Web Services. File transfer Service description

Transcription

1 Web Services File transfer Service description

2 Content 1 General Web Services Agreement on the use of the WS connection Certificates and keys Prerequisites for using the WS connection Use of certificates and PKI keys in bank connections Identification of the user and authorisation to the service Invalidation of certificates Validity and renewal of certificates Files in Web Services connection Files in Nordea Bank Finland Files in Nordea Bank Baltic General description of data communication protocol Creating and uploading files Signing the file Uploading the file File compression Downloading files Downloading compressed files Technical instructions for bank connection software Testing Connection test with test IDs and accounts Payment file and connection test with the customer s IDs and accounts Schedules Web Services connection address PKI certificates Distribution of certificates Automatic download Manual download Renewal of certificate Security instruction User support User support Finland User support Estonia User support Latvia User support Lithuania... 19

3 1 General This document describes the Web Services data communication protocol (hereinafter protocol) produced by Nordea (hereinafter Nordea or the bank). Web Services (WS) is Nordea s new data communication protocol for file transfer between the bank and the corporate customer. The Web Services protocol is based on common global standards and complies with the definitions of the World Wide Web Consortium (W3C), see In the WS connection, data is SSL encrypted in the Internet TCP-IP network, so VPN encryption is not needed. Customers are identified by Public Key Infrastructure (PKI) certificates, also called keys, given by the bank. The bank is the issuer of the certificates (Certificate Authority, CA). With the Web Services standard Nordea can offer companies a data communication protocol, PKI identification and security specifications in line with the definitions of the Web Services Interoperability Organisation, see This document describes the standard in the form is applied by Nordea. The technical details of the WS protocol are described in other documents available at the website of the Federation of Finnish Financial Services The descriptions are in English; see section 5.3. At present the WS connection can be used to transmit files based on the XML standard and, in addition, local Cash Management (CM) service files used in Finland and in Baltic countries (Estonia, Latvia, Lithuania). The same local files can also be transmitted through other data communication solutions. When a corporate customer changes over from other protocols to Web Services protocol, a new agreement on the Web Services protocol is made. The agreements and terms and conditions of different CM services remain as is; only the data communication and data security protocols change. 1.1 Web Services The Web Services protocol is intended for the transmission of CM files such as XML/ISO20022-standard based files (payments, account statements) and the local files such as incoming reference payment files (KTL). A complete list of the file types available in the WS connection is given in section 4. The list is updated when new file types are added to the protocol. XML files based on the ISO20022 standard, like Corporate Payments, must be transmitted via the WS connection and the related PKI security standard or alternatively via Corporate Netbank s File Transfer service. The WS connection is designed for the transmission of files from the customer or to the customer. In WS communication, the customer is the active party who opens the connection whether uploading files to the bank or downloading them from the bank (push-pull communication). The company needs a bank connection program that supports the WS protocol. Nordea does not offer bank connection software, but; instead, companies should contact, for example, software suppliers to obtain a suitable program.

