The Registrar Data Form has a section where registrars may specify the IP subnets that will be accessing the Production SRS. If you wish to change the IP subnets after this form has been submitted, please follow the .aero IP Subnet Change Request process. The specified subnets must conform to the following rules:
• A maximum of three IP subnets.
• A maximum of 96 hosts between the three IP subnets.
Access to the SRS is restricted by three mechanisms:
• Access to the Production SRS is restricted by IP address filters.
• SSL encryption is required for the communication channels between the registrar's client system and the OT&E and production systems.
• Authentication by means of a username and password is required for session establishment.
A digital certificate is simply a statement digitally signed by an independent and trusted third party (the certificate authority). That statement usually follows a very specific format laid down in a standard called X.509; hence, such certificates are sometimes referred to as X.509 certificates.
A certificate is required to establish an authenticated and encrypted communications channel between the registrar's server and .aero SRS.
This defines the purpose of the certificate and whether it can be used as client certificate. The following is a sample of an expected output from the command:
openssl x509 -in your_cert.filename -purpose
X.509 SSL certificates can be obtained from one of the accepted Certificate Authorities. Please make sure that the certificate you obtain is NOT an individual/personal certificate. The accepted Certificate Authorities are:
• Verisign
• Thawte
• Geotrust
• Comodo
• Entrust
• Starfield - Details for Starfield follow -
To establish an SSL connection to the SRS, the registrar's client system must choose a cipher suite supported by the SRS. The SRS supports the following ciphers:
• SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
• SSL_DHE_DSS_WITH_DES_CBC_SHA
• SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
• SSL_RSA_WITH_DES_CBC_SHA
• SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
• SSL_RSA_WITH_3DES_EDE_CBC_SHA
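The list above mixes 40-bit export suites, single-DES suites and 3DES suites, so a client that enables everything the SRS supports may negotiate a weak one. The following is an added example, not part of the original document or of any registry toolkit: it parses the suite names listed above and returns only those a client should enable. The function names and the 112-bit minimum are assumptions made for this illustration.

```python
import re

# The six suites the page lists as supported by the SRS.
SRS_SUITES = [
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Nominal key sizes (bits) of the bulk ciphers named in that list.
KEY_BITS = {"DES40_CBC": 40, "DES_CBC": 56, "3DES_EDE_CBC": 168}

SUITE_RE = re.compile(
    r"^SSL_(?P<kx>.+?)(?P<export>_EXPORT)?_WITH_(?P<cipher>.+)_(?P<mac>[^_]+)$")


def parse_suite(name):
    """Split a suite name into key exchange, export flag, cipher, MAC, key bits."""
    m = SUITE_RE.match(name)
    if m is None or m.group("cipher") not in KEY_BITS:
        raise ValueError("unrecognised cipher suite: " + name)
    return {
        "name": name,
        "kx": m.group("kx"),
        "export": m.group("export") is not None,
        "cipher": m.group("cipher"),
        "mac": m.group("mac"),
        "bits": KEY_BITS[m.group("cipher")],
    }


def client_offer(server_suites, min_bits=112):
    """Return (offer, rejected); min_bits is an assumed policy threshold."""
    parsed = [parse_suite(s) for s in server_suites]
    ok = [p for p in parsed if not p["export"] and p["bits"] >= min_bits]
    # Strongest cipher first; among equals prefer ephemeral DH key exchange.
    ok.sort(key=lambda p: (-p["bits"], not p["kx"].startswith("DHE")))
    offer = [p["name"] for p in ok]
    rejected = [p["name"] for p in parsed if p["name"] not in offer]
    return offer, rejected


if __name__ == "__main__":
    offer, rejected = client_offer(SRS_SUITES)
    print("enable :", offer)
    print("disable:", rejected)
```

With the page's list as input, only the two 3DES suites remain in the offer; the export and single-DES suites are reported as rejected so they can be disabled in the client's SSL toolkit configuration.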
Registrars are responsible for obtaining an SSL toolkit that is compatible with the development language and platform of their client system. The minimum requirement is that it must support SSL version 3.
For C, C++ or Perl, OpenSSL is an open-source SSL solution.
For Java:
• Sun's Java Secure Socket Extension.
• SSLava from Phaos Technology. SSLava is also the toolkit used in the development of the SRS.