Security

The Security section is used for setting up and maintaining digital certificates that are used for verification of connections with external parties and signing messages.

Security has the following sub menu options:

• Issuer Certificate - for setting up and maintaining the issuers' signing certificates that are used to sign PARes messages.

• AHS Certificate - for setting up and maintaining client certificates used for connections to the authentication history server.

• CAAS Certificate - for setting up and maintaining CAAS certificates used for connections to the remote CAAS server.

• SDK Certificate - for setting up and maintaining SDK signing certificates that are used to sign ACSSignedContent in ARes.

• Directory Server Certificate - for setting up and maintaining client certificates used for connections to the Directory Server to send RReq.

• OOB Certificate - for setting up and maintaining client certificates used for connections to the RESTful OOB adapters.

• Risk Certificate - for setting up and maintaining client certificates used for connections to the RESTful RBA adapters.

• Decoupled Authenticator Certificate - for setting up and maintaining client certificates used for connections to the RESTful Decoupled Authenticator adapters.

• CA Certificate - for setting up and maintaining trusted certificates. ActiveAccess uses CA certificates to validate server certificates in outbound connections to external servers such as authentication history server.

Issuer Certificate¶

Security > Issuer Certificate

This section is used to setup and maintain issuers' signing certificates. Issuer certificates are used to sign PARes messages. The issuer certificates must be issued by the certificate authority designated by the 3-D Secure provider for this purpose.

The following fields and links are displayed:

• Currently installed certificates list

• Create Certificate Request for creating new certificate requests for issuers or groups

• Install Certificate for installation of signed certificates

• Delete Selected Certificates remove selected certificates.

The following fields and links are displayed for each issuer:

• Owner, either a group or an issuer, and links to the Group Details page or the Issuer Details page

• Owner Type - Shows whether the owner is a group or an issuer

• Provider - 3-D Secure provider of the certificate. The certificate is only used for 3-D Secure transactions, which belong to the same provider. Provider link enables certificate to be downloaded for viewing.

• Certificate Information - Certificate details such as Common Name (CN), Organization (O), Organization Unit (OU), Location (L), State (ST) and Country (C)

• Validity - Shows the validity period of the certificate

• Status - The status of a certificate can either be Valid, Expired or Not signed. You need to reapply for certificates before they expire. A certificate status is shown as not signed if the certificate is not signed by a trusted certificate authority.

• Issuer - The certificate authority (CA) who issued the certificate

• Signature Algorithm – The hash algorithm used to sign the certificate.

Create Certificate Request¶

Security > Issuer Certificate > Certificate Request

Use this section to create a certificate signing request (CSR) that can be sent to a designated certificate authority (CA) to obtain a signed certificate. The certificate used in signing PARes message must be signed by an appropriate CA which is designated by the scheme. You need a separately signed certificate for each supported scheme. The CSR is created in standard PKCS#10 format.

Use the following fields to create a CSR:

• Each scheme may have certain requirements regarding the format and content of CSR fields that need to be entered here. Please contact the scheme for information regarding creating a CSR. Please note that some fields may not be required by a scheme and that the following explanations are generic.

  • Select whether the CSR is for an Issuer or an Issuer Group and select the organization from the list

  • Select an authentication Provider (scheme) from the list

  • If the RSA Signing key is inactive, the Alias list is displayed and you will be required to select an Alias. The RSA Signing key that is created with the PCIDSS Key Retiring Utility or through Issuers > Key Management will remain inactive until a certificate request is created and signed by card schemes, then installed for the specified Alias

  • The Key size will be displayed once a provider and a key type (and alias, if available) have been selected. The key size is based on the size of the RSA Signing Key of the provider for each issuer.

  • Select the Hash Algorithm to be used to create the certificate request from the list. Defaults to SHA1.

  • Common Name - a descriptive name for the certificate, for example 'Any Bank Signing Certificate'

  • Organization name - for example 'Any Bank'

  • Organizational Unit - the name of the department within the organization to which this certificate belongs, for example 'Card Services'

  • City - for example 'Sydney'

  • Province full name - for example 'New South Wales'

  • Two-letter country code - for example AU for 'Australia.'

Install Certificate¶

Security > Issuer Certificate > Install Certificate

Use this section to install a certificate which is signed by the CA. The signed certificate must correspond to a previously created CSR for the same issuer and must be in standard PKCS#7 format.

Use the following fields to install a signed certificate:

• Select the appropriate radio button to indicate whether the Issuer or the Issuer Group was previously used for creating the CSR.

• Select an authentication Provider (scheme) from the drop sdown list. Select the provider whose CA has signed the certificate.

