1 Reply Latest reply on Mar 7, 2019 1:06 PM by Patricio - HGBU LAD Presales-Oracle

    SSL/TLS Certificates for OPERA

    Patricio - HGBU LAD Presales-Oracle

      Does OPERA require certificates? If so, what type of certificates are supported?

      Is SSL / TLS the same?

        • 1. Re: SSL/TLS Certificates for OPERA
          Patricio - HGBU LAD Presales-Oracle

          Yes, SSL/TLS are mostly the same: security protocols. SSL (Secure Socket Layer) is the predecessor of TLS (Transport Layer Security). TLS 1.2 is the latest version and considered the most secure.

           

          To comply with PCI rules (specifically PA-DSS 8.2.c) we add a TLS certificate to the OPERA app servers to allow for HTTPS secure protocol instead of plain HTTP.

          Depending on the OPERA version there are different options. Basically, versions from 5.4.0.x up to 5.4.2.x allow for self-signed certificates, while versions 5.4.3 and above require an external certificate (internal certificate authorities may also work). SHA2 / TLS1.2 certificates are supported. You can check this public document for more details (look for "Secure Socket Layer (SSL) and OPERA").

           

          In case the customer needs some guidance deciding on certificates, here's some good insight courtesy of Fabricio Titiro from EAME presales:

           

          "SSL vendors market their products the same as we do, for example with OPERA Premium, Standard, Lite.

           

          They offer different products depending on the complexity of the customer environment; the more risky and valuable it is, the more expensive the product they offer.

           

          Sometimes more expensive doesn't mean more secure; they also offer higher insurance in case of a criminal activity not protected by the SSL.

           

          This topic can be very difficult, and within deployment we have experienced a lot of confusion, so your point is totally clear.

           

          In the end, the customer is asking for advice, and while we do not recommend a particular vendor, this is what I used to do:

           

          A) Provide High Level Guidance on Vendors.

           

          Normally I recommend three options. The top two are owned by Symantec and are the market leaders. They are fast and efficient.

          Go Daddy is cheap, but if the customer is familiar with "Self Service" and time is not an issue, it is also a good option.

           

          Verisign

          Thawte

          Go Daddy

           

          B) Provide High Level Guidance on Certificates

           

          Below you can see the explanation, in the vendors' words, of the difference between each one. All are good for OPERA, OXI, etc.; it's just a matter of more or less security, insurance, etc.

           

          https://www.thawte.com/ssl/?tid=a_box_buyssl

           

          https://uk.godaddy.com/web-security/ssl-certificate/ev-ssl-certificate?countryview=1

           

          https://www.verisign.com/en_US/website-presence/website-optimization/ssl-certificates/index.xhtml

           

          C) Conclusion

           

          Most of the customers, from my experience, go for the mid-range vendor, Thawte, and the mid-range certificate, the EV.

           

          It's important to consider whether or not the server will be publicly available. If publicly published, the highest security is recommended."