Code Deployment and Security

Salesforce B2C Commerce offers PCI compliance capabilities so that you, the merchant, can offer a secure site and online shopping experience to your customers. In addition to the standard secure connections used by your customers (that entail server authentication), you can also ensure that no code is uploaded to your online system without proper authentication of source. B2C Commerce utilizes authentication of the server performed by the client (standard SSL) and client authentication performed by the server.

Salesforce highly recommends that you make use of this level of security, but ultimately, you have the choice whether or not to activate it. To activate security surrounding the deployment of custom B2C Commerce code, there are two elements to consider. First, you must notify B2C Commerce so the proper security mechanism can be put in place for your unique system. Second, you must ready your system and your engineer's systems to respond properly to the security measures.

Authentication Measures

Before you activate the client authentication measures on B2C Commerce, you must have your in-house authentication measures in place. You must have a certificate chain for each developer working on B2C Commerce. For example, you would have a VeriSign (or similar) certificate and then a company certificate issued by VeriSign, then a user certificate issued by the company. Each workstation intended to deliver code to B2C Commerce must have client authentication credentials in place. The B2C Commerce authentication process will check these credentials whenever there is an attempt to upload code to the system. If the proper credentials are not in place on the source machine, no code will be uploaded to B2C Commerce from that machine. Get operations are not performed without a valid SSL handshake either.

For example, even if a developer uploads code to 10 B2C Commerce instances and assuming that each server uses the same logic, only one set of credentials is required.

All of these credentials are stored in a file on each development machine. This file must be placed in the Studio install directory of each machine intending to be used for uploading B2C Commerce code.

The keystore file is server connection-specific. When you create a server connection, the dialog asks for the location of the keystore file and the keystore file password. The file is used for the initial communication and then is copied into the server project directory once the project is created.