Landing pages defined for given Search term

Specify landing pages for search terms in WCS FEP2+

From FEP2+ IBM provides a feature in management center where the user can specify specific landing pages for certain keywords entered. For example,

search term                                             landing page
help                                                         HelpContactUsView

My requirement was to technically display the same view (ContentDisplayView) but with different parameters based on different search terms like for search term "Terms and Conditions" it should be ContentDisplayView?emsName=xxx where as for "privacy policy" it should be 
ContentDisplayView?emsName=yyy 

I tried to configure a relative path by passing in the parameters but it doesn't work. And then I figured out that the landing page can be an absolute URL with url query parameters like shown below

For example, instead of ContentDisplayView as the landing page, you can have http://hostname/webapp/wcs/stores/servlet/ContentDisplayView?storeId=nnn&catalogId=xxx&emsName=zzz

This solves my requirement of associating the same landing page with different search terms and different URL parameters.

reference
http://pic.dhe.ibm.com/infocenter/wchelp/v7r0m0/index.jsp?topic=%2Fcom.ibm.commerce.developer.doc%2Fconcepts%2Fcsdsearchindexschema.htm

Snapshot of high level concepts of Oracle DB for WCS Commerce Developer

Commerce Developer : Working with ORACLE

As a commerce developer working with Oracle back end, it is very important to have good understanding of SQL.

I am not a DBA, but the way I have learned was to started with basic Insert/Update/Delete, Select commands and using group by, order by
but progressively learned some handy SQL commands.

Refresh local schema for development.
I would use the script below for creating tablespace/schema/assign grants and import schema. Replace wcsatdev with the schema name of your choice.

drop tablespace atdata including contents and datafiles;
drop tablespace atindx including contents and datafiles;

create tablespace atdata
datafile 'C:\oracle\product\ORCL10G\atdata_01.dbf' size 250m reuse autoextend on;

create tablespace atindx
datafile 'C:\oracle\product\ORCL10G\atindx_01.dbf' size 250m reuse autoextend on;

drop user wcsatdev cascade;

create user wcsatdev identified by wcsatdev
default tablespace atdata
temporary tablespace temp
quota unlimited on atdata
quota unlimited on atindx;

grant connect,resource,create materialized view to wcsatdev;

grant create view to wcsatdev;

grant create synonym to wcsatdev;

create or replace directory dpdumpdir as 'C:\projects\db';

create or replace directory dplogdir as 'C:\projects\db';

GRANT READ, WRITE ON DIRECTORY DPDUMPDIR TO wcsatdev;

GRANT READ, WRITE ON DIRECTORY DPLOGDIR TO wcsatdev;

Using data pump in Oracle 10g, faster way to import.
impdp system/oracle@orcl10g dumpfile=DPDUMPDIR:export.dmp logfile=DPLOGDIR:from_wcsatdev_10g.log REMAP_SCHEMA=from_schema:to_schema PARALLEL=8 CONTENT=ALL



When ever you have a larger database on your local database, it is a good idea to run DB stats once in a while to improve performance.

exec dbms_stats.GATHER_SCHEMA_STATS(ownname=>'WCSATDEV',estimate_percent=>dbms_stats.auto_sample_size, CASCADE=>TRUE, DEGREE=>4)

Where degree will invoke the 4 parallel slaves, cascade is required for indexes.

Size of the Tables: Run this command in the schema

select SEGMENT_NAME,sum(BYTES)/(1024) size_in_kil from user_extents where segment_type='TABLE' group by SEGMENT_NAME order by size_in_kil desc;


Dropping Stage prop Triggers: Stage prop is a completely new discussion but on my local I run this for better performance.

set pages 0 lines 100 ;
spool drop_trigger1.sql ;
select 'drop trigger '||trigger_name||' ;' from user_triggers where trigger_name like '%STG_%' or trigger_name = 'STGLOG_STGRESERVED1' ;
spool off;
@drop_trigger1.sql;



Issues and Fixes:

java.sql.SQLException: ORA-01000: maximum open cursors exceeded

check for this. select count(*) from v$open_cursor;

Login with system previleges and type show parameter OPEN_CURSOR

Alter cursors
ALTER SYSTEM SET OPEN_CURSORS=4000 SCOPE=BOTH;

Soln: restart DB


Error: ORA-12514: TNS: listener does not currently know of service requested in connect descriptor.

I made these changes and since then i did not see the problem.
ORACLE_HOME\network\admin\listener.ora, Please look for HOST and change that to
HOST=Windows hostname
ORACLE_HOME\network\admin\tnsnames.ora
For the 10g local instance tnsentry: give localhost instead of the windows hostname
HOST=localhost

Sources: Raj Sangavi

Extending OOB framework for frontned error handling !!

Out of the box these 2 are good Articles:

http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/topic/com.ibm.commerce.developer.doc/concepts/csdcommanderror.htm

http://publib.boulder.ibm.com/infocenter/wchelp/v6r0m0/topic/com.ibm.commerce.developer.doc/concepts/csdjsperror.htm

Essentially there are following elements:
1. ECSystemException and ECApplicationException classes, that are used to throw exceptions from inside the controller.
2. Extending the ECMessage and ECMessageKey
3. The errors are intercepted by the ExtStoreErrorDataBean and mapped to resource bundles
4. Errors are displayed in JSP.

Define the property in ExtMessages_en_CA.properties (
_ERR_RESTRICTED_PROD = This item is restricted for delivery.


Extending ECMessage and ECMessageKey:

public interface EXTMessageKey extends ECMessageKey{
public static final String _ERR_RESTRICTED_PROD = "_ERR_RESTRICTED_PROD";

public static final String _ERR_MAX_NUM_OF_OF_CARTS_REACHED = "_ERR_MAX_NUM_OF_OF_CARTS_REACHED";

}

public class EXTMessage extends ECMessage{
//this file structure needs to be created inside toolkit properties folder
for com/ext/common/messages/EXTMessages.propertie

public final static String EXT_MESSAGES_RESOURCE_BUNDLE = "com.ext.common.messages.EXTMessages";

// final constants
public static final int USER = ECMessageType.USER;
public static final int SYSTEM = ECMessageType.SYSTEM;

// message severities
public static final long ERROR = ECMessageSeverity.ERROR;
public static final long WARNING = ECMessageSeverity.WARNING;
public static final long STATUS = ECMessageSeverity.STATUS;
public static final long INFO = ECMessageSeverity.INFO;

public EXTMessage(long msgSeverity, int msgType, String msgKey)
{
super(msgSeverity, msgType, msgKey, EXT_MESSAGES_RESOURCE_BUNDLE);
}

//system
public static final EXTMessage _ERR_MAX_NUM_OF_OF_CARTS_REACHED = new EXTMessage(ERROR, SYSTEM, EXTMessageKey._ERR_MAX_NUM_OF_OF_CARTS_REACHED);

public static final EXTMessage _ERR_PROCESSING_REQUEST = new EXTMessage(ERROR, SYSTEM, EXTMessageKey._ERR_PROCESSING_REQUEST);

//user
public static final EXTMessage _ERR_LOGIDPWDPSID_NOT_PRESENT = new EXTMessage(ERROR, USER, EXTMessageKey._ERR_LOGIDPWDPSID_NOT_PRESENT);

public static final EXTMessage _ERR_RESTRICTED_PROD = new EXTMessage(ERROR, USER, EXTMessageKey._ERR_RESTRICTED_PROD);
}


In the controller command, The error needs to be thrown as an exception for example:

throw new ExtendedApplicationException( EXTMessage._ERR_RESTRICTED_PROD,
CLASSNAME,
METHOD_NAME,
ORDER_SHOP_CART_VIEW,
true);

Developer overview on Access Control Policies !!

