Reference - CaaS Technical FAQ

1 Introduction

This document provides frequently asked questions and answers about the Intershop CaaS offering.

2 Who is Responsible for Signing off UAT Changes?

The CaaS partner can trigger deployments on UAT in self service, see Reference - CaaS Responsibilities Matrix.

Any other changes to the system that go beyond this must be agreed with Intershop in advance. Such changes most likely affect system behavior and must then also be implemented in the production environment, so that system settings stay consistent across all environments.

3 How are Rollbacks Handled?

See Guide - CaaS DevOps - Intershop Commerce Management | Rollback.

4 Is There a Deployment Schedule That Intershop Recommends, and How Will Intershop Tackle Urgent Deployments?

See Guide - CaaS DevOps - Intershop Commerce Management | Scheduling.

5 Can Customer Patch Files Be Added to the eserver1/lib Folder?

In principle, any changes to the system should only be made on the basis of releases.

6 Where Can the PWA Be Hosted OOTB?

The hosting and operation of the PWA is offered by Intershop as an additional service (front-end as a service).

As the PWA is typically highly individualized, the costs depend on the infrastructure resources required and on the operational effort. The latter depends, for example, on the number of deployments, the number of incidents, etc.

The PWA is operated using containers in a Kubernetes cluster. In order to prepare a concrete offer, a sizing of the entire infrastructure is necessary. 

7 Is There a Microservice Framework Available in the Standard CaaS Setup?

Hosting and operation of custom Microservices is offered by Intershop as an additional service. 

As Microservices are typically highly individualized, the costs depend on the infrastructure resources required and on the operational effort. The latter depends, for example, on the number of deployments, the number of incidents, etc.

Microservices are operated using containers in a Kubernetes cluster. In order to prepare a concrete offer, a sizing of the entire infrastructure is necessary. 

8 How to Configure the Mail Service of ICM?

To use the mail service of ICM (app server), correct Mail-From addresses must be set, e.g., in a pipeline:

  • core/release/pipelines/ProcessPasswordReminder.pipeline: <configurationValues name="DefaultEmailFrom" value="info@test.intershop.de"/>

Each app server runs a Postfix mail server. It accepts all mail sent to localhost and relays it to the customer's mail server.

In Intershop Commerce Management this looks as follows:

[Screenshot: mail service configuration in Intershop Commerce Management]

All other configuration items such as host name, port, e-mail address, login user and password are set by the Intershop PPS team directly on each app server.

9 How to Configure the Transport Framework for SFTP-Based Data Import/Export?

To enable the import or export of data from an SFTP-based transfer server or service to the Intershop application server and vice versa:

  1. Log in to the ICM Operations back office as a user that has at least the access privilege Transport Manager assigned.
    • URL: https://<my_domain>/INTERSHOP/web/BOS/SLDSystem
    • Organization: Operations
  2. Go to Transport Configuration.
  3. Select a transport configuration from the list or create a new one (Type: SFTP).
  4. Enter the following configuration details:
    • Remote Location: /home
      Subdirectories can be created later if necessary.
    • Authentication method: Key
    • User name: <user name>_int, <user name>_uat or <user name>_prd
      The user name depends on the environment (INT, UAT or PRD).
    • Pass phrase: any value
      The pass phrase is not used, but it is a required field in the web form, so it is necessary to type in something.
    • Key File Path: /home/intershop/.ssh/id_rsa

10 How to Log in to Jenkins with a Microsoft Account?

  1. Open the Jenkins web console https://ishXX-ci.fse.intershop.de/jenkins/ and click the Microsoft button.
  2. If you are already signed in with your Microsoft account, select it; otherwise choose Use another account and enter your credentials.
  3. After this, the Jenkins web console is displayed.

11 What are the Requirements for DNS and SSL/TLS Certificates?

The customer is responsible for the (external) domains and the related DNS configuration, for example for the ICM/PWA storefront. Therefore, the customer needs to provide corresponding SSL/TLS certificate(s) for each desired domain, e.g., one per ICM cluster, or multiple ones per ICM cluster if different channels are made available under different domains (see below).

Generally, domain configuration should be done via CNAME records: Intershop provides the target domain names for the corresponding environments and clusters.

11.1 DNS Intershop Commerce Management (ICM)

Basically, three environments (Production (PRD), User Acceptance Test (UAT) and Integration (INT)) with two clusters each (live (LV) and edit (ED)) are provided for a standard ICM system. Therefore at least six (6) domains are required, optionally more (in that case the number of domains has to be the same for each tier, i.e. INT, UAT and PRD), for example:

  • PRD (LV): shop.myDomain.com
    • optional if needed:
      • shop-de.myDomain.com
      • shop-nl.myDomain.com
      • shop-fr.myDomain.com
  • PRD (ED): shop-edit.myDomain.com
    • optional if needed:
      • shop-edit-de.myDomain.com
      • shop-edit-nl.myDomain.com
      • shop-edit-fr.myDomain.com
  • UAT (LV): uat-live.myDomain.com
    • optional if needed:
      • uat-live-de.myDomain.com
      • uat-live-nl.myDomain.com
      • uat-live-fr.myDomain.com
  • UAT (ED): uat-edit.myDomain.com
    • optional if needed:
      • uat-edit-de.myDomain.com
      • uat-edit-nl.myDomain.com
      • uat-edit-fr.myDomain.com
  • INT (LV): int-live.myDomain.com
    • optional if needed:
      • int-live-de.myDomain.com
      • int-live-nl.myDomain.com
      • int-live-fr.myDomain.com
  • INT (ED): int-edit.myDomain.com
    • optional if needed:
      • int-edit-de.myDomain.com
      • int-edit-nl.myDomain.com
      • int-edit-fr.myDomain.com

11.2 DNS Intershop Progressive Web App (PWA)

This applies only if the PWA is in use.

The customer needs to provide additional domains. Only live (LV) clusters use the PWA; edit (ED) clusters usually do not need it, as their main purpose is to perform and check content changes. PWA domains can be separated by channel (channel-specific) as well. Therefore at least three (3) domains are needed, for example:

  • PRD (LV):  shop-pwa.myDomain.com
    • optional if needed:
      • shop-de-pwa.myDomain.com
      • shop-nl-pwa.myDomain.com
      • shop-fr-pwa.myDomain.com
  • UAT (LV):  shop-uat-pwa.myDomain.com
    • optional if needed:
      • uat-de-pwa.myDomain.com
      • uat-nl-pwa.myDomain.com
      • uat-fr-pwa.myDomain.com
  • INT (LV):  shop-int-pwa.myDomain.com
    • optional if needed:
      • int-de-pwa.myDomain.com
      • int-nl-pwa.myDomain.com
      • int-fr-pwa.myDomain.com

11.3 DNS Intershop Order Management (IOM)

This applies only if IOM is in use.

In addition to the ICM domains, corresponding domains and certificates are also required for IOM. As IOM is only connected to the live (LV) cluster of each environment, three (3) domains are required, independent of the number of channels.

  • PRD: shop-oms.myDomain.com
  • UAT: uat-oms.myDomain.com
  • INT: int-oms.myDomain.com

11.4 Types of SSL/TLS certificates

General note: the provided SSL/TLS certificates shall have a validity period of 1 (one) year. Intershop requires both the certificate file(s) (which contain the public key) and the corresponding private key file(s).

Option: Basic
SSL/TLS certification relation: ONE SSL/TLS certificate per ONE domain
Certificate → domain (example):
  • certificate 1 → channelA.myDomain.com
  • certificate 2 → channelB.myDomain.com
  • certificate 3 → channelC.mySecondDomain.com
  • certificate 4 → channelD.myThirdDomain.com
Notes:
  • Each domain in use requires its own certificate
  • May become expensive/complex when using multiple domains/channels

Option: SAN
SSL/TLS certification relation: ONE TLS/SSL certificate per MULTIPLE domains
Certificate → domain (example):
  • SAN certificate 1 → channelA.myDomain.com, channelB.myDomain.com, channelC.mySecondDomain.com, channelD.myThirdDomain.com
Notes:
  • The certificate contains SANs (Subject Alternative Names)
  • Commonly called a "multi-domain" certificate (although the naming is not entirely correct)
  • Often the best, cheapest and most commonly chosen option, as the customer can select which domains the certificate is valid for before handing it over to Intershop
  • Can handle different domains/subdomains
  • Also see: https://support.dnsimple.com/articles/what-is-ssl-san/

Option: Wildcard
SSL/TLS certification relation: ONE TLS/SSL certificate per ALL subdomains of a certain single domain
Certificate → domain (example):
  • wildcard certificate 1 → *.myDomain.com
  • wildcard certificate 2 → *.mySecondDomain.com
  • wildcard certificate 3 → *.myThirdDomain.com
Notes:
  • Cheaper for a large number of domains to handle
  • The customer needs to take note that handing over a certificate for all subdomains of a certain domain
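As an added example (not part of Intershop's documentation), the following Python check tells you which of the domain names from 11.1 and 11.2 a certificate's SAN entries cover, applying the RFC 6125 wildcard rules that distinguish the SAN and Wildcard options above, and whether the validity period meets the one-year requirement; the domain list and all dates are constructed sample values.

```python
"""Check certificate coverage for the domain lists in 11.1/11.2.

Added example, not Intershop code. The certificate is represented by its
dNSName SAN entries (constructed sample values below) so that the check
runs offline without parsing a PEM file.
"""
from datetime import date

# Constructed sample: the six ICM domains from 11.1 plus one PWA domain from 11.2.
REQUIRED_DOMAINS = [
    "shop.myDomain.com", "shop-edit.myDomain.com",
    "uat-live.myDomain.com", "uat-edit.myDomain.com",
    "int-live.myDomain.com", "int-edit.myDomain.com",
    "shop-pwa.myDomain.com",
]


def san_matches(san_entry: str, hostname: str) -> bool:
    """RFC 6125 matching: a wildcard is only accepted as the entire leftmost
    label and matches exactly one label, so *.myDomain.com covers
    shop.myDomain.com but neither myDomain.com nor a.shop.myDomain.com.
    Comparison is case-insensitive."""
    san = san_entry.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(san) != len(host):
        return False
    if san[0] == "*":
        # Require at least two fixed labels after the wildcard (rejects *.com).
        return len(san) >= 3 and san[1:] == host[1:]
    return san == host


def uncovered_domains(san_entries, required=REQUIRED_DOMAINS):
    """Return the required domains that no SAN entry covers.

    For the Basic option pass the single domain of each certificate,
    for SAN/Wildcard the full SAN list of the one certificate."""
    return [d for d in required
            if not any(san_matches(s, d) for s in san_entries)]


def validity_ok(not_before: date, not_after: date, max_days: int = 366) -> bool:
    """The FAQ asks for a one-year validity; reject inverted or longer periods."""
    return not_before < not_after and (not_after - not_before).days <= max_days
```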

11.5 CSR (Certificate signing request)

If a certificate does not yet exist, it can be ordered from a CA (certificate authority). A CSR is required for this. Depending on the certificate issuer, at least the certificate type (see 11.4) and a fully qualified domain name are required to create a CSR.

Information that can/must be included in a certificate:

  • CN (Common Name): the fully qualified domain name
  • O (Organization Name): usually the legal name of a company or entity; should include any suffixes such as Ltd., Inc., or Corp.
  • OU (Organizational Unit): internal organization department/division name
  • L (Locality): town, city, village, etc.
  • ST (State): province, region, county or state; this should not be abbreviated
  • C (Country): the two-letter ISO code for the country where your organization is located
  • EMAIL (Email Address): the organization contact, usually the certificate administrator or IT department

Intershop creates a CSR for the customer on request; the necessary data is submitted via the service desk.
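Added example, not Intershop tooling: a Python helper that validates the DN fields listed above and renders an OpenSSL request configuration with the shop domains as SANs, from which a CSR and private key can be generated locally. Organization, locality and e-mail values are constructed samples, and the abbreviation check on ST is a heuristic.

```python
"""Render an OpenSSL request config for a CSR with the DN fields from 11.5.

Added example, not Intershop's own tooling; field values are constructed.
Generate key and CSR from the rendered file with:
  openssl req -new -newkey rsa:2048 -nodes -keyout shop.key -out shop.csr -config shop.cnf
"""
DN_FIELDS = ("CN", "O", "OU", "L", "ST", "C", "emailAddress")


def validate_dn(dn: dict) -> list:
    """Return human-readable problems with the DN (empty list means OK)."""
    problems = []
    for field in ("CN", "O", "C"):
        if not dn.get(field):
            problems.append(f"{field} is required")
    country = dn.get("C")
    if country and not (len(country) == 2 and country.isalpha() and country.isupper()):
        problems.append("C must be a two-letter ISO country code")
    if "ST" in dn and len(dn["ST"]) <= 3:  # heuristic for abbreviations like "TH"
        problems.append("ST should not be abbreviated")
    unknown = set(dn) - set(DN_FIELDS)
    if unknown:
        problems.append(f"unknown DN fields: {sorted(unknown)}")
    return problems


def render_req_config(dn: dict, sans: list) -> str:
    """Build the .cnf text. The CN is added to the SAN list if missing, since
    browsers ignore the CN and match the SAN extension only."""
    problems = validate_dn(dn)
    if problems:
        raise ValueError("; ".join(problems))
    all_sans = list(dict.fromkeys([dn["CN"], *sans]))  # de-duplicate, keep order
    lines = ["[req]", "distinguished_name = dn", "req_extensions = ext",
             "prompt = no", "", "[dn]"]
    lines += [f"{f} = {dn[f]}" for f in DN_FIELDS if f in dn]
    lines += ["", "[ext]", "subjectAltName = @alt_names", "", "[alt_names]"]
    lines += [f"DNS.{i} = {name}" for i, name in enumerate(all_sans, 1)]
    return "\n".join(lines) + "\n"


# Constructed sample request for the PRD live cluster (domain names from 11.1).
SAMPLE_DN = {"CN": "shop.myDomain.com", "O": "Example Shop Ltd.", "OU": "E-Commerce",
             "L": "Jena", "ST": "Thuringia", "C": "DE", "emailAddress": "certs@myDomain.com"}
SAMPLE_SANS = ["shop-de.myDomain.com", "shop-nl.myDomain.com", "shop-fr.myDomain.com"]
```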

12 How to Access the Database and Manage Related Data?

For information on how to access and manage the database, please refer to Guide - CaaS Database Handling.

13 How to Access the Log Files?

13.1 ICM and IOM

On INT (ED+LV), read-only mounts are provided for accessing the ICM PRD and UAT (LV+ED) log files as well as the IOM PRD log files:

/var/intershop/logs/prd/lv
/var/intershop/logs/prd/ed
/var/intershop/logs/uat/lv
/var/intershop/logs/uat/ed
/var/intershop/logs/iom/prd

13.2 PWA

This task requires Azure CLI and kubectl on your local machine. Alternatively you may use https://shell.azure.com.

To access PWA logs or check the status of a pod do the following:

  1. Connect to the cluster by using Azure CLI: az aks get-credentials --subscription $subscription -g $resource_group -n $name

    Info: Subscription, namespace and resource information as well as information on permissions can be found in your Customer System Confluence page.
  2. Use kubectl for exploring the namespace:
    • List all pods: kubectl get pods -n $namespace
    • Status of a single pod: kubectl describe pod -n $namespace $pod
    • Log messages of a pod: kubectl logs -n $namespace $pod

14 How to Set up a VPN (if Necessary)?

14.1 General

By default, CaaS Intershop solutions hosted on Microsoft Azure are accessible on the Internet via a public IP address. To grant customer and partner clients or servers access to Azure, their public addresses are kept on a whitelist. Those connections, for example to storefront and back office sites or to provided APIs, are HTTPS-only and therefore TLS encrypted. TLS/SSL certificates are installed on the Azure web server tiers for that purpose. No additional VPN is required in this case.

A VPN is required if one of the clients or servers on the partner's or customer's side has no direct access to the public Internet. Typical cases are internal services like mail (SMTP), ERP or PIM. In this case, a VPN tunnel establishes a virtually direct and secured connection between the customer or partner and the Azure environment. Prior to configuring the VPN (more precisely, a site-to-site (S2S) VPN), the affected parties (e.g. customer and Intershop) have to agree on the networks to be used, i.e. one or more private IP address range(s). Those private IP ranges must not overlap with IPs or IP ranges already in use or planned to be used. For this reason, it is important for Intershop to know as early as possible whether a VPN is necessary and which private network range(s) should be used.

Example: The customer has a mail service on its private network, without direct access to the public Internet. It should be used to send e-mails originating in an Azure-based Intershop Commerce Management (ICM) environment. As the mail service has no access to the public Internet and therefore cannot be connected to directly, a VPN tunnel is required between Azure, where ICM is hosted, and the private network where the mail service's hosts are located.

14.2 Technical

To create a VPN tunnel between Azure and your (or your partner's) on-premise infrastructure, Intershop requires the following information:

Public IP address of your device

This is the VPN device on your (or your partner's) side. Intershop needs this IP address to establish the connection.

While configuring the VPN in Azure, Intershop will get a public IP address for the opposite side.

Intershop will communicate the newly created public IP address as soon as possible.

Address space of your local network(s)

Azure needs to know the private address ranges corresponding to your network.

Each VPN gateway needs to know the local area networks of both sides; otherwise the tunnel will not work.

Multiple subnets are possible but may not overlap.

Type of VPN

  • PolicyBased = IKEv1 or
  • RouteBased = IKEv2 (recommended)

Azure supports IKEv1 and IKEv2, but which type can be used depends on your device.

Intershop may check the requirements for you; this requires the type and firmware version of your device.

For more information please see the compatibility list:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

Note

IKEv1 (PolicyBased VPN) is no longer recommended for a productive environment. In December 2017, Microsoft limited PolicyBased VPN to the Basic SKU, which limits the bandwidth to 100 Mbps.

Shared Key (PSK)

Both VPN devices have to use the same shared key. Intershop will create a key if no key is provided by the customer.
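Added example (not Intershop code): a Python pre-check of the address ranges to be agreed for the S2S VPN, verifying that every range is a valid private network and that no two ranges, on the same side or across the tunnel, overlap. All address ranges are constructed samples.

```python
"""Pre-check the private address ranges for the site-to-site VPN (section 14.2).

Added example, not Intershop code; every address range below is a
constructed sample. Uses only the standard library.
"""
import ipaddress


def check_vpn_ranges(customer_ranges, azure_ranges):
    """Return a list of problems (empty when the ranges can be used as given)."""
    problems = []
    nets = []  # (side, network) pairs that parsed correctly
    for side, ranges in (("customer", customer_ranges), ("azure", azure_ranges)):
        for text in ranges:
            try:
                # strict=True rejects e.g. 10.20.0.1/24, where host bits are set.
                net = ipaddress.ip_network(text, strict=True)
            except ValueError as exc:
                problems.append(f"{side}: {text!r} is not a valid network ({exc})")
                continue
            # is_private covers RFC 1918 and the other IANA reserved blocks;
            # public ranges must never be routed through the tunnel.
            if not net.is_private:
                problems.append(f"{side}: {text} is not a private (RFC 1918) range")
            nets.append((side, net))
    # Any overlap, within one side or across the tunnel, breaks routing.
    for i, (side1, net1) in enumerate(nets):
        for side2, net2 in nets[i + 1:]:
            if net1.overlaps(net2):
                problems.append(f"{net1} ({side1}) overlaps {net2} ({side2})")
    return problems


# Constructed sample: customer mail-relay and ERP subnets, Azure hub VNet.
CUSTOMER_RANGES = ["10.20.0.0/24", "10.20.1.0/24"]
AZURE_RANGES = ["10.100.0.0/16"]

if __name__ == "__main__":
    for problem in check_vpn_ranges(CUSTOMER_RANGES, AZURE_RANGES) or ["ranges OK"]:
        print(problem)
```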


Disclaimer

The information provided in the Knowledge Base may not be applicable to all systems and situations. Intershop Communications will not be liable to any party for any direct or indirect damages resulting from the use of the Customer Support section of the Intershop Corporate Web site, including, without limitation, any lost profits, business interruption, loss of programs or other data on your information handling system.
