Introduction

This FAQ answers common questions about deploying and operating the Intershop Commerce Platform. It covers topics like infrastructure, security, and questions regarding specific apps to help users configure and maintain their environments.

References

• Support Article - PWA FAQ

General

Can a Separate Test Environment be Provided?

Intershop does not typically provide a separate test environment.

However, when upgrading with a severe DBMigrate, it may be necessary to verify the execution on the PRD platform in advance in the Intershop Commerce Platform test environment.

In such exceptional cases, a separate test environment can be provided by prior arrangement.

How to Use a Transfer Server?

The following sections describe how to set up and use a transfer server for ICM 11+.

Setup

The following transfer servers are available:

• ops-ca-trans01.westeurope.cloudapp.azure.com (to be replaced)

• ops-ca-trans02.westeurope.cloudapp.azure.com

• ops-ca-dev-us-trans01.centralus.cloudapp.azure.com

To use these transfer servers for ICM 11+, implementation partners (DEV) must specify user access details on the customer system Confluence page. This involves determining which users can access specific SFTP user spaces and providing the corresponding public SSH keys.

The following standard SFTP users are available (replace CSTMR with the appropriate CustomerID):

• icm_CSTMR_int

• icm_CSTMR_uat

• icm_CSTMR_prd

• ish_dev_dumps_CSTMR

Connections are established via SFTP, not SSH.

Example:

$ sftp icm_CSTMR_int@ops-ca-trans01.westeurope.cloudapp.azure.com:/home      
Connected to ops-ca-trans01.westeurope.cloudapp.azure.com.
Changing to: /home
sftp> ls -l
drwxr-xr-x    5 1001     1001         4096 Aug 29  2023 Demo
sftp> ^D

The Intershop Cloud Operations team will roll out all keys to the related transfer server.

Usage

If an SFTP user is required for the transport framework (ICM jobs), we need to add SSH keys for the ICM appserver users within the ICM Pods.

ICM developers must generate the SSH keys themselves, place them in the site's file system within the Pods, and configure the transport framework accordingly.

Typically, one key is required per environment: PRD (LV+ED), UAT (LV+ED) and INT LV+ED), resulting in three keys in total.

For example, for a customer (replace CSTMR with the appropriate CustomerID), keys are deployed to /intershop/sites/root/units/root/transportconfigs/.

Private keys must be stored in the ADO GIT repository within the cartridge CSTMR_migrate/src/main/resources/resources/CSTMR_migrate/sites/root/units/root/transportconfigs/” in files prd_id.rsa.

Implementation partners must decide on the SSH key naming convention for UAT and INT shares, for example "test".

Example:

intershop@icm-CSTMR-int-edit-icm-as-6d75675867-x66wj:/intershop $ ls -l /intershop/sites/root/units/root/transportconfigs/
-rwxrwxrwx 1 intershop intershop 1743 Mar  3 17:17 prd_id_rsa
-rwxrwxrwx 1 intershop intershop  471 Mar  3 17:17 prd.pub
-rwxrwxrwx 1 intershop intershop 1751 Mar  3 17:17 test_id_rsa
-rwxrwxrwx 1 intershop intershop  473 Mar  3 17:17 test.pub

• Use the following path: /intershop/sites/CSTMR-Site/units/CSTMR/impex/config

• The path /intershop/sites/root/units/root/transportconfigs/ is to be used in the transport framework configs.

• The keys should be created with OpenSSH, ex: ssh-keygen -t ed25519 -C "intershop@CSTMR_INT"

• The implementation partner must submit the created SSH public keys via a Service Now ticket, so the OPS team can add them to GIT and deploy them.

How to Configure the Transport Framework for SFTP-Based Data Import/Export?

To enable the import or export of data from an SFTP-based transfer server or service to the Intershop application server and vice versa:

1. Log in to the Intershop Organization Management as a user that has at least the access privilege Transport Manager assigned.

   • URL: https://<my_domain>/INTERSHOP/web/BOS/SLDSystem

   • Organization: Operations

2. From the left menu, select Transport Configuration.

3. Select a transport configuration from the list or create a new one (Type: SFTP).

4. Enter the following configuration details:

Is There an Automatic Cleanup for .bacpac Files on the FTP Server?

There is no automatic cleanup of exported .bacpac files on the FTP server. The implementation partner is responsible for their maintenance and cleanup.

Which Time Zone Is Used on Server Side?

The server-side time zone is set to UTC and cannot be changed. This ensures consistency for platform processes. Use application-specific options to adjust the time zone as needed (e.g., in the back office).

