Identifying the changes on Security Module

Objective

After completing this lesson, you will be able to explain the new features of the Security Module in SAP Commerce Cloud.

Security features

1. Advanced Password Security

To enhance security, deprecated password hashing algorithms such as MD5, PBKDF2, SHA-1, SHA-256, and SHA-512 are deactivated by default. The new preferred default is the Argon2 algorithm, which replaces bcrypt. This transition introduces a configurable rehashing mechanism on login, controlled in the advanced.properties file by the property:

    legacy.password.encoding.enabled=false

Any attempt to use an unsafe password encoder is now flagged with an exception in the log, so that passwords are always handled securely.

2. Session Invalidations for Enhanced Security

HTTP sessions can now be invalidated immediately after a password change, so that sessions established before the change do not remain active. By setting the property (the default is false):

    invalidate.current.authentication.on.password.change=true

both the session and the token used during the password change are invalidated instantly, mitigating the risk of session hijacking.

3. One-Time Password (OTP) Functionality

Support for one-time passwords (OTP) strengthens your security measures. This feature introduces robust two-factor authentication (2FA), adding an extra layer of security by validating ownership of the given email address during customer logins.

Specifically, with

    otp.customer.login.token.max.verification.attempts=3 #(default)

you can set the maximum number of failed verification attempts for a one-time login token (to limit brute-force guessing). To enable OTP in the SAP Commerce Cloud composable storefront, see Login with Verification Token.

4. Mutual TLS (mTLS) Support

The addition of mutual Transport Layer Security (mTLS) allows bi-directional authentication of connections on environment endpoints. This feature not only uses certificates for secure client access but also enables endpoint-specific domain configurations, which enhances security, especially when integrating with Content Delivery Networks (CDNs).

5. Enhanced Protection Against Brute Force Attacks

A new model, 'SAPBruteForceOAuthLoginAttempts', records failed OAuth client login attempts separately from the existing 'BruteForceLoginAttempts' model. Note that this requires a database update (deploying a new build with the migration data mode) for the change to take effect.

Additionally, in 2211.30/32, it is possible to disable the admin user login via:

    admin.login.enabled=false

This serves as a preventive measure against brute force attacks on the admin account, keeping admin privileges safeguarded from unauthorized access attempts. Before disabling it, make sure that other users are members of the admingroup, so that admin privileges are not lost completely.
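As an added example (not SAP's own tooling), the following Python script reads a Commerce properties file and reports which of the settings discussed above are still at an unsafe value. The default of true for admin.login.enabled and the "positive integer no larger than 3" threshold for OTP attempts are assumptions of this example; the inline-comment pitfall it flags follows from java.util.Properties semantics, where '#' after a value is part of the value.

```python
"""Audit SAP Commerce *.properties against the hardening settings covered in
this lesson (added example; not part of SAP Commerce)."""

# key -> (recommended value, value assumed when the key is absent). Defaults
# are from the lesson except "true" for admin.login.enabled, an assumption.
POLICY: dict[str, tuple[str, str]] = {
    "legacy.password.encoding.enabled": ("false", "false"),
    "invalidate.current.authentication.on.password.change": ("true", "false"),
    "admin.login.enabled": ("false", "true"),
    "otp.customer.login.token.max.verification.attempts": ("3", "3"),
}

def parse_properties(text: str) -> dict[str, str]:
    """Minimal java.util.Properties reader ('#'/'!' comment lines; '=', ':' or
    blank separators; no line continuations). Java has no inline comments, so
    'key=3 #(default)' yields the value '3 #(default)'."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        i = next((i for i, ch in enumerate(line) if ch in "=: \t"), len(line))
        rest = line[i:].lstrip(" \t")
        props[line[:i]] = (rest[1:] if rest[:1] in "=:" else rest).strip()
    return props

def audit(props: dict[str, str]) -> list[str]:
    """One finding per setting that deviates from POLICY."""
    findings: list[str] = []
    for key, (want, default) in POLICY.items():
        actual = props.get(key, default)
        if key.endswith(".max.verification.attempts"):
            # positive integer <= default (our threshold); non-numeric values fail
            ok = actual.isdigit() and 0 < int(actual) <= int(want)
        else:
            ok = actual.lower() == want
        if not ok:
            findings.append(f"{key}: found {actual!r}, expected {want!r}")
    return findings

# Constructed sample of a not-yet-hardened local.properties.
SAMPLE = """\
legacy.password.encoding.enabled = true
otp.customer.login.token.max.verification.attempts=3 #(default)
invalidate.current.authentication.on.password.change:true
"""

if __name__ == "__main__":
    print("\n".join(audit(parse_properties(SAMPLE))) or "all settings hardened")
```

On the constructed sample the script reports three findings: legacy encoding still enabled, admin login not disabled, and the OTP limit unreadable because the trailing comment became part of the value.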

6. Logging Enhancement

To keep a closer eye on configuration changes, the 2211.30/32 update ensures the following:

  1. All assignments where permissions are granted, removed, or denied are now recorded in audit logging. This allows change information to be retrieved easily, supporting better control and auditing of internal processes.
  2. Modifications to Backoffice widgets and cockpit configuration (e.g. via Application Orchestrator/F4) are stored in Media Storage and can be viewed in systems such as Open Kibana for CLS Logging (search for the keyword BACKOFFICE_CONFIGURATION_CHANGE), enabling admins to track and compare changes.
