CyberSource Extension for Magento Installation Guide, Version 3.0.0

July, 2018

Extract

This document provides installation details of CyberSource Magento Extension.

Contents

Installation
Installation Frequently Asked Questions
Appendix A – Security Best Practices
    Securing Files
    Password Policy
    SSL/TLS Encryption
    Software Versions
    Removing Default Web Servers
    Securing Web Servers
    Password Emails
    Secure Authentication Credentials
    Security Good Practice

Installation

1. Place an order on Magento Marketplace with CyberSource module:
   https://marketplace.magento.com/cybersource-global-payment-management.html

2. Go to My Profile -> My Products -> Access Keys and copy keys.

3. Create auth.json file in the Magento root directory on your server:

    {
        "http-basic": {
            "repo.magento.com": {
                "username": "Your_Public_Key",
                "password": "Your_Private_key"
            }
        }
    }

4. Add a section to your composer.json or extend existing:

    "repositories": {
        "0": {
            "type": "composer",
            "url": "https://repo.magento.com/"
        }
    },

5. Run commands in your Magento root directory:

    composer require cybersource/global-payment-management
    php bin/magento module:enable \
        CyberSource_AccountUpdater CyberSource_Address CyberSource_ApplePay \
        CyberSource_Atp CyberSource_BankTransfer CyberSource_Core \
        CyberSource_ECheck CyberSource_KlarnaFinancial CyberSource_PayPal \
        CyberSource_SecureAcceptance CyberSource_Tax CyberSource_VisaCheckout
    php bin/magento setup:upgrade
    php bin/magento setup:di:compile
    php bin/magento setup:static-content:deploy

See official Magento 2 extensions installation guide:
https://devdocs.magento.com/guides/v2.2/comp-mgr/install-extensions.html

Installation Frequently Asked Questions

Question: After running composer update or composer require cybersource/global-payment-management command the following error message is displayed:

    The requested package cybersource/global-payment-management could not be found in any version, there may be a typo in the package name.

Answer: This error occurs if you:

- use wrong keys
- don't have https://repo.magento.com/ composer repository specified in your composer.json

In order to obtain proper keys you have to:

1. Purchase the extension from Magento marketplace
   - Visit CyberSource Payment extension page in Magento Marketplace:
     https://marketplace.magento.com/cybersource-global-payment-management.html
   - Click Add to Cart button.
   - Go to Checkout from the Cart page.
   - Login or register
   - Finish checkout process

2. After checkout go to your profile:
   - Go to My Purchases and ensure you see CyberSource Global Payment Management module there.
   - Go back to profile -> Access Keys
   - Create or use existing pair of keys, make sure they're enabled

3. Once you get the keys, just follow the steps:
   - Rename/move the file ~/.composer/auth.json
   - Run composer require cybersource/global-payment-management
   - When composer asks for username/password enter the Public Key as username and Private Key as password

Appendix A – Security Best Practices

Securing Files

Make sure your installation files are only accessible locally by properly setting up permissions and .htaccess file. Set up file permissions on the basis of 'need to know' and 'least privilege' and ensure that all files that govern access to parts of the application are secured. Ensure files are not accessible over the web interface.
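
A preflight check for the setup described in the installation steps and the FAQ, which also applies the least-privilege advice under Securing Files to auth.json, since that file holds the private access key. This is an added example, not part of the CyberSource guide; the function names, the placeholder list and the owner-only permission rule are assumptions, and the mode check assumes a POSIX file system.

```python
import json
import os
import stat

REPO_HOST = "repo.magento.com"
# Template values from the guide's auth.json; they are not real keys.
PLACEHOLDERS = {"", "Your_Public_Key", "Your_Private_key"}


def load_json(path):
    """Return the parsed JSON object at path, or None if missing or invalid."""
    try:
        with open(path) as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return None
    return data if isinstance(data, dict) else None


def audit_composer_setup(root):
    """Return a list of findings for the Magento root directory `root`."""
    findings = []
    auth_path = os.path.join(root, "auth.json")
    auth = load_json(auth_path)
    if auth is None:
        findings.append("auth.json missing or not a JSON object")
    else:
        creds = auth.get("http-basic", {}).get(REPO_HOST, {})
        if {creds.get("username", ""), creds.get("password", "")} & PLACEHOLDERS:
            findings.append("auth.json has no usable keys for " + REPO_HOST)
        # The private key is a secret: only the owner should have access.
        mode = stat.S_IMODE(os.stat(auth_path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("auth.json is open to group/other (mode %o)" % mode)

    composer = load_json(os.path.join(root, "composer.json"))
    if composer is None:
        findings.append("composer.json missing or not a JSON object")
    else:
        # "repositories" may be an object (as in the guide) or an array.
        repos = composer.get("repositories", [])
        entries = repos.values() if isinstance(repos, dict) else repos
        if not any(isinstance(r, dict) and r.get("type") == "composer"
                   and REPO_HOST in r.get("url", "") for r in entries):
            findings.append("composer.json lacks a composer repository for "
                            + REPO_HOST)
    return findings
```

An empty list means both causes named in the FAQ answer are ruled out and auth.json is readable by its owner only.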

For more information please refer to:
https://blog.nexcess.net/2010/12/06/securing-magento-file-directory-permissions/

Password Policy

Enforce strong password requirements to ensure the application is protected from a brute force attack.

For more information please refer to:
NIST Digital Identity Guidelines: https://pages.nist.gov/800-63-3/

SSL/TLS Encryption

Ensure only the latest TLS standard is enabled on any connections. Explicitly disable any TLS versions that are not current (at time of writing, only TLS 1.2 is not deprecated). Ensure that cipher suites that have been deprecated are disabled.

For more information please refer to:
OpenSSL Cipher Suite Names: https://www.openssl.org/docs/manmaster/man1/ciphers.html-CIPHER-SUITE-NAMES
Apache HTTPS Cipher Suite Restriction: http://httpd.apache.org/docs/current/ssl/ssl_howto.html

Software Versions

Ensure all software is on the very latest version. Examples are PHP, Java and the Magento software itself. Versions that are branched should have the latest patches from that branch installed.

For more information please refer to:
Magento: https://magento.com/security/patches
PHP: http://php.net/downloads.php
Apache Security Vulnerabilities: http://httpd.apache.org/security_report.html

Removing Default Web Servers

Software packages such as Apache install default web pages and/or web server instances. If the web server instance is not required, it is best practice to disable the service. If the service is needed, remove default pages and default install directories (/docs, /examples, etc.).

For more information please refer to:
Google Hacking Mini-Guide: http://www.informit.com/articles/article.aspp=170880&seqNum=2&rl=1
SecurityFocus - Securing Apache: Step-by-Step: http://www.securityfocus.com/infocus/1786

Securing Web Servers

The following steps can be taken to reduce and/or eliminate the risk of information disclosure as a result of using hostnames in URLs:

- Use local domain names rather than IP addresses.
- Remove references to backend system names, IPs and ports.
- Do not disclose system and/or program user IDs to application users.
- Maintain all error codes and debug information in non-user accessible error logs.

For more information please refer to:
OWASP - Security by Design Principles: https://www.owasp.org/index.php/Security_by_Design_Principles

The following steps can be taken to secure insecure commands on Apache:

Use the Apache mod_rewrite module to deny HTTP requests or to permit only the methods needed to meet site requirements and policy. Prohibited HTTP methods can be disabled with the following mod_rewrite syntax.

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE|TRACK|PUT|DELETE|HEAD|OPTIONS|CONNECT
    RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the TraceEnable directive.
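
The rule above is a deny-list, while the same paragraph also mentions permitting only the methods a site needs. As an added example (not from the guide), the Python model below evaluates both forms of RewriteCond over a constructed method list; the allow-list pattern, the method list and the function names are assumptions, and Python's re module stands in for Apache's regex engine.

```python
import re

# CondPattern exactly as it appears in the guide's RewriteCond (a deny-list).
GUIDE_DENY = r"^TRACE|TRACK|PUT|DELETE|HEAD|OPTIONS|CONNECT"
# Allow-list form. Assumption: this site needs only GET and POST.
ALLOW_ONLY = r"!^(GET|POST)$"

# Constructed sample: core HTTP methods plus two WebDAV ones.
METHODS = ["GET", "POST", "HEAD", "OPTIONS", "PUT", "PATCH", "DELETE",
           "TRACE", "TRACK", "CONNECT", "PROPFIND", "MKCOL"]


def cond_matches(cond_pattern, method):
    """Model RewriteCond %{REQUEST_METHOD} <pattern>: an unanchored regex
    search, with a leading '!' inverting the result."""
    negate = cond_pattern.startswith("!")
    regex = cond_pattern[1:] if negate else cond_pattern
    return (re.search(regex, method) is not None) != negate


def refused(cond_pattern, methods=METHODS):
    """Methods that the following 'RewriteRule .* - [F]' answers with 403."""
    return [m for m in methods if cond_matches(cond_pattern, m)]


def passed(cond_pattern, methods=METHODS):
    """Methods that still reach the application."""
    return [m for m in methods if not cond_matches(cond_pattern, m)]


def deny_list_gaps(methods=METHODS):
    """Methods the guide's deny-list lets through but the allow-list refuses."""
    return [m for m in passed(GUIDE_DENY, methods)
            if m in refused(ALLOW_ONLY, methods)]


if __name__ == "__main__":
    print("deny-list refuses:", refused(GUIDE_DENY))
    print("allow-list passes:", passed(ALLOW_ONLY))
    print("deny-list gaps:   ", deny_list_gaps())
```

The deny-list also refuses HEAD and OPTIONS, so confirm that monitoring probes and CORS preflight requests do not depend on them before deploying it.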

For more information please refer to:
Testing for HTTP Methods: https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)
Apache HTTP Server mod_rewrite: http://httpd.apache.org/docs/mod/mod_rewrite.html

Password Emails

Magento emails the password to users in plain text as standard. This is not good security practice and can lead to information disclosure attacks via social engineering or other means (copying). In order to protect your customers from this, it is recommended to remove plain text passwords sent via email. The steps to prevent this are as below:

In Magento, do the following:

1. From admin, go to Marketing/Email Templates
2. Click the orange Add New Template button
3. In Load default template, select New Account template and load it
4. After loading the template, in Template Content, find the line that shows the plain text password and remove it
5. Click Save Template.

For more information please refer to:
NIST Digital Identity Guidelines SP 800-63-3: https://pages.nist.gov/800-63-3/

Secure Authentication Credentials

Authentication credentials must be stored in a secure manner, according to industry good practice. Securing authentication credentials should be via methods such as strong encryption, using industry standard encryption methodologies.

For more information please refer to:
National Institute of Standards and Technology: https://pages.nist.gov/800-63-3/

Security Good Practice

Any implementation of the Magento software package should be undertaken with care. Due diligence should be performed when looking at configuration settings and industry good practice guidelines should be followed at all times. Cyber security attacks and subsequent breaches can be brand damaging and put customers' personal data at risk.

For more guidelines on general security good practice, please see the following external sources:

National Institute of Standards and Technology: https://www.nist.gov/
PCI DSS: https://www.pcisecuritystandards.org/pci_security/
Center for Internet Security: https://www.cisecurity.org/
Magento Security Best Practices: https://magento.com/security/best-practices
OWASP: https://www.owasp.org/index.php/Main_Page
SANS Institute: https://www.sans.org/
International Organization for Standardization (ISO) – ISO 27001 and 27002 and any other applicable standards: https://www.iso.org/standards.html