by Marcus Ledbetter | Apr 29, 2019 | eCommerce, eCommerce Security, magento, Navision
Integrating Magento with other platforms is always a challenge. Likewise, integrating Navision with other platforms is always a challenge. Naturally, trying to tackle a Magento Navision Integration project will not disappoint, if you are looking for a challenge! It is possible, however, and in this article we’ll provide a brief overview of how we approach getting Magento and Navision to talk to each other with our own clients.
No, There’s Not A Plugin For That
Let’s get this out of the way. You cannot simply go to the Magento Marketplace and grab a plugin to connect Magento with Navision. This can be a frustrating truth; however, if you consider the customized nature of Navision, it’s not hard to understand why. No two Navision installations are alike, and rarely are two Magento installations alike. Given that level of customization, there is no way to create a one-size-fits-all solution to integrate the two platforms. You’ll often see plugins advertised, but when you investigate, these typically turn out to be a custom development service for sale.
Our Approach to the Magento Navision Integration Project
First – Conquer the Language Barrier
Magento and Navision operate on different platforms. One sits in a Linux environment with a MySQL database, while the other sits in a Windows environment with an MS SQL database. The two platforms also speak different languages: Magento 2 exposes a REST API that is quite customizable, while Navision relies on a SOAP API that takes a slightly different approach. Because the two platforms have different access methods and reside on different servers, the most sensible approach is to develop a stand-alone piece that communicates with both.
Next – Configure Each Platform
Magento: In Magento 2, in order to communicate via the API you must create a user, then assign that user API privileges. These can be restricted to only the software areas needed for the integration (e.g. billing, inventory), so the integration’s credentials grant no more access than the sync requires.
Navision: Navision exposes a set of services called ‘Web Services’. Since the 2009 release, NAV allows access to web services via NTLM authentication. Once enabled and configured, Web Services make XML data available through a web interface. A user can view the XML structure documents as well as perform CRUD operations via the SOAP API.
Then – Develop the Middleware
Our solution centers around a piece of custom software we develop that operates between the two platforms. This ‘middleware’ is designed to read and write data to both platforms and perform whichever operations we choose. Since we primarily work with Magento, and our preferred platform is Linux, we build our middleware in a LAMP / LEMP environment, using an OOP PHP framework that typically runs on a Linux / Nginx / MySQL stack. The basic structure of our solution is this:
- Middleware queries Magento via the REST API. (generate an array of orders, customers, products, etc)
- Middleware parses through each record and writes / updates that data to the Navision platform.
Finally – Create A Schedule
Once your middleware piece is tested and performing as planned, the simplest method of automation is to create a scheduled server script. There are numerous ways to do this, and most developers have their own preference. In a nutshell though – decide how often your script needs to run, and how to control record volume to stay within memory / resource constraints, and set your schedule accordingly.
Gotchas & Other Considerations
While the overall concept is simple, actually creating a fine-tuned integration is rarely that simple. You’ll likely run into issues with memory, Navision server performance, bandwidth limitations, and more. The PHP > Magento API connection is fairly efficient. However, the connection to Navision can vary widely, depending on the setup. Some Navision setups can handle non-stop processing of data through web services, while others need to have it metered out in small doses to keep from locking tables and the like. There are also quirks with Navision to contend with – such as the way you have to create an empty record first, and then update it with data, making a two-step process out of what you would think needed only one. There are many more, but this is our basic approach and the main goal here is to get you off on the right path.
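The flow described above (page through Magento orders over REST, meter them into Navision over SOAP, and work around the create-then-update quirk) in a compact Python sketch. This is an added example, not the author’s PHP middleware: the NAV page name “WebOrder” and its field names are hypothetical, the two network transports are injected as callables (in production they would be an HTTP client carrying the Magento integration token and an NTLM-authenticated SOAP client), and the fakes at the bottom are constructed so the module runs offline.

```python
"""Magento 2 -> Navision order sync sketch (added example, not the author's PHP
middleware). Both transports are injected callables, so it runs offline."""
from typing import Callable, Iterator
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Hypothetical NAV page "WebOrder". The namespace pattern is the one NAV uses for
# page web services; take the exact element shapes from your own page's WSDL.
NAV_NS = "urn:microsoft-dynamics-schemas/page/weborder"
PAGE_ELEMENT = "WebOrder"

def magento_orders(get: Callable[[str, dict], dict], status: str = "processing",
                   page_size: int = 50) -> Iterator[dict]:
    """Yield orders page by page via searchCriteria, so memory is bounded by page_size."""
    page = 1
    while True:
        params = {
            "searchCriteria[filter_groups][0][filters][0][field]": "status",
            "searchCriteria[filter_groups][0][filters][0][value]": status,
            "searchCriteria[filter_groups][0][filters][0][condition_type]": "eq",
            "searchCriteria[pageSize]": page_size,
            "searchCriteria[currentPage]": page,
        }
        result = get("/rest/V1/orders", params)
        items = result.get("items", [])
        yield from items
        if not items or page * page_size >= result.get("total_count", 0):
            return
        page += 1

def nav_envelope(operation: str, fields: dict) -> str:
    """SOAP envelope for one page operation; Create/Update wrap the record in the page
    element, Read takes the key field. Values are XML-escaped so customer text cannot
    alter the envelope's structure."""
    inner = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in fields.items())
    if operation in ("Create", "Update"):
        inner = f"<{PAGE_ELEMENT}>{inner}</{PAGE_ELEMENT}>"
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<soap:Body><{operation} xmlns="{NAV_NS}">{inner}</{operation}>'
            '</soap:Body></soap:Envelope>')

def map_order(order: dict) -> dict:
    """Magento order fields -> NAV page fields (the NAV field names are hypothetical)."""
    return {"No": order["increment_id"],
            "Sell_to_Customer_Name": f"{order['customer_firstname']} {order['customer_lastname']}",
            "Amount": f"{float(order['grand_total']):.2f}"}

def sync_orders(get: Callable, call: Callable[[str, str], dict],
                batch_limit: int = 100, page_size: int = 50) -> dict:
    """One scheduled run; batch_limit meters the dose pushed into NAV, skipped orders make re-runs safe."""
    stats = {"created": 0, "updated": 0, "skipped": 0, "errors": []}
    for n, order in enumerate(magento_orders(get, page_size=page_size)):
        if n >= batch_limit:
            break
        record = map_order(order)
        try:
            if call("Read", nav_envelope("Read", {"No": record["No"]})):
                stats["skipped"] += 1
                continue
            # NAV quirk from the article: create an empty record first ...
            created = call("Create", nav_envelope("Create", {"No": record["No"]}))
            stats["created"] += 1
            # ... then update it with the data, carrying the Key that Create returned.
            record["Key"] = created["Key"]
            call("Update", nav_envelope("Update", record))
            stats["updated"] += 1
        except Exception as exc:  # one bad order must not abort the whole run
            stats["errors"].append((record["No"], str(exc)))
    return stats

# --- Constructed fakes standing in for the two servers (sample data, not real orders) ---
SAMPLE_ORDERS = [
    {"entity_id": 1, "increment_id": "100000001", "customer_firstname": "Ada",
     "customer_lastname": "Lovelace", "grand_total": 49.9},
    {"entity_id": 2, "increment_id": "100000002", "customer_firstname": "Bob",
     "customer_lastname": "Stone <B>", "grand_total": 120},
    {"entity_id": 3, "increment_id": "100000003", "customer_firstname": "Cy",
     "customer_lastname": "Lee", "grand_total": 7.5},
]

def fake_magento_get(path: str, params: dict) -> dict:
    size, page = params["searchCriteria[pageSize]"], params["searchCriteria[currentPage]"]
    start = (page - 1) * size
    return {"items": SAMPLE_ORDERS[start:start + size], "total_count": len(SAMPLE_ORDERS)}

class FakeNav:
    """Records exist only after Create; Update must carry the Key that Create returned."""
    def __init__(self):
        self.records = {}
    def call(self, operation: str, envelope: str) -> dict:
        op = ET.fromstring(envelope).find(f".//{{{NAV_NS}}}{operation}")
        fields = {e.tag.split("}")[1]: e.text for e in op.iter() if e is not op and len(e) == 0}
        no = fields["No"]
        if operation == "Read":
            return dict(self.records.get(no, {}))
        if operation == "Create":
            self.records[no] = {"No": no, "Key": f"key-{no}"}
        elif operation == "Update":
            if fields.get("Key") != self.records[no]["Key"]:
                raise ValueError("missing or stale Key")
            self.records[no].update(fields)
        return dict(self.records[no])
```

Two design points carry over directly to a real middleware: the Magento page size and the NAV batch limit are the two knobs that keep a scheduled run inside memory and NAV load constraints, and the Read-before-Create check makes a run idempotent, so a cron job that dies halfway can simply run again without producing duplicate sales orders.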
Much of our Magento Navision Integration success can be traced back to this article: Freddy’s Blog – Connecting to NAV Web Services from PHP. It is not Magento specific, but it goes into detail about the basic PHP to NAV connection using NTLM, and even links to an NTLM library you can use in your custom application.
by Marcus Ledbetter | Jun 17, 2015 | eCommerce, eCommerce Security, Security
So far, 2015 has been a busy year from an eCommerce security standpoint. At our shop, our eCommerce solutions are primarily built on the Magento platform, with a few smaller shops electing to use WordPress with an eCommerce plugin. All the same – we have had to install many upgrades and patches over the last few months. Given all the activity as of late – I thought I would throw together a quick eCommerce Security Checklist. This article is for developers that might not be familiar with best practices for eCommerce security, or even online shop keepers that are wondering if they are doing everything they can to keep their store, and their customers’ data, safe! We hope you find this useful and if you feel we have missed anything, please feel free to add it to the comments!
1. Secure your eCommerce Software
This eCommerce usage chart was compiled by AheadWorks, a premium supplier of Magento Extensions. Check them out at AheadWorks.com
There are so many eCommerce platforms out there. As I mentioned, most of our projects fall under Magento or WooCommerce – heavy on the Magento side. As you can see in the chart on the right, Magento and WooCommerce make up close to half of all eCommerce platforms in use! This means they are well respected and popular, but it also means they have a big target on their backs. Take every precaution to make sure your eCommerce software is updated and secure! Below are some steps to help you do just that.
- Magento Security Patches: Magento, specifically, uses a security patch method of handling urgent updates. Unfortunately, there is no quick “click this button to update” feature within the Magento interface. You have to have your developer apply these patches, unless you are comfortable logging in through a terminal window and applying them yourself. Magento has released 3 critical patches this year alone and if you are running a Magento site, it is critical that you install them. You can test your site for vulnerability and find out more about the patches here: Magento Security Patch Page & Testing Tool
- WordPress Automatic Updates: If you are using the WordPress platform, with WooCommerce or any other eCommerce plugin, we highly recommend taking advantage of its automated update features. WordPress releases updates quite often and they are generally in response to security threats. The WordPress team is quite vigilant in making sure their core software is as secure as possible. For more information on configuring automatic updates, visit this page: Configuring Automatic Background Updates
- WordPress Plugin Updates: Securing WordPress is only half of the battle. Unfortunately, you can have a fully secured WordPress installation and with even ONE out of date plugin, your whole site could be at risk! Since we are dealing with eCommerce, we would be naturally interested in making sure that WooCommerce, WP eCommerce, or whatever platform you use is updated. However – every single plugin in your WordPress site can be a potential security risk. Make sure they are all updated and as a general rule of thumb, if they aren’t critically necessary to your site – delete them! People are generally unaware how a seemingly simple plugin feature can be exploited to hack into your site. UPDATE THOSE PLUGINS!
- WordPress Theme Updates: While you are at it – make sure theme files are updated as well. Many of the more modern WordPress themes come bundled with all kinds of tools and widgets that could be subject to vulnerabilities. Check your WordPress update notifications periodically to make sure there isn’t an available update. NOTE: Updating a theme can potentially trash your website if you, or your developer, made changes to the theme’s core pages. If you are unsure, ask your developer. When you can, always develop using a Child Theme – this way, you can take advantage of your master theme updates without the risk of losing all of your page design settings! Read here about child theme development strategies. It’s really pretty easy and it makes for a MUCH safer setup.
2. SSL Security
If you use an eCommerce tool such as MagentoGo, Volusion or another hosted solution – you won’t have to worry too much about this. If your site is self-hosted, either on your own server, or a server your web developer set up, then you NEED to take these steps!
Note: This section only applies if your site has an SSL certificate. If you access your shop like this: https://www.myshop.com then you are using an SSL certificate. If your site is processing transactions and taking credit card information under a regular http://www.myshop.com address, you are not using SSL. If that is the case, you NEED to be using SSL. Talk to your developer immediately and get this taken care of. If your site only takes payments through third party services such as PayPal, and all transactions happen OFF of your site, then you have nothing to worry about and you can skip this SSL Security section altogether.
- Heartbleed Bug Vulnerability: Late last year, a huge vulnerability was discovered in the software that manages SSL security on web servers (OpenSSL). They called this the Heartbleed bug and everyone was encouraged to update their software to newer, patched versions. You can check your site for this vulnerability here: Heartbleed Vulnerability Scanner
- Poodle Vulnerability: Funny name – not so funny if you don’t have it fixed! This vulnerability has to do with which SSL/TLS protocol versions your server allows. Many servers, by default, allow SSLv2 and SSLv3. Both of these are vulnerable, and you want to make sure that your server only allows the TLS protocol versions. You can check for this vulnerability here: Poodle Vulnerability Scanner
- General SSL Health: This tool is one we use quite often and it scans your server and reports back on several SSL security issues. The result of the scan will be a grade letter – A through F. If you run this and get a C, D or F – you need to talk to your developer or host and get the issues resolved. A score of C – you might still be ok, depending on which issues it flagged. If the scanner comes back with any items in red – then you NEED to pay attention to those! View the SSLLabs Server Scanning Tool.
If you sell things online, AND you take credit card information ON your website, please make sure you have a proper SSL certificate installed. Get with your developer or host and find out what to do. You can even give us a shout and we would be glad to tell you what you need to do – or do it for you if you need us to. As I said before – if your sales all happen somewhere else, such as PayPal, 2CheckOut, or something like that, then you don’t have anything to worry about.
3. Secure your Admin Panel
Keep this guy out of your site’s admin panel!
Some hacks happen through known vulnerabilities, where hackers can exploit something as simple as an image directory that still has write access and upload their own files to gain access to your site. Many times, however, hackers use known admin panel logins to simply log into your site’s admin panel and then do whatever they want! Don’t make it so easy on them! Below are some steps you need to consider to secure your admin access.
- Change Admin Username: Please, please PLEASE – do NOT use “admin” as your username. This is the default username for many systems and hackers are counting on this. They have software that guesses passwords – and it only works if they know your username to begin with! If you use a non-standard username like “MyStoreAdmin”, or something that doesn’t even have the word “admin” in it, then not only would they have to guess the password, they would have to guess your username first. That is often enough to make a hacker move along to a site with a much less savvy administrator.
- Changing the Admin Path: WordPress sites use /wp-admin for their admin panel. Magento uses /admin by default. Most sites have a default admin panel link and, again, the hackers know this. If you change this to something non-standard, it basically takes your site off of the hacker’s “low hanging fruit” list. Make breaking in even a little bit difficult and they often move on to another target. In Magento, you choose the path during setup. In WordPress – changing this is easiest with a security plugin that offers this option. We have used the iThemes Security plugin on many sites and it works really well.
4. Secure Transactions
In your store’s eCommerce settings – you have a lot of control over the types of transactions you allow, and how those transactions are processed. Below are some things to consider when taking people’s money online:
- Never Store a Credit Card Number: For reasons I do not understand, many eCommerce apps, including the great Magento, still offer offline credit card processing as a standard payment option. NEVER (I can’t repeat this enough) use this option. This is the option that saves the credit card number in fully readable fashion, for you to manually process later. They trust you will delete the number – but many people do not. I have seen this happen to store owners before and it is not pretty. The fines and liability you will face are significant.
- Use Off-Site Processing When Possible: If you are a small shop and you do not have a merchant account, a gateway account and all of that good stuff yet – that’s ok! Taking payments with PayPal Express, or any of a host of other off-site processors, might be a small headache for your clients, but it saves a lot of grief in the end. Sure – you’ll eventually want to handle everything on your site, but when you are starting out, it’s a good idea to use these services as long as you can. In fact, I find that on a lot of our websites that offer both, a huge portion of shoppers still prefer to use PayPal over entering their credit card numbers on our sites.
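The “never store a card number” rule is easy to state and hard to verify after the fact: offline payment methods, order comments and support notes all end up in the database. The following is an added example (not from the original article) of an audit a developer can run over exported order data to find stored card numbers before an attacker or an auditor does. It looks for 13 to 19 digit runs, applies the Luhn check that every real card number passes (which filters out most order numbers and phone numbers), and reports masked matches so the audit output itself never contains a full number. The records are constructed sample data using well-known test card numbers; the field names are assumptions.

```python
"""Audit exported shop records for stored card numbers (added example, not code
from the original article). Sample records below are constructed."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every double-counted digit is taken from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits, the usual masking rule."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked, Luhn-valid card-number candidates found in text.
    Luhn only removes most false positives; a valid hit still needs a human look."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def audit_records(records: list) -> dict:
    """Map each record's order number to the masked card numbers found in any field."""
    findings = {}
    for rec in records:
        hits = []
        for value in rec.values():
            hits.extend(find_pans(str(value)))
        if hits:
            findings[rec["order"]] = hits
    return findings


# Constructed rows resembling an export of an orders table; the card numbers are
# the public test numbers issuers publish for integration testing, not real cards.
SAMPLE_RECORDS = [
    {"order": "100000001", "payment_note": "paid via gateway token tok_ABC123"},
    {"order": "100000002", "payment_note": "offline cc 4111 1111 1111 1111 exp 09/17"},
    {"order": "100000003", "payment_note": "ref 1234567890123456"},
    {"order": "100000004", "comments": "customer phone 555-0100, card 5555555555554444"},
]
```

`audit_records(SAMPLE_RECORDS)` flags orders 100000002 and 100000004 and ignores the 16-digit reference in 100000003, which fails the Luhn check. Any hit means a full card number is sitting in your database: the fix is to disable the offline payment method, purge the stored values, and treat the finding as a potential PCI-DSS incident rather than just a cleanup task.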
5. PCI-DSS Auditing / Compliance
There are countless smaller shops out there that never give PCI-DSS compliance a second thought. Unfortunately, even if you sell 1 item a year, if your site is hacked and that breach results in credit card numbers or other personal information being released into the wild, the Payment Card Industry can, and will, come down on you. If your site is established and is a regular part of your revenue stream, then you really have little excuse to ignore PCI-DSS compliance. We don’t have time to go into everything involved in PCI-DSS compliance in this article, but you can find out more here: Why Comply with PCI Security Standards?
The biggest rule of thumb in dealing with your site’s security is to be PROactive and not reactive. Spending half an hour installing that patch is much better than losing days trying to rebuild a site that has been hacked, defaced and trashed. As bad as that is, it can always be worse. If you operate a store and your customers’ data is stolen and used fraudulently – you could be looking at significant liability if they are able to trace the breach back to your site. When you are dealing with eCommerce, security is simply too critical an issue to take lightly. We hope this has been helpful and again – if you have anything to add or share, please leave a comment! That only makes the article more useful for others.