SSL Certificate-Based Login

EFT Server supports authentication using just SSL certificates for FTPS, HTTPS, and AS2 connections, rather than password-based login. This is similar to SFTP authentication, in which a particular SFTP key is associated with a user account (on the user account's Security tab); when the user logs in and provides the key, they are allowed to proceed as long as the keys match. Unlike SFTP, SSL offers the option to authenticate using both password and certificate rather than one or the other.

Normally, when a client supplies an SSL certificate for the SSL handshake (if requested by EFT Server), EFT Server determines whether that certificate is in the global trusted list. If the certificate is trusted, EFT Server completes the process of negotiating a shared secret and then moves on to the authentication stage, requesting a username followed by a password. If the user enters the wrong password (or no password at all), the authentication attempt fails, even though a certificate was found in the trusted store that matched the client’s certificate.

EFT Server determines whether certificate keys used on EFT Server are current and reports the status in the PCI DSS Compliance Report. Refer to Possible PCI DSS Compliance Report Outcomes for more information.

With certificate-based authentication, the sequence of steps is nearly the same. If certificate-based authentication is enabled, then after the client’s username has been provided, but before EFT Server requests the user’s password, EFT Server verifies that the public key of the provided certificate matches the certificate in the trusted store that is associated with (mapped to) this particular user’s account. If a match is made, that user is automatically authenticated for that session. If the protocol expects a username/password sequence, EFT Server always returns TRUE, regardless of the password supplied by the client (whether empty or invalid).

Compliance with PCI DSS requires that users change their password upon initial login. Because this login method does not use a password, it potentially violates the PCI DSS and is, therefore, not available with PCI DSS-enabled Sites.
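The decision flow described above (handshake against the global trusted list, then a per-account certificate match inserted before the password prompt, with the PCI DSS restriction applied) can be modelled in a few lines. The following is an added illustration written for this page, not Globalscape code: certificates are stood in for by a SHA-256 fingerprint of constructed key bytes, the Site fields and the rule that the "Require SSL certificates from connected clients" check box is what enables certificate-only login are assumptions read from the procedure below, and the plaintext password table exists only to make the fallback visible.

```python
"""Model of the certificate-based login decision described on this page.

Added illustration, not EFT Server code. A certificate is represented by the
SHA-256 fingerprint of constructed public-key bytes; a real server compares the
certificate's public key against the one stored for the mapped account.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def fingerprint(public_key_bytes: bytes) -> str:
    """Stand-in for 'the public key of the provided certificate'."""
    return hashlib.sha256(public_key_bytes).hexdigest()


# Constructed sample key material (not real keys).
ALICE_KEY = b"constructed-public-key-alice"
BOB_KEY = b"constructed-public-key-bob"
UNKNOWN_KEY = b"constructed-public-key-stranger"


@dataclass
class Site:
    require_client_cert: bool = False   # assumed: the check box from the procedure
    pci_dss_enabled: bool = False       # certificate-only login unavailable on PCI DSS Sites
    trusted_store: Set[str] = field(default_factory=set)        # global trusted list
    cert_to_user: Dict[str, str] = field(default_factory=dict)  # fingerprint -> mapped account
    passwords: Dict[str, str] = field(default_factory=dict)     # account -> password (demo only)


@dataclass
class Outcome:
    ok: bool
    method: str   # "certificate", "password" or "rejected"
    reason: str


def handshake(site: Site, client_fp: Optional[str]) -> Optional[str]:
    """SSL handshake stage: returns a failure reason, or None if the handshake completes."""
    if client_fp is None:
        return "no client certificate presented" if site.require_client_cert else None
    if client_fp not in site.trusted_store:
        return "client certificate not in the global trusted list"
    return None


def authenticate(site: Site, username: str, password: Optional[str],
                 client_fp: Optional[str]) -> Outcome:
    """Login stage: certificate-to-account match checked before the password is consulted."""
    err = handshake(site, client_fp)
    if err:
        return Outcome(False, "rejected", err)

    cert_login_allowed = site.require_client_cert and not site.pci_dss_enabled
    if cert_login_allowed and client_fp is not None and site.cert_to_user.get(client_fp) == username:
        # The certificate is the one mapped to this account: the password is ignored.
        return Outcome(True, "certificate", "certificate mapped to this account")

    # A trusted certificate mapped to a different account gives no shortcut;
    # the ordinary password check applies.
    stored = site.passwords.get(username)
    if password is not None and stored is not None and \
            hmac.compare_digest(stored.encode(), password.encode()):
        return Outcome(True, "password", "password accepted")
    return Outcome(False, "rejected", "password missing or invalid")


def demo_site(pci_dss_enabled: bool = False) -> Site:
    """Constructed Site with two trusted certificates, each mapped to one account."""
    fa, fb = fingerprint(ALICE_KEY), fingerprint(BOB_KEY)
    return Site(
        require_client_cert=True,
        pci_dss_enabled=pci_dss_enabled,
        trusted_store={fa, fb},
        cert_to_user={fa: "alice", fb: "bob"},
        passwords={"alice": "alice-demo-pw", "bob": "bob-demo-pw"},
    )


if __name__ == "__main__":
    site = demo_site()
    fa, fb, fu = fingerprint(ALICE_KEY), fingerprint(BOB_KEY), fingerprint(UNKNOWN_KEY)
    for label, user, pw, fp in [
        ("own cert, no password", "alice", None, fa),
        ("own cert, wrong password", "alice", "wrong", fa),
        ("bob's trusted cert, no password", "alice", None, fb),
        ("bob's trusted cert, correct password", "alice", "alice-demo-pw", fb),
        ("untrusted cert, correct password", "alice", "alice-demo-pw", fu),
    ]:
        print(f"{label:40s} -> {authenticate(site, user, pw, fp)}")
```

The scenario worth noting for a defender is the third one: a certificate that is in the global trusted list but mapped to another account does not authenticate the user, so the account-to-certificate mapping, not mere trust-store membership, is what grants password-free access.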

To specify SSL certificate-based logins for client connections

  1. In EFT Administrator, connect to EFT Server and click the Server tab.

  2. In the left pane, click the Site that you want to configure.

  3. In the right pane, click the Connection Options tab.

  4. Select the Require SSL certificates from connected clients check box.

  5. Click Apply to save the changes on EFT Server.

Related Topics

SSL

Enabling FTPS, HTTPS (SSL) at the Site Level

The AS2 Module