09-20-06 06:22 PM
The steps you list would work, but I'd recommend a slightly different
approach that may be a little easier:
1) Update web.config for all servers in your farm to point to a registry
key for the encryption keys:
<profiles>
  <userProfile>...</userProfile>
  <encryption>
    <keys keyIndex="1">
      <add type="publicKey"
           value="registry:HKLM\SOFTWARE\Microsoft\Commerce Server 2007 Keys\MySite\Date,PublicKey" />
      <add type="privateKey1"
           value="registry:HKLM\SOFTWARE\Microsoft\Commerce Server 2007 Keys\MySite\Date,PrivateKey" />
      <add type="privateKey2" value="" />
    </keys>
  </encryption>
</profiles>
and
<profilesWebService
    siteName="MySite"
    keyIndex="1"
    publicKey="registry:HKLM\SOFTWARE\Microsoft\Commerce Server 2007 Keys\MySite\Date,PublicKey"
    privateKey1="registry:HKLM\SOFTWARE\Microsoft\Commerce Server 2007 Keys\MySite\Date,PrivateKey"
    .. />
2) Run ProfileKeyManager /kn /o to create the encryption key in a text
file (Keys_Date.xml). To make things easier, you may want to make this
file visible on a share.
3) Deploy the same web.config (from above) to every server in your farm.
4) On each server in your farm run:
ProfileKeyManager /ke /kf "<path>\Keys_Date.xml" /reg:"HKLM\SOFTWARE\Microsoft\Commerce Server 2007 Keys\MySite\Date"
This encrypts the keys in Keys_Date.xml using DPAPI and inserts them into
the registry.
This approach saves you the pain of editing web.config on each server. You
just need to be able to run ProfileKeyManager on each system, which should
be fairly straightforward. I also recommend using the <Date> subkey to
organize your keys, as this makes it easier to roll your encryption keys at
a later date.
Hope this helps,
David
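An added example, not code from this thread, from Commerce Server or from the ProfileKeyManager tool: a small Python audit of the two web.config elements David shows above. It flags key material pasted inline into web.config (the keys should be `registry:` indirections so the real values stay DPAPI-protected in the registry), and it checks that the runtime site's `<profiles><encryption><keys>` element and the `<profilesWebService>` element agree on keyIndex and resolve to the same registry key, which is what keeps every server in a farm encrypting and decrypting alike. The sample web.config documents are constructed, and the date-named subkey `20060920` stands in for the `<Date>` placeholder from the post.

```python
"""Audit Commerce Server profile-encryption settings in a web.config.

Added example; not code from the newsgroup thread, Commerce Server or
ProfileKeyManager. Standard library only; the sample documents below are
constructed and the hex string in the bad sample is a placeholder, not a key.
"""
import xml.etree.ElementTree as ET

REGISTRY_PREFIX = "registry:"


def parse_registry_ref(value):
    """Split 'registry:<key path>,<value name>' into (key_path, value_name).

    Returns None for anything that is not a registry indirection (an empty
    attribute or inline key material). The key path may contain spaces and
    backslashes, so only the last comma separates the value name.
    """
    value = value.strip()
    if not value.startswith(REGISTRY_PREFIX):
        return None
    key_path, sep, value_name = value[len(REGISTRY_PREFIX):].rpartition(",")
    if not sep or not key_path or not value_name:
        raise ValueError("malformed registry reference: %r" % value)
    return key_path, value_name


def classify(value):
    """Return 'empty', 'registry' or 'inline' for one key value attribute."""
    value = value.strip()
    if not value:
        return "empty"
    return "registry" if value.startswith(REGISTRY_PREFIX) else "inline"


def audit_web_config(xml_text):
    """Audit one web.config document; an empty 'problems' list means it passes."""
    root = ET.fromstring(xml_text)
    keys_el = root.find("./profiles/encryption/keys")
    ws_el = root.find("./profilesWebService")
    problems = []
    if keys_el is None or ws_el is None:
        problems.append("profiles/encryption/keys or profilesWebService element missing")
        return {"problems": problems, "keys": {}, "registry_paths": []}

    # 1. Every populated key under <profiles> must be a registry: indirection;
    #    inline key material in web.config is what the registry layout avoids.
    site_keys = {}
    for add in keys_el.findall("add"):
        ktype, value = add.get("type"), add.get("value", "")
        site_keys[ktype] = value
        if classify(value) == "inline":
            problems.append("%s: key material is inline in web.config" % ktype)
    for required in ("publicKey", "privateKey1"):
        if classify(site_keys.get(required, "")) == "empty":
            problems.append("%s is empty" % required)

    # 2. keyIndex must agree between the runtime site and the profile web service.
    if keys_el.get("keyIndex") != ws_el.get("keyIndex"):
        problems.append("keyIndex mismatch: profiles=%r profilesWebService=%r"
                        % (keys_el.get("keyIndex"), ws_el.get("keyIndex")))

    # 3. Both sections must resolve to the same registry key (the date subkey
    #    used for rolling keys); otherwise servers encrypt with different keys.
    paths = set()
    for ktype in ("publicKey", "privateKey1"):
        for value in (site_keys.get(ktype, ""), ws_el.get(ktype, "")):
            try:
                ref = parse_registry_ref(value)
            except ValueError as exc:
                problems.append(str(exc))
                continue
            if ref is not None:
                paths.add(ref[0])
    if len(paths) > 1:
        problems.append("runtime site and profile web service reference different "
                        "registry keys: " + "; ".join(sorted(paths)))

    return {"problems": problems, "keys": site_keys, "registry_paths": sorted(paths)}


# Constructed sample following the registry layout, with a date-named subkey.
GOOD_WEB_CONFIG = r"""<configuration>
  <profiles>
    <encryption>
      <keys keyIndex="1">
        <add type="publicKey" value="registry:HKLM\SOFTWARE\Microsoft\Commerce Server 2007 Keys\MySite\20060920,PublicKey" />
        <add type="privateKey1" value="registry:HKLM\SOFTWARE\Microsoft\Commerce Server 2007 Keys\MySite\20060920,PrivateKey" />
        <add type="privateKey2" value="" />
      </keys>
    </encryption>
  </profiles>
  <profilesWebService siteName="MySite" keyIndex="1"
      publicKey="registry:HKLM\SOFTWARE\Microsoft\Commerce Server 2007 Keys\MySite\20060920,PublicKey"
      privateKey1="registry:HKLM\SOFTWARE\Microsoft\Commerce Server 2007 Keys\MySite\20060920,PrivateKey" />
</configuration>"""

# Constructed sample with three defects: an inline private key (placeholder hex),
# a keyIndex mismatch, and the web service pointing at an older date subkey.
BAD_WEB_CONFIG = r"""<configuration>
  <profiles>
    <encryption>
      <keys keyIndex="1">
        <add type="publicKey" value="registry:HKLM\SOFTWARE\Microsoft\Commerce Server 2007 Keys\MySite\20060920,PublicKey" />
        <add type="privateKey1" value="00112233445566778899AABBCCDDEEFF" />
        <add type="privateKey2" value="" />
      </keys>
    </encryption>
  </profiles>
  <profilesWebService siteName="MySite" keyIndex="2"
      publicKey="registry:HKLM\SOFTWARE\Microsoft\Commerce Server 2007 Keys\MySite\20060101,PublicKey"
      privateKey1="registry:HKLM\SOFTWARE\Microsoft\Commerce Server 2007 Keys\MySite\20060101,PrivateKey" />
</configuration>"""

if __name__ == "__main__":
    for name, doc in (("good", GOOD_WEB_CONFIG), ("bad", BAD_WEB_CONFIG)):
        print(name, "->", audit_web_config(doc)["problems"] or "OK")
```

Run it against the web.config copied from each server in the farm; because David's approach deploys one identical web.config everywhere, any server whose audit differs from the others has drifted. The script only checks the references, not the registry itself; whether the DPAPI-protected values actually exist under the referenced key is a separate check on each box.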
--------------------
Reply-To: "Thomas" <thomas@newsgroup.nospam>
From: "Thomas" <thomas@newsgroup.nospam>
References: <1A0B45F8-F688-4A02-AF1F-38C796FF3266@microsoft.com>
<s66scAp1GHA.396@TK2MSFTNGXA01.phx.gbl>
<A79D6D10-65D9-473B-9892-6ED5D68A7701@microsoft.com>
<Z62yQF41GHA.4548@TK2MSFTNGXA01.phx.gbl>
Subject: Re: Encryption-ERROR
Date: Fri, 15 Sep 2006 12:00:39 -0700
Lines: 190
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-RFC2646: Format=Flowed; Original
Message-ID: <#5B#HlP2GHA.480@TK2MSFTNGP06.phx.gbl>
Newsgroups: microsoft.public.commerceserver.general
NNTP-Posting-Host: 216.52.216.2
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP06.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.commerceserver.general:18437
X-Tomcat-NG: microsoft.public.commerceserver.general
Can you be more specific on how to set this up? Let's presume that I'm going
to have a CS web farm, so I presume I would want to make sure the keys are
actually stored in the config files so that all of the servers are encrypting
and decrypting with the same key.
1. Run <CS install dir>\Tools\ProfileKeyManager /kn /o
This spits out the key hash to a text file.
2. Go into the Web.Config for the site and adjust profiles like so:
<profiles>
  <userProfile>...</userProfile>
  <encryption>
    <keys keyIndex="1">
      <add type="publicKey" value="<hash value copied from the output file from step 1?>" />
      <add type="privateKey1" value="<hash value copied from the output file from step 1?>" />
      <add type="privateKey2" value="<hash value copied from the output file from step 1?>" />
    </keys>
  </encryption>
</profiles>
3. Then...? Go into the Web.Config file for profile web service and...?
<rant>
This is another example of something that should be in the installation of
the program and is documented poorly. Developers shouldn't have to go on a
witch hunt just to add a profile to the system.
</rant>
Thomas
"David Hargis [MSFT]" <davidhargis@online.microsoft.com> wrote in message
news:Z62yQF41GHA.4548@TK2MSFTNGXA01.phx.gbl...
>
> You'll need to add the same keys to web.config of the StarterSite (runtime
> site) in the profiles section. Here's an example:
>
> <profiles>
>   <userProfile
>       profileDefinition="UserObject"
>       userIdProperty="GeneralInfo.user_id"
>       organizationIdProperty="AccountInfo.org_id"
>       catalogSetIdProperty="AccountInfo.user_catalog_set"
>       userIdSource="ASP.NET"
>       userIdKey="GeneralInfo.email_address"
>       userIdTarget="GeneralInfo.user_id"/>
>   <organizationProfile
>       profileDefinition="Organization"
>       organizationIdProperty="GeneralInfo.org_id"
>       catalogSetIdProperty="GeneralInfo.org_catalog_set"/>
>   <encryption>
>     <keys keyIndex="1">
>       <add
>           type="publicKey"
>           value="registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server 2007 Keys\StarterSite,PublicKey"/>
>       <add
>           type="privateKey1"
>           value="registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server 2007 Keys\StarterSite,PrivateKey"/>
>       <add
>           type="privateKey2"
>           value=""/>
>     </keys>
>   </encryption>
> </profiles>
>
> - David
>
> --------------------
> Thread-Topic: Encryption-ERROR
> thread-index: AcbWlfikydK4cZTpT92xy4T3IFdTyw==
> X-WBNR-Posting-Host: 70.88.248.145
> From: examnotes <Xcel@discussions.microsoft.com>
> References: <1A0B45F8-F688-4A02-AF1F-38C796FF3266@microsoft.com>
> <s66scAp1GHA.396@TK2MSFTNGXA01.phx.gbl>
> Subject: RE: Encryption-ERROR
> Date: Tue, 12 Sep 2006 11:05:03 -0700
> Lines: 70
> Message-ID: <A79D6D10-65D9-473B-9892-6ED5D68A7701@microsoft.com>
> MIME-Version: 1.0
> Content-Type: text/plain;
> charset="Utf-8"
> Content-Transfer-Encoding: 7bit
> X-Newsreader: Microsoft CDO for Windows 2000
> Content-Class: urn:content-classes:message
> Importance: normal
> Priority: normal
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
> Newsgroups: microsoft.public.commerceserver.general
> Path: TK2MSFTNGXA01.phx.gbl
> Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.commerceserver.general:18389
> NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
> X-Tomcat-NG: microsoft.public.commerceserver.general
>
> David - thank you for the response.
>
> I am using the new Starter Site; however, I have not run the SampleDataImport
> since I have my own data to play with.
>
> I have implemented the keys in the profile web service, which now lets me
> save a credit card through the Business Applications. However, I am still
> generating an error when trying to Order via the web/store. If I look in the
> event viewer of the Server I am getting the following error: Error Obtaining
> Handle to Public Key Container.
>
> Please Advise.
>
> Chris...
>
> "David Hargis [MSFT]" wrote:
>
> SampleDataImport.exe
> Then
> all
> and
> rights.
>
>
>
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.