Server Class

Properties   Methods   Events   Config Settings   Errors  

The Server class provides support for the 3DS Server role as defined in the EMV® 3-D Secure (EMV 3DS) specification.

Class Name

IPWorks3DS_Server

Procedural Interface

 ipworks3ds_server_open();
 ipworks3ds_server_close($res);
 ipworks3ds_server_register_callback($res, $id, $function);
 ipworks3ds_server_get_last_error($res);
 ipworks3ds_server_get_last_error_code($res);
 ipworks3ds_server_set($res, $id, $index, $value);
 ipworks3ds_server_get($res, $id, $index);
 ipworks3ds_server_do_addextension($res, $id, $name, $critical, $data);
 ipworks3ds_server_do_addrequestfield($res, $name, $value, $valuetype);
 ipworks3ds_server_do_checkresponse($res, $response);
 ipworks3ds_server_do_config($res, $configurationstring);
 ipworks3ds_server_do_getchallengerequest($res);
 ipworks3ds_server_do_getmethoddata($res);
 ipworks3ds_server_do_getoperationresponse($res);
 ipworks3ds_server_do_getresultsresponse($res);
 ipworks3ds_server_do_interrupt($res);
 ipworks3ds_server_do_requestcardranges($res);
 ipworks3ds_server_do_reset($res);
 ipworks3ds_server_do_resettransactioninfo($res);
 ipworks3ds_server_do_sendauthrequest($res);

Remarks

This class is designed to be used in a web server, or in a process used by a web server to facilitate EMV® 3-D Secure (EMV 3DS) functionality. The class is used primarily for the browser-based flow, but also for some operations in the app-based flow as detailed in other parts of the documentation.

Connecting with SSL Client Authentication

Many directory servers require client authentication via a client certificate. The SSLCert* properties are used to load the SSL client certificate. In order to properly authenticate to the directory server the entire certificate chain must be presented to the directory server during the initial SSL handshake. The sections below describe options for making sure the CA chain is included.

Option 1: PFX With CA Certs

The first option is to specify a PFX file which includes both the client certificate, and CA certificates. In this case the class will read the CA certificates from the PFX file and include them in the request.

Option 2: SSLCACerts Configuration Setting

Another option is to specify the CA certificates separately from the client certificate. To do this the SSLCACerts configuration setting may be set to a CrLf separated list of CA certificates. For instance:

PHP Example

$ca_int = <<<EOT -----BEGIN CERTIFICATE----- MIIEKzCCAxOgAwIBAgIRANTET4LIkxdH6P+CFIiHvTowDQYJKoZIhvcNAQELBQAw ... eWHV5OW1K53o/atv59sOiW5K3crjFhsBOd5Q+cJJnU+SWinPKtANXMht+EDvYY2w F0I1XhM+pKj7FjDr+XNj -----END CERTIFICATE----- EOT; $ca_root = <<<EOT -----BEGIN CERTIFICATE----- MIIEFjCCAv6gAwIBAgIQetu1SMxpnENAnnOz1P+PtTANBgkqhkiG9w0BAQUFADBp ... 8ECs48NRSON+/Pqm9Hxw1H3/yz2qLG4zTI7xJVDESZGEXadLwCJXD6OReX2F/BtU d8q23djXZbVYiIfE9ebr4g3152BlVCHZ2GyPdjhIuLeH21VbT/dyEHHA -----END CERTIFICATE----- EOT; $server->doConfig('SSLCACerts=' . $ca_int . '\n' . $ca_root);

Option 3: CA Certs in Windows Store

When running on Windows the CA certificates will also be included in the request if they are present in the Personal store of the user under which the application is running.

Card Ranges

The application using the 3DS Server class should maintain a cache of card range information that can be queried when a transaction is initiated. The RequestCardRanges method will retrieve card range information to be cached.

RequestCardRanges requests card ranges and additional information from the directory server.

When a transaction is initiated, the first step that should be taken is to find information about the card range to which the card number belongs. This includes the protocol version(s) supported by the ACS and DS, and if one exists, any corresponding Method URL (used in the browser flow).

Results of this method should be cached in order to quickly look up information when processing transactions. It is recommended to call this method once every 24 hours at a minimum, and once per hour as a maximum to refresh the cache. The class will not cache the returned values; it is up to the user to cache these values in an appropriate location.

The first time this method is called, SerialNumber will be empty, indicating that all results should be returned. This is an offset the server will use to return only new updates to the card ranges (if any) since the last request. The SerialNumber will be populated after this method returns, and this value should be saved to be used in subsequent calls.

When a response is received, the card ranges will be made available via the component events and properties.

When MessageVersion is set to 2.3.1, the CardRangeData event will fire for each card range data object received, and the Ranges and ACSProtocolInfos properties will be populated to be accessed within the event handler. Optionally, the DS may return a list of URLs that the 3DS Server can use for communication with the DS. If present, these will be available via both the DSURL event and the DSURLs property.

When MessageVersion is set to 2.2.0 or 2.1.0, the CardRange event will fire for each card range that is returned, and the results will also be held in the CardRanges property.

The following properties are applicable when calling this method:

The following properties are populated after calling this method:

Note that when MessageVersion 2.3.1, the card range data is only available using the CardRangeData event.

When using MessageVersion 2.2.0 or 2.3.1, the returned ranges may include ACS Information Indicators. These are used to indicate additional functionality supported by the ACS for the card range(s). For 2.2.0, a ACSInformationIndicator field is exposed in both CardRanges collection and CardRange event. In version 2.3.1, this information is availalbe in the ACSProtocolInfos collection via the Indicator field. Possible values are:

  • 01 - Authentication Available at ACS
  • 02 - Attempts Supported by ACS or DS
  • 03 - Decoupled Authentication Supported
  • 04 - Whitelisting Supported
  • 05 - Device Binding Supported (2.3.1 only)
  • 06 - WebAuthn Authentication Supported (2.3.1 only)
  • 07 - SPC Authentication Supported (2.3.1 only)
  • 08 - Transaction Risk Analysis Exemption Supported (2.3.1 only)
  • 09 - Trust List Exemption Supported (2.3.1 only)
  • 10 - Low Value Exemption Supported (2.3.1 only)
  • 11 - Secure Corporate Payments Exemption Supported (2.3.1 only)
  • 80-99 - Reserved for DS Use

If an error is identified with the card range data received from the directory server when calling the RequestCardRanges method, the ResendRequestCardRanges configuration setting will be true, indicating that the request should be resent. When resending, if SerialNumber was specified for the initial request, it should be set to an empty string before calling RequestCardRanges again. Otherwise, the request can be sent without the serial number again, but the server may respond with an error due to multiple requests within an hour.

Note that retrieving card ranges can consume a lot of memory, especially when retrieving the initial set of ranges. The StoreCardRangeData and UseJsonDOM configuration settings can be set to help minimize the amount of memory used. A CardRangeTempPath setting can also be used to specify a temporary path to which the PRes packet will be temporarily written prior to parsing.

When using MessageVersion 2.3.1, if UseJsonDOM is false, the card ranges will need to be cached and processed after the RequestCardRanges method returns. The card ranges would then need to be processed in the order indicated by the CardRangeRecordsReadOrder configuration setting. A check will also need to be made for overlap of ranges. If issue(s) are found, the ReportCardRangeError configuration setting should be used to report the error to the directory server.

Method Invocation

The GetMethodData method prepares data to be transmitted to the ACS via the cardholder's browser.

When a transaction begins, the card range cache should be queried to find details about the card range to which the card number belongs. If a CardRangeMethodURL is defined for the card range, this method should be used to prepare data to be sent via the cardholder's browser to the CardRangeMethodURL.

If the CardRangeMethodURL is not set for the specified card range, set MethodCompletionIndicator to U before calling SendAuthRequest.

The following properties are applicable when calling this method:

This method returns a string which contains encoded data to be sent to the ACS. This includes ServerTransactionId and MethodNotificationURL. After calling this method, the returned string can be transmitted to the ACS via the cardholder's browser.

As per the EMVCo specification, create a hidden iframe in the browser and send a form with the field name threeDSMethodData containing the return value from this method and post the form to the CardRangeMethodURL.

The ACS will record information about the customer's environment and then POST back to the MethodNotificationURL. The page at this URL should expect a form variable with the name threeDSMethodData which will contain the original ServerTransactionId value in order to match the response with the request. The form variable value will be base64url encoded and may be passed directly to the CheckResponse method. The class will decode and parse the received value and populate ServerTransactionId with the value from the received data.

If the response from the ACS is not received within 10 seconds, set MethodCompletionIndicator to N before calling SendAuthRequest.

Sending the Authentication Request

SendAuthRequest begins the 3-D Secure transaction flow by sending an authentication request to the DirectoryServerURL.

After calling this method, check TransactionStatus to determine if the cardholder is authenticated (frictionless flow) or further cardholder interaction is required to complete the authentication (challenge flow).

Prior to calling SendAuthRequest, data must to be collected to facilitate fraud checks by the ACS. The following properties are applicable for both app-based and browser-based flows:

App-Based Flow

In the app-based flow, device specific information is prepared by the 3DS SDK on the customer's device. This is transmitted to the 3DS Server class via a secure channel, the specifics of which are outside the scope of the classs. Set ClientAuthRequest to this data prepared by the 3DS SDK.

Browser-Based Flow

Before calling this method, first check the cached card-range data to determine if a CardRangeMethodURL has been set by the ACS. Card range data may be retrieved by calling RequestCardRanges.

If no CardRangeMethodURL is present for the given card, set MethodCompletionIndicator to U.

If a CardRangeMethodURL has been specified by the ACS for the card number, the URL must be loaded in the cardholder's browser to allow the ACS to collect additional browser information for risk-based decision making. See the GetMethodData for further details.

Once the method URL invocation is complete, the authentication request may be sent. If the method URL invocation failed, set MethodCompletionIndicator to N before calling SendAuthRequest.

The following additional properties are applicable in browser-based flow:

Response Handling

After calling this method the TransactionStatus property holds the result. Possible values are:

Transaction Status Description
Y Authenticated successfully
C Cardholder challenge required
N Not authenticated
A Not authenticated, but a proof of authentication attempt was generated in AuthenticationValue
U Not authenticated due to technical or other issue
R Not authenticated because the issuer is rejecting authentication
D Challenge required; decoupled authentication confirmed
I Informational only; 3DS Requestor challenge preference acknowledged
S Challenge using SPC

If the transaction is authenticated (Y or A), no further steps are required. The flow is considered frictionless and the 3-D Secure processing is complete. If processing a payment, the AuthenticationValue and AuthenticationECI values can be included as proof of 3-D Secure authentication.

If the transaction requires a cardholder challenge (C, D or S), further steps are required.

If the transaction is not authenticated, TransactionStatusReason may contain details about the reason.

The following properties are applicable after calling this method:

Response Handling - App-Based Flow

After calling this method, ClientAuthResponse is populated with data to be transmitted back to the 3DS SDK. If a challenge is required, the ClientAuthResponse data is used by the 3DS SDK to start when initiating the challenge process.

The 3DS Server is responsible for indicating to the 3DS SDK the results of the SendAuthRequest process, and whether or not a challenge is required. Exactly how this is done is outside the scope of the classs themselves. The response to the 3DS SDK over the secure channel should include information on what to do next.

Note: The TransactionStatus is also populated in the 3DS Server class and may be inspected prior to transmitting ClientAuthResponse back to the 3DS SDK.

Response Handling - Browser-Based Flow

If TransactionStatus is C, then additional steps are required to complete the authentication. The GetChallengeRequest method should be called next to obtain data to be sent to the ACSURL in an authentication window in the customer's browser. Once authentication is complete, the ACS will post the results to the ResultsURL value that was specified when calling SendAuthRequest.

See the GetChallengeRequest method for more details.

If TransactionStatus is D, then decoupled authentication has been accepted by the ACS. DecoupledConfirmationIndicator will have a value of Y as well. Authentication will happen outside of the 3-D Secure flow and, when complete, the ACS will post the results to the ResultsURL that was specified when calling SendAuthRequest.

The DecoupledTimeRemaining value, which is calculated based on the DecoupledMaxTimeout value sent in the initial authentication request, can be checked to see the amount of time remaining before decoupled authentication must be completed. If the ACS does not post the results before this value runs out, it can be assumed that decoupled authentication was not successful.

SPC-Based Authentication

SPC (Secure Payment Confirmation) provides a method to perform a challenge using preestablished FIDO credentials when using a Browser. The SPC authentication can be initiated by the 3DS Requestor via an extra AReq/ARes message pair or by the ACS via a standard Browser Challenge Flow.

For an SPC authentication to execute correctly, the following prerequisites apply:

  1. The ACS has an enrolled FIDO authenticator on the device for this Cardholder.
  2. The 3DS Requestor and/or the ACS have detected that the Cardholder Browser supports the related SPC APIs (allow="payment *; publickey-credentialsget *"). For the ACS, this information can be obtained via the Browser User Agent data element or via data obtained via the 3DS Method.

SPC-based authentication can be enabled with the following additions:

Prior to sending the initial authentication request packet (AReq) using the SendAuthRequest method, the ThreeDSRequestorSpcSupport configuration setting should be set to True to indicate that SPC is supported by the 3DS Requestor.

If SPC is accepted by the ACS, the resulting TransactionStatus should be S. The response will also contain a list of enrolled FIDO (WebAuthn) credentials associated with the cardholder, and SPC transaction data. This data is available in the following configuration settings:

If a new instance of the Server component will be used after authentication to send the second AReq, the AuthenticationInformation value should be saved to be used later.

This information is relayed to the 3DS Requestor implementation, and the 3DS Requestor invokes the SPC authentication (SPC API) against the WebAuthn Credential list. The cardholder authenticates using the FIDO authenticator on their device, and the 3DS Requestor retrieves the Assertion Data from the SPC API call.

The 3DS Server is then configured to includes this FIDO Assertion Data is then included in a new authentication request by setting the ReqAuthData[Index] and a ReqAuthMethod[Index] of 09. If the AuthenticationInformation value was saved earlier, it can be set via the same configuration setting. If the 3DS Requestor encounters an error during SPC API invokation, this can be indicated using the SPCIncompletionIndicator.

The SendAuthRequest method should then be called again to transmit this data to the ACS (by way of the DS) in a second AReq.

When SendAuthRequest returns, the 3DS Server proceed the same as the regular browser-based flow when the ARes is returned.

When SPC authentication is to be performed, the authenticaton must be completed within 9 minutes. The component will automatically start an internal timer that can be checked using the CheckSPCTimeout configuration setting. This will return the number of seconds left for SPC authentication to complete. If the time has expired before receiving the Assertion Data from the 3DS Requestor, checking this configuration setting will cause the component to automatically send the second AReq message with an SPCIncompletionIndicator value of 03, indicating that SPC authentication timed out.

Note that SPC-based authentication is only available when a MessageVersion of 2.3.1 is used.

Challenge Interaction

If the TransactionStatus is C, a challenge is required.

The GetChallengeRequest method is used to build the Challenge Request (CReq) which will be sent in a form post to the ACSURL property via the cardholder browser.

An iframe should be created in the cardholder's browser, which will be used to send the challenge request and allow the cardholder and ACS to interact directly.

The size of the challenge window (iframe) may be any of the sizes listed in ChallengeWindowSize. Before calling this method set ChallengeWindowSize to the appropriate value to let the ACS know the size of the window on the cardholder's browser.

Calling this method will return a string which should be placed in a creq form variable.

The SessionData setting may also be set with any data that may be helpful to continue processing the transaction after the final challenge response is received at the NotificationURL. To prepare the session data for submission, query EncodedSessionData. The encoded string may then be placed in the threeDSSessionData form variable.

Note: The maximum length of the threeDSSessionData form variable, after being encoded, is 1024 bytes.

Example Form

Response Handling

Once the challenge has been completed by the cardholder, the directory server will post a Results Request (RReq) to the ResultsURL specified when calling SendAuthRequest. See CheckResponse and GetResultsResponse for more details.

The ACS will also post the Challenge Response to the NotificationURL specified when calling SendAuthRequest. This post contains data which may be parsed to verify the challenge results. See CheckResponse for more details.

Response Handling

After a challenge is complete, the Directory Server and ACS will POST data back to the web server for additional processing. CheckResponse parses a variety of messages that are sent to the Server as part of the authentication process.

The following messages can be parsed using this method:

  • The threeDSMethodData form variables received at the MethodNotificationURL
  • The Results Request (RReq) message received at the ResultsURL
  • The cres form variables received at the NotificationURL
  • The Operation Request Message (OReq) sent from a DS.

When calling the method, pass the message to be parsed as the Response parameter. The properties which are populated after calling this method vary depending on the type of message being parsed. See below for additional information.

Method Data from MethodNotificationURL

After calling GetMethodData, a request is made to the CardRangeMethodURL. After this, the ACS will make a POST to MethodNotificationURL to inform the requestor of completion. Retrieve the threeDSMethodData form variable value that was POSTed and pass it to this method. After calling this method, the following properties are populated:

The ServerTransactionId may be used to match the response with the request.

Results Request message from ResultsURL

When a challenge is completed for both app-based and browser-based flows, a POST is made to the ResultsURL with a Results Request message.

Prior to checking this RReq message, the ServerTransactionId can be extracted using the ExtractRReqServerTransactionId configuration setting. This value can then be used to look up details on the transaction that were saved prior to starting the challenge process, including the messageVersion which must be set via the MessageVersion property prior to passing the RReq message to the CheckResponse method.

Pass the body of the HTTP request received at ResultsURL to this method. This contains information about the results, and asks for a Results Response to be sent back containing the ResultsStatus.

After calling this method, the following properties are populated:

To respond to the POST, set ResultsStatus to the appropriate value and call GetResultsResponse to build a response message to be sent back to the directory server. Use the value from GetResultsResponse in the application as the body of the HTTP response. Set the Content-Type header to application/JSON; charset=utf-8

If TransactionStatus is D and TransactionStatusReason is 29 or 30, this indicates that decoupled authentication should now be performed. When building the Results Response, a ResultsStatus value of 04 should be used. Then, within 60 seconds, a new 3RI authentication must be started with the following field requirements:

Final Challenge Response from NotificationURL

In a browser-based flow, the challenge takes place directly between the cardholder and the ACS in a separate iframe or window. The ACS will POST the final challenge response to the NotificationURL after the challenge is complete. Retrieve the cres form variable value from the POST data and pass it to CheckResponse. After calling this method the following properties are populated:

In addition to the cres variable, a threeDSSessionData variable will be present if SessionData was set before calling GetChallengeRequest. The threeDSSessionData value POSTed to NotificationURL may be passed to EncodedSessionData. Query SessionData to get the decoded session data.

Operation Request Message (OReq)

OReq messages are used to communicate operational information from a DS to the 3DS Server. This message is not part of the 3-D Secure authentication flow.

When an OReq message is received, CheckResponse should be called to validate the message. There may be more than one OReq message sent in a sequence, and CheckResponse should be called for each. The current instance of the Server object can be cached for the duration of the OReq sequence until the final OReq is received. The Operation.SequenceNumber should also be set prior to calling CheckResponse. The component will verify the sequence number of the received OReq to ensure it's not out of sequence.

After calling this method, details are made available in Operation.

If any OReq data element fails validation, Operation.MessageStatus will be set to "02". If the OReq is valid, Operation.MessageStatus will be empty.

If the OReq is valid, determine if the final OReq has been received (Operation.SequenceNumber equals Operation.SequenceTotal). If these values match, the final OReq in the sequence has been received, and GetOperationResponse can be used to generate the ORes message.

For valid OReq messages that are not the final OReq in the sequence, the response should be HTTP Status 200 (OK) with an empty HTTP body.

Logging Notes

Logging in the component is handled through the Log event. This will fire anytime a message is built or a response is parsed, including error messages.

When the Log event is fired, the message in question is made available via the Message event parameter. Properties such as EphemeralKey and DeviceParams are also available when they are gathered by the Client. The other event arguments are LogType and LogLevel:

The LogType parameter indicates the type of the log entry. Possible values are:

  • "Info"
  • "RequestHeaders"
  • "ResponseHeaders"
  • "RequestBody"
  • "ResponseBody"
  • "ProxyRequest"
  • "ProxyResponse"
  • "FirewallRequest"
  • "FirewallResponse"
  • "AReq"
  • "ARes"
  • "CReq"
  • "CRes"
  • "RReq"
  • "RRes"
  • "PReq"
  • "PRes"
  • "Erro"
  • "EphemeralKey"
  • "DeviceParams"
The LogLevel configuration setting can be used to specify the detail of the logs raised through the Log event. The LogLevel parameter in the event indicates the log level to which the current message belongs.

It is recommended to output all messages raised in this event to a file for record keeping purposes, or for later debugging issues that may have come up.

The Server and Client components also have DataPacketIn and DataPacketOut events that fire anytime a data packet is received or sent, respectively. The entire data packet is then accessible in the DataPacket event parameter. For encrypted packets, this would contain the full encrypted data. This parameter may be inspected for advanced troubleshooting.

Property List


The following is the full list of the properties of the class with short descriptions. Click on the links for further details.

AcceptLanguageHTTP accept language header value sent from the cardholder's browser.
AccountTypeIndicates the type of account.
AcquirerBINAcquiring institution identification code.
AcquirerCountryCodeAcquirer Country Code.
AcquirerMerchantIdAcquirer-assigned merchant identifier.
ACSProtocolInfoCountThe number of records in the ACSProtocolInfo arrays.
ACSProtocolInfoIndicatorAdditional information on the card range as supplied by the ACS.
ACSProtocolInfoProtocolVersionThe Protocol Version supported by the ACS for the card range.
ACSProtocolInfoSupportedMsgExtA list of message extensions supported by the ACS that contains the Assigned Extension Group Identifier and the Extension Version Number.
ACSProtocolInfoThreeDSMethodURLThe ACS URL that will be used by the 3DS Method for a particular protocol version.
ACSURLURL of the ACS to be used for the challenge.
AuthenticationECIValue to be passed in the authorization message.
AuthenticationIndicator3DS Requestor Authentication Indicator.
AuthenticationValueUsed to provide proof of authentication.
BillingAddressCityThe city of the address.
BillingAddressCountryThe country of the address.
BillingAddressLine1The first line of the street address or equivalent local portion of the address.
BillingAddressLine2The second line of the street address or equivalent local portion of the address.
BillingAddressLine3The third line of the street address or equivalent local portion of the address.
BillingAddressPostalCodeThe ZIP or other postal code of the address.
BillingAddressStateThe state or province of the address.
BrowserAcceptHeaderHTTP accept header sent from the cardholder's browser.
BrowserIPAddressIP address of the cardholder's browser.
BrowserJavaEnabledValAbility of the cardholder's browser to execute Java.
BrowserJavaScriptEnabledValAbility of the cardholder's browser to execute JavaScript.
BrowserLanguageThe cardholder's browser language.
BrowserScreenColorDepthThe screen color depth of the cardholder's browser.
BrowserScreenHeightThe screen height of the cardholder's browser.
BrowserScreenWidthThe screen width of the cardholder's browser.
BrowserTimeZoneThe timezone offset of the cardholder's browser.
BrowserUserAgentThe User-Agent provided by the cardholder's browser.
CardExpDateExpiration date of the PAN or Token.
CardholderEmailThe cardholder email address.
CardholderHomePhoneThe cardholder home phone number.
CardholderMobilePhoneThe cardholder mobile phone number.
CardholderNameName of the cardholder.
CardholderWorkPhoneThe cardholder work phone number.
CardNumberCustomer's account number that will be authenticated.
CardRangeCountThe number of records in the CardRange arrays.
CardRangeACSEndProtocolVersionThe most recent active protocol version that is supported by the ACS.
CardRangeACSInformationIndicatorAdditional information on the card range as supplied by the ACS.
CardRangeACSStartProtocolVersionThe earliest (i.
CardRangeActionThe action to be taken with the card range specified by the Start and End properties.
CardRangeDSEndProtocolVersionThe most recent active protocol version that is supported by the DS.
CardRangeDSStartProtocolVersionThe earliest (i.
CardRangeEndLast number in a range of credit card numbers returned by the Directory Server.
CardRangeMethodURLThe ACS URL that will be used by the 3DS method.
CardRangeStartFirst number in a range of credit card numbers returned by the Directory Server.
ChallengeWindowSizeChallenge window size.
ClientAuthRequestThe data received by the class to be sent in the authentication request.
ClientAuthResponseThe authentication response for an app-based flow.
DataPacketOutContains the data packet sent to the server.
DeviceChannelDevice channel.
DirectoryServerURLThe address of the Directory Server.
DSSupportedProtocolsProtocol Versions supported by the DS.
DSURLCountThe number of records in the DSURL arrays.
DSURLCountryCodeThe country for which the 3DS Server to DS URL can be used.
DSURLThreeDSServerToDsUrlURL that the 3DS Server uses to communicate with a DS for a particular card range.
ErrorPacketThe error packet.
ExtensionCountThe number of records in the Extension arrays.
ExtensionCriticalWhether the extension is critical.
ExtensionDataThe extension data as JSON.
ExtensionIdThe id of the specified extension.
ExtensionNameThe extension name.
MerchantCategoryCodeMerchant category code.
MerchantCountryCodeCountry code of the merchant.
MerchantNameMerchant name.
MessageCategoryThe category of the message.
MessageVersionProtocol version identifier.
MethodNotificationURLThe URL to which the method notification will be posted.
NotificationURLThe notification URL to which the challenge response is sent.
OperationInfoCategoryIndicates the category/type of information.
OperationInfoDescriptionDescribes the reason for the operational communication or the response to an action taken by the recipient.
OperationInfoExpirationDateThe date after which the relevance of the operational information expires.
OperationInfoMessageStatusIndicates the status of the operational request message sequence from the source of the OReq.
OperationInfoPriorTransactionIdThe transaction ID of the prior transaction to which the operational information refers.
OperationInfoPriorTransactionIdTypeThe type of transaction ID of the prior transaction to which the operational information refers.
OperationInfoSequenceIdUniquely identifies a message sequence and will remain constant in the sequence of messages.
OperationInfoSequenceNumberThe current message in the sequence.
OperationInfoSequenceTotalThe total number of messages in the sequence and will remain constant in the sequence of messages.
OperationInfoSeverityIndicates the importance/severity level of the operational information.
ProxyAuthSchemeThe type of authorization to perform when connecting to the proxy.
ProxyAutoDetectWhether to automatically detect and use proxy system settings, if available.
ProxyPasswordA password if authentication is to be used for the proxy.
ProxyPortThe Transmission Control Protocol (TCP) port for the proxy Server (default 80).
ProxyServerIf a proxy Server is given, then the HTTP request is sent to the proxy instead of the server otherwise specified.
ProxySSLWhen to use a Secure Sockets Layer (SSL) for the connection to the proxy.
ProxyUserA username if authentication is to be used for the proxy.
PurchaseAmountPurchase amount to be authorized.
PurchaseCurrencyIdentifies the type of currency used by the merchant.
PurchaseDateThe date of the transaction.
PurchaseExponentMinor units of currency.
RangeCountThe number of records in the Range arrays.
RangeEndThe final card number in the current range.
RangeStartThe first card number in the current range.
RecurringExpDateRecurring expiration date.
RecurringFrequencyThe number of days between recurring payments.
RequestorIdDirectory server assigned 3DS Requestor identifier.
RequestorNameDirectory server assigned 3DS Requestor name.
RequestorURL3DS Requestor website or customer care site.
ResultsStatusThe status of the Results Request.
ResultsURL3DS Server URL.
SDKTypeType of the 3DS SDK used for the app-based flow.
SerialNumberSerial number indicating the state of the current card range cache.
ServerTransactionIdServer transaction identifier.
ShippingAddressCityThe city of the address.
ShippingAddressCountryThe country of the address.
ShippingAddressLine1The first line of the street address or equivalent local portion of the address.
ShippingAddressLine2The second line of the street address or equivalent local portion of the address.
ShippingAddressLine3The third line of the street address or equivalent local portion of the address.
ShippingAddressPostalCodeThe ZIP or other postal code of the address.
ShippingAddressStateThe state or province of the address.
SSLAcceptServerCertEffectiveDateThe date on which this certificate becomes valid.
SSLAcceptServerCertExpirationDateThe date on which the certificate expires.
SSLAcceptServerCertExtendedKeyUsageA comma-delimited list of extended key usage identifiers.
SSLAcceptServerCertFingerprintThe hex-encoded, 16-byte MD5 fingerprint of the certificate.
SSLAcceptServerCertFingerprintSHA1The hex-encoded, 20-byte SHA-1 fingerprint of the certificate.
SSLAcceptServerCertFingerprintSHA256The hex-encoded, 32-byte SHA-256 fingerprint of the certificate.
SSLAcceptServerCertIssuerThe issuer of the certificate.
SSLAcceptServerCertPrivateKeyThe private key of the certificate (if available).
SSLAcceptServerCertPrivateKeyAvailableWhether a PrivateKey is available for the selected certificate.
SSLAcceptServerCertPrivateKeyContainerThe name of the PrivateKey container for the certificate (if available).
SSLAcceptServerCertPublicKeyThe public key of the certificate.
SSLAcceptServerCertPublicKeyAlgorithmThe textual description of the certificate's public key algorithm.
SSLAcceptServerCertPublicKeyLengthThe length of the certificate's public key (in bits).
SSLAcceptServerCertSerialNumberThe serial number of the certificate encoded as a string.
SSLAcceptServerCertSignatureAlgorithmThe text description of the certificate's signature algorithm.
SSLAcceptServerCertStoreThe name of the certificate store for the client certificate.
SSLAcceptServerCertStorePasswordIf the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.
SSLAcceptServerCertStoreTypeThe type of certificate store for this certificate.
SSLAcceptServerCertSubjectAltNamesComma-separated lists of alternative subject names for the certificate.
SSLAcceptServerCertThumbprintMD5The MD5 hash of the certificate.
SSLAcceptServerCertThumbprintSHA1The SHA-1 hash of the certificate.
SSLAcceptServerCertThumbprintSHA256The SHA-256 hash of the certificate.
SSLAcceptServerCertUsageThe text description of UsageFlags .
SSLAcceptServerCertUsageFlagsThe flags that show intended use for the certificate.
SSLAcceptServerCertVersionThe certificate's version number.
SSLAcceptServerCertSubjectThe subject of the certificate used for client authentication.
SSLAcceptServerCertEncodedThe certificate (PEM/Base64 encoded).
SSLCertEffectiveDateThe date on which this certificate becomes valid.
SSLCertExpirationDateThe date on which the certificate expires.
SSLCertExtendedKeyUsageA comma-delimited list of extended key usage identifiers.
SSLCertFingerprintThe hex-encoded, 16-byte MD5 fingerprint of the certificate.
SSLCertFingerprintSHA1The hex-encoded, 20-byte SHA-1 fingerprint of the certificate.
SSLCertFingerprintSHA256The hex-encoded, 32-byte SHA-256 fingerprint of the certificate.
SSLCertIssuerThe issuer of the certificate.
SSLCertPrivateKeyThe private key of the certificate (if available).
SSLCertPrivateKeyAvailableWhether a PrivateKey is available for the selected certificate.
SSLCertPrivateKeyContainerThe name of the PrivateKey container for the certificate (if available).
SSLCertPublicKeyThe public key of the certificate.
SSLCertPublicKeyAlgorithmThe textual description of the certificate's public key algorithm.
SSLCertPublicKeyLengthThe length of the certificate's public key (in bits).
SSLCertSerialNumberThe serial number of the certificate encoded as a string.
SSLCertSignatureAlgorithmThe text description of the certificate's signature algorithm.
SSLCertStoreThe name of the certificate store for the client certificate.
SSLCertStorePasswordIf the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.
SSLCertStoreTypeThe type of certificate store for this certificate.
SSLCertSubjectAltNamesComma-separated lists of alternative subject names for the certificate.
SSLCertThumbprintMD5The MD5 hash of the certificate.
SSLCertThumbprintSHA1The SHA-1 hash of the certificate.
SSLCertThumbprintSHA256The SHA-256 hash of the certificate.
SSLCertUsageThe text description of UsageFlags .
SSLCertUsageFlagsThe flags that show intended use for the certificate.
SSLCertVersionThe certificate's version number.
SSLCertSubjectThe subject of the certificate used for client authentication.
SSLCertEncodedThe certificate (PEM/Base64 encoded).
SSLServerCertEffectiveDateThe date on which this certificate becomes valid.
SSLServerCertExpirationDateThe date on which the certificate expires.
SSLServerCertExtendedKeyUsageA comma-delimited list of extended key usage identifiers.
SSLServerCertFingerprintThe hex-encoded, 16-byte MD5 fingerprint of the certificate.
SSLServerCertFingerprintSHA1The hex-encoded, 20-byte SHA-1 fingerprint of the certificate.
SSLServerCertFingerprintSHA256The hex-encoded, 32-byte SHA-256 fingerprint of the certificate.
SSLServerCertIssuerThe issuer of the certificate.
SSLServerCertPrivateKeyThe private key of the certificate (if available).
SSLServerCertPrivateKeyAvailableWhether a PrivateKey is available for the selected certificate.
SSLServerCertPrivateKeyContainerThe name of the PrivateKey container for the certificate (if available).
SSLServerCertPublicKeyThe public key of the certificate.
SSLServerCertPublicKeyAlgorithmThe textual description of the certificate's public key algorithm.
SSLServerCertPublicKeyLengthThe length of the certificate's public key (in bits).
SSLServerCertSerialNumberThe serial number of the certificate encoded as a string.
SSLServerCertSignatureAlgorithmThe text description of the certificate's signature algorithm.
SSLServerCertStoreThe name of the certificate store for the client certificate.
SSLServerCertStorePasswordIf the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.
SSLServerCertStoreTypeThe type of certificate store for this certificate.
SSLServerCertSubjectAltNamesComma-separated lists of alternative subject names for the certificate.
SSLServerCertThumbprintMD5The MD5 hash of the certificate.
SSLServerCertThumbprintSHA1The SHA-1 hash of the certificate.
SSLServerCertThumbprintSHA256The SHA-256 hash of the certificate.
SSLServerCertUsageThe text description of UsageFlags .
SSLServerCertUsageFlagsThe flags that show intended use for the certificate.
SSLServerCertVersionThe certificate's version number.
SSLServerCertSubjectThe subject of the certificate used for client authentication.
SSLServerCertEncodedThe certificate (PEM/Base64 encoded).
TimeoutA timeout for the class.
TransactionStatusThe transaction status from the last parsed message (ARes, RReq, or CRes).

Method List


The following is the full list of the methods of the class with short descriptions. Click on the links for further details.

AddExtensionAdds an extension to the collection.
AddRequestFieldAdds a field to the data in the request.
CheckResponseParses the specified message.
ConfigSets or retrieves a configuration setting.
GetChallengeRequestBuilds the Challenge Request (CReq) for browser-based flow.
GetMethodDataPrepares method data to be sent to the ACS before the authentication request is sent.
GetOperationResponseBuilds and returns the Operation Response Message (ORes) to be sent back to the Directory Server.
GetResultsResponseBuilds and returns the Results Response Message (RRes) to be sent back to the directory server.
InterruptInterrupts the current action.
RequestCardRangesRequests card ranges from the directory server.
ResetClears all properties to their default values.
ResetTransactionInfoResets transaction specific information.
SendAuthRequestSends the authentication request to the directory server.

Event List


The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.

CardRangeFired when the response to a Preparation Request Message (PReq) is received.
CardRangeDataFired when the response to a Preparation Request Message (PReq) is received. This event is used for card range data returned when version 2.3.1 of the protocol is used.
DataPacketInFired when receiving a data packet from the server.
DataPacketOutFired when sending a data packet to the server.
DSURLFired for each DS URL present in the Preparation Response Message (PRes).
ErrorInformation about errors during data delivery.
LogFires once for each log message.
MessageExtensionFired when a Message Extension is present in a message being parsed.
SSLServerAuthenticationFired after the server presents its certificate to the client.
SSLStatusFired when secure connection progress messages are available.

Config Settings


The following is a list of config settings for the class with short descriptions. Click on the links for further details.

