Acquia Commerce Manager security

Acquia Commerce Manager provides security across multiple levels of the service. For a complete list of Acquia security information, see Security and compliance.

Acquia Commerce Manager authentication

Acquia Commerce Manager API and modules require authentication in the form of a HMAC-SHA256 message hash as a header within the request. HMAC is a keyed-hash authentication code that calculates message authentication involving a cryptographic hash function in combination with a secret cryptographic key. Information about securing HTTP requests with HMAC can be found in RFC-2104.

Acquia Commerce Manager Drupal module

The Acquia Commerce Manager Drupal module uses HMAC along with OAuth2 to secure communication from the Acquia Commerce Connector Service to Drupal. The Drupal module uses Simple OAuth which takes advantage of OAuth2 Bearer tokens. Information about OAuth2 can be found in RFC-6749.

Commerce Connector Service

The Acquia Commerce Manager REST API calls authenticate using HMAC v2 to protect your data and ensure that your secret keys stay secure, while utilizing the Access Key ID and Secret Access Key associated with your Acquia Commerce Manager subscription. For more information about Acquia’s HMAC implementation, see the Acquia HMAC specification.

IP allowlisting

The Commerce Connector Service service maintains a pool of IP addresses per AWS region for its outbound client connections to eCommerce backends. The eCommerce system can allowlist this pool of IP addresses to help safeguard against external access.

Each IP pool is made up of a dedicated set of Amazon Elastic IP addresses (EIP) reserved in the Acquia Commerce Manager production accounts. The EIPs can be dynamically associated to running instances of the Commerce Connector Service, enabling the Commerce Connector Service service to update seamlessly in the background while still providing the eCommerce back end a known connection address.