There are 2 levels of access controls provided for WebSphere Commerce.
1. WAS protects EJB's and Servlets.
2. WebSphere Commerce provides low level fine grained access control  framework based on access control policies to various types of users (registered/guest/customer service rep/sales managers).
and
3. It is always recommended to guard a WebSphere Commerce Server is always by a Firewall that will help internet clients from not being able to directly access resource in WebSphere Commerce.

WebSphere Application Server layer security and access control: 

1. Servlets and EJB's are configured to be invoked only by a chosen identity through declarative security and hence during EJB creation, we select use identity of EJB server and using identity of EJB server field ensures that all EJB beans run under the same identity for security.
2. WAS provides multiple security features such as 1. Global Security. 2. security domains can be configured with different scope 3. WAS utilizes SSL for secure connection between client and server and hence any third party integration's requires certificates to be installed. 4. In cases where standard authentication is not sufficient, WAS supports JAAS for higher level of security.

WebSphere Commerce Access Control Framework: Authorization model

Info center provides a good read on users/actions/resources//relationships but i am going to start with the practical case. There are always cases when we need to implement a custom access policy but most of the times, when adding access control in *ACP.xml. There are 2 levels of access control

•    Command Level access control
•    Resource Level access control

"Access control policies are enforced by the access control Policy Manager. 

In general, when a user attempts to access a protected resource, the access control policy manager first determines what access control policies are applicable for that user 

and then, based upon the applicable access control policies, it determines if the user is allowed to perform the requested operation on the given resource".

Most developers need to get the basic view and command level entries right, which is explained below and only on few times, would get an opportunity to implement custom access policy.

1. We create actions for views and commands
<Action Name="ABCItemExtView" CommandName="ABCItemExtView" />
<Action Name="ABCSyncPersonControllerCmd" CommandName="ABCSyncPersonControllerCmd" />
<Action Name="com.custom.soi.member.commands.ABCSyncPersonControllerCmd" CommandName="com.custom.soi.member.commands.ABCSyncPersonControllerCmd"></Action>
2. Assign actions to action groups as ActionGroupAction for views 
E.g. action groups
<ActionGroup Name="ProductManagersViews" OwnerID="RootOrganization">

<ActionGroup Name="AllSiteUsersViews" OwnerID="RootOrganization">

<ActionGroup Name="RegisteredUserViews" OwnerID="RootOrganization">
<ActionGroup Name="CustomerServiceRepresentativeViews" OwnerID="RootOrganization">
Assignment example:
<ActionGroup Name="ProductManagersViews" OwnerID="RootOrganization">
      <ActionGroupAction Name="ABCItemExtView"/>

     </ActionGroup>

<ActionGroup Name="RegisteredUserViews" OwnerID="RootOrganization">
       <ActionGroupAction Name="ABCSyncPersonControllerCmd" />
</ActionGroup&gt

3. Creating resource categories for commands
ResourceBeanClass="com.custom.soi.member.commands.ABCSyncPersonControllerCmd">

4. Assigning resource category to resource groups for commands as ResourceGroupResource
e.g. Resource groups
<ResourceGroup Name="AllSiteUserCmdResourceGroup" OwnerID="RootOrganization">
<ResourceGroup Name="CustomerServiceRepCmdResourceGroup" OwnerID="RootOrganization">
<ResourceGroup Name="RegisteredUserCmdResourceGroup" OwnerID="RootOrganization">

<ResourceGroup Name="BecomeUserCmdsResourceGroup" OwnerID="RootOrganization">
Assignment example:
<ResourceGroup Name="AllSiteUserCmdResourceGroup" OwnerID="RootOrganization">
<ResourceGroupResource Name="com.custom.soi.member.commands.ABCSyncPersonControllerCmdResourceCategory" />
</ResourceGroup>

Run acpload or in V7, dataloader will take care of it as it would internally run the ACPLoad
CMD:
select * from acresgrp where acresgrp_id in
(
select acresgrp_id from acresgpres where acrescgry_id =
(select acrescgry_id from acrescgry where resclassname like '%ABCSyncPersonControllerCmd%')
)

VIEWS:
select * from acpolicy where acactgrp_id in (select acactgrp_id
from acactactgp where acaction_id
in (select ACACTION_ID from ACACTION where ACTION = 'ABCItemExtView'))

select groupname from ACACTACTGP a, ACACTGRP b where acaction_id = (select acaction_id from ACACTION where action like '%ABCItemExtView%')
and a.acactgrp_id = b.acactgrp_id


Reference:
http://pic.dhe.ibm.com/infocenter/wchelp/v7r0m0/index.jsp?topic=/com.ibm.commerce.data.doc/refs/rdmattrdict.htm

Acronyms:
WAS: WebSphere Application Server
SSL : Secure Socket Layer
JAAS: Java Authenticating and Authorization services

Optimistic locking implementation in Websphere Commerce (WCS)

Optimistic locking implementation in EJB

If you are using EJB's in WCS and optimistic locking avoids database deadlocks and helps lower locks placed on the database and allows more applications to run concurrently against the database.Optimistic locking is implemented by creating OPTCOUNTER column for each table.

1) Add OPTCOUNTER column in the table and optCounter CMP field with unchecked getter\setter methods option in creating new field in CMP bean.
2) Map the table OPTCOUNTER to the optCounter field as a CMP managed field, I see this step missing for all EJB's currently implemented so I did not add optCounter mapping either for the new EJB.
3) Adding this.initializeOptCounter(new XCustomKey(this.customId))  in ejbCreate method()
4) Adding optimistic locking in DeploymentDescriptor --> Bean tab, by checking the Concurrency Control (Enable Optimistic locking)
 5) Adding triggers for optCounter and also a file to add these.

CREATE or REPLACE TRIGGER perf_xcustom_1 before update ON XCUSTOM for each row
WHEN ((new.optcounter is null) or (new.optcounter = old.optcounter))
begin if (:old.optcounter < 32767) then :new.optcounter := :old.optcounter + 1; else :new.optcounter := 1; end if; END;

From Infocenter explanation for implementing trigger:
For optimistic locking to work properly, every query that updates a database table row must increment the OPTCOUNTER column value, or reset it to 1 when the current value is 32767. The WebSphere Commerce server uses this technique. However, if database table rows are updated by other code or manual procedures that do not update the OPTCOUNTER column values, then the database triggers defined in the WC_installdir/schema/db_type/wcs.perf.trigger.sql (where db_type is the database type (DB2, Oracle)) schema files ensure that the OPTCOUNTER column values are incremented properly.

