Whitelists and Trust Certificates
Trust Certificate
All source systems and integration points need to be compatible with the Sectigo Certificate. The superbundle.crt file provided with PAS contains the CA Certificate. See Paymetric Adapter for SAP (PAS) Connections for configuration instructions if needed.
Validate Connectivity for Whitelists and Trust Certificates
For the Windows and Linux tests below, use the hostname only. Do not include the protocol prefix https:// or anything after .com. For example, "cert-xipayapi.worldpay.com".
All tests should be run from the system making the connection (usually the server), not the client’s workstation.
The ping and tracert commands can be used to confirm name resolution and connectivity up to the WAF access point. Failed responses do not by themselves indicate a problem.
PAS Validate Firewall Rules and Trust Certificate
PAS GUI for Windows has a built-in "Validate" utility. This is the best method for confirming connectivity. Validate has well-documented return codes, which simplifies troubleshooting.
PAS for RHEL (Linux) does not offer a GUI; instead, use the command
XiPayNetTester --progid <progidvalue> --gateway <gatewayhostvalue> operation 11
where
- progidvalue = the Program ID
- gatewayhostvalue = the gatewayhost value for the Auth Program ID
- Operation Number 11 = Ping (validate)
For the Ping operation, you should receive a StatusCode of '400' and a Message populated with data. If no StatusCode is returned, the test failed.
Windows Validate Firewall Rules
There are two methods to check for basic connectivity and that firewall rules exist.
Using telnet:
- From a command prompt enter
  telnet <hostname> 443
  Requires the telnet client to be installed on the server.
- telnet will make a quick connection to the host, then show a blank screen. This indicates a good connection.
- Type "quit" to return to the command prompt.
Using PowerShell:
- PowerShell runs on all Windows systems since Windows XP SP and is an integrated component since Windows 7 and Server 2008 R2, so installing PowerShell should not be an issue, as it sometimes is with telnet.
- PowerShell also gives a positive response, which is much more intuitive than the blank screen a successful telnet gives.
- From a command prompt enter
  powershell Test-NetConnection -ComputerName <hostname> -Port 443
Results
- Lists basic connection details, indicating success
- "Name Resolution of <hostname> failed" indicates either a mistyped hostname or a DNS problem
- "TCP connect to (<resolved IP address>) failed" indicates a firewall rule is blocking the port
How to Check for the CA Certificate in the Windows Certificate Store
From a command line enter
powershell "Get-ChildItem Cert: -Recurse | Select-String 'Entrust Root Certification Authority'"
Results
- Either lists the certificate found in the store - OR -
- No response (i.e., the certificate was not found)
For PAS: PAS does not use the Windows certificate store, so this test is not relevant for PAS. To confirm that the PAS service connects to XiPay or XiSecure, use the "Validate" feature built into PAS.
For DI-SE servers: not needed for P2PE, but if you are running a DI-SE server on site, even if it is an IIS session on PAS, this test should be performed for the DI-SE server.
For Java and Java-type applications on IIS: these do not use the Windows certificate store; use the keytool procedure listed below.
Windows and Linux Verify Trust Certificate
A web server may have multiple instances of the keystore (default name: cacerts) on it. The CA certificate (superbundle.crt) must be installed in the keystore of the web container making the call to the Service. The validation below must also be done on that exact cacerts file, so determine its path first (<cacerts_path>).
keytool is a Java utility that is often not in the default path, so find its path first (<keytool_path>).
- From the command line, enter
  <keytool_path>keytool -list -v -keystore <cacerts_path>cacerts > cacerts.txt
- Using a text editor (for example vi on Linux or Notepad on Windows), search cacerts.txt for the string Sectigo.
- If found, success.
- If not found, run the command
  <keytool_path>keytool -import -trustcacerts -file <path>superbundle.crt -keystore <cacerts_path>cacerts
  and then repeat the first step (the keytool -list command).
Linux Validate Firewall Rules
To check for basic connectivity and that firewall rules exist:
- From a command prompt enter
  telnet <hostname> 443
  Requires the telnet client to be installed on the server.
- telnet will make a quick connection to the host, then show a blank screen. This indicates a good connection.
- Type "quit" to return to the command prompt.
- Alternatively, from a command prompt enter
  nc -z -v <hostname> 443
- nc responds with "succeeded!" - OR - "Connection refused"
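The steps above (name resolution, TCP connect on 443, then trust of the server chain against superbundle.crt) can be run as one scripted check that reports which stage failed, mirroring the result categories the Windows and Linux tests give. This is an added example, not Paymetric/Worldpay code; it assumes the hostname is given without a scheme (as the page requires) and that the second argument is the path to your superbundle.crt (omit it to use the system trust store).

```python
import socket
import ssl
from typing import Optional

def check_endpoint(hostname: str, ca_bundle: Optional[str] = None,
                   port: int = 443, timeout: float = 5.0) -> str:
    """Classify connectivity to hostname:port the way the page's tests do.

    Returns one of:
      'name_resolution_failed' - DNS problem or mistyped hostname
      'tcp_connect_failed'     - firewall rule (or nothing listening) on the port
      'tls_trust_failed'       - TCP works but the server chain does not validate
                                 against ca_bundle (CA certificate not trusted)
      'tls_handshake_failed'   - TCP works but no TLS handshake completed
      'ok'                     - name, TCP and certificate trust all verified
    """
    try:
        # Step 1: name resolution (what "Name Resolution of <hostname> failed" reports).
        infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "name_resolution_failed"
    sockaddr = infos[0][4]
    try:
        # Step 2: plain TCP connect, equivalent to telnet / nc -z / Test-NetConnection.
        sock = socket.create_connection(sockaddr[:2], timeout=timeout)
    except OSError:
        return "tcp_connect_failed"
    # Step 3: TLS handshake validated against the CA bundle (the trust-certificate check).
    # ca_bundle is assumed to be the path to superbundle.crt; None uses the system store.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    try:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            tls.getpeercert()  # non-empty only after successful verification
            return "ok"
    except ssl.SSLCertVerificationError:
        return "tls_trust_failed"
    except (ssl.SSLError, OSError):
        return "tls_handshake_failed"

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "cert-xipayapi.worldpay.com"
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    print(f"{host}:443 -> {check_endpoint(host, bundle)}")
```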