Corporate Access File Transfer Service Description Version /05/2015

Transcription

1 Corporate Access File Transfer Service Description Version /05/2015 This document describes the characteristics and usage of the Corporate Access File Transfer service, which is for transferring cash management files (e.g. a payment file) between Nordea and a corporate customer via a public network. Technical details, such as Secure envelope specification and communication protocol dependent instructions are explained in a separate, related document. 1/17

2 1 Introduction File transfer is used for exchanging files and messages via a network. Nordea s new file transfer service for corporate customers is called Corporate Access File Transfer (CAF). Corporate Access File Transfer will be the entry point for Nordic and Baltic customers, and will support various file transfer protocols and different cash management file formats, including XML in the ISO20022 standard. The service is used by customers banking software products for automatic host-to-host file transfer. Besides the secure exchange of files, CAF also includes a user interface for a set of additional services to view the status of file transfers. With the user interface the customer can view the status, a history of transferred files and manually upload and download files. Manual File Transfer can also be used in cases when a backup channel for host-to-host channel is needed. The user interface is provided via Corporate Netbank (CN) service. Global services currently available in Corporate Access include: File Transfer for the data communication and Payables for payment services. In the future, Corporate Access will include other services, such as Receivables, Account reporting etc. This document describes the usage of the Corporate Access File Transfer service. The document will be continually updated. Structure of documentation The latest version of documents for Corporate Access File Transfer can be found at The structure of the various documents is shown below. 2/17

3 1.1 Corporate Access File Transfer The Corporate Access File Transfer service operates via a new global file transfer platform, intended for the transmission of cash management files (payments, account statements) and local file types. It will be a single entry point for Nordea s file-based services in different countries. The number of services included is still limited but it will increase as more countries are integrated into the service over the next few years. The company needs a bank connectivity program which supports one of the available protocols. Nordea does not offer bank connectivity software, but suggests that companies contact software suppliers to obtain a suitable program. The CAF service can currently be used to access file transfer services available in Sweden, Denmark and Norway. However, more countries will be integrated. The file transfer connection can be used to transmit files based on the XML standard and in addition, local cash management service files. Files targeted at Corporate Access Payables can only be enabled either via the Corporate Access File Transfer or manual file transfer via Corporate Netbank (CN). See list of currently supported file types/services in Appendix B. Technical details regarding connectivity and end-to-end security in file transfer are described in a separate document called Content Signature Specification. The technical details of different protocols are described in relevant documents available on Nordea s website 2 Prerequisites for using Corporate Access File Transfer The customer has a valid agreement with Nordea on the use of the Corporate Access File Transfer connection. See Chapter 2.1. The customer or a user must have a company-specific key and ID received from the bank upon signing the agreement. See Chapter 2.2. The company has software (one or multiple programs) which is able to: create the file which will be sent to the bank (the payload) create a security envelope, including digital signature, and establish a bank connection via available communication protocols. See Chapter Agreement Before the file transfer service can be used, an agreement (Corporate Cash Management/CAF Agreement) must be signed by the customer. By virtue of this agreement the company can upload and download batch files using the Corporate Access File Transfer data communication. In the agreement the parties specify the company and the company contact (administrator) representing the company s users, and if necessary any other users. The administrator is also authorised to download one or multiple certificates which are connected to agreed services. See Chapter 2.2 Certificates and keys. The agreement is in technical data communication level represented by an ID called SenderID. In the agreement it is possible to set up authorisations to one or several IDs. Each of the IDs is represented in an agreement by a SignerID. The user of the SignerID is authorised to use services assigned to that SignerID. 3/17

