topic Re: Production Certificate Upgrades begin May 26, 2015 in Integration and Testing

Production Certificate Upgrades begin May 26, 2015

RichardH — Fri, 24 Apr 2015 20:05:54 GMT

Authorize.Net will upgrade and replace Production certificates for API services starting May 26, 2015. Technical details are provided for solutions connecting to Authorize.Net APIs that may need updates.

To see the full announcement, please see this blog post.

Re: Production Certificate Upgrades begin May 26, 2015

Dave51 — Mon, 27 Apr 2015 20:01:34 GMT

Our lower environment stopped working when calling apitest.authorize.net. While investigating I was informed that the Sandbox Environment moved to Dyanmic IP addresses. ( 23.x.x.x) My server is behind a firewall and the Secuirty Team is not comfortable approving PCI requests to any destination on the public net.

Do you have plans to move Production Environment to use Dynamic IP addresses as well?

Thank you, Dave51

Re: Production Certificate Upgrades begin May 26, 2015

RaynorC1emen7 — Mon, 27 Apr 2015 20:04:14 GMT

http://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/Authorize-Net-Begins-Infrastructure-and-SHA-2-Certificate/ba-p/49615

Yup it will go into production too.

Re: Production Certificate Upgrades begin May 26, 2015

kotowick — Mon, 27 Apr 2015 21:06:34 GMT

Richard,

In this post, you mentioned we need 3 certs.

However, you only mention one cert in this other post (Root 2 - GeoTrust Global CA).

We tested transactions with the test/sandbox API and it works on our production servers (becuase we have Root 2 - GeoTrust Global CA installed). Is there anything else we will need?

Re: Production Certificate Upgrades begin May 26, 2015

RichardH — Tue, 28 Apr 2015 17:09:30 GMT

We recommend everyone install all four certificates mentioned in our blog post, for minimal disruption, whether in Sandbox or Production:

Verizon Akamai SureServer CA G14-SHA2
Entrust Certification Authority – L1K
Entrust Root Certification Authority – G2
GeoTrust SSL CA - G4

Richard

Re: Production Certificate Upgrades begin May 26, 2015

Dave51 — Tue, 28 Apr 2015 17:26:18 GMT

I have just confirmed with my Network team that the firewall solution we use only allows IP. I can't create a rule by domain or URL. Do you have a white paper that I can bring to my internal teams ( Network and Security) to find a work around before Dynamic IP is actived in Produciton?

Thank you, Dave51

Re: Production Certificate Upgrades begin May 26, 2015

RichardH — Tue, 28 Apr 2015 20:36:08 GMT

Hello @Dave51

A good reference is this article by Matthew Pascucci of Algosec. In it he emphasizes using a DMZ on the perimeter to control inbound traffic (PCI 1.3.1) and controlling access between your internal systems and the DMZ to control unauthorized outbound traffic to the internet (PCI 1.3.5).

Richard

Re: Production Certificate Upgrades begin May 26, 2015

Dave51 — Wed, 29 Apr 2015 12:19:02 GMT

RichardH,

Appreciate the article. My server does sit in a DMZ zone between two firewalls. Will need to have a chat with my Network team.

Thank you, Dave51

Re: Production Certificate Upgrades begin May 26, 2015

Dave51 — Thu, 30 Apr 2015 14:54:51 GMT

Update: My Security Team has some concerns on this statement in the article. " Direct connections via IP address are strongly discouraged and will soon be disallowed." They site these reason for their concern and are asking why this direction was chosen.

* Changing to dynamic IP range without any identification of potential scope poses a significant security risk to our data as we cannot acertain with significant reliability our data is going to the correct destination.

* Authorization based on DNS lookup is insecure as these are easily spoofed.

* Is Authorize.net performing any ingress filtering from their customers?

Thank you, Dave51

Re: Production Certificate Upgrades begin May 26, 2015

Christophe — Thu, 30 Apr 2015 14:57:43 GMT

Is there any change for TLS support ? specifically, will TLS 1.0 still be supported ?

Re: Production Certificate Upgrades begin May 26, 2015

RichardH — Thu, 30 Apr 2015 15:25:18 GMT

@Christophe

We're not removing TLS 1.0 at this time, but merchants are always encouraged to support the strongest protocols possible which is currently TLS 1.2.

Richard

Re: Production Certificate Upgrades begin May 26, 2015

Lilith — Thu, 30 Apr 2015 15:46:46 GMT

@Dave51, can't you spoof IP addresses as well? In which case, direct IP address connections don't automatically provide more security, and in fact can defeat security since you have to disable TLS domain verification to connect.

We don't whitelist merchant IP connections. We do expect merchants to connect to our API endpoints by domain name and fully utilize TLS to secure the connection, however.

Re: Production Certificate Upgrades begin May 26, 2015

tpeierls — Thu, 07 May 2015 18:45:01 GMT

I just tested with test.authorize.net instead of secure.authorize.net and had no problems. Using Java 7 but didn't install any of the new certificates. Is test.authorize.net already enforcing SHA-2 or do I have to create a sandbox account?

Re: Production Certificate Upgrades begin May 26, 2015

flinacio — Thu, 14 May 2015 14:06:37 GMT

My company has some security limitations regarding dynamic IPs and domain connections, does anybody know when this infrastructure update is going to be implemented on production environment?

Re: Production Certificate Upgrades begin May 26, 2015

RichardH — Thu, 14 May 2015 19:59:01 GMT

Hello @flinacio

We are still waiting for the schedule for production. We will publish the information here as soon as possible.

Richard

Re: Production Certificate Upgrades begin May 26, 2015

RichardH — Thu, 14 May 2015 20:38:32 GMT

This Just In!

Our production release will occur around the first part of August. More details will be available in the next week or two and will be posted here in the community as well as through email to merchants, partners and developers.

Richard

Re: Production Certificate Upgrades begin May 26, 2015

Msimpson — Fri, 15 May 2015 00:02:47 GMT

Hello,

Will you please explain how can I know if I need to do anything about this? What are the use cases where I would need to do something?

I have a website with a secure certificate installed that connects to Authorize.net. Is this a use case where I would need to check and or do something?

Please be specific as I'm new to ssl. Thanks in advance.

Re: Production Certificate Upgrades begin May 26, 2015

icarroll — Fri, 15 May 2015 15:17:38 GMT

Hello.

We use the simple SIM (XML based) method to POST transactions to Authorize.net.

How do these certificate changes affect us or people like us?

Is this specific only to people using AIM?

Thanks!

Re: Production Certificate Upgrades begin May 26, 2015

RichardH — Fri, 15 May 2015 15:34:52 GMT

@Msimpson

The upgrades applies to all API endpoints your application may be using with HTTPS at Authorize.Net.

@icarroll

The impact for SIM is low since it is browser-driven and they already support these changes. If your implementation also connects using the Authorize.Net API (AIM), you will of course need to support these changes.

Richard

Re: Production Certificate Upgrades begin May 26, 2015

Lilith — Fri, 15 May 2015 15:43:16 GMT

@tpeierls Sorry for not responding sooner.

SHA-2 is a hash used to sign certificates (among other things) so it's not a matter of whether we're enforcing it, but whether your software will be able to use SHA-2 to validate our certificate's signature. SHA-2 has been around for over a decade at this point, so really we're concerned about legacy software here.

The certs on test.authorize.net and the rest of our Sandbox environment are currently signed using SHA-2. If your software can connect to test.authorize.net right now, you should be good on that front.

In August there will be other certificates your software will need to validate, also signed using SHA-2. And test.authorize.net should have that in place as well.