Valicert TM Secure Internet data delivery and application integration
To secure the delivery of financial transactions and highly sensitive documents to our customers over the Internet, we selected Valicert s software because it provides us a confidential and guaranteed solution. JPMorgan Chase Valicert is a proven solution used by major corporations and financial institutions to securely move sensitive data between geographically dispersed offices, customers, partners and suppliers; replace the costly private network infrastructure required for EDI systems; and reliably exchange data between back-office applications across multiple sites. has been deployed by hundreds of major corporations at thousands of sites around the world. Many Valicert customers integrate with existing applications and business processes. They use it to secure extranet services; replace costly leased lines, modem pools and VANs; streamline paper, fax and phone-based processes inside and outside the organization; and support demanding, mission-critical production processes. Leading banks, insurance companies and government departments use to transparently incorporate secure data and document delivery into the Web services and portals they offer to their corporate customers and business partners. now provides even greater value by adding a rich set of application integration capabilities to the secure data delivery platform. This unique combination is a highly cost-effective way to extend Application Integration (EAI) out over the Internet to small and large companies. The Valicert team brings extensive knowledge in securely deploying these solutions in the most demanding financial and supply chain processes. The consulting team has experience with a variety of enterprise authentication solutions, DMZ security practices, high-availability deployments, and load-balanced configurations. Product Overview Valicert is a data transfer and business process integration solution offering security, reliability, scalability and performance. It provides secure file transfer and data integration over the Internet and private IP networks, with enterpriseclass features, including: Support for both FTP/S and HTTP/S protocols for secure data transfer The strongest levels of authentication, data encryption and audit trails Guaranteed delivery and data integrity with retransmits for failed transfers Reliable transfer of very large files with checkpoint/restart Scheduled batch transfers Transaction management for structured EDI and XML messages Thin and thick clients available across a wide range of operating systems Integration with many authentication systems including LDAP, SSO and PKI Event-driven agents, data conversion and application integration Distributed deployment architecture for high availability and performance Push and pull data delivery with centralized partner management Rapid deployment services Because of these attributes, provides a compelling return on your investment (ROI). is used extensively in large-scale production environments by: Leading commercial and central banks, inter-bank networks, clearinghouses and other financial institutions National and state government agencies Insurance companies and health records processors Global 2000 companies in the manufacturing, pharmaceutical and high-tech industries In many instances is deployed for complete automation of application-to-application data delivery across organizational boundaries. It can be deployed more securely and quickly than a VPN solution, with lower Total Cost of Ownership (TCO), while providing a more complete set of automation capabilities for secure and reliable data exchange. FINANCIAL SERVICES Treasury and cash management Electronic funds transfer (ACH, SWIFT) Lockbox services with images Positive Pay file delivery Trust and custodial services Brokerage position updates Credit card reporting services Insurance claims processing and enrollment Trade finance documentary collection ENTERPRISE Internet EDI Software and disk image distribution Product design, shipment and logistics Credit processing and recovery services Remote inventory reporting GOVERNMENT Tax and wage reporting Regulatory filings Records delivery Benefits More reliable than e-mail and ftp Protects data in transit and in DMZ Transparently encrypts stored data Cuts private network/van costs Increases efficiency via automation Provides demonstrable, quick ROI Eliminates need for paper proof Improves regulatory compliance Lowers Total Cost of Ownership (TCO)