4 SignerIDs are connected to certificates, so that if multiple SignerIDs have been agreed, then an equal number of certificates will exist. Each certificate is used to digitally sign content to be sent to the bank, and each of them is authorised to use the services by the corresponding SignerID. The customer can choose to use host-to-host communication only, or in combination with the user interface via Corporate Netbank. The Corporate Netbank offers additional tools for users to view the file transfer status and maintain files, which is why it is highly recommended. In CN the customer s administrator can appoint users to have access to manual file transfer services. The same interface is used for Corporate Access Payables for online services. When a corporate customer switches starts using Corporate Access File Transfer, a new schedule must be signed. Agreements are available and can be signed at Nordea branch office Using outsourced parties to send files It is possible for a corporate customer to use a bookkeeping company or other service bureau to act on behalf of the corporate customer that owns the debit account. In such cases there must be a Power of Attorney from the corporate customer to the service bureau and it must be registered at the bank. If the file sender and signer of the security envelope is a third party that has entered into an agreement with the company and is acting on behalf of the company, the sender is a party to the agreement between Nordea and the company. If the file sender is a fourth party that has entered into an agreement with the company or with the third party, and is not acting on behalf of these, i.e. is not a signer of the envelope, the sender is not a party to the agreement between Nordea and the company or the third party. 2.2 Certificates and keys In the customer file transfer agreement it is possible to assign one or more SignerIDs. Each SignerID can be authorised to different services or respective file types. Nordea provides each SignerID with a unique certificate. The certificate is used to digitally sign the security envelope before sending files to Nordea. The persons who receives the certificate activation code for each SignerID are named by the corporate administrator in CCM agreement. When Nordea receives files, authorisation for customers to use a cash management service is always verified by the bank from the digital signature of the security envelope. If authorisation fails, the files will be rejected and a response will be sent by Nordea. Further information about the certificate download process is provided in Appendix D. 2.3 Bank connectivity software Files are sent/uploaded to Nordea using bank connectivity software which supports one of the available secure communication protocols. There are multiple software vendors locally and globally, which provide adequate software to enable Nordea Corporate Access to automatically transfer files. 4/17

5 Alternatively, files can be sent/retrieved from the bank manually by using Nordea Corporate Netbank File transfer (CN), a web-based service for interactive operations. Nordea s instructions for using the file transfer service are provided in this service description and in a more technical document entitled Content Signature Specification. In addition, there is separate documentation describing various communication protocols in detail, as well as associated use of security keys. Before the connection is established, the payload file to be uploaded to the bank must be signed digitally using the private key linked to the user/company s PKI certificate. The digital signature can be created: a. b. c. in the ERP system where the actual payload file is created (recommended) using separate software similar to the ERP system, or using a function integrated in the bank connectivity program. Alternative a) is the most secure, enabling end-to-end security, including the corporate customer s own internal network, because the file content is protected while it is being created. Before sending files to the bank production system, their structural correctness must be ensured by using the test system. See section 3.2 Testing. Character set and encoding The files sent to Nordea must be in UTF-8 format and Nordea will use UTF-8 format for all Messages sent to customers. 3 Schedules and availability Files can be uploaded and downloaded 24 hours a day, seven days a week. The execution of uploaded files will not happen in real-time, so the processing and response schedules vary depending on the service. Further information about schedules can be found in the respective service descriptions in Nordea.com. Nordea will have scheduled service breaks in Corporate Access. The file transfer service is not available during these periods. The breaks are scheduled to take place at night and over the weekend, when traffic is very limited. Such service breaks will be announced according to Nordea s policy. 3.1 Corporate Access File Transfer connectivity Nordea Corporate Access can be reached via different communication protocols. The host-to-host (H2H) protocols and their URL addresses are listed below. Instead of using IP addresses, Nordea recommends that only the URL s mentioned below be used. IP addresses are at times subject to changes, but URL addresses are static and therefore require no changes by the customer. Addresses for the Corporate Access File Transfer production systems are: sftp sftp.ebridge. AS2 as2.ebridge. 5/17

6 FTP (VPN) vpn.ebridge. Addresses for the test environment are: sftp sftp.ebridge.test. AS2 as2.ebridge.test. FTP (VPN) vpn.ebridge test. Besides the above-mentioned protocols used for connection via the internet, it is possible to connect to Nordea via the SWIFTNet FileAct. Please contact your Cash Management advisor at Nordea for further information about FileAct connection. 3.2 Testing It is possible to test the security envelope with online connection by uploading the signed file with a browser to Nordea s Corporate Access Test solution. The link can be found at www. / Information for ERP Vendors. The same test solution can also be used for testing Corporate Access Payable files. Bank connection software must be tested with Nordea s test system before it can be used in production. The connection with the test environment uses test certificates and other Nordea test IDs. Separate documentation is provided regarding testing. 3.3 Security instruction Certificates and their private keys are solely for their proper owners, to safeguard against inappropriate use of the certificate. Orders made using the customer s certificate are always assumed to have been issued by the customer, therefore the certificate and the computer, along with the software in which the certificate is saved, must be properly and securely protected. 4 User support 4.1 User support Global Nordea provide support for Corporate Access File Transfer. You find more information on, how to get help, Q&A, and Support contact information at the our ERP Vendors site at Nordea.com. 6/17

