In Websphere Commerce, the user authentication process is always performed under SSL. This ensures that a third party using network-sniffing programs cannot snoop on the network when a user submits a password. Passwords are never decrypted during the authentication process, as is the common security practice. All user passwords are one-way hashed and encrypted using a 128-bit key, known as the merchant key. The merchant key is specified during installation and configuration of the WebSphere Commerce system.

Each Full WebSphere Commerce Test Environment will have a merchant key associated with it. This is the merchant key that was entered during Database instance creation.
Typically its value is: 1a1a1a1a1a1a1a1a
You can obtain the Merchant key by following these steps.
Steps:
I. In case you are working in the Client environ, follow steps II thru V for determining the merchant key.
II. Open Windows Explorer.
III. The merchant key is typically present in the location : WCDE_Install\conf\xml\config.xml
(e.g. D:\CommerceToolkit\conf\xml\config.xml)
IV. Find the entry inside config.xml which says “MerchantKey=”
V. This value (typically encrypted) is the Merchant Key for the current Database instance in action.
VI. In the server environment, the merchant key is located at
(Commerce Server Install Directory)\instances\(Instance Name)\xml\(InstanceName.xml)
(e.g.D:\ProgramFiles\WebSphere\CommerceServer561\instances\wcs1\xml\wcs1.xml)

Note:
I. What you find in WCDE_Install\conf\xml\config.xml
(e.g. D:\CommerceToolkit\conf\xml\config.xml) as the value of the Merchant key field is actually the encrypted version of 1a1a1a1a1a1a1a1a
II. You can obtain the plain-text (un-encrypted) value of the merchant key by placing the following scriptlet in any of the JSPs and run it on the server :
<"%=com.ibm.commerce.server.WcsApp.configProperties.getMerchantKey()%">

Labels: Commerce concepts