JPMorgan Chase Treasury Workstation Certification Setup Guide
Version 2.0, December 2010
TABLE OF CONTENTS

Introduction
  About this Guide
  When to Create the Certificates
  Getting Help
Company (SSL) Certificates
  Company (SSL) Certificates
  Generating Company (SSL) Certificates
  Approving Company (SSL) Certificates
Operator (Digital Signing) Certificates
  Creating Operator Certificates
  Viewing Operator Certificate Details
  Changing Operator Certificate Passphrase
Glossary
Appendix A: Initial Connectivity Setup
  Connectivity Setup
  Specifying Host Settings

For more information, please contact your J.P. Morgan Treasury Services representative or visit jpmorgan.com/ts

This document contains information that is confidential and is the property of JPMorgan Chase & Co. It may not be copied, published, or used in whole or in part for any purpose other than as expressly authorized by JPMorgan Chase & Co. All trademarks, trade names, and service marks appearing herein are the property of their respective owners. SecurID is a registered trademark or trademark of RSA Security Inc. in the United States and/or other countries.

Introduction

About this Guide

The guide is intended to provide Treasury Workstation (TW) clients with the information required to create the digital certificates needed to communicate with J.P. Morgan.

The Company (SSL) Certificate is used for authentication. All JPMorgan Chase Treasury Workstation clients are required to create a Company (SSL) Certificate.

The Operator (Digital Signing) Certificate is used for transmitting transactions from the Global Funds Transfer (GFT) module to J.P. Morgan. All JPMorgan Chase Treasury Workstation clients who utilize the Global Funds Transfer (GFT) module must create Operator (Digital Signing) Certificates for each user who will be transmitting payments.

Passwords/passphrases are required for the digital certificates. Please carefully track these passphrases. If they are lost or forgotten, it may take up to 10 days to create a new certificate and gain access to the system.
When to Create the Certificates

All new JPMorgan Chase Treasury Workstation (TW) users must create certificates in order to use the Treasury Workstation to communicate with J.P. Morgan.

The certificates are valid for up to two (2) years from the time the certificate is created. Clients will be notified that a new certificate must be created starting 45 days prior to the expiration date of the current certificate. We recommend that clients start the process as soon as they begin to receive these messages, since certificate activation may require up to 10 days. Examples of these messages are shown below.

[Figure: Company (SSL) Certificate Expiration Warning]

[Figure: Operator (Digital Signing) Certificate Expiration Warning]

Getting Help

If you have questions or need assistance, please contact the JPMorgan Chase Technical Solutions Group (TSG) at 888-363-3318; in Europe call +44-207-777-5600, option 3.
Company (SSL) Certificates

Company (SSL) Certificates

Each company must have a Company (SSL) Certificate in order to connect to J.P. Morgan. There can only be one active Company Certificate at a time.

Generating Company (SSL) Certificates

To Generate Company (SSL) Certificates:

1. Log on to Treasury Workstation.

2. On the Control Panel, click Administration > Parameters. The Treasury Workstation Parameters dialog box appears.

Note: If your Operator ID does not have Treasury Workstation Parameters maintenance privileges, you will not be able to modify the fields in this dialog box; another authorized user may be required to do so.

If your Company Name is not correct, please update it here. This change may require another authorized Operator to approve it.

Default values have been established for the new certificate options. They can be modified by an authorized Operator if desired. This change may require another authorized Operator to approve it. If changes are made, after the final approval has been given, Operators must exit Treasury Workstation and log on again before the changes become effective.
Password and Passphrase Expiration Days: Enter the number of days after which the Operator's password expires. When an Operator's password expires, the system requires the Operator to establish a new password (minimum 10 days; maximum 90 days).

COMPANY (SSL) CERTIFICATE

Approvals for New Certificate: Enter or select the number of Operator Approvals required to activate a Company (SSL) Certificate (minimum 0; maximum 2).
Approvals for Revoking Certificate: Enter or select the number of Operator Approvals required to revoke a Company (SSL) Certificate (minimum 0; maximum 2).
Months for Certificate Length: Enter or select the number of months a Company Certificate can remain active (minimum 6; maximum 24).
Certificates Expiration Notification Days: Enter or select the number of days in advance of Certificate Expiration that Treasury Workstation will begin to display reminders to the user (minimum 30; maximum 90).

OPERATOR (DIGITAL SIGNING) CERTIFICATES

Approvals for New Certificate: Enter or select the number of Operator Approvals required to activate an Operator (Digital Signing) Certificate (minimum 0; maximum 2).
Approvals for Revoking Certificate: Enter or select the number of Operator Approvals required to revoke an Operator (Digital Signing) Certificate (minimum 0; maximum 2).
Months for Certificate Length: Enter or select the number of months an Operator's Certificate can remain active (minimum 6; maximum 24).
Certificate Expiration Notification Days: Enter or select the number of days in advance of Certificate Expiration that Treasury Workstation will begin to display reminders to the user (minimum 30; maximum 90).
Minimum Passphrase Length: Enter or select the minimum length for a passphrase (minimum 7; maximum 10).
Maximum Certificate Passphrase Tries: Enter or select the maximum number of times an Operator can enter an incorrect passphrase before they are locked out (minimum 3; maximum 5). Operators can be unlocked using the Operator Maintenance function.

3. Click the Certificates icon to launch the Parameters Certificate Maintenance screen.

4. Click Generate Company (SSL) Certificate. The Confirm dialog box displays, asking if you want to create a new SSL (Company) certificate.
5. Click Yes to continue. A new certificate is added to the list with a status of:

   P1A or PFA (Pending First Approval or Pending Final Approval) if your company has set Approvals for New Certificate on the Parameters screen to 1 or more. Additional Operator(s) must now approve the new certificate.

   RTS (Ready to Send) if your company has set Approvals for New Certificate on the Parameters screen to 0.

CERTIFICATE STATUS CODES

ACT: Active
EXP: Expired
REV: Revoked
DEL: Deleted
P1A or P1R: Pending First Approval for new Certificates or Pending First Approval for Certificate revoke
PFA or PFR: Pending Final Approval for new Certificates or Pending Final Approval for Certificate revoke
RTS: Ready to Send to JPMorgan Chase
RJA: Rejected by Approver
SNA: Sent Not Acknowledged

Approving Company (SSL) Certificates

When a new Company (SSL) Certificate has been generated by another Operator and one or more Approvals for New Certificates are required, you may need to approve the Certificate. You can approve only the Certificates that other Operators have generated.

To Approve Company (SSL) Certificates generated:

1. As soon as you log on, a Parameters button with a red checkmark displays on the Messages tab.

2. Click Parameters. The Treasury Workstation Parameters dialog box appears.

3. If the Certificates icon is red, it indicates a certificate has been generated that you may approve. Click the Certificates icon to launch the Parameters Certificate Maintenance screen.

4. Click the Company (SSL) Certificate with a Status of PFA (Pending Final Approval) or P1A (Pending First Approval) that you wish to approve. The Approve button is activated for you to approve the Certificate.

5. Click Approve. The Certificate status changes to PFA or RTS (Ready to Send).
6. When the status reads RTS, you are now ready to click Print and Export Certificates.

Note: If you wish to print all certificates at the same time, you can proceed to the next section, Operator (Digital Signing) Certificates, at this point.

7. The Select Certificates to Register/Revoke dialog box displays.

8. By default all new certificates will be selected. Uncheck any certificates that you do not want to generate and click OK.

9. The Confirm dialog box informs you of the three functions that will be performed if you continue.

10. Click Yes to continue. The Address dialog box displays.
11. Enter your Address, Phone Number and E-mail Address. Enter or select the date and time if different from that displayed and click OK.

12. The Company (SSL) Certificate report is sent to your default printer and the Status for the Certificate changes to SNA.

After the report is printed, have the appropriate approver(s) [as specified in your company's Security Administrator Designation Form (SADF)] sign the Company Certificate Report. Fax this report to JPMorgan Chase to activate the certificate(s).

Fax the signed Company Certificate Report to:
IMSD Security Operations
813-649-8367

When a new Company (SSL) Certificate Report is generated, a zip file is also created that must be e-mailed to JPMorgan Chase. The file will be in the JPMCTW\CERTIFICATES or the FirstWindow\CERTIFICATES directory (for example, Certificates-20060926-123456.zip). If you have a LAN installation, the Certificates folder is located in the Network Directory.

E-mail this zip file to: imsd.security.operations@jpmorgan.com

13. Within approximately ten business days of receipt of your signed certificate report, you will receive a return e-mail from JPMorgan Chase confirming the activation of your certificate(s).
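The Company (SSL) Certificate approval flow described above, modelled as a small state machine to show how the approval count and the "other Operators only" rule interact. This is an added example, not Treasury Workstation code: the status codes come from the guide's table, while the operator names, the class and function names, and the rules marked ASSUMPTION in the comments (the starting pending status, distinct approvers, and SNA moving to ACT on the bank's confirmation) are illustrative assumptions.

```python
# Added illustration; not Treasury Workstation code. Status codes are from the
# guide's table; the transition rules marked ASSUMPTION are not stated in it.
from dataclasses import dataclass, field


class WorkflowError(Exception):
    """Raised when an action is not allowed in the current state."""


@dataclass
class Certificate:
    generated_by: str
    approvals_required: int  # "Approvals for New Certificate": 0 to 2
    status: str = ""
    approvers: list = field(default_factory=list)

    def __post_init__(self):
        if not 0 <= self.approvals_required <= 2:
            raise ValueError("approvals must be between 0 and 2")
        # ASSUMPTION: two approvals start at P1A, one approval starts at PFA.
        self.status = {0: "RTS", 1: "PFA", 2: "P1A"}[self.approvals_required]

    def approve(self, operator: str) -> str:
        if self.status not in ("P1A", "PFA"):
            raise WorkflowError(f"nothing to approve in status {self.status}")
        # From the guide: you can approve only certificates others generated.
        if operator == self.generated_by:
            raise WorkflowError("generator cannot approve own certificate")
        # ASSUMPTION: first and final approval come from different Operators.
        if operator in self.approvers:
            raise WorkflowError("operator has already approved")
        self.approvers.append(operator)
        self.status = "PFA" if self.status == "P1A" else "RTS"
        return self.status

    def print_and_export(self) -> str:
        # Printing the report and exporting the zip moves RTS to SNA.
        if self.status != "RTS":
            raise WorkflowError("certificate is not Ready to Send")
        self.status = "SNA"
        return self.status

    def bank_activates(self) -> str:
        # ASSUMPTION: the bank's confirmation e-mail moves SNA to ACT.
        if self.status != "SNA":
            raise WorkflowError("certificate has not been sent")
        self.status = "ACT"
        return self.status


def run_workflow(generator, approvals_required, approvers):
    """Drive a certificate from generation to activation; return the trail."""
    cert = Certificate(generator, approvals_required)
    trail = [cert.status]
    for op in approvers:
        trail.append(cert.approve(op))
    trail.append(cert.print_and_export())
    trail.append(cert.bank_activates())
    return trail


if __name__ == "__main__":
    print(run_workflow("alice", 2, ["bob", "carol"]))
    print(run_workflow("alice", 0, []))  # no second person is involved
    try:
        Certificate("alice", 1).approve("alice")
    except WorkflowError as exc:
        print("blocked:", exc)
```

With Approvals for New Certificate set to 0, the trail goes straight from generation to RTS, so a single Operator can generate and send a certificate without any second reviewer.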
Operator (Digital Signing) Certificates

Creating Operator (Digital Signing) Certificates

Operator (Digital Signing) Certificates are signed electronic documents that contain information uniquely identifying the user. Operator (Digital Signing) Certificates authenticate the Operator using Treasury Workstation to transmit payments to the bank. Every Treasury Workstation Operator who transmits payments using Global Funds Transfer will be required to have their own Operator (Digital Signing) Certificate.

To Generate an Operator (Digital Signing) Certificate:

1. Log on to Treasury Workstation.

2. On the Treasury Workstation Control Panel, click Global Funds Transfer, and then click Communications. The GFT Communications screen opens to the Jobs tab.

3. Select the Certificates tab, then click Generate Certificate.
4. The Enter New Certificate Passphrase dialog box displays.

5. Enter the passphrase that will be used with this certificate and then re-enter the Passphrase and click OK.

Note: The passphrase must be between seven and 30 characters in length and contain at least one numeric and one alpha character. The length is specified on the Parameters screen. Passphrases are case sensitive.

Forgotten passphrases will require a new Operator (Digital Signing) Certificate to be created. Please take care to securely save the passphrase since creating a new certificate may take up to 10 days.

6. The new Operator (Digital Signing) Certificate displays on the Certificates tab.

7. Click Close.

Note: The next step will be performed by an authorized Operator or administrator.

8. From the Control Panel, select Administration, then Parameters. The Treasury Workstation Parameters dialog box appears.

9. Click Certificates to launch the Parameters Certificate Maintenance screen.
10. Click Print and Export Certificates. All new certificates will automatically be checked. You may change those selections as desired, or use the default of all new certificates to complete the remaining steps at the same time. The Select Certificates to Register/Revoke screen displays.

11. By default all new certificates will be selected. Uncheck any Certificates that you do not want to generate and click OK.

12. The Confirm dialog box informs you of the three functions that will be performed if you continue.

13. Click Yes to continue. The Address dialog box displays.

14. Enter your Address, Phone Number and E-mail Address. Enter or select the date and time if different from that displayed and click OK.

15. The certificate report is sent to your default printer and the status for the Certificate changes to SNA.

After the report is printed, have the appropriate approver(s) [as specified in your company's Security Administrator Designation Form (SADF)] sign all certificate reports. Fax the report(s) to JPMorgan Chase to activate the certificate(s).
Fax the signed Operator (Digital Signing) Certificate Report to:
IMSD Security Operations
813-649-8367

When a new Operator (Digital Signing) Certificate Report is generated, a zip file is also created that must be e-mailed to JPMorgan Chase. The file will be in the JPMCTW\CERTIFICATES or the FirstWindow\CERTIFICATES directory (for example, Certificates-20060926-123456.zip). If you have a LAN installation, the certificates folder is located on the Network directory.

E-mail this zip file to: imsd.security.operations@jpmorgan.com

16. Within approximately ten business days of the receipt of your signed certificate report, you will receive a return e-mail from JPMorgan Chase confirming the activation of your certificate(s).

Viewing Operator (Digital Signing) Certificate Details

It may be necessary to view the details of an Operator (Digital Signing) Certificate to check the Valid From and Valid To date or verify a fingerprint.

To View Certificate Details:

1. On the Treasury Workstation Control Panel, click Global Funds Transfer, and then click Communications. The GFT Communications screen opens to the Jobs tab.
2. Select the Certificates tab. The Manage Operator (Digital Signing) Certificates screen displays.

3. To view the details of a certificate, select the certificate and click View Details.

Changing Operator (Digital Signing) Certificate Passphrase

Operators are required to periodically change their passphrase. The length of time between changes is specified on the Parameters screen.

To Change a Passphrase:

1. On the Treasury Workstation Control Panel, click Global Funds Transfer, and then click Communications. The GFT Communications screen opens to the Jobs tab.
2. Select the Certificates tab. The Manage Operator (Digital Signing) Certificates screen displays.

3. To change the passphrase for a certificate, select the certificate and click Change Passphrase. The Change Passphrase dialog box displays.

4. Enter the original passphrase that was used with this certificate. Enter the new passphrase and then re-enter the new passphrase and click OK.

Note: The passphrase must be between seven and 30 characters in length and contain at least one numeric and one alpha character. The length is specified on the Parameters screen. Passphrases are case sensitive.

5. Click OK.

Forgotten passphrases will require a new Operator (Digital Signing) Certificate to be created. Please take care to securely save the passphrase since creating a new certificate may take up to 10 days.
Glossary

Dial-up IP: Provides access to the Internet via a service provider selected by JPMorgan Chase.

Dial-up Modem: Refers to JPMorgan Chase Treasury Workstation communications using direct dial via an analogue telephone line to MT CAM (from GFT), and FirstCash, and third-party banks (all three from GIM).

Digital Certificate or Digital Cert: Signed electronic documents that contain information uniquely identifying the user. It can be considered an electronic passport. Digital Certificates are used to authenticate Treasury Workstation's access to JPMorgan Chase.

Digital Signing: Refers to an attempt to mimic the offline act of a person applying their signature to a paper document. Involves applying a mathematical algorithm, usually stored on and as part of the user's private key, to the contents of a body of text. This results in an encrypted version of the document (this is referred to as the 'digitally signed' document) that can only be decrypted by applying the user's public key. Digital Certificates are used to digitally sign documents.

Operator Certificate (also referred to as Signing Certificate, Signing Cert, or Digital Signing Cert): This is a Digital Certificate required for transmitting payments from GFT to JPMorgan Chase. Every Treasury Workstation Operator who transmits payments will be required to have their own Certificate. A passphrase associated with the Signing Certificate must be entered before transmitting to JPMorgan Chase; it will replace the transmission password they enter using Treasury Workstation version 5.0. JPMorgan Chase Treasury Workstation refers to them as Operator Certificates.

Direct IP: Refers to a direct Internet (TCP/IP) connection from the client's workstation where Treasury Workstation is installed to JPMorgan Chase.

FirstCash: A heritage Bank One interactive TTY information reporting product that is accessed using GIM. The primary information reporting source for GIM.

GFT: The Global Funds Transfer module of JPMorgan Chase Treasury Workstation.

GIM: The Global Information Manager module of JPMorgan Chase Treasury Workstation.

Passphrase: A secret string of words (i.e., a grammatical sentence) used to authenticate an individual's identity during system logon that is transformed by a system security component into a virtual password. Phrases are easier to remember than long strings of random characters because passphrases can be actual meaningful sentences or words. Passphrases will be used by Operators when transmitting payments to JPMorgan Chase using GFT.

RAS: Short for Remote Access Services, a feature built into Windows NT that enables users to log into a remote network. RAS works with several major network protocols, including TCP/IP. To use RAS from a remote node, you need a RAS client program, which is built into most versions of Windows.

SSL: Short for Secure Sockets Layer, which is a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that is transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http:.

SSL Certificate: This document uses the term SSL Certificate to refer to the Digital Certificate used to authenticate Treasury Workstation to JPMorgan Chase. The SSL certificate is required in order to connect to JPMorgan Chase. There is only one SSL Certificate per Treasury Workstation client. JPMorgan Chase refers to them as Company Certificates.

TCP/IP or IP: Transmission Control Protocol / Internet Protocol. Used as a standard for transmitting data over networks and as the basis for standard Internet protocols. In this document, when we speak of Direct IP or Direct IP communications, meaning no modem is involved in communicating over the Internet, the phrase Direct IP is used.
Appendix A: Initial Connectivity Setup

Connectivity Setup

The Host Maintenance dialog box lets you specify the connection settings for the bank's host systems. Converting to IP connectivity is the last step in the upgrade process and can be done only after JPMorgan Chase has notified you that your Certificates have been activated.

Note: You do not have to convert all Workstations to IP connectivity at the same time.

Specifying Host Settings

You specify the connection settings for each Bank host.

Note: Check with your System Administrator prior to making changes to Host Settings.

To specify the Host Settings:

1. On the Control Panel, click Administration, then click Host Maintenance. The Host Maintenance dialog box appears.

2. From the Workstation drop-down list, select the workstation whose settings you want to define.

Note: The Default Workstation must be set up first. When the Default Workstation entries have been made, all other Workstations will be set to the same settings. If necessary, this information may be overridden for a Workstation.

Workstation: Select the identification name assigned to your workstation. The field defaults to the ID of the Current workstation you are now logged into.
Host Name: Select the Host Name whose connections you want to specify.
Login ID: Enter the default ID to be sent when communicating with this host.
Password: Enter the password for the default ID. The system displays asterisks for each character of the password as you type.
Confirm Password: Reenter the password for the default ID to confirm that you entered it correctly. The system again displays asterisks for each character typed.
Use Default workstation Host Communication Settings: Check this checkbox to use the same settings for this Workstation that were set up for the Default Workstation.
HOST COMMUNICATION SETTINGS

Internet: Click this radio button if you have a direct connection to the Internet.
High Speed Dial-up (RAS): Click this button to use a dial-up service provider selected by JPMorgan Chase.
Dial-up (TAPI): Refers to JPMorgan Chase Treasury Workstation communications using direct dial via an analog telephone line to third-party banks (from GIM).
INTERNET SETTINGS

Automatically detect: Automatically detect Internet settings.
Direct Connect: Connect to the Internet without a proxy server or SOCKS firewall.
Use a proxy server: Use a proxy server to connect to the Internet.
Address: Host name or IP address of the proxy server.
Port: The listening port number of the proxy server.
SOCKS Firewall: Use a SOCKS firewall to connect to the Internet.
Address: Host name or IP address of the SOCKS firewall.
Port: The listening port number of the SOCKS firewall.
SOCKS v4: Use the SOCKS version 4 protocol.
SOCKS v5: Use the SOCKS version 5 protocol.
Phonebook Entry: Phonebook entry to use with high speed dial-up (RAS).
Dial-up ID: Access ID for the dial-up service provider.
Dial-up Password: Password for the dial-up service provider.

3. From the Host Name drop-down list, select the Host whose settings you want to define.

4. For all hosts except CAM, you must enter the following Host Login Settings:
   In the Login ID field, enter the default Host ID.
   Enter the Password.
   Re-enter the Password.

5. Under Host Communication Settings, select Internet or High Speed Dial-up (RAS) for CAM (GFT) and FIRSTCASH (GIM).

6. Under Internet Settings, select Automatically detect settings, or select Use a proxy server and enter the server Address and Port information, and, if applicable, enter SOCKS Firewall Address and Version information.

Note: Select (Default) for the Workstation to access FirstCash for new installations. By default, Internet and Automatically detect settings are selected. To use Automatically Detect Settings, Microsoft Internet Explorer (any version) must be properly configured.

Note: Contact your System Administrator to obtain information on your Internet Settings.

7. Click OK.