How to Configure Encryption Keys for Profiles System Data

This topic provides instructions to generate and install the encryption keys that Microsoft Commerce Server 2009 R2 uses to encrypt and decrypt sensitive profile information.

You use the Profile Key Manager to create and work with encryption keys. For more information about the Profile Key Manager, see Profile Key Manager.

To configure the encryption keys, follow these steps:

  1. Generate the encryption keys. For more information about how to perform this step, see the procedure Generating Encryption Keys in this topic.

  2. Encrypt the encryption keys and store the encrypted keys in the registry of the local server. For more information about how to perform this step, see the procedure Encrypting Keys in this topic.

  3. Update configuration files to identify where in the registry the encrypted encryption keys are stored. See the following procedures in this topic:

    • Updating the Web.config File for the Profiles Service, and

    • Updating the ChannelConfiguration.config file with Encryption Key Information (if your applications use the Microsoft Multi-Channel Commerce Foundation), or

    • Updating the Web.config File with Encryption Key Information (if your applications do not use the Microsoft Multi-Channel Commerce Foundation)

  4. Repeat steps 2 and 3 on each server in the farm.

Note

You must use the same encryption keys that you create in step 1 on all the servers. You must perform steps 2 and 3 on each server. You cannot follow these steps only one time and copy the resulting files to the other servers.

Generating Encryption Keys

To generate encryption keys

  1. Log on to the computer as an administrator.

  2. Click Start, point to Programs, point to Microsoft Commerce Server 2009 R2, point to Tools, and then click Commerce Server Tools Command Prompt.

  3. At the command prompt, type the following command:

    ProfileKeyManager.exe /kn /o keys.xml
    

    This command generates a file named keys.xml.

Encrypting Keys

To encrypt encryption keys

  1. Log on to the computer as an administrator.

  2. Copy the keys.xml file that you generated from the procedure Generating Encryption Keys to the local computer.

  3. Click Start, point to Programs, point to Microsoft Commerce Server 2009 R2, point to Tools, and then click Commerce Server Tools Command Prompt.

  4. To encrypt the encryption keys and store the encrypted encryption keys in the registry, type the following command at the command prompt:

    ProfileKeyManager.exe /ke /kf keys.xml /o RegKeys.xml
    
  5. If you have kept another copy of the keys.xml file in a secure location, delete the copy that you made in step 2.

    Security Note:

    The keys.xml file contains the encryption keys in plain text. Anyone who obtains these keys can decrypt sensitive profile information. You must keep one copy of the keys.xml file, because you have to run this procedure on every server in the farm to generate that server's encrypted encryption keys. Store that copy in a secure location, restrict access to it to the administrators who perform this procedure, and delete the keys.xml file from every other computer.
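The following PowerShell script is an added example and is not part of the Commerce Server documentation or product. It shows one way to act on the Security Note above: it restricts the single retained keys.xml to local Administrators and SYSTEM, reads the ACL back to confirm that nothing else can read the file, and reports any other keys.xml copies found under the given drive roots so they can be deleted. The file path and the search roots are assumptions for illustration; change them to match your environment.

```powershell
# Added example, not part of the Commerce Server documentation: lock down the
# one retained keys.xml, verify the resulting ACL, and report stray copies.
# $KeysFile and $SearchRoots are assumptions for illustration.
param(
    [string]$KeysFile = 'D:\Secure\keys.xml',
    [string[]]$SearchRoots = @('C:\', 'D:\')
)
$ErrorActionPreference = 'Stop'

function Protect-KeysFile {
    param([string]$Path)
    # /inheritance:r drops the ACEs inherited from the parent folder (for
    # example Users:Read); /grant:r replaces all explicit ACEs with these two.
    & icacls.exe $Path /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path (exit code $LASTEXITCODE)" }
}

function Test-KeysFileAcl {
    # Returns $true only if every ACE on the file belongs to an allowed SID.
    param([string]$Path)
    $allowed = @('S-1-5-32-544', 'S-1-5-18')   # BUILTIN\Administrators, NT AUTHORITY\SYSTEM
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($allowed -notcontains $sid) {
            Write-Warning "Unexpected ACE on ${Path}: $($ace.IdentityReference) $($ace.FileSystemRights)"
            return $false
        }
    }
    return $true
}

function Find-StrayKeyFiles {
    # Plain-text copies left behind after step 5 are exactly what an attacker
    # with file-system access would look for, so list every one except the keeper.
    param([string[]]$Roots, [string]$Keep)
    Get-ChildItem -Path $Roots -Recurse -Filter 'keys.xml' -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ne $Keep } |
        Select-Object -ExpandProperty FullName
}

Protect-KeysFile $KeysFile
if (-not (Test-KeysFileAcl $KeysFile)) { throw "ACL on $KeysFile is broader than intended" }
$stray = @(Find-StrayKeyFiles $SearchRoots $KeysFile)
if ($stray.Count -gt 0) {
    Write-Warning "Other keys.xml copies found; delete them:`n$($stray -join "`n")"
} else {
    Write-Host "Only $KeysFile remains, restricted to Administrators and SYSTEM."
}
```

Run the script from an elevated PowerShell prompt on the computer that holds the retained copy. The ACL check uses SIDs rather than account names so that it behaves the same on servers with localized or renamed built-in groups.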

Updating the Web.config File for the Profiles Service

To update the Web.config file for the Profiles Web service

  1. Edit the Web.config file for the Profiles Web service. The default location of this file is C:\Inetpub\wwwroot\<SiteName>ProfilesWebService\Web.config, where <SiteName> is the name of the Commerce Server 2009 R2 Web site.

  2. Change the value of the publicKey attribute of the profilesWebService element to the value of the PublicKey element in the RegKeys.xml file. If the publicKey attribute does not exist, add it.

  3. Change the value of the privateKey1 attribute of the profilesWebService element to the value of the PrivateKey element in the RegKeys.xml file. If the privateKey1 attribute does not exist, add it.

  4. Change the value of the keyIndex attribute of the profilesWebService element to "1". If the keyIndex attribute does not exist, add it.

    A sample profilesWebService element will resemble this:

    <profilesWebService
        siteName="CSharpSite"
        authorizationPolicyPath="ProfilesAuthorizationStore.xml"
        disableAuthorization="false"
        publicKey="registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server\9.0\Keys\Default,PublicKey"
        privateKey1="registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server\9.0\Keys\Default,PrivateKey"
        keyIndex="1"
        searchResultsLimit="500"
        bypassProfileCache="true">
     ...
    </profilesWebService>
    

Updating the ChannelConfiguration.config with Encryption Key Information

After you have encrypted the keys, you specify the location where the encrypted keys are stored in the registry. For Commerce Server 2009 R2 applications that use the Microsoft Multi-Channel Commerce Foundation, this is configured in the ChannelConfiguration.config file as shown in the following procedure.

Otherwise, for applications that do not use the Microsoft Multi-Channel Commerce Foundation, you specify the path in the Web.config file. See Updating the Web.config File with Encryption Key Information.

To update the ChannelConfiguration.config with encryption key information

  1. Open the site ChannelConfiguration.config file.

  2. In the ChannelConfiguration.config file, locate the <encryption> element (the path to this element is <CommerceChannelConfiguration><Sites><Site><profiles><encryption>).

  3. Specify the registry location where the public and private encryption keys are stored, as shown in the following example:

    <encryption
        keyIndex="1"
        publicKey="registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server\9.0\Keys\StorefrontSite2,PublicKey"
        privateKey1="registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server\9.0\Keys\StorefrontSite2,PrivateKey"
        privateKey2="">
    </encryption>
    

Updating the Web.config File with Encryption Key Information

For applications that do not use the Microsoft Multi-Channel Commerce Foundation, you add encryption key configuration to the Web.config file of the Web application as follows.

To update the Web.config with encryption key information

  1. Open the application Web.config file. The default location of this file is C:\Inetpub\wwwroot\<SiteName>\Web.config where <SiteName> is the name of the Commerce Server 2009 R2 Web site.

  2. Locate the add element that has a type attribute with the value "publicKey". Change the value of the value attribute of the add element to the value of the PublicKey element in the RegKeys.xml file.

  3. Locate the add element that has a type attribute with the value "privateKey1". Change the value of the value attribute of the add element to the value of the PrivateKey element in the RegKeys.xml file.

    A sample keys element will resemble this:

    <keys keyIndex="1">
        <add type="publicKey" value="registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server\9.0\Keys\Default,PublicKey"/>
        <add type="privateKey1" value="registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server\9.0\Keys\Default,PrivateKey"/>
    </keys>
    

See Also

Other Resources

profiles Element

profilesWebService Element

Updating the Application Runtime

Profile Key Manager

Securing the Deployment