AccountAgeIndicatorCardholder Account Age Indicator.
AccountChangeDateCardholder Account Change Date.
AccountChangeIndicatorCardholder Account Change Indicator.
AccountDateDate cardholder account opened.
AccountDayTransactionsNumber of account transactions in the last day.
AccountIdCardholder Account Identifier.
AccountPasswordChangeDateCardholder Account Password Change Date.
AccountPasswordChangeIndicatorCardholder Account Password Change Indicator.
AccountProvisioningAttemptsNumber of account provisioning attempts in the last day.
AccountPurchaseCountCardholder Account Purchase Count.
AccountRequestorIDCardholder Account Requestor ID.
AccountYearTransactionsNumber of account transactions in the last year.
ACSChallengeMandatedIndicatorACS Challenge Mandated Indicator.
ACSOperatorIdACS identifier assigned by DS.
ACSReferenceNumberUnique ACS Reference Number.
ACSRenderingDeviceUserInterfaceModeUser interface mode the ACS will present to cardholder.
ACSRenderingInterfaceChallenge interface type presented to cardholder.
ACSRenderingUITemplateChallenge type presented to cardholder.
ACSSignedContentString value of the JWS object of the ARes message created by the ACS.
ACSTransactionIdUnique transaction identifier assigned by the ACS.
AddressMatchAddress Match Indicator.
AllowNullMethodURLAllow null MethodURL when retrieving card ranges.
AppIPApp IP Address.
AppURLIndicator3DS Requestor App URL Indicator.
AuthenticationInformation3DS Requestor Prior Transaction Authentication Information.
AuthenticationMethodA comma separated list of authentication types used by the issuer.
AuthenticationTypeType of authentication method used by the issuer.
BroadInfoBroadcast Information.
BroadInfoCategoryBroadcast Information Category.
BroadInfoDescriptionBroadcast Information Description.
BroadInfoExpiryDateBroadcast Information Expiry Date.
BroadInfoRecipientsBroadcast Information Recipient(s).
BroadInfoSeverityBroadcast Information Severity.
BroadInfoSourceBroadcast Information Source.
BrowserUserDeviceIdBrowser User Device ID.
BrowserUserIdBrowser User ID.
CardholderInformationInformation text presented to Cardholder during the transaction.
CardholderInformationIssuerImageIssuer image presented to the Cardholder during the transaction.
CardholderInformationPaymentSystemImagePayment system image presented to the Cardholder during the transaction.
CardRangeRecordsReadOrderIndicates the order in which to process the card range records from the PRes message.
CardRangeTempPathTemporary path where card range data is written.
CardSecurityCodeCard Security Code.
CardSecurityCodeStatusCard Security Code Status.
CardSecurityCodeStatusSourceCard Security Code Status Source.
ChallengeCancellationIndicatorChallenge Cancellation Indicator.
ChallengeErrorReportingACSTransIDChallenge Error Reporting ACS Transaction ID.
ChallengeErrorReportingDSTransIDChallenge Error Reporting DS Transaction ID.
ChallengeErrorReportingErrorCodeChallenge Error Reporting Error Code.
ChallengeErrorReportingErrorComponentChallenge Error Reporting Error Class.
ChallengeErrorReportingErrorDescriptionChallenge Error Reporting Error Description.
ChallengeErrorReportingErrorDetailChallenge Error Reporting Error Detail.
ChallengeErrorReportingErrorMessageTypeChallenge Error Reporting Error Message Type.
ChallengeErrorReportingMessageTypeChallenge Error Reporting Message Type.
ChallengeErrorReportingMessageVersionChallenge Error Reporting Message Version.
ChallengeErrorReportingSDKTransIDChallenge Error Reporting SDK Transaction ID.
ChallengeErrorReportingThreeDSServerTransIDChallenge Error Reporting Server Transaction ID.
ChallengeTimeRemainingAmount of time left to complete challenge.
CheckSPCTimeoutTime remaining for SPC authentication to complete.
ClearCustomRequestFieldsClear the custom request fields internal collection.
ContinueParsingCardRangesOnErrorWhether or not to continue parsing card ranges when a validation error is encountered.
DecoupledConfirmationIndicatorACS Decoupled Confirmation Indicator.
DecoupledMaxTimeout3DS Requestor Decoupled Max Time.
DecoupledRequestIndicator3DS Requestor Decoupled Request Indicator.
DecoupledTimeRemainingTime remaining before a RReq should be received during a decoupled authentication.
DeliveryEmailAddressMerchandise Delivery Email Address.
DeliveryTimeframeMerchandise Delivery Timeframe.
DeviceBindingStatusDevice Binding Status.
DeviceBindingStatusSourceDevice Binding Status Source.
DeviceInfoRecognisedVersionDevice Information Recognized Version.
DeviceRenderingInterfaceSDK Interface Device Rendering Types supported.
DeviceRenderingUITypeSDK UI Types supported.
DSEndProtocolVersionDS End Protocol Version.
DSReferenceNumberDS Reference Number.
DSStartProtocolVersionDS Start Protocol Version.
DSTransactionIdDirectory server transaction ID.
EMVPaymentTokenIndicatorEMV Payment Token Indicator.
EMVPaymentTokenSourceEMV Payment Token Source.
EnableDownloadCardRangeDataFileCard Range Data Download Indicator.
EncodedSessionDataEncoded session data that is sent in the challenge request and returned in the challenge response.
EncryptedDeviceInfoSDK Encrypted Data.
ErrorCodeCode from the last error message.
ErrorDescriptionDescription from the last error message.
ErrorDetailAdditional details from the last error message.
ExtractRReqServerTransactionIdExtacts the ServerTransactionId from the RReq packet.
GiftCardAmountTotal gift card(s) amount.
GiftCardCountTotal number of gift cards purchased.
GiftCardCurrencyGift Card Currency.
IncomingExtensionCountThe number of extensions received from the directory server.
IncomingExtensionCritical[Index]Whether the extension is critical.
IncomingExtensionData[Index]The extension data as JSON.
IncomingExtensionId[Index]The id of the specified extension.
IncomingExtensionName[Index]The extension name.
IncomingRawExtensionsThe full JSON formatted extension data received from the directory server.
InstalmentPaymentDataMax authorizations permitted for installment payments.
InteractionCounterInteraction Counter.
LogLevelLevel of logging enabled.
MaskSensitiveWhether to mask sensitive data in the Log event.
MessageTypeType of message that is passed.
MethodCompletionIndicator3DS Method Completion Indicator.
MultiTransactionAcquirerMerchantIDAcquirer Merchant ID.
MultiTransactionAVNumberUseAV Number Use.
MultiTransactionAVValidityTimeAV Validity Time.
MultiTransactionCountThe total number of additional transactions specified.
MultiTransactionMerchantAmountMerchant Amount.
MultiTransactionMerchantCurrencyCodeMerchant Currency Code.
MultiTransactionMerchantCurrencyExponentMerchant Currency Exponent.
MultiTransactionMerchantNameMerchant Name.
MultiTransactionSellerIDSeller ID.
OutgoingRawExtensionsThe full JSON formatted extension data sent to the directory server.
PaymentAccountAgePayment Account Age.
PaymentAccountAgeIndicatorPayment Account Age Indicator.
PaymentTokenEMV Payment Token.
PaymentTokenAdditionalDataEMV Payment Token Additional Data.
PaymentTokenCryptogramEMV Payment Token Cryptogram.
PaymentTokenStatusIndicatorEMV Payment Token Status Indicator.
PersistCustomRequestFieldsWhether or not to store custom request fields for subsequent requests.
PreOrderDateExpected date pre-ordered purchase will be available.
PreOrderPurchaseIndicatorPre-Order Purchase Indicator.
ProtocolVersionProtocol version identifier.
RecurringAmountRecurring Amount.
RecurringAmountIndicatorRecurring Amount Indicator.
RecurringCurrencyRecurring Currency.
RecurringDateRecurring Date.
RecurringExponentRecurring Currency Exponent.
RecurringFrequencyIndicatorRecurring Frequency Indicator.
ReorderItemsIndicatorReorder Items Indicator.
ReportCardRangeErrorReport a Card Range Error to the DS.
ReqAuthCountNumber of 3DS Requestor Authentication Data objects.
ReqAuthData[Index]3DS Requestor Authentication Data.
ReqAuthMethod[Index]3DS Requestor Authentication Method.
ReqAuthTimestamp[Index]3DS Requestor Authentication Timestamp.
RequestorChallengeInd3DS Requestor Challenge Indicator.
ResendRequestCardRangesWhether or not to resend the card ranges request.
SdkAppIdSDK App ID.
SdkAuthenticationTypeSDK Authentication Type.
SDKEphemeralPublicKeyPublic key class of the ephemeral key pair generated by the Client.
SDKMaxTimeoutSDK Maximum Timeout.
SDKMaxTimeoutSDK Maximum Timeout.
SDKReferenceNumberAssigned SDK reference number.
SDKServerSignedContentSDK Server Signed Content.
SDKTransactionIdSDK Transaction ID.
SDKWrappedDefault-SDK Wrapped Indicator.
SellerInfoSeller Information.
ServerOperatorId3DS Server identifier.
SessionDataSession data that is sent in the challenge request and returned in the challenge response.
ShipAddressUsageDateShipping address first usage date.
ShipAddressUsageIndicatorShipping address usage indicator.
ShipIndicatorShipping method indicator.
ShipNameIndicatorShipping Name Indicator.
SPCIncompletionIndicatorSPC Incompletion Indicator.
SPCTransactionAdditionalDataSPC Transaction Additional Data.
SPCTransactionChallengeSPC Transaction Challenge.
SPCTransactionChallengeInfoTextSPC Transaction Challenge Information Text.
SPCTransactionCurrencySPC Transaction Currency.
SPCTransactionDisplayNameSPC Transaction Display Name.
SPCTransactionExtensionIndicatorSPC Transaction WebAuthn SPC Extension Indicator.
SPCTransactionIconSPC Transaction Icon.
SPCTransactionIssuerImageSPC Transaction Issuer Default Image.
SPCTransactionIssuerImageDarkSPC Transaction Issuer Dark Mode Image.
SPCTransactionIssuerImageMonochromeSPC Transaction Issuer Monochrome Image.
SPCTransactionPayeeNameSPC Transaction Payee Name.
SPCTransactionPayeeOriginSPC Transaction Payee Origin.
SPCTransactionPSImageSPC Transaction Payment System Default Image.
SPCTransactionPSImageDarkSPC Transaction Payment System Dark Mode Image.
SPCTransactionPSImageMonochromeSPC Transaction Payment System Monochrome Image.
SPCTransactionTimeoutSPC Transaction Transaction Timeout.
SPCTransactionValueSPC Transaction Value.
SplitSDKLimitedLimited Split-SDK Indicator.
SplitSDKVariantSplit-SDK Variant.
StoreCardRangeDataWhether or not to store the card ranges in the CardRanges collection.
SuspiciousAccountActivitySuspicious account activity indicator.
TaxIdTax ID.
ThreeDSMethodId3DS Method ID.
ThreeDSRequestorSpcSupport3DS Requestor SPC Support.
ThreeRIIndicator3RI Indicator.
TransactionChallengeExemptionTransaction Challenge Exemption.
TransactionCharacteristicsTransaction Characteristics.
TransactionStatusReasonReason for value of TransactionStatus.
TransactionStatusReasonInfoTransaction Status Reason Information.
TransactionTypeTransaction Type.
TrustListStatusTrust List Status.
TrustListStatusSourceTrust List Status Source.
UseAESGCMWhether or not to use AESGCM as the encryption algorithm.
UseJsonDOMWhether or not the class should build an internal DOM when parsing card ranges.
WebAuthnCredentialListCountThe total number of WebAuthen Credentials.
WebAuthnCredentialListRelyingPartyIdWebAuthn Credential List: Relying Party ID.
WebAuthnCredentialListWebAuthnCredentialWebAuthn Credential List: WebAuthn Credential.
WhitelistStatusWhitelist Status.
WhitelistStatusSourceWhitelist Status Source.
XChildCountThe number of child elements of the current element.
XChildName[i]The name of the child element.
XChildXText[i]The inner text of the child element.
XElementThe name of the current element.
XParentThe parent of the current element.
XPathProvides a way to point to a specific element in the returned XML or JSON response.
XSubTreeA snapshot of the current element in the document.
XTextThe text of the current element.
LogSSLPacketsControls whether SSL packets are logged when using the internal security API.
OpenSSLCADirThe path to a directory containing CA certificates.
OpenSSLCAFileName of the file containing the list of CA's trusted by your application.
OpenSSLCipherListA string that controls the ciphers to be used by SSL.
OpenSSLPrngSeedDataThe data to seed the pseudo random number generator (PRNG).
ReuseSSLSessionDetermines if the SSL session is reused.
SSLCACertFilePathsThe paths to CA certificate files on Unix/Linux.
SSLCACertsA newline separated list of CA certificates to be included when performing an SSL handshake.
SSLCheckCRLWhether to check the Certificate Revocation List for the server certificate.
SSLCheckOCSPWhether to use OCSP to check the status of the server certificate.
SSLCipherStrengthThe minimum cipher strength used for bulk encryption.
SSLClientCACertsA newline separated list of CA certificates to use during SSL client certificate validation.
SSLEnabledCipherSuitesThe cipher suite to be used in an SSL negotiation.
SSLEnabledProtocolsUsed to enable/disable the supported security protocols.
SSLEnableRenegotiationWhether the renegotiation_info SSL extension is supported.
SSLIncludeCertChainWhether the entire certificate chain is included in the SSLServerAuthentication event.
SSLKeyLogFileThe location of a file where per-session secrets are written for debugging purposes.
SSLNegotiatedCipherReturns the negotiated cipher suite.
SSLNegotiatedCipherStrengthReturns the negotiated cipher suite strength.
SSLNegotiatedCipherSuiteReturns the negotiated cipher suite.
SSLNegotiatedKeyExchangeReturns the negotiated key exchange algorithm.
SSLNegotiatedKeyExchangeStrengthReturns the negotiated key exchange algorithm strength.
SSLNegotiatedVersionReturns the negotiated protocol version.
SSLSecurityFlagsFlags that control certificate verification.
SSLServerCACertsA newline separated list of CA certificates to use during SSL server certificate validation.
TLS12SignatureAlgorithmsDefines the allowed TLS 1.2 signature algorithms when SSLProvider is set to Internal.
TLS12SupportedGroupsThe supported groups for ECC.
TLS13KeyShareGroupsThe groups for which to pregenerate key shares.
TLS13SignatureAlgorithmsThe allowed certificate signature algorithms.
TLS13SupportedGroupsThe supported groups for (EC)DHE key exchange.

AcceptLanguage Property (IPWorks3DS_Server Class)

HTTP accept language header value sent from the cardholder's browser.

Object Oriented Interface

public function getAcceptLanguage();
public function setAcceptLanguage($value);

Procedural Interface

ipworks3ds_server_get($res, 1 );
ipworks3ds_server_set($res, 1, $value );

Default Value

''

Remarks

Value representing the browser language preference present in the HTTP header, as defined in IETF BCP 47.

This property accepts a comma separated list of language tags. For example: en,fr-FR

Valid for MessageVersion 2.3.1 only.

Data Type

String

AccountType Property (IPWorks3DS_Server Class)

Indicates the type of account.

Object Oriented Interface

public function getAccountType();
public function setAccountType($value);

Procedural Interface

ipworks3ds_server_get($res, 2 );
ipworks3ds_server_set($res, 2, $value );

Default Value

''

Remarks

This is included in the Authentication Request Message (AReq) sent to the directory server. Required if the 3-D Secure Requestor is asking the cardholder which account type they are using before making the purchase. Required in some markets (for example, for merchants in Brazil). Otherwise, this is optional.

Valid values are as follows:

01Not applicable
02Credit
03Debit

Data Type

String

AcquirerBIN Property (IPWorks3DS_Server Class)

Acquiring institution identification code.

Object Oriented Interface

public function getAcquirerBIN();
public function setAcquirerBIN($value);

Procedural Interface

ipworks3ds_server_get($res, 3 );
ipworks3ds_server_set($res, 3, $value );

Default Value

''

Remarks

This value correlates to the Acquirer BIN as defined by each payment system or directory server. This field is required to be set for payment authentication.

Data Type

String

AcquirerCountryCode Property (IPWorks3DS_Server Class)

Acquirer Country Code.

Object Oriented Interface

public function getAcquirerCountryCode();
public function setAcquirerCountryCode($value);

Procedural Interface

ipworks3ds_server_get($res, 4 );
ipworks3ds_server_set($res, 4, $value );

Default Value

''

Remarks

The code of the country where the acquiring institution is located (in accordance with ISO 3166).

This value should be formatted as a ISO 3166-1 numeric three-digit country code.

Valid for MessageVersion 2.3.1 only.

Data Type

String

AcquirerMerchantId Property (IPWorks3DS_Server Class)

Acquirer-assigned merchant identifier.

Object Oriented Interface

public function getAcquirerMerchantId();
public function setAcquirerMerchantId($value);

Procedural Interface

ipworks3ds_server_get($res, 5 );
ipworks3ds_server_set($res, 5, $value );

Default Value

''

Remarks

This field contains the merchant identifier assigned by the acquirer. The merchant id is required to be set for payment authentication.

Data Type

String

ACSProtocolInfoCount Property (IPWorks3DS_Server Class)

The number of records in the ACSProtocolInfo arrays.

Object Oriented Interface

public function getACSProtocolInfoCount();

Procedural Interface

ipworks3ds_server_get($res, 6 );

Default Value

0

Remarks

This property controls the size of the following arrays:

The array indices start at 0 and end at ACSProtocolInfoCount - 1.

This property is read-only and not available at design time.

Data Type

Integer

ACSProtocolInfoIndicator Property (IPWorks3DS_Server Class)

Additional information on the card range as supplied by the ACS.

Object Oriented Interface

public function getACSProtocolInfoIndicator($acsprotocolinfoindex);

Procedural Interface

ipworks3ds_server_get($res, 7 , $acsprotocolinfoindex);

Default Value

''

Remarks

Additional information on the card range as supplied by the ACS. This field is a comma separated list of values returned from the server; possible values are:

01Authentication Available at ACS
02Attempts Supported by ACS or DS
03Decoupled Authentication Supported
04Trust List Supported
05Device Binding Supported
06WebAuthn Authentication Supported
07SPC Authentication Supported
08Transaction Risk Analysis Exemption Supported
09Trust List Exemption Supported
10Low Value Exemption Supported
11Secure Corporate Payments Exemption Supported
12-79Reserved for EMVCo future use (values invalid until defined by EMVCo)
80-99Reserved for DS use

The $acsprotocolinfoindex parameter specifies the index of the item in the array. The size of the array is controlled by the ACSProtocolInfoCount property.

This property is read-only and not available at design time.

Data Type

String

ACSProtocolInfoProtocolVersion Property (IPWorks3DS_Server Class)

The Protocol Version supported by the ACS for the card range.

Object Oriented Interface

public function getACSProtocolInfoProtocolVersion($acsprotocolinfoindex);

Procedural Interface

ipworks3ds_server_get($res, 8 , $acsprotocolinfoindex);

Default Value

''

Remarks

The Protocol Version supported by the ACS for the card range.

The $acsprotocolinfoindex parameter specifies the index of the item in the array. The size of the array is controlled by the ACSProtocolInfoCount property.

This property is read-only and not available at design time.

Data Type

String

ACSProtocolInfoSupportedMsgExt Property (IPWorks3DS_Server Class)

A list of message extensions supported by the ACS that contains the Assigned Extension Group Identifier and the Extension Version Number.

Object Oriented Interface

public function getACSProtocolInfoSupportedMsgExt($acsprotocolinfoindex);

Procedural Interface

ipworks3ds_server_get($res, 9 , $acsprotocolinfoindex);

Default Value

''

Remarks

A list of message extensions supported by the ACS that contains the Assigned Extension Group Identifier and the Extension Version Number.

This field is a comma separate list of values returned from the server in the following format:

id,version;id2,version2;...

The $acsprotocolinfoindex parameter specifies the index of the item in the array. The size of the array is controlled by the ACSProtocolInfoCount property.

This property is read-only and not available at design time.

Data Type

String

ACSProtocolInfoThreeDSMethodURL Property (IPWorks3DS_Server Class)

The ACS URL that will be used by the 3DS Method for a particular protocol version.

Object Oriented Interface

public function getACSProtocolInfoThreeDSMethodURL($acsprotocolinfoindex);

Procedural Interface

ipworks3ds_server_get($res, 10 , $acsprotocolinfoindex);

Default Value

''

Remarks

The ACS URL that will be used by the 3DS Method for a particular protocol version.

The $acsprotocolinfoindex parameter specifies the index of the item in the array. The size of the array is controlled by the ACSProtocolInfoCount property.

This property is read-only and not available at design time.

Data Type

String

ACSURL Property (IPWorks3DS_Server Class)

URL of the ACS to be used for the challenge.

Object Oriented Interface

public function getACSURL();
public function setACSURL($value);

Procedural Interface

ipworks3ds_server_get($res, 11 );
ipworks3ds_server_set($res, 11, $value );

Default Value

''

Remarks

This field contains the fully qualified URL of the ACS to be used for the challenge. This will be populated after the call to SendAuthRequest method if the Authentication Response Message (ARes) indicates that a challenge is required.

Data Type

String

AuthenticationECI Property (IPWorks3DS_Server Class)

Value to be passed in the authorization message.

Object Oriented Interface

public function getAuthenticationECI();

Procedural Interface

ipworks3ds_server_get($res, 12 );

Default Value

''

Remarks

This property is determined by the Access Control Server (ACS), and is filled after the call to SendAuthRequest (for a frictionless flow), or when the Results Request Message (RReq) is parsed using CheckResponse (for a challenge flow).

This property contains the two digit Electronic Commerce Indicator (ECI) value, which is to be submitted in a credit card authorization message. This value indicates to the processor that the customer data in the authorization message has been authenticated. The data contained within this property is only valid if the TransactionStatus is "Y" or "A".

This property is read-only.

Data Type

String

AuthenticationIndicator Property (IPWorks3DS_Server Class)

3DS Requestor Authentication Indicator.

Object Oriented Interface

public function getAuthenticationIndicator();
public function setAuthenticationIndicator($value);

Procedural Interface

ipworks3ds_server_get($res, 13 );
ipworks3ds_server_set($res, 13, $value );

Default Value

'01'

Remarks

Indicates the type of Authentication request. This data element provides additional information to the ACS to determine the best approach for handing an authentication request. Included in the Authorization Request Message (ARes) sent by the SendAuthRequest method. Possible values are:

01Payment - default
02Recurring
03Installment
04Add Card
05Maintain Card
06Verify Cardholder
07Billing Agreement
08Split Shipment
09Delayed Shipment
10Split Payment
11-79Reserved for EMVCo future use (values invalid until defined by EMVCo)
80-99Reserved for DS use

Data Type

String

AuthenticationValue Property (IPWorks3DS_Server Class)

Used to provide proof of authentication.

Object Oriented Interface

public function getAuthenticationValue();

Procedural Interface

ipworks3ds_server_get($res, 14 );

Default Value

''

Remarks

This property is determined by the Access Control Server (ACS), and is filled after the call to SendAuthRequest (for a frictionless flow), or when the Results Request Message (RReq) is parsed using CheckResponse (for a challenge flow).

This property will be valid if the TransactionStatus is "Y" or "A". The value may be used to provide proof of authentication.

This property is read-only.

Data Type

String

BillingAddressCity Property (IPWorks3DS_Server Class)

The city of the address.

Object Oriented Interface

public function getBillingAddressCity();
public function setBillingAddressCity($value);

Procedural Interface

ipworks3ds_server_get($res, 15 );
ipworks3ds_server_set($res, 15, $value );

Default Value

''

Remarks

The city of the address. The maximum length is 50 characters.

Data Type

String

BillingAddressCountry Property (IPWorks3DS_Server Class)

The country of the address.

Object Oriented Interface

public function getBillingAddressCountry();
public function setBillingAddressCountry($value);

Procedural Interface

ipworks3ds_server_get($res, 16 );
ipworks3ds_server_set($res, 16, $value );

Default Value

''

Remarks

The country of the address. The format is a 3 digit country code as defined in ISO 3166-1.

Data Type

String

BillingAddressLine1 Property (IPWorks3DS_Server Class)

The first line of the street address or equivalent local portion of the address.

Object Oriented Interface

public function getBillingAddressLine1();
public function setBillingAddressLine1($value);

Procedural Interface

ipworks3ds_server_get($res, 17 );
ipworks3ds_server_set($res, 17, $value );

Default Value

''

Remarks

The first line of the street address or equivalent local portion of the address. The maximum length is 50 characters.

Data Type

String

BillingAddressLine2 Property (IPWorks3DS_Server Class)

The second line of the street address or equivalent local portion of the address.

Object Oriented Interface

public function getBillingAddressLine2();
public function setBillingAddressLine2($value);

Procedural Interface

ipworks3ds_server_get($res, 18 );
ipworks3ds_server_set($res, 18, $value );

Default Value

''

Remarks

The second line of the street address or equivalent local portion of the address. The maximum length is 50 characters.

Data Type

String

BillingAddressLine3 Property (IPWorks3DS_Server Class)

The third line of the street address or equivalent local portion of the address.

Object Oriented Interface

public function getBillingAddressLine3();
public function setBillingAddressLine3($value);

Procedural Interface

ipworks3ds_server_get($res, 19 );
ipworks3ds_server_set($res, 19, $value );

Default Value

''

Remarks

The third line of the street address or equivalent local portion of the address. The maximum length is 50 characters.

Data Type

String

BillingAddressPostalCode Property (IPWorks3DS_Server Class)

The ZIP or other postal code of the address.

Object Oriented Interface

public function getBillingAddressPostalCode();
public function setBillingAddressPostalCode($value);

Procedural Interface

ipworks3ds_server_get($res, 20 );
ipworks3ds_server_set($res, 20, $value );

Default Value

''

Remarks

The ZIP or other postal code of the address. The maximum length is 16 characters.

Data Type

String

BillingAddressState Property (IPWorks3DS_Server Class)

The state or province of the address.

Object Oriented Interface

public function getBillingAddressState();
public function setBillingAddressState($value);

Procedural Interface

ipworks3ds_server_get($res, 21 );
ipworks3ds_server_set($res, 21, $value );

Default Value

''

Remarks

The state or province of the address. The maximum length is 3 characters and should be the country subdivision code defined in ISO 3166-2.

Data Type

String

BrowserAcceptHeader Property (IPWorks3DS_Server Class)

HTTP accept header sent from the cardholder's browser.

Object Oriented Interface

public function getBrowserAcceptHeader();
public function setBrowserAcceptHeader($value);

Procedural Interface

ipworks3ds_server_get($res, 22 );
ipworks3ds_server_set($res, 22, $value );

Default Value

''

Remarks

This field contains the exact content of the HTTP accept header as sent to the merchant from the cardholder's user agent. This field is required only if the cardholder's user agent supplied a value.

Data Type

String

BrowserIPAddress Property (IPWorks3DS_Server Class)

IP address of the cardholder's browser.

Object Oriented Interface

public function getBrowserIPAddress();
public function setBrowserIPAddress($value);

Procedural Interface

ipworks3ds_server_get($res, 23 );
ipworks3ds_server_set($res, 23, $value );

Default Value

''

Remarks

This field contains the IP address of the cardholder's browser as returned by the HTTP headers.

Data Type

String

BrowserJavaEnabledVal Property (IPWorks3DS_Server Class)

Ability of the cardholder's browser to execute Java.

Object Oriented Interface

public function getBrowserJavaEnabledVal();
public function setBrowserJavaEnabledVal($value);

Procedural Interface

ipworks3ds_server_get($res, 24 );
ipworks3ds_server_set($res, 24, $value );

Default Value

0

Remarks

This field contains a value representing the ability of the cardholder's browser to execute Java.

Possible values are as follows:

jeNotPresent (0)Not Present
jeTrue (1)True
jeFalse (2)False

Data Type

Integer

BrowserJavaScriptEnabledVal Property (IPWorks3DS_Server Class)

Ability of the cardholder's browser to execute JavaScript.

Object Oriented Interface

public function getBrowserJavaScriptEnabledVal();
public function setBrowserJavaScriptEnabledVal($value);

Procedural Interface

ipworks3ds_server_get($res, 25 );
ipworks3ds_server_set($res, 25, $value );

Default Value

0

Remarks

This field contains a value representing the ability of the cardholder's browser to execute JavaScript.

Possible values are as follows:

bjeNotPresent (0)Not Present
bjeTrue (1)True
bjeFalse (2)False

Data Type

Integer

BrowserLanguage Property (IPWorks3DS_Server Class)

The cardholder's browser language.

Object Oriented Interface

public function getBrowserLanguage();
public function setBrowserLanguage($value);

Procedural Interface

ipworks3ds_server_get($res, 26 );
ipworks3ds_server_set($res, 26, $value );

Default Value

''

Remarks

This field contains the cardholder's browser language as defined in IETF BCP 47.

Data Type

String

BrowserScreenColorDepth Property (IPWorks3DS_Server Class)

The screen color depth of the cardholder's browser.

Object Oriented Interface

public function getBrowserScreenColorDepth();
public function setBrowserScreenColorDepth($value);

Procedural Interface

ipworks3ds_server_get($res, 27 );
ipworks3ds_server_set($res, 27, $value );

Default Value

''

Remarks

This field contains a value representing the bit depth of the color palette, in bits per pixel, for displaying images.

For MessageVersion 2.1.0, this field is required. If BrowserJavaEnabledVal is False, a value of 1 can be used. When using MessageVersion of 2.2.0 or 2.3.1 and both BrowserJavaEnabledVal and BrowserJavaScriptEnabledVal are False, no value is required.

Data Type

String

BrowserScreenHeight Property (IPWorks3DS_Server Class)

The screen height of the cardholder's browser.

Object Oriented Interface

public function getBrowserScreenHeight();
public function setBrowserScreenHeight($value);

Procedural Interface

ipworks3ds_server_get($res, 28 );
ipworks3ds_server_set($res, 28, $value );

Default Value

''

Remarks

This field contains the total height of the cardholder's screen in pixels.

For MessageVersion 2.1.0, this field is required. If BrowserJavaEnabledVal is False, a value of 0 can be used. When using MessageVersion of 2.2.0 or 2.3.1 and both BrowserJavaEnabledVal and BrowserJavaScriptEnabledVal are False, no value is required.

Data Type

String

BrowserScreenWidth Property (IPWorks3DS_Server Class)

The screen width of the cardholder's browser.

Object Oriented Interface

public function getBrowserScreenWidth();
public function setBrowserScreenWidth($value);

Procedural Interface

ipworks3ds_server_get($res, 29 );
ipworks3ds_server_set($res, 29, $value );

Default Value

''

Remarks

This field contains the total width of the cardholder's screen in pixels.

For MessageVersion 2.1.0, this field is required. If BrowserJavaEnabledVal is False, a value of 0 can be used. When using MessageVersion of 2.2.0 or 2.3.1 and both BrowserJavaEnabledVal and BrowserJavaScriptEnabledVal are False, no value is required.

Data Type

String

BrowserTimeZone Property (IPWorks3DS_Server Class)

The timezone offset of the cardholder's browser.

Object Oriented Interface

public function getBrowserTimeZone();
public function setBrowserTimeZone($value);

Procedural Interface

ipworks3ds_server_get($res, 30 );
ipworks3ds_server_set($res, 30, $value );

Default Value

''

Remarks

This field contains the difference between UTC time and the cardholder's browser local time in minutes.

For MessageVersion 2.1.0, this field is required. If BrowserJavaEnabledVal is False, a value of 0 can be used. When using MessageVersion of 2.2.0 or 2.3.1 and both BrowserJavaEnabledVal and BrowserJavaScriptEnabledVal are False, no value is required.

Data Type

String

BrowserUserAgent Property (IPWorks3DS_Server Class)

The User-Agent provided by the cardholder's browser.

Object Oriented Interface

public function getBrowserUserAgent();
public function setBrowserUserAgent($value);

Procedural Interface

ipworks3ds_server_get($res, 31 );
ipworks3ds_server_set($res, 31, $value );

Default Value

''

Remarks

This field contains the exact content of the HTTP User-Agent header.

Data Type

String

CardExpDate Property (IPWorks3DS_Server Class)

Expiration date of the PAN or Token.

Object Oriented Interface

public function getCardExpDate();
public function setCardExpDate($value);

Procedural Interface

ipworks3ds_server_get($res, 32 );
ipworks3ds_server_set($res, 32, $value );

Default Value

''

Remarks

This field contains the expiration date of the PAN or Token supplied in the CardNumber property. The format for this field is YYMM.

Data Type

String

CardholderEmail Property (IPWorks3DS_Server Class)

The cardholder email address.

Object Oriented Interface

public function getCardholderEmail();
public function setCardholderEmail($value);

Procedural Interface

ipworks3ds_server_get($res, 33 );
ipworks3ds_server_set($res, 33, $value );

Default Value

''

Remarks

This field contains the cardholder email address to be sent to the directory server when calling SendAuthRequest.

Data Type

String

CardholderHomePhone Property (IPWorks3DS_Server Class)

The cardholder home phone number.

Object Oriented Interface

public function getCardholderHomePhone();
public function setCardholderHomePhone($value);

Procedural Interface

ipworks3ds_server_get($res, 34 );
ipworks3ds_server_set($res, 34, $value );

Default Value

''

Remarks

This field contains the home phone number provided by the card holder.

Phone numbers must be specified in the following format: CountryCode-Subscriber (e.g. 1-1234567899)

The "-" is used to separate the "Country Code" and "Subscriber" sections. The values are then formatted according to the EMVCo specification (a JSON object) in the request like so:

  "homePhone": {
    "cc": "1",
    "subscriber": "1234567899"
  }

Data Type

String

CardholderMobilePhone Property (IPWorks3DS_Server Class)

The cardholder mobile phone number.

Object Oriented Interface

public function getCardholderMobilePhone();
public function setCardholderMobilePhone($value);

Procedural Interface

ipworks3ds_server_get($res, 35 );
ipworks3ds_server_set($res, 35, $value );

Default Value

''

Remarks

This field contains the mobile phone number provided by the cardholder.

Phone numbers must be specified in the following format: CountryCode-Subscriber (e.g. 1-1234567899)

The "-" is used to separate the "Country Code" and "Subscriber" sections. The values are then formatted according to the EMVCo specification (a JSON object) in the request like so:

  "homePhone": {
    "cc": "1",
    "subscriber": "1234567899"
  }

Data Type

String

CardholderName Property (IPWorks3DS_Server Class)

Name of the cardholder.

Object Oriented Interface

public function getCardholderName();
public function setCardholderName($value);

Procedural Interface

ipworks3ds_server_get($res, 36 );
ipworks3ds_server_set($res, 36, $value );

Default Value

''

Remarks

This property contains the name of the cardholder. Limited to the alphanumeric characters listed in EMV Book 4, Annex B. Required to be set unless market or regional mandates restricts sending this information.

Data Type

String

CardholderWorkPhone Property (IPWorks3DS_Server Class)

The cardholder work phone number.

Object Oriented Interface

public function getCardholderWorkPhone();
public function setCardholderWorkPhone($value);

Procedural Interface

ipworks3ds_server_get($res, 37 );
ipworks3ds_server_set($res, 37, $value );

Default Value

''

Remarks

This field contains the work phone number provided by the cardholder.

Phone numbers must be specified in the following format: CountryCode-Subscriber (e.g. 1-1234567899)

The "-" is used to separate the "Country Code" and "Subscriber" sections. The values are then formatted according to the EMVCo specification (a JSON object) in the request like so:

  "homePhone": {
    "cc": "1",
    "subscriber": "1234567899"
  }

Data Type

String

CardNumber Property (IPWorks3DS_Server Class)

Customer's account number that will be authenticated.

Object Oriented Interface

public function getCardNumber();
public function setCardNumber($value);

Procedural Interface

ipworks3ds_server_get($res, 38 );
ipworks3ds_server_set($res, 38, $value );

Default Value

''

Remarks

This property contains the customer's credit card number (PAN) or token that will be used in the authorization request for payment transactions. This property is 13-19 characters long.

Data Type

String

CardRangeCount Property (IPWorks3DS_Server Class)

The number of records in the CardRange arrays.

Object Oriented Interface

public function getCardRangeCount();

Procedural Interface

ipworks3ds_server_get($res, 39 );

Default Value

0

Remarks

This property controls the size of the following arrays:

The array indices start at 0 and end at CardRangeCount - 1.

This property is read-only and not available at design time.

Data Type

Integer

CardRangeACSEndProtocolVersion Property (IPWorks3DS_Server Class)

The most recent active protocol version that is supported by the ACS.

Object Oriented Interface

public function getCardRangeACSEndProtocolVersion($cardrangeindex);

Procedural Interface

ipworks3ds_server_get($res, 40 , $cardrangeindex);

Default Value

''

Remarks

The most recent active protocol version that is supported by the ACS.

The $cardrangeindex parameter specifies the index of the item in the array. The size of the array is controlled by the CardRangeCount property.

This property is read-only and not available at design time.