• If the RSA Signing key is inactive, the Alias list is displayed and you will be required to select an Alias. The RSA Signing key that is created with the PCIDSS Key Retiring Utility or through Issuers > Key Management will remain inactive until a certificate request is created and signed by card schemes, then installed for the specified Alias.

• Use the Certificate content (file) field to locate the PKCS#7 file that contains the signed certificate or copy and paste the signed CSR (if in base64 text format) in the Certificate content field.

AHS Certificate¶

Security > AHS Certificate

This section is used to set up and maintain SSL client certificates which are used to authenticate ActiveAccess to the authentication history server. Note that not all 3‑D Secure providers may require an authentication history server. Check with the 3‑D Secure provider regarding creating AHS client certificates and the designated CA for signing the certificates.

The following fields and links are displayed:

• Currently installed certificates list

• Create Certificate Request links to the AHS Certificate Request page for creating a new AHS client certificate request

• Install Certificate links to the Install AHS Certificate page for installation of the signed AHS client certificate

• Delete Selected Certificates link used with the Select checkbox to remove selected certificates and associated private keys

• Import Certificate links to the Import AHS Certificate page for direct installation of a signed AHS client certificate which contains a private key as well as a public key.

The following fields and links are displayed for each provider:

• Owner - the 3-D Secure provider and links to the Export AHS Certificate page. The certificate is only used for 3-D Secure transactions which belong to the same provider.

• Certificate Information - Certificate details such as Common Name (CN), Organization (O), Organization Unit (OU), Location (L), State (ST) and Country (C)

• Validity - Shows the validity period of the certificate

• Status - The status of a certificate can either be Valid, Expired or Not signed. You need to reapply for certificates before they expire. A certificate status is shown as not signed if the certificate is not signed by a trusted certificate authority.

• Issuer - The certificate authority (CA) that issued the certificate

• Signature Algorithm - The hash algorithm used to sign the certificate.

Create Certificate Request¶

Security > AHS Certificate > AHS Certificate Request

Use this section to create a certificate signing request (CSR) that can be sent to a designated certificate authority (CA) to obtain a signed certificate. The certificate is used in connection to the authentication history server designated by the 3-D Secure provided and must be signed by a CA approved by the respective 3-D Secure provider. The CSR is created in standard PKCS#10 format.

Use the following fields to create a CSR:

• Each scheme may have certain requirements regarding the format and content of CSR fields that need to be entered here. Please contact the scheme for information regarding creating a CSR. Please note that some fields may not be required by a scheme and that the following explanations are generic.

  • Provider (scheme)

  • Common Name - a descriptive name for the certificate for example 'Any Bank AHS Client Certificate'.

  • Organization - the name of your organization for example 'Any Bank'.

  • Organization Unit - the name of the department within the organization to which this certificate belong for example 'Card Services'.

  • City - for example 'Sydney'.

  • Province - enter the state or province full name for example 'New South Wales'.

  • Two-letter country code for example AU for 'Australia'.

  • Key size ,defaults to 1024.

  • Hash Algorithm used to create the certificate request, defaults to SHA1.

Install AHS Certificate¶

Security > AHS Certificate > Install AHS Certificate

Use this section to install a certificate which is signed by the CA. The signed certificate must correspond to a previously created CSR for the same provider and must be in standard PKCS#7 format.

Use the following fields to install a signed certificate:

• Provider (scheme) - Select the provider whose CA has signed the certificate.

• Click the Choose File / Browse… button adjacent to Certificate content (file), to locate and select the PKCS#7 file that contains the signed certificate or copy and paste the signed CSR (base64 text format) into the Certificate content text box.

Export AHS Certificate¶

Security > AHS Certificate > Export AHS Certificate

Use this section to export the SSL client certificate in a number of formats including PKCS#12 which allows you to export both private and public keys.

Use the following fields to export a certificate:

• Provider (scheme).

• Type, the options are:

  • KeyStore - to export both private and public keys

  • Certificate - to export the public key in DER binary encoded X509 format

  • Certificate path - to export the entire certificate chain in P7B format.

• If the export type selected is KeyStore, select from the Format list:

  • PFX to export in standard PKCS#12 format

  • JKS to export in the Java KeyStore format used by the Java Keytool and most Java-based applications.

• If the export type selected is KeyStore, enter a File password to protect the private key.

Import AHS Certificate¶

Security > AHS Certificate > Import AHS Certificate

The 3-D Secure provider may issue an SSL certificate which contains both the public and private key and is already signed. You may install this type of certificate using the import functionality provided in this section.

Use the following fields to import a certificate:

• Provider (scheme) .

• Select the certificate Format. Supported formats are JKS to export in the Java KeyStore format used by the Java Keytool and most Java-based applications or PFX to export in standard PKCS#12 format.

• Click the Choose File / Browse… button to locate and select the File

• Enter the File password which is used to protect the private key.