7 Appendix A Abbreviations and terms used in the service description The following table provides a list of commonly used abbreviations and terms in this document. CAF Corporate Access File Transfer. A global data communication hub at Nordea complying with international specifications such as PKI and XML. PKI Public Key Infrastructure. International specification for the identification of a party in communication (owner of certificate). XML Extensible Markup language. Format used, for instance, with the payments service and in content signature envelope messages. UI User Interface. Usually an online manual service used with a browser. CA Certificate Authority. Issuer of the PKI certificate. SSL Secure Sockets Layer. Encryption scheme used with Internet connections. HTTPS Hypertext Transfer Protocol Secure. Encrypted version of the http protocol. Administrator A special user named in company agreements, to which the company gives authorisation to receive company-specific identification data from the bank. The administrator manages the user rights related to the identification data and handles other administrative matters on behalf of the company. User A user using the service on behalf of the company. In host-tohost channels there are no users from an agreement perspective, but users may be assigned by the company administrator to connect to services via online UI Signer SignerID The party (company) that owns the digitally signed content to be sent. One agreement can have several signers, represented by SignerID s, each with their own signing certificate. Signature is an XML digital signature made with PKI keys, given to the party by the bank. Sender SenderID The party (company) that actually sends the message. Authorised to communicate with the bank using the connection and to send files signed by the Signer. The sender (identified by SenderID in agreement) can be a third or fourth party that has an agreement for file communication with the bank. Certificate A key pair with private and public keys. The private key is used by the signer to digitally sign the content (payload). The public key is included in the signature element. The Certificate is connected to the SignerID in the CAF schedule of the CA agreement. 7/17

8 Signer certificate receiver A person in the corporate, who is named in agreement scheduleto receive the certificate activation code via SMS CN An abbreviation of Corporate Netbank. Also CN FT: a manual File Transfer in Corporate Netbank BICOrBEI An identifier in payment file, used only in SWIFTNet FileAct channel SWIFTNet FileAct ID In SWIFTNet FileAct a Security Envelope is not mandatory and if not used, then the user can use only one SignerID which is used as default. The used SignerID is agreed in agreement schedule as FileAct ID. 8/17

9 Appendix B Available File types File to Nordea File type Supported Countries Comments Payment file to Corporate Access Payables NDCAPXMLI SE Pain.001 File from Nordea File type Supported Countries Comments Status file from Payables NDCAPXMLO SE Pain.002 Debit advice from Payables NDCAPXMLD54O SE Camt54D 9/17

10 Appendix C Data communication in File Transfer The following describes the data communication process steps. Identification of the user and authorisation to use the service Authorisation to use the Nordea Cash Management file-based services in Corporate Access is based on the digital signature of the content and the envelope. The envelope is signed in advance before transmission. The security envelope can be used in all file transfer channels connected to Corporate Access. It is mandatory in other channels but optional when using CN manual file transfer or SWIFTNet FileAct connections, for which special rules apply. Picture below describes connections between the file to be sent (the payload) and the envelope based on ApplicationRequest schema, to be signed and sent to Nordea. To avoid interdependencies of nested XML structures the payload message is base64 coded before it is placed as text in the content element. 1. Create payload file in corporate legacy 2. Create XML Envelope and import the pyload 3. Sign the XML wrapper with XML Dsig 4. Send the package with any protocol Figure 1 10/17