Data Type

String

CardRangeACSInformationIndicator Property (IPWorks3DS_Server Class)

Additional information on the card range as supplied by the ACS.

Object Oriented Interface

public function getCardRangeACSInformationIndicator($cardrangeindex);

Procedural Interface

ipworks3ds_server_get($res, 41 , $cardrangeindex);

Default Value

'0'

Remarks

Additional information on the card range as supplied by the ACS. This property is a comma separate list of values returned from the server; possible values are:

  • 01 - Authentication Available at ACS
  • 02 - Attempts Supported by ACS or DS
  • 03 - Decoupled Authentication Supported
  • 04 - Whitelisting Supported
  • 05 - Device Binding Supported (2.3.1 only)
  • 06 - WebAuthn Authentication Supported (2.3.1 only)
  • 07 - SPC Authentication Supported (2.3.1 only)
  • 08 - Transaction Risk Analysis Exemption Supported (2.3.1 only)
  • 09 - Trust List Exemption Supported (2.3.1 only)
  • 10 - Low Value Exemption Supported (2.3.1 only)
  • 11 - Secure Corporate Payments Exemption Supported (2.3.1 only)
  • 80-99 - Reserved for DS Use

The $cardrangeindex parameter specifies the index of the item in the array. The size of the array is controlled by the CardRangeCount property.

This property is read-only and not available at design time.

Data Type

String

CardRangeACSStartProtocolVersion Property (IPWorks3DS_Server Class)

The earliest (i.

Object Oriented Interface

public function getCardRangeACSStartProtocolVersion($cardrangeindex);

Procedural Interface

ipworks3ds_server_get($res, 42 , $cardrangeindex);

Default Value

''

Remarks

The earliest (i.e. oldest) active protocol version that is supported by the ACS.

The $cardrangeindex parameter specifies the index of the item in the array. The size of the array is controlled by the CardRangeCount property.

This property is read-only and not available at design time.

Data Type

String

CardRangeAction Property (IPWorks3DS_Server Class)

The action to be taken with the card range specified by the Start and End properties.

Object Oriented Interface

public function getCardRangeAction($cardrangeindex);

Procedural Interface

ipworks3ds_server_get($res, 43 , $cardrangeindex);

Default Value

''

Remarks

The action to be taken with the card range specified by the CardRangeStart and CardRangeEnd fields. Possible values are:

  • A - Add the card range to the cache (default value)
  • D - Delete the card range from the cache
  • M - Modify the card range data
If the SerialNumber was not included in the Card Range Request, the Action will be A (add) for all ranges returned. If no action is returned for the card range (empty value), it can be assumed that the action for the range is A.

The $cardrangeindex parameter specifies the index of the item in the array. The size of the array is controlled by the CardRangeCount property.

This property is read-only and not available at design time.

Data Type

String

CardRangeDSEndProtocolVersion Property (IPWorks3DS_Server Class)

The most recent active protocol version that is supported by the DS.

Object Oriented Interface

public function getCardRangeDSEndProtocolVersion($cardrangeindex);

Procedural Interface

ipworks3ds_server_get($res, 44 , $cardrangeindex);

Default Value

''

Remarks

The most recent active protocol version that is supported by the DS.

The $cardrangeindex parameter specifies the index of the item in the array. The size of the array is controlled by the CardRangeCount property.

This property is read-only and not available at design time.

Data Type

String

CardRangeDSStartProtocolVersion Property (IPWorks3DS_Server Class)

The earliest (i.

Object Oriented Interface

public function getCardRangeDSStartProtocolVersion($cardrangeindex);

Procedural Interface

ipworks3ds_server_get($res, 45 , $cardrangeindex);

Default Value

''

Remarks

The earliest (i.e. oldest) active protocol version that is supported by the DS.

The $cardrangeindex parameter specifies the index of the item in the array. The size of the array is controlled by the CardRangeCount property.

This property is read-only and not available at design time.

Data Type

String

CardRangeEnd Property (IPWorks3DS_Server Class)

Last number in a range of credit card numbers returned by the Directory Server.

Object Oriented Interface

public function getCardRangeEnd($cardrangeindex);

Procedural Interface

ipworks3ds_server_get($res, 46 , $cardrangeindex);

Default Value

''

Remarks

Last number in a range of credit card numbers returned by the Directory Server.

This property contains the final card number in the current range. The first number in the current range is contained in CardRangeStart, and the action (add or delete) to take on this range is contained in CardRangeAction. Note that the card ranges must be processed in the order returned.

Card ranges returned by a Card Range Request are for credit cards that support 3-D Secure. If the customer's credit card number is not within one of these ranges, you cannot use 3-D Secure for that card. Examples of card numbers that may not be eligible for 3-D Secure are check cards, corporate cards, and gift cards.

The $cardrangeindex parameter specifies the index of the item in the array. The size of the array is controlled by the CardRangeCount property.

This property is read-only and not available at design time.

Data Type

String

CardRangeMethodURL Property (IPWorks3DS_Server Class)

The ACS URL that will be used by the 3DS method.

Object Oriented Interface

public function getCardRangeMethodURL($cardrangeindex);

Procedural Interface

ipworks3ds_server_get($res, 47 , $cardrangeindex);

Default Value

''

Remarks

The ACS URL that will be used by the 3DS method.

The $cardrangeindex parameter specifies the index of the item in the array. The size of the array is controlled by the CardRangeCount property.

This property is read-only and not available at design time.

Data Type

String

CardRangeStart Property (IPWorks3DS_Server Class)

First number in a range of credit card numbers returned by the Directory Server.

Object Oriented Interface

public function getCardRangeStart($cardrangeindex);

Procedural Interface

ipworks3ds_server_get($res, 48 , $cardrangeindex);

Default Value

''

Remarks

First number in a range of credit card numbers returned by the Directory Server.

This property contains the first card number in the current range. The final number in the current range is contained in CardRangeEnd, and the action (add or delete) to take on this range is contained in CardRangeAction. Note that the card ranges must be processed in the order returned.

Card ranges returned by a Card Range Request are for credit cards that support 3-D Secure. If the customer's credit card number is not within one of these ranges, you cannot use 3-D Secure for that card. Examples of card numbers that may not be eligible for 3-D Secure are check cards, corporate cards, and gift cards.

The $cardrangeindex parameter specifies the index of the item in the array. The size of the array is controlled by the CardRangeCount property.

This property is read-only and not available at design time.

Data Type

String

ChallengeWindowSize Property (IPWorks3DS_Server Class)

Challenge window size.

Object Oriented Interface

public function getChallengeWindowSize();
public function setChallengeWindowSize($value);

Procedural Interface

ipworks3ds_server_get($res, 49 );
ipworks3ds_server_set($res, 49, $value );

Default Value

1

Remarks

This field indicates the dimensions of the challenge window that has been displayed to the cardholder. The ACS shall reply with content that is formatted to appropriately render in this window to provide the best possible user experience.

Preconfigured sizes are width x height in pixels of the window displayed in the cardholder browser. Possible values are:

1250 x 400
2390 x 400
3500 x 600
4600 x 400
5Full screen

This value is included in the Challenge Request Message (CReq) generated by the component when the GetChallengeRequest methods are called.

Data Type

Integer

ClientAuthRequest Property (IPWorks3DS_Server Class)

The data received by the class to be sent in the authentication request.

Object Oriented Interface

public function getClientAuthRequest();
public function setClientAuthRequest($value);

Procedural Interface

ipworks3ds_server_get($res, 50 );
ipworks3ds_server_set($res, 50, $value );

Default Value

''

Remarks

The 3DS SDK should prepare data to be sent by the 3DS Server class. Set ClientAuthRequest to the data received from the 3DS SDK before calling SendAuthRequest.

See the 3DS SDK documentation for details on preparing this data.

Data Type

String

ClientAuthResponse Property (IPWorks3DS_Server Class)

The authentication response for an app-based flow.

Object Oriented Interface

public function getClientAuthResponse();

Procedural Interface

ipworks3ds_server_get($res, 51 );

Default Value

''

Remarks

This property is populated after calling SendAuthRequest, and is only applicable for the app-based flow. If a challenge is required, this data should be sent back to the 3DS SDK over the secure channel.

See SendAuthRequest for more details about handling the response.

This property is read-only.

Data Type

String

DataPacketOut Property (IPWorks3DS_Server Class)

Contains the data packet sent to the server.

Object Oriented Interface

public function getDataPacketOut();

Procedural Interface

ipworks3ds_server_get($res, 52 );

Default Value

''

Remarks

After calling either the RequestCardRanges, or SendAuthRequest methods, this property will contain the entire data packet that was sent. Also, after calling the GetChallengeRequest or GetResultsResponse method, this property will contain the constructed messages. The contents of this property should be logged for each transaction.

This property is read-only and not available at design time.

Data Type

String

DeviceChannel Property (IPWorks3DS_Server Class)

Device channel.

Object Oriented Interface

public function getDeviceChannel();
public function setDeviceChannel($value);

Procedural Interface

ipworks3ds_server_get($res, 53 );
ipworks3ds_server_set($res, 53, $value );

Default Value

'02'

Remarks

This field indicates the type of channel interface being used to initiate the transaction.

Possible values include:

01App-based
02 - defaultBrowser
033DS Requestor Initiated (3RI)

Data Type

String

DirectoryServerURL Property (IPWorks3DS_Server Class)

The address of the Directory Server.

Object Oriented Interface

public function getDirectoryServerURL();
public function setDirectoryServerURL($value);

Procedural Interface

ipworks3ds_server_get($res, 54 );
ipworks3ds_server_set($res, 54, $value );

Default Value

''

Remarks

This is the URL to which the RequestCardRanges and SendAuthRequest methods post.

Data Type

String

DSSupportedProtocols Property (IPWorks3DS_Server Class)

Protocol Versions supported by the DS.

Object Oriented Interface

public function getDSSupportedProtocols();
public function setDSSupportedProtocols($value);

Procedural Interface

ipworks3ds_server_get($res, 55 );
ipworks3ds_server_set($res, 55, $value );

Default Value

0

Remarks

The active protocol versions supported by the Directory Server. A bitwise OR of the following values:

2.1.00x02
2.2.00x04
2.3.10x08

Data Type

Integer

DSURLCount Property (IPWorks3DS_Server Class)

The number of records in the DSURL arrays.

Object Oriented Interface

public function getDSURLCount();

Procedural Interface

ipworks3ds_server_get($res, 56 );

Default Value

0

Remarks

This property controls the size of the following arrays:

The array indices start at 0 and end at DSURLCount - 1.

This property is read-only and not available at design time.

Data Type

Integer

DSURLCountryCode Property (IPWorks3DS_Server Class)

The country for which the 3DS Server to DS URL can be used.

Object Oriented Interface

public function getDSURLCountryCode($dsurlindex);

Procedural Interface

ipworks3ds_server_get($res, 57 , $dsurlindex);

Default Value

''

Remarks

The country for which the 3DS Server to DS URL can be used.

The $dsurlindex parameter specifies the index of the item in the array. The size of the array is controlled by the DSURLCount property.

This property is read-only and not available at design time.

Data Type

String

DSURLThreeDSServerToDsUrl Property (IPWorks3DS_Server Class)

URL that the 3DS Server uses to communicate with a DS for a particular card range.

Object Oriented Interface

public function getDSURLThreeDSServerToDsUrl($dsurlindex);

Procedural Interface

ipworks3ds_server_get($res, 58 , $dsurlindex);

Default Value

''

Remarks

URL that the 3DS Server uses to communicate with a DS for a particular card range. If the DS Country Code is absent, the 3DS Server can use this URL for all card ranges.

The $dsurlindex parameter specifies the index of the item in the array. The size of the array is controlled by the DSURLCount property.

This property is read-only and not available at design time.

Data Type

String

ErrorPacket Property (IPWorks3DS_Server Class)

The error packet.

Object Oriented Interface

public function getErrorPacket();

Procedural Interface

ipworks3ds_server_get($res, 59 );

Default Value

''

Remarks

If an error is encountered while parsing a received packet using the CheckResponse method, this field will be populated with an error packet to be sent back to the server.

If the message being parsed is an error, this field will be populated with the received error packet itself.

This property is read-only.

Data Type

String

ExtensionCount Property (IPWorks3DS_Server Class)

The number of records in the Extension arrays.

Object Oriented Interface

public function getExtensionCount();
public function setExtensionCount($value);

Procedural Interface

ipworks3ds_server_get($res, 60 );
ipworks3ds_server_set($res, 60, $value );

Default Value

0

Remarks

This property controls the size of the following arrays:

The array indices start at 0 and end at ExtensionCount - 1.

This property is not available at design time.

Data Type

Integer

ExtensionCritical Property (IPWorks3DS_Server Class)

Whether the extension is critical.

Object Oriented Interface

public function getExtensionCritical($extensionindex);
public function setExtensionCritical($extensionindex, $value);

Procedural Interface

ipworks3ds_server_get($res, 61 , $extensionindex);
ipworks3ds_server_set($res, 61, $value , $extensionindex);

Default Value

false

Remarks

Whether the extension is critical.

This setting specifies whether the recipient must understand the contents of the extension to interpret the entire message.

The $extensionindex parameter specifies the index of the item in the array. The size of the array is controlled by the ExtensionCount property.

This property is not available at design time.

Data Type

Boolean

ExtensionData Property (IPWorks3DS_Server Class)

The extension data as JSON.

Object Oriented Interface

public function getExtensionData($extensionindex);
public function setExtensionData($extensionindex, $value);

Procedural Interface

ipworks3ds_server_get($res, 62 , $extensionindex);
ipworks3ds_server_set($res, 62, $value , $extensionindex);

Default Value

''

Remarks

The extension data as JSON.

This setting specifies the JSON formatted extension data.

The $extensionindex parameter specifies the index of the item in the array. The size of the array is controlled by the ExtensionCount property.

This property is not available at design time.

Data Type

String

ExtensionId Property (IPWorks3DS_Server Class)

The id of the specified extension.

Object Oriented Interface

public function getExtensionId($extensionindex);
public function setExtensionId($extensionindex, $value);

Procedural Interface

ipworks3ds_server_get($res, 63 , $extensionindex);
ipworks3ds_server_set($res, 63, $value , $extensionindex);

Default Value

''

Remarks

The id of the specified extension.

This setting specifies a unique identifier for the extension.

The $extensionindex parameter specifies the index of the item in the array. The size of the array is controlled by the ExtensionCount property.

This property is not available at design time.

Data Type

String

ExtensionName Property (IPWorks3DS_Server Class)

The extension name.

Object Oriented Interface

public function getExtensionName($extensionindex);
public function setExtensionName($extensionindex, $value);

Procedural Interface

ipworks3ds_server_get($res, 64 , $extensionindex);
ipworks3ds_server_set($res, 64, $value , $extensionindex);

Default Value

''

Remarks

The extension name.

This setting specifies the name of the extension as defined by the extension owner.

The $extensionindex parameter specifies the index of the item in the array. The size of the array is controlled by the ExtensionCount property.

This property is not available at design time.

Data Type

String

MerchantCategoryCode Property (IPWorks3DS_Server Class)

Merchant category code.

Object Oriented Interface

public function getMerchantCategoryCode();
public function setMerchantCategoryCode($value);

Procedural Interface

ipworks3ds_server_get($res, 65 );
ipworks3ds_server_set($res, 65, $value );

Default Value

''

Remarks

DS-specific code describing the Merchant's type of business, product, or service. Required to be set prior to calling SendAuthRequest.

Data Type

String

MerchantCountryCode Property (IPWorks3DS_Server Class)

Country code of the merchant.

Object Oriented Interface

public function getMerchantCountryCode();
public function setMerchantCountryCode($value);

Procedural Interface

ipworks3ds_server_get($res, 66 );
ipworks3ds_server_set($res, 66, $value );

Default Value

''

Remarks

This field contains the country code of the merchant. This value correlates to the Merchant Country Code as defined by each Payment System or DS. Required to be set prior to calling SendAuthRequest.

Data Type

String

MerchantName Property (IPWorks3DS_Server Class)

Merchant name.

Object Oriented Interface

public function getMerchantName();
public function setMerchantName($value);

Procedural Interface

ipworks3ds_server_get($res, 67 );
ipworks3ds_server_set($res, 67, $value );

Default Value

''

Remarks

The name of the merchant as assigned by the acquirer or payment system. Required to be set prior to calling SendAuthRequest.

Data Type

String

MessageCategory Property (IPWorks3DS_Server Class)

The category of the message.

Object Oriented Interface

public function getMessageCategory();
public function setMessageCategory($value);

Procedural Interface

ipworks3ds_server_get($res, 68 );
ipworks3ds_server_set($res, 68, $value );

Default Value

''

Remarks

This field identifies the category of the message (Payment Authentication or Non-Payment Authentication). This will be sent in the Authentication Request Message (AReq) sent by the component when SendAuthRequest is called, and in the Results Request Message (RReq) received from the directory server (populated after calling CheckResponse.

Possible values include:

01 (default)PA (Payment Authentication)
02NPA (Non-Payment Authentication)

Data Type

String

MessageVersion Property (IPWorks3DS_Server Class)

Protocol version identifier.

Object Oriented Interface

public function getMessageVersion();
public function setMessageVersion($value);

Procedural Interface

ipworks3ds_server_get($res, 69 );
ipworks3ds_server_set($res, 69, $value );

Default Value

'2.1.0'

Remarks

The protocol version number of the specification used by the system creating this message.

Possible values are:

2.1.0 (Default)
2.2.0
2.3.1
The message version number is set by the 3DS Server which originates the protocol with the AReq message (when SendAuthRequest is called). The message version number does not change during a 3DS transaction.

Data Type

String

MethodNotificationURL Property (IPWorks3DS_Server Class)

The URL to which the method notification will be posted.

Object Oriented Interface

public function getMethodNotificationURL();
public function setMethodNotificationURL($value);

Procedural Interface

ipworks3ds_server_get($res, 70 );
ipworks3ds_server_set($res, 70, $value );

Default Value

''

Remarks

This property specifies the URL to which the ACS will post when the method execution has completed. This must be set before calling GetMethodData. See GetMethodData for more details.

Data Type

String

NotificationURL Property (IPWorks3DS_Server Class)

The notification URL to which the challenge response is sent.

Object Oriented Interface

public function getNotificationURL();
public function setNotificationURL($value);

Procedural Interface

ipworks3ds_server_get($res, 71 );
ipworks3ds_server_set($res, 71, $value );

Default Value

''

Remarks

This property specifies the URL to which the final challenge response is POSTed in a browser-based flow. This must be set before calling SendAuthRequest.

After the challenge interaction is complete the ACS will post data to the URL specified in this property to notify the application that the challenge is complete. The data received at this URL can be processed by calling CheckResponse. See GetChallengeRequest and CheckResponse for more details.

Data Type

String

OperationInfoCategory Property (IPWorks3DS_Server Class)

Indicates the category/type of information.

Object Oriented Interface

public function getOperationInfoCategory();

Procedural Interface

ipworks3ds_server_get($res, 72 );

Default Value

''

Remarks

Indicates the category/type of information.

01 General
02 Operational alert
03 Public Key Certificate expiry
04 Letter of Approval/Attestation of Compliance expiry
05 Fraud
06 Other
80-99 Reserved for DS use

This property is read-only and not available at design time.

Data Type

String

OperationInfoDescription Property (IPWorks3DS_Server Class)

Describes the reason for the operational communication or the response to an action taken by the recipient.

Object Oriented Interface

public function getOperationInfoDescription();

Procedural Interface

ipworks3ds_server_get($res, 73 );

Default Value

''

Remarks

Describes the reason for the operational communication or the response to an action taken by the recipient.

This property is read-only and not available at design time.

Data Type

String

OperationInfoExpirationDate Property (IPWorks3DS_Server Class)

The date after which the relevance of the operational information expires.

Object Oriented Interface

public function getOperationInfoExpirationDate();

Procedural Interface

ipworks3ds_server_get($res, 74 );

Default Value

''

Remarks

The date after which the relevance of the operational information expires.

This property is read-only and not available at design time.

Data Type

String

OperationInfoMessageStatus Property (IPWorks3DS_Server Class)

Indicates the status of the operational request message sequence from the source of the OReq.

Object Oriented Interface

public function getOperationInfoMessageStatus();
public function setOperationInfoMessageStatus($value);

Procedural Interface

ipworks3ds_server_get($res, 75 );
ipworks3ds_server_set($res, 75, $value );

Default Value

''

Remarks

Indicates the status of the operational request message sequence from the source of the OReq.

01 Successfully received messages
02 Message sequence is broken
03 Requested action is not supported or not executed by the 3DS Server or ACS when OReq message was received
80-99 Reserved for DS use

This property is not available at design time.

Data Type

String

OperationInfoPriorTransactionId Property (IPWorks3DS_Server Class)

The transaction ID of the prior transaction to which the operational information refers.

Object Oriented Interface

public function getOperationInfoPriorTransactionId();

Procedural Interface

ipworks3ds_server_get($res, 76 );

Default Value

''

Remarks

The transaction ID of the prior transaction to which the operational information refers.

This property is read-only and not available at design time.

Data Type

String

OperationInfoPriorTransactionIdType Property (IPWorks3DS_Server Class)

The type of transaction ID of the prior transaction to which the operational information refers.

Object Oriented Interface

public function getOperationInfoPriorTransactionIdType();

Procedural Interface

ipworks3ds_server_get($res, 77 );

Default Value

0

Remarks

The type of transaction ID of the prior transaction to which the operational information refers.

01 3DS Server
02 DS
03 ACS

This property is read-only and not available at design time.

Data Type

Integer

OperationInfoSequenceId Property (IPWorks3DS_Server Class)

Uniquely identifies a message sequence and will remain constant in the sequence of messages.

Object Oriented Interface

public function getOperationInfoSequenceId();

Procedural Interface

ipworks3ds_server_get($res, 78 );

Default Value

''

Remarks

Uniquely identifies a message sequence and will remain constant in the sequence of messages.

This property is read-only and not available at design time.

Data Type

String

OperationInfoSequenceNumber Property (IPWorks3DS_Server Class)

The current message in the sequence.

Object Oriented Interface

public function getOperationInfoSequenceNumber();
public function setOperationInfoSequenceNumber($value);

Procedural Interface

ipworks3ds_server_get($res, 79 );
ipworks3ds_server_set($res, 79, $value );

Default Value

0

Remarks

The current message in the sequence. Set this before calling CheckResponse when an OReq packet is received. The component will verify the sequence number of the received OReq to ensure it's not out of sequence.

This property is not available at design time.

Data Type

Integer

OperationInfoSequenceTotal Property (IPWorks3DS_Server Class)

The total number of messages in the sequence and will remain constant in the sequence of messages.

Object Oriented Interface

public function getOperationInfoSequenceTotal();

Procedural Interface

ipworks3ds_server_get($res, 80 );

Default Value

0

Remarks

The total number of messages in the sequence and will remain constant in the sequence of messages.

This property is read-only and not available at design time.

Data Type

Integer

OperationInfoSeverity Property (IPWorks3DS_Server Class)

Indicates the importance/severity level of the operational information.

Object Oriented Interface

public function getOperationInfoSeverity();

Procedural Interface

ipworks3ds_server_get($res, 81 );

Default Value

''

Remarks

Indicates the importance/severity level of the operational information.

01 Critical
02 Major
03 Minor
04 Informational
80-99 Reserved for DS use

This property is read-only and not available at design time.

Data Type

String

ProxyAuthScheme Property (IPWorks3DS_Server Class)

The type of authorization to perform when connecting to the proxy.

Object Oriented Interface

public function getProxyAuthScheme();
public function setProxyAuthScheme($value);

Procedural Interface

ipworks3ds_server_get($res, 82 );
ipworks3ds_server_set($res, 82, $value );

Default Value

0

Remarks

The type of authorization to perform when connecting to the proxy. This is used only when the ProxyUser and ProxyPassword properties are set.

ProxyAuthScheme should be set to authNone (3) when no authentication is expected.

By default, ProxyAuthScheme is authBasic (0), and if the ProxyUser and ProxyPassword properties are set, the class will attempt basic authentication.

If ProxyAuthScheme is set to authDigest (1), digest authentication will be attempted instead.

If ProxyAuthScheme is set to authProprietary (2), then the authorization token will not be generated by the class. Look at the configuration file for the class being used to find more information about manually setting this token.

If ProxyAuthScheme is set to authNtlm (4), NTLM authentication will be used.

For security reasons, setting this property will clear the values of ProxyUser and ProxyPassword.

Data Type

Integer

ProxyAutoDetect Property (IPWorks3DS_Server Class)

Whether to automatically detect and use proxy system settings, if available.

Object Oriented Interface

public function getProxyAutoDetect();
public function setProxyAutoDetect($value);

Procedural Interface

ipworks3ds_server_get($res, 83 );
ipworks3ds_server_set($res, 83, $value );

Default Value

false

Remarks

Whether to automatically detect and use proxy system settings, if available. The default value is false.

Data Type

Boolean

ProxyPassword Property (IPWorks3DS_Server Class)

A password if authentication is to be used for the proxy.

Object Oriented Interface

public function getProxyPassword();
public function setProxyPassword($value);

Procedural Interface

ipworks3ds_server_get($res, 84 );
ipworks3ds_server_set($res, 84, $value );

Default Value

''

Remarks

A password if authentication is to be used for the proxy.

If ProxyAuthScheme is set to Basic Authentication, the ProxyUser and ProxyPassword properties are Base64 encoded and the proxy authentication token will be generated in the form Basic [encoded-user-password].

If ProxyAuthScheme is set to Digest Authentication, the ProxyUser and ProxyPassword properties are used to respond to the Digest Authentication challenge from the server.

If ProxyAuthScheme is set to NTLM Authentication, the ProxyUser and ProxyPassword properties are used to authenticate through NTLM negotiation.

Data Type

String

ProxyPort Property (IPWorks3DS_Server Class)

The Transmission Control Protocol (TCP) port for the proxy Server (default 80).

Object Oriented Interface

public function getProxyPort();
public function setProxyPort($value);

Procedural Interface

ipworks3ds_server_get($res, 85 );
ipworks3ds_server_set($res, 85, $value );

Default Value

80

Remarks

The Transmission Control Protocol (TCP) port for the proxy ProxyServer (default 80). See the description of the ProxyServer property for details.

Data Type

Integer

ProxyServer Property (IPWorks3DS_Server Class)

If a proxy Server is given, then the HTTP request is sent to the proxy instead of the server otherwise specified.

Object Oriented Interface

public function getProxyServer();
public function setProxyServer($value);

Procedural Interface

ipworks3ds_server_get($res, 86 );
ipworks3ds_server_set($res, 86, $value );

Default Value

''

Remarks

If a proxy ProxyServer is given, then the HTTP request is sent to the proxy instead of the server otherwise specified.

If the ProxyServer property is set to a domain name, a DNS request is initiated. Upon successful termination of the request, the ProxyServer property is set to the corresponding address. If the search is not successful, an error is returned.

Data Type

String

ProxySSL Property (IPWorks3DS_Server Class)

When to use a Secure Sockets Layer (SSL) for the connection to the proxy.

Object Oriented Interface

public function getProxySSL();
public function setProxySSL($value);

Procedural Interface

ipworks3ds_server_get($res, 87 );
ipworks3ds_server_set($res, 87, $value );

Default Value

0

Remarks

When to use a Secure Sockets Layer (SSL) for the connection to the proxy. The applicable values are as follows:

psAutomatic (0)Default setting. If the URL is an https URL, the class will use the psTunnel option. If the URL is an http URL, the class will use the psNever option.
psAlways (1)The connection is always SSL-enabled.
psNever (2)The connection is not SSL-enabled.
psTunnel (3)The connection is made through a tunneling (HTTP) proxy.

Data Type

Integer

ProxyUser Property (IPWorks3DS_Server Class)

A username if authentication is to be used for the proxy.

Object Oriented Interface

public function getProxyUser();
public function setProxyUser($value);

Procedural Interface

ipworks3ds_server_get($res, 88 );
ipworks3ds_server_set($res, 88, $value );

Default Value

''

Remarks

A username if authentication is to be used for the proxy.

If ProxyAuthScheme is set to Basic Authentication, the ProxyUser and ProxyPassword properties are Base64 encoded and the proxy authentication token will be generated in the form Basic [encoded-user-password].

If ProxyAuthScheme is set to Digest Authentication, the ProxyUser and ProxyPassword properties are used to respond to the Digest Authentication challenge from the server.

If ProxyAuthScheme is set to NTLM Authentication, the ProxyUser and ProxyPassword properties are used to authenticate through NTLM negotiation.

Data Type

String

PurchaseAmount Property (IPWorks3DS_Server Class)

Purchase amount to be authorized.

Object Oriented Interface

public function getPurchaseAmount();
public function setPurchaseAmount($value);

Procedural Interface

ipworks3ds_server_get($res, 89 );
ipworks3ds_server_set($res, 89, $value );

Default Value

''

Remarks

This field contains the purchase amount to be authorized. The transaction amount is to be presented with an implied decimal point. For example, US $10.00 must be represented as 1000, and $0.10 is likewise simply 10. The allowable number of significant digits as well as the positioning of any implied decimal point is dictated by the designated PurchaseExponent. This field may not contain a negative number.

Data Type

String

PurchaseCurrency Property (IPWorks3DS_Server Class)

Identifies the type of currency used by the merchant.

Object Oriented Interface

public function getPurchaseCurrency();
public function setPurchaseCurrency($value);

Procedural Interface

ipworks3ds_server_get($res, 90 );
ipworks3ds_server_set($res, 90, $value );

Default Value

'840'

Remarks

This field contains the three digit number assigned by the signing member or processor to identify the currency in which PurchaseCurrency is expressed. This property should contain the ISO-4217 numeric code. For example, the ISO code for US Dollars is "840".

Data Type

String

PurchaseDate Property (IPWorks3DS_Server Class)

The date of the transaction.

Object Oriented Interface

public function getPurchaseDate();
public function setPurchaseDate($value);

Procedural Interface

ipworks3ds_server_get($res, 91 );
ipworks3ds_server_set($res, 91, $value );

Default Value

''

Remarks

This field contains the date and time of the purchase, expressed in UTC. The format of this field must be: YYYYMMDDHHMMSS

Data Type

String

PurchaseExponent Property (IPWorks3DS_Server Class)

Minor units of currency.

Object Oriented Interface

public function getPurchaseExponent();
public function setPurchaseExponent($value);

Procedural Interface

ipworks3ds_server_get($res, 92 );
ipworks3ds_server_set($res, 92, $value );

Default Value

'2'

Remarks

This field indicates the minor units, or number of decimal places, of the currency specified in the PurchaseCurrency property. For instance, the Japanese Yen has a value of "0", the US Dollar a value of "2", and the Kuwati Dinar a value of "3".

Data Type

String

RangeCount Property (IPWorks3DS_Server Class)

The number of records in the Range arrays.

Object Oriented Interface

public function getRangeCount();

Procedural Interface

ipworks3ds_server_get($res, 93 );

Default Value

0

Remarks

This property controls the size of the following arrays:

The array indices start at 0 and end at RangeCount - 1.

This property is read-only and not available at design time.

Data Type

Integer

RangeEnd Property (IPWorks3DS_Server Class)

The final card number in the current range.

Object Oriented Interface

public function getRangeEnd($rangeindex);

Procedural Interface

ipworks3ds_server_get($res, 94 , $rangeindex);

Default Value

''

Remarks

The final card number in the current range.

The $rangeindex parameter specifies the index of the item in the array. The size of the array is controlled by the RangeCount property.

This property is read-only and not available at design time.

Data Type

String

RangeStart Property (IPWorks3DS_Server Class)

The first card number in the current range.

Object Oriented Interface

public function getRangeStart($rangeindex);

Procedural Interface

ipworks3ds_server_get($res, 95 , $rangeindex);

Default Value

''

Remarks

The first card number in the current range.

The $rangeindex parameter specifies the index of the item in the array. The size of the array is controlled by the RangeCount property.

This property is read-only and not available at design time.

Data Type

String

RecurringExpDate Property (IPWorks3DS_Server Class)

Recurring expiration date.

Object Oriented Interface

public function getRecurringExpDate();
public function setRecurringExpDate($value);

Procedural Interface

ipworks3ds_server_get($res, 96 );
ipworks3ds_server_set($res, 96, $value );

Default Value

''

Remarks

This field contains the date after which no further authorizations shall be performed. The format of this field must be: YYYYMMDD

Required when AuthenticationIndicator is 02 or 03, or when ThreeRIIndicator is 01 or 02.

Data Type

String

RecurringFrequency Property (IPWorks3DS_Server Class)

The number of days between recurring payments.

Object Oriented Interface

public function getRecurringFrequency();
public function setRecurringFrequency($value);

Procedural Interface

ipworks3ds_server_get($res, 97 );
ipworks3ds_server_set($res, 97, $value );

Default Value

''

Remarks

This field indicates the minimum number of days between authorizations.

Required when AuthenticationIndicator is 02 or 03, or when ThreeRIIndicator is 01 or 02.

Data Type

String

RequestorId Property (IPWorks3DS_Server Class)

Directory server assigned 3DS Requestor identifier.

Object Oriented Interface

public function getRequestorId();
public function setRequestorId($value);

Procedural Interface

ipworks3ds_server_get($res, 98 );
ipworks3ds_server_set($res, 98, $value );

Default Value

''

Remarks

This field contains the 3DS Requestor identifier as assigned by the directory server. This is sent in the Authentication Request Message (AReq) sent by the component in the SendAuthRequest method.

Data Type

String

RequestorName Property (IPWorks3DS_Server Class)

Directory server assigned 3DS Requestor name.

Object Oriented Interface

public function getRequestorName();
public function setRequestorName($value);

Procedural Interface

ipworks3ds_server_get($res, 99 );
ipworks3ds_server_set($res, 99, $value );

Default Value

''

Remarks

This field contains the 3DS Requestor name as assigned by the directory server. This is sent in the Authentication Request Message (AReq) sent by the component in the SendAuthRequest method.

Data Type

String

RequestorURL Property (IPWorks3DS_Server Class)

3DS Requestor website or customer care site.

Object Oriented Interface

public function getRequestorURL();
public function setRequestorURL($value);

Procedural Interface

ipworks3ds_server_get($res, 100 );
ipworks3ds_server_set($res, 100, $value );

Default Value

''

Remarks

This field contains the fully qualified URL of the 3DS Requestor website or customer care site. This is sent in the Authentication Request Message (AReq) sent by the component in the SendAuthRequest method.

Data Type

String

ResultsStatus Property (IPWorks3DS_Server Class)

The status of the Results Request.

Object Oriented Interface

public function getResultsStatus();
public function setResultsStatus($value);

Procedural Interface

ipworks3ds_server_get($res, 101 );
ipworks3ds_server_set($res, 101, $value );

Default Value

0

Remarks

This field contains the status of the results request and is used when generating the Results Response Message (RRes) via the GetResultsResponse method. This will indicate if the message was successfully received for further processing or provide more detail to the ACS on why the challenge could not be completed.

Possible values include:

01Results Request Received for further Processing.
02Challenge Request not sent to ACS by 3DS Requestor (3DS Server or 3DS Requestor opted out of the challenge).
03ARes challenge data not delivered to the 3DS Requestor due to technical error.
043DS Server will process Decoupled Authentication in a subsequent authentication.

Before calling GetResultsResponse, the Server can use the value of the RequestorChallengeInd to determine whether or not a value of 02 is appropriate. It must use the necessary error handling logic when processing ARes messages to determine whether or not a value of 03 is appropriate.

If the TransactionStatus is D and a DecoupledRequestIndicator value of F or B was used, ResultsStatus should be set to 04 and a separate 3RI authentication should be initiated within 60 seconds.

Data Type

Integer

ResultsURL Property (IPWorks3DS_Server Class)

3DS Server URL.

Object Oriented Interface

public function getResultsURL();
public function setResultsURL($value);

Procedural Interface

ipworks3ds_server_get($res, 102 );
ipworks3ds_server_set($res, 102, $value );

Default Value

''

Remarks

Full qualified URL of the 3DS Server to which the directory server will send the Results Request Message (RReq) after the challenge has completed. This is sent to the directory server when calling the SendAuthRequest method.

Data Type

String

SDKType Property (IPWorks3DS_Server Class)

Type of the 3DS SDK used for the app-based flow.

Object Oriented Interface

public function getSDKType();
public function setSDKType($value);

Procedural Interface

ipworks3ds_server_get($res, 103 );
ipworks3ds_server_set($res, 103, $value );

Default Value

'01'

Remarks

Indicates the type of 3DS SDK. This provides additional information to the DS and ACS to determine the best approach for handling the transaction.