CAAS Certificate¶

Security > CAAS Certificate

This section is used to set up and maintain SSL client certificates which are used to authenticate ActiveAccess to the CAAS server. Note that the CAAS server may use mutual SSL authentication to verify the client, which in this case is ActiveAccess. Check with the CAAS server provider for more details.

The following fields and links are displayed:

• Currently installed certificates list

• Create Certificate Request for creating a new CAAS client certificate request

• Install Certificate for installation of the signed CAAS client certificate

• Delete Selected Certificates link used with the Select checkbox to remove selected certificates and associated private keys

• Import Certificate for direct installation of a signed CAAS client certificate that contains a private key as well as a public key.

The following fields and links are displayed for each provider:

• Certificate Information links to the Export CAAS Certificate page. The Certificate Information contains certificate details such as Common Name (CN), Organization (O), Organization Unit (OU), Location (L), State (ST) and Country (C)

• Validity - Shows the validity period of the certificate

• Status - The status of a certificate can either be Valid, Expired or Not signed. You need to reapply for certificates before they expire. A certificate status is shown as not signed if the certificate is not signed by a trusted certificate authority.

• Issuer - The certificate authority (CA) that issued the certificate

• Signature Algorithm - The hash algorithm used to sign the certificate.

Create Certificate Request¶

Security > CAAS Certificate > CAAS Certificate Request

Use this section to create a certificate signing request (CSR) that can be sent to a designated certificate authority (CA) to obtain a signed certificate. The certificate is used in connection to the authentication history server designated by the 3-D Secure provided and must be signed by a CA approved by the respective 3-D Secure provider. The CSR is created in standard PKCS#10 format.

Use the following fields to create a CSR:

• Each scheme may have certain requirements regarding the format and content of CSR fields that need to be entered here. Please contact the scheme for information regarding creating a CSR. Please note that some fields may not be required by a scheme and that the following explanations are generic.

  • Common Name - a descriptive name for the certificate for example 'caas-client'.

  • Organization - the name of your organization for example 'Internet Widgits Pty Ltd'.

  • Organization Unit - the name of the department within the organization to which this certificate belong for example 'Caas Services'.

  • City for example 'Sydney'.

  • Province - enter the full name of the state or province, for example 'New South Wales'.

  • Two-letter country code, for example AU for 'Australia'.

  • Select a Key size from the list. Defaults to 1024.

  • Select the Hash Algorithm to be used to create the certificate request from the list. Defaults to SHA1.

Install CAAS Certificate¶

Security > CAAS Certificate > Install CAAS Certificate

Use this section to install a certificate which is signed by the CA. The signed certificate must correspond to a previously created CSR for the same provider and must be in standard PKCS#7 format.

Use the following fields to install a signed certificate:

• Click the Choose File / Browse… button adjacent to Certificate content (file), to locate and select the PKCS#7 file that contains the signed certificate or copy and paste the signed CSR (base64 text format) into the Certificate content text box.

Export CAAS Certificate¶

Security > CAAS Certificate > Export CAAS Certificate

Use this section to export the SSL client certificate in a number of formats including PKCS#12 which allows you to export both private and public keys.

Use the following fields to export a certificate:

• Select the export Type from the list. The options are:

  • KeyStore - to export both private and public keys

  • Certificate - to export the public key in DER binary encoded X509 format

  • Certificate path - to export the entire certificate chain in P7B format.

• If the export type selected is KeyStore, select from the Format drop down list:

  • PFX to export in standard PKCS#12 format

  • JKS to export in the Java KeyStore format used by the Java Keytool and most Java-based applications.

• If the export type selected is KeyStore, enter a File password to protect the private key.

Import CAAS Certificate¶

Security > CAAS Certificate > Import CAAS Certificate

The CAAS server operator may issue an SSL certificate which contains both the public and private key and is already signed. You may install this type of certificate using the import functionality provided in this section.

Use the following fields to import a certificate:

• Select the certificate Format. Supported formats are JKS to export in the Java KeyStore format used by the Java Keytool and most Java-based applications or PFX to export in standard PKCS#12 format.

• Click the Choose File / Browse… button to locate and select the File

• Enter the File password which is used to protect the private key.

SDK Certificate¶

New_Section

Security > SDK Certificate

This section is used to set up and maintain SDK signing certificates which are used to sign the ACSSignedContent of ARes to the SDK via DS Server.

The following fields and links are displayed:

• Currently installed certificates list

• Create Certificate Request for creating a new SDK client certificate request

• Install Certificate for installation of the signed SDK client certificate

• Delete Selected Certificates link used with the Select checkbox to remove selected certificates and associated private keys.

• Import Certificate for direct installation of a signed SDK client certificate that contains a private key as well as a public key.