Is There a Microservice Framework Available in the Standard Intershop Commerce Platform Setup?

The Intershop Commerce Platform supports hosting and operation of custom microservices.

Since microservices are typically highly customized, costs depend on the required infrastructure resources and operational effort. Operational effort is influenced by factors such as the number of deployments, the number of incidents, etc.

Microservices are run in containers within a Kubernetes cluster. To prepare a detailed offer, a complete infrastructure sizing is required.

Infrastructure

How Are Services Exposed?

Services are exposed via Nginx. Each cluster has an external IP address and DNS names in the format:
<customer-system>-<environment>.platform.intershop.de.
Customers use C-NAME records to point their DNS to xyz.platform.intershop.de. This setup allows us to move customer instances between clusters without service interruption.

If a customer wants to use a top-level domain for a service, such as myshop.de, an A-NAME record must be used. Additional infrastructure can then be applied to provide a specific IP address for that name.

Is Zone Redundancy Supported for AKS?

Currently, our clusters operate in a single zone. However, clusters can be configured to use multiple zones. This configuration might lead to a performance loss if the Azure SQL Managed Instance is located in a different zone.

How Long Does It Take to Start a Pod?

ICM application server pods typically take approximately 60 seconds to start.

How Is Scaling Managed, and Who Is Responsible for It?

Scaling is managed either by implementation partners or the operations team. Deployment configurations include a replicaCount value that can scale the system up or down. Each namespace has resource quotas that limit the number of pods.

Security

What are the Requirements for DNS and SSL/TLS Certificates?

The customer is responsible for (external) domains and related DNS configuration, for example, for PWA/ICM or any external (headless) storefront. Therefore, the customer needs to provide corresponding SSL/TLS certificate(s) for each desired domain, e.g., one per ICM cluster or multiple certificates per ICM cluster in case of different channels made available under different domains, see below.

Generally, domain configuration should be done on a CNAME basis, whereas Intershop will provide the target domain name for corresponding environments and clusters.

Please consider that Intershop offers to set up an automatic Let's Encrypt certificate management process. For every domain a free-of-charge, secure, and automated certificate renewal process will be established. This reduces effort on the customer and Intershop sides to replace the certificate every year and reduces possible manual mistakes during certificate replacement.

The requirement for this is an already-configured DNS (CNAME) record for the related domain pointing to the Intershop platform.

In the future, the renewal of certificates will be 47 days (see here for details), which implies that we have to automate such configuration changes.

How Is the Web Application Firewall (WAF) Integrated?

The WAF is an optional package and is not included by default.

How Are Backups Stored, and Are They Immutable?

The shared file system is fully backed up once per day. Databases managed by Azure SQL Managed Instance support point-in-time recovery.

How Is Customer Separation Ensured in Kubernetes?

Each customized application and environment has its own namespace (e.g. cstmr-icm-int, cstmr-pwa-int). These namespaces are protected using Role-Based Access Control (RBAC) policies. Access to databases (JDBC connection string) is provided via Kubernetes Secrets, which are also secured by RBAC and Service Account.

Is the Database Connection Encrypted?

Yes, Azure SQL Managed Instances use transparent data encryption with system-managed encryption keys.

How Are Identities Managed?

We use “managed identities” created within the Kubernetes cluster context. These identities have access to container registries and are used to provide Docker images for the cluster.

How to Set up a VPN? (If Necessary)

General

By default, Intershop Commerce Platform solutions, hosted on Microsoft Azure, are accessible on the Internet via a public IP address. To grant customer and partner clients or servers access to Azure, their public addresses are kept on a whitelist. Those connections, for example, to storefront and back office sites or provided APIs are HTTPS-only and therefore TLS encrypted. TLS/SSL certificates are installed on the Azure web server tiers for that purpose. No additional VPN is required in this case.

A VPN is required if one of the clients or servers from partners or customers has no direct access to public internet. Typical cases are: internal services like mail (SMTP), ERP, or PIM. In this case, a VPN tunnel establishes a virtually direct and secured connection between the customer or partner and the Azure environment. Prior to configuring the VPN, precisely site-to-site (S2S) VPN, affected parties (e.g., the customer and Intershop) have to agree on networks to be used, i.e., one or more private IP address range(s). Those private IP ranges must not overlap with IPs or IP ranges already in use or planned to be used. For this reason, it is important for Intershop to know as early as possible whether a VPN is necessary and which private network range(s) should be used.

