System Architecture

EFTLink connects to the OPI only over a secure HTTPS connection (using HTTP POST) with Transport Layer Security (TLS) protocol version 1.2 or higher. Additional restrictions on protocols and ciphers can be applied via dedicated configuration.

Note:

IMPORTANT

Please note that starting from version 24, strict validation of EPS device SSL certificates will be enforced using a dedicated truststore.

The OPI terminal certificate chain, with root or intermediate, should be provided by the OPI partner and imported into the EFTLink truststore. Note that the certificates may be different for production and test/stage environments.

Refer to the Oracle Retail EFTLink Framework and Configuration Installation Guide, Securing Communication to EPS Devices by Importing Trusted Certificates section to set up the truststore with the required trusted certificates.

Also note that the core default configuration for protocols and ciphers may need changing for some OPI implementations. Please verify and, if necessary, update the following configuration keys held within the opiretail.properties file:

  • truststore.ProtocolsWhiteList

  • truststore.CipherWhiteList

  • truststore.CipherBlackList

The above property keys should be updated with the values the device supports, obtained by contacting the PSP vendor or by using a tool that inspects the SSL connection, such as:

openssl s_client -showcerts -connect <terminal ip:port>

Example of terminal certificate details obtained by inspecting with the openssl command:

[Image: terminal certificate details as reported by the openssl command]

Example of the TLS protocol and cipher used by a terminal, obtained by inspecting with the openssl command:

[Image: TLS protocol and cipher used by a terminal as reported by the openssl command]

Following these examples, the reported certificate or its root should be imported into the EFTLink truststore. The protocol TLSv1.3 should be present in the truststore.ProtocolsWhiteList and TLS_AES_256_GCM_SHA384 in the truststore.CipherWhiteList configuration keys in opiretail.properties to allow EFTLink to connect to the terminal device.
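The check described above, as an added example (not part of the Oracle guide or of EFTLink): a shell script that reads saved openssl s_client output and reports which of the three opiretail.properties keys need changing. The sample transcript and property values are constructed, and the one-line, comma-separated list format for the keys is an assumption.

```shell
#!/bin/sh
# Added example (not Oracle code): check a saved `openssl s_client` transcript
# against the whitelist/blacklist keys in opiretail.properties.

# negotiated FILE -> "PROTOCOL CIPHER", taken from the s_client summary line
# "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384".
negotiated() {
    sed -n 's/^New, \(TLSv[0-9.]*\), Cipher is \([A-Za-z0-9_-]*\).*/\1 \2/p' "$1" | head -n 1
}

# prop_has FILE KEY VALUE -> exit 0 if VALUE is an entry of KEY's list.
# Assumption: the list is written on one line, comma-separated.
prop_has() {
    awk -F= -v k="$2" '{ key = $1; gsub(/[ \t]/, "", key) }
        key == k { sub(/^[^=]*=/, ""); print; exit }' "$1" |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Fxq -- "$3"
}

# check_terminal TRANSCRIPT PROPERTIES -> prints what to change; exit 0 if nothing.
check_terminal() {
    pair=$(negotiated "$1")
    [ -n "$pair" ] || { echo "no handshake summary line in $1"; return 2; }
    proto=${pair%% *}; cipher=${pair#* }; rc=0
    prop_has "$2" truststore.ProtocolsWhiteList "$proto" ||
        { echo "add $proto to truststore.ProtocolsWhiteList"; rc=1; }
    prop_has "$2" truststore.CipherWhiteList "$cipher" ||
        { echo "add $cipher to truststore.CipherWhiteList"; rc=1; }
    if prop_has "$2" truststore.CipherBlackList "$cipher"; then
        echo "remove $cipher from truststore.CipherBlackList"; rc=1
    fi
    return "$rc"
}

# Constructed sample data (not taken from a real terminal or installation).
DEMO=$(mktemp -d)
cat > "$DEMO/terminal.txt" <<'EOF'
CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
---
EOF
cat > "$DEMO/opiretail.properties" <<'EOF'
truststore.ProtocolsWhiteList=TLSv1.2
truststore.CipherWhiteList=TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
truststore.CipherBlackList=
EOF
check_terminal "$DEMO/terminal.txt" "$DEMO/opiretail.properties" || true
```

For TLS 1.2 sessions openssl prints its own cipher names; openssl ciphers -stdname (OpenSSL 1.1.1 and later) lists the corresponding standard names.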

Please always contact the OPI partner for any questions about production and test terminal certificates, TLS protocols, and ciphers.

Note:

The certificates and ciphers used by OPI implementations may change over time. Please contact your OPI partner for details on how they manage this.