The following fields and links are displayed for each provider:

• Certificate Information links to the Export SDK Certificate page. The Certificate Information contains certificate details such as Common Name (CN), Organization (O), Organization Unit (OU), Location (L), State (ST) and Country (C)

• Validity - Shows the validity period of the certificate

• Status - The status of a certificate can either be Valid, Expired or Not signed. You need to reapply for certificates before they expire. A certificate status is shown as not signed if the certificate is not signed by a trusted certificate authority.

• Issuer - The certificate authority (CA) that issued the certificate

• Signature Algorithm - The hash algorithm used to sign the certificate.

Create Certificate Request¶

Security > SDK Certificate > SDK Certificate Request

Use this section to create a certificate signing request (CSR) that can be sent to a designated certificate authority (CA) to obtain a signed certificate. The certificate is used in connection to the authentication history server designated by the 3-D Secure provided and must be signed by a CA approved by the respective 3-D Secure provider. The CSR is created in standard PKCS#10 format.

Use the following fields to create a CSR:

• Each scheme may have certain requirements regarding the format and content of CSR fields that need to be entered here. Please contact the scheme for information regarding creating a CSR. Please note that some fields may not be required by a scheme and that the following explanations are generic.

  • Common Name - a descriptive name for the certificate for example 'sdk-client'.

  • Organization - the name of your organization for example 'Internet Widgits Pty Ltd'.

  • Organization Unit - the name of the department within the organization to which this certificate belong for example 'SDK Services'.

  • City for example 'Sydney'.

  • Province - enter the full name of the state or province, for example 'New South Wales'.

  • Two-letter country code, for example AU for 'Australia'.

  • Select a Key size from the list. Defaults to 1024.

  • Select the Hash Algorithm to be used to create the certificate request from the list. Defaults to SHA1.

Install SDK Certificate¶

Security > SDK Certificate > Install SDK Certificate

Use this section to install a certificate which is signed by the CA. The signed certificate must correspond to a previously created CSR for the same provider and must be in standard PKCS#7 format.

Use the following fields to install a signed certificate:

• Click the Choose File / Browse… button adjacent to Certificate content (file), to locate and select the PKCS#7 file that contains the signed certificate or copy and paste the signed CSR (base64 text format) into the Certificate content text box.

Export SDK Certificate¶

Security > SDK Certificate > Export SDK Certificate

Use this section to export the SSL client certificate in a number of formats including PKCS#12 which allows you to export both private and public keys.

Use the following fields to export a certificate:

• Select the export Type from the list. The options are:

  • KeyStore - to export both private and public keys

  • Certificate - to export the public key in DER binary encoded X509 format

  • Certificate path - to export the entire certificate chain in P7B format.

• If the export type selected is KeyStore, select from the Format drop down list:

  • PFX to export in standard PKCS#12 format

  • JKS to export in the Java KeyStore format used by the Java Keytool and most Java-based applications.

• If the export type selected is KeyStore, enter a File password to protect the private key.

Import SDK Certificate¶

Security > SDK Certificate > Import SDK Certificate

The SDK server operator may issue an SSL certificate which contains both the public and private key and is already signed. You may install this type of certificate using the import functionality provided in this section.

Use the following fields to import a certificate:

• Select the certificate Format. Supported formats are JKS to export in the Java KeyStore format used by the Java Keytool and most Java-based applications or PFX to export in standard PKCS#12 format.

• Click the Choose File / Browse… button to locate and select the File

• Enter the File password which is used to protect the private key.

Directory Server Certificate¶

Security > Directory Server Certificate

This section is used to set up and maintain client certificates used for connections to the Directory Server to send RReq.

The following fields and links are displayed:

• Currently installed certificates list

• Create Certificate Request links to the Directory Server Certificate Request page for creating a new Directory Server certificate request

• Install Certificate links to the Install Directory Server Certificate page for installation of the signed Directory Server certificate

• Delete Selected Certificates link used with the Select checkbox to remove selected certificates and associated private keys

• Import Certificate links to the Import Directory Server Certificate page for direct installation of a signed Directory Server certificate which contains a private key as well as a public key.

The following fields and links are displayed for each provider:

• Owner - the 3-D Secure provider and links to the Export Directory Server Certificate page. The certificate is only used for 3-D Secure transactions which belong to the same provider.

• Certificate Information - Certificate details such as Common Name (CN), Organization (O), Organizational Unit (OU), Location (L), State (ST) and Country (C), Key size, Hash algorithm.

• Validity - Shows the validity period of the certificate

• Status - The status of a certificate can either be Valid, Expired or Not signed. You need to reapply for certificates before they expire. A certificate status is shown as not signed if the certificate is not signed by a trusted certificate authority.