Valid values are:

01Default-SDK
02Split-SDK
When Default-SDK is selected (01), SDKWrapped can be used to indicate if the Default-SDK is embedded as a wrapped component in the 3DS Requestor App.

When Split-SDK is selected (02), SplitSDKVariant will indicate the implementation charactistics of the Split-SDK client, and SplitSDKLimited can be used to indicate if the Split-SDK client has limited capabilities.

This property is valid for MessageVersion 2.3.1 only.

Data Type

String

SerialNumber Property (IPWorks3DS_Server Class)

Serial number indicating the state of the current card range cache.

Object Oriented Interface

public function getSerialNumber();
public function setSerialNumber($value);

Procedural Interface

ipworks3ds_server_get($res, 104 );
ipworks3ds_server_set($res, 104, $value );

Default Value

''

Remarks

If this element is present when submitting a Preparation Request Message (PReq) with the RequestCardRanges method, the directory server returns card ranges that have been updated since the time of the response which returned this serial number. If this element is not present, the directory server returns all card ranges. This field is updated with a new serial number after each call to RequestCardRanges.

Data Type

String

ServerTransactionId Property (IPWorks3DS_Server Class)

Server transaction identifier.

Object Oriented Interface

public function getServerTransactionId();
public function setServerTransactionId($value);

Procedural Interface

ipworks3ds_server_get($res, 105 );
ipworks3ds_server_set($res, 105, $value );

Default Value

''

Remarks

Universally unique transaction identifier assigned by the 3DS Server to identify a single transaction. This value is generated by the class when GetMethodData or SendAuthRequest is called.

Data Type

String

ShippingAddressCity Property (IPWorks3DS_Server Class)

The city of the address.

Object Oriented Interface

public function getShippingAddressCity();
public function setShippingAddressCity($value);

Procedural Interface

ipworks3ds_server_get($res, 106 );
ipworks3ds_server_set($res, 106, $value );

Default Value

''

Remarks

The city of the address. The maximum length is 50 characters.

Data Type

String

ShippingAddressCountry Property (IPWorks3DS_Server Class)

The country of the address.

Object Oriented Interface

public function getShippingAddressCountry();
public function setShippingAddressCountry($value);

Procedural Interface

ipworks3ds_server_get($res, 107 );
ipworks3ds_server_set($res, 107, $value );

Default Value

''

Remarks

The country of the address. The format is a 3 digit country code as defined in ISO 3166-1.

Data Type

String

ShippingAddressLine1 Property (IPWorks3DS_Server Class)

The first line of the street address or equivalent local portion of the address.

Object Oriented Interface

public function getShippingAddressLine1();
public function setShippingAddressLine1($value);

Procedural Interface

ipworks3ds_server_get($res, 108 );
ipworks3ds_server_set($res, 108, $value );

Default Value

''

Remarks

The first line of the street address or equivalent local portion of the address. The maximum length is 50 characters.

Data Type

String

ShippingAddressLine2 Property (IPWorks3DS_Server Class)

The second line of the street address or equivalent local portion of the address.

Object Oriented Interface

public function getShippingAddressLine2();
public function setShippingAddressLine2($value);

Procedural Interface

ipworks3ds_server_get($res, 109 );
ipworks3ds_server_set($res, 109, $value );

Default Value

''

Remarks

The second line of the street address or equivalent local portion of the address. The maximum length is 50 characters.

Data Type

String

ShippingAddressLine3 Property (IPWorks3DS_Server Class)

The third line of the street address or equivalent local portion of the address.

Object Oriented Interface

public function getShippingAddressLine3();
public function setShippingAddressLine3($value);

Procedural Interface

ipworks3ds_server_get($res, 110 );
ipworks3ds_server_set($res, 110, $value );

Default Value

''

Remarks

The third line of the street address or equivalent local portion of the address. The maximum length is 50 characters.

Data Type

String

ShippingAddressPostalCode Property (IPWorks3DS_Server Class)

The ZIP or other postal code of the address.

Object Oriented Interface

public function getShippingAddressPostalCode();
public function setShippingAddressPostalCode($value);

Procedural Interface

ipworks3ds_server_get($res, 111 );
ipworks3ds_server_set($res, 111, $value );

Default Value

''

Remarks

The ZIP or other postal code of the address. The maximum length is 16 characters.

Data Type

String

ShippingAddressState Property (IPWorks3DS_Server Class)

The state or province of the address.

Object Oriented Interface

public function getShippingAddressState();
public function setShippingAddressState($value);

Procedural Interface

ipworks3ds_server_get($res, 112 );
ipworks3ds_server_set($res, 112, $value );

Default Value

''

Remarks

The state or province of the address. The maximum length is 3 characters and should be the country subdivision code defined in ISO 3166-2.

Data Type

String

SSLAcceptServerCertEffectiveDate Property (IPWorks3DS_Server Class)

The date on which this certificate becomes valid.

Object Oriented Interface

public function getSSLAcceptServerCertEffectiveDate();

Procedural Interface

ipworks3ds_server_get($res, 113 );

Default Value

''

Remarks

The date on which this certificate becomes valid. Before this date, it is not valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:

23-Jan-2000 15:00:00.

This property is read-only.

Data Type

String

SSLAcceptServerCertExpirationDate Property (IPWorks3DS_Server Class)

The date on which the certificate expires.

Object Oriented Interface

public function getSSLAcceptServerCertExpirationDate();

Procedural Interface

ipworks3ds_server_get($res, 114 );

Default Value

''

Remarks

The date on which the certificate expires. After this date, the certificate will no longer be valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:

23-Jan-2001 15:00:00.

This property is read-only.

Data Type

String

SSLAcceptServerCertExtendedKeyUsage Property (IPWorks3DS_Server Class)

A comma-delimited list of extended key usage identifiers.

Object Oriented Interface

public function getSSLAcceptServerCertExtendedKeyUsage();

Procedural Interface

ipworks3ds_server_get($res, 115 );

Default Value

''

Remarks

A comma-delimited list of extended key usage identifiers. These are the same as ASN.1 object identifiers (OIDs).

This property is read-only.

Data Type

String

SSLAcceptServerCertFingerprint Property (IPWorks3DS_Server Class)

The hex-encoded, 16-byte MD5 fingerprint of the certificate.

Object Oriented Interface

public function getSSLAcceptServerCertFingerprint();

Procedural Interface

ipworks3ds_server_get($res, 116 );

Default Value

''

Remarks

The hex-encoded, 16-byte MD5 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: bc:2a:72:af:fe:58:17:43:7a:5f:ba:5a:7c:90:f7:02

This property is read-only.

Data Type

String

SSLAcceptServerCertFingerprintSHA1 Property (IPWorks3DS_Server Class)

The hex-encoded, 20-byte SHA-1 fingerprint of the certificate.

Object Oriented Interface

public function getSSLAcceptServerCertFingerprintSHA1();

Procedural Interface

ipworks3ds_server_get($res, 117 );

Default Value

''

Remarks

The hex-encoded, 20-byte SHA-1 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 30:7b:fa:38:65:83:ff:da:b4:4e:07:3f:17:b8:a4:ed:80:be:ff:84

This property is read-only.

Data Type

String

SSLAcceptServerCertFingerprintSHA256 Property (IPWorks3DS_Server Class)

The hex-encoded, 32-byte SHA-256 fingerprint of the certificate.

Object Oriented Interface

public function getSSLAcceptServerCertFingerprintSHA256();

Procedural Interface

ipworks3ds_server_get($res, 118 );

Default Value

''

Remarks

The hex-encoded, 32-byte SHA-256 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 6a:80:5c:33:a9:43:ea:b0:96:12:8a:64:96:30:ef:4a:8a:96:86:ce:f4:c7:be:10:24:8e:2b:60:9e:f3:59:53

This property is read-only.

Data Type

String

SSLAcceptServerCertIssuer Property (IPWorks3DS_Server Class)

The issuer of the certificate.

Object Oriented Interface

public function getSSLAcceptServerCertIssuer();

Procedural Interface

ipworks3ds_server_get($res, 119 );

Default Value

''

Remarks

The issuer of the certificate. This property contains a string representation of the name of the issuing authority for the certificate.

This property is read-only.

Data Type

String

SSLAcceptServerCertPrivateKey Property (IPWorks3DS_Server Class)

The private key of the certificate (if available).

Object Oriented Interface

public function getSSLAcceptServerCertPrivateKey();

Procedural Interface

ipworks3ds_server_get($res, 120 );

Default Value

''

Remarks

The private key of the certificate (if available). The key is provided as PEM/Base64-encoded data.

Note: The SSLAcceptServerCertPrivateKey may be available but not exportable. In this case, SSLAcceptServerCertPrivateKey returns an empty string.

This property is read-only.

Data Type

String

SSLAcceptServerCertPrivateKeyAvailable Property (IPWorks3DS_Server Class)

Whether a PrivateKey is available for the selected certificate.

Object Oriented Interface

public function getSSLAcceptServerCertPrivateKeyAvailable();

Procedural Interface

ipworks3ds_server_get($res, 121 );

Default Value

false

Remarks

Whether a SSLAcceptServerCertPrivateKey is available for the selected certificate. If SSLAcceptServerCertPrivateKeyAvailable is True, the certificate may be used for authentication purposes (e.g., server authentication).

This property is read-only.

Data Type

Boolean

SSLAcceptServerCertPrivateKeyContainer Property (IPWorks3DS_Server Class)

The name of the PrivateKey container for the certificate (if available).

Object Oriented Interface

public function getSSLAcceptServerCertPrivateKeyContainer();

Procedural Interface

ipworks3ds_server_get($res, 122 );

Default Value

''

Remarks

The name of the SSLAcceptServerCertPrivateKey container for the certificate (if available). This functionality is available only on Windows platforms.

This property is read-only.

Data Type

String

SSLAcceptServerCertPublicKey Property (IPWorks3DS_Server Class)

The public key of the certificate.

Object Oriented Interface

public function getSSLAcceptServerCertPublicKey();

Procedural Interface

ipworks3ds_server_get($res, 123 );

Default Value

''

Remarks

The public key of the certificate. The key is provided as PEM/Base64-encoded data.

This property is read-only.

Data Type

String

SSLAcceptServerCertPublicKeyAlgorithm Property (IPWorks3DS_Server Class)

The textual description of the certificate's public key algorithm.

Object Oriented Interface

public function getSSLAcceptServerCertPublicKeyAlgorithm();

Procedural Interface

ipworks3ds_server_get($res, 124 );

Default Value

''

Remarks

The textual description of the certificate's public key algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_DH") or an object identifier (OID) string representing the algorithm.

This property is read-only.

Data Type

String

SSLAcceptServerCertPublicKeyLength Property (IPWorks3DS_Server Class)

The length of the certificate's public key (in bits).

Object Oriented Interface

public function getSSLAcceptServerCertPublicKeyLength();

Procedural Interface

ipworks3ds_server_get($res, 125 );

Default Value

0

Remarks

The length of the certificate's public key (in bits). Common values are 512, 1024, and 2048.

This property is read-only.

Data Type

Integer

SSLAcceptServerCertSerialNumber Property (IPWorks3DS_Server Class)

The serial number of the certificate encoded as a string.

Object Oriented Interface

public function getSSLAcceptServerCertSerialNumber();

Procedural Interface

ipworks3ds_server_get($res, 126 );

Default Value

''

Remarks

The serial number of the certificate encoded as a string. The number is encoded as a series of hexadecimal digits, with each pair representing a byte of the serial number.

This property is read-only.

Data Type

String

SSLAcceptServerCertSignatureAlgorithm Property (IPWorks3DS_Server Class)

The text description of the certificate's signature algorithm.

Object Oriented Interface

public function getSSLAcceptServerCertSignatureAlgorithm();

Procedural Interface

ipworks3ds_server_get($res, 127 );

Default Value

''

Remarks

The text description of the certificate's signature algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_MD5RSA") or an object identifier (OID) string representing the algorithm.

This property is read-only.

Data Type

String

SSLAcceptServerCertStore Property (IPWorks3DS_Server Class)

The name of the certificate store for the client certificate.

Object Oriented Interface

public function getSSLAcceptServerCertStore();
public function setSSLAcceptServerCertStore($value);

Procedural Interface

ipworks3ds_server_get($res, 128 );
ipworks3ds_server_set($res, 128, $value );

Default Value

'MY'

Remarks

The name of the certificate store for the client certificate.

The SSLAcceptServerCertStoreType property denotes the type of the certificate store specified by SSLAcceptServerCertStore. If the store is password-protected, specify the password in SSLAcceptServerCertStorePassword.

SSLAcceptServerCertStore is used in conjunction with the SSLAcceptServerCertSubject property to specify client certificates. If SSLAcceptServerCertStore has a value, and SSLAcceptServerCertSubject or SSLAcceptServerCertEncoded is set, a search for a certificate is initiated. Please see the SSLAcceptServerCertSubject property for details.

Designations of certificate stores are platform dependent.

The following designations are the most common User and Machine certificate stores in Windows:

MYA certificate store holding personal certificates with their associated private keys.
CACertifying authority certificates.
ROOTRoot certificates.

When the certificate store type is cstPFXFile, this property must be set to the name of the file. When the type is cstPFXBlob, the property must be set to the binary contents of a PFX file (i.e., PKCS#12 certificate store).

Data Type

Binary String

SSLAcceptServerCertStorePassword Property (IPWorks3DS_Server Class)

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

Object Oriented Interface

public function getSSLAcceptServerCertStorePassword();
public function setSSLAcceptServerCertStorePassword($value);

Procedural Interface

ipworks3ds_server_get($res, 129 );
ipworks3ds_server_set($res, 129, $value );

Default Value

''

Remarks

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

Data Type

String

SSLAcceptServerCertStoreType Property (IPWorks3DS_Server Class)

The type of certificate store for this certificate.

Object Oriented Interface

public function getSSLAcceptServerCertStoreType();
public function setSSLAcceptServerCertStoreType($value);

Procedural Interface

ipworks3ds_server_get($res, 130 );
ipworks3ds_server_set($res, 130, $value );

Default Value

0

Remarks

The type of certificate store for this certificate.

The class supports both public and private keys in a variety of formats. When the cstAuto value is used, the class will automatically determine the type. This property can take one of the following values:

0 (cstUser - default)For Windows, this specifies that the certificate store is a certificate store owned by the current user.

Note: This store type is not available in Java.

1 (cstMachine)For Windows, this specifies that the certificate store is a machine store.

Note: This store type is not available in Java.

2 (cstPFXFile)The certificate store is the name of a PFX (PKCS#12) file containing certificates.
3 (cstPFXBlob)The certificate store is a string (binary or Base64-encoded) representing a certificate store in PFX (PKCS#12) format.
4 (cstJKSFile)The certificate store is the name of a Java Key Store (JKS) file containing certificates.

Note: This store type is only available in Java.

5 (cstJKSBlob)The certificate store is a string (binary or Base64-encoded) representing a certificate store in Java Key Store (JKS) format.

Note: This store type is only available in Java.

6 (cstPEMKeyFile)The certificate store is the name of a PEM-encoded file that contains a private key and an optional certificate.
7 (cstPEMKeyBlob)The certificate store is a string (binary or Base64-encoded) that contains a private key and an optional certificate.
8 (cstPublicKeyFile)The certificate store is the name of a file that contains a PEM- or DER-encoded public key certificate.
9 (cstPublicKeyBlob)The certificate store is a string (binary or Base64-encoded) that contains a PEM- or DER-encoded public key certificate.
10 (cstSSHPublicKeyBlob)The certificate store is a string (binary or Base64-encoded) that contains an SSH-style public key.
11 (cstP7BFile)The certificate store is the name of a PKCS#7 file containing certificates.
12 (cstP7BBlob)The certificate store is a string (binary) representing a certificate store in PKCS#7 format.
13 (cstSSHPublicKeyFile)The certificate store is the name of a file that contains an SSH-style public key.
14 (cstPPKFile)The certificate store is the name of a file that contains a PPK (PuTTY Private Key).
15 (cstPPKBlob)The certificate store is a string (binary) that contains a PPK (PuTTY Private Key).
16 (cstXMLFile)The certificate store is the name of a file that contains a certificate in XML format.
17 (cstXMLBlob)The certificate store is a string that contains a certificate in XML format.
18 (cstJWKFile)The certificate store is the name of a file that contains a JWK (JSON Web Key).
19 (cstJWKBlob)The certificate store is a string that contains a JWK (JSON Web Key).
21 (cstBCFKSFile)The certificate store is the name of a file that contains a BCFKS (Bouncy Castle FIPS Key Store).

Note: This store type is only available in Java and .NET.

22 (cstBCFKSBlob)The certificate store is a string (binary or Base64-encoded) representing a certificate store in BCFKS (Bouncy Castle FIPS Key Store) format.

Note: This store type is only available in Java and .NET.

23 (cstPKCS11)The certificate is present on a physical security key accessible via a PKCS#11 interface.

To use a security key, the necessary data must first be collected using the CertMgr class. The ListStoreCertificates method may be called after setting CertStoreType to cstPKCS11, CertStorePassword to the PIN, and CertStore to the full path of the PKCS#11 DLL. The certificate information returned in the CertList event's CertEncoded parameter may be saved for later use.

When using a certificate, pass the previously saved security key information as the SSLAcceptServerCertStore and set SSLAcceptServerCertStorePassword to the PIN.

Code Example. SSH Authentication with Security Key: certmgr.CertStoreType = CertStoreTypes.cstPKCS11; certmgr.OnCertList += (s, e) => { secKeyBlob = e.CertEncoded; }; certmgr.CertStore = @"C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll"; certmgr.CertStorePassword = "123456"; //PIN certmgr.ListStoreCertificates(); sftp.SSHCert = new Certificate(CertStoreTypes.cstPKCS11, secKeyBlob, "123456", "*"); sftp.SSHUser = "test"; sftp.SSHLogon("myhost", 22);

99 (cstAuto)The store type is automatically detected from the input data. This setting may be used with both public and private keys and can detect any of the supported formats automatically.

Data Type

Integer

SSLAcceptServerCertSubjectAltNames Property (IPWorks3DS_Server Class)

Comma-separated lists of alternative subject names for the certificate.

Object Oriented Interface

public function getSSLAcceptServerCertSubjectAltNames();

Procedural Interface

ipworks3ds_server_get($res, 131 );

Default Value

''

Remarks

Comma-separated lists of alternative subject names for the certificate.

This property is read-only.

Data Type

String

SSLAcceptServerCertThumbprintMD5 Property (IPWorks3DS_Server Class)

The MD5 hash of the certificate.

Object Oriented Interface

public function getSSLAcceptServerCertThumbprintMD5();

Procedural Interface

ipworks3ds_server_get($res, 132 );

Default Value

''

Remarks

The MD5 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

Data Type

String

SSLAcceptServerCertThumbprintSHA1 Property (IPWorks3DS_Server Class)

The SHA-1 hash of the certificate.

Object Oriented Interface

public function getSSLAcceptServerCertThumbprintSHA1();

Procedural Interface

ipworks3ds_server_get($res, 133 );

Default Value

''

Remarks

The SHA-1 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

Data Type

String

SSLAcceptServerCertThumbprintSHA256 Property (IPWorks3DS_Server Class)

The SHA-256 hash of the certificate.

Object Oriented Interface

public function getSSLAcceptServerCertThumbprintSHA256();

Procedural Interface

ipworks3ds_server_get($res, 134 );

Default Value

''

Remarks

The SHA-256 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

Data Type

String

SSLAcceptServerCertUsage Property (IPWorks3DS_Server Class)

The text description of UsageFlags .

Object Oriented Interface

public function getSSLAcceptServerCertUsage();

Procedural Interface

ipworks3ds_server_get($res, 135 );

Default Value

''

Remarks

The text description of SSLAcceptServerCertUsageFlags.

This value will be one or more of the following strings and will be separated by commas:

  • Digital Signature
  • Non-Repudiation
  • Key Encipherment
  • Data Encipherment
  • Key Agreement
  • Certificate Signing
  • CRL Signing
  • Encipher Only

If the provider is OpenSSL, the value is a comma-separated list of X.509 certificate extension names.

This property is read-only.

Data Type

String

SSLAcceptServerCertUsageFlags Property (IPWorks3DS_Server Class)

The flags that show intended use for the certificate.

Object Oriented Interface

public function getSSLAcceptServerCertUsageFlags();

Procedural Interface

ipworks3ds_server_get($res, 136 );

Default Value

0

Remarks

The flags that show intended use for the certificate. The value of SSLAcceptServerCertUsageFlags is a combination of the following flags:

0x80Digital Signature
0x40Non-Repudiation
0x20Key Encipherment
0x10Data Encipherment
0x08Key Agreement
0x04Certificate Signing
0x02CRL Signing
0x01Encipher Only

Please see the SSLAcceptServerCertUsage property for a text representation of SSLAcceptServerCertUsageFlags.

This functionality currently is not available when the provider is OpenSSL.

This property is read-only.

Data Type

Integer

SSLAcceptServerCertVersion Property (IPWorks3DS_Server Class)

The certificate's version number.

Object Oriented Interface

public function getSSLAcceptServerCertVersion();

Procedural Interface

ipworks3ds_server_get($res, 137 );

Default Value

''

Remarks

The certificate's version number. The possible values are the strings "V1", "V2", and "V3".

This property is read-only.

Data Type

String

SSLAcceptServerCertSubject Property (IPWorks3DS_Server Class)

The subject of the certificate used for client authentication.

Object Oriented Interface

public function getSSLAcceptServerCertSubject();
public function setSSLAcceptServerCertSubject($value);

Procedural Interface

ipworks3ds_server_get($res, 138 );
ipworks3ds_server_set($res, 138, $value );

Default Value

''

Remarks

The subject of the certificate used for client authentication.

This property must be set after all other certificate properties are set. When this property is set, a search is performed in the current certificate store to locate a certificate with a matching subject.

If a matching certificate is found, the property is set to the full subject of the matching certificate.

If an exact match is not found, the store is searched for subjects containing the value of the property.

If a match is still not found, the property is set to an empty string, and no certificate is selected.

The special value "*" picks a random certificate in the certificate store.

The certificate subject is a comma-separated list of distinguished name fields and values. For instance, "CN=www.server.com, OU=test, C=US, E=support@nsoftware.com". Common fields and their meanings are as follows:

FieldMeaning
CNCommon Name. This is commonly a hostname like www.server.com.
OOrganization
OUOrganizational Unit
LLocality
SState
CCountry
EEmail Address

If a field value contains a comma, it must be quoted.

Data Type

String

SSLAcceptServerCertEncoded Property (IPWorks3DS_Server Class)

The certificate (PEM/Base64 encoded).

Object Oriented Interface

public function getSSLAcceptServerCertEncoded();
public function setSSLAcceptServerCertEncoded($value);

Procedural Interface

ipworks3ds_server_get($res, 139 );
ipworks3ds_server_set($res, 139, $value );

Default Value

''

Remarks

The certificate (PEM/Base64 encoded). This property is used to assign a specific certificate. The SSLAcceptServerCertStore and SSLAcceptServerCertSubject properties also may be used to specify a certificate.

When SSLAcceptServerCertEncoded is set, a search is initiated in the current SSLAcceptServerCertStore for the private key of the certificate. If the key is found, SSLAcceptServerCertSubject is updated to reflect the full subject of the selected certificate; otherwise, SSLAcceptServerCertSubject is set to an empty string.

This property is not available at design time.

Data Type

Binary String

SSLCertEffectiveDate Property (IPWorks3DS_Server Class)

The date on which this certificate becomes valid.

Object Oriented Interface

public function getSSLCertEffectiveDate();

Procedural Interface

ipworks3ds_server_get($res, 140 );

Default Value

''

Remarks

The date on which this certificate becomes valid. Before this date, it is not valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:

23-Jan-2000 15:00:00.

This property is read-only.

Data Type

String

SSLCertExpirationDate Property (IPWorks3DS_Server Class)

The date on which the certificate expires.

Object Oriented Interface

public function getSSLCertExpirationDate();

Procedural Interface

ipworks3ds_server_get($res, 141 );

Default Value

''

Remarks

The date on which the certificate expires. After this date, the certificate will no longer be valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:

23-Jan-2001 15:00:00.

This property is read-only.

Data Type

String

SSLCertExtendedKeyUsage Property (IPWorks3DS_Server Class)

A comma-delimited list of extended key usage identifiers.

Object Oriented Interface

public function getSSLCertExtendedKeyUsage();

Procedural Interface

ipworks3ds_server_get($res, 142 );

Default Value

''

Remarks

A comma-delimited list of extended key usage identifiers. These are the same as ASN.1 object identifiers (OIDs).

This property is read-only.

Data Type

String

SSLCertFingerprint Property (IPWorks3DS_Server Class)

The hex-encoded, 16-byte MD5 fingerprint of the certificate.

Object Oriented Interface

public function getSSLCertFingerprint();

Procedural Interface

ipworks3ds_server_get($res, 143 );

Default Value

''

Remarks

The hex-encoded, 16-byte MD5 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: bc:2a:72:af:fe:58:17:43:7a:5f:ba:5a:7c:90:f7:02

This property is read-only.

Data Type

String

SSLCertFingerprintSHA1 Property (IPWorks3DS_Server Class)

The hex-encoded, 20-byte SHA-1 fingerprint of the certificate.

Object Oriented Interface

public function getSSLCertFingerprintSHA1();

Procedural Interface

ipworks3ds_server_get($res, 144 );

Default Value

''

Remarks

The hex-encoded, 20-byte SHA-1 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 30:7b:fa:38:65:83:ff:da:b4:4e:07:3f:17:b8:a4:ed:80:be:ff:84

This property is read-only.

Data Type

String

SSLCertFingerprintSHA256 Property (IPWorks3DS_Server Class)

The hex-encoded, 32-byte SHA-256 fingerprint of the certificate.

Object Oriented Interface

public function getSSLCertFingerprintSHA256();

Procedural Interface

ipworks3ds_server_get($res, 145 );

Default Value

''

Remarks

The hex-encoded, 32-byte SHA-256 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 6a:80:5c:33:a9:43:ea:b0:96:12:8a:64:96:30:ef:4a:8a:96:86:ce:f4:c7:be:10:24:8e:2b:60:9e:f3:59:53

This property is read-only.

Data Type

String

SSLCertIssuer Property (IPWorks3DS_Server Class)

The issuer of the certificate.

Object Oriented Interface

public function getSSLCertIssuer();

Procedural Interface

ipworks3ds_server_get($res, 146 );

Default Value

''

Remarks

The issuer of the certificate. This property contains a string representation of the name of the issuing authority for the certificate.

This property is read-only.

Data Type

String

SSLCertPrivateKey Property (IPWorks3DS_Server Class)

The private key of the certificate (if available).

Object Oriented Interface

public function getSSLCertPrivateKey();

Procedural Interface

ipworks3ds_server_get($res, 147 );

Default Value

''

Remarks

The private key of the certificate (if available). The key is provided as PEM/Base64-encoded data.

Note: The SSLCertPrivateKey may be available but not exportable. In this case, SSLCertPrivateKey returns an empty string.

This property is read-only.

Data Type

String

SSLCertPrivateKeyAvailable Property (IPWorks3DS_Server Class)

Whether a PrivateKey is available for the selected certificate.

Object Oriented Interface

public function getSSLCertPrivateKeyAvailable();

Procedural Interface

ipworks3ds_server_get($res, 148 );

Default Value

false

Remarks

Whether a SSLCertPrivateKey is available for the selected certificate. If SSLCertPrivateKeyAvailable is True, the certificate may be used for authentication purposes (e.g., server authentication).

This property is read-only.

Data Type

Boolean

SSLCertPrivateKeyContainer Property (IPWorks3DS_Server Class)

The name of the PrivateKey container for the certificate (if available).

Object Oriented Interface

public function getSSLCertPrivateKeyContainer();

Procedural Interface

ipworks3ds_server_get($res, 149 );

Default Value

''

Remarks

The name of the SSLCertPrivateKey container for the certificate (if available). This functionality is available only on Windows platforms.

This property is read-only.

Data Type

String

SSLCertPublicKey Property (IPWorks3DS_Server Class)

The public key of the certificate.

Object Oriented Interface

public function getSSLCertPublicKey();

Procedural Interface

ipworks3ds_server_get($res, 150 );

Default Value

''

Remarks

The public key of the certificate. The key is provided as PEM/Base64-encoded data.

This property is read-only.

Data Type

String

SSLCertPublicKeyAlgorithm Property (IPWorks3DS_Server Class)

The textual description of the certificate's public key algorithm.

Object Oriented Interface

public function getSSLCertPublicKeyAlgorithm();

Procedural Interface

ipworks3ds_server_get($res, 151 );

Default Value

''

Remarks

The textual description of the certificate's public key algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_DH") or an object identifier (OID) string representing the algorithm.

This property is read-only.

Data Type

String

SSLCertPublicKeyLength Property (IPWorks3DS_Server Class)

The length of the certificate's public key (in bits).

Object Oriented Interface

public function getSSLCertPublicKeyLength();

Procedural Interface

ipworks3ds_server_get($res, 152 );

Default Value

0

Remarks

The length of the certificate's public key (in bits). Common values are 512, 1024, and 2048.

This property is read-only.

Data Type

Integer

SSLCertSerialNumber Property (IPWorks3DS_Server Class)

The serial number of the certificate encoded as a string.

Object Oriented Interface

public function getSSLCertSerialNumber();

Procedural Interface

ipworks3ds_server_get($res, 153 );

Default Value

''

Remarks

The serial number of the certificate encoded as a string. The number is encoded as a series of hexadecimal digits, with each pair representing a byte of the serial number.

This property is read-only.

Data Type

String

SSLCertSignatureAlgorithm Property (IPWorks3DS_Server Class)

The text description of the certificate's signature algorithm.

Object Oriented Interface

public function getSSLCertSignatureAlgorithm();

Procedural Interface

ipworks3ds_server_get($res, 154 );

Default Value

''

Remarks

The text description of the certificate's signature algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_MD5RSA") or an object identifier (OID) string representing the algorithm.

This property is read-only.

Data Type

String

SSLCertStore Property (IPWorks3DS_Server Class)

The name of the certificate store for the client certificate.

Object Oriented Interface

public function getSSLCertStore();
public function setSSLCertStore($value);

Procedural Interface

ipworks3ds_server_get($res, 155 );
ipworks3ds_server_set($res, 155, $value );

Default Value

'MY'

Remarks

The name of the certificate store for the client certificate.

The SSLCertStoreType property denotes the type of the certificate store specified by SSLCertStore. If the store is password-protected, specify the password in SSLCertStorePassword.

SSLCertStore is used in conjunction with the SSLCertSubject property to specify client certificates. If SSLCertStore has a value, and SSLCertSubject or SSLCertEncoded is set, a search for a certificate is initiated. Please see the SSLCertSubject property for details.

Designations of certificate stores are platform dependent.

The following designations are the most common User and Machine certificate stores in Windows:

MYA certificate store holding personal certificates with their associated private keys.
CACertifying authority certificates.
ROOTRoot certificates.

When the certificate store type is cstPFXFile, this property must be set to the name of the file. When the type is cstPFXBlob, the property must be set to the binary contents of a PFX file (i.e., PKCS#12 certificate store).

Data Type

Binary String

SSLCertStorePassword Property (IPWorks3DS_Server Class)

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

Object Oriented Interface

public function getSSLCertStorePassword();
public function setSSLCertStorePassword($value);

Procedural Interface

ipworks3ds_server_get($res, 156 );
ipworks3ds_server_set($res, 156, $value );

Default Value

''

Remarks

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

Data Type

String

SSLCertStoreType Property (IPWorks3DS_Server Class)

The type of certificate store for this certificate.

Object Oriented Interface

public function getSSLCertStoreType();
public function setSSLCertStoreType($value);

Procedural Interface

ipworks3ds_server_get($res, 157 );
ipworks3ds_server_set($res, 157, $value );

Default Value

0

Remarks

The type of certificate store for this certificate.

The class supports both public and private keys in a variety of formats. When the cstAuto value is used, the class will automatically determine the type. This property can take one of the following values:

0 (cstUser - default)For Windows, this specifies that the certificate store is a certificate store owned by the current user.

Note: This store type is not available in Java.

1 (cstMachine)For Windows, this specifies that the certificate store is a machine store.

Note: This store type is not available in Java.

2 (cstPFXFile)The certificate store is the name of a PFX (PKCS#12) file containing certificates.
3 (cstPFXBlob)The certificate store is a string (binary or Base64-encoded) representing a certificate store in PFX (PKCS#12) format.
4 (cstJKSFile)The certificate store is the name of a Java Key Store (JKS) file containing certificates.

Note: This store type is only available in Java.

5 (cstJKSBlob)The certificate store is a string (binary or Base64-encoded) representing a certificate store in Java Key Store (JKS) format.

Note: This store type is only available in Java.

6 (cstPEMKeyFile)The certificate store is the name of a PEM-encoded file that contains a private key and an optional certificate.
7 (cstPEMKeyBlob)The certificate store is a string (binary or Base64-encoded) that contains a private key and an optional certificate.
8 (cstPublicKeyFile)The certificate store is the name of a file that contains a PEM- or DER-encoded public key certificate.
9 (cstPublicKeyBlob)The certificate store is a string (binary or Base64-encoded) that contains a PEM- or DER-encoded public key certificate.
10 (cstSSHPublicKeyBlob)The certificate store is a string (binary or Base64-encoded) that contains an SSH-style public key.
11 (cstP7BFile)The certificate store is the name of a PKCS#7 file containing certificates.
12 (cstP7BBlob)The certificate store is a string (binary) representing a certificate store in PKCS#7 format.
13 (cstSSHPublicKeyFile)The certificate store is the name of a file that contains an SSH-style public key.
14 (cstPPKFile)The certificate store is the name of a file that contains a PPK (PuTTY Private Key).
15 (cstPPKBlob)The certificate store is a string (binary) that contains a PPK (PuTTY Private Key).
16 (cstXMLFile)The certificate store is the name of a file that contains a certificate in XML format.
17 (cstXMLBlob)The certificate store is a string that contains a certificate in XML format.
18 (cstJWKFile)The certificate store is the name of a file that contains a JWK (JSON Web Key).
19 (cstJWKBlob)The certificate store is a string that contains a JWK (JSON Web Key).
21 (cstBCFKSFile)The certificate store is the name of a file that contains a BCFKS (Bouncy Castle FIPS Key Store).

Note: This store type is only available in Java and .NET.

22 (cstBCFKSBlob)The certificate store is a string (binary or Base64-encoded) representing a certificate store in BCFKS (Bouncy Castle FIPS Key Store) format.

Note: This store type is only available in Java and .NET.

23 (cstPKCS11)The certificate is present on a physical security key accessible via a PKCS#11 interface.

To use a security key, the necessary data must first be collected using the CertMgr class. The ListStoreCertificates method may be called after setting CertStoreType to cstPKCS11, CertStorePassword to the PIN, and CertStore to the full path of the PKCS#11 DLL. The certificate information returned in the CertList event's CertEncoded parameter may be saved for later use.

When using a certificate, pass the previously saved security key information as the SSLCertStore and set SSLCertStorePassword to the PIN.

Code Example. SSH Authentication with Security Key: certmgr.CertStoreType = CertStoreTypes.cstPKCS11; certmgr.OnCertList += (s, e) => { secKeyBlob = e.CertEncoded; }; certmgr.CertStore = @"C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll"; certmgr.CertStorePassword = "123456"; //PIN certmgr.ListStoreCertificates(); sftp.SSHCert = new Certificate(CertStoreTypes.cstPKCS11, secKeyBlob, "123456", "*"); sftp.SSHUser = "test"; sftp.SSHLogon("myhost", 22);

99 (cstAuto)The store type is automatically detected from the input data. This setting may be used with both public and private keys and can detect any of the supported formats automatically.

Data Type

Integer

SSLCertSubjectAltNames Property (IPWorks3DS_Server Class)

Comma-separated lists of alternative subject names for the certificate.

Object Oriented Interface

public function getSSLCertSubjectAltNames();

Procedural Interface

ipworks3ds_server_get($res, 158 );

Default Value

''

Remarks

Comma-separated lists of alternative subject names for the certificate.

This property is read-only.

Data Type

String

SSLCertThumbprintMD5 Property (IPWorks3DS_Server Class)

The MD5 hash of the certificate.

Object Oriented Interface

public function getSSLCertThumbprintMD5();

Procedural Interface

ipworks3ds_server_get($res, 159 );

Default Value

''

Remarks

The MD5 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

Data Type

String

SSLCertThumbprintSHA1 Property (IPWorks3DS_Server Class)

The SHA-1 hash of the certificate.

