
What is happening?

Starting in December 2015, we will begin disabling the TLS v1.0 and v1.1 encryption protocols. This will prevent any TLS v1.0 or v1.1 connection from accessing Qvalent/Westpac services.

Why is this happening?

At Qvalent we treat the protection of our customers' data very seriously. Sometimes we need to make security improvements and retire older encryption protocols. This allows us to maintain the highest security standards and promote the safety of your data. 

To maintain alignment with these best practices and updated compliance requirements from the PCI Security Standards Council,  Qvalent will disable the use of TLS 1.0 and 1.1 for connections to Qvalent/Westpac services.

How do I know if we are ready for this change? 

After Quickstream disables TLS v1.0 and v1.1, any connection to Qvalent/Westpac services must use the TLS v1.2 encryption protocol. 

This change also impacts access to web sites such as: 

  • Westpac Quickstream
  • Westpac PayWay
  • Westpac iLink and WIBS
  • Westpac QuickSuper
  • Westpac Payments Plus and Supplier Finance
  • Westpac Invoice Finance
  • Westpac Batch Advantage

There are two different channels that need encryption to access Qvalent/Westpac services. These channels are:

  • Internet Browser
  • API integrations

An overview of each is below:

Internet Browsers

 When using most browsers, you will not have trouble accessing Qvalent/Westpac services. But you may have trouble if:

  •  You are not using a supported internet browser, or
  •  Your browser has disabled the supported encryption protocols

To quickly test your browser compatibility, you can visit our test page, which has TLS v1.0 and v1.1 disabled. 

If you are able to view the site without errors, access to services via your browser should not be impacted by this change. If you receive an error, the page displays Steps for Resolution. Following these steps will help you change the settings in your browser, or upgrade to a newer version.

Find out more about TLSv1.2 Browser Compatibility.

If you have Microsoft Internet Explorer, refer to the Internet Explorer Support for TLSv1.2 page for additional information.

 API Integrations

API Integrations are interfaces or applications that are separate from Quickstream, but use Quickstream data. If you have any API Integrations, please ensure that the TLS 1.1 and/or TLS 1.2 encryption protocols are enabled in those integrations.

 

API integrations that use Java will generally need to use Java 8 or higher to enable TLS 1.1 and TLS 1.2 in call-outs by default. Another option is to use Java 7 and enable TLS 1.1 and/or TLS 1.2 using the https.protocols Java system property, if applicable, and/or source code changes to enable TLS 1.1 and TLS 1.2 on SSLSocket and SSLEngine instances.

 

Services that run on Windows Server systems and use Microsoft Secure Channel for TLS will need to run on Windows Server 2008 R2 or higher. This generally includes most .NET applications and Microsoft Internet Information Server (IIS). Earlier versions of Windows Server do not support TLS 1.1 or TLS 1.2.

 

API Integrations that use OpenSSL will need to use OpenSSL 1.0.1 or newer. Earlier versions of OpenSSL do not support TLS 1.2 or TLS 1.1.

 

API Integrations using NSS will need to use 3.14 or newer (preferably 3.15.1 or newer). Versions prior to 3.14 do not support TLS 1.1, and versions prior to 3.15.1 do not support TLS 1.2.

 

To test the compatibility of an API client that uses SOAP to communicate with Quickstream:

 

  1. Set up an API client in a test environment.

  2. In that test environment, change the API client's login endpoint hostname from login.Quickstream.com or [MyDomain].my.Quickstream.com to tls1test.Quickstream.com.

    1. As an example, change https://login.Quickstream.com/services/Soap/u/32.0 to https://tls1test.Quickstream.com/services/Soap/u/32.0 while leaving the path as-is.

  3. Log in with that API client.

  4. If you see an error message that resembles the following: "INVALID_LOGIN: Invalid username, password, security token; or user locked out." or “Content is not allowed in prolog.”, then this test passed and your integration works with either TLS 1.1 or TLS 1.2.

    1. The presence of this response means that the underlying TLS connection was successful, despite the higher-level error. The TLS connection is the focus of this test.

  5. If you instead see an error message that involves TLS or HTTPS, then the test has failed. Your API client will require adjustments or upgrades to operate properly with Quickstream once Quickstream deactivates TLS 1.0.

 

To test the compatibility of an API client that uses REST to communicate with Quickstream:

 

  1. Set up an API client in a test environment.

  2. In that test environment, change the API client's access token retrieval endpoint hostname from login.Quickstream.com or [MyDomain].my.Quickstream.com to tls1test.Quickstream.com.

    1. As an example, change https://na1.Quickstream.com/services/oauth2/token to https://tls1test.Quickstream.com/services/oauth2/token while leaving the path as-is.

  3. Alternatively, it's possible to change an API client's service URL from [instance].Quickstream.com or [MyDomain].my.Quickstream.com to tls1test.Quickstream.com.

    1. As an example, change https://na1.Quickstream.com/services/data/v32.0/ to https://tls1test.Quickstream.com/services/data/v32.0 while leaving the path as-is.

  4. If you see an OAuth error, an "INVALID_SESSION_ID Authorization required" error, or a "400 Bad Request" error, then this test passed.

    1. The presence of this response means that the underlying TLS connection was successful, despite the higher-level error. The TLS connection is the focus of this test.

 

  5. If you instead see an error message that involves TLS or HTTPS, then the test has failed. Your API client will require adjustments or upgrades to operate properly with Quickstream once Quickstream deactivates TLS 1.0.
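The SOAP and REST test procedures above follow the same pattern: swap only the hostname, then decide whether the resulting error came from the TLS layer or from the application. The Python sketch below is an added example, not Qvalent's own tooling. The keyword heuristic in `TLS_ERROR`, the function names and the sample messages are assumptions; the test hostname and the pass/fail rule come from the steps above.

```python
import re
import socket
import ssl
from urllib.parse import urlsplit, urlunsplit

TEST_HOST = "tls1test.Quickstream.com"  # test hostname given on this page

# Heuristic (an assumption): wording typical of TLS-layer failures in client logs.
TLS_ERROR = re.compile(r"\b(ssl|tls)\b|handshake|protocol_version|certificate", re.I)

def to_test_endpoint(url, test_host=TEST_HOST):
    """Swap only the hostname for the test host; scheme, port and path stay as-is."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("endpoint must be an https URL")
    netloc = test_host if parts.port is None else f"{test_host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def classify(outcome):
    """Apply the pass/fail rule to an exception or to an error message string."""
    if isinstance(outcome, ssl.SSLError):
        return "fail"            # handshake or certificate error: TLS layer failed
    if isinstance(outcome, OSError):
        return "inconclusive"    # DNS, refused, timeout: TLS was never exercised
    if TLS_ERROR.search(str(outcome)):
        return "fail"            # client reported a TLS-level error in text form
    return "pass"                # application-level error means TLS connected

def probe(url, timeout=10):
    """Handshake with the test host using this runtime's default TLS settings."""
    parts = urlsplit(to_test_endpoint(url))
    ctx = ssl.create_default_context()  # keeps certificate and hostname checks on
    try:
        with socket.create_connection((parts.hostname, parts.port or 443), timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=parts.hostname) as tls:
                return "pass", tls.version()   # e.g. "TLSv1.2"
    except OSError as exc:
        return classify(exc), str(exc)

if __name__ == "__main__":
    # Constructed sample messages, in the shape the steps above describe.
    for msg in ("INVALID_LOGIN: Invalid username, password, security token; or user locked out.",
                "javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version"):
        print(classify(msg), "<-", msg)
```

`probe()` needs network access to the test host and exercises the Python runtime's own TLS stack, so it says nothing about a Java or .NET integration; for those, feed the error text the real client logged to `classify()`.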

What action do I need to take?  

To maintain access to Qvalent and Westpac services make sure your browsers and integrations have TLS v1.2 enabled. 

If your browser or integration does not have TLS v1.2 enabled after we make this change, then your users will NOT be able to access Quickstream. 

We recommend that you begin planning to support TLS v1.2 as soon as possible. If you are in a corporate environment, contact your I.T. administrator.

We only have a small number of users, all of whom use regular browsers. What action do we need to take?

 To maintain seamless access to Qvalent and Westpac services, make sure that browsers connecting to Quickstream have TLS v1.2 encryption or higher enabled. 

Your end users can visit our test page, which has TLS v1.0 and v1.1 disabled, to test their browser compatibility. Your end users do not need to update their browsers if they pass the test.

When will Qvalent/Westpac disable TLS v1.0 and v1.1 encryption?

We plan to disable TLS v1.0 and v1.1 encryption according to the following schedule:

Services | TLS v1.0 and v1.1 disablement schedule

Test environments

 

Production environments

 

Where can I get more information?

If you have any additional questions, please reach out to Customer Support by opening a case via the Help & Training portal.