• Issuer - The certificate authority (CA) that issued the certificate

• Signature Algorithm - The hash algorithm used to sign the certificate.

Create Certificate Request¶

Security > Directory Server Certificate > Directory Server Certificate Request

Use this section to create a certificate signing request (CSR) that can be sent to a designated certificate authority (CA) to obtain a signed certificate. The certificate is used in connection to the authentication history server designated by the 3-D Secure provided and must be signed by a CA approved by the respective 3-D Secure provider. The CSR is created in standard PKCS#10 format.

Use the following fields to create a CSR:

• Each scheme may have certain requirements regarding the format and content of CSR fields that need to be entered here. Please contact the scheme for information regarding creating a CSR. Please note that some fields may not be required by a scheme and that the following explanations are generic.

  • Provider (scheme)

  • Common Name - a descriptive name for the certificate for example 'Any Bank Directory Server Certificate'.

  • Organization - the name of your organization for example 'Any Bank'.

  • Organizational Unit - the name of the department within the organization to which this certificate belong for example 'Card Services'.

  • City - for example 'Sydney'.

  • Province - enter the state or province full name for example 'New South Wales'.

  • Two-letter country code for example AU for 'Australia'.

  • Key size ,defaults to 1024.

  • Hash Algorithm used to create the certificate request, defaults to SHA1.

Install Directory Server Certificate¶

Security > Directory Server Certificate > Install Directory Server Certificate

Use this section to install a certificate which is signed by the CA. The signed certificate must correspond to a previously created CSR for the same provider and must be in standard PKCS#7 format.

Use the following fields to install a signed certificate:

• Provider (scheme) - Select the provider whose CA has signed the certificate.

• Click the Choose File / Browse… button adjacent to Certificate content (file), to locate and select the PKCS#7 file that contains the signed certificate or copy and paste the signed CSR (base64 text format) into the Certificate content text box.

Export Directory Server Certificate¶

Security > Directory Server Certificate > Export Directory Server Certificate

Use this section to export the SSL client certificate in a number of formats including PKCS#12 which allows you to export both private and public keys.

Use the following fields to export a certificate:

• Provider (scheme).

• Type, the options are:

  • KeyStore - to export both private and public keys

  • Certificate - to export the public key in DER binary encoded X509 format

  • Certificate path - to export the entire certificate chain in P7B format.

• If the export type selected is KeyStore, select from the Format list:

  • PFX to export in standard PKCS#12 format

  • JKS to export in the Java KeyStore format used by the Java Keytool and most Java-based applications.

• If the export type selected is KeyStore, enter a File password to protect the private key.

Import Directory Server Certificate¶

Security > Directory Server Certificate > Import Directory Server Certificate

The 3-D Secure provider may issue an SSL certificate which contains both the public and private key and is already signed. You may install this type of certificate using the import functionality provided in this section.

Use the following fields to import a certificate:

• Provider (scheme) .

• Select the certificate Type Supported formats are JKS to export in the Java KeyStore format used by the Java Keytool and most Java-based applications or PFX to export in standard PKCS#12 format.

• Click the Choose File / Browse… button to locate and select the File

• Enter the File password which is used to protect the private key.

OOB Certificate¶

Security > OOB Certificate

This section is used to set up and maintain client certificates used for connections to the RESTful OOB adapters.

The following fields and links are displayed:

• Currently installed certificates list

• Create Certificate Request links to the OOB Adapter Connector Certificate Request page for creating a new OOB adapter connector certificate request

• Install Certificate links to the Install OOB Adapter Connector Certificate page for installation of the signed OOB adapter connector certificate

• Delete Selected Certificates link used with the Select checkbox to remove selected certificates and associated private keys

• Import Certificate links to the Import OOB Adapter Connector Certificate page for direct installation of a signed OOB adapter connector certificate which contains a private key as well as a public key.

The following fields and links are displayed for each provider:

• OOB adapter connector name - links to the Export OOB Adapter Connector Certificate page.

• Certificate Information - Certificate details such as Common Name (CN), Organization (O), Organizational Unit (OU), Location (L), State (ST) and Country (C)

• Validity - Shows the validity period of the certificate

• Status - The status of a certificate can either be Valid, Expired or Not signed. You need to reapply for certificates before they expire. A certificate status is shown as not signed if the certificate is not signed by a trusted certificate authority.

• Issuer - The certificate authority (CA) that issued the certificate

• Signature Algorithm - The hash algorithm used to sign the certificate.

Create Certificate Request¶

Security > OOB Adapter Connector Certificate > OOB Adapter Connector Certificate Request

Use this section to create a certificate signing request (CSR) that can be sent to a designated certificate authority (CA) to obtain a signed certificate. The certificate is used in connection to the authentication history server designated by the 3-D Secure provided and must be signed by a CA approved by the respective 3-D Secure provider. The CSR is created in standard PKCS#10 format.

