KLF in WebSphere Commerce

KLF is part of the PCI Compliance requirements.


I was working on KLF (Key Locator Framework) a few days ago for a client. KLF is part of the PCI Compliance requirements. It consists of two parts:
1.    Merchant key should be separated out from the main configuration file (i.e. the instance xml)
2.    Merchant key should be split into two parts, and should be held by two people (i.e. No one knows the entire key)

KLF has been around for a while, although few companies implement it. It is actually my first implementation. The documentation is lacking, to say the least. The only place to find instructions is the WebSphere Commerce Info Center, under the manual page for the MigrateEncryptedInfo utility. There are three examples on that page; if you are implementing KLF for the first time, you should be reading example 2.

There are a few reminders:

1.    Back up your DB first. If you screw anything up, the first thing IBM will ask is to “restore the DB”.

2.    The format of the key configuration files is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<keys xmlns="http://www.ibm.com/xmlns/prod/WebSphereCommerce"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.ibm.com/xmlns/prod/WebSphereCommerce C:\WebSphere\CommerceServer\wc.ear\xml\config\xsd\key.xsd">
<key value="12344567890abcdef" />
</keys>

The value attribute should be left blank in the merchant key file; it is filled in automatically after the script has been run. The newMerchantKey files are temporary files that initially hold each half of the key in plain text.

3.    You need to copy the merchant key file into the deployed application manually (i.e. the installedApp directory under the corresponding profile).
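A small pre-run check for the key configuration files described in reminder 2, as an added example (not from IBM or the original post): it parses the keys XML in the WebSphere Commerce namespace and confirms that the merchant key file's value is blank before the script runs, and that each newMerchantKey half is a non-empty hex string (hex is assumed from the sample value above). Both XML inputs are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the key configuration files, as in the sample above.
KLF_NS = "http://www.ibm.com/xmlns/prod/WebSphereCommerce"

# Constructed sample: a merchant key file as it should look before the script runs.
MERCHANT_KEY_XML_BEFORE = """<?xml version="1.0" encoding="UTF-8"?>
<keys xmlns="http://www.ibm.com/xmlns/prod/WebSphereCommerce"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <key value="" />
</keys>
"""

# Constructed sample: one temporary newMerchantKey file holding one half of the key.
NEW_MERCHANT_KEY_HALF_XML = """<?xml version="1.0" encoding="UTF-8"?>
<keys xmlns="http://www.ibm.com/xmlns/prod/WebSphereCommerce">
  <key value="0123456789abcdef" />
</keys>
"""


def read_key_value(xml_text):
    """Return the value attribute of the single <key> element; raise if the file is malformed."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != f"{{{KLF_NS}}}keys":
        raise ValueError(f"root element is {root.tag}, expected <keys> in namespace {KLF_NS}")
    keys = root.findall(f"{{{KLF_NS}}}key")
    if len(keys) != 1:
        raise ValueError(f"expected exactly one <key> element, found {len(keys)}")
    if "value" not in keys[0].attrib:
        raise ValueError("<key> element has no value attribute")
    return keys[0].attrib["value"]


def check_merchant_key_file(xml_text):
    """Pre-run check: the merchant key file's value must be blank (the script fills it in)."""
    return read_key_value(xml_text) == ""


def check_new_merchant_key_half(xml_text):
    """Pre-run check: a newMerchantKey half must be a non-empty hex string (assumed format)."""
    return re.fullmatch(r"[0-9a-fA-F]+", read_key_value(xml_text)) is not None
```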
