1. Using Oracle Commerce
  2. Secure Your Service
  3. Perform security tasks

Perform security tasks

This section lists the tasks you must perform to harden the security of your instance of Commerce.

Obtain an SSL certificate

The storefront uses SSL to encrypt sensitive data while it is being communicated between the web server and the customer’s browser. To activate SSL and correctly identify your company with your storefront, an SSL certificate is required.

You must obtain an SSL certificate for your company so it can be installed on the web server. After the certificate is installed, the customer’s browser displays several trust indicators, including the HTTPS URL protocol and the padlock icon, when he or she visits your store. For more information, contact your Oracle Support representative.

Secure your Commerce logins

A username and password are required to access the Commerce administration interface. You receive one initial username and password from Oracle as part of the process of setting up your service. Change the password immediately by following these steps:

  1. Log into the Commerce administration interface.
  2. Click the Settings icon and select Access Control.
  3. Click the name of the initial user.
  4. Ensure the Email Address field contains a valid email address to which you have access.

    Note: If you add or change the email address, and then click Save, you may have to refresh the Access Control page for the new value to appear.

  5. Click Reset User Password.
  6. The system sends an email to the specified address. Use the link contained in the email to change the password.

All administration interface passwords automatically expire after 90 days. After this period, users will be unable to access the service until they reset their passwords. To do so, they should click the Can’t Sign In link on the login page and follow instructions.

If your service has been upgraded from a previous release, the 90-day period starts after the upgrade.

User accounts are locked after six unsuccessful attempts to access the system.

Refer to Create new user profiles for instructions on how to create additional user accounts and for information on the different access levels you can assign. It is highly recommended that you give each user the least amount of access he or she requires. Commerce enforces the password requirements described in Create new user profiles, but you should ensure additional secure practices around login credentials, for example by not emailing passwords to new users and by recommending regular password changes.

Ensure that accounts are deactivated promptly if they are no longer needed, for example when an employee leaves the company. See Deactivate and reactivate user profiles.

Implement Storefront Single Sign-On

Oracle Commerce enables you to integrate customer logins on your storefront with an external customer data store or identity management tool. For example, suppose you have an existing informational website with a large number of customer accounts. When you create a new Commerce site, you may want to provide existing customers with accounts on the commerce site. . For more information, refer to Implement storefront SSO for account-based shoppers.