Global Client Access Managed Communications Solutions. JPMorgan - Global Client Access. Managed Internet Solutions (EC Gateway)

Transcription

1 Managed Communications JPMorgan - Global Client Access Managed Internet (EC Gateway)

2 Managed Communications Overview JPMorgan offers a variety of electronic communications services that are reliable and user-friendly. As a comprehensive data communication service, our offerings allow for fail-over capabilities as well as 24 hours a day, seven days a week support. The service leverages industry standard message formats, open network communications and advanced security techniques to help meet your business needs. Our Global Client Access team is staffed worldwide by help desk, technical and business support employees to provide answers to your questions, professional service and monitor file delivery service. The following document provides an outline of available connectivity and security services through the Global Client Access Team. This document is subject to change based on new services and technologies added or discontinued. We offer the following types of communication and security services to help meet the needs of our global client base. Managed Internet (EC Gateway) SFTP FTPS AS2 HTTPS Sungard etx Service Snapshot - We engage transmission implementation personnel to provide application setup and transmission testing. We offer a 24 hours, seven days a week help desk that actively monitors data transmissions. This service automatically provides notification of transmission failures. Advanced Technology - We invest and operate the latest security and transportation technologies providing a world class service that is both flexible and functional. Security - Our advanced security features help prevent unauthorized access and safeguard against data theft or manipulation. We use globally recognized security standards such as SSL, SSH, PGP, IP SEC, HMAC and other techniques to encrypt and authorize data. 2

3 Managed Communications JPMC Managed Communications (EC Gateway) EC Gateway Overview EC Gateway is an electronic communications service that offers a variety of reliable and user-friendly integration options for linking to JPMorgan services. As a comprehensive data communication service, EC Gateway offers failover capabilities and support 24 hours a day, seven days a week. The service leverages industry-standard message formats, open network communications and advanced security techniques to satisfy your requirements. We employ public key infrastructure (PKI) security for all EC Gateway connection options to the bank. PKI digital certificates provide authentication, confidentiality, non-repudiation and data integrity. A combination of public and private keys keeps data secret. Link encrypted with SSL Client JPMorgan Firewall Firewall Firewall JPMorgan Service CLS Third Party Service Internet Client Gateway Security Software Transport Protocol Customer Directory on Router EC Gateway Server Security software/ Communications Gateway Inbound flow Client to JPMorgan Chase service Outbound flow JPMorgan service to Client Because security is paramount, when using JPMorganChase s EC Gateway, all access is authenticated and encrypted using digital certificates. Depending on the particular transfer protocol being used, clients may add an additional security layer by encrypting the data being communicated to the underlying JPMorgan service. The following is a typical secure data flow: Using pre-established transport protocol, the client puts the designated service file, created out of the back-office application according to an agreed format specification, into a secure incoming directory specifically created for that client. Once the transfer is complete, the file is then automatically moved to the EC Gateway server to be decrypted (if client has opted to encrypt) and for accompanying digital signature(s) to be authenticated. Once authenticated, the file is automatically transferred to the designated JPMorgan service for further processing. 3

4 Managed Communications EC Gateway All solutions support both Push and Pull methods. AS2 Description: Your organization must meet the following requirements in order to successfully communicate with JPMorgan exchanging data using AS2: Must be running a Drummond Group Certified AS2 platform Access to High-speed (preferred) or dial-up Internet connection TCP/IP network interface The ability to accept a SSL key AS2 platform must handle SSL server side validation Your firm must communicate using standard port 443 sending to JPMC Roadmap for establishing JPMorgan connectivity with AS2: You provide an SSL key JPMorgan will provide the appropriate DNS information for routing Firewall rules in place to communicate with AS2 partners - A trading partner may require inbound and outbound firewall modifications to account for all trading partner IP addresses and port numbers FTP / SSL Description: FTP/SSL requires the exchange of SSL certificates with JPMC in concert with the RFC 2228 standard. JPMorgan supports FTP encrypted with a secure socket layer (SSL) session. Requirements include: TCP/IP network interface FTP software supporting the RFC 2228 standard for FTP over an SSL session (SSL Key) The use of PGP or the use of the existing SSL key (SSL to be discussed) for sensitive data Secure FTP (SSH) Description: Secure FTP requires the exchange of SSH certificates with JPMorgan. Requirements include: TCP/IP network interface FTP client software supporting the SSH standard The use of PGP (if highly sensitive data) 4

5 Managed Communications JPMorgan HTTPS Client-Side Software Description: We provide a HTTPS Java TM -based software technology that is used to send/receive files. Requirements: If your company uses your own HTTPS, you must perform client-side verification, meaning the software used to connect must be able to verify itself by presenting a certificate. Java version 1.3.x. will be required on the target/sending environment. Requirements include: TCP/IP network interface SSL Key The use of PGP (if highly sensitive data) Other: You will need to store your company s private certificate in an unencrypted, no password required state. In addition, you will need to convert your public certificate to a.der file and send to JPMorgan. Sungard etx Communications Protocol: TCP/IP FTP Connectivity: Public Internet connection. Sungard Treasury workstation connected to etx. Security: SSL, PGP 5

6 Managed Communications Security and Data Overview JPMorgan supports the transfer of Highly Sensitive* and Sensitive* data as defined by our IT Control Policy. The service is designed to be bi-directional and managed end-to-end. Examples of data types by security level: Sensitive Data - Requires - Transport Security (SSL, IP SEC) Example Client information, Reporting Information, User name / Passwords Highly Sensitive Data requires - Requires - Transport Security (SSL, IP SEC), Message Integrity, Originator Authentication and Consequential evidence of Authentication (signing PGP, 509.v3) Example Value bearing transactions such as Wires, ACH, Trades 6

7 Managed Communications Partner Key Management Global Client Access has created a Partner Key Management Process (PKM) that allows for the bank to accept PGP, SSL and other key types from the client. This PKM process is designed to accommodate client keys while preserving the required IT Control standards. The following procedures will be used for digital-signature public key management using a certificate; Your company will identify at least three individuals authorized on their behalf to request JPMorgan to add, update or delete keys. Any requests from a third party agent should be forwarded to an authorized representative of your company. You must send a letter on company letterhead identifying the authorized individuals with their names, complete mailing addresses, original signatures, phone numbers and addresses. This information will be mailed to JPMorgan. A template will be provided for your convenience. Certificates must have a validity period of one to two years. No signature shall be accepted after certificate expiration. No certificate shall be accepted unless it adheres to the following cryptographic specification: Message digest: SHA-1 Asymmetric algorithm: RSA, DSS, Psypher Asymmetric algorithm key length: 1024 bits or more 7