equens connect direct - manual v2.0 uk

Upload: john-medeiros

Post on 05-Apr-2018


  • 8/2/2019 Equens Connect Direct - Manual v2.0 UK

    1/56

    Manual Connect:Direct (Secure File Transfer)

    Connecting to Secure File Transfer of Equens

    Final

    Equens SE

    Classification: OPEN

    Version 2.0 - 10 May 2011

    Version history

    Version number  Version date  Status  Edited by  Most important edit(s)
    1.0             02-Mar-09     Final   Equens SE  Revision of the manual.
    2.0             10-May-11     Final   Equens SE  Revision for PCI-DSS.

    Connect:Direct and Secure+ are trademarks of Sterling Commerce Inc.

    Content

    1 Introduction
      1.1 Maintenance of this document
      1.2 Target groups
      1.3 Structure of this manual
    2 Connect:Direct network variants and infrastructure
      2.1 Two network variants
        2.1.1 Connect:Direct via internet
        2.1.2 Connect:Direct via a Leased Line
      2.2 Infrastructure
    3 Security
      3.1 Introduction
      3.2 Encrypted file transmission via TLS
      3.3 Authentication by means of certificates
    4 File naming convention and routing mechanism
      4.1 Introduction
      4.2 Connect:Direct file name convention
      4.3 Receipt of different file types
      4.4 Multiple destination id's (optional)
    5 Fallback and backup facilities
      5.1 Standard situation
      5.2 Scenario in the event of local problems
      5.3 Scenario in the event of a network failure at the primary location
      5.4 Scenario in the event of a total failure at the primary location
    6 Configuration of your network
      6.1 Configuration of your firewall
      6.2 Configuration of the Connect:Direct node in your environment
        6.2.1 Node name/IP address
        6.2.2 Secure+
        6.2.3 Client certificate
      6.3 File processing in the test/acceptance environment
    7 Requesting and installing of a certificate
      7.1 Introduction
        7.1.1 Procedure
        7.1.2 Preparation
        7.1.3 Maintenance
      7.2 Requesting a certificate
      7.3 Retrieving the certificate
      7.4 Exporting the certificate
      7.5 Importing the certificate into your Connect:Direct node
      7.6 Retrieving the Equens server certificate (CA root certificate)
      7.7 Importing the Equens CA certificate into your Connect:Direct node
      7.8 Revoking the client certificate
      7.9 Retrieving the Certification Revocation List
      7.10 Renewal client certificate
    8 Testing your connection
      8.1 Introduction
      8.2 Difference between the three test types
      8.3 Connection test
        8.3.1 Connection test features and conditions
        8.3.2 Connection test execution
      8.4 File transfer test
        8.4.1 File transfer test features and conditions
        8.4.2 File transfer test execution
      8.5 Processing tests
        8.5.1 Processing test features and conditions
        8.5.2 Requesting the processing tests
    9 File sending
      9.1 Introduction
      9.2 Automatic file sending
      9.3 Binary file sending
    10 File delivery
      10.1 Introduction
    11 Using compressed files
      11.1 Introduction
        11.1.1 Compression programme conditions
        11.1.2 Binary file transmission
      11.2 Sending and receiving compressed files
        11.2.1 Conditions
      11.3 Receiving compressed files
        11.3.1 Conditions
        11.3.2 Features:
    12 Support processes: questions and changes
      12.1 Connect:Direct availability
      12.2 Technical Support department contact information
      12.3 Information on the Equens website
      12.4 Changing connection specifications
      12.5 Changing connection type
      12.6 Terminating the connection
      12.7 Changing and terminating processing agreements
    Annex 1 The relationship between the Connect:Direct naming convention and the 'old' I-Connect interface description

    1 Introduction

    This manual provides information regarding Secure File Transfer of Equens, in

    particular the Connect:Direct connection type.

    1.1 Maintenance of this document

    This document is managed and maintained by the Equens Corporate IT Middleware Management department. Amendment and publication of this document may be carried out solely by this department.

    New versions of this document will be made available as PDF files.

    When a new version of the document is published, Equens will send the customer

    an e-mail notification. The notification will be sent to the e-mail address you have

    stated in the "Applicant details" field on the Connect:Direct Service Request Form.

    We would be grateful for any feedback regarding any unclear or incorrect

    information found in this manual. Please send your response to the Technical

    Support department of Equens (for contact details, see chapter 12, Support

    processes: questions and changes).

    1.2 Target groups

    This manual is primarily intended for network specialists, functional and technical designers and administrators, ICT architects and programmers who are involved in the implementation and use of the Connect:Direct connection.

    1.3 Structure of this manual

    This manual is divided into three sections in which the following is explained:

    - Configuration of the connection with Connect:Direct
    - How to make a connection
    - Recurring procedures

    The above three sections are explained in further detail below.

    The first section describes how Equens has configured the connection with Connect:Direct and comprises chapters 2 to 5, which contain the following information:

    - Network variants via which you will be able to connect to Connect:Direct
    - How the security works
    - The manner in which the system will route your data to its destination on the basis of file names
    - How Equens has set up the backup and fallback.

    The second section explains in detail the one-off procedure you must perform in order to carry out future submissions of your data using Connect:Direct. This section comprises chapters 6 to 8, which contain the following information:

    - The technical aspects of the connection (organisation of your network)
    - Requesting and installing a certificate
    - Testing your connection.

    The third section explains in detail the activities that recur. This section comprises chapters 9 to 12, which contain the following information:

    - How to send files
    - How files are delivered
    - How to handle compressed files
    - How to submit questions and/or changes

    2 Connect:Direct network variants and infrastructure

    2.1 Two network variants

    Two network variants can be used for Connect:Direct:

    - Connect:Direct via internet
    - Connect:Direct via a Leased Line

    These two types are equal in terms of security: the security will be organised at application level with Secure+ (use of Transport Layer Security (TLS) and strong encryption).

    A connection via the internet is advantageous, as it enables high-speed transfers. Furthermore, if you already have an internet connection, the costs will naturally be lower.

    If you should opt for a more robust connection, the Leased Line is a good solution.

    This will involve additional costs ensuing from the management of the Leased Line

    by the connection provider. Furthermore, this connection is not a standard Equens

    network variant, and is realised in project form. This will also involve additional

    costs.

    The two network variants will be discussed in the subsequent sections.

    2.1.1 Connect:Direct via internet

    This network variant is the preferred choice of both Equens and the majority of users. Its characteristics are as follows:

    - The file transfer speed will depend on the internet connection bandwidth. Please note: As a rule, the available bandwidth cannot be guaranteed in the event of internet use.
    - Securing your internet-linked infrastructure will be your responsibility, in addition to which Equens strongly recommends using firewalls.

    2.1.2 Connect:Direct via a Leased Line

    For banks and large corporations, Equens offers the possibility to connect via a

    Leased Line. This Leased Line is based on a dedicated network and therefore has

    no relationship with the internet. Furthermore, agreements can be made with

    regard to guaranteed bandwidth and availability. As a result, such connections

    have a different level of security. The Leased Line connection can be scaled from

    128 Kb/second up to 155 MB/second. This type of connection can also be useful if

    you exchange multiple types of traffic with Equens.

    From a technical point of view, connecting to such a connection is very similar to

    an internet connection.

    Given the fact that these connections are always tailor-made, please contact the

    Technical Support department for additional information. This will not be discussed

    in any further detail in this manual.

    2.2 Infrastructure

    After the connection to Connect:Direct has been made, the infrastructure will resemble that shown in the following figure:

    Figure 1: Infrastructure for connection to Connect:Direct

    3 Security

    3.1 Introduction

    This chapter describes how the security of your data and the continuity of services will be guaranteed.

    Agreements and technical facilities will ensure that Secure File Transfer secures

    your data at all times. The security aspects are as follows:

    Authenticity

    Authenticity will be ensured by means of the following:

    - Certificate verification and validation
    - Use of a Secure Point of Entry (SPOE)

    Confidentiality

    Confidentiality regarding public and internal connections will be guaranteed through the use of Connect:Direct with Secure+ (TLS plus encryption).

    Integrity

    The integrity of the data that is to be transported will be guaranteed via the TLS hashing mechanism (digital signature).

    Authorisation

    Authorisation will be granted by means of the following:

    - Check (netmap) on both IP-address and node name
    - Check on Common Name in the client certificate
    - Contract conclusion checks (processing contracts)

    3.2 Encrypted file transmission via TLS

    When using Connect:Direct you will exchange files that may contain confidential information via Connect:Direct with Secure+. In use, Connect:Direct with Secure+ will be very similar to standard Connect:Direct, but one important difference is the fact that all confidential information will be encrypted via TLS and a strong cipher suite such as AES. The nodes will automatically carry this out for you.

    By default the following strong cipher suites are accepted by Equens unless agreed otherwise:

    RSA_WITH_AES_128_CBC_SHA

    RSA_WITH_AES_256_CBC_SHA

    RSA_WITH_3DES_EDE_CBC_SHA

    Please note: TLS v1.0 is the preferred secure protocol and SSLv3 is acceptable for

    a limited time. As of the 15th of March 2011, Equens will no longer support the

    SSLv3 protocol unless mutually agreed otherwise (this is temporarily postponed).

    One major advantage to this security method is that it is end-to-end: from node

    to node. The data will not only be encrypted in the public part of the network, but

    also on the internal networks of the customer and Equens.

    An additional advantage to this method is the fact that the network link between

    the customer and Equens will no longer need to be secured separately. It will be

    possible to send files over any type of network, including the internet.

    Figure 2: The connection via Connect:Direct is secured end-to-end via TLS

    3.3 Authentication by means of certificates

    An important aspect of the Connect:Direct infrastructure is the use of digital certificates. The Connect:Direct nodes are equipped with certificates for the purpose of authentication. This authentication is based on the nodes only accepting one another's certificates when they have been signed by the correct (Equens) Certificate Authority.

    A Getronics Pink Roccade PKI (Public Key Infrastructure) service will be used to

    issue certificates. This company sets high standards for the construction and

    management of PKI systems. Getronics Pink Roccade has set up a private CA

    (Certificate Authority) for the benefit of Equens. Private, in relation to this matter,

    means that this CA will only issue certificates for the Connect:Direct (and Secure

    FTP) service. Conversely, the Connect:Direct service will only accept nodes with

    certificates issued by this CA stating the same so-called Common Name on both

    ends of the connection.

    Equens will have full control over issuing of certificates and will determine which

    certificate applications will be accepted or rejected via a RA function. Equens will

    also be able to revoke previously approved certificates, when for example a

    security risk is established or the contract expires.

    More details on certificates can be found in the Equens Certificate Policy,

    downloadable from our website: www.equens.com (Support - Connectivity).

    In case your security policy does not allow the usage of the Equens PKI

    certificates, please contact the Technical Support department of Equens.

    Figure 3: Issuing of certificates by Equens

    4 File naming convention and routing mechanism

    4.1 Introduction

    When you wish to exchange files with Equens via Connect:Direct, the file names must comply with a specific naming convention.

    Files sent in will be routed to the appropriate Equens processing system on the

    basis of the file name. Equens will not be able to route sent files if their name

    does not comply with the naming convention and will therefore be unable to

    process them. In such cases you will receive an error message by e-mail.

    4.2 Connect:Direct file name convention

    The following standard will apply within Connect:Direct with regard to the structure of file names:

    ....

    The separate fields are defined as follows:

    Field       Format          Length  Description

                lowercase       8       Must be /mailbox/
                                        This part will be stripped from the
                                        filename after it is received.

                UPPERCASE,      1-8     The ID (router address) of the
                alpha-numeric           submitting party.
                                        This will be assigned by Equens and
                                        made known to the customer.

    Separation  Single dot      1       .

                UPPERCASE,      1-8     The ID (router address) of the
                alpha-numeric           destination.
                                        This is SFT if the file is destined for an
                                        Equens system (not 'INTERPAY' or
                                        'EQUENS').
                                        If the destination is outside of Equens
                                        or not SFT, the field must be filled
                                        with a destination name that has been
                                        assigned by Equens.

    Separation  Single dot      1       .

                UPPERCASE,      1-8     The ID of the file type being
                alpha-numeric           exchanged. The file type determines
                                        the type of processing by Equens.
                                        An overview of the most often used
                                        file types can be found in the
                                        Typetable at: www.equens.com
                                        (Support - Connectivity)

    Separation  Single dot      1       .

                UPPERCASE,      1-8     A unique alpha-numeric file reference
                alpha-numeric           ID assigned by the submitting party.
                                        The field must start with a letter and
                                        must be unique for the submitting
                                        party within a time frame of at least
                                        35 days.

    Separation  Single dot      1       .

                UPPERCASE,      1-8     The file name suffix, assigned by the
                alpha-numeric           submitting party indicating the format
                                        of the file.
                                        Important extensions include the
                                        following:
                                        TXT ('readable'/ASCII data)
                                        DAT (binary)
                                        PDF (Adobe Acrobat Reader format,
                                        binary)
                                        XLS (Microsoft Excel format, binary)
                                        XML (Extensible Markup Language
                                        format, binary)
                                        ZIP (compressed files, binary).
                                        The extension has no effect on the
                                        routing by Equens.

    Table 1: Explanation of file name components

    Specifications:

    - Each field is mandatory
    - The maximum field length is eight characters

    Please refer to the appendix "The relationship between the Connect:Direct naming convention and the 'old' I-Connect interface description" for information regarding the relationship between the current Connect:Direct naming convention and the previous I-Connect interface with token files.

    Below is an example of a complete file name for a file sent from id

    R0001234 to id SFT:

    /mailbox/R0001234.SFT.CLIEOP.C1234567.TXT

    4.3 Receipt of different file types

    A customer will be able to receive numerous file types via Connect:Direct. Each type will be processed by a specific application on the side of the customer.

    The customer must have a mechanism that ensures that each file type is routed to the correct application on the basis of the field .
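The naming rules of Table 1 and the file-type routing required in section 4.3, as an added example (not code from Equens or from the Connect:Direct product). The field labels (sender, destination, file_type, reference, suffix), the application name used for routing and the reading that a reference may be reused once 35 days have passed are assumptions of this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

PREFIX = "/mailbox/"                            # stripped by Equens on receipt
FIELD = re.compile(r"[A-Z0-9]{1,8}")            # UPPERCASE alpha-numeric, 1-8
REFERENCE = re.compile(r"[A-Z][A-Z0-9]{0,7}")   # as FIELD, but must start with a letter
NOT_A_DESTINATION = {"INTERPAY", "EQUENS"}      # Equens systems are addressed as SFT
REFERENCE_WINDOW = timedelta(days=35)


class FileNameError(ValueError):
    """Raised when a name does not follow the convention in Table 1."""


@dataclass(frozen=True)
class TransferName:
    # Attribute names are this example's own labels for the five fields.
    sender: str
    destination: str
    file_type: str
    reference: str
    suffix: str


def parse_name(name: str) -> TransferName:
    """Parse and validate a full file name, or raise FileNameError."""
    if not name.startswith(PREFIX):
        raise FileNameError("name must start with /mailbox/")
    parts = name[len(PREFIX):].split(".")
    if len(parts) != 5:
        raise FileNameError("expected five dot-separated fields, got %d" % len(parts))
    labels = ("sender", "destination", "file type", "reference", "suffix")
    for label, value in zip(labels, parts):
        # fullmatch() allow-lists every character, so path separators, lowercase
        # letters, empty fields and over-long fields are all rejected here.
        if not FIELD.fullmatch(value):
            raise FileNameError("%s %r is not 1-8 uppercase alpha-numerics" % (label, value))
    parsed = TransferName(*parts)
    if not REFERENCE.fullmatch(parsed.reference):
        raise FileNameError("reference must start with a letter")
    if parsed.destination in NOT_A_DESTINATION:
        raise FileNameError("use SFT for files destined for an Equens system")
    return parsed


def is_valid(name: str) -> bool:
    """True when parse_name() accepts the name."""
    try:
        parse_name(name)
    except FileNameError:
        return False
    return True


class ReferenceLedger:
    """Remembers (sender, reference) pairs so none is reused within 35 days."""

    def __init__(self):
        self._last_used = {}

    def accept(self, parsed: TransferName, now: datetime) -> bool:
        key = (parsed.sender, parsed.reference)
        previous = self._last_used.get(key)
        if previous is not None and now - previous < REFERENCE_WINDOW:
            return False          # duplicate inside the window: do not send
        self._last_used[key] = now
        return True


def route(parsed: TransferName, applications: dict) -> str:
    """Section 4.3: choose the receiving application by file type, failing closed."""
    try:
        return applications[parsed.file_type]
    except KeyError:
        raise FileNameError("no application registered for file type %r" % parsed.file_type)


if __name__ == "__main__":
    # The first name is the manual's example; the others are constructed.
    samples = [
        "/mailbox/R0001234.SFT.CLIEOP.C1234567.TXT",
        "/mailbox/r0001234.SFT.CLIEOP.C1234567.TXT",     # lowercase sender
        "/mailbox/R0001234.SFT.CLIEOP.12345678.TXT",     # reference starts with a digit
        "/mailbox/R0001234.EQUENS.CLIEOP.C1234567.TXT",  # destination must be SFT
        "/mailbox/../R0001234.SFT.CLIEOP.C1234567.TXT",  # path trick, wrong field count
    ]
    for sample in samples:
        print("OK    " if is_valid(sample) else "REJECT", sample)
```

Running the same validation before a file is submitted and again on every received name keeps a malformed name from reaching the routing step at all.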

    4.4 Multiple destination id's (optional)

    Equens can only issue multiple id's (router addresses) to a

    customer in complex cases (for example, if a group has numerous offices, all of

    which process the same file types and also share the same connection). The

    customer will then be able to route internally on the basis of the

    id in the file name.

    Additional id (router address) requests can be subject to extra

    charges, please contact the Technical Support department for more information.

    5 Fallback and backup facilities

    5.1 Standard situation

    Equens will have two identical environments: a primary location and a secondary location, both with a backup facility.

    Under normal circumstances each customer will have a Connect:Direct connection

    with the primary location. This is shown in the following figure:

    Figure 4: Route through Equens environment under normal circumstances

    5.2 Scenario in the event of local problems

    Local problems will be dealt with by the additional identical set of equipment at the primary location.

    5.3 Scenario in the event of a network failure at the primary location

    In the event of a network failure in the primary location, the system will automatically use the network infrastructure in the secondary location. With the exception of a brief hiccup, the client will not notice a difference.

    Figure 5: Route through Equens environment in the event of a network failure at

    the primary location

    5.4 Scenario in the event of a total failure at the primary location

    In the event of a total failure at the primary location, a procedure will be started in order to activate the secondary location as the fallback location.

    A number of procedures will ensure that the Connect:Direct traffic for the different network variants is routed to the secondary location. During these procedures it will not be possible to connect to Equens. The customer will not notice a difference after the fallback location has been activated and does not need to make any changes.

    Please refer to the Secure File Transfer (Connect:Direct) Service Level Agreement

    (SLA) for the specification of the maximum downtime.

    Figure 6: Route through Equens fallback environment in the event of a total failure

    at the primary location

    6 Configuration of your network

    This chapter explains the procedure for connecting to Connect:Direct at network

    level. Once the connection has been made it will be possible to work with

    Connect:Direct at transportation level.

    Two network variants can be used for Connect:Direct:

    - Connect:Direct via internet
    - Connect:Direct via a Leased Line

    The specifications for these network variants are described in chapter 2, "Equens Connect:Direct Network variants and infrastructure".

    6.1 Configuration of your firewall

    In order to be able to use the production system, you will need to open TCP port 1364 and ports 52000 through 52025 in your firewall for sft.equens.com (IP: 82.195.45.60) for production (and the ports configured for your local Connect:Direct node).

    For the test/acceptance environment the same TCP ports need to be opened for

    sftacc.equens.com (IP: 82.195.45.59).

    Please note: If you wish to carry out a processing test you must connect to the

    test/acceptance environment. Please refer to section 8.5, "Processing tests".

    The test/acceptance environment is not intended for data that have to remain confidential. The use of production data is not allowed on the test/acceptance environment.
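A least-privilege check for the firewall openings listed above, as an added example that is not part of the manual. The rule record (remote, first_port, last_port) and the finding names are assumptions; traffic direction is not modelled because the manual does not state it, and flagging a rule that also reaches the other environment is this example's own policy, motivated by the ban on production data in test/acceptance.

```python
import ipaddress
from dataclasses import dataclass

# Peers and ports as stated in sections 6.1 and 6.2.1 of the manual.
EQUENS_PEERS = {
    "production": ipaddress.ip_address("82.195.45.60"),       # sft.equens.com, node SFT
    "test/acceptance": ipaddress.ip_address("82.195.45.59"),  # sftacc.equens.com, node SFTACC
}
REQUIRED_PORTS = frozenset({1364, *range(52000, 52026)})


@dataclass(frozen=True)
class AllowRule:
    """One TCP allow rule; this record layout is an assumption of the example."""
    remote: str       # remote address or CIDR block
    first_port: int
    last_port: int


def audit_rules(rules, environment):
    """Return (finding, detail) pairs for rules that are wider or narrower
    than the openings the manual asks for in the given environment."""
    peer = EQUENS_PEERS[environment]
    other_peers = [ip for env, ip in EQUENS_PEERS.items() if env != environment]
    findings = []
    covered = set()
    for rule in rules:
        network = ipaddress.ip_network(rule.remote, strict=False)
        ports = set(range(rule.first_port, rule.last_port + 1))
        relevant = ports & REQUIRED_PORTS
        if not relevant:
            continue  # rule does not concern the Connect:Direct ports
        if peer in network:
            covered |= relevant
            if network.num_addresses > 1:
                findings.append(("remote-too-broad", rule))
            if ports - REQUIRED_PORTS:
                findings.append(("ports-too-broad", rule))
        if any(ip in network for ip in other_peers):
            findings.append(("other-environment-reachable", rule))
        elif peer not in network:
            findings.append(("unexpected-remote", rule))
    missing = REQUIRED_PORTS - covered
    if missing:
        findings.append(("ports-missing", sorted(missing)))
    return findings


def finding_names(rules, environment):
    """Only the finding names, in the order they were raised."""
    return [name for name, _ in audit_rules(rules, environment)]


if __name__ == "__main__":
    # Constructed rule sets for a production node.
    tight = [AllowRule("82.195.45.60", 1364, 1364),
             AllowRule("82.195.45.60", 52000, 52025)]
    loose = [AllowRule("0.0.0.0/0", 1364, 1364),
             AllowRule("82.195.45.60", 52000, 52010)]
    print("tight:", finding_names(tight, "production"))
    print("loose:", finding_names(loose, "production"))
```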

    6.2 Configuration of the Connect:Direct node in your environment

    6.2.1 Node name/IP address

    For configuring your Connect:Direct node you will need to add the IP-address or

    the node name of the Equens Connect:Direct node in your configuration.

    Production: IP-address: 82.195.45.60 (node: SFT)

    Test/acceptance: IP-address: 82.195.45.59 (node: SFTACC)

    6.2.2 Secure+

    When using Connect:Direct you will exchange files that may contain confidential information via Connect:Direct with Secure+. In use, Connect:Direct with Secure+ will be very similar to standard Connect:Direct, but one important difference is the fact that all confidential information will be encrypted via TLS and a strong cipher suite such as AES. The nodes will automatically carry this out for you.

    By default the following strong cipher suites are accepted by Equens unless agreed otherwise:

    RSA_WITH_AES_128_CBC_SHA

    RSA_WITH_AES_256_CBC_SHA

    RSA_WITH_3DES_EDE_CBC_SHA

    Please note: TLS v1.0 is the preferred secure protocol and SSLv3 is acceptable for

    a limited time. As of the 15th of March 2011, Equens will no longer support the

    SSLv3 protocol unless mutually agreed otherwise (this is temporarily postponed).

    6.2.3 Client certificate

    The client certificate of the customer will be checked by Equens using client

    authentication. The Common Name in the client certificate is checked against the

    Common Name registered at PinkRoccade (as given by customer during the

    certificate request procedure). You will find more information on how to request a

    certificate from Equens in chapter 7, "Requesting and installing of a certificate".

    6.3 File processing in the test/acceptance environment

    To be able to use the test/acceptance environment a separate set of agreement(s)

    need to be in place with the appropriate processing department. For more

    information on this you may contact our Technical Support department.

    On the test/acceptance environment NO production data is allowed. You should

    test using test/dummy data.

    7 Requesting and installing of a certificate

    7.1 Introduction

    In this chapter we will explain how to obtain a client certificate (also called "Digital ID") and install this in your Connect:Direct node.

    7.1.1 Procedure

    In general the procedure is as follows:

    To install the client certificate:

    - You will receive the URL and a Certificate Enrollment PIN
    - You request a client certificate from Equens via your browser
    - You pick up your certificate from Equens via your browser
    - You export the certificate out of your browser
    - You import the certificate into your Connect:Direct node
    - You install/import the Equens CA root certificate into your Connect:Direct node

    In the following paragraphs the procedure is described in further detail.

    7.1.2 Preparation

    Before you start the procedure, it is important you pay attention to the following aspects.

    Choice of applicant

    First determine which employee will request the certificate, as the certificate will

    be linked to the person who has requested it! This will be the only person who

    may extend or revoke the certificate based on the challenge phrase created by

    this person.

    When this person leaves the company, it will be necessary to revoke

    the current certificate and to request a new certificate with the original Certificate

    Enrollment PIN.

    Choice of e-mail address

    The certificate can only be retrieved with the PC that was used to request it. Make

    sure you can access your e-mail on or close to the same PC you have requested

    the certificate with.

    A production certificate is valid for two years and test certificates are valid for one

    year. A warning will be sent by e-mail when the certificate is about to expire

    (starting 30 days before expiring).

    Transfer of certificates to the Connect:Direct node

    If the Connect:Direct node will be active on a different machine than the one

    that is used to retrieve the certificate, the client

    certificate and the Equens CA root certificate need to be transferred to the

    Connect:Direct node machine.

    The encryption of the client certificate during transport must be done with a

    password only known to the person who has requested the client certificate.

    Browser choice

    The described procedure and screenshots shown in this manual are based on the

    use of Microsoft Internet Explorer. Equens does not provide support concerning

    problems that result from using other browsers than Microsoft Internet Explorer.

    Potential error messages

    There is a chance you will get the error message "Error 1B6 occurred. You may

    need to install OnSiteMSI". On the website www.pki.pinkroccade.com, 'Support',

    'Updates', 'OnSiteMSI error' you can download a file with the OnSiteMSI file and

    an installation manual.

    There is a chance you will get the error message "Error 1B6 occurred." (without

    the message about OnSiteMSI). In this case you can do the following.

    In Internet Explorer, click "Tools - Internet options - Security - Trusted sites"

    and then the button "Sites".

    Add the following websites (make sure the option "Require server verification" is

    not marked):

    *.managedpki.com

    mpki.pinkroccade.com

    mpki-test.pinkroccade.com

    Converting certificates

    Some nodes are not able to import the certificates with the standard exported

    format. In that case the certificate needs to be converted. See the "Frequently

    asked questions - Connectivity services" at www.equens.com for more

    information.

    7.1.3 Maintenance

    Securing your certificate

    It is highly recommended to safeguard the client certificate against unauthorized

    use. Make an (encrypted) backup on an external carrier and store this in a safe

    place.

    Equens is not able to re-issue any client certificate used by the systems. When the

    certificate is lost and still valid, you will need to revoke the certificate and request

    a new certificate based on the original Certificate Enrollment PIN.

    Extending your certificate on time

    A production certificate is valid for two years (a test certificate for one year).

    When a certificate is about to expire you will be warned by e-mail (starting 30

    days before the expiry date).

    If the original computer used for the certificate request procedure and the

    certificate on that computer are still available you can perform a renewal by

    yourself. Follow the instructions given in the renewal e-mail and on the website.

    If the original computer is not available anymore, you must request a new

    certificate according to the described procedure in chapter 7.2.

    7.2 Requesting a certificate

    After your Service Request Form is processed by Equens, you will receive a URL

    and a Certificate Enrollment PIN for the CA website (PKI Portal) of Equens.

    With this Certificate Enrollment PIN you can request a client certificate (also called

    Digital ID) from Equens.

    Note: As of October 16, 2006 Interpay is operating under the name Equens.

    However, the PKI environment at Pink Roccade is still active under the name

    Interpay Nederland.

    In the URL you will receive, as well as in the address bar of the browser you will

    see /InterpayNederlandBV/

    Step 1 Copy the URL and paste this in the address bar of your browser

    URL Production:

    https://mpki.pinkroccade.com/services/InterpayNederlandBV001/digitalidCenter.htm

    URL Test/Acceptance:

    https://mpki-test.pinkroccade.com/services/InterpayNederlandBV/digitalidCenter.htm

    The following screen will be displayed:

    Please note: 'Digital ID' is a synonym for 'certificate'.

    Figure 7: The opening page with the options for certificates.

    Step 2 Click the first option, 'Enroll'

    The following screen will be displayed:

    Figure 8: The form for requesting a certificate.

    Step 3 Fill in the contact- and identification data as described below:

    - The name of the applicant (only alpha-numeric characters are allowed,

    diacritical marks etc. are not allowed).

    Please note: the certificate will be linked to the person who has requested it.

    This is the only person who can extend or revoke the certificate. If the person

    who has requested the certificate leaves the company it will be necessary to

    revoke the current certificate and request a new certificate. Please keep this in

    mind when deciding in whose name the certificate is requested.

    - The e-mail address at which you will receive certificate notifications.

    The first notification you will receive at this e-mail address is a confirmation of

    your request and the second notification will contain the necessary information

    for retrieving the certificate.

    A production certificate is valid for two years (a test certificate is valid for one

    year). At this e-mail address we will warn you once the certificate is going to

    expire. Please keep this in mind when deciding which e-mail address you will

    use.

    - The access code for the CA website you have received together with the

    URL, also known as the 'Certificate Enrollment PIN'. This 'Certificate Enrollment

    PIN' needs to be stored in a safe place.

    - A 'Challenge Phrase'

    The Challenge Phrase is case sensitive and may not contain any punctuation.

    The Challenge Phrase is a sentence you will need to remember. You will need

    this sentence when extending or revoking your certificate. In case you do not

    remember the Challenge Phrase anymore and want to extend the certificate,

    you will need to request a new certificate.

    If you want to revoke your certificate and do not remember the Challenge

    Phrase, you will need to contact the Technical Support department of Equens to

    have your certificate revoked.

    Step 4 Send the form by clicking the 'Submit' button

    You will get the message below, asking you to confirm your e-mail address and

    check if the correct e-mail address is entered.

    Figure 9: It is important that you have entered your e-mail address correctly.

    Step 5 Confirm that you have entered the correct e-mail address

    If you click 'Cancel', you will get the opportunity to correct the e-mail address in

    the Enrollment form.

    If you click 'OK', the form will be processed.

    Next you will get the screen below and a security message of Microsoft Internet

    Explorer.

    Figure 10: A standard security message of Microsoft Internet Explorer.

    Step 6 Click 'Yes'

    The request is finished.

    The following screen will be displayed. It shows an e-mail has been sent with

    instructions for installing the certificate.

    Figure 11: You see a message to check your e-mail.

    When you check your e-mail, you should see the message below.

    From: certificate

    Send: woensdag 2 augustus 2006 14:13

    To: Janssen, Dhr. G.A. (Geert)

    Subject: Equens Digital ID request confirmation

    Dear G.A. Janssen,

    Thank you for requesting a Digital ID.

    Equens SE is processing your request, and will

    notify you when your Digital ID is ready.

    If you have questions about your application, please

    contact Equens SE by replying to this e-mail

    message.

    Figure 12: You receive a request confirmation by e-mail.

    The status now is as follows:

    - A Private Key is created in the browser on this computer
    - You have received an e-mail stating your request has been confirmed
    - Equens is processing your request
    - Some time later you will receive an e-mail with instructions for installing the client certificate with the pin code in that e-mail

    7.3 Retrieving the certificate

    After you have received confirmation of your certificate request, the certificate is

    ready to be retrieved.

    Step 7 Open the second e-mail message

    This message contains the information you will need to retrieve the certificate.

    From: certificate

    Send: woensdag 2 augustus 2006 14:24

    To: Janssen, Dhr. G.A. (Geert)

    Subject: Your Equens Digital ID is ready

    Dear G.A. JANSSEN,

    Equens SE has approved your Digital ID request.

    To assure that someone else cannot obtain a Digital ID that

    contains your personal information, you must retrieve your

    Digital ID from a secure web site using a unique Personal

    Identification Number (PIN).

    You can retrieve your Digital ID by following these simple

    steps:

    Step 1: Visit the Digital ID retrieval web page, at:

    https://mpki.pinkroccade.com/services/

    InterpayNederlandBV/client/mspickup.htm

    Step 2: In the form, enter your Personal Identification

    Number (PIN):

    Your PIN is: 641625923

    Step 3: Follow the instructions on the page to complete the

    installation of your Digital ID.

    If you have any questions or problems, please contact Equens

    SE by replying to this e-mail message.

    Figure 13: The e-mail with instructions and pin code.

    As indicated in the e-mail, you will need to perform the following steps:

    - Copy/paste the URL that is mentioned in the e-mail into the address bar of your browser
    - Type the pin code in the form that appears in your browser
    - Follow the instructions given in your browser

    Step 8 Copy the URL and paste this in the address bar of your browser

    You will get the following screen:

    Figure 14: The page where you retrieve your certificate.

    Step 9 Type the pin code mentioned in the e-mail and click 'Submit'

    Please pay attention! You must retrieve the certificate on the same PC that you

    have used to request the certificate because that will contain the private key

    created earlier. If you don't, you will get the following error message:

    Figure 15: Error message when you use a different PC.

    Next you will see the screen below, a message from Microsoft Internet Explorer

    indicating the client certificate is ready to be installed:

    Figure 16: A standard security message from Microsoft Internet Explorer.

    Step 10 Click 'Yes'

    Retrieval of the certificate is now complete.

    You will see the screen below. It shows the certificate has been successfully

    generated and installed on that PC.

    Figure 17: Confirmation of the certificate installation.

    7.4 Exporting the certificate

    The certificate is now imported in your browser.

    You will need to export it from here, so you can import it into the Connect:Direct

    node.

    Step 11 Call the dialogue screen for certificates

    In the browser menu choose 'Extra' and 'Options'

    The following screen will be displayed (the screens might be different compared

    to yours depending on what version Microsoft Internet Explorer you are using):

    Figure 18: Through the Options screen you go to the certificates screen.

    Click the button 'Certificates'

    The following screen is displayed:

    Figure 19: The screen where you manage the certificates in your browser.

    Step 12 Choose the correct certificate

    Click the certificate you have just installed.

    The screen below is displayed. Click 'Next' to continue.

    Figure 20: Certificate export screen.

    Step 13 Confirm you want to export the private key

    In the next screen you are asked if you want to export the private key with the

    certificate (the private key is password protected). Exporting the private key with

    the certificate is mandatory, so choose option 'Yes' and click 'Next'.

    Figure 21: Exporting the certificate private key.

    Step 14 Enter the export options

    You will need to enter several preferences.

    Tick the bottom two options under 'Personal Information Exchange':

    - 'Enable strong protection'

    With this option you choose for strong security (protection) during transport

    - 'Delete the private key if the export is successful'

    Ticking this option will delete the private key after exporting the certificate. You

    should only do this if you are sure you will not need to export the certificate

    again and the certificate is appropriately protected at all times (without private

    key the certificate cannot be renewed).

    Please note: as long as the private key is not deleted, it may be possible for

    other persons with access to your system to export the certificate and make

    use of your certificate!

    Click 'Next'.

    Figure 22: Important options related to security.

    Step 15 Enter a password

    In the next screen you will need to enter a password.

    You will need this password again when you are importing the certificate into your

    Connect:Direct node.

    Figure 23: Security through a password.

    Step 16 Save the certificate file

    Next you will need to enter where on your hard disk the certificate needs to be

    saved and under what name it is to be saved as a .PFX file (with PKCS #12

    format).

    Figure 24: Saving the certificate on the hard disk.

    Step 17 Finish the export procedure

    Next you will see an overview of the specifications you have entered with the

    possibility of making adjustments by using the 'Back' key.

    If you are satisfied, click 'Finish'.

    Figure 25: Overview of the specifications entered.

    You will get a confirmation that the export was successful. Click 'OK' to continue.

    Figure 26: The confirmation that the export was successful.

    Subsequently you can find the saved file with the certificate in the Microsoft

    Explorer.

    Figure 27: The file with the certificate in Microsoft Explorer.

    When you save the certificate (encrypted if possible) on a mobile device

    such as a USB stick, keep the device with the certificate in a secure place. Also

    delete any copies of the certificate that are not needed or are not

    stored in a secure place.

    7.5 Importing the certificate into your Connect:Direct node

    For importing the certificate in your Connect:Direct node we refer you to the

    manual of your Connect:Direct node or request support from Sterling Commerce.

    If you need to convert your certificate into a different format, please check our

    'Frequently asked questions' section on the website of Equens (www.equens.com).

    7.6 Retrieving the Equens server certificate (CA root certificate)

    By importing the CA root certificate into your Connect:Direct node the computers

    of Equens know to trust your computer.

    Now you will need to configure your computer so it will trust the Certificate

    Authority (CA) of Equens.

    Step 18 Go back to the opening page of the Digital ID Center

    Once again, type the URL you have received by postal mail into the address bar of

    your browser.

    The following screen is displayed:

    Figure 28: The opening page with the options for certificates.

    Step 19 Choose the option 'Install CA'

    A download is started immediately and the screen below is displayed. The system

    asks you if you want to open or save the file to your computer. Choose the option

    'Save'. The CA root certificate will be saved to your computer.

    Figure 29: Save the certificate to your computer.

    7.7 Importing the Equens CA certificate into your Connect:Direct node

    For importing the CA root certificate into your Connect:Direct node, we refer you

    to the manual of your Connect:Direct node or request support from Sterling

    Commerce.

    7.8 Revoking the client certificate

    The client certificate (or Digital ID) can be revoked by request of the owner of the

    certificate or by the registered contact person. The client certificate can be

    revoked in case of one of the following circumstances:

    - The client certificate is no longer in the possession of the owner
    - The file transfer contract is ended
    - The file transfer contract was stopped temporarily
    - The CA of Getronics Pink Roccade was compromised
    - The private key of the client certificate may have been compromised

    The contact person or the certificate owner should have the client certificate

    revoked immediately if there is any reason to believe that the client certificate has

    been compromised.

    Companies should also have the client certificate revoked when the certificate

    owner changes jobs or when there is no longer a need for the client certificate.

    There should be only one valid client certificate per Certificate Enrollment PIN, but

    Equens will allow time (maximum of 14 days) to have the certificate replaced in

    case of requesting a new certificate in the renewal procedure.

    If you would like Equens to revoke your client certificate, for instance when you cannot

    access the CA anymore or have forgotten the Challenge Phrase, please contact the

    Technical Support department of Equens.

    Please make sure you have the following information at hand when contacting the

    Technical Support department:

    - First and last name of the certificate owner (as these have been entered during the certificate request procedure)
    - E-mail address of the certificate owner (the e-mail address entered during the certificate request procedure)

    Revoking the client certificate yourself is possible through the Digital ID Center of

    Pink Roccade. Type the URL you have received by postal mail into the address bar

    of your browser.

    The following screen is displayed:

    Figure 30: The opening page with the options for certificates.

    Click on 'Revoke', the following screen will be displayed:

    Figure 31: The form to revoke a client certificate (Digital ID)

    Fill in either the e-mail address OR the full name (First Name and Last Name) as

    used when you requested the client certificate.

    Click on 'Search'.

    Next you will see a screen with the client certificates that were found using the

    filled in data. Select the correct client certificate and click on 'Revoke'.

    The following screen will be displayed asking you to type the Challenge Phrase and

    give the reason for revoking.

    Figure 32: Enter Challenge Phrase to revoke the client certificate

    After filling in the Challenge Phrase and selecting the reason for Revoking, click on

    'Submit'. If you have entered the correct Challenge Phrase the client certificate is

    revoked and the following screen is displayed.

    Figure 33: Message indicating the client certificate was successfully revoked

    Please inform the Technical Support department of Equens that you have revoked

    your client certificate.

    If you encounter any problems during the revocation process, you can have

    Equens revoke your client certificate. Please contact the Technical Support

    department for this.

    7.9 Retrieving the Certification Revocation List

    Some nodes can import a 'Certification Revocation List' (CRL) to check if a

    certificate is still valid (and not revoked). This file contains a list of all revoked

    certificates and is refreshed at regular intervals. This list can be downloaded at:

    http://pki.pinkroccade.com/crl/InterpayNederlandBV001/LatestCRL.crl

    7.10 Renewal client certificate

    Production certificates are valid for two years and test/acceptance certificates are

    valid for one year. About 30 days before the expiry date the requestor of the client

    certificate will receive an e-mail stating the client certificate will expire and can be

    renewed using the mentioned URL and pin code.

    Below is an example of this e-mail.

    Dear ,

    Our record indicates that your Digital ID will expire on xx-xx-xxxx. If

    you have already renewed your Digital ID, please ignore this notice.

    Otherwise please call Customer Services Equens Nederland

    __________________

    Exception:

    You can also apply for automatic renewal of your Digital ID, but only

    under the following conditions:

    1. You must have the original Digital ID on the computer connecting the

    MPKI site.

    2. The location of the ID must be in the right place on the computer

    connecting the MPKI site.

    If you meet this criteria, please visit:

    to renew your Digital ID.

    Note to Netscape users: To complete the renewal process, you may need the

    Challenge Phrase you used to enroll for your original Digital ID, and the

    following Renewal ID Number:

    Your Renewal ID number is : xxxxxx

    If you have any questions or problems, please contact Equens SE by replying

    to this e-mail message.

    Figure 34: The renewal e-mail

    If you meet the mentioned criteria (the renewal can only be done from the

    computer you have used when requesting the original certificate) you can perform

    the renewal of the client certificate yourself. After renewal you must export the

    renewed client certificate to your Connect:Direct node.

    If you do not meet the mentioned criteria or a problem occurred during the

    renewal process (and your client certificate is not renewed), you must contact the

    Technical Support department of Equens for further assistance (you might need to

    request a new certificate instead of performing a renewal).

    Please note: the renewal procedure can only be started after you have received

    the renewal e-mail with the renewal pin code.
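
    The Common Name check from 6.2.3 and the 30-day expiry warning from 7.1.3 and 7.10 can be run locally against the exported .PFX file before it is imported into the Connect:Direct node. The script below is an added example, not part of the Equens manual; it assumes OpenSSL is installed, and the function names, the PFX_PASSWORD variable and the demo Common Name are hypothetical.

```shell
#!/bin/sh
# Added example: pre-import checks on an exported client certificate (.PFX).
# Function names, PFX_PASSWORD and the demo CN are assumptions for illustration.

# Extract only the client certificate from a PKCS #12 file; the private key
# stays inside the password-protected .PFX. The export password is read from
# the PFX_PASSWORD environment variable so it is not typed on the command line.
# Note: OpenSSL 3.x may need the extra option -legacy for .PFX files that were
# written with older algorithms.
pfx_extract_cert() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASSWORD \
        -clcerts -nokeys -out "$2" >/dev/null 2>&1
}

# Print the Common Name from the certificate subject.
cert_common_name() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# True (exit 0) when the certificate expires within $2 days or cannot be read.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# precheck_pfx FILE.pfx REGISTERED_CN [WARN_DAYS]
# Exit codes: 0 ok, 1 Common Name mismatch, 2 expiring soon, 3 unreadable file.
precheck_pfx() {
    pfx_file=$1; registered_cn=$2; warn_days=${3:-30}
    work=$(mktemp -d) || return 3
    result=0
    if ! pfx_extract_cert "$pfx_file" "$work/client-cert.pem"; then
        echo "FAIL: cannot read $pfx_file (wrong password or unsupported format)"
        result=3
    else
        found_cn=$(cert_common_name "$work/client-cert.pem")
        if [ "$found_cn" != "$registered_cn" ]; then
            echo "FAIL: Common Name '$found_cn' differs from registered '$registered_cn'"
            result=1
        elif cert_expires_within "$work/client-cert.pem" "$warn_days"; then
            echo "WARN: certificate expires within $warn_days days, start the renewal"
            result=2
        else
            echo "OK: CN=$found_cn, valid for more than $warn_days days"
        fi
    fi
    rm -rf "$work"      # remove the extracted copy again
    return "$result"
}

# Build a throwaway self-signed certificate and .PFX (constructed test input,
# not an Equens-issued certificate). Arguments: directory, CN, validity in days.
make_demo_pfx() {
    demo_dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -keyout "$demo_dir/key.pem" -out "$demo_dir/cert.pem" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey "$demo_dir/key.pem" -in "$demo_dir/cert.pem" \
        -passout env:PFX_PASSWORD -out "$demo_dir/client.pfx" >/dev/null 2>&1
}

# Run "sh precheck.sh demo" to see the check on constructed input.
if [ "${1:-}" = demo ]; then
    PFX_PASSWORD='constructed-demo-password'; export PFX_PASSWORD
    demo=$(mktemp -d)
    make_demo_pfx "$demo" "DEMO-CLIENT-CN" 20
    precheck_pfx "$demo/client.pfx" "DEMO-CLIENT-CN" 30
    rm -rf "$demo"
fi
```

    Because only the certificate is extracted, the private key never leaves the password-protected .PFX during the check.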

    8 Testing your connection

    8.1 Introduction

    It is advisable to first check whether the connection is functioning correctly and

    whether the files are being sent on in the required manner. You can test this

    easily by sending a file to yourself. This connection test and file transfer test can

    simply be carried out in the Equens production environment.

    If you also wish to carry out processing tests, you must carry these out in the

    test/acceptance environment(!). These processing tests must be scheduled at

    least one week in advance in consultation with the Technical Support department

    and the relevant business unit.

    8.2 Difference between the three test types

    Tests can be carried out at three levels:

    - Level A: connection test
    - Level B: file transfer tests
    - Level C: processing tests (application level).

    The level A and B tests relate specifically to the Connect:Direct connection.

    The level C tests are not related to the connection type.

    The following figure shows the levels at which the tests should be carried out.

    Figure 35: Testing for Connect:Direct will take place at three levels

    Testing can only commence if the following conditions have been met:

    - All relevant data must have been entered in the various Equens databases
    - You must have installed a Connect:Direct node
    - You must have installed both the client and CA root certificate

    Prepare a test file and change its name according to the naming convention.

    - For enter the same as for

    - Enter the SELFTEST value for

    Example filename for Connect:Direct:

    /mailbox/R0001234.R0001234.SELFTEST.TEST1234.TXT

    Please refer to section 4.2, "Connect:Direct file name convention" for the file name

    structure.

    Set up a connection to the Connect:Direct node of Equens (node: SFT or SFTACC)

    Send the file to yourself

    See section 9, "File sending"

    The file will be fully processed at Equens. This means the file will be routed to

    the , in this case yourself. The file will be pushed to your

    Connect:Direct node.

    Check if the file is delivered at your Connect:Direct node.

    Once the file is at your Connect:Direct node the test is successfully completed.

    8.5 Processing tests

    8.5.1 Processing test features and conditions

    | Feature | Description |
    |---|---|
    | Subject | The content and layout of the files. |
    | Objective | Checking whether file transfers and data processing (for Equens-specific business) between Equens and the customer via Connect:Direct are successful. |
    | Conditions | If you use separate test machines you must request the following: a test connection on Connect:Direct; test certificates (client and CA). These tests must be scheduled at least one week in advance in consultation with the following: the Technical Support department of Equens; the Equens business unit carrying out the processing. |
    | Importance | Not mandatory. |
    | Environment | Test/acceptance environment (node: SFTACC). On the test/acceptance environment NO production data is allowed. You should test using test/dummy data. Processing tests in the production environment are not permitted. |

    Table 4: Features of the Connect:Direct processing test

    8.5.2 Requesting the processing tests

    Processing tests will be carried out on the Equens test/acceptance environment.

    If you wish to carry out processing tests (i.e. at application level), you must

    schedule these tests at least one week in advance in consultation with the

    Technical Support department.

    In the event of a non-standard connection or connection to systems other than

    the giral Clearing and Settlement System, the connection coordinator will draw up

    the test procedure in consultation with the owner of the processing system. These

    connection processes are always carried out on a project basis.

    9 File sending

    9.1 Introduction

    You can send files to Equens using commands in your Connect:Direct node. When

    sending files you will need to initiate the transfer.

    You can also send compressed (zipped) data files. Please refer to chapter 11,

    "Using compressed files" for additional information.

    Please note: The maximum file size for Connect:Direct is 2 GB (uncompressed).

    9.2 Automatic file sending

    Most Connect:Direct nodes have the possibility to send files automatically. The

    node can be configured so that it will check a directory on the local system for

    waiting files. If this is the case, the files will be sent to Equens without any further

    action being required from the user. If the files are sent successfully the node can

    remove the files.

    You can use a "File agent" for this, but you are responsible for further automation;
    Equens does not provide support for this.

    9.3 Binary file sending

    Some file types, such as files with the extension .ZIP, .DAT, .PDF or .BIN must be
    sent binary.

    For more information on sending files binary with Connect:Direct, please consult
    the Connect:Direct documentation of Sterling Commerce.

    If you send a binary file as a non-binary file, it may arrive corrupted at the

    destination.


    10 File delivery

    10.1 Introduction

    Files addressed to you are "pushed" to you by Connect:Direct; you do not need to
    take the initiative to retrieve the files. The output files will be put on your
    Connect:Direct node. If the files need to be placed in a specific directory on your
    node, please indicate this on the Service Request Form when requesting the
    Connect:Direct connection.

    After pushing the files they will be automatically moved to the subdirectory
    'ARCHIVE' in your mailbox. Already pushed files can be downloaded from the
    'ARCHIVE' directory for 35 days (if you have access to this directory), after which
    they will be deleted.

    If you don't have access to the 'ARCHIVE' directory and would like to receive a file

    that has already been supplied to you, you will need to contact our Technical

    Support department.

    Files from the Equens Clearing and Settlement system will remain available within

    that system for 30 days for possible reissuing (in case you cannot access your

    ARCHIVE folder). When this period has elapsed, the files will be deleted and

    cannot be resupplied electronically.

    Please note: Data with the highest security classification and risk will be archived
    and stored for the minimum period technically possible, so less than 35 days, and
    might not be backed up during their presence in Secure File Transfer.

    This includes all files that contain sensitive authentication data such as data used

    to manufacture new credit cards and payment cards.

    Although Connect:Direct can be used to transport sensitive authentication data, it

    is not allowed to store this data in the 'ARCHIVE' folder.


    11 Using compressed files

    11.1 Introduction

    Files can be compressed (zipped) in order to reduce their size and therefore also
    the amount of time it takes for them to be transmitted. If the bandwidth is
    sufficient, compression will not be necessary and is consequently advised against.

    11.1.1 Compression programme conditions

    - Your compression programme must be compatible with PKZIP version 2.04g
    - Acquisition and use of compression software will be your own responsibility
    - Please refer to your compression programme manual for information regarding file compression and decompression

    Please note: The maximum file size of a ZIP file is 4 GB, however the maximum

    file size for file transfer through Connect:Direct is 2 GB.

    11.1.2 Binary file transmission

    You must use binary transmission in order to both send and receive compressed
    files; please see section 9.3, "Binary file sending".

    11.2 Sending and receiving compressed files

    11.2.1 Conditions

    - You will be able to send both compressed and uncompressed files. There is no need to specify this on the Service Request Form
    - Compressed files must be indicated with the 'ZIP'
    - In case you would like to receive compressed files you must specify this on the Service Request Form
    - The compressed file that you wish to send must contain not more than one data file. The compressed file will be unzipped by Equens before it is routed to the and can be zipped again by Equens, depending on the configuration of the
    - Although the file name in the archive need not comply with the naming convention, this is advisable.
      This is also easy, given the majority of compression programmes use the name of the file being compressed for the archive name. For example: If you were to compress the file R0001234.SFT.CLIEOP.A1234567.TXT, the compressed file will be named R0001234.SFT.CLIEOP.A1234567.ZIP
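A pre-send check for the conditions in sections 11.1.1 and 11.2.1, as an added example that is not part of the Equens manual. The function name, the reading of "2 GB" as 2 GiB, and the reading of "compatible with PKZIP version 2.04g" as Stored/Deflate members needing ZIP version 2.0 or lower are assumptions made for this sketch.

```python
import os
import zipfile

MAX_BYTES = 2 * 1024**3  # assumption: the manual's "2 GB" read as 2 GiB
# Assumption: "compatible with PKZIP version 2.04g" is read as Stored or
# Deflate members with a "version needed to extract" of 2.0 or lower.
ALLOWED_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED}


def check_archive(path):
    """Return a list of findings; an empty list means the archive passes."""
    findings = []
    stem, ext = os.path.splitext(os.path.basename(path))
    if ext.upper() != ".ZIP":
        findings.append("archive name does not end in .ZIP")
    if os.path.getsize(path) > MAX_BYTES:
        findings.append("archive is larger than the 2 GB transfer limit")
    try:
        with zipfile.ZipFile(path) as zf:
            # Directory entries are not data files, so they are not counted.
            members = [m for m in zf.infolist() if not m.is_dir()]
    except (zipfile.BadZipFile, NotImplementedError):
        return findings + ["not a ZIP archive this reader can parse"]
    if len(members) != 1:
        findings.append(f"archive holds {len(members)} data files, expected 1")
    for m in members:
        # ZIP64, bzip2, LZMA and similar raise the needed version above 2.0.
        if m.compress_type not in ALLOWED_METHODS or m.extract_version > 20:
            findings.append(f"{m.filename}: not PKZIP 2.04g compatible")
        if m.file_size > MAX_BYTES:
            findings.append(f"{m.filename}: larger than 2 GB uncompressed")
        # The manual only advises matching names, so this is not a hard failure.
        inner = os.path.splitext(os.path.basename(m.filename))[0]
        if inner != stem:
            findings.append(f"{m.filename}: advisory, name differs from archive")
    return findings
```

Run it against each archive in the outbound directory before the transfer is submitted; the transfer itself must still be sent in binary mode (section 9.3).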

    11.3 Receiving compressed files

    11.3.1 Conditions

    - If you wish to receive compressed output from Equens, please specify this on the Service Request form.


    11.3.2 Features

    If you have stated you wish to receive compressed files, the following will apply:
    - All files you receive from Equens are compressed; it is not possible to compress specific file types
    - The names of both the ZIP archive and the archived file will comply with the file name convention.
      For example: the archive MFC.R0001234.VERWINFA.A1234567.ZIP would contain the file MFC.R0001234.VERWINFA.A1234567.TXT


    12 Support processes: questions and changes

    12.1 Connect:Direct availability

    Connect:Direct will be available from 4:00 p.m. on Sunday to 7:00 a.m. on
    Saturday. 98% availability will be guaranteed during these times.

    12.2 Technical Support department contact information

    Support for File Transfer products will be provided by the Technical Support
    department of Equens.

    The support will encompass the following:
    - Answering questions by telephone
    - Dealing with incidents
    - Monitoring the file exchange and any underlying network connections

    Please note: The support that Technical Support will provide is intended for
    situations involving a standard connection to Connect:Direct.

    In the event of deviation, Technical Support will not provide any support for

    matters relating to the client's domain.

    Technical Support is available from Monday to Friday, with the exception of bank

    holidays.

    Opening times: 8:00am - 6:00pm

    Telephone: 0900 - 0660, option 3 (for customers in The Netherlands, local tariff)

    Telephone: +31 (0)30 - 283 68 60, option 3 (for customers outside The Netherlands)

    Fax: +31 (0)30 - 283 51 33

    E-mail: [email protected]

    Please note: Please submit any questions by telephone, not by e-mail (unless
    otherwise instructed).

    12.3 Information on the Equens website

    On www.equens.com you will find the following information regarding Secure File
    Transfer and the various connection types:
    - Brochures
    - Manuals
    - Forms
    - FAQs

    12.4 Changing connection specifications

    You can use the 'Service Request Form Connect:Direct' to do the following:

    Register and deregister:
    - The contact person


    Change contact details:
    - Organisational information
    - Telephone number and/or e-mail address of the contact person

    Change service specifications:
    - Whether you want to connect via the internet or via a Leased Line
    - Whether you want to receive compressed files
    - At which e-mail address you would like to receive error messages (e-mail messages that inform you of a file that could not be processed, e.g. by using an incorrect file name).

    You must fill in and send a separate copy of the form for each request and/or

    change! This form can be requested from Technical Support or downloaded from

    our website: www.equens.com (Support - Connectivity)

    This Service Request Form only concerns the transport of files/data. For the

    processing of the data files you are sending/receiving, you will need to make

    agreements with the appropriate (processing) department of Equens.

    12.5 Changing connection type

    If you wish to deliver data using a connection type other than Connect:Direct,

    please contact the Technical Support department.

    12.6 Terminating the connection

    The Connect:Direct agreement must be terminated in writing; you can use the
    Service Request Form to request a termination of the Connect:Direct agreement.

    When terminating the connection you must ensure that all streams you use with
    Connect:Direct are migrated in a timely fashion. This means that the relevant
    processing agreements must be amended.

    12.7 Changing and terminating processing agreements

    You must arrange changes or termination of your processing agreements with

    your bank and the Equens business unit that carries out the processing activities,

    in accordance with the relevant procedures.


    Annex 1 The relationship between the Connect:Direct naming convention and the 'old' I-Connect interface description

    1.1 Relationship with 'old' I-Connect

    According to the 'old' interface description, a token file is sent in addition to a data

    file. This token file is used to provide data regarding the routing of the data file.

    The token file will not be included in the new Connect:Direct standard.

    The following fields relate to the 'old' I-Connect interface descriptions as follows:

    Field Relationship with 'old' I-Connect

    More or less corresponds with the 'Naam inzender' (Name of

    sender) field from the token file (versions 04 and 05). However,

    the field is shorter (8 positions) than 'Naam inzender'

    (20 positions), which in many cases ensures a difference.

    Token file versions 01 and 02 contain a 'Relatienummer

    inzender' (Sender account number) field. However, its content

    is not comparable.

    More or less corresponds with the 'Naam bestemming' (Name of

    location) field from the token file (versions 04 and 05).

    However, the field is shorter (8 positions) than

    'Naam bestemming' (20 positions), which in many cases ensures a difference.

    Furthermore, please remember that you must enter spaces in

    the token file for the destination of traffic to Equens. However,

    in the new interface, 'SFT' must be entered as the destination.

    Token file versions 01 and 02 contain a 'Relatienummer

    bestemming' (Location account number) field. However, its

    content is not comparable.

    This field will replace the three 'Informatiegroep' (Information

    group), 'Informatiesoort' ('Information type') and

    'Bestandsindeling' (File format) fields from the token file.

    This field corresponds with the 'File-ID' from the file name.

    Only two extensions are permitted in the 'old' I-Connect: FTP

    and ZIP. This limitation will not apply in Connect:Direct.

    Table 5: Relationship with 'old' I-Connect