Configuring SSL/TLS for YSoft SafeQ Payment System
By default, YSoft SafeQ Payment System is automatically redirecting all HTTP requests to encrypted HTTPS connection. In order to ensure secure connection, you need to use certificate trusted in your environment.
In case you want to communicate using unsecured HTTP, you have to set the following configuration option in the <payment_folder>\ps-conf \environment-configuration.properties (usually C:\SafeQ6\YPS\ps-conf \environment-configuration.properties ) configuration file:
web.channel=http
cashdesk.channel=http
restApi.channel=http
This is, however, not recommended.
This guide will help you with the configuration of the secured connection (HTTPS) to the YSoft SafeQ Payment System, using a CA-signed certificate.
CA-signed certificate requirements
The certificate must be signed by a certification authority trusted in your environment.
Certificate (fields Common Name and Subject Alternative Name) must contain all network names (i.e. all hostnames, fully qualified domain names and IP addresses) used for connection to the YSoft SafeQ Payment System.
For importing the certificate you need an appropriate format - Java Keystore (.jks file) containing the private key and whole certificate chain. The procedure below is simplified by creating a new keystore instead of reusing the existing one.
Both the keystore and key itself need to be protected by a password
In case your key/certificate is in a different format than Java Keystore, convert it following the guide in Conversions between different keystores and certificate types.
In case you do not have key/certificate at all, follow the guide in the Generating key/certificate in Java Keystore format chapter in System communication hardening.
Configuring YSoft SafeQ Payment System to use secure communication channel
This section describes the way how to make the web connection secure using the CA-signed certificate.
Stop YSoft SafeQ Payment System service on YSoft SafeQ server.
Copy your key/certificate in the Java Keystore format to the server where YSoft SafeQ Payment System is installed.
Set following attributes in <payment_folder>\conf\server.xml file:
keystoreFile = "absolute/path/to/your/keystore.jks"
keystorePass = "keystore protecting password"
keyPass = "key protecting password"
By default, keyPass attribute has the same value as keystorePass. Set this attribute if the key and the keystore are protected using different passwords.
(OPTIONAL) To secure communication between Payment Gateway Plugin and Payment System by your certification authority, if a payment gateway is used, the path and protecting password to your truststore.jks file containing CA certificate need to be provided. The default password of the truststore is "bYOARJ741l" (without quotes). Add the new configuration properties truststore.path and truststore.password to the Payment System's configuration (<payment_folder>\ps-conf\environment-configuration.properties), see Security.
In case you have important certificates in the truststore, you can use this same command to import your CA to the existing file. Just run this command inside the <payment_folder>\ps-conf directory.
In this situation you also need to delete the default YSoft SafeQ Payment System certificates from the current truststore (if they are not replaced yet):
keytool -delete -alias certalias -keystore truststore.jks
keytool -delete -alias ca_root -keystore truststore.jks
keytool -delete -alias ca -keystore truststore.jks
(OPTIONAL) Adding security to SMTP server. In order to establish secure communication between SMTP server and YSoft SafeQ Payment System (e.g. for email notifications), you also need to import your certificate to the default keystore located in <payment folder>\java\lib\security\ folder. For this, you can use the keytool again:
keytool -import -keystore <<payment folder>\java\lib\security\cacerts> -file <absolute path to your certificate> -alias <a name for the certificate>
Start the YSoft SafeQ Payment System service on YSoft SafeQ server.
Verify that YSoft SafeQ Payment System is functional and uses your own certificate (open https://<payment_system_IP>:8443 in browser, click on the lock and view certificate button). In case you did not disable the automatic redirection to HTTPS, opening http://<payment_system_IP>:8080 address will be automatically redirected to https protocol.
Example of Tomcat HTTPS configuration
The configuration is stored in <payment_folder>\conf\server.xml (usually C:\SafeQ6\YPS\conf\server.xml)
Keep HTTP non-SSL port (default 8080) as the first in XML. Installer requires HTTP port to be the first in definition. HTTPS should be the second.
<!-- Define a non-SSL HTTP/
1.1
Connector on port
8080
-->
<Connector port=
"8080"
protocol=
"HTTP/1.1"
connectionTimeout=
"20000"
redirectPort=
"8443"
useBodyEncodingForURI=
"true"
/>
<Connector port=
"8443"
protocol=
"org.apache.coyote.http11.Http11NioProtocol"
maxThreads=
"200"
scheme=
"https"
secure=
"true"
SSLEnabled=
"true"
keystoreFile=
"${catalina.base}/ps-conf/keystore.jks"
keystorePass=
"*****"
clientAuth=
"false"
sslProtocol=
"TLS"
sslEnabledProtocols=
"TLSv1.2,TLSv1.1,TLSv1"
ciphers=
"..."
useBodyEncodingForURI=
"true"
/>
The default, pre-installed private key is stored together with its corresponding certificate in <payment_folder>\ps-conf\keystore.jks file. Both, keystore and private key, are protected by the same password specified in configuration file with attribute keystorePass.
When client authentication is required (clientAuth attribute is set to true) then some attributes about truststore need to be added/modified in the "Connector" above:
truststoreFile="<path-to-truststore>"
truststorePass="*****"
clientAuth="true"
The ciphers attribute contains list of cipher suites you want to support. Following configuration is recommended:
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
Terminal Server configuration
Communication between Terminal Server (client) and YSoft SafeQ Payment System (server) is performed via REST API, secured by default with a certificate provided by Y Soft. Terminal Server has a copy of server certificate exported from YSoft SafeQ Payment System and the thumbprint of these two files is validated.
After you change the certificate used by YSoft SafeQ Payment System, it is needed to make it trusted on the Terminal Server machine. There are two options:
a. Replace the YPSClient.crt file in <spoc_folder>\terminalserver\Certificates\ directory on Terminal Server machine by your yps.crt file (renamed to YPSClient.crt), containing only the server certificate (excluding your CA).
b. Import the your certificate authority to the machine with running Terminal Server (follow the guide Installing your Root CA to truststores of YSoft SafeQ machines - Windows Certificate Store in the System communication hardening) and set the following system property:
ypsServerCertificateValidationType = STANDARD
YSoft Payment Machine configuration
Communication between YSoft Payment Machine - YPM (client) and YSoft SafeQ Payment System - PS (server) is performed via TCP on ports 4197 and 4199. By default a YPM communicates over TLS protocol, the only supported version is TLSv1, it also supports only the following two cipher suites TLS_DHE_RSA_WITH_AES_128_CBC_SHA and TLS_DHE_RSA_WITH_AES_256_CBC_SHA.
Default configuration of YPM and PS uses the protocol TLSv1 and the cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA. To support the stronger cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA the Java Cryptography Extension needs to be placed into <payment-folder>/Java/lib/security . Before the extension is used, a jurisdiction of a customer's country needs to be checked if the stronger cipher suite is allowed.
To change the current configuration, the following DB queries needs to be run:
-- enable/disable SSL communication
-- 'false' to disable SSL - NOT RECOMMENDED
-- default value is 'true'
update
configuration
set
value =
'true'
where
name
=
'spm.sslEnabled'
;
-- change SSL request protocol
-- default and only supported by YPM is 'TLSv1'
update
configuration
set
value =
'TLSv1'
where
name
=
'spm.sslRequestProtocol'
;
-- change SSL cipher suites
-- to use the stronger cipher suite, the extension needs to be installed
-- default and only supported by YPM are '
update
configuration
set
value = 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA
' where name = '
spm.sslCiphersWhiteList';