Setting up security for ShopSite
How do I set up my ShopSite store so that orders are logged securely, through https:// ?
Solution ID: S02779
There are two different circumstances that we will include instructions for:
You own a digital certificate (from VeriSign, Thwaite, etc.) for your domain name.
You are using a certificate that is shared among multiple users (domains) on one machine.
You own a digital certificate for your domain name.
Most of the time in this situation, there isn't much that needs to be done. From the back office, go to Main | Config | Technical Settings. In the setting for secure URL of back office cgi's, you'll put in the same URL that you use for the back office, except you'll access it through https://. Example: If you normally use http://www.mydomain.com/cgi-bin/bo as the URL of back office cgi's, then you'll want to use https://www.mydomain.com/cgi-bin/bo as the secure URL of back office cgi's. The procedure will be the same for the URL of shopping basket cgi's.
If after trying this you get "404, not found" errors when trying to order securely or retrieve your orders securely through the back office, this probably means that your secure server and your regular web server do not share the same configuration. In this case, you will have to configure the server as if your are using a shared certificate, and follow the instructions below.
You are using a certificate that is shared among multiple users on one machine.
This situation usually requires more work. In this case, what you'll want to do is set up a new cgi directory through the web server configuration for the back office and shopping basket. The process for this will be different depending on your web server. We'll explain the process for the three most common web servers:
1. Apache, ApacheSSL, Stronghold, and other NCSA web servers.
For these web servers, you'll want to create a new ScriptAlias on the secure domain for the cgi-bin directory that back office and shopping basket are located in. The ScriptAlias's are usually set up in the srm.conf file, but it can also be added in the httpd.conf file in most versions of Apache (in Stronghold, it usually has to be done in the httpd.conf file). If your secure domain is set up as a virtual host, the ScriptAlias will have to be included in the directive. A ScriptAlias has the format of:
ScriptAlias /fakename/ /realname/
ScriptAlias /cgi-shop-secure/ /usr/local/etc/httpd/cgi-bin/
essentially maps https://www.securedomain.com/cgi-shop-secure to the directory /usr/local/etc/httpd/cgi-bin/. Then, you would put in the back office ( Main | Config | Technical Settings ) https://www.securedomain.com/cgi-shop-secure/bo as the URL of secure back office cgi's, and the same for the shopping basket cgi's (but with /sb at the end). A separate ScriptAlias for each directory is not required, as long as they share the same parent directory.
2.Internet Information Server (for NT servers).
With IIS you'll need to create a new virtual directory under the secure domain for both the back office and shopping basket directories. These virtual directories will have the same properties associated with them as the two virtual directories that you created under the original domain. NOTE: Unlike Apache, you MUST create two separate virtual directories, one for the shopping basket and one for the back office. Creating a virtual directory for their shared parent directory will not work.
3.Netscape (for NT or UNIX).
The instructions for the Netscape web server will be for Netscape Enterprise Server v 3.5. Other versions of Enterprise, as well as Fast Track and Commerce server will be similar.
Go to the Netscape Server Administration for the https server. Click on the 'Programs' menu option (top frame), then click on 'CGI Directory' in the left frame. You will create a new cgi directory by entering in a URL prefix and the 'CGI directory'. The value of 'CGI directory' should be the path to your cgi directory. With Netscape, setting up a cgi directory for a shared parent directory of the back office and shopping baskets will work fine. For example, if your directories are set up as:
/www/cgi-bin/bo and /www/cgi-bin/sb
Then you could set up a cgi directory like this:
URL prefix: http://www.securedomain.com/cgi-shop
CGI directory: /www/cgi-bin/
Then you could set up https://www.securedomain.com/cgi-shop/bo and https://www.securedomain.com/cgi-shop/sb as the secure URL's of back office and shopping basket cgi's.
Often after setting up security, you'll get a message when trying to retrieve orders securely of "Error: User Name could not be determined". With NCSA, make sure that the AllowOverride directive for the cgi-bin directory that you're running ShopSite from is set to "All". With Netscape, go to Server Preferences from the Administration page of the secure server and set up the ACL through 'Restrict Access'. Through IIS, verify the Directory Security setting for the bo virtual directory through the secure domain. Make sure that Basic Authentication is set up.
Some ISP's set each user up with a secure directory and force them to put the html files and cgi's that they want accessed securely in this directory (usually named something like shtdocs). At no time should you ever copy your cgi's into this 7directory and try to run them from that directory ? this will not work. One thing that does work sometimes in this situation is to create a symbolic link (on UNIX systems) from the shtdocs directory to your actual cgi directory. This will only work for the shopping basket, as the password protection will not work for the back office using this method. Also, there is an Apache directive (FollowSymLinks) that many systems have set that does not allow you to access files via the browser through a symbolic link. For these reasons, we recommend that you set the server up with the above options.
No related articles were found.
No attachments were found.
13th of November, 2008