Object Oriented Interface

public function getSSLCertThumbprintSHA1();

Procedural Interface

ipworks3ds_server_get($res, 160 );

Default Value

''

Remarks

The SHA-1 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

Data Type

String

SSLCertThumbprintSHA256 Property (IPWorks3DS_Server Class)

The SHA-256 hash of the certificate.

Object Oriented Interface

public function getSSLCertThumbprintSHA256();

Procedural Interface

ipworks3ds_server_get($res, 161 );

Default Value

''

Remarks

The SHA-256 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

Data Type

String

SSLCertUsage Property (IPWorks3DS_Server Class)

The text description of UsageFlags .

Object Oriented Interface

public function getSSLCertUsage();

Procedural Interface

ipworks3ds_server_get($res, 162 );

Default Value

''

Remarks

The text description of SSLCertUsageFlags.

This value will be one or more of the following strings and will be separated by commas:

  • Digital Signature
  • Non-Repudiation
  • Key Encipherment
  • Data Encipherment
  • Key Agreement
  • Certificate Signing
  • CRL Signing
  • Encipher Only

If the provider is OpenSSL, the value is a comma-separated list of X.509 certificate extension names.

This property is read-only.

Data Type

String

SSLCertUsageFlags Property (IPWorks3DS_Server Class)

The flags that show intended use for the certificate.

Object Oriented Interface

public function getSSLCertUsageFlags();

Procedural Interface

ipworks3ds_server_get($res, 163 );

Default Value

0

Remarks

The flags that show intended use for the certificate. The value of SSLCertUsageFlags is a combination of the following flags:

0x80Digital Signature
0x40Non-Repudiation
0x20Key Encipherment
0x10Data Encipherment
0x08Key Agreement
0x04Certificate Signing
0x02CRL Signing
0x01Encipher Only

Please see the SSLCertUsage property for a text representation of SSLCertUsageFlags.

This functionality currently is not available when the provider is OpenSSL.

This property is read-only.

Data Type

Integer

SSLCertVersion Property (IPWorks3DS_Server Class)

The certificate's version number.

Object Oriented Interface

public function getSSLCertVersion();

Procedural Interface

ipworks3ds_server_get($res, 164 );

Default Value

''

Remarks

The certificate's version number. The possible values are the strings "V1", "V2", and "V3".

This property is read-only.

Data Type

String

SSLCertSubject Property (IPWorks3DS_Server Class)

The subject of the certificate used for client authentication.

Object Oriented Interface

public function getSSLCertSubject();
public function setSSLCertSubject($value);

Procedural Interface

ipworks3ds_server_get($res, 165 );
ipworks3ds_server_set($res, 165, $value );

Default Value

''

Remarks

The subject of the certificate used for client authentication.

This property must be set after all other certificate properties are set. When this property is set, a search is performed in the current certificate store to locate a certificate with a matching subject.

If a matching certificate is found, the property is set to the full subject of the matching certificate.

If an exact match is not found, the store is searched for subjects containing the value of the property.

If a match is still not found, the property is set to an empty string, and no certificate is selected.

The special value "*" picks a random certificate in the certificate store.

The certificate subject is a comma-separated list of distinguished name fields and values. For instance, "CN=www.server.com, OU=test, C=US, E=support@nsoftware.com". Common fields and their meanings are as follows:

FieldMeaning
CNCommon Name. This is commonly a hostname like www.server.com.
OOrganization
OUOrganizational Unit
LLocality
SState
CCountry
EEmail Address

If a field value contains a comma, it must be quoted.

Data Type

String

SSLCertEncoded Property (IPWorks3DS_Server Class)

The certificate (PEM/Base64 encoded).

Object Oriented Interface

public function getSSLCertEncoded();
public function setSSLCertEncoded($value);

Procedural Interface

ipworks3ds_server_get($res, 166 );
ipworks3ds_server_set($res, 166, $value );

Default Value

''

Remarks

The certificate (PEM/Base64 encoded). This property is used to assign a specific certificate. The SSLCertStore and SSLCertSubject properties also may be used to specify a certificate.

When SSLCertEncoded is set, a search is initiated in the current SSLCertStore for the private key of the certificate. If the key is found, SSLCertSubject is updated to reflect the full subject of the selected certificate; otherwise, SSLCertSubject is set to an empty string.

This property is not available at design time.

Data Type

Binary String

SSLServerCertEffectiveDate Property (IPWorks3DS_Server Class)

The date on which this certificate becomes valid.

Object Oriented Interface

public function getSSLServerCertEffectiveDate();

Procedural Interface

ipworks3ds_server_get($res, 167 );

Default Value

''

Remarks

The date on which this certificate becomes valid. Before this date, it is not valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:

23-Jan-2000 15:00:00.

This property is read-only.

Data Type

String

SSLServerCertExpirationDate Property (IPWorks3DS_Server Class)

The date on which the certificate expires.

Object Oriented Interface

public function getSSLServerCertExpirationDate();

Procedural Interface

ipworks3ds_server_get($res, 168 );

Default Value

''

Remarks

The date on which the certificate expires. After this date, the certificate will no longer be valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:

23-Jan-2001 15:00:00.

This property is read-only.

Data Type

String

SSLServerCertExtendedKeyUsage Property (IPWorks3DS_Server Class)

A comma-delimited list of extended key usage identifiers.

Object Oriented Interface

public function getSSLServerCertExtendedKeyUsage();

Procedural Interface

ipworks3ds_server_get($res, 169 );

Default Value

''

Remarks

A comma-delimited list of extended key usage identifiers. These are the same as ASN.1 object identifiers (OIDs).

This property is read-only.

Data Type

String

SSLServerCertFingerprint Property (IPWorks3DS_Server Class)

The hex-encoded, 16-byte MD5 fingerprint of the certificate.

Object Oriented Interface

public function getSSLServerCertFingerprint();

Procedural Interface

ipworks3ds_server_get($res, 170 );

Default Value

''

Remarks

The hex-encoded, 16-byte MD5 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: bc:2a:72:af:fe:58:17:43:7a:5f:ba:5a:7c:90:f7:02

This property is read-only.

Data Type

String

SSLServerCertFingerprintSHA1 Property (IPWorks3DS_Server Class)

The hex-encoded, 20-byte SHA-1 fingerprint of the certificate.

Object Oriented Interface

public function getSSLServerCertFingerprintSHA1();

Procedural Interface

ipworks3ds_server_get($res, 171 );

Default Value

''

Remarks

The hex-encoded, 20-byte SHA-1 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 30:7b:fa:38:65:83:ff:da:b4:4e:07:3f:17:b8:a4:ed:80:be:ff:84

This property is read-only.

Data Type

String

SSLServerCertFingerprintSHA256 Property (IPWorks3DS_Server Class)

The hex-encoded, 32-byte SHA-256 fingerprint of the certificate.

Object Oriented Interface

public function getSSLServerCertFingerprintSHA256();

Procedural Interface

ipworks3ds_server_get($res, 172 );

Default Value

''

Remarks

The hex-encoded, 32-byte SHA-256 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 6a:80:5c:33:a9:43:ea:b0:96:12:8a:64:96:30:ef:4a:8a:96:86:ce:f4:c7:be:10:24:8e:2b:60:9e:f3:59:53

This property is read-only.

Data Type

String

SSLServerCertIssuer Property (IPWorks3DS_Server Class)

The issuer of the certificate.

Object Oriented Interface

public function getSSLServerCertIssuer();

Procedural Interface

ipworks3ds_server_get($res, 173 );

Default Value

''

Remarks

The issuer of the certificate. This property contains a string representation of the name of the issuing authority for the certificate.

This property is read-only.

Data Type

String

SSLServerCertPrivateKey Property (IPWorks3DS_Server Class)

The private key of the certificate (if available).

Object Oriented Interface

public function getSSLServerCertPrivateKey();

Procedural Interface

ipworks3ds_server_get($res, 174 );

Default Value

''

Remarks

The private key of the certificate (if available). The key is provided as PEM/Base64-encoded data.

Note: The SSLServerCertPrivateKey may be available but not exportable. In this case, SSLServerCertPrivateKey returns an empty string.

This property is read-only.

Data Type

String

SSLServerCertPrivateKeyAvailable Property (IPWorks3DS_Server Class)

Whether a PrivateKey is available for the selected certificate.

Object Oriented Interface

public function getSSLServerCertPrivateKeyAvailable();

Procedural Interface

ipworks3ds_server_get($res, 175 );

Default Value

false

Remarks

Whether a SSLServerCertPrivateKey is available for the selected certificate. If SSLServerCertPrivateKeyAvailable is True, the certificate may be used for authentication purposes (e.g., server authentication).

This property is read-only.

Data Type

Boolean

SSLServerCertPrivateKeyContainer Property (IPWorks3DS_Server Class)

The name of the PrivateKey container for the certificate (if available).

Object Oriented Interface

public function getSSLServerCertPrivateKeyContainer();

Procedural Interface

ipworks3ds_server_get($res, 176 );

Default Value

''

Remarks

The name of the SSLServerCertPrivateKey container for the certificate (if available). This functionality is available only on Windows platforms.

This property is read-only.

Data Type

String

SSLServerCertPublicKey Property (IPWorks3DS_Server Class)

The public key of the certificate.

Object Oriented Interface

public function getSSLServerCertPublicKey();

Procedural Interface

ipworks3ds_server_get($res, 177 );

Default Value

''

Remarks

The public key of the certificate. The key is provided as PEM/Base64-encoded data.

This property is read-only.

Data Type

String

SSLServerCertPublicKeyAlgorithm Property (IPWorks3DS_Server Class)

The textual description of the certificate's public key algorithm.

Object Oriented Interface

public function getSSLServerCertPublicKeyAlgorithm();

Procedural Interface

ipworks3ds_server_get($res, 178 );

Default Value

''

Remarks

The textual description of the certificate's public key algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_DH") or an object identifier (OID) string representing the algorithm.

This property is read-only.

Data Type

String

SSLServerCertPublicKeyLength Property (IPWorks3DS_Server Class)

The length of the certificate's public key (in bits).

Object Oriented Interface

public function getSSLServerCertPublicKeyLength();

Procedural Interface

ipworks3ds_server_get($res, 179 );

Default Value

0

Remarks

The length of the certificate's public key (in bits). Common values are 512, 1024, and 2048.

This property is read-only.

Data Type

Integer

SSLServerCertSerialNumber Property (IPWorks3DS_Server Class)

The serial number of the certificate encoded as a string.

Object Oriented Interface

public function getSSLServerCertSerialNumber();

Procedural Interface

ipworks3ds_server_get($res, 180 );

Default Value

''

Remarks

The serial number of the certificate encoded as a string. The number is encoded as a series of hexadecimal digits, with each pair representing a byte of the serial number.

This property is read-only.

Data Type

String

SSLServerCertSignatureAlgorithm Property (IPWorks3DS_Server Class)

The text description of the certificate's signature algorithm.

Object Oriented Interface

public function getSSLServerCertSignatureAlgorithm();

Procedural Interface

ipworks3ds_server_get($res, 181 );

Default Value

''

Remarks

The text description of the certificate's signature algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_MD5RSA") or an object identifier (OID) string representing the algorithm.

This property is read-only.

Data Type

String

SSLServerCertStore Property (IPWorks3DS_Server Class)

The name of the certificate store for the client certificate.

Object Oriented Interface

public function getSSLServerCertStore();

Procedural Interface

ipworks3ds_server_get($res, 182 );

Default Value

'MY'

Remarks

The name of the certificate store for the client certificate.

The SSLServerCertStoreType property denotes the type of the certificate store specified by SSLServerCertStore. If the store is password-protected, specify the password in SSLServerCertStorePassword.

SSLServerCertStore is used in conjunction with the SSLServerCertSubject property to specify client certificates. If SSLServerCertStore has a value, and SSLServerCertSubject or SSLServerCertEncoded is set, a search for a certificate is initiated. Please see the SSLServerCertSubject property for details.

Designations of certificate stores are platform dependent.

The following designations are the most common User and Machine certificate stores in Windows:

MYA certificate store holding personal certificates with their associated private keys.
CACertifying authority certificates.
ROOTRoot certificates.

When the certificate store type is cstPFXFile, this property must be set to the name of the file. When the type is cstPFXBlob, the property must be set to the binary contents of a PFX file (i.e., PKCS#12 certificate store).

This property is read-only.

Data Type

Binary String

SSLServerCertStorePassword Property (IPWorks3DS_Server Class)

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

Object Oriented Interface

public function getSSLServerCertStorePassword();

Procedural Interface

ipworks3ds_server_get($res, 183 );

Default Value

''

Remarks

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

This property is read-only.

Data Type

String

SSLServerCertStoreType Property (IPWorks3DS_Server Class)

The type of certificate store for this certificate.

Object Oriented Interface

public function getSSLServerCertStoreType();

Procedural Interface

ipworks3ds_server_get($res, 184 );

Default Value

0

Remarks

The type of certificate store for this certificate.

The class supports both public and private keys in a variety of formats. When the cstAuto value is used, the class will automatically determine the type. This property can take one of the following values:

0 (cstUser - default)For Windows, this specifies that the certificate store is a certificate store owned by the current user.

Note: This store type is not available in Java.

1 (cstMachine)For Windows, this specifies that the certificate store is a machine store.

Note: This store type is not available in Java.

2 (cstPFXFile)The certificate store is the name of a PFX (PKCS#12) file containing certificates.
3 (cstPFXBlob)The certificate store is a string (binary or Base64-encoded) representing a certificate store in PFX (PKCS#12) format.
4 (cstJKSFile)The certificate store is the name of a Java Key Store (JKS) file containing certificates.

Note: This store type is only available in Java.

5 (cstJKSBlob)The certificate store is a string (binary or Base64-encoded) representing a certificate store in Java Key Store (JKS) format.

Note: This store type is only available in Java.

6 (cstPEMKeyFile)The certificate store is the name of a PEM-encoded file that contains a private key and an optional certificate.
7 (cstPEMKeyBlob)The certificate store is a string (binary or Base64-encoded) that contains a private key and an optional certificate.
8 (cstPublicKeyFile)The certificate store is the name of a file that contains a PEM- or DER-encoded public key certificate.
9 (cstPublicKeyBlob)The certificate store is a string (binary or Base64-encoded) that contains a PEM- or DER-encoded public key certificate.
10 (cstSSHPublicKeyBlob)The certificate store is a string (binary or Base64-encoded) that contains an SSH-style public key.
11 (cstP7BFile)The certificate store is the name of a PKCS#7 file containing certificates.
12 (cstP7BBlob)The certificate store is a string (binary) representing a certificate store in PKCS#7 format.
13 (cstSSHPublicKeyFile)The certificate store is the name of a file that contains an SSH-style public key.
14 (cstPPKFile)The certificate store is the name of a file that contains a PPK (PuTTY Private Key).
15 (cstPPKBlob)The certificate store is a string (binary) that contains a PPK (PuTTY Private Key).
16 (cstXMLFile)The certificate store is the name of a file that contains a certificate in XML format.
17 (cstXMLBlob)The certificate store is a string that contains a certificate in XML format.
18 (cstJWKFile)The certificate store is the name of a file that contains a JWK (JSON Web Key).
19 (cstJWKBlob)The certificate store is a string that contains a JWK (JSON Web Key).
21 (cstBCFKSFile)The certificate store is the name of a file that contains a BCFKS (Bouncy Castle FIPS Key Store).

Note: This store type is only available in Java and .NET.

22 (cstBCFKSBlob)The certificate store is a string (binary or Base64-encoded) representing a certificate store in BCFKS (Bouncy Castle FIPS Key Store) format.

Note: This store type is only available in Java and .NET.

23 (cstPKCS11)The certificate is present on a physical security key accessible via a PKCS#11 interface.

To use a security key, the necessary data must first be collected using the CertMgr class. The ListStoreCertificates method may be called after setting CertStoreType to cstPKCS11, CertStorePassword to the PIN, and CertStore to the full path of the PKCS#11 DLL. The certificate information returned in the CertList event's CertEncoded parameter may be saved for later use.

When using a certificate, pass the previously saved security key information as the SSLServerCertStore and set SSLServerCertStorePassword to the PIN.

Code Example. SSH Authentication with Security Key: certmgr.CertStoreType = CertStoreTypes.cstPKCS11; certmgr.OnCertList += (s, e) => { secKeyBlob = e.CertEncoded; }; certmgr.CertStore = @"C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll"; certmgr.CertStorePassword = "123456"; //PIN certmgr.ListStoreCertificates(); sftp.SSHCert = new Certificate(CertStoreTypes.cstPKCS11, secKeyBlob, "123456", "*"); sftp.SSHUser = "test"; sftp.SSHLogon("myhost", 22);

99 (cstAuto)The store type is automatically detected from the input data. This setting may be used with both public and private keys and can detect any of the supported formats automatically.

This property is read-only.

Data Type

Integer

SSLServerCertSubjectAltNames Property (IPWorks3DS_Server Class)

Comma-separated lists of alternative subject names for the certificate.

Object Oriented Interface

public function getSSLServerCertSubjectAltNames();

Procedural Interface

ipworks3ds_server_get($res, 185 );

Default Value

''

Remarks

Comma-separated lists of alternative subject names for the certificate.

This property is read-only.

Data Type

String

SSLServerCertThumbprintMD5 Property (IPWorks3DS_Server Class)

The MD5 hash of the certificate.

Object Oriented Interface

public function getSSLServerCertThumbprintMD5();

Procedural Interface

ipworks3ds_server_get($res, 186 );

Default Value

''

Remarks

The MD5 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

Data Type

String

SSLServerCertThumbprintSHA1 Property (IPWorks3DS_Server Class)

The SHA-1 hash of the certificate.

Object Oriented Interface

public function getSSLServerCertThumbprintSHA1();

Procedural Interface

ipworks3ds_server_get($res, 187 );

Default Value

''

Remarks

The SHA-1 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

Data Type

String

SSLServerCertThumbprintSHA256 Property (IPWorks3DS_Server Class)

The SHA-256 hash of the certificate.

Object Oriented Interface

public function getSSLServerCertThumbprintSHA256();

Procedural Interface

ipworks3ds_server_get($res, 188 );

Default Value

''

Remarks

The SHA-256 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

Data Type

String

SSLServerCertUsage Property (IPWorks3DS_Server Class)

The text description of UsageFlags .

Object Oriented Interface

public function getSSLServerCertUsage();

Procedural Interface

ipworks3ds_server_get($res, 189 );

Default Value

''

Remarks

The text description of SSLServerCertUsageFlags.

This value will be one or more of the following strings and will be separated by commas:

  • Digital Signature
  • Non-Repudiation
  • Key Encipherment
  • Data Encipherment
  • Key Agreement
  • Certificate Signing
  • CRL Signing
  • Encipher Only

If the provider is OpenSSL, the value is a comma-separated list of X.509 certificate extension names.

This property is read-only.

Data Type

String

SSLServerCertUsageFlags Property (IPWorks3DS_Server Class)

The flags that show intended use for the certificate.

Object Oriented Interface

public function getSSLServerCertUsageFlags();

Procedural Interface

ipworks3ds_server_get($res, 190 );

Default Value

0

Remarks

The flags that show intended use for the certificate. The value of SSLServerCertUsageFlags is a combination of the following flags:

0x80Digital Signature
0x40Non-Repudiation
0x20Key Encipherment
0x10Data Encipherment
0x08Key Agreement
0x04Certificate Signing
0x02CRL Signing
0x01Encipher Only

Please see the SSLServerCertUsage property for a text representation of SSLServerCertUsageFlags.

This functionality currently is not available when the provider is OpenSSL.

This property is read-only.

Data Type

Integer

SSLServerCertVersion Property (IPWorks3DS_Server Class)

The certificate's version number.

Object Oriented Interface

public function getSSLServerCertVersion();

Procedural Interface

ipworks3ds_server_get($res, 191 );

Default Value

''

Remarks

The certificate's version number. The possible values are the strings "V1", "V2", and "V3".

This property is read-only.

Data Type

String

SSLServerCertSubject Property (IPWorks3DS_Server Class)

The subject of the certificate used for client authentication.

Object Oriented Interface

public function getSSLServerCertSubject();

Procedural Interface

ipworks3ds_server_get($res, 192 );

Default Value

''

Remarks

The subject of the certificate used for client authentication.

This property must be set after all other certificate properties are set. When this property is set, a search is performed in the current certificate store to locate a certificate with a matching subject.

If a matching certificate is found, the property is set to the full subject of the matching certificate.

If an exact match is not found, the store is searched for subjects containing the value of the property.

If a match is still not found, the property is set to an empty string, and no certificate is selected.

The special value "*" picks a random certificate in the certificate store.

The certificate subject is a comma-separated list of distinguished name fields and values. For instance, "CN=www.server.com, OU=test, C=US, E=support@nsoftware.com". Common fields and their meanings are as follows:

FieldMeaning
CNCommon Name. This is commonly a hostname like www.server.com.
OOrganization
OUOrganizational Unit
LLocality
SState
CCountry
EEmail Address

If a field value contains a comma, it must be quoted.

This property is read-only.

Data Type

String

SSLServerCertEncoded Property (IPWorks3DS_Server Class)

The certificate (PEM/Base64 encoded).

Object Oriented Interface

public function getSSLServerCertEncoded();

Procedural Interface

ipworks3ds_server_get($res, 193 );

Default Value

''

Remarks

The certificate (PEM/Base64 encoded). This property is used to assign a specific certificate. The SSLServerCertStore and SSLServerCertSubject properties also may be used to specify a certificate.

When SSLServerCertEncoded is set, a search is initiated in the current SSLServerCertStore for the private key of the certificate. If the key is found, SSLServerCertSubject is updated to reflect the full subject of the selected certificate; otherwise, SSLServerCertSubject is set to an empty string.

This property is read-only and not available at design time.

Data Type

Binary String

Timeout Property (IPWorks3DS_Server Class)

A timeout for the class.

Object Oriented Interface

public function getTimeout();
public function setTimeout($value);

Procedural Interface

ipworks3ds_server_get($res, 194 );
ipworks3ds_server_set($res, 194, $value );

Default Value

30

Remarks

If the Timeout property is set to 0, all operations will run uninterrupted until successful completion or an error condition is encountered.

If Timeout is set to a positive value, the class will wait for the operation to complete before returning control.

The class will use DoEvents to enter an efficient wait loop during any potential waiting period, making sure that all system events are processed immediately as they arrive. This ensures that the host application does not freeze and remains responsive.

If Timeout expires, and the operation is not yet complete, the class fails with an error.

Note: By default, all timeouts are inactivity timeouts, that is, the timeout period is extended by Timeout seconds when any amount of data is successfully sent or received.

The default value for the Timeout property is 30 seconds.

Data Type

Integer

TransactionStatus Property (IPWorks3DS_Server Class)

The transaction status from the last parsed message (ARes, RReq, or CRes).

Object Oriented Interface

public function getTransactionStatus();

Procedural Interface

ipworks3ds_server_get($res, 195 );

Default Value

''

Remarks

Indicates whether a transaction qualifies as an authenticated transaction or account verification. Possible values are:

YAuthentication/account verification successful.
NNot authenticated/account not verified; transaction denied.
UAuthentication/account verification could not be performed; technical or other problem as indicated in ARes or RReq.
AAttempts processing performed; not authenticated/verified, but a proof of attempted authentication/verification is provided.
CChallenge required; additional authentication is required using the CReq/CRes.
RAuthentication/account verification rejected; issuer is rejecting authentication/verification and request that authorization not be attempted.
DChallenge required; decoupled authentication confirmed.
IInformational only; 3DS Requestor challenge preference acknowledged.

Note: The CRes message can contain only a value of Y or N. Values of D and I are only applicable for 3DS version 2.2.0.

This property is read-only.

Data Type

String

AddExtension Method (IPWorks3DS_Server Class)

Adds an extension to the collection.

Object Oriented Interface

public function doAddExtension($id, $name, $critical, $data);

Procedural Interface

ipworks3ds_server_do_addextension($res, $id, $name, $critical, $data);

Remarks

Data necessary to support requirements not otherwise defined in the 3-D Secure message are carried in Message Extensions. AddExtension adds a new extension to the Extensions collection.

Note: The maximum number of extensions is 10.

AddRequestField Method (IPWorks3DS_Server Class)

Adds a field to the data in the request.

Object Oriented Interface

public function doAddRequestField($name, $value, $valuetype);

Procedural Interface

ipworks3ds_server_do_addrequestfield($res, $name, $value, $valuetype);

Remarks

This method can be used to extend the requests constructed by the class. When this method is called, the component will add the specified field to the end of the request.

CheckResponse Method (IPWorks3DS_Server Class)

Parses the specified message.

Object Oriented Interface

public function doCheckResponse($response);

Procedural Interface

ipworks3ds_server_do_checkresponse($res, $response);

Remarks

CheckResponse parses a variety of messages that are sent to the Server as part of the authentication process.

The following messages can be parsed using this method:

  • The threeDSMethodData form variables received at the MethodNotificationURL
  • The Results Request (RReq) message received at the ResultsURL
  • The cres form variables received at the NotificationURL
  • The Operation Request Message (OReq) sent from a DS.

When calling the method, pass the message to be parsed as the Response parameter. The properties which are populated after calling this method vary depending on the type of message being parsed. See below for additional information.

Method Data from MethodNotificationURL

After calling GetMethodData, a request is made to the CardRangeMethodURL. After this, the ACS will make a POST to MethodNotificationURL to inform the requestor of completion. Retrieve the threeDSMethodData form variable value that was POSTed and pass it to this method. After calling this method, the following properties are populated:

The ServerTransactionId may be used to match the response with the request.

Results Request message from ResultsURL

When a challenge is completed for both app-based and browser-based flows, a POST is made to the ResultsURL with a Results Request message.

Prior to checking this RReq message, the ServerTransactionId can be extracted using the ExtractRReqServerTransactionId configuration setting. This value can then be used to look up details on the transaction that were saved prior to starting the challenge process, including the messageVersion which must be set via the MessageVersion property prior to passing the RReq message to the CheckResponse method.

Pass the body of the HTTP request received at ResultsURL to this method. This contains information about the results, and asks for a Results Response to be sent back containing the ResultsStatus.

After calling this method, the following properties are populated:

To respond to the POST, set ResultsStatus to the appropriate value and call GetResultsResponse to build a response message to be sent back to the directory server. Use the value from GetResultsResponse in the application as the body of the HTTP response. Set the Content-Type header to application/JSON; charset=utf-8

If TransactionStatus is D and TransactionStatusReason is 29 or 30, this indicates that decoupled authentication should now be performed. When building the Results Response, a ResultsStatus value of 04 should be used. Then, within 60 seconds, a new 3RI authentication must be started with the following field requirements:

Final Challenge Response from NotificationURL

In a browser-based flow, the challenge takes place directly between the cardholder and the ACS in a separate iframe or window. The ACS will POST the final challenge response to the NotificationURL after the challenge is complete. Retrieve the cres form variable value from the POST data and pass it to CheckResponse. After calling this method the following properties are populated:

In addition to the cres variable, a threeDSSessionData variable will be present if SessionData was set before calling GetChallengeRequest. The threeDSSessionData value POSTed to NotificationURL may be passed to EncodedSessionData. Query SessionData to get the decoded session data.

Operation Request Message (OReq)

OReq messages are used to communicate operational information from a DS to the 3DS Server. This message is not part of the 3-D Secure authentication flow.

When an OReq message is received, CheckResponse should be called to validate the message. There may be more than one OReq message sent in a sequence, and CheckResponse should be called for each. The current instance of the Server object can be cached for the duration of the OReq sequence until the final OReq is received. The Operation.SequenceNumber should also be set prior to calling CheckResponse. The component will verify the sequence number of the received OReq to ensure it's not out of sequence.

After calling this method, details are made available in Operation.

If any OReq data element fails validation, Operation.MessageStatus will be set to "02". If the OReq is valid, Operation.MessageStatus will be empty.

If the OReq is valid, determine if the final OReq has been received (Operation.SequenceNumber equals Operation.SequenceTotal). If these values match, the final OReq in the sequence has been received, and GetOperationResponse can be used to generate the ORes message.

For valid OReq messages that are not the final OReq in the sequence, the response should be HTTP Status 200 (OK) with an empty HTTP body.

Config Method (IPWorks3DS_Server Class)

Sets or retrieves a configuration setting.

Object Oriented Interface

public function doConfig($configurationstring);

Procedural Interface

ipworks3ds_server_do_config($res, $configurationstring);

Remarks

Config is a generic method available in every class. It is used to set and retrieve configuration settings for the class.

These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.

To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).

To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.

GetChallengeRequest Method (IPWorks3DS_Server Class)

Builds the Challenge Request (CReq) for browser-based flow.

Object Oriented Interface

public function doGetChallengeRequest();

Procedural Interface

ipworks3ds_server_do_getchallengerequest($res);

Remarks

The GetChallengeRequest method is used to build the Challenge Request (CReq) which will be sent in a form post to the ACSURL property via the cardholder browser.

An iframe should be created in the cardholder's browser, which will be used to send the challenge request and allow the cardholder and ACS to interact directly.

The size of the challenge window (iframe) may be any of the sizes listed in ChallengeWindowSize. Before calling this method set ChallengeWindowSize to the appropriate value to let the ACS know the size of the window on the cardholder's browser.

Calling this method will return a string which should be placed in a creq form variable.

The SessionData setting may also be set with any data that may be helpful to continue processing the transaction after the final challenge response is received at the NotificationURL. To prepare the session data for submission, query EncodedSessionData. The encoded string may then be placed in the threeDSSessionData form variable.

Note: The maximum length of the threeDSSessionData form variable, after being encoded, is 1024 bytes.

Example Form

Response Handling

Once the challenge has been completed by the cardholder, the directory server will post a Results Request (RReq) to the ResultsURL specified when calling SendAuthRequest. See CheckResponse and GetResultsResponse for more details.

The ACS will also post the Challenge Response to the NotificationURL specified when calling SendAuthRequest. This post contains data which may be parsed to verify the challenge results. See CheckResponse for more details.

GetMethodData Method (IPWorks3DS_Server Class)

Prepares method data to be sent to the ACS before the authentication request is sent.

Object Oriented Interface

public function doGetMethodData();

Procedural Interface

ipworks3ds_server_do_getmethoddata($res);

Remarks

The GetMethodData method prepares data to be transmitted to the ACS via the cardholder's browser.

When a transaction begins, the card range cache should be queried to find details about the card range to which the card number belongs. If a CardRangeMethodURL is defined for the card range, this method should be used to prepare data to be sent via the cardholder's browser to the CardRangeMethodURL.

If the CardRangeMethodURL is not set for the specified card range, set MethodCompletionIndicator to U before calling SendAuthRequest.

The following properties are applicable when calling this method:

This method returns a string which contains encoded data to be sent to the ACS. This includes ServerTransactionId and MethodNotificationURL. After calling this method, the returned string can be transmitted to the ACS via the cardholder's browser.

As per the EMVCo specification, create a hidden iframe in the browser and send a form with the field name threeDSMethodData containing the return value from this method and post the form to the CardRangeMethodURL.

The ACS will record information about the customer's environment and then POST back to the MethodNotificationURL. The page at this URL should expect a form variable with the name threeDSMethodData which will contain the original ServerTransactionId value in order to match the response with the request. The form variable value will be base64url encoded and may be passed directly to the CheckResponse method. The class will decode and parse the received value and populate ServerTransactionId with the value from the received data.

If the response from the ACS is not received within 10 seconds, set MethodCompletionIndicator to N before calling SendAuthRequest.

GetOperationResponse Method (IPWorks3DS_Server Class)

Builds and returns the Operation Response Message (ORes) to be sent back to the Directory Server.

Object Oriented Interface

public function doGetOperationResponse();

Procedural Interface

ipworks3ds_server_do_getoperationresponse($res);

Remarks

This method builds the Operation Response Message (ORes) to be sent back to the Directory Server in an HTTP reply to the final Operation Request (OReq) message. It returns a JSON object containing the fields required for the ORes.

When an OReq message is received, CheckResponse should be called to validate the message. There may be more than one OReq message sent in a sequence, and CheckResponse should be called for each. While several OReq messages may be received in a sequence (totalling Operation.SequenceTotal), the ORes message is only expected to be generated using GetOperationResponse after the final OReq. For valid intermediate OReq messages the response should be HTTP Status 200 (OK) with an empty HTTP body.

After passing the final received OReq message to the CheckResponse method, all the properties required to be set before building the ORes will have been populated except for Operation.MessageStatus, which indicates whether or not the message was successfully received for further processing, or provides more detail to the DS on why the requested action could not be completed.

Possible values include:

01Successfully received messages.
02Message sequence is broken.
03Requested action is not supported or not executed by the 3DS Server or ACS when OReq message was received.
04Reserved for DS use

If any OReq data element fails validation from CheckResponse, Operation.MessageStatus will be set to "02". The ErrorPacket can be queried and should be returned to the DS.

For valid OReq messages, Operation.MessageStatus will be empty. Next, determine if the final OReq has been received (Operation.SequenceNumber equals Operation.SequenceTotal). If these values match, the final OReq in the sequence has been received, and GetOperationResponse can be used to generate the ORes message.

Once Operation.MessageStatus has been set, GetOperationResponse can be called and will return a string containing the reply to be sent in the response. In the HTTP server, use the string returned from this method as the body of the reply and set the Content-Type header to application/JSON; charset=utf-8

GetResultsResponse Method (IPWorks3DS_Server Class)

Builds and returns the Results Response Message (RRes) to be sent back to the directory server.

Object Oriented Interface

public function doGetResultsResponse();

Procedural Interface

ipworks3ds_server_do_getresultsresponse($res);

Remarks

This method builds the Results Response Message (RRes) to be sent back to the directory server in the HTTP reply to the Results Request (RReq). It returns a JSON object containing the fields required for the RRes.

After passing the received RReq message to the CheckResponse method, all the properties required to be set before building the RRes will have been populated except for ResultsStatus, which indicates whether or not the message was successfully received for further processing, or provides more detail to the ACS on why the challenge could not be completed.

Possible values include:

01Results Request Received for further Processing.
02Challenge Request not sent to ACS by 3DS Requestor (3DS Server or 3DS Requestor opted out of the challenge).
03ARes challenge data not delivered to the 3DS Requestor due to technical error.

The Server can use the value of the RequestorChallengeInd to determine whether or not a value of 02 is appropriate. It must use the necessary error handling logic when processing ARes messages to determine whether or not a value of 03 is appropriate.

Once ResultsStatus has been set, GetResultsResponse can be called and will return a string containing the reply to be sent in the response. In the HTTP server, use the string returned from this method as the body of the reply and set the Content-Type header to application/JSON; charset=utf-8

Interrupt Method (IPWorks3DS_Server Class)

Interrupts the current action.

Object Oriented Interface

public function doInterrupt();

Procedural Interface

ipworks3ds_server_do_interrupt($res);

Remarks

This method interrupts any processing that the class is currently executing.

RequestCardRanges Method (IPWorks3DS_Server Class)

Requests card ranges from the directory server.

Object Oriented Interface

public function doRequestCardRanges();

Procedural Interface

ipworks3ds_server_do_requestcardranges($res);

Remarks

RequestCardRanges requests card ranges and additional information from the directory server.

When a transaction is initiated, the first step that should be taken is to find information about the card range to which the card number belongs. This includes the protocol version(s) supported by the ACS and DS, and if one exists, any corresponding Method URL (used in the browser flow).

Results of this method should be cached in order to quickly look up information when processing transactions. It is recommended to call this method once every 24 hours at a minimum, and once per hour as a maximum to refresh the cache. The class will not cache the returned values; it is up to the user to cache these values in an appropriate location.

The first time this method is called, SerialNumber will be empty, indicating that all results should be returned. This is an offset the server will use to return only new updates to the card ranges (if any) since the last request. The SerialNumber will be populated after this method returns, and this value should be saved to be used in subsequent calls.

When a response is received, the card ranges will be made available via the component events and properties.

When MessageVersion is set to 2.3.1, the CardRangeData event will fire for each card range data object received, and the Ranges and ACSProtocolInfos properties will be populated to be accessed within the event handler. Optionally, the DS may return a list of URLs that the 3DS Server can use for communication with the DS. If present, these will be available via both the DSURL event and the DSURLs property.

When MessageVersion is set to 2.2.0 or 2.1.0, the CardRange event will fire for each card range that is returned, and the results will also be held in the CardRanges property.

The following properties are applicable when calling this method:

The following properties are populated after calling this method:

Note that when MessageVersion 2.3.1, the card range data is only available using the CardRangeData event.

