Troubleshooting
Troubleshooting network problems often proves to be a challenge: is the problem at the source (your) system, the destination (our) system or (as is most often the case) somewhere in between? A few troubleshooting tools are available, but they may need to be installed or enabled on the source system.
Only the first two (tracert and telnet) are found natively in current operating systems. The others will need to be installed if you plan to use them. The use of any of these depends upon the permission of your security/network team, and their usage may require skills and experience beyond this content.
Tracert (Windows) or traceroute (Linux)
Tracert uses ICMP to log each system in the route between two systems. This can indicate whether a system is responding slowly or whether an ISP route is inefficient.
All network troubleshooting should include a tracert if possible.
- Tracert uses ICMP, not TCP, so it does not follow the normal firewall rules for an https connection; nonetheless, it does follow the same Internet route.
- Companies often block ICMP (because it is a common protocol for “bad actors”). If tracert does not provide any route information (all *** timeouts), ICMP is blocked by your network security.
- Worldpay blocks ICMP, so once a signal reaches the Worldpay network, you will see *** timeouts. This is not a problem, as we are interested in the route to Worldpay and not necessarily in what is occurring within the Worldpay network.
Telnet client
Unlike tracert, telnet is a TCP protocol and will pass through your firewall and test its access lists.
We request that the telnet client be installed on your servers that reach out to Worldpay, but we strongly recommend against installing the telnet server, as it is an opportunity for bad actors.
Worldpay does not run telnet servers, so the telnet client, if successful, will connect and then give a blank screen. This is the desired response.
The syntax for telnet is:
telnet <hostname> <port>
The hostname is found in the URL between the protocol (https://) and the resources (everything after, and including, the next slash “/”).
The port is determined by the protocol. Common protocols/ports used by WorldpayB2B are:
- https = port 443
- sftp = port 22
- rfc = port 33xx; for example, the gateway service SAPGW00 = 3300, SAPGW01 = 3301…
To use telnet to check the connection to https://xipayapi.paymetric.com/PMXIGGE/XiPay30WS.asmx:
Enter:
telnet xipayapi.paymetric.com 443 <enter>
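The hostname and port rules above, as an added example (not Worldpay's own tooling): a shell script that derives the telnet target from an endpoint URL and tests the outbound TCP path on a server with no telnet client. It assumes `bash` and the coreutils `timeout` command are installed; the function names are hypothetical and bracketed IPv6 literals are not handled.

```shell
#!/bin/sh
# Added example, not Worldpay tooling. Function names are hypothetical.

# url_to_target URL: print "host port"; fail if no port can be derived.
url_to_target() {
    case $1 in
        *://*) scheme=${1%%://*}; rest=${1#*://} ;;
        *)     return 1 ;;
    esac
    hostport=${rest%%/*}        # drop the resource: first "/" and everything after
    hostport=${hostport##*@}    # drop a user@ prefix (sftp://user@host/...)
    case $hostport in
        *:*) host=${hostport%%:*}; port=${hostport##*:} ;;   # explicit port wins
        *)   host=$hostport
             case $scheme in
                 https) port=443 ;;
                 sftp)  port=22 ;;
                 *)     return 1 ;;
             esac ;;
    esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$host" ] || return 1
    printf '%s %s\n' "$host" "$port"
}

# check_tcp HOST PORT [SECONDS]: exit 0 only if the TCP handshake completes.
check_tcp() {
    out=$(timeout "${3:-5}" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>&1)
    rc=$?
    case $rc in
        0)   echo "open: TCP handshake to $1:$2 completed" ;;
        124) echo "timeout: no reply from $1:$2 (commonly a firewall dropping the packets)" ;;
        *)   echo "failed: $1:$2: $out" ;;
    esac
    return $rc
}

# Run only when a URL is given, e.g.: sh check.sh https://<hostname>/<resource>
if [ "$#" -gt 0 ]; then
    target=$(url_to_target "$1") || { echo "cannot derive host/port from $1" >&2; exit 2; }
    set -- $target
    check_tcp "$1" "$2"
fi
```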
cURL
cURL is a third-party product used in command line scripts to transfer data. It can be used to test a connection. This is primarily a Linux utility, although a Windows version is available. The command to test a connection is:
curl -v telnet://<hostname>:<port>
While not offering much more than telnet, the response “Connection refused” is an indication the port is accessible but, because we do not run a telnet server, nothing is responding.
OpenSSL
OpenSSL is a third-party certificate toolkit. It enables you to make a certificate signing request (CSR) to add or replace a certificate, and it is also used to create *.p12 files. A version of OpenSSL is included in the PAS directory (for SAP environments that use PAS).
As a troubleshooting tool, OpenSSL allows you to query information about the SSL certificate and list all intermediate certificates:
openssl s_client -connect <hostname>:<port>
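To read the result of that query more easily, the following added example (not part of the original content or of Worldpay's tooling) summarises every certificate in the chain and flags any that is close to expiry. The function name `chain_report` is hypothetical; it assumes `openssl`, `awk` and `mktemp` are available and reads PEM certificates on standard input.

```shell
#!/bin/sh
# Added example. Live use, with <hostname> as a placeholder:
#   openssl s_client -connect <hostname>:443 -servername <hostname> \
#       -showcerts </dev/null 2>/dev/null | chain_report 30

# chain_report DAYS: print position, subject and expiry date for each
# certificate on stdin (server certificate first, then intermediates).
# Returns 1 if any certificate expires within DAYS or none was found.
chain_report() {
    days=${1:-30}
    dir=$(mktemp -d) || return 2
    # Split the stream into one file per BEGIN/END CERTIFICATE block.
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; keep = 1 }
        keep { print > (dir "/" sprintf("%02d", n) ".pem") }
        /-----END CERTIFICATE-----/   { keep = 0 }'
    rc=0; count=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || break          # glob matched nothing
        count=$((count + 1))
        subject=$(openssl x509 -in "$pem" -noout -subject)
        expiry=$(openssl x509 -in "$pem" -noout -enddate)
        echo "[$count] $subject | $expiry"
        # -checkend N exits non-zero if the certificate expires within N seconds.
        if ! openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null; then
            echo "    WARNING: expires within $days days"
            rc=1
        fi
    done
    rm -rf "$dir"
    [ "$count" -gt 0 ] || return 1
    return $rc
}
```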
Keytool
Keytool is the Java certificate toolkit. It is not a replacement for OpenSSL, but rather a complement to it, adding features for Java-like environments.
To check your keystore:
keytool -list -v -keystore keystore.jks
To list your certificate authorities:
keytool -list -v -keystore cacerts
Note the following:
- A keystore is used to authenticate yourself.
- cacerts is where Java stores public certificates of root CAs.
- Java uses cacerts to authenticate the servers.
- keystore is where Java stores the private keys of the clients so that it can share them with the server when the server requests client authentication.
SoapUI
SoapUI allows you to create a SOAP script to send to XiPay (preferably Cert / QA as SoapUI is a test tool). Use of SoapUI is beyond the scope of this content.
Postman
Postman allows you to script APIs. These can be used to test a connection to QA, but, as with SoapUI, usage is beyond the scope of this content.
Useful websites
The following websites help you troubleshoot internet issues.
What is my IP address?
Often, we ask for your system’s IP address. Most systems behind a NAT firewall have an internal non-routable IP address, so ipconfig may say it is 10.xxx.xxx.xxx, 172.16.xxx.xxx or 192.168.xxx.xxx. These are not the IP addresses hitting Worldpay systems; instead, the firewall or proxy server masks the internal IP and sends the communication to Worldpay from your public IP address.
To find the Public IP address, from the server, use your browser to go to: https://whatismyipaddress.com
What ciphers are supported?
To see the current set of supported ciphers, use www.ssllabs.com to query the Worldpay B2B endpoints.
How do I find Internet problems?
Internet outages can be viewed at https://www.thousandeyes.com/outages/
Is there another way to confirm the SSL certificate is valid?
https://www.sslshopper.com/ssl-checker.html is a web-based SSL certificate checker. It is easier to read than OpenSSL’s test and can confirm the validity of the certificate.