How to Configure Encryption Keys for Profiles System Data

For the latest version of Commerce Server 2007 Help, see the Microsoft Web site.

This topic provides instructions to generate and install the encryption keys that Commerce Server uses to encrypt and decrypt sensitive profile information.

You use the Profile Key Manager to create and work with encryption keys. For more information about the Profile Key Manager, see Profile Key Manager.

To configure the encryption keys, follow these steps:

  1. On one of the business management servers, generate the encryption keys. For more information about how to perform this step, see the procedure "To generate encryption keys".

  2. Encrypt the encryption keys and store encrypted encryption keys in the registry. For more information about how to perform this step, see the procedure "To encrypt encryption keys".

  3. Update the Web.config files to identify where in the registry the encrypted encryption keys are stored. For more information about how to perform this step, see the procedures "To update the Web.config file for the profiles Web service" and "To update the Web.config file for the application".

  4. Repeat steps 2 and 3 on the other business management servers.

  5. Repeat steps 2 and 3 on every Web server.

The following procedures contain detailed instructions to complete each of these tasks.

Note

Step 1 is performed only once: the keys.xml file it produces is the single set of encryption keys that every server must use. Steps 2 and 3 must be performed separately on each server, because the encrypted keys are stored in that server's own registry. You cannot run them once and copy the resulting RegKeys.xml file, registry entries, or Web.config files to the other servers.

To generate encryption keys

  1. Log on to the computer as an administrator.

  2. Click Start, point to Programs, point to Microsoft Commerce Server 2007, point to Tools, and then click Commerce Server Tools Command Prompt.

  3. At the command prompt, type the following command:

    ProfileKeyManager.exe /kn /o keys.xml
    

    This command generates a file that is named keys.xml.

To encrypt encryption keys

  1. Log on to the computer as an administrator.

  2. Copy the keys.xml file that you generated by using the procedure "To generate encryption keys" to the local computer.

  3. Click Start, point to Programs, point to Microsoft Commerce Server 2007, point to Tools, and then click Commerce Server Tools Command Prompt.

  4. To encrypt the encryption keys and store the encrypted encryption keys in the registry, type the following command at the command prompt:

    ProfileKeyManager.exe /ke /kf keys.xml /o RegKeys.xml
    
  5. If you have another copy of the keys.xml file, delete the keys.xml file that you copied in step 2.

    Security Note:

    The keys.xml file contains the encryption keys in plain text. Anyone who obtains this file can decrypt sensitive profile information. You must keep one copy of keys.xml so that you can generate the encrypted encryption keys for other servers, but store that copy in a secure location with access limited to the administrators who perform this procedure, and delete keys.xml from every other computer as soon as you have run ProfileKeyManager.exe on it. The RegKeys.xml file contains only registry references, not the keys themselves. Also restrict permissions on the registry key that holds the encrypted keys (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server 2007 Keys in the examples below) to administrators and the accounts that run the profiles Web service and the application.

To update the Web.config file for the profiles Web service

  1. Edit the Web.config file for the profiles Web service. The default location of this file is C:\Inetpub\wwwroot\<SiteName>ProfilesWebService\Web.config, where <SiteName> is the name of the Commerce Server Web site.

  2. Change the value of the publicKey attribute of the profilesWebService element to the value of the PublicKey element in the RegKeys.xml file. If the publicKey attribute does not exist, add it.

  3. Change the value of the privateKey1 attribute of the profilesWebService element to the value of the PrivateKey element in the RegKeys.xml file. If the privateKey1 attribute does not exist, add it.

  4. Change the value of the keyIndex attribute of the profilesWebService element to "1". If the keyIndex attribute does not exist, add it.

    A sample profilesWebService element will resemble this:

    <profilesWebService
        siteName="CSharpSite"
        authorizationPolicyPath="ProfilesAuthorizationStore.xml"
        disableAuthorization="false"
        publicKey="registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server 2007 Keys\Default,PublicKey"
        privateKey1="registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server 2007 Keys\Default,PrivateKey"
        keyIndex="1"
        searchResultsLimit="500"
        bypassProfileCache="true">
     ...
    </profilesWebService>
    

To update the Web.config file for the application

  1. Edit the Web.config file for the Commerce Server Web application. The default location of this file is C:\Inetpub\wwwroot\<SiteName>\Web.config where <SiteName> is the name of the Commerce Server Web site.

  2. Locate the add element that has a type attribute that has a value of "publicKey". Change the value of the value attribute of the add element to the value of the PublicKey element in the RegKeys.xml file.

  3. Locate the add element that has a type attribute that has a value of "privateKey1". Change the value of the value attribute of the add element to the value of the PrivateKey element in the RegKeys.xml file.

    A sample keys element will resemble this:

    <keys keyIndex="1">
        <add type="publicKey" value="registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server 2007 Keys\Default,PublicKey" />
        <add type="privateKey1" value="registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server 2007 Keys\Default,PrivateKey" />
    </keys>
    
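The per-server part of this procedure (steps 2 and 3: encrypt the shared keys into the local registry, then point both Web.config files at the resulting registry values) has to be repeated on every business management server and every Web server. The following PowerShell script is an added example that automates those two steps on one server; it is not part of the Commerce Server documentation or product. It assumes that ProfileKeyManager.exe is on the PATH (for example, because the script is started from the Commerce Server Tools Command Prompt), that RegKeys.xml contains PublicKey and PrivateKey elements holding the "registry:..." references shown above, and that the site lives under C:\Inetpub\wwwroot. Before it touches any Web.config it checks that each referenced registry value actually exists on the machine, and it deletes the plain-text keys.xml copy when it is done, as the Security Note requires.

```powershell
# Added example (not part of the Commerce Server documentation): run steps 2 and 3 of the
# topic on the local server. Assumptions: ProfileKeyManager.exe is on the PATH, RegKeys.xml
# contains <PublicKey> and <PrivateKey> elements, the site is under C:\Inetpub\wwwroot.
param(
    [Parameter(Mandatory = $true)] [string] $SiteName,
    [string] $KeysXml    = 'keys.xml',       # plain-text keys copied from the generating server
    [string] $RegKeysXml = 'RegKeys.xml',    # output of ProfileKeyManager.exe /ke
    [string] $WebRoot    = 'C:\Inetpub\wwwroot'
)

$ErrorActionPreference = 'Stop'

# Step 2: encrypt the keys and store the encrypted keys in this server's registry.
& ProfileKeyManager.exe /ke /kf $KeysXml /o $RegKeysXml
if ($LASTEXITCODE -ne 0) { throw "ProfileKeyManager.exe failed with exit code $LASTEXITCODE" }

# Read the registry references the tool wrote, e.g.
# registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server 2007 Keys\Default,PublicKey
[xml] $regKeys  = Get-Content -Path $RegKeysXml -Raw
$publicKeyRef   = $regKeys.SelectSingleNode('//PublicKey').InnerText.Trim()
$privateKeyRef  = $regKeys.SelectSingleNode('//PrivateKey').InnerText.Trim()

# Check that a "registry:<hive\path>,<valueName>" reference resolves to an existing,
# non-empty registry value on this machine before it is written into any Web.config.
function Test-RegistryKeyReference([string] $Reference) {
    if ($Reference -notmatch '^registry:(?<path>.+),(?<name>[^,]+)$') {
        throw "Unexpected key reference format: $Reference"
    }
    $name = $Matches['name']
    $path = $Matches['path'] -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM:\'
    $path = $path -replace '^HKEY_CURRENT_USER\\', 'HKCU:\'
    $value = (Get-ItemProperty -Path $path -Name $name).$name
    if ([string]::IsNullOrEmpty($value)) { throw "Registry value $Reference is missing or empty" }
}
Test-RegistryKeyReference $publicKeyRef
Test-RegistryKeyReference $privateKeyRef

# Load a Web.config without disturbing its existing whitespace, apply an edit, save in place.
function Update-WebConfig([string] $Path, [scriptblock] $Edit) {
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    $doc.Load($Path)
    & $Edit $doc
    $doc.Save($Path)
}

# Step 3a: profiles Web service Web.config -> attributes on the <profilesWebService> element.
Update-WebConfig (Join-Path $WebRoot "${SiteName}ProfilesWebService\Web.config") {
    param($doc)
    $node = $doc.SelectSingleNode('//profilesWebService')
    if (-not $node) { throw 'profilesWebService element not found' }
    $node.SetAttribute('publicKey',   $publicKeyRef)   # SetAttribute adds the attribute if missing
    $node.SetAttribute('privateKey1', $privateKeyRef)
    $node.SetAttribute('keyIndex',    '1')
}

# Step 3b: application Web.config -> <keys keyIndex="1"> with publicKey / privateKey1 <add> entries.
Update-WebConfig (Join-Path $WebRoot "$SiteName\Web.config") {
    param($doc)
    $keys = $doc.SelectSingleNode("//keys[add/@type='publicKey']")
    if (-not $keys) { throw 'keys element with a publicKey entry not found' }
    $keys.SetAttribute('keyIndex', '1')
    $keys.SelectSingleNode("add[@type='publicKey']").SetAttribute('value', $publicKeyRef)
    $private = $keys.SelectSingleNode("add[@type='privateKey1']")
    if (-not $private) {
        $private = $doc.CreateElement('add')
        $private.SetAttribute('type', 'privateKey1')
        [void] $keys.AppendChild($private)
    }
    $private.SetAttribute('value', $privateKeyRef)
}

# The plain-text keys.xml must not remain on this server (see the Security Note).
# RegKeys.xml holds only registry references, so it can stay for later comparison.
Remove-Item -Path $KeysXml -Force
Write-Host "Keys installed for $SiteName; registry references written to both Web.config files."
```

Run it from an elevated Commerce Server Tools Command Prompt on each server after copying keys.xml there, for example `powershell -File .\Install-ProfileKeys.ps1 -SiteName CSharpSite`. The script writes the exact strings found in RegKeys.xml into the configuration files, which avoids the trailing-space and typo mistakes that hand-editing the long registry references invites; if a reference does not resolve to a registry value, the script stops before either Web.config is modified.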

See Also

Other Resources

profiles Element

profilesWebService Element

Updating the Application Runtime

Profile Key Manager

Securing the Deployment