
TSYS Global Technology Services

Enterprise Application Services

Web Services Hosting Guide

GTS DTIS
March, 2017
Version 1.2

CONFIDENTIAL
© Total System Services, Inc. All rights reserved worldwide.
Document History

Date            Version  Reason For Issue                   Updated By
March 15, 2015  1.0      Initial creation of document       Scott Anderson
March 31, 2015  1.1      Added error handling information   Scott Anderson

Table of Contents
1.0 Overview............................................................................................................................................................. 4
2.0 Architecture Overview........................................................................................................................................ 4
2.1 Architecture Diagram...................................................................................................................................... 5
3.0 Connection and Security Access Requirements................................................................................................. 6
3.1 Customer Line Connection (Dedicated/Private Circuit)...................................................................................6
3.2 Internet Connection......................................................................................................................................... 6
3.3 Internet VPN Connection................................................................................................................................ 6
4.0 Access Control................................................................................................................................................... 6
4.0 TSYS Incoming Messaging DNS Resolution...................................................................................................... 7
4.1 Customer/Private & Internet VPN DNS Hosting.............................................................................................. 7
4.2 Internet DNS Hosting...................................................................................................................................... 7
5.0 TSYS Outgoing Messaging................................................................................................................................ 7
6.0 TSYS Internal Application Failover..................................................................................................................... 7
6.1 Application Tier Active/Active configuration.................................................................................................... 7
6.2 Application Tier Active/Passive configuration.................................................................................................. 7
6.3 Application Tier Active/DR configuration......................................................................................................... 8
7.0 TSYS Certificates............................................................................................................................................... 8
7.1 SSL Cypher and.............................................................................................................................................. 8
7.2 TSYS SSL Certificates.................................................................................................................................... 8
7.3 Mutual Auth Certificate.................................................................................................................................... 8
7.4 Signing Certificate........................................................................................................................................... 9

1.0 Overview
TSYS has deployed an industry-proven API Gateway Appliance technology to quickly expose our Web Services
for consumption by our Customers. Through the use of a scaled hardware solution, TSYS is able to offer its Web
Services across a common connection point, allowing cross-system access through a single dedicated Customer
connection. Additionally, it allows us to implement and update the highest security standards through repeatable
processes, allowing faster deployments while still securing our most critical data.

2.0 Architecture Overview


The API Gateway infrastructure is built on a common architecture model and deployed in an Active/Active
capacity across both of our Columbus Data Center locations. Each of the TSYS Data Centers in Columbus is
available for real-time traffic at all times, with automated failover between the two locations. During the
implementation phase we advise our Customers to set up access to both of our Columbus Data Center locations in
order to utilize this failover feature. Under normal circumstances the primary Data Center will be the same as
your processing TS1/2 Mainframe region.

The high level data flow is listed below, with an accompanying diagram to follow.

Data Flow
- The Customer resolves a URL used to route to the TSYS hosted Web Service endpoint. The DNS will either be
  hosted on the TSYS DNS Servers or hosted internally at the Customer's site.
- The Web request routes to the TSYS Client Facing firewalls.
- The TSYS Firewalls translate the request to a dedicated F5 Load Balancer connection point for that Customer.
- The F5 Load Balancer balances traffic to a cluster of API Gateway Appliances.
- Based on Context Path or WSDL Schema Mapping, the API Gateway routes to the TSYS back-end application for
  fulfillment.
- The Request is fulfilled, and a Response is sent back to the Customer as a synchronous transaction.

2.1 Architecture Diagram
3.0 Connection and Security Access Requirements
There are three primary connection methods into TSYS for Web Services.
1. Client Line
2. Internet
3. Internet VPN

Each connection method has different security requirements: essentially, the less secure the connection method,
the more security is required at the setup and/or message layer. Additional security measures are supported in lieu
of the standard protocols below and can be implemented at the Customer's request.

3.1 Client Line Connection (Dedicated/Private Circuit)


The Client Line connection is the most secure connection method into TSYS because encryption
is enforced on the wide area network (WAN) segment, also known as router-to-router-based
encryption. This ensures that all communication between the Customer and TSYS is encrypted
regardless of the API being used. The Web Service interface must also enforce TLS v1.2 (SSL is
no longer supported) as a second layer of encryption, using the third-party-issued TLS
Certificates.

Client/Private Line Requirements:


1. Router to Router based encryption
2. TLS v1.2 encryption between TSYS and Customer gateway.

3.2 Internet Connection


The Internet connection is the least secure connection method into TSYS. To ensure a
higher level of security over an open public network, we employ additional security
mechanisms to establish a trusted relationship between the two endpoints. Trust is established
through client-issued certificates, also known as Mutual Authentication or 2-Way SSL. The
message is also secured by digital signing with X.509 certificates by both the server
and the client.

Internet Line Requirements:


1. TLS v1.2 Encryption between TSYS and Customer gateway
2. Client side issued Mutual Authentication certificates.
3. Digital Signing of XML request and response using x509 certificates.

3.3 Internet VPN Connection


There is an option to implement a VPN over the public internet. This employs router to router-
based encryption over the public Internet. The VPN connection removes the need for Digital
Signing; however Mutual Authentication is still required.

Internet VPN Requirements:


1. TLS v1.2 Encryption between TSYS and Customer gateway
2. Client side issued Mutual Authentication certificates.

4.0 Access Control


As an additional security layer there are IP restrictions on the TSYS Firewall for all Web Service traffic. The TSYS
Customer IP Addresses must be whitelisted on the TSYS Firewalls for access into the service. Additionally,
access is only allowed outbound from TSYS to pre-identified Customer systems. In order to establish access
between the TSYS and Customer APIs, a 'Network Services Access Questionnaire' should be filled out and
returned to TSYS. Please include all Secondary/DR/Failover IP Addresses for the Production service, and also
any additional testing IP Addresses for the UAT services. The Project Manager and/or Customer Service
Representative can provide the Access Questionnaire on request.

4.0 TSYS Incoming Messaging DNS Resolution


TSYS offers DNS resolution through GTM DNS Servers integrated into our LTM F5 Load Balancers, which provide
automatic failover through a DNS update. There are limitations depending on the Customer's implementation of the
services highlighted below.

4.1 Customer/Private & Internet VPN DNS Hosting


TSYS offers DNS resolution for Private Circuit connections incoming to TSYS. DNS will resolve
over the Internet and will be limited to the TSYS Firewall Address. If internal routing at the
Customer location requires the resolution of non-TSYS-owned IP addresses, the Customer will be
required to host the resolution internally.

4.2 Internet DNS Hosting


For Internet hosted services TSYS will offer DNS resolution for the Internet routable IP Address.
The TSYS DNS Servers are integrated with our Load Balancers and offer automatic failover for
TSYS hosted service failure.

5.0 TSYS Outgoing Messaging


Due to TSYS internal routing, and the need to whitelist only approved IP Addresses for outgoing communication,
TSYS cannot utilize Internet hosted DNS for outbound resolution. Each of the Customer-provided IP Addresses
must be whitelisted on the TSYS Firewall and will have a corresponding NAT'd address at TSYS.

6.0 TSYS Internal Application Failover


Each of the TSYS Web Service Application systems has its own Failover/DR plan. Below is a high-level
overview of each of those scenarios and how they are managed behind the API Gateway Infrastructure. Please
reach out to the Product owner and/or Customer Service Representative for more detail if needed.

6.1 Application Tier Active/Active configuration


If the Application Tier is set up in an Active/Active configuration, the application is live for
real-time communication in each Data Center during published available times. If your primary
published endpoint is NDC, you will route to the NDC API Gateway solution, which in turn will
route to the NDC-hosted Application environment. If an event occurs, the external failover scenarios
will be executed and traffic will route to the alternate data center, in effect routing to the alternate
application data center.

6.2 Application Tier Active/Passive configuration
If the Application Tier is set up in an Active/Passive configuration, the API Gateway interfaces will
be Active in both Data Centers and route internally to the primary Data Center location for the
Application. From a Customer perspective, both TSYS Data Center locations will be available
for real-time traffic during operational hours.

7.0 TSYS Certificates


TSYS issues Third Party signed certificates through Verisign for TLS, Mutual Auth, and Digital Signing. TSYS
can support trusted Third Party signed certificates from our Customers. In some cases Self Signed and/or
internal Customer CA certificates are permitted for non-TLS use; if requested, this will need to be approved by
the TSYS Information Security team.

7.1 TSYS SSL Certificates


TSYS uses a Third Party issued wildcard certificate hosted on the API Gateway devices. The
Public CA/Roots can be downloaded from the Public site listed below by selecting the Download
option.

Internet Connection SSL Certificates


Test/Verification Env (ewsaccessv.tsysecom.com)

[will be provided at the time of setup]

Prod Env (ewsaccess.tsysecom.com)

[will be provided at the time of setup]

VPN/MPLS Circuit Connection SSL Certificates


Test/Verification Env (wsaccessv.tsysecom.com)

[will be provided at the time of setup]

Prod Env (wsaccess.tsysecom.com)

[will be provided at the time of setup]

7.2 Mutual Auth Certificate


TSYS uses Third Party issued named Mutual Auth certificates for external Customers that can
support CN validation in addition to the standard chain validation. For Customers that cannot support
CN validation, TSYS will issue an internally signed Mutual Auth certificate. TSYS can support a
Customer-issued internal or Third Party signed Mutual Auth Certificate. TSYS cannot support
Mutual Auth Certificates issued for longer than 2 years.

[will be provided at the time of setup]
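As an added example (not part of this guide or of the TSYS gateway), the following Python shows the client side of the Internet connection requirements in 3.2 and the checks described in 7.2: TLS 1.2 as the minimum protocol, a client certificate for Mutual Authentication, and, after the handshake, a CN check plus the 2-year lifetime limit on the peer certificate. The file paths, the constructed sample certificate and the expected CN are assumptions.

```python
import ssl
import time
from typing import List, Optional

# Constructed peer certificate in the shape ssl.SSLSocket.getpeercert()
# returns; the name and dates are made up for illustration.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "client.example-customer.test"),),),
    "notBefore": "Mar  1 00:00:00 2017 GMT",
    "notAfter": "Feb 28 23:59:59 2019 GMT",
}
MAX_VALIDITY_DAYS = 2 * 365 + 1  # sections 7.2/7.3: not issued longer than 2 years

def make_mtls_context(ca_bundle=None, client_cert=None, client_key=None):
    """Client context for 2-Way SSL: TLS 1.2 minimum, chain and hostname
    validation of the TSYS endpoint, plus our own certificate for mutual auth.
    File paths are assumptions; the CA bundle is the public roots from 7.1."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL and TLS 1.0/1.1 are refused
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:  # without it the handshake fails on a mutual-auth endpoint
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx

def peer_common_name(cert: dict) -> Optional[str]:
    """Subject CN from a getpeercert() dictionary, or None if absent."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def check_peer_cert(cert: dict, expected_cn: str, now_ts: Optional[float] = None) -> List[str]:
    """Checks layered on top of the chain validation the context already did:
    the named CN must match and the lifetime may not exceed two years.
    Returns the list of problems found; an empty list means accepted."""
    now_ts = time.time() if now_ts is None else now_ts
    problems = []
    cn = peer_common_name(cert)
    if cn != expected_cn:
        problems.append(f"CN mismatch: got {cn!r}, expected {expected_cn!r}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if (not_after - not_before) / 86400 > MAX_VALIDITY_DAYS:
        problems.append("validity period exceeds the 2-year limit")
    if not not_before <= now_ts <= not_after:
        problems.append("certificate not valid at the time of the check")
    return problems
```

After `make_mtls_context(...).wrap_socket(sock, server_hostname=host)` completes the handshake, pass `sock.getpeercert()` to `check_peer_cert` and close the connection if the returned list is not empty.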

7.3 Signing Certificate
TSYS uses a Third Party issued named Signing Certificate for all Requests and Responses that
have a signing requirement; you can download the TSYS issued signing certificate from the public
link below. TSYS can support a Customer-issued internal or Third Party signing certificate; both
the Request and the Response must be signed. TSYS cannot support signing certificates issued for
longer than 2 years.

TSYS North America (xmlsigning.tsysecom.com)

[will be provided at the time of setup]

8.0 API Error Handling


One of the features of the API Gateway solution is top-layer authorization/authentication of the messages. With
this feature there is custom error logic that indicates the functional issue with the service, providing more visibility into
the true root cause of the failure. We have several Standard Error Templates used on the Gateway servers, with
the primary templates shown below; these are usually tailored to the same specifications as the backend TSYS
Application for coding consistency and best practices. Each error issued from the API Gateway will indicate the
fault in detail in the message.

Please note that an error at the backend Application layer of the service will have unique error codes; for more
information, please reach out to your Customer Service representative at TSYS or the Application Production
contact.

8.1 Soap 1.1 Fault Template

Default Error Code: 500
Content Type: text/xml; charset="utf-8"
Default Message Format:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Server</faultcode>
      <faultstring>%abortmsg%</faultstring>
      <detail>
        <fs:Detail xmlns:fs="http://www.forumsystems.com/2004/04/soap-fault-detail">
          <fs:SystemName>%sysname%</fs:SystemName>
          <fs:User>%username%</fs:User>
          <fs:Policy>%policy%</fs:Policy>
          <fs:TaskList>%tasklist%</fs:TaskList>
          <fs:Task>%task%</fs:Task>
        </fs:Detail>
      </detail>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>

8.2 Soap 1.2 Fault Template

Default Error Code: 500
Content Type: application/soap+xml; charset="utf-8"
Default Message Format:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body>
    <soap:Fault>
      <soap:Code>
        <soap:Value>soap:Receiver</soap:Value>
      </soap:Code>
      <soap:Reason>
        <soap:Text xml:lang="en-US">%abortmsg%</soap:Text>
      </soap:Reason>
      <soap:Detail>
        <fs:Detail xmlns:fs="http://www.forumsystems.com/2004/04/soap-fault-detail">
          <fs:SystemName>%sysname%</fs:SystemName>
          <fs:User>%username%</fs:User>
          <fs:Policy>%policy%</fs:Policy>
          <fs:TaskList>%tasklist%</fs:TaskList>
          <fs:Task>%task%</fs:Task>
        </fs:Detail>
      </soap:Detail>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>

8.3 XML Template

Default Error Code: 500
Content Type: text/xml; charset="utf-8"
Default Message Format:
<fs:Error xmlns:fs="http://www.forumsystems.com/2004/04/error">
  <fs:Message>%abortmsg%</fs:Message>
  <fs:SystemName>%sysname%</fs:SystemName>
  <fs:User>%username%</fs:User>
  <fs:Policy>%policy%</fs:Policy>
  <fs:TaskList>%tasklist%</fs:TaskList>
  <fs:Task>%task%</fs:Task>
</fs:Error>
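An added example, not from this guide or the gateway vendor, that parses the three templates above into one record so a client can log the gateway's fault detail (SystemName, User, Policy, TaskList, Task) and tell an API Gateway fault apart from a backend Application error, which uses its own codes. The sample responses are constructed with the placeholders filled in.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the three gateway templates (sections 8.1-8.3).
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
FS_ERROR = "http://www.forumsystems.com/2004/04/error"
DETAIL_FIELDS = ("SystemName", "User", "Policy", "TaskList", "Task")

# Constructed sample responses with the placeholders filled in; the values
# are illustrative, not real gateway output.
SOAP11_SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body><soap:Fault><faultcode>soap:Server</faultcode>
<faultstring>Client certificate rejected</faultstring><detail>
<fs:Detail xmlns:fs="http://www.forumsystems.com/2004/04/soap-fault-detail">
<fs:SystemName>gw-test</fs:SystemName><fs:User>anonymous</fs:User>
<fs:Policy>CustomerPolicy</fs:Policy><fs:TaskList>Inbound</fs:TaskList>
<fs:Task>MutualAuth</fs:Task></fs:Detail></detail></soap:Fault></soap:Body></soap:Envelope>"""
XML_SAMPLE = """<fs:Error xmlns:fs="http://www.forumsystems.com/2004/04/error">
<fs:Message>Signature verification failed</fs:Message><fs:SystemName>gw-test</fs:SystemName>
<fs:User>cust01</fs:User><fs:Policy>CustomerPolicy</fs:Policy>
<fs:TaskList>Inbound</fs:TaskList><fs:Task>VerifySignature</fs:Task></fs:Error>"""

def _require(element, what):
    if element is None:
        raise ValueError(f"not an API Gateway fault: missing {what}")
    return element

def parse_gateway_fault(body):
    """Normalise a SOAP 1.1, SOAP 1.2 or plain-XML gateway error into one dict
    (format, code, message, SystemName, User, Policy, TaskList, Task)."""
    root = ET.fromstring(body)  # use defusedxml for untrusted input
    if root.tag == f"{{{SOAP11}}}Envelope":
        fault = _require(root.find(f"{{{SOAP11}}}Body/{{{SOAP11}}}Fault"), "Fault")
        fmt, code = "soap11", fault.findtext("faultcode", "")
        message, detail = fault.findtext("faultstring", ""), fault.find("detail/*")
    elif root.tag == f"{{{SOAP12}}}Envelope":
        fault = _require(root.find(f"{{{SOAP12}}}Body/{{{SOAP12}}}Fault"), "Fault")
        fmt, code = "soap12", fault.findtext(f"{{{SOAP12}}}Code/{{{SOAP12}}}Value", "")
        message = fault.findtext(f"{{{SOAP12}}}Reason/{{{SOAP12}}}Text", "")
        detail = fault.find(f"{{{SOAP12}}}Detail/*")
    elif root.tag == f"{{{FS_ERROR}}}Error":
        fmt, code, detail = "xml", "", root
        message = root.findtext(f"{{{FS_ERROR}}}Message", "")
    else:  # anything else is not a gateway template, e.g. a backend error
        raise ValueError(f"not an API Gateway fault: {root.tag}")
    result = {"format": fmt, "code": code, "message": message}
    ns = detail.tag[:detail.tag.find("}") + 1] if detail is not None else ""
    for field in DETAIL_FIELDS:  # fs:* children share their parent's namespace
        result[field] = detail.findtext(ns + field, "") if detail is not None else ""
    return result
```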