4 1.2 Abbreviations and terms used in the service description WS PKI XML PATU CA SSL HTTPS SOAP Administrator User Sender Web Services. A de facto standard of data communication complying with international specifications such as SOAP and XML. Public Key Infrastructure. International specification for the identification of a party in communication (owner of certificate). Extensible Markup language. Format used, for instance, with the Corporate payments service and in SOAP messages. From Finnish compound word pankkiturvallisuus ( banking security, secure banking ). Specification published by the Federation of Finnish Financial Services for the identification method presently used by Finnish banks. Certificate Authority. Issuer of the PKI certificate. Secure Sockets Layer. Encryption scheme used with Internet connections. Hypertext Transfer Protocol Secure. Encrypted version of the http protocol. Standardised message format in WS communications. A user named in a customer s (company) agreement whom the customer authorises to receive from the bank the users' personal /company-specific identification data based the PKI system. The administrator manages the user rights related to the identification data and tends to other administrative matters on behalf of the customer. A user named in a company s agreement, authorised to use the CM service. Can be different from the file sender. The party who signs the SOAP message. Authorised to communicate with the bank using the WS connection and to send ApplicationRequest messages signed by the user or to receive ApplicationResponse messages signed by the bank. The sender can be a third party who has an agreement with the company. (Nordea not being a party to this agreement.) 2 Agreement on the use of the WS connection The customer makes an agreement with Nordea on the use of the Web Services connection (Web Services Agreement). At the time the agreement is made the customer selects whether it wants to use company-specific or user-specific certificates. In the agreement the parties specify the company and the company s contact person (administrator) who represents the company s users, and if necessary any other users. By virtue of the agreement the company can upload and download batch files using the Web Services data communication and PKI security protocol. If the file sender (i.e. signer of SOAP messages) is a third party who has made an agreement with the company, the sender is not a party to the agreement between Nordea and the customer. The authorisation for a service or account is always verified with the user company s digital signature (ApplicationRequest signature). 2.1 Certificates and keys The customer can download automatically the certificate needed for the Web Services protocol with its bank connection program if it supports the automatic certificate download. In that case, the customer s bank connection program sends the certification request based on the customer s information and the activation code obtained by a text message. The code is valid for seven days. The administrator can order/renew it when the program is implemented by calling E-support for Corporate Customers (contact information in section 10). The mobile phone number is registered in the customer s agreement, or it can be added to it at a Nordea branch. The certificate can also be downloaded without a program from Nordea s website. The downloading is done with the help of the browser using the same information as in in the previously mentioned downloading with a program. The previously used password envelope is no longer used. December

5 More specific instructions for both types of download are described in section 9.1. Nordea also offers card based certificate which together with the card reader enables authentication/authorization towards the bank s services offered via the Web Services channel. Each time the private key in the card is used to sign a message the PIN of the user must be entered. When a user receives a file based certificate, it must be protected by the PIN entered by the user. It must not be possible to use the certificate without this PIN except when the software otherwise controls the user s user rights reliably. The software can store private keys and allow their usage without a PIN given by the user to enable, for example, automatic connections. In such a case the bank connection software must control the user role and save the transaction related to the usage of the key in the software s log information. Nordea s system always verifies a service request by the user- or companyspecific certificate and the owner of the certificate is responsible for the requests. When sending a service request, a user (the signer of the file) represents the company that has made the Web Services agreement. In the bank s register a certificate is always named to a certain person or company. If the certificate is used by automated systems between Nordea and the customer, the company s certificate can be given for use by a person who is not registered as a user. It is the company s responsibility to ensure that certificates are duly stored and that they are only used in the authorised manner. Backup copies of the certificates, if any, must also be stored in a secure manner. 2.2 Prerequisites for using the WS connection The customer has a valid agreement with Nordea on the use of the Web Services connection. A user must have a user-specific or company-specific ID (received from the bank upon concluding the agreement) with which the PKI certificate is downloaded from Nordea to the customer s system. The digital signature based on the PKI certificate, user identification and the user s authorisation to use the CM service are verified by Nordea on the basis of the certificate. The company has the software able to create the digital signature and the bank connection. Before the bank connection, payment files to be uploaded or a download request is signed digitally with the private key belonging to the user s or the company s PKI certificate. The signature can be created with separate software or with a function integrated in the bank connection program. The digital signature is created, and bank connection opened, with software that supports WS connection described in Nordea s Web Services protocol description. The general Web Services description has been jointly drafted by Finnish banks. It is available at the website of the Federation of Finnish Financial Services Nordea s instructions for applying the specification are given in this service description and in the document Web Services Security and Communication Description. Before sending messages to the bank their structural correctness must be ensured and the messages must be tested; see section 6. 3 Use of certificates and PKI keys in bank connections In Web Services connections the customer is identified with PKI technology and certificates. PKI, Public Key Infrastructure, is an operating model for the use of keys and certificates. This operating model makes use of asymmetric cryptography based on key pairs. It allows the basic forms of secured electronic communication, such as digital signatures, to be employed with the private key of a signer. Certificate refers specifically to certificates in X.509 format issued by Nordea (Certificate Administrator). In this confidential relationship there are only two parties, Nordea and the corporate December

