Internet Connectivity to XML Gateway

 

This document outlines the standard process for obtaining an AT&T Digicert partner certificate your application can use to communicate securely with our systems. This process is the standard way external clients interface with AT&T internal systems, and is available to you at no cost. These client certificates are managed by AT&T’s Corporate Security team, and have a yearly renewal period.

At a high level, to receive your client certificate you first submit a Certificate Signing Request (CSR). AT&T responds with a CSR response (your signed certificate) that you install in your application keystore. Once your certificate has been whitelisted, that certificate, installed together with the AT&T root CA, grants your application access to our systems.

It takes between 5 and 8 days to complete the onboarding steps. Renewals take 1-2 days.

For LSR, use AT&T Application Name - ATT LSR XML

For ASR and LSR use Sponsor “Robin Christopher”, and for EBTA use “Kelly Kraft”

 

For the LSR XML Gateway team and ASR, the email address is g07129@att.com


For EBTA, use m45680@att.com

 

Table of Contents:

Onboarding overview

Example onboarding openssl implementation

Renewal overview

Example renewal openssl implementation

Example Portecle Renewal implementation

Frequently asked questions

 

Onboarding overview

 

It is critical that the email address you provide remain valid for the full year, as certificate renewal notices will be sent to that address.

1.    Generate the CSR (Certificate Signing Request).

a.    It is recommended to use 2 alpha-only words as your Common Name, like “your name”.

b.    It is recommended that no special characters [.,&, etc] are used in your Common Name.

c.    Use the exact string “ATT Services Inc” as the Organization Name, and leave the Organizational Unit field blank.

d.    Make note of your common name for Step 3.

 

2.    Submit the CSR at the AT&T Digicert Partner Certificate site, using the “Enroll for a Digital ID using a CSR” link located beneath the Enroll link:

        https://pki.symauth.com/certificate-service/?ac=926954&pf=2.16.840.1.113733.1.16.1.2.3.1.1.779867187

3.    Send email to the XML Gateway team. Include the following info:  Your company name, the renewal email address, the Common name used in Step 1.

 

4.    Assuming step 3 was completed, AT&T will typically reply within 24 hours with an email stating that your certificate is ready.

a.    Email the XML Gateway team to notify them this action has occurred. They will then begin the process of having your certificate added to the AT&T Internet proxy whitelist. This process will take 4-7 days.

b.    Install the CSR response certificates, along with the AT&T Root CA, in your application. The AT&T Root CA is available at the AT&T VeriSign Partner Certificate site, using the “Install CA” link.

 

5.    XML Gateway team will notify you when certificate has been added. Your application will now be able to access the XML Gateway URLs.

 

 

Example onboarding openssl implementation

 

There are many certificate and application frameworks, resulting in various implementations of steps 1-4. If you find it helpful, what follows are the specific steps using OpenSSL to complete these steps and generate a p12 keystore file for an application to use.

 

Generate private key

openssl genrsa -des3 -out new.prvkey 2048

 

Enter pass phrase for new.prvkey: ******

Verifying - Enter pass phrase for new.prvkey: ******

Generate CSR

openssl req -new -key new.prvkey -out new.csr

 

Country Name (2 letter code) [AU]:US

State or Province Name (full name) [Some-State]:Missouri

Locality Name (eg, city) []:Saint Louis

Organization Name (eg, company) [Internet Widgits Pty Ltd]:ATT Services Inc

Organizational Unit Name (eg, section) []:    (leave blank; just press Enter)

Common Name (eg, YOUR name) []:your name

Email Address []:youremail@address.com

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:    (optional; it is embedded in the CSR and may be left blank)

An optional company name []:

Submit CSR to AT&T. Response email will include a “p7b” file

Download the .p7b file and public key from the above link. The certificate can also be retrieved later from the search page below; set the search criteria to Email address and the certificate status to All Certificates:

https://pki.symauth.com/certificate-service/didc-search.xhtml?pf=null

Convert CSR Response & CA Cert to needed formats

Converting .p7b to .cer

openssl pkcs7 -print_certs -in <cert_from_mail>.p7b -out ATT.cer

(If the .p7b is binary DER rather than Base64, add -inform DER to the command above.)

Note: combine the Root, Intermediate and Application certificates into one single Base64 .cer file (ATT.cer). The -print_certs step above writes every certificate contained in the .p7b; append the AT&T Root CA if it was not included.

Converting .cer to .pfx with private key

openssl pkcs12 -export -in ATT.cer -inkey new.prvkey -out ATT.pfx

(new.prvkey is the private key generated in the first step; you will be prompted for its pass phrase and for a new export password. All certificates in ATT.cer are included in the .pfx, so -certfile is only needed if the Root and Intermediate are kept in a separate file.)

Import using .pfx

keytool -importkeystore -srckeystore ATT.pfx -srcstoretype pkcs12 -destkeystore <destination_cert>.p12 -deststoretype pkcs12

Import using .cer

keytool -import -alias KeystoreAlias -file ApplicationDigitalCert.cer -keystore <destination_cert>.p12 -storetype pkcs12

(Importing a .cer on its own adds a trusted certificate entry only; the keystore your application presents to AT&T must also hold the private key, which is why the .pfx route is the usual one. If KeystoreAlias already names the private key entry, keytool treats the .cer as the certificate reply for that key instead.)
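As an added example (not part of the original page or AT&T's tooling), the Go program below performs the key and CSR generation from the transcript above with the standard library and then checks the CSR against the onboarding rules before you upload it, so a request that would be bounced for a wrong Organization, a non-blank OU or an unsuitable Common Name is caught locally rather than after the 24-hour turnaround. Assumptions: the State and Locality values are the illustrative ones from the transcript; the two-alpha-word Common Name check is this example's reading of the recommendation in step 1; the renewal email address is supplied on the enrollment form and in the step 3 email rather than in the CSR subject; and the private key is written unencrypted to new.prvkey (the openssl transcript protects it with -des3), so keep the file permissions tight.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"log"
	"os"
	"regexp"
)

// Organization the page requires verbatim; the OU must be left blank.
const requiredOrg = "ATT Services Inc"

// Assumed reading of "2 alpha-only words": letters, one space, letters.
var cnPattern = regexp.MustCompile(`^[A-Za-z]+ [A-Za-z]+$`)

// PageSubject returns the subject used in the openssl transcript above,
// with the given Common Name and no Organizational Unit.
func PageSubject(commonName string) pkix.Name {
	return pkix.Name{
		Country:      []string{"US"},
		Province:     []string{"Missouri"},
		Locality:     []string{"Saint Louis"},
		Organization: []string{requiredOrg},
		CommonName:   commonName,
	}
}

// BuildCSR generates a fresh 2048-bit RSA key and a SHA-256 signed CSR for
// the given subject. The key comes back unencrypted (unlike the -des3 key in
// the openssl transcript); protect the file accordingly.
func BuildCSR(subject pkix.Name) (keyPEM, csrPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: subject, SignatureAlgorithm: x509.SHA256WithRSA}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return keyPEM, csrPEM, nil
}

// CheckCSR parses a PEM CSR (from this program or from "openssl req") and
// enforces the onboarding rules, so a request the partner site or the XML
// Gateway team would bounce is caught locally instead of costing days.
func CheckCSR(csrPEM []byte) error {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR signature does not verify: %w", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok || pub.N.BitLen() < 2048 {
		return fmt.Errorf("key must be RSA with at least 2048 bits")
	}
	s := csr.Subject
	if len(s.Organization) != 1 || s.Organization[0] != requiredOrg {
		return fmt.Errorf("organization must be exactly %q, got %v", requiredOrg, s.Organization)
	}
	if len(s.OrganizationalUnit) != 0 {
		return fmt.Errorf("organizational unit must be blank, got %v", s.OrganizationalUnit)
	}
	if !cnPattern.MatchString(s.CommonName) {
		return fmt.Errorf("common name %q should be two alpha-only words, e.g. \"your name\"", s.CommonName)
	}
	return nil
}

func main() {
	keyPEM, csrPEM, err := BuildCSR(PageSubject("your name"))
	if err != nil {
		log.Fatal(err)
	}
	if err := CheckCSR(csrPEM); err != nil {
		log.Fatal(err)
	}
	// Same file names as the openssl transcript; new.csr is what you upload.
	if err := os.WriteFile("new.prvkey", keyPEM, 0o600); err != nil {
		log.Fatal(err)
	}
	if err := os.WriteFile("new.csr", csrPEM, 0o644); err != nil {
		log.Fatal(err)
	}
	fmt.Println("wrote new.prvkey and new.csr; subject checks passed")
}
```

Run it with go run, upload the resulting new.csr, and keep new.prvkey for the pkcs12 -export step. CheckCSR only reads the PEM, so it can equally be pointed at a CSR produced by openssl req to confirm the interactive answers were typed correctly.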

 


Renewal overview

 

The renewal steps are a subset of the onboarding steps: submit a CSR, then install the response in your application keystore. If you are using the same Common Name as your expiring certificate, use the steps below. If you are changing the Common Name in any way, you must contact the XML Gateway team, and you will go through the onboarding process again with your new name.

Renewal steps:

1.    Generate the CSR from your application. Use the exact string “ATT Services Inc” as the Organization Name and leave the Organizational Unit field blank. Per the note above, use the same Common Name as the expiring certificate. (If you do not remember your old Common Name, it can be found on the AT&T VeriSign Partner site, using the Search function with your renewal email address.)

 

2.    Submit the CSR at the AT&T Digicert Partner site, using the “Enroll for a Digital ID using a CSR” link located beneath the Enroll link:

       https://pki.symauth.com/certificate-service/?ac=926954&pf=2.16.840.1.113733.1.16.1.2.3.1.1.779867187

 

3.    Typically within 24 hours AT&T will reply with email stating your certificate is ready.

 

4.    Install the CSR response cert in your application. 

 

 

Example renewal openssl implementation

 

The steps are identical to the “Example onboarding openssl implementation” steps.

They result in a new .p12 file, ready to drop in place of the old .p12 file.

 

 

Example Portecle Renewal implementation

 

Portecle is an open source GUI tool for managing keystores. These steps can be used as an alternative to above command line steps.

https://clec.att.com/clec_xmlsupport/portecleRenewalSteps.htm

 

 

Frequently asked questions

 

Q. I am having problems. Are there any utilities available to validate that my keystore has been built correctly?

A. Yes, the “Internet Connectivity Tester” can dump contents of a p12 keystore, and also send a test transaction directly from your browser, for validation purposes.

 

Q. I have forgotten when my cert will expire. How can I find out?

A. Search for your Common Name, or email address, using the Search function on the Digicert AT&T website.

 

Q. My company has a firewall and I need to know what IP address AT&T-initiated transactions (Notifications, Order Responses, AVCs, etc.) will appear to come from, so as to have them added to our IP whitelist.

A. Traffic can originate from any of the following IP address ranges: 144.160.130.*, 144.160.5.*, 144.160.98.*, 144.160.226.*. If at all possible you should open all of these. At any given time only a single IP is used, and we can supply it to you, but it may change without warning.

 

Q. What are the URLs for the services?

A. URLs are found in the onboarding spreadsheet

 

Q. I want to receive AT&T initiated transactions (Notifications, Order Responses, AVCs, etc) on a non-standard port (not 443), is this possible?

A. No, this is a limitation of being an Internet customer & mandated to us via AT&T’s security policy. We do offer Direct Circuit access to our systems if you find the Internet environment too restrictive.

 

Q. Yearly renewals are troublesome, is there some way to setup a longer renewal period?

A. No, this is a limitation of being an Internet customer & mandated to us via AT&T’s security policy. We do offer Direct Circuit access to our systems if you find the Internet environment too restrictive.

 

Q. My version of openssl gives errors when I run the Example openssl implementation instructions.

A. These steps have been tested with the latest version of openssl on Solaris, and with version 1.0.0 from openssl.org on Windows. The Windows version reports errors during the last step, but still produces a working p12 file. The Unix version does not produce errors.

 

Q. I need a single PEM file to load into my app, not a p12.

A. > openssl pkcs12 -in cert.p12 -out newCert.pem

(You will be prompted for the p12 import password and then for a pass phrase to protect the private key in the PEM; add -nodes if your application needs the key unencrypted.)

 

Q. How does the SSL security for unsolicited messages from AT&T to the client work? (for example AVCs or Order Responses)

A. Such connections present a Digicert chain terminating at the root “Digicert Class 3 Public Primary Certification Authority - G5”. Please ensure that root is present in your truststore.