Secure Data Delivery Features Authenticated, Encrypted File Transfer The foundation of is its ability to transfer data securely and reliably over the public Internet or private IP networks. Secure access and data transfers are available with a Web browser, a wide range of platform-specific clients or an application using the Software Developer Kit (SDK). Security is provided by: Authenticating the SSL connection between the client and server Encrypting the connection during data delivery Controlling access based on credentials managed by or an enterprise authentication system SSL-encrypted sessions protect important information, such as userid, password, commands, file names and data. Guaranteed Delivery file transfers are based on industry-standard protocols: FTP and HTTP. ValiCert brings enterprise-class reliability and efficiency to these protocols, by adding the following guaranteed delivery features: Data integrity checks on both sides of the transfer, with a retransmit if the match fails Auto-restart in case of a failed transmission Checkpoint/Restart in case of an interrupted connection. After reconnection, the client transfers only the remaining data, saving time and bandwidth and improving performance Authentication and Authorization Users or applications require authenticated credentials to access. Supported credentials include: userid/password, secure tokens, digital certificates, smartcards or any other enterprise authentication means. can also be used in conjunction with an LDAP server such as Netscape Directory Server or anocsp server such as Valicert Validation Authority. When used with digital certificates, accepts standard X.509v3 certificates or Entrust Entelligence user profiles. It works with any commercial Certificate Authority (CA), but also has a built-in CA for customers preferring an integrated solution. can be extended with customizable Agents to authenticate against any Single Sign-On (SSO) server or enterprise authentication solution such as tokens. Customers have used agents to integrate with: Network authentication systems, such as RADIUS Secure token systems, such as RSA SecureID ACE/Server SSO environments, such as Netegrity SiteMinder and IBM Tivoli Policy Director Computer Associates CA-ACF2 After validating the credentials, determines user access permissions based on the IP address, user class and user types real (OS) or virtual ( application). Any combination of user type, name pattern, group and IP address can be used to create a user class with enterprise access policies. Virtual users operate in a higher security environment; their access is restricted to the application, preventing unauthorized access to the system and to other parts of the network. Their home directories restrict access to a defined segment of the file system, but they can be granted access permissions to shared directories. Audit Trails and Tracking Secure data delivery requires strong audit trails for tracking and proof management. All data transfers in are tracked via log files and Messaging Disposition Notification (MDN) receipts. These digitally signed and vaulted audit records capture relevant file transfer and nonrepudiation information, including: timestamp, data integrity check and user credentials. Tracking reports are available based on userid, disposition status, time period, etc. Data Protection and Encryption also addresses enterprise and regulatory requirements for data protection through: DMZ Security Application Proxy Repository Encryption End-to-End Encryption These features help financial institutions comply with GLB Title V (Privacy) regulations and healthcare organizations with HIPAA privacy and security regulations. policies often preclude storing sensitive data in the Demilitarized Zone (DMZ). s DMZ Security Application Proxy streams data securely between the Internet and the Data Management server on your enterprise network without writing it to disk in the DMZ. Once data reaches the back-end network, the Repository Encryption Module protects data on the server from unauthorized internal users or those with access to backups. Finally, the End-to-End Encryption Module provides asymmetric encryption to protect data at the client before it is sent, ensuring that only the receiving party can decrypt the data protecting it in transit and while on servers. Client-Server & Hub-and-Spoke supports client-initiated connections to push or pull data from the server. It also supports a Hub-and-Spokes deployment, in which the Hub server connects to centrally administered Spoke servers ( Partner Edition) for very secure and cost-effective server push capability. Key Components of Valicert TM Secure Data Transfer Services: Accept and process secure file transfer requests. Valicert Software http and http/s ftp and ftp/s Secure Data Transfer Services Authentication Transaction : Server-side agent framework that triggers scripts on file transfer events, for integration of third-party functionality or back-end applications. Web-Browser Client: Securely transfer files to the server without requiring client-side installation. ActiveX control provides guaranteed delivery. Web Browser Third Party http http/s ftp secure ftp Transaction Valicert Back-End ValiCert Software : Securely transfers files to and from the server, using advanced automation features such as batch upload and scheduling.