Use the following fields to create a CSR:

• Each scheme may have certain requirements regarding the format and content of CSR fields that need to be entered here. Please contact the scheme for information regarding creating a CSR. Please note that some fields may not be required by a scheme and that the following explanations are generic.

  • OOB adapter connector - select from the list.

  • Common Name - a descriptive name for the certificate for example 'Any Bank OOB Adapter Connector Certificate'

  • Organization - the name of your organization for example 'Any Bank'

  • Organizational Unit - the name of the department within the organization to which this certificate belong for example 'Card Services'

  • City - for example 'Sydney'

  • Province - enter the state or province full name for example 'New South Wales'

  • Two-letter country code for example AU for 'Australia'

  • Key size ,defaults to 1024

  • Hash Algorithm used to create the certificate request, defaults to SHA1.

Install OOB Adapter Connector Certificate¶

Security > OOB Adapter Connector Certificate > Install OOB Adapter Connector Certificate

Use this section to install a certificate which is signed by the CA. The signed certificate must correspond to a previously created CSR for the same provider and must be in standard PKCS#7 format.

Use the following fields to install a signed certificate:

• OOB adapter connector - select from the list

• Click the Choose File / Browse… button adjacent to Certificate content (file), to locate and select the PKCS#7 file that contains the signed certificate or copy and paste the signed CSR (base64 text format) into the Certificate content text box.

Export OOB Adapter Connector Certificate¶

Security > OOB Adapter Connector Certificate > Export OOB Adapter Connector Certificate

Use this section to export the SSL client certificate in a number of formats including PKCS#12 which allows you to export both private and public keys.

Use the following fields to export a certificate:

• OOB Adapter Connector - select from the list.

• Type, the options are:

  • KeyStore - to export both private and public keys

  • Certificate - to export the public key in DER binary encoded X509 format

  • Certificate path - to export the entire certificate chain in P7B format.

• If the export type selected is KeyStore, select from the Format list:

  • PFX to export in standard PKCS#12 format

  • JKS to export in the Java KeyStore format used by the Java Keytool and most Java-based applications.

• If the export type selected is KeyStore, enter a File password to protect the private key.

Import OOB Adapter Connector Certificate¶

Security > OOB Adapter Connector Certificate > Import OOB Adapter Connector Certificate

The 3-D Secure provider may issue an SSL certificate which contains both the public and private key and is already signed. You may install this type of certificate using the import functionality provided in this section.

Use the following fields to import a certificate:

• OOB Adapter Connector - select from the list.

• Select the certificate Type Supported formats are JKS to export in the Java KeyStore format used by the Java Keytool and most Java-based applications or PFX to export in standard PKCS#12 format

• Click the Choose File / Browse… button to locate and select the File

• Enter the File password which is used to protect the private key.

Risk Certificate¶

Security > Risk Certificate

This section is used to set up and maintain client certificates used for connections to the RESTful RBA adapters.

The following fields and links are displayed:

• Currently installed certificates list

• Create Certificate Request links to the Risk Adapter Connector Certificate Request page for creating a new Risk adapter connector certificate request

• Install Certificate links to the Install Risk Adapter Connector Certificate page for installation of the signed Risk adapter connector certificate

• Delete Selected Certificates link used with the Select checkbox to remove selected certificates and associated private keys

• Import Certificate links to the Import Risk Adapter Connector Certificate page for direct installation of a signed Risk adapter connector certificate which contains a private key as well as a public key.

The following fields and links are displayed for each provider:

• Risk Adapter Connector name - links to the Export Risk Adapter Connector Certificate page

• Certificate Information - Certificate details such as Common Name (CN), Organization (O), Organizational Unit (OU), Location (L), State (ST) and Country (C)

• Validity - Shows the validity period of the certificate

• Status - The status of a certificate can either be Valid, Expired or Not signed. You need to reapply for certificates before they expire. A certificate status is shown as not signed if the certificate is not signed by a trusted certificate authority.

• Issuer - The certificate authority (CA) that issued the certificate

• Signature Algorithm - The hash algorithm used to sign the certificate.

Create Risk Adapter Connector Certificate Request¶

Security > Risk Certificate > Risk Adapter Connector Certificate Request

Use this section to create a certificate signing request (CSR) that can be sent to a designated certificate authority (CA) to obtain a signed certificate. The certificate is used in connection to the authentication history server designated by the 3-D Secure provided and must be signed by a CA approved by the respective 3-D Secure provider. The CSR is created in standard PKCS#10 format.

Use the following fields to create a CSR:

• Each scheme may have certain requirements regarding the format and content of CSR fields that need to be entered here. Please contact the scheme for information regarding creating a CSR. Please note that some fields may not be required by a scheme and that the following explanations are generic.

