Configuring SSL encryption
Meet the PA-DSS requirements for SSL encryption and configure the encryption correctly.
For PCI DSS-compliance, follow these guidelines when you enable SSL encryption:
- The API must be encrypted to securely transmit passwords.
- All MCI endpoints must be encrypted when cardholder data is sent over public networks.
- The ECI must be enabled for synchronization of encryption keys between cluster instances.
- SSL and early TLS are not considered strong cryptography. Payment applications must not use, or support the use of, SSL or early TLS. Therefore, TLS 1.0 and 1.1 must be disabled for API, MCI, and ECI.
For each interface that uses SSL encryption, encrypted SSL certificate files must be provided. IBM Safer Payments needs two files to support an encrypted connection: the server certificate and the private key, both in PEM format. The storage location of these files can be configured on the SSL Settings page. See Creating certificates with OpenSSL for details on how to create the required certificates.
- In the user interface, click the Cluster tab.
- Click the first instance of the Cluster Settings table.
- Scroll down to the Interfaces section. Click the Application Programming tab.
- Select the application programming interface (API), Reject TLS 1.0, and Reject TLS 1.1 checkboxes.
Add the file paths for the Certificate file, Certificate private key file, and Diffie Hellman file.
- Click the Encrypted Communication tab. Click the Encrypted Communication Interface (ECI), Reject TLS 1.0, and Reject TLS 1.1 checkboxes.
Add the file paths for the Certificate file, Certificate private key file, and Diffie Hellman file.
- Click the Message Command tab. Click the Message Command Interface (MCI), Reject TLS 1.0, and Reject TLS 1.1 checkboxes.
Add the file paths for the Certificate file, Certificate private key file, and Diffie Hellman file.
Repeat for each endpoint.
- Repeat these steps for each instance.
- SSL settings are individual for each instance because different instances running on different computers with different IP addresses require different certificates.
- Enabling SSL encryption and changing the settings takes effect immediately.
- From now on, you are prompted to enter the certificate passphrase on the console during startup for each instance. See Starting and stopping instances for details.
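The steps above reference three files per interface (certificate, private key, Diffie Hellman file) and two outcomes to verify (the instance starts with the files you configured, and the endpoint refuses TLS 1.0 and 1.1). The script below is an added example, not part of the IBM Safer Payments documentation and not the procedure on the Creating certificates with OpenSSL page: it creates a self-signed certificate with a passphrase-protected key and a DH parameter file using the openssl command line, then checks that the certificate and key belong together, that the certificate is not about to expire, that the DH group is at least 2048 bits, and (against a running endpoint) that only TLS 1.2 and later are accepted. The function names, the host name `sp-instance-1.example.internal`, the passphrase `replace-me` and the file names are placeholders chosen for this example; the example assumes the openssl CLI (1.1.1 or later) is on PATH.

```shell
#!/bin/sh
# Added example (not from the IBM Safer Payments documentation): create the
# three PEM files the SSL Settings page expects for one interface and verify them.
# Assumptions: openssl CLI 1.1.1+ on PATH; host name, passphrase and file names
# below are placeholders.
set -u

# Self-signed server certificate plus passphrase-protected private key, both PEM.
# A CA-issued certificate would be used in production; the file format is the same.
gen_server_cert() {  # cert_out key_out passphrase common_name
    openssl req -x509 -newkey rsa:2048 -days 365 \
        -subj "/CN=$4" -addext "subjectAltName=DNS:$4" \
        -keyout "$2" -out "$1" -passout "pass:$3" 2>/dev/null
}

# Diffie-Hellman parameter file (2048 bits by default; generation is slow).
gen_dh_params() {  # dh_out [bits]
    openssl dhparam -out "$1" "${2:-2048}" 2>/dev/null
}

# The public key inside the certificate must equal the one derived from the
# private key; a mismatched pair (or a wrong passphrase) means the instance
# cannot bring up the interface after SSL is enabled.
check_cert_key_match() {  # cert key passphrase
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Fail if the certificate expires within 30 days (2592000 seconds).
check_cert_not_expiring() {  # cert
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null
}

# DH groups below 2048 bits are not strong cryptography; reject them.
check_dh_strength() {  # dh_file
    bits=$(openssl dhparam -in "$1" -noout -text 2>/dev/null \
           | grep -o '[0-9][0-9]* bit' | head -n 1 | cut -d' ' -f1)
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# After Reject TLS 1.0 / Reject TLS 1.1 are enabled, confirm the running
# endpoint refuses both and still accepts TLS 1.2. SECLEVEL=0 lets the *client*
# offer the legacy versions; without it a modern OpenSSL refuses them before the
# server does, and the probe would pass for the wrong reason.
# s_client exits 0 only when the handshake succeeded.
probe_tls_versions() {  # host port
    for v in tls1 tls1_1; do
        if openssl s_client -connect "$1:$2" -"$v" -cipher 'DEFAULT:@SECLEVEL=0' \
               </dev/null >/dev/null 2>&1; then
            echo "FAIL: $1:$2 still accepts $v"; return 1
        fi
    done
    openssl s_client -connect "$1:$2" -tls1_2 </dev/null >/dev/null 2>&1 \
        || { echo "FAIL: $1:$2 refuses TLS 1.2"; return 1; }
    echo "OK: $1:$2 rejects TLS 1.0/1.1 and accepts TLS 1.2"
}

# Demo run with placeholder values: ./ssl-files.sh demo
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    gen_server_cert "$dir/cert.pem" "$dir/key.pem" "replace-me" "sp-instance-1.example.internal"
    gen_dh_params "$dir/dh.pem" 2048
    check_cert_key_match "$dir/cert.pem" "$dir/key.pem" "replace-me" && echo "cert/key match"
    check_cert_not_expiring "$dir/cert.pem" && echo "certificate valid for more than 30 days"
    check_dh_strength "$dir/dh.pem" && echo "DH parameters are at least 2048 bits"
    echo "files for the SSL Settings page: $dir/cert.pem $dir/key.pem $dir/dh.pem"
fi
```

The private key is written encrypted on purpose: the instance asks for the certificate passphrase on the console at startup, so a key file without one would not match the startup behaviour described above. Run `probe_tls_versions <host> <port>` once per configured interface (API, ECI, MCI) on each instance, since the settings are per instance.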