Valicert Software Web Browser Third Party http and http/s ftp and ftp/s http http/s ftp secure ftp DMZ Security Application Proxy Secure Data Transfer Services Transaction Data Management Server Valicert TM Edition: Secure DMZ Deployment Authentication Client Back-End Key Components of Valicert TM Edition DMZ Security Application Proxy: Authenticates external connections, converts all supported protocols to a secure streaming connection to the Data Management server and examines all user commands for protocol conformance. Secure Data Transfer: Supports all internal client connections and file transfers. Transaction : Excecutes predefined or custom rules and agents for enterprise authentication, local data management and integration with backend applications. Server Family Valicert s product family includes a range of server offerings to suit varied customer needs. Standard Edition Servers Standard Edition servers provide secure data delivery with agent-based integration infrastructure and user-based licensing. Secure data transfer with guaranteed delivery and checkpoint/restart is supported over FTP, FTP/S, Secure FTP (RFC2228), HTTP, and HTTP/S protocols. Web browsers, all Valicert client software and a number of 3rd party clients can connect securely to Standard Edition Servers. Customers can augment Standard Edition with a range of options, including: Repository Encryption Module Data Integration Suite Forms Suite Edition The Edition server has an unlimited user license and provides the built-in features that large enterprise customers demand, such as: Repository encryption EDI INT AS2 support DMZ Security Application Proxy Tracking and proof management Role-based user management Delegated user administration Transaction & Rules Editor In addition to all the protocols and clients supported by the Standard Edition, Edition provides unique deployment modes to meet the higher security and flexibility needs of banks, financial networks, insurers and large enterprises. Secure DMZ Streaming Deployment The Edition server provides a DMZ Security Application Proxy, which ensures greater security by streaming data between an Internet client and internal secure network. The data is securely transferred across the DMZ by s application proxy without it ever being written to storage in the DMZ. Hub-and-Spokes Deployment Edition provides a Partner Management Hub for centralized management of a distributed community of Partner Edition servers used in push-oriented data delivery and transaction processing. This is an ideal capability for trading communities and financial networks. This capability enables the Edition server to initiate secure, guaranteed transfers of data from the Hub to the Partners and to accept incoming secure transfers from the Partner Edition servers. These bi-directional transfers over managed queues with exception monitoring can be initiated in real time or controlled by a scheduler. The Partner stores data delivered by the Hub in a mailbox designated for a specific application or user and can trigger a pre-defined action, including notifications, data movement, or more complex processing with the Data Integration Suite. Similarly, data delivered by a Partner to the Hub can be stored in a defined mailbox and trigger Transaction rules for notifications or more complex processing. Partner Edition In concert with the Edition Hub, Partner Edition can be deployed as a spoke of a distributed network. Built for simple and easy deployment, the Partner Edition is an ideal solution for environments requiring reliable and secure data delivery from a Hub without the high cost and burden of administering a full server at each Partner site. The Partner Edition server provides a simple setup wizard to define its Hub connection, create user profiles, and select actions for incoming files. All of the security and protocol settings are predefined by the Edition Hub and downloaded to the Partner on the first connection or following any updates. The Hub controls the connections, relieving the Partner from administration tasks. Partner Edition servers support all of the protocols and clients supported by the other servers. They can be deployed as data gateways for internal access and data transfers with an Edition Hub. Partner Edition servers can be augmented with these optional modules: Repository Encryption Module Data Integration Suite for transforming incoming or outgoing data Forms Suite for secure form submission
