Certificate authentication
Certificate authentication is used for systems going through Commerce Engine (CE) Connect, like the SXA Storefront.
The caller must provide the X-ARR-ClientCert header in the request headers with valid certificate information. The expected certificate information (for example, issuer, thumbprint) is stored in the Commerce Engine config.json file.
We strongly recommend that you secure the Commerce Engine against unauthorized use.
Consider the following security measures to safeguard a production Commerce deployment:
- Avoid unnecessarily exposing Commerce Engine service endpoints to the public network.
- Implement IP restrictions to limit the clients that can communicate with the Commerce Engine.
- Change the certificate on a regular basis and make sure you replace the related references in the engine config.json and the Sitecore.Commerce.Engine.Connect.config files.
The following is a sample of the certificate section in the Commerce Engine config.json file (note the comma after each property except the last one):
  "Certificates": {
    "Certificates": [
      {
        "Thumbprint": "F1D8349D784BF672B99103C1C204A57556DD263A",
        "Subject": "CN=storefront.engine",
        "IssuerCN": "CN=storefront.engine"
      }
    ]
  }
The same thumbprint must be stored in the CE Connect configuration file for the Storefront: c:\inetpub\wwwroot\<storefront>\App_Config\Include\Y.Commerce.Engine\Sitecore.Commerce.Engine.Connect.config.
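The thumbprint check described above, as an added illustration written for this page (it is not Sitecore's own code). It assumes the X-ARR-ClientCert header carries the client certificate as base64-encoded DER, that the configured thumbprint is the SHA-1 hash of that DER, and it checks only the thumbprint; the Subject and IssuerCN comparison from the config sample would need an X.509 parser and is left out. SAMPLE_DER and SAMPLE_HEADER are constructed test values, not a real certificate.

```python
import base64
import binascii
import hashlib
import hmac
import re

# Constructed copy of the config.json certificate section from this page (sample values).
CONFIG = {
    "Certificates": {
        "Certificates": [
            {
                "Thumbprint": "F1D8349D784BF672B99103C1C204A57556DD263A",
                "Subject": "CN=storefront.engine",
                "IssuerCN": "CN=storefront.engine",
            }
        ]
    }
}

# Constructed stand-in for a DER certificate: a DER SEQUENCE holding INTEGER 5 (not a real cert).
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_HEADER = base64.b64encode(SAMPLE_DER).decode("ascii")

_HEX40 = re.compile(r"^[0-9A-F]{40}$")


def normalize_thumbprint(value):
    """Uppercase and strip spaces/colons (common copy-paste artefacts); reject bad lengths."""
    tp = re.sub(r"[\s:]", "", value).upper()
    if not _HEX40.match(tp):
        raise ValueError("thumbprint must be 40 hex characters (SHA-1 of the DER certificate)")
    return tp


def thumbprint_from_header(header_value):
    """Decode the X-ARR-ClientCert value (base64 DER) and return its SHA-1 thumbprint, or None."""
    if not header_value:
        return None
    try:
        der = base64.b64decode(header_value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    if not der or der[0] != 0x30:  # a DER certificate always starts with a SEQUENCE tag
        return None
    return hashlib.sha1(der).hexdigest().upper()


def is_trusted(header_value, config=CONFIG):
    """True only when the presented certificate's thumbprint matches a configured entry."""
    presented = thumbprint_from_header(header_value)
    if presented is None:
        return False
    entries = config["Certificates"]["Certificates"]
    allowed = [normalize_thumbprint(entry["Thumbprint"]) for entry in entries]
    # compare_digest keeps each comparison constant-time.
    return any(hmac.compare_digest(presented, tp) for tp in allowed)
```

A missing, malformed or non-DER header value fails closed; a malformed thumbprint in config.json raises at check time rather than silently never matching.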