
FEBRUARY 2018

J.P. Morgan Host-to-Host Connectivity
User Guide
Version 7.3
Disclaimer
This material was prepared exclusively for the benefit and internal use of the JPMorgan client to
whom it is directly addressed (including such client’s subsidiaries, the “Company”) in order to
assist the Company in evaluating a possible transaction(s) and does not carry any right of
disclosure to any other party. This material is incomplete without reference to the other briefings
provided by JPMorgan. Neither this material nor any of its contents may be disclosed or used for
any other purpose without the prior written consent of JPMorgan.

J.P. Morgan, JPMorgan, JPMorgan Chase and Chase are marketing names for certain
businesses of JPMorgan Chase & Co. and its subsidiaries worldwide (collectively, “JPMC”).
Products or services may be marketed and/or provided by commercial banks such as JPMorgan
Chase Bank, N.A., securities or other non-banking affiliates or other JPMC entities. JPMC
contact persons may be employees or officers of any of the foregoing entities and the terms “J.P.
Morgan”, “JPMorgan”, “JPMorgan Chase” and “Chase” if and as used herein include as
applicable all such employees or officers and/or entities irrespective of marketing name(s) used.
Nothing in this material is a solicitation by JPMC of any product or service which would be
unlawful under applicable laws or regulations.

Investments or strategies discussed herein may not be suitable for all investors. This material is
not intended to provide, and should not be relied on for, accounting, legal or tax advice or
investment recommendations. Please consult your own tax, legal, accounting or investment
advisor concerning such matters.
Not all products and services are available in all geographic areas. Eligibility for particular
products and services is subject to final determination by JPMC and or its affiliates/subsidiaries.
This material does not constitute a commitment by any JPMC entity to extend or arrange credit
or to provide any other products or services and JPMorgan reserves the right to withdraw at any
time. All services are subject to applicable laws, regulations, and applicable approvals and
notifications.

Notwithstanding anything to the contrary, the statements in this material are not intended to be
legally binding. Any products, services, terms or other matters described herein (other than in
respect of confidentiality) are subject to the terms of separate legally binding documentation
and/or are subject to change without notice.

JPMorgan Chase Bank, N.A. Member FDIC. Deposits with JPMorgan Chase Bank, N.A.,
Toronto Branch, are not insured by the Canada Deposit Insurance Corporation.
© 2018 JPMorgan Chase & Co. All Rights Reserved.

All trademarks, trade names and service marks appearing herein are the property of their
respective owners.
Table of contents

1. Introduction
2. J.P. Morgan Host-to-Host Best Practices
3. Connectivity
4. Security
   Transport Security
   Payload Security
5. Transport
   SSL (HTTPS)
   AS2
   FTPS
   SFTP
   Example using Putty
   Connectivity using WinSCP
   Connectivity using Solaris
6. Payload (File Encryption/Signing)
   PGP
   File Encryption/Signing
   X.509 (SSL)
   Base64 Encoding a file
7. Partner Key Management
   Partner Key Management Overview
   Partner Key Management Sample Email
   Rapid Renewal Process
8. Firewalls
   Requirements for Internet Source Address Filtering
   Alternative Solution
   Registered IP Address Netblock details
9. J.P. Morgan Inbound URL/IP addresses and Ports
10. Common Errors
11. SSL Certificate Issues
12. SSL Certificate Enhanced Key Usage

1. Introduction
The primary objective of this guide is to provide our clients with a basic understanding of the
offerings of J.P. Morgan Host-to-Host, and to provide assistance with the set up process and
requirements for each communications protocol. It will cover aspects of security, both at the
transport and payload levels, including topics on SSL certificates, SSH keys, PGP keys, and the
J.P. Morgan Partner Key Management (PKM) process for submission of production certificates
and keys. The document cannot cover every situation, but should provide the user sufficient
information to simplify the setup experience.

Important Note: Throughout this document, J.P. Morgan discusses the use of various third
party software for informational purposes only. J.P. Morgan does not recommend or endorse any
third party software and makes no representation, explicit or implied, as to the functionality,
quality or suitability of any third party software referenced herein. Before downloading, installing
or using any third party software, your organization must make an independent assessment of
the suitability of such software.