Example: The customer has a mail service on its private network, without direct access to public internet. It should be used to send e-mails originating in an Azure based Intershop Commerce Management environment (ICM). As the mail service has no access to public internet and therefore cannot be directly connected to, a VPN tunnel between Azure, where ICM is hosted, and the private network where the related mail service’s hosts are located is required.

Technical

To create a VPN tunnel between Azure and your (or your partners) on-premise infrastructure, Intershop requires the following information:

Apps: PWA

This document focuses on questions around operations. For more detailed questions about developing with the PWA, refer to Support Article - PWA FAQ.

Where Can the PWA Be Hosted OOTB?

Intershop Commerce Platform offers hosting and operation of the PWA.

As the PWA is typically highly individualized, the costs depend on the infrastructure resources required and the operational effort. The latter depends, for example, on the factors of the number of deployments, number of incidents, etc.

The PWA is operated using containers in a Kubernetes cluster. In order to prepare a concrete offer, a sizing of the entire infrastructure is necessary. 

Apps: ICM

Who is Responsible for Signing off UAT Changes?

The Intershop Commerce Platform partner can trigger deployments on UAT in self service, see Reference - Intershop Commerce Platform - Responsibilities Matrix.

Any other changes to the system that go beyond this must be agreed with Intershop in advance. The changes most likely affect system behavior and must be implemented in the production environment. The goal is to have consistent system settings for all environments.

How to Configure the Mail Service?

From ICM 11+, the mail service is handled directly in the ICM application. For details, see Cookbook - Mail Service.

Is There a Customized Maintenance Page for ICM N as There Was for ICM 7.10?

No. There is no special page or maintenance mode in ICM N Web Adapter containers that could be turned on. There will be no Web Adapter in new ICM versions in the near future.

How to Access Log Files?

With the transition from a VM-based to a Kubernetes-based infrastructure, log files are now accessible through our monitoring service, New Relic. Access to the monitoring will be handled by the user managment process. Developers need such access by default, because of this access should be requested by the initial user request, while customer contacts can request access if needed.

Each customer platform system has its own dedicated New Relic account. Within this account, you will find a log section that allows you to filter log data as needed.

How Does the ’ICM Shared Filesystem Sync’ Work?

This job is used to sync ICM environments, for example, UAT and INT. The sync is only done from Live to Live or Edit to Edit, but not from Live to Edit. The sync only takes place from higher to lower environments (for example, from PROD to PRE).

Which Version of the Database Backup Does the Point-in-time Restore Job Retrieve?

By default, recovery is only possible in a time frame of 7 days, independent of your backup schedule (weekly backup/daily backup/concrete backup). An extension is possible, but increases the costs. The maximum is 30 days.

The exact backup process is performed as for an Azure-managed database in Azure and is therefore not under the control of Intershop.

Is it Possible to Import .bacpac Files Directly from the FTP Server?

There is no automatic cleanup of exported .bacpac files on the FTP server. The implementation partner is responsible for their maintenance and cleanup.

Will Restore be Pseudonymized?

Pseudonymization is only done from PRD to a lower environment. Test users might be excluded. These need to be provided by partners and customers.

Data is replaced by random data, which can cause confusion in some corner cases.

How to Roll Back After the Maintenance Window?

In some cases, critical/blocking issues identified after the environment has been upgraded and went operational may require a rollback after the maintenance window.

Therefore, create a service desk ticket. If a database change happened, the old database will be restored within a full rollback.

Will Restore Have a Performance Impact on the PRD Live Environment?

This question refers to performing an ICM DB MSSQL PointInTime Restore with the following parameters:

• RESTORE_TIME=NOW

• RESTORE_SOURCE=prod-live

• RESTART_CLUSTER_AFTER_RESTORE=false

In this case, Restore should not affect the production system, since the target is usually UAT or INT. Nevertheless, we recommend that you perform the recovery at a time when traffic is low.

How to Reduce PRD Downtime for Platform Deployment with DBMigrate?

Whether DBMigrate needs too much time can already be checked in the lower environment. If this is the case, DBMigrate can be split or switched to DBPrepare (recommended).

Is a Reverse DBMigrate Possible?

At present Intershop does not provide a reference SQL script for a reverse DBMigrate.

Please create a service desk ticket and we will make you an offer.

Can a Partner Provide a Custom robots.txt?

Yes, a partner can provide a custom robots.txt file for the Intershop Commerce Platform Web Adapter (ICM-WA) using the Kustomize functionality. This allows for environment-specific configurations without altering the base Helm chart.

For detailed instructions and examples, please refer to the Intershop Helm charts documentation: ConfigMapMounts Kustomize.