Reference:
http://pic.dhe.ibm.com/infocenter/wchelp/v7r0m0/topic/com.ibm.commerce.admin.doc/concepts/cpmoptlock.htm

Integrating BING MAPS (NOT google maps) with WCS v7

Bing provides an interesting to alternative to Google maps for integration and if you want to integrate using Jquery. Please copy paste the example in a .html file and test it with a zip-code or city.

The key that I have in the example below will expire in 90 days so please use the below link to create a new key:
http://www.microsoft.com/maps/

Copy the below section after this line in a .html  file:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Use Bing Maps REST Services with jQuery to build an autocomplete box and find a location dynamically</title>
    <script src="http://ajax.aspnetcdn.com/ajax/jquery/jquery-1.5.1.js" type="text/javascript"></script>
    <script src="http://ajax.aspnetcdn.com/ajax/jquery.ui/1.8.10/jquery-ui.js" type="text/javascript"></script>
    <link href="http://ajax.aspnetcdn.com/ajax/jquery.ui/1.8.10/themes/redmond/jquery-ui.css" rel="stylesheet" type="text/css" />
    <style type="text/css">
        .ui-autocomplete-loading
        {
            background: white url('images/ui-anim_basic_16x16.gif') right center no-repeat;
        }
        #searchBox
        {
            width: 25em;
        }
    </style>

    <script type="text/javascript">
        $(document).ready(function () {
            $("#searchBox").autocomplete({
                source: function (request, response) {
                    $.ajax({
                        url: "http://dev.virtualearth.net/REST/v1/Locations",
                        dataType: "jsonp",
                        data: {
                            key: "AlJKmxkiJg2u0CIDEyaTM6CWC9jQ_q1pf4_xzxPdEJoaT_KsgKRy73ksHyl24oe5",
                            q: request.term
                        },
                        jsonp: "jsonp",
                        success: function (data) {
                            var result = data.resourceSets[0];
                            if (result) {
                                if (result.estimatedTotal > 0) {
                                    response($.map(result.resources, function (item) {
                                        return {
                                            data: item,
                                            label: item.name + ' (' + item.address.countryRegion + ')',
                                            value: item.name
                                        }
                                    }));
                                }
                            }
                        }
                    });
                },
                minLength: 1,
                change: function (event, ui) {
                    if (!ui.item)
                        $("#searchBox").val('');
                },
                select: function (event, ui) {
                    displaySelectedItem(ui.item.data);
                }
            });
        });

        function displaySelectedItem(item) {
            $("#searchResult").empty().append('Result: ' + item.name).append(' (Latitude: ' + item.point.coordinates[0] + ' Longitude: ' + item.point.coordinates[1] + ')');
        }
    </script>
</head>
<body>
    <div>
        <div class="ui-widget">
            <label for="searchBox">
                Search:
            </label>
            <input id="searchBox" />
        </div>
        <div id="searchResult" class="ui-widget" style="margin-top: 1em;">
        </div>
    </div>
</body>
</html>

OWASP TOP 10, How WCS OOB addresses these vulnerabilities or provides frameworks to help

How WCS OOB addresses these vulnerabilities or provides frameworks to help.

The goal of this blog is to explain how the OWASP top 10 are protected in WCS out of the box.

OWASP (Open Web Application Security Project)is used to educate web application architects\developers\testers\managers regarding the most common security vulnerabilities.

Always abide these common security principles:
Accept known good.
Default Deny.
Principle of least privileges.
Using Layered Security or Defense in Depth.

The OWASP Top 10 is a list updated by OWASP every year of the top 10 security risks.

A1 - Cross Site Scripting (XSS)
A2 - Injection Flaws
A3 - Malicious File Execution
A4 - Insecure Direct Object Reference
A5 - Cross Site Request Forgery (CSRF)
A6 - Information Leakage and Improper Error Handling
A7 - Broken Authentication and Session Management
A8 - Insecure Cryptographic Storage
A9 - Insecure Communications
A10 - Failure to Restrict URL Frequently,

A1: XSS is caused by vulnerabilities such as introduce worms,hijack sesssions, etc in the sites that allow user supplied data that is not encoded and validated properly.

WCS Protection:
In wc-server.xml starting 6.0.0.4 the XSS could be specified at every module
and prohibited characters can be specified in the list.
It is a good to have a whilte list for input validation and there is a black list in wc-server.xml for restricting.
e.g.
<XSiteScriptingProtection
display="false"
enabled="true" name="Cross Site Scripting Protection">
<ProhibitedAttrs display="false"/>
<ProhibitedChars display="false">
<Character
display="false" name="&lt;SCRIPT"/>
<Character
display="false" name="&lt;%"/>
<Character
display="false" name="&amp;lt;%"/>
<Character
display="false" name="SCRIPT>"/>
<Character
display="false" name="&amp;lt;SCRIPT"/>
<Character
display="false" name="JAVASCRIPT:"/>
<Character
display="false" name="&amp;#x73;&amp;#x63;&amp;#x72;&amp;#x69;&amp;#x70;&amp;#x74;"/>
</ProhibitedChars>

it provides the input validation framework that can be used to validate the input text by regular expressions.

In JSP you can use the UIUtil to validate:
<%@page import="com.ibm.commerce.tools.util.UIUtil"%>
<%=UIUtil.toJavaScript(java.lang.String.valueOf(pageContext.getAttribute("storeId")))%>

It is always recommended to validate data on the server side, client side validation can be broken by hackers.


A2 - Injection Flaws could result in is caused modifying, deleting or viewing unauthorized data.when user specified data is passed to SQL interpreter as a command.

WCS Protection:In WCS and J2EE in general using prepared statements with specific parameters and validating the parameters is a generally used practice.
Dynamic query front end should be minimized for customer facing applications.

A3 - Malicious File Execution could result in server compromise and virus attacks and this is caused by Remote file inclusion and remote code execution that allows applications to accept files that could result in include hostile files and data.

WCS Protection: WCS being a J2EE App is executed in a JVM run by a sandbox protected by a security manager. It is very important to configure the security manger and the app is demanding permissions appropriately.
Strong user input validation helps even this vulnerability.
Firewalls for web servers should be protected and have a exact or a whitelist of ports and IP addresses that it can allow connections from.
At the OS level, a good idea to segment the file system in production and having an appropriate demarcation.


A4 - Insecure Direct Object Reference could cause unauthorized access to data and files hosted in a web application and this is caused by having direct references such as file, directory, a database key such as orderId, userId exposed in the web application html code or cookies.