  • Risk adapter connector - select from the list.

  • Common Name - a descriptive name for the certificate for example 'Any Bank Risk Adapter Connector Certificate'

  • Organization - the name of your organization for example 'Any Bank'

  • Organizational Unit - the name of the department within the organization to which this certificate belong for example 'Card Services'

  • City - for example 'Sydney'

  • Province - enter the state or province full name for example 'New South Wales'

  • Two-letter country code for example AU for 'Australia'

  • Key size ,defaults to 1024

  • Hash Algorithm used to create the certificate request, defaults to SHA1.

Install Risk Adapter Connector Certificate¶

Security > Risk Certificate > Install Risk Adapter Connector Certificate

Use this section to install a certificate which is signed by the CA. The signed certificate must correspond to a previously created CSR for the same provider and must be in standard PKCS#7 format.

Use the following fields to install a signed certificate:

• Risk adapter connector - select from the list

• Click the Choose File / Browse… button adjacent to Certificate content (file), to locate and select the PKCS#7 file that contains the signed certificate or copy and paste the signed CSR (base64 text format) into the Certificate content text box.

Export Risk Adapter Connector Certificate¶

Security > Risk Certificate > Export Risk Adapter Connector Certificate

Use this section to export the SSL client certificate in a number of formats including PKCS#12 which allows you to export both private and public keys.

Use the following fields to export a certificate:

• Risk adapter connector - select from the list

• Type, the options are:

  • KeyStore - to export both private and public keys

  • Certificate - to export the public key in DER binary encoded X509 format

  • Certificate path - to export the entire certificate chain in P7B format.

• If the export type selected is KeyStore, select from the Format list:

  • PFX to export in standard PKCS#12 format

  • JKS to export in the Java KeyStore format used by the Java Keytool and most Java-based applications.

• If the export type selected is KeyStore, enter a File password to protect the private key.

Import Risk Adapter Connector Certificate¶

Security > Risk Adapter Connector Certificate > Import Risk Adapter Connector Certificate

The 3-D Secure provider may issue an SSL certificate which contains both the public and private key and is already signed. You may install this type of certificate using the import functionality provided in this section.

Use the following fields to import a certificate:

• Risk adapter connector - select from the list

• Select the certificate Type Supported formats are JKS to export in the Java KeyStore format used by the Java Keytool and most Java-based applications or PFX to export in standard PKCS#12 format

• Click the Choose File / Browse… button to locate and select the File

• Enter the File password which is used to protect the private key.

Decoupled Authenticator Certificate¶

Security > Decoupled Authenticator Certificate

This section is used to set up and maintain client certificates used for connections to the RESTful Decoupled Authenticator adapters.

The following fields and links are displayed:

• Currently installed certificates list

• Create Certificate Request links to the Decoupled Authenticator Adapter Connector Certificate Request page for creating a new Decoupled Authenticator adapter connector certificate request

• Install Certificate links to the Install Decoupled Authenticator Adapter Connector Certificate page for installation of the signed Decoupled Authenticator adapter connector certificate

• Delete Selected Certificates link used with the Select checkbox to remove selected certificates and associated private keys

• Import Certificate links to the Import Decoupled Authenticator Adapter Connector Certificate page for direct installation of a signed Decoupled Authenticator adapter connector certificate which contains a private key as well as a public key.

The following fields and links are displayed for each provider:

• Decoupled Authenticator Adapter Connector name - links to the Export Decoupled Authenticator Adapter Connector Certificate page

• Certificate Information - Certificate details such as Common Name (CN), Organization (O), Organizational Unit (OU), Location (L), State (ST) and Country (C)

• Validity - Shows the validity period of the certificate

• Status - The status of a certificate can either be Valid, Expired or Not signed. You need to reapply for certificates before they expire. A certificate status is shown as not signed if the certificate is not signed by a trusted certificate authority.

• Issuer - The certificate authority (CA) that issued the certificate

• Signature Algorithm - The hash algorithm used to sign the certificate.

Create Decoupled Authenticator Adapter Connector Certificate Request¶

Security > Decoupled Authenticator Certificate > Decoupled Authenticator Adapter Connector Certificate Request

Use this section to create a certificate signing request (CSR) that can be sent to a designated certificate authority (CA) to obtain a signed certificate. The certificate is used in connection to the authentication history server designated by the 3-D Secure provided and must be signed by a CA approved by the respective 3-D Secure provider. The CSR is created in standard PKCS#10 format.

Use the following fields to create a CSR:

• Each scheme may have certain requirements regarding the format and content of CSR fields that need to be entered here. Please contact the scheme for information regarding creating a CSR. Please note that some fields may not be required by a scheme and that the following explanations are generic.

