This document provides an architectural overview and integration steps for connecting applications deployed to the Salesforce Commerce Cloud (SFCC) with the Cequence Application Security Platform.
Architectural Overview
[Figure: Traffic flow without Cequence ASP]
[Figure: Traffic flow with Cequence ASP]
Cequence ASP works with Salesforce Commerce Cloud (SFCC) to provide SFCC-hosted applications with comprehensive API visibility and governance, and with bot detection and mitigation. The SaaS-delivered Cequence ASP is integrated with Salesforce Commerce Cloud as a stacked content delivery network (CDN) inline in the traffic flow, serving as the front line for incoming client requests. Redirection is accomplished through a straightforward DNS update that sends application traffic to the Cequence CDN. A failover path is also configured so that, should the Cequence ASP become unavailable for any reason, traffic is forwarded directly to the SFCC eCDN application origin entry point.
Within Cequence ASP, incoming content is examined in two stages. Cequence Defender, the first stage, is optimized for high performance and quickly evaluates each message against policy-defined detection and mitigation rules. It determines fraud or threat levels and, if the request is safe, forwards a sanitized version of it to the SFCC embedded Content Delivery Network (eCDN), which forwards it to the application. When policy indicates, Cequence Defender may also take mitigation actions, including blocking the request or redirecting the response in various ways. Cequence Defender also asynchronously provides the Cequence UAP analytics engines with a normalized copy of the traffic for further risk assessment, evaluation, and policy-based governance.
Integration
In Salesforce
These steps are usually performed by the application customer.
1. Configure an External CDN or Third-Party Proxy
Select:
site | Merchant Tools | SEO | Customer CDN Settings.
2. Configure the custom Client IP Header
This allows SFCC to identify the custom request header injected by Cequence as the one carrying the client IP.
Under: Dynamic Content > Client IP Header Name
enter the value: cequence-client-ip
3. Configure the WAF Trusted IP List.
- Go to
Administration | Sites | Embedded CDN Settings | Configure Zone | Select Zone | Firewall
- Add the Cequence ASP egress IP (provided by the Cequence team) to the Firewall Trusted IP / WAF Trusted IP List.
4. Configure the DNS redirection to the Cequence CDN.
- Create a new DNS hostname record for the origin application (e.g., customerapp.example.com becomes origin-customerapp.example.com).
- Revise the DNS entry for the application to point to the Cequence-provided DNS CNAME (e.g., customerapp.example.com CNAME to customerapp.cequence.cloud).
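The SFCC-side steps above set up two things a reviewer will want to verify before cutover: that the zone has both the redirected application record and a separate origin record for the failover path, and that the client IP carried in the cequence-client-ip header is only believed when the request really came through Cequence (the trusted egress IP from step 3). The following added example, which is not Cequence or Salesforce code, models both checks with constructed zone records, a constructed egress range (203.0.113.0/24) and a placeholder origin target; the header-trust function is an illustration of the trust relationship, not SFCC's own implementation.

```python
# Added example (not Cequence or Salesforce code): a pre-cutover check for the
# SFCC-side steps above. Zone records, IP ranges and hostnames are constructed
# sample values; the egress range stands in for the one Cequence supplies.
import ipaddress

CLIENT_IP_HEADER = "cequence-client-ip"          # header name from step 2
APP_HOST = "customerapp.example.com."            # hostname redirected in step 4
ORIGIN_HOST = "origin-customerapp.example.com."  # new origin hostname from step 4
CNAME_TARGET = "customerapp.cequence.cloud."     # Cequence-provided CNAME target

# Constructed zone as it should look after step 4. The origin record value is a
# placeholder for whatever the SFCC eCDN entry point actually is.
SAMPLE_ZONE = {
    APP_HOST: ("CNAME", CNAME_TARGET),
    ORIGIN_HOST: ("CNAME", "ECDN-ORIGIN-PLACEHOLDER."),
}

# Constructed stand-in for the Cequence ASP egress addresses added in step 3.
CEQUENCE_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]


def check_dns_cutover(zone, app_host=APP_HOST, origin_host=ORIGIN_HOST,
                      cname_target=CNAME_TARGET):
    """Return a list of findings; an empty list means the zone matches step 4."""
    findings = []
    app_record = zone.get(app_host)
    if app_record is None:
        findings.append(f"{app_host}: no record, application is unreachable")
    elif app_record != ("CNAME", cname_target):
        findings.append(f"{app_host}: expected CNAME {cname_target}, "
                        f"found {app_record[0]} {app_record[1]}")
    origin_record = zone.get(origin_host)
    if origin_record is None:
        findings.append(f"{origin_host}: missing, the failover path has no target")
    elif origin_record == ("CNAME", cname_target):
        findings.append(f"{origin_host}: points back at Cequence, failover would loop")
    return findings


def effective_client_ip(peer_ip, headers, trusted_egress=CEQUENCE_EGRESS):
    """Pick the address to treat as the client.

    Models the trust relationship steps 2 and 3 set up: the injected header is
    honoured only when the TCP peer is a trusted Cequence egress address. A
    request arriving directly (during failover, or from anything that is not
    Cequence) keeps its peer address even if it carries the header, so a forged
    header cannot substitute for the real source address.
    """
    peer = ipaddress.ip_address(peer_ip)
    lowered = {name.lower(): value for name, value in headers.items()}
    header_value = lowered.get(CLIENT_IP_HEADER)
    if header_value is None or not any(peer in net for net in trusted_egress):
        return str(peer)
    try:
        return str(ipaddress.ip_address(header_value.strip()))
    except ValueError:
        # Malformed header from a trusted peer: fall back rather than fail open.
        return str(peer)


if __name__ == "__main__":
    print("zone findings:", check_dns_cutover(SAMPLE_ZONE))
    print("via Cequence:", effective_client_ip(
        "203.0.113.10", {"Cequence-Client-IP": "198.51.100.7"}))
    print("direct:", effective_client_ip(
        "192.0.2.44", {"cequence-client-ip": "198.51.100.7"}))
```

Run against a dump of the real zone and the egress list supplied by Cequence, the first function catches the two common cutover mistakes (origin record forgotten, or origin pointed at Cequence as well), and the second makes explicit why step 3's trusted-IP entry matters: without it, any source could present the header.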
Cequence Application Security Platform Configuration
These steps are done by Cequence:
- CNAME Target
Cequence will provide the DNS CNAME target to the customer. The customer uses this target to update the DNS record for the protected application. Once that is done, all application traffic is processed by Cequence before reaching the SFCC origin.
- TLS Certificate
Cequence will ask the customer to complete DNS validation so that it can issue a TLS certificate (using AWS Certificate Manager) for the protected application.
- Upstream Domain Provision
Cequence will provision the upstream domain for the protected application so that traffic can be routed to the SFCC origin.
- Application Availability Monitoring
Cequence will continuously monitor the Cequence ASP tenant for availability using the Amazon Route53 failover routing policy. In the rare event that the Cequence tenant goes offline, all application traffic is routed directly to the SFCC origin, bypassing Cequence completely, in order to preserve application uptime and availability.
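The failover described above keeps the application up, but while it is active no traffic is inspected, so the customer's own monitoring should be able to tell which state the hostname is in. The added example below, which is not Cequence or AWS code, is a simplified model of a health-checked primary/secondary record pair and a classifier for resolved answers; the target names are the sample hostnames from the DNS step, the failure threshold of three consecutive failed probes is an assumption for illustration, and a single successful probe restoring the primary is a simplification of real health-check behaviour.

```python
# Added example (not Cequence or AWS code): a model of the failover routing
# described above, used to reason about what the application hostname resolves
# to and to flag the "bypassed" state for monitoring. Targets and the failure
# threshold are assumptions for illustration.
PRIMARY_TARGET = "customerapp.cequence.cloud."          # Cequence CNAME target
SECONDARY_TARGET = "origin-customerapp.example.com."    # SFCC origin hostname
FAILURE_THRESHOLD = 3   # assumed: consecutive failed probes before failover


class FailoverRecordSet:
    """Primary/secondary record pair whose answer depends on a health check."""

    def __init__(self, primary=PRIMARY_TARGET, secondary=SECONDARY_TARGET,
                 failure_threshold=FAILURE_THRESHOLD):
        if primary == secondary:
            raise ValueError("secondary must differ from primary or failover does nothing")
        self.primary = primary
        self.secondary = secondary
        self.failure_threshold = failure_threshold
        self.consecutive_failures = 0

    def observe(self, probe_ok):
        """Feed one health-check probe result for the primary (Cequence) endpoint.

        Simplification: one successful probe resets the failure count.
        """
        self.consecutive_failures = 0 if probe_ok else self.consecutive_failures + 1

    @property
    def primary_healthy(self):
        return self.consecutive_failures < self.failure_threshold

    def resolve(self):
        """Answer the resolver would hand out for the application hostname."""
        return self.primary if self.primary_healthy else self.secondary


def classify_answer(answer, primary=PRIMARY_TARGET, secondary=SECONDARY_TARGET):
    """Label a resolved answer: 'bypassed' means requests are not being inspected."""
    if answer == primary:
        return "protected"
    if answer == secondary:
        return "bypassed"
    return "unexpected"


def simulate(probe_results, record_set=None):
    """Run a sequence of probe outcomes and return the state label after each."""
    record_set = record_set or FailoverRecordSet()
    states = []
    for ok in probe_results:
        record_set.observe(ok)
        states.append(classify_answer(record_set.resolve(),
                                      record_set.primary, record_set.secondary))
    return states


if __name__ == "__main__":
    print(simulate([True, False, False, False, True]))
```

A periodic lookup of the application hostname fed through classify_answer gives a simple alert condition: "bypassed" should be rare and short-lived, and "unexpected" (an answer that is neither target) points at a DNS change outside the integration.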