When using MessageVersion 2.2.0 or 2.3.1, the returned ranges may include ACS Information Indicators. These are used to indicate additional functionality supported by the ACS for the card range(s). For 2.2.0, a ACSInformationIndicator field is exposed in both CardRanges collection and CardRange event. In version 2.3.1, this information is availalbe in the ACSProtocolInfos collection via the Indicator field. Possible values are:

  • 01 - Authentication Available at ACS
  • 02 - Attempts Supported by ACS or DS
  • 03 - Decoupled Authentication Supported
  • 04 - Whitelisting Supported
  • 05 - Device Binding Supported (2.3.1 only)
  • 06 - WebAuthn Authentication Supported (2.3.1 only)
  • 07 - SPC Authentication Supported (2.3.1 only)
  • 08 - Transaction Risk Analysis Exemption Supported (2.3.1 only)
  • 09 - Trust List Exemption Supported (2.3.1 only)
  • 10 - Low Value Exemption Supported (2.3.1 only)
  • 11 - Secure Corporate Payments Exemption Supported (2.3.1 only)
  • 80-99 - Reserved for DS Use

If an error is identified with the card range data received from the directory server when calling the RequestCardRanges method, the ResendRequestCardRanges configuration setting will be true, indicating that the request should be resent. When resending, if SerialNumber was specified for the initial request, it should be set to an empty string before calling RequestCardRanges again. Otherwise, the request can be sent without the serial number again, but the server may respond with an error due to multiple requests within an hour.

Note that retrieving card ranges can consume a lot of memory, especially when retrieving the initial set of ranges. The StoreCardRangeData and UseJsonDOM configuration settings can be set to help minimize the amount of memory used. A CardRangeTempPath setting can also be used to specify a temporary path to which the PRes packet will be temporarily written prior to parsing.

When using MessageVersion 2.3.1, if UseJsonDOM is false, the card ranges will need to be cached and processed after the RequestCardRanges method returns. The card ranges would then need to be processed in the order indicated by the CardRangeRecordsReadOrder configuration setting. A check will also need to be made for overlap of ranges. If issue(s) are found, the ReportCardRangeError configuration setting should be used to report the error to the directory server.

Reset Method (IPWorks3DS_Server Class)

Clears all properties to their default values.

Object Oriented Interface

public function doReset();

Procedural Interface

ipworks3ds_server_do_reset($res);

Remarks

This method clears all properties to their default values.

ResetTransactionInfo Method (IPWorks3DS_Server Class)

Resets transaction specific information.

Object Oriented Interface

public function doResetTransactionInfo();

Procedural Interface

ipworks3ds_server_do_resettransactioninfo($res);

Remarks

This method must be called between transactions when using the same class instance.

Each transaction that is attempted uses transaction specific values that should not be re-used in subsequent transactions. Call this method to make sure that any transaction specific information is cleared between transactions.

This method resets only the transaction specific information without resetting any other values which have been configured. This allows re-use of the same component instance.

In a Browser-Based flow the following are reset:

SendAuthRequest Method (IPWorks3DS_Server Class)

Sends the authentication request to the directory server.

Object Oriented Interface

public function doSendAuthRequest();

Procedural Interface

ipworks3ds_server_do_sendauthrequest($res);

Remarks

SendAuthRequest begins the 3-D Secure transaction flow by sending an authentication request to the DirectoryServerURL.

After calling this method, check TransactionStatus to determine if the cardholder is authenticated (frictionless flow) or further cardholder interaction is required to complete the authentication (challenge flow).

Prior to calling SendAuthRequest, data must to be collected to facilitate fraud checks by the ACS. The following properties are applicable for both app-based and browser-based flows:

App-Based Flow

In the app-based flow, device specific information is prepared by the 3DS SDK on the customer's device. This is transmitted to the 3DS Server class via a secure channel, the specifics of which are outside the scope of the classs. Set ClientAuthRequest to this data prepared by the 3DS SDK.

Browser-Based Flow

Before calling this method, first check the cached card-range data to determine if a CardRangeMethodURL has been set by the ACS. Card range data may be retrieved by calling RequestCardRanges.

If no CardRangeMethodURL is present for the given card, set MethodCompletionIndicator to U.

If a CardRangeMethodURL has been specified by the ACS for the card number, the URL must be loaded in the cardholder's browser to allow the ACS to collect additional browser information for risk-based decision making. See the GetMethodData for further details.

Once the method URL invocation is complete, the authentication request may be sent. If the method URL invocation failed, set MethodCompletionIndicator to N before calling SendAuthRequest.

The following additional properties are applicable in browser-based flow:

Response Handling

After calling this method the TransactionStatus property holds the result. Possible values are:

Transaction Status Description
Y Authenticated successfully
C Cardholder challenge required
N Not authenticated
A Not authenticated, but a proof of authentication attempt was generated in AuthenticationValue
U Not authenticated due to technical or other issue
R Not authenticated because the issuer is rejecting authentication
D Challenge required; decoupled authentication confirmed
I Informational only; 3DS Requestor challenge preference acknowledged
S Challenge using SPC

If the transaction is authenticated (Y or A), no further steps are required. The flow is considered frictionless and the 3-D Secure processing is complete. If processing a payment, the AuthenticationValue and AuthenticationECI values can be included as proof of 3-D Secure authentication.

If the transaction requires a cardholder challenge (C, D or S), further steps are required.

If the transaction is not authenticated, TransactionStatusReason may contain details about the reason.

The following properties are applicable after calling this method:

Response Handling - App-Based Flow

After calling this method, ClientAuthResponse is populated with data to be transmitted back to the 3DS SDK. If a challenge is required, the ClientAuthResponse data is used by the 3DS SDK to start when initiating the challenge process.

The 3DS Server is responsible for indicating to the 3DS SDK the results of the SendAuthRequest process, and whether or not a challenge is required. Exactly how this is done is outside the scope of the classs themselves. The response to the 3DS SDK over the secure channel should include information on what to do next.

Note: The TransactionStatus is also populated in the 3DS Server class and may be inspected prior to transmitting ClientAuthResponse back to the 3DS SDK.

Response Handling - Browser-Based Flow

If TransactionStatus is C, then additional steps are required to complete the authentication. The GetChallengeRequest method should be called next to obtain data to be sent to the ACSURL in an authentication window in the customer's browser. Once authentication is complete, the ACS will post the results to the ResultsURL value that was specified when calling SendAuthRequest.

See the GetChallengeRequest method for more details.

If TransactionStatus is D, then decoupled authentication has been accepted by the ACS. DecoupledConfirmationIndicator will have a value of Y as well. Authentication will happen outside of the 3-D Secure flow and, when complete, the ACS will post the results to the ResultsURL that was specified when calling SendAuthRequest.

The DecoupledTimeRemaining value, which is calculated based on the DecoupledMaxTimeout value sent in the initial authentication request, can be checked to see the amount of time remaining before decoupled authentication must be completed. If the ACS does not post the results before this value runs out, it can be assumed that decoupled authentication was not successful.

SPC-Based Authentication

SPC (Secure Payment Confirmation) provides a method to perform a challenge using preestablished FIDO credentials when using a Browser. The SPC authentication can be initiated by the 3DS Requestor via an extra AReq/ARes message pair or by the ACS via a standard Browser Challenge Flow.

For an SPC authentication to execute correctly, the following prerequisites apply:

  1. The ACS has an enrolled FIDO authenticator on the device for this Cardholder.
  2. The 3DS Requestor and/or the ACS have detected that the Cardholder Browser supports the related SPC APIs (allow="payment *; publickey-credentialsget *"). For the ACS, this information can be obtained via the Browser User Agent data element or via data obtained via the 3DS Method.

SPC-based authentication can be enabled with the following additions:

Prior to sending the initial authentication request packet (AReq) using the SendAuthRequest method, the ThreeDSRequestorSpcSupport configuration setting should be set to True to indicate that SPC is supported by the 3DS Requestor.

If SPC is accepted by the ACS, the resulting TransactionStatus should be S. The response will also contain a list of enrolled FIDO (WebAuthn) credentials associated with the cardholder, and SPC transaction data. This data is available in the following configuration settings:

If a new instance of the Server component will be used after authentication to send the second AReq, the AuthenticationInformation value should be saved to be used later.

This information is relayed to the 3DS Requestor implementation, and the 3DS Requestor invokes the SPC authentication (SPC API) against the WebAuthn Credential list. The cardholder authenticates using the FIDO authenticator on their device, and the 3DS Requestor retrieves the Assertion Data from the SPC API call.

The 3DS Server is then configured to includes this FIDO Assertion Data is then included in a new authentication request by setting the ReqAuthData[Index] and a ReqAuthMethod[Index] of 09. If the AuthenticationInformation value was saved earlier, it can be set via the same configuration setting. If the 3DS Requestor encounters an error during SPC API invokation, this can be indicated using the SPCIncompletionIndicator.

The SendAuthRequest method should then be called again to transmit this data to the ACS (by way of the DS) in a second AReq.

When SendAuthRequest returns, the 3DS Server proceed the same as the regular browser-based flow when the ARes is returned.

When SPC authentication is to be performed, the authenticaton must be completed within 9 minutes. The component will automatically start an internal timer that can be checked using the CheckSPCTimeout configuration setting. This will return the number of seconds left for SPC authentication to complete. If the time has expired before receiving the Assertion Data from the 3DS Requestor, checking this configuration setting will cause the component to automatically send the second AReq message with an SPCIncompletionIndicator value of 03, indicating that SPC authentication timed out.

Note that SPC-based authentication is only available when a MessageVersion of 2.3.1 is used.

CardRange Event (IPWorks3DS_Server Class)

Fired when the response to a Preparation Request Message (PReq) is received.

Object Oriented Interface

public function fireCardRange($param);

Procedural Interface

ipworks3ds_server_register_callback($res, 1, array($this, 'fireCardRange'));

Parameter List

 'rangestart'
'rangeend'
'rangeaction'
'acsstartprotocolversion'
'acsendprotocolversion'
'dsstartprotocolversion'
'dsendprotocolversion'
'threedsmethodurl'
'acsinformationindicator'
'valid'

Remarks

The CardRange event fires for each range of card numbers to be added or removed from the cache. The RangeAction parameter indicates whether the range specified by the RangeStart and RangeEnd arguments is to be added or deleted from the current cache.

RangeStart13-19 digit account number from the Directory indicating the first number in a range of account numbers to be added or deleted from the current cache.
RangeEnd13-19 digit account number from the Directory indicating the last number in a range of account numbers to be added or deleted from the current cache. This End number must be the same length as the Start number.
RangeActionIndicates the action to be taken with the card range specified by the RangeStart and RangeEnd parameters. Possible values are:
  • A - Add the card range to the cache (default value)
  • D - Delete the card range from the cache
  • M - Modify the card range data
If the SerialNumber was not included in the Card Range Request, the Action will be A (add) for all ranges returned. If no action is returned for the card range (empty value), it can be assumed that the action for the range is A.
ACSStartProtocolVersionThe earliest (i.e. oldest) active protocol version that is supported by the ACS.
ACSEndProtocolVersionThe most recent active protocol version that is supported by the ACS URL.
DSStartProtocolVersionThe earliest (i.e. oldest) active protocol version that is supported by the DS.
DSEndProtocolVersionThe most recent active protocol version that is supported by the DS.
ThreeDSMethodURLThe fully qualified ACS URL that will be used by the 3DS method.
ACSInformationIndicatorAdditional information on the card range as supplied by the ACS. This field is a comma separate list of values returned from the server; possible values are:
  • 01 - Authentication Available at ACS
  • 02 - Attempts Supported by ACS or DS
  • 03 - Decoupled Authentication Supported
  • 04 - Whitelisting Supported
  • 05 - Device Binding Supported (2.3.1 only)
  • 06 - WebAuthn Authentication Supported (2.3.1 only)
  • 07 - SPC Authentication Supported (2.3.1 only)
  • 08 - Transaction Risk Analysis Exemption Supported (2.3.1 only)
  • 09 - Trust List Exemption Supported (2.3.1 only)
  • 10 - Low Value Exemption Supported (2.3.1 only)
  • 11 - Secure Corporate Payments Exemption Supported (2.3.1 only)
  • 80-99 - Reserved for DS Use
ValidWhether or not the card range data is valid. If an issue is found with the card range data, this can be set to false to cause a 203 error to be returned to the directory server.

Note that the card ranges must be processed in the order returned.

These card ranges are also returned outside this event in the CardRangeStart, CardRangeEnd, CardRangeAction, CardRangeACSStartProtocolVersion, CardRangeACSEndProtocolVersion, and CardRangeMethodURL properties.

CardRangeData Event (IPWorks3DS_Server Class)

Fired when the response to a Preparation Request Message (PReq) is received. This event is used for card range data returned when version 2.3.1 of the protocol is used.

Object Oriented Interface

public function fireCardRangeData($param);

Procedural Interface

ipworks3ds_server_register_callback($res, 2, array($this, 'fireCardRangeData'));

Parameter List

 'rangeaction'
'issuercountrycode'
'dsprotocolversions'
'status'

Remarks

When card ranges are requested using using MessageVersion 2.3.1, the CardRangeData event will fire for each card range data object received in the Preparation Response Message (PRes) returned from the directory server.

This data indicates the most recent protocol versions supported by the ACS and, optionally, the DS that hosts that range. If configured, the ACS URL for the 3DS Method will be included as well, along with the 3DS features supported by the ACS, such as Trust List or Decoupled Authentication.

The RangeAction parameter indicates whether the ranges defined in the Ranges property are to be added, deleted, or modified in the current cache.

RangeActionIndicates the action to be taken with the card range specified by the RangeStart and RangeEnd parameters. Possible values are:
  • A - Add the card range to the cache (default value)
  • D - Delete the card range from the cache
  • M - Modify the card range data
If the SerialNumber was not included in the Card Range Request, the Action will be A (add) for all ranges returned. If no action is returned for the card range (empty value), it can be assumed that the action for the range is A.
IssuerCountryCodeThe Issuer country for the ranges. An ISO 3166-1 numeric three-digit country code.
DSProtocolVersionsThe active protocol versions supported by the Directory Server. A bitwise OR of the following values:
2.1.00x02
2.2.00x04
2.3.10x08
Note that the protocol versions may also be returned outside of the individual card ranges. These versions will be present in the DSSupportedProtocols property.
StatusIf an issue is found with the card range, it can be reported by setting the Status parameter. Possible values are:
  • 0: Valid (default)
  • 1: Overlap in the card ranges provided by the DS in the PRes message.
  • 2: Action is not possible for the card range.
When set to a non-zero value, the class will automatically report the appropriate error to the DS.
Within the event, a few properties will also be populated, both with details for the current ranges in question. The Ranges collection will hold the card ranges for which the rest of the data applies. The ACSProtocolInfos collection will hold protocol versions and other associated information supported by the ACS for the card ranges.

DataPacketIn Event (IPWorks3DS_Server Class)

Fired when receiving a data packet from the server.

Object Oriented Interface

public function fireDataPacketIn($param);

Procedural Interface

ipworks3ds_server_register_callback($res, 3, array($this, 'fireDataPacketIn'));

Parameter List

 'datapacket'

Remarks

This event fires when a packet is received. The entire data packet (including all framing and error detection characters) is contained in the DataPacket parameter. This parameter may be inspected for advanced troubleshooting, or to extract additional response properties beyond the scope of this component.

DataPacketOut Event (IPWorks3DS_Server Class)

Fired when sending a data packet to the server.

Object Oriented Interface

public function fireDataPacketOut($param);

Procedural Interface

ipworks3ds_server_register_callback($res, 4, array($this, 'fireDataPacketOut'));

Parameter List

 'datapacket'

Remarks

This event fires right before each data packet is sent. The entire data packet (including all framing and error detection characters) is contained in the DataPacket parameter. This parameter may be inspected for advanced troubleshooting, or may be modified to support additional features beyond the scope of this component.

DSURL Event (IPWorks3DS_Server Class)

Fired for each DS URL present in the Preparation Response Message (PRes).

Object Oriented Interface

public function fireDSURL($param);

Procedural Interface

ipworks3ds_server_register_callback($res, 5, array($this, 'fireDSURL'));

Parameter List

 'threedsservertodsurl'
'dscountrycode'

Remarks

The DSURL event fires for each DS URL returned from the directory server when requesting card ranges via the RequestCardRanges method.

Each DSURL object contains a ThreeDSServerToDsUrl and, optionally, a CountryCode. For a given card range, if the Issuer Country Code matches the DS CountryCode, the 3DS Server uses this ThreeDSServerToDsUrl to communicate with the DS. If there is no match, the 3DS Server uses the default 3DS Server to DS URL.

Error Event (IPWorks3DS_Server Class)

Information about errors during data delivery.

Object Oriented Interface

public function fireError($param);

Procedural Interface

ipworks3ds_server_register_callback($res, 6, array($this, 'fireError'));

Parameter List

 'errorcode'
'description'

Remarks

The Error event is fired in case of exceptional conditions during message processing.

ErrorCode contains an error code and Description contains a textual description of the error. For a list of valid error codes and their descriptions, please refer to the Error Codes section.

Log Event (IPWorks3DS_Server Class)

Fires once for each log message.

Object Oriented Interface

public function fireLog($param);

Procedural Interface

ipworks3ds_server_register_callback($res, 7, array($this, 'fireLog'));

Parameter List

 'loglevel'
'message'
'logtype'

Remarks

Logging in the component is handled through the Log event. This will fire anytime a message is built or a response is parsed, including error messages.

When the Log event is fired, the message in question is made available via the Message event parameter. Properties such as EphemeralKey and DeviceParams are also available when they are gathered by the Client. The other event arguments are LogType and LogLevel:

The LogType parameter indicates the type of the log entry. Possible values are:

  • "Info"
  • "RequestHeaders"
  • "ResponseHeaders"
  • "RequestBody"
  • "ResponseBody"
  • "ProxyRequest"
  • "ProxyResponse"
  • "FirewallRequest"
  • "FirewallResponse"
  • "AReq"
  • "ARes"
  • "CReq"
  • "CRes"
  • "RReq"
  • "RRes"
  • "PReq"
  • "PRes"
  • "Erro"
  • "EphemeralKey"
  • "DeviceParams"
The LogLevel configuration setting can be used to specify the detail of the logs raised through the Log event. The LogLevel parameter in the event indicates the log level to which the current message belongs.

It is recommended to output all messages raised in this event to a file for record keeping purposes, or for later debugging issues that may have come up.

The Server and Client components also have DataPacketIn and DataPacketOut events that fire anytime a data packet is received or sent, respectively. The entire data packet is then accessible in the DataPacket event parameter. For encrypted packets, this would contain the full encrypted data. This parameter may be inspected for advanced troubleshooting.

MessageExtension Event (IPWorks3DS_Server Class)

Fired when a Message Extension is present in a message being parsed.

Object Oriented Interface

public function fireMessageExtension($param);

Procedural Interface

ipworks3ds_server_register_callback($res, 8, array($this, 'fireMessageExtension'));

Parameter List

 'name'
'id'
'data'
'critical'
'recognized'

Remarks

Enables the parsing of Message Extension data by firing when extensions have been included in a ARes, CRes, RReq or PRes message that is being parsed. Message Extensions carry additional data not defined in the 3DS Protocol. This event fires once for each such extension. Event arguments correspond to the four elements comprising the extension, as well as an indication of whether or not the extension is recognized:

Name 'name' element - extension name
Id 'id' element - assigned extension group identifier
Data 'data' element - message extension data
Critical 'criticalityIndicator' element - criticality indicator
Recognized set by component to indicate whether or not the extension is recognized

If a 3-D Secure application receives a message containing a critical extension that it does not recognize, it must treat it as invalid and return Error Code = 202. This event will fire before the exception is thrown.

SSLServerAuthentication Event (IPWorks3DS_Server Class)

Fired after the server presents its certificate to the client.

Object Oriented Interface

public function fireSSLServerAuthentication($param);

Procedural Interface

ipworks3ds_server_register_callback($res, 9, array($this, 'fireSSLServerAuthentication'));

Parameter List

 'certencoded'
'certsubject'
'certissuer'
'status'
'accept'

Remarks

During this event, the client can decide whether or not to continue with the connection process. The Accept parameter is a recommendation on whether to continue or close the connection. This is just a suggestion: application software must use its own logic to determine whether or not to continue.

When Accept is False, Status shows why the verification failed (otherwise, Status contains the string OK). If it is decided to continue, you can override and accept the certificate by setting the Accept parameter to True.

SSLStatus Event (IPWorks3DS_Server Class)

Fired when secure connection progress messages are available.

Object Oriented Interface

public function fireSSLStatus($param);

Procedural Interface

ipworks3ds_server_register_callback($res, 10, array($this, 'fireSSLStatus'));

Parameter List

 'message'

Remarks

The event is fired for informational and logging purposes only. This event tracks the progress of the connection.

Config Settings (Server Class)

The class accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.

Server Config Settings

AccountAgeIndicator:   Cardholder Account Age Indicator.

Length of time that the cardholder has had the account with the 3DS Requestor.

Possible values are:

01 No account (guest check-out)
02 Created during this transaction
03 Less than 30 days
04 30-60 days
05 More than 60 days

An element of the Cardholder Account Information provided by the 3DS Requestor in AReq messages, which is optional but strongly recommended to include.

The complete list of elements (all available as config settings) comprising Cardholder Account Information is:

  • AccountAgeIndicator
  • AccountChangeDate
  • AccountChangeIndicator
  • AccountDate
  • AccountPasswordChangeDate
  • AccountPasswordChangeIndicator
  • AccountRequestorID
  • AccountPurchaseCount
  • AccountProvisioningAttempts
  • AccountDayTransactions
  • AccountYearTransactions
  • PaymentAccountAge
  • PaymentAccountAgeIndicator
  • ShipAddressUsageDate
  • ShipAddressUsageIndicator
  • ShipNameIndicator
  • SuspiciousAccountActivity

AccountChangeDate:   Cardholder Account Change Date.

Date that the cardholder's account with the 3DS Requestor was last changed. Accepted date format is YYYYMMDD.

An element of the Cardholder Account Information provided by the 3DS Requestor in AReq messages, which is optional but strongly recommended to include. See the AccountAgeIndicator configuration setting for the complete list of elements (all available as config settings) comprising Cardholder Account Information.

AccountChangeIndicator:   Cardholder Account Change Indicator.

Length of time since the cardholder's account information with the 3DS Requestor was last changed.

Possible values are:

01 Changed during this transaction
02 Less than 30 days
03 30-60 days
04 More than 60 days

An element of the Cardholder Account Information provided by the 3DS Requestor in AReq messages, which is optional but strongly recommended to include. See the AccountAgeIndicator configuration setting for the complete list of elements (all available as config settings) comprising Cardholder Account Information.

AccountDate:   Date cardholder account opened.

Date that the cardholder opened the account with the 3DS Requestor. Accepted date format is YYYYMMDD.

An element of the Cardholder Account Information provided by the 3DS Requestor in AReq messages, which is optional but strongly recommended to include. See the AccountAgeIndicator configuration setting for the complete list of elements (all available as config settings) comprising Cardholder Account Information.

AccountDayTransactions:   Number of account transactions in the last day.

Number of transactions (successful and abandoned) for this cardholder account with the 3DS Requestor across all payment accounts in the previous 24 hours.

An element of the Cardholder Account Information provided by the 3DS Requestor in AReq messages, which is optional but strongly recommended to include. See the AccountAgeIndicator configuration setting for the complete list of elements (all available as config settings) comprising Cardholder Account Information.

AccountId:   Cardholder Account Identifier.

Additional information about the account optionally provided by the 3DS Requestor in AReq messages.

AccountPasswordChangeDate:   Cardholder Account Password Change Date.

Date that cardholder's account with the 3DS Requestor had a password change or account reset. Accepted date format is YYYYMMDD.

An element of the Cardholder Account Information provided by the 3DS Requestor in AReq messages, which is optional but strongly recommended to include. See the AccountAgeIndicator configuration setting for the complete list of elements (all available as config settings) comprising Cardholder Account Information.

AccountPasswordChangeIndicator:   Cardholder Account Password Change Indicator.

Indicates the length of time since the cardholder's account with the 3DS Requestor had a password change or account reset.

Possible values are:

01 No change
02 Changed during this transaction
03 Less than 30 days
04 30-60 days
05 More than 60 days

An element of the Cardholder Account Information provided by the 3DS Requestor in AReq messages, which is optional but strongly recommended to include. See the AccountAgeIndicator configuration setting for the complete list of elements (all available as config settings) comprising Cardholder Account Information.

AccountProvisioningAttempts:   Number of account provisioning attempts in the last day.

Number of Add Card attempts for the account in the last 24 hours.

An element of the Cardholder Account Information provided by the 3DS Requestor in AReq messages, which is optional but strongly recommended to include. See the AccountAgeIndicator configuration setting for the complete list of elements (all available as config settings) comprising Cardholder Account Information.

AccountPurchaseCount:   Cardholder Account Purchase Count.

Number of purchases with this cardholder account during the previous six months.

An element of the Cardholder Account Information provided by the 3DS Requestor in AReq messages, which is optional but strongly recommended to include. See the AccountAgeIndicator configuration setting for the complete list of elements (all available as config settings) comprising Cardholder Account Information.

AccountRequestorID:   Cardholder Account Requestor ID.

The 3DS Requestor assigned account identifier of the transacting Cardholder.

This identifier is coded as the SHA-256 + Base64URL of the account identifier for the 3DS Requestor and is provided as a string.

AccountYearTransactions:   Number of account transactions in the last year.

Number of transactions (successful and abandoned) for this cardholder account with the 3DS Requestor across all payment accounts in the previous year.

An element of the Cardholder Account Information provided by the 3DS Requestor in AReq messages, which is optional but strongly recommended to include. See the AccountAgeIndicator configuration setting for the complete list of elements (all available as config settings) comprising Cardholder Account Information.

ACSChallengeMandatedIndicator:   ACS Challenge Mandated Indicator.

Indication of whether a challenge is required for the transaction to be authorized due to local/regional mandates or other variable. Required in ARes messages if TransactionStatus = C.

ACSOperatorId:   ACS identifier assigned by DS.

Each DS can provide a unique ID to each ACS on an individual basis. Requirements for the presence of this field in ARes messages are DS specific. Any individual DS may impose special formatting and character requirements on the contents of this field.

ACSReferenceNumber:   Unique ACS Reference Number.

Returned from the directory server in the Authentication Response Message (ARes), this field contains a unique identifier for the ACS. Used by the DS to identify the ACS and passed along to the Server in the ARes. This field will be set after a successful call to SendAuthRequest.

ACSRenderingDeviceUserInterfaceMode:   User interface mode the ACS will present to cardholder.

Indicates the user interface mode the ACS will present to the cardholder for a challenge. Possible values are:

01 Portrait
02 Landscape
03 Voice
04 Other
ACSRenderingInterface:   Challenge interface type presented to cardholder.

This setting specifies the ACS interface that must be used to present the challenge to the cardholder in an app-based flow. This setting is populated after calling SendAuthRequest in the 3DS Server. This is also populated after calling CheckResponse and passing the Results Request Message.

Possible values are:

01 Native UI
02 HTML UI

ACSRenderingUITemplate:   Challenge type presented to cardholder.

This setting holds the type of challenge that will be presented to the cardholder in an app-based flow. This setting is populated after calling SendAuthRequest in the 3DS Server. This is also populated after calling CheckResponse and passing the Results Request Message.

Possible values are:

01 Text
02 Single Select
03 Multi Select
04 OOB
05 HTML Other (valid only for HTML UI)
06 HTML OOB (valid only for 2.3.1)
07 Information (valid only for 2.3.1)

ACSSignedContent:   String value of the JWS object of the ARes message created by the ACS.

Contains the JWS object created by the ACS for the ARes message. The JWS object body contains the ACSURL, the ACS Ephemeral Public Key, and the SDK Ephemeral Public Key (available in the SDKEphemeralPublicKey configuration setting).

This setting is only applicable to the app-based flow and is informational. It does not need to be queried or set in most cases.

ACSTransactionId:   Unique transaction identifier assigned by the ACS.

This field contains a universally unique transaction identifier assigned by the ACS to identify a single transaction.

AddressMatch:   Address Match Indicator.

This field is used to indicate to the ACS whether the cardholder shipping address and billing address are the same.

YShipping address matches billing address.
NShipping address does not match billing address.
AllowNullMethodURL:   Allow null MethodURL when retrieving card ranges.

According to the EMVCo specification, if no MethodURL is available, the field should be omitted from the card ranges response. In some cases, however, the directory server has returned a "null" string instead. This is false by default, and this invalid data will result in an error raised by the RequestCardRanges method. Setting this configuration setting to true will allow a null MethodURL in the card range data.

AppIP:   App IP Address.

External IP address (i.e., the device public IP address) used by the 3DS Requestor App when it connects to the 3DS Requestor environment.

AppURLIndicator:   3DS Requestor App URL Indicator.

Indicates whether the OOB Authentication App used by the ACS during a challenge supports the 3DS Requestor App URL. This is returned by the ACS in the authentication response (ARes) packet. Possible values are:

Y3DS Requestor App URL is supported by the OOB Authentication App
N3DS Requestor App URL is NOT supported by the OOB Authentication App
AuthenticationInformation:   3DS Requestor Prior Transaction Authentication Information.

Information about how th 3DS Requestor authenticated the cardholder as part of a previous 3DS transaction. This is specified as a JSON array of objects containing the following fields:

threeDSReqPriorAuthDsTransIdThe prior DS Transaction ID (2.3.1 only)
threeDSReqPriorAuthDataData that documents and supports a specific authentication process
threeDSReqPriorAuthMethodMechanism used by the Cardholder to previously authenticate to the 3DS Requestor
threeDSReqPriorAuthTimestampData and time converted into UTC of the prior Cardholder authentication
threeDSReqPriorRefAdditional information
AuthenticationMethod:   A comma separated list of authentication types used by the issuer.

After SendAuthRequest, this will be set if the TransactionStatus is C or D and indicates the authentication type(s) the issuer will use to challenge the cardholder. When a Results Reuqest Message (RReq) is parsed this will be set if the TransactionStatus is Y or N and indicates the authentication method(s) that were used during the challenge. Possible values include:

01Static Passcode
02SMS OTP
03Key fob or EMV card reader OTP
04App OTP
05OTP Other
06KBA
07OOB Biometrics
08OOB Login
09OOB Other
10Other
11Push Confirmation
12Decoupled
13WebAuthn
14SPC
15Behavioral biometrics
16Electronic ID
17-79Reserved for future EMVCo use
80-99Reserved for DS use
For 3RI, only present for Decoupled Authentication.
AuthenticationType:   Type of authentication method used by the issuer.

After SendAuthRequest, this will be set if TransactionStatus is C or D and indicates the type of authentication method that will be used to challenge the cardholder. When a Results Request Message (RReq) is parsed, this will be set if the TransactionStatus is Y or N and indicates the authentication method that was used during the challenge.

Possible values include:

01Static
02Dynamic
03OOB
04Decoupled

BroadInfo:   Broadcast Information.

Structured information sent between the 3DS server, the DS, and the ACS.

BroadInfoCategory:   Broadcast Information Category.

Indicates the category/type of information. Possible values are:

01General
02Certificate expiry
03Fraud alert
04Operational alert
05Transactional data
06Other
07-79Reserved for EMVCo future use
80-99Reserved for DS use
BroadInfoDescription:   Broadcast Information Description.

Information to be broadcasted to recipients.

BroadInfoExpiryDate:   Broadcast Information Expiry Date.

The date after which the relevance of the broadcasted information (e.g., certificate expiration dates) expires, in YYYYMMDD format.

BroadInfoRecipients:   Broadcast Information Recipient(s).

Indicates the intended recipient(s) of the broadcasted information. Multiple recipients can be configured by OR-ing one or more of the following values:

13DS SDK
23DS Server
4DS
8ACS
BroadInfoSeverity:   Broadcast Information Severity.

Indicates the importance/severity level of the broadcasted information. Possible values are:

01Critical
02Major
03Minor
04Informational
BroadInfoSource:   Broadcast Information Source.

Indicates the source of the broadcasted information. Possible values are:

013DS Server
02DS
03ACS
BrowserUserDeviceId:   Browser User Device ID.

Unique and immutable identifier linked to a device that is consistent across 3DS transactions for the specific user device. Examples include a Hardware Device ID or a Platform-calculated device fingerprint.

BrowserUserId:   Browser User ID.

Identifier of the transacting user's Browser Account ID. This identifier is a unique and immutable hash of the user's account identifier for the given Browser provided as a string.

CardholderInformation:   Information text presented to Cardholder during the transaction.

Text provided in ARes by the ACS/Issuer to Cardholder during a Frictionless or Decoupled transaction. The Issuer can provide information to Cardholder. If populated, this information is required to be conveyed to the cardholder. Required if DecoupledConfirmationIndicator is Y.

CardholderInformationIssuerImage:   Issuer image presented to the Cardholder during the transaction.

A URL pointing to the issuer image to be presented to the cardholder along with the CardholderInformation.

CardholderInformationPaymentSystemImage:   Payment system image presented to the Cardholder during the transaction.

A URL pointing to the payment system image to be presented to the cardholder along with the CardholderInformation.

CardRangeRecordsReadOrder:   Indicates the order in which to process the card range records from the PRes message.

Possible values are:

01Direct order/FIFO (First In First Out)
02Reverse order/LIFO (Last In First Out)
When UseJsonDOM is false, the cardrange in CardRangeData is in the sequence of received data. If the value of this field is 02, indicating a Last In First Out approach, it would be necessary to cache the cardranges first and then reverse the order of which they are processed.

This config may not be available (empty value) in the CardRangeData. This config will always be empty when UseJsonDOM is true.

CardRangeTempPath:   Temporary path where card range data is written.

When RequestCardRanges is called, this configuration setting can be used to specify the path to which the component will temporarily save the card range data. This data is saved in a file that is deleted when parsing of the ranges is complete. This can be useful in limiting memory usage of the component, especially when large amounts of ranges are returned. For the most benefit, this should be used in conjunction with StoreCardRangeData set to False.

CardSecurityCode:   Card Security Code.

Three or four digit security code printed on the card.

CardSecurityCodeStatus:   Card Security Code Status.

Enables the communication of Card Security Code Status between the ACS, the DS, and the 3DS Requestor. Possible values are:

YValidated
NFailed validation
UStatus unknown, unavailable, or does not apply
CardSecurityCodeStatusSource:   Card Security Code Status Source.

Possible values are:

01DS
02ACS
03-79Reserved for EMVCo future use
80-99Reserved for DS use
ChallengeCancellationIndicator:   Challenge Cancellation Indicator.

Indicator informing the ACS and the DS that the authentication has been canceled. Required in CReq for app-based if the authentication transaction was canceled for any of the reasons available as values. Required in the RReq if the ACS identifies that the authentication transaction was canceled for reasons indicated.

Possible values are:

01 Cardholder selected "Cancel" by interaction with the cancellation button in the UI
02 3DS Requestor canceled Authentication
03 Transaction Abandoned
04 Transaction Timed out at ACS - other timeouts
05 Transaction Timed out at ACS - First CReq not received by ACS
06 Transaction Error
07 Unknown
08 Transaction Timed Out at 3DS SDK
09 Error message in response to the CRes message sent by the ACS
10 Error in response to the CRes message received by the ACS
11-79 Reserved for future EMV/Co use (values invalid until defined by EMVCo)
80-99 Reserved for future DS use

ChallengeErrorReportingACSTransID:   Challenge Error Reporting ACS Transaction ID.

The ACS Transaction ID field from the error message (Erro) reported during the challenge process.

When an error is encountered during the CReq/CRes process, a copy of the error message (Erro) may be included in the RReq sent to the server. This is required when the ChallengeCancellationIndicator is 09 or 10. The following configuration settings will be populated with data from this error message:

ChallengeErrorReportingDSTransID:   Challenge Error Reporting DS Transaction ID.

The Directory Server Transaction ID field from the error message (Erro) reported during the challenge process.

ChallengeErrorReportingErrorCode:   Challenge Error Reporting Error Code.

The Error Code field from the error message (Erro) reported during the challenge process.

ChallengeErrorReportingErrorComponent:   Challenge Error Reporting Error Component.

The Error Component field from the error message (Erro) reported during the challenge process.

ChallengeErrorReportingErrorDescription:   Challenge Error Reporting Error Description.

The Error Description field from the error message (Erro) reported during the challenge process.

ChallengeErrorReportingErrorDetail:   Challenge Error Reporting Error Detail.

The Error Detail field from the error message (Erro) reported during the challenge process.

ChallengeErrorReportingErrorMessageType:   Challenge Error Reporting Error Message Type.

The Error Message Type field from the error message (Erro) reported during the challenge process.

