritten for maximum security, using a unique technique to ensure cookies are not stolen. By using an authentication cookie that flows only over SSL (Secure Sockets Layer) and consists of an encrypted timestamp, the rewritten session management design guards against session hijacking.
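The following Python example is added to illustrate the two properties that paragraph relies on: the authentication cookie is marked so the browser sends it only over SSL, and it carries a timestamp that a server can verify and expire, so a captured value stops working after a short window. It is not WebSphere Commerce's cookie format. The page describes an encrypted timestamp; because the Python standard library has no symmetric cipher, this example substitutes an HMAC-authenticated timestamp (assumed scheme), which still prevents forgery and gives the same expiry behaviour but does not hide the timestamp. The cookie name WC_AUTH, the key and the 15-minute timeout are constructed values for the example.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Assumed scheme for illustration only; not WebSphere Commerce's actual format.
COOKIE_NAME = "WC_AUTH"            # constructed cookie name
MAX_AGE_SECONDS = 15 * 60          # constructed inactivity timeout
CLOCK_SKEW_SECONDS = 60            # tolerate small clock differences between nodes


def make_auth_cookie(user_id: str, key: bytes, now: Optional[float] = None) -> str:
    """Build 'base64(user|issued).hmac' so the value cannot be altered or forged."""
    issued = int(time.time() if now is None else now)
    payload = f"{user_id}|{issued}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def set_cookie_header(value: str) -> str:
    """Secure: the browser sends it only over TLS, which is what keeps it off the
    wire in clear text. HttpOnly: page scripts cannot read it."""
    return f"Set-Cookie: {COOKIE_NAME}={value}; Secure; HttpOnly; Path=/"


def validate_auth_cookie(value: str, key: bytes, now: Optional[float] = None,
                         max_age: int = MAX_AGE_SECONDS) -> Optional[str]:
    """Return the user id if the cookie is authentic and fresh, else None."""
    current = time.time() if now is None else now
    encoded, sep, tag = value.rpartition(".")
    if not sep:
        return None
    try:
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Constant-time compare: always check the tag before trusting any field.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        user_id, issued_text = payload.decode().rsplit("|", 1)
        issued = int(issued_text)
    except ValueError:
        return None
    if issued > current + CLOCK_SKEW_SECONDS:   # timestamp from the future: reject
        return None
    if current - issued > max_age:               # stale: equivalent of a login timeout
        return None
    return user_id


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-real-use"
    cookie = make_auth_cookie("alice", demo_key, now=1_000_000)
    print(set_cookie_header(cookie))
    print(validate_auth_cookie(cookie, demo_key, now=1_000_100))   # alice
    print(validate_auth_cookie(cookie, demo_key, now=1_001_000))   # None (expired)
```

Because the tag is checked before anything in the payload is parsed, a value whose user field or timestamp has been edited fails closed, and a value replayed after the timeout is rejected even though it was once valid; the Secure attribute is what keeps the value from being observed on a non-SSL request in the first place.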
Authentication
System and application passwords needed by the WebSphere Commerce Server during execution were securely encrypted, using a merchant-specified 128-bit key, and stored in the WebSphere Commerce configuration files. Sensitive information that appears in the user's URL entry box is encrypted to protect shoppers from unauthorized disclosure.
Logging
The WebSphere Commerce log system was designed with security as a key consideration, so that sensitive information such as shoppers' passwords and credit card information was not logged by default to the WebSphere Commerce log files.