  • Decoupled Authenticator adapter connector - select from the list.

  • Common Name - a descriptive name for the certificate for example 'Any Bank Decoupled Authenticator Adapter Connector Certificate'

  • Organization - the name of your organization for example 'Any Bank'

  • Organizational Unit - the name of the department within the organization to which this certificate belong for example 'Card Services'

  • City - for example 'Sydney'

  • Province - enter the state or province full name for example 'New South Wales'

  • Two-letter country code for example AU for 'Australia'

  • Key size ,defaults to 1024

  • Hash Algorithm used to create the certificate request, defaults to SHA1.

Install Decoupled Authenticator Adapter Connector Certificate¶

Security > Decoupled Authenticator Certificate > Install Decoupled Authenticator Adapter Connector Certificate

Use this section to install a certificate which is signed by the CA. The signed certificate must correspond to a previously created CSR for the same provider and must be in standard PKCS#7 format.

Use the following fields to install a signed certificate:

• Decoupled Authenticator adapter connector - select from the list

• Click the Choose File / Browse… button adjacent to Certificate content (file), to locate and select the PKCS#7 file that contains the signed certificate or copy and paste the signed CSR (base64 text format) into the Certificate content text box.

Export Decoupled Authenticator Adapter Connector Certificate¶

Security > Decoupled Authenticator Certificate > Export Decoupled Authenticator Adapter Connector Certificate

Use this section to export the SSL client certificate in a number of formats including PKCS#12 which allows you to export both private and public keys.

Use the following fields to export a certificate:

• Decoupled Authenticator adapter connector - select from the list

• Type, the options are:

  • KeyStore - to export both private and public keys

  • Certificate - to export the public key in DER binary encoded X509 format

  • Certificate path - to export the entire certificate chain in P7B format.

• If the export type selected is KeyStore, select from the Format list:

  • PFX to export in standard PKCS#12 format

  • JKS to export in the Java KeyStore format used by the Java Keytool and most Java-based applications.

• If the export type selected is KeyStore, enter a File password to protect the private key.

Import Decoupled AuthenticatorDecoupled Authenticator Adapter Connector Certificate¶

Security > Decoupled Authenticator Adapter Connector Certificate > Import Decoupled Authenticator Adapter Connector Certificate

The 3-D Secure provider may issue an SSL certificate which contains both the public and private key and is already signed. You may install this type of certificate using the import functionality provided in this section.

Use the following fields to import a certificate:

• Decoupled Authenticator adapter connector - select from the list

• Select the certificate Type Supported formats are JKS to export in the Java KeyStore format used by the Java Keytool and most Java-based applications or PFX to export in standard PKCS#12 format

• Click the Choose File / Browse… button to locate and select the File

• Enter the File password which is used to protect the private key.

CA Certificate¶

Security > CA Certificate

This section is used to set up and maintain trusted certificate authority certificates. ActiveAccess uses this list in order to validate the certificate chain of installed certificates and to authenticate remote connections to external SSL enable servers such as the authentication history server.

ActiveAccess is installed with the most recent CA certificates from 3-D Secure providers. However, you may need to maintain and add new certificates they may be introduced at a later time by the 3-D Secure provider or in order to test with non-production 3-D Secure systems that use a different CA.

The following fields and links are displayed:

• Currently installed certificates list

• Import CA Certificate links to the Import CA Certificate page for installation of trusted root certificates.

• Delete Selected Certificates link used with the Select checkbox to remove selected certificates.

The following fields and links are displayed for each provider:

• Owner - the 3-D Secure provider. Clicking on the link allows you to save the certificate in DER binary encoded X509 certificate format.

• Type - displays the key type

• Certificate Information - Certificate details such as Common Name (CN), Organization (O), Organizational Unit (OU), Location (L), State (ST) and Country (C)

• Validity - Shows the validity period of the certificate

• Status - The status of a certificate can either be Valid, Expired or Not signed. You need to reapply for certificates before they expire. A certificate status is shown as not signed if the certificate is not signed by a trusted certificate authority.

• Issuer - The certificate authority (CA) that issued the certificate.

• Signature Algorithm - The hash algorithm used to sign the certificate.

Import Certificate¶

Security > CA Certificate > Import CA Certificate

This section allows you to install additional trusted root certificates.

ActiveAccess is installed with the most recent CA certificates from 3-D Secure providers. However, you may need to maintain and add new certificates they may be introduced at a later time by the 3-D Secure provider or in order to test with non-production 3-D Secure systems that use a different CA.

Use the following fields to import a certificate:

• Provider - select the scheme from the list

• Key type - select the key type from the list

• Click the Choose File / Browse… button to locate and select the File. ActiveAccess supports X509 certificates in DER encoded binary or based64 encoded formats.