WCS Protection:: It has Access controls in place for protection when exposing database keys OrderId,UserId..etc. It has a cookie WC_AUTHENTICATION_148499839 and the value is appended with a uniquely generated code.
148499839%2csFggXZ6m06QiSRLRI9c8DuYlQPc%3d
Access controls for commands and views are protected in commerce by a ACPolicy.xml and all custom commands\views\resources should be correctly defined in these files.

A5 - Cross Site Request Forgery (CSRF): It could compromise the authorized users data and using his credentials exploit other system vulnerabilities as an authorized user. This is mainly caused by remotely taking control of user's session and forging requests from the victim's browser.
XSRF could use the XSS vulnerability to exploit other system vulnerabilities.
Each request a valid unique token that is passed back and forth.

WCS Protection: WCS offers out of the box protection against this vulnerability starting with WCS FixPack 6.0.0.8.
Please find below the configuration and code required to address. The action needs to be updated in struts-config-ext.xml with csrfProtected attribute.

<action parameter="com.ibm.commerce.usermanagement.commands.UserRegistrationUpdateCmd" path="/UserRegistrationUpdate" type="com.ibm.commerce.struts.BaseAction"><set-property property="https" value="0:1"><set-property property="authenticate" value="0:0">
<set-property property="csrfProtected" value="10101:1">
</set-property>
# Edit the JSP file that invokes this action to include the authToken URL parameter.
For example:
<input name="authToken" value="${authToken}" id="WC_UserRegistrationUpdateForm_FormInput_authToken_In_Register_1" type="hidden">

Do use HTTP Post when sending sensitive data.
WCS also has configurable transaction LoginTimeout in wc-server.xml.

A6 - Information Leakage and Improper Error Handling: It could result in powerful attacks and the web application details such as configuration information, internal workings, etc can be leaked via html outputs or long error messages

WCS Protection: Out of the box provides ECApplicationException and ECSystemException and it allows all the errors generated to be forwarded to a common view.
The detailed messages can be disabled and commerce provides a framework to define user friendly messages for these exception using ECMessage and ECMessageHelper.
Making sure all the coders follow the common exception flow handling.
Also if you are using custom logging framework make sure all the sensitive data is masked in the logs.
This framework and exceptions can be extended to incorporate custom features. Some websites also tend to send the user back to home page on any system exception.


A7 - Broken Authentication and Session Management, this vulnerability could lead to breaking into user\admin passwords and also violating privacy laws. This is caused by flaws in authentication mechanisms and poor session management.

WCS Protection: It uses one way hash for the password protection and it protects the passwords from being decrypted.
WCS Commerce admin console provides an interface to define password policy and account policy and this policy is configurable and can be modified on a periodical basis.
WCS allows configuration using struts configuration to define URL's that require authentication.
WCS uses secure authentication cookie (WC_AUTHENTICATION_ID) to manage authentication data
All administrative functions are hosted on applications such as Accelerator\Admin Console\Org admin console and these are open on ports 8000,8002,8004. These ports should not be open to internet and all these users who have access to these internal applications should be governed by good password and account policies just like external users.


A8 - Insecure Cryptographic Storage
This could lead to compliance violations such as PCI and also sensitive data such as credit card information could be leaked. This is mostly caused by weak cryptographic algorithms and the key management.


WCS Protection:
WCS uses strong triple DES algorithm for encryption. That meets the PCI DSS standards.
WCS also provides KLF framework to change the encryption key periodically and allows to re encrypt the sensitive data using the new key.
Do not create new cryptographic algorithms use standard API e.g. bouncycastle.
Store private keys with extreme care.


WCS out of the box introduces keyword krypto on protected sensitive information.

e.g. Out of the box in wc-server.xml
<ProtectedParameters name="Protected Parameters">
<Parameter display="false" name="cardNumber"/>
<Parameter display="false" name="password"/>
<Parameter display="false" name="passwordVerify"/>
<Parameter display="false" name="passwordOld"/>
</ProtectedParameters>

Also there are 2 other elements that should be defined appropriately ProtectedMultiValuedParameters and NonEncryptedParameters

A9 - Insecure Communications
This would result in compliance failures and could expose the private data for spoofing.
This is resulted from not using encrypted network traffic. Opening your webservers to a limited blacklists of Port and IP Addresses.

WCS Protection:
Using SSL when transmitting sensitive data can be achieved by configuring the corresponding actions and views
e.g.
<set-property property="authenticate" value="0:1"/>
<set-property property="https" value="0:1"/>

For back end applications communicating with external applications, make sure the firewall is opened for specific IP Addresses any communication required.

A10 - Failure to Restrict URL Frequently, could result in exposing a certain function or data to unauthorized users. This could be resulted from not having access control checks to protect resources\urls

WCS Protection: out of the box offers access control mechanism and also roles for segmenting authorized content. The access control matrix should be included as a apart of the design and development and URL's and Actions are appropriately protected.

The access control framework: It divides Views and Commands that require authentication and authorization is handled by the access control policies.


This was the list from earlier to 2010.

2010 has a couple more vulnerabilitiesA10:

Unvalidated Redirects and Forwards

Add a URLRedirectFilter element in the Module element as shown in the following example:
<module contextpath="/webapp/wcs/stores" fileservletenabled="false" name="Stores" urlmappingpath="/servlet" webalias="/wcsstore">
<initparameters adapters="XML/HTTP, BrowserAdapter" contextsetname="Store" handledoubleclick="true">
<urlredirectfilter enable="true">
<allowedhost name="www.mycompany1.com">
<allowedhost name="www.mycompany2.com">
<alloweddomain name="mycompany3.com">
</alloweddomain>
</allowedhost>

A6: Security Misconfiguration :

Applying the latest patches at OS\DB\Application server and Commerce server and making sure the security configuration is correctly done.



ref:
http://www.owasp.org/index.php/Main_Page

DB Clean which Can impact the performance of overall site

DB Clean:
In my opinion next to Dynacache\EdgeCaching strategies for a site. I would consider DB Clean a very important aspect of improving site performance for WCS. It would also prevent any junk car issues.

Out of the box, commerce provides a table for adding these queries CLEANCONF table, which is good enough for most basic queries for complex cleanup operations, it is very important to use store procedures.

High Level commerce deletes required for
1. Address
2. CtxMgmt
3. Guest users
4. Orders
5. Schedulers
6. Staglog
7. CustomData

e.g.
insert into cleanconf (OBJECTNAME, TYPE, STATEMENT, NAMEARG, SEQUENCE, DAYSARG)
values (
'activity', 'remove-obsolete-ctxmgmt',
'delete from ctxmgmt where lastaccesstime < (sysdate - ?)',
'no', 1, 'yes');

Crontab utility in unix/solaris can be used to schedule these jobs. Usually it is very important to wrap this in a shell script and use some logging and also capture the PID, if you need to kill a process.