11 The structure of the security envelope message described above applies regardless of the type of the PKI certificate used. Use of certificates and PKI keys in bank connections In Corporate Access File Transfer, the customer is identified by using Public Key Infrastructure (PKI) certificates. The certificates referred to here are in X.509 format and issued by Nordea. A certificate is issued, on the basis of the Corporate Access File Transfer Agreement, to an individual or individuals working at the company. The certificate, or rather the private and public keys belonging to it, is used by the customer to digitally sign the file and by Nordea to identify the customer. Nordea can use the signature to verify that files were confirmed and signed by the company authorised to use the certificate and the requested cash management service. It also proves that the files were not altered after they were signed. The file-based certificate is valid for two years, after which it must be renewed. Instructions on how to renew the file-based certificate are provided under Appendix D/Renewal of certificate. The digital signature is created in the manner described in the Content Signature Specification, where an envelope using ApplicationRequest schema is the object of the signature. The envelope is a simple XML structure that includes information specifying the customer and the file content to be protected. The digital signature both identifies the signer and ensures content integrity. Any modification to the content ruins the signature, which would be recognised by Nordea s receiving system. In such cases, the connection would be rejected. Correspondingly, the bank s system signs an envelope using ApplicationResponse schema and Nordea s signing key, when sending files to the customer. The signature provides assurance to the user that the message has come from an agreed party and that the information has not been altered during transmission. While the security envelope ensures the identification of parties and integrity control of the message, confidentiality is achieved via encrypted communication lines. General description of data communication protocols Corporate Access File Transfer data communication consists of various protocols in pushpush or push-pull mode. Push-Push protocol means that a party that wants to send data over the internet establishes a connection. The bank can then set up a connection and transport data, such as an account statement, to the customer. The bank must have customer-specific IP addresses and keys registered to be able to set up the connection. The customer must allow the bank to connect via their firewall. Typical push-push protocols include ftp, sftp, AS2 and SWIFTNet FileAct. Push-Pull protocol means the bank server does not connect to the customer, but the customer server connects to the bank when requesting data, such as account statements from the bank. In push-pull connections, the bank does not need to maintain customer-specific information 11/17

12 about IP addresses and customer server keys, and no firewall opening is needed. Typical pushpull connections include Web Services, EBICS and manual File Transfer in Netbank. A signed security envelope is used in all the protocols mentioned above, including manual file transfer in Corporate Netbank. However, the security envelope is not mandatory in manual file transfer and SWIFTNet FileAct. If not used, the payment transactions must be confirmed manually via netbank UI after transmission (exception: not in FileAct). Nordea replies to each request message with a response message. When managing very large files, the creation of a response message may take some time. Creating and uploading files To follow is a description of the steps needed to create and upload a file. Usually a bank connection program performs these steps without the user seeing them. If files are signed and uploaded using separate software, the message is signed in accordance with steps 1-5 and uploaded in accordance with steps 6-8. See also Figure 1 on the interconnection of the messages in Appendix C Data communication in File Transfer. Signing the file 1. Create the payment file (e.g. for Corporate Access Payables) in your system. If the file is very large, it must be compressed. Convert the file or compressed file into base64 code for the uploading. The file content is called the Payload. 2. Create an envelope, an XML structure following ApplicationRequest schema. 3. Place the Payload in the Content element of the envelope. 4. Digitally sign the envelope using the company-specific certificate. 5. Transfer the message to communication software. Uploading the file 6. Establish a connection to Nordea using your preferred communication protocol. 7. Upload the message and wait for a reply from Nordea. Confirm the signature in the reply and show the content of the response to the user. Nordea s reply complies with the signed envelope following ApplicationResponse schema. The reply includes a status code indicating whether the transmission has succeeded (=0) or failed (>0). File compression If a large file in XML format (e.g. Corporate Access Payables) is sent to the bank, the file must be compressed. This enables the size of the file to be decreased significantly, which helps the signature process and transmission. A compressed payment file can easily hold 100,000 transactions in one file. The only supported compression algorithm is GZIP. See more detailed instructions in the Content Signature Specification for Corporate Access File Transfer Compression is also used in files retrieved from the bank. Receiving files from the bank Files can be received from the bank in various ways via different communication protocols. Files are always in signed envelopes so the customer can verify that the file is coming from the correct partner and to enable compression of the file content. Only GZIP algorithm is supported. 12/17

13 In push-push protocols (like sftp) Nordea will send a file (e.g. an account statement or a feedback status message) as soon as it has been created. If the file is not successfully sent, for example due to an internet connection error, the customer can retrieve the file manually later using Corporate Netbank File Transfer. Nordea will not try to send the file automatically again to avoid duplicate processing of customer transactions. In push-pull protocols (like Web Services) the customer sends a signed request to the bank and the response contains the requested file, e.g. an account statement. The response is always signed by the bank s system, so the customer s software can verify that the message was sent by the agreed party. Push-pull protocol has not yet been implemented. Technical instructions for bank connection software In addition to this service description, Nordea s Corporate Access File Transfer and data communication protocols are described in more detail in separate documents. These guidelines are mainly intended for companies producing bank connection software and are available at /vendor pages. The documentation is divided up as follows: Content signature specification for Corporate Access File Transfer This specification is used to develop software for creating a security envelope and digital signature for files to be sent to Nordea Corporate Access. Protocol specification documents for sftp, SWIFTNet FileAct and AS2. These specification documents can be used to develop or configure banking software communicating with Nordea Corporate Access. The documents are available at Vendor pages. 3. Specification documents for Web Services and EBICS will be published once those protocols have been implemented into Corporate Access. Technical documentation for testing This document specifies how testing can be performed at Nordea using one or multiple alternatives. 13/17

