Current version: 8.2

Hightlights of Sitecore Commerce Engine security features are:

  • HTTPS:// and SSL support

  • No credit card storage option

  • PCI Level 1 DSS 2.0 Certified Tokenization

  • Strong password enforcement

  • 90-day forced administrator password changes

  • Back office geographical and proximity real-time validations

  • Back office IP restriction access

Security in the Sitecore Commerce Service API is enforced as follows:

  • General: enforced at the service endpoint to determine whether a remote party can connect at all. This should be cert-based or based on a specific authenticated identity.

  • Command specific: enforced at the command level. Individuals are able to execute specific commands or not. This should be managed within the management tools in Sitecore 8.2. The service API should resolve and pass in claims that Sitecore Commerce uses to enforce this security.

Certificate validation

Certificates are commonly used for both encryption and identification.

The Sitecore Commerce Engine adds a middleware class to an application pipeline that performs Client Certificate validation. The middleware class requests the configuration via the Options model, and requests logging via dependency injection. When the HTTP request is received, the Invoke method runs for every request, and the configuration and logging types are passed to the Client Certificate validation middleware. The Invoke method will validate the certificate that is passed by using the X-ARR-ClientCert HTTP header, which is parsed as an X509Certificate2 class, to read the properties of the Certificate.

Enable certificate validation on both the server and client sides, as described below.

Server side certificate validation

Server side certificates are configured in the Commerce Engine. The certificates configuration section is located in the config.json file.


"Certificates": {
    "Certificates": [
        "Subject": "[enter certificate subject CN here]",
        "IssuerCN": "[enter certificate issuer CN here]",
        "Thumbprint": "[enter certificate thumbprinthere]"
    "ValidationEnabled": false 

The thumbprint must be formatted in all caps, with no spaces, and no Unicode.

By default, certificate validation is disabled. Certification validation supports multiple certificates, and for each certificate you must provide the common name (CN) subject, CN issuer, and thumbprint for the certificate.

Once the certificate validation in enabled on the Engine (server) side, all requests are validated. Invalid requests will return a 403 code. To troubleshoot validation errors, read the service's logs files.

Client side certificate validation

Client side certificates apply for the Storefront and Business Tools clients. These certificates are configured in Commerce Engine Connect. The certificates configuration section is in the Sitecore.Commerce.Engine.config file under ..\Website\App_Config\Include\Y.Commerce.Engine

The following provides an example of client side configuration:


<configuration xmlns:patch="">
    <commerceEngineConfiguration type="Sitecore.Commerce.Engine.Connect.CommerceEngineConfiguration, Sitecore.Commerce.Engine.Connect">
      <certificatePath>[enter path to certificate here]</certificatePath>

Do you have some feedback for us?

If you have suggestions for improving this article,