Testing tool intgeration with Websphere Commerce(WCSv7) : Rspec, Cucumber, Selenium, Watir & Buzz around BDD, TDD

I will soon have an article on building a front end store using ROR for Websphere commerce and it will be really useful to automate the test scripts using RSpec and one of the automation tools out there.

This is meant to be 101 for these concepts and I have added links below for deep diving.

BDD and TDD are paradigms essentially bringing the prominence of writing test cases before development and also making it easier on non coders to understand the test cases.

TDD: Test driven development
1. Writing automated test scripts before actually starting to write codes.
2. It is a great idea using any programming language but traditionally development with languages such as Java was pretty high hence it was skipped as the larger development life cycle was blamed for it.
But It makes great sense for using this approach for ROR (Ruby).
3. Test driven development brings lot of clarity to the design in the very early stage of the development cycle.

e.g.

BDD: Behavior Driven Development
1. It extends the concept of the TDD and takes it one level further as it makes writing test scripts in a very expressive way and no programmatic way.
2. It really helps non programmers (BA, QA, PM) to understand the test cases as they are expressed in a simple English like language.
3. Using 'should' when describing the behavior of software to help clarify responsibility and questioning the requirements.
4. Using 'ensure' when describing responsibilities of software to differentiate outcomes in the scope of the code in question from side-effects of other elements of code.
5. Using mocks to stand-in for collaborating modules of code essentially stubbed out without the actual implementation.

e.g. RSPec, Cucumber

Selenium: Selenium IDE and Selenium RC. (Remote Control)

Selenium IDE provides automated way of recoding tests from a Firefox plug in and it has a powerful feature to validate tests by providing several commands to assert the results. It also provides a powerful mechanism to export the test case into a programming language such as Java, Ruby (RSpec),Perl, .etc.

Selenium RC: is a tool that allows you to launch browser sessions and run Selenium tests against those browsers.
To do this, the Selenium RC server acts as an intercepting proxy for the browser

Selenium-IDE does not directly support:

* condition statements
* iteration
* logging and reporting of test results
* error handling, particularly unexpected errors
* database testing
* test case grouping
* re-execution of failed tests
* test case dependency
* screenshot capture of test failures

Flash is not supported as a part of the Selenium-IDE but there is a flash extension for Selenium Flash and it also requires changing the actual Flash action scripts to add methods to be called from Selenium. It is not a very good practice.

The results from the tests can be verified by connecting from the database.

Watir: Watir is automated testing framework. It does not have a IDE of it's own but there is a testwide recorder that can be used. A combination of RSpec and Watir really makes very readable test scripts. It offers Flash support on firefox but I could not find a lot of documentation around this. So I have my doubt's around automating Flash components.

Cucumber is designed to allow you to execute automated integration tests. It is a tool for implementing Behavior Driven Development.It can work in Conjecture with Rspec.

Each feature is expressed as a Give\When\Then

Given: Preconditions to be filled.
When: This section defines what feature does (i.e., the behaviour, the steps).
Then: Testable out come that can be validated.

Introduction on Websphere MQ

Good explanation !!

Reference: IBM Education support team tv !!

IBM WCS v7 (WAS) integration with IBM WebSphere Message Broker V7.0

A great material from IBM education team !!

Source : IBM Support team tv

Enabling Store Enhancement feature for WCS v7

Enabling Store Enhancement feature for WCS v7

Table of Contents

1.0         Enabling starter store enhancements. 1

2.0         Before you begin. 3

3.0         Steps to follow: 6

4.0         What to do next 13

5.0         Troubleshooting: WebSphere Commerce feature pack issues. 14

Reference: 16

Note: This document only summarizes the steps of configuration for more details do select the selected URL with CTRL+Click from keyboard.

1.0       Enabling starter store enhancements

After you install the feature pack, you must enable the starter store enhancements feature to take advantage of the store features.

After you enable the starter store enhancements feature, the following store archive (.sar) files are available for publishing:

• MayUJoy starter store (MayUJoy.sar)

Provides all the pages and features necessary for a functioning consumer direct online store for the Chinese market.

• Brazil starter store (Brazil.sar)

Provides all the pages and features necessary for a functioning consumer direct online store for the Brazilian market.

• Madisons starter store enhancements (MadisonsEnhancements.sar):
• Remote widgets store enhancements
• Digital wallet functionality
• Coshopping functionality
• Search integration
• Subscriptions and recurring orders
• Support for Management Center price lists and price rules
• Store pages that are tagged with the latest set of WebSphere Commerce analytics tags for IBM Digital Analytics, formerly known as Coremetrics Analytics
• e-Marketing Spots that support dynamic recommendations from IBM Product Recommendations, formerly known as Coremetrics Intelligent Offer
• Dynamic kit integration with Sterling Configurator
• Facebook integration
• Elite starter store enhancements (EliteEnhancements.sar and EliteStorefrontAssetStore-FEP.sar):
• Search integration
• Store pages that are tagged with the latest set of WebSphere Commerce analytics tags for IBM Digital Analytics, formerly known as Coremetrics Analytics
• e-Marketing Spots that support dynamic recommendations from IBM Product Recommendations, formerly known as Coremetrics Intelligent Offer
• Dynamic kit integration with Sterling Configurator
• Madisons mobile enhancements (MadisonsMobileEnhancements.sar):
• Mobile starter stores for smartphone and tablet devices:
• Mobile web starter stores
• Mobile applications for Android and iOS
• Aurora starter store (Aurora.sar):
• IBM Tealeaf Customer Experience integration
• e-Marketing Spot and wish list feeds
• Click-to-edit function
• Advanced Search page
• Support for Dojo 1.8
• Hebrew language translation
• Tolerance for tablet devices
• Product-specific swatch images

Note: There are no enhancement store archive (.sar) files for the Aurora starter store. To obtain the latest Aurora store features for a specific feature pack, republish the Aurora.sar file after you install the feature pack and enable starter store enhancements.[VT1] 

• Aurora mobile enhancements (AuroraMobile.sar):
• Mobile starter stores for smartphone and tablet devices:
• Mobile web starter stores
• Mobile applications that use IBM Worklight

2.0     Before you begin

1)    Ensure that you are logged on as the WebSphere Commerce non-root user.

2)    Ensure that you are logged on as a user that has *SECOFR authority.

3)    Review the prerequisite steps in Enabling features.

