October 2019
Note: In the examples below, the company name and details and
user details represent a fictitious sample. Any similarity to actual
company details is purely coincidental and not intended in any
manner.
Contents
1 Send Us Your Comments..............................................................1-xx
1 Preface...........................................................................................1-xxi
Audience..................................................................................................................... 1-xxi
Documentation Accessibility ................................................................................. 1-xxi
Access to Oracle Support................................................................................... 1-xxi
Related Documents ................................................................................................. 1-xxi
Customer Support..................................................................................................... 1-xxi
Review Patch Documentation ...............................................................................1-xxii
Oracle Retail Documentation on the Oracle Technology Network...............1-xxii
Conventions ..............................................................................................................1-xxii
1 Getting Started.................................................................................1-1
Who Should Use This Guide..................................................................................... 1-1
Xstore Point of Service Suite Components and Modules.................................... 1-2
Xstore Point of Service .......................................................................................... 1-3
PA-DSS Validation ......................................................................................... 1-3
Xenvironment......................................................................................................... 1-3
DataLoader ............................................................................................................. 1-3
GenKeys .................................................................................................................. 1-3
Xcenter..................................................................................................................... 1-3
Xadmin .................................................................................................................... 1-4
EFTLink................................................................................................................... 1-4
InstallX .................................................................................................................... 1-4
WebLogic ................................................................................................................ 1-4
Jetty .......................................................................................................................... 1-4
Apache Tomcat ...................................................................................................... 1-4
JRE............................................................................................................................ 1-4
Xstore Point of Service Mobile............................................................................. 1-4
Oracle Retail Xstore Settlement ........................................................................... 1-5
Web Server.............................................................................................................. 1-5
Real-Time Product Integration with Xstore Point of Service.............................. 1-5
jetty-X.X.X-OS-installer-YY.jar ..................................................................... 2-3
tomcat-X.X.X-OS-installer-YY.jar ................................................................. 2-3
Installation File Directories ........................................................................... 2-3
Installation File Directories .................................................................................. 2-4
oraclepdb_install,upgrade ............................................................................ 2-4
oracle_install,upgrade ................................................................................... 2-4
mssql_install,upgrade.................................................................................... 2-4
mssql-unicode_install, upgrade ................................................................... 2-4
Office Installation .zip Files.................................................................................. 2-4
OracleRetailXstoreOffice_X_X_X_X_CCC_V_V_V.zip............................. 2-4
OracleRetailXstoreCommon_X_X_X_X_X_CCC_V_V_V.zip .................. 2-5
Java ................................................................................................................................. 2-5
Java Runtime Environment (JRE)........................................................................ 2-5
Java Development Kit (JDK) ................................................................................ 2-6
Enable Unlimited Java Encryption .............................................................. 2-6
Create JRE Package................................................................................................ 2-6
Database ........................................................................................................................ 2-8
Oracle ...................................................................................................................... 2-8
Installation Directory ..................................................................................... 2-8
OPEN_CURSORS Setup for Oracle ............................................................. 2-8
MS SQL Server ....................................................................................................... 2-8
Creating Databases................................................................................................ 2-8
TLS Certificates............................................................................................................ 2-8
WebLogic....................................................................................................................... 2-9
Tomcat or Jetty ............................................................................................................. 2-9
Jetty & Tomcat Memory Values .......................................................................... 2-9
64-bit OS and JDK........................................................................................... 2-9
Configure WebLogic Server........................................................................ 3-18
Configure Datasources ................................................................................ 3-21
Edit Batch File or Shell Script ..................................................................... 3-23
Install Jetty ............................................................................................................ 3-25
Install Apache Tomcat ........................................................................................ 3-28
Loading Profile Group/Element Configurations .............................................. 3-31
Install Xstore Office DataLoader ............................................................................ 3-31
GUI Mode Installation ........................................................................................ 3-31
To Load Xadmin User Records via DataLoader (Optional)................... 3-32
Install Xstore Office POS Log Generator.............................................................. 3-32
GUI Mode Installation ........................................................................................ 3-33
Retrieve Files through SFTP.................................................................................... 3-33
Java Runtime Environment (JRE)...................................................................... 4-11
Create JRE Package.............................................................................................. 4-11
Database ...................................................................................................................... 4-12
Oracle .................................................................................................................... 4-12
Microsoft SQL Server .......................................................................................... 4-12
TLS Certificates.......................................................................................................... 4-12
Xstore Point of Service Mobile................................................................................ 4-13
Install Xstore Mobile on Windows 10............................................................... 4-13
Set Screen Resolution (Windows 10 Only) ...................................................... 4-14
Build an Xstore Point of Service Mobile Client Application (iOS Only) ..... 4-15
Prerequisites.................................................................................................. 4-15
Create a New Xcode Project........................................................................ 4-15
Add XstoreMobile.framework to the Project ........................................... 4-16
Import Properties from XstoreMobile.framework Project ..................... 4-17
Update Icons and Launch Images.............................................................. 4-17
Configure Build Settings ............................................................................. 4-18
Set the Application’s Main Entry Point..................................................... 4-18
Configure your Apple Developer Provisioning Profiles........................ 4-18
Configure Verifone Support ....................................................................... 4-18
Configure Zebra or Symbol Support ......................................................... 4-20
Archive the Application .............................................................................. 4-23
Extract the Jetty Password Obfuscation Utility (Xstore Point of Service Mobile and
Xservices)..................................................................................................................... 4-25
Linux Pre-installation Procedures for Xenvironment......................................... 4-25
Linux Integration with APG Network Cash Drawer.......................................... 4-26
Configure Xstore Point of Service for Address Verification Service............ 5-19
Enable Networked Cash Drawers..................................................................... 5-21
Install Xservices ......................................................................................................... 5-22
GUI Mode Installation ........................................................................................ 5-22
Login Configuration............................................................................................ 5-27
Install Xenvironment ................................................................................................ 5-28
Install Certificates for Xenvironment-Xstore Point of Service Communication ...... 5-31
Configure Xenvironment for Thin Client............................................................. 5-31
Run Xenvironment as a Service......................................................................... 5-32
Windows........................................................................................................ 5-32
Linux (systemd) ............................................................................................ 5-33
Linux (init.d) ................................................................................................. 5-34
Xstore Point of Service Mobile Installation on Device ...................................... 5-36
iOS.......................................................................................................................... 5-36
Android................................................................................................................. 5-37
Create and Install SSL Certificates............................................................. 5-37
Install and Configure DataWedge ............................................................. 5-38
Configure Xstore Point of Service Mobile........................................................ 5-39
Configure Xstore Point of Service Mobile ................................................ 5-40
Additional Configuration............................................................................ 5-40
Functional Settings ....................................................................................... 5-42
Security Settings ........................................................................................... 5-42
Integrate with Xcommerce ................................................................................. 5-42
Writing Your Xcommerce Application ..................................................... 5-42
Communication Ports ................................................................................................. 6-8
9 Internationalization..........................................................................9-1
Translation .................................................................................................................... 9-1
Localization................................................................................................................... 9-2
Configuration Accelerators........................................................................................ 9-2
Multi-Keystroke Character Entry ............................................................................. 9-2
Fiscalization .................................................................................................................. 9-2
Features ................................................................................................................... 9-3
B-21
The instructions in this step should be followed by the Certificate Authority ...... B-22
Install the Certificate on Android ..................................................................... B-23
Self-Signed Certificates: Oracle Retail Xstore Office.........................................B-23
Customer Responsibility: Oracle Retail Xstore Office.................................... B-23
What you need to know before creating certificates............................... B-23
Suggested certificate rotation strategy ...................................................... B-23
To create and deploy Self-Signed Certificates.......................................... B-24
Integrator’s Responsibility: Xstore Office ............................................................B-25
Self-Signed Certificates: Xservices.........................................................................B-26
Customer Responsibility: Xservices.................................................................. B-26
What you need to know before creating certificates............................... B-26
Suggested certificate rotation strategy ...................................................... B-26
To create and deploy Self-Signed Certificates for Xservices.................. B-27
Self-Signed Certificates: Apache ............................................................................B-28
Customer Responsibility: Apache..................................................................... B-28
What you need to know before creating certificates............................... B-28
Suggested certificate rotation strategy ...................................................... B-28
To create and deploy Self-Signed Certificates for Apache ..................... B-28
Integrator’s Responsibility: Web Server........................................................... B-30
Self-Signed Certificates for Xstore Point of Service Mobile.............................B-30
Install the Certificate on Android ..................................................................... B-32
Xenvironment Certificates .......................................................................................B-32
Generating and Importing the Key File (Windows)....................................... B-32
What you need to know before creating certificates............................... B-32
To create and deploy certificates for Xenvironment ............................... B-32
Digital Signatures......................................................................................................B-33
Digital Signatures - Windows............................................................................ B-34
Linux Instructions......................................................................................................B-37
Generating and Importing the Key File (Linux) ............................................. B-37
Installing OpenSSL in Linux .............................................................................. B-37
Generating the Key File in Linux ...................................................................... B-37
Importing the Key File in Linux ........................................................................ B-38
Digital Signatures - Linux .................................................................................. B-39
Annual Distribution Requirements.......................................................................B-41
Overview .............................................................................................................. B-41
Self-Signed Certificates................................................................................ B-41
Certificate Authority-Signed Certificates ................................................. B-42
Annual Key Rotation: Certificate Authority-Signed Certificates ....................B-43
For Xstore Point of Service and Xstore Office Application Server ............... B-43
For Xservices ........................................................................................................ B-45
For Apache............................................................................................................ B-48
Annual Key Rotation: Self-Signed Certificates ...................................................B-49
For Xstore Point of Service and Xstore Office Application Server ............... B-49
For Xservices ........................................................................................................ B-51
For Apache............................................................................................................ B-52
Why Certificates Are Used.......................................................................................B-53
Types of Certificate Management ..........................................................................B-53
Certificate Authority ........................................................................................... B-53
Self-Signed Certificates ....................................................................................... B-54
Where Certificates Are Used ...................................................................................B-55
Xstore Point of Service to Xstore Office Application Server ......................... B-55
Xstore Point of Service to Xenvironment ......................................................... B-55
JMX console .......................................................................................................... B-55
Xenvironment and Xstore Office to Web Server............................................. B-55
Annual Requirements...............................................................................................B-55
Choosing a Certificate Management Strategy......................................................B-56
Certificates signed by a CA ................................................................................ B-56
Self-signed Certificates ....................................................................................... B-56
Certificates suspected to be compromised ...................................................... B-56
Terms used in this section........................................................................................B-56
D PCI Best Practices: Implementation & Configuration ................. D-1
PCI Implementation Best Practices ......................................................................... D-1
About CISP Compliance...................................................................................... D-1
About the PCI Data Security Standard.............................................................. D-2
Audience......................................................................................................... D-2
What the reader should already know....................................................... D-2
How this appendix is organized ................................................................. D-2
PCI Best Practices Revision History................................................................... D-2
Overview of the Cardholder Data Environment ............................................. D-3
Cardholder Data Flow Diagram......................................................................... D-4
PCI Data Security Standard ...................................................................................... D-5
Build and Maintain a Secure Network .............................................................. D-5
Protect Cardholder Data...................................................................................... D-5
Maintain a Vulnerability Management Program............................................. D-5
Implement Strong Access Control Measures ................................................... D-5
Regularly Monitor and Test Networks ............................................................. D-5
Maintain an Information Security Policy .......................................................... D-5
Achieving PCI Compliance....................................................................................... D-6
Build and Maintain a Secure Network .............................................................. D-6
Requirement 1: Install and maintain a firewall configuration to protect
cardholder data.............................................................................................. D-6
Requirement 2: Do not use vendor-supplied defaults for system passwords
and other security parameters..................................................................... D-7
Protect Cardholder Data.................................................................................... D-10
Requirement 3: Protect stored cardholder data ...................................... D-10
Requirement 4: Encrypt transmission of cardholder data across open, public
networks ....................................................................................................... D-13
Maintain a Vulnerability Management Program........................................... D-14
Requirement 5: Use and regularly update anti-virus software or programs ...... D-14
Requirement 6: Develop and maintain secure systems and applications ...... D-14
Implement Strong Access Control Measures ................................................. D-15
Requirement 7: Restrict access to cardholder data by business need to know ...... D-15
Requirement 8: Assign a unique ID to each person with computer access ...... D-15
Requirement 9: Restrict physical access to cardholder data ................. D-17
Regularly Monitor and Test Networks ........................................................... D-18
Requirement 10: Track and monitor all access to network resources and
cardholder data............................................................................................ D-18
Requirement 11: Regularly test security systems and processes........ D-18
Maintain an Information Security Policy ........................................................ D-19
Requirement 12: Maintain a policy that addresses information security for all
personnel ...................................................................................................... D-19
Credit Card Security Installation Checklist ........................................................ D-20
Password Management............................................................................................ D-21
Remote Access..................................................................................................... D-21
Windows .............................................................................................................. D-21
Employees with Access to Xstore Point of Service Applications ................ D-21
Database Users.................................................................................................... D-22
Xstore Point of Service Versioning Methodology.............................................. D-22
PCI Configuration Best Practices........................................................................... D-22
Clear virtual memory on shutdown ................................................................ D-23
Removal Historical Sensitive Authentication Data ....................................... D-23
Ensure the register has a firewall in place ...................................................... D-23
Windows 7, Windows 8, Windows 10, Windows Vista, Server 2008, Server
2008 R2, PosReady 7, and So On ............................................................... D-24
Change Operating System Shell ....................................................................... D-24
Disable Task Manager........................................................................................ D-25
Disable Sensitive Buttons on Windows Security Screen............................... D-26
Disable Fast User Switching.............................................................................. D-26
Disable UAC (User Account Control) on Windows Vista, 7, 8, 2k8, & 2k8R2 ...... D-26
Disable Command Prompt Support in Safe Mode ........................................ D-27
Configure Automatic OS Login........................................................................ D-27
Disable System Restore...................................................................................... D-28
Install Encryption Cipher File........................................................................... D-28
Review and Confirm Receipt Masking............................................................ D-28
PCI Compliant Delivery of Updates................................................................ D-29
PCI Compliant Remote Access ......................................................................... D-29
Verify User Logins Are Complex and Changed on a Regular Basis........... D-30
Operating System ........................................................................................ D-30
Encrypt the pagefile.sys file .............................................................................. D-30
Disable Complete Memory Dump................................................................... D-31
Enable Database & Operating System Audit Logging.................................. D-31
Delete expired certificates and keys................................................................. D-32
To delete an old certificate ......................................................................... D-32
To delete an old key .................................................................................... D-33
Database Communication Encryption.................................................................. D-34
Oracle ................................................................................................................... D-34
SQL Server ........................................................................................................... D-35
Turning off Database Communication Encryption ....................................... D-35
Oracle ............................................................................................................ D-35
SQL Server.................................................................................................... D-36
Data Privacy ............................................................................................................... D-36
Data Privacy Application Programming Interface Tool ............................... D-36
End User Access and Other Requests (Data Access) ............................. D-36
Data Removal............................................................................................... D-37
Anonymization ............................................................................................ D-39
Customer Consent....................................................................................... D-40
Enabling Data Privacy ....................................................................................... D-40
E Base OS and DB Configuration..................................................... E-1
Base Operating System Configurations .................................................................. E-1
Base Software Installation Configurations............................................................. E-2
Prerequisites ........................................................................................................... E-2
G Replication
Overview
Replication System Objectives:
Replication Design Overview
Re-sequencing Publisher
How data is re-sequenced
Saving data to the Xstore Office database
Sending data to the Broadcaster
Soft ordering - what can be expected?
Soft ordering - why is it important?
Running Multiple Xstore Office Instances in a Cluster
xcenter.properties Settings
cluster.processes.enabled
replication.publisher.resequencing_delay.seconds
replication.publisher.polling_interval.milliseconds
replication.publisher.threads_per_orgid
dtv.xcrepl.db.driver
dtv.xcrepl.db.url
dtv.xcrepl.db.user
dtv.xcrepl.db.password
Xstore Office Replication Database
rpl_replication_data Table
Periodic Maintenance of the rpl_replication_data Table
Monitoring the Replication Processes
Replication GUI - Oracle Retail Xstore Office
I Uninstall Procedures
Uninstalling Jetty
Uninstalling Apache Tomcat
Item Disposition
Error Handling
Logging
Revision History 16.0
Revision History 15.0.2, Revision 04
Revision History 15.0.1, Revision 15
Revision History 15.0, Revision 19
Revision History 15.0, Revision 08
Revision History 15.0, Revision 07
Revision History 15.0, Revision 06
Revision History 15.0, Revision 05
Revision History 15.0, Revision 04
Revision History 15.0, Revision 03
Revision History 15.0, Revision 02
Revision History 15.0
Revision History 7.1, Doc Version 02
Revision History 7.1
Revision History 7.0, Doc Version 02
Revision History 7.0
Revision History 6.5, Doc Version 05
Revision History 6.5, Doc Version 04
Revision History 6.5, Doc Version 03
Revision History 6.5, Doc Version 02
Revision History 6.5, Doc Version 01
Revision History 6.0, Doc Version 03
Revision History 6.0, Doc Version 02
Revision History 6.0, Doc Version 01
Revision History 5.5, Doc Version 06
Revision History 5.5, Doc Version 05
Revision History 5.5, Doc Version 04
Revision History 5.5, Doc Version 03
Revision History 5.5, Doc Version 02
Revision History 5.5, Doc Version 01
Revision History 5.0, Doc Version 02
Revision History 5.0
Oracle Retail Xstore Suite Implementation and Security Guide, release 17.0.2.
Oracle welcomes customers' comments and suggestions on the quality and usefulness of
this document.
Your feedback is important, and helps us to best meet your needs as a user of our
products. For example:
• Are the implementation steps correct and complete?
• Did you understand the context of the procedures?
• Did you find any errors in the information?
• Does the structure of the information help you with your tasks?
• Do you need different information or graphics? If so, where, and in what format?
• Are the examples correct? Do you need more examples?
If you find any errors or have any other suggestions for improvement, then please tell us
your name, the name of the company that has licensed our products, the title and part
number of the documentation, and the chapter, section, and page number (if available).
Note: Before sending us your comments, you might like to check that
you have the latest version of the document and if any concerns are
already addressed. To do this, access the Online Documentation
available on the Oracle Technology Network Web site. It contains the
most current Documentation Library plus all documents revised or
released recently.
Preface
The Implementation and Security Guide describes the requirements and procedures to
install and configure this Oracle Retail Xstore Suite release.
Audience
This Implementation and Security Guide is for the following audiences:
• System administrators and operations personnel
• Database administrators
• System analysts and programmers
• Integrators and implementation staff personnel
Documentation Accessibility
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility
Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Related Documents
For more information, see the following documents in the Xstore Suite 17.0.2
documentation set:
• Xstore Suite Release Notes
Customer Support
To contact Oracle Customer Support, access My Oracle Support at the following URL:
https://support.oracle.com
When contacting Customer Support, please provide the following:
• Product version and program/module name
• Functional and technical description of the problem (include business impact)
• Detailed step-by-step instructions to re-create
• Exact error message received
• Screen shots of each step you take
Review Patch Documentation
Conventions
The following text conventions are used in this document:
| Convention | Meaning |
|---|---|
| boldface | Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary. |
| italic | Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values. |
| monospace | Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter. |
1
Getting Started
The Xstore Point of Service Implementation and Security Guide provides general
information about Xstore Point of Service product architecture, the technical landscape,
the enterprise flow for your store systems, and the procedures and instructions
necessary to install or upgrade Xstore Point of Service and its components using InstallX.
Detailed instructions for creating public key certificates for use within a managed
network, specifically for use with Xstore Point of Service, Oracle Retail, Oracle Retail
Xstore Office, and Oracle Retail Xenvironment are also included in this guide.
Required Components
• Xenvironment: “Xenvironment”
• DataLoader: “DataLoader”
• Xcenter (Oracle Retail Xstore Office): “Xcenter”
• GenKeys: “GenKeys”
• Application Server: “WebLogic”, “Jetty”, “Apache Tomcat”
• JRE: “JRE”
• Database: Oracle, SQL Server
Optional Components
• Xadmin (Oracle Retail Xstore Office): “Xadmin”
• EFTLink: “EFTLink”
PA-DSS Validation
Xstore Point of Service 17.0.2 is not eligible for PA-DSS validation because it relies on
a third-party PA-DSS application that resides on the Pinpad terminal for storing,
processing, or transmitting cardholder data. This is done through EFTLink (for more
information, see EFTLink). Additionally, Xstore Point of Service 17.0.2 does not permit
manual input of card data.
Xenvironment
The Xenvironment application manages register-to-register direct communication and
nightly processing. Xenvironment also prevents user access to the standard PC desktop
by replacing the operating system's default shell interface.
The Xenvironment application is installed on a POS register and provides a
communication link between the lead and non-lead registers. An internal messaging
framework enables Xenvironment to send messages between the Xenvironment engine
and the Xenvironment GUI, and between a lead register and non-lead registers. The
messaging framework also allows messages to be sent back and forth between
Xenvironment and the Xstore Point of Service application. Thus, Xstore Point of Service
can notify Xenvironment when a specific task must be completed. For example, store
closing processes handled by Xenvironment are started automatically when Xstore Point
of Service sends a message through this communication link. See the Oracle Retail
Xenvironment User Manual for detailed information about the Xenvironment application.
DataLoader
The DataLoader application is responsible for translating flat data files into database
data that can be used by the Xstore Suite. For example, many host systems can be
configured to export data to a delimited flat file. Then, that flat file is delivered to the
stores throughout the chain. Finally, the flat file is read in by the DataLoader and loaded
into the store databases for use. This is used for propagating data changes (such as
prices, employees, etc.) to Xstore Point of Service or Xstore Office databases throughout
the enterprise. See the Xstore Point of Service Host Interface Guide for detailed information
about the DataLoader application.
DataLoader is also responsible for loading data files from Oracle Retail Merchandising
Operations Management (MOM) into the Xstore Suite databases.
GenKeys
GenKeys is a utility that creates the Xstore Point of Service cipher files (.cip) used for
encryption, and that encrypts data using those .cip files. This utility combines the
Encrypter utility and the GenKeys utility.
Xcenter
The Xcenter application (a part of Oracle Retail Xstore Office) is a Java messaging
framework that runs on an application server. Xstore Point of Service uses Xcenter for
reading and writing data. Xcenter provides data access through WebLogic, Tomcat, or
Jetty.
The Xcenter Database is a central data repository containing consolidated data from
specified database tables in every store. These POS transaction records from all stores
can be made available to host systems, analytics tools, and other transaction processing
engines. Xcenter is also an on-line data source for messaging-based inquiries originating
from Xstore Point of Service/Xenvironment. Data is made available to Xcenter by direct
persistence, replication, data loading, Xadmin, and deployment services, depending on
your deployment model.
Xadmin
Xadmin (a part of Oracle Retail Xstore Office) is an application used to administer Xstore
Point of Service’s corporate-based functions over the customer’s intranet, providing the
corporate office access to store-level data in the Xcenter database and the ability to
remotely manage many local Xstore Point of Service data and configuration options. See
the Oracle Retail Xstore Office User Guide for detailed information about the Xstore Office
application.
EFTLink
EFTLink is an efficient, platform-independent way of connecting Point of Sale (POS)
systems with multiple card readers and PIN Entry Devices (PEDs), as well as with a
wide range of Electronic Payment Systems (EPS). This allows EFTLink to serve as a
router and protocol converter that presents Xstore Point of Service with a standard
interface to card readers, PEDs, and the authorization systems used by a retailer. See the
Oracle Retail EFTLink Core Configuration Guide, the Oracle Retail EFTLink Framework
Installation Guide, and the Oracle Retail EFTLink Security Guide for detailed information
about the EFTLink application.
InstallX
InstallX is used to build the Xstore Point of Service installations, and to install Xstore
Point of Service and the associated components.
WebLogic
Oracle WebLogic is the preferred Java Application Server.
Jetty
Jetty is a Java Application Server.
Apache Tomcat
Tomcat is a Java Application Server.
JRE
Java runtime components are not included in the Xstore Point of Service distribution. An
InstallX component, jrepackager, is available in the tools folder of the InstallX distro and
can be used to create a platform-appropriate JRE that is suitable for use with Xstore Point
of Service components.
through a wireless connection, and offers Xstore Point of Service functions through a
mobile-friendly GUI presentation on a handheld device.
Web Server
A web server (for example, Apache or Internet Information Services) is used by Oracle
Retail Xstore Office for uploads, and by Xenvironment for uploads and downloads.
Before installing any components of the Xstore Office, it is necessary to prepare the
system on which the software will be installed.
System Requirements
Xstore Office is supported on the following software:
Type Software
Tomcat 9.0.11
Jetty 9.4.11
- .mnt
- .cip
<root_directory>
The extracted .zip file will create a set of directories and files, which will contain the
Xstore Office installation files.
artifacts
Build artifacts.
RTLog-Generator
Installation files for the RTLog Generator.
jetty-X.X.X-OS-installer-YY.jar
The installer for Jetty, where:
• X.X.X is the version number.
• OS is the operating system.
• YY is the build number.
tomcat-X.X.X-OS-installer-YY.jar
The installer for Tomcat, where:
• X.X.X is the version number.
• OS is the operating system.
• YY is the build number.
oraclepdb_install,upgrade
Installation and upgrade files for an Xstore Office system that connects to an Oracle
database that uses pluggable databases. Contains Office Installation .zip Files.
oracle_install,upgrade
Installation files for an Xstore Office system that connects to an Oracle database.
Contains Office Installation .zip Files.
mssql_install,upgrade
Installation and upgrade files for an Xstore Office system that connects to a Microsoft
SQL Server database that does not use Unicode characters. Contains Office Installation
.zip Files.
mssql-unicode_install, upgrade
Installation and upgrade files for an Xstore Office system that connects to a Microsoft
SQL Server database that uses Unicode characters. Contains Office Installation .zip Files.
OracleRetailXstoreOffice_X_X_X_X_CCC_V_V_V.zip
Extract this .zip file to create a directory that contains installation files for Xstore Office
and related software. This directory will have the format:
X.X.X.X.XXX_V.V.V
where:
• X.X.X.X.XXX is the version and build number.
• V.V.V is a customer release version.
This extracted directory will contain the following directories:
tools
Various tools used by the installation procedure and the Xstore Office. This includes the
following subdirectories:
- dataloader - Installation files for DataLoader.
- poslog - Installation files for the Xstore Office POS Log Generator.
xcenter
Installation files for Xstore Office.
OracleRetailXstoreCommon_X_X_X_X_X_CCC_V_V_V.zip
Extract this .zip file to create a directory X_X_X_X_X_CCC_V_V_V, where:
• X_X_X_X_X is the version and build number.
• CCC is the customer ID (XST for base Xstore Office).
• V_V_V is the customer release version.
This extracted directory will contain the following directory:
tools
Various tools used by the installation procedure and the Xstore Office. This includes the
following subdirectories:
- genkeys - Installation files for the GenKeys utility. This includes the string
encryption utility (see Appendix A: “String Encrypter Utility”) used to encrypt
information in the installation procedure, and generates security keys for use by
Xstore Office.
- jrepackager - Creates a JRE .zip file used by the installation procedure.
Java
Several Java components must be installed as part of the Xstore Office installation
procedure.
Perform the following procedures:
• “Java Runtime Environment (JRE)”
• “Java Development Kit (JDK)”
• “Create JRE Package”
a. Change the jre.package property to the correct location and name of the Java
Runtime Environment (JRE) package.
For example:
* In Windows:
jre.package=C\:\\temp\\jre-8u141-windows-i586.tar.gz
* In Linux:
jre.package=/tmp/jre-8u141-windows-i586.tar.gz
b. Change the platform.os property to the correct platform operating system:
* Linux 32-bit: linux
* Linux 64-bit: linux_64
* Windows 32-bit: windows
* Windows 64-bit: windows_64
10. Save and close the ant.install.properties file.
11. Open a command prompt.
12. Navigate to the jrepackager directory extracted from the
OracleRetailXstoreCommon_X_X_X_X_X_CCC_V_V_V.zip file. See “Xstore Office
Installation .zip File” for more information.
13. In the command prompt, create the JRE package with the command:
- In Windows:
java -jar xstore-17.0.2.XXX-V.V.V-CCC-jrepackager-windows.jar
- In Linux:
java -jar xstore-X.X.X.X.XXX-V.V.V-CCC-jrepackager-linux.jar
where:
- X.X.X.X.XXX is the version and build number.
- XXX is a build number
- V.V.V is a customer release version
- CCC is the three-letter customer ID
14. Open the .zip file created by the JRE packager process.
15. Extract the jre directory to the root directory in Windows, or the /opt directory in
Linux. For example, in Windows, you would have the directory:
C:\jre
In Linux you would have the directory:
/opt/jre
Java setup for Xstore Office is complete.
Database
You will need a database either installed on the local system, or network access to a
database server. The database must be one of the following:
Oracle
In order for Xstore Office installs to proceed without errors, a number of objects need to
be created within the Oracle database instance before running the Xstore Office schema
script.
Installation Directory
Xstore Office assumes that the Oracle database has been installed in the oradata folder
for the Oracle instance.
• On Linux, this would be similar to /u01/app/oradata/xstore
• On Windows, this would be similar to c:\app\oracle\oradata\xstore.
MS SQL Server
If you are using an MS SQL Server database, it must have the following properties:
• The instance name must be MSSQLSERVER.
• The Authentication Mode must be Mixed Mode (SQL Server authentication and
Windows authentication).
Creating Databases
The Xstore Office installation process does not automatically create databases. You must
create your own databases on your local system.
Xstore Office requires three databases to be created:
• An Xcenter database.
• An Xadmin database.
• An Xcenter replication database.
TLS Certificates
Several Xstore Office components require TLS certificates to encrypt inter-process
communication. You must either create your own, or receive these certificates from a
certificate authority.
If you will be creating your own certificates, you will need the OpenSSL and Keytool utilities.
See Appendix B: “Public Key Certificates” for more information.
• If you are installing Xstore Office components for the first time, you will likely not
know all the security certificates you will require. The installation procedures will
inform you of the certificates you will require as you need them.
• If you have installed Xstore Office before, it is recommended that you either reuse
existing security certificates, or create new certificates prior to installing Xstore
Office components.
WebLogic
If you are installing WebLogic as your application server, see the Installation Guide for
Oracle WebLogic Server for installation prerequisites.
Tomcat or Jetty
If you are installing Tomcat or Jetty as your application server, you must download and
install a Java 8 SE Development Kit (JDK 8) from Oracle, and your JAVA_HOME variable
must point to that JDK for either Jetty or Tomcat to be installed. Additionally, you must
have Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8
applied to the JRE within the JDK.
Overview
InstallX is used to assemble the Xstore Office application. This installation application is
used to package the Xstore Office application and to install and configure its associated
utilities. It is customer, operating system, and database platform independent.
Note: You must always use the same salt value when creating cipher
files.
Important: If you are using a salt value other than the default, you
must create and apply a customer overlay to your project. See the
Oracle Retail Xstore POS and Xstore Office Development Environment
Setup (MOS ID 2158739.1) and Oracle Retail Xstore POS and Xstore Office
Build Server Setup White Paper (MOS ID 2055918.1) on My Oracle
Support (http://support.oracle.com/) for procedures on creating and
applying customer overlays.
For example:
wrapper.java.additional.4=-Ddtv.CustomerId=XST
14. Save the file.
wrapper.app.parameter.2=-all
wrapper.app.parameter.3=2007-01-01
wrapper.app.parameter.4=2007-12-31
17. Change the wrapper.app.parameter.3 property to the date on which the
certificate will be first valid.
For example:
wrapper.app.parameter.3=2017-01-01
18. Change the wrapper.app.parameter.4 property to the last date on which the
certificate will be valid.
For example:
wrapper.app.parameter.4=2017-12-31
19. Save the file.
20. In a command prompt, navigate to the GenKeys directory configured in step 3.
21. Run the command:
Windows:
gen-keys.bat
Linux:
./gen-keys.sh
22. The rotating cipher key files are generated.
SCHEMA scripts have been provided, and a PROD data and a TEST
data script are provided for each Organization ID.
Important: For the Xcenter schema, the values entered for the
$(DbTblspace), $(DbSchema), and $(DbUser) values must match the
values set at build time. See the Xstore Point of Service and Xstore Office
Development Environment Setup document for more information.
- On many databases:
* $(DbName) - Desired name of the database.
* $(DbDataFilePath) - Location of data files in the file system.
- On all Oracle databases:
* $(DbIndexFilePath) - Location of index files in the file system.
* $(DbTblspace) - The desired database tablespace name.
Note: For the Xcenter schema, this must be consistent with the value
used at build time (default value: xstore).
Note: For the Xcenter schema, this must be consistent with the value
used at build time (default value: dtv).
Note: For the Xcenter schema, this must be consistent with the value
used at build time (default value: pos).
• Keystore Password (The password chosen when the Xstore Office TLS certificates
were created).
• Security Key Alias (The alias chosen when the Xstore Office TLS certificates were
created).
• Password that Xstore Point of Service will use to access Xstore Office.
• Tomcat only - Username and password that will be used to access the
Administration consoles.
• Jetty and Tomcat only - Jetty/Tomcat memory values (See “Jetty & Tomcat Memory
Values” of Chapter 2, “Prerequisites for Installing Xstore Office”).
• Jetty and Tomcat only - Copy the following files into the same directory as the
installer:
- Any cipher files you created by GenKeys (the .cip files created by GenKeys in
“Create Cipher Key Files”).
Pre-Installation Configuration
38. Create the following directories for each organization hosted by the Xstore Office
server, where <ORGID> is the organization ID. The locations of these directories are
configurable; the locations below are default locations:
- Windows:
* c:\filetransfer\auto\org<ORGID>
* c:\fileuploads\org<ORGID>
* c:\poslog\org<ORGID>
- Linux:
* /filetransfer/auto/org<ORGID>
* /fileuploads/org<ORGID>
* /poslog/org<ORGID>
39. Open the file xcenter-config.zip in an archive browser (for example, 7-Zip).
This file is found in the xcenter directory extracted from the
OracleRetailXstoreOffice_X_X_X_X_CCC_V_V_V.zip file. See “Xstore Office
Installation .zip File” for more information.
40. Navigate into the directory xcenter-config.
41. Open the file xcenter.properties in a text editor (for example, Notepad or
emacs).
42. Enter the correct information for the following properties:
a. xcenter.org.id - Organization ID.
b. dtv.CustomerId - Three-letter customer code.
c. dtv.CustomerId.salt - Salt value.
d. dtv.config.path - Configuration path for queries:
* If you are using SQL Server, edit this property as follows to run SQL Server
customer-related queries (each property is all on one line):
dtv.config.path=:db/sql/mssql:cust:cust/loyalty:cust/loyalty/award:order:locate:relate:version1:MASTER/DEFAULT:dataloader:xcenter:xcenter/mssql:xcenter/event_log:xcenter/xbr
e. *.connectionfactory - Verify the .connectionfactory line is appropriate for
the database platform:
* For Oracle (the property is all on one line):
dtv.datasource.connectionfactory=oracle.jdbc.pool.OracleDataSource
* For Oracle PDB (the property is all on one line):
dtv.datasource.connectionfactory=oracle.jdbc.pool.OracleDataSource
* For SQL Server (the property is all on one line):
dtv.datasource.connectionfactory=com.microsoft.sqlserver.jdbc.SQLServerDataSource
f. Database URLs are configured for each Xstore Office database.
Also, ensure that all user names and passwords are encrypted.
* If you are using WebLogic as your app server, use the following settings:
dtv.local.db.url=jndi:jdbc/Local
dtv.xadmin.db.url=jndi:jdbc/XcenterAdmin
dtv.xcrepl.db.url=jndi:jdbc/XcenterReplication
* If you are using Jetty or Tomcat as your app server, the URL configuration
depends upon the type of database on which you are running:
Oracle (each property is all on one line)
dtv.local.db.url=jdbc:oracle:thin:@localhost:1521:<Xcenter_Database_SID>
dtv.xadmin.db.url=jdbc:oracle:thin:@localhost:1521:<Xadmin_Database_SID>
dtv.xcrepl.db.url=jdbc:oracle:thin:@localhost:1521:<Xcenter_Replication_Database_SID>
Oracle PDB (each property is all on one line)
dtv.local.db.url=jdbc:oracle:thin:@localhost:1521/<Xcenter_Database_PDB>
dtv.xadmin.db.url=jdbc:oracle:thin:@localhost:1521/<Xadmin_Database_PDB>
dtv.xcrepl.db.url=jdbc:oracle:thin:@localhost:1521/<Xcenter_Replication_Database_PDB>
SQL Server (each property is all on one line)
dtv.local.db.url=jdbc:sqlserver://localhost;databaseName=<Xcenter_Database_Name>;sendStringParametersAsUnicode=true
dtv.xadmin.db.url=jdbc:sqlserver://localhost;databaseName=<Xadmin_Database_Name>;sendStringParametersAsUnicode=true
dtv.xcrepl.db.url=jdbc:sqlserver://localhost;databaseName=<Xcenter_Replication_Database_Name>;sendStringParametersAsUnicode=true
If you are using a non-default SQL Server instance, the URL will need to be
updated to include the ";instancename=<instance_name>" details. For
example (each property is all on one line):
dtv.local.db.url=jdbc:sqlserver://localhost;instancename\=<SQLServerInstance>;databaseName=<Xcenter_Database_Name>;sendStringParametersAsUnicode=true
dtv.xadmin.db.url=jdbc:sqlserver://localhost;instancename\=<SQLServerInstance>;databaseName=<Xadmin_Database_Name>;sendStringParametersAsUnicode=true
dtv.xcrepl.db.url=jdbc:sqlserver://localhost;instancename\=<SQLServerInstance>;databaseName=<Xcenter_Replication_Database_Name>;sendStringParametersAsUnicode=true
g. Database user names and passwords:
Tip: Use the String Encrypter Utility to encrypt the strings for this
section. (See Appendix A: “String Encrypter Utility”).
dtv.xadmin.baseURL=https://localhost:8443/xadmin/
j. Email Configuration - Configure the following properties for email alerts:
dtv.xadmin.smtp.host=localhost
dtv.xadmin.smtp.port=25
dtv.xadmin.smtp.auth=false
dtv.xadmin.smtp.user=
dtv.xadmin.smtp.password=
dtv.xadmin.smtp.sender=noreply@xadmin.com
k. For the web server, configure the URL, username, and password:
dtv.deployment.StagingHostBaseURL=https://staginghost/
dtv.deployment.StagingHostUsername=Pj4+MAAAAADvHIxh8KlKpMb58080fuVH
dtv.deployment.StagingHostPassword=Pj4+MAAAAACxzvu3yc0wTglnR9h+w5f6
l. Configure the replication properties. (Refer to Appendix G: “Replication” for
more information).
* Replication publishing to Xcenter - The re-sequencing publisher process
(including all related threads) can be individually enabled/disabled on each
instance of Xcenter.
cluster.processes.enabled=true
replication.publisher.resequencing_delay.seconds=10
replication.publisher.polling_interval.milliseconds=3000
replication.publisher.threads_per_orgid=3
cluster.processes.enabled determines whether or not the server will
have replication publisher functionality enabled and whether clustering
processes will be enabled.
replication.publisher.resequencing_delay.seconds
determines the amount of time records remain at rest in the replication
queue before they are eligible for processing (to provide time for the records
arriving out-of-order to regain their initial ordering).
replication.publisher.polling_interval.milliseconds
determines how frequently the replication publisher threads will check for
new data in the queue when no data was encountered on the previous
check. When data was present during the prior check, this delay is not taken
into account.
replication.publisher.threads_per_orgid determines how many
replication publisher threads will be hosted, per organization ID, on this
server. This should generally be set to a value equal to the number of CPU
cores in the system hosting the instance.
m. Configure the file upload types. (Separate the valid values with commas).
deployment.FileType.JRE=zip
Note: JRE file extension, defaults to zip. Valid Values: zip, exe, etc.
deployment.FileType.DATA=mnt,rep,reo,dat
Note: Data update (for DataLoader), defaults to mnt, rep, reo, dat.
Valid Values: mnt, rep, reo, dat, etc.
deployment.FileType.CONFIG=
deployment.FileType.APPUPD=jar
deployment.FileType.COMPRESSED_DATA=
deployment.FileType.CIP=cip
deployment.FileType.DEBITBIN=debit.txt
deployment.FileType.NEW=newExt
deployment.FileType.ENVUPD=tar.gz
Note: This file upload type provides the ability to upload tarball files
(.tar.gz) as application updates to Xenvironment.
deployment.FileType.TRANSARMOR_BIN=tgx
This config
(deployment.dataloader_file.character_encoding in
Xadmin) controls how DataLoader files are generated by Xadmin.
Xstore Point of Service must be configured the same so that it can
digest those DataLoader files properly.
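The checks that step 42 asks for (user names and passwords encrypted, each property all on one line, replication threads matched to the CPU core count) can be run against xcenter.properties before it is packaged. The following is an added example, not part of Oracle's guide or tooling; the function names and the sample file are constructed, and it assumes an encrypted value can be recognised by the Pj4+ prefix shared by the sample values in this guide.

```python
import re

# Keys the guide says must hold encrypted values (user names and passwords),
# e.g. dtv.local.db.user, cloud.sftp.password, ...StagingHostUsername.
CREDENTIAL_KEY = re.compile(r"(user|username|password)$", re.IGNORECASE)

# Assumption: every encrypted sample value in the guide starts with "Pj4+",
# so a non-empty credential without that prefix is treated as plaintext.
ENCRYPTED_PREFIX = "Pj4+"

THREADS_KEY = "replication.publisher.threads_per_orgid"


def logical_lines(text):
    """Yield (first_line_number, content), joining backslash continuations."""
    pending, start = "", None
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if start is None:
            start = number
        if line.endswith("\\"):
            # Valid .properties continuation: keep collecting.
            pending += line[:-1]
            continue
        yield start, pending + line
        pending, start = "", None
    if pending:
        yield start, pending


def lint_xcenter_properties(text, cpu_cores):
    """Return a list of (line_number, key_or_text, problem) findings."""
    findings = []
    for number, line in logical_lines(text):
        if not line or line[0] in "#!":
            continue  # blank line or comment
        if "=" not in line:
            # Tail of a property that was wrapped without a continuation
            # backslash; the loader would not attach it to the previous key.
            findings.append((number, line, "orphan fragment: property wrapped across lines?"))
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        # Empty credentials are allowed (e.g. SMTP with auth=false).
        if CREDENTIAL_KEY.search(key) and value and not value.startswith(ENCRYPTED_PREFIX):
            findings.append((number, key, "credential is not encrypted"))
        if key == THREADS_KEY and (not value.isdigit() or int(value) != cpu_cores):
            findings.append((number, key, f"guide suggests {cpu_cores} (CPU cores on this host)"))
    return findings


# Constructed sample, not a real deployment. Line 3 is a wrapped URL tail,
# line 5 is a plaintext password, lines 9-10 use a valid continuation.
SAMPLE = """\
# constructed sample
dtv.local.db.url=jdbc:oracle:thin:@localhost:1521:
<Xcenter_Database_SID>
dtv.local.db.user=Pj4+MAAAAABEJKQVOAJI+5sGlAQ30XIQ
dtv.local.db.password=changeme
dtv.xadmin.smtp.auth=false
dtv.xadmin.smtp.user=
dtv.xadmin.smtp.password=
dtv.deployment.StagingHostUsername=\\
Pj4+MAAAAADvHIxh8KlKpMb58080fuVH
replication.publisher.threads_per_orgid=3
"""

if __name__ == "__main__":
    for number, item, problem in lint_xcenter_properties(SAMPLE, cpu_cores=4):
        print(f"line {number}: {item}: {problem}")
```
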
xcenter.properties Sample
xcenter.org.id=1
xcenter.rtl_location.id=0
xcenter.wkstn.id=0
dtv.CustomerId=XST
dtv.CustomerId.salt=DTV
dtv.config.path=:cust:cust/loyalty:cust/loyalty/award:purge:purge/oracle:order:locate:relate:24x7:version1:MASTER/DEFAULT:dataloader:xcenter:xcenter/event_log:xcenter/xbr
dtv.local.db.url=jdbc:oracle:thin:@localhost:1521:xcenter
# PDB dtv.local.db.url=jdbc:oracle:thin:@localhost:1521/xcenter
dtv.local.db.user=Pj4+MAAAAABEJKQVOAJI+5sGlAQ30XIQ
dtv.local.db.password=Pj4+MAAAAABEJKQVOAJI+5sGlAQ30XIQ
dtv.xadmin.db.url=jdbc:oracle:thin:@localhost:1521:xcenter
# PDB dtv.xadmin.db.url=jdbc:oracle:thin:@localhost:1521/xcenter
dtv.xadmin.db.user=Pj4+MAAAAABEJKQVOAJI+5sGlAQ30XIQ
dtv.xadmin.db.password=Pj4+MAAAAABEJKQVOAJI+5sGlAQ30XIQ
dtv.xcrepl.db.url=jdbc:oracle:thin:@localhost:1521:xcenter
# PDB dtv.xcrepl.db.url=jdbc:oracle:thin:@localhost:1521/xcenter
dtv.xcrepl.db.user=Pj4+MAAAAABEJKQVOAJI+5sGlAQ30XIQ
dtv.xcrepl.db.password=Pj4+MAAAAABEJKQVOAJI+5sGlAQ30XIQ
dtv.xadmin.baseURL=https://localhost:8443/xadmin/
dtv.xadmin.smtp.host=localhost
dtv.xadmin.smtp.port=25
dtv.xadmin.smtp.auth=false
dtv.xadmin.smtp.user=
dtv.xadmin.smtp.password=
dtv.xadmin.smtp.sender=noreply@xadmin.com
dtv.xadmin.smtp.starttls=true
dtv.deployment.StagingHostBaseURL=https://staginghost/
dtv.deployment.StagingHostUsername=Pj4+MAAAAADvHIxh8KlKpMb58080fuVH
dtv.deployment.StagingHostPassword=Pj4+MAAAAACxzvu3yc0wTglnR9h+w5f6
dtv.pospoll.workingDir=file:/pospoll
cloud.sftp.host=localhost
cloud.sftp.username=Pj4+MP3///9WvtrRwjWZCQRQ+NUzDeqj
cloud.sftp.password=Pj4+MP3///9WvtrRwjWZCQRQ+NUzDeqj
cloud.sftp.locate.workingDir=locate
cloud.sftp.relate.workingDir=relate
cloud.sftp.nfe.workingDir=nfe
cloud.http.locate.endpoint=https://HOST:PORT/Locate/faws/FileService/OROB-IMPORTS
cloud.http.locate.timeout.connect=30
cloud.http.locate.timeout.read=30
cloud.http.locate.compress=true
cloud.http.locate.username=Pj4+MAAAAADvHIxh8KlKpMb58080fuVH
cloud.http.locate.password=Pj4+MAAAAACxzvu3yc0wTglnR9h+w5f6
#####-----------------------------------------------------------------
##### cluster processes enabled
#####
##### This configuration is a "master switch" that can enable/disable
##### ALL clustering-related processes, including replication, broadcasting,
##### and the SFTP file-transfer processes (loading promotions from Customer
##### Engagement, order broker updates, etc). When disabled, this Xcenter
##### node really ends up just running the various DTX query servlets used
##### by Xstore.
cluster.processes.enabled=true
#####-----------------------------------------------------------------
##### cluster server number
#####
#####-----------------------------------------------------------------
##### Replication publishing to Xcenter
#####-----------------------------------------------------------------
replication.publisher.resequencing_delay.seconds=10
replication.publisher.polling_interval.milliseconds=3000
replication.publisher.threads_per_orgid=3
# DB DRIVER
#dtv.datasource.connectionfactory=com.microsoft.sqlserver.jdbc.SQLServerDataSource
# DB URL
#dtv.local.db.url=jdbc:sqlserver://localhost;databaseName=xcenter_test
#dtv.xadmin.db.url=jdbc:sqlserver://localhost;databaseName=xadmin_test
#dtv.xcrepl.db.url=jdbc:sqlserver://localhost;databaseName=xcenter_replication
# DB URL (Unicode)
#dtv.local.db.url=jdbc:sqlserver://localhost;databaseName=xcenter_test;sendStringParametersAsUnicode=true
#dtv.xadmin.db.url=jdbc:sqlserver://localhost;databaseName=xadmin_test;sendStringParametersAsUnicode=true
#dtv.xcrepl.db.url=jdbc:sqlserver://localhost;databaseName=xcenter_replication;sendStringParametersAsUnicode=true
## JNDI EXAMPLES ##
# DB DRIVER
# Required for detection of SQL Dialect. Configured as per prior examples.
# DB URL
deployment.FileType.JRE=zip
deployment.FileType.DATA=mnt,rep,reo,dat
deployment.FileType.CONFIG=
deployment.FileType.APPUPD=jar,sig
deployment.FileType.COMPRESSED_DATA=
deployment.FileType.CIP=cip
deployment.FileType.DEBITBIN=debit.txt
deployment.FileType.NEW=newExt
deployment.FileType.ENVUPD=tar.gz
deployment.FileType.TRANSARMOR_BIN=tgx
deployment.dataloader_file.character_encoding=UTF-8
# IDCS
#### Populated by CHEF ###
idp.connectionURL=https://localhost:443
idcs.tenant=
idcs.hostname=
idcs.xcenter.redirect.uri=
idcs.xcenter.response.type=
idcs.xcenter.authorization.scope=
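A lint pass over xcenter.properties before it is saved back into the archive, written here as an added example (it is not Oracle tooling and not part of the original guide). The key-name patterns, the function names, and the ">>>" prefix heuristic, which is inferred only from the encrypted values shown in the sample above, are assumptions; the input is constructed.

```python
import base64
import re

# Constructed input modelled on the sample above. Some values are deliberately
# wrong so that every check fires once.
SAMPLE = """\
dtv.CustomerId=XST
dtv.CustomerId.salt=DTV
dtv.local.db.url=jdbc:oracle:thin:@localhost:1521:xcenter
dtv.local.db.user=Pj4+MAAAAABEJKQVOAJI+5sGlAQ30XIQ
dtv.local.db.password=Welcome1
dtv.xadmin.baseURL=http://localhost:8080/xadmin/
dtv.xadmin.smtp.auth=false
dtv.xadmin.smtp.user=
dtv.xadmin.smtp.password=
cloud.http.locate.endpoint=https://HOST:PORT/Locate/faws/FileService/
OROB-IMPORTS
# PDB dtv.local.db.url=jdbc:oracle:thin:@localhost:1521/xcenter
"""

# Assumed naming patterns, taken from the keys that appear in the sample.
CREDENTIAL_KEY = re.compile(r"(?i)(user|username|password)$")
URL_KEY = re.compile(r"(?i)(baseurl|endpoint|connectionurl)$")


def parse_properties(text):
    """Simplified key=value parser.

    Returns (props, orphans). An orphan is a non-comment line without '=',
    which is what a value wrapped by copy and paste looks like.
    """
    props, orphans = {}, []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        if "=" not in line:
            orphans.append((number, line))
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props, orphans


def looks_encrypted(value):
    """Heuristic only: base64 whose decoded bytes start with '>>>', the shape
    shared by every encrypted value in the sample (the 'Pj4+' prefix)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return len(raw) > 3 and raw.startswith(b">>>")


def audit(text):
    """Return a list of (kind, location, detail) findings."""
    props, orphans = parse_properties(text)
    findings = [("wrapped-line", f"line {n}", line) for n, line in orphans]

    # The guide recommends a salt of at least 8 characters that is hard to
    # guess; the sample ships with DTV.
    salt = props.get("dtv.CustomerId.salt", "")
    if salt == "DTV" or len(salt) < 8:
        findings.append(("weak-salt", "dtv.CustomerId.salt", salt))

    for key, value in props.items():
        if CREDENTIAL_KEY.search(key) and value and not looks_encrypted(value):
            # Never echo the suspected plaintext secret into a report.
            findings.append(("plaintext-credential", key, "<redacted>"))
        if URL_KEY.search(key) and value and not value.lower().startswith("https://"):
            findings.append(("non-https-url", key, value))
    return findings


if __name__ == "__main__":
    for kind, where, detail in audit(SAMPLE):
        print(f"{kind:22} {where:32} {detail}")
```
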
43. Save the file and then answer Yes when prompted to save your changes in the
archive.
44. Configure the broadcasters in the xcenter-spring-beans.xml file (located
in the same directory as xcenter.properties), then Save the file. See
45. Open the file xadmin-log4j2.xml in the directory xcenter-config in the
xcenter-config.zip file.
This file can be found in the xcenter directory extracted from the
OracleRetailXstoreOffice_X_X_X_X_CCC_V_V_V.zip file. See “Xstore Office
Installation .zip File” for more information.
46. Change the following lines as necessary:
- If using WebLogic:
<Properties>
<Property name="log.dir.name">${sys:user.dir}</Property>
<!--<Property name="log.dir.name">${sys:jetty.logs}</Property> -->
<!--<Property name="log.dir.name">${sys:catalina.home}/logs</Property> -->
</Properties>
- If using Jetty:
<Properties>
<!--<Property name="log.dir.name">${sys:user.dir}</Property>-->
<Property name="log.dir.name">${sys:jetty.logs}</Property>
<!--<Property name="log.dir.name">${sys:catalina.home}/logs</Property> -->
</Properties>
- If using Tomcat:
<Properties>
<!--<Property name="log.dir.name">${sys:user.dir}</Property>-->
<!--<Property name="log.dir.name">${sys:jetty.logs}</Property>-->
<Property name="log.dir.name">${sys:catalina.home}/logs</Property>
</Properties>
47. Save the file and then answer Yes when prompted to save your changes in the
archive.
48. Open the file xcenter-log4j2.xml in the directory xcenter-config in the file
xcenter-config.zip
This file can be found in the xcenter directory extracted from the
OracleRetailXstoreOffice_X_X_X_X_CCC_V_V_V.zip file. See “Xstore Office
Installation .zip File” for more information.
49. Change the following configuration lines as needed:
- If using WebLogic:
<Property name="log.dir.name">${sys:user.dir}</Property>
<!-- <Property name="log.dir.name">${sys:jetty.logs}</Property> -->
<!-- <Property name="log.dir.name">${sys:catalina.home}/logs</Property> -->
- If using Jetty:
<!-- <Property name="log.dir.name">${sys:user.dir}</Property> -->
<Property name="log.dir.name">${sys:jetty.logs}</Property>
<!-- <Property name="log.dir.name">${sys:catalina.home}/logs</Property> -->
- If using Tomcat:
<!-- <Property name="log.dir.name">${sys:user.dir}</Property> -->
<!-- <Property name="log.dir.name">${sys:jetty.logs}</Property> -->
<Property name="log.dir.name">${sys:catalina.home}/logs</Property>
50. Save the file and then answer Yes when prompted to save your changes in the
archive.
51. Perform the appropriate installation procedure:
- If installing WebLogic, continue with “Install WebLogic”.
- If installing Jetty, continue with “Install Jetty”.
- If installing Apache Tomcat, skip to “Install Apache Tomcat”.
Install WebLogic
For information and procedures about installing Oracle WebLogic Server, see the
Installation Guide for Oracle WebLogic Server. This installation must include:
• A domain created using the Basic WebLogic Server Domain Template.
• A user that can be used to connect to the management console and configure the
server.
• The Xcenter, Xadmin, and Xcenter Replication databases have been created on the
database server, and the appropriate scripts have been run against them.
To complete the installation of WebLogic, do the following:
• Enable Only Strong Cipher Suites
• Enable Secure Cookies
<listen-port>7002</listen-port>
...
</ssl>
Note: There are two weblogic.xml files. In the home directory for
WebLogic:
• webapps/xadmin/WEB-INF/weblogic.xml
• webapps/xcenter/WEB-INF/weblogic.xml
<session-descriptor>
<cookie-http-only>true</cookie-http-only>
<cookie-secure>true</cookie-secure>
</session-descriptor>
* Linux:
/usr/local/xcenter-config/res/ssl/.truststore
- Custom Trust Keystore Type - Select JKS.
- Custom Trust Keystore Passphrase - Enter the password for the
WebLogic truststore file.
- Confirm Custom Trust Keystore Passphrase - Re-enter the password for
the WebLogic truststore file.
67. Click Save.
68. Click the SSL tab.
69. Configure the security key settings:
- Identity and Trust Locations - Select Keystores.
- Private Key Location - Select from Custom Identity Keystore.
- Private Key Alias - Enter the Xcenter key alias in the Xcenter keystore file.
- Private Key Passphrase - Enter the password for the Xcenter TLS security key.
- Confirm Private Key Passphrase - Re-enter the password for the Xcenter TLS
security key.
- Certificate Location - Select from Custom Identity Keystore.
- Trusted Certificate Authorities - Select from Custom Trust Keystore.
70. Click Save.
71. Click Activate Changes.
72. Click Data Sources in the Domain Structure screen.
73. Click the Lock & Edit button.
Configure Datasources
109.Click the Connection Pool tab for the xcenter datasource.
110.Click the Advanced link.
111.Configure the Connection Pool settings for the xcenter datasource:
- Maximum Capacity - Enter 75.
- Minimum Capacity - Enter 5.
- Statement Cache Size - Enter 64.
- Wrap Data Types - Unselect this option.
112.Click Save.
113.Click the Connection Pool tab for the xadmin datasource.
114.Configure the Connection Pool settings for the xadmin datasource:
115.Click the Advanced link.
Linux
export JAVA_VENDOR=Oracle
export JAVA_VM=-server
export USER_MEM_ARGS="-Xms4096m -Xmx4096m -XX:MaxMetaspaceSize=256m -XX:+UseG1GC -XX:+ParallelRefProcEnabled"
export JAVA_OPTIONS="-Dweblogic.wsee.StateCleanInterval=6000 -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Djava.awt.headless=true -Dorg.eclipse.persistence.moxy.annotation.xml-value-extension=true"
Windows
SET JAVA_VENDOR=Oracle
SET JAVA_VM=-server
SET USER_MEM_ARGS=-Xms4096m -Xmx4096m -XX:MaxMetaspaceSize=256m -XX:+UseG1GC -XX:+ParallelRefProcEnabled
SET JAVA_OPTIONS=-Dweblogic.wsee.StateCleanInterval=6000 -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Djava.awt.headless=true -Dorg.eclipse.persistence.moxy.annotation.xml-value-extension=true
140.If you are running Xstore Office using WebLogic, and using an Apache web server,
add the following configuration to the JAVA_OPTIONS variable setting:
-Dhttp.keepAliveCache.socketHealthCheckTimeout=1
The setting would be the following:
Linux
export JAVA_OPTIONS="-Dweblogic.wsee.StateCleanInterval=6000 -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Djava.awt.headless=true -Dorg.eclipse.persistence.moxy.annotation.xml-value-extension=true -Dhttp.keepAliveCache.socketHealthCheckTimeout=1"
Windows
SET JAVA_OPTIONS=-Dweblogic.wsee.StateCleanInterval=6000 -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Djava.awt.headless=true -Dorg.eclipse.persistence.moxy.annotation.xml-value-extension=true -Dhttp.keepAliveCache.socketHealthCheckTimeout=1
141.Install the Xcenter and Xadmin .war files in the Domain Structure screen.
142.Confirm that WebLogic is running by logging into it with a web browser. The format
for the URL is:
https://<server_hostname>:<server_port>/xcenter/dtx/GetById?NAME=Party&ID=<organization_id>::0
Install Jetty
...continued from step 51
146.In a file manager, navigate to the <root_directory> extracted from the Xstore
Office Installation .zip File.
147.Copy the Xcenter keystore file to the jetty_installer directory (for example,
server.keystore from “Certificate Authority-Signed Certificates: Oracle Retail
Xstore Office” or “Self-Signed Certificates: Oracle Retail Xstore Office” in
Appendix B: “Public Key Certificates”).
148.Launch the Jetty installer, jetty-x.x.x-installer.jar.
149.Specify the directory where Jetty will be installed.
Tip: Oracle recommends you keep the default value. Using the
default installation directory specified here makes it easier to locate the
directory if troubleshooting is needed.
150.Click Next.
151.Set up the Jetty TLS Configuration:
a. Java Keystore - If the server.keystore file is detected in the installation
folder, this field is completed by default. If you did not place it in the installation
folder as instructed in step 147, use the browse button to locate the
server.keystore file.
b. Keystore Password - Type the password chosen when the TLS certificates were
created, then confirm the password in the field below.
c. SSL Key Alias - Type the alias chosen when the TLS certificates were created.
152.Click Next.
153.Specify the memory values for the Jetty service.
Note: The system checks the maximum heap size (Xmx Value)
specified here.
154.Click Next.
155.Configure the ports and threads:
a. Jetty Server Port Number - TCP/IP port used by the Jetty server.
If, at any point, you must stop the installation, click the “Cancel”
button. You will be prompted to confirm the cancellation. Click the
“Yes” button to cancel the installation and exit the GUI.
Tip: Oracle recommends you keep the default value. Using the
default installation directory specified here makes it easier to locate the
directory if troubleshooting is needed.
176.Click Next.
177.Enter the Tomcat SSL Configuration information:
a. Java Keystore - If the server.keystore file is detected in the installation
folder, this field is completed by default. If you did not place it in the installation
folder as instructed in step • on page 5, use the browse button to locate the
server.keystore file.
b. Keystore Password - The password chosen when the TLS certificates were
created, then confirm the password in the field below.
c. SSL Key Alias - The alias chosen when the TLS certificates were created.
d. Salt Value - Enter the encryption salt value to be used.
178.Click Next.
179.Specify the memory values for the Tomcat service.
197.Confirm that Xadmin is running by logging into it with a web browser. The format
for the URL is:
https://<server_hostname>:<server_port>/xadmin
FOR EXAMPLE, IF:
• server_hostname: xstore.office.biz
• server_port: 8443
• organization_id: 1000
THEN THE URL=
https://xstore.office.biz:8443/xadmin
198.If you are installing Xstore Office DataLoader, continue with “Install Xstore Office
DataLoader”.
199.If you are installing Xstore Office POSLog Generator, continue with “Install Xstore
Office POS Log Generator”.
Tip: Oracle recommends you keep the default values specified here
unless you are advised otherwise.
214.Click Next.
215.Click Install Xcenter DataLoader to begin the installation.
216.Click OK, then Exit when the installation is complete.
217.Run DataLoader to verify it runs as expected.
Before installing any components of the Xstore Point of Service, it is necessary to prepare
the system on which the software will be installed.
System Requirements
Note: Oracle Retail assumes that the retailer has applied all required
fixes for supported compatible technologies.
Hardware Requirements
The minimum hardware requirements for a system running Xstore Point of Service
depend upon whether the system is a Lead Register or a Non-Lead Register.
Lead Register
Following is a list of the minimum processor and memory requirements needed to
provide the best operating environment in the store to run Xstore Point of Service,
Xenvironment, and DataLoader.
Lead register requirements also apply to systems that will be required to perform as a
Lead in disaster recovery situations.
Processor: Intel Core i5-5350U dual-core processor >= 1.8GHz or equivalent
Memory: 8GB
Non-Lead Register
Following is a list of the minimum processor and memory requirements needed to
provide the best operating environment in the store to run Xstore Point of Service,
Xenvironment, and DataLoader.
Processor: Intel Celeron 3765U dual-core processor >= 1.9GHz or equivalent
Memory: 4GB
Supported Software
Xstore Point of Service is supported on the following software:
Windows POSReady 7
Windows 7
Windows 10
Supported Peripherals
Xstore Point of Service supports the following hardware peripherals:
Type Hardware
Register/PC HP RP5-5810
HP RP5800
Oracle MICROS Workstation 620
Oracle MICROS Workstation 650
Workstation 310
Workstation 610
See Workstation 310 and 610 Supported Peripherals
Windows 10 IOT Enterprise LTSB 2016 (1607) or later
Scanners
• Motorola DS4208
• Symbol LS 2108
• Symbol LS 2208
Cash Drawers
• APG 4000 series
• Micros
Printers
• Epson TM-H6000IV
• Epson TM-T88V
Fiscal Printers
• Custom K3-F
• Epson FP81/90
Line Display
• MICROS Line Display
Fingerprint Scanner
• Digital Persona U are U 4500
• EikonTouch 510
• Oracle Biometric Fingerprint Module for Oracle MICROS Workstation
<root_directory>
The extracted .zip file will create a set of directories and files, which will contain the
Xstore Point of Service installation files.
artifacts
Build artifacts.
oraclepdb_install,upgrade
Installation and upgrade files for an Xstore Office system that connects to an Oracle
database that uses pluggable databases. Contains Point-of-Service Installation .zip Files.
oracle_install,upgrade
Installation files for an Xstore Office system that connects to an Oracle database.
Contains Point-of-Service Installation .zip Files.
mssql_install,upgrade
Installation and upgrade files for an Xstore Office system that connects to a Microsoft
SQL Server database that does not use Unicode characters. Contains Point-of-Service
Installation .zip Files.
mssql-unicode_install, upgrade
Installation and upgrade files for an Xstore Office system that connects to a Microsoft
SQL Server database that uses Unicode characters. Contains Point-of-Service Installation
.zip Files.
OracleRetailXstorePointofService_X_X_X_X_CCC_V_V_V.zip
Extract this .zip file to create a directory that contains installation files for Xstore Office
and related software. This directory will have the format:
X.X.X.X.XXX_V.V.V
where:
• X.X.X.X.XXX is the version and build number
• V.V.V is a customer release version
This extracted directory will contain the following directories:
pos
Installation files for the Xstore Point of Service software. This includes the following
subdirectory:
• mobile - Installation files for Xstore Point of Service Mobile.
xenvironment
Installation files for Xenvironment.
xservices
Installation files for Xstore Point of Service web services.
OracleRetailXstoreCommon_X_X_X_X_X_CCC_V_V_V.zip
Extract this .zip file to create a directory X_X_X_X_X_CCC_V_V_V, where:
• X_X_X_X_X is the version and build number.
• CCC is the customer ID (XST for base Xstore Office).
• V_V_V is the customer release version.
This extracted directory will contain the following directories:
tools
Various tools used by the installation procedure and the Xstore Office. This includes the
following subdirectories:
- genkeys - Installation files for the GenKeys utility. This includes the string
encryption utility (see Appendix A: “String Encrypter Utility”) used to encrypt
information in the installation procedure, and generates security keys for use by
Xstore Office.
- jrepackager - Creates a JRE .zip file used by the installation procedure.
Java
Several Java components must be installed as part of the Xstore Point of Service
installation procedure.
Perform the following procedures:
• “Java Runtime Environment (JRE)”
• “Create JRE Package”
Database
You will need a database either installed on the local system, or network access to a
database server. The database must be either an Oracle or a Microsoft SQL Server database.
Oracle
Xstore Point of Service assumes that the Oracle database has been installed in the
oradata folder for the Oracle instance.
• On Linux, this would be similar to /u01/app/oradata/xstore
• On Windows, this would be similar to c:\app\oracle\oradata\xstore.
TLS Certificates
Several Xstore Point of Service components require TLS certificates to encrypt inter-
process communication. You must either receive these certificates from a certificate
authority, or you must create your own.
Important: Place all keystore files in the same directory as the Xstore
Point of Service installer. The installer will automatically find these
keystore files when they are in the same directory.
If you will be creating your own certificates, you will need OpenSSL & Keytool Utility.
See Appendix B: “Public Key Certificates” for more information.
• If you are installing Xstore Point of Service components for the first time, you will
likely not know all the security certificates you will require. The installation
procedures will inform you of the certificates you will require as you need them.
• If you have installed Xstore Point of Service before, it is recommended that you
either reuse existing security certificates, or create new certificates prior to installing
Xstore Point of Service components.
1. Obtain the appropriate appx bundle file that represents the Xstore Mobile Universal
Windows Platform (UWP) app.
2. Enable side-loading of the UWP apps through the Windows UI or by using a
registry edit command.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" /t REG_DWORD /f /v "AllowAllTrustedApps" /d "1"
3. Generate a new signing certificate. This will tell you the thumbprint of the certificate
when it succeeds.
https://docs.microsoft.com/en-us/windows/uwp/packaging/sign-app-package-using-signtool
"C:\Program Files (x86)\Windows Kits\10\bin\<versionNumber>\x64\signtool.exe" sign /fd SHA256 /a /f <certificate-name> /p <password> <package-name>.appxbundle
6. Import the PFX certificate that you generated in the LocalMachine store. The
TrustedPeople certificate store is recommended for this purpose. Use the following
Windows PowerShell command.
$pwd = ConvertTo-SecureString -String <password> -Force -AsPlainText
Import-PfxCertificate -FilePath <certificate-name> -CertStoreLocation Cert:\LocalMachine\<Certificate Store Name> -Password $pwd
7. Install the appx bundle package onto the device.
Note: The .NET Native Framework, the .NET Native Runtime and the
Microsoft VC Libs packages must be installed on the device prior to
this app package being installed. These packages can be obtained from
the Windows 10 SDK. Installing the dependencies is a one-time
operation per device.
Prerequisites
You will be required to set up a relationship with Apple to obtain and manage the
necessary developer provisioning profiles and certificates. As part of that program, you
will receive a signing certificate (.p12 file) and a .mobileprovision file. These
artifacts are used to sign your application.
Note: These files must be moved to the trash. Do not just delete the
references.
- AppDelegate.h
- AppDelegate.m
- ViewController.h
- ViewController.m
- Main.storyboard
- LaunchScreen.storyboard
- Info.plist
* config.xml
* www
* Xstore-Info.plist
d. Click Add.
The file list closes and the file is added.
Note: You may need to click a different tab, then return to the General
tab to refresh the choices in the LaunchImage menu.
#import <UIKit/UIKit.h>
#import <XstoreMobile/XstoreMobile.h>
A menu opens.
31. Click Add Files to Xstore.
32. Click the General tab.
33. Add XstoreMobileVerifoneSupport.framework to the Embedded Binaries:
a. Click the + in the Embedded Binaries section.
A file list opens.
b. Click XstoreMobileVerifoneSupport.framework.
c. Click Add.
34. If necessary, add XstoreMobileVerifoneSupport.framework to the Linked
Frameworks and Libraries:
a. Click the + in the Linked Frameworks and Libraries section.
A file list opens.
b. Click XstoreMobileVerifoneSupport.framework.
c. Click Add.
35. Copy the file VMF.framework to the root directory of the project.
36. Right click Xstore in the left pane.
A menu opens.
37. Click Add Files to Xstore.
A file list opens.
38. Click VMF.framework.
39. Click Add.
40. Add VMF.framework to the Linked Frameworks and Libraries:
a. Click the + in the Linked Frameworks and Libraries section.
A file list opens.
b. Click VMF.framework.
c. Click Add.
41. Edit the main.m file to include the highlighted information:
//
// main.m
// Xstore
//
#import <UIKit/UIKit.h>
#import <XstoreMobile/XstoreMobile.h>
#import <XstoreMobileVerifoneSupport/VerifoneHardwareDelegate.h>
@autoreleasepool {
// Inspect for hardware devices
NSArray *hardware = [[EAAccessoryManager sharedAccessoryManager] connectedAccessories];
Note: The content will be different if you are integrating with both a
Verifone device and a Zebra device. Speak with your Xstore Point of
Service product representative for assistance integrating more than
one device with Xstore Point of Service Mobile.
//
// main.m
// Xstore
//
#import <UIKit/UIKit.h>
#import <XstoreMobile/XstoreMobile.h>
#import <XstoreMobileZebraSupport/ZebraScannerDelegate.h>
60. Ensure that the Supported external accessory protocols contains the following
value:
com.motorolasolutions.CS4070_ssi
61. Click the Capabilities tab.
62. Enable the Background Modes section.
A list of options opens.
63. Enable External accessory communication in the Background Modes section.
64. If necessary, configure the background mode for the CS4070:
Note: These steps are only required if you are installing Xstore Point
of Service Mobile on a device that uses the Zebra or Symbol CS4070
scanner peripheral.
Xcode UI
After setting up the application, create an application archive that can be installed on an
iOS device:
65. Click Archive in the Product menu.
An archiving window opens.
66. Click Export... in the right pane.
A list of export methods opens.
67. Select Save for Enterprise Deployment.
Note: This is the most commonly used option. You may use a
different export method, if necessary.
Xcodebuild
After setting up the application, create an application archive that can be installed on an
iOS device:
78. Open a terminal window.
79. Navigate to the Xcode project directory in the terminal.
80. Run the following command:
xcodebuild archive -project Xstore.xcodeproj -scheme Xstore -archivePath Xstore
81. Create an options.plist file in the Xcode project directory.
82. Enter the following content into the options.plist file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>method</key>
<string>enterprise</string>
<key>compileBitcode</key>
<false/>
<key>teamID</key>
<string>{your 10 digit Apple Developer teamID}</string>
</dict>
</plist>
Where:
{your 10 digit Apple Developer teamID} is the team ID for your Apple
Developer account.
5. Grant the xstore user access to the shutdown command with the following
command:
chmod +s /sbin/shutdown
6. Create the following folders and give the xstore user full access to them:
/opt/environment
/opt/updates
/opt/xstoredb/backup
/opt/jre
7. Transfer ownership of the directory /opt/xstoredb/backup to the oracle user
with the following command:
chown -R oracle:users /opt/xstoredb
8. Grant additional access to the /opt/xstoredb and /opt/xstoredb/backup
directories with the following commands:
chmod -R 775 /opt/xstoredb
chmod g+s /opt/xstoredb/backup
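A check that steps 5 to 8 took effect, written here as an added example and not part of the Oracle procedure. It also reports which file actually carries the setuid bit when /sbin/shutdown is a symbolic link, because chmod changes the link's target. The root parameter, the owner tuple and the function names are assumptions of this sketch.

```python
import os
import stat

SHUTDOWN = "/sbin/shutdown"
XSTOREDB = "/opt/xstoredb"
BACKUP = "/opt/xstoredb/backup"
REQUIRED_DIRS = ("/opt/environment", "/opt/updates", BACKUP, "/opt/jre")


def collect(root="/"):
    """Snapshot {logical path: (st_mode, uid, gid, link target or None)}.

    root lets the audit run against a mounted image or a test tree.
    """
    def on_disk(path):
        return os.path.join(root, path.lstrip("/"))

    def snap(full):
        st = os.stat(full)  # follows symlinks, as chmod does for its arguments
        target = os.path.realpath(full) if os.path.islink(full) else None
        return (st.st_mode, st.st_uid, st.st_gid, target)

    seen = {}
    for path in (SHUTDOWN,) + REQUIRED_DIRS:
        if os.path.exists(on_disk(path)):
            seen[path] = snap(on_disk(path))
    # Everything below /opt/xstoredb is covered by the recursive chown/chmod.
    for dirpath, _dirs, files in os.walk(on_disk(XSTOREDB)):
        for full in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            if not os.path.islink(full):
                seen["/" + os.path.relpath(full, root)] = snap(full)
    return seen


def evaluate(seen, owner=None):
    """Return sorted (level, path, message) findings.

    owner=(uid, gid) of oracle:users enables the step 7 ownership check.
    """
    out = []
    if SHUTDOWN not in seen:
        out.append(("FAIL", SHUTDOWN, "not found"))
    else:
        mode, uid, _gid, target = seen[SHUTDOWN]
        if not mode & stat.S_ISUID:
            out.append(("FAIL", SHUTDOWN, "setuid bit missing (step 5)"))
        else:
            # Not a failure: this is the file to record in the host's
            # setuid baseline so later integrity scans expect it.
            holder = target or SHUTDOWN
            out.append(("NOTE", SHUTDOWN, f"setuid uid={uid} carried by {holder}"))

    for path in REQUIRED_DIRS:
        if path not in seen or not stat.S_ISDIR(seen[path][0]):
            out.append(("FAIL", path, "directory missing (step 6)"))

    for path, (mode, uid, gid, _target) in seen.items():
        if path != XSTOREDB and not path.startswith(XSTOREDB + "/"):
            continue
        perms = stat.S_IMODE(mode) & 0o777
        if perms != 0o775:
            out.append(("FAIL", path, f"mode {perms:o}, expected 775 (step 8)"))
        if owner is not None and (uid, gid) != owner:
            out.append(("FAIL", path, "owner is not oracle:users (step 7)"))

    if BACKUP in seen and not seen[BACKUP][0] & stat.S_ISGID:
        out.append(("FAIL", BACKUP, "setgid bit missing (step 8)"))
    return sorted(out)


if __name__ == "__main__":
    import grp
    import pwd
    try:
        expected = (pwd.getpwnam("oracle").pw_uid, grp.getgrnam("users").gr_gid)
    except KeyError:
        expected = None  # account or group absent on this host: skip step 7
    for finding in evaluate(collect("/"), expected):
        print(*finding, sep="\t")
```
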
Overview
InstallX is used to build and install builds of the Xstore Point of Service application and
associated server-based components. This installation application is used to package,
install and configure the Xstore Point of Service application, associated server-based
components, and utilities. It is customer, operating system, and database platform
independent.
InstallX maintains the order in any properties files it updates (using ant tasks) during the
install. The properties are carried over into the base-xstore.properties which is
human-readable and retains comments and line breaks.
baseconfigure.bat does not change ordering or remove comments in any properties
files it touches. For example, you can edit system.properties, re-order it to your
liking, and add comments. baseconfigure.bat is able to update values in it and
retain the formatting.
Silent Mode
Silent mode, also referred to as “unattended mode”, allows you to set customization
options in a properties text file before running InstallX. This allows for the InstallX
process to be run without user interaction. It is designed for deployments when user
interaction is not possible or not desired.
For example, the following command is used to launch the InstallX Xstore Point of
Service Installer in Silent Mode:
c:\jre\bin\java -jar xstore-version-XYZ-appname.jar
GUI Mode
GUI mode provides an interactive graphical interface that guides you through a wizard-
style process to install applications in a demo or lab environment. You will be prompted
with a series of configuration choices and deployment options to customize your
installation.
For example, the following command is used to launch the InstallX Xstore Point of
Service Installer in GUI Mode:
c:\jre\bin\java -jar xstore-version-XYZ-appname.jar gui
Where...
B.B.B.B is the base release version
V.V.V is the customer release version
P.P is the patch release version
CCC is the three-letter customer ID
pos is the app name
TYPE is the installer type (install, upgrade, update, patch)
In Linux:
installDir = /opt/xstore-genkeys
4. Change the customerId.salt property to your salt value.
Note: You must always use the same salt value when creating
certificates. It is recommended that you use a value that is at least 8
characters in length and difficult to guess.
Important: If you are using a salt value other than the default, you
must create and apply a customer overlay to your project. See the
Oracle Retail Xstore POS and Xstore Office Development Environment
Setup (MOS ID 2158739.1) and Oracle Retail Xstore POS and Xstore Office
Build Server Setup White Paper (MOS ID 2055918.1) on My Oracle
Support (http://support.oracle.com/) for procedures on creating and
applying customer overlays.
Windows:
gen-keys.bat
Linux:
./gen-keys.sh
22. The rotating cipher key files are generated.
Installation Procedure
31. Open a command prompt.
32. In the command prompt, navigate to the pos directory extracted from the
OracleRetailXstorePointofService_X_X_X_X_CCC_V_V_V.zip file. See “Xstore Point
of Service Installation .zip File” in Chapter 4, “Prerequisites for Installing Xstore
Point of Service” for more information.
33. Run the Xstore Point of Service installation procedure with the command:
c:\jre\bin\java -jar xstore-X.X.X.X.XXX-V.V.V-P.P-CCC-pos-install.jar GUI
where:
- X.X.X.X.XXX is the version and build number
- V.V.V is a customer release version
- P.P is a patch number
- CCC is the three-letter customer ID
The Xstore Point of Service installation window opens to the welcome screen.
34. Click Next.
35. Select the installation type:
a. Full Service Workstation - Perform a full installation of Xstore Point of Service.
b. Thin Client Workstation - Perform an installation of a thin client version of
Xstore Point of Service. This is the Windows tablet version of Xstore Point of Service
Mobile.
c. Full Service plus Mobile Server - Perform a full installation of Xstore Point of
Service, including a server for Xstore Point of Service Mobile.
d. Lane Check Out - Perform a full installation of Xstore Point of Service with the
Lane Checkout Interface.
36. Click Next.
- If you selected Thin Client Workstation in step 35, continue with the next step.
- If you selected an option other than Thin Client Workstation in step 35,
continue with step 39.
37. Enter the Install Location configurations:
Important: If you are using a salt value other than the default, you
must create and apply a customer overlay to your project.
a. Payroll/OT Rule: Rule used to determine whether a worker logged overtime for
the day.
b. Send Sale Tax Type: Rule used when applying sales tax to a send-sale item.
c. Salt: Salt used when creating certificates (must match the salt entered in step 4).
d. Dataloader File Encoding: Character encoding that Dataloader should expect in
host interface files.
45. Click Next.
- If you selected Full Service plus Mobile Server in step 35, continue with the
next step.
- If you selected Lane Check Out in step 35, continue with step 51.
- If you did not select Full Service plus Mobile Server in step 35, continue with
step 53.
46. Enter the Xstore Mobile Settings:
a. Xstore Mobile install dir: Directory where Xstore Point of Service Mobile will
be installed.
b. Configurations: Additional configuration path elements for Xstore Point of
Service Mobile.
c. Server Key Alias: The key alias used for the Xstore Point of Service Mobile key
added to the keystore.
d. Server Keystore Password (OBF): The password for the keystore, in Jetty's
proprietary Obfuscated format. For more information, see Extract the Jetty
Password Obfuscation Utility (Xstore Point of Service Mobile and Xservices) in
Chapter 4, “Prerequisites for Installing Xstore Point of Service”.
To obfuscate a password:
i) Open a command prompt (for example, cmd in Windows or xterm in
Linux).
ii) In the command prompt, navigate to the directory where you placed the
Jetty password obfuscation utility (see Extract the Jetty Password
Obfuscation Utility (Xstore Point of Service Mobile and Xservices)).
iii) Run the command:
c:\jre\bin\java -cp jetty-util-<version>.jar org.eclipse.jetty.util.security.Password <password>
where:
<version> is the version of the Jetty password obfuscation utility.
<password> is the password to obfuscate.
The output of the command will look like the following (if the password is
allgoodthings):
allgoodthings
OBF:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
MD5:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The output line starting with OBF: will be used during the installation
procedure.
e. RSA Private Key Path: Full pathname to the RSA private key.
f. RSA Private Key Password: Encrypted password required to use the RSA
private key. Use the String Encrypter Utility to encrypt this value.
47. Click Next.
48. If the directory entered for Xstore Mobile install dir does not exist, click Yes when
prompted whether to create it.
49. Enter the Xstore Mobile Form Factor Settings:
a. Handheld Server Register #: Register number for the register operating as the
server for handheld devices.
b. Tablet Server Register #: Register number for the register operating as the
server for tablet devices.
c. Thin Client Server Register #: Register number for the register operating as the
server for thin client devices.
d. Disable Mobile Server start?: If checked, the system will not receive requests
from handheld devices.
e. Disable Tablet Server start?: If checked, the system will not receive requests
from tablet devices.
f. Disable Thin Client Server start?: If checked, the system will not receive
requests from thin client devices.
b. Velocity MacroLibrary: The path to the MacroLibrary with additional scripts for
the interpreter.
52. Click Next.
53. Enter the Email Server settings:
a. Mail Server Host: The email server host name or IP address.
Note: If you are integrating Xstore Point of Service with RXM, there
are additional configurations that must be performed for the
integration to work correctly. These configurations are described in
Configure Xstore Point of Service for Retail Extension Module.
Note: If you are integrating Xstore Point of Service with AVS, there
are additional configurations that must be performed for the
integration to work correctly. These configurations are described in
Configure Xstore Point of Service for Retail Extension Module.
67. If you selected Order Broker in step 57, enter the Order Broker Integration Settings
for Oracle Retail Order Broker Cloud Service.
a. Order Broker Service WSDL Location: URL for the Order Broker Cloud Service
web service.
b. Order Broker Username: Encrypted username used to log into Order Broker
Cloud Service. Use the String Encrypter Utility to encrypt this value.
c. Order Broker Password: Encrypted password used to log into Order Broker
Cloud Service. Use the String Encrypter Utility to encrypt this value.
d. Order Broker Service Timeout: Timeout (in seconds) to use when connecting to
Order Broker Cloud Service.
e. Order Broker-Xstore System Code: System code that Xstore Point of Service
will be using in Order Broker Cloud Service. This value is defined in Order Broker
Cloud Service and simply needs to be specified in Xstore Point of Service.
f. Order Broker Destination: Identifies what should be sent to Order Broker
Cloud Service as the destination in a request message. This is set in Order Broker
Cloud Service and dictated by Order Broker Cloud Service.
68. Click Next.
69. If you selected Order Management in step 57, enter the Order Management
Integration Settings for Oracle Retail Order Management Cloud Service.
a. Order Management Service WSDL Location: URL for the Order Management
Cloud Service web service.
b. Order Management Username: Encrypted username used to log into Order
Management Cloud Service. Use the String Encrypter Utility to encrypt this value.
c. Order Management Password: Encrypted password used to log into Order
Management Cloud Service. Use the String Encrypter Utility to encrypt this value.
d. Order Management Service Timeout: Timeout (in seconds) to use when
connecting to Order Management Cloud Service.
e. Order Management-Xstore System Code: System code that Xstore Point of
Service will be using in Order Management Cloud Service. This value is defined in
Order Management Cloud Service and simply needs to be specified in Xstore Point of
Service.
70. Click Next.
71. If you selected Xcenter in step 57, enter the Xcenter Application Server Settings for
Xstore Office.
a. App Server Host: Hostname for Xstore Office.
b. App Server Port: Port for Xstore Office.
c. App Server Username: Encrypted username for Xstore Office. Use the String
Encrypter Utility to encrypt this value.
d. App Server Password: Encrypted password for Xstore Office. Use the String
Encrypter Utility to encrypt this value.
Note: The App Server Customer Name and App Server Password are
specified in the WebLogic installation, the Jetty installation step 159, or
Tomcat installation step 187.
e. Keystore Pwd: Encrypted password for the Xstore Office keystore. Use the String
Encrypter Utility to encrypt this value.
f. Truststore Pwd: Encrypted password for the Xstore Office truststore. Use the
String Encrypter Utility to encrypt this value.
72. Click Next.
73. Enter the Schema Creation details:
a. Database Admin Username: Encrypted username for the database
administrator. Use the String Encrypter Utility to encrypt this value.
ii) Database Password: Encrypted password for the master database. Use the
String Encrypter Utility to encrypt this value.
b. Schema Owner:
i) Database Username: Encrypted username for the schema owner. Use the
String Encrypter Utility to encrypt this value.
ii) Database Password: Encrypted password for the schema owner. Use the
String Encrypter Utility to encrypt this value.
85. Click Next.
86. Enter the Training Data Source Settings for the training database.
a. Training Host: Hostname for the training database.
b. Training Database: Name of the training database.
If you are integrating with SIM (see step 61), do the following:
103. Uncomment the following, highlighted line in the file system.properties.
Note: This file is located in the root directory of the Xstore Point of
Service installation.
#********************************
# -- SIM
#********************************
dtv.config.path.-380=:sim
104. Load items into Xstore Office and SIM databases as necessary.
Note: The inventory items in Xstore Point of Service and SIM must be
the same. Neither Xstore Point of Service nor SIM automatically
populate items in the other software.
Note: This file is located in the root directory of the Xstore Point of
Service installation.
dtv.config.path.-390=:rxm
106. If necessary, set the following configuration in the file system.properties:
dtv.data2.access.impl.PersistenceConstants.manageCase=false
Note: This file is located in the root directory of the Xstore Point of
Service installation.
dtv.config.path.-425=:qas
dtv.config.path.-450=:avs
118. Create a cust_config\version1\spring directory in the Xstore Point of Service
root directory.
119. Open a text editor (for example, emacs in Linux or Wordpad in Windows).
120. Enter the following text in the text editor:
<context:annotation-config />
<!--
The following two beans identify a complete
XstoreProxy; Spring will gather as many of
these objects as have been defined into a list and set the list
on the proxySelector bean.
-->
<bean id="oracleProxyAddress" class="java.net.InetSocketAddress">
<!-- constructor-arg value="www-proxy.us.oracle.com" / -->
<!--
This class provides a way to configure a proxy server for
specific web services. It does not have to
be injected into any class because the mere instantiation of
the class makes it replace
the default proxy selector.
-->
<bean id="proxySelector"
class="dtv.servicex.impl.CustomProxySelector" init-method="init"/>
</beans>
Install Xservices
Perform the following steps to customize the settings for the installation. The GUI
screens are used to capture settings, and the resulting properties are captured in the
ant.install.properties file.
1. Copy the folder to a temporary location (Recommended).
2. In a Command Prompt, navigate to the folder where the installer is located and type
the following command:
c:\jre\bin\java -jar xservices-B.B.B.B-V.V.V-P.P-CCC-xservices.jar GUI
Important: If you are using a customer ID other than the default, you
must create and apply a customer overlay to your project. See the
Oracle Retail Xstore POS and Xstore Office Development Environment
Setup (MOS ID 2158739.1) and Oracle Retail Xstore POS and Xstore Office
Build Server Setup White Paper (MOS ID 2055918.1) on My Oracle
Support (http://support.oracle.com/) for procedures on creating and
applying customer overlays.
Important: If you are using a salt value other than the default, you
must create and apply a customer overlay to your project.
a. Database URL: Connection string defining the location of the Xstore Point of
Service backup database.
b. Encrypted Username: Encrypted username used to log into the Xstore Point of
Service backup database. Use the String Encrypter Utility to encrypt this value.
c. Encrypted Password: Encrypted password used to log into the Xstore Point of
Service backup database. Use the String Encrypter Utility to encrypt this value.
9. Verify/specify the Xstore Office Data Source settings, then click Next.
b. Order Broker WSDL URL: URL for the Order Broker Cloud Service WSDL.
c. Order Broker user name: Encrypted user name used to connect to Order Broker
Cloud Service. Use the String Encrypter Utility to encrypt this value.
d. Order Broker password: Encrypted password used to connect to Order Broker
Cloud Service. Use the String Encrypter Utility to encrypt this value.
12. Verify/specify the Authorizations settings, then click Next.
a. Host 1: Connection string used to connect to the first authorization host.
b. Host 2: Connection string used to connect to the second authorization host.
c. Xpay user name: Encrypted user name used to connect to the Xpay server. Use
the String Encrypter Utility to encrypt this value.
d. Xpay password: Encrypted password used to connect to the Xpay server. Use the
String Encrypter Utility to encrypt this value.
- ccenc.*.cip
- config.*.cip
- pinfo.*.cip
- rcpt.*.cip
21. Import the client certificate for Xstore Office into xservices-config/res/ssl
by copying the .truststore file from xstore\res\ssl to xservices-config\res\ssl.
22. Perform the certificate generation steps for xservices and place the keystore file in
the xservices-config folder. (See Appendix B: “Public Key Certificates”).
23. Create an obfuscated password for Jetty:
a. Open a Command Prompt and navigate to the xservices folder
(c:\xservices).
b. Run the following command, substituting <version> with the version of the
Jetty password obfuscation utility and replacing <keystore password> with
the password you want to use:
c:\jre\bin\java -cp lib\jetty-util-<version>.jar org.eclipse.jetty.util.security.Password <keystore password>
c. The output of that command will look like this (if the password is
allgoodthings):
allgoodthings
OBF:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
MD5:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
d. Copy the string on the line starting with OBF: (including OBF) into three places
in jetty-ssl.xml (C:\xservices-config):
* Password
* KeyPassword
* TrustPassword
<Configure class="org.eclipse.jetty.server.Server" id="Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        ...
        <Arg name="sslContextFactory">
          <New class="org.eclipse.jetty.util.ssl.SslContextFactory"
               id="sslContextFactory">
            ...
            <Set name="KeyStorePassword">
              OBF:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
            </Set>
            <Set name="KeyManagerPassword">
              OBF:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
            </Set>
            ...
          </New>
          ...
e. Save the changes.
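An added check, not part of this guide or of Jetty: the OBF: format is reversible obfuscation rather than encryption, so after the obfuscation steps (46d for Xstore Point of Service Mobile, 23 for Xservices) it is worth confirming that every password setter in jetty-ssl.xml holds an OBF: string, that the copies match, and that other accounts cannot read the file. The sample XML is constructed, and TrustStorePassword as the name of the third setter is an assumption.

```python
"""Audit the password setters of a Jetty SSL configuration (jetty-ssl.xml)."""
import os
import stat
import xml.etree.ElementTree as ET

# KeyStorePassword and KeyManagerPassword appear in the fragment above;
# TrustStorePassword is assumed here to be the third place the string goes.
REQUIRED_FIELDS = ("KeyStorePassword", "KeyManagerPassword", "TrustStorePassword")

# Constructed sample, not a real configuration: one setter still holds a
# clear-text value and the truststore password is missing.
SAMPLE_JETTY_SSL = """\
<Configure class="org.eclipse.jetty.server.Server" id="Server">
  <New class="org.eclipse.jetty.util.ssl.SslContextFactory" id="sslContextFactory">
    <Set name="KeyStorePassword">
      OBF:xxxxxxxxxxxxxxxxxxxxxxxx
    </Set>
    <Set name="KeyManagerPassword">allgoodthings</Set>
  </New>
</Configure>
"""


def password_settings(xml_data):
    """Map each <Set name="...Password"> to its value (None if unresolved)."""
    settings = {}
    for elem in ET.fromstring(xml_data).iter("Set"):
        name = elem.get("name", "")
        if not name.endswith("Password"):
            continue
        value = (elem.text or "").strip()
        # Jetty XML can also take the value from a nested <Property> or
        # <SystemProperty>; only its default= is visible in this file.
        prop = next((c for c in elem if c.tag in ("Property", "SystemProperty")), None)
        if not value and prop is not None:
            value = (prop.get("default") or "").strip() or None
        settings[name] = value
    return settings


def audit_config(xml_data):
    """Return findings for the XML text; password values are never echoed."""
    settings = password_settings(xml_data)
    findings = [f"{field}: not set" for field in REQUIRED_FIELDS if field not in settings]
    for name, value in sorted(settings.items()):
        if value is None:
            findings.append(f"{name}: set from a property defined outside this file")
        elif not value:
            findings.append(f"{name}: empty")
        elif not value.startswith("OBF:"):
            findings.append(f"{name}: value is not in OBF: format")
    # The procedure copies one OBF: string into every setter, so they must match.
    obfuscated = {v for v in settings.values() if v and v.startswith("OBF:")}
    if len(obfuscated) > 1:
        findings.append("OBF: strings differ between setters")
    return findings


def mode_findings(path):
    """On POSIX, flag a config file that accounts outside its group can access."""
    if os.name != "posix":
        return []  # Windows ACLs are not visible through st_mode
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        return [f"{path}: mode {mode:03o} is readable or writable by other accounts"]
    return []


def audit_file(path):
    """Audit a jetty-ssl.xml on disk: password setters plus file mode."""
    with open(path, "rb") as handle:
        return audit_config(handle.read()) + mode_findings(path)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_JETTY_SSL):
        print(finding)
```

Run `audit_file` against the deployed file (for example the jetty-ssl.xml in the xservices-config folder) after step e; an empty list means every setter holds a matching OBF: string and the file mode is restrictive.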
Login Configuration
After installing Xservices, you will need to configure the login information used to
connect to Xservices:
24. Create an SHA512 hash of each user password:
a. Open a command prompt (for example cmd in Windows, or xterm in Linux).
b. In the command prompt, navigate to the lib directory within the Xstore Point of
Service root directory. The default location is:
* c:\xstore in Windows
* /opt/xstore in Linux
c. Enter the following command:
c:\jre\bin\java -cp dtv-password.jar oracle.retail.xstore.passwd.impl.Ssha2Hasher
d. Enter the password to hash.
e. Copy the hashed password to someplace where it can be retrieved easily.
f. Repeat steps c-e for each password to be hashed.
25. Configure the Xservices users and passwords (see step 24) in the
sec_user_password table in the Xstore Point of Service database. See the Xstore
Point of Service Database Dictionary for information about this table.
26. Assign the ADMIN role to each Xservices user in the sec_user_role table in the
Xstore Point of Service database. See the Xstore Point of Service Database Dictionary for
more information about this table.
27. Navigate to the Xservices root directory configured in step 2.
28. Enter the etc directory.
29. Edit the login.conf file in a text editor (for example, Wordpad or emacs).
30. Set the following configurations:
Install Xenvironment
To install Xenvironment:
1. Open a command prompt.
2. Navigate to the xenvironment directory extracted from the
OracleRetailXstorePointofService_X_X_X_X_CCC_V_V_V.zip file. See “Xstore Point
of Service Installation .zip File” in Chapter 4, “Prerequisites for Installing Xstore
Point of Service” for more information.
3. Run the Xenvironment installer in GUI mode:
c:\jre\bin\java -jar xenvironment-X.X.X.X.XXX-V.V.V-P.P-CCC-install.jar GUI
where:
- X.X.X.X.XXX is the version and build number
- V.V.V is a customer release version
- P.P is the patch release version
- CCC is the three-letter customer ID.
The installation GUI opens.
4. Click Next.
5. Select the installation options:
a. Select an installation directory: Select the directory where Xenvironment will
be installed.
b. Register Type: Type of register:
* Lead Workstation/Server - A fixed register in a retail (that is, non-grocery)
store, or a back office server that serves as the lead register.
31. Set the value of the new registry key to the following:
c:\windows\system32\wscript.exe //B c:\environment\start_eng.vbs
32. Configure Assigned Access to launch Xstore Point of Service Mobile for the user:
a. Open Settings as an administrator.
b. Open Accounts in the Settings window.
c. Open Family & Other People.
d. Open Set up assigned access.
e. Select the user that will run the Xstore Point of Service.
f. Select the Xstore Point of Service Mobile application.
g. Click OK.
The Xstore Point of Service Mobile application will open automatically when the
assigned user logs in.
Windows
1. Stop Xenvironment, if necessary.
2. Navigate to the cust_config\version1 directory in the Xenvironment directory.
Linux (systemd)
If your Linux system uses the /etc/systemd directory for services, do the following:
1. Stop Xenvironment, if necessary.
2. Navigate to the directory where Xenvironment is installed.
[Service]
Type=forking
ExecStart=/opt/environment/start_eng.sh 'start'
ExecStop=/opt/environment/start_eng.sh 'stop'
ExecReload=/opt/environment/start_eng.sh 'restart'
[Install]
WantedBy=multi-user.target
5. Save the file as /etc/systemd/system/xenv_eng.service.
6. In a terminal window, enter the following command:
systemctl enable xenv_eng.service
Linux (init.d)
If your Linux system uses the /etc/init.d directory for services, do the following:
1. Stop Xenvironment, if necessary.
2. Open a text editor (for example, emacs or vi).
3. Enter the following into the text editor:
#!/bin/sh
# /etc/init.d/xenv_eng
#
# System startup script for Xenvironment Point of Service engine service/daemon
#
### BEGIN INIT INFO
# Provides: xenv_eng
# Required-Start: $null
# Required-Stop: $null
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Xenvironment engine daemon
# Description: Start Xenvironment engine as a daemon
### END INIT INFO
case "$1" in
  start)
    su xstore -c '/opt/environment/start_eng.sh start'
    ;;
  stop)
    su xstore -c '/opt/environment/start_eng.sh stop'
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  status)
    su xstore -c '/opt/environment/start_eng.sh status'
    ;;
  *)
    echo "Usage: $0 {start|stop|status|restart}"
    exit 1
    ;;
esac
4. Save the file as /etc/init.d/xenv_eng.
5. Run the following command:
sudo chown xstore /etc/init.d/xenv_eng
6. Set the file permission to 750 with the following command:
sudo chmod 750 /etc/init.d/xenv_eng
7. Change user to root with the following command:
sudo -s
8. Execute the following command:
chkconfig --set xenv_eng on
iOS
Installation of Xstore Point of Service Mobile on an iOS device requires the use of mobile
device management (MDM) software:
1. Use your MDM software to install the prepared Xstore Point of Service Mobile on
the device(s). See Build an Xstore Point of Service Mobile Client Application (iOS
Only) in Chapter 4, “Prerequisites for Installing Xstore Point of Service” for more
information.
2. Install the certificate authority on the device:
a. Create a cacert.cer certificate:
i) On a Mac, double-click the cacert.pem file (see cacert.pem in Appendix B:
“Public Key Certificates”).
ii) The cacert.pem file opens in Keychain Access.
iii) Right click the cacert.pem file in Keychain Access.
iv) Export the file as a .cer file.
A cacert.cer file is created.
Android
CA-Signed Certificate
1. Copy the provided certificate file to the storage of the Android device. If you used the
certificate creation process Certificate Authority‐Signed Certificates: Xstore Point of Service
Mobile, in Appendix B: “Public Key Certificates”, this is the cacert.pem file.
2. If necessary, change the extension of the file from .pem to .cer.
3. Open the device’s security menu.
4. In the security menu of the Android device, enable a face unlock, pattern, PIN, or
password lock screen.
5. In the security menu of the Android device, select the Install from storage option and,
when prompted for the name, select the file that was copied to the device's storage.
Self-Signed Certificate
1. Export the certificate from the keystore file by typing the following command:
- Code 39 (Default)
- QR Code (Default)
- Code 93
10. Exit the barcode decoder screen to return to the profile screen.
11. If necessary, enable MSR input. This option is not available on the Motorola TC70.
Continue with Associate the profile with Xstore Point of Service Mobile.
Server Configuration
Enter the server configuration information on the device:
1. Enter the hostname or IP address for the Xstore Point of Service Mobile server.
2. Enter the server port:
- Handheld: Enter 8443.
- Tablet: Enter 8543.
- Thin Client: Enter 8643.
3. Select Test Connection to test the connection to the server.
- If the test is successful, continue the procedure.
- If the test fails, check the hostname and port, and the network connection.
4. If necessary, perform Location Configuration.
5. Select Save.
6. Configuration is complete.
Location Configuration
To configure the location information in Xstore Point of Service Mobile:
1. Select Location Details in the configuration screen.
2. Enter the store number.
3. Enter the register number.
4. Select Save.
5. Ensure the device is enabled in Xstore.
6. Select Save.
7. Xstore Point of Service Mobile returns to the Server Configuration screen.
Additional Configuration
Additional configuration of Xstore Point of Service Mobile is performed through the
back office component of Xstore Point of Service.
For initial configuration, or whenever changing the Register number, a pop-up message
appears with a token.
The server will initially block a device from running Xstore Point of Service Mobile until
an administrator goes into a new function (Mobile Client Device Access) within Manage
Hardware in Xstore Point of Service’s Back Office to enable the newly configured device.
Administrators can also use this new function in Xstore Point of Service’s Back Office to
disable access to any currently enabled mobile device.
See also the Xstore Point of Service Manager’s Guide for more information about these
configurations.
Functional Settings
Inventory
• Prompt For a Quantity After Manual Entry Of An Item? - Determines whether
Xstore Point of Service and Xstore Point of Service Mobile will prompt for a quantity
after a user enters an item ID.
• Prompt For a Quantity After Scanning An Item? - Determines whether Xstore Point
of Service and Xstore Point of Service Mobile will prompt for a quantity after the
user scans an item.
Inventory Count
• Enable Count Sheet Mode? - Determines whether count sheets are used in
inventory counts. This must be set to False for any implementation using Xstore Point of
Service Mobile.
Item Options
• Show item images? - Determines whether images will be shown for items in Xstore
Point of Service Mobile.
Security Settings
Xstore Point of Service Mobile also uses the following user security settings for Xstore
Point of Service:
• Search Inventory Count - Permission to search for inventory counts.
• Create Inventory Count - Permission to create inventory counts.
• Complete Inventory Count - Permission to complete inventory counts.
• Cancel Inventory Count - Permission to cancel inventory counts.
• arg1value and arg2value are the values for the parameters sent to the
Xcommerce application
An Xcommerce iOS app must register the xstorecommerce URL scheme in its
Info.plist properties file. This tells iOS to launch the Xcommerce app whenever
Xstore attempts to open a URL that starts with xstorecommerce://.
The parameters passed to the Xcommerce app are initialized on the server in Spring-
configured code.
Info.plist File
Enter the following in the Info.plist file for your Xcommerce application:
<key>CFBundleURLTypes</key>
<array>
<dict>
<key>CFBundleURLSchemes</key>
<array>
<string>xstorecommerce</string>
</array>
</dict>
</array>
• arg1value and arg2value are the values for the parameters being sent to Xstore
Point of Service from Xcommerce
The parameters passed back to Xstore Point of Service will be handled on the server in
the same Spring-configured code as the initial setup mentioned in the iOS: Outbound
Call to the Xcommerce Application.
IXcommerceHandler Interface
There is an IXcommerceHandler interface that a class can implement, based on the
Xcommerce application’s requirements. This interface includes methods for:
• server side parsing of any parameters to send to the Xcommerce application
• processing the parameters returned to Xstore Point of Service from Xcommerce.
public interface IXcommerceHandler {
Map<String, String> getInitialParameters();
List<XcommerceItem> processResponseData(Map<String, String>
argResponseData);
}
getInitialParameters retrieves the parameters to send to Xcommerce. This method
allows for the server-side setup of any parameters that need to be sent to the Xcommerce
application.
Spring Configuration
See mobile-beans.xml for how this is all put together:
xcommerceHandlerServiceFactory - Uses the ServiceLocatorFactoryBean
pattern, and is wired up with an IXcommerceHandlerServiceFactory.
The xcommerceHandlerServiceFactory factory returns an IXcommerceHandler.
xcommerceHandler (DefaultXcommerceHandler) - Defines a default
implementation of the IXcommerceHandler.
• Xstore Point of Service Mobile - This is an optional feature. Xstore Point of Service
Mobile is cross-platform, running both on Apple and Android devices using thin-
client technology, but presented with an app-like feel.
Oracle project managers can work with you to determine these requirements.
Installation Requirements
When you are ready to install Xstore Point of Service, review this section to make sure
you understand what’s needed for the install and have completed any pre-install steps.
See the Xstore Point of Service Release Notes for the platforms supported in each Xstore
Point of Service version.
The following components must be installed prior to beginning the Xstore Point of
Service install. As noted above, the instructions for installing these components are not
included in this guide.
• Operating system fully installed and configured (See “Base Operating System
Configurations”)
• Database platform fully installed and configured (See “Base Software Installation
Configurations”)
The build/installation type will indicate the steps the installer will perform:
• Install - Installs a new Xstore Point of Service version on a clean machine. On a
system with an existing Xstore Point of Service version, it will delete the existing
version and databases and replace it with the new.
• Upgrade - Applies a new base version, updates the database, and applies the
customer overlay.
• Update - Retains the existing Xstore Point of Service version, updates the database,
and applies a new customer overlay.
• Patch - Applies critical fixes and may update the database.
The following steps will be completed based on the type of installer: Install, Upgrade,
Update, or Patch:
Table 6-1: Installer Types/Steps Performed
4. Backup previous
installation
1. When applicable.
Communication Ports
Application | Port | Protocol | Where? | Comments
Xenvironment Engine File Server | 9097 | HTTP over TLS | Store | 9097 is the specialized web server that's optimized for serving files. It's 6-10 times faster than downloading files from the IPC server. Currently, the only files downloaded via this service are the database backups.
Xstore Payment IPC | 8443 | HTTP over TLS | Store & Corp | If running Xstore Payment in the store, the Xstore Payment ports should be opened in the firewall on the POS system.
Xstore Payment GUI | 8543 | HTTP over TLS | Store & Corp | If running Xstore Payment in the store, the Xstore Payment ports should be opened in the firewall on the POS system.
Oracle | 1521 | TCP/IP | Store & Corp | Store systems and Database Servers at corporate. Leverages industry-standard JDBC driver.
SQL Server | 1433 | TCP/IP | Store & Corp | Store systems and Database Servers at corporate. Leverages industry-standard JDBC driver.
Xstore Point of Service Lane Checkout User Interface Hardware Module | 4886 | HTTP over TLS | Store | This port is hosted by Xstore Point of Service Lane Checkout User Interface hardware module to allow Xstore Point of Service Lane Checkout User Interface client module to send receipts to a receipt printer.
Table 6-1: Additional Communication Ports for the Oracle Retail Xstore Point-of-Service,
Lane Checkout User Interface
Note: The listed Gserver port is only used when the network
communication for this component is activated. The in-memory
communication is the default mode.
4. Other 3rd Party Systems - You must specify details and provide a diagram
illustrating the configuration.
All data saved to the StorePrimary or Local data sources is replicated to Oracle Retail
Xstore Office.
Overview
InstallX is used to build and release installations of the Xstore Suite applications and
associated server-based components. This section provides instructions for using
InstallX to upgrade, update, or patch the Xstore Suite:
• Upgrade - Applies a new base version and applies the customer overlay. During an
upgrade, InstallX will re-order any unordered files. For example, base-
xstore.properties will be reformatted to include the arbitrary ordering and
comments that are included.
If there are any keys in the old base-xstore.properties that do not exist in the
new, they will be placed at the bottom of the file and commented out with a hash
("#") sign.
• Update - Retains the existing Xstore Point of Service version and applies a new
customer overlay.
• Patch - Applies critical fixes.
InstallX can invoke a call to Xenvironment to process any pending deployments during,
or shortly after, applying an update or upgrade with the required configuration.
Note: The steps in this section use the “upgrade” install type in the
commands as an example. Be sure to select the appropriate installer
type: upgrade, update, or patch for the function you want to perform.
Refer to Chapter 5, “Install Xstore Point of Service” for information about installing
Xstore Point of Service.
<root_directory>
The extracted .zip file will create a set of directories and files, which will contain the
Xstore Point of Service installation files.
artifacts
Build artifacts.
oraclepdb_install,upgrade
Installation and upgrade files for an Xstore Office system that connects to an Oracle
database that uses pluggable databases. Contains Point-of-Service Installation .zip Files.
oracle_install,upgrade
Installation files for an Xstore Office system that connects to an Oracle database.
Contains Point-of-Service Installation .zip Files.
mssql_install,upgrade
Installation and upgrade files for an Xstore Office system that connects to a Microsoft
SQL Server database that does not use Unicode characters. Contains Point-of-Service
Installation .zip Files.
mssql-unicode_install, upgrade
Installation and upgrade files for an Xstore Office system that connects to a Microsoft
SQL Server database that uses Unicode characters. Contains Point-of-Service Installation
.zip Files.
OracleRetailXstorePointofService_X_X_X_X_X_CCC_V_V_V.zip
Extract this .zip file to create a directory that contains installation files for Xstore Office
and related software. This directory will have the format:
X.X.X.X.XXX_V.V.V
where:
• X.X.X.X.XXX is the version and build number
• V.V.V is a customer release version
This extracted directory will contain the following directories:
pos
Installation files for the Xstore Point of Service software. This includes the following
subdirectory:
• mobile - Installation files for Xstore Point of Service Mobile.
xservices
Installation files for Xstore Point of Service web services.
xenvironment
Installation files for Xenvironment.
OracleRetailXstoreCommon_X_X_X_X_X_CCC_V_V_V.zip
Extract this .zip file to create a directory X_X_X_X_X_CCC_V_V_V, where:
• X_X_X_X_X is the version and build number.
• CCC is the customer ID (XST for base Xstore Office).
• V_V_V is the customer release version.
This extracted directory will contain the following directories:
genkeys
Installation files for the GenKeys utility. This includes the string encryption utility (see
Appendix A: “String Encrypter Utility”) used to encrypt information in the installation
procedure, and generates security keys for use by Xstore Office.
jrepackager
Creates a JRE .zip file used by the installation procedure.
DataLoader
“Dataloader Upgrade”
Xenvironment
“Upgrading Xenvironment”
Note: The update.ok file serves as a flag file, meaning that its
presence is checked, not its contents. (The contents of this update.ok
file are irrelevant). The update.ok flag file will be deleted during the
update process.
Jetty or Tomcat
Note: If using Tomcat rather than Jetty, simply substitute Tomcat for
the Jetty locations shown in the procedure.
If using Tomcat, you must rename the xcenter and xadmin war files to
xcenter.war and xadmin.war.
By default, the names of these files include build number information.
They must be renamed to xcenter.war and xadmin.war before use.
Dataloader Upgrade
1. Copy the dataloader folder (located in the tools folder) to a temporary location
and open it.
2. Open the dataloader subdirectory.
3. Open ant.install.properties file and confirm the values. Edit as needed.
4. In a Command Prompt navigate to the folder where the installer is located and enter
the following command:
c:\jre\bin\java -jar xstore-B.B.B.B.B-V.V.V-CCC-dataloader-upgrade.jar
Xservices Upgrade
Note: Updates and Upgrades are only applied on systems where
Xservices is installed.
Upgrading Xenvironment
Important: Updates and Upgrades are only applied on systems
where Xenvironment is installed.
Translation
Translation is the process of interpreting and adapting text from one language into
another. Although the code itself is not translated, components of the application that are
translated may include the following, among others:
• Graphical user interface (GUI)
• Error messages
The following components are not usually translated:
• Documentation (for example, Online Help, Release Notes, Installation Guide, User
Guide, Operations Guide)
• Batch programs and messages
• Log files
• Configuration Tools
• Reports
• Demo data
• Training Materials
The user interface for Xstore Point of Service has been translated into:
• EN - English
• ES - Spanish
• DE - German
• IT - Italian
• JA - Japanese
• RU - Russian
• FR - French
• PT-BR - Brazilian Portuguese
Localization
The default country settings can be overridden to suit the specific retailer's requirements
during the installation of Xstore Point of Service.
The country settings include country specific configurations and features such as:
• Date/Time formats
• Default address and printed address formats
• Default phone and post code formats, default receipt formats
• Capture customer info, when tenders or cash tenders exceed defined thresholds
• Automated Store Close Z-Reports
• Fiscal printer and other fiscalization support
Configuration Accelerators
For information about configuration accelerators (localization packs), including
procedures for applying them, see the Xstore Suite Configuration Accelerator Guide. This
document is available on My Oracle Support, Doc ID 1994467.1.
Fiscalization
Xstore Point of Service supports features, base frameworks and extensions to help
support fiscal, tax, currency and general selling rules and requirements in different
countries, regions, and tax authorities, especially within fiscal countries.
Many countries and regions have specific requirements, some of which are best practice,
and others are mandated by the country and/or the country’s tax authorities.
Some of these fiscal features and rules are included within the localization country
settings.
Features
Fiscal Printer Support
Framework extensions enable the support of fiscal printers with minimal integration
requirements.
Currency Rounding
Rules that control currency rounding effects based on configurable criteria are
supported by Xstore Point of Service.
Enforced End of Day
Xstore Point of Service is able to enforce cessation of trading to comply with regulations
in some regions and localities.
Extended Address Syntaxes
Xstore Point of Service supports extended address syntaxes such as neighborhood and
county address fields.
Digital Signature Support
Xstore Point of Service supports fiscal digital signatures enforced in some fiscal
locations.
Invoice Printing
Xstore Point of Service produces an invoice as well as a receipt in certain localities.
Enhanced Transaction Mixing Rules
Xstore Point of Service supports enhanced rules for controlling contents of transactions
and the mixing of basket line types, to comply with regulations in many countries.
Sequential Numbers by Store
Xstore Point of Service supports sequential numbers by store, instead of by individual
register, e.g. for invoice numbers, credit notes etc.
Transaction Discounts displayed in Total Section
The transaction discounts are displayed in the Total section on the item display, instead
of displaying discounts against each item, to comply with regulations in some countries.
Storage and Search by Fiscal Receipt/Invoice Number
Xstore Point of Service supports storage and search by fiscal receipt/invoice number, to
comply with regulations in some countries.
Printing of Receipts for cancelled Transactions
Xstore Point of Service Suite allows for filling in store, and for searching for cancelled
receipts.
Display Items Tax Code and Tax Summary on Receipt
Xstore Point of Service allows for more flexibility of receipt contents, and is a
requirement in certain countries.
The Encrypter utility is a stand-alone package that allows you to run encrypt.bat for
encryption of text using Xstore Suite cipher keys.
- For Windows, execute encrypt.bat to run the string Encrypter.
- For Linux, execute encrypt.sh to run the string Encrypter.
1. Double-click the encrypt.bat (or encrypt.sh) utility.
2. Complete the fields as needed.
a. customer - Salt value. This is not the customer code, unless the customer code is being
used as the salt value.
b. keystore - Location of the GenKeys certificate files.
c. value - String to be encrypted.
d. cipher - Do not change this value.
3. Click the encrypt button to create the encrypted string in the result field.
4. Click the copy button to copy the encrypted value to the system clipboard.
Introduction
In the interest of data security, retailers require the ability to manage the public key
certificates that are used when one part of the Point of Sale (POS) solution communicates
with another. This section will concentrate on public key certificates for use within a
managed network, specifically for use with Xstore Point of Service, Oracle Retail Xstore
Office, Xenvironment, and the web server.
A JRE must exist on the secured system before you can create the TLS
certificates.
When the term “certificate” appears in this document, it refers to a public key certificate.
The tools referenced in this document are OpenSSL and Sun’s keytool utility. The steps in
this guide assume that both utilities have been installed and added to the system path. (See
“OpenSSL & Keytool Utility”). Other tools could potentially be used in place of these;
however, to keep things simple we will only cover one way of doing things.
Important: The private key that goes with a public key certificate is
considered extremely sensitive information since it is used to initiate
an encrypted communication session that may contain customers’
cardholder data.
For this reason, Oracle will not store or create a customer’s production
private keys on its corporate network, nor will Oracle accept a private
key file in any form. This policy has been adopted to provide
additional security protection to our customers.
The steps in this guide assume that both OpenSSL and Sun’s keytool utility have been
installed and added to the system path. A JRE must exist on the secured system before
you can create the TLS certificates. See “Create JRE Package” of Chapter 2, “Prerequisites
for Installing Xstore Office” or “Create JRE Package” of Chapter 4, “Prerequisites for
Installing Xstore Point of Service”.
- To add the keytool utility to your system path (if you have finished installing
GenKeys), append the following to the end of the Path:
;c:\jre\bin
Note: This assumes that you have completed “Create JRE Package” in
Chapter 4, “Prerequisites for Installing Xstore Point of Service”.
Windows
1. Open a command prompt and type the following sequence of commands:
md c:\cert\sslcert
cd c:\cert\sslcert
md certs
md private
echo 100001 > serial
echo on > certindex.txt
2. Continue with “openssl.cnf”.
Linux
1. In a shell command window (for example, xterm), run the following sequence of
commands:
mkdir /opt/cert/sslcert
cd /opt/cert/sslcert
mkdir certs
mkdir private
echo 100001 > serial
touch certindex.txt
Keep the shell window open while performing the next steps.
2. Continue with “openssl.cnf”.
openssl.cnf
Certificate Authority (CA) signed TLS certificates require you to create an
openssl.cnf file, which defines configurations for the TLS certificates.
To create the openssl.cnf file:
1. Navigate to the c:\cert\sslcert or /opt/cert/sslcert directory.
2. Open a text-editing program (for example, Notepad, emacs, Wordpad, or vi).
3. Copy the following OpenSSL configuration information into the text-editing
program (for example, Notepad, emacs, Wordpad, or vi), editing the highlighted
fields as indicated:
#
# OpenSSL configuration file.
#
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 395
default_md = sha256
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
copy_extensions = copy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = sha256 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
keyUsage = digitalSignature,keyCertSign
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
0.organizationName_default = <Your Company>
organizationalUnitName = Organizational Unit Name (department, division)
organizationalUnitName_default = <Your Organizational Unit>
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = <Your Email Address>
localityName = Locality Name (city, district)
localityName_default = <Your City>
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = <Your State>
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
countryName_default = <Your 2-Letter Country Code>
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Province
countryName_default = US
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
cacert.pem
Many of the certificates used in the Xstore Suite require a certificate signed by a
certificate authority. To create your own certificate authority to sign your certificates, the
procedures in this manual use a cacert.pem file.
To create a cacert.pem file, do the following:
1. Open a command prompt.
2. Enter the following command:
- In Windows:
cd c:\cert\sslcert
md private
- In Linux:
cd /opt/cert/sslcert
mkdir -p private
3. Enter the following command in the sslcert directory:
- In Windows:
openssl req -new -x509 -extensions v3_ca -keyout
private\cakey.pem -out cacert.pem -days 3653 -config
openssl.cnf
- In Linux:
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem
-out cacert.pem -days 3653 -config ./openssl.cnf
Note: -days 3653 option - This value (ten years until expiration)
would typically only be used on a root certificate so that you do not
have to reissue it so often. At eight or nine years, you could generate an
additional root certificate and distribute both for one to two years.
c. Back up the two files that are created: cacert.pem located in the sslcert
directory and cakey.pem located in the sslcert/private directory.
Validation
Important: The procedures in this appendix assume a consistent use
of the values listed below.
When you create a certificate authority, the following entries are validated:
• Organization Name - This is the exact legal name of your organization. When
prompted, always enter the same value for your Organization Name.
• State or Province Name - This is the state or province where your organization is
located. This value cannot be abbreviated. When prompted, always enter the same
value for your State or Province Name.
• Country Name - This is the two-letter ISO code for your country. When prompted,
always enter the same value for your Country Name.
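The match rules listed above are enforced by the policy_match section of openssl.cnf when openssl ca signs a request. The following is an added example, not part of Oracle's guide: it builds a throwaway CA from a condensed copy of that configuration and shows a matching request being signed, a request with a different Organization Name being rejected, and a pre-signing check that refuses requests asking for CA:TRUE, which copy_extensions = copy would otherwise carry into the issued certificate. The subjects, host names, function names, and the unencrypted demo CA key are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example: scratch CA using a condensed copy of the guide's openssl.cnf.
# Subjects, host names and file names are constructed for the demo.

new_ca() {   # $1 = empty working directory
  ( cd "$1" || exit 1
    mkdir -p certs private && echo 100001 > serial && : > certindex.txt
    cat > openssl.cnf <<'EOF'
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 395
default_md = sha256
policy = policy_match
copy_extensions = copy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
EOF
    # -nodes keeps the demo non-interactive; the guide's procedure
    # protects cakey.pem with a passphrase instead.
    openssl req -new -x509 -nodes -newkey rsa:2048 -extensions v3_ca \
      -keyout private/cakey.pem -out cacert.pem -days 3653 -config openssl.cnf \
      -subj "/C=US/ST=Ohio/O=Example Retail/CN=Demo Root CA" 2>/dev/null
  )
}

# Stand-in for the keytool -certreq step, so the demo needs only openssl.
make_csr() {   # $1 = CA dir, $2 = name, $3 = subject, $4 = requested extension
  ( cd "$1" && openssl req -new -nodes -newkey rsa:2048 -config openssl.cnf \
      -keyout "$2.key" -out "$2.req" -subj "$3" -addext "$4" 2>/dev/null )
}

# True when the request asks for basicConstraints CA:TRUE.
csr_requests_ca() {   # $1 = CA dir, $2 = name
  ( cd "$1" && openssl req -in "$2.req" -noout -text -config openssl.cnf \
      | grep -q 'CA:TRUE' )
}

# Returns 2 for a refused CA:TRUE request, otherwise openssl ca's own status
# (non-zero when policy_match rejects the subject).
sign_csr() {   # $1 = CA dir, $2 = name
  if csr_requests_ca "$1" "$2"; then
    echo "refused: $2.req requests CA:TRUE" >&2; return 2
  fi
  ( cd "$1" && openssl ca -batch -config openssl.cnf -out "$2.cer" \
      -infiles "$2.req" 2>/dev/null )
}

# Prints "ok" or the name of the first failed check.
check_issued() {   # $1 = CA dir, $2 = name, $3 = SAN entry expected
  ( cd "$1" || exit 1
    openssl verify -CAfile cacert.pem "$2.cer" >/dev/null 2>&1 || { echo chain; exit 1; }
    txt=$(openssl x509 -in "$2.cer" -noout -text)
    printf '%s\n' "$txt" | grep -qF "$3"     || { echo san; exit 1; }
    printf '%s\n' "$txt" | grep -q 'CA:TRUE' && { echo is-ca; exit 1; }
    # default_days = 395: valid 394 days from now, expired 396 days from now.
    openssl x509 -in "$2.cer" -noout -checkend $((394 * 86400)) >/dev/null || { echo short; exit 1; }
    openssl x509 -in "$2.cer" -noout -checkend $((396 * 86400)) >/dev/null && { echo long; exit 1; }
    echo ok
  )
}

demo() {
  ca=$(mktemp -d) && new_ca "$ca" || return 1
  base="/C=US/ST=Ohio/O=Example Retail"
  make_csr "$ca" store01 "$base/OU=Xservices-20240101/CN=store01" \
           "subjectAltName=DNS:store01.example.test"
  sign_csr "$ca" store01 &&
    echo "store01: $(check_issued "$ca" store01 DNS:store01.example.test)"
  make_csr "$ca" store02 "/C=US/ST=Ohio/O=Another Company/CN=store02" \
           "subjectAltName=DNS:store02.example.test"
  sign_csr "$ca" store02 || echo "store02: rejected (organizationName = match)"
  make_csr "$ca" store03 "$base/CN=store03" "basicConstraints=CA:TRUE"
  sign_csr "$ca" store03 || echo "store03: not signed"
  rm -rf "$ca"
}
demo
```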
When prompted for a key password, press [Enter] to use the same
password as the keystore. Oracle recommends using the same
password for both the keystore password and the key password.
b. Answer the questions when prompted. (NOTE: The questions may appear in a
different order than shown in the table below. Answer each question
appropriately using the table below as a guide).
First and Last Name (aka Common Name) | The hostname or IP address that will be used to access the server. | localserver
Organizational Unit | Use this field to remind you what the certificate is used for. The OU must be different on each key. (One option is to add a date to make it unique). | Xcenter-YYYYMMDD
Note: Including the date in the aliases will help avoid someone
removing an old CA certificate too soon when rolling out a new CA
certificate. It is recommended that you have an overlapping period
when certificates issued with both the old and the new CA certificates
are acceptable.
For this example, we will assume that we were given a cacert.pem file.
a. Copy the cacert.pem file to the c:\cert\xstore directory. Secure channels
are not required for receiving the root certificate because no private key
information is included in the file.
b. Type the following command in the c:\cert\xstore directory:
keytool -import -file cacert.pem -keystore server.keystore
-alias myrootca-YYYYMMDD
c. When prompted, enter the keystore password.
d. When prompted, type y or yes to trust the certificate. The certificate is added to
the keystore.
7. Import the Signed Request into the Keystore.
For this example, we will assume that we were given
xcenter-YYYYMMDD.der.cer to work with.
a. Copy xcenter-YYYYMMDD.der.cer to the c:\cert\xcenter folder. Secure
channels are not required for receiving the signed certificate request file because
no private key is included in the file.
b. Type the following command in the C:\cert\xcenter directory:
keytool -import -trustcacerts -file xcenter-YYYYMMDD.der.cer
-keystore server.keystore -alias xcenter-YYYYMMDD
c. When prompted, enter the keystore password. The certificate reply is installed
in the keystore.
d. The resulting server.keystore will be used during the Jetty/Tomcat install.
See “Install an Application Server: WebLogic, Jetty, or Tomcat” of Chapter 3,
“Install Xstore Office” for installation instructions.
The root certificate must be created by the customer and provided to the person
installing the software in order for the following steps to be executed.
After installing Xstore Point of Service, perform the following steps to import the root
certificate into Xstore Point of Service’s truststore.
1. Run the following command in the xcenter directory to import the root certificate
into Xstore Point of Service’s Truststore.
- Windows:
keytool -import -file cacert.pem -keystore
\xstore\res\ssl\.truststore -alias myrootca-YYYYMMDD
- Linux:
keytool -import -file cacert.pem -keystore
/opt/xstore/res/ssl/.truststore -alias myrootca-YYYYMMDD
2. When prompted, enter the keystore password.
3. When prompted, type y or yes to trust the certificate.
4. Place the truststore file on every Xstore Point of Service register in the field, and
verify that appropriate DataSourceConfig or InstallX settings are in place on every
system as well.
5. Run the following command in the xcenter directory to import the root certificate
into Xenvironment’s truststore.
- Windows:
keytool -import -file cacert.pem -keystore
\environment\res\ssl\.truststore -alias myrootca-YYYYMMDD
- Linux:
keytool -import -file cacert.pem -keystore
/opt/environment/res/ssl/.truststore -alias
myrootca-YYYYMMDD
6. Place the .truststore file on every Xenvironment system in the field.
b. Answer the questions when prompted. (NOTE: The questions may appear in a
different order than shown in the table below. Answer each question
appropriately using the table below as a guide).
First and Last Name (aka Common Name) | The hostname or IP address that will be used to access the server. | StoreName
Organizational Unit | Use this field to remind you what the certificate is used for. The OU must be different on each key. (One option is to add a date to make it unique). | Xservices-YYYYMMDD
Before proceeding with this step, you should have your certificate request file ready.
For this example, we will assume that we were given xservices-YYYYMMDD.req
to work with. Details on creating certification requests are outlined in step 2.
a. Copy xservices-YYYYMMDD.req to the sslcert directory on the Certificate
Authority system. Secure channels are not required for receiving the request
because no private key is included in the request file.
b. Enter the following command in the sslcert directory:
openssl ca -out xservices-YYYYMMDD.cer -config openssl.cnf
-infiles xservices-YYYYMMDD.req
c. When prompted, enter the password for ./private/cakey.pem.
d. When prompted to sign the certificate, type y or yes.
e. When prompted to commit the certificate, type y or yes.
f. Run the following lines in the C:\cert\sslcert directory. This assumes you
used the base path names.
* Windows:
set OPENSSL_CONF=c:\cert\sslcert\openssl.cnf
openssl x509 -in xservices-YYYYMMDD.cer -out
xservices-YYYYMMDD.der.cer -outform DER
* Linux:
export OPENSSL_CONF=/opt/cert/sslcert/openssl.cnf
openssl x509 -in xservices-YYYYMMDD.cer -out
xservices-YYYYMMDD.der.cer -outform DER
g. Return the resulting .der.cer file to the party that submitted the request file
along with the cacert.pem file. Secure channels are not required because the
signed certificate file does not contain any private key information.
6. Import the Root Certificate into the Keystore.
Note: Including the date in the aliases will help avoid someone
removing an old CA certificate too soon when rolling out a new CA
certificate. It is recommended that you have an overlapping period
when certificates issued with both the old and the new CA certificates
are acceptable.
For this example, we will assume that we were given a cacert.pem file.
a. Copy the cacert.pem file to the xservices directory. Secure channels are not
required for receiving the root certificate because no private key information is
included in the file.
b. Enter the following command in the xservices directory:
keytool -import -file cacert.pem -keystore keystore -alias
myrootca-YYYYMMDD
c. When prompted, enter the keystore password.
d. When prompted, type y or yes to trust the certificate.
7. Import the Signed Request into the Keystore.
Prerequisites:
1. Both OpenSSL and Sun’s keytool utility must be installed and added to the system
path. See “OpenSSL & Keytool Utility” for more information.
2. The openssl.cnf and cacert.pem files must exist. See “Create a Certificate
Authority” for more information. If you have already created a certificate authority
while following this guide for another product, use the certificate authority that was
created at that time.
4. Submit the resulting .csr file to the certificate assigning authority to be signed.
Secure channels are not required for sending the request because no private key
information is included in the request file.
After installing the web server, perform the following steps to import the CA's public
key. See Chapter 3, “Install Xstore Office” for more information.
1. Enter the following command in the C:\cert\apache directory to import the CA's
public key into xcenter-config's truststore.
- Windows:
keytool -import -file cacert.pem -alias myrootca-YYYYMMDD
-keystore c:\xcenter-config\res\ssl\.truststore
- Linux:
keytool -import -file cacert.pem -alias myrootca-YYYYMMDD
-keystore /opt/xcenter-config/res/ssl/.truststore
2. When prompted, enter and confirm the keystore password.
3. When prompted to trust the certificate, type y or yes.
4. Place the truststore file on every Xstore Point of Service register in the field.
5. Run the following command in the apache directory to import the root certificate
into Xenvironment’s truststore.
- Windows:
keytool -import -file cacert.pem -alias myrootca-YYYYMMDD
-keystore \environment\res\ssl\.truststore
- Linux:
keytool -import -file cacert.pem -alias myrootca-YYYYMMDD
-keystore /opt/environment/res/ssl/.truststore
6. Place the .truststore file on every Xenvironment system in the field.
1. To create a directory structure for key creation, type the following commands:
- Windows:
md C:\cert\xstoremobile
cd C:\cert\xstoremobile
- Linux:
mkdir /opt/cert/xstoremobile
cd /opt/cert/xstoremobile
2. To create a Keystore, Key, and Certificate Signing Request, type the following
command:
keytool -genkey -keystore keystore -alias
xstoremobile-YYYYMMDD -keyalg RSA -keysize 2048 -ext
SAN=DNS:<hostname>[,DNS:<hostname>...] -validity 395
Where YYYYMMDD is the year, month, and day on which the certificate is created.
If you have to use IP addresses as SAN parameter, see the example below.
Example:
-ext
SAN=DNS:hostname1,IP:198.51.100.1,DNS:hostname2,IP:198.51.100.2, [...]
Note: You can use any combination of DNS and IPs in the same SAN
parameter separated by commas.
First and Last Name (aka Common Name) | The hostname or IP address that will be used to access the server. | StoreName
Organizational Unit | Use this field to remind you what the certificate is used for. The OU must be different on each key. (One option is to add a date to make it unique). | XstoreMobile-YYYYMMDD
Note: Secure channels are not required because the signed certificate
file does not contain any private key information.
Note: Including the date in the aliases will help avoid someone
removing an old CA certificate too soon when rolling out a new CA
certificate. It is recommended that you have an overlapping period
when certificates issued with both the old and the new CA certificates
are acceptable.
For this example, we will assume that we were given a cacert.pem file.
a. Copy the cacert.pem file to the c:\cert\xstoremobile folder. Secure
channels are not required for receiving the root certificate because no private
key information is included in the file.
b. Run the following command in the c:\cert\xstoremobile directory:
keytool -import -file cacert.pem -keystore keystore -alias
myrootca-YYYYMMDD
c. When prompted, enter the keystore password.
d. When prompted, type y or yes to trust the certificate.
7. Import the Signed Request into the Keystore.
When prompted for a key password, press [Enter] to use the same
password as the keystore. Oracle recommends using the same
password for both the keystore password and the key password.
b. Answer the questions when prompted. (The questions may appear in a different
order than shown in the table below. Answer each question appropriately using
the table below as a guide).
First and Last Name (aka Common Name) | The hostname or IP address that will be used to access the server. | StoreName
Organizational Unit | Use this field to remind you what the certificate is used for. The OU must be different on each key. (One option is to add a date to make it unique). | Xcenter-YYYYMMDD
After installing Xstore Point of Service, perform the following steps to import the
Certificate into Xstore Point of Service's Truststore. (See “Install Xstore Point of Service”
of Chapter 5, “Install Xstore Point of Service”)
1. To import the Certificate into Xstore Point of Service's Truststore, type the following
command:
- Windows:
b. Answer the questions when prompted. (NOTE: The questions may appear in a
different order than shown in the table below. Answer each question
appropriately using the table below as a guide).
First and Last Name (aka Common Name) | The hostname or IP address that will be used to access the server. | StoreName
Organizational Unit | Use this field to remind you what the certificate is used for. The OU must be different on each key. (One option is to add a date to make it unique). | Xservices-YYYYMMDD
1. To create a directory structure for key creation, type the following commands:
- Windows:
md C:\cert\apache
cd C:\cert\apache
- Linux:
mkdir /opt/cert/apache
cd /opt/cert/apache
2. To generate a self-signed certificate, type the following command in the apache
directory:
openssl req -x509 -nodes -days 395 -newkey rsa:2048 -keyout
server.key -out server.crt
3. Answer the questions when prompted. This information will be incorporated into
the certificate request. (NOTE: The questions may appear in a different order than
shown in the table below. Answer each question appropriately using the table below
as a guide).
4. Retain the server.key and server.crt files for the Apache installer.
5. The server.crt file, along with the server.key file that was originally
generated, will be used by the Xstore Office web server. See Chapter 3, “Install
Xstore Office” for more information.
After installing the web server and Xenvironment, perform the following steps to
import the public key into xcenter-config's truststore. See Chapter 3, “Install Xstore
Office” for more information.
1. To import the public key into xcenter-config's truststore, type the following
command in the apache directory:
- Windows:
keytool -import -file server.crt -alias apache-YYYYMMDD
-keystore c:\xcenter-config\res\ssl\.truststore
- Linux:
keytool -import -file server.crt -alias apache-YYYYMMDD
-keystore /opt/xcenter-config/res/ssl/.truststore
2. When prompted, enter the keystore password.
3. When prompted, type y or yes to trust the certificate.
4. Place the truststore file on every Xstore Point of Service register in the field.
5. Run the following command in the apache directory to import the root certificate
into Xenvironment’s truststore.
- Windows:
keytool -import -file server.crt -alias apache-YYYYMMDD
-keystore \environment\res\ssl\.truststore
- Linux:
keytool -import -file server.crt -alias apache-YYYYMMDD
-keystore /opt/environment/res/ssl/.truststore
6. Place the .truststore file on every Xenvironment system in the field.
Example:
-ext
SAN=DNS:hostname_1,IP:198.51.100.1,DNS:hostname_2,IP:198.51.100.2, [...]
Note: You can use any combination of DNS and IPs in the same SAN
parameter separated by commas.
Xenvironment Certificates
Generating and Importing the Key File (Windows)
Digital Signatures
If you are using .sig digital signature files to validate updates, you will need to
perform additional steps to prepare the system for signature file creation.
12. Copy the certificate portion of the updates-YYYYMMDD.cer file to the clipboard.
This is the part of the file that begins with the -----BEGIN CERTIFICATE-----
line and ends with the -----END CERTIFICATE----- line.
13. Open the file updates.pem in a text-editing program (for example, Wordpad).
14. Paste the certificate portion of the updates-YYYYMMDD.cer file to the end of the
updates.pem file and save the updates.pem file.
The final file should appear similar to the following:
-----BEGIN CERTIFICATE-----
[certificate data]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[certificate data]
-----END CERTIFICATE-----
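Because updates.pem is assembled by hand in steps 12 to 14, it is worth checking that every certificate block in it still parses and is not close to expiry before it is deployed. The following is an added example, not part of Oracle's guide: the function names, the sample certificates, and the 30-day warning window are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example: audit a concatenated PEM bundle such as updates.pem.
# Only CERTIFICATE blocks are examined; other PEM block types are ignored.

# Prints one line per certificate block: "<n> <STATUS> [subject]".
# STATUS is OK, EXPIRING (notAfter falls inside the window) or MALFORMED
# (the block does not parse). Returns 0 only when every block is OK.
audit_bundle() {   # $1 = PEM bundle, $2 = warning window in days
  tmp=$(mktemp -d) || return 2
  awk -v d="$tmp" '
    /^-----BEGIN CERTIFICATE-----/ { n++; keep = 1 }
    keep                           { print > (d "/" n ".pem") }
    /^-----END CERTIFICATE-----/   { keep = 0 }
  ' "$1"
  status=0; i=1
  while [ -f "$tmp/$i.pem" ]; do
    if ! subj=$(openssl x509 -in "$tmp/$i.pem" -noout -subject 2>/dev/null); then
      echo "$i MALFORMED"; status=1
    elif ! openssl x509 -in "$tmp/$i.pem" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
      echo "$i EXPIRING $subj"; status=1
    else
      echo "$i OK $subj"
    fi
    i=$((i + 1))
  done
  [ "$i" -gt 1 ] || { echo "0 MALFORMED no certificate blocks found"; status=1; }
  rm -rf "$tmp"
  return $status
}

# Constructed demo input: a self-signed certificate with the given lifetime.
make_cert() {   # $1 = output file, $2 = CN, $3 = validity in days
  cnf=$(mktemp) || return 1
  printf '[req]\ndistinguished_name=dn\n[dn]\ncommonName=CN\n' > "$cnf"
  openssl req -x509 -nodes -newkey rsa:2048 -days "$3" -subj "/CN=$2" \
    -config "$cnf" -keyout "$1.key" -out "$1" 2>/dev/null
  made=$?; rm -f "$cnf" "$1.key"; return $made
}

demo() {
  w=$(mktemp -d) || return 1
  make_cert "$w/old.pem" updates-old 20     # certificate about to be rotated out
  make_cert "$w/new.pem" updates-new 395    # replacement, 395 days as in the guide
  cat "$w/old.pem" "$w/new.pem" > "$w/updates.pem"
  audit_bundle "$w/updates.pem" 30
  # Simulated paste error: drop the fifth line of the second block.
  awk '/BEGIN/ { b++ } !(b == 2 && ++l == 5)' "$w/updates.pem" > "$w/broken.pem"
  audit_bundle "$w/broken.pem" 30
  rm -rf "$w"
}
demo
```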
Linux Instructions
Generating and Importing the Key File (Linux)
In order to run Xenvironment with the GUI, you must import a TLS certificate into the
GUI’s truststore as a key file. This is done through line commands in a command
window. You may use your own keys, or you can use OpenSSL to create key files.
- Email Address: Enter your email address, or the email address of the
administrator responsible for the register systems.
The openssl program generates the file cacert.pem.
The program displays the following information (note that the information is an
example, and should not match your certificate):
Owner: EMAILADDRESS=******@******.com, CN=******, OU=******,
O=******, L=******, ST=******, C=***
Issuer: EMAILADDRESS=******@******.com, CN=******, OU=******,
O=******, L=******, ST=******, C=***
Serial number: *********************************
Valid from: Mon Feb 16 09:51:08 EST 2009 until: Thu Feb 14
09:51:08 EST 2019
Certificate fingerprints:
MD5: ***********************************************
SHA256: *********************************************************
Trust this certificate? [no]:
The final line prompts whether to trust the certificate.
4. Enter y or yes.
The program displays the following to confirm that the key file was imported:
Certificate was added to keystore
5. In the Command Prompt, enter the following command:
keytool -import -keystore /opt/xstore/res/ssl/.truststore -alias
xenv -file /opt/cert/sslcert/cacert.pem
The keytool import program prompts you for the keystore password.
6. Enter the keystore password. The default value for the password is “allgoodthings”.
The program displays the following information (note that the information is an
example, and should not match your certificate):
Owner: EMAILADDRESS=******@******.com, CN=******, OU=******,
O=******, L=******, ST=******, C=***
Issuer: EMAILADDRESS=******@******.com, CN=******, OU=******,
O=******, L=******, ST=******, C=***
Serial number: ************(shortened for brevity here)
Valid from: Mon Feb 16 09:51:08 EST 2009 until: Thu Feb 14
09:51:08 EST 2019
Certificate fingerprints:
MD5: ***********************************************
SHA256: *********************************************************
Trust this certificate? [no]:
The final line prompts whether to trust the certificate.
7. Enter y or yes.
The program displays the following to confirm that the key file was imported:
Certificate was added to keystore
The installation process is complete.
14. Turn on signature validation in the cust_config/environment.properties
file with the following setting:
security.signaturevalidation=True
15. Save the file.
Self-Signed Certificates
If you are using self-signed certificates, the generated certificate will need to be added to
the servers and all client systems.
Refer to “Annual Key Rotation: Self-Signed Certificates” if you are using Self-signed
certificates.
Old keys and certificates should be removed once the keys and
certificates reach the end of their usable life.
Note: The steps in this section assume that both OpenSSL and Sun’s
keytool utility have been installed and added to the system path. See
“OpenSSL & Keytool Utility”.
1. To create a new certificate and certificate signing request, type the following
command in the C:\cert\xstore or /opt/cert/xstore directory. The
originally-generated keystore file should be in the working directory.
keytool -genkey -keystore server.keystore -alias
xcenter-YYYYMMDD -keyalg RSA -keysize 2048 -ext
SAN=DNS:<hostname>[,DNS:<hostname>...] -validity 395
-dname "CN=<common_name>, OU=<organizational_unit>,
O=<organization_name>, L=<city>, S=<territory>, C=<country>"
a. When prompted, enter the keystore password.
b. When prompted, press [Enter] to use the same password as the keystore
(Recommended).
c. Enter the following command in the xstore directory:
keytool -certreq -keystore server.keystore -alias
xcenter-YYYYMMDD -file xcenter-YYYYMMDD.req -ext
SAN=DNS:<hostname>[,DNS:<hostname>...]
d. When prompted, enter the keystore password.
2. Submit the resulting req file to the certificate assigning authority to be signed.
Secure channels are not required for sending the request because no private key
information is included in the request file.
3. Sign the Certificate Signing Request with the Root Certificate.
Before proceeding with this step, you should have your certificate request file ready.
For this example, we will assume that we were given xcenter-YYYYMMDD.req to
work with.
a. Copy xcenter-YYYYMMDD.req to the c:\cert\sslcert or
/opt/cert/sslcert directory on the Certificate Authority system. Secure
channels are not required for receiving the request because no private key is
included in the request file.
b. Enter the following command in the c:\cert\sslcert or
/opt/cert/sslcert directory:
openssl ca -out xcenter-YYYYMMDD.cer -config openssl.cnf
-infiles xcenter-YYYYMMDD.req
c. Type the password for ./private/cakey.pem.
d. When prompted to sign the certificate, type y or yes.
e. When prompted to commit the certificate, type y or yes.
f. Enter the following commands in the sslcert directory. This assumes you used
the base path names.
* Windows:
set OPENSSL_CONF=c:\cert\sslcert\openssl.cnf
openssl x509 -in xcenter-YYYYMMDD.cer -out
xcenter-YYYYMMDD.der.cer -outform DER
* Linux:
export OPENSSL_CONF=/opt/cert/sslcert/openssl.cnf
openssl x509 -in xcenter-YYYYMMDD.cer -out
xcenter-YYYYMMDD.der.cer -outform DER
g. Return the resulting .der.cer file to the party that submitted the request file
along with the cacert.pem file. Secure channels are not required because the
signed certificate file does not contain any private key information.
4. Import the Signed Request into the Keystore.
For this example, we will assume that we were given
xcenter-YYYYMMDD.der.cer to work with.
a. Copy xcenter-YYYYMMDD.der.cer to the c:\cert\xstore or
/opt/cert/xstore directory. Secure channels are not required for receiving
the signed certificate request file because no private key is included in the file.
b. Enter the following command in the xstore directory:
keytool -import -trustcacerts -file
xcenter-YYYYMMDD.der.cer -keystore server.keystore -alias
xcenter-YYYYMMDD
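5. Back up the existing deployed keystore file and add the newly created keystore file
by running the following commands in the C:\cert\xstore or /opt/cert/xstore directory:
- Windows: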
ren c:\jetty-x.x.x\etc\server.keystore
server.keystore.preYYYYMMDD
copy server.keystore c:\jetty-x.x.x\etc
- Linux:
mv /opt/jetty-x.x.x/etc/server.keystore
/opt/jetty-x.x.x/etc/server.keystore.preYYYYMMDD
cp server.keystore /opt/jetty-x.x.x/etc
6. Update the certificate alias name in the jetty-xcenter.xml file.
For Jetty, the connector that needs to be updated should look similar to the
following. The certAlias will need to be updated to match the alias of the newly
generated key.
<Set name="certAlias">jetty-YYYYMMDD</Set>
7. Restart Jetty to begin using the new key.
For Xservices
Note: In addition to replacing the alias and certificate signing request
names with updated appropriate names, as was done during the
generation of the initial keys, the originally determined values should
be substituted into this command in the following locations:
• First and Last Name (aka Common Name) should be entered in place of
<common_name>
• Organizational Unit should be entered in place of <organizational_unit>
• The OU must be different on each key. (One option is to add a date to make
it unique).
• Organization Name should be entered in place of <organization_name>
• City or Locality should be entered in place of <city>
• State or Province Name should be entered in place of <territory>
• Two-letter country code should be entered in place of <country>
1. To create a new certificate and certificate signing request, type the following
command in the C:\cert\xservices directory. The originally-generated keystore
file should be in the working directory.
keytool -genkey -keystore keystore -alias xservices-YYYYMMDD
-keyalg RSA -keysize 2048 -ext
SAN=DNS:<hostname>[,DNS:<hostname>...] -validity 395 -dname
"CN=<common_name>, OU=<organizational_unit>,
O=<organization_name>, L=<city>, S=<territory>, C=<country>"
a. When prompted, enter the keystore password.
b. When prompted, press [Enter] to use the same password as the keystore
(Recommended).
c. Type the following command in the C:\cert\xservices or
/opt/cert/xservices directory:
keytool -certreq -keystore keystore -alias
xservices-YYYYMMDD -file xservices-YYYYMMDD.req -ext
SAN=DNS:<hostname>[,DNS:<hostname>...]
d. When prompted, enter the keystore password.
2. Submit the resulting req file to the certificate assigning authority to be signed.
Secure channels are not required for sending the request because no private key
information is included in the request file.
3. Sign the Certificate Signing Request with the Root Certificate.
For Apache
Note: This process creates new files, so make sure you retain copies of
the previous server.key, server.csr, and server.crt files for
archival purposes. Oracle recommends creating a subdirectory to hold
the three files used previously and renaming the files with a date or
other identifying information before following these steps.
1. To create a new certificate and certificate signing request, type the following
command in the C:\cert\apache or /opt/cert/apache directory:
openssl req -nodes -days 395 -newkey rsa:2048 -keyout
server.key -out server.csr -config
<location of ssl conf file>/openssl.cnf
a. Answer all questions when prompted. See “To create and deploy Certificate
Authority-Signed Certificates for Apache”.
2. Submit the resulting csr file to the certificate assigning authority to be signed.
Secure channels are not required for sending the request because no private key
information is included in the request file.
3. Sign the Certificate Signing Request with the Root Certificate.
For this example, we will assume that we were given server.csr to work with.
a. Copy server.csr to the c:\cert\sslcert or /opt/cert/sslcert folder
on the Certificate Authority system. Secure channels are not required for
receiving the request because no private key is included in the request file.
b. Type the following command in the C:\cert\apache or /opt/cert/apache
directory:
openssl ca -out server.crt -config openssl.cnf -infiles
server.csr
c. Type the password for ./private/cakey.pem.
d. When prompted to sign the certificate, type y or yes.
e. When prompted to commit the certificate, type y or yes.
f. Return the resulting crt file to the party that submitted the request file along
with the cacert.pem file. Secure channels are not required because the signed
certificate file does not contain any private key information.
4. Remove the previous year's server.csr and server.key from the conf folder
(apache-x.x.x\conf). Remember to rename and move the previous certificates
for archival purposes.
5. Place the new files in the apache-x.x.x\conf folder, replacing the previous year’s
files.
6. Restart Apache to begin using the new key.
1. To create and self-sign a new certificate, type the following command in the
C:\cert\xstore or /opt/cert/xstore directory. The originally-generated
keystore file should be in the working directory.
keytool -genkey -keystore server.keystore -alias
xcenter-YYYYMMDD -keyalg RSA -keysize 2048 -ext
SAN=DNS:<hostname>[,DNS:<hostname>...] -validity 395
-dname "CN=<common_name>, OU=<organizational_unit>,
O=<organization_name>, L=<city>, S=<territory>, C=<country>"
a. When prompted, enter the keystore password.
b. When prompted, press [Enter] to use the same password as the keystore
(Recommended).
c. Type the following command in the xstore directory:
keytool -selfcert -alias xcenter-YYYYMMDD -keystore
server.keystore -validity 395
d. When prompted, enter the keystore password.
2. To export the Certificate, type the following command in the C:\cert\xstore or
/opt/cert/xstore directory:
keytool -export -alias xcenter-YYYYMMDD -keystore
server.keystore -rfc -file xcenter-YYYYMMDD.cer
a. When prompted, enter the keystore password.
3. To import the Certificate into Xstore Point of Service's Truststore, type the following
command in the xstore directory.
- Windows:
keytool -import -file xcenter-YYYYMMDD.cer -keystore
\xstore\res\ssl\.truststore -alias xcenter-YYYYMMDD
- Linux:
keytool -import -file xcenter-YYYYMMDD.cer -keystore
/opt/xstore/res/ssl/.truststore -alias xcenter-YYYYMMDD
a. When prompted, enter the keystore password.
b. When prompted, type y or yes to trust the certificate.
4. Deploy the updated truststore file to all Xstore Point of Service registers.
5. Once the new truststore has been fully rolled out, back up the existing deployed
keystore file and add the newly created keystore file by running the following
commands in the C:\cert\xstore or /opt/cert/xstore directory:
- Windows:
ren c:\jetty-x.x.x\etc\server.keystore
server.keystore.preYYYYMMDD
copy server.keystore c:\jetty-x.x.x\etc
- Linux:
mv /opt/jetty-x.x.x/etc/server.keystore
/opt/jetty-x.x.x/etc/server.keystore.preYYYYMMDD
cp server.keystore /opt/jetty-x.x.x/etc
6. Update the certificate alias name in the jetty-xcenter.xml file. On Jetty 9.x.x,
the jetty-xcenter.xml is stored in the C:\jetty-x.x.x\etc or
/opt/jetty-x.x.x/etc directory.
For Jetty 9.x.x, the connector that needs to be updated should look similar to the
following. The certAlias will need to be updated to match the alias of the newly
generated key:
<Set name="certAlias">jetty-YYYYMMDD</Set>
7. Restart Jetty to begin using the new key.
For Xservices
Note: In addition to replacing the alias and certificate signing request
names with updated appropriate names, as was done during the
generation of the initial keys, the originally determined values should
be substituted into this command in the following locations:
• First and Last Name (aka Common Name) should be entered in place of
<common_name>
• Organizational Unit should be entered in place of <organizational_unit>
• The OU must be different on each key. (One option is to add a date to make
it unique).
• Organization Name should be entered in place of <organization_name>
• City or Locality should be entered in place of <city>
• State or Province Name should be entered in place of <territory>
• Two-letter country code should be entered in place of <country>
1. To create and self-sign a new certificate, type the following commands in the
C:\cert\xservices or /opt/cert/xservices directory. The originally-
generated keystore file should be in the working directory.
keytool -genkey -keystore keystore -alias xservices-YYYYMMDD
-keyalg RSA -keysize 2048 -ext
SAN=DNS:<hostname>[,DNS:<hostname>...] -validity 395 -dname
"CN=<common_name>, OU=<organizational_unit>,
O=<organization_name>, L=<city>, S=<territory>, C=<country>"
a. When prompted, enter the keystore password.
b. When prompted, press [Enter] to use the same password as the keystore
(Recommended).
c. Type the following command in the C:\cert\xservices or
/opt/cert/xservices directory:
keytool -selfcert -alias xservices-YYYYMMDD -keystore
keystore -validity 395
d. When prompted, enter the keystore password.
2. Remove the previous year's server certificate from the keystore file by running the
following command in the C:\cert\xservices or /opt/cert/xservices
directory.
For this example, we will assume that the previous year's keystore was named
xservices-YYYYMMDD. The appropriate alias will need to be substituted as
needed.
keytool -delete -keystore keystore -alias xservices-YYYYMMDD
a. When prompted, enter the keystore password.
3. Back up the existing deployed keystore file and add the newly created keystore file
by running the following commands in the C:\cert\xservices or
/opt/cert/xservices directory.
- Windows:
ren c:\xservices-config\keystore keystore.preYYYYMMDD
copy keystore c:\xservices-config
- Linux:
mv /opt/xservices-config/keystore
/opt/xservices-config/keystore.preYYYYMMDD
cp keystore /opt/xservices-config/
4. Restart Xservices to begin using the new key.
For Apache
Note: This process creates new files, so make sure you retain copies of
the files for archival purposes. Oracle recommends creating a
subdirectory to hold the files used previously and renaming the files
with a date or other identifying information before following these
steps.
1. Create and self-sign a new certificate by running the following command in the
C:\cert\apache or /opt/cert/apache directory:
openssl req -x509 -nodes -days 395 -newkey rsa:2048 -keyout
server.key -out server.crt
a. Answer all questions when prompted. See “To create and deploy Self-Signed
Certificates for Apache”.
2. Enter the following command in the C:\cert\apache or /opt/cert/apache
directory to import the server.crt into xcenter-config's truststore.
- Windows:
keytool -import -file server.crt -alias apache-YYYYMMDD
-keystore c:\xcenter-config\res\ssl\.truststore
- Linux:
keytool -import -file server.crt -alias apache-YYYYMMDD
-keystore /opt/xcenter-config/res/ssl/.truststore
a. When prompted, enter the keystore password.
b. When prompted to trust the certificate, type y or yes.
3. Place the Truststore file on every Xstore Point of Service register in the field.
4. Run the following command in the apache directory to import the root certificate
into Xenvironment's Truststore.
- Windows:
keytool -import -file server.crt -alias apache-YYYYMMDD
-keystore \environment\res\ssl\.truststore
- Linux:
keytool -import -file server.crt -alias apache-YYYYMMDD
-keystore /opt/environment/res/ssl/.truststore
5. Place the .truststore file on every Xenvironment system in the field.
Certificate Authority
A CA can be authenticated by another CA, or it can be a Root Certificate Authority. For
eCommerce, a chain of CAs will always end with a public Root Certificate Authority.
This is because a Root Certificate Authority must be "trusted" by the client machine to
operate smoothly. A web browser will show a warning if the server's certificate was not
signed by a trusted root CA out-of-the-box. In the case of CA-signed certificates, the
browser warnings can be avoided by importing the CA's cert into the trusted
certification providers list. A Java program without special coding will fail to connect if
the certificate does not have a signature from a trusted CA.
Web browsers include a database of trusted public Certificate Authorities when they are
distributed. Additional trusted certificates can typically be imported through a menu
within the web browser. Java distributions have a similar database of trusted public
Certificate Authorities, but any additional certificates must be managed by a program
written in Java. These are typically stored in a truststore that a Java program can
reference.
If you already have an internal CA set up with a certificate that was signed by a public
CA (VeriSign, Entrust, etc.), any certificates issued by your CA can be used without
distributing that public CA's trust information. Only the internal CA's information
would need to be distributed.
If you don't already have such a CA set up, you can save yourself the cost of a signed CA
certificate without the extra management overhead of self-signed certificates by setting
up an internal CA and publishing the trust information in the appropriate locations in
your infrastructure. Such a CA is sometimes called a Root Certificate Authority or Root
CA.
Once you add a Root CA's certificate to the various Certificate Trust Lists (CTLs), any
certificates signed by this Root CA will work the same as those signed by a public CA
like VeriSign, Entrust, and many others.
Refer to “Certificate Authority-Signed Certificates: Oracle Retail Xstore Office” or
“Certificate Authority-Signed Certificates: Xservices” for more information.
Self-Signed Certificates
If a public key certificate is not signed by a Certificate Authority, it is said to be
"self-signed". Since no external entity has "signed" the certificate, you have only the word of
the certificate itself that it is valid. For a self-signed certificate to function like a certificate
issued by a public CA, the certificate must be added to the CTL on each client.
Refer to “Self-Signed Certificates: Oracle Retail Xstore Office” or “Self-Signed
Certificates: Xservices” for more information.
JMX console
When Xstore Point of Service is running, it opens port 2020 for its JMX console. The
server certificate is stored in the Java keystore at xstore/res/ssl/.keystore. The
certificate stored under the "xstore" alias is used by default. The keystore password lives
in the system.properties file.
Since sensitive data is never displayed in the JMX console, you may be wondering why
we use HTTPS for this portal. HTTPS is used to protect the login password that is passed
from the browser to Xstore Point of Service when accessing the JMX console. Since this
password is not cardholder data, the default public key certificate was created with an
expiration date in the future. The current certificate is set to expire on October 22, 2025,
ten years after it was created.
The certificate for the JMX console is typically managed as part of an Xstore Point of
Service build, but if you have distributed the certificate for an internal CA across your
infrastructure, it might make sense to change Xstore Point of Service's JMX console to
use a certificate signed by that CA.
In addition to the JMX Console, Xstore Point of Service opens an additional HTTPS port
using the same certificate that is used for the JMX Console. This port is used for
communication from the environment to Xstore Point of Service (primarily to see the
messages field with closing steps).
Annual Requirements
PCI requirements mandate that encryption keys are rotated annually. This means that
you must generate and distribute new certificates every year.
• If you are using self-signed certificates, the generated certificate must be added to
both the servers and all client systems.
• If you are using CA-signed certificates, the annual distribution of certificates would
only need to deliver them to the servers since a signing CA typically only expires
every ten years.
As a result, if you have a certificate server, the annual distribution of keys is easier
because there are fewer places that have to be maintained.
See “Annual Distribution Requirements” for the steps you must take each year to avoid
expired certificates.
Certificates signed by a CA
If a certificate is signed by a CA, only the certificate of the signing CA needs to be in the
Certificate Trust List (CTL) for the certificate to be trusted. The public key certificate for
your internal CA will be maintained by InstallX for Xstore Point of Service builds.
Self-signed Certificates
For a self-signed certificate to be trusted, the certificate itself must be added to the CTL.
Private key
The half of a public/private key pair that is secured. In public/private key encryption, a
private key is used to decrypt information.
Public key
The half of a public/private key pair that is openly shared. In public/private key
encryption, a public key is used to encrypt information.
Public/private key pair
A set of asymmetric keys that are generated at the same time. In public/private key
encryption, data encrypted with the public key can be decrypted using the private key.
Root certificate authority
A root certificate authority is a public certificate authority that is typically included in
standard certificate trust lists.
Self-signed certificate
A certificate whose only signature is one created with the private key that goes with the
public key that is part of the certificate.
Truststore
A keystore that contains public keys for client and servers to be trusted for TLS
communication.
Overview
In the interest of data security, retailers require the ability to manage the components of
credit and debit card data encryption. Oracle has provided a utility which a customer
can use to manage the keys for encrypting this sensitive data.
The Payment Card Industry Data Security Standard (PCI DSS) governs the storage and
protection of debit and credit card account data anywhere it is stored. This standard has
many requirements associated with it that relate both to your Point Of Sale and
Corporate applications. This utility should be properly secured on your corporate
network and access limited to "need to know" employees within your organization.
One of the PCI requirements states that retailers are responsible for rotating their
encryption keys on at least an annual basis. GenKeys provides the ability to comply with
this requirement by allowing you to set the effective and expiration dates for the keys.
Multiple keys can be created by changing the effective and expiration dates in the
configuration file and running the utility.
Encryption keys should have overlapping effective and expiration dates to account for
situations where returns or cancelled layaways might require an older key to process the
transaction. The overlap should be consistent with your corporate return and special
transaction cancellation policies.
The encryption key files are considered extremely sensitive information since they are
used to encrypt your customers' cardholder data. Due to this fact, Oracle will not store or
create a customer's production cipher key file on its corporate network, nor will Oracle
accept a production cipher key file in any form. This policy has been adopted to provide
additional security protection to our customers. Accordingly, Oracle will not include the
customer's cipher key file in their PCI release. The customer is responsible for creating
the file and distributing it to their stores prior to deploying their PCI release.
Encryption keys at corporate must be kept as long as the data that is encrypted using
those keys is kept.
Note: See “Delete expired certificates and keys” for more information
about removing old keys. Old keys and certificates should be removed
once the keys and certificates reach the end of their usable life.
The PCI DSS states, "Keep cardholder data storage to a minimum. Develop a data
retention and disposal policy. Limit storage amount and retention time to that which is
required for business, legal, and/or regulatory purposes, as documented in the data
retention policy". The development and implementation of a Data Retention Policy
(DRP) is a significant factor in the overall security of your environment.
A DRP forms an important foundation for helping to manage an organization's data. The
creation of a DRP is a complex task that requires exhaustive research and the assistance
of qualified legal counsel. The scope of your DRP should reach far beyond the PCI DSS,
and you should work closely with your legal counsel to ensure your compliance with the
laws and governmental regulations that pertain specifically to your organization.
Upon implementation of your DRP, you should contract with a Visa-approved PCI
assessment company to review the DRP's impact on the storage of payment card data, in
compliance with Requirement #3 of the PCI DSS.
You must choose which type of key(s) you want to create, and modify each section of
gen-keys.conf accordingly. All other sections, with the exception of section 4 and
possibly section 5 if it is being used, must be completely commented out (begin each line
with the "#" character). See “Create Cipher Key Files” of Chapter 3, “Install Xstore
Office” or “Create Cipher Key Files” of Chapter 5, “Install Xstore Point of Service” for
procedural information.
File - Description
ccenc*.cip - Contains the key used to encrypt credit and debit card data. This file should
be rotated yearly unless a compromise is suspected, at which time you should deploy a new
key immediately.
config*.cip - Contains the key used to encrypt any configuration file. For example,
database connection information.
pinfo.cip - Contains the key used to encrypt personal information. For example, Social
Security Numbers.
rcpt*.cip - Contains the key used to encrypt the copy of the receipt stored in the Xstore
Point of Service database.
NOT_YET_EFFECTIVE - The best cipher option is not yet effective. Encryption will still
occur, but a warning message will be displayed during each transaction.
- Generate a cipher with both an effective date and an expiration date that are current.
FAILOVER - The fail-over cipher is being used. Encryption will still occur, but a warning
message will be displayed during each transaction.
- Verify that valid cipher files are in place for "ccenc" and that the "dtv.CustomerId"
system property matches the value used to generate the key. Remember, the customer ID is
case-sensitive.
NO_EXPIRATION - The most current cipher has no expiration date. Encryption will still
occur, but a warning will be displayed during each transaction.
- Generate a cipher with both an effective date and an expiration date that are current.
use - The usage code of the cipher. (for example, ccenc)
- In combination with the effective date, the usage uniquely identifies a cipher.
eff - The effective date of the cipher in YYYY-MM-DD format. (for example, 2014-01-01)
- In combination with the usage code, the effective date uniquely identifies a cipher. At
the time of encryption, the effective date is a criterion when picking one cipher ahead of
another. At decryption, the effective date is used to pick the same cipher used for
encryption.
exp - The expiration date of the cipher in YYYY-MM-DD format. (for example, 2014-12-31)
- The effective date is used as a criterion for picking one cipher over another.
id - The hexadecimal values that will appear as the first 8 bytes in data that was
encrypted using this cipher. For example, 3E3E3E30E5653201 would indicate that a credit
card account number encrypted with this cipher would start with the bytes 0x3E, 0x3E, 0x3E,
0x30, 0xE5, 0x65, 0x32, and 0x01.
- This information can be used to pick a cipher at the time of decryption. This is included
to avoid mistakes in calculating this value in an external system.
alg - The algorithm in use for this cipher. (for example, AES/CBC/PKCS5Padding)
- The same algorithm that was used to encrypt the data must be used when decrypting the
data.
key - The randomly generated key that is always used by this cipher. The key is encrypted
using the public key that was provided and Base-64 encoded.
- The key is used to encrypt or decrypt data.
md5 - The MD5 of the CIP file that was created.
- This could be used to make sure the information you have in the ciphers.csv matches up
with a given CIP file.
Generate Key 1
Let's say that we have generated a key for the "ccenc" usage with an effective date of
January 1, 2015 and an expiration date of December 31, 2015. The console output would
be recorded in xstore-wrapper-######.log where ###### is today's date.
Two files would be created: ciphers.csv and ccenc-2015-01-01.cip.
Console
generated ccenc eff:2015-01-01 exp:2015-12-31
--ALL CIPHERS--
***********ccenc.2015-01-01***********
v4 eff:2015-01-01 exp:2015-12-31 alg:AES/CBC/PKCS5Padding
keysize:256 (C:\genkeys\res\keys\ccenc.2015-01-01.cip)
v4 eff:FAILOVER_INSTANCE exp:2999-12-31 alg:AES/CBC/PKCS5Padding
keysize:256 (FAILOVER)
v3 eff:FAILOVER_INSTANCE exp:2999-12-31 alg:AES/ECB/PKCS5Padding
keysize:256 (FAILOVER)
ciphers.csv Contents
use,eff,exp,id,alg,key,iv,md5
ccenc,2015-01-01,2015-12-31,3E3E3E3055773301,AES/CBC/
PKCS5Padding,N5zu5iN7uwGI2nMI5XT+N8hhZFyg04MzH3br1/
JCH06wbONKIfcv6PN44rgSlpNddZEtkLbYRCjiggxhXRQpOQmy3QqyKLNZKfDlntR
T/GZdGp4XSAPE1N/T3O7ldOgPMG82bm6Mm9164KBgxke5f/
CPOtHPI0ZNVSmPBG7l1j7D+ItAUMkyKaVkngjp6yQncBpnCrihF9/
p6SQeUrrjiLWX53WW8lhKNg62B2SehOGHqs/45r/
ZAkkCDWWpKmWLKt1ebOAcvyePGn6Col2RwvH4ajvxsil6en935CsGn4pkgUtoEeEm
rPJnhERWrtejTMMsWHw6w37g9OzhYr4nwQ==,DVV+G/
lPX30M56A9hmgQhycwlZDu0SfpR2aMvnEp734xiHeckWgZ4SXicJE+dUuCUf7OUC1
JEyZ5xUgDGXtLe6Sa/eOCsfbS090v3UL5osAK0QRcwdxb6W2osRTevVnZJp3d/
VgHJKa9PuAjU0PbCLlqEGcdy5mBsfBFpUVcYlEC7EHtmSd6MpZnIvYnp1hyB92S8J
YpTlk7mcTpOGyAKFk95IG77acHoaC8eGNCLE+RlyOmtPBZw8lGzVcSVoAPb3DmY3X
hdKmJG/S6rtoqhEyAIOkp8mrTZvvpoCNTJSD/pF8iM25NsDV9gzud+l/
0ghlT7lhJ7Nj7tkZWTS6mdQ==,9c070f91cf349b6a02063d8589318f21
ccenc.2015-01-01.cip Contents
*v4.DTV.KqSEI/tbGDsVgH74DJ3sAg==.mUXmubP13L2pnDL2/
0e9SRZzLjl2oH0jtJ6+mPRvxTw92nXN6d/
5+Yp4fQTaDhmtrlTLC42jf8Qn8AB4dMf/
VhrZErglr1H8BRXmNKisY7Oy653i5Ft2gEJ6UYivjs5j2ei7zpDGJORiH5UQHQB7N
A==
Deploy Key 1
Let's say we deploy the CIP file to a register and tender a transaction with credit card
number 4444111122223333.
ttr_credit_debit_tndr_lineitm.acct_nbr Contents
Pj4+MFV3MwFSsSP+mTAGnNn/OU2xTFfY37RC3u1NDIjeazC9AV/Zxw==
Generate Key 2
Now, we generate another key with effective date February 2, 2015 and expiration date
December 31, 2015. A line is appended to ciphers.csv and the file ccenc-2015-02-01.cip is
created.
Console
generated ccenc eff:2015-02-01 exp:2015-12-31
--ALL CIPHERS--
***********ccenc***********
v4 eff:2015-02-01 exp:2015-12-31 alg:AES/CBC/PKCS5Padding
keysize:256 (C:\genkeys\res\keys\ccenc.2015-02-01.cip)
v4 eff:2015-01-01 exp:2015-12-31 alg:AES/CBC/PKCS5Padding
keysize:256 (C:\genkeys\res\keys\ccenc.2015-01-01.cip)
v4 eff:FAILOVER_INSTANCE exp:2999-12-31 alg:AES/CBC/PKCS5Padding
keysize:256 (FAILOVER)
v3 eff:FAILOVER_INSTANCE exp:2999-12-31 alg:AES/ECB/PKCS5Padding
keysize:256 (FAILOVER)
ciphers.csv Contents
use,eff,exp,id,alg,key,iv,md5
ccenc,2015-01-01,2015-12-31,3E3E3E3055773301,AES/CBC/
PKCS5Padding,N5zu5iN7uwGI2nMI5XT+N8hhZFyg04MzH3br1/
JCH06wbONKIfcv6PN44rgSlpNddZEtkLbYRCjiggxhXRQpOQmy3QqyKLNZKfDlntR
T/GZdGp4XSAPE1N/T3O7ldOgPMG82bm6Mm9164KBgxke5f/
CPOtHPI0ZNVSmPBG7l1j7D+ItAUMkyKaVkngjp6yQncBpnCrihF9/
p6SQeUrrjiLWX53WW8lhKNg62B2SehOGHqs/45r/
ZAkkCDWWpKmWLKt1ebOAcvyePGn6Col2RwvH4ajvxsil6en935CsGn4pkgUtoEeEm
rPJnhERWrtejTMMsWHw6w37g9OzhYr4nwQ==,DVV+G/
lPX30M56A9hmgQhycwlZDu0SfpR2aMvnEp734xiHeckWgZ4SXicJE+dUuCUf7OUC1
JEyZ5xUgDGXtLe6Sa/eOCsfbS090v3UL5osAK0QRcwdxb6W2osRTevVnZJp3d/
VgHJKa9PuAjU0PbCLlqEGcdy5mBsfBFpUVcYlEC7EHtmSd6MpZnIvYnp1hyB92S8J
YpTlk7mcTpOGyAKFk95IG77acHoaC8eGNCLE+RlyOmtPBZw8lGzVcSVoAPb3DmY3X
hdKmJG/S6rtoqhEyAIOkp8mrTZvvpoCNTJSD/pF8iM25NsDV9gzud+l/
0ghlT7lhJ7Nj7tkZWTS6mdQ==,9c070f91cf349b6a02063d8589318f21
ccenc,2015-02-01,2015-12-31,3E3E3E30B9773301,AES/CBC/
PKCS5Padding,M2X6VxBHc/
dgDsudVtn7EMW9nQ4xKRu8eBI5gKNfz4ajYj45zb2TS4fOCiMxu/
nmQiQIqKMO+fc/IZ9YHgCDS6etNVcLEK3cSHxo65XboNm/
ojTiWzDYN62PlsKJfHY9OetNuavOnGYFLitNuql8O1jC0J1zIgTTZRgL8qSm6bGdk
MmfRT3u6QNjJEMUFtYIVSNGfAgXtFm0jAaBHvL3vFlmN64AatuTgFBLkIJbbCNe5f
wsxnq3ZptI/Uo5sMrR4fgLGSxlbWOhEgbFu+rlEk+MT8JS12/
424Brcx762Q9AUPdkT4P+yWqbqj4muGmt+PIeE13xs9vChFTjyJmMHQ==,gNDiX8t
VJW8+WEnpb2wjb5FuszSx4y0FHnjfqIx/
3NmcmwiKUXPZsRr5rkCiCCF0r3k2sAwfwsdS4QMc9AgwA0JZdqzRVWWdcNwrI8jyg
sm1VcD40q3QGFALfS8RFG7RWMLg3/
Jw1evF3h1vJMKwaQFh9cO5m2kYunoJ53aFQy2gV/qEqWPEbxcJpUt/
8DoFQduhTGyG9gY3uUfhwCJ80Sp4JtZnXJOL3Ngq1P4lGuEnQkdOhce1N/
YmWmvE7w53kj+/
tIvgXEdQINRphxpR7guqoDp5AA0Vr0UpmDa1O0kXRvaDXhHrjbG+RsP0wItV02ow5
aflnPdWh3yT0iFT7Q==,08894dfc84e285cec371656517785c69
ccenc.2015-02-01.cip Contents
*v4.DTV.zpepeYYyGv9Nernx2NlvfA==.yqqVr9k7Eb8H90Z+qFOIMm4Rbi7aS+c5
Ua+GlzBnLey0FbGl5Zs1SC0oI9lGlNeAkWgAs0FuspE+i8Yb2TgRFzbBWXymLVCD/
80GvfA0WA4TZNUi2U3PqndjoUjyOoS9XwkCZ9tLM8u4svuI9j+sug==
Deploy Key 2
Let's say we deploy the new key on February 2, 2015 and ring another transaction with
account number 4444111122223333.
ttr_credit_debit_tndr_lineitm.acct_nbr Contents
Pj4+MLl3MwHSl+0u9d8Euu2HeEA6pdwhbWoKfpfM1pV6jkkkSyRSGQ==
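Added example (not part of the original guide and not Oracle code): the two acct_nbr values above carry their cipher id in the first 8 bytes, so a stored value can be matched to its ciphers.csv row before decryption, and a data set can be checked for which keys must still be retained. It assumes the column holds Base-64 text, which is how the sample values decode; the function names are hypothetical, and the key and iv columns are replaced by placeholders.

```python
import base64
import binascii
import csv
import io

ID_LEN = 8  # per the guide, the id is the first 8 bytes of the encrypted data

# Constructed stand-in for ciphers.csv: use, eff, exp, id, alg and md5 are the
# values shown in this guide; the long key and iv columns are placeholders.
CIPHERS_CSV = """use,eff,exp,id,alg,key,iv,md5
ccenc,2015-01-01,2015-12-31,3E3E3E3055773301,AES/CBC/PKCS5Padding,<key-1>,<iv-1>,9c070f91cf349b6a02063d8589318f21
ccenc,2015-02-01,2015-12-31,3E3E3E30B9773301,AES/CBC/PKCS5Padding,<key-2>,<iv-2>,08894dfc84e285cec371656517785c69
"""

# acct_nbr samples from the "Deploy Key 1" and "Deploy Key 2" sections.
KEY1_SAMPLE = "Pj4+MFV3MwFSsSP+mTAGnNn/OU2xTFfY37RC3u1NDIjeazC9AV/Zxw=="
KEY2_SAMPLE = "Pj4+MLl3MwHSl+0u9d8Euu2HeEA6pdwhbWoKfpfM1pV6jkkkSyRSGQ=="
# Constructed value (24 zero bytes) whose id matches no cipher.
UNKNOWN_SAMPLE = "A" * 32


def load_ciphers(text):
    """Index ciphers.csv rows by upper-case id; duplicate ids are rejected."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        cid = row["id"].strip().upper()
        if cid in index:
            raise ValueError(f"duplicate cipher id {cid}")
        index[cid] = row
    return index


def cipher_id(stored_value):
    """Return the 8-byte cipher id (hex) at the front of a stored value.

    Assumption: the database column holds Base-64 text.
    """
    try:
        raw = base64.b64decode(stored_value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("stored value is not valid Base-64") from exc
    if len(raw) <= ID_LEN:
        raise ValueError("stored value too short to hold an id and ciphertext")
    return raw[:ID_LEN].hex().upper()


def find_cipher(stored_value, index):
    """Return (use, eff) of the cipher that encrypted the value, or None."""
    row = index.get(cipher_id(stored_value))
    return (row["use"], row["eff"]) if row else None


def keys_still_needed(stored_values, index):
    """Return (ciphers still referenced by stored data, ids with no csv row).

    The first set lists keys that must be kept while the data is kept; the
    second set points at data encrypted under a key missing from ciphers.csv.
    """
    needed, unknown = set(), set()
    for value in stored_values:
        cid = cipher_id(value)
        row = index.get(cid)
        if row:
            needed.add((row["use"], row["eff"]))
        else:
            unknown.add(cid)
    return needed, unknown


if __name__ == "__main__":
    idx = load_ciphers(CIPHERS_CSV)
    for sample in (KEY1_SAMPLE, KEY2_SAMPLE, UNKNOWN_SAMPLE):
        print(cipher_id(sample), find_cipher(sample, idx))
```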
For example:
v4 eff:FAILOVER_INSTANCE exp:2999-12-31 alg:AES/CBC/PKCS5Padding
keysize:256 (FAILOVER)
If a file ending with .cip is in the res/keys, but is not a valid CIP for the customer, only the
existence of the file will be reported as a line starting with ERROR.
ERROR: c:\genkeys\res\keys\ccenc.2017-01-02.cip
c:\genkeys\res\keys\ccenc.2017-01-02.cip is corrupt or has been
tampered with
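Added example (not from the original guide and not Oracle code): a small audit of a cipher listing in the format shown above. It reports ERROR lines, v1/v2 and v3 ciphers, and ciphers that are expired, not yet effective, or without an expiration date. The listing is constructed, entries wrapped before "keysize:" are rejoined as an assumption about the log layout, and all function names are hypothetical.

```python
import re
from datetime import date

ENTRY = re.compile(
    r"^(?P<ver>v\d+)\s+eff:(?P<eff>\S+)\s+exp:(?P<exp>\S+)\s+alg:(?P<alg>\S+)"
    r"\s+keysize:(?P<size>\d+)\s+\((?P<src>.+)\)$")
HEADER = re.compile(r"^\*+(?P<name>[^*]+)\*+$")

NON_COMPLIANT = "v1/v2 cipher: not PCI-compliant, no key rotation"
LEGACY = "v3 cipher: only for decrypting data from versions before 15.0"
NO_EXP = "no expiration date"
EXPIRED = "expired: still decrypts, no longer preferred for encryption"
NOT_EFFECTIVE = "not yet effective"
CORRUPT = "CIP file is corrupt or has been tampered with"

# Constructed listing in the guide's format (paths and dates are samples).
SAMPLE_LISTING = r"""--ALL CIPHERS--
***********ccenc***********
v4 eff:2016-06-01 exp:NULL_INSTANCE alg:AES/CBC/PKCS5Padding
keysize:256 (C:\genkeys\res\keys\ccenc.2016-06-01.cip)
v4 eff:2015-02-01 exp:2015-12-31 alg:AES/CBC/PKCS5Padding
keysize:256 (C:\genkeys\res\keys\ccenc.2015-02-01.cip)
v3 eff:2014-01-01 exp:2014-12-31 alg:AES/CBC/PKCS5Padding
keysize:256 (C:\genkeys\res\keys\ccenc.2014-01-01.cip)
v4 eff:FAILOVER_INSTANCE exp:2999-12-31 alg:AES/CBC/PKCS5Padding
keysize:256 (FAILOVER)
v3 eff:FAILOVER_INSTANCE exp:2999-12-31 alg:AES/ECB/PKCS5Padding
keysize:256 (FAILOVER)
ERROR: c:\genkeys\res\keys\ccenc.2017-01-02.cip
"""


def _as_date(text):
    """Parse YYYY-MM-DD; NULL_INSTANCE and FAILOVER_INSTANCE yield None."""
    try:
        return date.fromisoformat(text)
    except ValueError:
        return None


def audit_listing(text, today):
    """Return a list of (cipher or file, finding) pairs for one listing."""
    findings = []
    usage = None
    # Assumption: a wrapped entry continues on a line starting with "keysize:".
    joined = re.sub(r"\n(?=keysize:)", " ", text)
    for line in (raw.strip() for raw in joined.splitlines()):
        if line.startswith("ERROR:"):
            findings.append((line[len("ERROR:"):].strip(), CORRUPT))
            continue
        header = HEADER.match(line)
        if header:
            # "ccenc" and "ccenc.2015-01-01" both name the ccenc usage.
            usage = header.group("name").split(".")[0]
            continue
        entry = ENTRY.match(line)
        if not entry or entry.group("src") == "FAILOVER":
            continue  # built-in fail-over ciphers are always listed
        label = f"{usage} {entry.group('ver')} eff:{entry.group('eff')}"
        version = int(entry.group("ver")[1:])
        if version <= 2:
            findings.append((label, NON_COMPLIANT))
        elif version == 3:
            findings.append((label, LEGACY))
        eff = _as_date(entry.group("eff"))
        exp = _as_date(entry.group("exp"))
        if exp is None:
            findings.append((label, NO_EXP))
        elif exp < today:
            findings.append((label, EXPIRED))
        if eff is not None and eff > today:
            findings.append((label, NOT_EFFECTIVE))
    return findings


if __name__ == "__main__":
    for item, finding in audit_listing(SAMPLE_LISTING, date(2016, 1, 15)):
        print(f"{item}: {finding}")
```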
version - (for example, v3 or v4)
- v1 Indicates the CIP is a version 1 cipher. These ciphers were stored encrypted
with Triple-DES and did not support key rotation. (NOT PCI-COMPLIANT)
- v2 Indicates the CIP is a version 2 cipher. These ciphers were stored encrypted
with AES-128 and did not support key rotation. (NOT PCI-COMPLIANT)
- v3 Indicates the CIP is a version 3 cipher. These ciphers are stored encrypted
using AES-256 and support key rotation. However, these ciphers should only be
used for decrypting legacy data encrypted by Xstore Point of Service versions
previous to 15.0. (As long as a newer cipher is v4, the v4 cipher will be used for
encryption.)
- v4 Indicates the CIP is a version 4 cipher. These ciphers are stored encrypted
using AES-256 and support key rotation. They are used for encryption and
decryption in Xstore Point of Service version 15.0 and up.
eff - The effective date of the cipher. (for example, eff:2017-01-01, eff:NULL_INSTANCE,
and eff:FAILOVER_INSTANCE)
- This date is when the cipher will first be selected for encryption purposes.
- This date serves as the unique identifier for the cipher. (For example, for key
rotation to function properly, only one ccenc key may have a given effective
date.)
- NULL_INSTANCE indicates that there is no effective date. (A cipher with an
effective date will be selected ahead of this one for encryption).
- FAILOVER_INSTANCE indicates that there is no effective date and no CIP file.
(Any cipher with an effective date, or even the NULL_INSTANCE, would be
selected ahead of this cipher.)
exp - The expiration date of the key. (for example, exp:2017-12-31,
exp:NULL_INSTANCE, and exp:FAILOVER_INSTANCE)
- This date is used in selecting a preferred key for encryption.
- Decryption will continue to work after this date.
alg - The algorithm used with this cipher. (for example, alg:AES/CBC/PKCS5Padding)
- The first part of the algorithm (AES, DES, or DESede) indicates the actual
algorithm that is used with the cipher.
- The second part indicates the mode used with the cipher.
* CBC or 'cipher block chaining' is used with all generated ciphers. When keys
are generated, an initialization vector (IV) is also randomly generated and
stored in the CIP file. This effectively increases the key size from 256 to 384.
* CBC, the same mode, is also used with the FAILOVER ciphers. ECB mode is
used for older versions of FAILOVER ciphers.
- The third part (PKCS5Padding) indicates the padding scheme used with the
cipher.
* PKCS5Padding indicates that PKCS#5 padding is used.
keysize - The key-size for this cipher. (for example, keysize:256)
location - Where this cipher is stored. (for example, c:\xstore-
genkeys\res\keys\rcpt.cip or FAILOVER)
- FAILOVER indicates that there is no CIP file for this cipher. There is one
FAILOVER cipher for each usage. These cannot be removed. Changing these
ciphers requires use of a "nuclear option" which would invalidate all ciphers
ever generated for the customer.
key - The key is stored in a CIP file, but is not displayed by the cipher report for obvious
reasons.
iv - The initialization vector (IV) is stored in a CIP file, but is not displayed by the cipher
report for obvious reasons.
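The field rules above can be checked mechanically. The following Python script is an added example, not part of Oracle's guide or of the GenKeys tool: it parses cipher-report lines and flags the conditions this section calls out (v1/v2 ciphers, ECB mode, duplicate effective dates, ERROR lines, an expired or legacy preferred key). It assumes file-backed ciphers print their path in parentheses the way the FAILOVER sample does, the ranking in `preferred` is an approximation built from the eff/exp statements above, and the sample report is constructed.

```python
import re
from collections import Counter
from datetime import date

# Line layout follows the one sample line on the page; a file path inside
# the parentheses for file-backed ciphers is an assumption.
LINE = re.compile(
    r"^(?P<ver>v\d+)\s+eff:(?P<eff>\S+)\s+exp:(?P<exp>\S+)\s+"
    r"alg:(?P<alg>\S+)\s+keysize:(?P<size>\d+)\s+\((?P<loc>.+)\)$"
)
SPECIAL = {"NULL_INSTANCE", "FAILOVER_INSTANCE"}

# Constructed sample report (not output from any real deployment).
SAMPLE = r"""
v3 eff:2014-01-01 exp:2014-12-31 alg:AES/CBC/PKCS5Padding keysize:256 (c:\genkeys\res\keys\ccenc.2014-01-01.cip)
v4 eff:2015-02-01 exp:2015-12-31 alg:AES/CBC/PKCS5Padding keysize:256 (c:\genkeys\res\keys\ccenc.2015-02-01.cip)
v2 eff:NULL_INSTANCE exp:NULL_INSTANCE alg:AES/ECB/PKCS5Padding keysize:128 (c:\genkeys\res\keys\rcpt.cip)
v4 eff:FAILOVER_INSTANCE exp:2999-12-31 alg:AES/CBC/PKCS5Padding keysize:256 (FAILOVER)
ERROR: c:\genkeys\res\keys\ccenc.2017-01-02.cip
c:\genkeys\res\keys\ccenc.2017-01-02.cip is corrupt or has been tampered with
"""


def _day(value):
    """Dates are ISO strings; the two *_INSTANCE markers mean 'no date'."""
    return None if value in SPECIAL else date.fromisoformat(value)


def parse_report(text):
    """Return (ciphers, error_paths) parsed from cipher-report text."""
    ciphers, errors = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("ERROR:"):
            errors.append(line[len("ERROR:"):].strip())
        elif (m := LINE.match(line)):
            c = m.groupdict()
            name = re.split(r"[\\/]", c["loc"])[-1]
            # Usage (ccenc, rcpt, ...) is the file name up to the first dot.
            c["usage"] = None if c["loc"] == "FAILOVER" else name.split(".")[0]
            ciphers.append(c)
    return ciphers, errors


def preferred(ciphers, today):
    """Cipher expected to encrypt on `today` (assumed ranking)."""
    def rank(c):
        eff, exp = _day(c["eff"]), _day(c["exp"])
        if eff is not None:
            if eff > today:
                return (-1, False, eff)          # not yet effective
            # Dated keys first: unexpired before expired, then newest eff.
            return (2, exp is None or exp >= today, eff)
        # NULL_INSTANCE outranks FAILOVER_INSTANCE; both lose to dated keys.
        return (1 if c["eff"] == "NULL_INSTANCE" else 0, True, date.min)
    usable = [c for c in ciphers if rank(c)[0] >= 0]
    return max(usable, key=rank) if usable else None


def audit(text, today):
    """Return a list of findings for the report as of `today`."""
    ciphers, errors = parse_report(text)
    out = [f"CRITICAL {p}: corrupt or tampered CIP file" for p in errors]
    for c in ciphers:
        if c["ver"] in ("v1", "v2"):
            out.append(f"HIGH {c['loc']}: {c['ver']} cipher is not PCI-compliant")
        if "/ECB/" in c["alg"]:
            out.append(f"HIGH {c['loc']}: ECB mode in use")
    dated = Counter((c["usage"], c["eff"]) for c in ciphers
                    if c["usage"] and c["eff"] not in SPECIAL)
    out += [f"HIGH {u}: {n} keys share effective date {eff}"
            for (u, eff), n in dated.items() if n > 1]
    for usage in sorted({c["usage"] for c in ciphers if c["usage"]}):
        chosen = preferred([c for c in ciphers if c["usage"] == usage], today)
        if chosen is None:
            out.append(f"MEDIUM {usage}: no effective key, FAILOVER cipher would be used")
            continue
        exp = _day(chosen["exp"])
        if exp is not None and exp < today:
            out.append(f"MEDIUM {usage}: preferred key expired {exp}, deploy a new one")
        if chosen["ver"] == "v3":
            out.append(f"MEDIUM {usage}: encrypting with a legacy v3 cipher")
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE, date(2016, 3, 1)):
        print(finding)
```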
Rotating Key-Encryption-Key
A Key-Encryption-Key (KEK) is used to encrypt and decrypt data-encryption keys. The
KEK is 256 bits in size and uses the same strong symmetric encryption algorithm
that is used for the data encryption/decryption process. The KEK is calculated using a
sophisticated algorithm at application start-up and is kept in volatile RAM while the
application is running.
Customers can rotate KEKs by modifying a configuration parameter that is
used to calculate the KEK. The following steps detail this change.
1. Back up the old cipher files in a separate, safe, and secure directory.
2. Open the system.properties file for the GenKeys installation in a text editor.
3. Change the dtv.CustomerId.salt setting to a new value. Use a value that is long
enough (at least 8 characters) and hard to guess.
Important: If you are using a salt value other than the default, you
must create and apply a customer overlay to your project. See the
Oracle Retail Xstore POS and Xstore Office Development Environment
Setup (MOS ID 2158739.1) and Oracle Retail Xstore POS and Xstore Office
Build Server Setup White Paper (MOS ID 2055918.1) on My Oracle
Support (http://support.oracle.com/) for procedures on creating and
applying customer overlays.
6. Re-encrypt all configuration entries that were encrypted with the old ciphers;
7. For all applications, update all configuration files with the new encrypted values.
Important: The following text should all be entered on one line, with
a space in place of the line wraps seen below.
The same "keytool" can be used to import a public key from an external process.
Example usage is shown below.
Example
# --------------------------------------------------------------
# Section 5: Define information used for secondary export during generation
wrapper.java.additional.5=-Ddtv.keygen.export.keystore=res/keys/.keystore
wrapper.java.additional.6=-Ddtv.keygen.export.key.alias=export
wrapper.java.additional.7=-Ddtv.keygen.export.keystore.password=publicpassword
Save your changes. Continue with “Create Cipher Key Files” of Chapter 3, “Install
Xstore Office” or “Create Cipher Key Files” of Chapter 5, “Install Xstore Point of
Service”.
Audience
This document is intended for the following audiences:
- Oracle Installers/Programmers
- Oracle Customer Service
- Oracle Training Personnel
- MIS Personnel
- Oracle Customers
3. PCI DSS Requirements and Security Assessment Procedures, Version 3.2 April 2016
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf
When a request for support is made to your support organization or to a third party
vendor, they may need one or more of these passwords to do their job. Any time that a
password is given out, it should be changed to maintain PCI compliancy.
Additionally, Xstore Point of Service has the capability to enforce complex passwords for
access to all Back Office applications, including reporting and Back Office utilities.
Complex passwords can be enforced, including minimum length, alphanumeric
passwords, periodic rotation, and lockout after failed login attempts. All Xstore Point of
Service POS user passwords are stored securely in the database through an SHA256
Hash. Oracle recommends that customers using Xstore Point of Service implement
complex passwords for access to Back Office applications in accordance with the Visa
CISP Security Standard.
For all other system components, including operating system, network devices, and
access points, Oracle recommends changing all vendor-supplied default passwords to a
complex password.
The table below lists the available options, and the minimum recommended settings.
See the Xstore Point of Service Frameworks & Technologies Guide for additional information.
Table D-1: Password options and minimum recommended settings
The data contained in the Database is further protected due to the operating system
lockdown from the Xstore Point of Service environment with daily changing passwords.
Furthermore, current POS systems that are on private, local networks prevent all outside
database access. The merchant is responsible for assessing security access by way of
default passwords and security parameters on any other systems that contain credit card
data at the corporate office.
* The Xstore Point of Service DB Power User name and password are both supplied by
the customer. This is the user account that Xstore Point of Service uses to connect to the
database.
Screen Saver
Use the screen saver to help secure the system when users are away:
• Ensure the screen saver is enabled.
• Configure the screen saver to display the logon screen on resume.
Password Policy
Set the following Password Policy settings (in the Account Policies folder):
• Enforce password history - 4 passwords remembered
• Maximum password age - 90 days
• Minimum password age - 0 days
• Minimum password length - 8 characters
• Password must meet complexity requirements - Enabled
• Store passwords using reversible encryption - Disabled
Wireless Environments
For wireless environments, change wireless vendor defaults, including but not limited
to, default service set identifier (SSID), password, and SNMP community strings.
Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for
encryption and authentication. This must be done to maintain PCI compliancy.
For more information, refer to the Payment Application Data Security Standard (PA-
DSS) document.
For more information on Requirement 2: Do not use vendor-supplied defaults for system
passwords and other security parameters of the PCI Data Security Standard please
consult the PCI Security Standards Council website, "Payment Card Industry Data
Security Standard":
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.
A DRP forms an important foundation for helping manage an organization's data. The
creation of a DRP is a complex task that requires exhaustive research and the assistance
of qualified legal counsel. The scope of your DRP should reach far beyond the PCI DSS,
and you should work closely with your legal counsel to ensure your compliance with the
laws and governmental regulations that pertain specifically to your organization.
Upon implementation of your DRP, you should contract with a Visa-approved PCI
assessment company to review the DRP's impact on the storage of payment card data in
compliance with Requirement 3 of the PCI DSS.
Xstore Point of Service can be configured to purge transactional data, including sensitive
cardholder data, through XML configuration options. The configuration option to
accomplish this PCI requirement is listed below.
Xstore Point of Service XML Configuration File - PurgeConfig.xml
<Group name="Transaction" order="10" age="365">
Set the age value to the desired number of days of transactional information to retain
and Xstore Point of Service will purge data older than the value during the nightly
closing process.
Data Encryption
Note: Starting with version 16.0, Xstore Point of Service does not store
primary account numbers (PAN). For this reason, Xstore Point of
Service is not eligible for PA-DSS validation.
Sensitive data is encrypted on the Xstore Point of Service system when at rest. Xstore
Point of Service employs the industry-standard algorithm AES 256 to encrypt this
sensitive data.
Xstore Point of Service stores information (data at rest) in the following areas:
- The main Xstore Point of Service database
- The replication database
- The training database
- The backup database
Each of these areas contains both sensitive and non-sensitive information.
This database is replicated during the nightly closing process to the replication &
training databases on each register at the store.
Access to these databases is granted through standard SQL tools provided that the
merchant provides the required authentication credentials to a given user. The database
connection string that Xstore Point of Service uses to connect to the main Xstore Point of
Service database is encrypted with standard AES encryption to prevent unauthorized
access to the database and is stored in a core configuration file.
The Xstore Point of Service security design requires the use of an encryption key to
facilitate encrypting the sensitive data with AES 256. Xstore Point of Service allows the
end user to change or rotate the AES key as often as desired. This will be referred to as
key rotation. The AES encryption keys are stored in a cipher file which must be located
in c:\xstore\res\keys or /opt/xstore/res/keys on each register. Keys within
the cipher file have the following attributes:
- Effective Date - Date the key is in effect and to be used by Xstore Point of
Service.
- Expiration Date - Date the key expires. Xstore Point of Service parses the cipher
file during its nightly closing process and deletes any keys that are expired.
Wireless transmissions of cardholder data must be encrypted over both public and
private networks. Encrypt transmissions by using WiFi Protected Access (WPA or
WPA2) technology, IPSEC VPN, or TLS. Always restrict access based on media access
control (MAC) address.
Sensitive data stored in the Xstore Point of Service database is encrypted via a strong
encryption algorithm (AES). Sensitive data is defined as the cardholder account number
as well as application access passwords. The encryption key for sensitive data can be
rotated by the end user.
Xstore Point of Service does not use end-user messaging technology to transmit
cardholder data over a network.
For more information on Requirement 4: Encrypt transmission of cardholder data across
open, public networks of the PCI Data Security Standard, please consult the PCI Security
Standards Council website, "Payment Card Industry Data Security Standard":
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.
changes, and the installation of available security patches, depend on site specific
protocol and practices.
In order to comply with Requirement 6 of the PCI standard, all Operating Systems (OS)
must be patched and updated regularly.
When a critical update is released, the site must install that update to ensure that system
security is as strong as possible. Antivirus definitions must also be installed on all PCs,
and should be kept up to date with the most recent virus definitions. Check the
documentation provided by your antivirus software provider as well as for your
Operating System for steps to ensure that your software is up to date.
See “Disable System Restore” for procedural information.
To make sure your site develops and maintains secure systems and applications in
compliance with Requirement 6: Develop and maintain secure systems and applications
of the PCI Data Security Standard, please consult the PCI Security Standards Council
website, "Payment Card Industry Data Security Standard":
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.
The Xstore Point of Service POS application provides the ability to assign a unique user
ID and a complex password to each associate at the store level that will be processing
customer transactions. Each user can be assigned different security levels to restrict
access to POS functionality and information available within the POS application.
Oracle strongly recommends that the merchant also assign unique usernames and
complex passwords to all PCs, servers, and databases with payment applications and
cardholder data. The passwords for both the Xstore Point of Service POS application and
systems containing cardholder data should be a minimum length of 7 and should be
alpha numeric.
As mentioned in “Requirement 2: Do not use vendor-supplied defaults for system
passwords and other security parameters”, we suggest that these passwords be changed
on a regular basis in accordance with a policy set up by you, the merchant.
Further, new passwords should not repeat any of the last four passwords used. The
merchant is responsible for ensuring that this functionality is implemented across their
chain and that data access is also controlled at the corporate office for any non-Oracle
systems that contain sensitive credit card information. Additionally, Oracle recommends
that you encrypt all passwords during transmission and storage, on all system
components.
Additional password guidelines include:
- Do not use group, shared, or generic accounts and passwords.
- Change user passwords at least every 90 days.
- Limit repeated access attempts by locking out the user ID after not more than six
attempts.
- Set the lockout duration to thirty minutes or until an administrator enables the
user ID.
- If a session has been idle for more than 15 minutes, require the user to reenter
the password to reactivate the terminal.
Xstore Point of Service configuration options for password configuration are as follows:
Table D-2: Password configuration options
Option - Description
- Password Age - The number of days for which a password is valid before it
expires. (Enabled by default, default value = 90 days.)
- Minimum Password Length - The minimum number of characters required for a password.
- Minimum Alpha Characters - The minimum number of alpha characters that must be in the
password.
- Minimum Numeric Characters - The minimum number of numeric characters that must be
in the password.
- Password History Length - The number of unique passwords that must be entered before a
duplicate one can be entered.
- Maximum Idle Time - The amount of time Xstore Point of Service waits before
securing the register. (Enabled by default, default wait seconds value = 300.)
- Account Lockout - The number of invalid password entries before the user is locked
out. (Enabled by default, default value = 3 retries.)
- New Employee Password Expire - Dictates if Xstore Point of Service will require a new
employee to change their password when they initially log in.
Furthermore, Oracle advises users to control access, via unique usernames and PCI-
compliant complex passwords, to any PCs, servers, and databases with payment
applications and cardholder data.
Oracle mandates two-factor authentication for remote access to the site's network by
Oracle, Inc. employees, administrators, and third parties. Technologies such as remote
authentication and dial-in service (RADIUS), terminal access controller access control
system (TACACS) with tokens, or VPN based on TLS or IPSEC with individual
certificates must be used.
Remote Access
Remote access software security features must always be used and implemented.
Therefore, default settings in the remote access software must be changed so that a
unique username and complex password is used for each customer. Never use the
default password and adhere to the PCI DSS password requirements established in
Requirement 8 on page 15. The new password must contain a minimum of eight
characters, including a combination of numbers and letters.
Connections must only be allowed from specific, known IP/MAC addresses. Strong
authentication or complex passwords for logins must be used. Encrypted data
transmission and account lockout after a certain number of failed attempts must be
enabled. For additional security, the systems should be configured so that a remote user
can establish a Virtual Private Network (VPN) connection via a firewall before access is
allowed. Logging functions must be enabled for security purposes. Access to customer
passwords must always be restricted.
All non-console administrative access must be encrypted using technologies such as
SSH, VPN, or TLS (transport layer security) for web-based management and other non-
console administrative access. Telnet must never be used for administration.
For more information on Requirement 8: Assign a unique ID to each person with
computer access of the PCI Data Security Standard, please consult the PCI Security
Standards Council website, "Payment Card Industry Data Security Standard":
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.
Xstore Point of Service provides data access security in the form of a proprietary shell
program that replaces the Windows-based Explorer shell. This shell program effectively
restricts access to all Windows and third party based applications by requiring customer
defined passwords (configured by default to change daily) to access applications other
than our Point of Sale (POS) and authorization programs. The merchant is responsible
for restricting data access at the corporate level for non-Oracle systems that contain
credit card data.
To make sure your site is set up in compliance with Requirement 9: Restrict physical
access to cardholder data of the PCI Data Security Standard, please consult the PCI
Security Standards Council website, "Payment Card Industry Data Security Standard":
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.
In accordance with the Visa USA PCI Data Security Standard, Oracle strongly
recommends regular testing of security systems and processes. To make sure your site's
security systems and processes are set up in compliance with Requirement 11: Regularly
test security systems and processes of the PCI Data Security Standard, please consult the
PCI Security Standards Council website, "Payment Card Industry Data Security
Standard": https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.
Password Management
Oracle is not permitted to manage these passwords for you. This section provides a
sample log sheet for all password management.
Remote Access
Vendors may connect remotely to your server to support you. This connection should be
protected by a complex password.
Windows
Each individual in your organization should also be given their own Windows Login. A
separate Windows login should be given to each vendor.
Database Users
Your Xstore Point of Service database requires the user accounts listed below to be
present. These accounts will need their passwords changed every 90 days. Each
individual in your organization that needs direct database access should be given their
own database login and should only be given access to what they need. A separate
database login should be given to each vendor.
SA
XstoreDBPowerUser*
* The XstoreDBPowerUser name and password are both supplied by the customer. This
is the user account that Xstore Point of Service uses to connect to the database.
• Windows® 7 and 8 have a built-in software firewall that should be enabled when
running Xstore Point of Service. The firewall should be enabled before installing the
Xstore Point of Service software.
• See “Firewall Port Exceptions:” for more information.
Instructions for ensuring the register has a firewall in place are provided below for
the following operating systems:
• Windows 7, Windows 8, Windows 10, Windows Vista, Server 2008, Server 2008 R2,
PosReady 7, and So On
Click Regedit.Exe.
Click Regedit.Exe.
Click gpedit.msc.
Disable UAC (User Account Control) on Windows Vista, 7, 8, 2k8, & 2k8R2
Set the EnableLUA dword value to 0 in
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System.
Click Regedit.Exe.
Tip: You can also disable System Restore using the registry:
Set the DisableConfig and DisableSR dword values to 1 in the
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
path of the registry.
• Require that remote access take place over a VPN via a firewall as opposed to
allowing connections directly from the internet.
• Enable logging for auditing purposes.
• Restrict access to customer passwords to authorized reseller/integrator personnel.
• Establish customer passwords.
• Remote connectivity applications must be manually started to accept an incoming
connection rather than always waiting for a connection. Therefore, the software
must be configured accordingly.
Operating System
PC users must have unique usernames and complex passwords which are rotated on a
regular basis. The importance of using and maintaining a secure password scheme is
twofold. First, it greatly reduces the risk of unauthorized access to the Xstore Point of
Service server. Second, it facilitates proper auditing trails required for PCI compliancy.
Complex passwords should be enabled by default for all administrators and those
employees who have access to administrative functions.
1. Click Start.
2. Click Control Panel.
3. Click Performance and Maintenance.
4. Click System.
5. Click Settings in the Advanced tab under Startup and Recovery.
6. Select the Small Memory Dump option, and click the OK button to save the change.
7. Restart Windows in order for your changes to take effect.
3. Confirm that the certificate has been deleted from the keystore:
keytool -list -keystore <keystore_file>
Oracle
Encryption of communication between Xstore Point of Service and an Oracle database is
configured in the DataSourceConfig.xml file. By changing the values of the
OjdbcThinClientEncryptionLevel and OjdbcThinClientChecksumLevel
parameters, you can either enable or disable encryption.
The parameters can have the following values:
• REJECTED
• ACCEPTED
• REQUESTED
• REQUIRED
A typical configuration could be as follows:
<!-- To turn on encryption, set OjdbcThinClientEncryptionLevel to
REQUESTED. To turn off, set to ACCEPTED. -->
<Property key="OjdbcThinClientEncryptionLevel" value="REQUESTED" />
<Property key="OjdbcThinClientEncryptionTypes" value="(AES256)" />
<!-- To turn on checksum, set OjdbcThinClientChecksumLevel to
REQUESTED. To turn off, set to ACCEPTED. -->
<Property key="OjdbcThinClientChecksumLevel" value="REQUESTED" />
<Property key="OjdbcThinClientChecksumTypes" value="(SHA256)" />
Please see Oracle Database Advanced Security Administrator's Guide for more information
on other possible options.
SQL Server
Encryption of communication between Xstore Point of Service and a SQL Server
database is configured in the xstore-base.properties file. Adding or changing the
encrypt and trustServerCertificate properties in the database connection string
determines whether database communications are encrypted.
A typical configuration could be:
jdbc:sqlserver://thehostname:1433;databaseName=xstore;sendStringParametersAsUnicode=false;encrypt=true;trustServerCertificate=true
Please see Connecting with SSL Encryption for more on other possible options.
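Both "typical" configurations above encrypt opportunistically: with Oracle's REQUESTED level the connection continues unprotected if the server declines, and with SQL Server's trustServerCertificate=true the driver encrypts without validating the server certificate. The following Python check is an added example, not part of Oracle's guide or of Xstore: it audits the Property entries and JDBC URLs shown in this section and reports settings that do not force a protected, authenticated channel. The `<Properties>` wrapper element and the hardened variants are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed samples. The <Properties> wrapper is a placeholder so the
# fragment parses; the Property lines and JDBC URLs mirror this section.
ORACLE_TYPICAL = """<Properties>
  <Property key="OjdbcThinClientEncryptionLevel" value="REQUESTED" />
  <Property key="OjdbcThinClientEncryptionTypes" value="(AES256)" />
  <Property key="OjdbcThinClientChecksumLevel" value="REQUESTED" />
  <Property key="OjdbcThinClientChecksumTypes" value="(SHA256)" />
</Properties>"""
ORACLE_HARDENED = ORACLE_TYPICAL.replace("REQUESTED", "REQUIRED")

MSSQL_TYPICAL = ("jdbc:sqlserver://thehostname:1433;databaseName=xstore;"
                 "sendStringParametersAsUnicode=false;encrypt=true;"
                 "trustServerCertificate=true")
MSSQL_OFF = ("jdbc:sqlserver://localhost:1433;databaseName=xstore;"
             "sendStringParametersAsUnicode=false;encrypt=false;")
MSSQL_HARDENED = MSSQL_TYPICAL.replace("trustServerCertificate=true",
                                       "trustServerCertificate=false")

LEVEL_KEYS = ("OjdbcThinClientEncryptionLevel", "OjdbcThinClientChecksumLevel")
LEVEL_NOTES = {
    "REJECTED": "protection is never negotiated",
    "ACCEPTED": "protection is used only if the server asks for it",
    "REQUESTED": "connection continues unprotected if the server declines",
}


def audit_oracle(xml_text):
    """Flag Ojdbc level settings that do not force protection (REQUIRED)."""
    props = {p.get("key"): p.get("value")
             for p in ET.fromstring(xml_text).iter("Property")}
    findings = []
    for key in LEVEL_KEYS:
        level = (props.get(key) or "").upper()
        if level == "REQUIRED":
            continue
        note = LEVEL_NOTES.get(level, "missing or unrecognised value")
        findings.append((key, level or "<unset>", note))
    return findings


def jdbc_properties(url):
    """Split a jdbc:sqlserver URL into lower-cased property names and values."""
    flat = "".join(url.split())      # undo line wrapping; fine for flag values
    props = {}
    for part in flat.split(";")[1:]:
        name, sep, value = part.partition("=")
        if sep:
            props[name.lower()] = value
    return props


def audit_sqlserver(url):
    """Flag connection strings that skip encryption or server authentication."""
    props = jdbc_properties(url)
    encrypt = props.get("encrypt", "").lower()
    trust = props.get("trustservercertificate", "false").lower()
    findings = []
    if encrypt == "false":
        findings.append(("encrypt", "false", "channel is not encrypted"))
    elif encrypt == "true":
        if trust == "true":
            findings.append(("trustServerCertificate", "true",
                             "TLS is on but the server certificate is not validated"))
    elif encrypt != "strict":
        findings.append(("encrypt", encrypt or "<unset>",
                         "driver default decides; set it explicitly"))
    return findings


if __name__ == "__main__":
    for label, result in [("oracle typical", audit_oracle(ORACLE_TYPICAL)),
                          ("mssql typical", audit_sqlserver(MSSQL_TYPICAL)),
                          ("mssql off", audit_sqlserver(MSSQL_OFF))]:
        for setting, value, note in result:
            print(f"{label}: {setting}={value}: {note}")
```

The hardened variants only work if the database server supports native network encryption (Oracle) or presents a certificate the client's trust store accepts (SQL Server).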
Oracle
To turn off encryption between Xstore Point of Service and an Oracle database, update
the data sources configurations (except Xstore Office) in DataSourceConfig.xml:
1. Open the file DataSourceConfig.xml.
2. Turn off encryption for each DataSource group (except Xstore Office):
a. Find the key="OjdbcThinClientEncryptionLevel" property setting.
b. Change the value to ACCEPTED for the
key="OjdbcThinClientEncryptionLevel" property setting:
<Property key="OjdbcThinClientEncryptionLevel" value="ACCEPTED" />
c. Find the key="OjdbcThinClientChecksumLevel" property setting.
SQL Server
To turn off encryption between Xstore Point of Service and a SQL Server database, set the
encrypt value in the SQL Server connection string to encrypt=false in the
DataSourceConfig.xml file.
For example:
jdbc:sqlserver://localhost:1433;databaseName=xstore;sendStringParametersAsUnicode=false;encrypt=false;
Data Privacy
The Xstore Suite has many features that allow it to maintain data privacy.
Important: The web service methods described in this section are not
available through software in the Xstore Suite. You must create your
own user interface or command line tools that will then call the
methods in the Omnichannel Data Privacy API.
Data Removal
The Omnichannel Data Privacy API Tool allows the retailer to remove personal data for
a specified person by anonymizing or deleting the data. The response to the request
indicates whether the removal was successful.
GET <server>:<port>/xcenter/rest/privatedata/validateForget/<organization_id>::<party_id>?type=customer
where:
• <server> is the name of the Xstore Office server.
• <port> is the HTTP port for the REST API interface
• <organization_id> is the ID for your organization
• <party_id> is the Xstore Office ID for the customer
After receiving this request, Xstore Office will return one of the following status codes:
• 200 - Customer record safe for removal.
• 412 - Customer record not safe for removal.
Deleting a user through the Omnichannel Data Privacy API Tool does
not remove the user data from the database. The data is only
anonymized so that the data cannot be connected with a user.
DELETE <server>:<port>/xcenter/rest/privatedata/<organization_id>::<party_id>?type=employee
where:
• <server> is the name of the Xstore Office server.
• <port> is the HTTP port for the REST API interface
• <organization_id> is the ID for your organization
• <party_id> is the Xstore Office ID for the employee
After receiving this request, Xstore Office will validate that the employee can be
removed (see Web Service - Validate Employee for Removal). If the employee record can
be safely removed, Xstore Office will notify Xstore Point of Service systems to
anonymize data for the employee.
• 200 - Removal successful.
• 412 - Removal unsuccessful or cannot be performed (see Web Service - Validate
Employee for Removal).
Anonymization
When removing personal data for a specified person, the system replaces the personal
data with blank fields.
DELETE <server>:<port>/xcenter/rest/privatedata/<organization_id>::<party_id>?type=employee
where:
• <server> is the name of the Xstore Office server.
• <port> is the HTTP port for the REST API interface
• <organization_id> is the ID for your organization
• <party_id> is the Xstore Office ID for the employee
After receiving this request, Xstore Office will validate that the employee can be
anonymized (see Web Service - Validate Employee for Anonymization). If the employee
record can be safely anonymized, Xstore Office will notify Xstore Point of Service
systems to anonymize data for the employee.
• 200 - Anonymization successful.
• 412 - Anonymization unsuccessful or cannot be performed (see Web Service -
Validate Employee for Anonymization).
Customer Consent
When accessing a customer record or collecting information about a customer, Xstore
Point of Service may be configured to record and store the customer's consent to having
their data collected.
Overview
Important: All broadcaster-related configuration is done by defining
Spring beans in the xcenter-spring-beans.xml configuration file.
This file is located in the xcenter-config directory.
The broadcaster system in Xstore Office is used to transmit PosLog data to other
systems. The data is transmitted just as Xstore Office receives it from the registers via the
Replication system.
The broadcaster system has the ability to handle JAXB object format, Raw string format,
or a “subset” format of PosLog data to meet the differing requirements of various 3rd
party systems. (See “Supported PosLog Data Formats”).
For example, web services for Customer Engagement Cloud Service systems expect a
POSLOGType type JAXB object; however, the XBR system requires raw string PosLog data
which is exactly the same as what is sent from Xstore Point of Service to Xstore Office.
The architecture of the broadcaster system makes it possible to develop additional
custom broadcasters capable of sending data to any other remote 3rd party system.
Although all existing Xstore Office broadcasters communicate only to SOAP web
services, the broadcaster system's architecture is technology-agnostic regarding the
technical requirements of the remote systems. Broadcasters can be implemented that
send data to an FTP server, a REST web service, a message queue, email, a twitter
account, etc.
Generic Broadcasters
Generic broadcasters allow customers to develop their own SOAP web server using one
of the Xstore Office generic WSDLs. Once such a server is implemented and running,
Xstore Office can easily be configured to broadcast data to that server, without requiring
any custom Xstore Office development. The key to this scenario is that the customer's
web service must be implemented using one of the generic, unmodified Oracle WSDLs.
These WSDLs were created by the Xstore Office development team and are included
with the base Xstore Office software. Generic broadcasters can successfully broadcast
data to a remote server provided that server strictly adheres to the Oracle WSDL.
Object Format
SOAP web services support the ability to define methods that can accept and return
"objects" which are defined by the XML Schema Definition (XSD) language.
The Customer Engagement Cloud Service broadcaster is a broadcaster that uses the
object-based approach. Customer Engagement Cloud Service has a public SOAP web
service for accepting PosLog data. The service has a method which accepts an XSD-
defined PosLog object. This XSD is part of the web service's WSDL; it is defined and
controlled by the Customer Engagement Cloud Service project team. The Xstore Office
Customer Engagement Cloud Service broadcaster must convert each PosLog object that
needs to be sent to Customer Engagement Cloud Service into Customer Engagement
Cloud Service's PosLog XSD format before sending it.
Having a web service defined by SOAP and XSDs generally makes it easier for
developers to write software that manipulates the data being sent/received, because the
data can be handled directly as objects in their native programming language.
A disadvantage to this approach is that the SOAP/XSD definitions are very rigid,
meaning if (for example) some additional, retailer-specific new information needs to be
included in the PosLog, and this data needs to be sent by a broadcaster and captured by
a remote server, then both the broadcaster and the remote server would have to be given
modified versions of the SOAP/XSD documents, and code changes must be made in
order to include the new data. These are not necessarily difficult changes to make, but
the important part is that code changes/re-compiling will be required.
Subset Format
In some cases, an external system may only be interested in just a few key pieces of
information from each PosLog transaction. There is no requirement that a broadcaster
send all of the data in each PosLog. In fact, a broadcaster does not need to send every
record; it can decide to ignore or filter out certain PosLog transactions based on any kind
of logic that can be programmed.
The remote system dictates what pieces of information should be sent, and in what
format.
For example, if the remote system only wants to know the Id of the transaction and the
total amount paid, then a broadcaster for this system can be written to simply send only
those few pieces (a subset) of information.
Broadcaster Name | Sends PosLog data as | Type of Remote Service Interface | Who owns/defines service interface | Server authentication requirements
XBR Broadcaster | raw XML string | SOAP web service (WSDL) | XBR project team | Proprietary application-level authentication (as required by the XBR server)
Generic String Broadcaster | raw XML string | SOAP web service (WSDL) | Xstore Office project team | HTTP basic authentication (optional)
trn_poslog_work_item Table
Name Data Type Allow Null
service_id Field
Each configured broadcaster is indicated by the service_id field. Each PosLog
transaction record which is replicated into Xstore Office is also queued into this table for
each configured broadcaster (indicated by service_id).
The default service_id for each Broadcaster is as follows:
work_status Field
As the broadcasters process their respective records, the statuses of their records are
maintained in the work_status field.
Note: The types of error values found in the work_status field are
subject to change, and are completely dependent on how each
broadcaster is implemented. There is no strict global standard of error
codes in this field. Aside from "NEW", and "COMPLETE", any other
value in work_status can be considered as some kind of error code.
Broadcaster Configuration
Important: There is no automated migration path for performing a
version upgrade. All broadcasters will need to be manually
reconfigured in the xcenter-spring-beans.xml config file.
Note: For more information about Spring, refer to the documentation at:
http://static.springsource.org/spring/docs/4.3.x/spring-framework-reference/html/
http://static.springsource.org/spring/docs/4.3.x/spring-framework-reference/html/beans.html#beans-factory-xml-import
The broadcaster bean Ids are named arbitrarily, and the names are only referenced
within this file (with one exception, serenadeServiceConfig). Refer to “Order
Management System Cloud Service Broadcaster” for more information about this
exception.
A fundamental rule of Spring requires every bean ID to be unique.
A Spring bean defines each broadcaster. (This bean must also be added to the main list of
broadcasters in order for that broadcaster to run when Xstore Office starts up).
Getting Started
To configure a broadcaster, you will need the following information:
1. Organization Id - Each broadcaster bean must define an Org Id.
2. Broadcaster service id - Each broadcaster bean must define a
broadcasterServiceId. The name is arbitrary; the existing examples in the
config file can be used.
3. Broadcaster implementation class - This is determined by what kind of remote
system you are broadcasting to (for example, Customer Engagement Cloud Service,
XBR, etc.).
4. All information required to connect to the remote system (such as hostname, port,
username/password, etc.).
Most broadcaster beans must refer to another Spring bean which defines a Jaxws
connection/configuration information bean: either a JaxWsPortProxyFactoryBean
or MrJaxWsPortProxyFactoryBean (see “Jaxws Broadcaster Configuration” for
more information).
1 Broadcaster Id - Each broadcaster needs a unique Spring bean Id. These Ids must be
unique within this config file, but the actual Id is arbitrary and can be anything. These
Ids are only used to tie things together within the Spring config file.
2 Broadcaster implementation class - This is the Java class in Xstore Office that
implements IBroadcaster and is designed to communicate with a specific type of
remote server (for example, the RelateBroadcaster class can broadcast to a Customer
Engagement Cloud Service server).
3 orgId - This is the orgId of the Xstore Point of Service PosLog data that this
broadcaster should process. (In most single-org Xstore Office installations this value will
be 1, not 1000 as shown in this example).
4 broadcasterServiceId - This Id, along with the orgId, uniquely identifies this
broadcaster within the Xstore Office broadcaster system. When a PosLog record is added
to the trn_poslog_work_item table for this broadcaster, the service_id field in
that table is initialized with this configured broadcasterServiceId. This enables
each broadcaster to individually keep track of what data it is responsible for processing.
Also, the broadcasterServiceId will show up in various administrative tools in the
Oracle Retail Xstore Office user interface, so that administrators can refer to particular
broadcasters. Refer to the Oracle Retail Xstore Office User Guide for more information.
5A and 5B References to remote service connection info - Each broadcaster needs to
refer to a second Spring bean to get additional configuration information about how it
can connect to the remote system. The Id of this bean is also arbitrary, but a wise
convention is to base it on the Id of the broadcaster bean
("postTransactionRelate_1"), and append it with the kind of connection
implementation that's being used (for example,
"postTransactionRelate_1_jaxws"). All sample broadcaster configurations are
named using this convention.
6 Various broadcaster configuration parameters - These parameters control certain
aspects of timing and behavior of this broadcaster. All broadcasters have this same set
of parameters. The default values are generally sufficient.
Parameter Name | Description | Default Value | Unit
workQueueBatchReadSize | How many records in a batch for broadcaster to load at once | 100 | PosLog record
pollingIntervalMillis
retrySleepMillis
threadcount
<property name="filters">
<list value-type=
"com.micros_retail.xcenter.broadcast.IBroadcastFilter">
<ref bean="onlyIncludeRetailSaleAndPostVoid" />
</list>
</property>
<property name="xmlModifiers">
<list value-type=
"com.micros_retail.xcenter.broadcast.IXMLModifier">
<ref bean="removePCIData"/>
</list>
</property>
</bean>
<property name="broadcasterList">
<list value-type=
"com.micros_retail.xcenter.broadcast.IBroadcaster">
<ref bean="postTransactionRelate_1"/>
<!-- <ref bean="postTransactionXBR_1"/> -->
<!-- <ref bean="postTransactionSerenade"/> -->
<!-- <ref bean="genericObjBroadcaster_1"/> -->
<!-- <ref bean="genericStrBroadcaster_1"/> -->
<!-- <ref bean="ReSA_Broadcaster"/> -->
</list>
</property>
</bean>
4. Save the file.
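The rules above (unique bean Ids, a unique orgId plus broadcasterServiceId pair per broadcaster, and membership in broadcasterList before a broadcaster runs) can be checked mechanically before Xstore Office is restarted. The following Python script is an added example, not part of this guide or of Xstore Office. The sample XML, the example.* class names and the XBR_SAMPLE service id are constructed, and treating a missing removePCIData modifier as a finding is a policy assumption of this example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of xcenter-spring-beans.xml. The example.*
# classes and XBR_SAMPLE are made up; the property names come from the guide.
SAMPLE_CONFIG = """<beans>
  <bean id="removePCIData" class="example.PciModifier"/>
  <bean id="postTransactionRelate_1" class="example.BroadcasterA">
    <property name="orgId" value="1"/>
    <property name="broadcasterServiceId" value="POST_TRANSACTION_RELATE"/>
    <property name="xmlModifiers">
      <list><ref bean="removePCIData"/></list>
    </property>
  </bean>
  <bean id="genericStrBroadcaster_1" class="example.BroadcasterB">
    <property name="orgId" value="1"/>
    <property name="broadcasterServiceId" value="POST_TRANSACTION_RELATE"/>
    <property name="filters">
      <list><ref bean="onlyIncludeRetailSaleAndPostVoid"/></list>
    </property>
  </bean>
  <bean id="postTransactionXBR_1" class="example.BroadcasterC">
    <property name="orgId" value="1"/>
    <property name="broadcasterServiceId" value="XBR_SAMPLE"/>
  </bean>
  <bean id="broadcasterManager"
        class="com.micros_retail.xcenter.broadcast.BroadcasterManager">
    <property name="broadcasterList">
      <list>
        <ref bean="postTransactionRelate_1"/>
        <ref bean="genericStrBroadcaster_1"/>
        <!-- <ref bean="postTransactionXBR_1"/> -->
      </list>
    </property>
  </bean>
</beans>"""


def _local(tag):
    """Strip an XML namespace such as the Spring beans namespace."""
    return tag.rsplit("}", 1)[-1]


def _props(bean):
    return {p.get("name"): p for p in bean if _local(p.tag) == "property"}


def _refs(node):
    """Bean ids referenced below node, via <ref bean=""/> or a ref="" attribute."""
    out = []
    for el in node.iter():
        if _local(el.tag) == "ref" and el.get("bean"):
            out.append(el.get("bean"))
        elif el.get("ref"):
            out.append(el.get("ref"))
    return out


def audit(xml_text):
    """Return a list of (kind, detail) findings for one config file."""
    root = ET.fromstring(xml_text)
    beans = [b for b in root.iter() if _local(b.tag) == "bean" and b.get("id")]
    ids = Counter(b.get("id") for b in beans)
    findings = [("duplicate-bean-id", i) for i, n in sorted(ids.items()) if n > 1]

    # References must resolve (beans imported from other files are not seen here).
    for b in beans:
        for ref in _refs(b):
            if ref not in ids:
                findings.append(("dangling-ref", f"{b.get('id')} -> {ref}"))

    # Commented-out <ref> entries are dropped by the parser, so only
    # broadcasters that will actually run end up in this set.
    enabled = set()
    for b in beans:
        blist = _props(b).get("broadcasterList")
        if blist is not None:
            enabled.update(_refs(blist))

    seen = {}
    for b in beans:
        props = _props(b)
        if "broadcasterServiceId" not in props:
            continue  # not a broadcaster bean
        bid = b.get("id")
        org = props["orgId"].get("value") if "orgId" in props else None
        key = (org, props["broadcasterServiceId"].get("value"))
        if key in seen:
            findings.append(("duplicate-org-service", f"{seen[key]} and {bid}"))
        else:
            seen[key] = bid
        if bid not in enabled:
            findings.append(("not-in-broadcasterList", bid))
            continue
        mods = _refs(props["xmlModifiers"]) if "xmlModifiers" in props else []
        if "removePCIData" not in mods:
            findings.append(("no-removePCIData", bid))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_CONFIG):
        print(f"{kind}: {detail}")
```
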
XBR Broadcaster
There are a few special considerations related to the XBR SOAP web service that have an
impact on the XBR broadcaster.
• Proprietary authentication
The XBR SOAP web service uses a proprietary form of authentication that requires
special configuration in xcenter-spring-beans.xml. The config file contains a
sample configuration for the XBR broadcaster, and includes detailed comments on
how to configure its authentication parameters.
• TLS
Because the server hosting the XBR SOAP web service is configured to use TLS (the
url for the web service starts with https), it is necessary to export the public key from
the XBR server's keystore, and import/install it into Xstore Office's truststore in order
to facilitate communication between two systems. For details about the public key,
please refer to Appendix B: “Public Key Certificates”.
As mentioned above, the XBR broadcaster needs to send authentication info using a
proprietary technique (it does not use standard http basic authentication). The
XBRAuthHandlerResolver class implements this technique. You must define a Spring
bean using this class, specifying the encrypted username and password of the XBR
server. Then, set the "handlerResolver" property of the XBR
JaxWsPortProxyFactoryBean to use that XBRAuthHandlerResolver.
To configure and enable XBR Broadcaster on an organization with an
organization_id of 1, perform the following steps.
<bean id="postTransactionXBR_1"
class="com.micros_retail.xcenter.broadcast.xbr.XBRBroadcaster">
<property name="serviceInterface"
value="com.micros_retail.xcenter.poslog.xbr.PosLogServices" />
<property name="wsdlDocumentUrl" value=
"classpath:wsdl/xbr/PosLogServices-XBR.wsdl" />
<property name="namespaceUri" value="http://ws.xbr.dtv/" />
<property name="serviceName" value="PosLogServicesService" />
<property name="portName" value="PosLogServicesPort" />
<property name="customProperties"
ref="jaxwsCustomProperties" />
<property name="handlerResolver"
ref="postTransactionXBR_1_auth"/>
</bean>
<property name="broadcasterList">
<list value-type=
"com.micros_retail.xcenter.broadcast.IBroadcaster">
<property name="filters">
<list value-type=
"com.micros_retail.xcenter.broadcast.IBroadcastFilter">
<ref bean="crossChannelReturnFilter" />
</list>
</property>
<property name="broadcasterList">
<list value-type=
"com.micros_retail.xcenter.broadcast.IBroadcaster">
</bean>
4. Save the file.
<property name="filters">
<list value-type=
"com.micros_retail.xcenter.broadcast.IBroadcastFilter">
<ref bean="onlyIncludeRetailSaleTransactions" />
</list>
</property>
<property name="xmlModifiers">
<list value-type=
"com.micros_retail.xcenter.broadcast.IXMLModifier">
<ref bean="removePCIData"/>
</list>
</property>
<property name="broadcasterList">
<list value-type=
"com.micros_retail.xcenter.broadcast.IBroadcaster">
<property name="xmlModifiers">
<list value-type=
"com.micros_retail.xcenter.broadcast.IXMLModifier">
<ref bean="removePCIData"/>
</list>
</property>
<property name="broadcasterList">
<list value-type=
"com.micros_retail.xcenter.broadcast.IBroadcaster">
To configure and enable a Retail Sales Audit (ReSA) broadcaster in an organization with
an organization_id of 1, perform the following steps.
<property name="xmlModifiers">
<list value-type=
"com.micros_retail.xcenter.broadcast.IXMLModifier">
<ref bean="removePCIData"/>
</list>
</property>
</bean>
2. Specify the broadcaster endpointAddress parameters as needed.
3. Specify an encrypted username and password as needed.
4. In xcenter-spring-beans.xml uncomment/add the ReSA broadcaster bean
reference to the list below as necessary. The broadcaster will not run unless it is
added to this list.
<bean id="broadcasterManager"
class="com.micros_retail.xcenter.broadcast.BroadcasterManager" >
<property name="broadcasterList">
<list value-type=
"com.micros_retail.xcenter.broadcast.IBroadcaster">
The following examples show how to set up multiple broadcasters of the same type to
either multiple Org Ids or to a single Org Id.
Note: You can also rename the bean Ids to be more meaningful for
your installation since the bean Ids are arbitrary.
Broadcaster Processing
Several things may happen during the broadcasting process. How the broadcaster
handles these situations is totally up to each implemented broadcaster. All current
broadcasters generally work as follows.
After attempting to broadcast a PosLog message, the attempt either succeeds or fails:
• Success - When the attempt succeeds, the broadcaster marks the
trn_poslog_work_item.work_status field as "COMPLETE" and moves on to
the next record.
• Failure - When the attempt fails, it needs to assess the kind of failure and either try
to broadcast it again, or give up.
Generally, the only failures that broadcasters retry are "failure to establish
communication" errors. This is the scenario where it appears that the
remote system did not receive the PosLog data. In this case, the broadcaster will
keep trying to send the data until communications are re-established.
Other types of failures are generally not retried, especially "application level" errors.
The broadcaster simply records the corresponding error information in the
trn_poslog_work_item.error_details field and status information in the
trn_poslog_work_item.work_status field, and no further processing is
attempted.
No Re-try example:
The Customer Engagement Cloud Service broadcaster sends a PosLog to Customer
Engagement Cloud Service, and Customer Engagement Cloud Service sends back an error
code indicating "Illegal tender type" (for example). The broadcaster will log this error code
into the work_status and error_details fields; however, the broadcaster will not try to send it
again because Customer Engagement Cloud Service did in fact receive the data. The
broadcaster's mission is complete at this point, so it moves on to the next record.
Service ID : POST_TRANSACTION_RELATE
RETRY_SLEEP_MILLIS : 5000 (default)
WORK_QUEUE_BATCH_READ_SIZE : 100 (default)
POLLING_INTERVAL_MILLIS : 10000 (default)
Status : Running
• The scripts also delete replication records which have been fully, successfully
processed, and are "sufficiently old", which by default is 3 days, but is an easily
adjustable parameter in the script.
Essentially, the deletion script looks like this (SQL Server syntax, and defining
"sufficiently old" as 3 days):
delete from trn_poslog_work_item where work_status = 'COMPLETE'
and update_date < GETDATE()-3
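Because any work_status other than "NEW" and "COMPLETE" is an error code, and only "COMPLETE" rows are purged, a review of the work queue can be written against those two facts alone. The following Python script is an added example, not part of this guide. It uses an in-memory SQLite table holding only the columns named in this appendix plus a hypothetical item_id key, and the rows, the XBR_SAMPLE service id and the error status values are constructed.

```python
import sqlite3
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
NON_ERROR = ("NEW", "COMPLETE")  # every other work_status is an error code


def build_sample_queue(now):
    """Create a constructed trn_poslog_work_item table in memory."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE trn_poslog_work_item ("
        " item_id INTEGER PRIMARY KEY,"  # hypothetical key column
        " service_id TEXT, work_status TEXT,"
        " error_details TEXT, update_date TEXT)"
    )
    # (service_id, work_status, error_details, age in hours) - constructed rows
    rows = [
        ("POST_TRANSACTION_RELATE", "COMPLETE", None, 5 * 24),
        ("POST_TRANSACTION_RELATE", "COMPLETE", None, 24),
        ("POST_TRANSACTION_RELATE", "NEW", None, 1),
        ("POST_TRANSACTION_RELATE", "ILLEGAL_TENDER", "Illegal tender type", 6 * 24),
        ("XBR_SAMPLE", "FAILED", "constructed error text", 4 * 24),
        ("XBR_SAMPLE", "FAILED", "constructed error text", 2),
        ("XBR_SAMPLE", "COMPLETE", None, 10 * 24),
    ]
    con.executemany(
        "INSERT INTO trn_poslog_work_item"
        " (service_id, work_status, error_details, update_date)"
        " VALUES (?, ?, ?, ?)",
        [(s, w, e, (now - timedelta(hours=h)).strftime(FMT)) for s, w, e, h in rows],
    )
    return con


def error_summary(con):
    """Per broadcaster: each error status, its row count and oldest update_date."""
    return con.execute(
        "SELECT service_id, work_status, COUNT(*), MIN(update_date)"
        " FROM trn_poslog_work_item"
        " WHERE work_status IS NULL OR work_status NOT IN (?, ?)"
        " GROUP BY service_id, work_status"
        " ORDER BY service_id, work_status",
        NON_ERROR,
    ).fetchall()


def purge_complete(con, now, keep_days=3, dry_run=False):
    """Delete (or, with dry_run, count) COMPLETE rows older than keep_days.

    Mirrors the deletion script above: error rows and NEW rows are never
    touched, however old they are, so failed broadcasts stay available
    for investigation.
    """
    cutoff = (now - timedelta(days=keep_days)).strftime(FMT)
    where = "work_status = 'COMPLETE' AND update_date < ?"
    if dry_run:
        sql = f"SELECT COUNT(*) FROM trn_poslog_work_item WHERE {where}"
        return con.execute(sql, (cutoff,)).fetchone()[0]
    cur = con.execute(f"DELETE FROM trn_poslog_work_item WHERE {where}", (cutoff,))
    con.commit()
    return cur.rowcount


if __name__ == "__main__":
    now = datetime(2019, 10, 15, 12, 0, 0)
    con = build_sample_queue(now)
    for row in error_summary(con):
        print(row)
    print("would purge:", purge_complete(con, now, dry_run=True))
    print("purged:", purge_complete(con, now))
```
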
Developer’s Notes
Developing a Custom Broadcaster
As a developer charged with creating a new broadcaster, you should be aware that one
of the primary things your broadcaster needs to do is to adapt Xstore Office PosLog data
to whatever format is required by the remote system.
The broadcaster system architecture is capable of providing Xstore Office PosLog data in
two formats: the raw XML string format, and an XSD-defined object format.
Overview
Replication is the process used to copy and distribute data from one database to another,
and to synchronize between the databases to maintain consistency.
• The replication system must provide administrators with the ability to view
performance metrics, solve problems, and recover from faults.
• The replication system must reasonably preserve soft ordering of replication data
(especially in a multi-instance installation) to ensure the integrity of Xstore Office's
replicated database. Soft ordering means the chronological order of the replication
objects sent by the registers within each store should be preserved.
• Xstore Point of Service saves data to local ctl_replication_queue
• Xstore Point of Service replication process sends data to Xstore Office
• Replication data received by servlet
• Replication data is saved to the Xstore Office Replication DB (and into a table called
rpl_replication_data)
• Xstore Office replication queue processed and saved to Xstore Office DB
Replication Design Overview
• (Any records which fail to be saved to the Xstore Office DB will simply remain
inside of the Replication DB (in the rpl_replication_data table), and will have
an appropriate error status code set)
Re-sequencing Publisher
The end goal of replication is to save replicated data to the Xstore Office database, and to
send some of that data to external systems using Xstore Office's Broadcaster system. (See
Appendix F: “Xstore Office Broadcaster System” for more information about Xstore
Office's Broadcaster system).
If multiple instances of Xstore Office are all receiving replication data, replicated data
may arrive into Xstore Office chronologically out-of-order, resulting in the need for "re-
sequencing".
To preserve order when multiple instances of Xstore Office are putting data into the
replication database, data partitioning—specifically by store IDs—is used. To assign
ranges of store IDs to each running re-sequencing publisher thread, the replication
system queries Xstore Office's loc_retail_loc table for a sorted list of store IDs, and
evenly (as much as possible) divides all of the stores IDs by the total number of running
threads.
Each re-sequencing publisher thread (including all such threads running across all
instances of Xstore Office) is automatically assigned a specific range of store IDs to
process. This ensures that any single store's replication data can only be processed by a
single re-sequencing publisher thread, and that the act of re-sequencing a store's
replication data cannot be affected by other threads.
The re-sequencing publisher process (including all related threads) can be individually
enabled/disabled on each instance of Xstore Office. See cluster.processes.enabled in the
“xcenter.properties Settings”.
The number of re-sequencing publisher threads running simultaneously on each
application server is set by the replication.publisher.threads_per_orgid configuration
option. See “xcenter.properties Settings”. As the property name suggests, each
organization id gets its own set of threads since data across organizations must be
segregated. The number of threads cannot be customized for each organization.
the maximum Xstore Point of Service timestamp of all of the objects that arrived before
the delay.
Thus, the configured delay time is the maximum amount of "tolerance" Xstore Office
grants for un-ordered data to arrive into the replication database, while still being able to
keep its soft-ordering promise (see “Soft ordering - what can be expected?”).
An Xstore Point of Service "customer account" table has a record for a customer's
running balance. If the DTX operations are not processed in Xstore Office (via
replication) in the same order that they were processed in the store, the computed
account balance may not match what was computed on Xstore Point of Service.
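The store-ID partitioning and the re-sequencing delay described above can be modelled to see what the delay does and does not guarantee for a single store. The following Python script is an added example, not Xstore Office code. The release rule it uses (publish everything up to the maximum Xstore Point of Service timestamp among objects that arrived before the delay) is this example's reading of the statement above, and the store IDs, object names and times in seconds are constructed.

```python
def assign_store_ranges(store_ids, instances, threads_per_orgid):
    """Split one organization's sorted store IDs into contiguous ranges,
    one per publisher thread across all instances (sizes differ by at most 1)."""
    ids = sorted(set(store_ids))
    slots = [(i, t) for i in range(instances) for t in range(threads_per_orgid)]
    base, extra = divmod(len(ids), len(slots))
    plan, start = {}, 0
    for n, slot in enumerate(slots):
        size = base + (1 if n < extra else 0)
        chunk = ids[start:start + size]
        plan[slot] = (chunk[0], chunk[-1]) if chunk else None
        start += size
    return plan


def owners(plan, store_id):
    """Every (instance, thread) slot whose range covers store_id."""
    return [s for s, r in plan.items() if r and r[0] <= store_id <= r[1]]


def ready_to_publish(objects, now, delay_seconds):
    """Names of objects that may be published at time `now`, oldest first."""
    settled = [o for o in objects if o["arrived"] <= now - delay_seconds]
    if not settled:
        return []
    # Assumed release rule: nothing newer than this watermark is published yet.
    watermark = max(o["pos_ts"] for o in settled)
    ready = [o for o in objects
             if o["arrived"] <= now and o["pos_ts"] <= watermark]
    return [o["name"] for o in sorted(ready, key=lambda o: o["pos_ts"])]


def replay(objects, delay_seconds, poll_every=15, until=240):
    """Poll like a publisher thread and return the order objects were published."""
    published = []
    for now in range(0, until + 1, poll_every):
        for name in ready_to_publish(objects, now, delay_seconds):
            if name not in published:
                published.append(name)
    return published


def one_store(s1_arrival):
    """Three constructed objects from one store; S1 is the oldest but arrives late."""
    return [
        {"name": "S1", "pos_ts": 100, "arrived": s1_arrival},
        {"name": "S2", "pos_ts": 110, "arrived": 112},
        {"name": "S3", "pos_ts": 120, "arrived": 121},
    ]


if __name__ == "__main__":
    plan = assign_store_ranges(range(101, 111), instances=2, threads_per_orgid=3)
    for slot, store_range in plan.items():
        print("instance %d thread %d ->" % slot, store_range)
    print("no delay, S1 25 s late :", replay(one_store(125), 0))
    print("30 s delay, S1 25 s late:", replay(one_store(125), 30))
    print("30 s delay, S1 70 s late:", replay(one_store(170), 30))
```

With the delay set to 30 seconds, the object that arrives 25 seconds late is still published in store order; the one that arrives 70 seconds late exceeds the tolerance and is published after newer objects.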
xcenter.properties Settings
See “Pre-Installation Configuration” of Chapter 3, “Install Xstore Office” for more
information about this file.
cluster.processes.enabled
This property controls whether this instance of Xstore Office will run any re-sequencing
publisher threads.
replication.publisher.resequencing_delay.seconds
This property defines the time delay used to allow re-sequencing to work. See “How
data is re-sequenced” for details. Many factors determine what this value should be; a
reasonable range could be from 5 to 300 seconds.
Valid Values: (number of seconds)
replication.publisher.polling_interval.milliseconds
This property defines how often the re-sequencing publisher will poll the
rpl_replication_data table for new objects to process. 3000 is a reasonable value
for this.
replication.publisher.threads_per_orgid
This property defines how many replication re-sequencing publisher threads will be
running on this instance of Xstore Office. This same number is used for each
organization ID's data (for example, if this installation of Xstore Office manages 2
organization IDs of data, and replication.publisher.threads_per_orgid = 3,
then there will be 6 total threads running).
dtv.xcrepl.db.driver
JDBC driver to be used for the Xstore Office replication database.
dtv.xcrepl.db.url
JDBC connection URL to be used for the Xstore Office replication database.
dtv.xcrepl.db.user
Encrypted username string to connect to the Xstore Office replication database.
dtv.xcrepl.db.password
Encrypted password string to connect to the Xstore Office replication database.
rpl_replication_data Table
Table G-1: rpl_replication_data Table
publish_status | VARCHAR2(32) | Any value from the Java enum ReplPublishStatus: NEW, REPROCESS, UNBROADCASTED, COMPLETE, or ERROR. | This field is where the replication process stores the processing status of each replication object. Each object starts as NEW, and is transitioned to either COMPLETE (fully processed), UNBROADCASTED (saved to Xstore Office database but failed to make it to the Broadcaster system), or ERROR (failed to get saved to Xstore Office database). Only records marked as COMPLETE may be safely deleted from this table. When the ERROR record is reprocessed, its status will be changed to REPROCESS and be picked up by replication system again.
- If no filters are specified, the system searches all that apply. The maximum
number of rows returned in the data table is 500, and a warning will be
displayed if the result set is more than that. The records in the data table are
sorted by update date (the last modified date) by default, and can be reordered
by clicking on the column headers.
Delete - Delete replication error.
Reprocess - Reprocess the replication error record.
A data table shows the search result. The detail information about each result (error
detail, system runtime stack trace) can be found by clicking on each row on the table. A
popup window opens to show these details. Reprocess information is also shown
(reprocess user id, last reprocess time, total reprocess attempts).
See the Oracle Retail Xstore Office User Guide for more information about this feature.
e-Receipts
If e-Receipts are not being sent by Xstore Point of Service, you may need to set the
<UseTLS> option to false in SystemConfig.xml. This option is shown in the following
example.
Example
<Email dtype="Default">
<!-- DefaultMailHost needs to be modified to identify the
email host of (usually) the home office. -->
<DefaultMailHost dtype="String">server.company.abc</DefaultMailHost>
...
<UseTLS dtype="Boolean">false</UseTLS>
...
<!-- This needs to be modified to reflect the valid email
address of (usually) a store manager. -->
<DefaultRecipient dtype="String">storeManager@thisOrg.abc</DefaultRecipient>
...
<!-- When UseTestingMode = true, only email addresses
containing any of the strings in the comma-separated value of
TestingModeAddressFilter will be targeted for emails. When
UseTestingMode = false, all emails will be delivered regardless
of the target email address. -->
<UseTestingMode dtype="Boolean">true</UseTestingMode>
...
</Email>
Uninstall procedures for Jetty and Apache Tomcat are included in this appendix.
Uninstalling Jetty
Follow the procedure in this section if you need to uninstall Jetty for any reason.
1. Stop Jetty:
- Windows: Stop the service through the Services window (accessed through the
control panel).
- Linux: Kill the application.
2. On Windows, remove the service:
a. Navigate to the Jetty installation directory.
b. Run the file UninstallJetty.bat.
3. Remove the Jetty installation folder.
1. Stop Tomcat:
- Windows: Stop the service through the Services window (accessed through the
control panel).
- Linux: Kill the application.
2. On Windows, remove the service.
a. Navigate to the Tomcat installation directory.
b. Run the command:
tomcat9.exe //DS//<service name>
Overview
Xstore Point of Service can use Oracle Store Inventory Management (SIM) to manage
inventory information. Xstore Point of Service uses the following functions in SIM:
• Inventory Inquiry: This feature is provided to enable Xstore Point of Service to
check the item inventory in Home Store, Buddy Store, Specific Store, and Transfer
zone. The Item Inventory feature is available to Xstore Point of Service client only
when the Xstore Point of Service client is in the Online mode.
• Item Basket: This feature is provided for line busting using the Store Inventory
Management handheld. The items in a customer basket are scanned using the Store
Inventory Management handheld and staged in the Store Inventory Management
database. Xstore Point of Service can then look up the basket details and add the line
items to the sell item screen.
• Serial Number Validation and Update: Xstore Point of Service supports serialized
items. The operator is prompted to enter/scan the serial number of the serialized
item on the Xstore Point of Service client. The serial number that is entered is then
validated by interfacing with Store Inventory Management. Once the transaction is
tendered, the serialized items along with the captured serial number are sent to
Store Inventory Management for updating the status of the particular serial number.
• Inventory Reservation: Xstore Point of Service interfaces with Store Inventory
Management to send the order transactions so that the items can be marked as
reserved in Store Inventory Management. Also, once the items are picked up or
delivered to the customer, the status needs to be updated in Store Inventory
Management.
• Real Time Inventory Status Update: This interface sends Xstore Point of Service
transactions to Store Inventory Management to update the inventory status based on
the transactions.
Xstore Point of Service communicates with SIM through web services. See “Integration
using a Web Service”.
Item Disposition
The retailer can map the SIM inventory adjustment reason codes with the Xstore Point of
Service reason codes and send it to SIM in the web service call.
SIM uses these reason codes to identify the item disposition against the reason code and
updates the inventory buckets appropriately. SIM processes the web service call and
increments the SOH, performing the inventory adjustment based on the disposition.
The following item dispositions are the valid mapped dispositions:
• Available to Sell (ATS) to TRBL -- This disposition moves the inventory from
Available to Unavailable. For the retailer, this means the stock is taken in and made
unavailable to sell.
• ATS to Distributed (DIST) -- This disposition moves the inventory from Available to
Out of inventory. The end result is that the SOH is incremented and then decremented again.
For the store person, this means the return is accepted, but the returned item is
not in a condition to go back on the rack, so it is destroyed.
Error Handling
Error handling is limited to logging errors during the inventory lookup. Exceptions
such as IOException and invalidItem that occur during WSService communication are
logged for error tracking and resolution and re-thrown as WSException.
Logging
Xstore Point of Service to Store Inventory Management uses Log4J for logging. The
following logging levels can be used:
• Info: For logging information messages.
• Debug: For logging all the debug messages.
• Error: For logging application errors.
The logging level can be configured with log4J.xml. See Configuring Logging in Xstore
Point of Service for more information.
This section provides a guideline for the order in which the Oracle Retail applications
should be installed. If a retailer has chosen to use only some of the applications, the
order is still valid, less the applications not being installed.
Description of Change
Added Fiscal Module Unit (FMU)
• Added the Fiscal Module Unit (FMU) to table 4-3
Additional step added when the HTTP server certificate is generated
• Added an additional step to import HTTP server certificate into Xenvironment (\environment\res\ssl\.truststore or /opt/environment/res/ssl/.truststore).
Install WebLogic
Enable Only Strong Cipher Suites
• Added example for the format of the ssl block in the config.xml file
Prerequisites for Installing Xstore Point of Service
• Added Linea Pro 5 to supported peripherals for 5th and 6th generation iPods.
• Changed name of Jetty password obfuscation utility to jetty-util-9.4.8.vXXXXXXXX.jar.
Prerequisites for Installing Xstore Office
• Added Windows 10 IOT Enterprise LTSB 2016 (1607) to list of supported operating systems.
• Added “Backup and Recovery” section.
Prerequisites for Installing Xstore Point of Service
• Added Windows 10 IOT Enterprise LTSB 2016 (1607) to list of supported operating systems.
• Added “Backup and Recovery” and “Geolocation and Device Identifiers” sections.
Install Xstore Point of Service
• Added step for adding the encrypted cash drawer credential to the system.properties file to the “Enable Networked Cash Drawers” section.
Prerequisites for Installing Xstore Office
• Returned SQL Server 2012 SP1 and SQL Server 2014 SP1 to the list of supported databases.
Prerequisites for Installing Xstore Point of Service
• Returned SQL Server 2012 SP1 and SQL Server 2014 SP1 to the list of supported databases.
Install Xstore Point of Service
• Added “Configure Xenvironment for Thin Client” section.
Install Xstore Point of Service
• Added step for selecting the installation type.
• Removed advanced installation option selection.
• Removed Disable Mobile startup? and Disable Tablet startup? settings from installation procedure.
• Added RSA Private Key Path and RSA Private Key Password settings for Xstore POS Mobile.
• Added Customer Engagement Auth. Token Name setting for ORCE integration.
• Added Schema Creation Details step in installation procedure.
• Added Xstore POS Lane Checkout Interface installation procedure.
• Removed “Xenvironment System Password” section.
• Replaced specific version number for Jetty obfuscation password utility with a <version> placeholder.
Lane Checkout User Interface
• Removed Xstore POS Lane Checkout Interface installation procedure.
Prerequisites for Installing Xstore Point of Service
• Added DataLogic Magellan 1100i, Ingenico iSC250, and Toshiba TCxWave 6140-100 to table “Supported Hardware Peripherals for Xstore Point of Service”.
Description of Change
Install Xstore Office
• In “Edit Batch File or Shell Script”, updated setting within USER_MEM_ARGS to -Xms4096m.
• In “Edit Batch File or Shell Script”, now include Linux and Windows versions of the file.
Description of Change
Entire document
• Changed “Xstore for Grocery” to “Xstore Point of Service Lane Checkout User Interface User Guide”.
Description of Change
Install Xstore Point of Service
• Removed RXM Username and RXM Password from RXM step.
• Added RXM Container Username, RXM Container Password, RXM Application Username, RXM Application Password, and RXM Site ID to configurations in the RXM step.
Description of Change
Getting Started
• In Xstore Point of Service section, described why it is not eligible for PA-DSS validation.
Prerequisites for Installing Xstore Point of Service
• Replaced Micros WS5 MSR with Oracle Micros WS620/WS650 MSR in list of MSRs in Supported Peripherals.
• Removed IBM ANPOS MSR from list of MSRs in Supported Peripherals.
• Replaced Epson TM-T88IV with Epson TM-T88V in list of receipt printers in Supported Peripherals.
• Added Epson TM-H6000IV to list of receipt printers in Supported Peripherals.
• Added Ingenico iSC250 to list of supported signature capture/PIN pad/MSR devices in Supported Peripherals.
• Replaced Micros 2010 Line Display with Oracle Micros Workstation 620/650 Line Display in list of supported pole displays in Supported Peripherals.
Description of Change
Prerequisites for Installing Xstore Point of Service
• Removed Red Hat Linux 6 and 7 from list of supported operating systems.
• Removed Linea Pro 5 peripheral from Supported Hardware for Xstore POS Mobile.
• Updated mobile operating systems for Xstore POS Mobile.
• Removed support for Workstation 610.
• Changed JRE to 8.
• Changed JDK to 8.
• Changed JCE Policy to 8.
• Removed step setting JAVA_HOME variable.
• Added Jetty Obfuscation Utility information.
• Updated operating systems for Xstore POS Mobile.
• Removed Epson TM-H6000 II, Epson TM-H6000 III, Epson TM-T88III, Epson TM-T88V, IBM 4610 Suremark from list of supported receipt printers.
• Removed Ingenico iSC250, VeriFone MX850, VeriFone MX860, VeriFone MX870 (no keypad) from list of supported Signature Capture/PIN Pad/MSR devices.
Install Xstore Point of Service
• Added additional information for Xstore POS Mobile installation.
• Removed steps for PayPal integration.
• Updated fields for 16.0.
• Added RXM integration, including “Configure Xstore Point of Service for Retail Extension Module” section.
• Added AVS integration, including “Configure Xstore Point of Service for Address Verification Service” section.
• Added UFTP installation procedure.
• Removed steps and information for configuring Xstore Payment.
Description of Change
Install Xstore Office
• Updated “xcenter.properties Sample” with new sample file.
• Added “Configure WebLogic Server” section.
Prerequisites for Installing Xstore Point of Service
• Added “Workstation 610, 620 and 650 Systems with Oracle Databases” section.
Description of Change
Updated entire document and all procedures to reflect Oracle formatting and standards.
PCI Best Practices
• Removed version numbers list from first page.
• Added Overview of the Cardholder Data Environment diagram.
• Added Cardholder Data Flow Diagram diagram.
Description of Change
The following changes were made to address the vulnerability (Heartbleed) in OpenSSL for Apache:
Public Key Certificates
• When installing on Linux, OpenSSL 1.0.1g (or a newer 1.0.1 version, if available) should be installed, replacing OpenSSL v1.0.0* Light.
Installing Xstore
• 2013 C++ Runtimes have replaced Visual C++ 2010 SP1 Runtimes (x86).
Description of Change
Public Key Certificates
• Added new steps for adding Xcenter’s cert in Xenvironment’s trusted ca bundle. Xenvironment needs Xcenter’s cert in its trusted ca bundle because it directly requests deployments from Xcenter. Certs are now required for both Xcenter and the Apache server.
Description of Change
PCI Best Practices
• Added information and procedures for deleting expired certificates and keys once the keys and certificates reach the end of their usable life.
Description of Change
Apache Install
• Moved create upload folder step from prerequisite to post install.
Description of Change
Communication Ports
• Xstore JMX Console, port 2020 - removed recommendation for not opening a firewall.
• Xpay Ports - added store location and notes.
Apache Install
• Added prerequisite for creating an upload folder in the htdocs folder in the Apache install.
Uninstalling Appendix
• Removed uninstall procedures from the main flow and added them to a new appendix.
DataLoader Install
• Added “To Load Xcenter Admin User Records via DataLoader” procedure.
Description of Change
Xenvironment
• Added troubleshooting tip for Xstore version 4.8 and below.
• Updated install procedure.
JBoss Install
• Removed the step for enabling authentication in the Xcenter EAR file (no longer needed).
Description of Change