ChallengeErrorReportingMessageType:   Challenge Error Reporting Message Type.

The Message Type field from the error message (Erro) reported during the challenge process.

ChallengeErrorReportingMessageVersion:   Challenge Error Reporting Message Version.

The Message Version field from the error message (Erro) reported during the challenge process.

ChallengeErrorReportingSDKTransID:   Challenge Error Reporting SDK Transaction ID.

The SDK Transaction ID field from the error message (Erro) reported during the challenge process.

ChallengeErrorReportingThreeDSServerTransID:   Challenge Error Reporting Server Transaction ID.

The 3DS Server Transaction ID field from the error message (Erro) reported during the challenge process.

ChallengeTimeRemaining:   Amount of time left to complete challenge.

This field contains the time remaining to complete the challenge. This is based on the SDKMaxTimeout set when issuing the initial Authorization Request Message.

CheckSPCTimeout:   Time remaining for SPC authentication to complete.

When SPC authentication is to be performed as indicated by a TransactionStatus value of S, the authenticaton must be complete within 9 minutes. The component will automatically start an internal timer that can be checked using this configuration setting. This will return the number of seconds left for SPC authentication to complete. When authentication is complete, the assertion data should be sent to the DS using a second AReq packet should be set to the server.

If the time has expired before receiving the Assertion Data from the 3DS Requestor, checking this configuration setting will cause the component to automatically send the second AReq message with an SPC Incompletion Indicator value of 03, indicating that SPC authentication timed out.

ClearCustomRequestFields:   Clear the custom request fields internal collection.

When PersistCustomRequestFields is true, the component will store request fields specified via the AddRequestField method to use for future generated requests. This configuration setting can be used to clear this internal collection.

ContinueParsingCardRangesOnError:   Whether or not to continue parsing card ranges when a validation error is encountered.

When RequestCardRanges is called, the class will parse the card ranges returned in the PRes response packet. By default, if an error is encountered, the component will stop parsing, send an Erro packet to the Directory Server, and throw an exception. This setting can be used to instruct the component to continue parsing the card ranges, and adding the ranges that do not fail validation to the CardRanges collection prior to raising the error. The default value is False.

DecoupledConfirmationIndicator:   ACS Decoupled Confirmation Indicator.

Returned in the authentication response, and indicates whether the ACS confirms utilization of Decoupled Authentication and agrees to utilize Decoupled Authentication to authenticate the Cardholder.

Possible values are:

Y Confirms decoupled authentication will be utilized.
N Decoupled authentication will not be utilized.

Note that if the 3DS Requestor decoupled request indicator = N, a value of Y cannot be returned. If the TransactionStatus is D, a value of N is not valid.

DecoupledMaxTimeout:   3DS Requestor Decoupled Max Time.

Indicates the maximum amount of time that the 3DS Requestor will wait for an ACS to provide the results of a Decoupled Authentication transaction (in minutes). Set prior to calling SendAuthRequest if allowing decoupled authentication.

DecoupledRequestIndicator:   3DS Requestor Decoupled Request Indicator.

Indicates whether the 3DS Requestor requests the ACS to utilize Decoupled Authentication and agrees to utilize Decoupled Authentication if the ACS confirms its use.

Possible values are:

Y Decoupled authentication is supported and preferred if challenge is necessary.
N Do not use decoupled authentication.
F Decoupled Authentication is supported and is to be used only as a fallback challenge method if a challenge is necessary (TransactionStatus = D in RReq).
B Decoupled Authentication is supported and can be used as a primary or fallback challenge method if a challenge is necessary (TransactionStatus = D in either ARes or RReq).
Note that if the element is not provided (default), the ACS should interpret this equivalent to a value of N.

DecoupledTimeRemaining:   Time remaining before a RReq should be received during a decoupled authentication.

When performing decoupled authentication, the 3DS Server will wait DecoupledMaxTimeout seconds for a Results Request (RReq) packet from the Directory Server indicating the results of the authentication. Generally, the ACS should send the RReq before the specified max time expires, even if authentication has not succeeded. If not successful, this would be indicated in the RReq. This config can be used to help track the time remaining before this RReq should be received, and is based on DecoupledMaxTimeout + 30 seconds.

DeliveryEmailAddress:   Merchandise Delivery Email Address.

The email address to which the merchandise was delivered for Electronic delivery.

An element of the Merchant Risk Indicator applicable in AReq messages, which is optional but strongly recommended to include. The data elements making up the Indicator will be formatted into a JSON object prior to being placed into the Device Merchant Risk Indicator field of the message. The Indicator is the Merchant's assessment of the level of fraud risk for the specific authentication for both the cardholder and the authentication being conducted.

The complete list of elements (all available as config settings) comprising the Merchant Risk Indicator is:

  • DeliveryEmailAddress
  • DeliveryTimeframe
  • GiftCardAmount
  • GiftCardCount
  • GiftCardCurrency
  • PreOrderDate
  • PreOrderPurchaseIndicator
  • ReorderItemsIndicator
  • ShipIndicator

DeliveryTimeframe:   Merchandise Delivery Timeframe.

Indicates the merchandise delivery timeframe.

Possible values are:

01 Electronic Delivery
02 Same day shipping
03 Overnight shipping
04 Two-day or more shipping

An element of the Merchant Risk Indicator applicable in AReq messages, which is optional but strongly recommended to include. See the DeliveryEmailAddress configuration setting for the complete list of elements (all available as config settings) comprising the Merchant Risk Indicator.

DeviceBindingStatus:   Device Binding Status.

Enables the communication of Device Binding Status between the ACS, DS, and the 3DS Requestor.

For bound devices (value = 11-14), this convest the type of binding that was performed.

01Device is not bound by Cardholder
02Not eligible as determined by issuer
03Pending confirmation by Cardholder
04Cardholder rejected
05Device Binding Status unknown, unavailable, or does not apply
06-10Reserved for EMVCo future use
11Device is bound by Cardholder (device is bound using hardware/SIM internal to the consumer device. For instance, keys stored in a secure element on the device)
12Device is bound by Cardholder (device is bound using hardware external to the consumers device. For example, an external FIDO authenticator)
13Device is bound by Cardholder (device is bound using data that includes dynamically generated data and could include a unique device ID)
14Device is bound by Cardholder (device is bound using static device data that has been obtained from the consumer's device)
15Device is bound by Cardholder (other method)
16-79Reserved for EMVCo future use
80-99Reserved for DS use

DeviceBindingStatusSource:   Device Binding Status Source.

Populated by the system setting Device Binding Status. Possible values are:

013DS Server
02DS
03ACS
04-79Reserved for EMVCo future use
80-99Reserverd for DS use

This setting is read-only. For outgoing requests, a value of 01 will always be used when DeviceBindingStatus is set.

DeviceInfoRecognisedVersion:   Device Information Recognized Version.

Indicates the highest Data Version of the Device Information supported by the ACS.

DeviceRenderingInterface:   SDK Interface Device Rendering Types supported.

Types of SDK Interfaces that the device supports for displaying specific challenge user interfaces within the SDK.

Possible values are:

01 Native
02 HTML
03 Both

One of the elements comprising the Device Rendering Options which define the SDK UI types that the device supports (along with DeviceRenderingInterface). These Options are required in AReq messages.

DeviceRenderingUIType:   SDK UI Types supported.

UI types that the device supports for displaying specific challenge user interfaces within the SDK. Multiple values can be or-ed together to support multiple types. Possible values are:

01 Text
02 Single Select
04 Multi Select
08 OOB
16 HTML Other
32 HTML OOB
64 Information

Note that currently all SDKs need to support all UI types. In the future, however, this may change (for example, smart watches may support a UI Type not yet defined). In light of this, all UI types are enabled by default (127).

DSEndProtocolVersion:   DS End Protocol Version.

The most recent active protocol version that is supported for the directory server. This is the default value included in the PRes packet returned from the server during a call to RequestCardRanges. If the DSEndProtocolVersion is not specified (i.e. empty) at the CardRanges level, this should be utilized.

DSReferenceNumber:   DS Reference Number.

EMVCo-assigned unique identifier to track approved DS. The DS will populate the AReq with this element prior to passing to the ACS, and it will be returned in the ARes.

DSStartProtocolVersion:   DS Start Protocol Version.

The earliest (i.e. oldest) active protocol version that is supported for the directory server. This is the default value included in the PRes packet returned from the server during a call to RequestCardRanges. If the DSStartProtocolVersion is not specified (i.e. empty) at the CardRanges level, this should be utilized.

DSTransactionId:   Directory server transaction ID.

Universally unique transaction identifier assigned by the directory server to identify a single transaction.

EMVPaymentTokenIndicator:   EMV Payment Token Indicator.

A value of true indicates that the transaction was de-tokenised prior to being received by the ACS. This data element will be populated by the system residing in the 3-D Secure domain where the de-tokenization occurs (i.e., the 3DS Server or the DS). The Boolean value of true is the only valid response for this field when it is present. Required in CReq if there is a de-tokenization of an Account Number.

EMVPaymentTokenSource:   EMV Payment Token Source.

Indicates where the payment token was detokenized.

Valid values are:

01 3DS Server
02 DS

This is required to be set if EMVPaymentTokenIndicator is true.

EnableDownloadCardRangeDataFile:   Card Range Data Download Indicator.

Indicates if the 3DS Server supports Card Range Data from a file. This can be set to Yprior to calling RequestCardRanges to indicate that downloading a card range data file is supported.

If the DS supports this functinoality, the response packet (PRes) will include a URL from which the card range data maybe downloaded. The component will automatically download the data from this location and process the card ranges.

Available when MessageVersion is 2.3.1 only.

EncodedSessionData:   Encoded session data that is sent in the challenge request and returned in the challenge response.

This setting holds the encoded version of SessionData after GetChallengeRequest is called. This may be set in the threeDSSessionData form variable in the post made in the challenge window.

When the ACS POSTs the final challenge response to the NotificationURL this setting may be set to the threeDSSessionData form variable value, and SessionData setting may then be queried to return the decoded session data.

EncryptedDeviceInfo:   SDK Encrypted Data.

JWE Object (represented as a string) containing data encrypted by the 3DS SDK. Required for the app-based flow and sent in the AReq when the SendAuthRequest method is called.

ErrorCode:   Code from the last error message.

Code indicating the type of problem identified in the error message.

ErrorDescription:   Description from the last error message.

Text describing the problem identified in the error message.

ErrorDetail:   Additional details from the last error message.

Additional detail regarding the problem identified in the error message.

ExtractRReqServerTransactionId:   Extacts the ServerTransactionId from the RReq packet.

This setting can be used to extract the ServerTransactionId from the RReq packet. This field can then be used to look up details on the transaction prior to parsing the RReq packet using the CheckResponse method. Set this to the received RReq packet data and the ServerTransactionId will be returned from the Config method.

GiftCardAmount:   Total gift card(s) amount.

For prepaid or gift card purchase, the purchase amount total of prepaid or gift card(s) in major units (for example, USD 123.45 is 123).

An element of the Merchant Risk Indicator applicable in AReq messages, which is optional but strongly recommended to include. See the DeliveryEmailAddress configuration setting for the complete list of elements (all available as config settings) comprising the Merchant Risk Indicator.

GiftCardCount:   Total number of gift cards purchased.

For prepaid or gift card purchase, total count of individual prepaid or gift cards/codes purchased.

An element of the Merchant Risk Indicator applicable in AReq messages, which is optional but strongly recommended to include. See the DeliveryEmailAddress configuration setting for the complete list of elements (all available as config settings) comprising the Merchant Risk Indicator.

GiftCardCurrency:   Gift Card Currency.

For prepaid or gift card purchase, the currency code of the card.

An element of the Merchant Risk Indicator applicable in AReq messages, which is optional but strongly recommended to include. See the DeliveryEmailAddress configuration setting for the complete list of elements (all available as config settings) comprising the Merchant Risk Indicator.

IncomingExtensionCount:   The number of extensions received from the directory server.

This setting holds the number of extensions received in the last message from the directory server. The individual extension data can be accessed via the IncomingExtensionId, $rcfgIncomingExtensionName;, IncomingExtensionCritical, and IncomingExtensionData settings.

IncomingExtensionCritical[Index]:   Whether the extension is critical.

This setting specifies whether the recipient must understand the contents of the extension to interpret the entire message.

IncomingExtensionData[Index]:   The extension data as JSON.

This setting specifies the JSON formatted extension data.

IncomingExtensionId[Index]:   The id of the specified extension.

This setting specifies a unique identifier for the extension.

IncomingExtensionName[Index]:   The extension name.

This setting specifies the name of the extension as defined by the extension owner.

IncomingRawExtensions:   The full JSON formatted extension data received from the directory server.

This setting holds the full JSON formatted extension data that was received in the last message from the directory server. This corresponds to the value for the messageExtension JSON object defined in the specification.

InstalmentPaymentData:   Max authorizations permitted for installment payments.

Indicates maximum number of authorizations permitted for installment payments. Required in AReq messages if the Merchant and Cardholder have agree to installment payments (AuthenticationIndicator = 03). Value must be greater than 1.

InteractionCounter:   Interaction Counter.

Indicates the number of authentication cycles attempted by the cardholder. Value to be tracked by the ACS and present in the Results Response Message (RRes).

LogLevel:   Level of logging enabled.

This config specifies the level of logging enabled in the component. Possible values include:

0 (None)No events are logged.
1 (Info - default)Informational events are logged.
2 (Verbose)Detailed data is logged.
3 (Debug)Debug data is logged.
This is set to 1 (Info) by default.
MaskSensitive:   Whether to mask sensitive data in the Log event.

This setting controls whether sensitive data is masked in the Log event. When set to True (default) the CardNumber value will be replaced with the value *************.

Note: DataPacketOut will always contain the raw unmasked value regardless of this setting. This setting only applies to the Log event.

The default value is True.

MessageType:   Type of message that is passed.

This field identifies the type of the message being transmitted.

Possible values include:

AReqAuthentication Request Message
AResAuthentication Response Message
CReqChallenge Request Message
CResChallenge Response Message
PReqPreparation Request Message
PResPreparation Response Message
RReqResults Request Message
RResResults Response Message
ErroError Message

This setting is read-only.

MethodCompletionIndicator:   3DS Method Completion Indicator.

Indicates whether the 3DS Method was successfully completed or not. This is included in the Authorization Request Message (AReq) sent by the SendAuthRequest method. Possible values are:

Y (default)Successfully completed.
NDid not successfully complete.
UUnavailable. 3DS Method URL was not present in the PRes message data for the card range associated with the Cardholder Account Number.
MultiTransactionAcquirerMerchantID:   Acquirer Merchant ID.

Acquirer-assigned Merchant Listed Identifier. Represented in ISO 8583-1 formatting requirements.

MultiTransactionAVNumberUse:   AV Number Use.

Number of times that the AV (Authentication Value) is valid.

MultiTransactionAVValidityTime:   AV Validity Time.

Number of days that the AV (Authentication Value) is valid.

MultiTransactionCount:   The total number of additional transactions specified.

The MultiTransaction configuration settings can be used to specify additional transaction information in case of multiple transactions or merchants. MultiTransactionCount indicates the number of additional transactions specified. Details on these transactions can be set using the following indexed configuration settings:

MultiTransactionMerchantAmount:   Merchant Amount.

Purchase amount for the merchant in minor units of currency with all punctuation removed.

MultiTransactionMerchantCurrencyCode:   Merchant Currency Code.

Currency Code in which purchase Merchant Amount is expressed.

MultiTransactionMerchantCurrencyExponent:   Merchant Currency Exponent.

Minor units of Merchant Currency as specified in the ISO 4217 currency exponent.

MultiTransactionMerchantName:   Merchant Name.

Name of the listed merchant.

MultiTransactionSellerID:   Seller ID.

Merchant-assigned Seller Identifier that links additinal Seller Information outlined in the SellerInfo config.

OutgoingRawExtensions:   The full JSON formatted extension data sent to the directory server.

This setting holds the full JSON formatted extension data that will be included in the next outgoing packet. This corresponds to the value for the messageExtension JSON object defined in the specification.

Note: When sending extension data it is generally recommended to use Extensions instead of this setting.

PaymentAccountAge:   Payment Account Age.

Date that the payment account was enrolled in the cardholder's account with the 3DS Requestor. Accepted date format is YYYYMMDD.

An element of the Cardholder Account Information provided by the 3DS Requestor in AReq messages, which is optional but strongly recommended to include. See the AccountAgeIndicator configuration setting for the complete list of elements (all available as config settings) comprising Cardholder Account Information.

PaymentAccountAgeIndicator:   Payment Account Age Indicator.

Indicates the length of time that the payment account was enrolled in the cardholder's account with the 3DS Requestor.

Possible values are:

01 No account (guest check-out)
02 Created during this transaction
03 Less than 30 days
04 30-60 days
05 More than 60 days

An element of the Cardholder Account Information provided by the 3DS Requestor in AReq messages, which is optional but strongly recommended to include. See the AccountAgeIndicator configuration setting for the complete list of elements (all available as config settings) comprising Cardholder Account Information.

PaymentToken:   EMV Payment Token.

Payment token used to initiate the EMV 3DS transaction.

PaymentTokenAdditionalData:   EMV Payment Token Additional Data.

Additional information about the Payment Token from the Token Service Provider.

PaymentTokenCryptogram:   EMV Payment Token Cryptogram.

A cryptogram, containing a transaction-unique value, typically generated using the Payment Token, Payment Token related data, and transaction data. Cryptogram derivation methods may vary by scenario and may be Payment System-specific.

PaymentTokenStatusIndicator:   EMV Payment Token Status Indicator.

Identifies the current status of the Payment token.

PersistCustomRequestFields:   Whether or not to store custom request fields for subsequent requests.

By default, fields added using the AddRequestField method are used once in the next generated requests and disposed of. When this configuration setting is set to true (false by default), the component will store these fields for use in subsequent requests. The ClearCustomRequestFields can then be used to clear the internal collection.

PreOrderDate:   Expected date pre-ordered purchase will be available.

For a pre-ordered purchase, the expected date that the merchandise will be available. Accepted date format is YYYYMMDD.

An element of the Merchant Risk Indicator applicable in AReq messages, which is optional but strongly recommended to include. See the DeliveryEmailAddress configuration setting for the complete list of elements (all available as config settings) comprising the Merchant Risk Indicator.

PreOrderPurchaseIndicator:   Pre-Order Purchase Indicator.

Indicates whether Cardholder is placing an order for merchandise with a future availability or release date.

Possible values are:

01 Merchandise available
02 Future availability

An element of the Merchant Risk Indicator applicable in AReq messages, which is optional but strongly recommended to include. See the DeliveryEmailAddress configuration setting for the complete list of elements (all available as config settings) comprising the Merchant Risk Indicator.

ProtocolVersion:   Protocol version identifier.

This field indicates the protocol version number of the specification used by the system creating this message.

Possible values are:

2.1.0 (Default)
2.2.0
2.3.1
The message version number is set by the 3DS Server which originates the protocol with the AReq message (when SendAuthRequest is called). The message version number does not change during a 3DS transaction.

RecurringAmount:   Recurring Amount.

Recurring amount in minor units of currency with all punctuation removed.

RecurringAmountIndicator:   Recurring Amount Indicator.

Indicates whether the recurring or installment payment has a fixed or variable amount. Possible values are:

01Fixed Purchase Amount
02Variable Purchase Amount
03-79Reserved for EMVCo future use
80-99Reserved for DS use
RecurringCurrency:   Recurring Currency.

Currency in which the RecurringAmount is expressed.

RecurringDate:   Recurring Date.

Effective date of the new authorized amount following the first/promotional payment in a recurring or installment transaction.

RecurringExponent:   Recurring Currency Exponent.

Minor units of currency as specified in the ISO 4217 currency exponent.

RecurringFrequencyIndicator:   Recurring Frequency Indicator.

Indicates whether the recurring or installment payment has a fixed or variable frequency.

01Fixed Frequency
02Variable or Unknown Frequency
03-79Reserved for EMVCo future use
80-99Reserved for DS use
ReorderItemsIndicator:   Reorder Items Indicator.

Indicates whether the cardholder is reordering previously purchased merchandise.

Possible values are:

01 First time ordered
02 Reordered

An element of the Merchant Risk Indicator applicable in AReq messages, which is optional but strongly recommended to include. See the DeliveryEmailAddress configuration setting for the complete list of elements (all available as config settings) comprising the Merchant Risk Indicator.

ReportCardRangeError:   Report a Card Range Error to the DS.

This configuration setting can be used to actively report a card range error to the directory server. When set, the component will send an appropriate error packet (Erro) to the DirectoryServerURL.

When MessageVersion is 2.3.1, a reason can be provided. Possible values are:

1Overlap in the card ranges provided by the DS in the PRes message.
2Action is not possible for the card range.
When MessageVersion is not 2.3.1, this can be set to any integer value and a generic card range error will be transmitted.

ReqAuthCount:   Number of 3DS Requestor Authentication Data objects.

The ReqAuth* configuration settings can be used to specify information about how the 3DS Requestor authenticated the Cardholder before or during the transaction. ReqAuthCount indicates the number of pieces of 3DS Requestor Authentication Information are specified, details of which can be set using the following indexed configuration settings:

When MessageVersion is 2.3.1 up to 3 entries can be specified. For previous versions this is limited to 1.
ReqAuthData[Index]:   3DS Requestor Authentication Data.

Data that documents and supports a specific authentication process. In the current version of the specification, this data element is not defined in detail, however the intention is that for each 3DS Requestor Authentication Method, this field carry data that the ACS can use to verify the authentication process.

Part of the 3DS Requestor Authentication Information which contains optional information about how the cardholder authenticated during login to their 3DS Requestor account.

This is an indexed configuration setting, set using an index between 0 and ReqAuthCount - 1.

ReqAuthMethod[Index]:   3DS Requestor Authentication Method.

Method used by the Cardholder to authenticate to the 3DS Requestor.

Part of the 3DS Requestor Authentication Information which contains optional information about how the cardholder authenticated during login to their 3DS Requestor account.

Possible values are:

01 No 3DS Requestor authentication occurred (i.e. cardholder "logged in" as guest)
02 Login to the cardholder account at the 3DS Requestor system using 3DS Requestor's own credentials
03 Login to the cardholder account at the 3DS Requestor system using federated ID
04 Login to the cardholder account at the 3DS Requestor system using issuer credentials
05 Login to the cardholder account at the 3DS Requestor system using third-party authentication
06 Login to the cardholder account at the 3DS Requestor system using FIDO Authenticator
07 Login to the cardholder account at the 3DS Requestor system using FIDO Authenticator (FIDO Assertion or Attestation data signed)
08 SRC Assurance Data
09 SPC Authentication
10 Electronic ID Authentication Data
11-79 Reserved for EMVCo future use (values invalid until defined by EMVCo)
80-99 Reserved for future DS use

This is an indexed configuration setting, set using an index between 0 and ReqAuthCount - 1.

ReqAuthTimestamp[Index]:   3DS Requestor Authentication Timestamp.

Date and time in UTC of the cardholder authentication. Accepted date format is YYYYMMDDHHMM.

Part of the 3DS Requestor Authentication Information which contains optional information about how the cardholder authenticated during login to their 3DS Requestor account.

This is an indexed configuration setting, set using an index between 0 and ReqAuthCount - 1.

RequestorChallengeInd:   3DS Requestor Challenge Indicator.

Indicates whether a challenge is requested for this transaction. For example: For MessageCategory 01 (PA), a 3DS Requestor may have concerns about the transaction, and request a challenge. For 02 (NPA), a challenge may be necessary when adding a new card to a wallet. Allows 3DS Requestor to request a challenge such as to follow local/regional mandates or other variables.

Possible values are:

01 No preference
02 No challenge requested
03 Challenge requested: 3DS Requestor Preference
04 Challenge requested: Mandate
05 No challenge requested (transactional risk analysis is already performed). Valid for MessageVersion 2.2.0 and 2.3.1 only
06 No challenge requested (data share only). Valid for MessageVersion 2.2.0 and 2.3.1 only
07 No challenge requested (strong consumer authentication is already performed). Valid for MessageVersion 2.2.0 and 2.3.1 only
08 No challenge requested (utilize Trust List exemption if no challenge required). Valid for MessageVersion 2.2.0 and 2.3.1 only
09 Challenge requested (Trust List prompt requested if challenge required). Valid for MessageVersion 2.2.0 and 2.3.1 only
10 No challenge requested (utilize low value exemption). Valid for MessageVersion 2.3.1 only
11 No challenge requested (Secure corporate payment exemption). Valid for MessageVersion 2.3.1 only
12 Challenge requested (Device Binding prompt requested if challegnge required). Valid for MessageVersion 2.3.1 only
13 Challenge requested (Issuer requested). Valid for MessageVersion 2.3.1 only
14 Challenge requested (Merchant initiated transactions). Valid for MessageVersion 2.3.1 only
15-79 Reserved for EMVCo future use (values invalid until defined by EMVCo)
80-99 Reserved for DS use

If not provided, the ACS action would be identical to 01 (no preference).

ResendRequestCardRanges:   Whether or not to resend the card ranges request.

If an error is identified with the card range data received from the directory server when calling the RequestCardRanges method, this configuration setting will be true, indicating that the request should be resent. When resending, if SerialNumber was specified for the initial request, it should be set to an empty string before calling RequestCardRanges again. Otherwise, the request can be sent without the serial number again, but the server may respond with an error due to multiple requests within an hour.

SdkAppId:   SDK App ID.

Universally unique ID created upon all installations of the 3DS Requestor App on a Consumer Device. This will be newly generated and stored by the 3DS SDK for each installation.

SdkAuthenticationType:   SDK Authentication Type.

Authentication methods preferred by the 3DS SDK in order of preference. A comma separated list of the following possible values:

01Static Passcode
02SMS OTP
03Key fob or EMV card reader OTP
04App OTP
05OTP Other
06KBA
07OOB Biometrics
08OOB Login
09OOB Other
10Other
11Push Notification
SDKEphemeralPublicKey:   Public key component of the ephemeral key pair generated by the Client.

This setting holds the public key used to establish session keys between the 3DS SDK and ACS.

SDKMaxTimeout:   SDK Maximum Timeout.

Indicates the maximum amount of time (in minutes) for all exchanges. Included in the Authorization Request Message (AReq) sent to the directory server via the SendAuthRequest method. A value of 5 minutes is used by default. SDK Maximum Timeout.

Indicates the maximum amount of time (in minutes) for all exchanges. Included in the Authorization Request Message (AReq) sent to the directory server via the SendAuthRequest method. A value of 5 minutes is used by default.

SDKMaxTimeout:   SDK Maximum Timeout.

Indicates the maximum amount of time (in minutes) for all exchanges. Included in the Authorization Request Message (AReq) sent to the directory server via the SendAuthRequest method. A value of 5 minutes is used by default. SDK Maximum Timeout.

Indicates the maximum amount of time (in minutes) for all exchanges. Included in the Authorization Request Message (AReq) sent to the directory server via the SendAuthRequest method. A value of 5 minutes is used by default.

SDKReferenceNumber:   Assigned SDK reference number.

This setting specifies the SDK reference number assigned by EMVCo when the 3DS SDK is approved.

SDKServerSignedContent:   SDK Server Signed Content.

Contains the JWS object (represented as a string) created by the Split-SDK Server for the AReq message.

SDKTransactionId:   SDK Transaction ID.

Universally unique transaction identifier assigned by the 3DS SDK to identify a single transaction.

SDKWrapped:   Default-SDK Wrapped Indicator.

Set to Y to indicate if the Default-SDK is embedded as a wrapped component in the 3DS Requestor App.

SellerInfo:   Seller Information.

Contains details of each seller involved in the transaction. This is specified as a JSON array of objects containing the following fields:

sellerNameName of the Seller
sellerIdMerchant-assigned Seller identifier
sellerBusinessNameBusiness Name of the Seller
sellerAccDateDate converted into UTC that the Seller started using the Merchant's services.
sellerAddrLine1First line of the business or contact street address of the Seller
seerAddrLine2Second line of the business or contact street address of the Seller
sellerAddrLine3Third line of the business or contact street address of the Seller
sellerAddrCityBusiness or contact city of the Seller
sellerAddrStateBusiness or contact state or province of the Seller
sellerAddrPostCodeBusiness or contact ZIP or other postal code of the seller
sellerAddrCountryBusiness or contact country of the Seller
sellerEmailBusiness or contact email address of the Seller
sellerPhoneBusiness or contact phone number of the Seller
ServerOperatorId:   3DS Server identifier.

Directory server assigned 3DS Server identifier. This may be assigned by a directory server. If this is assigned it should be set here.

SessionData:   Session data that is sent in the challenge request and returned in the challenge response.

This setting specifies session information that may be used to associate the notification of challenge completion with the original transaction. This may be set before calling GetChallengeRequest.

When the ACS POSTs the final challenge response to the NotificationURL the EncodedSessionData may be set to the threeDSSessionData form variable value, and this setting may then be queried to return the decoded session data.

ShipAddressUsageDate:   Shipping address first usage date.

Date when the shipping address used for this transaction was first used with the 3DS Requestor. Accepted date format is YYYYMMDD.

An element of the Cardholder Account Information provided by the 3DS Requestor in AReq messages, which is optional but strongly recommended to include. See the AccountAgeIndicator configuration setting for the complete list of elements (all available as config settings) comprising Cardholder Account Information.

ShipAddressUsageIndicator:   Shipping address usage indicator.

Indicates the length of time since the shipping address used for this transaction was first used with the 3DS Requestor.

Possible values are:

01 This transaction
02 Less than 30 days
03 30-60 days
04 More than 60 days

An element of the Cardholder Account Information provided by the 3DS Requestor in AReq messages, which is optional but strongly recommended to include. See the AccountAgeIndicator configuration setting for the complete list of elements (all available as config settings) comprising Cardholder Account Information.

ShipIndicator:   Shipping method indicator.

Indicates shipping method chosen for the transaction. Merchants must choose the Shipping Indicator code that most accurately describes the cardholder's specific transaction, not their general business. If one or more items are included in the sale, the Shipping Indicator code for the physical goods is used, or if all digital goods, the Shipping Indicator code that describes the most expensive item.

Possible values are:

01 Ship to cardholder's billing address
02 Ship to another verified address on file with merchant
03 Ship to address that is different than the cardholder's billing address
04 "Ship to Store" / Pick-up at local store (Store address shall be populated in shipping address fields)
05 Digital goods (includes online services, electronic gift cards and redemption codes)
06 Travel and Event tickets, not shipped
07 Other (for example, Gaming, digital services not shipped, emedia subscriptions, etc.)
08 Pick-up and go delivery
09 Locker delivery (or other automated pick-up)

An element of the Merchant Risk Indicator applicable in AReq messages, which is optional but strongly recommended to include. See the DeliveryEmailAddress configuration setting for the complete list of elements (all available as config settings) comprising the Merchant Risk Indicator.

ShipNameIndicator:   Shipping Name Indicator.

Indicates if the Cardholder Name on the account is identical to the shipping Name used for this transaction.

Possible values are:

01 Account Name identical to shipping Name
02 Account Name different than shipping Name

An element of the Cardholder Account Information provided by the 3DS Requestor in AReq messages, which is optional but strongly recommended to include. See the AccountAgeIndicator configuration setting for the complete list of elements (all available as config settings) comprising Cardholder Account Information.

SPCIncompletionIndicator:   SPC Incompletion Indicator.

Reason that the SPC authentication was not completed. Possible values are:

01SPC did not run or did not successfully complete
02Cardholder cancelled the SPC authentication
03SPC timed out
04-99Reserved for EMVCo future use
SPCTransactionAdditionalData:   SPC Transaction Additional Data.

For SPC API enhancement, to be defined in a future 3DS specification release.

SPCTransactionChallenge:   SPC Transaction Challenge.

Random string generated by the ACS to prevent replay attacks.

SPCTransactionChallengeInfoText:   SPC Transaction Challenge Information Text.

Text provided by the ACS to be displayed during the SPC authentication.

SPCTransactionCurrency:   SPC Transaction Currency.

Transaction amount currency to be displayed during the SPC authentication. In ISO 4217 three-character alphabetic format.

SPCTransactionDisplayName:   SPC Transaction Display Name.

Card or product name (Payment Instrument) to be displayed during the SPC authentication.

SPCTransactionExtensionIndicator:   SPC Transaction WebAuthn SPC Extension Indicator.

For SPC and WebAuthn API enhancement.

SPCTransactionIcon:   SPC Transaction Icon.

Card image (Payment Instrument) URL or Data URL to be displayed during the SPC authentication.

SPCTransactionIssuerImage:   SPC Transaction Issuer Default Image.

Default Issuer logo or image URL or Data URL to be displayed during the SPC authentication.

SPCTransactionIssuerImageDark:   SPC Transaction Issuer Dark Mode Image.

Dark mode Issuer logo or image URL or Data URL to be displayed during the SPC authentication.

SPCTransactionIssuerImageMonochrome:   SPC Transaction Issuer Monochrome Image.

Monochrome Issuer logo or image URL or Data URL to be displayed during the SPC authentication.

SPCTransactionPayeeName:   SPC Transaction Payee Name.

The display name of the payee that this SPC call is for (e.g. the merchant). Matches the Merchant Name from the AReq message.

SPCTransactionPayeeOrigin:   SPC Transaction Payee Origin.

The origin of the payee that this SPC call is for (e.g. the merchant).

SPCTransactionPSImage:   SPC Transaction Payment System Default Image.

Default Default Payment System logo or image URL to be displayed during the SPC authentication.

SPCTransactionPSImageDark:   SPC Transaction Payment System Dark Mode Image.

Dark mode Payment System logo or image URL to be displayed during the SPC authentication.

SPCTransactionPSImageMonochrome:   SPC Transaction Payment System Monochrome Image.

Monochrome Payment System logo or image URL to be displayed during the SPC authentication.

SPCTransactionTimeout:   SPC Transaction Transaction Timeout.

The number of milliseconds before the request to sign the transaction details times out.

SPCTransactionValue:   SPC Transaction Value.

Transaction amount as a decimal value to be displayed during the SPC authentication.

SplitSDKLimited:   Limited Split-SDK Indicator.

Set to Y to indicate if the Split-SDK client has limited capabilities.

SplitSDKVariant:   Split-SDK Variant.

Indicates the implementation characteristics of the Split-SDK client. Possible values are:

01Native Client
02Browser
03Shell
StoreCardRangeData:   Whether or not to store the card ranges in the CardRanges collection.

Indicates whether or not the component should store card ranges in the internal CardRanges collection after the RequestCardRanges method completes. When False, the card range data will only be available via the CardRange event. This can be useful in limiting memory usage of the component, especially when large amounts of ranges are returned.

The default value is True.

SuspiciousAccountActivity:   Suspicious account activity indicator.

Indicates whether the 3DS Requestor has experienced suspicious activity (including previous fraud) on the cardholder account.

Possible values are:

01 No suspicious activity has been observed
02 Suspicious activity has been observed

An element of the Cardholder Account Information provided by the 3DS Requestor in AReq messages, which is optional but strongly recommended to include. See the AccountAgeIndicator configuration setting for the complete list of elements (all available as config settings) comprising Cardholder Account Information.

TaxId:   Tax ID.

Cardholder's tax identification.

ThreeDSMethodId:   3DS Method ID.

Contains the 3DS Server Transaction ID used during the previous execution of the 3DS method. Required is the 3DS Requestor reuses previous 3DS Method execution.

ThreeDSRequestorSpcSupport:   3DS Requestor SPC Support.

Set to True to indicate that the 3DS Requestor supports SPC authentication.

ThreeRIIndicator:   3RI Indicator.

Indicates the type of 3RI request. This data element provides additional information to the ACS to determine the best approach for handing a 3RI request. Included in the Authorization Request Message (ARes) sent by the SendAuthRequest. Valid when DeviceChannel is set to "03," indicating 3RI.

Possible values are:

01Recurring transaction
02Installment transaction
03Add card
04Maintain card information
05Account verification
06Split shipment
07Top-up
08Mail Order
09Telephone Order
10Trust List status check
11Other payment
12Billing Agreement
13Device Binding status check
14Card Security Code status check
15Delayed shipment
16Split payment
17FIDO credential deletion
18FIDO credential registration
19Decoupled authentication fallback
20-79Reserved for EMVCo future use
80-99Reserved for DS use
Values of 06-11 are only applicable when MessageVersion is > 2.2.0. Values of 12-14 are only applicable when MessageVersion is 2.3.1.

TransactionChallengeExemption:   Transaction Challenge Exemption.

Exemption applied by the ACS to authenticate the transaction without requesting a challenge.