6 customer. A certificate is issued, on the basis of the WS Agreement, to person or persons working in the company and specified in the company s WS agreement. The certificate, or rather the private and public keys belonging to it, is used by the customer to digitally sign the CM service file and then by Nordea to identify the customer. By the signature Nordea can verify that files were confirmed and signed by the person authorised to use the certificate and the CM service. It also proves that the files were not altered after they were signed. The file-based certificate is valid for two years, after which it must be renewed. The card certificate is valid for five years. Instructions for the renewal of the file-based certificate, see section 9.2. The card certificate must be ordered from the bank through a contact person. The digital signature is created in the manner described in the banks common Web Services description, where an XML structure named ApplicationRequest is the object of the signature. ApplicationRequest is a simple XML structure that includes information specifying the customer and the file. The digital signature is enveloped. It means that the entire content of the message to be signed, including possible files, is covered by the signature. The digital signature both identifies the sender and ensures content integrity. Any modification to the content ruins the signature. The modification would be recognised by Nordea s receiving system and connection would be rejected. Correspondingly, the bank s system signs an ApplicationResponse message when creating messages to the customer with the Web Services connection. From the signature the user ensures that the message has come from agreed party and that the information hasn t changed on the way. It is possible to duplicate enveloped signature. In this case the latter signer signs all of the content and the previous signature. For the time being, duplicate signing of ApplicationRequests is not used in Nordea s Web Services data connection protocol. 3.1 Identification of the user and authorisation to the service The authorisation to use the Nordea Cash Management service is based on the digital signature of the ApplicationRequest message, i.e. the user/company is identified and the authorisation checked from the bank's agreement system. An ApplicationRequest signed before the bank connection is delivered inside a SOAP message, in its body element. The ApplicationRequest can be signed in advance before transmission. The SOAP message is signed with the file sender s own PKI certificate two hours, at the most, before the bank connection. This signature is only an authorisation to use the Web Services connection, not an authorisation to use any CM service. The signing of the SOAP message only ensures that the file sender is authorised to contact the bank s file transfer service through the Web Services connection, to send ApplicationRequests signed by the user and to receive ApplicationResponses signed by Nordea addressed to the user. Image 1 below describes connections between the files to be sent (Payload), the ApplicationRequest to be signed and the SOAP messages sent to Nordea. To avoid interdependencies of nested XML structures the messages are base64 coded before they are placed as field content. December

7 Image 1 When the user is also the file sender, the SOAP message can be signed by using the same PKI key with which the ApplicationRequest was signed. When a user requests for file downloading from the bank, the Content field is skipped. Also in this case the ApplicationRequest must be signed, just as when uploading files to the bank. The field content is described in more detail in the document Web Services Security and Communication Description. The structure of the messages described above does not differ from each other whether you use a card based hard certificate or a downloaded soft certificate. 3.2 Invalidation of certificates If a person authorised in the appendix to the agreement no longer works for the company or no longer does tasks involving bank connections, the person s certificate must be invalidated. To invalidate the certificate, and to order a new one, if necessary, the customer must contact his or her Nordea branch. The customer must inform the bank of the logonid connected to the certificate. The company is responsible for invalidation, and the invalidation requires an amendment to the appendix of the agreement. Personal certificates must not be handed over. Outside the bank s service hours, call Luottokunta blocking service to invalidate the certificate. Blocking service contact information: in Finland, tel ; from abroad, tel December

