
Production Certificate Upgrades begin May 26, 2015

Authorize.Net will upgrade and replace Production certificates for API services starting May 26, 2015. Technical details are provided for solutions connecting to Authorize.Net APIs that may need updates.

 

To see the full announcement, please see this blog post.

RichardH
Administrator
172 REPLIES

Our lower environment stopped working when calling apitest.authorize.net. While investigating I was informed that the Sandbox Environment moved to Dynamic IP addresses (23.x.x.x). My server is behind a firewall and the Security Team is not comfortable approving PCI requests to any destination on the public net.

Do you have plans to move Production Environment to use Dynamic IP addresses as well?

 

Thank you, Dave51

Dave51
Member

Richard,

 

In this post, you mentioned we need 3 certs.

 

However, you only mention one cert in this other post (Root 2 - GeoTrust Global CA).

 

We tested transactions with the test/sandbox API and it works on our production servers (because we have Root 2 - GeoTrust Global CA installed). Is there anything else we will need?

 

We recommend everyone install all four certificates mentioned in our blog post, for minimal disruption, whether in Sandbox or Production:

 

  • Verizon Akamai SureServer CA G14-SHA2
  • Entrust Certification Authority – L1K
  • Entrust Root Certification Authority – G2
  • GeoTrust SSL CA - G4

Richard

I have just confirmed with my Network team that the firewall solution we use only allows IP. I can't create a rule by domain or URL. Do you have a white paper that I can bring to my internal teams (Network and Security) to find a workaround before Dynamic IP is activated in Production?

Thank you, Dave51

Hello @Dave51

 

A good reference is this article by Matthew Pascucci of Algosec.  In it he emphasizes using a DMZ on the perimeter to control inbound traffic (PCI 1.3.1) and controlling access between your internal systems and the DMZ to control unauthorized outbound traffic to the internet (PCI 1.3.5).

 

Richard

RichardH,

 Appreciate the article. My server does sit in a DMZ zone between two firewalls. Will need to have a chat with my Network team.

Thank you, Dave51

Update: My Security Team has some concerns about this statement in the article: "Direct connections via IP address are strongly discouraged and will soon be disallowed." They cite these reasons for their concern and are asking why this direction was chosen.

* Changing to dynamic IP range without any identification of potential scope poses a significant security risk to our data as we cannot ascertain with significant reliability our data is going to the correct destination.

* Authorization based on DNS lookup is insecure as these are easily spoofed.

* Is Authorize.net performing any ingress filtering from their customers?

 

Thank you, Dave51

Is there any change for TLS support? Specifically, will TLS 1.0 still be supported?

 

Christophe
Contributor