How to Secure a Commerce Routing Service

This topic provides information to help you secure the routing service to protect the Commerce Foundation and Commerce Server Core Systems as part of a mitigation strategy against potential attacks.

When defined in the application Web.config file, the routing service user name and password are written and saved in clear text, exposing the routing service identity to potential risk. Just defining a new identity in the application Web.config file using a location tag is not sufficient to secure the routing service identity: as long it remains in the application Web.config file, the routing service credentials are saved in clear text and therefore remain exposed to potential attacks.

You can mitigate that risk by creating and encrypting a distinct Web.config file which only contains the routing service identity configuration.

Prerequisites

• You have considered all aspects of a secure deployment.

• This procedure requires the creation of a Web.config file. You must have access to a development workstation with Microsoft Visual Studio.

• You know the domain account and password used for the routing service.

To secure the Routing Service

Perform the following procedures to secure the routing service:

1. Create a New Routing Service Identity Configuration .

2. Encrypt the Routing Web.config File.

3. Grant Access to the UserIdClaimStore

Create a New Routing Service Identity Configuration

By default, the routing service is defined in the application Web.config file and runs under the application pool identity of the host application. For enhanced security, create a distinct Web.config file to contain the new identity for the routing service.

1. Create a Web.config file inside the routing service folder. The routing service folder is the folder that contains the RoutingService.svc file, under the virtual folder of the host Web application. For more information on how to create Web.config files, see https://go.microsoft.com/fwlink/?LinkId=202785.

2. In the routing service Web.config file, define your routing service identity.

Important Note:
The Web.config file should only contain configuration required to define the routing service identity as shown in the following example.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<configuration>
  <system.web>
     <identity impersonate="true" userName="SomeDomain\RoutingServiceAcct" password="MyPrivatePassword"/>
  </system.web>
</configuration>

Encrypt the Routing Service Web.config File

Encrypt the content of the routing service Web.config file to protect its content.

1. In Visual Studio, open a Command Prompt window.

2. Go to the routing service folder and execute the command to encrypt the content of the file, for example:

   aspnet_regiis -pef "system.web/identity" "c:\inetpub\wwwroot\wss\virtudirectories\8000\Router\"
   

3. Verify that the content of the routing service Web.config file is encrypted. The content of the file should be similar to the following example.

   <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
   <configuration>
     <system.web>
        <identity configProtectionProvider="RsaProtectedConfigurationProvider">
           <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
              xmlns="http://www.w3.org/2001/04/xmlenc#">
              <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
              <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                 <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
                    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
                    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                       <KeyName>Rsa Key</KeyName>
                    </KeyInfo>
                    <CipherData>
                       <CipherValue>hEUq4UaFUlUKXoXsgVXAdQELKjmoX3jY7Ns6so1NMxaXjhH7oxr4CRQf8zDf3wIvjeYQeUOG0ahFrlPlG447dmMIs/RUe/zdXk/Ob7x3u8dJcIfGOzQqzdIeCK0P5tvdpuWO7Zwnyma+K401069PonHTZ63RonmflrLi4Kgomu0=</CipherValue>
                    </CipherData>
                 </EncryptedKey>
              </KeyInfo>
              <CipherData>
                 <CipherValue>WFvurCS9QBd/+z38t8HL3P2Kg2+sk0C/9F+eUm0mKefRVcHlkLeXToz/9Qgt+LByROH14f4UZQZ5PE6y/MSbNZFQwK9NmATSp5Xsc67vJSY0GHJZSO7GoNZvlKKrZ4Ig</CipherValue>
              </CipherData>
           </EncryptedData>
        </identity>
        <authentication mode="Windows" />
     </system.web>
   </configuration>
   

Grant Access to UserIdClaimStore

After you have configured and encrypted the content of the routing service Web.config file, add the routing service ID as an authorized user in the UserIdclaimStore.

1. In the ChannelConfiguration.config file, add the routing service ID to the UserIdClaimStore as an authorized user. In the following example, the <RoutingServiceId> is added to the UserIdClaimStore. The UserIdClaimStore is also shown to contain the ID of the site, in this case <solutionStorefrontID>.

   <claimStore name="UserIdClaimStore" issuer="UserIdClaimStore" type="Microsoft.Commerce.Server.CommerceUserIdClaimStore, Microsoft.Commerce.Server, Version=9.0.0.0, Culture=neutral,PublicKeyToken=31bf3856ad364e35">
      <Configuration customElementName="commerceUserIdClaimStore" customElementType="Microsoft.Commerce.Server.Configuration.CommerceUserIdClaimStoreElement, Microsoft.Commerce.Server, Version=9.0.0.0, Culture=neutral,PublicKeyToken=31bf3856ad364e35">
         <commerceUserIdClaimStore authorizedUsers="<Domain>\<RoutingSvcID>;<Domain>\<solutionStorefrontID>" />
      </Configuration>
   </claimStore>
   

Important   In a farm deployment, the same routing service identity must exist on each server that is part of the farm. Copy the routing service Web.config file that contains the encrypted routing service identity and paste it onto each server in the farm.  In a two-tier deployment, also update the UserIdClaimStore accordingly in the ChannelConfiguration.config file on each server within the farm.