8 3.3 Validity and renewal of certificates A customer s certificate is valid for two years and it must be renewed before its expiry. The bank connection program should monitor the situation and warn the user of the expiry in advance. The renewal should be done well in advance with the bank connection program if it supports the use of a file based certificate. The new certificate can be downloaded by signing a certificate request digitally with a valid certificate. If the certificate has already expired, a customer can request an SMS activation code from a Nordea branch or E-support for Corporate Customers. Then the downloading can be done with the software or through the website. However, this procedure requires that the customer s Web Services agreement has a valid mobile phone number to which the activation code is transmitted as an SMS message. 4 Files in Web Services connection 4.1 Files in Nordea Bank Finland Files downloaded from Nordea File name File type Note Account statement SWIFT MT940 Bill payment service, transmission feedback SW940 LMPPAL Corporate payments, Payment Status Report (XML) NDCORPAYL pain Currency payments, transmission feedback Currency payments, transmission feedback Current date balance, SWIFT MT941 Current date transactions, SWIFT MT942 Custody ISO instructions fb. Custody ISO reports Customer specific files Direct debits, authorisations to invoicers Direct debits, transmission feedback E-invoice from file transfer, Invoices to recipient E-invoice from file transfer, rejected invoices to sender Electronic account statement Electronic XML account statement ULMPPAL VLU2 SW941 SW942 CSINXS00L CSREPS00L CNFTB000L SVVAL SVPAL HAELASKUT HYLLASKUT TITO NDCAMT53L File type BRSWIFT will work until the end of We recommend switching to use file type SW940 before this date. The content and adoption of files to be separately agreed with Nordea Electronic XML account statement/egw NDEGWA53L To Corporate egateway customers Electronic account statement, Nordea Finance EMV-Payment terminal AID-file EMV-Payment terminal BIN-table EMV-Payment terminal feedback to vendors EMV-Payment terminal files to card companies EMV-Payment terminal public keys Exchange rates for EUR Feedback on Request for transfer Feedback on Request for transfer from SWIFT IBAN calculation and validation, feedback Incoming reference payments Incoming XML reference payments FINRACSTL EMVAID EMVBIN EMVMPAL EMVKAIN EMVJAV VKEUR FIRFT000L FIRTSWPL FIIBANPAL KTL NDCAMT54L December

9 Incoming XML reference payments/egw NDEGWC54L To Corporate Gateway customers Incoming reference payments, Nordea Finance FINRREFPL Incoming currency payments, advance notice ENNTIED Finnish accounts only Interest Liability statement Payment terminal feedback to vendors Payment terminal feedback to card companies Real time balance Recipient notification Salaries and pensions, transmission feedback KORKO HTMVASTEL MPAL MPPPALAUTE SALDO FIB2CVASL TSPAL Specifications of payments paid/egw NDEGWD54L To Corporate egateway customers Security statement Transaction statement HTMVAKUEL TATO All transactions of the current day up to the time of query Files uploaded to Nordea File name File type Note Bill payment service LMP300 Corporate payments, (XML) NDCORPAYS pain Corporate payments, Cancellation Request (XML) NDCORCANS pain Currency payments Currency payments Custody ISO instructions Customer specific files Direct debits LUM2 ULMP CSINXS00S CNFTC000S SV The content and adoption of files to be separately agreed with Nordea E-invoice to file transfer (FI) LAHLASKUT The character set to be used is ISO EMV-Payment terminal transactions from vendors IBAN calculation and validation Payment terminal transactions from vendors EMVMPP FIIBANLAS MPP Request for transfer FIRFT000S Finnish files. Other countries: GetUserInfo Salaries and pensions Invoicer notification Sales receivables (FI) TS FIB2CLASS FACTORING XML payments/egw NDEGWXMLS To Corporate egateway customers 4.2 Files in Nordea Bank Baltic Files downloaded from Nordea File name File type Note Currency payments (ULMPPAL) feedback FI ULMPPAL Currency payments (VLU2) feedback FI VLU2 Advance notice on currency payments FI ENNTIED Account statement SWIFT MT940 SW940 Account statement SWIFT MT940 HTMBR for printable HTML statements Balance report SWIFT MT941 SW941 Interim transaction report SWIFT MT942 SW942 Baltic domestic payments feedback NEMCT101L December

