OSF Builder Suite For Salesforce Commerce Cloud :: Credentials

Provides various credential types for OSF Builder Suite For Salesforce Commerce Cloud plugins

 

Two Factor Authentication

Introduction

Two-factor authentication for code deployment is a PCI requirement, to be used on the Staging instance only. Code deployment is not possible to Production. However, standard one-factor code deployment can be used to all other instances, including Development and Sandbox instances.

The Staging instance has the following hostnames:

Hostname To be used...
cert.staging.web.customer.demandware.net for code deployments.
staging-web-customer.demandware.net by merchants, developer, etc. to work with the Business Manager or preview in the storefront.

Two factor authentication Certificate.zip file

The Certificate.zip file is attached to a SFCC support case for the customer who originated the request to enable two-factor authentication.

This file contains:

  • $name.key
  • $name.crt
  • $name.srl
  • $name.txt

$name is an identifier unique to a particular customer. For example, it can reflect the instance or company name. These files should be considered highly sensitive. While they are only part of what is needed to upload SSL customization to the SFCC system, they should be provided to a single trusted employee within your organization, typically the administrator of your SFCC instances.

$name.txt contains the pass phrase that was used to create the certificate. You must provide this pass phrase every time you sign a key request.

For example:

cert.merchant.sitename.net_01.key  
cert.merchant.sitename.net_01.crt  
cert.merchant.sitename.net.srl  
cert.merchant.sitename.net_01.txt  

 

Creating and using certificates

1. Create a new key and request using OpenSSL

1.1 Extract the Certificate.zip file in a new empty folder.

1.2 Open the command prompt and cd to the folder above.

1.3 Enter the following command to generate a request:

openssl req -new -sha256 -newkey rsa:2048 -nodes -out $user.req -keyout $user.key

$user indicates the user that this key is for. We recommend that it be the same as the Business Manager user they are authenticating against. For example, if the SFCC instance username is jsmith, the certificate should be named jsmith.

Note: When prompted for information to be included in the certificate request, please provide information for the user that will be using the certificate (for example, jsmith).


CAUTION: Do not use generic names such as Release Team.

The output should be as follows:

Generating a 2048 bit RSA private key  
....................++++++++++++  
........++++++++++++  
writing new private key to '$user.key'  
-----  
You are about to be asked to enter information that will be incorporated into your certificate request.  
What you are about to enter is what is called a Distinguished Name or a DN.  
There are quite a few fields but you can leave some blank  
For some fields there will be a default value, If you enter '.', the field will be left blank.  
-----  
Country Name (2 letter code) [AU]:  
State or Province Name (full name) [Some-State]:  
Locality Name (city) []:  
Organization Name (company) [Internet Widgits Pty Ltd]:  
Organizational Unit Name (section) []:  
Common Name (YOUR name) []:  
Email Address []:  
Please enter the following 'extra' attributes  
to be sent with your certificate request  
A challenge password []:  
An optional company name []:  

Note: The last two fields are optional. We recommend that you leave them blank. The challenge password is not used.

1.4 Fill out the request with your company name information and a valid email address.

This should be the valid email address of the person using the certificate.

For example:

Country Name (2 letter code) [AU]: US  
State or Province Name (full name) [Some-State]: Massachusetts  
Locality Name (city) []:  
Organization Name (company) [Internet Widgits Pty Ltd]: Your Organizational Unit Name (section) []:  
Customer Services  
Common Name (YOUR name) []: John Smith  
Email Address []: jsmith@domain.com  
Please enter the following 'extra' attributes to be sent with your certificate request  
A challenge password []:  
An optional company name []:

Note: SFCC supports OpenSSL ( http://www.openssl.org/ ) certificates.

2. Sign the certificate request ($user.req) with your certificate

2.1 Enter the following OpenSSL command into the command prompt:

openssl x509 -CA $name.crt -CAkey $name.key -CAserial $name.srl -req -in $user.req -out $user.pem -days $days

$days - the number of valid days for this client certificate following creation

$name - the name provided by SFCC

$user - the user of the client certificate you are signing. For example: jsmith

Note: The $name portion of the $name.srl file may be slightly different from other $name files. Make sure you enter the file name correctly.

For example:

openssl x509 -CA cert.staging.web.customer.demandware.net_01.crt -CAkey cert.staging.web.customer.demandware.net_01.key -CAserial cert.staging.web.customer.demandware.net.srl -req -in jsmith.req -out jsmith.pem -days 365

The certificate will be valid until it expires or you ask SFCC to revoke all certificates. Therefore you must plan carefully when assigning certificates to users.

The output of this command should look as follows:

Signature ok  
subject=/C=XX/ST=XX/L=XX/O=XX/OU=XX/CN=XX/emailAddress=user@co.com  
Getting CA Private Key  
Enter pass phrase for $name.key:  

2.2 Enter the pass phrase (contained in $name.txt) to sign the certificate.

3. Export the certificate and client information to pkcs12 format.

3.1 Enter the following command into the command prompt:

openssl pkcs12 -export -in $user.pem -inkey $user.key -certfile $name.crt -name "$user" -out $user.p12

$name is the name provided by SFCC.

$user is the user of the client certificate you are signing.

For example:

openssl pkcs12 -export -in jsmith.pem -inkey jsmith.key -certfile cert.staging.web.customer.demandware.net_01.crt -name "jsmith" -out jsmith.p12

3.2 Specify an export password for this file.

This password must be provided to the end user who will be loading the certificate into Studio or another keystore.

The pkcs12 certificate can be used to connect to a Staging instance via Eclipse. The certificate can also be used with other WebDAV clients, such as the Windows built in WebDAV client.

 

Version history

https://github.com/jenkinsci/osf-builder-suite-for-sfcc-credentials-plugin/releases