2.1  Enabling features After you install a WebSphere Commerce feature pack, you can enable any of the included features to enhance your WebSphere Commerce instance. Before you begin Each WebSphere Commerce feature pack contains features that you can enable. In the runtime environment, to enable the features included in the WebSphere Commerce feature pack, you must have a WebSphere Commerce instance created. In a staging environment, ensure that you run the stagingprop utility before you enable features. In a staging environment, both the staging and production servers must satisfy the following condition: The WebSphere Commerce application and the WebSphere Commerce database are at the same feature pack level. Back up your database. Refer to your database user manual for information on backup and restore procedures.  It is recommended that you use the latest DB2 fix pack available for your DB2 version.  There are issues that are related to database schema creation when you use DB2 V9.7 Fix Pack 5 or later. See: Database schema creation might fail on DB2 V9.7 Fix Pack 5 (or later) when you install or upgrade from a WebSphere Commerce version older than V7.0.0.6   Important: If you plan to use DB2 Version 9.7 database, you must change the development database type before you enable features.  If you have custom table spaces, you must ensure that the SQL files that rely on the table spaces are modified to reference the names of your custom table spaces. Depending on the feature pack level you have installed, modify one or more of the following files:  WC_installdir/components/foundation/schema/fep1/db2/wcs.schema.foundation.sql  WC_installdir/components/foundation/schema/fep2/db2/wcs.schema.foundation.sql  WC_installdir/components/foundation/schema/fep3/db2/wcs.schema.foundation.sql  WC_installdir/components/foundation/schema/fep4/db2/wcs.schema.foundation.sql  WC_installdir/components/location-services/schema/fep4/db2/wcs.schema.location-services.sql  WC_installdir/components/foundation/schema/fep5/db2/wcs.schema.foundation.sql  WC_installdir/components/foundation/schema/fep6/db2/wcs.schema.foundation.sql In each applicable SQL file, you must change any table space references so that they point to your custom table spaces. Feature packs are cumulative, so if you are on a later feature pack, files for lower-level feature packs will already be present on your system and will need to be modified.  Ensure that you have all of your changes checked into software configuration management (SCM).  Disconnect SVN before feature enablement. It can be re-enabled after feature enablement is complete.   Ensure that Windows Indexing and Windows Search services are disabled. If these services are enabled they can prevent the clean-up of working directories, which can cause feature disablement to fail About this task If you enable a high-level feature, lower-level features are enabled automatically. The following table shows the dependencies between the features. Functional area When you enable this feature... These dependent features are automatically enabled  Location-based services  location-services ·         management-center ·         foundation Store enhancements Includes: ·          Remote widgets ·          Coshopping functionality ·          Search integration ·          Subscriptions and recurring orders ·          Price rules and price lists ·          IBM Product Recommendations, formerly known as Coremetrics Intelligent Offer ·          Dynamic kit integration with Sterling Configurator ·          Search engine optimization (SEO) store-enhancements ·         management-center ·         foundation  Content versioning  content-version ·         management-center ·         foundation Management Center management-center ·         foundation WebSphere Commerce foundation foundation Procedure Enable one or more features (FP 4 onwards):  WebSphere Commerce foundation  Management Center  Starter store enhancements  Content Versioning  Location-based services[VT2]  NOTE: For more details follow the Hyperlink by CTRL+Click on eeach link above  Note: Any features that are enabled before you run the setdbtype command must be re-enabled.

4)    Ensure that the test server is stopped and that Rational Application Developer is not running.

5)    Ensure that your administrative server is started. For example:

o    If WebSphere Commerce is managed by WebSphere Application Server Deployment Manager (dmgr), start the deployment manager and all node agents. Your cluster can also be started.

o    If WebSphere Commerce is not managed by dmgr, start the WebSphere Application Server server1.

6)    Determine how you are going to deploy the WebSphere Commerce search server:

Deploying the WebSphere Commerce search server locally (standard deployment mode)

Deploys the search server locally on a separate application server profile. This method enables the WebSphere Commerce server to statically bind to the local dedicated search server and avoid outgoing network communications to a remote machine.

Deploying the WebSphere Commerce search server remotely (advanced deployment mode)

Deploys the search server remotely, depending on your environment. It prepares the deployment package to copy and run the deployment scripts on a remote search machine, where a search profile and web module is deployed.

Note:

To support personalization in remote widgets and feeds, persistent sessions and personalization ID must be enabled. When you run the enablement script, the script checks the WebSphere Commerce configuration file for the current settings:

	Enabled	Disabled
Persistent sessions	The script does not change the setting.	The script enables persistent sessions. The script sets the Cookie expiry (days) value to -1. As a result, sessions do not persist because the number of days is a negative number. To persist sessions, change the Cookie expiry (days) value to a positive number of days.
Personalization ID	The script does not change the setting.	The script enables personalization ID.

3.0       Steps to follow:

1. Complete one of the following tasks:
• Log on as a WebSphere Commerce non-root user.
• Log on with a user ID that is a member of the Windows Administration group.
• Log on with a user profile that has *SECOFR authority.
2. Go to the following directory:
• WC_installdir/bin
• WCDE_installdir\bin
3. As the WebSphere Commerce non-root user, increase the file handle limit.
• Increase the file handle limit with the command: ulimit -n 8192
• As the root user grant USE authority to the non-root user. Switch to the non-root user and issue the command: ulimit -n 8192. You can also issue the command as the root user, then switch to the non-root user.
4. Run the enablement script. Running the starter store enhancements enablement script also enables the Management Center feature. That is, if the Management Center feature is disabled, it is enabled after you run the starter store enhancements enablement script.
• config_ant.bat -buildfile WC_installdir/components/common/xml/enableFeature.xml -DinstanceName=instance_name -DfeatureName=store-enhancements -DdbUserPassword=db_password [-DdbaPassword=dba_password] [-DSolrWASAdminUser = solr_wasadminuser] [-DSolrWASAdminPassword =solr_wasadminpassword] [-Dscchost=HostForScheduledJobs] [search_server_config] [-DsearchPort=searchPort]
• ./config_ant.sh -buildfile WC_installdir/components/common/xml/enableFeature.xml -DinstanceName=instance_name -DfeatureName=store-enhancements -DdbUserPassword=db_password [-DSolrWASAdminUser = solr_wasadminuser] [-DSolrWASAdminPassword = solr_wasadminpassword] [-Dscchost=HostForScheduledJobs] [search_server_config] [-DsearchPort=searchPort]
• ./config_ant.sh -buildfile WC_installdir/components/common/xml/enableFeature.xml -DinstanceName=instance_name -DfeatureName=store-enhancements -DdbUserPassword=db_password [-DdbaPassword=dba_password] [-DSolrWASAdminUser = solr_wasadminuser] [-DSolrWASAdminPassword =solr_wasadminpassword] [-Dscchost=HostForScheduledJobs] [search_server_config] [-DsearchPort=searchPort]
• enableFeature.bat -DfeatureName=store-enhancements

Where:

instanceName

The name of the WebSphere Commerce instance with which you are working (for example, demo).

featureName

The name of the WebSphere Commerce feature to enable (for example, store-enhancements).

dbUserPassword

The password for the user who is connecting to the database.

dbaPassword

The dbaPassword is required when you are enabling the feature on an Authoring server.