10 Files downloaded from Nordea File name File type Note Currency payments (ULMP) FI ULMP Currency payments (LUM2) FI LUM2 Baltic domestic payments NEMCT101S 5 General description of data communication protocol The Web Services data communication involves transfer of sessionless request-reply messages. With the Web Services connection the customer s identification data accompany the transmission in every single connection. The data connection is based on a Web Services standard: the sending and receiving of an XML structure complying with the SOAP specification. (SOAP is the standardised message format in the WS connection.) A SOAP message contains header and body elements. The body element is signed with the file sender s key before transmission. Each connection includes its own digitally signed ApplicationRequest with the desired command. The ApplicationRequest is always signed with the private key of the user specified in the agreement. The ApplicationRequest is placed in the body element of the SOAP message base64 coded; see image 1 in section 3.1. The command is either for uploading files to Nordea (UploadFile) or for downloading files from Nordea (DownloadFile). There are two other commands: DownloadFileList, a list of files to be downloaded GetUserInfo, user-specific information on the agreed CM services. ApplicationRequest always implies a specific file type. The FileType field must read the file type to be uploaded or downloaded. The file types are listed in section 4. Nordea recommends that the customer makes a GetUserInfo request in connection with adoption of the protocol and checks that all services it wants to use are mentioned in the reply. The response message also includes each file s file type and customer-specific identifiers related to the files. Nordea replies each Request message with a Response message. For an UploadFile command the ApplicationResponse includes an acknowledgement that the files have been received or rejected. The different CM services produce status and feedback messages according to their specific timetables. Note that it is possible that the uploaded file is rejected later because of, for instance, lack of cover on an account. December

11 When the system has failed to verify an ApplicationRequest or a signature, it delivers an error message with a SOAP fault message. An error message is crated with the SOAP error message in cases where it has been impossible to certify the ApplicationRequest message or the signature. However, in most cases the reason for the error is in the data content of the ApplicationResponse message when the system mentions a numeric error code and an error text. Correspondingly, Nordea replies a Download request by delivering the requested file(s) in the Content field of an ApplicationResponse, base64 coded. If the requested files are not available, the Response includes an explanatory error message. Nordea s reply always includes an ApplicationResponse with the corresponding fields of the Request; for example, the Content including the file to be downloaded. The ApplicationResponse is always digitally signed by the bank, so that the customer or the customer s system can verify the identity of the sending party and the integrity of the message after it was signed. The structure of ApplicationRequests, ApplicationResponses and SOAP messages is described in more detail in the document Web Services Security and Communication Description and other documents available at the website of the Federation of Finnish Financial Services see section Creating and uploading files Signing the file Uploading the file Below are described the steps needed to create and upload messages. Usually a bank connection program does these steps without the user seeing them. If files are signed and uploaded with different software, the message is signed in accordance with steps 1-5 and uploaded in accordance with steps 6-8. See also image 1 on the interconnection of the messages in section Create the payment file (e.g. Corporate payments) in your system. If the file is very large, it must be compressed (see section 5.1.3). Convert the file or compressed file into base64 code for the uploading. The file is called Payload. 2. Create an XML structure called ApplicationRequest. 3. Place Payload in the Content element of the ApplicationRequest. 4. Digitally sign the whole ApplicationRequest using the user-specific or company-specific certificate and its private key. Convert the signed message into base64 code. 5. Transfer the message to communication software or a CD. 6. Place the signed and base64 coded ApplicationRequest in the ApplicationRequest field of the body element of a new SOAP message. 7. Digitally sign the SOAP message with the private key of the file sender s certificate. The key may be the same as the above-mentioned which was used to sign the ApplicationRequest message. 8. Upload the SOAP message using the WS protocol and wait for a reply from Nordea. Confirm the signature in the reply and show the content of the ApplicationResponse to the user. Nordea s reply complies with the ApplicationResponse message defined in the banks common Web Services description. The reply includes a status code indicating that the transmission has succeeded (=0) or failed (>0). December