provides thin and thick clients for diverse needs and supports Web access with Microsoft Internet Explorer and Netscape Navigator in environments with no software clients. Users of Web browsers can communicate with using HTTP or HTTP/S and navigate customized HTML screens tailored to a corporation s user interface standard or the needs of a specific application. Full customization of the interface and the SSO capabilities of its authentication framework allow to be integrated into an enterprise portal. Thin Client - ActiveX Control Users of Internet Explorer benefit from the added reliability and efficiency provided by the ActiveX Control. It provides guaranteed delivery via data integrity checks, auto-restarts and checkpoint/restart for IE-initiated transfers within any customized interface or portal. For simple distribution and management, this client can be downloaded and installed by the browser on the user s first connection. Afterwards, any updated versions are automatically picked up by the browser and installed with one-click approval. Platform-Specific for Windows, UNIX, OS/390 (MVS), and AS/400 permit users to: Securely transfer data over FTP/S or HTTP/S protocols, even through a firewall or HTTP Proxy server Authenticate using userid/password or digital certificates Reliably transfer files over unstable network connections or dial-up lines with guaranteed delivery These clients also feature the platform-specific capabilities described below. Windows GUI Client The Client for Windows provides the full client functionality through an easy-to-use graphical interface. Users can select files and folders in a Windows Explorerlike view, then drag and drop file icons to transfer files or folders to and from the server. For strong authentication this client supports X.509 certificates, smartcards and Entrust Entelligence profiles. This client also includes a multi-event scheduler that allows data transfer operations to be triggered automatically based on scheduled events. The same client functionality is available from the Windows command line interactively or for use in a script. Command-Line Client for UNIX The Client for UNIX is a command-line client that runs on Solaris, HP- UX, AIX and Linux. It provides the same core features and can be used interactively, incorporated into scripts, or used for automated, unattended transfers using the UNIX cron scheduler. OS/390 (MVS) Client The Client for OS/390 secures data transfer to and from mainframes in a reliable manner. It supports both binary and ASCII/EBCDIC file transfers over FTP/S and HTTP/S with SSL authentication and guaranteed delivery over internal IP networks or over the Internet. The Client for OS/390 is a command-line client that runs on OS/390 release 2.4 or later and z/os release 1.1. Like the UNIX command-line client, you can use the OS/390 client interactively under USS or TSO, or incorporate it into a script or a JCL job. AS/400 Client AS/400 client for IBM iseries provides guaranteed data delivery and checkpoint/restart capabilities over FTP/S and HTTP/S protocols for users and applications. Designed to support standard firewall settings, this client provides easy-to-use access between AS/400-based users and applications, and servers. Client Software Development Kit The client-side Software Development Kit (SDK), available in C and Java, provides the same guaranteed delivery features and checkpoint/restart capabilities as Valicert s other clients. It permits customers and application software vendors to: Use APIs from their applications to reliably transfer data to and from Build their own custom client for Third Party In addition to Valicert s client software, users can use 3rd party clients provided by platform vendors or ISVs, including standard FTP clients and secure FTP clients compliant with RFC2228. Partner Edition Partner Key Components of Valicert TM Hub and Spoke Deployment HTTP/S Internal Secure Data Transfer Services Partner Community Transaction Partner Transfers Edition Authentication Back-End Client Browser Partner Edition: Simple to deploy partner endpoint accepts Edition-initiated connections and data transfers. Stores received data in application mailboxes and delivers to partner applications for final processing. Accepts client connections for data transfers back to the Edition. Partner Community : Defines a distributed Partner community, their security and other settings, and provides central management of Partner profiles. Partner Transfers : Initiates and monitors transfers on Partner queues, handles exceptions, schedules regular partner and application-specific transfers.
Business Process Integration Transaction A core requirement for application integration is the ability to connect data flows to and from external organizations with a set of predefined integration policies and actions. s Transaction provides this capability to define, execute and manage transactions that link data exchange with back-end processing and applications. Its foundation is an execution engine triggered by incoming and outgoing data transfer events, including: Client connections to the server File uploads & downloads Incoming or outgoing transfers on Partner queues Incoming or outgoing AS2 transfers Scheduled events Errors and exceptions Transaction provides two levels of capabilities: Implicit transaction rules that trigger Active Agents based on core events Explicit transaction rules defined in the Rules Editor with conditions and actions for more complex events and actions Transactions Using Active Agents Active Agents are server-side scripts that run when triggered by events to provide automation