...
Type of Certificate | Area | Purpose | Owner / Process | Resources |
|---|---|---|---|---|
TLS/SSL certificates (Pricefx exposes a web service or page) | Access to Pricefx operated web services. Anything under the domains https://<somename>.pricefx.com and https://<somename>.pricefx.eu. | To secure the communication connection (data-in-transit encryption). These certificates are all signed and trusted by a commonly acknowledged Certificate Authority (CA) which are commonly trusted by all major browsers. I.e. even after a certificate changes, any client should trust the new certificate by a shared CA trust. Mileage varies for other clients (in particular in integration space). Please be aware that - – following general industry and browser standards & and recommendations - – we aim for shorter certificate lifetimes (a few months). So expect regular certificate rollovers. Please also note that we are following follow standard common security practices around the support and - – more importantly - – the de-support of old and outdated security/encryption properties such as ciphers and encryption protocols. Most notableynotably, we only support TLS 1.2 or newer and only cipher suites that are considered “strong”. Very old and outdated clients may not support these. | These certificates are maintained by Pricefx. | https://api.pricefx.com/rest-api/authentication/ Pricefx only: https://pricefx.atlassian.net/wiki/spaces/EN/pages/3673391182/JWT+authentication+with+external+JWT+token+to+pricefx+partition |
TLS/SSL certificates (Pricefx as client) | Access to outside web services (customer or public). | To secure the communication connection. Just like above, but reverse. Pricefx (should) trust all commonly used CA signed certificates. However, if e.g. the customer uses self-signed certificates, they (their public part) need to be imported client-side to be trusted. | The owner of the certificate needs to renew and distribute the updated public parts before the expiry date. | |
Single sign-on (SAML Certificate) | User login to Pricefx applications | Enables single sign-on to Pricefx applications. Certificates are used to verify the SAML signature and ensure that the login grant comes from a trusted source (the Identity Provider). For this purpose Pricefx needs to know the public certificate part from the Identity Provider to validate the signature. Most common identity providers roll over (renew) these certificates on a regular basis. | Customer IT department issues this certificate and distributes it manually to Pricefx for installation or publishes it in the federationmetadata.xml manifest (which needs to be set as trust anchor in Pricefx). |
...