SolrWASAdminUser

The WebSphere Application Server administrator user ID for the Solr cell. This parameter is required only if all three of the following conditions are met:

• You enabled a previous version of Search from an earlier WebSphere Commerce feature pack
• You enabled WebSphere Administration Server administrative security on the Search server
• You are not specifying remoteSearchEngine=true

SolrWASAdminPassword

The WebSphere Application Server administrator password for the Solr cell. This parameter is required only if all three of the following conditions are met:

• You enabled a previous version of Search from an earlier WebSphere Commerce feature pack
• You enabled WebSphere Administration Server administrative security on the Search server
• You are not specifying remoteSearchEngine=true

scchost

The name of the host (server) on which the scheduled job runs. Use this parameter if your organization chooses to schedule jobs to run only on a specific host.

The WebSphere Commerce scheduler runs the RefreshRegistry command to ensure that the latest data from the CMDREGtable is used by the WebSphere Commerce CommandRegistry. The job runs only if the CMDREG table was modified. It runs only once, shortly after enablement is completed. By default, this scheduled job run is set to run on any host. If you want to run on a specific host, use this parameter to define the specific host.

Note: The search server is deployed when the foundation feature is enabled.

remoteSearchEngine

Use this parameter with a value of true when you are deploying Solr search server on a remote machine.

The search_server_config options help automate updating the web server configuration for IBM HTTP Server. If you do not use this option, you must manually configure your web server after you run the enablement script, as described in the next step. When thesearch_server_config options are used, WebSphere Commerce search helps automate creating the web server configuration. This automation is achieved by passing in more configuration parameters when you run the enablement scripts.

Important: The automated web server configuration supports IBM HTTP Server (IHS) only. That is, it does not support or include steps for configuring non-IHS web servers such as IIS and SunOne. For other types of web servers, consult the documentation that is provided by the web server vendor to update the configuration.

This approach includes the following considerations:

• The WebSphere Commerce search web server's httpd.conf file is automatically created.
• You can set up a valid configuration where the WebSphere Commerce search and WebSphere Commerce web servers have separate configuration files. That is, you do not need to manually update the plugin-cfg.xml files.
• If preferred, you do not need to install another copy of IBM HTTP Server. The same installation can be shared with the WebSphere Commerce web server.

A second IHS process is launched to handle search HTTP requests that use the same IHS installation. A second process ensures that the configurations do not collide, while easing configuration and maintenance.

Important: You can skip updating the web server configuration if you previously enabled the feature foundation and passed in thesearch_server_config parameters during the enablement. you can also skip the update if your Solr web server is already configured.

The following list shows the available parameters with brief explanations of each. Examples can be seen in the following task, along with more-detailed descriptions of each parameter and when it is needed and not needed:

• Configuring the WebSphere Commerce search web server

The scripts validate the values that are provided for any required parameters. If values for required parameters are blank, the scripts do not proceed. The error message indicates which values must be specified. An example of such an error can be viewed in the following troubleshooting reference:

• Troubleshooting: Ant properties error occurs during feature enablement

Where search_server_config includes the following parameters that help automate updating the web server configuration for IBM HTTP Server:

autoConfigSearchWebserver

The flag that turns on or off the automation. It indicates whether to automatically configure the IHS web server. The default value is false.

If set to false, or if not specified in the script, you must manually configure your search web server.

isShareWCWebserverProduct

Indicates whether the IHS server is shared with WebSphere Commerce. The default value is false.

If set to true, the parameter values listed below are automatically retrieved. However, you must specify the FTP password, as it is not typically stored on disk for security purposes.

searchWebserverHostname

The fully qualified host name for the WebSphere Commerce Search web server.

searchWebserverOS

Indicates which operating system is used on the search web server host.

searchWebserverInstallLocation

The WebSphere Commerce search installation location.

searchPluginInstallLocation

The WebSphere Commerce search plug-in installation location. This parameter is required when you use a separate IHS installation.

searchRemoteConfigPath

The path on the remote IHS machine where the WebSphere Commerce Search web server's file is stored.

searchIsConfigViaFTP

Indicates whether to transfer the configuration files using FTP.

The FTP parameters include:

searchFtpServerPort

The WebSphere Commerce search FTP server port.

searchFtpUserId

The WebSphere Commerce search FTP user ID.

searchFtpUserPwd

The WebSphere Commerce search FTP user password.

searchIsConfigViaNFS

Indicates whether to transfer the configuration files using a locally mapped or mounted drive.

The mapped parameters are:

searchMappedConfigPath

The directory to which the search web server configuration files are copied.

Files and directories are created under the searchMappedConfigPath/instance_name_solr directory.

Examples

The following examples outline the typical scenarios when configuring the WebSphere Commerce search web server:

Replace [search_server_config] in the command line with the following parameter if you are:

• Not using the automated IHS web server configuration.

-DautoConfigSearchWebserver=false

Replace [search_server_config] in the command line with the following parameters if you are:

• Using the automated IHS web server configuration,
• Sharing the IHS from your WebSphere Commerce instance, and
• Your IHS is local.

-DautoConfigSearchWebserver=true -DisShareWCWebserverProduct=true

Replace [search_server_config] in the command line with the following parameters if you are:

• Using the automated IHS web server configuration,
• Sharing the IHS from your WebSphere Commerce instance,
• Your IHS is remote, and
• Your WebSphere Commerce web server does not use FTP or NFS for remote configuration. Or your WebSphere Commerce web server uses NFS for remote configuration and the NFS mount is in place.

-DautoConfigSearchWebserver=true -DisShareWCWebserverProduct=true

Or, if your WebSphere Commerce web server uses FTP for remote configuration:

-DautoConfigSearchWebserver=true -DisShareWCWebserverProduct=true -DsearchFtpUserPwd=your_FTP_password

Where your_FTP_password is the password for the FTP server running on your IHS web server host.

Or, when you want to ensure that FTP or NFS is not used for remote configuration:

-DautoConfigSearchWebserver=true -DisShareWCWebserverProduct=true -DsearchIsConfigViaFTP=false -DsearchIsConfigViaNFS=false

Replace [search_server_config] in the command line with the following parameters if you are:

• Using the automated IHS web server configuration,
• Using a separate IHS,
• Your IHS is remote, and
• You are not automatically transferring the files to the remote machine.

-DautoConfigSearchWebserver=true -DisShareWCWebserverProduct=false

-DsearchWebserverHostname=yourSearchIHSHostName

-DsearchWebserverInstallLocation=thePathToIHSInstallDirOnYourSearchIHSHost

-DsearchPluginInstallLocation=thePathToPluginInstallDirOnYourSearchIHSHost

-DsearchRemoteConfigPath=pathWhereSearchIHSConfigFilesWillReside

For example:

-DautoConfigSearchWebserver=true -DisShareWCWebserverProduct=false

-DsearchWebserverHostname=search.example.com

-DsearchWebserverInstallLocation=/usr/IBM/WebSphere/HTTPServer

-DsearchPluginInstallLocation=/usr/IBM/WebSphere/HTTPServer/Plugins

-DsearchRemoteConfigPath=/usr/IBM/WebSphere/HTTPServer/solrHttpConf1

searchPort

The WebSphere Application Server virtual host port number to listen on for the WebSphere Commerce search application.

The value must be a valid and available TCP port.

