Dun & Bradstreet’s Online Services Security Enhancement
October 21, 2020
Dun & Bradstreet is making security enhancements to its Direct 2.0 application in November. In preparation for this activity, we would like to share important information and actions that are required of your business to ensure a continuous user experience. First, please be sure that your business successfully meets the following technical and security requirements, including:
- • Updating the accepted Cipher Suite to accompany TLS 1.2 – TLS 1.3 secure transport protocol
- • Updating the server certificate if you are storing this in your trust store
- • Changes to Dun & Bradstreet’s IP address if you are whitelisting our IP within your environment
- • Changing to the Dun & Bradstreet endpoint if you are using maxcvservices.dnb.com
In rare cases, customers who use a Trust Store that support only one active certificate per URL connection (one to one mapping) should utilize the new certificate only after the cutover.
To avoid potential disruption, the applications must be compatible with the following versions:
- • Oracle Java 7u95 (requires an enterprise support contract with Oracle)
- • Oracle Java 8 and above
- • Microsoft .NET version 4.5 or later
We are providing a test environment using the Oracle, Java and .NET versions listed above, as well the accepted list of ciphers. If you currently have a test environment available, you can connect to Dun & Bradstreet’s pre-production environment supporting the new protocols to test changes.Our test environment has not changed since August 04, 2020 so any testing done since then is still valid. Connectivity tests may be conducted using https://direct-stg.dnb.com to confirm compatibility. Please open a ticket with Customer Support at https://support.dnb.com/Support_Home or contact 1-866-465-3829 to confirm credentials to test in this environment.
Approved Ciphers
Open SSL | IANA /RFC5289 | |
---|---|---|
TLS 1.3 | TLS-AES-256-GCM-SHA384 | TLS_AES_256_GCM_SHA384 |
TLS 1.3 | TLS-CHACHA20-POLY1305-SHA256 | TLS_CHACHA20_POLY1305_SHA256 |
TLS 1.3 | TLS-AES-128-GCM-SHA256 | TLS_AES_128_GCM_SHA256 |
TLS 1.3 | TLS-AES-128-CCM-8-SHA256 | TLS_AES_128_CCM_8_SHA256 |
TLS 1.3 | TLS-AES-128-CCM-SHA256 | TLS_AES_128_CCM_SHA256 |
TLS 1.2 | ECDHE-ECDSA-AES256-GCM-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
TLS 1.2 | ECDHE-ECDSA-AES128-GCM-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
TLS 1.2 | ECDHE-RSA-AES256-GCM-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
TLS 1.2 | ECDHE-RSA-AES128-GCM-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
TLS 1.2 | ECDHE-ECDSA-CHACHA20-POLY1305 | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 |
TLS 1.2 | ECDHE-RSA-CHACHA20-POLY1305 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
TLS 1.2 | ECDHE-ECDSA-AES256-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
TLS 1.2 | ECDHE-ECDSA-AES128-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
TLS 1.2 | ECDHE-RSA-AES256-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
TLS 1.2 | ECDHE-RSA-AES128-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
TLS 1.2 | ECDHE-RSA-AES256-SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
TLS 1.2 | ECDHE-RSA-AES128-SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
TLS 1.2 | AES256-GCM-SHA384 | TLS_RSA_WITH_AES_256_GCM_SHA384 |
TLS 1.2 | AES128-GCM-SHA256 | TLS_RSA_WITH_AES_128_GCM_SHA256 |
TLS 1.2 | AES256-SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA256 |
TLS 1.2 | AES128-SHA256 | TLS_RSA_WITH_AES_128_CBC_SHA256 |
TLS 1.2 | AES256-SHA | TLS_RSA_WITH_AES_256_CBC_SHA |
TLS 1.2 | AES128-SHA | TLS_RSA_WITH_AES_128_CBC_SHA |
Following are additional details for updating the accepted Cipher Suite beginning 12:00 a.m. ET, Monday, November 09, 2020.As part of the change, we are extending support for ECDSA certificates as well as RSA certificates (dual stack).
1. Updates to the server certificate if you are storing it in your trust store.
If you are storing the Direct 2.0 server certificate within you server store, you will need to replace it with a new server certificate. If this applies to you, please open a ticket with Customer Support to acquire the new certificate after October 1, 2020.
2. Whitelisting our IP within your environment.
IP addresses for the application will be dynamically assigned after November 09, 2020. If you connect over an IP address, please use the fully qualified domain name direct.dnb.com. Whitelisting is not recommended as our IP addresses may change. Our production IP range and the new server certificate will be provided October 1, 2020.
3. Sunsetting of maxcvservices.dnb.com
If you are using https://maxcvservices.dnb.com in an endpoint, it will be sunset and no longer available after November 13. Please modify the endpoint to direct.dnb.com for the service you are accessing.
Support
If you have any questions or concerns, please submit an inquiry at https://support.dnb.com/Support_Home or contact 1-866-465-3829.