ECommerce: Difference between versions
Version of 10 October 2006, 12:07

The B2B capabilities of OrgaMon make it possible to use OrgaMon services from outside. At the moment the XML-RPC interface, which every system can handle, is used for this. The TCP/IP port used is freely configurable.

Function overview

For the first time, functions for business processes are collected from OrgaMon in a central module (eCommerce). The goal is to run the whole webshop, i.e. all web requests, exclusively through the eCommerce module. For the first time "r" connections and "w" connections are used as well, which will benefit the future raib servers (clustering). A list of all eCommerce functions follows below.

SSL repositories
http://www.nurdletech.com/https.html
http://www.securityfocus.com/infocus/1820
CodeSign
Adding a certificate to an EXE file.

Buying the code signing certs from Thawte will cost you $200 per year. Renewals cost ~ $153 US. Verisign charges $400 per year. Obviously I went with Thawte. The certs are the same, as all CAs have their root certs for code signing enabled; this really isn't the case with SSL (https:// certificates), so you have to pick wisely when buying an SSL cert.

With the cert you can sign as many products as you wish, as long as they are from the company/organization which purchased the code signing cert.

You are not required to renew the certificate, as long as you timestamp the program. You basically connect to a server that does timestamping and it stamps the certificate/program with a hardcoded date. If the certificate expires and there is a valid stamp on it, then the certificate does not warn the end users downloading your files that it is expired. But you will need to renew the cert if you want to re-stamp new builds/updates of your files. You can use the freely available Verisign timestamping service to stamp your code with (instructions to do it are included in Microsoft's code signing SDK).

Information on how to sign code is at: http://msdn.microsoft.com/library/default.asp?url=/workshop/security/authcode/signing.asp

You can download the files (signcode.exe) at: http://www.microsoft.com/downloads/details.aspx?FamilyID=2B742795-D0F0-4A66-B27F-22A95FCD3425&displaylang=en

You probably want to get the x86 executable, as it's unlikely most people here are generating Alpha executables (64 bit).

You can get more information and purchase the certs from Thawte at:
http://www.thawte.com/codesign/index.html
Look at the Microsoft Authenticode Code Signing Certificate.

As to questions about stealing a cert: it's possible but very, very hard to do. Thawte sends you a .pvk file (private key file) and a certificate file. Both files are required to generate the certificate embedded into the exe. The hash of this certificate is unique to each executable, and if the exe is modified in any way the cert is nullified. Also you have the option, when purchasing the code signing cert, to password protect it. This allows even more security, as if anyone does get hold of the cert and private key then they still need the password to sign with.

Also the process to obtain a cert can take some time. It took me roughly 8 hours to receive it. You cannot as an individual in the US get a code signing cert. You must be a registered business with your state/country, and they will require you to fax them documentation proving your business is valid. Then they will check your domain; all certs are tied to a domain, typically the business domain, so they check the whois records. As long as the REGISTRANT OF RECORD on the domain matches your legal company name EXACTLY, then you are fine. For instance my legal company name is PGWARE LLC, thus that is what had to be listed in the registrant information for the domain; if I had just PGWARE then Thawte would decline my application.

Finally you have to have a business phone number where they can contact you to verify the purchase. They will attempt to obtain a phone number for you by the use of the phone directory service in your city; if you are not listed then they will attempt other means to find a phone number to contact you at. If they are not able to find any number then you need to fax them a phone bill that shows your company name on it, and your telephone number on it. They will then call you and ask you basic questions on who ordered the certificate and details you entered when ordering; this allows them to confirm you are the person who really is getting the cert. If you have no phone number at all for your business, fear not, you can send in a notarized letter signed by a notary which states you give permission and authorization to distribute a certificate to your business; then fax it in to them.

As long as you have everything in order and all documents ready to be faxed you can get the cert within a day's time. They do all these checks to make sure you are who you say you are. Also they want to make it seem like they are actually doing something for that $200 you're sending them.

If any of you guys are interested in doing it and have any problems along the way just message me here or email me and I'll lend some assistance.

---

Julian, the cert is signed into the exe by the user of the signcode.exe program. It adds an additional section into the exe header which contains the cert.

When using signcode.exe you can pass command line params to generate the digital certificate within the exe. When you right-click on an exe that is signed and click PROPERTIES, there is a new tab within the properties sheet of the executable entitled DIGITAL CERTIFICATE.

Here is how to sign:

signcode.exe -spc mycert.spc -v mykey.pvk -n "My Program" -i http://www.url.com -$ commercial -t http://timestamp.verisign.com/scripts/timstamp.dll MYPROG.EXE

mycert.spc is the file Thawte/Verisign sends to you; it is the certificate. MyKey.pvk is the private key Thawte/Verisign also sends to you, which contains your private key and password (if a password was set). Note you cannot change the password without buying a new cert.

"My Program" is just a friendly name you can give your program and is displayed in the Security box when shown to a user downloading your file. http://www.url.com is the URL to your website; this lets a user click on your program name (friendly name) and it takes them to the website. Finally you include the optional timestamp (you should timestamp, so when the certificate expires the file is still signed). Then you pass the filename/path to your exe that needs to be signed.
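The post above says the signature "is nullified" if the exe changes and that the signed block lives in the exe header. Concretely, signcode.exe appends a WIN_CERTIFICATE table (the PKCS#7 SignedData) to the end of the file and points the security data directory (entry 4 of the optional header) at it; the digest inside that signature is computed over the whole file except the CheckSum field, that directory entry and the certificate table itself, which is why a timestamp can be added without invalidating the signature while a single changed byte in a section breaks it. The following Python script is an added example, not code from the post or from the signing SDK: it locates the certificate table and computes the Authenticode digest on a PE32 image that is constructed in memory for the example (not loadable; the certificate blob is a placeholder, not real PKCS#7). It assumes the certificate table is the last thing in the file, as signcode/signtool write it.

```python
import hashlib
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
DIR_SECURITY = 4                         # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _layout(pe: bytes):
    """Offsets of the fields Authenticode skips, the section list and the cert table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        dirs = opt + 96
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt + 64                                  # CheckSum field
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    sec_dir = dirs + DIR_SECURITY * 8                        # security directory entry
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_dir)  # file offset, not an RVA
    sections = []
    for i in range(num_sections):
        hdr = opt + size_opt + i * 40
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        sections.append((raw_ptr, raw_size))
    return checksum_off, sec_dir, size_of_headers, sections, cert_off, cert_size


def find_signature(pe: bytes):
    """(revision, type, blob) of the first WIN_CERTIFICATE entry, or None if unsigned."""
    *_, cert_off, cert_size = _layout(pe)
    if cert_size == 0:
        return None
    table = pe[cert_off:cert_off + cert_size]
    length, revision, cert_type = struct.unpack_from("<IHH", table, 0)
    return revision, cert_type, table[8:length]


def authenticode_digest(pe: bytes, algo: str = "sha256") -> str:
    """Hash the file as Authenticode does: CheckSum, the security directory entry
    and the certificate table are left out; sections are hashed in file order."""
    checksum_off, sec_dir, size_of_headers, sections, cert_off, cert_size = _layout(pe)
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:sec_dir])
    h.update(pe[sec_dir + 8:size_of_headers])
    hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    # Overlay data after the last section is hashed too; the certificate table is
    # assumed to be the last thing in the file, where signcode/signtool put it.
    end = cert_off if cert_size else len(pe)
    if end > hashed:
        h.update(pe[hashed:end])
    return h.hexdigest()


def build_minimal_pe32(code: bytes, cert_blob: bytes = b"") -> bytes:
    """Constructed PE32 image with one .text section. If cert_blob is given it is
    appended as a WIN_CERTIFICATE and referenced from the security directory."""
    size_of_headers = raw_size = 0x200
    raw_ptr = size_of_headers
    win_cert, cert_off = b"", 0
    if cert_blob:
        cert_off = raw_ptr + raw_size
        win_cert = struct.pack("<IHH", 8 + len(cert_blob), WIN_CERT_REVISION_2_0,
                               WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        win_cert += b"\0" * (-len(win_cert) % 8)             # entries are 8-byte aligned
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 60, size_of_headers)
    struct.pack_into("<I", opt, 64, 0x1234)                   # CheckSum, arbitrary value
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + DIR_SECURITY * 8, cert_off, len(win_cert))
    sect = bytearray(40)
    sect[:5] = b".text"
    struct.pack_into("<IIII", sect, 8, len(code), 0x1000, raw_size, raw_ptr)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + bytes(sect)
    headers += b"\0" * (size_of_headers - len(headers))
    return headers + code + b"\0" * (raw_size - len(code)) + win_cert


if __name__ == "__main__":
    code = b"\xb8\x01\x00\x00\x00\xc3"                        # constructed: mov eax,1; ret
    unsigned = build_minimal_pe32(code)
    signed = build_minimal_pe32(code, b"\x30\x82\x00\x00placeholder")
    print("unsigned digest:", authenticode_digest(unsigned))
    print("signed digest:  ", authenticode_digest(signed))    # same: the table is excluded
    print("signature entry:", find_signature(signed)[:2])
```

Running it shows the same digest for the image with and without the certificate table, so re-signing or re-timestamping never changes the value the signature protects, while flipping one byte of the .text section changes it. On a real signed file `find_signature` returns a PKCS#7 SignedData blob that a verifier would then parse and check against the certificate chain; that part is deliberately out of scope here.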
Internet repositories

Internet repositories (Internetablagen) serve the ongoing documentation of order results on the Internet. The client can view portions of the results at any time or integrate them into its own IT system. For this, virtual hosts are set up on the OrgaMon web server, one for each client.

- Creating the user ~SubDomain~

The user name should be the label of the client's domain in front of the top-level domain. Say the client is a gear factory (Zahnradfabrik). Its domain is http://www.zf.com, so our subdomain is zf. Future data exchange takes place via the address http://zf.orgamon.de. The first step is creating the user zf. To keep the explanation general, from now on we write ~SubDomain~ instead of "zf".

yast: Security and Users -> Add and edit users
<ALT>+<H> for "Hinzufügen" (Add)
Under "Benutzername" (user name): enter ~SubDomain~
Under "Passwort" (password): enter the password generated by OrgaMon
<ALT>+<D> for Details
Under "Homeverzeichnis" (home directory): /srv/www/htdocs/~SubDomain~
Under "Leeres Home" (empty home): tick the box!
Under "Login-Shell": /bin/false
Under "Standardgruppe" (default group): select "ftp"
Under "weitere Gruppen" (additional groups): only "www" and "ftp" may be ticked!
<ALT>+<W> for "Weiter" (Next)
<ALT>+<E> for "Anlegen" (Create)
Exit yast
- Pre-populating the Internet repository

#
# Make sure samba has full access to the repository.
# (777 makes the directory writable for every local user; on a shared host a
# group-writable directory owned by the samba/www group is the safer choice.)
chmod 777 /srv/www/htdocs/~SubDomain~
# provide index.php (the script below)
# provide sort.txt, writable for the web server
touch /srv/www/htdocs/~SubDomain~/sort.txt
chmod 666 /srv/www/htdocs/~SubDomain~/sort.txt
- PHP script for the file listing

<?php
// Dateiablage: lists the *.zip files in this directory, sorted by name or by
// date. The selected sort order is persisted in sort.txt, which must be
// writable by the web server user.
define('SORT_ORDER_FILE', 'sort.txt');
$allowed = array('name', 'date');

function save_order($s) { file_put_contents(SORT_ORDER_FILE, $s); }
function load_order() { return trim((string) file_get_contents(SORT_ORDER_FILE)); }

// The sort order is taken from the query string only (no register_globals)
// and restricted to the known values before it is stored or used.
$requested = isset($_GET['sortorder']) && in_array($_GET['sortorder'], $allowed, true)
    ? $_GET['sortorder'] : null;
if ($requested !== null) {
    $sortorder = $requested;                     // repeated call with a new choice
} elseif (file_exists(SORT_ORDER_FILE)) {
    $sortorder = load_order();                   // first call: the stored choice
    if (!in_array($sortorder, $allowed, true)) { $sortorder = 'name'; }
} else {
    $sortorder = 'name';                         // very first call: default
}
if ($requested !== null || !file_exists(SORT_ORDER_FILE)) { save_order($sortorder); }

$self = htmlspecialchars(basename($_SERVER['PHP_SELF']), ENT_QUOTES, 'UTF-8');

// Collect the zip files together with their modification times.
$filename = array();
$filedate = array();
foreach (scandir('.') as $file) {
    if (is_file($file) && strtolower(substr($file, -4)) === '.zip') {
        $filename[] = $file;
        $filedate[] = filemtime($file);
    }
}
if ($sortorder === 'date') {
    array_multisort($filedate, SORT_DESC, $filename, SORT_ASC);
} else {
    array_multisort($filename, SORT_ASC, $filedate, SORT_DESC);
}
?>
<html>
<head>
<title>Dateiablage</title>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache, must-revalidate">
<meta http-equiv="Expires" content="0">
<style type="text/css">
table.border { border-color: #000000; border-style: solid; }
td { padding-left: 5px; padding-right: 5px; border-width: 0px; font-family: Verdana; font-size: 13px; }
a:link, a:active { font-family: Verdana, Arial; font-size: 13px; color: #cc0000; text-decoration: none; }
a:visited { font-family: Verdana, Arial; font-size: 13px; color: #999999; text-decoration: none; }
a:hover { font-family: Verdana, Arial; font-size: 13px; color: #cc0000; text-decoration: none; background-color: #C8D8E0; }
a.head:link, a.head:visited, a.head:active, a.head:hover { color: #000040; text-decoration: underline; background-color: transparent; }
</style>
</head>
<body bgcolor="#ffffff">
<center>
<table class="border" cellpadding="0" cellspacing="2" border="1" width="500">
<tr><td colspan="2"><b>zip Dateiablage</b><br><br></td></tr>
<tr>
<td width="70%" bgcolor="#C8D8E0"><a class="head" href="./<?php echo $self; ?>?sortorder=name"><b>Dateiname</b></a><?php if ($sortorder === 'name') { echo ' v'; } ?></td>
<td width="30%" bgcolor="#C8D8E0"><a class="head" href="./<?php echo $self; ?>?sortorder=date"><b>Ablagedatum</b></a><?php if ($sortorder === 'date') { echo ' v'; } ?></td>
</tr>
<!-- BEGIN BAUSTELLE -->
<?php
// One row per file; the name is escaped for HTML and URL-encoded for the link.
foreach ($filename as $i => $fn) {
    $fd = $filedate[$i];
    echo '<tr><td bgcolor="#E8F4F8"><a href="' . rawurlencode($fn) . '">'
       . htmlspecialchars($fn, ENT_QUOTES, 'UTF-8') . '</a></td>';
    echo '<td bgcolor="#E8F4F8">' . date('d.m.Y H:i:s', $fd) . "</td></tr>\n";
}
?>
<!-- END BAUSTELLE -->
<!-- INSERT BAUSTELLE -->
</table>
</center>
</body>
</html>
- Pointing a virtual host at the repository

#
# File /etc/apache2/vhosts.d/~SubDomain~.orgamon.de.conf
#
<VirtualHost *>
    ServerName ~SubDomain~.orgamon.de
    DocumentRoot /srv/www/htdocs/~SubDomain~
</VirtualHost>

<Directory /srv/www/htdocs/~SubDomain~>
    AuthType Basic
    AuthName "Mandant Ablage"
    AuthUserFile /srv/www/htdocs/~SubDomain~/.htpasswd
    Require user ~SubDomain~
</Directory>
Directory protection with htpasswd

Unfortunately the htpasswd command was missing on my SUSE 9.2. (I pulled it over from another server; I don't like to talk about everything I had to do to get the thing running!) So the first hurdle is installing the thing; after that it is easy.

# Change into the html directory you want to protect.
# If -b and ~DasPasswort~ are omitted, the password is asked for twice on the
# command line (with -b it ends up in the process list and the shell history).
htpasswd -cb .htpasswd ~SubDomain~ ~DasPasswort~
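The procedure above serves the repository over plain HTTP, so Basic auth sends the client's password in the clear on every request, and it keeps .htpasswd inside the DocumentRoot, which is also the client's FTP home and, after the chmod 777 for Samba, a directory every local user can write to (and so replace the password file in). The following is an added example, not the page's own configuration: the same vhost with the repository served only over TLS and the password file outside the web root. The certificate and password-file paths are assumptions; the certificate must be valid for the subdomain (e.g. a wildcard for *.orgamon.de) and mod_ssl must be loaded.

```apache
#
# File /etc/apache2/vhosts.d/~SubDomain~.orgamon.de.conf (hardened variant)
#

# Plain HTTP only redirects; the repository itself is never served here.
<VirtualHost *:80>
    ServerName ~SubDomain~.orgamon.de
    Redirect permanent / https://~SubDomain~.orgamon.de/
</VirtualHost>

<VirtualHost *:443>
    ServerName ~SubDomain~.orgamon.de
    DocumentRoot /srv/www/htdocs/~SubDomain~

    SSLEngine on
    # Assumed paths: a certificate valid for *.orgamon.de and its private key.
    SSLCertificateFile    /etc/apache2/ssl.crt/orgamon.de.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/orgamon.de.key

    <Directory /srv/www/htdocs/~SubDomain~>
        # No automatic directory listing: index.php is the only intended view.
        Options -Indexes
        AllowOverride None
        AuthType Basic
        AuthName "Mandant Ablage"
        # Assumed location: the password file lives outside the web root, where
        # neither the web server nor the FTP/Samba users of the repository reach it.
        AuthUserFile /etc/apache2/htpasswd/~SubDomain~
        # Exactly this client's user, not "any valid user" on the host.
        Require user ~SubDomain~
    </Directory>
</VirtualHost>
```

Create the password file with `htpasswd -c /etc/apache2/htpasswd/~SubDomain~ ~SubDomain~` (without -b, so the password is prompted for rather than left in the shell history) and restrict it to root and the web server group, e.g. `chown root:www` and `chmod 640`. With one such file per client, the ~SubDomain~ user of one client can never be matched against another client's repository.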
XML RPC
abu.ArtikelSuche(SuchStr: string): array of integer; { ARTIKEL_R }
  // search engine for article search

abu.ArtikelPreis(AUSGABEART_R, ARTIKEL_R: integer): double;
  // returns the price of the article in this edition type (Ausgabeart)
  // free of charge = 0;
  // cPreis_vergriffen = -1.0;  // article no longer available
  // cPreis_aufAnfrage = -2.0;  // no price information available

abu.Land(LAND_R: integer): string;
  // returns the country name (as ISO code)

abu.KontoInfo(PERSON_R: integer): double;
  // returns the customer's account balance (amount due!)
  // as a side effect generates the current "Mahnung.html" (dunning letter)

abu.BestellInfo(PERSON_R: integer): integer;
  // returns the supplier's delivery backlog (expected quantities!)
  // as a side effect generates the current "Bestellung.html" (order)

abu.Bestellen(PERSON_R: integer): integer;
  // turns the customer's shopping cart into an actual order.
  // The (new) document number is returned.

abu.ArtikelVersendetag(AUSGABEART_R, ARTIKEL_R: integer): integer;
  // YELLOW STATES
  // 0 = no availability information
  //
  // RED STATES:
  // 1 = permanently out of print
  // 2 = currently out of print, new edition uncertain
  // 3 = currently out of print, new edition certain
  //
  // GREEN STATES:
  // 10 = deliverable today (= in stock, no quantity given)
  // 11 = deliverable tomorrow (= e.g. already ordered with this promise and arriving tomorrow)
  // 12 = deliverable in 2 days ... (= e.g. can be procured within this time)
  // 13 = deliverable in 3 days ...
  // 14 = ... and so on ...
  //
  // GREEN STATES:
  // 101 = deliverable today (= in stock, stock quantity = 1)
  // 102 = deliverable today (= in stock, stock quantity = 2)
  // 103 = deliverable today (= in stock, stock quantity = 3)
  // ... and so on.
  //
  // GREEN STATES:
  // >20020101 = specific delivery date (e.g. publication date!)
  // 20031003 = deliverable on 03.10.2003 (e.g. because it is published that day)
  //            (pre-orders of course possible)

abu.Verlag(VERLAG_R: integer): string;
  // name of the publisher for a publisher RID
  // NOTE: for historical reasons VERLAG_R values are mostly to be read as PERSON_R(s)!

abu.Versandkosten(PERSON_R: integer): double;
  // returns the shipping costs matching "customer, size of the shopping cart,
  // customer's shipping method". At the moment a dummy: always 3,33 €.

abu.ArtikelInfo(AUSGABEART_R, ARTIKEL_R, LAND_R, VERLAG_R): double, string;
  // multi-info function for further information on article data
  // results: price, "ISO country code" "-" "publisher"

abu.BasePlug(): array of string;
  // returns various information strings:
  // 1) database name
  // 2) OrgaMon version number
  // 3) IBO version number
  // 4) Indy version number
  // 5) PDF path (public)
  // 6) music path
  // 7) HTML path (invoices)
  // 8) image URL (icons and logos on an external site)
  // 9) TPicUpload version number (image upload)
  // 10) TMS FlexCel version number (XLS document output)
  // 11) jcl version number
  // 12) jvcl version number
  // 13) article image URL (article photos on an external site)

abu.ArtikelRabattPreis(AUSGABEART_R, ARTIKEL_R, PERSON_R): array of double;
  // like abu.ArtikelPreis, but meant for customers with a discount code;
  // this function additionally returns the discount figure!

abu.PersonNeu: integer; { PERSON_R }
  // A new person is created. The (new) RID is returned.
  // The webshop can then make further entries.

abu.Ort(PERSON_R): string; { address locality }
  // For the given person the locality string is assembled from country,
  // postcode, town and district, combined in a country-specific way.

abu.Rabatt(PERSON_R): boolean;
  // Determines whether the given person receives discounts.
  // Returns true if so, otherwise false.

abu.Preis(AUSGABEART_R, ARTIKEL_R, PERSON_R): array of double;
  // Will in future replace both abu.ArtikelPreis and abu.ArtikelRabattPreis.
  // If the customer receives discounts, which is checked at login with abu.Rabatt,
  // the real PERSON_R is passed to the function, otherwise 0.
  // Return values are the price and the discount (in percent, 0 when PERSON_R == 0).
  //
  // result[0] price in euro
  // result[1] discount in %
  // result[2] net flag: ("1" = YES | "0" = NO)
  // result[3] net-as-gross flag: ("1" = YES | "0" = NO)

abu.Miniscore(PERSON_R, ARTIKEL_R);
  // Requests that mini-scores of article ARTIKEL_R be sent to user PERSON_R
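The listing documents the abu.* methods but not the wire exchange or what an exposed XML-RPC endpoint implies. The following Python script is an added example, not OrgaMon's code: it stands up a loopback XML-RPC server with mock versions of abu.ArtikelPreis, abu.Rabatt and abu.Preis that follow the return conventions above, then calls them the way a webshop would at login and price lookup. The catalogue and discount data are constructed. Two choices in it are the security point: the interface carries no authentication of its own, so the server binds to 127.0.0.1 rather than to an address the shop's users can reach, and the dotted method names are registered one at a time, because Python's `register_instance(obj, allow_dotted_names=True)` shortcut is documented in the standard library as letting callers traverse attributes of the exposed object.

```python
import threading
from xmlrpc.client import ServerProxy
from xmlrpc.server import SimpleXMLRPCServer

# Price sentinels documented for abu.ArtikelPreis
PREIS_VERGRIFFEN = -1.0      # article no longer available
PREIS_AUF_ANFRAGE = -2.0     # no price information available

# Constructed data: (AUSGABEART_R, ARTIKEL_R) -> price, and PERSON_R -> discount in %
CATALOGUE = {(1, 100): 19.90, (1, 101): PREIS_VERGRIFFEN, (2, 100): 0.0}
DISCOUNT_PERCENT = {7: 10.0}


def artikel_preis(ausgabeart_r: int, artikel_r: int) -> float:
    """Mock of abu.ArtikelPreis: the price, 0 for free, or a negative sentinel."""
    return CATALOGUE.get((ausgabeart_r, artikel_r), PREIS_AUF_ANFRAGE)


def rabatt(person_r: int) -> bool:
    """Mock of abu.Rabatt: does this person receive discounts?"""
    return person_r in DISCOUNT_PERCENT


def preis(ausgabeart_r: int, artikel_r: int, person_r: int) -> list:
    """Mock of abu.Preis: [price, discount %, net flag, net-as-gross flag]."""
    discount = DISCOUNT_PERCENT.get(person_r, 0.0) if person_r else 0.0
    return [artikel_preis(ausgabeart_r, artikel_r), discount, 0.0, 0.0]


def start_server() -> SimpleXMLRPCServer:
    """Bind to loopback only: the abu.* interface has no authentication of its own."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    # Dotted names are registered explicitly. register_instance(obj,
    # allow_dotted_names=True) would also yield "abu.X" names, but the stdlib
    # documents it as letting callers traverse obj's attributes.
    server.register_function(artikel_preis, "abu.ArtikelPreis")
    server.register_function(rabatt, "abu.Rabatt")
    server.register_function(preis, "abu.Preis")
    server.register_introspection_functions()        # system.listMethods etc.
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo() -> dict:
    """One client/server exchange as a webshop would do it; returns the replies."""
    server = start_server()
    host, port = server.server_address
    try:
        proxy = ServerProxy("http://%s:%d/" % (host, port))
        abu = proxy.abu                                 # "abu.X" via attribute access
        person_r = 7
        # Login convention from the listing: pass the real PERSON_R to abu.Preis
        # only if abu.Rabatt confirms a discount customer, otherwise 0.
        effective = person_r if abu.Rabatt(person_r) else 0
        replies = {
            "methods": sorted(m for m in proxy.system.listMethods() if m.startswith("abu.")),
            "regular": abu.ArtikelPreis(1, 100),
            "vergriffen": abu.ArtikelPreis(1, 101),
            "unknown": abu.ArtikelPreis(9, 9),
            "with_discount": abu.Preis(1, 100, effective),
            "without_discount": abu.Preis(1, 100, 0),
        }
    finally:
        server.shutdown()
        server.server_close()
    return replies


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The mocks return exactly the documented sentinels (-1.0 for an article that is no longer available, -2.0 when no price is known) so a shop front end can be tested against them offline. Whatever port OrgaMon is configured to listen on, the same rule applies: put the XML-RPC endpoint behind a firewall or on the shop server's loopback/private network and never on the address the virtual hosts above are served from.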