12 5.1.3 File compression If an XML format file sent to the bank, eg Corporate Payments includes tens of thousands of transactions, the file must be compressed. Do this before signing and sending the file. In this way the size of the file can be decreased significantly for the signature process and the transmission. The size of the largest acceptable single file is 50 megabytes (about 50,000 uncompressed transactions). The supported compression algorithms are GZIP and PKZIP (only the deflate algorithm is supported). Nordea recommends using the GZIP compression algorithm. The Compression element of the compressed file s ApplicationRequest message must include the value true and the value of the CompressionMethod element must be the name of the compression algorithm, for example, GZIP. Feedback on the transmission of the compressed file (eg Corporate Payment, pain.002) is not created during the same connection, but it must be downloaded separately. Compression can also be used in files downloadable from the bank. 5.2 Downloading files File downloading is done as described above, but because there are no files to upload, the Content field is skipped. The content of the Command field is GetUserInfo, DownloadFileList or DownLoadFile. Nordea s reply complies with the ApplicationResponse message, which has been specified in the Finnish banks' joint Web Services description. If the reply includes the requested file, it is located in the Content field of the ApplicationResponse, base64 coded. The ApplicationResponse is always signed by the bank s system, so the customer or customer s software can verify that the message was sent by the agreed party Downloading compressed files Files can be requested as compressed. It is important to do so especially if it is known that the file is very large, for example an XML account statement. The download of compressed file uses the same principles as sending compressed files: the Compression-element must be set to True and CompressionMethod must contain the algorithm. Only GZIP algorithm is supported currently. 5.3 Technical instructions for bank connection software Nordea s Web Services data communication protocol is described in more detail in separate instructions. These guidelines are mainly intended for companies producing bank connection software, so that all the properties and safety features of the Web Services could be complied with accurately. The instructions are divided into the following classes (the date in the filename extension indicates the latest version and can vary): 1. WebServices-Messages pdf Nordea, OP-Pohjola Group, Sampo Bank: Security and Message Specification for Financial Messages using Web Services, This description is drafted by Finnish banks and it can be used to produce WS client software compatible with the services of all banks applying this description. 2. Web Services Description Language, WSDL Technical description of WS client software. This is a configuration file in XML format created for the automatic processing of a client application. The file name is in format BankCorporateFileService-yyyymmdd.wsdl, in which yyyymmdd indicates version update. The Finnish banks have one common WSDL file. 3. ApplicationRequest-yyyymmdd.xsd and ApplicationResponse-yyyymmdd.xsd, in which yyyymmdd indicates version update; for example The banks have common December

13 schema files of these XML structures. 4. This service description that defines Nordea s requirements for the use of WS-protocl in more detail. 5. Nordea s Web Services Security and Communication Description The description specifies in detail the message structure and its security features and the field contents in line with Nordea s requirements. 6. CertificateService_ WSDL Technical description of WS client software for downloading customer certificate. The banks do not have a common procedure for certificate download. Documents 1, 2 and 3 can be downloaded from the website of the Federation of Finnish Financial Services at in the Publications and statistics section. Documents 4, 5 and 6 are available at Nordea s website: or 6 Testing Bank connection software must be tested before implementation. The connection test is carrying out in Nordea s production environment using the test certificate and the other Nordea s test IDs, see section 6.1. When a bank connection program has been proved accurate and faultless, it can be used with Nordea s WS connection. The user doesn t need to make a separate WS connection test. However, it is advised that CM service files are always tested irrespective of the mode of connection. A customer is identified, and user authorisation verified, only on the basis of the user s certificate. Nordea is not liable for damage caused by incorrect operations of a bank connection program. Nordea recommends that before testing you read this service description, the Web Services Security and Communication instruction intended for software companies and the testing instructions at our website. The descriptions and the test pages can be found at: Connection test with test IDs and accounts With the connection test the specific test certificate must be used and the Environment field of the ApplicationRequest must read the word PRODUCTION. The test certificate and instructions for its downloading are available at: customers/payments and cards/tools/testing ID s for connection and message: UserId (CustomerId): PIN: WSNDEA1234 Filetypeset number for filetransfer (TargetId): A1. The test service codes and payment accounts used for testing each CM/payment services files are given in their own service description. Instructions for testing e-invoice are available on Nordea s website at: customers/payments and cards/tools/service descriptions December

