Qvalent/Westpac Entrust SSL/TLS Certificate Change
Google Chrome and Mozilla Firefox will stop trusting Symantec-issued SSL/TLS certificates. To mitigate this, the following URLs will have the SSL/TLS certificates replaced with EnTrust certificates:
- pnpnet.qvalent.com
- pnpnet.support.qvalent.com
- www.payway.com.au
- api.payway.com.au
Important Change Information for Qvalent/Westpac Customers
This page contains advice which must be actioned to ensure no loss of banking service with the Quickstream and PayWay Qvalent/Westpac products
Who might this change affect?
Any customer application which:
- Connects to any of the following URLs hosted by Qvalent used by our Quickstream and/or PayWay products AND
- Does not already have the relevant Entrust certificate authorities added to the application's SSL/TLS trust store.
| Quickstream | PayWay |
|---|---|
pnpnet.qvalent.com (Production Environment) | www.payway.com.au (Production Environment) |
pnpnet.support.qvalent.com (Test Environment) | api.payway.com.au (Production Environment) |
Why is Qvalent/Westpac making this change?
Mozilla and Google will begin removing trust for all SSL/TLS certificates issued by Verisign/Symantec Roots in September 2018 in new releases of their Internet browser applications. Whilst other vendors and applications may not be proceeding with this action, due to the use of these hosts by browsers from these vendors, we must proceed with this change before this deadline to ensure maximum compatibility with these services.
Qvalent has made the decision to move to Entrust as our new provider of SSL/TLS certificates for theses hosts. This means changing the structure of the certificates on these hosts which may result in distrust by applications.
When will this change be made?
Qvalent plans to make the certificate changes at the following dates/times:
| URL | Date and Time |
|---|---|
| pnpnet.support.qvalent.com (Test/Support Environment) | Monday May 14 @ 10:00am AEST |
| pnpnet.qvalent.com (Production Environment) | Tuesday August 7 @ 10:00am AEST |
api.payway.com.au (Production Environment) | Monday August 13 @ 10:00am AEST |
| www.payway.com.au (Production Environment) | Monday August 13 @ 10:00am AEST |
Customers however can take action now to prepare for these changes.
What certificates are being changed?
Qvalent will begin to issue server certificates for the above hosts from the following Root and Intermediate Certificates
Root Certificate
| Common Name (CN) | Entrust Root Certification Authority - G2 |
| Valid Until | 8/12/2030 |
| Thumbprint | 8c f4 27 fd 79 0c 3a d1 66 06 8d e8 1e 57 ef bb 93 22 72 d4 |
| Available from Entrust at | https://entrust.com/root-certificates/entrust_g2_ca.cer |
Intermediate Certificate
| Common Name (CN) | Entrust Certification Authority - L1K |
| Issued By | Entrust Root Certification Authority - G2 |
| Valid Until | 6/12/2030 |
| Thumbprint | f2 1c 12 f4 6c db 6b 2e 16 f0 9f 94 19 cd ff 32 84 37 b2 d7 |
| Available from Entrust at | https://entrust.com/root-certificates/entrust_l1k.cer |
How does this change affect my application?
When your application connects to one of the above hosts, it requests it validates the certificate issued to these hosts comes from a trusted certificate authority.
If you do not have the new Entrust root certificate authority hosts in your repository, then your application will not trust the Qvalent host.
If this happens, your application will not connect to our web service, which will result in a loss of banking service.
What must I do?
| Step | To Do |
|---|---|
| 1 | Read this detailed change advice and ensure it reaches all application owners which connect to Qvalent services to investigate the impact of this change. |
| 2 | Identify all applications which interact with these hosts and take action to prepare for this change immediately. |
| 3 | Validate preparedness of applications and systems for this change by ensuring all systems have the Entrust Root CA in their application’s trust store.
|
| 4 | Take immediate action to add the Entrust Root CA to your application's trust store if it is not present.
|
| 5 | Understand and be prepared to instigate business BCP processes in the event of any issues post change to ensure banking services continue with this loss of service |
| 6 | Understand and be prepared to gather application developer and systems administrator resources in the event of any issues post change. |
Further Information
Further Information regarding this change can be found at Further Information Regarding Qvalent/Westpac Entrust SSL/TLS Certificate Change.
Contact Us
For Quickstream Customers using pnpnet.qvalent.com or pnpnet.support.qvalent.com
Email quickstream@qvalent.com or phone the Quickstream helpdesk team on 1300 726 370 between 7:00am to 7:00pm (AEST), Monday to Friday.
For PayWay Customers using www.payway.com.au or api.payway.com.au
Email payway@qvalent.com or phone the Payway Helpdesk team on 1300 727 111 between 8.30am to 5.30pm (AEST), Monday to Friday.
Disclaimer
These guidelines are general in nature and have been prepared without knowledge of the specific environment in which your systems operate. These guidelines are current at the time of writing, but may require update over time. Except where contrary to law, Westpac intends by this notice, to exclude liability for these guidelines and the information contained in them. While Westpac has made every effort to ensure these guidelines are free from error, Westpac does not warrant their accuracy, adequacy or completeness.