The default value is 3737.

If the script runs successfully in the runtime environment, a BUILD SUCCESSFUL message appears in the command window where you ran the script and in the WC_installdir/instances/instance_name/logs/enablestore-enhancements_timestamp.log file. For enablement details, see theWC_installdir/instances/instance_name/logs/enablestore-enhancements_timestamp.log log file.

If the script runs successfully, the message enableFeature.bat completed is displayed in the command window. For enablement details, see the WCDE_installdir\logs\enableFeature.log file.

5. Configure the Web server for the Solr application

The following configuration options are available, depending on your web server and WebSphere Commerce Feature Pack version:

• WebSphere Commerce search deployment tasks include steps to manually update the web server configuration for IBM HTTP Server (IHS).

This approach includes the following considerations:

• You created the WebSphere Commerce search web server httpd.conf file.
• A directive to listen on the search virtual host port is added.
• The web server plug-in is installed on the web server host.
• WebSphere Commerce search deployment tasks include steps to help automate updating the web server configuration when using IBM HTTP Server (IHS). This automation is achieved by optionally passing in more configuration parameters when you are running the enablement scripts during the previous step. For more information, see the previous step.
• For configuring non-IHS web servers such as IIS and SunOne, consult the provided documentation to update the configuration.
5. Republish the application:

1. Open WebSphere Commerce Developer and switch to the Enterprise Explorer view.
2. Right click LOBTools and select OpenLaszlo Migration > Compare Customizations.
3. Rebuild any projects that are required to be rebuilt in the workspace. For example:
• Rebuild LOBTools. Right-click LOBTools, then select Build OpenLazlo Project
4. Start the WebSphere Commerce Test Server. Some errors are displayed in the console. These errors can be safely ignored.
5. In the Servers view, right-click the test server then click Publish.
6. Wait for the application to finish publishing and to restart. Ensure that no errors are displayed.

g.            If you customized a previous version of Management Center, see Migrating Management Center to migrate those customizations to the latest Management Center version.

4.0       What to do next

• Ensure that you publish the Madisons store archive after you install Feature Pack 1 or later. You might see a different store name for Madison starter store, depending on your version of the installed Feature Pack. If Feature Pack 1 is installed, the store name isMadisons.sar. If Feature Pack 2 or later is installed, the store name is Madisons-FEP.sar. When you install Fix Pack 1 or later, a new version of Madisons.sar is installed, containing the latest fixes and necessary extension points. The Brazil starter store, MayUJoy starter store, and Madisons starter store enhancements store archives do not function correctly with earlier versions of the Madisons starter store.
• If you are enabling starter store enhancements in the WebSphere Commerce development environment, the default configuration includes a Derby database with all base, non-feature pack, starter stores, including the Madisons starter store, pre-published. If you require a feature pack version of a starter store, publish the feature pack version by using a different store name. You can create a database without the pre-published stores or restore to a clean bootstrap Derby database. Then, you can publish the feature pack version of the starter store. Also, when you configure the WebSphere Commerce development environment you can select to a new bootstrap Derby database without the prepublished starter stores.
• See: First steps after enabling features.
•  

5.0       Troubleshooting: WebSphere Commerce feature pack issues

If you encounter problems while installing a WebSphere Commerce feature pack or enabling a feature on a WebSphere Commerce instance, review this section for common issues.

• Troubleshooting: WebSphere Commerce feature pack install or uninstall failed
  Review this information if the installation or uninstallation of a WebSphere Commerce feature pack fails.
• Troubleshooting: Checking that the WebSphere Commerce feature pack is installed on your machine
  After installing a WebSphere Commerce feature pack, you want to ensure that the feature pack is installed correctly.
• Troubleshooting: Checking that a WebSphere Commerce feature is enabled on your instance
  After installing a feature pack, you can enable one or more features. You enable a feature on a WebSphere Commerce instance. After enabling the feature you should verify the enablement is successful.
• Troubleshooting: Errors ORA-01017, SQL30082N occur during feature enablement
  When you are enabling a feature on your WebSphere Commerce instance, a BUILD FAILED message is displayed.
• Troubleshooting: Errors WASX7023E, WASX7213I, WASX8011W, WASX7206W occur during feature enablement
  During a configuration or administration task, such as feature enablement, you receive errors similar to the following:"
• Troubleshooting: Database connectivity
  You can encounter database connectivity issues when you are creating instances, applying fix packs, enabling features, or running many WebSphere Commerce utilities. You can use the database connection validation utility to determine whether any configured database parameters that required to establish a database connection is invalid.
• Troubleshooting: web.xml was not found error after enabling features
  After enabling all features, the application server starts successfully, but the Management Center cannot be accessed. An error in the logs states that "web.xml was not found".
• Troubleshooting: java.net.SocketTimeoutException error logged
  A java.net.SocketTimeoutException is met while performing a WebSphere Application Server operation over SOAP.
• Troubleshooting: ConnectorNotAvailableException while executing wsadmin script
  Feature enablement or disablement fails while executing a wsadmin script, such as a jacl script.
• Troubleshooting: WebSphere Commerce feature enablement fails with a NullPointerException or OutOfMemoryError
  When you attempt to enable a feature, the operation fails with a NullPointerException or an OutOfMemoryError.
• Troubleshooting: Unable to use the unzip command to decompress downloaded e-images
  After transferring an e-image to a Linux or Solaris system, you are unable to use the unzip command to unzip the e-image zip file.
• Troubleshooting: CMDREG data not properly restored during foundation feature disablement
  In WebSphere Commerce Version 7 Feature Packs 1, 2 and 3, when foundation is enabled, component specific rows are extracted from the existing CMDREG table and saved to a file. This occurs during enablement immediately before updates are applied to the CMDREG table. When foundation is disabled, the data is restored from that backup file so that the table is restored to its pre-enablement state.
• Troubleshooting: Massload error when using DB2
  When using DB2 v9.5 Fix Pack 4 or Fix Pack 5, or DB2 v9.7 Fix Pack 1, if you perform an operation that uses the massload utility, such as creating an instance, installing a fix pack, or issuing a setdbtype command, the operation might fail.
• Troubleshooting: Ant properties error occurs during feature enablement
  When you try to enable a feature, you receive an error that states that values must be given for required Ant properties.
• Troubleshooting: IllegalArgumentException after feature enablement
  Receive IllegalArgumentException in SystemOut.log after you upgrade or migrate from a lower feature pack to a higher feature pack and enable a feature.
• Troubleshooting: DB2 SQL Error: SQLCODE=-552, SQLSTATE=42502 during feature enablement
  When you attempt to enable a feature on Microsoft Windows 2008, you receive the following error: DB2 SQL Error: SQLCODE=-552, SQLSTATE=42502.

 

Reference:

IBM WCS Info center

---

 [VT1]Tarunam : Just check if we need this or not or before Feature pack enablement should be sufficient.

 [VT2]Tarunam: These are pre-requisites so follow on SOS basis.