14 The files uploaded can also be Corporate payment files based on the XML standard (file type NDCORPAYS) or other Nordea Bank Finland s local files. Different feedback files for CM/payment service files, test account statements (file type TITO) and incoming reference files (file type KTL) can serve as downloadable test files. Note that the content of the general test feedback, test account statement test and incoming reference payments are constant so they do not correspond to files sent with test IDs. E-support for corporate customers assists in matters related to file testing. Contact information in section Payment file and connection test with the customer s IDs and accounts Uploaded CM files can also be tested in production using the user s or company s own production certificate and company s accounts and service codes, but this requires that the test use of the production agreement has been implemented for the service in question. You must check from the service description of the CM/payment service in question whether test use is possible, and agree with the bank that the agreement is updated to the test status. In this case the Environment field of the ApplicationRequest must read the word TEST. The purpose of testing with production IDs is to ensure that the file form and content are correct, that all the IDs are as agreed and that the customer s agreements are in order. The payment service will generate a genuine feedback file showing the test result. Payments are not entered to accounts, and no account statement is generated. This feature has only been introduced in Corporate Payments/pain message version 2. Other file types sent go to payment despite the TEST parameter. The TEST parameter is available for CPS payment orders and only for its version no 2. Note that if the Environment field doesn t read TEST, payments in the file will be entered on the accounts. 7 Schedules Files can be uploaded and downloaded 24 hours a day, seven days a week. The processing and completion schedules for the CM files are available at: customers/payments and cards/advice on Payments and cards/service notice and customer support/file transfer Re-transmission and deletion of accepted files must be agreed separately with E-support for corporate customers. See the contact information in section Web Services connection address Note! Write the address exactly in the format given above (upper case, lower case). The connection is always SSL encrypted. December

15 9 PKI certificates 9.1 Distribution of certificates Upon making the WS agreement the company representative names the persons authorised to upload and download file transfer files to and from Nordea with the WS connection. Each user gets a personal certificate used to digitally sign a request (ApplicationRequest) before the bank connection. Usually a company has only one company-specific certificate for which all the files needed by the company are determined. When a company-specific certificate is used, the bank connection program supervises the different users user authorisations. A certification request based on the company s or the user s agreement data and one-time identification code ie activation code is formed in the Web Services channel. The code is delivered as a text message to a mobile phone number given in advance and mentioned in the agreement. If the request is correctly formed and accepted, the certificate is returned in a response message and it can be saved directly in the bank connection program. The renewal of a certificate retrieved from this service can be fully automatic, if the renewal request is made before the validity of the certificate expires. In addition to downloading with the bank connection program in the Web Services channel it is possible to use manual downloading with the browser. The SMS activation code and other necessary information are the same as in the downloading with the bank connection program. The renewal of a certificate downloaded from these services is also possible to do fully automatically and the renewal request must be before the expiry of the current certificate in order to ensure the continuous use of the services. Only one version of the certificate can be in force at a time so when a certificate is renewed, the previous one is automatically revoked Automatic download The mobile phone number of the administrator is saved in the bank s agreement system for the delivery of a 10-digit activation which is sent as an SMS message to this mobile phone number. The message is normally delivered within a working day and the code is valid for 7 days. When necessary, a new activation code can be obtained by calling the E-support for Corporate Customers or by contacting a Nordea branch. The administrator enters the WS agreement data which is added to the data of the signed certificate: company name (company-specific certificate) or user s name (user-specific certificate) user ID country code (two letters, eg FI) activation code from the SMS message. The bank connection program creates a key pair and sends the public key to Nordea for signature. If the request is accepted, the program receives the certificate which it will use in subsequent bank connections. The old certificate can no longer be used after this. The process is described in more detail in the guidelines intended for companies producing software. If the first request ends in an error because of an invalid company/user name, rectify the data on the basis of the error response data and recreate the certificate. Use the same activation code. The address of the automatic certificate service is December