14 Appendix D Certificate download processes The following describes the certificate download process using software or alternatively downloading the certificate manually from Nordea s website. Downloading the certificate is secured using an activation code which is sent to the customer via SMS. The mobile phone number for SMS codes is registered in the customer s agreement, or it can be added to the agreement at a Nordea branch by an administrator. The received SMS activation code is valid for seven days. If necessary, the administrator can order a new code by calling customer support for Corporate Customers (see contact information in Chapter 4) A certificate is always attached to a company in the bank s register, even if the certificate is used by automated systems between Nordea and the customer. It is the company s responsibility to ensure that certificates are duly stored and that they are only used in the authorised manner. Backup copies of the certificates, if any, must also be stored in a secure manner. When sending a service request signed with the certificate, a user (the signer of the file) represents the company that has entered into the Corporate Access File Transfer agreement. Certificates must be renewed before the current certificate expires, in order to ensure uninterrupted use of the services. Only one version of the certificate can be in force at a time, so when a certificate is renewed, the previous one is automatically revoked. Automatic download The administrator creates a CSR (Certificate Signing Request) using a bank connection program and enters the agreement data, which will also be added to the data in the certificate: company name signerid country code (two letters, eg FI, SE ) activation code from the SMS message to the administrator. The bank connection program creates a key pair and sends the public key to Nordea for signature. If the request is accepted, the program receives the certificate, which it will use in subsequent bank connections. If there is an old certificate, it can no longer be used after this. The process is described in more detail in the guidelines intended for companies producing software. The address of the automatic certificate service is Currently only Web Services protocol is supported for automated download (see service description for Web Services communication for further information). Manual download The certificate can be downloaded manually to the customer s system from Nordea s website using the web browser ( Identification data for downloading, such as company name and SignerID, can be found in the CAF schedule of the Corporate Cash Management Agreement. To follow is a description of how to download the certificate in a Windows environment. A downloaded certificate can be used in any environment. Log in to the service address with the browser in order to download the certificate The Nexus Personal Client application must be installed before the certificate can be downloaded to the computer (see link on the screen). The Nexus Personal Client application 14/17

15 is only needed for downloading the certificate. The software only operates in a Windows environment. Fill in the company name and user ID (=SignerID) from the agreement and the activation code received in an SMS message. The country code is the same as used in customer address. Enter the password to protect the certificate when it has been received. The password must be sufficiently secure. If the password is too simple it will not be accepted and a new password will need to be entered. Finally select Download certificate. See next picture for details. 15/17

16 Image 1 16/17

17 If you want to save the certificate straight onto a USB stick, you must insert the stick into your PC before you select the Download button. Next the program will ask you to select the directory into which the certificate is to be saved and you will be asked for the password again. Enter the same password in the field as above (image 2) Image 2 Banking software must have access to the certificate file. More detailed instructions are available in each bank connection program s own instructions. If the certificate is temporarily saved on the hard drive, it is not advisable to leave it there for security reasons. Make a backup copy and delete the copies from the hard drive and the Nexus Personal program. When you no longer need Nexus Personal, you can delete it. It can be reinstalled later, if necessary Renewal of certificate A file-based PKI certificate used in the Corporate Access File Transfer protocol is valid for two (2) years. After a certificate has expired it cannot be used for bank connections. The certificate must be renewed before the current certificate expires. Nordea recommends that a new certificate is downloaded at least one month before the expiry of the current certificate. The bank connection program should give you plenty of advance warning of when your certificate is due to expire. When a certificate is renewed, the previous certificate will be closed. A new certificate can be downloaded at any time, but only one certificate is valid at a time. If the certificate has already expired, in order to receive a new certificate you must order an SMS activation code first by calling User support, or from your Nordea branch. Invalidation of certificates To invalidate the certificate, and to order a new one, if necessary, customers should contact their Nordea branch. Customers must inform the bank of the agreement and Signer ID connected to the certificate. 17/17