05Transaction Risk Analysis exemption
08Trust List exemption
10Low Value exemption
11Secure Corporate Payments exemption
79No exemption applied
01-04, 06, 07, 09, and 12-78Reserved for EMVCo future use
80-99Reserved for DS use
TransactionCharacteristics:   Transaction Characteristics.

Indicates to the ACS specific transactions identified by the Merchant.

Multiple values can be or-ed together to support multiple types. Possible values are:

1Cryptocurrency transaction
2NFT transaction

TransactionStatusReason:   Reason for value of TransactionStatus.

Provides information on why the Transaction Status field has the specified value. For MessageCategory 01 (PA), always included when TransactionStatus = N, U, or R. For MessageCategory 02 (NPA), as defined by the DS.

Possible values are:

01 Card authentication failed
02 Unknown device
03 Unsupported device
04 Exceeds authentication frequency limit
05 Expired card
06 Invalid card number
07 Invalid transaction
08 No Card record
09 Security failure
10 Stolen card
11 Suspected fraud
12 Transaction not permitted to cardholder
13 Cardholder not enrolled in service
14 Transaction timed out at the ACS
15 Low confidence
16 Medium confidence
17 High confidence
18 Very high confidence
19 Exceeds ACS maximum challenges
20 Non-Payment transaction non supported
21 3RI transaction not supported
22 ACS technical issue
23 Decoupled Authentication required by ACS but not requested by 3DS Requestor
24 3DS Requestor Decoupled Max Expiry Time exceeded
25 Decoupled Authentication was provided insufficient time to authenticate cardholder. ACS will not make attempt
26 Authentication attempted but not performed by the cardholder
27 Preferred Authentication Method not supported
28 Validation of content security policy failed
29 Authentication attempted but not completed by the Cardholder. Fall back to Decoupled Authentication
30 Authentication completed successfully but additional authentication of the Cardholder required. Reinitiate as Decoupled Authentication
31-79 Reserved for future EMVCo use (values invalid until defined by EMVCo)
80-99 Reserved for DS use

TransactionStatusReasonInfo:   Transaction Status Reason Information.

Provides additional information on the TransactionStatusReason.

TransactionType:   Transaction Type.

Identifies the type of transaction being authenticated. This field is required in AReq messages in some markets (e.g. for Merchants in Brazil). Otherwise, optional.

Possible values (derived from ISO Standard) are:

01 Goods/ Service Purchase
03 Check Acceptance
10 Account Funding
11 Quasi-Cash Transaction
28 Prepaid Activation and Load

TrustListStatus:   Trust List Status.

Enables the communication of trust list status between the ACS, the DS and the 3DS Requestor.

Y 3DS Requestor is trust listed by cardholder
N 3DS Requestor is not trust listed by cardholder
E Not eligible as determined by issuer
P Pending confirmation by cardholder
R Cardholder rejected
U Trust list status unknown, unavailable, or does not apply

This may be set prior to calling the SendAuthRequest method. In this case, only values of Y or N are valid. This may also be set when the Authentication Response message or Results Request messages are received, and will be set to the values received from the Directory Server.

TrustListStatusSource:   Trust List Status Source.

This data element will be populated by the system providing the Trust List Status. If TrustListStatus is set prior to calling the SendAuthRequest method, this will automatically be included in the outgoing request with a value of 01. When incoming packets include this field, this setting will contain the parsed value. Possible values are:

01 3DS Server
02 DS
03 ACS
04-79 Reserved for EMVCo future use
08-99 Reserved for DS use
This setting is read-only.
UseAESGCM:   Whether or not to use AESGCM as the encryption algorithm.

By default, the component will use JWS_ENC_ALG_ID_A128CBC_HS256AES when encrypting packets to send to the ACS. Setting this to true will instruct the component to use JWE_ENC_ALG_ID_A128GCM instead.

UseJsonDOM:   Whether or not the component should build an internal DOM when parsing card ranges.

When the RequestCardRanges method is called, by default the component will construct an internal DOM (Document Object Model) when parsing the returned data. When set to False, this will instruct the component not to build this model, which can be useful in limiting memory usage of the component, especially when large amounts of ranges are returned.

The default value is True. Note that when False, the XPath settings will not be available.

WebAuthnCredentialListCount:   The total number of WebAuthen Credentials.

The WebAuthnCredentialList configuration settings can be used to access a list of enrolled FIDO credentials (WebAuthn Credentials) associated with the Cardholder Account Number as returned from the ACS in the ARes packet. WebAuthnCredentialListCount indicates the number of credentials specified. The Relying Party ID and Credential for each can be set using the following indexed configuration settings:

This data is only available when MessageVersion is 2.3.1, and only when the TransactionStatus is S.
WebAuthnCredentialListRelyingPartyId:   WebAuthn Credential List: Relying Party ID.

The Relying Party ID for the WebAuthn credential.

WebAuthnCredentialListWebAuthnCredential:   WebAuthn Credential List: WebAuthn Credential.

WebAuthn Credential.

WhitelistStatus:   Whitelist Status.

Enables the communication of trusted beneficiary/whitelist status between the ACS, the DS and the 3DS Requestor.

Y 3DS Requestor is whitelisted by cardholder
N 3DS Requestor is not whitelisted by cardholder
E Not eligible as determined by issuer
P Pending confirmation by cardholder
R Cardholder rejected
U Whitelist status unknown, unavailable, or does not apply

This may be set prior to calling the SendAuthRequest method. In this case, only values of Y or N are valid. This may also be set when the Authentication Response message or Results Request messages are received, and will be set to the values received from the Directory Server.

WhitelistStatusSource:   Whitelist Status Source.

The system setting the Whitelist Status. When setting WhitelistStatus prior to calling the SendAuthRequest method, this should be set to 01. Possible values are:

01 3DS Server
02 DS
03 ACS
04-79 Reserved for EMVCo future use
08-99 Reserved for DS use
XChildCount:   The number of child elements of the current element.

This configuration settings specifies the number of child attributes of the current element. The XChild configuration settings will be indexed from 0 to (XChildCount - 1).

The current element is specified through the XPath configuration setting. This configuration setting is read-only.

XChildName[i]:   The name of the child element.

This configuration setting provides the name of the i-th child element of the current element.

The current element is specified through the XPath configuration setting. This configuration setting is read-only.

XChildXText[i]:   The inner text of the child element.

This configuration setting provides the inner text of the i-th child element of the current element.

The current element is specified through the XPath configuration setting. This configuration setting is read-only.

XElement:   The name of the current element.

This configuration setting provides the name of the current element.

The current element is specified through the XPath configuration setting. This configuration setting is read-only.

XParent:   The parent of the current element.

This configuration setting provides the parent of the current element.

The current element is specified through the XPath configuration setting. This configuration setting is read-only.

XPath:   Provides a way to point to a specific element in the returned XML or JSON response.

The XPath setting allows you to point to specific elements in the XML or JSON response.

When XPath is set to a valid path, XElement points to the name of the element, with XText, XParent, XSubTree, XChildCount, XChildName[i], and XChildXText[i] providing other properties of the element.

XPath syntax is available for both XML and JSON documents. An XPath is a series of one or more element accessors separated by the / character, for example, /A/B/C/D. An XPath can be absolute (i.e., it starts with /), or it can be relative to the current XPath location.

The following are possible values for an element accessor, which operates relative to the current location specified by the XPath accessors, which proceed it in the overall XPath string:

Accessor Description
name The first element with a particular name. Can be *.
[i] The i-th element.
name[i] The i-th element with a particular name.
[last()] The last element.
[last()-i] The element i before the last element.
name[@attrname="attrvalue"]The first element with a particular name that contains the specified attribute-value pair.

Supports single and double quotes. (XML Only)

. The current element.
.. The parent element.
Note: XPath indices are 1-based.

For example, assume the following XML and JSON responses.

XML:

<firstlevel>
  <one>value</one>
  <two>
    <item>first</item>
    <item>second</item>
  </two>
  <three>value three</three>
</firstlevel>

JSON:

{
  "firstlevel": {
    "one": "value",
    "two": ["first", "second"],
    "three": "value three"
  }
}

The following are examples of valid XPaths for these responses:

DescriptionXML XPath JSON XPath
Document root / /json
Specific element /firstlevel/one /json/firstlevel/one
i-th child /firstlevel/two/item[2]/json/firstlevel/two/[2]

This list is not exhaustive, but it provides a general idea of the possibilities.

XSubTree:   A snapshot of the current element in the document.

This configuration setting provides the entirety of the current element (including its subelements).

The current element is specified through the XPath configuration setting. This configuration setting is read-only.

XText:   The text of the current element.

This configuration setting provides the inner text of the current element.

The current element is specified in the XPath configuration setting. This configuration setting is read-only.

SSL Config Settings

LogSSLPackets:   Controls whether SSL packets are logged when using the internal security API.

When SSLProvider is set to Internal, this configuration setting controls whether Secure Sockets Layer (SSL) packets should be logged. By default, this configuration setting is False, as it is useful only for debugging purposes.

When enabled, SSL packet logs are output using the SSLStatus event, which will fire each time an SSL packet is sent or received.

Enabling this configuration setting has no effect if SSLProvider is set to Platform.

OpenSSLCADir:   The path to a directory containing CA certificates.

This functionality is available only when the provider is OpenSSL.

The path set by this property should point to a directory containing CA certificates in PEM format. The files each contain one CA certificate. The files are looked up by the CA subject name hash value, which must hence be available. If more than one CA certificate with the same name hash value exist, the extension must be different (e.g., 9d66eef0.0, 9d66eef0.1). OpenSSL recommends the use of the c_rehash utility to create the necessary links. Please refer to the OpenSSL man page SSL_CTX_load_verify_locations(3) for details.

OpenSSLCAFile:   Name of the file containing the list of CA's trusted by your application.

This functionality is available only when the provider is OpenSSL.

The file set by this property should contain a list of CA certificates in PEM format. The file can contain several CA certificates identified by the following sequences:

-----BEGIN CERTIFICATE-----

... (CA certificate in base64 encoding) ...

-----END CERTIFICATE-----

Before, between, and after the certificate text is allowed, which can be used, for example, for descriptions of the certificates. Refer to the OpenSSL man page SSL_CTX_load_verify_locations(3) for details.

OpenSSLCipherList:   A string that controls the ciphers to be used by SSL.

This functionality is available only when the provider is OpenSSL.

The format of this string is described in the OpenSSL man page ciphers(1) section "CIPHER LIST FORMAT". Please refer to it for details. The default string "DEFAULT" is determined at compile time and is normally equivalent to "ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH".

OpenSSLPrngSeedData:   The data to seed the pseudo random number generator (PRNG).

This functionality is available only when the provider is OpenSSL.

By default, OpenSSL uses the device file "/dev/urandom" to seed the PRNG, and setting OpenSSLPrngSeedData is not required. If set, the string specified is used to seed the PRNG.

ReuseSSLSession:   Determines if the SSL session is reused.

If set to True, the class will reuse the context if and only if the following criteria are met:

  • The target host name is the same.
  • The system cache entry has not expired (default timeout is 10 hours).
  • The application process that calls the function is the same.
  • The logon session is the same.
  • The instance of the class is the same.

SSLCACertFilePaths:   The paths to CA certificate files on Unix/Linux.

This configuration setting specifies the paths on disk to CA certificate files on Unix/Linux.

The value is formatted as a list of paths separated by semicolons. The class will check for the existence of each file in the order specified. When a file is found, the CA certificates within the file will be loaded and used to determine the validity of server or client certificates.

The default value is as follows:

/etc/ssl/ca-bundle.pem;/etc/pki/tls/certs/ca-bundle.crt;/etc/ssl/certs/ca-certificates.crt;/etc/pki/tls/cacert.pem

SSLCACerts:   A newline separated list of CA certificates to be included when performing an SSL handshake.

When SSLProvider is set to Internal, this configuration setting specifies one or more CA certificates to be included with the SSLCert property. Some servers or clients require the entire chain, including CA certificates, to be presented when performing SSL authentication. The value of this configuration setting is a newline-separated (CR/LF) list of certificates. For instance:

-----BEGIN CERTIFICATE-----
MIIEKzCCAxOgAwIBAgIRANTET4LIkxdH6P+CFIiHvTowDQYJKoZIhvcNAQELBQAw
... Intermediate Cert ...
eWHV5OW1K53o/atv59sOiW5K3crjFhsBOd5Q+cJJnU+SWinPKtANXMht+EDvYY2w
F0I1XhM+pKj7FjDr+XNj
-----END CERTIFICATE-----
\r \n
-----BEGIN CERTIFICATE-----
MIIEFjCCAv6gAwIBAgIQetu1SMxpnENAnnOz1P+PtTANBgkqhkiG9w0BAQUFADBp
... Root Cert ...
d8q23djXZbVYiIfE9ebr4g3152BlVCHZ2GyPdjhIuLeH21VbT/dyEHHA
-----END CERTIFICATE-----

SSLCheckCRL:   Whether to check the Certificate Revocation List for the server certificate.

This configuration setting specifies whether the class will check the Certificate Revocation List (CRL) specified by the server certificate. If set to 1 or 2, the class will first obtain the list of CRL URLs from the server certificate's CRL distribution points extension. The class will then make HTTP requests to each CRL endpoint to check the validity of the server's certificate. If the certificate has been revoked or any other issues are found during validation the class fails with an error.

When set to 0 (default), the CRL check will not be performed by the class. When set to 1, it will attempt to perform the CRL check, but it will continue without an error if the server's certificate does not support CRL. When set to 2, it will perform the CRL check and will throw an error if CRL is not supported.

This configuration setting is supported only in the Java, C#, and C++ editions. In the C++ edition, it is supported only on Windows operating systems.

SSLCheckOCSP:   Whether to use OCSP to check the status of the server certificate.

This configuration setting specifies whether the class will use OCSP to check the validity of the server certificate. If set to 1 or 2, the class will first obtain the Online Certificate Status Protocol (OCSP) URL from the server certificate's OCSP extension. The class will then locate the issuing certificate and make an HTTP request to the OCSP endpoint to check the validity of the server's certificate. If the certificate has been revoked or any other issues are found during validation, the class fails with an error.

When set to 0 (default), the class will not perform an OCSP check. When set to 1, it will attempt to perform the OCSP check, but it will continue without an error if the server's certificate does not support OCSP. When set to 2, it will perform the OCSP check and will throw an error if OCSP is not supported.

This configuration setting is supported only in the Java, C#, and C++ editions. In the C++ edition, it is supported only on Windows operating systems.

SSLCipherStrength:   The minimum cipher strength used for bulk encryption.

This minimum cipher strength is largely dependent on the security modules installed on the system. If the cipher strength specified is not supported, an error will be returned when connections are initiated.

Note: This configuration setting contains the minimum cipher strength requested from the security library. The actual cipher strength used for the connection is shown by the SSLStatus event.

Use this configuration setting with caution. Requesting a lower cipher strength than necessary could potentially cause serious security vulnerabilities in your application.

When the provider is OpenSSL, SSLCipherStrength is currently not supported. This functionality is instead made available through the OpenSSLCipherList configuration setting.

SSLClientCACerts:   A newline separated list of CA certificates to use during SSL client certificate validation.

This configuration setting is only applicable to server components (e.g., TCPServer) see SSLServerCACerts for client components (e.g., TCPClient). This setting can be used to optionally specify one or more CA certificates to be used when verifying the client certificate that is presented by the client during the SSL handshake when SSLAuthenticateClients is enabled. When verifying the client's certificate, the certificates trusted by the system will be used as part of the verification process. If the client's CA certificates are not installed to the trusted system store, they may be specified here so they are included when performing the verification process. This configuration setting should be set only if the client's CA certificates are not already trusted on the system and cannot be installed to the trusted system store.

The value of this configuration setting is a newline-separated (CR/LF) list of certificates. For instance:

-----BEGIN CERTIFICATE-----
MIIEKzCCAxOgAwIBAgIRANTET4LIkxdH6P+CFIiHvTowDQYJKoZIhvcNAQELBQAw
... Intermediate Cert ...
eWHV5OW1K53o/atv59sOiW5K3crjFhsBOd5Q+cJJnU+SWinPKtANXMht+EDvYY2w
F0I1XhM+pKj7FjDr+XNj
-----END CERTIFICATE-----
\r \n
-----BEGIN CERTIFICATE-----
MIIEFjCCAv6gAwIBAgIQetu1SMxpnENAnnOz1P+PtTANBgkqhkiG9w0BAQUFADBp
... Root Cert ...
d8q23djXZbVYiIfE9ebr4g3152BlVCHZ2GyPdjhIuLeH21VbT/dyEHHA
-----END CERTIFICATE-----

SSLEnabledCipherSuites:   The cipher suite to be used in an SSL negotiation.

This configuration setting enables the cipher suites to be used in SSL negotiation.

By default, the enabled cipher suites will include all available ciphers ("*").

The special value "*" means that the class will pick all of the supported cipher suites. If SSLEnabledCipherSuites is set to any other value, only the specified cipher suites will be considered.

Multiple cipher suites are separated by semicolons.

Example values when SSLProvider is set to Platform include the following: obj.config("SSLEnabledCipherSuites=*"); obj.config("SSLEnabledCipherSuites=CALG_AES_256"); obj.config("SSLEnabledCipherSuites=CALG_AES_256;CALG_3DES"); Possible values when SSLProvider is set to Platform include the following:

  • CALG_3DES
  • CALG_3DES_112
  • CALG_AES
  • CALG_AES_128
  • CALG_AES_192
  • CALG_AES_256
  • CALG_AGREEDKEY_ANY
  • CALG_CYLINK_MEK
  • CALG_DES
  • CALG_DESX
  • CALG_DH_EPHEM
  • CALG_DH_SF
  • CALG_DSS_SIGN
  • CALG_ECDH
  • CALG_ECDH_EPHEM
  • CALG_ECDSA
  • CALG_ECMQV
  • CALG_HASH_REPLACE_OWF
  • CALG_HUGHES_MD5
  • CALG_HMAC
  • CALG_KEA_KEYX
  • CALG_MAC
  • CALG_MD2
  • CALG_MD4
  • CALG_MD5
  • CALG_NO_SIGN
  • CALG_OID_INFO_CNG_ONLY
  • CALG_OID_INFO_PARAMETERS
  • CALG_PCT1_MASTER
  • CALG_RC2
  • CALG_RC4
  • CALG_RC5
  • CALG_RSA_KEYX
  • CALG_RSA_SIGN
  • CALG_SCHANNEL_ENC_KEY
  • CALG_SCHANNEL_MAC_KEY
  • CALG_SCHANNEL_MASTER_HASH
  • CALG_SEAL
  • CALG_SHA
  • CALG_SHA1
  • CALG_SHA_256
  • CALG_SHA_384
  • CALG_SHA_512
  • CALG_SKIPJACK
  • CALG_SSL2_MASTER
  • CALG_SSL3_MASTER
  • CALG_SSL3_SHAMD5
  • CALG_TEK
  • CALG_TLS1_MASTER
  • CALG_TLS1PRF
Example values when SSLProvider is set to Internalinclude the following: obj.config("SSLEnabledCipherSuites=*"); obj.config("SSLEnabledCipherSuites=TLS_DHE_DSS_WITH_AES_128_CBC_SHA"); obj.config("SSLEnabledCipherSuites=TLS_DHE_DSS_WITH_AES_128_CBC_SHA;TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"); Possible values when SSLProvider is set to Internal include the following:
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_DES_CBC_SHA
  • TLS_DHE_RSA_WITH_DES_CBC_SHA
  • TLS_DHE_DSS_WITH_DES_CBC_SHA
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_RC4_128_SHA

When TLS 1.3 is negotiated (see SSLEnabledProtocols), only the following cipher suites are supported:

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256

SSLEnabledCipherSuites is used together with SSLCipherStrength.

SSLEnabledProtocols:   Used to enable/disable the supported security protocols.

This configuration setting is used to enable or disable the supported security protocols.

Not all supported protocols are enabled by default. The default value is 4032 for client components, and 3072 for server components. To specify a combination of enabled protocol versions set this config to the binary OR of one or more of the following values:

TLS1.312288 (Hex 3000)
TLS1.23072 (Hex C00) (Default - Client and Server)
TLS1.1768 (Hex 300) (Default - Client)
TLS1 192 (Hex C0) (Default - Client)
SSL3 48 (Hex 30)
SSL2 12 (Hex 0C)

Note that only TLS 1.2 is enabled for server components that accept incoming connections. This adheres to industry standards to ensure a secure connection. Client components enable TLS 1.0, TLS 1.1, and TLS 1.2 by default and will negotiate the highest mutually supported version when connecting to a server, which should be TLS 1.2 in most cases.

SSLEnabledProtocols: Transport Layer Security (TLS) 1.3 Notes:

By default when TLS 1.3 is enabled, the class will use the internal TLS implementation when the SSLProvider is set to Automatic for all editions.

In editions that are designed to run on Windows, SSLProvider can be set to Platform to use the platform implementation instead of the internal implementation. When configured in this manner, please note that the platform provider is supported only on Windows 11/Windows Server 2022 and up. The default internal provider is available on all platforms and is not restricted to any specific OS version.

If set to 1 (Platform provider), please be aware of the following notes:

  • The platform provider is available only on Windows 11/Windows Server 2022 and up.
  • SSLEnabledCipherSuites and other similar SSL configuration settings are not supported.
  • If SSLEnabledProtocols includes both TLS 1.3 and TLS 1.2, these restrictions are still applicable even if TLS 1.2 is negotiated. Enabling TLS 1.3 with the platform provider changes the implementation used for all TLS versions.

SSLEnabledProtocols: SSL2 and SSL3 Notes:

SSL 2.0 and 3.0 are not supported by the class when the SSLProvider is set to internal. To use SSL 2.0 or SSL 3.0, the platform security API must have the protocols enabled and SSLProvider needs to be set to platform.

SSLEnableRenegotiation:   Whether the renegotiation_info SSL extension is supported.

This configuration setting specifies whether the renegotiation_info SSL extension will be used in the request when using the internal security API. This configuration setting is false by default, but it can be set to true to enable the extension.

This configuration setting is applicable only when SSLProvider is set to Internal.

SSLIncludeCertChain:   Whether the entire certificate chain is included in the SSLServerAuthentication event.

This configuration setting specifies whether the Encoded parameter of the SSLServerAuthentication event contains the full certificate chain. By default this value is False and only the leaf certificate will be present in the Encoded parameter of the SSLServerAuthentication event.

If set to True, all certificates returned by the server will be present in the Encoded parameter of the SSLServerAuthentication event. This includes the leaf certificate, any intermediate certificate, and the root certificate.

SSLKeyLogFile:   The location of a file where per-session secrets are written for debugging purposes.

This configuration setting optionally specifies the full path to a file on disk where per-session secrets are stored for debugging purposes.

When set, the class will save the session secrets in the same format as the SSLKEYLOGFILE environment variable functionality used by most major browsers and tools, such as Chrome, Firefox, and cURL. This file can then be used in tools such as Wireshark to decrypt TLS traffic for debugging purposes. When writing to this file, the class will only append, it will not overwrite previous values.

Note: This configuration setting is applicable only when SSLProvider is set to Internal.

SSLNegotiatedCipher:   Returns the negotiated cipher suite.

This configuration setting returns the cipher suite negotiated during the SSL handshake.

Note: For server components (e.g., TCPServer), this is a per-connection configuration setting accessed by passing the ConnectionId. For example: server.Config("SSLNegotiatedCipher[connId]");

SSLNegotiatedCipherStrength:   Returns the negotiated cipher suite strength.

This configuration setting returns the strength of the cipher suite negotiated during the SSL handshake.

Note: For server components (e.g., TCPServer), this is a per-connection configuration setting accessed by passing the ConnectionId. For example: server.Config("SSLNegotiatedCipherStrength[connId]");

SSLNegotiatedCipherSuite:   Returns the negotiated cipher suite.

This configuration setting returns the cipher suite negotiated during the SSL handshake represented as a single string.

Note: For server components (e.g., TCPServer), this is a per-connection configuration setting accessed by passing the ConnectionId. For example: server.Config("SSLNegotiatedCipherSuite[connId]");

SSLNegotiatedKeyExchange:   Returns the negotiated key exchange algorithm.

This configuration setting returns the key exchange algorithm negotiated during the SSL handshake.

Note: For server components (e.g., TCPServer), this is a per-connection configuration setting accessed by passing the ConnectionId. For example: server.Config("SSLNegotiatedKeyExchange[connId]");

SSLNegotiatedKeyExchangeStrength:   Returns the negotiated key exchange algorithm strength.

This configuration setting returns the strength of the key exchange algorithm negotiated during the SSL handshake.

Note: For server components (e.g., TCPServer), this is a per-connection configuration setting accessed by passing the ConnectionId. For example: server.Config("SSLNegotiatedKeyExchangeStrength[connId]");

SSLNegotiatedVersion:   Returns the negotiated protocol version.

This configuration setting returns the protocol version negotiated during the SSL handshake.

Note: For server components (e.g., TCPServer), this is a per-connection configuration setting accessed by passing the ConnectionId. For example: server.Config("SSLNegotiatedVersion[connId]");

SSLSecurityFlags:   Flags that control certificate verification.

The following flags are defined (specified in hexadecimal notation). They can be ORed together to exclude multiple conditions:

0x00000001Ignore time validity status of certificate.
0x00000002Ignore time validity status of CTL.
0x00000004Ignore non-nested certificate times.
0x00000010Allow unknown certificate authority.
0x00000020Ignore wrong certificate usage.
0x00000100Ignore unknown certificate revocation status.
0x00000200Ignore unknown CTL signer revocation status.
0x00000400Ignore unknown certificate authority revocation status.
0x00000800Ignore unknown root revocation status.
0x00008000Allow test root certificate.
0x00004000Trust test root certificate.
0x80000000Ignore non-matching CN (certificate CN non-matching server name).

This functionality is currently not available when the provider is OpenSSL.

SSLServerCACerts:   A newline separated list of CA certificates to use during SSL server certificate validation.

This configuration setting is only used by client components (e.g., TCPClient) see SSLClientCACerts for server components (e.g., TCPServer). This configuration setting can be used to optionally specify one or more CA certificates to be used when connecting to the server and verifying the server certificate. When verifying the server's certificate, the certificates trusted by the system will be used as part of the verification process. If the server's CA certificates are not installed to the trusted system store, they may be specified here so they are included when performing the verification process. This configuration setting should be set only if the server's CA certificates are not already trusted on the system and cannot be installed to the trusted system store.

The value of this configuration setting is a newline-separated (CR/LF) list of certificates. For instance:

-----BEGIN CERTIFICATE-----
MIIEKzCCAxOgAwIBAgIRANTET4LIkxdH6P+CFIiHvTowDQYJKoZIhvcNAQELBQAw
... Intermediate Cert...
eWHV5OW1K53o/atv59sOiW5K3crjFhsBOd5Q+cJJnU+SWinPKtANXMht+EDvYY2w
F0I1XhM+pKj7FjDr+XNj
-----END CERTIFICATE-----
\r \n
-----BEGIN CERTIFICATE-----
MIIEFjCCAv6gAwIBAgIQetu1SMxpnENAnnOz1P+PtTANBgkqhkiG9w0BAQUFADBp
... Root Cert...
d8q23djXZbVYiIfE9ebr4g3152BlVCHZ2GyPdjhIuLeH21VbT/dyEHHA
-----END CERTIFICATE-----

TLS12SignatureAlgorithms:   Defines the allowed TLS 1.2 signature algorithms when SSLProvider is set to Internal.

This configuration setting specifies the allowed server certificate signature algorithms when SSLProvider is set to Internal and SSLEnabledProtocols is set to allow TLS 1.2.

When specified the class will verify that the server certificate signature algorithm is among the values specified in this configuration setting. If the server certificate signature algorithm is unsupported, the class fails with an error.

The format of this value is a comma-separated list of hash-signature combinations. For instance: component.SSLProvider = TCPClientSSLProviders.sslpInternal; component.Config("SSLEnabledProtocols=3072"); //TLS 1.2 component.Config("TLS12SignatureAlgorithms=sha256-rsa,sha256-dsa,sha1-rsa,sha1-dsa"); The default value for this configuration setting is sha512-ecdsa,sha512-rsa,sha512-dsa,sha384-ecdsa,sha384-rsa,sha384-dsa,sha256-ecdsa,sha256-rsa,sha256-dsa,sha224-ecdsa,sha224-rsa,sha224-dsa,sha1-ecdsa,sha1-rsa,sha1-dsa.

To not restrict the server's certificate signature algorithm, specify an empty string as the value for this configuration setting, which will cause the signature_algorithms TLS 1.2 extension to not be sent.

TLS12SupportedGroups:   The supported groups for ECC.

This configuration setting specifies a comma-separated list of named groups used in TLS 1.2 for ECC.

The default value is ecdhe_secp256r1,ecdhe_secp384r1,ecdhe_secp521r1.

When using TLS 1.2 and SSLProvider is set to Internal, the values refer to the supported groups for ECC. The following values are supported:

  • "ecdhe_secp256r1" (default)
  • "ecdhe_secp384r1" (default)
  • "ecdhe_secp521r1" (default)

TLS13KeyShareGroups:   The groups for which to pregenerate key shares.

This configuration setting specifies a comma-separated list of named groups used in TLS 1.3 for key exchange. The groups specified here will have key share data pregenerated locally before establishing a connection. This can prevent an additional roundtrip during the handshake if the group is supported by the server.

The default value is set to balance common supported groups and the computational resources required to generate key shares. As a result, only some groups are included by default in this configuration setting.

Note: All supported groups can always be used during the handshake even if not listed here, but if a group is used that is not present in this list, it will incur an additional roundtrip and time to generate the key share for that group.

In most cases, this configuration setting does not need to be modified. This should be modified only if there is a specific reason to do so.

The default value is ecdhe_x25519,ecdhe_secp256r1,ecdhe_secp384r1,ffdhe_2048,ffdhe_3072

The values are ordered from most preferred to least preferred. The following values are supported:

  • "ecdhe_x25519" (default)
  • "ecdhe_x448"
  • "ecdhe_secp256r1" (default)
  • "ecdhe_secp384r1" (default)
  • "ecdhe_secp521r1"
  • "ffdhe_2048" (default)
  • "ffdhe_3072" (default)
  • "ffdhe_4096"
  • "ffdhe_6144"
  • "ffdhe_8192"

TLS13SignatureAlgorithms:   The allowed certificate signature algorithms.

This configuration setting holds a comma-separated list of allowed signature algorithms. Possible values include the following:

  • "ed25519" (default)
  • "ed448" (default)
  • "ecdsa_secp256r1_sha256" (default)
  • "ecdsa_secp384r1_sha384" (default)
  • "ecdsa_secp521r1_sha512" (default)
  • "rsa_pkcs1_sha256" (default)
  • "rsa_pkcs1_sha384" (default)
  • "rsa_pkcs1_sha512" (default)
  • "rsa_pss_sha256" (default)
  • "rsa_pss_sha384" (default)
  • "rsa_pss_sha512" (default)
The default value is rsa_pss_sha256,rsa_pss_sha384,rsa_pss_sha512,rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pkcs1_sha512,ecdsa_secp256r1_sha256,ecdsa_secp384r1_sha384,ecdsa_secp521r1_sha512,ed25519,ed448. This configuration setting is applicable only when SSLEnabledProtocols includes TLS 1.3.
TLS13SupportedGroups:   The supported groups for (EC)DHE key exchange.

This configuration setting specifies a comma-separated list of named groups used in TLS 1.3 for key exchange. This configuration setting should be modified only if there is a specific reason to do so.

The default value is ecdhe_x25519,ecdhe_x448,ecdhe_secp256r1,ecdhe_secp384r1,ecdhe_secp521r1,ffdhe_2048,ffdhe_3072,ffdhe_4096,ffdhe_6144,ffdhe_8192

The values are ordered from most preferred to least preferred. The following values are supported:

  • "ecdhe_x25519" (default)
  • "ecdhe_x448" (default)
  • "ecdhe_secp256r1" (default)
  • "ecdhe_secp384r1" (default)
  • "ecdhe_secp521r1" (default)
  • "ffdhe_2048" (default)
  • "ffdhe_3072" (default)
  • "ffdhe_4096" (default)
  • "ffdhe_6144" (default)
  • "ffdhe_8192" (default)

Trappable Errors (Server Class)

Server Errors

601   Could not create ephemeral key.
602   Invalid certificate.
603   Invalid operation.
604   Invalid ClientAuth data.
605   The errorCode element in Erro message is invalid.
606   Invalid index.
1101   Protocol error. Received invalid message.
1102   Protocol error. Invalid message version.
1201   Protocol error. Missing data element.
1202   Protocol error. Unrecognized critical extension.
1301   Protocol error. Unrecognized transaction Id.
1302   Decryption failed.

HTTP Errors

118   Firewall error. The error description contains the detailed message.
143   Busy executing current method.
151   HTTP protocol error. The error message has the server response.
152   No server specified in URL.
153   Specified URLScheme is invalid.
155   Range operation is not supported by server.
156   Invalid cookie index (out of range).
301   Interrupted.
302   Cannot open AttachedFile.

The class may also return one of the following error codes, which are inherited from other classes.

TCPClient Errors

100   You cannot change the RemotePort at this time. A connection is in progress.
101   You cannot change the RemoteHost (Server) at this time. A connection is in progress.
102   The RemoteHost address is invalid (0.0.0.0).
104   Already connected. If you want to reconnect, close the current connection first.
106   You cannot change the LocalPort at this time. A connection is in progress.
107   You cannot change the LocalHost at this time. A connection is in progress.
112   You cannot change MaxLineLength at this time. A connection is in progress.
116   RemotePort cannot be zero. Please specify a valid service port number.
117   You cannot change the UseConnection option while the class is active.
135   Operation would block.
201   Timeout.
211   Action impossible in control's present state.
212   Action impossible while not connected.
213   Action impossible while listening.
301   Timeout.
302   Could not open file.
434   Unable to convert string to selected CodePage.
1105   Already connecting. If you want to reconnect, close the current connection first.
1117   You need to connect first.
1119   You cannot change the LocalHost at this time. A connection is in progress.
1120   Connection dropped by remote host.

SSL Errors

270   Cannot load specified security library.
271   Cannot open certificate store.
272   Cannot find specified certificate.
273   Cannot acquire security credentials.
274   Cannot find certificate chain.
275   Cannot verify certificate chain.
276   Error during handshake.
280   Error verifying certificate.
281   Could not find client certificate.
282   Could not find server certificate.
283   Error encrypting data.
284   Error decrypting data.

TCP/IP Errors

10004   [10004] Interrupted system call.
10009   [10009] Bad file number.
10013   [10013] Access denied.
10014   [10014] Bad address.
10022   [10022] Invalid argument.
10024   [10024] Too many open files.
10035   [10035] Operation would block.
10036   [10036] Operation now in progress.
10037   [10037] Operation already in progress.
10038   [10038] Socket operation on nonsocket.
10039   [10039] Destination address required.
10040   [10040] Message is too long.
10041   [10041] Protocol wrong type for socket.
10042   [10042] Bad protocol option.
10043   [10043] Protocol is not supported.
10044   [10044] Socket type is not supported.
10045   [10045] Operation is not supported on socket.
10046   [10046] Protocol family is not supported.
10047   [10047] Address family is not supported by protocol family.
10048   [10048] Address already in use.
10049   [10049] Cannot assign requested address.
10050   [10050] Network is down.
10051   [10051] Network is unreachable.
10052   [10052] Net dropped connection or reset.
10053   [10053] Software caused connection abort.
10054   [10054] Connection reset by peer.
10055   [10055] No buffer space available.
10056   [10056] Socket is already connected.
10057   [10057] Socket is not connected.
10058   [10058] Cannot send after socket shutdown.
10059   [10059] Too many references, cannot splice.
10060   [10060] Connection timed out.
10061   [10061] Connection refused.
10062   [10062] Too many levels of symbolic links.
10063   [10063] File name is too long.
10064   [10064] Host is down.
10065   [10065] No route to host.
10066   [10066] Directory is not empty
10067   [10067] Too many processes.
10068   [10068] Too many users.
10069   [10069] Disc Quota Exceeded.
10070   [10070] Stale NFS file handle.
10071   [10071] Too many levels of remote in path.
10091   [10091] Network subsystem is unavailable.
10092   [10092] WINSOCK DLL Version out of range.
10093   [10093] Winsock is not loaded yet.
11001   [11001] Host not found.
11002   [11002] Nonauthoritative 'Host not found' (try again or check DNS setup).
11003   [11003] Nonrecoverable errors: FORMERR, REFUSED, NOTIMP.
11004   [11004] Valid name, no data record (check DNS setup).