Securing your Nexcess-based Siteworx Drupal website's Ubercart using SSL
Here is a step-by-step process to work through securing your Ubercart site on our specific hosting recommendation, Nexcess.
Requirements:
1) Dedicated IP address
2) Certificate Signing Request (CSR)
3) Purchase Secure Sockets Layer (SSL) certificate
4) Change Drupal's .htaccess rewrite rule to match Base URL
Drupal site "base URL" must be the same host name as the one listed on the CSR
5) OPTIONAL, RECOMMENDED: SecurePages Module and Secure Pages Hijack Prevention
For Authorize.net enabling:
Authorize.net API Login ID and Transaction Key
Ubercart, Credit Card, and Authorize Modules turned on
FTP to create a new folder outside of document root
1) You must first purchase a dedicated IP address. You can purchase this directly through the Nexcess.net hosting control panel.
2) Now it's time to get the SSL certificate. First log in to your Siteworx account and go to the SSL Certificate section.
Link: http://docs.nexcess.net/ssl-tutorial
3) Install the "Private Key" by clicking "Setup Private Key". You may already have a private key from another SSL certificate previously used on another website, but typically, if this is a new site, you will "Generate" a new key.
4) Set up your Certificate Signing Request (CSR).
If you already have an SSL certificate, you do not need to take this step. If you are ordering SSL directly from Nexcess's provider (RapidSSL), please specify the information regarding your company.
NOTE: there is a difference between "www.mywebsite.com" and "mywebsite.com"
Decide which version of the domain name you want to use (with the www. or without it), and then stick with that choice: the CSR and Drupal's base URL must agree.
5) Order your SSL certificate ($69.95 for 3 years as of November 2010)
https://orders.nexcess.net/?p=ssl
6) It will take 3-5 days for you to receive the confirmation of your order.
7) Once you have your certificate (usually sent to you in an e-mail), you may return to your hosting SSL section and paste it into the Certificate box.
Include the "BEGIN CERTIFICATE" and "END CERTIFICATE" tags.
Click "Install"
8) Your website should now have the SSL enabled, test by going to:
http://www.mywebsite.com
as well as
https://www.mywebsite.com
9) Now we turn our attention to configuring Drupal and Ubercart for these updated settings.
http://www.ubercart.org/docs/user/15055/securing_your_site
10) Review your .htaccess file (change to htaccess.txt, make changes, re-upload, and rename to .htaccess, check permissions)
Find this text:
# If your site can be accessed both with and without the 'www.' prefix, you
# can use one of the following settings to redirect users to your preferred
# URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option:
And follow the instructions. Either redirect users to the "mywebsite.com" option, or to the "www.mywebsite.com" option.
This step rewrites any new link on your site to that version, e.g. if you choose the www. version, then
http://mywebsite.com/this-is-my-page/123
will be rewritten to:
http://www.mywebsite.com/this-is-my-page/123
11) OPTIONAL: If you find you continue to have issues, consider changing your "baseURL", found here:
/sites/default/settings.php
search for: "Base URL (optional)."
Uncomment the $base_url and change it to the correct URL that matches your choice in step #4
12) The SecurePages module assists you in specifying which pages are secured within the Drupal installation.
http://drupal.org/project/securepages
Also consider adding the Secure Pages Hijack Prevention module, which helps on sites that mix non-secure http:// and secure https:// pages.
http://drupal.org/project/securepages_prevent_hijack
We typically place modules into the /sites/all/modules/ folder. Unpack the zipped files there.
Then, go to the administration page:
http://example.com/admin/build/securepages (example.com being your actual site's URL)
and configure. The most common Ubercart paths to protect are:
node/add*
node/*/edit
user/*
admin/*
cart*
uc_paypal*
cgi-bin/webscr
taxes/calculate
Whenever a visitor goes to a page with these prefixes, the SecurePages module will switch it to the SSL-encrypted version. This is important for any page that requires personal information such as contact information or credit card details (such as when you use Authorize.net).
Suggested "paths to ignore":
user/autocomplete/*
logout
At this point, your Ubercart configuration will be secured and the site is encrypting sensitive information. Test this by going through the checkout process to see if the site goes to the https:// version of the page.
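To see how the SecurePages lists from step 12 interact, here is an added example (not part of this guide or of the SecurePages module) that models the module's "secure only the listed pages" behaviour as I understand it: a request matching the ignore list is left alone, one matching the secure list goes to https, anything else goes to http. The function names are my own.

```python
import re

# The "pages to secure" and "pages to ignore" lists from step 12
SECURE_PAGES = """
node/add*
node/*/edit
user/*
admin/*
cart*
uc_paypal*
cgi-bin/webscr
taxes/calculate
""".split()

IGNORE_PAGES = """
user/autocomplete/*
logout
""".split()


def _to_regex(pattern):
    # Drupal-style path pattern: '*' matches any run of characters, slashes
    # included; everything else is literal; the whole path must match.
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")


def match_path(path, patterns):
    """True when the internal Drupal path (no leading slash) hits any pattern."""
    return any(_to_regex(p).match(path) for p in patterns)


def decide(path, secure=SECURE_PAGES, ignore=IGNORE_PAGES):
    """Simplified model (assumption, not the module's code) of which scheme a
    request for `path` ends up on. 'ignore' means no redirect in either
    direction, which is why user/autocomplete/* stays usable for AJAX even
    though it also sits under the secured user/* prefix."""
    if match_path(path, ignore):
        return "ignore"
    if match_path(path, secure):
        return "https"
    return "http"


if __name__ == "__main__":
    for p in ("cart/checkout", "node/5", "node/5/edit", "user/autocomplete/jo"):
        print(p, "->", decide(p))
```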
13) If you are using Ubercart to accept credit card data directly on the checkout page, these following steps apply.
Additional documentation: http://www.ubercart.org/docs/user/7104/accepting_credit_card_payments
14) Credit Card keys:
You must create a folder outside of the HTML document root of your website and specify its filepath; this is where the system will store the encryption key.
Once this is set, you should not change it.
http://www.example.com/admin/store/settings/payment/edit/methods
For example, you will use FTP to create the folder (at the same level as the "html" folder for Nexcess hosting), and then in the Drupal Ubercart configuration tell the system what the filepath is, for example:
../private
or
../thekeys
or some other secret folder
Make sure that the folder has the correct permissions on it, so Ubercart may write to this folder.
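The checks behind step 14 can be automated. This is an added example, not code from this guide or from Ubercart; it assumes the Nexcess layout described above ("html" is the document root, the key folder sits beside it) and uses helper names of my own. It flags a key folder that resolves inside the document root (and is therefore downloadable), one the web server cannot write to, and one that other accounts on the host can read.

```python
import os
import stat
import tempfile


def key_dir_status(docroot, key_dir):
    """Check the Ubercart encryption-key path `key_dir` (given relative to
    `docroot`, e.g. '../private'). Returns a list of problems; empty is good."""
    issues = []
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(docroot, key_dir))
    # 1. The key must not be reachable as a URL: after following symlinks the
    #    folder must lie outside the document root.
    if os.path.commonpath([root, target]) == root:
        issues.append("inside document root: %s" % target)
    if not os.path.isdir(target):
        issues.append("missing directory: %s" % target)
        return issues
    # 2. The web server process (the one running this check) must be able
    #    to create the key file there.
    if not os.access(target, os.W_OK | os.X_OK):
        issues.append("not writable by this process")
    # 3. On shared hosting, other accounts must not be able to read the key.
    mode = stat.S_IMODE(os.stat(target).st_mode)
    if mode & stat.S_IRWXO:
        issues.append("world-accessible mode %o" % mode)
    return issues


def demo():
    """Constructed throwaway layout: <tmp>/html is the document root and
    <tmp>/private sits beside it, as step 14 recommends; <tmp>/html/keys is
    the mistake the step warns against."""
    base = tempfile.mkdtemp()
    html = os.path.join(base, "html")
    os.makedirs(html)
    os.mkdir(os.path.join(base, "private"))
    os.chmod(os.path.join(base, "private"), 0o700)
    os.mkdir(os.path.join(html, "keys"))
    os.chmod(os.path.join(html, "keys"), 0o777)
    return {rel: key_dir_status(html, rel)
            for rel in ("../private", "keys", "../nothere")}


if __name__ == "__main__":
    for rel, problems in demo().items():
        print(rel, "->", problems or "OK")
```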
15) If you are using Authorize.net, you must first set up an Authorize.net account; you will then receive an API Login ID and a Transaction Key from Authorize.net. Keep this information safe.
16) Ubercart comes bundled with payment options, including 2Checkout, Authorize.net, Cybersource, Google Checkout, and PayPal.
PayPal is easiest to configure - you simply need a PayPal account.
Authorize.net functionality is as follows:
17) First make sure that the Authorize.net and Credit Card modules are turned on in:
http://www.example.com/admin/build/modules/list (where www.example.com is your actual website URL)
18) Next, go to the details of the payment gateway directly (within Store administration | Configuration | Payment settings | Edit | Payment gateways).
You will see the Authorize.net field - expand it and place your API Login ID and Transaction Key inside.
We use the following selections:
"Authorize and capture immediately"
"Enable this payment gateway for use."
Live transactions in a live account
ARB settings: Transaction mode: Production (if Automated Recurring Billing (ARB) is turned on within your Authorize.net account) or Disabled (if ARB is turned off)
CIM settings: Transaction mode: Production (if turned on) or Disabled (if turned off).
http://www.example.com/admin/store/settings/payment/edit/gateways
19) At this point, Authorize.net is turned on through Ubercart on your Drupal site, and you may securely accept credit card information directly on your site and pass it securely to Authorize.net for payment processing.
20) Now you may configure new products for sale within your store:
http://www.example.com/node/add/product
and the new products may be purchased by a customer and placed in their cart:
https://www.example.com/cart
(notice that the cart is on the SSL-enabled site)
That's it!