16 9.1.2 Manual download The certificate can be downloaded to the customer s system from Nordea s website using the web browser (see Identification data for downloading, such as name and user ID is in the Web Services agreement. The one-time activation code is received as an SMS message to the administrator s mobile phone number indicated in the agreement. Below is a description of how the certificate is downloaded in Windows environment. A downloaded certificate can be used in any environment. Log in to the service address with the browser in order to download the certificate (Image 1). You can log in at under PKI certificate. If the Nexus Personal Client application has not yet been installed in the computer, it must be installed before the certificate is downloaded to the computer. The application is needed for secure downloading of the certificate. The Nexus Personal Client application is only needed during the downloading of the certificate. The software operates in Windows environment. Fill in the name and user ID from the agreement and the activation code received as an SMS message. The country code is usually FI. Foreign customers with another country code registered in their agreements form an exception. Enter the password to protect the certificate when it has been received. The password must be secure enough as a too simple a password will not be accepted. The password must be entered again. Finally select Download certificate. December

17 Image 1 December

18 If you want to save the certificate directly on a USB stick, you must insert the stick into your PC before you select the Download button. Next the program asks you to select the directory into which the certificate is to be saved and asks for the password again. Write the same password in the field as above (images 2 and 3) Image 2 Image 3 Banking software must have access to the certificate file. The more detailed instructions are available in each bank connection program s own instructions. If necessary, the password can be changed in Nexus Personal, with the program s PIN button. You can use a USB stick to save the certificate, but if you do a copy of the certificate is not saved on the hard drive. The USB stick can also serve as a backup copy if it is stored in a secure place. If the certificate is temporarily saved on the hard drive, for security reasons it is not advisable to leave it there. Take a backup copy and delete the copies from the hard drive and the Nexus Personal program. When you no longer need Nexus Personal you can delete it. It can be reinstalled later, if necessary. December

19 9.2 Renewal of certificate A PKI certificate used in the Web Services protocol is valid for two (2) years, if it is a file based certificate. A card based certificate is valid for five years. After the expiry of a certificate it cannot be used for bank connections. The certificate must be renewed before the expiry of the certificate currently in use. Nordea recommends that a new certificate is downloaded at least one month before the expiry of the current certificate. The bank connection program should warn you of the expiry of the certificate well in advance. A function has been added to Nordea s Web Services which supervises the expiry of the certificate and add a remark concerning the matter to SOAP and ApplicationRequest messages if there is less than month to the expiry of the certificate. When the response code is 0 and the text corresponding to it is OK, the remark text is added after OK. The text states the number of days left until expiry. The bank connection programs do not perhaps show this text, but they write it in the contact log. When a certificate is renewed, the previous certificate, which has been received in the same way, is simultaneously closed. (The renewal does not automatically close such a certificate which has been downloaded manually with a PIN code from an envelope. This kind of a certificate must be closed separately). A new certificate can be downloaded at any time, but only one certificate is valid at a time. If the certificate has already expired, in order to receive a new certificate you must order an SMS activation code by calling the E-support for Corporate Customers or from your Nordea branch. A bank connection program can renew the certificate automatically by signing the renewal request with a valid certificate. Example files and instructions are available at Security instruction A password linked to the certificate s private key must always be used to protect the certificate when it is used for digital signing. Certificates and their private keys must only be kept in the hands of their proper owners so that the certificate cannot be used inappropriately. Orders made with the customer s certificate are always considered having been made by the customer, so the certificate and the computer together with the software in which the certificate is saved must be properly and securely protected. December

20 10 User support 10.1 User support Finland E-support for Corporate Customers in Finnish Open on banking days ; on short banking days*) Call charge 0.11 euro per min + local network charge/mobile call charge. E-support for Corporate Customers in Swedish Open on banking days ; on short banking days*) Call charge 0.11 euro per min + local network charge/mobile call charge. E-support for corporate customers in English Open on banking days ; on short banking days*) Call charge 0.11 euro per min + local network charge/mobile call charge. *) New Year s Eve and Maundy Thursday Further information on the details of the service is available at Example messages, instructions and tools for testing for software houses are available at User support Estonia ebanking Support Monday to Friday from 9:00 to 17:00 [email protected] 10.3 User support Latvia Call Center Monday to Friday from 8:00 to 20:00 Saturday from 9:00 to 18:00 Sunday from 10:00 to 16: User support Lithuania Information and Help Desk Phone: or 1554 (local short number) Monday to Friday from 8:00 to 19:00 [email protected] December