Configuring SSL encryption

Meet the PA-DSS requirements for SSL encryption and configure the encryption correctly.

Note: TLS is the successor of SSL. The term SSL is used to refer to the secure communication technologies within IBM® Safer Payments. In the IBM Safer Payments interfaces, all equivalent elements are named SSL.

For PCI DSS-compliance, follow these guidelines when you enable SSL encryption:

  • The API must be encrypted to securely transmit passwords.
  • All MCI endpoints must be encrypted when cardholder data is sent over public networks.
  • The ECI must be enabled for synchronization of encryption keys between cluster instances.
  • SSL and early TLS are not considered strong cryptography. Payment applications must not use, or support the use of, SSL or early TLS. Therefore, TLS 1.0 and 1.1 must be disabled for API, MCI, and ECI.
Note: The FLI and SCI do not support SSL encryption but instead encrypt attribute data based on the encryption settings defined in IBM Safer Payments.

For each interface that uses SSL encryption, encrypted SSL certificate files must be provided. IBM Safer Payments needs two files to support an encrypted connection: the server certificate and the private key, both in PEM format. The storage location of these files can be configured on the SSL Settings page. See Creating certificates with OpenSSL for details on how to create the required certificates.

  1. In the user interface, click the Cluster tab.
    Figure 1. Cluster settings
  2. Click the first instance of the Cluster Settings table.
  3. Scroll down to the Interfaces section. Click the Application Programming tab.
    Figure 2. API - SSL settings
  4. Select the application programming interface (API), Reject TLS 1.0, and Reject TLS 1.1 checkboxes.

    Add the file paths for the Certificate file, Certificate private key file, and Diffie Hellman file.

  5. Click the Encrypted Communication tab. Select the Encrypted Communication Interface (ECI), Reject TLS 1.0, and Reject TLS 1.1 checkboxes.

    Add the file paths for the Certificate file, Certificate private key file, and Diffie Hellman file.

  6. Click the Message Command tab. Select the Message Command Interface (MCI), Reject TLS 1.0, and Reject TLS 1.1 checkboxes.

    Add the file paths for the Certificate file, Certificate private key file, and Diffie Hellman file.

    Repeat for each endpoint.

  7. Repeat these steps for each instance.
Note:
  • SSL settings are configured per instance, because instances that run on different computers with different IP addresses require different certificates.
  • Enabling SSL encryption and changing the settings takes effect immediately.
  • From now on, you are prompted to enter the certificate passphrase on the console during startup of each instance. See Starting and stopping instances for details.
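Because the settings take effect immediately, it is worth checking the three files referenced in each interface's SSL settings (Certificate file, Certificate private key file, Diffie Hellman file) before enabling them. The following script is an added example and not part of IBM Safer Payments: it parses the PEM containers, confirms that the certificate file starts with a CERTIFICATE block, that the private key is passphrase-protected (which is what the startup passphrase prompt expects), and that the Diffie-Hellman file holds DH parameters. The PEM samples at the bottom are constructed stubs with a minimal DER body, not real key material; the script checks container format only, not cryptographic validity.

```python
"""Pre-flight check of the certificate, private key and Diffie-Hellman PEM files
configured for an SSL-enabled interface (API, ECI or MCI).

Added example; not IBM Safer Payments code. Only the PEM container format is
checked, not the cryptographic contents.
"""
import base64
import binascii
import re

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, matching END line.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 .]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
DH_LABELS = {"DH PARAMETERS", "X9.42 DH PARAMETERS"}


def parse_pem(text):
    """Return [(label, headers, decoded_bytes)] for every PEM block in text.

    Raises ValueError when a block's base64 body does not decode.
    """
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        headers, data_lines = {}, []
        for line in m.group("body").splitlines():
            if ":" in line and not data_lines:  # "Proc-Type:" / "DEK-Info:" headers precede the data
                key, value = line.split(":", 1)
                headers[key.strip()] = value.strip()
            elif line.strip():
                data_lines.append(line.strip())
        try:
            raw = base64.b64decode("".join(data_lines), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{m.group('label')} block body is not valid base64 ({exc})")
        blocks.append((m.group("label"), headers, raw))
    return blocks


def _is_der_sequence(raw):
    """Certificates, PKCS#8 keys and DH parameters are all DER SEQUENCEs (tag 0x30)."""
    return len(raw) > 0 and raw[0] == 0x30


def _blocks(text, what, findings):
    """Parse one file; record a finding and return [] if it is unusable."""
    try:
        blocks = parse_pem(text)
    except ValueError as exc:
        findings.append(f"{what}: {exc}")
        return []
    if not blocks:
        findings.append(f"{what}: no PEM block found")
    return blocks


def check_interface_files(cert_pem, key_pem, dh_pem):
    """Return a list of findings for one interface's three files; [] means ready."""
    findings = []

    certs = _blocks(cert_pem, "certificate file", findings)
    if certs:
        # Server certificate must come first; issuing chain certificates may follow it.
        if certs[0][0] != "CERTIFICATE":
            findings.append(f"certificate file: first block is {certs[0][0]}, expected CERTIFICATE")
        elif not all(_is_der_sequence(raw) for label, _, raw in certs if label == "CERTIFICATE"):
            findings.append("certificate file: a CERTIFICATE block does not decode to a DER SEQUENCE")

    keys = _blocks(key_pem, "private key file", findings)
    if keys:
        priv = [b for b in keys if b[0] in PRIVATE_KEY_LABELS]
        if len(priv) != 1:
            findings.append(f"private key file: expected exactly one private key block, found {len(priv)}")
        else:
            label, headers, raw = priv[0]
            # Encrypted either as PKCS#8 "ENCRYPTED PRIVATE KEY" or as a legacy block
            # carrying a "Proc-Type: 4,ENCRYPTED" header; anything else has no passphrase.
            legacy_encrypted = "ENCRYPTED" in headers.get("Proc-Type", "")
            if label != "ENCRYPTED PRIVATE KEY" and not legacy_encrypted:
                findings.append("private key file: key is not passphrase-protected")
            if not legacy_encrypted and not _is_der_sequence(raw):
                findings.append("private key file: block does not decode to a DER SEQUENCE")

    dhs = _blocks(dh_pem, "Diffie-Hellman file", findings)
    if dhs:
        if len(dhs) != 1 or dhs[0][0] not in DH_LABELS:
            findings.append("Diffie-Hellman file: expected a single DH PARAMETERS block")
        elif not _is_der_sequence(dhs[0][2]):
            findings.append("Diffie-Hellman file: block does not decode to a DER SEQUENCE")
    return findings


def check_paths(cert_path, key_path, dh_path):
    """Check the three files at the paths entered on the SSL Settings page."""
    with open(cert_path) as c, open(key_path) as k, open(dh_path) as d:
        return check_interface_files(c.read(), k.read(), d.read())


# Constructed samples: the body is a minimal DER SEQUENCE (30 03 02 01 05), not a real key.
_DER_STUB = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x05])).decode()
SAMPLE_CERT = f"-----BEGIN CERTIFICATE-----\n{_DER_STUB}\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_ENCRYPTED = f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{_DER_STUB}\n-----END ENCRYPTED PRIVATE KEY-----\n"
SAMPLE_KEY_LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    f"DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n{_DER_STUB}\n-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_KEY_PLAIN = f"-----BEGIN PRIVATE KEY-----\n{_DER_STUB}\n-----END PRIVATE KEY-----\n"
SAMPLE_DH = f"-----BEGIN DH PARAMETERS-----\n{_DER_STUB}\n-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    for name, key in (("encrypted key", SAMPLE_KEY_ENCRYPTED), ("plain key", SAMPLE_KEY_PLAIN)):
        print(name, "->", check_interface_files(SAMPLE_CERT, key, SAMPLE_DH) or "ready")
```

Run it with the three paths as arguments via `check_paths`, once per interface and per instance, and fix every finding before selecting the interface checkbox. After enabling the interface with Reject TLS 1.0 and Reject TLS 1.1 selected, `openssl s_client -connect host:port -tls1_1` against the endpoint should fail to complete a handshake, which confirms the setting from the outside.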