Swiftnet link error codes


The following typographical conventions are used in this manual. SWIFTNet Link and SWIFT Alliance Gateway software. "Unable to recover from SWIFTNet error: rc=1", e.g. a Tuxedo error or the remote SAG cannot be connected. See SWIFT Knowledge Base: FIN Error Codes and SWIFTNet FIN errors. See SWIFTNet Link error codes and SWIFTNet FIN errors in case of frequent aborts.


SWIFTNet

Axway Gateway: Connectors

SWIFTNet Introduction

SWIFTNet is the SWIFT organization's IP-based network. SWIFTNet services enable the secure and reliable transfer of financial information and transactional data.

Many institutions frequently need to manage separate interfaces, standards and security models for each market infrastructure used, and for various types of communication with correspondents and customers. With SWIFTNet, you connect only once. Single window connectivity delivers a single communications infrastructure to access multiple service providers, correspondents and customers. Other advantages are automation and straight-through processing within a financial organization.

The Gateway/SWIFTNet connector supports the following SWIFTNet services:

  • InterAct messaging
  • FileAct file transfer

SWIFTNet message types

Originally SWIFT used FIN messaging. More recently, with SWIFTNet, the XML-based InterAct and FileAct message types have been introduced.

InterAct

InterAct is SWIFT's interactive messaging service that supports the exchange of messages between two parties.

With InterAct, institutions and communities can exchange messages in an automated and interactive way — an application sends a request message to another application and receives an immediate response message.

Each message exchange consists of a request and a reply message. Request messages usually contain either information to be sent from a sender to a receiver or a request for information which is sent from sender to receiver. Reply messages contain either the confirmation that the receiver has received the sender's message or a reply on a sender's request.

InterAct is used to exchange time-critical and short to medium length messages (such as securities orders, payment instructions) between parties.

Each InterAct message consists of two parts:

  • The payload that contains the business contents, such as an investment funds order
  • The envelope that contains the technical information which is required for the SWIFT network to send the message (such as requester and receiver, PKI information, SnF mode, etc.)

InterAct messages can be validated, for example for XML compliance and correct semantics, within SWIFTNet according to the message specification.

FileAct

FileAct allows the secure and reliable transfer of files between parties via SWIFTNet.

FileAct supports tailored solutions for market infrastructure communities, closed user groups and financial institutions. FileAct is particularly suitable for bulk payments, batches of structured financial messages and large reports.

Files are usually created in batch processes and should not be time critical. Files are typically large. There is no validation of FileAct messages. They can be free formatted, even binary data can be transmitted.

SWIFTNet delivery modes

SWIFTNet provides two different delivery modes:

  • Real Time (RT) mode exchanges messages and files between parties in real time. In this case both sender and receiver have to be connected to the SWIFT network at the same time.
  • Store-and-Forward (SnF) mode allows the sender's message to be stored within the SWIFT network until the receiver is able to receive the message. The sender and receiver do not need to be connected at the same time. SnF relies on queues managed by SWIFT.

SWIFTNet software

SWIFT provides the following software to connect to SWIFTNet:

  • SWIFTNet Link (SNL). This is the low-level connection software that manages access to SWIFTNet. A client may have more than one instance of SNL for reasons of performance and reliability. SNL connects gateway applications such as SAG to SWIFTNet.
  • SWIFT Alliance Gateway (SAG). SAG acts as concentrator and allows multiple applications to be connected to SWIFTNet. Examples are: automated file transfer, distant applications using SWIFTNet RA (Remote API) and applications using MQ-series queues. Flows coming from SWIFTNet to these applications are routed according to configurable criteria.

SWIFTNet message and file limitations

Gateway fully supports the SWIFTNet InterAct and FileAct protocols within the size limits established by SWIFT. For the current limits, refer to the official SWIFTNet documentation.

Related topics

SWIFTNet connector

SWIFTNet system recovery

More information

Gateway is just part of the Axway Financial Exchange solution. Using Axway products to deploy a full SWIFTNet solution is outside the scope of this document. For more information on Axway products, go to sprers.eu

For more information on SWIFTNet, refer to:

  • The SWIFT (Society for Worldwide Interbank Financial Telecommunication) website: sprers.eu
  • The SWIFTNet documentation delivered with the product


About Application Adapters

The topics listed here provide information about Application Adapters. If you have any questions or problems, see the Java CAPS web site at .

SWIFTAlliance Gateway is a modular software package that is installed on top of the SWIFTNet Link (SNL) software, and is designed to enable application-to-application communication. Using the SWIFTNet interactive services, InterAct and FileAct, messages and files are typically exchanged between a customer application (client) and a central application (server) over the Secure IP Network (SIPN). SWIFTAlliance Gateway can handle large volumes of information and is therefore suitable for use with both client and server applications.

The subtopics listed here provide information about SWIFT Alliance Gateway and its Sun Adapter.

Introduction to SWIFTNet

SWIFTNet is a global business messaging network for secure connectivity between institutions that participate in the financial services industry. As such, SWIFTNet is designed to satisfy institutional community requirements for inter-operability of mission-critical financial software solutions.

SWIFTNet provides an assurance of infrastructure reliability, availability, access control, correspondent and message authentication, message integrity, and confidentiality, to business applications that are interconnected among a community of institutions. Optionally, SWIFTNet also provides non-repudiation support, message validation, store-and-forward, and role-based access control.

SWIFTAlliance Gateway

SWIFTAlliance Gateway is an interface product for SWIFTNet. It incorporates all the functionality of the SWIFTNet Link. Additionally, it provides several different connectivity and usability features for SWIFTNet users, providing solutions to a variety of system integration problems.

SWIFTAlliance Gateway is designed to concentrate traffic from multiple SWIFTAlliance WebStations. It provides a graphical user interface for the administration of the SWIFTAlliance Gateway and related SWIFTNet security administration functions.

SWIFTAlliance Gateway can serve as a message concentrator, receiving messages from various other applications for passage through SWIFTNet. It can receive these messages through host adapters, including a WebSphere MQ host adapter, for interfacing with business applications running on a variety of different types of computing platforms.

SWIFTAlliance Gateway Remote API

SWIFTAlliance Gateway Remote API (RA) is a software package that establishes a communication link with the RA Host Adapter component of SWIFTAlliance Gateway, either from a SWIFTNet application existing on a remote computer or from a SWIFTNet application existing on the computer where SWIFTAlliance Gateway is installed.

Using Remote API, applications developed to run directly on top of SNL software can use SWIFTAlliance Gateway transparently as a concentrator for their SWIFTNet traffic, thereby implementing the single window concept. RA offers two sets of APIs: SWIFTNet Link specific, and SWIFTAlliance Gateway specific. Message flow, from an RA instance to SWIFTAlliance Gateway, is managed by the Remote API Host Adapter (RAHA), a sub-component of SWIFTAlliance Gateway’s Application Interface (AI).

SWIFTNet Messaging Services

SWIFTNet offers four messaging services, SWIFTNet InterAct, FileAct, Browse, and FIN. Of these four, the SWIFTAlliance Gateway specifically addresses FileAct and InterAct in client mode, with both Real Time and Store-and-Forward transfers.

SWIFTNet InterAct

SWIFTNet InterAct provides secure and reliable exchange of individual structured financial messages. SWIFT customers’ messaging requirements vary from customer to customer but also from message to message. SWIFTNet InterAct offers you a broad range of telecommunication modes.

Store-and-Forward Messaging

SWIFTNet InterAct’s store-and-forward capability is designed for messages that are destined for a large number of correspondents, many of whom may not be online at the time of transmission. It removes the uncertainty and inconvenience of worrying about whether or not your correspondents are on-line at the time you send the message. The message is delivered as soon as the recipient is ready to receive it. As a result, it provides an ideal way to send individual instructions, confirmations, and reports to large numbers of correspondents, some of whom may be in different time zones.

Real-Time Messaging

Real-time messaging offers a low-cost alternative to store-and-forward for messages which are destined for correspondents that are online at the time of transmission. As a result, it is ideal for sending individual instructions, confirmations, and reports to a few large correspondents, or for messages to market infrastructures.

SWIFTNet FileAct

SWIFTNet FileAct provides secure and reliable transfer of files, such as batches of structured financial messages or large reports. Typical applications include repetitive credit transfers such as pension or salary payments, securities value-added information and reporting, and regulatory reporting. SWIFTNet FileAct offers a variety of messaging modes.

Store-and-Forward File Transfers

SWIFTNet FileAct’s store-and-forward capability ensures that your correspondents receive your message whether or not they are online at the time of transmission. Messages are delivered when the recipient is ready to receive them. Store-and-Forward is an ideal way to send individual instructions, confirmations and reports to large numbers of correspondents, some of which may be in different time zones.

Real-time File Transfers

Real-time messaging provides a lower-cost alternative to store-and-forward for files that are destined for correspondents that are online at the time of transmission. This makes it ideal for sending files to a few large correspondents or market infrastructures.

The SWIFT Alliance Gateway Adapter

The Sun Adapter for SWIFTAlliance Gateway (referred to as the SWIFT AG Adapter throughout this guide) enables the Sun Java™ Composite Application Platform Suite to communicate with SWIFTAlliance Gateway.

The SWIFT AG Adapter is comprised of the following components:

  • Connector module: a JCA Resource Adapter, allows you to exchange messages or files across SWIFTNet, SWIFT’s secure IP network.

  • NetBeans module: incorporates the Adapter into Java CAPS and provides necessary design time and runtime functionality within the Suite.

  • SWIFT AG Object Type Definition: exposes SWIFTNet methods and attributes for use within a Java Collaboration to perform connectivity and business logic.

In addition to the OTD, the SWIFT AG Adapter provides Connectivity Map and External System configuration for design time configuration.

SWIFT AG Adapter Features

The SWIFT AG Adapter includes the following features:

  • Supports InterAct and FileAct Services in client mode, with both Real Time and Store-and-Forward messaging

  • Supports both synchronous and asynchronous operation modes

  • Provides support for all the SWIFTNet Link (SNL) Primitives

  • Supports dynamic configuration of InterAct and FileAct primitive attributes from the Java Collaboration Editor

  • Supports dynamic configuration of SWIFT AG Remote API transport properties

SAGOutboundAdapter Object Type Definition

The Adapter provides a SWIFTAlliance Gateway specific OTD (Object Type Definition), which exposes methods, attributes, and configuration properties. When it is incorporated in a Java Collaboration, the SAGOutboundAdapter OTD allows you to build powerful business logic into your Projects.

The SAGOutboundAdapter OTD is comprised of the following nodes:

  • Configuration: enables dynamic configuration of the Adapter at runtime

  • Constants: provides various SNL constants

  • Primitives: provides all of the SNL Primitives for advanced users

  • RemoteApis: provides user access to the Remote API’s client APIs

  • Services: provide the InterAct and FileAct client implementations to support Real Time and Store-and-Forward messaging

In addition to the OTD, the SWIFT AG Adapter provides Connectivity Map and External System parameters for design time configuration.

The Oracle E-Business Suite 11i is a comprehensive enterprise resource planning (ERP) software package built upon Oracle’s database technology. It is presented within an Internet environment, using online transaction processing to address the global requirements of today’s typical enterprise.

The E-Business suite includes a large number of Product Families, grouped into software modules corresponding to what were once stand-alone computer systems used by individual departments. These Product Families are identified by their major business functions, such as:

  • Financials

  • Human Resources

  • Manufacturing

  • Marketing

  • Sales

These Product Families are integrated together to share a common database, allowing a company’s various departments to quickly and easily share information and communicate with each other.

Oracle Applications Basic Operation

The basic architecture of an Oracle system contains a set of base objects which are held in highly normalized core tables within the Oracle database. A de-normalized view of these base objects is provided in a set of Open Interface Tables (OITs), also maintained in the database. Data is passed from the Open Interface Tables to the core tables under the control of the Concurrent Manager.

In a typical scenario, an operator schedules an import job by means of the Oracle front end, which initiates the following procedure:

  1. Data is passed from the Open Interface Tables to the core tables under the control of Import Jobs scheduled by the Concurrent Manager.

  2. It then invokes the Oracle Concurrent Manager, which:

     • Validates the data in the Open Interface Table, based on a set of stored SQL procedures.

     • Inserts the validated rows into the Oracle Applications Database.

There are several limitations to this very basic scheme:

  • Once data is in the Open Interface Table, it cannot be withdrawn or corrected.

  • Data failing the validation process may be handled in different ways—some import scripts update the original rows with error codes, while other scripts log errors to a file, requiring user intervention.

  • Only the default validation rules provided by Oracle are used in the validation process, and may not address specific customer requirements.

  • There is no easy way to insert batches of data as a transactional unit—for example, where all inserts from a batch must succeed (if any fail, then all must fail).

PeopleSoft’s Enterprise Resource Planning (ERP) software is a full-function application package that offers business applications for financials, human resources, customer relations, supply chain management, materials management, and business analytics. PeopleSoft provides what it calls “pure-Internet” architecture: Web-based applications designed to streamline a company’s operations by integrating systems to effectively connect its various departments, customers, and suppliers.

The Sun Java Composite Application Platform Suite and the PeopleSoft Adapter enable PeopleSoft to easily and transparently integrate with legacy systems, enterprise applications, and other platforms. The Sun Adapter for PeopleSoft exposes JCA and Web services compliant interfaces for the purpose of application and business integration.

SAP ALE (Application Link Enabling) is a technology for exchange of business data between multiple SAP R/3 systems or SAP R/3 and customer applications. The vehicle for data exchange is an IDoc (Intermediate Document), which is basically a SAP defined message structure that serves as a container for the different types of application data being transmitted.

ALE provides SAP customers with a program distribution model and technology that enables them to transfer IDocs across various platforms and systems.

The SAP IDoc Format

IDocs are used as containers for information, and are used to exchange business data between systems.

Several hundred IDocs are supplied with each SAP R/3 system, serving as templates for a wide variety of applications. The IDoc hierarchy is represented by the following terminology:

  • Message Types are related to specific applications such as Orders.

  • IDoc Types are different versions of standard Message Types, such as Orders for specific items or services.

The SAP ALE Adapter

The SAP ALE IDOC Object Type Definition (OTD), when used with the SAP BAPI Adapter in Transactional Remote Function Call (tRFC) mode, enables Sun Java Composite Application Platform Suite (Java CAPS) Projects to exchange data with SAP R/3 software using SAP’s Intermediate Documents (IDocs) via the Application Link Enabling (ALE) interface.

The next two sections provide an overview of how to use the IDoc OTD and the SAP BAPI Adapter to send or receive IDocs to SAP R/3.

Inbound Data Flow: SAP R/3 to Java CAPS

During routine operations, an application on the SAP R/3 system generates a transaction designated for an external system. The ALE interface converts the data from the internal data format to the IDoc format, and sends it via tRFC to the SAP BAPI Adapter, acting as a RFC server.

The Java CAPS Project’s business rules receive the IDoc data from the SAP BAPI Adapter, perform any necessary processing or routing, and send the information to another Adapter connected to the recipient system. Any data transformation required for the target application is performed in your Project Collaborations.

  1. The Adapter reads in the required configuration parameters and establishes a network connection with the SAP R/3 system. The Adapter acts as an RFC server, receiving IDocs from the SAP R/3 system.

  2. When the IDoc is sent from SAP R/3 via tRFC, the SAP BAPI Adapter uses the RFC OTD, IDOC_INBOUND_ASYNCHRONOUS, to receive the IDoc data.

  3. IDoc data received by the IDOC_INBOUND_ASYNCHRONOUS OTD can be marshaled out of the OTD and unmarshaled into an IDoc OTD.

  4. A file-based TID (Transactional ID) database is used to track transactions that have been committed successfully or rolled back.

  5. If identified successfully, the process moves on to the next step. If not, the Adapter composes the appropriate response and logs an exception in the log file.

  6. If the Collaboration or Business Process fails, an exception is logged in the log file and raised back to SAP R/3.

  7. The Adapter then repeats the procedure beginning with step 2.

Outbound Data Flow: Java CAPS to SAP R/3

In the outbound mode, you must first get the data into the IDoc OTD using its unmarshal method. From the IDoc OTD, you unmarshal the data into the IDOC_INBOUND_ASYNCHRONOUS RFC OTD which sends the IDoc to SAP R/3 using tRFC protocol.

  1. When the Collaboration or Business Process starts to run, the Adapter is initialized with its configuration properties.

  2. The data is unmarshaled to the IDoc OTD before being sent to the SAP BAPI Adapter’s RFC OTD, IDOC_INBOUND_ASYNCHRONOUS.

  3. The SAP BAPI Adapter transmits the data to SAP R/3.

  4. The SAP BAPI Adapter associates the next TID (from a persistent, resettable counter) with the transformed outbound message and sends it via tRFC to the SAP R/3 host.

  5. If no exceptions are raised by the receiving SAP R/3 host, the next TID is incremented.

  6. The Adapter repeats the procedure beginning with step 2.

Messages are sent to the SAP R/3 host via Transactional RFC (tRFC). With tRFC, the receiving SAP R/3 system relies on a unique Transactional ID (TID) sent with the message to ascertain whether or not it has ever processed that transaction before. The SAP BAPI Adapter assumes that all messages handled are new and assigns a new TID to each message.


Note –

If you have IDoc data in a byte array format you may unmarshal it directly to the IDOC_INBOUND_ASYNCHRONOUS OTD without using the IDoc OTD first.


The Siebel EAI Adapter enables the application to exchange messages with the Siebel EAI interface via a Web server using open standards such as HTTP and XML. There are two distinct processes involved in using the Siebel EAI Adapter:

  • A design-time process, in which you obtain information about the Siebel Interface Object; and

  • A run-time process, in which you use the Project to exchange data with Siebel EAI.

Design-Time Process

The design-time process, which is an integral part of Project development, is primarily concerned with extracting metadata from the Siebel application. This metadata is then used to format the messages propagated by the adapter.

This process uses the Siebel EAI OTD Wizard, which prompts you for information to find and connect to the desired Siebel instance. The Wizard then connects to Siebel and extracts the business services that are exposed through the Siebel Web Engine. These services are presented to you for selection of the appropriate service and operation.

When the service and operation have been selected, an OTD representing the selections is generated and saved in the repository.

Run-Time Process

During run-time, the Siebel EAI Adapter’s components relay the contents of web requests to Java Collaborations or Business Processes for further processing and subsequent hand-off to an outbound Siebel EAI Adapter.

In routine operation, the Siebel EAI Adapter uses HTTP to post a Siebel XML-formatted message to Siebel. It also specifies one of the following actions to be performed on the XML message:

  • Delete

  • Upsert (Insert/Update)

  • Query

The result is that a corresponding Workflow is executed to process the message. A Siebel Workflow is a customized business application for managing and enforcing business processes.

The Siebel EAI Adapter POSTs the message to the Web server. The Siebel Web Server Extension invokes the specified Business Service which, in turn, starts an internal Workflow.

The Workflow invokes the Siebel EAI XML Converter, which converts the information from XML into the Siebel internal format and presents it to the Siebel EAI Adapter. The information is then sent to the Siebel Server via the Siebel Object Manager.

If any data is to be returned, the EAI Siebel Adapter can pass the result to the EAI XML Converter and send the data back to the adapter as a Siebel XML message.

Workflow Templates

A set of Workflow Templates is included with the Siebel EAI Adapter. These Workflow Templates invoke the necessary Workflow Processes to map the data directly to or from the Siebel database.

Session vs. Sessionless Mode

You can run the Siebel EAI Adapter in either session or sessionless mode. When running in the default Sessionless mode, every message posted to Siebel is enveloped with the login method, negating the need for an explicit login. By contrast, when Siebel runs in Session mode, the collaboration must include both a login method at beginning and a logout method at the end. Session mode allows you to post multiple messages to Siebel within a loop between a single login and logoff statement. Session mode is only supported using the Java Collaboration Definition (JCD). You cannot use Session mode when using business processes in eInsight.

Using the Siebel Message Header

Siebel EAI Adapter supports both Siebel integration objects and Application Service Interfaces (ASIs). A Siebel message header is required for most integration objects or ASIs. In a JCD, you can include the Siebel Message Header by invoking the appropriate methods provided in the Siebel EAI OTD. When creating business processes in eInsight, the Siebel Message Header is automatically included when the appropriate web service operation (Query, Update, Insert, Delete) is selected. Also, be sure to set the integrationObjectName.

This topic provides conceptual information about SAP BAPI and its Sun Java CAPS Adapter.

About SAP

SAP creates software for the Enterprise Resource Planning (ERP) business sector. The company’s main product is SAP R/3, which uses a three-tier application architecture—database, application server, and client—to facilitate real-time data processing.

About the SAP BAPI Adapter

The SAP BAPI Adapter enables Java CAPS Projects to exchange data with SAP R/3 software using Business Application Programming Interfaces (BAPIs), RFCs, and IDocs.

The SAP BAPI Adapter uses the SAP Java Connector (SAP JCo) to allow Java applications to access BAPIs and RFCs.

The functionality of the SAP BAPI Adapter simplifies the process of determining the requisite IMPORT, EXPORT, CHANGING, and TABLE parameters—collecting all the necessary data using the correct type and format, calling the Remote Function Module (RFM) that represents the BAPI, and then extracting and parsing data from the EXPORT and/or TABLE parameters.

Before it can be invoked, a BAPI or RFM requires the following parameters:

  • IMPORT parameters: data provided to the BAPI

  • EXPORT parameters: data returned by the BAPI

  • CHANGING parameters: data provided to and/or returned by the BAPI/RFC

  • TABLE parameters: data provided to and/or returned by the BAPI/RFC

The detailed metadata for these parameters, such as descriptions of their value types and whether they are mandatory or optional, can be found under SAP transaction SE37.

The metadata for a BAPI/RFC in SAP R/3 is extracted by the BAPI wizard, which uses it to build the BAPI/RFC OTD. This OTD is used in Java Collaborations and eInsight Business Processes to invoke or receive the BAPI/RFC call.

The SAP BAPI Adapter Data Flows

When the SAP BAPI Adapter communicates with the SAP R/3 software, it uses the RFC protocol. The list below shows the RFC types of communication used:

  • Outbound (Java CAPS to SAP R/3): non-transactional (regular) RFC and transactional RFC (tRFC)

  • Inbound (SAP R/3 to Java CAPS): non-transactional and transactional RFC (tRFC)

Outbound Data Flow: Java CAPS to SAP R/3

Outbound communications occur when the Adapter receives data from Java CAPS and sends it to SAP R/3 by calling a specific BAPI or RFM. The figure below shows a non-transactional outbound process.

The figure above shows the following steps for the outbound data flow:

  1. The Collaboration or Business Process populates the appropriate BAPI or RFC Import, Changing, and Table parameter nodes on the BAPI/RFC OTD with data from an inbound OTD.

  2. The Adapter logs onto the SAP R/3 application using preconfigured properties.

  3. The Adapter calls the BAPI OTD’s execute() method. Any work performed is immediately committed by SAP R/3 through autocommit.

  4. The SAP R/3 application returns successfully.

Inbound Data Flow: SAP R/3 to Java CAPS

For the inbound data flow, the SAP BAPI Adapter can receive data from SAP R/3 via RFC or tRFC. The sections below describe each protocol.

To enable the SAP BAPI Adapter to receive data from SAP R/3, configure the Environment properties with an RFC destination created within SAP R/3.

Inbound Data Flow via RFC

The sequence diagram uses a sample CostCenter OTD to describe the RFC inbound sequence.

The figure above shows the following steps for the inbound data flow via RFC:

  1. The Business Process is activated when an RFM call is received from SAP R/3.

  2. Finding that data from an RFM is available, the Business Process accesses all pertinent data nodes and sends the gathered information to other Java CAPS components.

  3. The Adapter returns the results of the RFM execution back to SAP.

Inbound Data Flow via tRFC

Communication via tRFC is similar to RFC, except that it adds transactional verification steps prior to committing or rolling back. tRFC is preferred over RFC because of the additional reliability. By using unique TIDs associated with a BAPI/RFM call, SAP R/3 processes the data once, and only once. The figure below shows inbound data flow via tRFC.

The figure above shows the following steps for the inbound data flow via tRFC:

  1. The Business Process is activated when an RFM call is received from SAP R/3.

  2. Finding that data from an RFM is available, the Business Process accesses all pertinent data nodes and sends the gathered information to other Java CAPS components.

  3. The Adapter returns the results of the RFM execution back to SAP R/3.

  4. If the RFM call returned successfully without exceptions, SAP R/3 informs the Adapter that the data can be committed by calling onCommitTID().

  5. The Adapter updates the TID in the file database as being Committed, commits the data, and sends an onCommitTID() return to SAP R/3.

  6. If the RFM call did not return successfully for any reason, SAP R/3 informs the Adapter that the data must be rolled back by calling onRollbackTID().

  7. The Adapter sends an onRollbackTID() return to SAP R/3, confirming that the TID was not committed.
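The TID bookkeeping behind the "once, and only once" guarantee, covering both the file-based TID database in the ALE inbound flow and the tRFC commit/rollback steps above, as an added example that is not Java CAPS, SAP or adapter code: a Python simulation of the adapter as RFC server, showing that a redelivered TID is rejected even after a restart, while a TID that was rolled back may be retried. The JSON store format, the `TrfcReceiver` class and the sample IDocs are assumptions; only the callback names `onCommitTID` and `onRollbackTID` come from the text.

```python
import json
import os
import tempfile

# TID states used by the simulated TID database (assumed naming).
CREATED, EXECUTED, COMMITTED, ROLLED_BACK = "Created", "Executed", "Committed", "RolledBack"


class TidStore:
    """Persistent TID -> state map. JSON on disk is an assumption, not the adapter's format."""

    def __init__(self, path):
        self.path = path
        self._states = {}
        if os.path.exists(path):
            with open(path) as f:
                self._states = json.load(f)

    def state(self, tid):
        return self._states.get(tid)

    def set(self, tid, state):
        self._states[tid] = state
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(self._states, f)
        os.replace(tmp, self.path)  # atomic rename: a crash never leaves a half-written DB


class TrfcReceiver:
    """The adapter acting as RFC server: receives IDocs, answers commit/rollback callbacks."""

    def __init__(self, store, apply_fn):
        self.store = store
        self.apply_fn = apply_fn  # business logic for one IDoc; raises on failure
        self.log = []             # stands in for the adapter's log file

    def check_tid(self, tid):
        """A TID that was already executed or committed must never be applied again."""
        state = self.store.state(tid)
        if state in (EXECUTED, COMMITTED):
            self.log.append(f"duplicate TID {tid} ({state}) rejected")
            return False
        self.store.set(tid, CREATED)  # new TID, or a retry after a rollback
        return True

    def receive(self, tid, idoc):
        if not self.check_tid(tid):
            return "REJECTED"
        try:
            self.apply_fn(idoc)
        except Exception as exc:
            self.log.append(f"TID {tid}: {exc!r} raised back to SAP R/3")
            return "ERROR"
        self.store.set(tid, EXECUTED)
        return "OK"

    def onCommitTID(self, tid):
        """SAP R/3 confirms success; only an executed TID can move to Committed."""
        if self.store.state(tid) != EXECUTED:
            return False
        self.store.set(tid, COMMITTED)
        return True

    def onRollbackTID(self, tid):
        """SAP R/3 reports failure; the same TID may be redelivered later."""
        self.store.set(tid, ROLLED_BACK)
        return True


def run_demo(db_path=None):
    """Deliver constructed IDocs: a duplicate, a failure, a retry, and a restart."""
    if db_path is None:
        db_path = os.path.join(tempfile.mkdtemp(), "tid.db")
    ledger = []  # what the business logic actually booked

    def post(idoc):
        if idoc["amount"] <= 0:
            raise ValueError("invalid amount")
        ledger.append((idoc["doc"], idoc["amount"]))

    rx = TrfcReceiver(TidStore(db_path), post)
    good = {"doc": "ORDERS05-1", "amount": 100}  # constructed sample, not real SAP data
    bad = {"doc": "ORDERS05-2", "amount": -5}
    results = [rx.receive("TID-0001", good)]       # OK
    rx.onCommitTID("TID-0001")
    results.append(rx.receive("TID-0001", good))   # REJECTED: same TID redelivered
    results.append(rx.receive("TID-0002", bad))    # ERROR: business logic failed
    rx.onRollbackTID("TID-0002")
    fixed = {"doc": "ORDERS05-2", "amount": 5}
    results.append(rx.receive("TID-0002", fixed))  # OK: retry allowed after rollback
    rx.onCommitTID("TID-0002")
    # Adapter restart: a fresh receiver reloads the file DB, so the duplicate stays rejected.
    rx2 = TrfcReceiver(TidStore(db_path), post)
    results.append(rx2.receive("TID-0001", good))  # REJECTED
    return results, ledger, rx2.store.state("TID-0002")


if __name__ == "__main__":
    print(run_demo())
```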

This topic provides conceptual information about WebSphere MQ and its Sun Java CAPS Adapter.

About IBM’s WebSphere MQ

WebSphere MQ (formerly MQSeries™) from IBM™ is a client-server message broker supporting an open API (application programming interface), available on a variety of operating systems including AIX™, Solaris™, HP-UX™, and Windows™. WebSphere MQ is “middleware” that provides commercial messaging and queuing services. Messaging enables programs to communicate with each other via messages rather than direct connection. Messages are placed in queues for temporary storage, freeing up programs to continue to work independently. This process also allows communication across a network of dissimilar components, processors, operating systems, and protocols.

About the WebSphere MQ Adapter

The Sun Adapter for WebSphere MQ (referred to as the WebSphere MQ Adapter throughout this document) allows the Sun Java CAPS ESB system to exchange data with IBM’s WebSphere MQ. Sun Java CAPS ESB, using the WebSphere MQ Adapter, uses business logic within a Collaboration or Business Process to perform operations for data identification, manipulation, and transformation. Messages are tailored to meet the communication requirements of specific applications or protocols. Queues or Topics provide non-volatile storage for data within the Sun Java CAPS ESB system allowing applications to run independently of one another at different speeds and times.

The WebSphere MQ Adapter transparently integrates existing systems with IBM’s WebSphere MQ. This document explains how to install and configure the WebSphere MQ Adapter.


Alliance Gateway

Administration and Operations Guide

This guide describes how to use the Alliance Gateway Administration interface to perform Alliance Gateway tasks. The Alliance Gateway Administration interface is available through the Alliance Web Platform. This guide also describes how to monitor multiple Alliance instances and how to use Alliance Gateway commands and tools. This guide is for system administrators and security managers.

25 August

Table of Contents

Preface 5
1 SWIFT Training 6
2 Alliance Gateway Operations Overview 7
    About Alliance Gateway
    Component Groups of the Alliance Gateway Environment
    Configuring Alliance Gateway Interfaces 13
    Creating and Managing Alliance Gateway Entities 15
    Enabled and Disabled Entities
    Configuration Parameters 19
    Daily Operations and Housekeeping 20
3 Logging in to Alliance Gateway Administration 21
    Session Management for Alliance Gateway Administration GUI 23
    Configure Two-Factor Authentication
    Embedded Two-Factor Authentication 25
    Changing Your Password
4 The Alliance Gateway Administration GUI 27
    Online Help
    Tips and Tricks for Using Alliance Gateway Administration 27
    Wildcards for Searching or Filtering
    Change your List View
    Choose File 30
    Print a Report Directly from the GUI
    Print 30
    Export 31
    Report Types and Settings 31
5 Configuration 33
    Licensing Configuration 33
    Parameters 36
    Manage Configuration Parameters 42
    User Management 43
    Event Log
    Application Interface
    SWIFTNet Interface
    MI Channel Support Interface
    File Transfer
    Routing
6 Instance Monitoring Overview
    Accessing the Instance Monitoring Overview Page
    The Instance Monitoring Overview Page
    The Connectivity Status Window
    Logging In to an Alliance Server Instance
7 Monitoring
    Alerts
    Processes
    System
    Last Logins
    Concurrent Users
    File Transfers
    Queues
    MI Channel Message Flow Instances
    Event Log
8 HSM Management
    HSM Operations
    HSM Status
9 Licensing
    Licensing Operations Overview
    Licence Files
    Types of Licence-related Data
    Interactive Licensing
    Silent Licensing
10 Alliance Gateway Commands and Tools
    The Alliance Gateway Bootstrap
    sag_system
    Other Alliance Gateway Commands
11 Miscellaneous Activities
    Archive, Back Up, Copy, and Restore Alliance Gateway Data
    Collect Message Traffic Statistics
    Monitor Application Errors
    Change the Alliance Gateway System Service Password (Windows Only)
    Alliance Gateway in Replicated Environments
    Change the Type of Hardware Security Module Used by Alliance Gateway
    Manage Concurrent User Connections
    TLS Security for Remote API Traffic
12 Security Best Practice Check Tool
    Starting the Security Best Practice Check Tool
Legal Notices

Preface

Purpose

This guide describes how to use the Alliance Gateway Administration interface to perform Alliance Gateway tasks. The Alliance Gateway Administration interface is available through the Alliance Web Platform Server-Embedded. This guide also explains how to monitor multiple Alliance instances from the Instance Monitoring Overview page.

Audience

This guide is for Alliance Gateway operators who use the Alliance Gateway Administration interface.

About Alliance Web Platform Server-Embedded

Alliance Web Platform Server-Embedded is the framework that hosts browser-based graphical user interfaces (GUI) of the Alliance portfolio. It offers a consistent end-user interface to the functionality managed by the Alliance servers. Alliance Web Platform Server-Embedded runs in an application server environment, enabling centralised deployment of the software.

1 SWIFT Training

SWIFT provides training about standards, products, and services to suit different needs. From tailored training to self-paced e-learning modules on SWIFTSmart, a range of training options are available for all SWIFT users.

SWIFTSmart

SWIFTSmart is an interactive, cloud-based training service that offers a large variety of courses for different levels of knowledge. The courses contain exercises and quizzes and are available in multiple languages. The SWIFTSmart catalogue provides a list of courses that are organised into these learning tracks:
• General knowledge
• Work with messages
• Deploy and manage SWIFT software solutions
• Security and audit
• Compliance and shared services

SWIFTSmart is accessible from the desktop or from a mobile device. No installation is required. It is available to all connected SWIFT users and registered SWIFT partners with a sprers.eu account. For more information, see How to become a sprers.eu user.

Tailored training

A full range of tailored programmes are available to meet specific training needs. For more information, visit the Training web page.

2 Alliance Gateway Operations Overview

About Alliance Gateway

Description and purpose

Alliance Gateway is a modular software package that is installed on top of the SWIFTNet Link (SNL) software, and is designed to enable application-to-application communication. Using the SWIFTNet messaging services InterAct and FileAct, messages and files are typically exchanged between a customer application (client) and a central application (server) over the secure IP network (SIPN).

Alliance Gateway overview

[Diagram: Alliance Gateway overview, showing Client Application, Host Adapter, Alliance Gateway, Alliance Web Platform, InterAct and FileAct traffic, SWIFT WebAccess, Host Adapter, Alliance Gateway, Server Application]

Alliance Gateway provides the following features:
• application concentration
• compatibility for SWIFTNet Link applications
• monitoring and archiving tools
• message flow auditing and statistics
• modularity
• process optimisation
• security certificate concentration

Application concentration

Alliance Gateway acts as a single window to the secure IP network, enabling multiple applications to concentrate their traffic to SWIFTNet over Alliance Gateway. This avoids the need for multiple physical connections to the secure IP network within your organisation. The internal host adapters of Alliance Gateway enable connectivity over a variety of middleware applications.

Compatibility for SWIFTNet Link applications

Messaging traffic of applications built to communicate directly with SWIFTNet Link can be transparently rerouted and concentrated through Alliance Gateway, without the need to make software changes.

Message flow auditing and statistics

For auditing purposes, Alliance Gateway can be configured to make copies of client and server message flows and submit these copies to a separate, custom server application. Additionally, a message traffic statistics report can be generated.

Modularity

The Alliance Gateway system consists of the Alliance Gateway kernel and built-in components (plug-ins). Its modular structure enables you to license only the modules that you require. The following modules can be licensed to provide additional features:

Developers Toolkit: Includes developer documentation and a licence to develop.

File Transfer Adapter and File Transfer Integrated: Provides built-in capability to exchange files with your correspondents over SWIFTNet, either integrated or automated. For more information, see the Alliance Gateway File Transfer Interface Guide.

Remote API Host Adapter: Provides support for SWIFTNet Link and Alliance Gateway applications, using the proprietary Remote API middleware. For more information, see the Remote API for Alliance Gateway Operations Guide.

MQ Host Adapter: Provides support for MQ applications. For more information, see the MQ Host Adapter for Alliance Gateway Configuration Guide.

Monitoring and archiving tools

Alliance Gateway activity, such as operators performing tasks with Alliance Gateway Administration, or applications exchanging messages, generates events. Events are logged in the Event Log of Alliance Gateway, according to event templates. It is also possible to log SWIFTNet Link events in the Alliance Gateway Event Log. Event templates can be configured to send events to the operating system log or to third-party system management software such as Tivoli or HP OpenView. Different archiving tools allow you to control the size of the logs generated by Alliance Gateway. The list of alerts indicates any operational conditions that may require quick action. The licence for File Transfer Adapter provides monitoring capability for file transfers. The Alliance Gateway Administration interface includes a GUI to manage and monitor hardware security modules.

Process optimisation

Alliance Gateway starts a configurable number of SWIFTNet Link processes and manages the SWIFTNet Link security contexts for all applications. This enables one large application to use several SWIFTNet Link processes, and also removes the need for the system to run as many SWIFTNet Link processes as there are applications.

Security profile concentration

Alliance Gateway also enables cost savings by acting as a concentrator of SWIFTNet PKI profiles. Message partners and users for access to SWIFTNet can use SWIFTNet PKI profiles. Alliance Gateway enables you to share a single profile between a number of virtual SWIFTNet users.



Component Groups of the Alliance Gateway Environment

The Alliance Gateway environment consists of the Alliance Gateway software and the applications that interact with Alliance Gateway. The environment can be classified into the following component groups:
• applications
• operator tools
• the Alliance Gateway instance

[Diagram: The Alliance Gateway environment, showing Alliance Gateway Command Tools, Alliance Gateway File Transfer Interface, Process Control, File Transfer Interface, Application Interface, Kernel, Remote API Host Adapter, Alliance Web Platform Server-Embedded, Message Dispatcher, IBM MQ Host Adapter, SWIFTNet Interface, SWIFTNet Network Adapter, Remote API SWIFTNet Link/Alliance Gateway Application, Alliance Gateway Application over IBM MQ, Log, Market Infrastructure Support Interface, SWIFTNet Link, Remote API]

The following sections describe these component groups.



Applications

The Application component group contains several types of applications that can be developed to communicate with Alliance Gateway:
• SNL applications: These applications send InterAct or FileAct messages over the Remote API, using the SWIFTNet Link API and protocol as if they were directly connected to SWIFTNet Link.
• Alliance Gateway applications: These applications send either Alliance Gateway Administration primitives or InterAct/FileAct messages over the Remote API, using the Alliance Gateway API. They can benefit from Alliance Gateway features such as relaxed mode and local authentication. Such applications can also send Alliance Gateway administration commands. Copy-to applications can be configured to receive message copies in the copy-to message format.
• Process Control applications: Applications that send messages to the Process Control use a specific API. The Process Control is running all the time, as soon as the bootstrap starts running. The Process Control receives management requests, for example to start or stop Alliance Gateway.
• MQ applications: The same as Alliance Gateway applications, but in this case the IBM MQ middleware facilitates communication with Alliance Gateway. The messages are exchanged through queues belonging to queue managers.
• Alliance Web Platform: A user can use Alliance Web Platform and the Alliance Gateway Administration GUI to communicate with Alliance Gateway.

Administration Tools

Purpose

Administration tools enable operators to manage Alliance Gateway. This section describes the three types of administration tools.

Alliance Gateway GUI application

Alliance Gateway supports the Alliance Gateway Administration GUI, available through Alliance Web Platform. The Alliance Gateway Administration GUI enables you to configure Alliance Gateway and manage the operational aspects of Alliance Gateway, such as:
• start and stop Alliance Gateway
• configure Alliance Gateway
• monitor Alliance Gateway
• manage SWIFTNet users
• export reports on system information

Alliance Gateway command tools

In addition to functionality available through the Alliance Gateway Administration application, Alliance Gateway includes several command-line tools. Two types of Alliance Gateway command-line tools are available to Alliance Gateway operators:
• Local Alliance Gateway commands: These commands are run on the machine that hosts Alliance Gateway. For more information, see Alliance Gateway Commands and Tools on page
• Remote Alliance Gateway commands: The Remote API for Alliance Gateway Operations Guide describes the commands that can be run remotely.

Note: The local Alliance Gateway commands as described in Alliance Gateway Commands and Tools on page are a superset of what is offered remotely. The remote Alliance Gateway commands are syntactically the same as those offered locally.

Customer-developed tools

If you have a development licence, then you can develop your own tools to customise the management of Alliance Gateway, using the development facilities described in the Alliance Gateway Developer Guide. This document is not available to customers with only a run-time licence.

Alliance Gateway Instances

Definition

An Alliance Gateway instance is a complete installation of the Alliance Gateway software and database. The SAG instance component group consists of two major parts:
• Alliance Gateway interfaces
• kernel entities

Alliance Gateway interfaces

The following interfaces are present within an Alliance Gateway instance:
• Application Interface: used by client and server applications to transmit messages through Alliance Gateway. AI components include:
  - Remote API Host Adapter: manages the messages sent to and received from applications running over the Remote API.
  - MQ Host Adapter: manages the messages sent to and received from applications running over IBM MQ middleware.
• SWIFTNet Interface: treats all incoming and outgoing SWIFTNet Link messages from and to the secure IP network (SIPN). The SWIFTNet Interface controls and manages the SWIFTNet Link security per application (security profiles and SWIFTNet users). For server applications, the SWIFTNet Interface also manages the routing of the incoming messages by means of the Alliance Gateway endpoints. Includes the SWIFTNet Network Adapter, a major component of the SWIFTNet Interface.
• File Transfer Interface: comprises the File Transfer Adapter and File Transfer Integrated.
  Note: The presence of the File Transfer Interface in a given Alliance Gateway instance depends on your licensing scheme. To license and install File Transfer Interface, see "Licensing" in the Alliance Gateway Installation Guide for AIX, Linux, Oracle Solaris, or Windows.
• MI Channel Support Interface: enables users to configure data for an MI Channel-based solution. The MI Channel Support Interface only applies to customers who are accessing a market infrastructure service where MI Channel connectivity is available. For information about related configuration activities, see MI Channel Support Interface on page

Alliance Gateway kernel entities

Within an Alliance Gateway instance, the following kernel entities play a major role:
• Workflow Engine: manages the message flow and routing through Alliance Gateway, using the Message Dispatcher.
• Process Control: enables you to control the operational aspects of Alliance Gateway and its subsystems, such as starting and stopping Alliance Gateway, as well as running commands, for example to back up data or verify the integrity of software.
• Log: handles the Event Log.

Configuring Alliance Gateway Interfaces

Introduction

Various interfaces within Alliance Gateway are responsible for controlling the processing of messages. The design of Alliance Gateway enables it to support one or more applications, each of which may have different processing requirements. When considering Alliance Gateway configuration, it is helpful to think about the interfaces that it includes, and how these interfaces contribute to message processing. Each interface uses and manages several entities as illustrated in the following diagram. The following interfaces are available within Alliance Gateway:
• the Application Interface
• the File Transfer Interface
• the SWIFTNet Interface
• the MI Channel Support Interface
  The MI Channel Support Interface only applies to customers who are accessing a market infrastructure service where MI Channel connectivity is available. For information about related configuration activities, see MI Channel Support Interface on page

This diagram shows all interfaces and the entities within that require configuration:

[Diagram: Alliance Gateway interfaces and their entities, showing Application Interface, Message Partners, WebSphere MQ, Web Services, Connection Profile, Configuration Settings, Business Application/Message, File Transfer Interface, Profiles, SWIFTNet Interface, SWIFTNet Users, Endpoints, secure IP network, Remote API]

Application Interface

The Application Interface controls direct communication between a business application and Alliance Gateway. Messages reach the Application Interface by means of the host adapter that the application uses to exchange messages with Alliance Gateway. Within the Application Interface, a message partner represents each application. Message partner configuration details determine how messages are processed within Alliance Gateway. For configuration information, see Application Interface on page

File Transfer Interface

The File Transfer Interface offers two approaches for sending and receiving files: File Transfer Integrated and File Transfer Adapter. File Transfer Integrated offers a command-based approach to send and receive files, while File Transfer Adapter offers an automated way to exchange files. The configuration for File Transfer Adapter consists of specifying profiles containing all the details necessary for automated file transfer. Different types of profiles exist, depending on the customer environment. File Transfer Adapter may include emission, reception, security, and queue profiles. For File Transfer Integrated, security profiles must be configured. For more information, see the Alliance Gateway File Transfer Interface Guide.

SWIFTNet Interface

The SWIFTNet Interface controls communication between Alliance Gateway and SWIFTNet Link. The SWIFTNet Interface handles all messages to and from the Application Interface, the File Transfer Interface and SWIFTNet. The SWIFTNet Interface also manages the security processing based on the Public Key Infrastructure (PKI) implemented by SWIFTNet. For general information, see the SWIFTNet PKI Certificate Administration Guide.

Security profiles and SWIFTNet users

Two types of data configuration are important to consider in the SWIFTNet Interface: security profiles and SWIFTNet users. A user of a PKI profile is called a SWIFTNet user. Alliance Gateway enables multiple users to concentrate the usage of a single PKI profile; these are called virtual SWIFTNet users. As of Alliance Gateway , personal HSM certificates are additionally supported. For more information about personal HSM certificates, see SWIFTNet Certificates on page and the SWIFTNet PKI Certificate Administration Guide. The applications that exchange messages with Alliance Gateway must reference a security Distinguished Name (DN) for authentication, signature, or encryption. Such DNs must be referenced as SWIFTNet users. For details about security profiles and SWIFTNet users, see SWIFTNet Users on page and the Alliance Gateway Security Guide.

Endpoints

For server applications, the SWIFTNet Interface processing relies on endpoint routing criteria to determine where to send request messages received from the secure IP network (SIPN). For information about endpoints, see Routing on page

MI Channel Support Interface

The MI Channel Support Interface enables customers using an MI Channel-based solution to define and store configuration data for MI Channel in Alliance Gateway. The related message flow instances can also be managed from Alliance Gateway. The MI Channel Support Interface menus and functions are only available after activating MI Channel Support in Alliance Gateway. For more information, see MI Channel Support Interface on page



Creating and Managing Alliance Gateway Entities

Overview

The following process describes how to create and manage various Alliance Gateway entities. This process is intended as a guide and may vary depending on your requirements.

Alliance Gateway administration process

1. Define operators
   When you install Alliance Gateway, an operator called Administrator is created with full operating profile functions. The Administrator operator can create operating profiles and assign them to Alliance Gateway operators. Creating an Alliance Gateway operator may involve defining:
   • units
   • operating profiles
   • operator details
   For more information, see User Management on page

2. Define virtual SWIFTNet users
   To enable the sharing of the PKI certificates, Alliance Gateway allows several virtual SWIFTNet users to share the same PKI certificate. Each virtual SWIFTNet user is identified by its name and has its own password. To define a virtual SWIFTNet user, you must:
   • define the virtual SWIFTNet user details
   • assign a PKI certificate to the virtual SWIFTNet user
   For more information, see SWIFTNet Users on page
   Important: Defining a virtual SWIFTNet user is not equivalent to registering a new user node in SWIFT.

3. Define message partners and MQ connections
   Each application message partner that exchanges information with Alliance Gateway through the Application Interface must have a corresponding message partner profile. For all message partners, you must specify the list of supported message formats. For more information, see Application Interface on page
   In addition, message partners for applications using IBM MQ to connect to Alliance Gateway must have a corresponding MQ connection. For more information, see Configure Alliance Gateway for IBM MQ on page and the MQ Host Adapter for Alliance Gateway Configuration Guide.

4. Define endpoints
   Endpoints enable you to define message routing criteria for server applications. For more information, see Routing on page

5. Set configuration parameters
   The configuration parameters for Alliance Gateway components are defined when the Alliance Gateway software is licensed. You can modify the value of some parameters to influence the behaviour of your Alliance Gateway system in specific areas. For more information, see Configuration Parameters on page

6. Manage Hardware Security Module (HSM) devices
   Alliance Gateway allows you to manage and monitor the HSM devices that are available for an Alliance Gateway instance.

7. Monitor Alliance Gateway
   Alliance Gateway allows you to:
   • search for events generated by the activity of the Alliance Gateway components
   • specify which events must be logged
   • customise event storage
   • archive events
   • monitor alerts to help you identify the location of a problem
   For more information about configuring the Alliance Gateway Event Log, see Event Log on page To search for events, see Event Log on page For more information about alerts, see Alerts on page

8. Set up profiles for file transfer (if you are licensed for File Transfer Adapter)
   To use File Transfer Adapter, you must define:
   • emission profiles
   • reception profiles
   • security profiles
   • queue profiles
   For more information, see File Transfer on page and the Alliance Gateway File Transfer Interface Guide.

9. Monitor file transfers (if you are licensed for File Transfer Adapter)
   The File Transfer Adapter licence option allows you to monitor your queues and file transfers, and to archive file transfer information. For more information, see Monitoring on page and the Alliance Gateway File Transfer Interface Guide.

Enabled and Disabled Entities

Why disable entities?

Within Alliance Gateway, certain entities can be either enabled or disabled to improve operational control. When such entities are created, they are by default disabled, and must be enabled to be used. Having new entities disabled by default allows implementing the 4-eyes principle: one operator creates the entity while a second operator must enable it. There are two major reasons for disabling entities:
• Modifications: Alliance Gateway does not allow you to modify an enabled entity. Therefore, you must first disable an entity before updating it.
  Note: There is one exception: an MI Channel message flow instance can be modified while it is enabled. MI Channel only applies to customers who are accessing a market infrastructure service where MI Channel connectivity is available.
  Similarly, you must disable an entity before you can delete it. Disabling entities can be quite useful for maintenance purposes. For example, you can disable operators when modifying their assigned operating profile functions, and thus prevent an unexpected change to the tasks that they are allowed to perform.
• Message traffic control: Preventing message traffic can also be useful. A disabled entity cannot participate in the flow of message traffic within Alliance Gateway. For example, you can set up a message partner and leave it disabled until you are ready to use it when preparing to test a new application.

Which entities can be disabled, and what are the effects?

The following list gives the entities that can be disabled, and explains the effects of disabling the entity:

Authentication server: No authentication requests can be submitted.

Emission profile: An ongoing file transfer continues if the related emission profile is disabled. If it does not succeed, then it is not retried until the emission profile is enabled again. File Transfer Adapter no longer scans the emission directory of the disabled emission profile. File transfers not yet initiated are ignored: they are initiated when the profile is enabled.

Endpoint: If a request matches the routing criteria of a disabled endpoint, then no further criteria checking occurs. Alliance Gateway immediately returns an error to the sending application and does not forward the request to the server application.

MI Channel message flow instance: The message flow passing through SWIFTNet Link is interrupted.

Message partner (client side): The client application sending the request message receives an error. Responses to messages already in transit are returned to the application even if the message partner was disabled immediately after sending the request.

Message partner (server side): The server application cannot receive new request messages: the originating client application subsequently receives an error (instead of a response). The server application can still send response messages to the requests received before the message partner was disabled.

MQ connection: MQ Host Adapter is disconnected from the local queue manager associated with the disabled MQ connection profile. All MQ Host Adapter resources handling the disabled connections are properly closed and freed. If a message is sent to a disabled connection (server request), then MQ Host Adapter rejects the message, sends an error back, and logs an event. If an application sends a message to MQ Host Adapter (client request or server response), then the message stays in the corresponding MQ queue. It is picked up by MQ Host Adapter when the connection is enabled again (if the message did not expire in the meantime).

Operating profile: The operating profile is not available. Operators with this operating profile cannot log in. Logged operators with that operating profile are forcibly logged out.

Operator: The operator cannot log in. The operator cannot perform any operations. Logged operators are forcibly logged out.

Queue profile (store-and-forward transfer): The store-and-forward queue is automatically released. An ongoing file transfer fails. If the queue profile is subsequently enabled and the queue is acquired, then a new NotifyFileRequest message is received for a file transfer that failed, unless the file expired in the queue in the meantime.

Reception profile: File Transfer Adapter uses reception profiles when the LTA-PutInit command returns code 2. An ongoing file transfer continues if the related reception profile is disabled. File Transfer Adapter does not accept new file transfers from the Requestor DN in the reception profile.

SWIFTNet user: Only virtual SWIFTNet users can be disabled. The virtual SWIFTNet user cannot log in or create a security context. The virtual SWIFTNet user cannot perform any operations. Logged in SWIFTNet users are forcibly logged out.
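The lifecycle rules from "Why disable entities?" (disabled on creation, a second operator enables, modify and delete only while disabled, the MI Channel exception) and the client-side message partner effect from the list above, modelled as an added example that is not part of this guide or of SWIFT's software; the EntityStore class, the Kind enum, refused() and the audit list are names assumed for this example.

```python
# Added example (not code from the Alliance Gateway guide or from SWIFT): a model of
# the entity enable/disable rules. EntityStore, Kind, refused() and audit are assumed names.
from dataclasses import dataclass, field
from enum import Enum
from itertools import count


class Kind(Enum):
    MESSAGE_PARTNER = "message partner"
    ENDPOINT = "endpoint"
    MI_CHANNEL_FLOW = "MI Channel message flow instance"


class EntityError(Exception):
    """Raised when the enable/disable rules refuse an action."""


@dataclass
class Entity:
    name: str
    kind: Kind
    created_by: str
    enabled: bool = False                       # new entities start disabled
    config: dict = field(default_factory=dict)


class EntityStore:
    """Rules modelled: disabled on creation; a second operator must enable (4-eyes);
    modify and delete only while disabled (MI Channel flow instances may be modified
    while enabled); a disabled client-side message partner rejects new requests."""

    def __init__(self):
        self._entities = {}
        self._inflight = {}                     # request id -> message partner name
        self._ids = count(1)
        self.audit = []                         # constructed trail: (operator, action, entity)

    def _get(self, name):
        if name not in self._entities:
            raise EntityError(f"no such entity: {name}")
        return self._entities[name]

    def _log(self, operator, action, name):
        self.audit.append((operator, action, name))

    def is_enabled(self, name):
        return self._get(name).enabled

    def create(self, operator, name, kind, **config):
        if name in self._entities:
            raise EntityError(f"entity already exists: {name}")
        self._entities[name] = Entity(name, kind, operator, config=dict(config))
        self._log(operator, "create", name)

    def enable(self, operator, name):
        ent = self._get(name)
        if operator == ent.created_by:          # 4-eyes: the creator may not enable
            raise EntityError(f"{operator} created {name}; another operator must enable it")
        ent.enabled = True
        self._log(operator, "enable", name)

    def disable(self, operator, name):
        self._get(name).enabled = False
        self._log(operator, "disable", name)

    def modify(self, operator, name, **changes):
        ent = self._get(name)
        if ent.enabled and ent.kind is not Kind.MI_CHANNEL_FLOW:
            raise EntityError(f"disable {name} before modifying it")
        ent.config.update(changes)
        self._log(operator, "modify", name)

    def delete(self, operator, name):
        if self._get(name).enabled:
            raise EntityError(f"disable {name} before deleting it")
        del self._entities[name]
        self._log(operator, "delete", name)

    def submit_request(self, partner):
        """Client application sends a request through a message partner."""
        ent = self._get(partner)
        if ent.kind is not Kind.MESSAGE_PARTNER or not ent.enabled:
            raise EntityError(f"message partner {partner} is disabled: request rejected")
        req_id = next(self._ids)
        self._inflight[req_id] = partner
        return req_id

    def deliver_response(self, req_id):
        """Responses to requests already in transit are returned even after a disable."""
        partner = self._inflight.pop(req_id)
        return f"response {req_id} delivered to {partner}"


def refused(action, *args, **kwargs):
    """True if the rules reject the action; shows the refused paths without tracebacks."""
    try:
        action(*args, **kwargs)
    except EntityError:
        return True
    return False
```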



Configuration Parameters Concept The behaviour of the Alliance Gateway system can be customised to your company's needs, mainly through the use of configuration parameters. Two types of configuration parameters exist: operational configuration parameters and security configuration parameters. Configuration parameters reference table The following table explains which group a particular type of configuration parameter belongs to and where you can find more information. Type

Group

Reference

Operational configuration parameters

operational

Configuration on page 33

Security configuration parameters

security

"Security Configuration Parameters" in the Alliance Gateway Security Guide

MQ Host Adapter configuration parameters

operational

"Configuring the MQ Host Adapter Plug-in" in the MQ Host Adapter for Alliance Gateway Configuration Guide

File Transfer Interface configuration parameters

operational

"Configuration Parameters" in the Alliance Gateway File Transfer Interface Guide

Operating profile functions Your operating profile determines the level of access to the configuration parameters.

25 August

If you want to

Then your operating profile must have

view all operational configuration parameters

View List of Configuration Parameters

view all operational and security configuration parameters

View List of Configuration Parameters and Manage Security Configuration Parameters

view all operational configuration parameters and their details

View Configuration Parameter Details

view all operational and security configuration parameters and their details

View Configuration Parameter Details and Manage Security Configuration Parameters

19

Alliance Gateway Administration and Operations Guide



Alliance Gateway Operations Overview

If you want to                                              Then your operating profile must have
modify operational configuration parameters                 Update a Configuration Parameter
modify operational and security configuration parameters    Update a Configuration Parameter and Manage Security Configuration Parameters

Daily Operations and Housekeeping

To keep your Alliance Gateway system in good order, perform the following tasks on a regular basis:

Task: Start and stop Alliance Gateway as required
See Alliance Gateway Instance on page

Task: Use the Alliance Gateway Administration GUI to operate Alliance Gateway
See The Alliance Gateway Administration GUI on page 27 for an overview

Task: Use commands to operate Alliance Gateway
See Alliance Gateway Commands and Tools on page

Task: Monitor your system
Alliance Gateway logs configuration and operation events. You must verify that abnormal events do not occur in Alliance Gateway or on your system. For example, verify that all entities created are expected, and that there are no failed login attempts, which may indicate a security attack. In addition, if Alliance Gateway has problems, these events are logged and therefore must be regularly checked in the Event Log. See Event Log on page
If, for any reason, the Event Log is not accessible, then some events may be logged in the OS event log. It is advised to check this event log as well in case of problems. Beginning with Alliance Gateway , alerts are generated to proactively inform you about operational conditions that may require quick action. For more information, see Alerts on page

Task: Perform regular archives
To archive the Event Log using the Alliance Gateway Administration GUI, see Event Log Search on page
For information about the sag_system -- archive command, see Archive the Alliance Gateway Event Log on page

Task: Perform regular database backups
See Back Up the Alliance Gateway Database on page


3

Logging in to Alliance Gateway Administration

Logging in to Alliance Gateway Administration

The Alliance Gateway Administration workspace displays the Welcome page by default when a user logs in. Alliance Web Platform Server-Embedded uses a single sign-on authentication process that allows you to enter one user name and password in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session. When logged in to Alliance Gateway Administration hosted on Alliance Web Platform Server-Embedded, you can open a new browser window or tab (depending on browser configuration) by using the browser's embedded options within a single session.

Before you begin

To log in to the Alliance Gateway Administration on Alliance Web Platform Server-Embedded, you need the following:

• A valid URL for Alliance Gateway Administration. The administrator of Alliance Web Platform Server-Embedded provides this information. This is the default URL: https://[:]/swp/group/sagadmin
  Where:
  - is the Alliance Web Platform Server-Embedded host name
  - indicates the port number (optional)
    It is not necessary to specify a value for if the default port for HTTPS is used. On Windows, the default port number is On UNIX or Linux, the default port number is
  - swp refers to Alliance Web Platform Server-Embedded
  - group/sagadmin refers to Alliance Gateway Administration

• User name and password
  You must have a user name and a password that correspond to your operator definition. The administrator of your Alliance Gateway server provides this information.

To optimally display the information in Alliance Gateway Administration pages, set your screen resolution to by pixels or higher. Do not use the zoom functionality of the browser. The layout of Alliance Gateway Administration labels can be incorrect when the display value of the browser is not set at percent.

Procedure

1. Start your browser.
2. Perform one of these actions to provide the URL for Alliance Gateway Administration, as applicable:
   • Type the URL in the address bar of your browser and press ENTER.
   • Select the URL from your list of saved links, for example, from Favourites or Bookmarks.
   • Select the URL from the list of previously visited addresses.
   The browser displays the Alliance Gateway Administration login page.
3. Enter your User Name and Password. Both are case sensitive. If you are using your password for the first time, then you must enter an eighteen-character password received from the administrator of your Alliance Gateway. When you click Login, you are prompted to change it. See Changing Your Password on page 25 for details. This is not applicable if the authentication method used for your operator definition is either One-time Password or LDAP.
4. If your operator definition has been configured to use Two-Factor Authentication, select the Use Two-factor Authentication check box and enter your Two-factor Authentication Code. If this is your first log on, or your password has been reset, you will need to 'enroll'. See Configure Two-Factor Authentication on page 23 and Embedded Two-Factor Authentication on page
5. If multiple Alliance Gateway instances have been configured for the Alliance Web Platform Server-Embedded host, then select the applicable instance from the Alliance Server Instance drop-down list.
6. Click Login.

Tip: If you experience problems logging in, then delete the Browsing history files. You can delete these files from the Tools menu or Options window. The exact location depends on your browser type and release.

After you have successfully logged in, the Welcome page appears. The Welcome page shows a list of shortcuts to tasks that are also available through the menus in the navigation area. The list of tasks available depends on your operator profile and the application group. The Alliance Web Platform administrator configures an application group through the GUI application.

Tip: If you have enabled the single sign-on option, when you log out of any browser tab or window, then the system will log you out from all the other remaining browser tabs or windows.


Session Management for Alliance Gateway Administration GUI

Manage your Alliance Gateway session with the menu options and controls in the upper right corner of the navigation area, as follows.

Alliance Server Instance: This menu provides the following:
• The Instance ID and user (for example, Administrator)
• Make a new connection: click to open the Alliance Gateway Administration login page. This will include Active Connections. Use Active Connections to Open an instance, Logout from a specific instance, or Logout from all instances.

User: This menu provides the following:
• Change Password (see Changing Your Password on page 25)
• Session Info: click Session Info to open a pop-up that provides the UUID of the SAG instance and Web Platform instance.
• Logout: log out from the current session.

Help: Display the online help.

Configure Two-Factor Authentication

Two-factor authentication uses a temporary passcode to strengthen the authentication process when you log in to an application. If your operator definition has been configured to use Two-Factor Authentication, then you must configure two-factor authentication in the following situations:
• the first time that you log in
• after your password is reset
• if you change the device or application used to generate your time-based one-time password

Before you begin

The configuration can only be undertaken if you have been set up to use the Password and TOTP method.


You must have an authenticator mobile phone application or other software or hardware authenticator tool to generate the time-based one-time password.

Procedure

1. Enter your username and password (and Instance name, if applicable), and click Login.
   Note: For configuration itself, the "Use Two-factor Authentication" check box should not be selected.
2. Once your username and password have been verified, a secret key from Alliance Gateway is displayed.
3. Either scan the barcode with an authenticator mobile phone application or other software or hardware authenticator tool, or enter the string on the device manually.
   Important: Scan or save the key as quickly as possible. Do not leave it displayed on your screen so that others can observe it.
4. Enter the code generated from your authentication device in the configuration screen, and click Continue.
5. Alliance Gateway validates the credentials (username, password, and authentication code). If validation is successful, you are logged on. If not, you can repeat the step with another authentication code. If you quit without entering the authentication code, then you can set up two-factor authentication the next time you log in (you will receive a new secret).



Embedded Two-Factor Authentication

Two-Factor Authentication (2FA) is a method of user authentication where at least two different components are required to authenticate a user. Typically, this is something you know (username/password) and something you have (for example, a one-time-password generator). In addition to the RADIUS one-time password method, Alliance Gateway provides a secure 2FA setup using an off-the-shelf application that can be installed on a separate device, such as a mobile phone or tablet.

Two-Factor Authentication using LDAP can be achieved by enabling a feature or plug-in for the LDAP server that provides Time-based one-time Password (TOTP) or One-time Password (OTP) in addition to the fixed password. As with the LDAP and RADIUS solution, SWIFT does not recommend a specific vendor of client Time-based one-time Password (TOTP) solutions. The solution selected for the TOTP second factor must be able to generate passwords of (at least) 8 digits, support SHA, and accept an activation code, either by scanning the bar code or by typing the code manually.

Time-based one-time passwords

Time-based one-time passwords (TOTP) are temporary passcodes, generated by an algorithm for use in authenticating access to computer systems. The algorithm that generates each password uses the current time of day as one of its factors, ensuring that each password is unique. With two-factor authentication, the user must enter the Alliance Gateway username and password and the TOTP code to gain access.
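The TOTP mechanism described above, as an added example that is not SWIFT's code and not the Alliance Gateway implementation: a standard RFC 6238 generator and verifier using the parameters the guide requires for the second factor (8-digit codes, SHA-family HMAC), plus the replay check a verifier needs. The seed values are the RFC 6238 test-vector seeds, and the otpauth key-URI format is an assumption about what the displayed barcode encodes (the common authenticator-app convention, not stated by the guide).

```python
"""Added example (not SWIFT's code): RFC 6238 TOTP with 8 digits and SHA-based HMAC,
plus verifier-side drift window and replay protection."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# RFC 6238 Appendix B test-vector seeds (ASCII digit runs of 20 and 32 bytes).
SHA1_SEED = b"12345678901234567890"
SHA256_SEED = b"12345678901234567890123456789012"


def hotp(secret: bytes, counter: int, digits: int = 8, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    digest = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 8, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, for_time: Optional[float] = None,
                last_counter: int = -1, step: int = 30, digits: int = 8,
                algorithm: str = "sha1", window: int = 1) -> Optional[int]:
    """Verifier side. Returns the time-step counter that produced `code`, or None.

    `window` tolerates +/- that many steps of clock drift between device and server.
    `last_counter` is the counter of the last code accepted for this user; any
    counter at or below it is refused, so a code observed once cannot be replayed
    inside its validity window (the caller must persist the returned counter).
    hmac.compare_digest keeps the comparison constant-time."""
    if for_time is None:
        for_time = time.time()
    if len(code) != digits or not code.isdigit():
        return None
    current = int(for_time) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue  # already used, or older than an accepted code
        if hmac.compare_digest(hotp(secret, counter, digits, algorithm), code):
            return counter
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 8, algorithm: str = "sha1", step: int = 30) -> str:
    """Assumption: the otpauth:// key-URI that most authenticator apps read from a
    QR code; the guide does not state what the barcode it displays encodes."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm={algorithm.upper()}"
            f"&digits={digits}&period={step}")


if __name__ == "__main__":
    # Unix time 59 is the first RFC 6238 test vector (counter 1).
    print(totp(SHA1_SEED, 59))                          # 94287082
    print(totp(SHA256_SEED, 59, algorithm="sha256"))    # 46119246
    print(provisioning_uri(SHA1_SEED, "operator01", "Alliance Gateway"))
```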



Changing Your Password

Operators with the authentication type Password are requested to change their password when logging in, in the following situations:
• at the first login with a new operator password
• when the password has expired
• if the password was reset on the Alliance server

The frequency with which you have to change your password depends on the security configuration parameters set on the Alliance server. You can also change your password on demand. For password requirements, check with the security officers of your Alliance server. The possible maximum length of the password is characters. The minimum length is set by your organization's security policy.

Procedure

1. If you want to change your password on demand, then click the User: menu in the upper right corner of the navigation area. The Change Password and Session Info menu options are displayed.
2. Click the Change Password menu option. The Change Password dialog box appears.
3. Type your current password in the Old Password field. Then type your new password in the New Password and Password Verification fields.
4. Click Change Password. The password is changed.


4

The Alliance Gateway Administration GUI

The Alliance Gateway Administration GUI

The Alliance Gateway Administration GUI displays the home page by default when a user logs in.



Online Help

All pages within Alliance Gateway Administration contain the Help link in the upper-right corner of the navigation area of the GUI. Clicking the Help link displays the online help that corresponds to the page or entity that is currently selected. It also enables you to navigate to other topics within the online help.

Help for entering values in fields

Alliance Gateway Administration provides tools to help you enter values with the correct syntax, for example, how to select and enter dates or times. For more information, see User Assistance in the Online Help, available after login.

Behaviour

If you click the Help link, then the corresponding help file opens in a new window. The system opens the help file at the content that corresponds to the page or entity that is currently selected. You can use the navigational links that are available in the help window to show other topics from within the online help. The page from which you click the Help link determines the topics that the system shows:
• If you click the Help link on a page within Alliance Gateway Administration, then the system opens the Alliance Gateway Administration online help.

Tips and Tricks for Using Alliance Gateway Administration

Click the logo at any time to return to the home page.

Changing page size and possible impact

You can use the Change View function to set the value for Page Size, which changes the maximum number of rows that the list shows at a time. You can use the Change View function to change the column width, and to show or hide columns, if it is applicable for the current list. It is also possible to drag and drop items to re-order them.

Note: The default and recommended value is Using a higher value may have an impact on the performance of Alliance Gateway Administration. The more messages that you ask to be displayed on a page, the longer it takes to receive the page in your browser. Changing the Page Size value must be done with care.

Data input or modification in a form

Selection lists

Some pages and windows in Alliance Gateway Administration display a list that enables you to select one or more values for a field. To select a group of values that are not sequential, click a value and then hold down the CTRL key and click the other values.



Wildcards for Searching or Filtering

Where the functionality is available, you can use criteria to search or to filter the list for the current page for a specific set of information.

Criteria

This is the behaviour for the search or filtering operation:
• If you do not specify a value for a criterion, then the system does not take that criterion into account.
• If you specify values for more than one criterion, then the system uses an AND relationship to evaluate these criteria.

Wildcards

Some of the search criteria and the filtering criteria fields allow you to use these wildcards:

Wildcard        Purpose                                                          Example
% (percent)     Replaces one or more contiguous unknown characters in a string   a%a matches for example the following strings: aba, afedpa, azhgjdhsa
_ (underscore)  Replaces one unknown character in a string                       aa_a matches for example the following strings: aa1a, aaGa
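The criteria and wildcard rules above, as an added example (not SWIFT's or Alliance Gateway's code): a matcher that treats % as one or more characters and _ as exactly one, escapes everything else, ignores empty criteria and ANDs the rest. The sample Parameters rows are constructed; only the first row's values (Event Logger, System Log Format, Original) come from this guide.

```python
"""Added example (not SWIFT's code): wildcard matching and criteria evaluation as
described for Alliance Gateway Administration search and filter forms."""
import re
from typing import Dict, Iterable, List


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a criterion value into an anchored regular expression.

    '%' stands for one or more contiguous unknown characters (so 'a%' does not
    match 'a'), '_' for exactly one unknown character. Every other character is
    escaped, so a criterion containing '.', '(' or '*' is matched literally."""
    parts: List[str] = []
    for ch in pattern:
        if ch == "%":
            parts.append(".+")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def matches(pattern: str, value: str) -> bool:
    """True if the whole of `value` satisfies the wildcard `pattern` (case-sensitive)."""
    return wildcard_to_regex(pattern).match(value) is not None


def filter_entities(entities: Iterable[Dict[str, str]],
                    criteria: Dict[str, str]) -> List[Dict[str, str]]:
    """Apply a criteria form: empty criteria are ignored, all others must match (AND)."""
    active = {field: wildcard_to_regex(value) for field, value in criteria.items() if value}
    return [entity for entity in entities
            if all(regex.match(entity.get(field, "")) for field, regex in active.items())]


# Constructed sample of a Parameters list. The first row uses the example values the
# guide gives for Component, Name and Value; the other rows are made up.
PARAMETERS = [
    {"Component": "Event Logger", "Name": "System Log Format", "Value": "Original"},
    {"Component": "Event Logger", "Name": "SNMP Heartbeat Interval", "Value": "0"},
    {"Component": "System", "Name": "Activate Alert Monitoring", "Value": "Yes"},
]


def find_event_logger_snmp_parameters() -> List[str]:
    """Worked filter: Component 'Event%' AND Name 'SNMP%'; Value left blank is ignored."""
    rows = filter_entities(PARAMETERS, {"Component": "Event%", "Name": "SNMP%", "Value": ""})
    return [row["Name"] for row in rows]


if __name__ == "__main__":
    for example in ("aba", "afedpa", "azhgjdhsa", "aa"):
        print("a%a", example, matches("a%a", example))
    print(find_event_logger_snmp_parameters())   # ['SNMP Heartbeat Interval']
```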

Change your List View

The Change View function changes the layout of the list for the current page or window. You can use the Change View function to do the following:
• specify the maximum number of rows that the list shows at a time (page size)
• show or hide columns
• change the order of the columns
• save changes to column widths
• reset a list to the default layout, including column width
• reset a list to the default layout, except for column width changes

Procedure

1. If you want to increase or decrease the width of a column in the list, then move the mouse pointer over the right-side edge of the column header, then click and drag.
2. Repeat the previous step for the other columns in the list, as necessary.
3. Click Change View. The Change View window opens.
4. Use these methods to change the list layout, as necessary:
   • Select or clear the check box for a column to show or hide it.
   • Click the name of a column and use the up or down arrow to change its position in the list. Alternatively, you can drag and drop the column names to reorder them.
5. If you made any changes to the column widths in the current list, then select or clear the Save Column Widths check box, as necessary. If you select the Save Column Widths check box, then the system saves the changes to the column widths and retains them in subsequent sessions. If you clear the Save Column Widths check box, then the system discards the changes to the column widths when the current session ends.
6. Type the number of rows for the list to show at a time into the Page Size field, if it is available. The value must be between 10 and
   Note: The default and recommended value is Using a higher value may have an impact on the performance of the GUI. The more messages that you ask to be displayed on a page, the longer it takes to receive the page in your browser. Changing the Page Size value must be done with care.
7. Click OK. The Change View window closes and the list layout changes accordingly. The system also saves any changes to the column widths, if the Save Column Widths check box is selected.



Reset list layout

Procedure

1. Click Change View. The Change View window opens.
2. If you made any changes to the column widths in the current list, then select or clear the Save Column Widths check box, as necessary. If you select the Save Column Widths check box, then the system saves the changes to the column widths and retains them in subsequent sessions. If you clear the Save Column Widths check box, then the system discards the changes to the column widths when the current session ends.
3. Click Reset and then click OK. The Change View window closes and the system restores the original layout of the list:
   • the default page size
   • the original set of columns in the original sequence
   • the original column widths (if the Save Column Widths check box is cleared)

Choose File

This function enables you to select a file from the user space.

Procedure

1. Click the button next to the corresponding field.
2. Navigate to the parent folder or file that you require.
3. Select the file that you require.
4. Click OK. The Choose File window closes and the file name populates the corresponding field.



Print a Report Directly from the GUI

To print a report directly from an Alliance Gateway GUI, click Print. The behaviour is similar to that of the Export function of the same GUI, with the following differences:
• The output format is always HTML.
• For font size, you can choose either small, medium, or large.
• The Page Orientation and Page Format options do not apply.
• If you select the All check box for a list, all of the entities displayed on the search page are displayed. In the Print window, Print Range is set to Selected items.
• If you select nothing in a list, all of the entities matching the criteria across all results (that is, not limited to the results on the page) are selected. In the Print window, Print Range is set to All items.
• If you select a subset of the entities in the list, only those entities are selected for printing. In the Print window, the Print Range is set to Selected items. However, you can change the selection to All items, which causes all of the entities matching the filters to be printed.
• When the output HTML page is opened in a new tab, the browser print menu is automatically displayed.

Print

The Print function allows you to print the current page or window. You can use the Print function to do the following:
• Print a range of all items or selected items on a page
• Specify a print type of Summary or Details
• Select a font size for the output
• Choose the columns to print
• Designate a content header/footer and search criteria

To print information in the current page or window:
1. Select Print to open a dialog with print settings.
2. Select the appropriate print settings and click OK to print.

Export

The Export function allows you to export the content of a window. This includes the following:
• Export Range
• Export Type
• Output Format
• Page Orientation
• Page Format (A4, US Letter, US Legal)
• Font Size (Small, Medium, Large)
• Add page break (only for Output Format: PDF and Export Type: Detailed)
• Columns (using an "Available" / "Selected" list)
• Sort Order (if offered by the application)
• Content (Header/Footer, Search Criteria)

The output formats provided include:
• PDF
• TXT
• CSV (comma separated values)
• XLS (Excel compliant)

Procedure

1. Select Export in the window.
2. Select the appropriate export settings and click OK to export.

Report Types and Settings

Purpose

The function enables you to run a report about information in the database, and is available:
• in the search or filtering criteria area of a page
• in the button bar of a list
• in the bottom button bar of a page or a window

Output

You can use the function to produce these types of reports:
• Summary report: available only from pages that contain lists of entities, this report type enables you to include the information from at least one or more columns on the page for every entity included in the report.
• Details report: this report type includes all details for every entity included in the report. You can only choose the output format and formatting options.

If available in the search or filtering criteria area of a page, then the corresponding report includes all the entities that the current search or filtering criteria return. In the Export window, checking the "Search Criteria" box will include the current values for search or filtering criteria in the report.



Run a Report (Export)

The Export function enables you to run a report about information in the database.

Procedure

1. If applicable, select the entities in the list that you want to include in the report.
2. Click Export. The Export window opens.
3. If applicable, select the export type.
4. Select the options that you require for the output format and formatting.
5. For summary reports, you can choose the columns for which details should be included in the report from the Available list.
6. Click OK. The File Download window opens and prompts you to open or save the report file.
7. If necessary, click Open to open the report or Save to save the report, as you require. To open the report, you must have a tool installed that reads the corresponding file format: PDF, CSV (only for summary reports), TXT, or XLS. The system opens or saves the report accordingly.


5

Configuration

Configuration Overview

The Configuration application of Alliance Gateway Administration enables you to manage the configuration of the available Alliance Gateway entities. The nodes present in Alliance Gateway Administration provide access to the configuration parameters for the corresponding entities. The licence options of the Alliance Gateway instance and the operating profile of the current operator determine which entity types are available.

Alliance Gateway:

The Alliance Gateway: node contains these entity nodes:
• Licensing Configuration (see Licensing Configuration on page 33)
• Parameters (see Parameters on page 36)
• User Management (see User Management on page 43)
• Event Log (see Event Log on page 93)
• Application Interface (see Application Interface on page )
• SWIFTNet Interface (see SWIFTNet Interface on page )
• MI Channel Support Interface (see MI Channel Support Interface Configuration Parameters on page )
• File Transfer (see File Transfer on page )
• Routing (see Routing on page )

Clicking an entity node opens the corresponding entity page.



Licensing Configuration

Description

The Licensing Configuration page enables you to license or relicense an Alliance Gateway instance. Use either of these methods to enter the licence information:
• Upload a licence file. Procedure: Upload a Licence File on page 35
• Manually enter the values based on licensing details from SWIFT. Procedure: Change Values on page 42

When relicensing an Alliance Gateway instance, the following rules apply:
• Before removing a licence option, you must stop Alliance Gateway.
• When adding a licence option, you do not have to stop Alliance Gateway. However, the licensing change takes effect only after you restart Alliance Gateway.
• Alliance Gateway Administration checks operating profile functions only when an operator logs in. Therefore, operators must log out and log in again to align the operating profile functions with the changed components.


Display

Details

Field: Components
In the Available list: the list of components available.
In the Selected list: the components that you assign to the server.

Field: Destinations
Determines the possible destinations (BIC) for SWIFTNet messaging. One destination per line. Maximum eight characters per destination. The system converts lowercase alphabetic characters to uppercase.

Field: Hardware Platform
Specifies the hardware platform that the Alliance Gateway instance runs on.

Field: Concurrent Users
Determines the maximum number of concurrent user connections. This configuration parameter determines the possible number of concurrent SWIFTNet user connections to Alliance Gateway. The value of this configuration parameter relates to the cumulative number of connections to Alliance Gateway through Alliance Web Platform. The total number of concurrent connections must not exceed the number that the licence agreement that you have with SWIFT specifies. The licence options USERS 1 through USERS determine the total number of concurrent connections permissible. The default value is equal to the value of the USERS licence option. You must restart Alliance Gateway for changes to this parameter to take effect.

Field: Bandwidth
Determines the bandwidth available.

Functions

Function             Description                                                           Availability (View / Edit)
Upload Licence File  Uploads a licence file. Procedure: Upload a Licence File on page 35   Edit

Modify licence information

To change the Licensing Configuration values, see Manage Configuration Parameters on page

Related information

Licensing on page



Upload a Licence File

Procedure

1. Click Upload Licence File. The Upload Licence File window opens.
2. Click Browse. The Choose file window opens.
3. Browse the file system and locate the licence file to use. Select the licence file and click Open. The Choose file window closes and the path name of the selected file appears in the Licence File field of the Upload Licence File window.
4. Click OK. The Upload Licence File window closes and the content of the uploaded licence file populates the fields of the Licensing Configuration page.
5. Click Save. The Initialisation Passwords window opens.
6. Select the Show Clear Text check box to show the passwords as typed, if necessary.
7. Enter the value for the Left Initialisation Password.
8. Enter the value for the Right Initialisation Password.
9. Click OK. The Initialisation Passwords window closes. The system checks the licence details and the passwords provided and informs you if the licensing is successful. If licensing is successful, then the system instructs you to log out of Alliance Gateway Administration and then log in again to refresh your operating profile functions.



Parameters

The Parameters application enables you to view and modify configuration parameters that control the general behaviour of the Alliance Gateway instance.

By default, parameters are listed in alphabetical order by component. View parameters by selecting a specific component from the Component drop-down and clicking the Submit button. To view or edit a parameter, click on the entry in the Parameters list to open a Parameter Details pop-up. To change or reset the value of a configuration parameter, follow the corresponding procedure in Manage Configuration Parameters on page


Functions and details

Function/detail     Description
Filtering Criteria  View parameters by selecting a specific component from the Component drop-down and clicking the Submit button.
Clear               Resets the Component drop-down.
Submit              Displays parameters for the selection in the Component drop-down.
Change View         Allows you to select what is displayed in the Parameters list.
Component           Name of the component in Alliance Gateway. For example, Event Logger.
Name                The name of the parameter. For example, System Log Format.
Value               The parameter value. For example, Original.
Export              See Export on page
Print               See Print on page

Event Logger

Details on Event Logger parameters are available as follows:
• Archive related parameters in Configure Event Archiving on page
• System Log Configuration in Event Structure on page
• SNMP parameters in:
  - SNMP Server Addresses on page 38
  - SNMP Max Event Size on page 38
  - SNMP Heartbeat Interval on page 37

SNMP Heartbeat Interval

Parameter definition

The SNMP Heartbeat Interval configuration parameter determines the interval (in seconds) between the SNMP heartbeats sent by Alliance Gateway to a local alert agent. The heartbeat is sent to any IP address, or host name, and port as defined for the SNMP Manager. For more information, see SNMP Server Addresses on page

Possible values are:
• 0 (no heartbeat is sent)
• a value of to

For changes to this parameter to take effect, you must restart Alliance Gateway.

Default value

The default value is 0. For more information about SNMP heartbeats, see SNMP Heartbeat on page



SNMP Max Event Size

Parameter definition

The SNMP Max Event Size configuration parameter determines whether the system truncates the event information to a maximum SNMP trap field size:
• If set to 0, then no truncation occurs.
• If set to a value of 80 to , then the system truncates the event information to the corresponding size in bytes, as applicable.

Default value

The default value is 0. For more information, see Event Structure on page



SNMP Server Addresses

Parameter definition

The SNMP Server Addresses configuration parameter determines the addresses on which the SNMP Manager listens for events. You must specify the addresses as pairs of values for IP address, or host name, and port number. You may specify an "SNMP community string" for use by a router's or other device's statistics. In the Community Name field, enter a value of maximum 64 US-ASCII printable characters, except ", : \". If no value is provided, then the SNMP community name is set to "public". SNMP version 1 is supported. For changes to the SNMP Server Addresses configuration parameter to take effect, you must restart Alliance Gateway and the Alliance Gateway bootstrap.

Default value

The default value is empty. For more information, see Event Structure on page



File Transfer Interface

See File Transfer Configuration Parameters on page

SWIFTNet Interface

Details on SWIFTNet Interface parameters are available as follows:

• Operator System Configuration Parameters for SWIFTNet Users on page

• SWIFTNet Users on page

• SWIFTNet Interface Configuration on page

• Hardware Security Modules on page

• SNNA Subsystem Management on page

• Event Log Configuration Parameters on page

• Manage Message Partners on page

System

Details on System parameters are available as follows:

• Manage Authentication Server Groups on page 49

• Operator System Configuration Parameters for SWIFTNet Users on page

• Operators on page 86 (for Disable Period)

• Activate Alert Monitoring on page 39

• Enable Requires Additional Operator on page 39

• Ignore Deactivated Subsystems on page 40

• Instance Name on page 40

• Release Level on page 40

• Shutdown on Database Tampering Detection on page 41

Activate Alert Monitoring

Parameter definition

The Activate Alert Monitoring configuration parameter determines whether Alliance Gateway checks for conditions that trigger the creation of alerts. Possible values are:

• Yes

• No

Default value

The default value is Yes. For more information, see Alerts on page

Note: If you set the value to No, then Alliance Gateway removes any existing alerts.

Enable Requires Additional Operator

Parameter definition

The configuration parameter Enable Requires Additional Operator controls whether operators can enable an entity that they added or recently updated. Those entities are of the type operator, operating profile, and virtual SWIFTNet user.

If the parameter is set to:

• Yes, then an operator who added or updated an entity cannot enable that entity unless their operating profile includes the function Allow Unconditional Enable for .

• No, then any operator with the Enable function can enable the entity.

represents operator, operating profile, or virtual SWIFTNet user.

Default value

The default value is No.



Ignore Deactivated Subsystems

Parameter definition

The configuration parameter Ignore Deactivated Subsystems determines whether the overall status of Alliance Gateway considers intentionally deactivated subsystems.

• If set to Yes and one or more subsystems are intentionally deactivated, then the status of Alliance Gateway will be set to started.

• If set to No and one or more subsystems are intentionally deactivated, then the status of Alliance Gateway will be set to partial.

Changing the value of this configuration parameter does not cause Process Control to update the system status immediately. The value is considered in the scope of actions to start Alliance Gateway, activate and deactivate a subsystem, or start and stop a subsystem. For changes to this parameter to take effect, you must restart Alliance Gateway and the Alliance Gateway bootstrap.

Default value

The default value is No. For more information about the status of Alliance Gateway and its subsystems, see Processes on page



Instance Name

This configuration parameter displays the Alliance Gateway instance name and is read-only.

Release Level

This configuration parameter displays the Alliance Gateway release level and is read-only.

Shutdown on Database Tampering Detection

Parameter definition

Shutdown on Database Tampering Detection determines whether Alliance Gateway stops in the event of a database integrity violation:

• If set to Yes, then the system stops Alliance Gateway upon detection of any database integrity violation.

• If set to No, then this behaviour is not enabled.

Default value

The default value of Shutdown on Database Tampering Detection is Yes.



IBM MQ Host Adapter

Configuration parameters are described in Configure Alliance Gateway for IBM MQ on page

MI Channel Support Interface

See MI Channel Support Interface Configuration Parameters on page

Functional Updates List

The Functional Updates List configuration parameter displays the functional updates installed on your Alliance Gateway system. This configuration parameter is present if an update containing functional updates has been installed on your Alliance Gateway system.

Startup Mode

Parameter definition

Startup Mode determines whether Alliance Gateway automatically starts after a system boot and stops before a system shutdown:

• If set to Automatic, then all the allowed Alliance Gateway processes start when the Alliance Gateway bootstrap starts and the system stops them before shutdown.

• If set to Manual, then the Process Controller requires the start command to start the Alliance Gateway processes and the system does not stop them before shutdown.

Default value

The default value of Startup Mode is Manual.

System shutdown behaviour

On shutdown, the system does not wait for all Alliance Gateway processes to stop before it stops, even if Startup Mode is set to Automatic. SWIFT recommends that you use the stop command in the Process Controller to stop Alliance Gateway before a system shutdown. If the system reports that some SWIFTNet Link processes cannot gracefully shut down, then you may ignore these messages.



Manage Configuration Parameters

About this section

This section contains the procedures to modify the configuration parameters that are available in Alliance Gateway Administration.

About configuration parameters

Alliance Gateway Administration enables you to manage the configuration of the available Alliance Gateway entities.

Change Values

Procedure

1. Change the parameter value by using one of the following types of input fields:

• Drop-down: Select the value from the drop-down list.

• Text Field: Type the value required in the field. Typically, a text field is accessed by clicking Add in a Details window. Cancel and Save appear at the bottom of the page.

2. Click Save. The changed value is saved.

Reset Values

Procedure

• Click Reset to Default. The corresponding configuration parameter is reset to the default value.

Add Multiple Values

Multiple values are added when a configuration parameter allows multiple values, such as Add SNMP Server.

Procedure

1. Click Add, located next to the corresponding field. The Add window opens.

2. Enter a value in the field of the Add window.

3. Click Add. The Add window closes and the value appears in the field.

4. Repeat the previous steps, as required.

5. Click Save, located at the bottom of the page. The changes to the configuration parameter are saved.

Edit Multiple Values

Multiple values are edited when a configuration parameter allows multiple values, such as Add SNMP Server.

Procedure

1. Select the value to edit in the corresponding field.

2. Click Edit, located next to the field. The Edit window opens.

3. Edit the value in the field of the Edit window, as required.

4. Click Save, located in the Edit window. The Edit window closes and the modified value appears in the field.

5. Click Save, located at the bottom of the page. The changes to the configuration parameter are saved.

Remove Multiple Values

Multiple values can be removed when a configuration parameter allows multiple values, such as Add SNMP Server.

Procedure

1. Select the values to remove in the corresponding field.

2. Click Remove, located next to the field. The selected values are removed from the field.

3. Click Save, located at the bottom of the page. The changes to the configuration parameter are saved.



User Management

Description

The User Management node enables you to do the following:

• Define authentication servers and LDAP (Lightweight Directory Access Protocol) servers to authenticate the passwords of operational entities in Alliance Gateway.

• Define units to organise the events logged as a consequence of administrative operations and SWIFTNet message flow.

• Create and manage Alliance Gateway operators.

• Create operating profiles to define the scope of administrative control that operators have over functions in Alliance Gateway.

Nodes

Expanding the User Management node reveals these entity nodes:

• Authentication Server Groups (see Authentication Servers on page 47)

• LDAP Server Groups (see LDAP Authentication on page 52)

• Units (see Units on page 61)

• Operating Profiles (see Operating Profiles on page 64)

• Operators (see Operators on page 86)

Passwords Overview

Introduction

Alliance Gateway allows you to manage the passwords of the operational entities that it uses. Alliance Gateway requires passwords for the following operational entities:

• Alliance Gateway operators, including the Alliance Gateway Administrator operator

• SWIFTNet users added in Alliance Gateway, also referred to as virtual SWIFTNet users

• SWIFTNet PKI profiles used in Alliance Gateway, sometimes called real PKI profiles or certificates

Passwords for SWIFTNet PKI profiles used through Alliance Gateway are outside the scope of Alliance Gateway password management, but they must adhere to the minimum requirements for user-defined passwords. For more information, see SWIFTNet PKI profiles on page

Password authentication

Alliance Gateway supports the following types of password authentication:

• Password (user-defined): Alliance Gateway authenticates the user-defined password that a user provides at login. User-defined passwords adhere to the Alliance Gateway password management policy. For more information, see User-Defined Passwords on page

• RADIUS One-time Password: An authentication server authenticates the one-time password that a user provides at login. Only Alliance Gateway operators and virtual SWIFTNet users can use one-time passwords. For more information, see Authentication Servers and One-Time Passwords on page

• LDAP Authentication: A Lightweight Directory Access Protocol (LDAP) server authenticates the user name and password that an operator or a virtual SWIFTNet user provides at login. For more information, see Concept on page

• Password and TOTP: Two-factor authentication uses a temporary passcode to strengthen the authentication process when you log in to an application.

Configuration parameters

Configuration parameters in Alliance Gateway allow fine-tuning of the password management. There are separate sets of configuration parameters to allow establishing different password policies for operators (see Configuration parameters on page 88) and for virtual SWIFTNet users (see Virtual SWIFTNet Users on page ).

SWIFTNet PKI profiles

Alliance Gateway differentiates whether SWIFTNet PKI profiles are used directly to create security contexts. This distinction is significant for password management. A virtual SWIFTNet user added in Alliance Gateway has a different name from the security profile it uses. This approach allows a password to be assigned to each SWIFTNet user mapped to a SWIFTNet PKI profile (which corresponds to the underlying certificate). One or more SWIFTNet users can be mapped to a certificate. The password type attributed to a virtual SWIFTNet user determines the rules that govern that user's password. For more information about certificates and SWIFTNet users, see SWIFTNet Users on page

For more information about passwords for SWIFTNet PKI profiles, see the SWIFTNet PKI Certificate Administration Guide.

Passwords and business applications

The configuration parameter Allow Use of Real SWIFTNet Users determines whether the security context that results from logging in with real PKI profiles can be used for main message flow. See the related considerations explained in the Alliance Gateway Security Guide. If a business application is accessing a SWIFTNet PKI profile through a SWIFTNet user, then ensure that someone is designated to be responsible for the SWIFTNet user password that the business application uses. If user-defined passwords are used, then this person must change the random password the first time it is used. If passwords are checked for expiration, then this person must ensure that the SWIFTNet user password is changed each time the password expires. The configuration parameter Enforce Application Passwords determines whether Alliance Gateway must enforce the use of application passwords for certificates configured in relaxed mode or used through virtual SWIFTNet users.



User-Defined Passwords

User-defined passwords are more familiar to users in the sense that users have the ability to define a password themselves, provided they comply with the characteristics of this password type and with related configuration parameters. For more information about these parameters, see Manage Operators on page 87 and Manage Virtual SWIFTNet Users on page

The following table outlines the characteristics of user-defined passwords. These characteristics are in line with the minimum password requirements for SWIFTNet.

Characteristic: Random password generation
Specifics: When adding an operator or virtual SWIFTNet user, Alliance Gateway generates a random password. Similarly, whenever a password is reset for an operator or a virtual SWIFTNet user, Alliance Gateway generates a random password.

Characteristic: Change at first login
Specifics: Any randomly generated password must be used to log in the first time. After a successful login, the operator or virtual SWIFTNet user is prompted to change the random password. The Administrator operator password defined during installation must also be changed the first time it is used to log in.

Characteristic: Password checking
Specifics: Alliance Gateway checks passwords whenever they are provided: while logging in, when provided with a request, and when provided as a result of a browser time-out.

Characteristic: Password history
Specifics: Alliance Gateway keeps a configurable number of old passwords that cannot be reused when the password must be changed.

Characteristic: Password creation rules
Specifics: Passwords must comply with the following:

• By user type as follows:

  - For SWIFTNet Users, 12 to 64 characters

  - For Operators, 17 to 64 characters or 12 to 64 characters with two-factor authentication (TOTP)

• US-ASCII () characters, including:

  - A - Z

  - a - z

  - 0 - 9

  - ~ ! @ # $ % ^ & * ( ) _ + ` - = { }
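The following Python checker, added here and not part of the guide, applies the password creation rules above by user type and generates a random password that satisfies them (the kind of password the guide says must be changed at first login). It assumes that the characters listed above, whose list is cut off in this copy, are the complete allowed set, and the 24-character default length for generated passwords is an assumption.

```python
"""Added example (not code from the Alliance Gateway guide): checker and
generator for the user-defined password creation rules described above."""
import secrets
import string

MAX_LENGTH = 64
# Characters the guide lists as allowed. Assumption: the guide's list is cut
# off in this copy, so only the characters it shows are treated as allowed.
ALLOWED_SPECIALS = "~!@#$%^&*()_+`-={}"
ALLOWED_CHARS = frozenset(string.ascii_letters + string.digits + ALLOWED_SPECIALS)


def minimum_length(user_type, totp_enabled=False):
    """Minimum length by user type: 12 for SWIFTNet users; 17 for operators,
    or 12 when the operator also uses two-factor authentication (TOTP)."""
    if user_type == "swiftnet_user":
        return 12
    if user_type == "operator":
        return 12 if totp_enabled else 17
    raise ValueError("unknown user type: " + repr(user_type))


def password_problems(password, user_type, totp_enabled=False):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    low = minimum_length(user_type, totp_enabled)
    if not low <= len(password) <= MAX_LENGTH:
        problems.append("length %d is outside %d..%d" % (len(password), low, MAX_LENGTH))
    disallowed = sorted(set(password) - ALLOWED_CHARS)
    if disallowed:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in disallowed))
    return problems


def is_acceptable(password, user_type, totp_enabled=False):
    """True when the password satisfies every creation rule for this user type."""
    return not password_problems(password, user_type, totp_enabled)


def generate_random_password(user_type, totp_enabled=False, length=24):
    """Produce a random password that satisfies the rules, drawing from the
    allowed set with the cryptographic `secrets` module. The 24-character
    default is an assumption; the guide does not state the length it generates."""
    if not minimum_length(user_type, totp_enabled) <= length <= MAX_LENGTH:
        raise ValueError("length does not satisfy the rules for this user type")
    alphabet = sorted(ALLOWED_CHARS)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # constructed sample: 16 characters is too short for an operator without TOTP
    print(password_problems("Tr0ub4dor&3Xyz!!", "operator"))
    print(password_problems("Tr0ub4dor&3Xyz!!", "operator", totp_enabled=True))  # []
```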

Connectivity

SWIFTNet Link Functional Overview

December

Table of Contents

1 Introduction

2 Enhancements and features
  Message and File Copy
  Message and File Distribution
  Enhanced Store-and-Forward Delivery Options
  Session History Report
  Enhanced Traffic Segregation
  Enhanced Error Text
  Easier Reconciliation of Notifications
  General Security Enhancements
  Enhanced HSM Resilience and Security
  Improved HSM Operability
  Enhanced HSM Supportability
  Operational Enhancements

3 Obsolete Functionality
  End of Dial-up Support
  End of Support for previous HSM card reader model

Legal Notices

1 Introduction

SWIFTNet Link

SWIFTNet Link is SWIFT's mandatory software product for customers of SWIFTNet services. SWIFTNet Link provides the minimal functionality for technical interoperability between customers that use SWIFTNet services. SWIFTNet Link is designed to provide the following functionality:

• the necessary minimal functionality to access and use SWIFTNet services over the SWIFT secure IP network

• the technical interoperability at the customer end between the requestor application and the network and between the secure IP network and the responder application.

Purpose of this document

The purpose of this document is to provide a description of the main functional enhancements on SWIFTNet Link as well as the other functionalities that are removed in this release.

2 Enhancements and features

Message and File Copy

SWIFTNet introduces additional copy functionality for InterAct messages and FileAct files exchanged in store-and-forward mode. It also adds more flexibility in terms of determining the copy destination. When the copy feature is used, SWIFT can now automatically copy the entire message or file to a copy destination. It can be used to either simply copy a message or file for information purpose (T-copy), or to make the delivery dependent on approval of a third party that must authorise the message delivery (Y-copy). The service administrator decides on the traffic flows that are copied, and which options are used related to this. Note that the FileAct header-only copy remains available as an option.

Copy for information purpose (T-copy)

In this mode, SWIFT delivers the message or file to the recipient (as usual), and simultaneously provides a copy of the full message or file "for information" to one or more copy destination(s). This can be for example an accounting centre, a head office, a netting system or a regulatory body.

Copy for authorisation purpose (Y-copy)

In this case, SWIFT does not deliver the sender's message immediately to the recipient, but keeps it on hold at SWIFT. SWIFT copies the full message or file to the copy destination that must authorise, or refuse the transaction. If it is authorised, then SWIFT delivers the original message or file to the recipient. If it is refused, then SWIFT does not deliver the message or file, and informs the sender about the refusal.

Note: For messages, this feature only supports full message copy.

Message and File Distribution

SWIFTNet introduces the ability to send a message or file to a distribution list. In this case, the customer sends the message or file only once, together with a distribution list that contains the recipients that need to receive it. Because the sender provides the recipient list, the sender has full control over the list and can change it over time or even use a different one for every exchange. This feature is available only for services that work in store-and-forward mode. The ability to distribute messages or files to recipients who have subscribed to the service also depends on the traffic flows that the service administrator allows for the service.

Note: If the message or file to be distributed is signed (for example when non-repudiation is used), then SWIFT can only deliver it to recipients who have also installed SWIFTNet interface software. Recipients who do not have the required interface software will not receive the signed message or file. Instead, SWIFT will send a failed delivery notification to the sender, for each such receiver in the distribution list. If the message or file distribution request is not signed, SWIFT can deliver it to both 6.x and interfaces.

Enhanced Store-and-Forward Delivery Options

With SWIFTNet , the following new delivery options become available:

Option to receive traffic from one queue on several systems in parallel

This is useful for customers who have several systems that receive traffic and are operational at the same time, as such a setup provides enhanced resilience as well as increased throughput (load balancing). To use this option, customers must configure their queue(s) as "shareable" and use the SWIFTNet interface software. As of that moment, several concurrent sessions on the same queue will be allowed. When SWIFT delivers traffic from a queue and more than one session is open, SWIFT will distribute the traffic in a (roughly) equal manner over the different sessions. If a session is interrupted (for example because one of the receiving systems is not available), then SWIFT will automatically adjust the traffic distribution to the remaining systems. When the system logs in again, it can participate in the traffic distribution again. This option is equivalent to the "shared delivery subsets" feature on FIN.

Ability to specify a traffic subset

When opening a delivery session, it is possible to restrict delivered traffic to "messages only" or "files only". Similarly, there is an option to deliver "urgent only" (or "normal only") traffic. Note that these are "filters" that a messaging interface can specify when opening a session. They do not affect what traffic is routed to which queue, because customers define this routing upfront through their message routing rules.

Availability of delivery notifications as system messages

With SWIFTNet , the delivery notifications and failed delivery notifications become available also in the form of normal system messages. Before this release, they were only available as store-and-forward primitives to developers, and could not be processed in the same way as system messages.

Session History Report

This new feature allows a user to send a request to SWIFT to get a report with an overview of past sessions, with related session details. SWIFT will process this request, retrieve the necessary information and respond by putting the session history report in a queue. When sending the request to SWIFT, it is possible to specify the time frame and the input or output channels as parameters for generating the report. The report lists the session information, including open and close time, number of messages, sequence number range, and other related information. These exchanges are in the form of system messages. SWIFT describes the technical details in the Interface Vendor Specifications for InterAct and FileAct and in the SWIFTNet System Messages volume of the User Handbook.

Enhanced Traffic Segregation

With SWIFTNet , SWIFT provides additional segregation capability to channel InterAct traffic and FileAct traffic separately, over the lines of an Alliance Connect Gold connectivity product. This allows customers to channel for example Browse and InterAct traffic over one line, and FileAct traffic over the other. Alternatively, it allows them to channel Browse and FileAct over one line, and InterAct over the other.

Customers can configure this setup using a new SWIFTNet Link command. They must also update their firewall(s) as mentioned in the Network Access Control Guide.

Note: In this context, FIN traffic follows the same path as InterAct traffic. For more information, see the SWIFTNet Link Operations Guide.

Enhanced Error Text

In SWIFTNet , SWIFT has enhanced (and simplified) the error text or severity for a number of common errors generated by SWIFT's central system. With SWIFTNet , SWIFT enhances the error text (or severity) for a number of remaining error areas, including errors generated by SWIFTNet Link or the HSMs. In particular, the description now makes it easier to identify the root cause of the problem (for example, whether the problem is with the sender or the receiver). To ensure backward compatibility, SWIFT does not provide the new error text by default. Therefore, application developers must explicitly select the new error reporting to benefit from this enhancement. SWIFT expects that in a future release, this new capability will become the default mode. Customers will see the new, simplified error text when they use applications that select the new error reporting mode and that show the SWIFTNet error text to customers.

Easier Reconciliation of Notifications

SWIFTNet introduces the ability to receive the store-and-forward notifications as system messages. These system messages include the same header information that was used for the original message or file. This enhancement will ease the reconciliation as customers can now determine the context of the original message or file directly from the notification, instead of having to find this information through the technical reference. Customers who want to benefit from this enhancement must check with their application developer or interface vendor to ensure that their implementation uses the new approach of using system messages for notifications.

General Security Enhancements

SWIFTNet Link introduces the following security enhancements:

Human password expiry enforcement

With SWIFTNet Link , customers can decide to block certificates that have an expired human password. Once this option is activated, it will not be possible to use these certificates for signing traffic. To be able to use their certificates again, users must first change their password. Users can still change the password of their certificates even if they have already expired. For application passwords, there is no change. If an expired application password is used, SWIFTNet Link will continue to only generate warnings.

Use of Policy OIDs for all certificates

In line with industry best practices, SWIFT will implement a Policy Object Identifier (Policy OID) for each SWIFTNet PKI certificate. Comprehensively using Policy OIDs ensures that non-business certificates can be easily differentiated from each other and that there is a unique and unambiguous relationship between a given certificate and its corresponding Certificate Policy.

SWIFT will assign the appropriate Policy OID to existing non-business certificates such that over time, through their normal renewal process, these certificates will acquire the assigned Policy OID. All new non-business certificates created after the deployment of SWIFTNet will immediately acquire the appropriate Policy OID. There is no change to the Policy OID values of business certificates.

End-to-end signature

SWIFTNet introduces new service attributes that make it possible to mandate the use of an end-to-end signature and to specify the format of the signature (either crypto block or signature list) for all traffic exchanged on a service. SWIFT will centrally check that traffic sent on a service is compliant with the selected service attributes.

Enhanced HSM Resilience and Security

SWIFTNet Link introduces the following HSM box resilience and security enhancements:

Support for additional boxes per cluster

Customers will now be able to configure an HSM cluster with up to four boxes. The HSM cluster will keep certificates up-to-date between the primary box and all the replicas. It will only use two boxes for signing at any time and automatically switch traffic to a replica in case of failure. This feature allows restoring cluster operations without manual intervention when a box becomes unavailable. It also allows spare boxes to be actively connected in the cluster, keeping their configuration up-to-date and ensuring their correct functioning before they are needed. Note that the current network and security requirements that apply between a SWIFTNet Link and an HSM box and between HSM boxes will also apply to the additional boxes. For details on these requirements, see the Network Access Control Guide.

Concurrent use of HSM certificates over multiple SNLs

Currently, customers need to set up distinct certificates for SWIFTNet Links used by an application in multi-active mode. SWIFTNet Link removes this restriction by ensuring that only one SWIFTNet Link can update a certificate at a time. This feature will allow customers to rationalise the number of certificates needed for applications using multi-active SWIFTNet Links. SWIFT recommends changing these certificates or their password only outside of business hours as all systems using these certificates must be updated simultaneously.

Avoid application certificates lock-out due to invalid logins

Customers will be able to optionally configure, on their HSM boxes, a different lock-out policy based on the password length of their certificates. Therefore customers can ensure that application certificates (that is, certificates that are protected by sufficiently long passwords) are not automatically locked out after multiple consecutive invalid login attempts. This feature protects application certificates from denial-of-service attacks within the customer's institution, which could result in service disruption of critical applications such as FIN. SWIFT advises to use this option when application certificate passwords are generated randomly and renewed at least every two years (as recommended in the password policy). The current lock-out policy is unchanged for human certificates whose passwords are short and might be vulnerable to brute force attacks.

Improved power management in HSM box

Currently, the CPU on the HSM box is set to operate at its maximum frequency regardless of the load on the system. The result is greater power consumption than necessary. HSM software version will load and enable CPU governors to give the operating system more control over the power management. This results in a reduction in power consumption and heat generation.

Improved HSM Operability

SWIFTNet Link introduces the following HSM box operability enhancements:

Interfaces can now integrate HSM box commands

Interfaces are now able to provide customers with certain HSM box management commands such as activating an HSM box, initialising a partition or opening a Remote PED session, thereby avoiding the need to use the SWIFTNet Link environment for such commands.

Note: Excessive use of the HSM commands can result in reduced Main Message Flow throughput.

Flexible HSM box identification in a cluster

Customers can now select a unique HSM box identification for a cluster from HSM1 to HSM99, thereby avoiding ambiguous HSM cluster names and profile names. Renaming an existing cluster will require the cluster reconfiguration and re-creation of profiles.

Easier HSM registration for a SWIFTNet Link running on a cluster

Customers running a SWIFTNet Link instance on a cluster platform (with two hosts in active/standby mode sharing disks) will be able to register their HSM boxes by updating the SWIFTNet Link on the active host only. They will no longer have to repeat the HSM registration after switching the SWIFTNet Link instance over to the standby host.

Enhanced HSM Supportability

SWIFT introduces the following HSM box supportability enhancements as of SWIFTNet

Ability to monitor SSL certificate validity

A new option has been introduced to the existing SWIFTNet Link command (perl sprers.eu) which allows customers to query their SSL certificate creation dates. This allows customers to monitor and plan timely renewals of these certificates.

Ability to synchronise the HSM box clock with the SNL clock

Currently, customers can use a SWIFTNet Link command (perl sprers.eu) to change the date and time of their HSM box to a new specified value. This command has been enhanced to allow customers to use the SWIFTNet Link host date and time to set the HSM box date and time. This will simplify problem investigation as events can be more easily correlated between logs.

Improved HSM box logs

The HSM logs contain more concise log entries for SwHSM commands.

9 Ability to enable regular backup of HSM box database A new SWIFTNet Link command (perl sprers.eu) allows customers to enable backup of the HSM box database, list the existing backup files of an HSM box, and restore a backup file to the HSM box. Backups of up to 15 days will be stored on the HSM. Any changes performed after the backup will be lost as a result of this restore. Improved HSM box IP address change procedure SWIFTNet Link introduces a new SWIFTNet Link command (perl sprers.eu) to ease the procedure for changing the IP address of an HSM box. For more information, see the Hardware Security Module Operations Guide Operational Enhancements Silent installation framework SWIFTNet Link introduces a new installation framework to ease the installation (or upgrade) of SWIFTNet Link. This can provide significant time savings and reduce operational risk, particularly for customers with a large number of SWIFTNet Link instances. In addition to the existing GUI-based installation framework, SWIFT provides the ability to use a command-line installation based on an input parameter file prepared in advance for easy execution by operators. This approach can reduce the installation time, allows unattended installations of multiple instances, avoids manual errors, and increases the auditability of the actions performed in production environments. The use of an input parameter file also avoids user interaction during the installation process. Operations managers can prepare the parameter files for the different SWIFTNet Links in advance so that the actual software installation can be scripted or carried out potentially by other parts of the organisation. This provides further segregation of duties if required. In addition, this new installation method no longer requires the use of an X-terminal. For some customers, this represented a security concern, and for others implied some performance issues when executed remotely. 
The interactive, GUI-based installation remains available as an alternative.

Self-managed SNL certificate

Each SWIFTNet Link system has its own instance certificate, which is used to secure the messaging layer and allows SWIFT to authenticate the customer's SWIFTNet Link system. This certificate is created during the SWIFTNet Link installation. In previous releases, the user assigned a password which needed to be kept for later use (for example, in case of re-installation). With SWIFTNet Link , this certificate is fully managed by SWIFTNet Link at installation and during future upgrades. The user no longer needs to manage the password of this certificate.

Avoid timeout due to multiple security profile renewals

When multiple security profiles in their renewal period are opened at the same time (e.g. by the communication interface, such as Alliance Gateway), the renewal operation can take more than one minute per profile. The serialisation of these operations may take time and subsequently generate time-outs at the level of the messaging interface. SWIFTNet Link controls the number of profiles that can be renewed at the same time. If a dedicated threshold is reached, remaining renewals will be postponed for later login. Manual renewal of a certificate can still be triggered using the CertInfo command.

Ability to identify outdated HSM certificates

A new option has been introduced to the existing SWIFTNet Link Certlist command which allows customers to identify outdated certificates stored on their HSM. It will retrieve the details of the certificate stored on the HSM and compare them with the details of the latest certificate available in the SWIFTNet Directory.

3 Obsolete Functionality

The following functionality is suppressed or replaced in this release of Alliance Gateway.

End of Dial-up Support

As of SWIFTNet Link , SWIFT discontinues the dial-up technology and has therefore not qualified SWIFTNet Link with the dial-up connectivity product. Consequently, dial-up technology is no longer supported on release

What is the impact for Prime Dial customers?

In order to benefit from the new features and enhancements introduced with SWIFTNet , customers using dial-up as their prime connectivity must first upgrade their network connectivity to one of the Alliance Connect products before upgrading their SWIFTNet software to release Customers using Dual-I with a dial-up back-up line are however not impacted and can safely implement SWIFTNet as soon as it becomes available.

What is the standard upgrade scenario for Prime Dial customers?

SWIFT recommends that Prime Dial customers choose Alliance Connect Bronze as a replacement option for their network connection. For more information about Alliance Connect, see the connectivity pages on

End of Support for previous HSM card reader model

SWIFTNet Link does not support the HSM card reader model (Reflex USB from Gemalto) that was supported on SWIFTNet Link 6.x versions. A new hardware model (PC USB-SW Reader from Gemalto) is introduced with SWIFTNet Link replacing the old one. Customers using the HSM card reader need to switch to the new model when installing SWIFTNet Link release The HSM cards used with the previous HSM card reader model can be used transparently with the new HSM card reader model.

Legal Notices

Copyright: SWIFT. All rights reserved. You may copy this publication within your organisation. Any such copy must include these legal notices.

Confidentiality: This publication may contain SWIFT or third-party confidential information. Do not disclose this publication outside your organisation without the prior written consent of SWIFT.

Disclaimer: SWIFT supplies this publication for information purposes only. The information in this publication may change from time to time. You must always refer to the latest available version on

Translations: The English version of SWIFT documentation is the only official version.

Trademarks: SWIFT is the trade name of S.W.I.F.T. SCRL. The following are registered trademarks of SWIFT: SWIFT, the SWIFT logo, 3SKey, Innotribe, Sibos, SWIFTNet, SWIFTReady, and Accord. Other product, service, or company names in this publication are trade names, trademarks, or registered trademarks of their respective owners.

What Is SWIFTNet?


As a general purpose, industry-standard solution for the financial industry, SWIFTNet provides an application-independent, single window interface to all the connected applications of all the institutions participating in the global financial community. Actual access is controlled by the business policy decisions of each Service Administrator, not by the technical limitations of the infrastructure.

SWIFTNet provides a basis for assuring business continuity and disaster recovery for the infrastructure of mission-critical financial applications that cross institutional boundaries. SWIFTNet is designed to satisfy institutional community requirements for interoperability of mission-critical financial software solutions.

To interconnected business applications, SWIFTNet provides the following:

  • Assurance of infrastructure reliability

  • Availability

  • Role-based and non-role-based access control

  • Correspondent and message authentication

  • Message integrity

  • Confidentiality

  • Non-repudiation support

  • Message validation

  • Store-and-forward

SWIFTNet uses SWIFTNet Link (SNL) as the application programming interface to the SWIFTNet services, and uses the SWIFTAlliance Gateway for connectivity and usability. Read more about these resources in this topic.

SWIFTNet Link overview

Business software applications use the SWIFTNet Link (SNL) application programming interface (API) to access and use SWIFTNet services. The SNL is the mandatory network interface to SWIFTNet. SWIFTNet requires SNL for all external interfaces. The SNL also includes background processes that support messaging, security, and service management functions. The SNL is incorporated into SWIFTAlliance WebStation and SWIFTAlliance Gateway (SAG).

SNL establishes a loosely coupled client/server relationship between business application components. Instead of directly invoking methods or functions, the interaction is message-oriented: structured messages are passed between client and server. A business application designed for SWIFTNet services generally consists of a set of clients and servers. The same client or the same server process can be started multiple times. Note that you cannot predict to which process instance of the same application an incoming message request will be delivered. Multiple threads within a client process can invoke the SwCall API function. A server process can have multiple threads as well; however, only one thread can invoke SwCallback. Client and server processes cannot be combined in the same process.

SNL provides a set of transport-level features designed for high availability and high throughput environments. These features include:

  • Load balancing

  • Location transparency and routing, shielding application components from the underlying transport technology

  • Transport-level authentication and confidentiality, packaged within SNL and provided transparently to the application

  • Security functions by which business application software may establish end-to-end security (user application to user application), when required.

In terms of programming at the source code level using C++ or Java, there are only two functions: SwCall and SwCallback. SwCall is used by client applications to access server applications through SWIFTNet. SwCallback is used by server applications to respond to clients through SWIFTNet.

The SwCall and SwCallback functions access the functionality of SWIFTNet by passing structured XML messages to and from SWIFTNet. At run-time, SNL includes both software libraries — the code of which executes within the same address space as business application client or server processes — and independent processes (daemons or services), which run in their own address spaces. The software libraries are accessible through the SNL APIs.

SWIFTAlliance Gateway overview

The SWIFTAlliance Gateway (SAG) is an interface product for SWIFTNet. It incorporates all the functionality of the SWIFTNet Link. Additionally, it provides several different connectivity and usability features for SWIFTNet users, providing solutions to a variety of system integration problems.

The SAG supports several different modes of operation. One of these, the strict SWIFTNet Link Mode, is particularly relevant to the FileAct and InterAct adapters for SWIFT. In strict SWIFTNet Link Mode, the SAG presents a messaging interface that is functionally equivalent to the SWIFTNet Link interface as it is described throughout these topics.

The SAG serves as a message concentrator. It receives messages from various other applications and passes them through SWIFTNet. It receives these messages through host adapters, including a WebSphere MQ host adapter, which enables business applications running on a variety of different types of computing platforms to pass messages through SWIFTNet.

Next reading

What Is the FileAct Adapter?
What Is the InterAct Adapter?
BizTalk FileAct and InterAct Adapters End-to-End Tutorial

See also

Understanding FileAct and InterAct Adapter Architecture

[ ] \ : " ; ' < > ? , . /

  • At least one upper case and one lower case letter.

  • At least one numeric character.

  • At least one special character.

  • The number of occurrences of the same character in the password must be equal to or less than half the number of characters in the password, minus one. For example, if the password is 15 characters long, then there can be no more than six occurrences of the same character.

  • The value supplied for a password cannot be the same as the operator name or SWIFTNet user name.


Alliance Gateway Administration and Operations Guide

Configuration



Authentication Servers



Authentication Servers and One-Time Passwords

Description

As an alternative to user-defined passwords, you can configure Alliance Gateway operators and virtual SWIFTNet users to log in with a one-time password, a generated password that is used for one session only. Alliance Gateway uses an authentication server to authenticate the one-time password that an operator or a virtual SWIFTNet user provides at login.

One-time password overview

[Figure: one-time password overview. The user logs in through the user interface; the Alliance Gateway server sends a query to the one-time password directory and receives a response.]

A one-time password is generated by a hardware token, a physical device kept by the operator that generates one-time passwords, and is validated by a separate authentication server with which Alliance Gateway communicates. To be authenticated, the user must provide a user name and the one-time password generated by the hardware token. Alliance Gateway forwards the authentication request to the authentication server, which either authenticates or rejects the password.

Prerequisites

To use the one-time password functionality, you must do the following:

  • Provide and deploy the authentication server. This server must comply with the RADIUS protocol (RFC ) except for the Challenge-Response feature.

  • In Alliance Gateway:

    - Configure an authentication server group with at least one authentication server. For more information, see Manage Authentication Server Groups on page

    - Configure the Alliance Gateway operators and virtual SWIFTNet users to use the one-time password authentication method. For operators, see Manage Operators on page For virtual SWIFTNet users, see Manage Virtual SWIFTNet Users on page

  • Configure the Alliance Gateway operators and virtual SWIFTNet users within the authentication server. This is outside the scope of Alliance Gateway.

  • Provide the password hardware tokens to the users.

Startup

The connectivity to the authentication server is established during the startup of the sag_bootstrap. This connection must remain available, independent of the Alliance Gateway status (started or stopped). An event is logged if it is not possible to connect to the authentication server.

25 August


Communication protocol

Alliance Gateway communicates with the authentication server by using the standard RADIUS protocol features:

  • Access-Request

  • Access-Accept

  • Access-Reject

The Challenge-Response authentication feature of RADIUS is not supported.

Sharing hardware tokens

If multiple Alliance Gateway instances define the same user names which all use one-time passwords that the same authentication server authenticates, then the users must share the same hardware token. This may occur for example when the database configuration is replicated many times. An operator or a virtual SWIFTNet user can log in to an Alliance Gateway instance from one location at a time only. If the same operator or virtual SWIFTNet user logs in from another location, then Alliance Gateway logs out the operator or virtual SWIFTNet user from the first login.

Bilateral key requirements

The bilateral secret key used by the RADIUS protocol is composed of 32 characters and must be identically configured on Alliance Gateway as on the authentication server. This length is enforced by Alliance Gateway. Each half of the key (16 characters) is composed of the printable characters (US-ASCII characters 32 to included) and must comply with the following password complexity rules:

  • The key must contain at least one upper case and one lower case alphabetic character.

  • The key must contain at least one number.

  • Any character cannot be repeated more than half of the length minus one.
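The password complexity rules listed earlier in this guide and the rules for the two halves of the RADIUS shared secret above follow the same shape (mixed case, a digit, a cap on how often one character may repeat), so one validator covers both. The following is an added example, not SWIFT's or Alliance Gateway's code. It assumes that printable US-ASCII ends at character 126 (the page elides the upper bound; 127 is DEL), that "the length" in the key-half repetition rule is the half's own 16 characters, and that "special character" means any printable non-alphanumeric character other than space, which covers the characters visible on the page. The function names check_password, check_key_half and check_shared_key are the example's own.

```python
"""Added example (not SWIFT's or Alliance Gateway's code): validators for the
password complexity rules and for the two 16-character halves of the 32-character
RADIUS shared secret.

Assumptions, labelled because the page elides the values:
  * printable US-ASCII is taken as characters 32 to 126 (127 is DEL);
  * in the repetition rule for a key half, "the length" is the half's 16 chars;
  * "special character" means any printable non-alphanumeric character other
    than space, which covers the list visible on the page.
"""
from collections import Counter

PRINTABLE = {chr(c) for c in range(32, 127)}
SPECIAL = {c for c in PRINTABLE if not c.isalnum() and c != " "}
KEY_HALF_LENGTH = 16


def max_repeats(length: int) -> int:
    """Most occurrences of one character that the rule tolerates:
    half the length, minus one (15 characters -> 6, 16 characters -> 7)."""
    return length // 2 - 1


def most_common_count(text: str) -> int:
    """Occurrences of the character that appears most often (0 for empty text)."""
    return max(Counter(text).values()) if text else 0


def has_mixed_case(text: str) -> bool:
    return any(c.isupper() for c in text) and any(c.islower() for c in text)


def check_password(password: str, operator_name: str, swiftnet_user_name: str = "") -> list:
    """Violated password rules; an empty list means the password is acceptable."""
    problems = []
    if not has_mixed_case(password):
        problems.append("needs at least one upper case and one lower case letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one numeric character")
    if not any(c in SPECIAL for c in password):
        problems.append("needs at least one special character")
    limit = max_repeats(len(password))
    if most_common_count(password) > limit:
        problems.append(f"a character occurs more than {limit} times")
    if password and password in (operator_name, swiftnet_user_name):
        problems.append("must not equal the operator name or SWIFTNet user name")
    return problems


def check_key_half(half: str) -> list:
    """Violated rules for one 16-character half of the shared secret."""
    problems = []
    if len(half) != KEY_HALF_LENGTH:
        problems.append(f"must be exactly {KEY_HALF_LENGTH} characters")
    if any(c not in PRINTABLE for c in half):
        problems.append("must contain only printable US-ASCII characters")
    if not has_mixed_case(half):
        problems.append("needs at least one upper case and one lower case letter")
    if not any(c.isdigit() for c in half):
        problems.append("needs at least one number")
    limit = max_repeats(KEY_HALF_LENGTH)
    if most_common_count(half) > limit:
        problems.append(f"a character is repeated more than {limit} times")
    return problems


def check_shared_key(left: str, right: str) -> list:
    """4-eyes split: each operator supplies one half, and both halves must pass.
    The combined 32-character key must be configured identically on the server."""
    return ([f"left half: {p}" for p in check_key_half(left)]
            + [f"right half: {p}" for p in check_key_half(right)])
```

Because each operator only ever sees one half, check_key_half is what each of the two operators would run on their own input; check_shared_key is the view of the enabling operator, who sees only that both halves passed, not their contents.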

4-eyes principle requirements

To implement the 4-eyes principle in the authentication server configuration, the following segregation of roles is defined:

  • Two operators enter the secret keys (for the primary and secondary server), each of them responsible for half of the length of the key.

  • Different operating profiles allow operators to modify or enable the authentication configuration data. Typically one operator can only perform the modifications, while another can only enable them.

Two authentication servers

If Alliance Gateway sends a request to the primary server of an authentication server group and no response is received within 30 seconds, then Alliance Gateway tries the same request with the secondary server of that authentication server group, if configured. If, after another 30 seconds, Alliance Gateway has not received any response from the secondary server, then the request is rejected and an event is logged to indicate that authentication failed. If Alliance Gateway receives a response from the secondary server, then the request is processed and an event is logged to indicate that Alliance Gateway switched to the secondary authentication server.
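The failover rule above has one subtlety worth seeing in code: only silence triggers the switch to the secondary server, and an Access-Reject from the primary is a definitive answer. The following added example (not SWIFT's or Alliance Gateway's code) models that behaviour with the RADIUS transport injected, so it runs offline; the 30-second wait per server is from the page, while the host names, the event wording and the names ServerGroup, authenticate and scripted_sender are assumptions. Access-Challenge is not supported by the gateway, and the example treats any reply other than Access-Accept as a rejection.

```python
"""Added example (not SWIFT's or Alliance Gateway's code): the primary/secondary
failover logic described above, with the RADIUS transport injected so that it
runs offline. `send(host, timeout_s)` is supplied by the caller and returns
"Access-Accept", "Access-Reject", or None when nothing arrives within the
timeout. The 30-second wait per server comes from the page; host names, event
wording and the names ServerGroup/authenticate/scripted_sender are assumptions.
Access-Challenge is unsupported here and counts as a rejection."""
from dataclasses import dataclass, field
from typing import Callable, Optional

RESPONSE_TIMEOUT_S = 30   # wait per server before giving up on it


@dataclass
class ServerGroup:
    name: str
    primary: str
    secondary: Optional[str] = None   # a secondary server is optional


@dataclass
class AuthResult:
    accepted: bool = False
    waited_s: int = 0                 # time spent waiting on silent servers
    events: list = field(default_factory=list)   # what the operator sees logged


Sender = Callable[[str, int], Optional[str]]


def authenticate(group: ServerGroup, send: Sender) -> AuthResult:
    """Try the primary; if it stays silent for 30 s try the secondary (when one
    is configured); if that is silent too, reject and log the failure. A reply
    of any kind from the primary ends the attempt: only silence fails over."""
    result = AuthResult()
    reply = send(group.primary, RESPONSE_TIMEOUT_S)
    if reply is None:
        result.waited_s += RESPONSE_TIMEOUT_S
        if group.secondary:
            reply = send(group.secondary, RESPONSE_TIMEOUT_S)
            if reply is None:
                result.waited_s += RESPONSE_TIMEOUT_S
            else:
                result.events.append(
                    f"switched to secondary authentication server {group.secondary}")
    if reply is None:
        result.events.append(f"authentication failed: no response from group {group.name}")
        return result
    result.accepted = (reply == "Access-Accept")
    if not result.accepted:
        result.events.append("authentication rejected by server")
    return result


def scripted_sender(replies: dict) -> Sender:
    """Constructed stand-in for the network: host -> reply; a host that is
    missing from the table behaves like one that never answers."""
    def send(host: str, timeout_s: int) -> Optional[str]:
        return replies.get(host)
    return send


if __name__ == "__main__":
    group = ServerGroup("otp-group", "radius1.example.test", "radius2.example.test")
    outcome = authenticate(group, scripted_sender({"radius2.example.test": "Access-Accept"}))
    print(outcome)
```

The waited_s field makes the worst case visible: a group whose two servers are both unreachable holds the login for 60 seconds before the failure event is logged, which is the delay an operator should expect to see at the user interface.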


Recommendations

SWIFT recommends the following:

  • The shared secret keys must be changed every two years. To help managing these keys, Alliance Gateway verifies at each startup and every day at if one of the shared secret keys has expired or is going to expire within the next 30 days. If so, then a warning security event is generated. The application is still able to work with the one-time password authentication servers.

  • As appropriate, an implementation of network access control (firewalls, ACLs) or segregation of message flow (main and management flow) must be considered.

  • If the authentication server is unavailable or the hardware token is not functioning properly, then the account is not able to log in to Alliance Gateway. It is therefore recommended to have appropriate emergency backup user accounts.

Manage Authentication Server Groups

Description

The Configuration > User Management > Authentication Server Groups page enables you to manage authentication server groups and authentication servers. The Authentication Server Groups page contains these elements:

  • A configuration parameter that allows overriding some parameters used by Alliance Gateway to communicate with RADIUS servers. See Configuration parameter on page 50.

  • A function that allows you to manage the configuration parameter. See Configuration parameter function on page 50.

  • Details of the available authentication server groups. See Details on page 50.

  • Functions that allow you to manage the authentication server groups. See Functions on page 52.

For conceptual information about authentication servers, see Authentication Servers and One-Time Passwords on page


Configuration parameter

  RADIUS Parameters: Allows overriding some parameters used by Alliance Gateway to communicate with RADIUS servers. This parameter must only be changed in exceptional circumstances. For more information, see Knowledge base tip Default value: empty.

Configuration parameter function

  Reset to Default: Resets the RADIUS Parameters configuration parameter to the default value. Procedure: Reset Values on page 42.

Details

  Authentication Server Groups page: see General on page 50.

  Authentication Server Group Details window:
    - General tab: see General on page 50.
    - Primary Server tab: see Primary / Secondary Server on page 51.
    - Secondary Server tab: see Primary / Secondary Server on page 51.

General

Availability: Page view (1), Windows Add, Windows Edit. (1) Only displays the values, does not allow you to modify them.

  Server Group Name: The name of the authentication server group. This name must be unique. It is not allowed to use the same name for:
    - two authentication server groups
    - an authentication server group and an LDAP server group

  Description: A description of the authentication server group.

  Status: Indicates the current status of the authentication server group. To modify the settings of an authentication server group or of the server(s) of that group, the status must be set to Disabled. It must then be set to Enabled for the changes to take effect. If an authentication server group is disabled, then neither the primary server nor the secondary server in that group can respond to authentication requests.

Primary / Secondary Server

Availability: Page view (1), Windows Add, Windows Edit. (1) Only displays the values, does not allow you to modify them.

  Host Address: The host name or IP address of the authentication server.

  Key Left / Key Right: The left / right part of the authentication key. Both the left and right parts of the authentication key must meet these criteria:
    - exactly 16 US-ASCII printable characters (characters 32 to ) long
    - contains at least one upper case and one lower case alphabetic character
    - contains at least one number
    - characters are not repeated within half of the length minus one

  Show Clear Text: Determines whether the system displays the authentication keys. By default, the system does not display the authentication keys. This is to help prevent unauthorised users reading the authentication key information "over your shoulder".

  Port Number: The port number on which authentication requests are sent on the host name or IP address. The port number must be in the range of to

  Local Port Number: The local port number used by Alliance Gateway to send authentication requests and to receive authentication responses. If there is a firewall between Alliance Gateway and the authentication server, then this local port number must be left open on the firewall.

Functions

Availability: Page view, Windows Add, Windows Edit.

  Add: Enables you to add an authentication server group.

  Delete: Deletes a disabled authentication server group.

  Enable: Enables a disabled authentication server group.

  Disable: Disables an enabled authentication server group. If an authentication server group is disabled, then neither the primary server nor the secondary server in that group can respond to authentication requests.

Edit authentication server group details

To edit the authentication server group details, change the details in the corresponding fields then click Save.

Related information

Authentication Servers and One-Time Passwords on page 47



LDAP Authentication



Concept

Introduction

Lightweight Directory Access Protocol (LDAP) allows the use of user directories that already exist within an institution to control access to a range of Alliance products. Institutions can use LDAP directories to authenticate the credentials (user name and password) of the users defined in those Alliance products.

Note: Alliance Gateway operators and virtual SWIFTNet users can be configured to use LDAP authentication. An operator or a virtual SWIFTNet user can log in to an Alliance Gateway instance from one location at a time only. If the same operator or virtual SWIFTNet user logs in from another location, then Alliance Gateway logs out the operator or virtual SWIFTNet user from the first login.

You can configure connections to maximum two LDAP servers (a primary and a secondary) per LDAP server group for resiliency purposes. An automatic failover mechanism switches between LDAP servers in the event of unavailability.

LDAP overview

[Figure: LDAP overview. The user logs in through the user interface; the Alliance Gateway server sends a query to the LDAP directory and receives a response.]

LDAP authentication process

LDAP is used to authenticate the operator or virtual SWIFTNet user, by verification of the user name and password. An Alliance Gateway Administrator creates users on the Alliance Gateway server, but can map the users to an LDAP identifier to use for verification of the credentials. The Alliance Gateway Administrator assigns profiles and units to the users on the Alliance Gateway server. The LDAP authentication process is as follows:

1. A user logs in to a user interface (a GUI application running in Alliance Web Platform) as an Alliance Gateway operator or a virtual SWIFTNet user that uses LDAP authentication.

2. The Alliance Gateway server receives the login request and checks whether the user is authenticated locally, through a one-time password, or through LDAP authentication.

3. If the user is authenticated through LDAP, then the user name is mapped to an LDAP identifier.

   Note: External Identifier is an optional field for operators and virtual SWIFTNet users. If this field is empty, then the user name is used instead to check the user credentials.

4. The Alliance Gateway server sends the LDAP identifier and password to the LDAP server.

5. The LDAP server attempts to authenticate the user.

6. If the LDAP server successfully authenticates the user, then the Alliance Gateway server receives confirmation.

7. The user can use the permissions assigned in Alliance Gateway to log in.
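The seven steps above, as an added example that is not SWIFT's or Alliance Gateway's code. Directory access is injected so the flow runs offline: it covers step 2 (is this user an LDAP user at all?), step 3 and its Note (External Identifier, falling back to the user name), the lookup of the user's entry under the configured User DN, User Object Class and User Name Attribute (fields described later in this section), and steps 4 to 6 (a bind with the user's password). The defensive point it adds is that the identifier is escaped per RFC 4515 before it is placed in the search filter, so a login name cannot alter the filter's structure. The attribute names, the in-memory directory and the names LdapGroupConfig, GatewayUser and ldap_login are assumptions.

```python
"""Added example (not SWIFT's or Alliance Gateway's code): the seven-step LDAP
login flow, with directory access injected so it runs offline. It covers step 2
(is this an LDAP user?), step 3 and its Note (External Identifier, falling back
to the user name), the lookup under the configured User DN / User Object Class /
User Name Attribute, and steps 4 to 6 (bind with the user's password).
Attribute names, the in-memory directory, and the names LdapGroupConfig,
GatewayUser and ldap_login are assumptions; the filter escaping is RFC 4515."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class LdapGroupConfig:
    user_dn: str                       # entry point, root of the user sub-tree
    user_name_attribute: str = "uid"   # attribute that holds the login name
    user_object_class: str = ""        # optional: only user nodes match when set


@dataclass
class GatewayUser:
    name: str
    auth_method: str                   # "local", "otp" or "ldap"
    external_identifier: str = ""      # optional; empty means use the user name


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_filter(cfg: LdapGroupConfig, identifier: str) -> str:
    name_clause = f"({cfg.user_name_attribute}={escape_filter_value(identifier)})"
    if cfg.user_object_class:
        return f"(&(objectClass={escape_filter_value(cfg.user_object_class)}){name_clause})"
    return name_clause


# Directory access is injected: search(base_dn, ldap_filter) -> entry DN or None;
# bind(entry_dn, password) -> True when the directory accepts the credentials.
Search = Callable[[str, str], Optional[str]]
Bind = Callable[[str, str], bool]


def ldap_login(user: GatewayUser, password: str, cfg: LdapGroupConfig,
               search: Search, bind: Bind) -> tuple:
    """Return (authenticated, detail). Profiles and units stay in Alliance
    Gateway: the directory only answers whether the credentials are valid."""
    if user.auth_method != "ldap":                        # step 2
        return False, "user is not configured for LDAP authentication"
    identifier = user.external_identifier or user.name    # step 3 and its Note
    entry_dn = search(cfg.user_dn, build_filter(cfg, identifier))
    if entry_dn is None:
        return False, "no directory entry for identifier"
    if not bind(entry_dn, password):                      # steps 4 to 6
        return False, "directory rejected the credentials"
    return True, entry_dn                                  # step 7 follows in Gateway


# Constructed in-memory directory standing in for the LDAP server.
DIRECTORY = {
    "uid=jdoe,ou=people,dc=example,dc=test":
        {"objectClass": "inetOrgPerson", "uid": "jdoe", "password": "S3cret!"},
}


def fake_search(base_dn: str, ldap_filter: str) -> Optional[str]:
    """Matches an exact, already-escaped uid clause under the base DN."""
    for dn, attrs in DIRECTORY.items():
        in_scope = dn.endswith(base_dn)
        name_ok = f"(uid={escape_filter_value(attrs['uid'])})" in ldap_filter
        class_ok = ("objectClass=" not in ldap_filter
                    or f"(objectClass={attrs['objectClass']})" in ldap_filter)
        if in_scope and name_ok and class_ok:
            return dn
    return None


def fake_bind(entry_dn: str, password: str) -> bool:
    return entry_dn in DIRECTORY and DIRECTORY[entry_dn]["password"] == password
```

Against a real server the two injected callables would be a search bound with the Connect DN and Connect Password (or anonymously, where the directory allows it) followed by a bind as the found entry; the separation keeps the gateway's service credential and the user's password on different connections.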


Manage LDAP Server Groups

Description

The Configuration > User Management > LDAP Server Groups page enables you to manage LDAP (Lightweight Directory Access Protocol) server groups and LDAP servers. The LDAP Server Groups page contains these elements:

  • Details of the available LDAP server groups. See Details on page 54.

  • Functions that allow you to manage the LDAP server groups. See Functions on page 57.

For conceptual information about LDAP servers, see Concept on page

Details

  LDAP Server Groups page: see General on page 55.

  LDAP Server Group Details window:
    - General tab: see General on page 55.
    - Primary Server tab: see Primary / Secondary Server on page 55.
    - Secondary Server tab: see Primary / Secondary Server on page 55.


General

Availability: Page view (1), Windows Add, Windows Edit. (1) Only displays the values, does not allow you to modify them.

  Server Group Name: The name of the LDAP server group. Maximum 20 characters. The following characters are allowed:
    - a-z
    - A-Z
    - _-:
    This name must be unique. It is not allowed to use the same name for:
    - two LDAP server groups
    - an LDAP server group and an authentication server group

  Description: A description of the LDAP server group. Maximum US-ASCII printable characters

  Status: Indicates the current status of the LDAP server group. To modify the settings of an LDAP server group or of the server(s) of that group, the status must be set to Disabled. It must then be set to Enabled for the changes to take effect. If an LDAP server group is disabled, then neither the primary server nor the secondary server in that group can respond to authentication requests.

Primary / Secondary Server

Availability: Page view (1), Windows Add, Windows Edit. (1) Only displays the values, does not allow you to modify them.

  Host Address: The host name or IP address of the LDAP server. Maximum US-ASCII printable characters

  Connection Security: Determines whether Alliance Gateway must use TLS to secure the connection to the LDAP server.

  Port Number: The local port number used by Alliance Gateway to communicate with the LDAP server. If not defined, then Alliance Gateway uses either of these default LDAP ports:
    - when Connection Security is not selected
    - when Connection Security is selected

  Connect DN: The user DN used by Alliance Gateway to connect to the LDAP server to retrieve user profile information about users that log in to the system. Optional. The LDAP server may support anonymous access. Maximum US-ASCII printable characters

  Configure Connect Password: Determines whether you configure the connect password.

  Connect Password: The user password that Alliance Gateway uses with the Connect DN to connect to the LDAP server to retrieve user profile information about users that log in to the system. Optional. The LDAP server may support anonymous access. Maximum US-ASCII printable characters

  Confirm Connect Password: Confirmation of the connect password.

  User DN: The DN of the entry point in the user directory. This entry point corresponds with the root of the sub-tree where user nodes are defined. Maximum US-ASCII printable characters

  User Object Class: The class of the user nodes within the directory. Optional. Useful in case there are not only user nodes in the directory. Maximum 32 characters. The following characters are allowed:
    - a-z
    - A-Z
    - -

  User Name Attribute: The name of the attribute that contains the user name. Maximum 32 characters. The following characters are allowed:
    - a-z
    - A-Z
    - -

Functions

Availability: Page view, Windows Add, Windows Edit.

  Add: Enables you to add an LDAP server group. You can define as many LDAP server groups as you want.

  Delete: Deletes a disabled LDAP server.

  Enable: Enables a disabled LDAP server.

  Disable: Disables an enabled LDAP server. If an LDAP server group is disabled, then neither the primary server nor the secondary server in that group can respond to authentication requests.


Edit LDAP server group details

To edit the LDAP server group details, change the details in the corresponding fields then click Save.

Related information

Concept on page 52

Secure an LDAP Connection

You can use TLS to secure the connection to an LDAP authentication server. The LDAP server must have TLS support enabled. The TLS certificate installed on the LDAP server can be either a self-signed certificate or a certificate signed by a Certification Authority. The keystore that LDAP uses on Alliance Gateway must trust either the self-signed TLS certificate or the Certification Authority certificate. To implement this, perform the applicable procedure:

  • Secure an LDAP Connection on Windows on page 58

  • Secure an LDAP Connection on AIX on page 59

  • Secure an LDAP Connection on Oracle Solaris on page 60

  • Secure an LDAP Connection on Linux on page 61

Secure an LDAP Connection on Windows

Procedure

1. Log on to Alliance Gateway as Alliance Gateway owner.

2. Open a DOS command prompt.

3. Enter mmc to launch the Microsoft Management Console application. The Microsoft Management Console window appears.

4. Use File > Open to open the file /system32/sprers.eu, where you replace with the path to the WINDOWS directory on the Alliance Gateway machine. The Certificates - Current User window appears.

5. Select the Trusted Root Certification Authorities > Certificates store.

6. Select Action > All Tasks > Import. The Certificate Import Wizard appears.

7. Follow the instructions in the Certificate Import Wizard to import either the self-signed TLS certificate or the Certification Authority certificate in the Trusted Root Certification Authorities certificate store. A Security Warning message appears.

8. Click Yes. A Certificate Import Wizard message appears that confirms the successful import of the certificate.

9. Click OK. Close the Certificates - Current User window. A Microsoft Management Console dialog box appears. Click Yes. The Certificates - Current User window closes.



Secure an LDAP Connection on AIX

Before you begin

  • Alliance Gateway looks for the LDAP dynamic library (libibmldap.a) in the following directories:
    - /opt/IBM/ldap/V/lib
    - /opt/IBM/ldap/V/lib
    - /usr/lib

    If on your system the LDAP library is not in one of these directories, then update the sag_sprers.eu file located in /bin. Add the LDAP_LIBRARY parameter as follows:
    1. LDAP_LIBRARY =/libibmldap.a where is the directory where libibmldap.a is located
    2. Restart the sag_bootstrap for the parameter to take effect. See UNIX or Linux: sag_bootstrap on page

  • On AIX, the iKeyman key management utility (gsk7ikm) is used to manage the CMS keystore that contains TLS certificates. gsk7ikm is a Java program that requires a JRE to run. Furthermore, it can handle a CMS keystore format only if the JRE is configured with the IBM CMS security provider. You must select the JRE by setting the environment variables JAVA_HOME and PATH as follows:

    export JAVA_HOME=
    export PATH=$JAVA_HOME/bin:$PATH

    The standard JREs are provided with AIX and are configured with the IBM CMS security provider. You can find them in these directories:
    - AIX /usr/java14 or /usr/java5
    - AIX /usr/java5

    In the SWIFTNet Link owner environment, the variable JAVA_HOME is set to /SNL/_jvm. This JRE does not feature the IBM CMS security provider. Therefore, you must redefine the environment variables JAVA_HOME and PATH as explained above before running gsk7ikm.

Procedure

1. Log on to Alliance Gateway as Alliance Gateway owner.

2. Launch the gsk7ikm graphical application. If you use an X-Window-based tool to connect remotely to the Alliance Gateway machine, then ensure that the DISPLAY environment variable is set to the display of your workstation. Also, if there is a firewall in use between the Alliance Gateway machine and your workstation, then make sure to configure the firewall rules to allow X-Window communication.

3. Configure the right JAVA_HOME and PATH environment so that CMS security is available when creating a new keystore.

4. Click Key Database File to create a new keystore and follow the instructions in the documentation.

5. Do either of the following:
   - To add a Certification Authority certificate, click Add in the right panel.
   - To add a new self-signed certificate, click Create and then New Self-Signed Certificate.

6. Restart the sag_bootstrap. See UNIX or Linux: sag_bootstrap on page



Secure an LDAP Connection on Oracle Solaris

Procedure

1. Log on to Alliance Gateway as Alliance Gateway owner.
2. Open a Korn shell.
3. Use the certutil command-line application to create a new keystore in the /data/ldap directory:

       /usr/sfw/bin/certutil -N -d /data/ldap

4. Add either the self-signed TLS certificate or the Certification Authority certificate to the keystore:

       /usr/sfw/bin/certutil -A -n "" -i -a -t "C,C,C" -d [SAG_HOME]/data/ldap

   Replace the -n value with the name (nickname) of the certificate and the -i value with the path and file name of the certificate. The -t "C,C,C" trust flags mark the certificate as a trusted CA for SSL, e-mail and object signing.
5. Restart sag_bootstrap. See UNIX or Linux: sag_bootstrap on page


Secure an LDAP Connection on Linux

On RHEL , LDAP over TLS does not work with TLS certificates whose signature algorithm uses MD5 (for example MD5-RSA). RHEL enforces this because MD5 is obsolete.

Procedure

1. Log on to Alliance Gateway as Alliance Gateway owner.
2. Create a file named ldaprc in the /data/ldap directory.
3. Define TLS to secure the connection. The following rules apply when creating or updating the file:
   - The file must be owned by and readable by the Alliance Gateway owner.
   - The file must have the same format as sprers.eu (described in the man page).
   - The file must contain only TLS-specific options. Alliance Gateway handles the other options (URI, DNs, HOST, PORT).
   - All paths in the file must be absolute.

   Here is an example:

       TLS_CACERT /Alliance/Gateway/data/ldap/sprers.eu
       TLS_CACERTDIR /Alliance/Gateway/data/ldap
       TLS_REQCERT never

   Note that TLS_REQCERT never means the client neither requests nor checks the LDAP server's certificate: the connection is encrypted but the server is not authenticated. TLS_REQCERT demand (the default) terminates the session if the server presents no certificate or one that does not verify against TLS_CACERT or TLS_CACERTDIR.
4. Add either the self-signed TLS certificate or the Certification Authority certificate to the keystore.
5. Restart sag_bootstrap. See UNIX or Linux: sag_bootstrap on page
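The following checker, added here as an example and not part of the Alliance Gateway product, reads an ldaprc file and reports which of the rules above it breaks (an option that is not TLS-specific, a relative path, no trust anchor) together with the TLS_REQCERT values that weaken server authentication. The option names are those documented in ldap.conf(5); the severity given to each TLS_REQCERT value follows that man page. The file contents in WEAK_LDAPRC and HARDENED_LDAPRC are constructed for this example and the CA file name ca.pem is a placeholder.

```python
"""Lint an Alliance Gateway ldaprc file against the rules listed above.

Added example, not SWIFT's code. Option names come from ldap.conf(5); the
sample file contents below are constructed.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# TLS options documented in ldap.conf(5). Anything else (URI, BASE, HOST,
# PORT, BINDDN, ...) is not TLS-specific and is set by Alliance Gateway itself.
TLS_OPTIONS = {
    "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY", "TLS_CIPHER_SUITE",
    "TLS_RANDFILE", "TLS_REQCERT", "TLS_CRLCHECK", "TLS_CRLFILE",
    "TLS_PROTOCOL_MIN",
}
PATH_OPTIONS = {"TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY",
                "TLS_RANDFILE", "TLS_CRLFILE"}
# TLS_REQCERT values that let a session proceed without a verified server
# certificate (ldap.conf(5) semantics).
REQCERT_RISK = {
    "never": "server certificate is neither requested nor checked",
    "allow": "a missing or bad server certificate is ignored",
    "try": "a missing server certificate is accepted",
}


@dataclass(frozen=True)
class Finding:
    level: str      # "ERROR": breaks a rule above; "WARN": weak but valid setting
    line: int       # 1-based line number, 0 for file-level findings
    message: str


def parse_ldaprc(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, OPTION, value) triples, skipping blank and comment lines."""
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((no, parts[0].upper(), value))
    return entries


def check_ldaprc_text(text: str) -> list[Finding]:
    """Content rules: TLS options only, absolute paths, a usable trust anchor."""
    findings: list[Finding] = []
    seen: dict[str, str] = {}
    for no, option, value in parse_ldaprc(text):
        seen[option] = value
        if option not in TLS_OPTIONS:
            findings.append(Finding("ERROR", no,
                f"{option} is not a TLS option; Alliance Gateway sets it itself"))
            continue
        if option in PATH_OPTIONS and not os.path.isabs(value):
            findings.append(Finding("ERROR", no, f"{option} path must be absolute: {value!r}"))
        if option == "TLS_REQCERT" and value.lower() in REQCERT_RISK:
            findings.append(Finding("WARN", no,
                f"TLS_REQCERT {value}: {REQCERT_RISK[value.lower()]}"))
    # Verification can only succeed if a CA to verify against is configured.
    if (seen.get("TLS_REQCERT", "demand").lower() in ("demand", "hard")
            and not (seen.keys() & {"TLS_CACERT", "TLS_CACERTDIR"})):
        findings.append(Finding("WARN", 0,
            "TLS_REQCERT demand without TLS_CACERT or TLS_CACERTDIR: no CA to verify against"))
    return findings


def check_ldaprc_file(path: str, owner_uid: int) -> list[Finding]:
    """Content rules plus the ownership rule: owned by and readable by the owner."""
    st = os.stat(path)
    findings: list[Finding] = []
    if st.st_uid != owner_uid:
        findings.append(Finding("ERROR", 0, f"{path} is not owned by uid {owner_uid}"))
    if not st.st_mode & 0o400:
        findings.append(Finding("ERROR", 0, f"{path} is not readable by its owner"))
    with open(path, encoding="utf-8") as fh:
        findings.extend(check_ldaprc_text(fh.read()))
    return findings


# Constructed samples: the setting shown in the text, and a hardened variant.
WEAK_LDAPRC = """\
TLS_CACERT    /Alliance/Gateway/data/ldap/ca.pem
TLS_CACERTDIR /Alliance/Gateway/data/ldap
TLS_REQCERT   never
"""
HARDENED_LDAPRC = """\
TLS_CACERT    /Alliance/Gateway/data/ldap/ca.pem
TLS_CACERTDIR /Alliance/Gateway/data/ldap
TLS_REQCERT   demand
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_LDAPRC), ("hardened", HARDENED_LDAPRC)):
        found = check_ldaprc_text(text)
        print(name, [f"{f.level}:{f.line}:{f.message}" for f in found] or "ok")
```

Run it against /data/ldap/ldaprc with the Alliance Gateway owner's uid before restarting sag_bootstrap; an ERROR means the file will not be accepted as configured, a WARN means the LDAP session will be encrypted but the server may not be authenticated.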



Units

Concept

Purpose of units

Units provide a way to organise the logging of events generated by the following:

- administrative activity
- SWIFTNet message flow

Units enhance Alliance Gateway security by allowing operators to access only those events that are relevant to them. Controlling the visibility of events makes the Alliance Gateway Event Log a more efficient tool.

Units and message flow

Units can be assigned to operators, endpoints, message partners, and emission profiles. When events related to the message flow are logged, the corresponding unit is used.


Unit visibility management

In large institutions, units can be used to separate traffic and activity into different groups or departments, such as Billing, Treasury, or Stock Options. For example, all activity generated by a Finance department can be flagged with a unit called Finance. Events logged against the Finance unit are only visible to operators with the Finance unit assigned to them.

When a unit is assigned to an operator, all events logged against that unit become visible to that operator. To use units, an Alliance Gateway Administrator must define units and assign one or more units to each operator, specifying a default unit for each operator. Any event triggered by a particular operator is then logged to the operator's default unit. The Administrator operator is automatically granted visibility of events for all units.

The default unit

The default unit None is created at installation.

Defining new units

Once created, units cannot be deleted. For this reason, a warning appears before defining a new unit.
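The following model, added here as an example and not code from the Alliance Gateway product, applies the visibility rules above to an in-memory event log: an operator's own events are logged to the operator's default unit, message-flow events carry the unit of the endpoint or message partner involved, an operator sees only events of units assigned to them, the Administrator sees everything, and units can be defined but not deleted. The operator, unit and event names are constructed.

```python
"""Unit-based event visibility, modelled on the rules described in the text.

Added example, not SWIFT's code. Operators, units and events are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Operator:
    name: str
    units: frozenset[str]        # units assigned to the operator
    default_unit: str            # where the operator's own events are logged
    is_administrator: bool = False

    def __post_init__(self) -> None:
        # The default unit must be one of the assigned units.
        if self.default_unit not in self.units:
            raise ValueError(f"{self.name}: default unit {self.default_unit!r} is not assigned")


@dataclass(frozen=True)
class Event:
    seq: int
    unit: str
    source: str      # operator name, or the message-flow entity that caused the event
    text: str


class UnitRegistry:
    """Units are created once and never deleted; 'None' exists from installation."""

    def __init__(self) -> None:
        self._units = {"None"}

    def define(self, name: str) -> None:
        self._units.add(name)        # there is deliberately no remove()

    def exists(self, name: str) -> bool:
        return name in self._units

    def all(self) -> frozenset[str]:
        return frozenset(self._units)


class EventLog:
    def __init__(self, units: UnitRegistry) -> None:
        self._units = units
        self._events: list[Event] = []

    def _append(self, unit: str, source: str, text: str) -> Event:
        if not self._units.exists(unit):
            raise KeyError(f"unknown unit {unit!r}")
        event = Event(len(self._events) + 1, unit, source, text)
        self._events.append(event)
        return event

    def log_operator_event(self, operator: Operator, text: str) -> Event:
        """Administrative activity: logged against the operator's default unit."""
        return self._append(operator.default_unit, operator.name, text)

    def log_flow_event(self, entity: str, entity_unit: str, text: str) -> Event:
        """Message-flow activity: logged against the unit of the endpoint/message partner."""
        return self._append(entity_unit, entity, text)

    def visible_to(self, operator: Operator) -> list[Event]:
        """Events the operator may see: all for the Administrator, else by assigned unit."""
        if operator.is_administrator:
            return list(self._events)
        return [e for e in self._events if e.unit in operator.units]


def build_sample() -> tuple[EventLog, Operator, Operator, Operator]:
    """Constructed scenario: Finance and Treasury units, three operators, three events."""
    units = UnitRegistry()
    for name in ("Finance", "Treasury"):
        units.define(name)
    log = EventLog(units)
    fin = Operator("fin_op", frozenset({"Finance"}), "Finance")
    tre = Operator("tre_op", frozenset({"Treasury", "None"}), "Treasury")
    admin = Operator("Administrator", units.all(), "None", is_administrator=True)
    log.log_operator_event(fin, "updated message partner FIN_MP")       # unit Finance
    log.log_flow_event("endpoint TRE_EP", "Treasury", "FileAct transfer completed")
    log.log_operator_event(admin, "changed configuration parameter")   # unit None
    return log, fin, tre, admin


if __name__ == "__main__":
    log, fin, tre, admin = build_sample()
    for op in (fin, tre, admin):
        print(op.name, [e.seq for e in log.visible_to(op)])
```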



Manage Units

The Units page contains these elements:

- Details of the units defined for the current Alliance Gateway instance. See Details on page 63
- Functions that allow you to manage the units. See Functions on page 63


Display

Details

- Name: the name of the unit. Maximum 20 characters. Available in the page view and in the Add and Edit windows (1).
- Description: a description of the unit, limited to a maximum number of characters.

(1) Only displays the values, does not allow you to modify them.

Functions

- Add: enables you to add a unit.

Edit unit details

To edit the unit details, change the details in the corresponding fields then click Save.

Related information: Concept on page 61



Operating Profiles

Concept

Definition

An operating profile defines the scope of administrative control that an operator has over functions in Alliance Gateway. It consists of operating profile functions, and operators can only use the functionality assigned to their operating profile.

When Alliance Gateway is installed, an operating profile called Administrator is created and assigned to an operator of that name, also created at installation. This profile includes all Alliance Gateway operating profile functions. As of Alliance Gateway , another operating profile called Dashboard_Monitor is created during installation. This profile includes all the functions required to monitor alerts and to use related parts of Alliance Gateway Administration. For more information, see Alerts on page

Operators must be assigned operating profiles with suitable functions to enable them to fulfil their responsibilities. You can modify an operating profile using Alliance Gateway Administration. For example, you can define an operating profile that allows an operator to add an operator, but not delete an operator. You can also define operating profiles such that adding or removing certain entities requires actions by two people. For more information, see Dual Authorisation on page

Profiles are independent from the type of password authentication selected for the operator.

Default operating profile functionality

Standard operating profile functionality is assigned to every operator upon creation. This default functionality cannot be revoked, as it does not appear in the list of available components. By default, all operators can do the following:

- Renew their own password, provided they know their current operator password.
- Request and monitor the status of the Alliance Gateway system and its subsystems. For more information, see Monitoring on page
- Invoke the Traceset and Tracereset commands. For more information, see Start an Alliance Gateway Trace on page and Stop an Alliance Gateway Trace on page

Operating profile function rules

Two types of dependencies exist within operating profile functions: functional dependencies deal with the relationship between functions, for example the relationship between the Adopt and View List of functions, and object dependencies deal with the relationship between objects, for example the Message Partner to Unit relationship.


The following general rules determine the relationship between operating profile functions:

1. For basic operations, the following functional dependencies apply:

   Basic functions: Adopt, Archive, Delete, Disable, Enable, Reset
   Relationship: any one of these functions automatically grants the View List of function. The objects used in these functions are not interdependent. For example, Delete a Message Partner automatically grants View List of Message Partners, but not View List of Units.

   Basic function: Add
   Relationship: this function automatically grants the View List of function. The objects used in this function are interdependent. For example, Add a Message Partner automatically grants View List of Message Partners, View List of Units, View List of MQ Connections and View List of Certificates. See the next table for object relationships.

   Basic functions: View, Update
   Relationship: any one of these functions automatically grants the View and View List of functions. The objects used in these functions are interdependent. For example, Update a Message Partner automatically grants View Message Partner Details, View List of Message Partners, View List of Units, View List of MQ Connections and View List of Certificates. See the next table for object relationships.

   Basic function: Change
   Relationship: this function automatically grants the View and View Details functions. The objects used in this function are not interdependent. For example, granting Change Event Logging Criteria automatically grants View List of Event Templates and View Event Template Details.

   Basic function: View List of
   Relationship: this function has no functional dependencies.

2. For the basic operations described earlier, the following object dependencies apply:

   Endpoints: related to Message Partner and Unit
   Message Partner: related to Unit, Certificate and MQ Connection
   Operator: related to Operating Profile and Unit

   For example, the Endpoints object is related to the Message Partner object and the Unit object. Granting Add an Endpoint also grants View List of Message Partners and View List of Units. Other objects have no object dependencies.


3. Non-basic functions have no dependencies:

   Functions: Activate, Backup, Can Use, Deactivate, Manage, Remove, Run, Start, Stop
   Relationship: any one of these functions has no functional or object dependencies. For example, granting Manage LAU Right Part Key does not result in the granting of any other functionality.

4. Exceptions:

   Change Endpoint Sequence: only grants View List of Endpoints.
   Add Certificate Relaxed Setting: this basic function has no dependency.
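When reviewing a profile for least privilege it helps to compute everything a set of granted functions implies. The following model, added here as an example and not code from the Alliance Gateway product, transcribes rules 1 to 4 above as data tables and computes the transitive closure of a profile. Functions are represented as (verb, object) pairs such as ("Add", "Message Partner"). The object names, the treatment of View as a basic verb alongside Update, and the mapping of Change Event Logging Criteria onto the Event Template object are assumptions of this model.

```python
"""Expand an operating profile into the functions it implicitly grants.

Added example, not SWIFT's code. Functions are (verb, object) pairs; the
tables transcribe rules 1 to 4 described in the text.
"""
from __future__ import annotations

Func = tuple[str, str]

# Rule 2: object dependencies. Add/Update/View on the key object imply
# "View List of" on each related object.
OBJECT_DEPS: dict[str, tuple[str, ...]] = {
    "Endpoint": ("Message Partner", "Unit"),
    "Message Partner": ("Unit", "Certificate", "MQ Connection"),
    "Operator": ("Operating Profile", "Unit"),
}

# Rule 1: basic verbs, grouped by how far their implied grants reach.
VIEW_LIST_ONLY = {"Adopt", "Archive", "Delete", "Disable", "Enable", "Reset"}
VIEW_LIST_WITH_DEPS = {"Add"}
VIEW_AND_LIST_WITH_DEPS = {"View", "Update"}
# Rule 3: non-basic verbs (and View List of itself) carry no dependencies.
NO_DEPS = {"Activate", "Backup", "Can Use", "Deactivate", "Manage", "Remove",
           "Run", "Start", "Stop", "View List of"}
# "Change" grants View and View List of on the entity it affects; for Event
# Logging Criteria that entity is the Event Template (assumed mapping).
CHANGE_TARGET = {"Event Logging Criteria": "Event Template"}
# Rule 4: exceptions, spelled out explicitly.
EXCEPTIONS: dict[Func, frozenset[Func]] = {
    ("Change", "Endpoint Sequence"): frozenset({("View List of", "Endpoint")}),
    ("Add", "Certificate Relaxed Setting"): frozenset(),
}


def _view_lists(obj: str, with_deps: bool) -> set[Func]:
    objs = (obj, *OBJECT_DEPS.get(obj, ())) if with_deps else (obj,)
    return {("View List of", o) for o in objs}


def implied_by(func: Func) -> frozenset[Func]:
    """Functions implicitly granted by one explicitly granted function."""
    if func in EXCEPTIONS:
        return EXCEPTIONS[func]
    verb, obj = func
    if verb in NO_DEPS:
        return frozenset()
    if verb in VIEW_LIST_ONLY:
        return frozenset(_view_lists(obj, with_deps=False))
    if verb in VIEW_LIST_WITH_DEPS:
        return frozenset(_view_lists(obj, with_deps=True))
    if verb in VIEW_AND_LIST_WITH_DEPS:
        return frozenset({("View", obj)} | _view_lists(obj, with_deps=True))
    if verb == "Change":
        target = CHANGE_TARGET.get(obj, obj)
        return frozenset({("View", target), ("View List of", target)})
    raise ValueError(f"unknown verb {verb!r}")


def effective_functions(granted) -> set[Func]:
    """Transitive closure: everything an operator with these functions can do."""
    result: set[Func] = set(granted)
    todo = list(granted)
    while todo:
        for f in implied_by(todo.pop()):
            if f not in result:
                result.add(f)
                todo.append(f)
    return result


def excess_functions(granted, needed) -> set[Func]:
    """Least-privilege review: what the profile grants beyond what the role needs."""
    return effective_functions(granted) - effective_functions(needed)


if __name__ == "__main__":
    profile = {("Add", "Message Partner"), ("Manage", "LAU Right Part Key")}
    for f in sorted(effective_functions(profile)):
        print(f)
```

The closure is what an auditor should compare against a role description: a profile that was only meant to list message partners but holds Add a Message Partner also exposes the lists of units, certificates and MQ connections, which excess_functions makes visible.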

Available components and related functions

The following table lists all Alliance Gateway components along with the entities and operating profile functions associated with them. The operating profile functions are accessed through Alliance Gateway Administration. For more information, see Manage Operating Profiles on page

Component: Configuration Manager
- Operator: Add an Operator, Update an Operator, Delete an Operator, Enable an Operator, Allow Unconditional Enable for Operator (1), Disable an Operator, View List of Operators, Reset an Operator's Password, View Operator Details
- Operating Profile: Add an Operating Profile, Update an Operating Profile, Delete an Operating Profile, Enable an Operating Profile, Allow Unconditional Enable for Operating Profile (1), Disable an Operating Profile, View Operating Profile Details, View List of Operating Profiles
- Unit: Add a Unit, Update a Unit, View Unit Details, View List of Units
- Configuration Parameters: Update a Configuration Parameter, View Configuration Parameter Details, View List of Configuration Parameters, Manage Security Configuration Parameters, Import Configuration Data, Export Configuration Data
- Alerts: Control Alerts, View Alert Details, View List of Alerts

Component: Application Interface
- Message Partner: Add a Message Partner, Update a Message Partner, Delete a Message Partner, Enable a Message Partner, Disable a Message Partner, View Message Partner Details, View List of Message Partners, Can Use Protected Formats (2), Manage LAU Left Part Key, Manage LAU Right Part Key, Remove LAU Setting (2), Remove RAHA TLS Setting (2)

Component: MQ Host Adapter
- MQ Connection: Add MQ Connection, Delete MQ Connection, Disable MQ Connection, Enable MQ Connection, Update MQ Connection, View List of MQ Connections, View MQ Connection Details

Component: Event Logger
- Event Template: View Event Template Details, View List of Event Templates, View Event Log Details, View Event Log, Archive the Event Log, Change Event Logging Criteria

Component: SWIFTNet Interface
- SWIFTNet User: Add a SWIFTNet User, Delete a SWIFTNet User, Update a SWIFTNet User, Disable a SWIFTNet User, Enable a SWIFTNet User, Allow Unconditional Enable for SWIFTNet User (1), Reset Password of a SWIFTNet User, View SWIFTNet User Details, View List of SWIFTNet Users, List concurrent SWIFTNet users
- Certificates (3): View List of Certificates, Update a Certificate, Add Certificate Relaxed Setting (4), View Certificate Details, Delete a Certificate, Adopt a Certificate, Move a Certificate, Initialise HSM Partition
- Endpoints: Add an Endpoint, Update an Endpoint, Delete an Endpoint, Change Endpoint Sequence, Can Use Relaxed Setting (2), View Endpoint Details, View List of Endpoints, Enable an Endpoint, Disable an Endpoint

Component: System
- HSM: Show HSM Management GUI
- Process Controller: Start System, Start a Subsystem, Stop System, Stop a Subsystem, Activate a Subsystem, Deactivate a Subsystem, Backup Configuration Data, Run Integrity Check, Run readlog Command, Run SNL swiftnet Commands, Run statistics Command, Run System Check, Generate and Send supportinfo
- Authentication Server: Add an Authentication Server Group, Update an Authentication Server Group, Disable an Authentication Server Group, Enable an Authentication Server Group, Manage Left Authentication Server Secret, Manage Right Authentication Server Secret, View Authentication Server Group Details, View List of Authentication Server Groups, Delete an Authentication Server Group
- Licence: View Gateway Licence, Update Gateway Licence

Component: File Transfer Interface
- File Transfer: Abort an Ongoing File Transfer, Archive File Transfers, View File Transfer Details, View List of File Transfers
- Emission Profile: Add an Emission Profile, Delete an Emission Profile, Disable an Emission Profile, Enable an Emission Profile, Manage Emission Profile LAU Left Part Key, Manage Emission Profile LAU Right Part Key, Remove Emission Profile LAU Setting, Update an Emission Profile, View Emission Profile Details, View List of Emission Profiles
- Reception Profile: Add a Reception Profile, Delete a Reception Profile, Disable a Reception Profile, Enable a Reception Profile, Manage Reception Profile LAU Left Part Key, Manage Reception Profile LAU Right Part Key, Remove Reception Profile LAU Setting, Update a Reception Profile, View Reception Profile Details, View List of Reception Profiles
- Security Profile: Add a Security Profile, Delete a Security Profile, Update a Security Profile, View Security Profile Details, View List of Security Profiles
- Store-and-Forward Queue: Add a Store-and-forward Queue, Delete a Store-and-forward Queue, Disable a Store-and-forward Queue, Enable a Store-and-forward Queue, Update a Store-and-forward Queue, View Store-and-forward Queue Details, View List of Store-and-forward Queues

Component: MI Channel Support Interface (5)
- Batch Class: Add a Batch Class, Delete a Batch Class, Update a Batch Class, View Batch Class Details, View List of Batch Classes
- Message Flow Instance: Add a Message Flow Instance, Delete a Message Flow Instance, Disable a Message Flow Instance, Enable a Message Flow Instance, Start Replay for a Message Flow Instance, Update a Message Flow Instance, View Message Flow Instance Details, View List of Message Flow Instances
- MQ Channel: Add an MQ Channel, Delete an MQ Channel, Update an MQ Channel, View MQ Channel Details, View List of MQ Channels
- MQ Queue: Add an MQ Queue, Delete an MQ Queue, Update an MQ Queue, View MQ Queue Details, View List of MQ Queues
- MQ Manager: Add an MQ Manager, Delete an MQ Manager, Update an MQ Manager, View MQ Manager Details, View List of MQ Managers
- Routing Rule Set: Add a Routing Rule Set, Delete a Routing Rule Set, Update a Routing Rule Set, View Routing Rule Set Details, View List of Routing Rule Sets
- Routing Rule: Add a Routing Rule, Delete a Routing Rule, Update a Routing Rule, View Routing Rule Details, View List of Routing Rules
- Site: Add a Site, Delete a Site, Update a Site, View Site Details, View List of Sites
- SnF Queue: Add an SnF Queue, Delete an SnF Queue, Update an SnF Queue, View SnF Queue Details, View List of SnF Queues
- MIS Configuration: Generate MIS Configuration, Validate MIS Configuration
- MIS PKI Profile: Add an MIS PKI Profile, Delete an MIS PKI Profile, Update an MIS PKI Profile, View MIS PKI Profile Details, View List of MIS PKI Profiles
- MIS Security Profile: Add an MIS Security Profile, Delete an MIS Security Profile, Update an MIS Security Profile, View MIS Security Profile Details, View List of MIS Security Profiles

Component: MI Channel Support Reliable Messaging (5)
- Emission Endpoint: Add an Emission Endpoint, Delete an Emission Endpoint, Update an Emission Endpoint, View Emission Endpoint Details, View List of Emission Endpoints
- Reception Endpoint: Add a Reception Endpoint, Delete a Reception Endpoint, Update a Reception Endpoint, View Reception Endpoint Details, View List of Reception Endpoints

(1) For more information about this function, see Dual Authorisation on page
(2) These operating profile functions are specifically aimed at controlling the reduction of security.
(3) Acquire a Certificate and Recover a Certificate are not Alliance Gateway operating profile functions. They are part of SWIFTNet Link functionality, can only be used by SWIFTNet users, and are protected by PKI.
(4) An operator needs this operating profile function to adopt or recover a relaxed certificate.
(5) MI Channel functionality only applies to customers who are accessing a market infrastructure service where MI Channel connectivity is available.

Operating profile functions and security

The default level of a message partner or endpoint provides maximum security. Operators entitled to update a message partner or an endpoint can improve the level of security, but not reduce it. Several operating profile functions are specifically aimed at controlling the reduction of security. Without these operating profile functions, operators cannot perform operations that reduce security. Additionally, if the default security level of an entity has been lowered, only operators with an operating profile that allows both lowering the relevant security level and updating the entity can make modifications.

Example

An operator with only Update a Message Partner can make modifications such as changing the type of the message partner, as long as the message partner remains at its maximum security level. When the security has been lowered, this operator can no longer make any modifications to this message partner, except to raise its security level. To make modifications to a message partner with lowered security, an operator needs an operating profile containing both the Remove LAU Setting and Update a Message Partner functions. In contrast, an operator with just Remove LAU Setting can only lower the default LAU security for a message partner, not make any other modifications.

Operating profile examples

The following are three examples of operator profiles that you can use as a basis for creating your own operator profiles:

- Security operators. Security operators have specific administrative functions allowing them to do the following:
  - manage certificates and SWIFTNet users
  - update configuration parameters of type security
  - define and maintain details of Alliance Gateway operators
  - define operating profiles and assign suitable profiles to Alliance Gateway operators
  - define units to segregate message traffic in Alliance Gateway, and assign units to operators
  - manage event distribution within Alliance Gateway
  - check the Alliance Gateway Event Log as required and perform audit reporting, for example, reporting message errors
  - manage relaxed mode functions for message partners and endpoints.
- Application operators. Application operators manage applications with specific administrative functions allowing them to do the following:
  - define details and maintain information relating to operators
  - define and maintain endpoints
  - define and maintain message partners
  - check the Alliance Gateway Event Log within pre-defined areas, such as message-related events
  - define MQ connections.
- System operators. System operators have administrative control over Alliance Gateway components and processes through the following:
  - process control
  - start and stop Alliance Gateway and some subsystems
  - define and maintain configuration parameters for Alliance Gateway components
  - check the Alliance Gateway Event Log within pre-defined areas, such as modification of configuration parameters
  - run Alliance Gateway traffic statistics
  - define and maintain the authentication server settings.


Migrating operating profiles

Operating profiles are migrated according to the principle that an operator is able to do the same activities in Alliance Gateway as were possible in the previous release. Operator passwords, password history, enable status and lock status are all kept after migration.

- The Administrator operating profile is not migrated. Beginning with Alliance Gateway , this operating profile becomes dynamic and receives functions based on licence-related details. The Administrator operating profile in Alliance Gateway includes the following additional functions:
  - Export Configuration Data
  - Import Configuration Data
  - View Gateway Licence
  - Update Gateway Licence
  - Show HSM Management GUI
  - List concurrent SWIFTNet users

  If you install Alliance Gateway , then the following functions are added to the Administrator operating profile:
  - View List of Alerts
  - View Alert Details
  - Control Alerts
  - Generate and Send supportinfo

  If you install Alliance Gateway , then the following functions are added to the Administrator operating profile:
  - Allow Unconditional Enable for Operator
  - Allow Unconditional Enable for Operating Profile
  - Allow Unconditional Enable for SWIFTNet User

  If you install Alliance Gateway , then the following functions are added to the Administrator operating profile:
  - Initialise HSM Partition
  - Move a Certificate
- The Starter_Set_Admin operating profile is migrated; its visibility becomes public. This profile does not receive the following additional functions after migration:
  - Export Configuration Data
  - Import Configuration Data
  - View Gateway Licence
  - Update Gateway Licence
- Any user-defined operating profile that is migrated from an instance with a release prior to is set to status Enabled after migration.
- The following mapping applies to any user-defined operating profile that is migrated from an instance with a release prior to . The Human ID value is the value displayed in the Alliance Gateway Administration GUI, and maps to the Internal Name value, required for programming.


Functions for 6.x and functions added in the later release, each given as Internal Name / Human ID:

- DeleteOpProf / Delete an Operating Profile
- DisableOpProf / Disable an Operating Profile
- UpdateOpProf / Update an Operating Profile
- AddOpProf / Add an Operating Profile
- EnableOpProf / Enable an Operating Profile
- KMAAddVirtualProfile / Add a SWIFTNet User
- KMADeleteVirtualProfile / Delete a SWIFTNet User
- KMADisableVirtualProfile / Disable a SWIFTNet User
- KMAListVirtualProfile / View List of SWIFTNet Users
- ListConcurrentUsers / List concurrent SWIFTNet users
- KMAEnableVirtualProfile / Enable a SWIFTNet User
- KMAListProfile / View List of SWIFTNet Users
- KMAReadVirtualProfile / View SWIFTNet User Details
- KMAResetVirtualPassword / Reset Password of a SWIFTNet User
- KMAUpdateVirtualProfile / Update a SWIFTNet User
- KMAAdoptRealProfile / Adopt a Certificate
- KMADeleteRealProfile / Delete a Certificate
- KMAListRealProfile / View List of Certificates
- KMASetRelaxedMode / Add Certificate Relaxed Setting
- KMAUpdateRealProfile / Update a SWIFTNet User
- KMAListRealProfile / View List of SWIFTNet Certificates
- KMAReadRealProfile / View Certificate Details
- AddFtiEmissionProfile / Add an Emission Profile
- AddFtiQueue / Add a Store-and-forward Queue
- AddFtiSecurityProfile / Add a Security Profile
- AddMessagePartner / Add a Message Partner
- ListFtiSecurityProfile / View List of Security Profiles
- ReadFtiEmissionProfile / View Emission Profile Details
- ReadFtiQueue / View Store-and-forward Queue Details
- ReadFtiSecurityProfile / View Security Profile Details
- ReadMessagePartner / View Message Partner Details
- UpdateFtiEmissionProfile / Update an Emission Profile
- UpdateFtiQueue / Update a Store-and-forward Queue
- UpdateFtiSecurityProfile / Update a Security Profile
- UpdateMessagePartner / Update a Message Partner
- UpdateAuthServer / Update an Authentication Server (1)
- AddAuthServer / Add an Authentication Server (1)
- ListAuthServer / View List of Authentication Servers (1)
- DeleteAuthServer / Delete an Authentication Server (1)
- ReadAuthServer / View Authentication Server Details (1)
- EnableAuthServer / Enable an Authentication Server (1)
- DisableAuthServer / Disable an Authentication Server (1)

(1) As of Alliance Gateway , "Authentication Server" is renamed "Authentication Server Group" in this function.

The following functions have been added in releases subsequent to Alliance Gateway (Internal Name / Human ID):

- Alliance Gateway : ListMonItem / View List of Alerts; ReadMonItem / View Alert Details; ControlMonItem / Control Alerts
- Alliance Gateway : UnconditionalEnableOperator / Allow Unconditional Enable for Operator; UnconditionalEnableOpProfile / Allow Unconditional Enable for Operating Profile; KMAUncondEnableVirtualProfile / Allow Unconditional Enable for SWIFTNet User
- Alliance Gateway : MisAddBatchClass / Add a Batch Class
- Alliance Gateway : MisAddRoutingRuleSet / Add a Routing Rule Set
- Alliance Gateway : MisReadSecurityProfile / View MIS Security Profile Details; MisListSecurityProfile / View List of MIS Security Profiles; MisRmsAddEmissionEndpoint / Add an Emission Endpoint; MisRmsDeleteEmissionEndpoint / Delete an Emission Endpoint; MisRmsUpdateEmissionEndpoint / Update an Emission Endpoint; MisRmsReadEmissionEndpoint / View Emission Endpoint Details; MisRmsListEmissionEndpoint / View List of Emission Endpoints; MisRmsAddReceptionEndpoint / Add a Reception Endpoint; MisRmsDeleteReceptionEndpoint / Delete a Reception Endpoint; MisRmsUpdateReceptionEndpoint / Update a Reception Endpoint; MisRmsReadReceptionEndpoint / View Reception Endpoint Details; MisRmsListReceptionEndpoint / View List of Reception Endpoints
- Alliance Gateway : KMASmaInitRealProfile / Initialise HSM Partition; KMAMoveRealProfile / Move a Certificate

Note: The functions related to MI Channel introduced in Alliance Gateway only apply to customers who are accessing a market infrastructure service where MI Channel connectivity is available.



Dual Authorisation

Principle

You may want to implement a dual authorisation approach for operations relating to the management of operators, SWIFTNet user profiles (virtual SWIFTNet users), and passwords. The granular functionality inherent in the operating profile can be assigned in such a way as to achieve this. This approach effectively ensures that one person acting alone cannot configure Alliance Gateway entities that are ready to use: a second person must validate the action of the first person. Similarly, functionality in operating profiles can ensure that one person acting alone cannot remove Alliance Gateway entities currently in use. This operates in a similar manner to the four-eyes principle, enabling segregation of entity management.


Restrictions for enabling created and modified entities You can prevent an operator who has just created or modified certain entity types from enabling those entities. The entities types are operator, operating profile, and virtual SWIFTNet user. This is controlled by the system configuration parameter Enable Requires Additional Operator. To set the parameter Enable Requires Additional Operator, see Enable Requires Additional Operator on page 39 and Manage Configuration Parameters on page Note

In the tables below, Operators A and B are used as an example in each table of functions.

Entities and operator functions

The following table lists entities and related operating profile functions that can be managed using a dual authorisation scheme. Using this approach, different operating profiles must be established for each of two operators (listed here as Operator A and Operator B), so that the functions for each entity are split between the Operator A profile and the Operator B profile. Alternatively, including the respective disable functions in the Operator B profile may prove more practical. Note that this reduces the dual authorisation principle to entity creation and updates, but not removal.

Entity | Related operating profile functions (to be split between Operator A and Operator B)
Operator | Add an Operator; Delete an Operator; Update an Operator; Enable an Operator; Disable an Operator; Reset an Operator's Password
Operating Profile | Add an Operating Profile; Delete an Operating Profile; Update an Operating Profile; Enable an Operating Profile; Disable an Operating Profile
SWIFTNet User | Add a SWIFTNet User; Delete a SWIFTNet User; Disable a SWIFTNet User; Enable a SWIFTNet User; Reset Password of a SWIFTNet User
Message Partner | Add a Message Partner; Delete a Message Partner; Update a Message Partner; Enable a Message Partner; Disable a Message Partner
MQ Connection Profile | Add MQ Connection; Delete MQ Connection; Update MQ Connection; Enable MQ Connection; Disable MQ Connection
Endpoint | Add an Endpoint; Delete an Endpoint; Update an Endpoint; Enable an Endpoint; Disable an Endpoint


Entities and operator functions for local authentication

With the local authentication of message partners, two operators can share the key that is used to check the integrity and authentication, as shown in the following table:

Entity | Operator A functions | Operator B functions
Authentication Servers | Manage Left Authentication Server Secret | Manage Right Authentication Server Secret
Message Partners | Manage LAU Left Part Key | Manage LAU Right Part Key

For more information, see Dual Authorisation on page 81.

Related information
Dual Authorisation on page 81
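A separation-of-duties check that encodes the rules of the two tables above (the entity functions split between Operator A and Operator B, and the left/right split of local authentication secrets), as an added example that is not code from the guide or from SWIFT. It treats an operating profile as a set of the function names listed above; the sample profile names, the Finding type and the way the Enable Requires Additional Operator parameter is modelled are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Entity types for which the "Enable Requires Additional Operator" configuration
# parameter makes the system itself refuse an enable by the creating operator.
SYSTEM_ENFORCED_ENTITIES = {"Operator", "Operating Profile", "SWIFTNet User"}

# Function names as listed in the tables above: (creator side, enabler side).
CREATION_RULES = {
    "Operator": ({"Add an Operator", "Update an Operator"}, {"Enable an Operator"}),
    "Operating Profile": ({"Add an Operating Profile", "Update an Operating Profile"},
                          {"Enable an Operating Profile"}),
    "SWIFTNet User": ({"Add a SWIFTNet User"}, {"Enable a SWIFTNet User"}),
    "Message Partner": ({"Add a Message Partner", "Update a Message Partner"},
                        {"Enable a Message Partner"}),
    "MQ Connection Profile": ({"Add MQ Connection", "Update MQ Connection"},
                              {"Enable MQ Connection"}),
    "Endpoint": ({"Add an Endpoint", "Update an Endpoint"}, {"Enable an Endpoint"}),
}
# Delete only applies to disabled entities, so Disable + Delete in one profile
# lets a single person remove an entity that is currently in use.
REMOVAL_RULES = {
    "Operator": ({"Disable an Operator"}, {"Delete an Operator"}),
    "Operating Profile": ({"Disable an Operating Profile"}, {"Delete an Operating Profile"}),
    "SWIFTNet User": ({"Disable a SWIFTNet User"}, {"Delete a SWIFTNet User"}),
    "Message Partner": ({"Disable a Message Partner"}, {"Delete a Message Partner"}),
    "MQ Connection Profile": ({"Disable MQ Connection"}, {"Delete MQ Connection"}),
    "Endpoint": ({"Disable an Endpoint"}, {"Delete an Endpoint"}),
}
# Local authentication: each half of a shared secret belongs to a different operator.
SPLIT_SECRET_RULES = {
    "Authentication Servers": ({"Manage Left Authentication Server Secret"},
                               {"Manage Right Authentication Server Secret"}),
    "Message Partners": ({"Manage LAU Left Part Key"}, {"Manage LAU Right Part Key"}),
}


@dataclass(frozen=True)
class Finding:
    profile: str
    rule: str        # "creation", "removal" or "split-secret"
    entity: str
    first: str
    second: str
    mitigated: bool  # True when the system parameter blocks the conflict anyway


def _conflicts(profile, rule, rules, functions, mitigated_entities):
    found = []
    for entity, (side_a, side_b) in rules.items():
        for a in sorted(side_a & functions):
            for b in sorted(side_b & functions):
                found.append(Finding(profile, rule, entity, a, b, entity in mitigated_entities))
    return found


def check_profile(name: str, functions: Set[str],
                  enable_requires_additional_operator: bool = False) -> List[Finding]:
    """Return every pair of functions in one profile that defeats dual authorisation."""
    mitigated = SYSTEM_ENFORCED_ENTITIES if enable_requires_additional_operator else set()
    findings = _conflicts(name, "creation", CREATION_RULES, functions, mitigated)
    findings += _conflicts(name, "removal", REMOVAL_RULES, functions, set())
    findings += _conflicts(name, "split-secret", SPLIT_SECRET_RULES, functions, set())
    return findings


def unmitigated(findings: List[Finding]) -> List[Finding]:
    """Conflicts that only profile design can prevent."""
    return [f for f in findings if not f.mitigated]


def check_profiles(profiles: Dict[str, Set[str]],
                   enable_requires_additional_operator: bool = False) -> Dict[str, List[Finding]]:
    """Check every profile; profiles without findings are omitted from the result."""
    result = {}
    for name, functions in profiles.items():
        findings = check_profile(name, functions, enable_requires_additional_operator)
        if findings:
            result[name] = findings
    return result


# Constructed sample profiles (not from the guide): an Operator A / Operator B split
# versus one profile that holds everything.
SAMPLE_PROFILES = {
    "Entity Manager": {"Add an Operator", "Update an Operator", "Delete an Operator",
                       "Add a Message Partner", "Update a Message Partner",
                       "Delete a Message Partner", "Manage LAU Left Part Key"},
    "Entity Approver": {"Enable an Operator", "Disable an Operator",
                        "Enable a Message Partner", "Disable a Message Partner",
                        "Manage LAU Right Part Key"},
}
SAMPLE_PROFILES["Single Admin"] = SAMPLE_PROFILES["Entity Manager"] | SAMPLE_PROFILES["Entity Approver"]

if __name__ == "__main__":
    for profile, findings in check_profiles(SAMPLE_PROFILES, True).items():
        for f in findings:
            status = "mitigated by system parameter" if f.mitigated else "profile design issue"
            print(f"{profile}: {f.rule} on {f.entity}: {f.first} + {f.second} ({status})")
```

With the parameter switched on, the Operator conflicts are reported as mitigated while the Message Partner and LAU key conflicts remain, because the parameter only covers operators, operating profiles and virtual SWIFTNet users.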



Manage Operating Profiles

Description
The Operating Profiles page contains these elements:
• Details of the operating profiles defined for the current Alliance Gateway instance. See Details on page 84.
• Functions that allow you to manage the operating profiles. See Functions on page 85.


Display

Details

Column / Field | Description
Name | The name of the operating profile. Maximum 20 characters
Status | Indicates the current status of the operating profile
Components | In the Available list: the list of components available. In the Selected list: the components that you assign to the operating profile
Functions | In the Available list: the list of functions available for the component that has focus. In the Selected list: the functions for the component that has focus, which are assigned to the operating profile

(1) Page view only displays the values, does not allow you to modify them

Functions

Function | Description
Change View | Filter what appears in the list.
Add | Enables you to add an operating profile
Delete | Deletes a disabled operating profile
Enable | Enables a disabled operating profile
Disable | Disables an enabled operating profile
Export | See Export on page
Print | See Print on page

Edit operating profile details
To edit the operating profile details, change the details in the corresponding fields then click Save.

Related information
Concept on page 64
Dual Authorisation on page 81

Operators

Concept

Overview
An Alliance Gateway operator uses the Alliance Gateway Administration interface to perform tasks on Alliance Gateway. Your institution may decide to distribute administrative tasks among a number of operators. This is typically necessary in a large institution, but in smaller institutions a single operator can perform all Alliance Gateway administrative tasks. Operators are assigned an authentication type (and an authentication server group, for LDAP and one-time password), an operating profile, and a list of units to which they belong. The tasks that an operator can perform in Alliance Gateway depend on the functions assigned to this operator. For more information, see Available components and related functions on page.

Note
An Alliance Gateway operator cannot exchange business messages over SWIFTNet.

Default Alliance Gateway operator
When Alliance Gateway is installed, a default operator called Administrator is created with full Alliance Gateway operating profile functions. This operator cannot be deleted or disabled, and its profile cannot be modified or deleted. An initial password for the Administrator is defined during installation. This password must be changed the first time it is used to log in. The Administrator operator cannot be configured to use one-time passwords.

Important
Create an operator with the same operating profile as the Administrator operator. Otherwise, if you lose the Administrator password or have to reset it, then you must reinstall Alliance Gateway. For more information, see the Alliance Gateway Installation Guide.

Locked operator accounts
When the permitted number of attempts to specify a valid Alliance Gateway operator password is exhausted, your Alliance Gateway operator account is locked. Another Alliance Gateway operator who is not locked or suspended and who has the operating profile function Reset an Operator's Password can reset your Alliance Gateway operator account password. If an operator has the Administrator operating profile, then only an operator who also has the Administrator operating profile can reset the password of that operator. To reset an operator password, see Reset Operator Passwords on page.

Dormant operator accounts
Operators who have not logged in for a pre-defined number of days are considered dormant. The Disable Period configuration parameter enables you to define a number of days after which operators are considered dormant and are disabled as a result. This functionality does not apply to the Alliance Gateway Administrator account: this account can never be disabled.


Suspended operator accounts
When the Administrator account exhausts the permitted number of attempts to specify a valid Alliance Gateway operator password, the Administrator account is suspended. After 10 minutes, this account is again able to attempt to log in.

Operator types
Operators can be grouped according to their functional areas in Alliance Gateway Administration. Each group of operators can be assigned operating profiles with particular functions that allow them to perform certain tasks in the Alliance Gateway Administration interface. It is important that you use the Alliance Gateway Administration interface to define operator profiles that meet the requirements of your organisation. For examples, see Operating profile examples on page.



Manage Operators

Description
The Configuration > User Management > Operators option enables you to manage operators. The Operators page contains these elements:
• Configuration parameters that allow you to configure the settings for the operators. See Configuration parameters on page 88.
• Functions that allow you to manage the configuration parameters. See Functions: configuration parameters on page 88.
• Details of the operators defined for the current Alliance Gateway instance. See Details on page 89.
• Functions that allow you to manage the operators. See Functions on page 91.

For conceptual information about operators, see Concept on page.

Display


Configuration parameters

Configuration parameter | Definition | Allowed values | Default value
Disable Period | Determines the number of days without login after which the system disables an operator. A value of 0 means that automatic disable will not be performed. | 0, 30 to | days
Maximum Number of Failed Login Attempts | Determines the number of attempts that the system allows an operator to provide a valid password. For the Administrator: the account shall not be locked. It gets suspended for 10 minutes after the number of failed attempts configured in this parameter. | 1 to 10 | 5 attempts
Password Minimum Length (1) | Determines the minimum number of characters that an operator password must contain | 17 to 64 | 17 characters
Password Minimum Length TOTP | Determines the minimum allowed length for an Operator password when used in combination with TOTP | 12 to 64 | 12 characters
Password History Length (1) | Determines the number of previous operator passwords that the system retains | 8 to | 24 entries
Password Validity Period (1) | Determines the number of days before an operator password expires and requires changing | | days

(1) Valid only for operators defined with Authentication Type set to Password (user-defined password)

Functions: configuration parameters

Function | Description | Procedure
Add | Enables you to add illegal password pattern values | Add Multiple Values on page 42
Remove | Enables you to remove illegal password pattern values | Remove Multiple Values on page 43
Edit | Enables you to edit illegal password pattern values | Edit Multiple Values on page 43
Reset to Default | Resets the configuration parameters on the Operators page to the default values | Reset Values on page 42
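The lock, suspend, password-reset and dormancy rules from the Concept section above, driven by the Disable Period and Maximum Number of Failed Login Attempts parameters in the table, modelled as an added example that is not code from the guide or from SWIFT. The OperatorPolicy and OperatorAccount types, the function names and the treatment of never-logged-in operators are assumptions of this example; the allowed ranges are those visible in the table.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# The Administrator account is suspended for 10 minutes instead of being locked.
ADMIN_SUSPENSION = timedelta(minutes=10)


@dataclass
class OperatorPolicy:
    """The two Operators configuration parameters that drive account state."""
    max_failed_login_attempts: int = 5   # default value from the table above
    disable_period_days: int = 0         # 0 means no automatic disable

    def __post_init__(self):
        # Allowed values as far as the table shows them; the upper bound of Disable
        # Period is not visible in the extracted table, so only its lower bound is checked.
        if not 1 <= self.max_failed_login_attempts <= 10:
            raise ValueError("Maximum Number of Failed Login Attempts must be 1 to 10")
        if self.disable_period_days != 0 and self.disable_period_days < 30:
            raise ValueError("Disable Period must be 0 or at least 30 days")


@dataclass
class OperatorAccount:
    name: str
    is_administrator: bool = False       # the built-in Administrator operator
    administrator_profile: bool = False  # holds the Administrator operating profile
    can_reset_passwords: bool = False    # has the "Reset an Operator's Password" function
    failed_attempts: int = 0
    locked: bool = False
    disabled: bool = False
    suspended_until: Optional[datetime] = None
    last_login: Optional[datetime] = None


def is_suspended(account: OperatorAccount, now: datetime) -> bool:
    return account.suspended_until is not None and now < account.suspended_until


def can_attempt_login(account: OperatorAccount, now: datetime) -> bool:
    return not (account.locked or account.disabled or is_suspended(account, now))


def record_failed_login(account: OperatorAccount, policy: OperatorPolicy, now: datetime) -> str:
    """Apply one invalid password; returns 'rejected', 'failed', 'locked' or 'suspended'."""
    if not can_attempt_login(account, now):
        return "rejected"            # already locked, disabled or suspended
    account.failed_attempts += 1
    if account.failed_attempts < policy.max_failed_login_attempts:
        return "failed"
    account.failed_attempts = 0
    if account.is_administrator:     # Administrator is never locked, only suspended
        account.suspended_until = now + ADMIN_SUSPENSION
        return "suspended"
    account.locked = True
    return "locked"


def record_successful_login(account: OperatorAccount, now: datetime) -> None:
    account.failed_attempts = 0
    account.last_login = now


def reset_password(target: OperatorAccount, actor: OperatorAccount, now: datetime) -> bool:
    """Reset Password by another operator; also unlocks the target. Returns False if refused."""
    if not actor.can_reset_passwords or not can_attempt_login(actor, now):
        return False                 # actor needs the function and must not be locked/suspended
    if target.administrator_profile and not actor.administrator_profile:
        return False                 # only an Administrator-profile operator may reset one
    target.locked = False
    target.failed_attempts = 0
    return True


def disable_dormant_operators(accounts: List[OperatorAccount], policy: OperatorPolicy,
                              now: datetime) -> List[str]:
    """Disable operators with no login for Disable Period days; returns their names."""
    if policy.disable_period_days == 0:
        return []
    cutoff = now - timedelta(days=policy.disable_period_days)
    names = []
    for account in accounts:
        if account.is_administrator or account.disabled:
            continue                 # the Administrator account can never be disabled
        # Assumption of this example: an operator that has never logged in is not dormant.
        if account.last_login is not None and account.last_login < cutoff:
            account.disabled = True
            names.append(account.name)
    return names
```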


Details

Column / Field | Description
Name | The name of the operator. Maximum US-ASCII printable characters
Description | A description of the operator
Status | Indicates the current status of the operator
Operating Profile | Determines the operating profile that you assign to the operator
Lock Status | Indicates the lock status of the operator. The system locks operators that reach the limit for the Maximum Number of Failed Login Attempts (see Configuration parameters on page 88) without providing a valid password. If the Alliance Gateway Administrator operator reaches the limit, then the system suspends the Alliance Gateway Administrator operator.
Last Login | Indicates the date and the time of the operator's last login
Authentication Type | Determines the authentication method that the login mechanism uses to authenticate the operator. The possible values are listed below the table.
Authentication Server Group (3) | The authentication server group used to authenticate requests for the operator
External Identifier (3) | The user name of the operator in the LDAP directory or authentication server. Maximum US-ASCII printable characters. This field is optional: if it has no value, then the system uses the operator name to check the operator credentials.
Units | In the Available list: the list of units available. In the Selected list: the units that you assign to the operator
Default Unit | The unit to use for the generation of events logged when the operator performs administrative operations

Possible values of Authentication Type:
• Password: Alliance Gateway authenticates the user-defined password that the operator provides at login. For more information, see User-Defined Passwords on page.
• RADIUS One-time Password: An authentication server authenticates the one-time password that the operator provides at login. For more information, see Authentication Servers and One-Time Passwords on page.
• LDAP Authentication: An LDAP server authenticates the user name and password that the operator provides at login. For more information, see LDAP Authentication on page.
• Password and TOTP: A time-based one-time password (TOTP) is generated by an additional downloaded application on a mobile device for temporary use to log in to the SAG Operator account. This is used in conjunction with a permanent password.

(1) Page view only displays the values, does not allow you to modify them
(2) Not a default column, use Change View to add this column to the list
(3) Only appears when Authentication Type is set to LDAP Authentication or RADIUS One-time Password

Functions

Function | Description
Filtering Criteria | View operators using the Name, External Identifier, or Operating Profile drop-down and clicking Submit.
Clear | Resets the Filtering Criteria.
Submit | Displays parameters for the selection in the Filtering Criteria.
Change View | Allows you to select what is displayed in the Operators list.
Add | Enables you to add an operator
Delete | Deletes a disabled operator
Enable | Enables a disabled operator
Disable | Disables an enabled operator
Reset Password | Resets the password of an operator that uses a user-defined password and unlocks the operator, if it is locked. Procedure: Reset Operator Passwords on page 92
Unlock Operator | Unlocks an operator that uses one-time passwords or LDAP authentication and is locked. Procedure: Unlock Operators on page 92
Reset to Default | Resets the configuration parameters on the Operators page to the default values. Procedure: Reset Values on page 42
Export | See Export on page
Print | See Print a Report Directly from the GUI on page

Modify configuration parameters
To change the values of configuration parameters on the Operators page, do the steps in Change Values on page.

Edit operator details
To edit the operator details, change the details in the corresponding fields then click Save.

Related information
Concept on page 86



Reset Operator Passwords

This procedure is only applicable for operators that use user-defined passwords.

Procedure
1. From the Operators page, select the applicable operator with either of these actions:
   • Click the list entry for the operator. The Operator Details window opens.
   • Select the check box of the list entry for the operator.
2. Click Reset Password. The Reset Password window opens.
3. Click Reset Password in the Reset Password window.
   The system unlocks the operator, if applicable, and resets the password. The Operator Generated Password window opens.
   Note
   This action will also reset the TOTP code. This means that you will need to repeat Configure Two-Factor Authentication on page. Doing this will create two records in your mobile Authenticator application. You must be sure to delete the old record in order to ensure proper usage.
4. Select the Show Clear Text check box. The window displays the Generated Password value.
5. Follow the instructions given in the Operator Generated Password window.
6. Click Close.

Unlock Operators

This procedure is only applicable for operators that use one-time passwords or LDAP authentication.

Procedure
1. From the Operators page, select the applicable operator with either of these actions:
   • Click the list entry for the operator. The Operator Details window opens.
   • Select the check box of the list entry for the operator.
2. Click Unlock Operator. The Unlock LDAP or OTP Operator window opens.
3. Click Unlock LDAP or OTP Operator in the Unlock LDAP or OTP Operator window.
   The system unlocks the operator.


Event Log

Description
The Event Log node enables you to view and modify configuration parameters that influence the general behaviour of the event log for the current Alliance Gateway instance. The Event Log node contains the related entities that are available for the current Alliance Gateway instance.

Content
Clicking the Event Log node opens the Event Log page. See Event Log Configuration Parameters on page.

Nodes
Expanding the Event Log node reveals these entity nodes:
• Event Distribution (see Event Distribution on page)
• Archive (see Archive on page)

Clicking an entity node opens the corresponding entity page.



Events, Event Logging and SNMP

Alliance Gateway Events and Event Log

Events and errors
It is important to make the distinction between events and errors. Applications designed to work with Alliance Gateway are responsible for treating errors. An application that sends messages can receive an error. A single error may generate one or more events. If an error with severity Severe or Fatal is returned to an application, then at least one corresponding event is logged. Events are also logged due to the following operational activities:
• changes to configuration data, such as adding, changing or removing operators, message partners, and so on
• internal processing within Alliance Gateway, such as process start and stop, and other actions monitored by the Process Controller
• events resulting from message flow

SWIFTNet Link events
SWIFTNet Link events can also be logged in the Alliance Gateway Event Log. To do this, you must set the configuration parameter Subscribe to Receive SNL Events. By default, it is set to Yes. By default, Alliance Gateway requests any events that occurred since the last received SWIFTNet Link event (if any), or since the start of a period during which no SWIFTNet Link events were received (for example, if Alliance Gateway was stopped). If Alliance Gateway is started for the first time or is stopped over a weekend, then only SWIFTNet Link events logged within the last hour are considered.

Alliance Gateway Event Log
The Alliance Gateway Event Log is a database that stores Alliance Gateway-related events.

Event Log disk space
When you install Alliance Gateway, disk space is allocated for the Alliance Gateway Event Log. The amount allocated depends on the connectivity pack setting established during Alliance Gateway installation or relicensing. Alliance Gateway activity, such as logging in to the Alliance Gateway Administration GUI and exchanging messages, generates events that are logged in the Alliance Gateway Event Log according to an event template. The events reported can be customised and configured to interface with the operating system log or with third-party system management software such as Tivoli or HP OpenView.

Configuration parameters
Configuration parameters enable you to define the properties of the Alliance Gateway Event Log:
• whether the Alliance Gateway Event Log runs in Archive or Rollover mode
• whether Alliance Gateway receives and logs SWIFTNet Link events
To set these configuration parameters, see Event Log Configuration Parameters on page.
• whether events in Archive mode are archived or removed
• the retention period of events in Archive mode
• the location of the archival directory
To set configuration parameters related to archiving, see Configure Event Archiving on page.

Event Characteristics

Unique identification
Two main criteria identify events:
• The ComponentName identifies the component requesting to log an event.
• The EventNumber is a unique value, specific to the component. Over the course of Alliance Gateway releases, event numbers do not change. It is possible, however, that event text may change.

Note


Alliance Gateway

Administration and Operations Guide

This guide describes how to use the Alliance Gateway Administration interface to perform Alliance Gateway tasks. The Alliance Gateway Administration interface is available through the Alliance Web Platform. This guide also describes how to monitor multiple Alliance instances and how to use Alliance Gateway commands and tools. This guide is for system administrators and security managers.

Table of Contents

Preface 5
1 SWIFT Training 6
2 Alliance Gateway Operations Overview 7
    About Alliance Gateway
    Component Groups of the Alliance Gateway Environment
    Configuring Alliance Gateway Interfaces 13
    Creating and Managing Alliance Gateway Entities 15
    Enabled and Disabled Entities
    Configuration Parameters 19
    Daily Operations and Housekeeping 20
3 Logging in to Alliance Gateway Administration 21
    Session Management for Alliance Gateway Administration GUI 23
    Configure Two-Factor Authentication
    Embedded Two-Factor Authentication 25
    Changing Your Password
4 The Alliance Gateway Administration GUI 27
    Online Help
    Tips and Tricks for Using Alliance Gateway Administration 27
    Wildcards for Searching or Filtering
    Change your List View
    Choose File 30
    Print a Report Directly from the GUI
    Print 30
    Export 31
    Report Types and Settings 31
5 Configuration 33
    Licensing Configuration 33
    Parameters 36
    Manage Configuration Parameters 42
    User Management 43
    Event Log
    Application Interface
    SWIFTNet Interface
    MI Channel Support Interface
    File Transfer
    Routing
6 Instance Monitoring Overview
    Accessing the Instance Monitoring Overview Page
    The Instance Monitoring Overview Page
    The Connectivity Status Window
    Logging In to an Alliance Server Instance
7 Monitoring
    Alerts
    Processes
    System
    Last Logins
    Concurrent Users
    File Transfers
    Queues
    MI Channel Message Flow Instances
    Event Log
8 HSM Management
    HSM Operations
    HSM Status
9 Licensing
    Licensing Operations Overview
    Licence Files
    Types of Licence-related Data
    Interactive Licensing
    Silent Licensing
10 Alliance Gateway Commands and Tools
    The Alliance Gateway Bootstrap
    sag_system
    Other Alliance Gateway Commands
11 Miscellaneous Activities
    Archive, Back Up, Copy, and Restore Alliance Gateway Data
    Collect Message Traffic Statistics
    Monitor Application Errors
    Change the Alliance Gateway System Service Password (Windows Only)
    Alliance Gateway in Replicated Environments
    Change the Type of Hardware Security Module Used by Alliance Gateway
    Manage Concurrent User Connections
    TLS Security for Remote API Traffic
12 Security Best Practice Check Tool
    Starting the Security Best Practice Check Tool
Legal Notices

Preface

Purpose
This guide describes how to use the Alliance Gateway Administration interface to perform Alliance Gateway tasks. The Alliance Gateway Administration interface is available through the Alliance Web Platform Server-Embedded. This guide also explains how to monitor multiple Alliance instances from the Instance Monitoring Overview page.

Audience
This guide is for Alliance Gateway operators who use the Alliance Gateway Administration interface.

About Alliance Web Platform Server-Embedded
Alliance Web Platform Server-Embedded is the framework that hosts browser-based graphical user interfaces (GUI) of the Alliance portfolio. It offers a consistent end-user interface to the functionality managed by the Alliance servers. Alliance Web Platform Server-Embedded runs in an application server environment, enabling centralised deployment of the software.

1 SWIFT Training

SWIFT provides training about standards, products, and services to suit different needs. From tailored training to self-paced e-learning modules on SWIFTSmart, a range of training options is available for all SWIFT users.

SWIFTSmart
SWIFTSmart is an interactive, cloud-based training service that offers a large variety of courses for different levels of knowledge. The courses contain exercises and quizzes and are available in multiple languages. The SWIFTSmart catalogue provides a list of courses that are organised into these learning tracks:
• General knowledge
• Work with messages
• Deploy and manage SWIFT software solutions
• Security and audit
• Compliance and shared services

SWIFTSmart is accessible from the desktop or from a mobile device. No installation is required. It is available to all connected SWIFT users and registered SWIFT partners with a swift.com account. For more information, see How to become a swift.com user.

Tailored training
A full range of tailored programmes is available to meet specific training needs. For more information, visit the Training web page.

2 Alliance Gateway Operations Overview

About Alliance Gateway

Description and purpose
Alliance Gateway is a modular software package that is installed on top of the SWIFTNet Link (SNL) software, and is designed to enable application-to-application communication. Using the SWIFTNet messaging services InterAct and FileAct, messages and files are typically exchanged between a customer application (client) and a central application (server) over the secure IP network (SIPN).

Alliance Gateway overview
[Figure: Alliance Gateway overview. Elements shown: Client Application, Host Adapter, Alliance Gateway, Alliance Web Platform, SWIFT WebAccess, Server Application, InterAct and FileAct flows]

Alliance Gateway provides the following features:
• application concentration
• compatibility for SWIFTNet Link applications
• monitoring and archiving tools
• message flow auditing and statistics
• modularity
• process optimisation
• security certificate concentration

Application concentration
Alliance Gateway acts as a single window to the secure IP network, enabling multiple applications to concentrate their traffic to SWIFTNet over Alliance Gateway. This avoids the need for multiple physical connections to the secure IP network within your organisation. The internal host adapters of Alliance Gateway enable connectivity over a variety of middleware applications.

Compatibility for SWIFTNet Link applications
Messaging traffic of applications built to communicate directly with SWIFTNet Link can be transparently rerouted and concentrated through Alliance Gateway, without the need to make software changes.

Message flow auditing and statistics
For auditing purposes, Alliance Gateway can be configured to make copies of client and server message flows and submit these copies to a separate, custom server application. Additionally, a message traffic statistics report can be generated.

Modularity
The Alliance Gateway system consists of the Alliance Gateway kernel and built-in components (plug-ins). Its modular structure enables you to license only the modules that you require. The following modules can be licensed to provide additional features:

Module | Description
Developers Toolkit | Includes developer documentation and a licence to develop
File Transfer Adapter and File Transfer Integrated | Provides built-in capability to exchange files with your correspondents over SWIFTNet, either integrated or automated. For more information, see the Alliance Gateway File Transfer Interface Guide.
Remote API Host Adapter | Provides support for SWIFTNet Link and Alliance Gateway applications, using the proprietary Remote API middleware. For more information, see the Remote API for Alliance Gateway Operations Guide.
MQ Host Adapter | Provides support for MQ applications. For more information, see the MQ Host Adapter for Alliance Gateway Configuration Guide.

Monitoring and archiving tools
Alliance Gateway activity, such as operators performing tasks with Alliance Gateway Administration, or applications exchanging messages, generates events. Events are logged in the Event Log of Alliance Gateway, according to event templates. It is also possible to log SWIFTNet Link events in the Alliance Gateway Event Log.

Event templates can be configured to send events to the operating system log or to third-party system management software such as Tivoli or HP OpenView. Different archiving tools allow you to control the size of the logs generated by Alliance Gateway. The list of alerts indicates any operational conditions that may require quick action. The licence for File Transfer Adapter provides monitoring capability for file transfers. The Alliance Gateway Administration interface includes a GUI to manage and monitor hardware security modules.

Process optimisation
Alliance Gateway starts a configurable number of SWIFTNet Link processes and manages the SWIFTNet Link security contexts for all applications. This enables one large application to use several SWIFTNet Link processes, and also removes the need for the system to run as many SWIFTNet Link processes as there are applications.

Security profile concentration
Alliance Gateway also enables cost savings by acting as a concentrator of SWIFTNet PKI profiles. Message partners and users for access to SWIFTNet can use SWIFTNet PKI profiles. Alliance Gateway enables you to share a single profile between a number of virtual SWIFTNet users.



Component Groups of the Alliance Gateway Environment

The Alliance Gateway environment consists of the Alliance Gateway software and the applications that interact with Alliance Gateway. The environment can be classified into the following component groups:
• applications
• operator tools
• the Alliance Gateway instance

The Alliance Gateway environment
[Figure: The Alliance Gateway environment. Elements shown: Alliance Gateway Command Tools, Alliance Gateway File Transfer Interface, Process Control, File Transfer Interface, Application Interface, Kernel, Remote API Host Adapter, IBM MQ Host Adapter, Message Dispatcher, Log, SWIFTNet Interface, SWIFTNet Network Adapter, Market Infrastructure Support Interface, Alliance Web Platform Server-Embedded, SWIFTNet Link/Alliance Gateway applications over Remote API, Alliance Gateway applications over IBM MQ, SWIFTNet Link]

The following sections describe these component groups.



Applications

The Application component group contains several types of applications that can be developed to communicate with Alliance Gateway:
• SNL applications: These applications send InterAct or FileAct messages over the Remote API, using the SWIFTNet Link API and protocol as if they were directly connected to SWIFTNet Link.
• Alliance Gateway applications: These applications send either Alliance Gateway Administration primitives or InterAct/FileAct messages over the Remote API, using the Alliance Gateway API. They can benefit from Alliance Gateway features such as relaxed mode and local authentication. Such applications can also send Alliance Gateway administration commands. Copy-to applications can be configured to receive message copies in the copy-to message format.
• Process Control applications: Applications that send messages to the Process Control use a specific API. The Process Control is running all the time, as soon as the bootstrap starts running. The Process Control receives management requests, for example to start or stop Alliance Gateway.
• MQ applications: The same as Alliance Gateway applications, but in this case the IBM MQ middleware facilitates communication with Alliance Gateway. The messages are exchanged through queues belonging to queue managers.
• Alliance Web Platform: A user can use Alliance Web Platform and the Alliance Gateway Administration GUI to communicate with Alliance Gateway.

Administration Tools

Purpose
Administration tools enable operators to manage Alliance Gateway. This section describes the three types of administration tools.

Alliance Gateway GUI application
Alliance Gateway supports the Alliance Gateway Administration GUI, available through Alliance Web Platform. The Alliance Gateway Administration GUI enables you to configure Alliance Gateway and manage the operational aspects of Alliance Gateway, such as:
• start and stop Alliance Gateway
• configure Alliance Gateway
• monitor Alliance Gateway
• manage SWIFTNet users
• export reports on system information

Alliance Gateway command tools
In addition to functionality available through the Alliance Gateway Administration application, Alliance Gateway includes several command-line tools. Two types of Alliance Gateway command-line tools are available to Alliance Gateway operators:
• Local Alliance Gateway commands: These commands are run on the machine that hosts Alliance Gateway. For more information, see Alliance Gateway Commands and Tools on page.
• Remote Alliance Gateway commands: The Remote API for Alliance Gateway Operations Guide describes the commands that can be run remotely.

Note
The local Alliance Gateway commands as described in Alliance Gateway Commands and Tools on page are a superset of what is offered remotely. The remote Alliance Gateway commands are syntactically the same as those offered locally.

Customer-developed tools
If you have a development licence, then you can develop your own tools to customise the management of Alliance Gateway, using the development facilities described in the Alliance Gateway Developer Guide. This document is not available to customers with only a run-time licence.


Alliance Gateway Instances

Definition

An Alliance Gateway instance is a complete installation of the Alliance Gateway software and database. The SAG instance component group consists of two major parts:

• Alliance Gateway interfaces
• kernel entities

Alliance Gateway interfaces

The following interfaces are present within an Alliance Gateway instance:

• Application Interface: used by client and server applications to transmit messages through Alliance Gateway. AI components include:
  - Remote API Host Adapter: manages the messages sent to and received from applications running over the Remote API.
  - MQ Host Adapter: manages the messages sent to and received from applications running over IBM MQ middleware.

• SWIFTNet Interface: treats all incoming and outgoing SWIFTNet Link messages from and to the secure IP network (SIPN). The SWIFTNet Interface controls and manages the SWIFTNet Link security per application (security profiles and SWIFTNet users). For server applications, the SWIFTNet Interface also manages the routing of the incoming messages by means of the Alliance Gateway endpoints. Includes the SWIFTNet Network Adapter, a major component of the SWIFTNet Interface.

• File Transfer Interface: comprises the File Transfer Adapter and File Transfer Integrated.

  Note

  The presence of the File Transfer Interface in a given Alliance Gateway instance depends on your licensing scheme. To license and install File Transfer Interface, see "Licensing" in the Alliance Gateway Installation Guide for AIX, Linux, Oracle Solaris, or Windows.

• MI Channel Support Interface: enables users to configure data for an MI Channel-based solution. The MI Channel Support Interface only applies to customers who are accessing a market infrastructure service where MI Channel connectivity is available. For information about related configuration activities, see MI Channel Support Interface on page

Alliance Gateway kernel entities

Within an Alliance Gateway instance, the following kernel entities play a major role:




• Workflow Engine: manages the message flow and routing through Alliance Gateway, using the Message Dispatcher.

• Process Control: enables you to control the operational aspects of Alliance Gateway and its subsystems, such as starting and stopping Alliance Gateway, as well as running commands, for example to back up data or verify the integrity of software.

• Log: handles the Event Log.


Configuring Alliance Gateway Interfaces

Introduction

Various interfaces within Alliance Gateway are responsible for controlling the processing of messages. The design of Alliance Gateway enables it to support one or more applications, each of which may have different processing requirements. When considering Alliance Gateway configuration, it is helpful to think about the interfaces that it includes, and how these interfaces contribute to message processing. Each interface uses and manages several entities as illustrated in the following diagram. The following interfaces are available within Alliance Gateway:

• the Application Interface
• the File Transfer Interface
• the SWIFTNet Interface
• the MI Channel Support Interface

The MI Channel Support Interface only applies to customers who are accessing a market infrastructure service where MI Channel connectivity is available. For information about related configuration activities, see MI Channel Support Interface on page

This diagram shows all interfaces and the entities within that require configuration:

[Diagram: Alliance Gateway, with the Application Interface (Message Partners, WebSphere MQ, Web Services, Connection Profile, Configuration Settings) facing the Business Application/Message side over the Remote API; the File Transfer Interface (Profiles); and the SWIFTNet Interface (SWIFTNet Users, Endpoints) facing the secure IP network]


Application Interface

The Application Interface controls direct communication between a business application and Alliance Gateway. Messages reach the Application Interface by means of the host adapter that the application uses to exchange messages with Alliance Gateway. Within the Application Interface, a message partner represents each application. Message partner configuration details determine how messages are processed within Alliance Gateway. For configuration information, see Application Interface on page

File Transfer Interface

The File Transfer Interface offers two approaches for sending and receiving files: File Transfer Integrated and File Transfer Adapter. File Transfer Integrated offers a command-based approach to send and receive files, while File Transfer Adapter offers an automated way to exchange files. The configuration for File Transfer Adapter consists of specifying profiles containing all the details necessary for automated file transfer. Different types of profiles exist, depending on the customer environment. File Transfer Adapter may include emission, reception, security, and queue profiles. For File Transfer Integrated, security profiles must be configured. For more information, see the Alliance Gateway File Transfer Interface Guide.

SWIFTNet Interface

The SWIFTNet Interface controls communication between Alliance Gateway and SWIFTNet Link. The SWIFTNet Interface handles all messages to and from the Application Interface, the File Transfer Interface and SWIFTNet. The SWIFTNet Interface also manages the security processing based on the Public Key Infrastructure (PKI) implemented by SWIFTNet. For general information, see the SWIFTNet PKI Certificate Administration Guide.

Security profiles and SWIFTNet users

Two types of data configuration are important to consider in the SWIFTNet Interface: security profiles and SWIFTNet users. A user of a PKI profile is called a SWIFTNet user. Alliance Gateway enables multiple users to concentrate the usage of a single PKI profile; these users are called virtual SWIFTNet users. As of Alliance Gateway , personal HSM certificates are additionally supported. For more information about personal HSM certificates, see SWIFTNet Certificates on page and the SWIFTNet PKI Certificate Administration Guide. The applications that exchange messages with Alliance Gateway must reference a security Distinguished Name (DN) for authentication, signature, or encryption. Such DNs must be referenced as SWIFTNet users. For details about security profiles and SWIFTNet users, see SWIFTNet Users on page and the Alliance Gateway Security Guide.

Endpoints

For server applications, the SWIFTNet Interface processing relies on endpoint routing criteria to determine where to send request messages received from the secure IP network (SIPN). For information about endpoints, see Routing on page


MI Channel Support Interface

The MI Channel Support Interface enables customers using an MI Channel-based solution to define and store configuration data for MI Channel in Alliance Gateway. The related message flow instances can also be managed from Alliance Gateway. The MI Channel Support Interface menus and functions are only available after activating MI Channel Support in Alliance Gateway. For more information, see MI Channel Support Interface on page

Creating and Managing Alliance Gateway Entities

Overview

The following process describes how to create and manage various Alliance Gateway entities. This process is intended as a guide and may vary depending on your requirements.

Alliance Gateway administration process

1. Define operators

When you install Alliance Gateway, an operator called Administrator is created with full operating profile functions. The Administrator operator can create operating profiles and assign them to Alliance Gateway operators. Creating an Alliance Gateway operator may involve defining:

• units
• operating profiles
• operator details

For more information, see User Management on page

2. Define virtual SWIFTNet users

To enable the sharing of the PKI certificates, Alliance Gateway allows several virtual SWIFTNet users to share the same PKI certificate. Each virtual SWIFTNet user is identified by its name and has its own password. To define a virtual SWIFTNet user, you must:

• define the virtual SWIFTNet user details
• assign a PKI certificate to the virtual SWIFTNet user

For more information, see SWIFTNet Users on page

Important

Defining a virtual SWIFTNet user is not equivalent to registering a new user node in SWIFT.

3. Define message partners and MQ connections

Each application message partner that exchanges information with Alliance Gateway through the Application Interface must have a corresponding message partner profile. For all message partners, you must specify the list of supported message formats. For more information, see Application Interface on page


In addition, message partners for applications using IBM MQ to connect to Alliance Gateway must have a corresponding MQ connection. For more information, see Configure Alliance Gateway for IBM MQ on page and the MQ Host Adapter for Alliance Gateway Configuration Guide.

4. Define endpoints

Endpoints enable you to define message routing criteria for server applications. For more information, see Routing on page

5. Set configuration parameters

The configuration parameters for Alliance Gateway components are defined when the Alliance Gateway software is licensed. You can modify the value of some parameters to influence the behaviour of your Alliance Gateway system in specific areas. For more information, see Configuration Parameters on page

6. Manage Hardware Security Module (HSM) devices

Alliance Gateway allows you to manage and monitor the HSM devices that are available for an Alliance Gateway instance.

7. Monitor Alliance Gateway

Alliance Gateway allows you to:

• search for events generated by the activity of the Alliance Gateway components
• specify which events must be logged
• customise event storage
• archive events
• monitor alerts to help you identify the location of a problem

For more information about configuring the Alliance Gateway Event Log, see Event Log on page. To search for events, see Event Log on page. For more information about alerts, see Alerts on page

8. Set up profiles for file transfer (if you are licensed for File Transfer Adapter)

To use File Transfer Adapter, you must define:

• emission profiles
• reception profiles
• security profiles
• queue profiles

For more information, see File Transfer on page and the Alliance Gateway File Transfer Interface Guide.

9. Monitor file transfers (if you are licensed for File Transfer Adapter)

The File Transfer Adapter licence option allows you to monitor your queues and file transfers, and to archive file transfer information. For more information, see Monitoring on page and the Alliance Gateway File Transfer Interface Guide.


Enabled and Disabled Entities

Why disable entities?

Within Alliance Gateway, certain entities can be either enabled or disabled to improve operational control. When such entities are created, they are by default disabled, and must be enabled to be used. Having new entities disabled by default allows implementing the 4-eyes principle: one operator creates the entity while a second operator must enable it. There are two major reasons for disabling entities:

• Modifications: Alliance Gateway does not allow you to modify an enabled entity. Therefore, you must first disable an entity before updating it.

  Note

  There is one exception: an MI Channel message flow instance can be modified while it is enabled. MI Channel only applies to customers who are accessing a market infrastructure service where MI Channel connectivity is available.

  Similarly, you must disable an entity before you can delete it. Disabling entities can be quite useful for maintenance purposes. For example, you can disable operators when modifying their assigned operating profile functions, and thus prevent an unexpected change to the tasks that they are allowed to perform.

• Message traffic control: Preventing message traffic can also be useful. A disabled entity cannot participate in the flow of message traffic within Alliance Gateway. For example, you can set up a message partner and leave it disabled until you are ready to use it when preparing to test a new application.

Which entities can be disabled, and what are the effects?

The following table lists the entities that can be disabled, and explains the effects of disabling the entity:

| Entity | Effect of disabling |
|---|---|
| Authentication server | No authentication requests can be submitted. |
| Emission profile | An ongoing file transfer continues if the related emission profile is disabled. If it does not succeed, then it is not retried until the emission profile is enabled again. File Transfer Adapter no longer scans the emission directory of the disabled emission profile. File transfers not yet initiated are ignored: they are initiated when the profile is enabled. |
| Endpoint | If a request matches the routing criteria of a disabled endpoint, then no further criteria checking occurs. Alliance Gateway immediately returns an error to the sending application and does not forward the request to the server application. |
| MI Channel message flow instance | The message flow passing through SWIFTNet Link is interrupted. |
| Message partner (client side) | The client application sending the request message receives an error. Responses to messages already in transit are returned to the application even if the message partner was disabled immediately after sending the request. |
| Message partner (server side) | The server application cannot receive new request messages: the originating client application subsequently receives an error (instead of a response). The server application can still send response messages to the requests received before the message partner was disabled. |
| MQ connection | MQ Host Adapter is disconnected from the local queue manager associated with the disabled MQ connection profile. All MQ Host Adapter resources handling the disabled connections are properly closed and freed. If a message is sent to a disabled connection (server request), then MQ Host Adapter rejects the message, sends an error back, and logs an event. If an application sends a message to MQ Host Adapter (client request or server response), then the message stays in the corresponding MQ queue. It is picked up by MQ Host Adapter when the connection is enabled again (if the message did not expire in the meantime). |
| Operating profile | The operating profile is not available. Operators with this operating profile cannot log in. Logged operators with that operating profile are forcibly logged out. |
| Operator | The operator cannot log in. The operator cannot perform any operations. Logged operators are forcibly logged out. |
| Queue profile (store-and-forward transfer) | The store-and-forward queue is automatically released. An ongoing file transfer fails. If the queue profile is subsequently enabled and the queue is acquired, then a new NotifyFileRequest message is received for a file transfer that failed, unless the file expired in the queue in the meantime. |
| Reception profile | File Transfer Adapter uses reception profiles when the LTA-PutInit command returns code 2. An ongoing file transfer continues if the related reception profile is disabled. File Transfer Adapter does not accept new file transfers from the Requestor DN in the reception profile. |
| SWIFTNet user | Only virtual SWIFTNet users can be disabled. The virtual SWIFTNet user cannot log in or create a security context. The virtual SWIFTNet user cannot perform any operations. Logged in SWIFTNet users are forcibly logged out. |



Configuration Parameters

Concept

The behaviour of the Alliance Gateway system can be customised to your company's needs, mainly through the use of configuration parameters. Two types of configuration parameters exist: operational configuration parameters and security configuration parameters.

Configuration parameters reference table

The following table explains which group a particular type of configuration parameter belongs to and where you can find more information.

| Type | Group | Reference |
|---|---|---|
| Operational configuration parameters | operational | Configuration on page 33 |
| Security configuration parameters | security | "Security Configuration Parameters" in the Alliance Gateway Security Guide |
| MQ Host Adapter configuration parameters | operational | "Configuring the MQ Host Adapter Plug-in" in the MQ Host Adapter for Alliance Gateway Configuration Guide |
| File Transfer Interface configuration parameters | operational | "Configuration Parameters" in the Alliance Gateway File Transfer Interface Guide |

Operating profile functions

Your operating profile determines the level of access to the configuration parameters.

| If you want to | Then your operating profile must have |
|---|---|
| view all operational configuration parameters | View List of Configuration Parameters |
| view all operational and security configuration parameters | View List of Configuration Parameters and Manage Security Configuration Parameters |
| view all operational configuration parameters and their details | View Configuration Parameter Details |
| view all operational and security configuration parameters and their details | View Configuration Parameter Details and Manage Security Configuration Parameters |
| modify operational configuration parameters | Update a Configuration Parameter |
| modify operational and security configuration parameters | Update a Configuration Parameter and Manage Security Configuration Parameters |

Daily Operations and Housekeeping

To keep your Alliance Gateway system in good order, perform the following tasks on a regular basis:

| Task | Description and reference |
|---|---|
| Start and stop Alliance Gateway as required | See Alliance Gateway Instance on page |
| Use the Alliance Gateway Administration GUI to operate Alliance Gateway | See The Alliance Gateway Administration GUI on page 27 for an overview |
| Use commands to operate Alliance Gateway | See Alliance Gateway Commands and Tools on page |
| Monitor your system | Alliance Gateway logs configuration and operation events. You must verify that abnormal events do not occur in Alliance Gateway or on your system. For example, verify that all entities created are expected, and that there are no failed login attempts, which may indicate a security attack. In addition, if Alliance Gateway has problems, these events are logged and therefore must be regularly verified in the Event Log. See Event Log on page. If, for any reason, the Event Log is not accessible, then some events may be logged in the OS event log. It is advised to check this event log as well in case of problems. Beginning with Alliance Gateway , alerts are generated to proactively inform you about operational conditions that may require quick action. For more information, see Alerts on page |
| Perform regular archives | To archive the Event Log using the Alliance Gateway Administration GUI, see Event Log Search on page. For information about the sag_system --archive command, see Archive the Alliance Gateway Event Log on page |
| Perform regular database backups | See Back Up the Alliance Gateway Database on page |


3

Logging in to Alliance Gateway Administration

Logging in to Alliance Gateway Administration

The Alliance Gateway Administration workspace displays the Welcome page by default when a user logs in. Alliance Web Platform Server-Embedded uses a single sign-on authentication process that allows you to enter one user name and password in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session. When logged in to Alliance Gateway Administration hosted on Alliance Web Platform Server-Embedded, you can open a new browser window or tab (depending on browser configuration) by using the browser's embedded options within a single session.

Before you begin

To log in to the Alliance Gateway Administration on Alliance Web Platform Server-Embedded, you need the following:

• A valid URL for Alliance Gateway Administration. The administrator of Alliance Web Platform Server-Embedded provides this information. This is the default URL:

  https://<host>[:<port>]/swp/group/sagadmin

  Where:
  - <host> is the Alliance Web Platform Server-Embedded host name
  - <port> indicates the port number (optional). It is not necessary to specify a value for <port> if the default port for HTTPS is used. On Windows, the default port number is On UNIX or Linux, the default port number is
  - swp refers to Alliance Web Platform Server-Embedded
  - group/sagadmin refers to Alliance Gateway Administration

• User name and password. You must have a user name and a password that correspond to your operator definition. The administrator of your Alliance Gateway server provides this information.

To optimally display the information in Alliance Gateway Administration pages, set your screen resolution to by pixels or higher. Do not use the zoom functionality of the browser. The layout of Alliance Gateway Administration labels can be incorrect when the display value of the browser is not set at percent.

Procedure

1. Start your browser.

2. Perform one of these actions to provide the URL for Alliance Gateway Administration, as applicable:




• Type the URL in the address bar of your browser and press ENTER.
• Select the URL from your list of saved links, for example, from Favourites or Bookmarks.
• Select the URL from the list of previously visited addresses.

The browser displays the Alliance Gateway Administration login page.

3. Enter your User Name and Password. Both are case sensitive. If you are using your password for the first time, then you must enter an eighteen-character password received from the administrator of your Alliance Gateway. When you click Login, you are prompted to change it. See Changing Your Password on page 25 for details. This is not applicable if the authentication method used for your operator definition is either One-time Password or LDAP.

4. If your operator definition has been configured to use Two-Factor Authentication, select the Use Two-factor Authentication check box and enter your Two-factor Authentication Code. If this is your first log on, or your password has been reset, you will need to 'enroll'. See Configure Two-Factor Authentication on page 23 and Embedded Two-Factor Authentication on page

5. If multiple Alliance Gateway instances have been configured for the Alliance Web Platform Server-Embedded host, then select the applicable instance from the Alliance Server Instance drop-down list.

6. Click Login.

Tip

If you experience problems logging in, then delete the Browsing history files. You can delete these files from the Tools menu or Options window. The exact location depends on your browser type and release.

After you have successfully logged in, the following screen appears. The Welcome page shows a list of shortcuts to tasks that are also available through the menus in the navigation area. The list of tasks available depends on your operator profile and the application group. The Alliance Web Platform administrator configures an application group through the GUI application.

Tip


If you have enabled the single sign-on option, when you log out of any browser tab or window, then the system will log you out from all the other remaining browser tabs or windows.


Session Management for Alliance Gateway Administration GUI

Manage your Alliance Gateway session with the menu options and controls in the upper right corner of the navigation area, as follows.

Alliance Server Instance: This menu provides the following:

• The Instance ID and user (for example, Administrator)
• Make a new connection. Click to open the Alliance Gateway Administration login page. This will include Active Connections. Use Active Connections to Open an instance, Logout from a specific instance, or Logout from all instances.

User: This menu provides the following:

• Change Password (see Changing Your Password on page 25)
• Session Info. Click Session Info to open a pop-up that provides the UUID of the SAG instance and Web Platform instance.
• Logout: Logout from the current session.

Help: Display the online help.

Configure Two-Factor Authentication

Two-factor authentication uses a temporary passcode to strengthen the authentication process when you log in to an application. If your operator definition has been configured to use Two-Factor Authentication, then you must configure two-factor authentication in the following situations:

• the first time that you log in
• after your password is reset
• if you change the device or application used to generate your time-based one-time password

Before you begin

The configuration can only be undertaken if you have been set up to use the Password and TOTP method.


You must have an authenticator mobile phone application or other software or hardware authenticator tool to generate the time-based one-time password.

Procedure

1. Enter your username and password (and Instance name, if applicable), and click Login.

Note

For configuration itself, the "Use Two-factor Authentication" check box should not be selected.

2. Once your username and password have been verified, a secret key from Alliance Gateway is displayed.

3. Either scan the barcode with an authenticator mobile phone application or other software or hardware authenticator tool, or enter the string on the device manually.

Important

Scan or save the key as quickly as possible. Do not leave it displayed on your screen so that others can observe it.

4. Enter the code generated from your authentication device in the configuration screen, and click Continue.

5. Alliance Gateway validates the credentials (username, password, and authentication code). If validation is successful, you are logged on.


If not, you can repeat the step with another authentication code. If you quit without entering the authentication code, then you can set up two-factor authentication the next time you log in (you will receive a new secret).



Embedded Two-Factor Authentication

Two-Factor Authentication (2FA) is a method of user authentication where at least two different components are required to authenticate a user. Typically, this is something you know (username/password) and something you have (for example, a one-time-password generator). In addition to the RADIUS one-time password method, Alliance Gateway provides a secure 2FA setup using an off-the-shelf application that can be installed on a separate device, such as a mobile phone or tablet. Two-Factor Authentication using LDAP can be achieved by enabling a feature or plug-in for the LDAP server that provides Time-based one-time Password (TOTP) or One-time Password (OTP) in addition to the fixed password. As with the LDAP and RADIUS solution, SWIFT does not recommend a specific vendor of client Time-based one-time Password (TOTP) solutions. The solution selected for the TOTP second factor must be able to generate passwords of (at least) 8 digits, support SHA, and accept an activation code, either by scanning the bar code or by typing the code manually.

Time-based one-time passwords

Time-based one-time passwords (TOTP) are temporary passcodes, generated by an algorithm for use in authenticating access to computer systems. The algorithm that generates each password uses the current time of day as one of its factors, ensuring that each password is unique. With two-factor authentication, the user must enter the Alliance Gateway username and password and the TOTP code to gain access.



Changing Your Password

Operators with the authentication type Password are requested to change their password when logging in, in the following situations:

• at the first login with a new operator password
• when the password has expired
• if the password was reset on the Alliance server

The frequency with which you have to change your password depends on the security configuration parameters set on the Alliance server. You can also change your password on demand. For password requirements, check with the security officers of your Alliance server. The possible maximum length of the password is characters. The minimum length is set by your organization's security policy.

Procedure

1. If you want to change your password on demand, then click the User: menu in the upper right corner of the navigation area. The Change Password and Session Info menu options are displayed.


2. Click the Change Password menu option. The Change Password dialog box appears.

3. Type your current password in the Old Password field. Then type your new password in the New Password and Password Verification fields.

4. Click Change Password. The password is changed.


4

The Alliance Gateway Administration GUI

The Alliance Gateway Administration GUI The Alliance Gateway Administration GUI displays the home page by default when a user logs in.



Online Help

All pages within Alliance Gateway Administration contain the Help link in the upper-right corner of the navigation area of the GUI. Clicking the Help link displays the online help that corresponds to the page or entity that is currently selected. It also enables you to navigate to other topics within the online help.

Help for entering values in fields
Alliance Gateway Administration provides tools to help you enter values with the correct syntax, for example, how to select and enter dates or times. For more information, see User Assistance in the Online Help, available after login.

Behaviour
If you click the Help link, then the corresponding help file opens in a new window. The system opens the help file at the content that corresponds to the page or entity that is currently selected. You can use the navigational links that are available in the help window to show other topics from within the online help. The page from which you click the Help link determines the topics that the system shows:
• If you click the Help link on a page within Alliance Gateway Administration, then the system opens the Alliance Gateway Administration online help.

Tips and Tricks for Using Alliance Gateway Administration

Click the logo at any time to return to the home page.

Changing page size and possible impact
You can use the Change View function to set the value for Page Size, which changes the maximum number of rows that the list shows at a time. You can use the Change View function to change the column width, and to show or hide columns, if it is applicable for the current list. It is also possible to drag and drop items to re-order them.

Note: The default and recommended value is Using a higher value may have an impact on the performance of Alliance Gateway Administration. The more messages that you ask to be displayed on a page, the longer it takes to receive the page in your browser. Changing the Page Size value must be done with care.

Data input or modification in a form

Selection lists
Some pages and windows in Alliance Gateway Administration display a list that enables you to select one or more values for a field. To select a group of values that are not sequential, click a value and then hold down the CTRL key and click the other values.



Wildcards for Searching or Filtering

Where the functionality is available, you can use criteria to search or to filter the list for the current page for a specific set of information.

Criteria
This is the behaviour for the search or filtering operation:
• If you do not specify a value for a criterion, then the system does not take that criterion into account.
• If you specify values for more than one criterion, then the system uses an AND relationship to evaluate these criteria.

Wildcards
Some of the search criteria and the filtering criteria fields allow you to use these wildcards:

Wildcard         Purpose                                                   Example
% (percent)      Replaces one or more contiguous unknown characters        a%a matches, for example, the strings aba, afedpa and azhgjdhsa
                 in a string
_ (underscore)   Replaces one unknown character in a string                aa_a matches, for example, the strings aa1a and aaGa
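As an added example (not from the guide), the following Python shows how the two wildcards and the AND rule above combine: each pattern becomes an anchored regular expression, every other character is escaped so that regex metacharacters in a user's input match literally, and several criteria are applied together while empty ones are ignored. It follows the guide's wording that % stands for one or more characters; note that SQL LIKE, which these wildcards resemble, lets % match zero characters, so a value such as aa would match a%a in a LIKE query but not here. The sample rows are constructed for the example.

```python
import re
from typing import Dict, List


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Alliance Gateway search pattern into an anchored regular expression.

    '%' stands for one or more characters and '_' for exactly one, as the guide describes.
    Every other character is escaped so it can only match itself.
    """
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".+")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def matches(pattern: str, value: str) -> bool:
    """True when the whole value matches the wildcard pattern."""
    return wildcard_to_regex(pattern).fullmatch(value) is not None


def filter_rows(rows: List[Dict[str, str]], criteria: Dict[str, str]) -> List[Dict[str, str]]:
    """Apply several criteria with AND semantics; a criterion with no value is ignored."""
    active = {name: wildcard_to_regex(value) for name, value in criteria.items() if value}
    return [
        row for row in rows
        if all(rx.fullmatch(str(row.get(name, ""))) for name, rx in active.items())
    ]


# Constructed sample rows shaped like the Parameters list; not data taken from the guide.
SAMPLE_ROWS = [
    {"Component": "Event Logger", "Name": "SNMP Heartbeat Interval", "Value": "0"},
    {"Component": "Event Logger", "Name": "SNMP Max Event Size", "Value": "0"},
    {"Component": "System", "Name": "Startup Mode", "Value": "Manual"},
    {"Component": "System", "Name": "Shutdown on Database Tampering Detection", "Value": "Yes"},
]

if __name__ == "__main__":
    for row in filter_rows(SAMPLE_ROWS, {"Component": "Event%", "Name": "SNMP%"}):
        print(row["Component"], "|", row["Name"], "|", row["Value"])
```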

Change your List View

The Change View function changes the layout of the list for the current page or window. You can use the Change View function to do the following:
• specify the maximum number of rows that the list shows at a time (page size)
• show or hide columns
• change the order of the columns
• save changes to column widths
• reset a list to the default layout, including column width
• reset a list to the default layout, except for column width changes


Procedure
1. If you want to increase or decrease the width of a column in the list, then move the mouse pointer over the right-side edge of the column header, then click and drag.
2. Repeat the previous step for the other columns in the list, as necessary.
3. Click Change View. The Change View window opens.
4. Use these methods to change the list layout, as necessary:
   • Select or clear the check box for a column to show or hide it.
   • Click the name of a column and use the up or down arrow to change its position in the list. Alternatively, you can drag and drop the column names to reorder them.
5. If you made any changes to the column widths in the current list, then select or clear the Save Column Widths check box, as necessary. If you select the Save Column Widths check box, then the system saves the changes to the column widths and retains them in subsequent sessions. If you clear the Save Column Widths check box, then the system discards the changes to the column widths when the current session ends.
6. Type the number of rows for the list to show at a time into the Page Size field, if it is available. The value must be between 10 and The default and recommended value is
   Note: Using a higher value may have an impact on the performance of the GUI. The more messages that you ask to be displayed on a page, the longer it takes to receive the page in your browser. Changing the Page Size value must be done with care.
7. Click OK. The Change View window closes and the list layout changes accordingly. The system also saves any changes to the column widths, if the Save Column Widths check box is selected.



Reset list layout

Procedure
1. Click Change View. The Change View window opens.
2. If you made any changes to the column widths in the current list, then select or clear the Save Column Widths check box, as necessary. If you select the Save Column Widths check box, then the system saves the changes to the column widths and retains them in subsequent sessions. If you clear the Save Column Widths check box, then the system discards the changes to the column widths when the current session ends.
3. Click Reset and then click OK.


The Change View window closes and the system restores the original layout of the list:
• the default page size
• the original set of columns in the original sequence
• the original column widths (if the Save Column Widths check box is cleared)

Choose File

This function enables you to select a file from the user space.

Procedure
1. Click the button next to the corresponding field.
2. Navigate to the parent folder or file that you require.
3. Select the file that you require.
4. Click OK. The Choose File window closes and the file name populates the corresponding field.



Print a Report Directly from the GUI

To print a report directly from an Alliance Gateway GUI, click Print. The behaviour is similar to that of the Export function of the same GUI, with the following differences:
• The output format is always HTML.
• For font size, you can choose either small, medium, or large.
• The Page Orientation and Page Format options do not apply.
• If you select the All check box for a list, all of the entities displayed on the search page are displayed. In the Print window, Print Range is set to Selected items.
• If you select nothing in a list, all of the entities matching the criteria across all results (that is, not limited to the results on the page) are selected. In the Print window, Print Range is set to All items.
• If you select a subset of the entities in the list, only those entities are selected for printing. In the Print window, the Print Range is set to Selected items. However, you can change the selection to All items, which causes all of the entities matching the filters to be printed.
• When the output HTML page is opened in a new tab, the browser print menu is automatically displayed.

Print

The Print function allows you to print the current page or window. You can use the Print function to do the following:
• Print a range of all items or selected items on a page
• Specify a print type of Summary or Details
• Select a font size for the output
• Choose the columns to print
• Designate a content header/footer and search criteria

To print information in the current page or window:
1. Select Print to open a dialog with print settings.
2. Select the appropriate print settings and click OK to print.

Export

The Export function allows you to export the content of a window. This includes the following:
• Export Range
• Export Type
• Output Format
• Page Orientation
• Page Format (A4, US Letter, US Legal)
• Font Size (Small, Medium, Large)
• Add page break (only for Output Format: PDF and Export Type: Detailed)
• Columns (using an "Available" / "Selected" list)
• Sort Order (if offered by the application)
• Content (Header/Footer, Search Criteria)

The output formats provided include:
• PDF
• TXT
• CSV (comma separated values)
• XLS (Excel compliant)

Procedure
1. Select Export in the window.
2. Select the appropriate export settings and click OK to export.

Report Types and Settings

Purpose
The function enables you to run a report about information in the database, and is available:
• in the search or filtering criteria area of a page
• in the button bar of a list
• in the bottom button bar of a page or a window

Output
You can use the function to produce these types of reports:
• Summary report: Available only from pages that contain lists of entities, this report type enables you to include the information from one or more columns on the page for every entity included in the report.
• Details report: This report type includes all details for every entity included in the report. You can only choose the output format and formatting options.

If available in the search or filtering criteria area of a page, then the corresponding report includes all the entities that the current search or filtering criteria return. In the Export window, checking the "Search Criteria" box will include the current values for search or filtering criteria in the report.

Run a Report (Export)

The Export function enables you to run a report about information in the database.

Procedure
1. If applicable, select the entities in the list that you want to include in the report.
2. Click Export. The Export window opens.
3. If applicable, select the export type.
4. Select the options that you require for the output format and formatting.
5. For summary reports, you can choose the columns for which details should be included in the report from the Available list.
6. Click OK. The File Download window opens and prompts you to open or save the report file.
7. If necessary, click Open to open the report or Save to save the report, as you require.

To open the report, you must have a tool installed that reads the corresponding file format: PDF, CSV (only for summary reports), TXT, or XLS. The system opens or saves the report accordingly.


5 Configuration

Configuration Overview

The Configuration application of Alliance Gateway Administration enables you to manage the configuration of the available Alliance Gateway entities. The nodes present in Alliance Gateway Administration provide access to the configuration parameters for the corresponding entities. The licence options of the Alliance Gateway instance and the operating profile of the current operator determine which entity types are available.

Alliance Gateway
The Alliance Gateway node contains these entity nodes:
• Licensing Configuration (see Licensing Configuration on page 33)
• Parameters (see Parameters on page 36)
• User Management (see User Management on page 43)
• Event Log (see Event Log on page 93)
• Application Interface (see Application Interface on page )
• SWIFTNet Interface (see SWIFTNet Interface on page )
• MI Channel Support Interface (see MI Channel Support Interface Configuration Parameters on page )
• File Transfer (see File Transfer on page )
• Routing (see Routing on page )

Clicking an entity node opens the corresponding entity page.



Licensing Configuration

Description
The Licensing Configuration page enables you to license or relicense an Alliance Gateway instance. Use either of these methods to enter the licence information:
• Upload a licence file. Procedure: Upload a Licence File on page 35
• Manually enter the values based on licensing details from SWIFT. Procedure: Change Values on page 42

When relicensing an Alliance Gateway instance, the following rules apply:
• Before removing a licence option, you must stop Alliance Gateway.
• When adding a licence option, you do not have to stop Alliance Gateway. However, the licensing change takes effect only after you restart Alliance Gateway.
• Alliance Gateway Administration checks operating profile functions only when an operator logs in. Therefore, operators must log out and log in again to align the operating profile functions with the changed components.


Display

Details

Field: Components
Description: In the Available list, the list of components available. In the Selected list, the components that you assign to the server.

Field: Destinations
Description: Determines the possible destinations (BIC) for SWIFTNet messaging. One destination per line. Maximum eight characters per destination. The system converts lowercase alphabetic characters to uppercase.

Field: Hardware Platform
Description: Specifies the hardware platform that the Alliance Gateway instance runs on.

Field: Concurrent Users
Description: Determines the maximum number of concurrent user connections. This configuration parameter determines the possible number of concurrent SWIFTNet user connections to Alliance Gateway. The value of this configuration parameter relates to the cumulative number of connections to Alliance Gateway through Alliance Web Platform. The total number of concurrent connections must not exceed the number that the licence agreement that you have with SWIFT specifies. The licence options USERS 1 through USERS determine the total number of concurrent connections permissible. The default value is equal to the value of the USERS licence option. You must restart Alliance Gateway for changes to this parameter to take effect.

Field: Bandwidth
Description: Determines the bandwidth available.

Functions

Function: Upload Licence File
Description: Uploads a licence file. Procedure: Upload a Licence File on page 35
Availability: Edit (x)

Modify licence information
To change the Licensing Configuration values, see Manage Configuration Parameters on page

Related information
Licensing on page



Upload a Licence File

Procedure
1. Click Upload Licence File. The Upload Licence File window opens.
2. Click Browse. The Choose file window opens.
3. Browse the file system and locate the licence file to use. Select the licence file and click Open. The Choose file window closes and the path name of the selected file appears in the Licence File field of the Upload Licence File window.
4. Click OK. The Upload Licence File window closes and the content of the uploaded licence file populates the fields of the Licensing Configuration page.
5. Click Save. The Initialisation Passwords window opens.
6. Select the Show Clear Text check box to show the passwords as typed, if necessary.
7. Enter the value for the Left Initialisation Password.
8. Enter the value for the Right Initialisation Password.
9. Click OK. The Initialisation Passwords window closes. The system checks the licence details and the passwords provided and informs you if the licensing is successful. If licensing is successful, then the system instructs you to log out of Alliance Gateway Administration and then log in again to refresh your operating profile functions.



Parameters

The Parameters application enables you to view and modify configuration parameters that control the general behaviour of the Alliance Gateway instance.

By default, parameters are listed in alphabetical order by component. View parameters by selecting a specific component from the Component drop-down and clicking the Submit button. To view or edit a parameter, click the entry in the Parameters list to open a Parameter Details pop-up. To change or reset the value of a configuration parameter, follow the corresponding procedure in Manage Configuration Parameters on page


Functions and details

Function/detail        Description
Filtering Criteria     View parameters by selecting a specific component from the Component drop-down and clicking the Submit button.
Clear                  Resets the Component drop-down.
Submit                 Displays parameters for the selection in the Component drop-down.
Change View            Allows you to select what is displayed in the Parameters list.
Component              Name of the component in Alliance Gateway. For example, Event Logger.
Name                   The name of the parameter. For example, System Log Format.
Value                  The parameter value. For example, Original.
Export                 See Export on page
Print                  See Print on page

Event Logger
Details on Event Logger parameters are available as follows:
• Archive related parameters in Configure Event Archiving on page
• System Log Configuration in Event Structure on page
• SNMP parameters in:
  - SNMP Server Addresses on page 38
  - SNMP Max Event Size on page 38
  - SNMP Heartbeat Interval on page 37

SNMP Heartbeat Interval

Parameter definition
The SNMP Heartbeat Interval configuration parameter determines the interval (in seconds) between the SNMP heartbeats sent by Alliance Gateway to a local alert agent. The heartbeat is sent to any IP address, or host name, and port as defined for the SNMP Manager. For more information, see SNMP Server Addresses on page . Possible values are:
• 0 (no heartbeat is sent)
• a value of to

For changes to this parameter to take effect, you must restart Alliance Gateway.

Default value
The default value is 0.


For more information about SNMP heartbeats, see SNMP Heartbeat on page

SNMP Max Event Size

Parameter definition
The SNMP Max Event Size configuration parameter determines whether the system truncates the event information to a maximum SNMP trap field size:
• If set to 0, then no truncation occurs.
• If set to a value of 80 to , then the system truncates the event information to the corresponding size in bytes, as applicable.

Default value
The default value is 0. For more information, see Event Structure on page

SNMP Server Addresses

Parameter definition
The SNMP Server Addresses configuration parameter determines the addresses on which the SNMP Manager listens for events. You must specify the addresses as pairs of values for IP address, or host name, and port number. You may specify an SNMP community string, the value that the receiving router or other device uses to accept the traps. In the Community Name field, enter a value of maximum 64 US-ASCII printable characters, except ", : and \. If no value is provided, then the SNMP community name is set to "public". SNMP version 1 is supported. Because SNMPv1 carries the community string in clear text and provides no further authentication or encryption, do not rely on the community name as a secret: replace the default "public" with a value that is not guessable, and restrict the network path between Alliance Gateway and the SNMP Manager so that the event stream cannot be read or spoofed by other hosts. For changes to the SNMP Server Addresses configuration parameter to take effect, you must restart Alliance Gateway and the Alliance Gateway bootstrap.

Default value
The default value is empty. For more information, see Event Structure on page



File Transfer Interface
See File Transfer Configuration Parameters on page

SWIFTNet Interface
Details on SWIFTNet Interface parameters are available as follows:
• Operator System Configuration Parameters for SWIFTNet Users on page
• SWIFTNet Users on page
• SWIFTNet Interface Configuration on page
• Hardware Security Modules on page
• SNNA Subsystem Management on page
• Event Log Configuration Parameters on page
• Manage Message Partners on page


System
Details on System parameters are available as follows:
• Manage Authentication Server Groups on page 49
• Operator System Configuration Parameters for SWIFTNet Users on page
• Operators on page 86 (for Disable Period)
• Activate Alert Monitoring on page 39
• Enable Requires Additional Operator on page 39
• Ignore Deactivated Subsystems on page 40
• Instance Name on page 40
• Release Level on page 40
• Shutdown on Database Tampering Detection on page 41

Activate Alert Monitoring

Parameter definition
The Activate Alert Monitoring configuration parameter determines whether Alliance Gateway checks for conditions that trigger the creation of alerts. Possible values are:
• Yes
• No

Default value
The default value is Yes. For more information, see Alerts on page
Note: If you set the value to No, then Alliance Gateway removes any existing alerts.

Enable Requires Additional Operator

Parameter definition
The configuration parameter Enable Requires Additional Operator controls whether operators can enable an entity that they added or recently updated. Those entities are of the type operator, operating profile, and virtual SWIFTNet user.


If the parameter is set to:
• Yes, then an operator who added or updated an entity cannot enable that entity unless their operating profile includes the function Allow Unconditional Enable for <entity>.
• No, then any operator with the Enable function can enable the entity.

<entity> represents operator, operating profile, or virtual SWIFTNet user.

Setting the parameter to Yes enforces a four-eyes control over the entities that govern access to Alliance Gateway: the operator who creates or changes an operator, operating profile or virtual SWIFTNet user cannot also activate it, so a single administrator cannot grant new rights without a second operator's involvement (unless that administrator holds Allow Unconditional Enable for the entity type). With the default value of No, the Enable function alone is sufficient.

Default value
The default value is No.
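The decision rule above, as an added example in Python that is not Alliance Gateway's own code. The names of the operating profile functions are assumptions: the guide names Allow Unconditional Enable for <entity>, but the plain Enable function is modelled here as "Enable <entity>". The operators and entities are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Set

# Entity types the parameter applies to, as listed in the guide.
ENTITY_TYPES = ("operator", "operating profile", "virtual SWIFTNet user")


@dataclass
class Operator:
    name: str
    functions: Set[str] = field(default_factory=set)   # operating profile functions


@dataclass
class Entity:
    kind: str
    name: str
    last_changed_by: str                                # operator who added or last updated it
    enabled: bool = False


def can_enable(actor: Operator, entity: Entity, enable_requires_additional_operator: bool) -> bool:
    """Decide whether `actor` may enable `entity` under the given parameter value.

    Assumed function names: 'Enable <entity>' for the ordinary Enable right and
    'Allow Unconditional Enable for <entity>' for the override named in the guide.
    """
    if entity.kind not in ENTITY_TYPES:
        raise ValueError(f"unknown entity type: {entity.kind}")
    if f"Enable {entity.kind}" not in actor.functions:
        return False                                    # no Enable right at all
    if not enable_requires_additional_operator:
        return True                                     # parameter = No: Enable alone suffices
    if actor.name != entity.last_changed_by:
        return True                                     # a second operator is acting
    return f"Allow Unconditional Enable for {entity.kind}" in actor.functions


def enable(actor: Operator, entity: Entity, enable_requires_additional_operator: bool) -> Entity:
    """Enable the entity or refuse, mirroring what the GUI would allow."""
    if not can_enable(actor, entity, enable_requires_additional_operator):
        raise PermissionError(f"{actor.name} may not enable {entity.kind} '{entity.name}'")
    entity.enabled = True
    return entity


if __name__ == "__main__":
    alice = Operator("alice", {"Enable operator"})
    bob = Operator("bob", {"Enable operator"})
    new_op = Entity("operator", "carol", last_changed_by="alice")
    print("alice, parameter Yes:", can_enable(alice, new_op, True))
    print("bob, parameter Yes:  ", can_enable(bob, new_op, True))
```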



Ignore Deactivated Subsystems

Parameter definition
The configuration parameter Ignore Deactivated Subsystems determines whether the overall status of Alliance Gateway considers intentionally deactivated subsystems.
• If set to Yes and one or more subsystems are intentionally deactivated, then the status of Alliance Gateway is set to started.
• If set to No and one or more subsystems are intentionally deactivated, then the status of Alliance Gateway is set to partial.

Changing the value of this configuration parameter does not cause Process Control to update the system status immediately. The value is considered in the scope of actions to start Alliance Gateway, activate and deactivate a subsystem, or start and stop a subsystem. For changes to this parameter to take effect, you must restart Alliance Gateway and the Alliance Gateway bootstrap.

Default value
The default value is No. For more information about the status of Alliance Gateway and its subsystems, see Processes on page



Instance Name
This configuration parameter displays the Alliance Gateway instance name and is read-only.

Release Level
This configuration parameter displays the Alliance Gateway release level and is read-only.


Shutdown on Database Tampering Detection

Parameter definition
Shutdown on Database Tampering Detection determines whether Alliance Gateway stops in the event of a database integrity violation:
• If set to Yes, then the system stops Alliance Gateway upon detection of any database integrity violation.
• If set to No, then this behaviour is not enabled.

Leaving the parameter at Yes means that a detected integrity violation results in a fail-closed stop rather than continued message processing on configuration or user data that may have been altered; set it to No only with that trade-off understood.

Default value
The default value of Shutdown on Database Tampering Detection is Yes.



IBM MQ Host Adapter
Configuration parameters are described in Configure Alliance Gateway for IBM MQ on page

MI Channel Support Interface
See MI Channel Support Interface Configuration Parameters on page

Functional Updates List
The Functional Updates List configuration parameter displays the functional updates installed on your Alliance Gateway system. This configuration parameter is present if an update containing functional updates has been installed on your Alliance Gateway system.



Startup Mode

Parameter definition
Startup Mode determines whether Alliance Gateway automatically starts after a system boot and stops before a system shutdown:
• If set to Automatic, then all the allowed Alliance Gateway processes start when the Alliance Gateway bootstrap starts and the system stops them before shutdown.
• If set to Manual, then the Process Controller requires the start command to start the Alliance Gateway processes and the system does not stop them before shutdown.

Default value
The default value of Startup Mode is Manual.

System shutdown behaviour
On shutdown, the system does not wait for all Alliance Gateway processes to stop before it stops, even if Startup Mode is set to Automatic.


SWIFT recommends that you use the stop command in the Process Controller to stop Alliance Gateway before a system shutdown. If the system reports that some SWIFTNet Link processes cannot gracefully shut down, then you may ignore these messages.



Manage Configuration Parameters

About this section
This section contains the procedures to modify the configuration parameters that are available in Alliance Gateway Administration.

About configuration parameters
Alliance Gateway Administration enables you to manage the configuration of the available Alliance Gateway entities.

Change Values

Procedure
1. Change the parameter value by using one of the following types of input fields:
   • Drop-down: Select the value from the drop-down list.
   • Text Field: Type the value required in the field. Typically, a text field is accessed by clicking the edit control in a Details window. The Cancel, Save and Add buttons appear at the bottom of the page.
2. Click Save. The changed value is saved.

Reset Values

Procedure
• Click Reset to Default. The corresponding configuration parameter is reset to the default value.



Add Multiple Values

Multiple values are added when a configuration parameter allows multiple values, such as Add SNMP Server.

Procedure
1. Click Add, located next to the corresponding field. The Add window opens.
2. Enter a value in the field of the Add window.
3. Click Add. The Add window closes and the value appears in the field.
4. Repeat the previous steps, as required.
5. Click Save, located at the bottom of the page. The changes to the configuration parameter are saved.

Edit Multiple Values

Multiple values are edited when a configuration parameter allows multiple values, such as Add SNMP Server.

Procedure
1. Select the value to edit in the corresponding field.
2. Click Edit, located next to the field. The Edit window opens.
3. Edit the value in the field of the Edit window, as required.
4. Click Save, located in the Edit window. The Edit window closes and the modified value appears in the field.
5. Click Save, located at the bottom of the page. The changes to the configuration parameter are saved.

Remove Multiple Values

Multiple values can be removed when a configuration parameter allows multiple values, such as Add SNMP Server.

Procedure
1. Select the values to remove in the corresponding field.
2. Click Remove, located next to the field. The selected values are removed from the field.
3. Click Save, located at the bottom of the page. The changes to the configuration parameter are saved.



User Management

Description
The User Management node enables you to do the following:
• Define authentication servers and LDAP (Lightweight Directory Access Protocol) servers to authenticate the passwords of operational entities in Alliance Gateway.
• Define units to organise the events logged as a consequence of administrative operations and SWIFTNet message flow.
• Create and manage Alliance Gateway operators.
• Create operating profiles to define the scope of administrative control that operators have over functions in Alliance Gateway.

Nodes
Expanding the User Management node reveals these entity nodes:
• Authentication Server Groups (see Authentication Servers on page 47)
• LDAP Server Groups (see LDAP Authentication on page 52)
• Units (see Units on page 61)
• Operating Profiles (see Operating Profiles on page 64)
• Operators (see Operators on page 86)

Passwords Overview Introduction Alliance Gateway allows you to manage the passwords of the operational entities that it uses. Alliance Gateway requires passwords for the following operational entities: •

Alliance Gateway operators, including the Alliance Gateway Administrator operator



SWIFTNet users added in Alliance Gateway, also referred to as virtual SWIFTNet users



SWIFTNet PKI profiles used in Alliance Gateway, sometimes called real PKI profiles or certificates Passwords for SWIFTNet PKI profiles used through Alliance Gateway are outside the scope of Alliance Gateway password management, but they must adhere to the minimum requirements for user-defined passwords. For more information, see SWIFTNet PKI profiles on page

Password authentication Alliance Gateway supports the following types of password authentication: •

Password (user-defined) Alliance Gateway authenticates the user-defined password that a user provides at login. Userdefined passwords adhere to the Alliance Gateway password management policy. For more information, see User-Defined Passwords on page



RADIUS One-time Password An authentication server authenticates the one-time password that a user provides at login. Only Alliance Gateway operators and virtual SWIFTNet users can use one-time passwords. For more information, see Authentication Servers and One-Time Passwords on page



LDAP Authentication A Lightweight Directory Access Protocol (LDAP) server authenticates the user name and password that an operator or a virtual SWIFTNet user provides at login. For more information, see Concept on page



25 August

Password and TOTP

Alliance Gateway Administration and Operations Guide

Configuration

Two-factor authentication uses a temporary passcode to strengthen the authentication process when you log in to an application.

Configuration parameters

Configuration parameters in Alliance Gateway allow fine-tuning of the password management. There are separate sets of configuration parameters to allow establishing different password policies for operators (see Configuration parameters on page 88) and for virtual SWIFTNet users (see Virtual SWIFTNet Users on page ).

SWIFTNet PKI profiles

Alliance Gateway differentiates whether SWIFTNet PKI profiles are used directly to create security contexts. This distinction is significant for password management. A virtual SWIFTNet user added in Alliance Gateway has a different name from the security profile it uses. This approach allows a password to be assigned to each SWIFTNet user mapped to a SWIFTNet PKI profile (which corresponds to the underlying certificate). One or more SWIFTNet users can be mapped to a certificate. The password type attributed to a virtual SWIFTNet user determines the rules that govern that user's password. For more information about certificates and SWIFTNet users, see SWIFTNet Users on page . For more information about passwords for SWIFTNet PKI profiles, see the SWIFTNet PKI Certificate Administration Guide.

Passwords and business applications

The configuration parameter Allow Use of Real SWIFTNet Users determines whether the security context that results from logging in with real PKI profiles can be used for main message flow. See the related considerations explained in the Alliance Gateway Security Guide. If a business application is accessing a SWIFTNet PKI profile through a SWIFTNet user, then ensure that someone is designated to be responsible for the SWIFTNet user password that the business application uses. If user-defined passwords are used, then this person must change the random password the first time it is used. If passwords are checked for expiration, then this person must ensure that the SWIFTNet user password is changed each time the password expires. The configuration parameter Enforce Application Passwords determines whether Alliance Gateway must enforce the use of application passwords for certificates configured in relaxed mode or used through virtual SWIFTNet users.



User-Defined Passwords

User-defined passwords are more familiar to users in the sense that users have the ability to define a password themselves, provided they comply with the characteristics of this password type and with related configuration parameters. For more information about these parameters, see Manage Operators on page 87 and Manage Virtual SWIFTNet Users on page . The following table outlines the characteristics of user-defined passwords. These characteristics are in line with the minimum password requirements for SWIFTNet.

25 August

Characteristic: Random password generation
Specifics: When adding an operator or virtual SWIFTNet user, Alliance Gateway generates a random password. Similarly, whenever a password is reset for an operator or a virtual SWIFTNet user, Alliance Gateway generates a random password.

Characteristic: Change at first login
Specifics: Any randomly generated password must be used to log in the first time. After a successful login, the operator or virtual SWIFTNet user is prompted to change the random password. The Administrator operator password defined during installation must also be changed the first time it is used to log in.

Characteristic: Password checking
Specifics: Alliance Gateway checks passwords whenever they are provided: while logging in, when provided with a request, and when provided as a result of a browser time-out.

Characteristic: Password history
Specifics: Alliance Gateway keeps a configurable number of old passwords that cannot be reused when the password must be changed.

Characteristic: Password creation rules
Specifics: Passwords must comply with the following:
  • By user type as follows:
    - For SWIFTNet Users, 12 to 64 characters
    - For Operators, 17 to 64 characters or 12 to 64 characters with two-factor authentication (TOTP)
  • US-ASCII characters, including:
    - A - Z
    - a - z
    - 0 - 9
    - ~ ! @ # $ % ^ & * ( ) _ + ` - = { }
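The creation rules, the history rule and the random initial password from the table above, as an added example that is not Alliance Gateway code. Two points are assumptions: the special characters are taken to be exactly those listed (the table says "including", so the real set may be wider), and the history depth of five stands in for the configurable number of old passwords, which the page does not quantify.

```python
import secrets
import string

# Allowed US-ASCII character classes, as listed in the creation rules above.
# The special-character list is given there with "including", so treating it
# as the complete set is an assumption made by this example.
ALLOWED = (set(string.ascii_uppercase) | set(string.ascii_lowercase)
           | set(string.digits) | set("~!@#$%^&*()_+`-={}"))


def length_bounds(user_type, totp_enabled=False):
    """Minimum and maximum password length by user type, as given in the rules."""
    if user_type == "swiftnet_user":
        return 12, 64
    if user_type == "operator":
        # Operators need 17 characters unless a TOTP second factor is in use.
        return (12, 64) if totp_enabled else (17, 64)
    raise ValueError("unknown user type: %r" % user_type)


def check_password(password, user_type, history=(), history_size=5, totp_enabled=False):
    """Return the list of violated rules; an empty list means the password is acceptable.

    `history` holds the user's previous passwords, newest last. `history_size`
    stands in for the configurable number of old passwords that cannot be reused
    (assumed value; the page gives no default).
    """
    problems = []
    low, high = length_bounds(user_type, totp_enabled)
    if not low <= len(password) <= high:
        problems.append("length %d outside %d-%d" % (len(password), low, high))
    bad = sorted({c for c in password if c not in ALLOWED})
    if bad:
        problems.append("disallowed characters: %r" % "".join(bad))
    # Password history: a production system compares salted hashes rather than
    # keeping old passwords in clear; plain comparison keeps the example short.
    if password in tuple(history)[-history_size:]:
        problems.append("reused one of the last %d passwords" % history_size)
    return problems


def generate_password(user_type, totp_enabled=False):
    """Random initial password of the kind assigned when a user is added or reset.

    It must be changed at first login, so it only needs to satisfy the creation
    rules; `secrets` is used rather than `random` because the value is a credential.
    """
    low, high = length_bounds(user_type, totp_enabled)
    length = min(high, low + 8)   # comfortably above the minimum, well below the maximum
    alphabet = sorted(ALLOWED)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample inputs; none of these are real credentials.
    print(check_password("Abcdefghijk1", "operator"))
    print(check_password("Abcdefghijk1", "operator", totp_enabled=True))
    print(check_password(generate_password("swiftnet_user"), "swiftnet_user"))
```

Returning the whole list of violations rather than stopping at the first one lets an administrator show the user every rule that failed, which avoids the repeated round trips a one-error-at-a-time check produces.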

Connectivity

SWIFTNet Link

Functional Overview

December

SWIFTNet Link

Table of Contents

1 Introduction
2 Enhancements and features
  Message and File Copy
  Message and File Distribution
  Enhanced Store-and-Forward Delivery Options
  Session History Report
  Enhanced Traffic Segregation
  Enhanced Error Text
  Easier Reconciliation of Notifications
  General Security Enhancements
  Enhanced HSM Resilience and Security
  Improved HSM Operability
  Enhanced HSM Supportability
  Operational Enhancements
3 Obsolete Functionality
  End of Dial-up Support
  End of Support for previous HSM card reader model
Legal Notices

1 Introduction

SWIFTNet Link

SWIFTNet Link is SWIFT's mandatory software product for customers of SWIFTNet services. SWIFTNet Link provides the minimal functionality for technical interoperability between customers that use SWIFTNet services. SWIFTNet Link is designed to provide the following functionality:

  • the necessary minimal functionality to access and use SWIFTNet services over the SWIFT secure IP network
  • the technical interoperability at the customer end between the requestor application and the network and between the secure IP network and the responder application.

Purpose of this document

The purpose of this document is to provide a description of the main functional enhancements on SWIFTNet Link as well as the other functionalities that are removed in this release.

2 Enhancements and features

Message and File Copy

SWIFTNet introduces additional copy functionality for InterAct messages and FileAct files exchanged in store-and-forward mode. It also adds more flexibility in terms of determining the copy destination. When the copy feature is used, SWIFT can now automatically copy the entire message or file to a copy destination. It can be used to either simply copy a message or file for information purpose (T-copy), or to make the delivery dependent on approval of a third party that must authorise the message delivery (Y-copy). The service administrator decides on the traffic flows that are copied, and which options are used related to this. Note that the FileAct header-only copy remains available as an option.

Copy for information purpose (T-copy)

In this mode, SWIFT delivers the message or file to the recipient (as usual), and simultaneously provides a copy of the full message or file "for information" to one or more copy destination(s). This can be for example an accounting centre, a head office, a netting system or a regulatory body.

Copy for authorisation purpose (Y-copy)

In this case, SWIFT does not deliver the sender's message immediately to the recipient, but keeps it on hold at SWIFT. SWIFT copies the full message or file to the copy destination that must authorise, or refuse the transaction. If it is authorised, then SWIFT delivers the original message or file to the recipient. If it is refused, then SWIFT does not deliver the message or file, and informs the sender about the refusal.

Note: For messages, this feature only supports full message copy.

Message and File Distribution

SWIFTNet introduces the ability to send a message or file to a distribution list. In this case, the customer sends the message or file only once, together with a distribution list that contains the recipients that need to receive it. Because the sender provides the recipient list, the sender has full control over the list and can change it over time or even use a different one for every exchange. This feature is available only for services that work in store-and-forward mode. The ability to distribute messages or files to recipients who have subscribed to the service, also depends on the traffic flows that the service administrator allows for the service.

Note: If the message or file to be distributed is signed (for example when non-repudiation is used), then SWIFT can only deliver it to recipients who have also installed SWIFTNet interface software. Recipients who do not have the required interface software will not receive the signed message or file. Instead, SWIFT will send a failed delivery notification to the sender, for each such receiver in the distribution list. If the message or file distribution request is not signed, SWIFT can deliver it to both 6.x and interfaces.

Enhanced Store-and-Forward Delivery Options

With SWIFTNet , the following new delivery options become available:

Option to receive traffic from one queue on several systems in parallel

This is useful for customers who have several systems that receive traffic and are operational at the same time, as such a setup provides enhanced resilience as well as increased throughput (load balancing). To use this option, customers must configure their queue(s) as "shareable" and use the SWIFTNet interface software. As of that moment, several concurrent sessions on the same queue will be allowed. When SWIFT delivers traffic from a queue and more than one session is open, SWIFT will distribute the traffic in a (roughly) equal manner over the different sessions. If a session is interrupted (for example because one of the receiving systems is not available), then SWIFT will automatically adjust the traffic distribution to the remaining systems. When the system logs in again, it can participate in the traffic distribution again. This option is equivalent to the "shared delivery subsets" feature on FIN.

Ability to specify a traffic subset

When opening a delivery session, it is possible to restrict delivered traffic to "messages only" or "files only". Similarly there is an option to deliver "urgent only" (or "normal only") traffic. Note that these are "filters" that a messaging interface can specify when opening a session. It does not affect what traffic is routed to which queue, because customers define this routing upfront through their message routing rules.

Availability of delivery notifications as system messages

With SWIFTNet , the delivery notifications and failed delivery notifications become available also in the form of normal system messages. Before this release, they were only available as store-and-forward primitives to developers, and could not be processed in the same way as system messages.
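The shareable-queue behaviour described above (several concurrent delivery sessions on one queue, traffic spread roughly evenly, a dropped session removed from the rotation, and per-session "messages only" / "files only" / "urgent only" filters) as an added model. This is an illustration written for this page, not SWIFT's software; the class and method names are this example's own, and round-robin distribution is an assumption standing in for SWIFT's "(roughly) equal" distribution, whose real algorithm is not published here.

```python
# Added model of a shareable store-and-forward queue with several concurrent
# delivery sessions. Names and the round-robin rule are this example's own
# assumptions; SWIFT's documentation only says traffic is spread "roughly" equally.


class SharedQueue:
    """One store-and-forward queue delivering to any number of open sessions."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}       # session id -> filter dict declared at session open
        self.delivered = {}      # session id -> ids delivered to it (kept after close, for reconciliation)
        self.held = []           # items no open session is willing to take; they stay in the queue
        self._rotation = []      # open session ids in round-robin order
        self._next = 0           # index into _rotation of the session to try first

    def open_session(self, session_id, kind=None, priority=None):
        """kind: 'message' or 'file' (None = both); priority: 'urgent' or 'normal' (None = both).

        A session that logs in again simply re-enters the rotation.
        """
        self.sessions[session_id] = {"kind": kind, "priority": priority}
        self.delivered.setdefault(session_id, [])
        self._rotation.append(session_id)

    def close_session(self, session_id):
        """Session interrupted (for example the receiving system went down): drop it from the rotation."""
        self.sessions.pop(session_id, None)
        self._rotation.remove(session_id)
        self._next = self._next % len(self._rotation) if self._rotation else 0

    def _accepts(self, session_id, item):
        f = self.sessions[session_id]
        return f["kind"] in (None, item["kind"]) and f["priority"] in (None, item["priority"])

    def deliver(self, item):
        """Hand one queued item to the next open session whose filters accept it.

        Returns the session id, or None when the item has to stay in the queue.
        Filters only restrict what a session pulls; they never re-route the item
        to another queue, which matches the text above.
        """
        n = len(self._rotation)
        for i in range(n):
            idx = (self._next + i) % n
            session_id = self._rotation[idx]
            if self._accepts(session_id, item):
                self._next = (idx + 1) % n
                self.delivered[session_id].append(item["id"])
                return session_id
        self.held.append(item)
        return None


if __name__ == "__main__":
    # Constructed sample traffic: nine normal messages over three sessions, then one session drops.
    q = SharedQueue("demo-queue")
    for sid in ("A", "B", "C"):
        q.open_session(sid)
    print([q.deliver({"id": i, "kind": "message", "priority": "normal"}) for i in range(9)])
    q.close_session("B")
    print([q.deliver({"id": i, "kind": "file", "priority": "normal"}) for i in range(9, 13)])
```

Keeping the per-session delivery record after a session closes is deliberate: when a receiving system comes back it needs to reconcile what it already got before the interruption against what the other sessions took in the meantime.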
Session History Report

This new feature allows a user to send a request to SWIFT to get a report with an overview of past sessions, with related session details. SWIFT will process this request, retrieve the necessary information and respond by putting the session history report in a queue. When sending the request to SWIFT, it is possible to specify the time frame and the input or output channels as parameters for generating the report. The report lists the session information, including open and close time, number of messages, sequence number range, and other related information. These exchanges are in the form of system messages. SWIFT describes the technical details in the Interface Vendor Specifications for InterAct and FileAct and in the SWIFTNet System Messages volume of the User Handbook.

Enhanced Traffic Segregation

With SWIFTNet , SWIFT provides additional segregation capability to channel InterAct traffic and FileAct traffic separately, over the lines of an Alliance Connect Gold connectivity product. This allows customers to channel for example Browse and InterAct traffic over one line, and FileAct traffic over the other. Alternatively, it allows to channel Browse and FileAct over one line, and InterAct over the other.

Customers can configure this setup using a new SWIFTNet Link command. They must also update their firewall(s) as mentioned in the Network Access Control Guide.

Note: In this context, FIN traffic follows the same path as InterAct traffic. For more information, see the SWIFTNet Link Operations Guide.

Enhanced Error Text

In SWIFTNet , SWIFT has enhanced (and simplified) the error text or severity for a number of common errors generated by SWIFT's central system. With SWIFTNet , SWIFT enhances the error text (or severity) for a number of remaining error areas, including errors generated by SWIFTNet Link of the HSMs. In particular, the description now allows to better identify the root cause of the problem (for example, if the problem is with the sender or receiver). To ensure backward compatibility, SWIFT does not provide the new error text by default. Therefore, application developers must explicitly select the new error reporting to benefit from this enhancement. SWIFT expects that in a future release, this new capability will become the default mode. Customers will see the new, simplified error text when they use applications that select the new error reporting mode and that show the SWIFTNet error text to customers.

Easier Reconciliation of Notifications

SWIFTNet introduces the ability to receive the store-and-forward notifications as system messages. These system messages include the same header information that was used for the original message or file. This enhancement will ease the reconciliation as customers can now determine the context of the original message or file directly from the notification, instead of having to find back this information through the technical reference. Customers who want to take benefit of this enhancement must check with their application developer or interface vendor to ensure that their implementation uses the new approach of using system messages for notifications.

General Security Enhancements

SWIFTNet Link introduces the following security enhancements:

Human password expiry enforcement

With SWIFTNet Link , customers can decide to block certificates that have an expired human password. Once this option is activated, it will not be possible to use these certificates for signing traffic. To be able to use their certificates again, users must first change their password. Users can still change the password of their certificates even if they have already expired. For application passwords, there is no change. If an expired application password is used, SWIFTNet Link will continue to only generate warnings.

Use of Policy OIDs for all certificates

In line with industry best practices, SWIFT will implement a Policy Object Identifier (Policy OID) for each SWIFTNet PKI certificate. Comprehensively using Policy OIDs ensures that non-business certificates can be easily differentiated from each other and that there is a unique and unambiguous relationship between a given certificate and its corresponding Certificate Policy.

SWIFT will assign the appropriate Policy OID to existing non-business certificates such that over time, through their normal renewal process, these certificates will acquire the assigned Policy OID. All new non-business certificates created after the deployment of SWIFTNet will immediately acquire the appropriate Policy OID. There is no change to the Policy OID values of business certificates.

End-to-end signature

SWIFTNet introduces new service attributes that allow to mandate the use of an end-to-end signature and to specify the format of the signature (either crypto block or signature list) for all traffic exchanged on a service. SWIFT will centrally check that traffic sent on a service is compliant with the selected service attributes.

Enhanced HSM Resilience and Security

SWIFTNet Link introduces the following HSM box resilience and security enhancements:

Support for additional boxes per cluster

Customers will now be able to configure an HSM cluster with up to four boxes. The HSM cluster will keep certificates up-to-date between the primary box and all the replicas. It will only use two boxes for signing at any time and automatically switch traffic to a replica in case of failure. This feature allows restoring cluster operations without manual intervention when a box becomes unavailable. It also allows to have spare boxes actively connected in the cluster, keeping their configuration up-to-date and ensuring their correct functioning before they are needed. Note that the current network and security requirements that apply between a SWIFTNet Link and an HSM box and between HSM boxes will also apply to the additional boxes. For details on these requirements, see the Network Access Control Guide.

Concurrent use of HSM certificates over multiple SNLs

Currently, customers need to set up distinct certificates for SWIFTNet Links used by an application in multi-active mode. SWIFTNet Link removes this restriction by ensuring that only one SWIFTNet Link can update a certificate at a time. This feature will allow customers to rationalise the number of certificates needed for applications using multi-active SWIFTNet Links. SWIFT recommends changing these certificates or their password only outside of business hours as all systems using these certificates must be updated simultaneously.

Avoid application certificates lock-out due to invalid logins

Customers will be able to optionally configure, on their HSM boxes, a different lock-out policy based on the password length of their certificates. Therefore customers can ensure that application certificates (that is, certificates that are protected by sufficiently long passwords) are not automatically locked-out after multiple consecutive invalid login attempts. This feature allows to protect application certificates from denial-of-service attacks within the customer's institution, which could result in service disruption of critical applications such as FIN. SWIFT advises to use this option when application certificate passwords are generated randomly and renewed at least every two years (as recommended in the password policy). The current lock-out policy is unchanged for human certificates whose passwords are short and might be vulnerable to brute force attacks.
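The two certificate policies described in this section, blocking a certificate whose human password has expired (while an expired application password only warns) and exempting long-password application certificates from lock-out after consecutive invalid logins, as an added example. This is not SWIFTNet Link or HSM code: the thresholds (five attempts, a 16-character boundary for "sufficiently long"), the outcome names and the certificate fields are assumptions made for the illustration, since the page gives no values. The example shows why the length-based exemption matters: with a single lock-out rule, a flood of bad logins against an application certificate would take the application down, whereas a long random password can absorb those attempts without being guessable.

```python
from dataclasses import dataclass
from datetime import date

# Added illustration of the two policies above: expiry enforcement that differs
# for human and application passwords, and a lock-out rule keyed on password
# length. All thresholds and names are assumptions; the page states none.


@dataclass
class Certificate:
    name: str
    password_length: int
    password_expires: str          # ISO date, e.g. "2030-01-01"
    is_application: bool = False   # application certificates: long random passwords, used unattended
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Policy:
    enforce_human_expiry: bool = True  # the new option: block certificates whose human password expired
    lockout_threshold: int = 5         # consecutive invalid logins before lock-out (assumed value)
    long_password_min: int = 16        # length from which a certificate is exempt from lock-out (assumed)


def authenticate(cert, password_ok, today, policy):
    """Evaluate one login attempt on a certificate and return (outcome, reason).

    outcome is one of "ok", "warning", "blocked", "denied" or "locked".
    """
    if cert.locked:
        return "locked", "certificate is locked after repeated invalid logins"
    if not password_ok:
        cert.failed_attempts += 1
        # Length-based lock-out: only certificates with short passwords, which could
        # realistically be brute-forced, are locked out. Long application passwords
        # are exempt, so a burst of bad logins cannot become a denial of service.
        exempt = cert.password_length >= policy.long_password_min
        if not exempt and cert.failed_attempts >= policy.lockout_threshold:
            cert.locked = True
            return "locked", "locked after %d consecutive invalid logins" % cert.failed_attempts
        return "denied", "invalid password (%d consecutive failures)" % cert.failed_attempts
    cert.failed_attempts = 0   # a successful login resets the counter
    if date.fromisoformat(today) > date.fromisoformat(cert.password_expires):
        if cert.is_application:
            # Application passwords: an expired password only produces a warning.
            return "warning", "application password expired; signing still allowed"
        if policy.enforce_human_expiry:
            # Human password with enforcement on: no signing until the password is changed.
            return "blocked", "human password expired; change the password before signing"
        return "warning", "human password expired"
    return "ok", "login accepted"


def replay(cert, attempts, today, policy):
    """Run a constructed sequence of login results (True = right password) and return the outcomes."""
    return [authenticate(cert, ok, today, policy)[0] for ok in attempts]


if __name__ == "__main__":
    # Constructed scenario: a human certificate and an application certificate each see
    # six wrong passwords followed by a correct one.
    human = Certificate("cn=alice (constructed)", password_length=8, password_expires="2030-01-01")
    app = Certificate("cn=payments-app (constructed)", password_length=32,
                      password_expires="2030-01-01", is_application=True)
    print(replay(human, [False] * 6 + [True], "2024-06-01", Policy()))
    print(replay(app, [False] * 6 + [True], "2024-06-01", Policy()))
```

A human password that has expired can still be changed (the page is explicit about this), so "blocked" here only denies signing; the password-change path is a separate operation and is not modelled.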

Improved power management in HSM box

Currently the CPU on the HSM box is set to operate at its maximum frequency regardless of the load on the system. The result is greater power consumption than necessary. HSM software version will load and enable CPU governors to give the operating system more control over the power management. This results in a reduction in power consumption and heat generation.

Improved HSM Operability

SWIFTNet Link introduces the following HSM box operability enhancements:

Interfaces can now integrate HSM box commands

Interfaces are now able to provide customers with certain HSM box management commands such as activating an HSM box, initialising a partition or opening a Remote PED session, thereby avoiding the need to use the SWIFTNet Link environment for such commands.

Note: Excessive use of the HSM commands can result in reduced Main Message Flow throughput.

Flexible HSM box identification in a cluster

Customers can now select a unique HSM box identification for a cluster from HSM1 to HSM99, thereby avoiding ambiguous HSM cluster name and profile names. Renaming an existing cluster will require the cluster reconfiguration and re-creation of profiles.

Easier HSM registration for a SWIFTNet Link running on a cluster

Customers running a SWIFTNet Link instance on a cluster platform (with two hosts in active/standby mode sharing disks), will be able to register their HSM boxes by updating the SWIFTNet Link on the active host only. They will no longer have to repeat the HSM registration after switching the SWIFTNet Link instance over to the standby host.

Enhanced HSM Supportability

SWIFT introduces the following HSM box supportability enhancements as of SWIFTNet :

Ability to monitor SSL certificate validity

A new option has been introduced to the existing SWIFTNet Link command (perl sprers.eu) which allows customers to query their SSL certificate creation dates. This allows customers to monitor and plan timely renewals of these certificates.

Ability to synchronise the HSM box clock with the SNL clock

Currently, customers can use a SWIFTNet Link command (perl sprers.eu) to change the date and time of their HSM box to a new specified value. This command has been enhanced to allow customers to use the SWIFTNet Link host date and time to set the HSM box date and time. This will simplify problem investigation as events can be more easily correlated between logs.

Improved HSM box logs

The HSM logs contain more concise log entries for SwHSM commands.

Ability to enable regular backup of HSM box database

A new SWIFTNet Link command (perl sprers.eu) allows customers to enable backup of the HSM box database, list the existing backup files of an HSM box, and restore a backup file to the HSM box. Backups of up to 15 days will be stored on the HSM. Any changes performed after the backup will be lost as a result of this restore.

Improved HSM box IP address change procedure

SWIFTNet Link introduces a new SWIFTNet Link command (perl sprers.eu) to ease the procedure for changing the IP address of an HSM box. For more information, see the Hardware Security Module Operations Guide.

Operational Enhancements

Silent installation framework

SWIFTNet Link introduces a new installation framework to ease the installation (or upgrade) of SWIFTNet Link. This can provide significant time savings and reduce operational risk, particularly for customers with a large number of SWIFTNet Link instances. In addition to the existing GUI-based installation framework, SWIFT provides the ability to use a command-line installation based on an input parameter file prepared in advance for easy execution by operators. This approach can reduce the installation time, allows unattended installations of multiple instances, avoids manual errors, and increases the auditability of the actions performed in production environments. The use of an input parameter file also avoids user interaction during the installation process. Operations managers can prepare the parameter files for the different SWIFTNet Links in advance so that the actual software installation can be scripted or carried out potentially by other parts of the organisation. This provides further segregation of duties if required. In addition, this new installation method no longer requires the use of an X-terminal. For some customers, this represented a security concern, and for others implied some performance issues when executed remotely. The interactive, GUI-based installation remains available as an alternative.

Self-managed SNL certificate

Each SWIFTNet Link system has its own instance certificate, which is used to secure the messaging layer and allows SWIFT to authenticate the customer's SWIFTNet Link system. This certificate is created during the SWIFTNet Link installation. In previous releases, the user assigned a password which needed to be kept for later use (for example, in case of re-installation). With SWIFTNet Link , this certificate is fully managed by SWIFTNet Link at installation and during future upgrades. The user no longer needs to manage the password of this certificate.

Avoid timeout due to multiple security profile renewals

When multiple security profiles in their renewal period are opened at the same time (e.g. by the communication interface, such as Alliance Gateway), the renewal operation can take more than one minute per profile. The serialisation of these operations may take time and subsequently generate time-outs at the level of the messaging interface. SWIFTNet Link controls the number of profiles that can be renewed at the same time. If a dedicated threshold is reached, remaining renewals will be postponed for later login. Manual renewal of a certificate can still be triggered using the CertInfo command.

Ability to identify outdated HSM certificates

A new option has been introduced to the existing SWIFTNet Link Certlist command which allows customers to identify outdated certificates stored on their HSM. It will retrieve the details of the certificate stored on the HSM and compare them with the details of the latest certificate available in the SWIFTNet Directory.

3 Obsolete Functionality

The following functionality is suppressed or replaced in this release of Alliance Gateway.

End of Dial-up Support

As of SWIFTNet Link , SWIFT discontinues the dial-up technology and has therefore not qualified SWIFTNet Link with the dial-up connectivity product. Consequently, dial-up technology is no longer supported on release .

What is the impact for Prime Dial customers?

In order to benefit from the new features and enhancements introduced with SWIFTNet , customers using dial-up as their prime connectivity must first upgrade their network connectivity to one of the Alliance Connect products before upgrading their SWIFTNet software to release . Customers using Dual-I with a dial-up back-up line are however not impacted and can safely implement SWIFTNet as soon as it becomes available.

What is the standard upgrade scenario for Prime Dial customers?

SWIFT recommends that Prime Dial customers choose Alliance Connect Bronze as a replacement option for their network connection. For more information about Alliance Connect, see the connectivity pages on .

End of Support for previous HSM card reader model

SWIFTNet Link does not support the HSM card reader model (Reflex USB from Gemalto) that was supported on SWIFTNet Link 6.x versions. A new hardware model (PC USB-SW Reader from Gemalto) is introduced with SWIFTNet Link replacing the old one. Customers using the HSM card reader need to switch to the new model when installing SWIFTNet Link release . The HSM cards used with the previous HSM card reader model can be used transparently with the new HSM card reader model.

Legal Notices

Copyright

Copyright SWIFT. All rights reserved. You may copy this publication within your organisation. Any such copy must include these legal notices.

Confidentiality

This publication may contain SWIFT or third-party confidential information. Do not disclose this publication outside your organisation without the prior written consent of SWIFT.

Disclaimer

SWIFT supplies this publication for information purposes only. The information in this publication may change from time to time. You must always refer to the latest available version on .

Translations

The English version of SWIFT documentation is the only official version.

Trademarks

SWIFT is the trade name of S.W.I.F.T. SCRL. The following are registered trademarks of SWIFT: SWIFT, the SWIFT logo, 3SKey, Innotribe, Sibos, SWIFTNet, SWIFTReady, and Accord. Other product, service, or company names in this publication are trade names, trademarks, or registered trademarks of their respective owners.

SWIFTNet

Axway Gateway: Connectors

SWIFTNet Introduction

SWIFTNet is the SWIFT organization's IP-based network. SWIFTNet services enable the secure and reliable transfer of financial information and transactional data.

Many institutions frequently need to manage separate interfaces, standards and security models for each market infrastructure used, and for various types of communication with correspondents and customers. With SWIFTNet, you connect only once. Single window connectivity delivers a single communications infrastructure to access multiple service providers, correspondents and customers. Other advantages are automation and straight-through processing within a financial organization.

The Gateway/SWIFTNet connector supports the following SWIFTNet services:

  • InterAct messaging
  • FileAct file transfer

SWIFTNet message types

Originally SWIFT used FIN messaging. More recently, with SWIFTNet, the XML-based InterAct and FileAct message types have been introduced.

InterAct

InterAct is SWIFT's interactive messaging service that supports the exchange of messages between two parties.

With InterAct, institutions and communities can exchange messages in an automated and interactive way — an application sends a request message to another application and receives an immediate response message.

Each message exchange consists of a request and a reply message. Request messages usually contain either information to be sent from a sender to a receiver or a request for information which is sent from sender to receiver. Reply messages contain either the confirmation that the receiver has received the sender's message or a reply on a sender's request.

InterAct is used to exchange time-critical and short to medium length messages (such as securities orders, payment instructions) between parties.

Each InterAct message consists of two parts:

  • The payload that contains the business contents, such as an investment funds order
  • The envelope that contains the technical information which is required for the SWIFT network to send the message (such as requester and receiver, PKI information, SnF mode, etc.)

InterAct messages can be validated, for example for XML compliance and correct semantics, within SWIFTNet according to the message specification.

FileAct

FileAct allows the secure and reliable transfer of files between parties via SWIFTNet.

FileAct supports tailored solutions for market infrastructure communities, closed user groups and financial institutions. FileAct is particularly suitable for bulk payments, batches of structured financial messages and large reports.

Files are usually created in batch processes and should not be time critical. Files are typically large. There is no validation of FileAct messages. They can be free formatted, even binary data can be transmitted.

SWIFTNet delivery modes

SWIFTNet provides two different delivery modes:

  • Real Time (RT) mode exchanges messages and files between parties in real time. In this case both sender and receiver have to be connected to the SWIFT network at the same time.
  • Store-and-Forward (SnF) mode allows the sender's message to be stored within the SWIFT network until the receiver is able to receive the message. The sender and receiver do not need to be connected at the same time. SnF relies on queues managed by SWIFT.

SWIFTNet software

SWIFT provides the following software to connect to SWIFTNet:

  • SWIFTNet Link (SNL). This is the low-level connection software that manages access to SWIFTNet. A client may have more than one instance of SNL for reasons of performance and reliability. SNL connects gateway applications such as SAG to SWIFTNet.
  • SWIFT Alliance Gateway (SAG). SAG acts as concentrator and allows multiple applications to be connected to SWIFTNet. Examples are: automated file transfer, distant applications using SWIFTNet RA (Remote API) and applications using MQ-series queues. Flows coming from SWIFTNet to these applications are routed according to configurable criteria.

SWIFTNet message and file limitations

Gateway fully supports the SWIFTNet InterAct and FileAct protocols within the size limits established by SWIFT. For the current limits, refer to the official SWIFTNet documentation.

Related topics

SWIFTNet connector

SWIFTNet system recovery

More information

Gateway is just part of the Axway Financial Exchange solution. Using Axway products to deploy a full SWIFTNet solution is outside the scope of this document. For more information on Axway products, go to sprers.eu

For more information on SWIFTNet, refer to:

  • The SWIFT (Society for Worldwide Interbank Financial Telecommunication) website: sprers.eu
  • The SWIFTNet documentation delivered with the product


What Is SWIFTNet?


As a general purpose, industry-standard solution for the financial industry, SWIFTNet provides an application-independent, single window interface to all the connected applications of all the institutions participating in the global financial community. Actual access is controlled by the business policy decisions of each Service Administrator, not by the technical limitations of the infrastructure.

SWIFTNet provides a basis for assuring business continuity and disaster recovery for the infrastructure of mission-critical financial applications that cross institutional boundaries. SWIFTNet is designed to satisfy institutional community requirements for interoperability of mission-critical financial software solutions.

To interconnected business applications, SWIFTNet provides the following:

  • Assurance of infrastructure reliability

  • Availability

  • Role-based and non-role-based access control

  • Correspondent and message authentication

  • Message integrity

  • Confidentiality

  • Non-repudiation support

  • Message validation

  • Store-and-forward

SWIFTNet uses SWIFTNet Link (SNL) as the application programming interface to the SWIFTNet services, and uses the SWIFTAlliance Gateway for connectivity and usability. Read more about these resources in this topic.

SWIFTNet Link overview

Business software applications use the SWIFTNet Link (SNL) application programming interface (API) to access and use SWIFTNet services. The SNL is the mandatory network interface to SWIFTNet. SWIFTNet requires SNL for all external interfaces. The SNL also includes background processes that support messaging, security, and service management functions. The SNL is incorporated into SWIFTAlliance WebStation and SWIFTAlliance Gateway (SAG).

SNL establishes a loosely coupled client/server relationship between business application components. Instead of directly invoking methods or functions, the interaction is message-oriented: structured messages are passed between client and server. A business application designed for SWIFTNet services generally consists of a set of clients and servers. The same client or the same server process can be started multiple times. Note that you cannot predict to which process instance of the same application an incoming message request will be delivered. Multiple threads within a client process can invoke the SwCall API function. A server process can have multiple threads as well; however, only one thread can invoke SwCallback. Client and server processes cannot be combined in the same process.

SNL provides a set of transport-level features designed for high availability and high throughput environments. These features include:

  • Load balancing

  • Location transparency and routing, shielding application components from the underlying transport technology

  • Transport-level authentication and confidentiality, packaged within SNL and provided transparently to the application

  • Security functions by which business application software may establish end-to-end security (user application to user application), when required

In terms of programming at the source code level using C++ or Java, there are only two functions: SwCall and SwCallback. SwCall is used by client applications to access server applications through SWIFTNet. SwCallback is used by server applications to respond to clients through SWIFTNet.

The SwCall and SwCallback functions access the functionality of SWIFTNet by passing structured XML messages to and from SWIFTNet. At run-time, SNL includes both software libraries — the code of which executes within the same address space as business application client or server processes — and independent processes (daemons or services), which run in their own address spaces. The software libraries are accessible through the SNL APIs.

SWIFTAlliance Gateway overview

The SWIFTAlliance Gateway (SAG) is an interface product for SWIFTNet. It incorporates all the functionality of the SWIFTNet Link. Additionally, it provides several different connectivity and usability features for SWIFTNet users, providing solutions to a variety of system integration problems.

The SAG supports several different modes of operation. One of these, the strict SWIFTNet Link Mode, is particularly relevant to the FileAct and InterAct adapters for SWIFT. In strict SWIFTNet Link Mode, the SAG presents a messaging interface that is functionally equivalent to the SWIFTNet Link interface as it is described throughout these topics.

The SAG serves as a message concentrator. It receives messages from various other applications and passes them through SWIFTNet. It receives these messages through host adapters, including a WebSphere MQ host adapter, which enables business applications running on a variety of different types of computing platforms to pass messages through SWIFTNet.


The topics listed here provide information about Application Adapters. If you have any questions or problems, see the Java CAPS web site at .

SWIFTAlliance Gateway is a modular software package that is installed on top of the SWIFTNet Link (SNL) software, and is designed to enable application-to-application communication. Using the SWIFTNet interactive services, InterAct and FileAct, messages and files are typically exchanged between a customer application (client) and a central application (server) over the Secure IP Network (SIPN). SWIFTAlliance Gateway can handle large volumes of information and is therefore suitable for use with both client and server applications.

The subtopics listed here provide information about SWIFT Alliance Gateway and its Sun Adapter.

Introduction to SWIFTNet

SWIFTNet is a global business messaging network for secure connectivity between institutions that participate in the financial services industry. As such, SWIFTNet is designed to satisfy institutional community requirements for inter-operability of mission-critical financial software solutions.

SWIFTNet provides an assurance of infrastructure reliability, availability, access control, correspondent and message authentication, message integrity, and confidentiality, to business applications that are interconnected among a community of institutions. Optionally, SWIFTNet also provides non-repudiation support, message validation, store-and-forward, and role-based access control.

SWIFTAlliance Gateway

SWIFTAlliance Gateway is an interface product for SWIFTNet. It incorporates all the functionality of the SWIFTNet Link. Additionally, it provides several different connectivity and usability features for SWIFTNet users, providing solutions to a variety of system integration problems.

SWIFTAlliance Gateway is designed to concentrate traffic from multiple SWIFTAlliance WebStations. It provides a graphical user interface for the administration of the SWIFTAlliance Gateway and related SWIFTNet security administration functions.

SWIFTAlliance Gateway can serve as a message concentrator, receiving messages from various other applications for passage through SWIFTNet. It can receive these messages through host adapters, including a WebSphere MQ host adapter, for interfacing with business applications running on a variety of different types of computing platforms.

SWIFTAlliance Gateway Remote API

SWIFTAlliance Gateway Remote API (RA) is a software package that establishes a communication link with the RA Host Adapter component of SWIFTAlliance Gateway, either from a SWIFTNet application existing on a remote computer or from a SWIFTNet application existing on the computer where SWIFTAlliance Gateway is installed.

Using Remote API, applications developed to run directly on top of SNL software can use SWIFTAlliance Gateway transparently as a concentrator for their SWIFTNet traffic, thereby implementing the single window concept. RA offers two sets of APIs: SWIFTNet Link specific, and SWIFTAlliance Gateway specific. Message flow, from an RA instance to SWIFTAlliance Gateway, is managed by the Remote API Host Adapter (RAHA), a sub-component of SWIFTAlliance Gateway’s Application Interface (AI).

SWIFTNet Messaging Services

SWIFTNet offers four messaging services, SWIFTNet InterAct, FileAct, Browse, and FIN. Of these four, the SWIFTAlliance Gateway specifically addresses FileAct and InterAct in client mode, with both Real Time and Store-and-Forward transfers.

SWIFTNet InterAct

SWIFTNet InterAct provides secure and reliable exchange of individual structured financial messages. SWIFT customers’ messaging requirements vary from customer to customer but also from message to message. SWIFTNet InterAct offers you a broad range of telecommunication modes.

Store-and-Forward Messaging

SWIFTNet InterAct’s store-and-forward capability is designed for messages that are destined for a large number of correspondents, many of whom may not be online at the time of transmission. It removes the uncertainty and inconvenience of worrying about whether or not your correspondents are on-line at the time you send the message. The message is delivered as soon as the recipient is ready to receive it. As a result, it provides an ideal way to send individual instructions, confirmations, and reports to large numbers of correspondents, some of whom may be in different time zones.

Real-Time Messaging

Real-time messaging offers a low-cost alternative to store-and-forward for messages which are destined for correspondents that are online at the time of transmission. As a result, it is ideal for sending individual instructions, confirmations, and reports to a few large correspondents, or for messages to market infrastructures.

SWIFTNet FileAct

SWIFTNet FileAct provides secure and reliable transfer of files, such as batches of structured financial messages or large reports. Typical applications include repetitive credit transfers such as pension or salary payments, securities value-added information and reporting, and regulatory reporting. SWIFTNet FileAct offers a variety of messaging modes.

Store-and-Forward File Transfers

SWIFTNet FileAct’s store-and-forward capability ensures that your correspondents receive your file whether or not they are online at the time of transmission. Files are delivered when the recipient is ready to receive them. Store-and-Forward is an ideal way to send individual instructions, confirmations and reports to large numbers of correspondents, some of which may be in different time zones.

Real-time File Transfers

Real-time messaging provides a lower-cost alternative to store-and-forward for files that are destined for correspondents that are online at the time of transmission. This makes it ideal for sending files to a few large correspondents or market infrastructures.

The SWIFT Alliance Gateway Adapter

The Sun Adapter for SWIFTAlliance Gateway (referred to as the SWIFT AG Adapter throughout this guide) enables the Sun Java™ Composite Application Platform Suite to communicate with SWIFTAlliance Gateway.

The SWIFT AG Adapter is comprised of the following components:

  • Connector module: a JCA Resource Adapter that allows you to exchange messages or files across SWIFTNet, SWIFT’s secure IP network.

  • NetBeans module: incorporates the Adapter into Java CAPS and provides necessary design time and runtime functionality within the Suite.

  • SWIFT AG Object Type Definition: exposes SWIFTNet methods and attributes for use within a Java Collaboration to perform connectivity and business logic.

In addition to the OTD, the SWIFT AG Adapter provides Connectivity Map and External System configuration for design time configuration.

SWIFT AG Adapter Features

The SWIFT AG Adapter includes the following features:

  • Supports InterAct and FileAct Services in client mode, with both Real Time and Store-and-Forward messaging

  • Supports both synchronous and asynchronous operation modes

  • Provides support for all the SWIFTNet Link (SNL) Primitives

  • Supports dynamic configuration of InterAct and FileAct primitive attributes from the Java Collaboration Editor

  • Supports dynamic configuration of SWIFT AG Remote API transport properties

SAGOutboundAdapter Object Type Definition

The Adapter provides a SWIFTAlliance Gateway specific OTD (Object Type Definition), which exposes methods, attributes, and configuration properties. When it is incorporated in a Java Collaboration, the SAGOutboundAdapter OTD allows you to build powerful business logic into your Projects.

The SAGOutboundAdapter OTD is comprised of the following nodes:

  • Configuration: enables dynamic configuration of the Adapter at runtime

  • Constants: provides various SNL constants

  • Primitives: provides all of the SNL Primitives for advanced users

  • RemoteApis: provides user access to the Remote API’s client APIs

  • Services: provide the InterAct and FileAct client implementations to support Real Time and Store-and-Forward messaging

In addition to the OTD, the SWIFT AG Adapter provides Connectivity Map and External System parameters for design time configuration.

The Oracle E-Business Suite 11i is a comprehensive enterprise resource planning (ERP) software package built upon Oracle’s database technology. It is presented within an Internet environment, using online transaction processing to address the global requirements of today’s typical enterprise.

The E-Business suite includes a large number of Product Families, grouped into software modules corresponding to what were once stand-alone computer systems used by individual departments. These Product Families are identified by their major business functions, such as:

  • Financials

  • Human Resources

  • Manufacturing

  • Marketing

  • Sales

These Product Families are integrated together to share a common database, allowing a company’s various departments to quickly and easily share information and communicate with each other.

Oracle Applications Basic Operation

The basic architecture of an Oracle system contains a set of base objects which are held in highly normalized core tables within the Oracle database. A de-normalized view of these base objects is provided in a set of Open Interface Tables (OITs), also maintained in the database. Data is passed from the Open Interface Tables to the core tables under the control of the Concurrent Manager.

In a typical scenario, an operator schedules an import job by means of the Oracle front end, which initiates the following procedure:

  1. Data is loaded into the Open Interface Tables, from which Import Jobs scheduled by the Concurrent Manager pass it to the core tables.

  2. The front end invokes the Oracle Concurrent Manager, which:

  3. Validates the data in the Open Interface Table, based on a set of stored SQL procedures.

  4. Inserts the validated rows into the Oracle Applications Database.

There are several limitations to this very basic scheme:

  • Once data is in the Open Interface Table, it cannot be withdrawn or corrected.

  • Data failing the validation process may be handled in different ways—some import scripts update the original rows with error codes, while other scripts log errors to a file, requiring user intervention.

  • Only the default validation rules provided by Oracle are used in the validation process, and may not address specific customer requirements.

  • There is no easy way to insert batches of data as a transactional unit—for example, where all inserts from a batch must succeed (if any fail, then all must fail).

PeopleSoft’s Enterprise Resource Planning (ERP) software is a full-function application package that offers business applications for financials, human resources, customer relations, supply chain management, materials management, and business analytics. PeopleSoft provides what it calls “pure-Internet” architecture: Web-based applications designed to streamline a company’s operations by integrating systems to effectively connect its various departments, customers, and suppliers.

The Sun Java Composite Application Platform Suite and the PeopleSoft Adapter enable PeopleSoft to easily and transparently integrate with legacy systems, enterprise applications, and other platforms. The Sun Adapter for PeopleSoft exposes JCA and Web services compliant interfaces for the purpose of application and business integration.

SAP ALE (Application Link Enabling) is a technology for the exchange of business data between multiple SAP R/3 systems, or between SAP R/3 and customer applications. The vehicle for data exchange is an IDoc (Intermediate Document), an SAP-defined message structure that serves as a container for the different types of application data being transmitted.

ALE provides SAP customers with a program distribution model and technology that enables them to transfer IDocs across various platforms and systems.

The SAP IDoc Format

IDocs are used as containers for information, and are used to exchange business data between systems.

Several hundred IDocs are supplied with each SAP R/3 system, serving as templates for a wide variety of applications. The IDoc hierarchy is represented by the following terminology:

  • Message Types are related to specific applications such as Orders.

  • IDoc Types are different versions of standard Message Types, such as Orders for specific items or services.

The SAP ALE Adapter

The SAP ALE IDOC Object Type Definition (OTD), when used with the SAP BAPI Adapter in Transactional Remote Function Call (tRFC) mode, enables Sun Java Composite Application Platform Suite (Java CAPS) Projects to exchange data with SAP R/3 software using SAP’s Intermediate Documents (IDocs) via the Application Link Enabling (ALE) interface.

The next two sections provide an overview of how to use the IDoc OTD and the SAP BAPI Adapter to send or receive IDocs to SAP R/3.

Inbound Data Flow: SAP R/3 to Java CAPS

During routine operations, an application on the SAP R/3 system generates a transaction designated for an external system. The ALE interface converts the data from the internal data format to the IDoc format, and sends it via tRFC to the SAP BAPI Adapter, acting as an RFC server.

The Java CAPS Project’s business rules receive the IDoc data from the SAP BAPI Adapter, perform any necessary processing or routing, and send the information to another Adapter connected to the recipient system. Any data transformation required for the target application is performed in your Project Collaborations.

  1. The Adapter reads in the required configuration parameters and establishes a network connection with the SAP R/3 system. The Adapter acts as an RFC server, receiving IDocs from the SAP R/3 system.

  2. When the IDoc is sent from SAP R/3 via tRFC, the SAP BAPI Adapter uses the RFC OTD, IDOC_INBOUND_ASYNCHRONOUS, to receive the IDoc data.

  3. IDoc data received by the IDOC_INBOUND_ASYNCHRONOUS OTD can be marshaled out of that OTD and unmarshaled into an IDoc OTD.

  4. The Adapter checks the incoming TID (Transactional ID) against a file-based TID database, which tracks transactions that have been committed successfully or rolled back.

  5. If the TID is accepted as new, the process moves on to the next step. If not, the Adapter composes the appropriate response and logs an exception in the log file.

  6. If the Collaboration or Business Process fails, an exception is logged in the log file and raised back to SAP R/3.

  7. The Adapter then repeats the procedure beginning with step 2.

Outbound Data Flow: Java CAPS to SAP R/3

In the outbound mode, you must first get the data into the IDoc OTD using its unmarshal method. From the IDoc OTD, you marshal the data and unmarshal it into the IDOC_INBOUND_ASYNCHRONOUS RFC OTD, which sends the IDoc to SAP R/3 using the tRFC protocol.

  1. When the Collaboration or Business Process starts to run, the Adapter is initialized with its configuration properties.

  2. The data is unmarshaled to the IDoc OTD before being sent to the SAP BAPI Adapter’s RFC OTD, IDOC_INBOUND_ASYNCHRONOUS.

  3. The SAP BAPI Adapter transmits the data to SAP R/3.

  4. The SAP BAPI Adapter associates the next TID (from a persistent, resettable counter) with the transformed outbound message and sends it via tRFC to the SAP R/3 host.

  5. If no exceptions are raised by the receiving SAP R/3 host, the next TID is incremented.

  6. The Adapter repeats the procedure beginning with step 2.

Messages are sent to the SAP R/3 host via Transactional RFC (tRFC). With tRFC, the receiving SAP R/3 system relies on a unique Transactional ID (TID) sent with the message to ascertain whether or not a transaction has ever been processed by it before. The SAP BAPI Adapter assumes that all messages handled are new and assigns a new TID to each message.


Note –

If you have IDoc data in a byte array format you may unmarshal it directly to the IDOC_INBOUND_ASYNCHRONOUS OTD without using the IDoc OTD first.


The Siebel EAI Adapter enables the application to exchange messages with the Siebel EAI interface via a Web server using open standards such as HTTP and XML. There are two distinct processes involved in using the Siebel EAI Adapter:

  • A design-time process, in which you obtain information about the Siebel Interface Object; and

  • A run-time process, in which you use the Project to exchange data with Siebel EAI.

Design-Time Process

The design-time process, which is an integral part of Project development, is primarily concerned with extracting metadata from the Siebel application. This metadata is then used to format the messages propagated by the adapter.

This process uses the Siebel EAI OTD Wizard, which prompts you for information to find and connect to the desired Siebel instance. The Wizard then connects to Siebel and extracts the business services that are exposed through the Siebel Web Engine. These services are presented to you for selection of the appropriate service and operation.

When the service and operation have been selected, an OTD representing the selections is generated and saved in the repository.

Run-Time Process

During run-time, the Siebel EAI Adapter’s components relay the contents of web requests to Java Collaborations or Business Processes for further processing and subsequent hand-off to an outbound Siebel EAI Adapter.

In routine operation, the Siebel EAI Adapter uses HTTP to post a Siebel XML-formatted message to Siebel. It also specifies one of the following actions to be performed on the XML message:

  • Delete

  • Upsert (Insert/Update)

  • Query

The result is that a corresponding Workflow is executed to process the message. A Siebel Workflow is a customized business application for managing and enforcing business processes.

The Siebel EAI Adapter POSTs the message to the Web server. The Siebel Web Server Extension invokes the specified Business Service which, in turn, starts an internal Workflow.

The Workflow invokes the Siebel EAI XML Converter, which converts the information from XML into the Siebel internal format and presents it to the Siebel EAI Adapter. The information is then sent to the Siebel Server via the Siebel Object Manager.

If any data is to be returned, the EAI Siebel Adapter can pass the result to the EAI XML Converter and send the data back to the adapter as a Siebel XML message.

Workflow Templates

A set of Workflow Templates is included with the Siebel EAI Adapter. These Workflow Templates invoke the necessary Workflow Processes to map the data directly to or from the Siebel database.

Session vs. Sessionless Mode

You can run the Siebel EAI Adapter in either session or sessionless mode. When running in the default Sessionless mode, every message posted to Siebel is enveloped with the login method, negating the need for an explicit login. By contrast, when Siebel runs in Session mode, the collaboration must include both a login method at beginning and a logout method at the end. Session mode allows you to post multiple messages to Siebel within a loop between a single login and logoff statement. Session mode is only supported using the Java Collaboration Definition (JCD). You cannot use Session mode when using business processes in eInsight.

Using the Siebel Message Header

Siebel EAI Adapter supports both Siebel integration objects and Application Service Interfaces (ASIs). A Siebel message header is required for most integration objects or ASIs. In a JCD, you can include the Siebel Message Header by invoking the appropriate methods provided in the Siebel EAI OTD. When creating business processes in eInsight, the Siebel Message Header is automatically included when the appropriate web service operation (Query, Update, Insert, Delete) is selected. Also, be sure to set the integrationObjectName.

This topic provides conceptual information about SAP BAPI and its Sun Java CAPS Adapter.

About SAP

SAP creates software for the Enterprise Resource Planning (ERP) business sector. The company’s main product is SAP R/3, which uses a three-tier application architecture—database, application server, and client—to facilitate real-time data processing.

About the SAP BAPI Adapter

The SAP BAPI Adapter enables Java CAPS Projects to exchange data with SAP R/3 software using Business Application Programming Interfaces (BAPIs), RFCs, and IDocs.

The SAP BAPI Adapter uses the SAP Java Connector (SAP JCo) to allow Java applications to access BAPIs and RFCs.

The functionality of the SAP BAPI Adapter simplifies the process of determining the requisite IMPORT, EXPORT, CHANGING, and TABLE parameters—collecting all the necessary data using the correct type and format, calling the Remote Function Module (RFM) that represents the BAPI, and then extracting and parsing data from the EXPORT and/or TABLE parameters.

Before it can be invoked, a BAPI or RFM requires the following parameters:

  • IMPORT parameters: data provided to the BAPI

  • EXPORT parameters: data returned by the BAPI

  • CHANGING parameters: data provided to and/or returned by the BAPI/RFC

  • TABLE parameters: data provided to and/or returned by the BAPI/RFC

The detailed metadata for these parameters, such as descriptions of their value types and their mandatory or optional nature, can be found under SAP transaction SE37.

The metadata for a BAPI/RFC in SAP R/3 is extracted by the BAPI wizard, which uses it to build the BAPI/RFC OTD. This OTD is used in Java Collaborations and eInsight Business Processes to invoke or receive the BAPI/RFC call.

The SAP BAPI Adapter Data Flows

When the SAP BAPI Adapter communicates with the SAP R/3 software, it uses the RFC protocol. The list below shows the RFC types of communication used:

  • Outbound (Java CAPS to SAP R/3): non-transactional (regular) RFC and transactional RFC (tRFC)

  • Inbound (SAP R/3 to Java CAPS): non-transactional and transactional RFC (tRFC)

Outbound Data Flow: Java CAPS to SAP R/3

Outbound communications occur when the Adapter receives data from Java CAPS and sends it to SAP R/3 by calling a specific BAPI or RFM. The figure below shows a non-transactional outbound process.

The figure above shows the following steps for the outbound data flow:

  1. The Collaboration or Business Process populates the appropriate BAPI or RFC Import, Changing, and Table parameter nodes on the BAPI/RFC OTD with data from an inbound OTD.

  2. The Adapter logs onto the SAP R/3 application using preconfigured properties.

  3. The Adapter calls the BAPI OTD’s execute() method. Any work performed is immediately committed by SAP R/3 through autocommit.

  4. The SAP R/3 application returns successfully.

Inbound Data Flow: SAP R/3 to Java CAPS

For the inbound data flow, the SAP BAPI Adapter can receive data from SAP R/3 via RFC or tRFC. The sections below describe each protocol.

To enable the SAP BAPI Adapter to receive data from SAP R/3, configure the Environment properties with an RFC destination created within SAP R/3.

Inbound Data Flow via RFC

The sequence diagram uses a sample CostCenter OTD to describe the RFC inbound sequence.

The figure above shows the following steps for the inbound data flow via RFC:

  1. The Business Process is activated when an RFM call is received from SAP R/3.

  2. Finding that data from an RFM is available, the Business Process accesses all pertinent data nodes and sends the gathered information to other Java CAPS components.

  3. The Adapter returns the results of the RFM execution back to SAP.

Inbound Data Flow via tRFC

Communication via tRFC is similar to RFC, except that it adds transactional verification steps prior to committing or rolling back. tRFC is preferred over RFC because of the additional reliability. By using unique TIDs associated with a BAPI/RFM call, SAP R/3 processes the data once, and only once. The figure below shows inbound data flow via tRFC.

The figure above shows the following steps for the inbound data flow via tRFC:

  1. The Business Process is activated when an RFM call is received from SAP R/3.

  2. Finding that data from an RFM is available, the Business Process accesses all pertinent data nodes and sends the gathered information to other Java CAPS components.

  3. The Adapter returns the results of the RFM execution back to SAP R/3.

  4. If the RFM call returned successfully without exceptions, SAP R/3 informs the Adapter that the data can be committed by calling onCommitTID().

  5. The Adapter updates the TID in the file database as being Committed, commits the data, and sends an onCommitTID() return to SAP R/3.

  6. If the RFM call did not return successfully for any reason, SAP R/3 informs the Adapter that the data must be rolled back by calling onRollbackTID().

  7. The Adapter sends an onRollbackTID() return to SAP R/3, confirming that the TID was not committed.
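The TID bookkeeping that makes the inbound flows above exactly-once (the file-based TID database of the ALE inbound flow, and the onCommitTID / onRollbackTID confirmations of the tRFC flow just listed) is easier to reason about as working code. The following is an added example, not Java CAPS or SAP code: it models the receiving side of tRFC with a small file-backed TID store so that a redelivered TID is acknowledged without re-running the business logic, a failed call is rolled back, and the state survives a restart. The JSON file layout, the state names and the function names are assumptions for illustration; the IDoc payloads are constructed.

```python
"""Exactly-once processing of tRFC calls keyed by Transactional ID (TID)."""
import json
import os
import tempfile
from typing import Callable, Dict, Optional

CREATED, EXECUTED, COMMITTED, ROLLED_BACK = "created", "executed", "committed", "rolled_back"


class TidStore:
    """File-backed TID database (assumed JSON layout); every state change is flushed to disk."""

    def __init__(self, path: str) -> None:
        self.path = path
        self._state: Dict[str, str] = {}
        if os.path.exists(path):
            with open(path) as fh:
                self._state = json.load(fh)

    def get(self, tid: str) -> Optional[str]:
        return self._state.get(tid)

    def set(self, tid: str, state: str) -> None:
        self._state[tid] = state
        tmp = self.path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(self._state, fh)
        os.replace(tmp, self.path)  # atomic rename: a crash never leaves a torn database


class TrfcServer:
    """Receiving side of tRFC: the caller invokes on_call, then on_commit_tid or on_rollback_tid."""

    def __init__(self, store: TidStore, handler: Callable[[bytes], None]) -> None:
        self.store = store
        self.handler = handler
        self.executions = 0  # how many times the business logic actually ran

    def on_call(self, tid: str, payload: bytes) -> str:
        if self.store.get(tid) in (EXECUTED, COMMITTED):
            # Redelivery of a TID already processed (e.g. the commit ack was lost): acknowledge, do not re-run.
            return "duplicate"
        self.store.set(tid, CREATED)  # an unknown or rolled-back TID may be (re)executed
        try:
            self.handler(payload)
        except Exception:
            self.store.set(tid, ROLLED_BACK)  # raise back to the caller so it will not commit this TID
            raise
        self.executions += 1
        self.store.set(tid, EXECUTED)
        return "executed"

    def on_commit_tid(self, tid: str) -> bool:
        if self.store.get(tid) != EXECUTED:
            return False
        self.store.set(tid, COMMITTED)
        return True

    def on_rollback_tid(self, tid: str) -> bool:
        self.store.set(tid, ROLLED_BACK)
        return True


def demo(path: Optional[str] = None) -> dict:
    """One normal transaction, one redelivery, one failing call, then a restart against the same file."""
    path = path or os.path.join(tempfile.mkdtemp(), "tids.json")
    delivered = []

    def handler(payload: bytes) -> None:  # stands in for the Collaboration's business logic
        if payload == b"BAD":
            raise ValueError("constructed failure in business logic")
        delivered.append(payload)

    srv = TrfcServer(TidStore(path), handler)
    first = srv.on_call("TID-0001", b"IDOC-A")   # constructed IDoc payload
    srv.on_commit_tid("TID-0001")
    again = srv.on_call("TID-0001", b"IDOC-A")   # the sender redelivers after a lost commit acknowledgement
    try:
        srv.on_call("TID-0002", b"BAD")
    except ValueError:
        pass
    srv.on_rollback_tid("TID-0002")
    srv2 = TrfcServer(TidStore(path), handler)  # restart: the file database is reloaded
    after_restart = srv2.on_call("TID-0001", b"IDOC-A")
    return {"first": first, "again": again, "after_restart": after_restart,
            "executions": srv.executions, "delivered": delivered, "tid2": srv2.store.get("TID-0002")}
```

The point to check in a real deployment is the one demo() exercises at the end: the TID database must be durable across adapter restarts, otherwise a redelivered TID after a crash is executed a second time.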

This topic provides conceptual information about WebSphere MQ and its Sun Java CAPS Adapter.

About IBM’s WebSphere MQ

WebSphere MQ (formerly MQSeries™) from IBM™ is a client-server message broker supporting an open API (application programming interface), available on a variety of operating systems including AIX™, Solaris™, HP-UX™, and Windows™. WebSphere MQ is “middleware” that provides commercial messaging and queuing services. Messaging enables programs to communicate with each other via messages rather than direct connection. Messages are placed in queues for temporary storage, freeing up programs to continue to work independently. This process also allows communication across a network of dissimilar components, processors, operating systems, and protocols.

About the WebSphere MQ Adapter

The Sun Adapter for WebSphere MQ (referred to as the WebSphere MQ Adapter throughout this document) allows the Sun Java CAPS ESB system to exchange data with IBM’s WebSphere MQ. Sun Java CAPS ESB, using the WebSphere MQ Adapter, uses business logic within a Collaboration or Business Process to perform operations for data identification, manipulation, and transformation. Messages are tailored to meet the communication requirements of specific applications or protocols. Queues or Topics provide non-volatile storage for data within the Sun Java CAPS ESB system allowing applications to run independently of one another at different speeds and times.

The WebSphere MQ Adapter transparently integrates existing systems with IBM’s WebSphere MQ. This document explains how to install and configure the WebSphere MQ Adapter.

  • © , Oracle Corporation and/or its affiliates
[ ] \ : " ; ' < > ? , . /

  • At least one upper case and one lower case letter.

  • At least one numeric character.

  • At least one special character.

  • The number of occurrences of the same character in the password must be equal to or less than half the number of characters in the password, minus one. For example, if the password is 15 characters long, then there can be no more than six occurrences of the same character.

  • The value supplied for a password cannot be the same as the operator name or SWIFTNet user name.


Alliance Gateway Administration and Operations Guide

Configuration



Authentication Servers

Authentication Servers and One-Time Passwords

Description

As an alternative to user-defined passwords, you can configure Alliance Gateway operators and virtual SWIFTNet users to log in with a one-time password, a generated password that is used for one session only. Alliance Gateway uses an authentication server to authenticate the one-time password that an operator or a virtual SWIFTNet user provides at login.

One-time password overview

[Figure: the user logs in through the user interface; the Alliance Gateway server sends a query to the authentication server's one-time password directory and receives a response.]

A one-time password is generated by a hardware token, a physical device kept by the operator that generates one-time passwords, and is validated by a separate authentication server with which Alliance Gateway communicates. To be authenticated, the user must provide a user name and the one-time password generated by the hardware token. Alliance Gateway forwards the authentication request to the authentication server, which either authenticates or rejects the password.

Prerequisites

To use the one-time password functionality, you must do the following:

  • Provide and deploy the authentication server. This server must comply with the RADIUS protocol (RFC ) except for the Challenge-Response feature.

  • In Alliance Gateway:

    - Configure an authentication server group with at least one authentication server. For more information, see Manage Authentication Server Groups on page

    - Configure the Alliance Gateway operators and virtual SWIFTNet users to use the one-time password authentication method. For operators, see Manage Operators on page. For virtual SWIFTNet users, see Manage Virtual SWIFTNet Users on page

  • Configure the Alliance Gateway operators and virtual SWIFTNet users within the authentication server. This is outside the scope of Alliance Gateway.

  • Provide the password hardware tokens to the users.

Startup

The connectivity to the authentication server is established during the startup of the sag_bootstrap. This connection must remain available, independent of the Alliance Gateway status (started or stopped). An event is logged if it is not possible to connect to the authentication server.

25 August


Communication protocol

Alliance Gateway communicates with the authentication server by using the standard RADIUS protocol features:

  • Access-Request

  • Access-Accept

  • Access-Reject

The Challenge-Response authentication feature of RADIUS is not supported. Sharing hardware tokens If multiple Alliance Gateway instances define the same user names which all use one-time passwords that the same authentication server authenticates, then the users must share the same hardware token. This may occur for example when the database configuration is replicated many times. An operator or a virtual SWIFTNet user can log in to an Alliance Gateway instance from one location at a time only. If the same operator or virtual SWIFTNet user logs in from another location, then Alliance Gateway logs out the operator or virtual SWIFTNet user from the first login. Bilateral key requirements The bilateral secret key used by the RADIUS protocol is composed of 32 characters and must be identically configured on Alliance Gateway as on the authentication server. This length is enforced by Alliance Gateway. Each half of the key (16 characters) is composed of the printable characters (US-ASCII characters 32 to included) and must comply with the following password complexity rules: •

The key must contain at least one upper case and one lower case alphabetic character.



The key must contain at least one number.



Any character cannot be repeated more than half of the length minus one.

4-eyes principle requirements To implement the 4-eyes principle in the authentication server configuration, the following segregation of roles is defined: •

Two operators enter the secret keys (for the primary and secondary server), each of them responsible for half of the length of the key.



Different operating profiles allow operators to modify or enable the authentication configuration data. Typically one operator can only perform the modifications, while another can only enable them.

Two authentication servers If Alliance Gateway sends a request to the primary server of an authentication server group and no response is received within 30 seconds, then Alliance Gateway tries the same request with the secondary server of that authentication server group, if configured. If, after another 30 seconds, Alliance Gateway has not received any response from the secondary server, then the request is rejected and an event is logged to indicate that authentication failed. If Alliance Gateway receives a response from the secondary server, then the request is processed and an event is logged to indicate that Alliance Gateway switched to the secondary authentication server.
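The primary/secondary rule above written out as a small decision routine. This is an added illustration, not Alliance Gateway code: the RADIUS transport is hidden behind a `send` callable that the caller supplies, and the server host names and the default port are constructed values.

```python
"""Failover between the primary and secondary authentication server of a group.

Added illustration of the timing rules described in the guide; it is not
Alliance Gateway code. The RADIUS exchange is hidden behind an injected
`send` callable so the logic can be exercised offline with constructed
servers. Only the Access-Request / Access-Accept / Access-Reject outcomes the
guide names are modelled; Access-Challenge (Challenge-Response) is not.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

TIMEOUT_SECONDS = 30            # per-server wait stated in the guide
ACCESS_ACCEPT = "Access-Accept"
ACCESS_REJECT = "Access-Reject"


@dataclass(frozen=True)
class AuthServer:
    host: str
    port: int = 1812            # constructed default; the guide leaves the port to configuration


@dataclass(frozen=True)
class AuthServerGroup:
    name: str
    primary: AuthServer
    secondary: Optional[AuthServer] = None


# send(server, user, otp, timeout_seconds) -> reply code, or None when the
# server did not answer within timeout_seconds.
SendFn = Callable[[AuthServer, str, str, int], Optional[str]]


def authenticate(group: AuthServerGroup, user: str, otp: str,
                 send: SendFn, events: List[str]) -> bool:
    """Apply the group's failover rule and return whether the login is accepted.

    The events the guide says are logged are appended to `events` as text.
    Worst case before a reject is two timeouts, that is 60 seconds.
    """
    reply = send(group.primary, user, otp, TIMEOUT_SECONDS)
    if reply is None and group.secondary is not None:
        # Only a missing response triggers the switch; an Access-Reject from
        # the primary is a valid answer and is not retried on the secondary.
        reply = send(group.secondary, user, otp, TIMEOUT_SECONDS)
        if reply is not None:
            events.append(f"switched to secondary authentication server "
                          f"of group {group.name}")
    if reply is None:
        events.append(f"authentication failed for {user}: no response from "
                      f"authentication server group {group.name}")
        return False
    # Anything other than Access-Accept (a reject, or an unsupported
    # Access-Challenge) leaves the user logged out.
    return reply == ACCESS_ACCEPT


def make_send(replies: Dict[str, Optional[str]]) -> SendFn:
    """Constructed transport: maps host -> reply code, a missing host meaning timeout."""
    def send(server: AuthServer, user: str, otp: str, timeout: int) -> Optional[str]:
        return replies.get(server.host)
    return send


if __name__ == "__main__":
    group = AuthServerGroup("otp-group", AuthServer("radius-a.example"),
                            AuthServer("radius-b.example"))
    log: List[str] = []
    accepted = authenticate(group, "operator1", "493021",
                            make_send({"radius-b.example": ACCESS_ACCEPT}), log)
    print(accepted, log)
```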


Recommendations

SWIFT recommends the following:

• The shared secret keys must be changed every two years. To help manage these keys, Alliance Gateway verifies at each startup and every day at  if one of the shared secret keys has expired or is going to expire within the next 30 days. If so, then a warning security event is generated. The application is still able to work with the one-time password authentication servers.

• As appropriate, an implementation of network access control (firewalls, ACLs) or segregation of message flow (main and management flow) must be considered.

• If the authentication server is unavailable or the hardware token is not functioning properly, then the account is not able to log in to Alliance Gateway. It is therefore recommended to have appropriate emergency backup user accounts.
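A validator for the shared secret halves and their two-year lifetime, serving both the bilateral key requirements and the expiry warning in the recommendations above. This is an added example, not Alliance Gateway code; the upper bound of the printable range (126), the reading of the repetition rule and the 730-day lifetime are assumptions of mine.

```python
"""Validation of the 32-character RADIUS shared secret and its two-year lifetime.

Added example, not Alliance Gateway code. Assumptions: each 16-character half
is checked on its own, matching the 4-eyes rule that gives each half to a
different operator; 'printable US-ASCII' is taken as code points 32 to 126
(the guide leaves the upper bound blank); the repetition rule is read as
'no character may occur more than (16 // 2) - 1 = 7 times in a half'; and
'two years' is taken as 730 days.
"""
from datetime import date, timedelta
from typing import List

HALF_LENGTH = 16
KEY_LENGTH = 2 * HALF_LENGTH
MAX_OCCURRENCES = HALF_LENGTH // 2 - 1      # 7 under the reading above
KEY_LIFETIME = timedelta(days=730)          # "changed every two years" (assumed 730 days)
EXPIRY_WARNING = timedelta(days=30)         # warning window stated in the guide


def half_key_problems(half: str) -> List[str]:
    """Return the complexity rules that one 16-character half violates."""
    problems: List[str] = []
    if len(half) != HALF_LENGTH:
        problems.append(f"must be exactly {HALF_LENGTH} characters, got {len(half)}")
    if any(not 32 <= ord(c) <= 126 for c in half):
        problems.append("must contain only printable US-ASCII characters")
    if not any("A" <= c <= "Z" for c in half):
        problems.append("must contain at least one upper case letter")
    if not any("a" <= c <= "z" for c in half):
        problems.append("must contain at least one lower case letter")
    if not any("0" <= c <= "9" for c in half):
        problems.append("must contain at least one number")
    if half and max(half.count(c) for c in set(half)) > MAX_OCCURRENCES:
        problems.append(f"no character may occur more than {MAX_OCCURRENCES} times")
    return problems


def assemble_key(left: str, right: str) -> str:
    """Join the halves entered by the two operators; raise ValueError if either is invalid."""
    problems = [f"left half: {p}" for p in half_key_problems(left)]
    problems += [f"right half: {p}" for p in half_key_problems(right)]
    if problems:
        raise ValueError("; ".join(problems))
    key = left + right
    assert len(key) == KEY_LENGTH          # the length Alliance Gateway enforces
    return key


def key_expiry_status(set_on: date, today: date) -> str:
    """'expired', 'expiring' (inside the 30-day warning window) or 'ok'."""
    expires = set_on + KEY_LIFETIME
    if today >= expires:
        return "expired"
    if today + EXPIRY_WARNING >= expires:
        return "expiring"
    return "ok"


if __name__ == "__main__":
    # Constructed sample halves, one per operator.
    print(assemble_key("Ab3defghijklmnop", "Qr7stuvwxyz01234"))
    print(key_expiry_status(date(2024, 1, 1), date(2025, 12, 20)))
```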

Manage Authentication Server Groups

Description

The Configuration > User Management > Authentication Server Groups page enables you to manage authentication server groups and authentication servers. The Authentication Server Groups page contains these elements:

• A configuration parameter that allows overriding some parameters used by Alliance Gateway to communicate with RADIUS servers. See Configuration parameter on page 50.

• A function that allows you to manage the configuration parameter. See Configuration parameter function on page 50.

• Details of the available authentication server groups. See Details on page 50.

• Functions that allow you to manage the authentication server groups. See Functions on page 52.

For conceptual information about authentication servers, see Authentication Servers and One-Time Passwords on page .

Display


Configuration parameter

Configuration parameter: RADIUS Parameters
Definition: Allows overriding some parameters used by Alliance Gateway to communicate with RADIUS servers. This parameter must only be changed in exceptional circumstances. For more information, see Knowledge base tip . Default value: empty.

Configuration parameter function

Function: Reset to Default
Description: Resets the RADIUS Parameters configuration parameter to the default value. Procedure: Reset Values on page 42.

Details

Page / Window: Authentication Server Groups page
  Details: See General on page 50

Page / Window: Authentication Server Group Details window
  Tab: General. Details: See General on page 50
  Tab: Primary Server. Details: See Primary / Secondary Server on page 51
  Tab: Secondary Server. Details: See Primary / Secondary Server on page 51

General

Availability columns in the original table: Page view (1), Add window, Edit window.

Server Group Name
  The name of the authentication server group. This name must be unique. It is not allowed to use the same name for:
  • two authentication server groups
  • an authentication server group and an LDAP server group

Description
  A description of the authentication server group

Status
  Indicates the current status of the authentication server group. To modify the settings of an authentication server group or of the server(s) of that group, the status must be set to Disabled. It must then be set to Enabled for the changes to take effect. If an authentication server group is disabled, then neither the primary server nor the secondary server in that group can respond to authentication requests.

(1) Only displays the values, does not allow you to modify them.

Primary / Secondary Server

Availability columns in the original table: Page view (1), Add window, Edit window.

Host Address
  The host name or IP address of the authentication server

Key Left / Key Right
  The left / right part of the authentication key. Both the left and right parts of the authentication key must meet these criteria:
  • exactly 16 US-ASCII printable characters (characters 32 to ) long
  • contains at least one upper case and one lower case alphabetic character
  • contains at least one number
  • characters are not repeated within half of the length minus one

Show Clear Text
  Determines whether the system displays the authentication keys. By default, the system does not display the authentication keys. This is to help prevent unauthorised users reading the authentication key information "over your shoulder".

Port Number
  The port number on which authentication requests are sent on the host name or IP address. The port number must be in the range of to .

Local Port Number
  The local port number used by Alliance Gateway to send authentication requests and to receive authentication responses. If there is a firewall between Alliance Gateway and the authentication server, then this local port number must be left open on the firewall.

(1) Only displays the values, does not allow you to modify them.

Functions

Availability columns in the original table: Page view, Add window, Edit window.

Add
  Enables you to add an authentication server group

Delete
  Deletes a disabled authentication server group

Enable
  Enables a disabled authentication server group

Disable
  Disables an enabled authentication server group. If an authentication server group is disabled, then neither the primary server nor the secondary server in that group can respond to authentication requests.

Edit authentication server group details

To edit the authentication server group details, change the details in the corresponding fields, then click Save.

Related information

Authentication Servers and One-Time Passwords on page 47



LDAP Authentication

Concept

Introduction

Lightweight Directory Access Protocol (LDAP) allows the use of user directories that already exist within an institution to control access to a range of Alliance products. Institutions can use LDAP directories to authenticate the credentials (user name and password) of the users defined in those Alliance products.

Note: Alliance Gateway operators and virtual SWIFTNet users can be configured to use LDAP authentication. An operator or a virtual SWIFTNet user can log in to an Alliance Gateway instance from one location at a time only. If the same operator or virtual SWIFTNet user logs in from another location, then Alliance Gateway logs out the operator or virtual SWIFTNet user from the first login.

You can configure connections to a maximum of two LDAP servers (a primary and a secondary) per LDAP server group for resiliency purposes. An automatic failover mechanism switches between LDAP servers in the event of unavailability.

LDAP overview

[Figure: LDAP overview. The login from the user interface reaches the Alliance Gateway server, which sends a query to the LDAP directory and receives a response.]

LDAP authentication process

LDAP is used to authenticate the operator or virtual SWIFTNet user by verifying the user name and password. An Alliance Gateway Administrator creates users on the Alliance Gateway server, but can map the users to an LDAP identifier to use for verification of the credentials. The Alliance Gateway Administrator assigns profiles and units to the users on the Alliance Gateway server.

The LDAP authentication process is as follows:

1. A user logs in to a user interface (a GUI application running in Alliance Web Platform) as an Alliance Gateway operator or a virtual SWIFTNet user that uses LDAP authentication.

2. The Alliance Gateway server receives the login request and checks whether the user is authenticated locally, through a one-time password, or through LDAP authentication.

3. If the user is authenticated through LDAP, then the user name is mapped to an LDAP identifier.

   Note: External Identifier is an optional field for operators and virtual SWIFTNet users. If this field is empty, then the user name is used instead to check the user credentials.

4. The Alliance Gateway server sends the LDAP identifier and password to the LDAP server.

5. The LDAP server attempts to authenticate the user.

6. If the LDAP server successfully authenticates the user, then the Alliance Gateway server receives confirmation.

7. The user can use the permissions assigned in Alliance Gateway to log in.
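Steps 2 to 7 of the process above, together with the one-location-at-a-time rule from the Concept section, as added example code rather than Alliance Gateway's own. The user store, the LDAP bind callable and all credentials are constructed so the flow runs offline.

```python
"""Steps 2 to 7 of the LDAP authentication process plus the one-location rule.

Added example, not Alliance Gateway code. The LDAP server is an injected
bind(identifier, password) -> bool callable and the user store is an
in-memory dict, both constructed so the flow runs offline; the local-password
and one-time-password checks are likewise injected callables.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Checker = Callable[[str, str], bool]


@dataclass
class GatewayUser:
    name: str
    auth_method: str                       # "local", "otp" or "ldap"
    external_identifier: str = ""          # the optional External Identifier field
    profiles: Tuple[str, ...] = ()         # assigned in Alliance Gateway, not in LDAP


def ldap_identifier(user: GatewayUser) -> str:
    """Step 3 and its Note: an empty External Identifier means the user name is sent."""
    return user.external_identifier or user.name


@dataclass
class LoginBroker:
    users: Dict[str, GatewayUser]
    ldap_bind: Checker
    local_check: Checker
    otp_check: Checker
    sessions: Dict[str, str] = field(default_factory=dict)   # user name -> location
    events: List[str] = field(default_factory=list)

    def login(self, name: str, password: str, location: str) -> Optional[Tuple[str, ...]]:
        """Return the user's Alliance Gateway profiles on success, None on failure."""
        user = self.users.get(name)
        if user is None:
            return None
        # Step 2: dispatch on the authentication method configured for the user.
        if user.auth_method == "ldap":
            # Steps 4 to 6: the LDAP server verifies identifier and password.
            accepted = self.ldap_bind(ldap_identifier(user), password)
        elif user.auth_method == "otp":
            accepted = self.otp_check(name, password)
        else:
            accepted = self.local_check(name, password)
        if not accepted:
            return None
        # One location at a time: a second login displaces the first session.
        previous = self.sessions.get(name)
        if previous is not None and previous != location:
            self.events.append(f"{name} logged out from {previous} after login from {location}")
        self.sessions[name] = location
        # Step 7: permissions come from Alliance Gateway, not from the directory.
        return user.profiles


def constructed_broker() -> LoginBroker:
    """A broker wired to constructed, in-memory credential stores."""
    directory = {"alice.ldap": "Wint3r!Road", "bob": "Spr1ng#Lane"}   # LDAP identifier -> password
    local = {"carol": "Loc4l*Pass"}
    users = {
        "alice": GatewayUser("alice", "ldap", external_identifier="alice.ldap", profiles=("Operator",)),
        "bob": GatewayUser("bob", "ldap", profiles=("Dashboard_Monitor",)),
        "carol": GatewayUser("carol", "local", profiles=("Administrator",)),
    }
    return LoginBroker(
        users=users,
        ldap_bind=lambda ident, pw: directory.get(ident) == pw,
        local_check=lambda user_name, pw: local.get(user_name) == pw,
        otp_check=lambda user_name, pw: False,   # no authentication server group in this sample
    )


if __name__ == "__main__":
    broker = constructed_broker()
    print(broker.login("alice", "Wint3r!Road", "ws-1"))
    print(broker.login("alice", "Wint3r!Road", "ws-2"), broker.events)
```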


Manage LDAP Server Groups

Description

The Configuration > User Management > LDAP Server Groups page enables you to manage LDAP (Lightweight Directory Access Protocol) server groups and LDAP servers. The LDAP Server Groups page contains these elements:

• Details of the available LDAP server groups. See Details on page 54.

• Functions that allow you to manage the LDAP server groups. See Functions on page 57.

For conceptual information about LDAP servers, see Concept on page .

Display

Details

Page / Window: LDAP Server Groups page
  Details: See General on page 55

Page / Window: LDAP Server Group Details window
  Tab: General. Details: See General on page 55
  Tab: Primary Server. Details: See Primary / Secondary Server on page 55
  Tab: Secondary Server. Details: See Primary / Secondary Server on page 55


General

Availability columns in the original table: Page view (1), Add window, Edit window.

Server Group Name
  The name of the LDAP server group. Maximum 20 characters. The following characters are allowed:
  • a-z
  • A-Z
  • _-:
  This name must be unique. It is not allowed to use the same name for:
  • two LDAP server groups
  • an LDAP server group and an authentication server group

Description
  A description of the LDAP server group. Maximum  US-ASCII printable characters.

Status
  Indicates the current status of the LDAP server group. To modify the settings of an LDAP server group or of the server(s) of that group, the status must be set to Disabled. It must then be set to Enabled for the changes to take effect. If an LDAP server group is disabled, then neither the primary server nor the secondary server in that group can respond to authentication requests.

(1) Only displays the values, does not allow you to modify them.

Primary / Secondary Server

Availability columns in the original table: Page view, Add window, Edit window.

Host Address
  The host name or IP address of the LDAP server. Maximum  US-ASCII printable characters.

Connection Security
  Determines whether Alliance Gateway must use TLS to secure the connection to the LDAP server

Port Number
  The local port number used by Alliance Gateway to communicate with the LDAP server. If not defined, then Alliance Gateway uses either of these default LDAP ports:
  •  when Connection Security is not selected
  •  when Connection Security is selected

Connect DN
  The user DN used by Alliance Gateway to connect to the LDAP server to retrieve user profile information about users that log in to the system. Optional. The LDAP server may support anonymous access. Maximum  US-ASCII printable characters.

Configure Connect Password
  Determines whether you configure the connect password

Connect Password
  The user password that Alliance Gateway uses with the Connect DN to connect to the LDAP server to retrieve user profile information about users that log in to the system. Optional. The LDAP server may support anonymous access. Maximum  US-ASCII printable characters.

Confirm Connect Password
  Confirmation of the connect password

User DN
  The DN of the entry point in the user directory. This entry point corresponds with the root of the sub-tree where user nodes are defined. Maximum  US-ASCII printable characters.

User Object Class
  The class of the user nodes within the directory. Optional. Useful in case there are not only user nodes in the directory. Maximum 32 characters. The following characters are allowed:
  • a-z
  • A-Z
  • -

User Name Attribute
  The name of the attribute that contains the user name. Maximum 32 characters. The following characters are allowed:
  • a-z
  • A-Z
  • -

Functions

Availability columns in the original table: Page view, Add window, Edit window.

Add
  Enables you to add an LDAP server group. You can define as many LDAP server groups as you want.

Delete
  Deletes a disabled LDAP server

Enable
  Enables a disabled LDAP server

Disable
  Disables an enabled LDAP server. If an LDAP server group is disabled, then neither the primary server nor the secondary server in that group can respond to authentication requests.


Edit LDAP server group details

To edit the LDAP server group details, change the details in the corresponding fields, then click Save.

Related information

Concept on page 52

Secure an LDAP Connection

You can use TLS to secure the connection to an LDAP authentication server. The LDAP server must have TLS support enabled. The TLS certificate installed on the LDAP server can be either a self-signed certificate or a certificate signed by a Certification Authority. The keystore that LDAP uses on Alliance Gateway must trust either the self-signed TLS certificate or the Certification Authority certificate. To implement this, perform the applicable procedure:

• Secure an LDAP Connection on Windows on page 58

• Secure an LDAP Connection on AIX on page 59

• Secure an LDAP Connection on Oracle Solaris on page 60

• Secure an LDAP Connection on Linux on page 61

Secure an LDAP Connection on Windows

Procedure

1. Log on to Alliance Gateway as Alliance Gateway owner.

2. Open a DOS command prompt.

3. Enter mmc to launch the Microsoft Management Console application. The Microsoft Management Console window appears.

4. Use File > Open to open the file /system32/sprers.eu, where you replace with the path to the WINDOWS directory on the Alliance Gateway machine. The Certificates - Current User window appears.

5. Select the Trusted Root Certification Authorities > Certificates store.

6. Select Action > All Tasks > Import. The Certificate Import Wizard appears.

7. Follow the instructions in the Certificate Import Wizard to import either the self-signed TLS certificate or the Certification Authority certificate into the Trusted Root Certification Authorities certificate store. A Security Warning message appears.

8. Click Yes. A Certificate Import Wizard message appears that confirms the successful import of the certificate.

9. Click OK. Close the Certificates - Current User window. A Microsoft Management Console dialog box appears. Click Yes. The Certificates - Current User window closes.



Secure an LDAP Connection on AIX

Before you begin

• Alliance Gateway looks for the LDAP dynamic library (libibmldap.a) in the following directories:
  - /opt/IBM/ldap/V/lib
  - /opt/IBM/ldap/V/lib
  - /usr/lib

  If on your system the LDAP library is not in one of these directories, then update the sag_sprers.eu file located in /bin. Add the LDAP_LIBRARY parameter as follows:
  1. LDAP_LIBRARY =/libibmldap.a, where is the directory where libibmldap.a is located.
  2. Restart the sag_bootstrap for the parameter to take effect. See UNIX or Linux: sag_bootstrap on page .

• On AIX, the iKeyman key management utility (gsk7ikm) is used to manage the CMS keystore that contains TLS certificates. gsk7ikm is a Java program that requires a JRE to run. Furthermore, it can handle a CMS keystore format only if the JRE is configured with the IBM CMS security provider. You must select the JRE by setting the environment variables JAVA_HOME and PATH as follows:
  export JAVA_HOME=
  export PATH=$JAVA_HOME/bin:$PATH

  The standard JREs are provided with AIX and are configured with the IBM CMS security provider. You can find them in these directories:
  - AIX /usr/java14 or /usr/java5
  - AIX /usr/java5

  In the SWIFTNet Link owner environment, the variable JAVA_HOME is set to /SNL/_jvm. This JRE does not feature the IBM CMS security provider. Therefore, you must redefine the environment variables JAVA_HOME and PATH as explained above before running gsk7ikm.

Procedure

1. Log on to Alliance Gateway as Alliance Gateway owner.

2. Launch the gsk7ikm graphical application. If you use an X-Window-based tool to connect remotely to the Alliance Gateway machine, then ensure that the DISPLAY environment variable is set to the display of your workstation. Also, if there is a firewall in use between the Alliance Gateway machine and your workstation, then make sure to configure the firewall rules to allow X-Window communication.

3. Configure the right JAVA_HOME and PATH environment so that CMS security is available when creating a new keystore.

4. Click Key Database File to create a new keystore and follow the instructions in the documentation.

5. Do either of the following:
   • To add a Certification Authority certificate, click Add in the right panel.
   • To add a new self-signed certificate, click Create and then New Self-Signed Certificate.

6. Restart the sag_bootstrap. See UNIX or Linux: sag_bootstrap on page .



Secure an LDAP Connection on Oracle Solaris

Procedure

1. Log on to Alliance Gateway as Alliance Gateway owner.

2. Open a Korn shell.

3. Use the certutil command-line application to create a new keystore in the /data/ldap directory:
   /usr/sfw/bin/certutil -N -d /data/ldap

4. Add either the self-signed TLS certificate or the Certification Authority certificate to the keystore:
   /usr/sfw/bin/certutil -A -n "" -i -a -t "C,C,C" -d [SAG_HOME]/data/ldap
   Replace with the name of the certificate. Replace with the path and file name of the certificate.

5. Restart the sag_bootstrap. See UNIX or Linux: sag_bootstrap on page .


Secure an LDAP Connection on Linux

On RHEL , LDAP with TLS does not work with TLS certificates with a signature algorithm that uses MD5, for example MD5-RSA. This is a security feature enforced by RHEL, since MD5 is obsolete.

Procedure

1. Log on to Alliance Gateway as Alliance Gateway owner.

2. Create a file named ldaprc in the /data/ldap directory.

3. Define TLS to secure the connection. The following rules apply while creating or updating the file:
   • The file must be owned by and readable by the Alliance Gateway owner.
   • The file must have the same format as sprers.eu (described in the man page).
   • The file must contain only TLS specific options. Alliance Gateway will handle the other options (URI, DNs, HOST, PORT).
   • All paths in the file must be absolute.

   Here is an example:
   TLS_CACERT /Alliance/Gateway/data/ldap/sprers.eu
   TLS_CACERTDIR /Alliance/Gateway/data/ldap
   TLS_REQCERT never

4. Add either the self-signed TLS certificate or the Certification Authority certificate to the keystore.

5. Restart the sag_bootstrap. See UNIX or Linux: sag_bootstrap on page .
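A check of an ldaprc file against the rules in step 3, added here and not part of the guide. The option names are OpenLDAP's ldap.conf TLS keywords, the sample content is constructed from the example above, and the check also reports a TLS_REQCERT value of never or allow, under which the LDAP server certificate is not verified (demand is the value that does verify it).

```python
"""Checks an ldaprc file against the rules listed in the Linux procedure.

Added example, not Alliance Gateway code. The sample content is constructed
from the guide's example. Option names are the standard OpenLDAP ldap.conf
TLS options; the check also flags TLS_REQCERT values that skip verification
of the LDAP server certificate (never, allow), since demand is the value that
actually authenticates the server.
"""
import os
import stat
import tempfile
from typing import List, Tuple

# TLS options whose value is a file or directory path and must be absolute.
PATH_OPTIONS = {"TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY", "TLS_RANDFILE"}
# Values of TLS_REQCERT under which the server certificate is not verified.
NON_VERIFYING_REQCERT = {"never", "allow"}

CheckResult = Tuple[List[str], List[str]]   # (rule violations, security warnings)


def check_ldaprc_text(text: str) -> CheckResult:
    """Apply the content rules: TLS-only options and absolute paths."""
    problems: List[str] = []
    warnings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank and comment lines, as in ldap.conf
        option, _, value = line.partition(" ")
        option = option.upper()            # ldap.conf keywords are case-insensitive
        value = value.strip()
        if not option.startswith("TLS_"):
            problems.append(f"line {lineno}: {option} is not a TLS option; "
                            "Alliance Gateway sets URI, DNs, HOST and PORT itself")
            continue
        if option in PATH_OPTIONS and not os.path.isabs(value):
            problems.append(f"line {lineno}: {option} path must be absolute: {value!r}")
        if option == "TLS_REQCERT" and value.lower() in NON_VERIFYING_REQCERT:
            warnings.append(f"line {lineno}: TLS_REQCERT {value} does not verify the "
                            "LDAP server certificate; consider demand")
    return problems, warnings


def check_ldaprc_file(path: str, owner_uid: int) -> CheckResult:
    """File-level rules (owner and readability) plus the content rules."""
    st = os.stat(path)
    problems: List[str] = []
    if st.st_uid != owner_uid:
        problems.append(f"{path} must be owned by the Alliance Gateway owner (uid {owner_uid})")
    if not st.st_mode & stat.S_IRUSR:
        problems.append(f"{path} must be readable by its owner")
    with open(path, encoding="utf-8") as handle:
        content_problems, warnings = check_ldaprc_text(handle.read())
    return problems + content_problems, warnings


def check_text_as_file(text: str) -> CheckResult:
    """Write `text` to a temporary file and run the file-level checks on it.

    The file's own uid stands in for the Alliance Gateway owner here; a real
    run passes that owner's uid to check_ldaprc_file.
    """
    with tempfile.NamedTemporaryFile("w", suffix="-ldaprc", delete=False) as tmp:
        tmp.write(text)
    try:
        return check_ldaprc_file(tmp.name, os.stat(tmp.name).st_uid)
    finally:
        os.remove(tmp.name)


# Constructed sample: the guide's example, with TLS_REQCERT never ...
SAMPLE_GUIDE = """TLS_CACERT /Alliance/Gateway/data/ldap/sprers.eu
TLS_CACERTDIR /Alliance/Gateway/data/ldap
TLS_REQCERT never
"""
# ... and a constructed file that breaks two of the rules.
SAMPLE_BAD = """URI ldap://ldap.example
tls_cacert data/ldap/ca.pem
TLS_REQCERT demand
"""

if __name__ == "__main__":
    print(check_ldaprc_text(SAMPLE_GUIDE))
    print(check_ldaprc_text(SAMPLE_BAD))
```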



Units

Concept

Purpose of units

Units provide a way to organise the logging of events generated by the following:

• administrative activity

• SWIFTNet message flow

Units enhance Alliance Gateway security by allowing operators to access only those events that are relevant to them. Controlling the visibility of events makes the Alliance Gateway Event Log a more efficient tool.

Units and message flow

Units can be assigned to operators, endpoints, message partners, and emission profiles. When events related to the message flow are logged, the corresponding unit is used.


Unit visibility management

In large institutions, units can be used to separate traffic and activity into different groups or departments, such as Billing, Treasury, or Stock Options. For example, all activity generated by a Finance department can be flagged with a unit called Finance. Events logged against the Finance unit are only visible to operators with the Finance unit assigned to them.

Units can also be assigned to operators. When a unit is assigned to an operator, all events logged against that unit become visible to that operator. To use units, an Alliance Gateway Administrator must define units and assign one or more units to each operator, specifying a default unit for each operator. Any event triggered by a particular operator is then logged to the operator's default unit. The Administrator operator is automatically granted visibility of events for all units.

The default unit

The default unit None is created at installation.

Defining new units

Once created, units cannot be deleted. For this reason, a warning appears before defining a new unit.



Manage Units

The Units page contains these elements:

• Details of the units defined for the current Alliance Gateway instance. See Details on page 63.

• Functions that allow you to manage the units. See Functions on page 63.


Display

Details

Availability columns in the original table: Page view (1), Add window, Edit window.

Name
  The name of the unit. Maximum 20 characters.

Description
  A description of the unit. Maximum  characters.

(1) Only displays the values, does not allow you to modify them.

Functions

Availability columns in the original table: Page view, Add window, Edit window.

Add
  Enables you to add a unit

Edit unit details

To edit the unit details, change the details in the corresponding fields, then click Save.

Related information

Concept on page 61



Operating Profiles

Concept

Definition

An operating profile defines the scope of administrative control that an operator has over functions in Alliance Gateway. It includes operating profile functions. Operators can only use the functionality assigned to their operating profile.

When Alliance Gateway is installed, an operating profile called Administrator is created and assigned to an operator of that name, also created at installation. This profile includes all Alliance Gateway operating profile functions. As of Alliance Gateway , another operating profile called Dashboard_Monitor is created during installation. This profile includes all the functions required to monitor alerts and to use related parts of Alliance Gateway Administration. For more information, see Alerts on page .

Operators must be assigned operating profiles with suitable functions to enable them to fulfil their responsibilities. You can modify an operating profile using Alliance Gateway Administration. For example, you can define an operating profile that allows an operator to add an operator, but not delete an operator. You can also define operating profiles such that adding or removing certain entities requires actions by two people. For more information, see Dual Authorisation on page . Profiles are independent from the type of password authentication selected for the operator.

Default operating profile functionality

Standard operating profile functionality is assigned to every operator upon creation. This default functionality cannot be revoked, as it does not appear in the list of available components. By default, all operators can do the following:

• Renew their own password, provided they know their current operator password.

• Request and monitor the status of the Alliance Gateway system and its subsystems. For more information, see Monitoring on page .

• Invoke the Traceset and Tracereset commands. For more information, see Start an Alliance Gateway Trace on page and Stop an Alliance Gateway Trace on page .

Operating profile function rules

Two types of dependencies exist within operating profile functions: functional dependencies deal with the relationship between functions, for example the relationship between the Adopt and View List of functions, and object dependencies deal with the relationship between objects, for example the Message Partner to Unit relationship.


The following general rules determine the relationship between operating profile functions:

1. For basic operations, the following functional dependencies apply:

   Basic function: Adopt, Archive, Delete
   Relationship: Any one function automatically grants the View List of function. The objects used in these functions are not interdependent. For example, Delete a Message Partner automatically grants View List of Message Partners, but not View List of Units.

   Basic function: Disable, Enable, Reset, Add
   Relationship: Any one function automatically grants the View List of function. The objects used in these functions are interdependent. For example, Add a Message Partner automatically grants View List of Message Partners, View List of Units, View MQ Connections and View List of Certificates. See the next table for object relationships.

   Basic function: View, Update
   Relationship: Any one function automatically grants the View and View List of functions. The objects used in these functions are interdependent. For example, Update a Message Partner automatically grants View Message Partner Details, View List of Message Partners, View List of Units, View MQ Connections and View List of Certificates. See the next table for object relationships.

   Basic function: Change
   Relationship: This function automatically grants the View and View Details functions. The objects used in these functions are not interdependent. For example, granting Change Event Logging Criteria automatically grants View List of Event Templates and View Event Template Details.

   Basic function: View List of
   Relationship: This function has no functional dependencies.

2. For the basic operations described earlier, the following object dependencies apply:

   Object: Endpoints. Is related to: Message partner and Unit
   Object: Message partner. Is related to: Unit, Certificate and MQ Connection
   Object: Operator. Is related to: Operating profiles and Unit

   For example, the Endpoints object is related to the Message Partner object and the Unit object. Granting Add an Endpoint also grants View List of Message Partners and View List of Units. Other objects have no object dependencies.

3. Non-basic functions have no dependencies:

   Function: Activate, Backup, Can Use, Deactivate, Manage, Remove, Run, Start, Stop
   Relationship: Any one function has no functional or object dependencies. For example, granting Manage LAU Right Part Key does not result in the granting of any other functionality.

4. Exceptions:

   Function: Change Endpoint Sequence
   Relationship: Change Endpoint Sequence only grants View List of Endpoints.

   Function: Add Certificate Relaxed Setting
   Relationship: This basic function has no dependency.
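The four rules and two tables above encoded as a function that computes what a grant implies, plus the transitive closure for a whole profile. This is an added example, not Alliance Gateway code; representing grants as (function, entity) pairs, with "View" standing for the "View ... Details" function, is my own modelling choice.

```python
"""Operating profile function dependencies, from the rules and tables above.

Added example, not Alliance Gateway code. A grant is a (function, entity)
pair such as ("Add", "Message Partner"); "View" stands for the
"View ... Details" function and "View List of" for the list function. The
guide's "View MQ Connections" is rendered as ("View List of", "MQ Connection").
"""
from typing import Dict, FrozenSet, Iterable, Set, Tuple

Grant = Tuple[str, str]

# Rule 2: object dependencies.
RELATED: Dict[str, Tuple[str, ...]] = {
    "Endpoint": ("Message Partner", "Unit"),
    "Message Partner": ("Unit", "Certificate", "MQ Connection"),
    "Operator": ("Operating Profile", "Unit"),
}

# Rule 1: basic functions grouped by what they imply.
LIST_ONLY = {"Adopt", "Archive", "Delete"}               # View List of, same object only
LIST_AND_RELATED = {"Disable", "Enable", "Reset", "Add"}  # View List of, plus related objects
VIEW_LIST_AND_RELATED = {"View", "Update"}                # View, View List of, plus related
VIEW_AND_LIST = {"Change"}                                # View and View List of, same object
# Rule 3: non-basic functions, and View List of itself, imply nothing.
NO_DEPENDENCY = {"Activate", "Backup", "Can Use", "Deactivate", "Manage",
                 "Remove", "Run", "Start", "Stop", "View List of"}
# Rule 4 exceptions, plus the Change example, keyed by the full function name.
EXCEPTIONS: Dict[str, Set[Grant]] = {
    "Change Endpoint Sequence": {("View List of", "Endpoint")},
    "Add Certificate Relaxed Setting": set(),
    "Change Event Logging Criteria": {("View", "Event Template"),
                                      ("View List of", "Event Template")},
}


def implied_grants(function: str, entity: str) -> Set[Grant]:
    """Return the grants that granting `function` on `entity` adds automatically."""
    full_name = f"{function} {entity}"
    if full_name in EXCEPTIONS:
        return set(EXCEPTIONS[full_name])
    if function in NO_DEPENDENCY:
        return set()
    implied: Set[Grant] = set()
    related = RELATED.get(entity, ())
    if function in LIST_ONLY:
        implied.add(("View List of", entity))
    elif function in LIST_AND_RELATED:
        implied.add(("View List of", entity))
        implied.update(("View List of", other) for other in related)
    elif function in VIEW_LIST_AND_RELATED:
        if function != "View":
            implied.add(("View", entity))
        implied.add(("View List of", entity))
        implied.update(("View List of", other) for other in related)
    elif function in VIEW_AND_LIST:
        implied.update({("View", entity), ("View List of", entity)})
    else:
        raise ValueError(f"unknown operating profile function: {function}")
    return implied


def effective_profile(granted: Iterable[Grant]) -> FrozenSet[Grant]:
    """A profile's explicit grants plus everything they imply, transitively."""
    result: Set[Grant] = set(granted)
    frontier = list(result)
    while frontier:
        function, entity = frontier.pop()
        for grant in implied_grants(function, entity):
            if grant not in result:
                result.add(grant)
                frontier.append(grant)
    return frozenset(result)


if __name__ == "__main__":
    for grant in sorted(effective_profile({("Add", "Endpoint"), ("Update", "Operator")})):
        print(grant)
```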

Available components and related functions The following table lists all Alliance Gateway components along with the entities and operating profile functions associated with them. The operating profile functions are accessed through Alliance Gateway Administration. For more information, see Manage Operating Profiles on page Component

Entity

Operating profile functions

Configuration Manager

Operator

Add an Operator Update an Operator Delete an Operator Enable an Operator Allow Unconditional Enable for Operator(1) Disable an Operator View List of Operators Reset an Operator's Password View Operator Details

25 August

66

Alliance Gateway Administration and Operations Guide

Configuration

- Operating Profile: Add an Operating Profile; Update an Operating Profile; Delete an Operating Profile; Enable an Operating Profile; Allow Unconditional Enable for Operating Profile (1); Disable an Operating Profile; View Operating Profile Details; View List of Operating Profiles
- Unit: Add a Unit; Update a Unit; View Unit Details; View List of Units
- Configuration Parameters: Update a Configuration Parameter; View Configuration Parameter Details; View List of Configuration Parameters; Manage Security Configuration Parameters; Import Configuration Data; Export Configuration Data
- Alerts: Control Alerts; View Alert Details; View List of Alerts

Application Interface
- Message Partner: Add a Message Partner; Update a Message Partner; Delete a Message Partner; Enable a Message Partner; Disable a Message Partner; View Message Partner Details; View List of Message Partners; Can Use Protected Formats (2); Manage LAU Left Part Key; Manage LAU Right Part Key; Remove LAU Setting (2); Remove RAHA TLS Setting (2)

MQ Host Adapter
- MQ Connection: Add MQ Connection; Delete MQ Connection; Disable MQ Connection; Enable MQ Connection; Update MQ Connection; View List of MQ Connections; View MQ Connection Details

Event Logger
- Event Template: View Event Template Details; View List of Event Templates; View Event Log Details; View Event Log; Archive the Event Log; Change Event Logging Criteria

SWIFTNet Interface
- SWIFTNet User: Add a SWIFTNet User; Delete a SWIFTNet User; Update a SWIFTNet User; Disable a SWIFTNet User; Enable a SWIFTNet User; Allow Unconditional Enable for SWIFTNet User (1); Reset Password of a SWIFTNet User; View SWIFTNet User Details; View List of SWIFTNet Users; List concurrent SWIFTNet users
- Certificates (3): View List of Certificates; Update a Certificate; Add Certificate Relaxed Setting (4); View Certificate Details; Delete a Certificate; Adopt a Certificate; Move a Certificate; Initialise HSM Partition
- Endpoints: Add an Endpoint; Update an Endpoint; Delete an Endpoint; Change Endpoint Sequence; Can Use Relaxed Setting (2); View Endpoint Details; View List of Endpoints; Enable an Endpoint; Disable an Endpoint

System
- HSM: Show HSM Management GUI
- Process Controller: Start System; Start a Subsystem; Stop System; Stop a Subsystem; Activate a Subsystem; Deactivate a Subsystem; Backup Configuration Data; Run Integrity Check; Run readlog Command; Run SNL swiftnet Commands; Run statistics Command; Run System Check; Generate and Send supportinfo
- Authentication Server: Add an Authentication Server Group; Update an Authentication Server Group; Disable an Authentication Server Group; Enable an Authentication Server Group; Manage Left Authentication Server Secret; Manage Right Authentication Server Secret; View Authentication Server Group Details; View List of Authentication Server Groups; Delete an Authentication Server Group
- Licence: View Gateway Licence; Update Gateway Licence

File Transfer Interface
- File Transfer: Abort an Ongoing File Transfer; Archive File Transfers; View File Transfer Details; View List of File Transfers
- Emission Profile: Add an Emission Profile; Delete an Emission Profile; Disable an Emission Profile; Enable an Emission Profile; Manage Emission Profile LAU Left Part Key; Manage Emission Profile LAU Right Part Key; Remove Emission Profile LAU Setting; Update an Emission Profile; View Emission Profile Details; View List of Emission Profiles
- Reception Profile: Add a Reception Profile; Delete a Reception Profile; Disable a Reception Profile; Enable a Reception Profile; Manage Reception Profile LAU Left Part Key; Manage Reception Profile LAU Right Part Key; Remove Reception Profile LAU Setting; Update a Reception Profile; View Reception Profile Details; View List of Reception Profiles
- Security Profile: Add a Security Profile; Delete a Security Profile; Update a Security Profile; View Security Profile Details; View List of Security Profiles
- Store-and-Forward Queue: Add a Store-and-forward Queue; Delete a Store-and-forward Queue; Disable a Store-and-forward Queue; Enable a Store-and-forward Queue; Update a Store-and-forward Queue; View Store-and-forward Queue Details; View List of Store-and-forward Queues

MI Channel Support Interface (5)
- Batch Class: Add a Batch Class; Delete a Batch Class; Update a Batch Class; View Batch Class Details; View List of Batch Classes
- Message Flow Instance: Add a Message Flow Instance; Delete a Message Flow Instance; Disable a Message Flow Instance; Enable a Message Flow Instance; Start Replay for a Message Flow Instance; Update a Message Flow Instance; View Message Flow Instance Details; View List of Message Flow Instances
- MQ Channel: Add an MQ Channel; Delete an MQ Channel; Update an MQ Channel; View MQ Channel Details; View List of MQ Channels
- MQ Queue: Add an MQ Queue; Delete an MQ Queue; Update an MQ Queue; View MQ Queue Details; View List of MQ Queues
- MQ Manager: Add an MQ Manager; Delete an MQ Manager; Update an MQ Manager; View MQ Manager Details; View List of MQ Managers
- Routing Rule Set: Add a Routing Rule Set; Delete a Routing Rule Set; Update a Routing Rule Set; View Routing Rule Set Details; View List of Routing Rule Sets
- Routing Rule: Add a Routing Rule; Delete a Routing Rule; Update a Routing Rule; View Routing Rule Details; View List of Routing Rules
- Site: Add a Site; Delete a Site; Update a Site; View Site Details; View List of Sites
- SnF Queue: Add an SnF Queue; Delete an SnF Queue; Update an SnF Queue; View SnF Queue Details; View List of SnF Queues
- MIS Configuration: Generate MIS Configuration; Validate MIS Configuration
- MIS PKI Profile: Add an MIS PKI Profile; Delete an MIS PKI Profile; Update an MIS PKI Profile; View MIS PKI Profile Details; View List of MIS PKI Profiles
- MIS Security Profile: Add an MIS Security Profile; Delete an MIS Security Profile; Update an MIS Security Profile; View MIS Security Profile Details; View List of MIS Security Profiles

MI Channel Support Reliable Messaging (5)
- Emission Endpoint: Add an Emission Endpoint; Delete an Emission Endpoint; Update an Emission Endpoint; View Emission Endpoint Details; View List of Emission Endpoints
- Reception Endpoint: Add a Reception Endpoint; Delete a Reception Endpoint; Update a Reception Endpoint; View Reception Endpoint Details; View List of Reception Endpoints

(1) For more information about this function, see Dual Authorisation on page

(2) These operating profile functions are specifically aimed at controlling the reduction of security.

(3) Acquire a Certificate and Recover a Certificate are not Alliance Gateway operating profile functions. They are part of SWIFTNet Link functionality, can only be used by SWIFTNet users, and are protected by PKI.

(4) An operator needs this operating profile function to adopt or recover a relaxed certificate.

(5) MI Channel functionality only applies to customers who are accessing a market infrastructure service where MI Channel connectivity is available.

Operating profile functions and security

The default level of a message partner or endpoint provides maximum security. Operators entitled to update a message partner or an endpoint can improve the level of security, but not reduce it. Several operating profile functions are specifically aimed at controlling the reduction of security. Without these operating profile functions, operators cannot perform operations that reduce security. Additionally, if the default security level of an entity has been lowered, only operators with an operating profile that allows both lowering the relevant security level and updating the entity can make modifications.

Example

An operator with only Update a Message Partner can make modifications such as changing the type of the message partner, as long as the message partner remains at its maximum security level. When the security has been lowered, this operator can no longer make any modifications to this message partner, except to raise its security level. To make modifications to a message partner with lowered security, an operator needs an operating profile containing both the Remove LAU Setting and Update a Message Partner functions.


In contrast, an operator with just Remove LAU Setting can only lower the default LAU security for a message partner, not make any other modifications.

Operating profile examples

The following are three examples of operator profiles that you can use as a basis for creating your own operator profiles:

• Security operators

Security operators have specific administrative functions allowing them to do the following:
- manage certificates and SWIFTNet users
- update configuration parameters of type security
- define and maintain details of Alliance Gateway operators
- define operating profiles and assign suitable profiles to Alliance Gateway operators
- define units to segregate message traffic in Alliance Gateway, and assign units to operators
- manage event distribution within Alliance Gateway
- check the Alliance Gateway Event Log as required and perform audit reporting, for example, reporting message errors
- manage relaxed mode functions for message partners and endpoints.

• Application operators

Application operators manage applications with specific administrative functions allowing them to do the following:
- define details and maintain information relating to operators
- define and maintain endpoints
- define and maintain message partners
- check the Alliance Gateway Event Log within pre-defined areas, such as message-related events
- define MQ connections.

• System operators

System operators have administrative control over Alliance Gateway components and processes through the following:
- Process control
- start and stop Alliance Gateway and some subsystems
- define and maintain configuration parameters for Alliance Gateway components
- check the Alliance Gateway Event Log within pre-defined areas, such as modification of configuration parameters
- run Alliance Gateway traffic statistics
- define and maintain the authentication server settings.
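The security rule described above (the update function alone suffices while an entity is at its default level; a reduction function is needed to lower security; both are needed once security has been lowered) and the three profile examples can be expressed as an authorisation check that a reviewer can run over a proposed set of profiles. The following Python is an added example, not code from Alliance Gateway: the function names are those of the component table, while the profile contents, the entity names and the `security_lowered` flag are constructed for the example.

```python
"""Authorisation check modelling Alliance Gateway operating profiles.

Added illustration, not Alliance Gateway code. The function names are the
operating profile functions listed in the component table; the profiles,
entity names and the `security_lowered` flag are constructed for the example.
"""
from dataclasses import dataclass

# Functions marked (2) in the component table: they control the reduction of security.
REDUCTION_FUNCTIONS = {
    "Message Partner": {"Remove LAU Setting", "Remove RAHA TLS Setting",
                        "Can Use Protected Formats"},
    "Endpoint": {"Can Use Relaxed Setting"},
}
UPDATE_FUNCTION = {
    "Message Partner": "Update a Message Partner",
    "Endpoint": "Update an Endpoint",
}


@dataclass(frozen=True)
class Entity:
    kind: str                       # "Message Partner" or "Endpoint"
    name: str
    security_lowered: bool = False  # False: still at its default (maximum) level


@dataclass(frozen=True)
class OperatingProfile:
    name: str
    functions: frozenset


def required_functions(entity: Entity, action: str) -> list:
    """Alternatives of function sets that permit `action` on `entity`.

    The operator needs every function of at least one returned set.
    Actions: "update" (any change other than the security level),
    "lower_security" and "raise_security".
    """
    update = {UPDATE_FUNCTION[entity.kind]}
    reductions = REDUCTION_FUNCTIONS[entity.kind]
    if action == "raise_security":
        return [update]                    # the update function alone suffices
    if action == "lower_security":
        return [{r} for r in reductions]   # a reduction function alone suffices
    if action == "update":
        if not entity.security_lowered:
            return [update]
        # Lowered entity: the update function AND a reduction function are needed.
        return [update | {r} for r in reductions]
    raise ValueError(f"unknown action {action!r}")


def is_permitted(profile: OperatingProfile, entity: Entity, action: str) -> bool:
    return any(req <= profile.functions for req in required_functions(entity, action))


# Constructed profiles in the spirit of the three examples above (function
# names from the component table; the selection is this example's own).
SECURITY_OPERATOR = OperatingProfile("security", frozenset({
    "Add a SWIFTNet User", "Update a SWIFTNet User", "Adopt a Certificate",
    "Manage Security Configuration Parameters", "Add an Operator", "Update an Operator",
    "Add an Operating Profile", "Update an Operating Profile", "Add a Unit",
    "View Event Log", "Remove LAU Setting", "Remove RAHA TLS Setting",
    "Can Use Relaxed Setting",
}))
APPLICATION_OPERATOR = OperatingProfile("application", frozenset({
    "Update an Operator", "Add an Endpoint", "Update an Endpoint", "Add a Message Partner",
    "Update a Message Partner", "View Event Log", "Add MQ Connection",
}))
SYSTEM_OPERATOR = OperatingProfile("system", frozenset({
    "Start System", "Stop System", "Start a Subsystem", "Stop a Subsystem",
    "Update a Configuration Parameter", "View Event Log", "Run statistics Command",
    "Add an Authentication Server Group", "Update an Authentication Server Group",
}))


def permission_matrix(profiles, entity: Entity) -> dict:
    """{profile name: {action: allowed}} for one entity; useful when reviewing profiles."""
    actions = ("update", "lower_security", "raise_security")
    return {p.name: {a: is_permitted(p, entity, a) for a in actions} for p in profiles}


if __name__ == "__main__":
    partner = Entity("Message Partner", "MP_BACKOFFICE")           # constructed name
    lowered = Entity("Message Partner", "MP_BACKOFFICE", security_lowered=True)
    for ent in (partner, lowered):
        print(ent.name, "lowered" if ent.security_lowered else "default",
              permission_matrix((SECURITY_OPERATOR, APPLICATION_OPERATOR, SYSTEM_OPERATOR), ent))
```

Run stand-alone, the block prints a matrix showing that the application profile may update a message partner only while it is at its default level, that it may still raise the level afterwards, and that the security profile can lower security but not otherwise modify the entity, which is the behaviour the Example and the "In contrast" sentence describe.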


Migrating operating profiles

Operating profiles are migrated according to the principle that an operator is able to do the same activities in Alliance Gateway as were possible in the previous release. Operator passwords, password history, enable status and lock status are all kept after migration.

• The Administrator operating profile is not migrated. Beginning with Alliance Gateway , this operating profile becomes dynamic and receives functions based on licence-related details. The Administrator operating profile in Alliance Gateway includes the following additional functions:
- Export Configuration Data
- Import Configuration Data
- View Gateway Licence
- Update Gateway Licence
- Show HSM Management GUI
- List concurrent SWIFTNet users

If you install Alliance Gateway , then the following functions are added to the Administrator operating profile:
- View List of Alerts
- View Alert Details
- Control Alerts
- Generate and Send supportinfo

If you install Alliance Gateway , then the following functions are added to the Administrator operating profile:
- Allow Unconditional Enable for Operator
- Allow Unconditional Enable for Operating Profile
- Allow Unconditional Enable for SWIFTNet User

If you install Alliance Gateway , then the following functions are added to the Administrator operating profile:
- Initialise HSM Partition
- Move a Certificate

• The Starter_Set_Admin operating profile is migrated; its visibility becomes public. This profile does not receive the following additional functions after migration:
- Export Configuration Data
- Import Configuration Data
- View Gateway Licence
- Update Gateway Licence

• Any user-defined operating profile that is migrated from an instance with release prior to is set to status Enabled after migration.

• The following mapping applies to any user-defined operating profile that is migrated from an instance with release prior to
The Human ID value is the value displayed in the Alliance Gateway Administration GUI, and maps to the Internal Name value, required for programming.


Function for 6.x (Internal Name / Human ID); Function added in (Internal Name / Human ID)

DeleteOpProf / Delete an Operating Profile
DisableOpProf / Disable an Operating Profile
UpdateOpProf / Update an Operating Profile
AddOpProf / Add an Operating Profile
EnableOpProf / Enable an Operating Profile
UpdateOpProf / Update an Operating Profile
KMAAddVirtualProfile / Add a SWIFTNet User
KMADeleteVirtualProfile / Delete a SWIFTNet User
KMADisableVirtualProfile / Disable a SWIFTNet User
KMAListVirtualProfile / View List of SWIFTNet Users
ListConcurrentUsers / List concurrent SWIFTNet users
KMAEnableVirtualProfile / Enable a SWIFTNet User
KMAListProfile / View List of SWIFTNet Users
KMAReadVirtualProfile / View SWIFTNet User Details
KMAResetVirtualPassword / Reset Password of a SWIFTNet User
KMAUpdateVirtualProfile / Update a SWIFTNet User
KMAAdoptRealProfile / Adopt a Certificate
KMADeleteRealProfile / Delete a Certificate
KMAListRealProfile / View List of Certificates
KMASetRelaxedMode / Add Certificate Relaxed Setting
KMASetRelaxedMode / Add Certificate Relaxed Setting
KMAUpdateRealProfile / Update a SWIFTNet User


KMAListRealProfile / View List of SWIFTNet Certificates
KMAReadRealProfile / View Certificate Details
KMAListProfile / View List of SWIFTNet Users
AddFtiEmissionProfile / Add an Emission Profile
AddFtiQueue / Add a Store-and-forward Queue
AddFtiSecurityProfile / Add a Security Profile
AddMessagePartner / Add a Message Partner
KMAAddVirtualProfile / Add a SWIFTNet User
KMAAdoptRealProfile / Adopt a Certificate
KMADeleteRealProfile / Delete a Certificate
KMADeleteVirtualProfile / Delete a SWIFTNet User
KMADisableVirtualProfile / Disable a SWIFTNet User
KMAEnableVirtualProfile / Enable a SWIFTNet User
KMAReadVirtualProfile / View SWIFTNet User Details
KMAResetVirtualPassword / Reset Password of a SWIFTNet User
KMASetRelaxedMode / Add Certificate Relaxed Setting
KMAUpdateVirtualProfile / Update a SWIFTNet User
ListFtiSecurityProfile / View List of Security Profiles
ReadFtiEmissionProfile / View Emission Profile Details
ReadFtiQueue / View Store-and-forward Queue Details
ReadFtiSecurityProfile / View Security Profile Details
ReadMessagePartner / View Message Partner Details


UpdateFtiEmissionProfile / Update an Emission Profile
UpdateFtiQueue / Update a Store-and-forward Queue
UpdateFtiSecurityProfile / Update a Security Profile
UpdateMessagePartner / Update a Message Partner
UpdateAuthServer / Update an Authentication Server (1)
AddAuthServer / Add an Authentication Server (1)
UpdateAuthServer / Update an Authentication Server (1)
ListAuthServer / View List of Authentication Servers (1)
DeleteAuthServer / Delete an Authentication Server (1)
ReadAuthServer / View Authentication Server Details (1)
EnableAuthServer / Enable an Authentication Server (1)
DisableAuthServer / Disable an Authentication Server (1)

(1) As of Alliance Gateway , "Authentication Server" is renamed "Authentication Server Group" in this function.

The following functions have been added in releases subsequent to Alliance Gateway :

Alliance Gateway release; Function added (Internal Name / Human ID)

Alliance Gateway
- ListMonItem / View List of Alerts
- ReadMonItem / View Alert Details
- ControlMonItem / Control Alerts

Alliance Gateway
- UnconditionalEnableOperator / Allow Unconditional Enable for Operator
- UnconditionalEnableOpProfile / Allow Unconditional Enable for Operating Profile
- KMAUncondEnableVirtualProfile / Allow Unconditional Enable for SWIFTNet User

Alliance Gateway
- MisAddBatchClass / Add a Batch Class

Note: The functions related to MI Channel introduced in Alliance Gateway only apply to customers who are accessing a market infrastructure service where MI Channel connectivity is available.

Alliance Gateway
- MisAddRoutingRuleSet / Add a Routing Rule Set

Alliance Gateway
- MisReadSecurityProfile / View MIS Security Profile Details
- MisListSecurityProfile / View List of MIS Security Profiles
- MisRmsAddEmissionEndpoint / Add an Emission Endpoint
- MisRmsDeleteEmissionEndpoint / Delete an Emission Endpoint
- MisRmsUpdateEmissionEndpoint / Update an Emission Endpoint
- MisRmsReadEmissionEndpoint / View Emission Endpoint Details
- MisRmsListEmissionEndpoint / View List of Emission Endpoints
- MisRmsAddReceptionEndpoint / Add a Reception Endpoint
- MisRmsDeleteReceptionEndpoint / Delete a Reception Endpoint
- MisRmsUpdateReceptionEndpoint / Update a Reception Endpoint
- MisRmsReadReceptionEndpoint / View Reception Endpoint Details
- MisRmsListReceptionEndpoint / View List of Reception Endpoints

Alliance Gateway
- KMASmaInitRealProfile / Initialise HSM Partition
- KMAMoveRealProfile / Move a Certificate



Dual Authorisation

Principle

You may want to implement a dual authorisation approach for operations relating to the management of operators, SWIFTNet user profiles (virtual SWIFTNet users), and passwords. The granular functionality inherent in the operating profile can be assigned in such a way as to achieve this. This approach effectively ensures that one person acting alone cannot configure Alliance Gateway entities that are ready to use. A second person must validate the action of the first person. Similarly, functionality in operating profiles can ensure that one person acting alone cannot remove Alliance Gateway entities currently in use. This therefore operates in a similar manner to the 4-eyes principle, enabling segregation of entity management.


Restrictions for enabling created and modified entities

You can prevent an operator who has just created or modified certain entity types from enabling those entities. The entity types are operator, operating profile, and virtual SWIFTNet user. This is controlled by the system configuration parameter Enable Requires Additional Operator. To set the parameter Enable Requires Additional Operator, see Enable Requires Additional Operator on page 39 and Manage Configuration Parameters on page

Note: In the tables below, Operators A and B are used as an example in each table of functions.

Entities and operator functions

The following table lists entities and related operating profile functions that can be managed using a dual authorisation scheme. Using this approach, different operating profiles must be established for each of two operators (listed here as Operator A and Operator B). Alternatively, including the respective disable functions in the Operator B profile may prove more practical. Note that this reduces the dual authorisation principle to entity creation and updates, but not removal.

Entity; functions split between Operator A and Operator B

- Operator: Add an Operator; Delete an Operator; Update an Operator; Enable an Operator; Disable an Operator; Reset an Operator's Password
- Operating Profile: Add an Operating Profile; Delete an Operating Profile; Update an Operating Profile; Enable an Operating Profile; Disable an Operating Profile
- SWIFTNet User: Add a SWIFTNet User; Delete a SWIFTNet User; Disable a SWIFTNet User; Enable a SWIFTNet User; Reset Password of a SWIFTNet User
- Message Partner: Add a Message Partner; Delete a Message Partner; Update a Message Partner; Enable a Message Partner; Disable a Message Partner
- MQ Connection Profile: Add MQ Connection; Delete MQ Connection; Update MQ Connection; Enable MQ Connection; Disable MQ Connection
- Endpoint: Add an Endpoint; Delete an Endpoint; Update an Endpoint; Enable an Endpoint; Disable an Endpoint
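The scheme in the table above can be exercised as a workflow to confirm that it really takes two people to bring an entity into use and to remove it again, and to see what is lost when the disable function moves to Operator B. The following Python is an added example, not Alliance Gateway code. It uses the Operator entity's function names from the table and models "Enable Requires Additional Operator" as a check that the operator enabling an entity is not the one who created or last updated it, with "Allow Unconditional Enable for Operator" as the override of that check; that reading of the two items, the operator names and the entity name are this example's assumptions.

```python
"""Dual-authorisation (4-eyes) model for Alliance Gateway-style entity management.

Added illustration, not Alliance Gateway code. Function names are those of
the dual authorisation table; operators, the entity and the interpretation
of "Enable Requires Additional Operator" / "Allow Unconditional Enable for
Operator" (the enabler must differ from the last creator or updater unless
the enabler holds the unconditional-enable function) are assumptions.
"""
from dataclasses import dataclass, field

# Operating profile functions for the "Operator" entity, keyed by action.
FUNCTIONS = {
    "add": "Add an Operator",
    "update": "Update an Operator",
    "enable": "Enable an Operator",
    "disable": "Disable an Operator",
    "delete": "Delete an Operator",
}
UNCONDITIONAL_ENABLE = "Allow Unconditional Enable for Operator"


class Refused(Exception):
    """Raised when an operator is not allowed to perform an action."""


@dataclass
class Operator:
    """The person acting (Operator A or Operator B) and their profile functions."""
    name: str
    functions: frozenset


@dataclass
class ManagedOperator:
    """An Operator entity being administered (the object of the actions)."""
    name: str
    enabled: bool = False
    deleted: bool = False
    last_changed_by: str = ""   # creator or last updater


@dataclass
class Gateway:
    enable_requires_additional_operator: bool = True   # the configuration parameter
    audit: list = field(default_factory=list)

    def act(self, actor: Operator, action: str, target: ManagedOperator) -> None:
        if FUNCTIONS[action] not in actor.functions:
            raise Refused(f"{actor.name} lacks '{FUNCTIONS[action]}'")
        if target.deleted:
            raise Refused(f"{target.name} no longer exists")
        if action in ("add", "update"):
            target.last_changed_by = actor.name
        elif action == "enable":
            if (self.enable_requires_additional_operator
                    and target.last_changed_by == actor.name
                    and UNCONDITIONAL_ENABLE not in actor.functions):
                raise Refused(f"{actor.name} created or modified {target.name}; "
                              "a second operator must enable it")
            target.enabled = True
        elif action == "disable":
            target.enabled = False
        elif action == "delete":
            # Delete applies to disabled entities only (see the Functions tables).
            if target.enabled:
                raise Refused(f"{target.name} must be disabled before deletion")
            target.deleted = True
        self.audit.append(f"{actor.name}:{action}:{target.name}")


def run_scenario(b_may_disable: bool) -> list:
    """Create, enable, then remove an operator; return the audit trail.

    Operator A adds, updates, enables and disables; Operator B enables and
    deletes, and also disables when `b_may_disable` is set (the "more
    practical" variant in the text, which gives up dual control for removal).
    """
    gw = Gateway()
    a = Operator("A", frozenset({FUNCTIONS["add"], FUNCTIONS["update"],
                                 FUNCTIONS["enable"], FUNCTIONS["disable"]}))
    b_funcs = {FUNCTIONS["delete"], FUNCTIONS["enable"]}
    if b_may_disable:
        b_funcs.add(FUNCTIONS["disable"])
    b = Operator("B", frozenset(b_funcs))

    target = ManagedOperator("OPS_CLERK")      # constructed entity name
    gw.act(a, "add", target)
    try:                                       # A may not validate A's own work
        gw.act(a, "enable", target)
    except Refused as exc:
        gw.audit.append(f"refused:{exc}")
    gw.act(b, "enable", target)
    gw.act(b if b_may_disable else a, "disable", target)   # removal needs disable first
    gw.act(b, "delete", target)
    return gw.audit


def people_involved_in_removal(audit: list) -> set:
    """Distinct actors behind the disable and delete steps of an audit trail."""
    return {e.split(":")[0] for e in audit if e.split(":")[1] in ("disable", "delete")}
```

With the functions split as in the table, `run_scenario(False)` needs both A and B to remove the entity; `run_scenario(True)` shows B disabling and deleting alone, which is exactly the reduction the paragraph above warns about.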


Entities and operator functions for local authentication

With the local authentication of message partners, two operators can share the key that is used to check the integrity and authentication, as shown in the following table:

Entity; Operator A functions; Operator B functions

- Authentication Servers: Manage Left Authentication Server Secret; Manage Right Authentication Server Secret
- Message Partners: Manage LAU Left Part Key; Manage LAU Right Part Key

For more information, see Dual Authorisation on page

Related information

Dual Authorisation on page 81
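Split custody of the LAU key or the authentication server secret (left part with Operator A, right part with Operator B) can be enforced in code in the same spirit: neither part alone yields a usable key, and the same person cannot supply both parts. The following Python is an added example, not Alliance Gateway code; the use of HMAC-SHA-256 over the concatenated parts, the part length and the sample message are this example's assumptions, since the page does not describe the algorithm.

```python
"""Split custody of a shared secret (LAU key or authentication server secret).

Added illustration, not Alliance Gateway code. Operator A holds only the
left part and Operator B only the right part; the full key exists only
inside the verifier. HMAC-SHA-256 over the concatenated parts, the part
length and the sample message are assumptions of this example.
"""
import hashlib
import hmac

PART_HEX_LEN = 32   # assumed: each part is 16 bytes, entered as 32 hex characters


class SplitSecret:
    def __init__(self, name: str):
        self.name = name
        self._parts = {"left": None, "right": None}
        self._custodian = {"left": None, "right": None}

    def set_part(self, side: str, operator: str, value_hex: str) -> None:
        """Record one part. The same operator may not supply both parts."""
        if side not in self._parts:
            raise ValueError("side must be 'left' or 'right'")
        other = "right" if side == "left" else "left"
        if self._custodian[other] == operator:
            raise PermissionError(f"{operator} already holds the {other} part of {self.name}")
        if len(value_hex) != PART_HEX_LEN:
            raise ValueError(f"{side} part must be {PART_HEX_LEN} hex characters")
        self._parts[side] = bytes.fromhex(value_hex)
        self._custodian[side] = operator

    def complete(self) -> bool:
        return all(self._parts.values())

    def _key(self) -> bytes:
        # Assembled on demand and never returned to a caller.
        if not self.complete():
            raise RuntimeError(f"{self.name}: both parts must be set before use")
        return self._parts["left"] + self._parts["right"]

    def sign(self, message: bytes) -> str:
        return hmac.new(self._key(), message, hashlib.sha256).hexdigest()

    def verify(self, message: bytes, mac_hex: str) -> bool:
        return hmac.compare_digest(self.sign(message), mac_hex)

    def custodians(self) -> dict:
        """Who supplied which part; what an audit of the key ceremony would record."""
        return dict(self._custodian)


def demo() -> dict:
    key = SplitSecret("LAU key, message partner MP_BACKOFFICE")              # constructed
    key.set_part("left", "operator_A", "00112233445566778899aabbccddeeff")   # constructed
    key.set_part("right", "operator_B", "ffeeddccbbaa99887766554433221100")  # constructed
    message = b"<Message>constructed sample payload</Message>"
    mac = key.sign(message)
    return {
        "mac": mac,
        "verified": key.verify(message, mac),
        "tampered_verifies": key.verify(message + b" ", mac),
        "custodians": key.custodians(),
    }
```

`demo()` returns a MAC that verifies for the original message and fails for a modified one, together with the custodian record; `set_part` refuses a second part from the operator who already holds the first, and `sign` refuses to run until both parts are present.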



Manage Operating Profiles

Description

The Operating Profiles page contains these elements:
• Details of the operating profiles defined for the current Alliance Gateway instance. See Details on page 84
• Functions that allow you to manage the operating profiles. See Functions on page 85


Display

Details

Column / Field; Description; Availability (Page view (1), Windows Add, Windows Edit)

- Name: The name of the operating profile. Maximum 20 characters
- Status: Indicates the current status of the operating profile
- Components: In the Available list, the list of components available. In the Selected list, the components that you assign to the operating profile
- Functions: In the Available list, the list of functions available for the component that has focus. In the Selected list, the functions for the component that has focus, which are assigned to the operating profile

(1) Only displays the values, does not allow you to modify them

Functions

Function; Description; Availability (Page view, Windows Add, Windows Edit)

- Change View: Filter what appears in the list.
- Add: Enables you to add an operating profile
- Delete: Deletes a disabled operating profile
- Enable: Enables a disabled operating profile
- Disable: Disables an enabled operating profile
- Export: See Export on page
- Print: See Print on page

Edit operating profile details

To edit the operating profile details, change the details in the corresponding fields then click Save.

Related information

Concept on page 64
Dual Authorisation on page 81

Operators

Concept

Overview

An Alliance Gateway operator uses the Alliance Gateway Administration interface to perform tasks on Alliance Gateway. Your institution may decide to distribute administrative tasks among a number of operators. This may typically be necessary in a large institution, but in smaller institutions a single operator can perform all Alliance Gateway administrative tasks. Operators are assigned an authentication type (and an authentication server group, for LDAP and one-time password), an operating profile, and a list of units to which they belong. The tasks that an operator can perform in Alliance Gateway depend on the functions assigned to this operator. For more information, see Available components and related functions on page

Note: An Alliance Gateway operator cannot exchange business messages over SWIFTNet.

Default Alliance Gateway operator

When Alliance Gateway is installed, a default operator called Administrator is created with full Alliance Gateway operating profile functions. This operator cannot be deleted or disabled, and its profile cannot be modified or deleted. An initial password for the Administrator is defined during installation. This password must be changed the first time it is used to log in. The Administrator operator cannot be configured to use one-time passwords.

Important: Create an operator with the same operating profile as the Administrator operator. Otherwise, if you lose the Administrator password or have to reset it, then you must reinstall Alliance Gateway. For more information, see the Alliance Gateway Installation Guide.

Locked operator accounts

When the permitted number of attempts to specify a valid Alliance Gateway operator password is exhausted, your Alliance Gateway operator account is locked. Another Alliance Gateway operator who is not locked or suspended and who has the operating profile function Reset an Operator's Password can reset your Alliance Gateway operator account password. If an operator has the Administrator operating profile, then only an operator who also has the Administrator operating profile can reset the password of that operator. To reset an operator password, see Reset Operator Passwords on page

Dormant operator accounts

Operators who have not logged in for a pre-defined number of days are considered dormant. The Disable Period configuration parameter enables you to define a number of days after which operators are considered dormant and are disabled as a result. This functionality does not apply to the Alliance Gateway Administrator account: this account can never be disabled.


Suspended operator accounts

When the Administrator account exhausts the permitted number of attempts to specify a valid Alliance Gateway operator password, the Administrator account is suspended. After 10 minutes, this account is again able to attempt to log in.

Operator types

Operators can be grouped according to their functional areas in Alliance Gateway Administration. Each group of operators can be assigned operating profiles with particular functions that allow them to perform certain tasks in the Alliance Gateway Administration interface. It is important that you use the Alliance Gateway Administration interface to define operator profiles that meet the requirements of your organisation. For examples, see Operating profile examples on page

Manage Operators

Description

The Configuration > User Management > Operators option enables you to manage operators. The Operators page contains these elements:
• Configuration parameters that allow you to configure the settings for the operators. See Configuration parameters on page 88
• Functions that allow you to manage the configuration parameters. See Functions: configuration parameters on page 88
• Details of the operators defined for the current Alliance Gateway instance. See Details on page 89
• Functions that allow you to manage the operators. See Functions on page 91

For conceptual information about operators, see Concept on page

Display


Configuration parameters

Configuration parameter; Definition; Allowed values; Default value

- Disable Period: Determines the number of days without login after which the system disables an operator. A value of 0 means that automatic disable will not be performed. Allowed values: 0, 30 to . Default value: days
- Maximum Number of Failed Login Attempts: Determines the number of attempts that the system allows an operator to provide a valid password. For the Administrator: the account shall not be locked. It gets suspended for 10 minutes after the number of failed attempts configured in this parameter. Allowed values: 1 to 10. Default value: 5 attempts
- Password Minimum Length (1): Determines the minimum number of characters that an operator password must contain. Allowed values: 17 to 64. Default value: 17 characters
- Password Minimum Length TOTP: Determines the minimum allowed length for an operator password when used in combination with TOTP. Allowed values: 12 to 64. Default value: 12 characters
- Password History Length (1): Determines the number of previous operator passwords that the system retains. Allowed values: 8 to . Default value: 24 entries
- Password Validity Period (1): Determines the number of days before an operator password expires and requires changing. Default value: days

(1) Valid only for operators defined with Authentication Type set to Password (user-defined password)
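The parameters in this table, together with the locked, dormant and suspended account behaviour described under Concept above, form an account policy that can be checked in code before it is relied on. The following Python is an added example, not Alliance Gateway code. The defaults the page shows (5 attempts, 17 and 12 characters, 24 history entries, the 10-minute Administrator suspension) are used as given; the disable period and password validity defaults, the operator names and the way passwords are hashed are constructed for the example, and an operator who has never logged in is left out of the dormancy check as an assumption.

```python
"""Operator account policy model (lockout, Administrator suspension, dormancy, passwords).

Added illustration, not Alliance Gateway code. Page defaults are used where
the page shows them; the disable period and password validity defaults are
constructed, as is the hashing of passwords.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

ADMINISTRATOR = "Administrator"


@dataclass
class Policy:
    max_failed_login_attempts: int = 5       # page default
    password_min_length: int = 17            # page default
    password_min_length_totp: int = 12       # page default (Password and TOTP)
    password_history_length: int = 24        # page default
    disable_period_days: int = 90            # constructed; 0 = no automatic disable
    password_validity_days: int = 90         # constructed
    admin_suspension: timedelta = timedelta(minutes=10)   # page: 10 minutes


@dataclass
class Account:
    name: str
    uses_totp: bool = False
    enabled: bool = True
    locked: bool = False
    suspended_until: Optional[datetime] = None
    failed_attempts: int = 0
    last_login: Optional[datetime] = None
    password_set_at: Optional[datetime] = None
    password_history: list = field(default_factory=list)   # digests, newest last

    @property
    def is_administrator(self) -> bool:
        return self.name == ADMINISTRATOR


def _digest(password: str) -> str:
    # Illustrative only; a real store would use a salted, slow password hash.
    return hashlib.sha256(password.encode()).hexdigest()


def check_new_password(acct: Account, candidate: str, policy: Policy) -> list:
    """Return the policy violations for a candidate password (empty = acceptable)."""
    problems = []
    minimum = policy.password_min_length_totp if acct.uses_totp else policy.password_min_length
    if len(candidate) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if _digest(candidate) in acct.password_history[-policy.password_history_length:]:
        problems.append(f"reuses one of the last {policy.password_history_length} passwords")
    return problems


def set_password(acct: Account, candidate: str, policy: Policy, now: datetime) -> bool:
    if check_new_password(acct, candidate, policy):
        return False
    acct.password_history.append(_digest(candidate))
    del acct.password_history[:-policy.password_history_length]   # keep the history bounded
    acct.password_set_at = now
    return True


def record_failed_login(acct: Account, policy: Policy, now: datetime) -> None:
    """Count a failed attempt; lock the account, or suspend the Administrator."""
    acct.failed_attempts += 1
    if acct.failed_attempts >= policy.max_failed_login_attempts:
        acct.failed_attempts = 0
        if acct.is_administrator:       # never locked, suspended for a fixed time instead
            acct.suspended_until = now + policy.admin_suspension
        else:
            acct.locked = True


def login_blocked(acct: Account, policy: Policy, now: datetime) -> Optional[str]:
    """Reason a login must be refused before the password is checked, or None."""
    if not acct.enabled:
        return "disabled"
    if acct.locked:
        return "locked"
    if acct.suspended_until is not None and now < acct.suspended_until:
        return "suspended"
    if (acct.password_set_at is not None
            and now - acct.password_set_at > timedelta(days=policy.password_validity_days)):
        return "password expired"
    return None


def apply_dormancy(accounts: list, policy: Policy, now: datetime) -> list:
    """Disable operators without a login for Disable Period days; return their names."""
    if policy.disable_period_days == 0:     # 0 means no automatic disable
        return []
    disabled = []
    for acct in accounts:
        if acct.is_administrator or acct.last_login is None:   # Administrator is exempt
            continue
        if acct.enabled and now - acct.last_login > timedelta(days=policy.disable_period_days):
            acct.enabled = False
            disabled.append(acct.name)
    return disabled


def reset_password(acct: Account, new_password: str, policy: Policy, now: datetime) -> bool:
    """Reset Password function: new password plus unlock, as in the Functions table."""
    if not set_password(acct, new_password, policy, now):
        return False
    acct.locked = False
    acct.failed_attempts = 0
    return True
```

The asymmetry between ordinary operators and the Administrator is the point to check here: the fifth failed attempt locks an ordinary account until another operator resets it, whereas the Administrator is only suspended for the configured 10 minutes and is never disabled by the dormancy sweep.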

Functions: configuration parameters

Function; Description

- Add: Enables you to add illegal password pattern values. Procedure: Add Multiple Values on page 42
- Remove: Enables you to remove illegal password pattern values. Procedure: Remove Multiple Values on page 43
- Edit: Enables you to edit illegal password pattern values. Procedure: Edit Multiple Values on page 43
- Reset to Default: Resets the configuration parameters on the Operators page to the default values. Procedure: Reset Values on page 42


Details

Column / Field; Description; Availability (Page view (1), Windows Add, Windows Edit)

- Name: The name of the operator. Maximum US-ASCII printable characters
- Description: A description of the operator
- Status: Indicates the current status of the operator
- Operating Profile: Determines the operating profile that you assign to the operator
- Lock Status: Indicates the lock status of the operator. The system locks operators that reach the limit for the Maximum Number of Failed Login Attempts (see Configuration parameters on page 88) without providing a valid password. If the Alliance Gateway Administrator operator reaches the limit, then the system suspends the Alliance Gateway Administrator operator.
- Last Login: Indicates the date and the time of the operator's last login
- Authentication Type: Determines the authentication method that the login mechanism uses to authenticate the operator. The possible values are as follows:
  • Password: Alliance Gateway authenticates the user-defined password that the operator provides at login. For more information, see User-Defined Passwords on page
  • RADIUS One-time Password: An authentication server authenticates the one-time password that the operator provides at login. For more information, see Authentication Servers and One-Time Passwords on page
  • LDAP Authentication: An LDAP server authenticates the user name and password that the operator provides at login. For more information, see LDAP Authentication on page
  • Password and TOTP: A time-based one-time password (TOTP) is generated on an additional downloaded application from a mobile device for temporary use to log into the SAG Operator account. This is used in conjunction with a permanent password.
- Authentication Server Group (3): The authentication server group used to authenticate requests for the operator
- External Identifier (3): The user name of the operator in the LDAP directory or authentication server. Maximum US-ASCII printable characters. This field is optional: if it has no value, then the system uses the operator name to check the operator credentials.
- Units: In the Available list, the list of units available. In the Selected list, the units that you assign to the operator
- Default Unit: The unit to use for the gener­ation of events logged when the operator performs administrative operations

(1) Only displays the values, does not allow you to modify them

(2) Not a default column, use Change View to add this column to the list

(3) Only appears when Authentication Type is set to LDAP Authentication or RADIUS One-time Password

Functions

Function; Description; Availability (Page view, Windows Add, Windows Edit)

- Filtering Criteria: View operators using the Name, External Identifier, or Operating Profile drop-down and clicking Submit.
- Clear: Resets the Filtering Criteria.
- Submit: Displays parameters for the selection in the Filtering Criteria.
- Change View: Allows you to select what is displayed in the Operators list.
- Add: Enables you to add an operator
- Delete: Deletes a disabled operator
- Enable: Enables a disabled operator
- Disable: Disables an enabled operator
- Reset Password: Resets the password of an operator that uses a user-defined password and unlocks the operator, if it is locked. Procedure: Reset Operator Passwords on page 92
- Unlock Operator: Unlocks an operator that uses one-time passwords or LDAP authentication and is locked. Procedure: Unlock Operators on page 92
- Reset to Default: Resets the configuration parameters on the Operators page to the default values. Procedure: Reset Values on page 42
- Export: See Export on page
- Print: See Print a Report Directly from the GUI on page

Modify configuration parameters

To change the values of configuration parameters on the Operators page, do the steps in Change Values on page

Edit operator details

To edit the operator details, change the details in the corresponding fields then click Save.

Related information

Concept on page 86



Reset Operator Passwords

This procedure is only applicable for operators that use user-defined passwords.

Procedure

1. From the Operators page, select the applicable operator with either of these actions:
   • Click the list entry for the operator. The Operator Details window opens.
   • Select the check box of the list entry for the operator.
2. Click Reset Password. The Reset Password window opens.
3. Click Reset Password in the Reset Password window.
   The system unlocks the operator, if applicable, and resets the password. The Operator Generated Password window opens.
   Note: This action also resets the TOTP code, so you must repeat Configure Two-Factor Authentication on page . Doing this creates a second record in your mobile Authenticator application; be sure to delete the old record to ensure proper usage.
4. Select the Show Clear Text check box. The window displays the Generated Password value.
5. Follow the instructions given in the Operator Generated Password window.
6. Click Close.

Unlock Operators

This procedure is only applicable for operators that use one-time passwords or LDAP authentication.

Procedure

1. From the Operators page, select the applicable operator with either of these actions:
   • Click the list entry for the operator. The Operator Details window opens.
   • Select the check box of the list entry for the operator.
2. Click Unlock Operator. The Unlock LDAP or OTP Operator window opens.
3. Click Unlock LDAP or OTP Operator in the Unlock LDAP or OTP Operator window.
   The system unlocks the operator.

Event Log

Description

The Event Log node enables you to view and modify configuration parameters that influence the general behaviour of the event log for the current Alliance Gateway instance. The Event Log node contains the related entities that are available for the current Alliance Gateway instance.

Content

Clicking the Event Log node opens the Event Log page:

• See Event Log Configuration Parameters on page

Nodes

Expanding the Event Log node reveals these entity nodes:

• Event Distribution (see Event Distribution on page )
• Archive (see Archive on page )

Clicking an entity node opens the corresponding entity page.

Events, Event Logging and SNMP



Alliance Gateway Events and Event Log

Events and errors

It is important to make the distinction between events and errors. Applications designed to work with Alliance Gateway are responsible for handling errors. An application that sends messages can receive an error. A single error may generate one or more events. If an error with severity Severe or Fatal is returned to an application, then at least one corresponding event is logged. Events are also logged due to the following operational activities:

• changes to configuration data, such as adding, changing or removing operators, message partners, and so on
• internal processing within Alliance Gateway, such as process start and stop, and other actions monitored by the Process Controller
• events resulting from message flow

SWIFTNet Link events

SWIFTNet Link events can also be logged in the Alliance Gateway Event Log. To do this, you must set the configuration parameter Subscribe to Receive SNL Events. By default, it is set to Yes. By default, Alliance Gateway requests any events that occurred since the last received SWIFTNet Link event (if any), or if there was a period of time during which no SWIFTNet Link events were received (for example, if Alliance Gateway was stopped). If Alliance Gateway is started for the first time or is stopped over a weekend, then only SWIFTNet Link events logged within the last hour are considered.

Alliance Gateway Event Log

The Alliance Gateway Event Log is a database that stores Alliance Gateway-related events.

Event Log disk space

When you install Alliance Gateway, disk space is allocated for the Alliance Gateway Event Log. The amount allocated depends on the connectivity pack setting established during Alliance Gateway installation or relicensing. Alliance Gateway activity, such as logging in to the Alliance Gateway Administration GUI and exchanging messages, generates events that are logged in the Alliance Gateway Event Log according to an event template. The events reported can be customised and configured to interface with the operating system log or with third-party system management software such as Tivoli or HP OpenView.

Configuration parameters

Configuration parameters enable you to define the properties of the Alliance Gateway Event Log:

• whether the Alliance Gateway Event Log runs in Archive or Rollover mode
• whether Alliance Gateway receives and logs SWIFTNet Link events

To set these configuration parameters, see Event Log Configuration Parameters on page

• whether events in Archive mode are archived or removed
• the retention period of events in Archive mode
• the location of the archival directory

To set configuration parameters related to archiving, see Configure Event Archiving on page
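As an added illustration (not code from the guide or from SWIFT), the following Python models the catch-up rule for SWIFTNet Link events described above, so that an administrator can see which interval of SNL events a restart will not pull into the Alliance Gateway Event Log. The function names, the sample dates and the reading of "stopped over a weekend" as an outage that includes a Saturday or Sunday are assumptions.

```python
from datetime import datetime, timedelta
from typing import Optional

# From the guide: on a first start or after a weekend outage, only SNL events
# logged within the last hour are requested.
CATCHUP_WINDOW = timedelta(hours=1)


def spans_weekend(start: datetime, end: datetime) -> bool:
    """Assumption: 'stopped over a weekend' means the outage [start, end]
    includes at least one Saturday or Sunday."""
    day = start.date()
    while day <= end.date():
        if day.weekday() >= 5:  # Monday is 0, so 5 and 6 are Saturday and Sunday
            return True
        day += timedelta(days=1)
    return False


def snl_catchup_window(now: datetime, last_snl_event: Optional[datetime]):
    """Return (window_start, unrequested_gap).

    Normal restart: request everything since the last received SNL event.
    First start (no previous event) or weekend outage: request only the last
    hour. unrequested_gap is the interval of SNL events that will not be
    requested, or None if there is no such gap.
    """
    if last_snl_event is not None and not spans_weekend(last_snl_event, now):
        return last_snl_event, None
    window_start = now - CATCHUP_WINDOW
    if last_snl_event is not None and last_snl_event < window_start:
        return window_start, (last_snl_event, window_start)
    return window_start, None


def describe_restart(now_iso: str, last_iso: Optional[str]) -> dict:
    """Hypothetical string-based wrapper for quick checks from a shell."""
    now = datetime.fromisoformat(now_iso)
    last = datetime.fromisoformat(last_iso) if last_iso else None
    start, gap = snl_catchup_window(now, last)
    return {
        "window_start": start.isoformat(),
        "unrequested_gap": None if gap is None else (gap[0].isoformat(), gap[1].isoformat()),
    }


if __name__ == "__main__":
    # Constructed sample: stopped Friday evening, restarted Monday morning.
    print(describe_restart("2024-01-08T08:00:00", "2024-01-05T17:00:00"))
```

A non-empty unrequested_gap is the signal to reconcile against the SWIFTNet Link event log itself, since those events never reach the Alliance Gateway Event Log.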



Event Characteristics

Unique identification

Two main criteria identify events:

• The ComponentName identifies the component requesting to log an event.
• The EventNumber is a unique value, specific to the component. Over the course of Alliance Gateway releases, event numbers do not change. It is possible, however, that event text may change.