and simple enterprise application integration. Using the trigger events, one can insert custom processing at different times during a data transfer transaction. Active Agents can be used to: Extend the authentication framework to support Single Sign-On or enterprise authentication solutions Provide user notifications and operation alerts on user login, directory access, or file transfer Transfer incoming data to a back-end application, repository or message queue for further processing Notify back-end systems of data arrival or user requests to retrieve data Perform local data management and archival on the server Active Agents can be defined for the following events: User login & logout User credential presentation (USER & PASS commands or certificate presentation) File upload and download, at the start and at the end of the transfer Most FTP and HTTP commands Transaction Built to provide additional flexibility and scalability, the Transaction is based on a powerful rulebased parallel execution engine. It also provides a Web-based graphical rules editor, which allows users to construct the conditions and actions pertaining to particular events and data transfers. The Rules Editor permits authorized users to access, import and edit rule packages and individual rules. Rule packages combine rules to define a complete easy-toadapt business process specification or policy for acting on data transferred via. Within the Rules Editor, the graphical rule definer constructs conditions and actions to be executed on these conditions. Conditions can be constructed using logical operators to combine pre-defined Transaction events with external functions, which can access file data (e.g. to examine certain headers or tags) or lookup external values in a database or directory server. Actions can be constructed using external Active Agents and inprocess Java Agents. The Transaction also supports rule chaining by allowing in-process Java Agents to trigger other rules for multi-step processing. Data Integration Suite customers can add comprehensive data conversion and integration features to their secure data delivery environment by leveraging Valicert s Data Integration Suite for. The Data Integration Suite removes a significant barrier to achieving increased automation and Straight Through Processing (STP) by enabling enterprises to connect to the multitude of different information systems of customers and business partners, without custom programming. The Data Integration Suite supports a wide range of file formats, EDI and XML schemas, enterprise applications and databases. Format conversions and integration process flows are specified using an intuitive drag-and-drop design studio. These integration maps are executed by the Transaction on file access and file transfer events. s business process integration capabilities open up new opportunities for cutting costs and streamlining business processes, at a fraction of the cost of other Application Integration products. Server Platforms MS Windows Sun Solaris IBM AIX HP-UX Red Hat Linux Supported Standards Secure Data Transfer HTTP, HTTP/S, FTP, FTP/S, Secure FTP (RFC2228) EDIINT AS2 SSL v3, TLS, v1 SNMP, LDAP, SMTP 3DES, RC2, RC4, MD-5 X509 v3, MS CAPI, OCSP PKCS7 Data Integration XML, EDI X12, UN/EDIFACT HL7, HIPAA SWIFT SQL, ODBC v2 and v3, OLE DB 2.0 SAP IDoc JMS, IBM WebSphere MQ, MS MQ
Server Editions Table Standard Edition Edition Partner Edition Secure File Transfer FTP, FTP/S, Secure FTP HTTP, HTTP/S EDI INT AS2 Guaranteed Delivery and Data Integrity Authentication and Authorization UserID/Password Digital Certificates, Smartcards LDAP SSO Extensible Class-based access control User Management Role-based Delegated Audit Trails and Tracking Log Files Signed MDN Receipts w/ Reporting Data Protection and Encryption Repository Encryption DMZ Security Proxy End-to-End Encryption Transaction Active Agents In-process Java Agents Rules Editor Data Integration Suite Table Client-side Interface Secure File Transfer FTP HTTP Scheduling PKI Authentication: Standard X.509v3 PKI Authentication Entrust Entelligence TM Guaranteed Delivery UNIX command line client Windows GUI client Windows command line client OS/390 (MVS) client AS/400 client C SDK Java SDK Web browser Microsoft IE browser on Windows w/activex Control Third Party Native FTP Secure FTP (RFC2228) EDI INT AS2 products Worldwide Headquarters Valicert, Inc. 1215 Terra Bella Avenue Mountain View, CA 94043 USA Tel +1 650 567 5400 Fax +1 650 969 3554 Toll Free in U.S. 1 877 VALICERT www.valicert.com Europe Headquarters Valicert BV Arena Business Park Olympia 1a/1b 1213 NS Hilversum The Netherlands Tel +31 35 646 2616 Fax +31 35 646 2707 Japan Headquarters Valicert Japan KK TT-1 Bldg. 11F, 1-14-8 Nihonbashi Ningyo-cho Chuo-ku, Tokyo Japan 103-0013 Tel +81 3 5651 0384 Fax +81 3 5651 0386 2002 Valicert, Inc. All rights reserved. Valicert and the Valicert logo are registered trademarks of Valicert, Inc. All other company and product names are trademarks or registered trademarks of their respective owners. 8/02