Configuring SSL/TLS for Dispatcher Paragon Payment System

By default, Dispatcher Paragon Payment System is automatically redirecting all HTTP requests to encrypted HTTPS connection. In order to ensure secure connection, you need to use certificate trusted in your environment.

In case you want to communicate using unsecured HTTP, you have to set the following configuration option in the <payment_folder>\ps-conf \environment-configuration.properties configuration file:

web.channel=http

cashdesk.channel=http

restApi.channel=http

This is, however, not recommended.

This guide will help you with the configuration of the secured connection (HTTPS) to the Dispatcher Paragon Payment System, using a CA-signed certificate.

CA-signed certificate requirements

  • The certificate must be signed by a certification authority trusted in your environment.

  • Certificate (fields Common Name and Subject Alternative Name) must contain all network names (i.e. all hostnames, fully qualified domain names and IP addresses) used for connection to the Dispatcher Paragon Payment System.

  • For importing the certificate you need an appropriate format - Java Keystore (.jks file) containing the private key and whole certificate chain. The procedure below is simplified by creating a new keystore instead of reusing the existing one.

  • Both the keystore and key itself need to be protected by a password

In case your key/certificate is in a different format than Java Keystore, convert it following the guide in Conversions between different keystores and certificate types.

In case you do not have key/certificate at all, follow the guide in the Generating key/certificate in Java Keystore format chapter in System communication hardening.

Configuring Dispatcher Paragon Payment System to use secure communication channel

This section describes the way how to make the web connection secure using the CA-signed certificate.

  1. Stop Dispatcher Paragon Payment System service on Dispatcher Paragon server.

  2. Copy your key/certificate in the Java Keystore format to the server where Dispatcher Paragon Payment System is installed.

  3. Set following attributes in <payment_folder>\conf\server.xml file:

    keystoreFile = "absolute/path/to/your/keystore.jks"
    keystorePass = "keystore protecting password"
    keyPass = "key protecting password"

    By default, keyPass attribute has the same value as keystorePass. Set this attribute if the key and the keystore are protected using different passwords.

  4. (OPTIONAL) To secure communication between Payment Gateway Plugin and Payment System by your certification authority, if a payment gateway is used, the path and protecting password to your truststore.jks file containing CA certificate need to be provided. The default password of the truststore is "bYOARJ741l" (without quotes). Add the new configuration properties truststore.path and truststore.password to the Payment System's configuration (<payment_folder>\ps-conf\environment-configuration.properties), see Security.

    In case you have important certificates in the truststore, you can use this same command to import your CA to the existing file. Just run this command inside the <payment_folder>\ps-conf directory.

    In this situation you also need to delete the default Dispatcher Paragon Payment System certificates from the current truststore (if they are not replaced yet):

    keytool -delete -alias certalias -keystore truststore.jks
    keytool -delete -alias ca_root -keystore truststore.jks
    keytool -delete -alias ca -keystore truststore.jks
  5. (OPTIONAL) Adding security to SMTP server. In order to establish secure communication between SMTP server and Dispatcher Paragon Payment System (e.g. for email notifications), you also need to import your certificate to the default keystore located in <payment folder>\java\lib\security\ folder. For this, you can use the keytool again:

    keytool -import -keystore <<payment folder>\java\lib\security\cacerts> -file <absolute path to your certificate> -alias <a name for the certificate>
  6. Start the Dispatcher Paragon Payment System service on Dispatcher Paragon server.

  7. Verify that Dispatcher Paragon Payment System is functional and uses your own certificate (open https://<payment_system_IP>:8443 in browser, click on the lock and view certificate button). In case you did not disable the automatic redirection to HTTPS, opening http://<payment_system_IP>:8080 address will be automatically redirected to https protocol.

Example of Tomcat HTTPS configuration

The configuration is stored in the <payment_folder>\conf\server.xml file.

Keep HTTP non-SSL port (default 8080) as the first in XML. Installer requires HTTP port to be the first in definition. HTTPS should be the second.

<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" useBodyEncodingForURI="true" />
 
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="200"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="${catalina.base}/ps-conf/keystore.jks"
keystorePass="*****"
clientAuth="false"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2+TLSv1.3"
ciphers="..."
useBodyEncodingForURI="true"
/>

The default, pre-installed private key is stored together with its corresponding certificate in the <payment_folder>\ps-conf\keystore.jks file. Both, keystore and private key, are protected by the same password specified in configuration file with attribute keystorePass.

When client authentication is required (clientAuth attribute is set to true) then some attributes about truststore need to be added/modified in the "Connector" above:

  • truststoreFile="<path-to-truststore>"

  • truststorePass="*****"

  • clientAuth="true"

The ciphers attribute contains list of cipher suites you want to support. Following configuration is recommended:

ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"

Terminal Server configuration

Communication between Terminal Server (client) and Dispatcher Paragon Payment System (server) is performed via REST API, secured by default with a certificate provided by Konica Minolta. Terminal Server has a copy of server certificate exported from Dispatcher Paragon Payment System and the thumbprint of these two files is validated.

After you change the certificate used by Dispatcher Paragon Payment System, it is needed to make it trusted on the Terminal Server machine. There are two options:

a. Replace the YPSClient.crt file in the <spoc_folder>\terminalserver\Certificates\ directory on Terminal Server machine by your yps.crt file (renamed to YPSClient.crt), containing only the server certificate (excluding your CA).

b. Import the your certificate authority to the machine with running Terminal Server (follow the guide Installing your Root CA to truststores of Dispatcher Paragon machines - Windows Certificate Store in the System communication hardening) and set the following system property:

ypsServerCertificateValidationType = STANDARD

YSoft Payment Machine configuration

Communication between YSoft Payment Machine - YPM (client) and Dispatcher Paragon Payment System - PS (server) is performed via TCP on ports 4197 and 4199. By default a YPM communicates over TLS protocol, the only supported version is TLSv1, it also supports only the following two cipher suites TLS_DHE_RSA_WITH_AES_128_CBC_SHA and TLS_DHE_RSA_WITH_AES_256_CBC_SHA.

Default configuration of YPM and PS uses the protocol TLSv1 and the cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA. To support the stronger cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA the Java Cryptography Extension needs to be placed into <payment-folder>/Java/lib/security . Before the extension is used, a jurisdiction of a customer's country needs to be checked if the stronger cipher suite is allowed.

You have to set the following configuration option in the <payment_folder>\ps-conf\environment-configuration.properties configuration file:

spm.deprecated.protocol.support = true

To change the current configuration, the following DB queries needs to be run:

YPM security configuration
-- enable/disable SSL communication
-- 'false' to disable SSL - NOT RECOMMENDED
-- default value is 'true'
update configuration set value = 'true' where name = 'spm.sslEnabled';
 
-- change SSL request protocol
-- default and only supported by YPM is 'TLSv1'
update configuration set value = 'TLSv1' where name = 'spm.sslRequestProtocol';
 
-- change SSL cipher suites
-- to use the stronger cipher suite, the extension needs to be installed
-- default and only supported by YPM are '
update configuration set value = 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA' where name = 'spm.sslCiphersWhiteList';