J.P. Morgan’s Implementation Analysts and Production Support teams cannot support
third party software. For this reason, we strongly suggest that you enter into a service
agreement with any vendor from which you purchase 3rd party software.

Please refer to instructions from the provider of such third party software prior to use. The use
and functionality of third party software is not controlled by J.P. Morgan and is subject to change
without notice. You should not rely on the information provided herein regarding third party
software for anything beyond its presentation as an illustrative example.

2. J.P. Morgan Host-to-Host Best Practices
J.P. Morgan is committed to sharing information about best practices that are commonly used to
help keep file transmissions reliable and secure. Please review the information below and apply
these practices to the extent possible to improve your experience with J.P. Morgan Host-to-Host.
For the latest information about these best practices and security standards, please visit
www.jpmorgan.com/visit/h2h.

Installation & Setup

Client Environments
J.P. Morgan strongly recommends that you keep your environments and applications up to date with respect to security patches and currently supported software versions.

We will, without notice, routinely update the Host-to-Host environments to ensure that proper versioning and applicable security patching is up to date.

Failure to maintain your applications at current release versions may result in connectivity errors.

Bank Environments
Host-to-Host has two independent environments: Client Acceptance Testing (CAT) and Production.

Clients are required to use separate security credentials in each of the environments.

Please note that production data should never be transmitted to the J.P. Morgan CAT environment, nor should test data ever be sent to the J.P. Morgan production environment, except as specified by special setups that are designed for production verification testing.

Host Addressing
All connectivity to Host-to-Host servers must be addressed to the URL that you have been assigned.

It is J.P. Morgan’s policy to utilize multiple data centers for connectivity as part of our resiliency strategy. This strategy requires that we periodically switch data centers as a normal course of business. Because this will be routinely done without notice, clients must not use direct IP addressing or cache Host-to-Host IP addresses for an extended period of time.

Clients who insist upon the use of hard-coded IP addressing must assume the responsibility for service interruptions that may result when planned or unplanned events result in IP address changes on the J.P. Morgan infrastructure. J.P. Morgan is unable to change its resiliency-related business practices, and is unable to make special accommodations for the use of hard-coded IP addressing.

Firewall Configuration
J.P. Morgan is a large organization with a highly distributed, globally load-balanced proxy infrastructure. We own two Class B /16 blocks of IP address space that have been specifically reserved for services hosted globally within our own public DMZ infrastructures. Since we are a known business partner accessing services over the Internet and we only source transmissions from hosts under our management, clients should be able to trust this address space. Firewalls should be configured to allow traffic across the two J.P. Morgan Class B IP ranges:

    159.53.0.0 - 159.53.255.255     (159.53.0.0/16)
    170.148.0.0 - 170.148.255.255   (170.148.0.0/16)

Client Software
At the time of this publication, client software applications that are known to connect successfully to Host-to-Host are shown below. Note that this list may change over time, and that it is best practice to use only supported current versions of third party applications. The use and functionality of third party software is not controlled by J.P. Morgan and is subject to change without notice. J.P. Morgan does not recommend or endorse any of the third party software and makes no representation, explicit or implied, as to the functionality, quality, or suitability of any third party software referenced below.

Protocol   Clients/Software
SFTP       Axway Secure Client 5.8, 6.0, 6.1
           Curl 7.22
           FileZilla Client 3.10.x
           PSCP 0.64
           PSFTP 0.64
           VanDyke SecureFX 7.3
           WinSCP 5.7.1
           OpenSSH 6.6
FTPS       Axway Secure Client 5.8, 6.0, 6.1
           Curl 7.22
           FileZilla Client 3.10.x
           CuteFTP Professional 9.x
           Ipswitch WS_FTP 12.x
           Igloo FTP PRO 3.9
           LFTP 4.6.1
           SmartFTP Client 3.0-6.0
AS2        Drummond Certified AS2 clients

Daily Operations

Communications
It is important to ensure that your J.P. Morgan Service Representative has the latest Host-to-Host contact information for your company, including any group email addresses that are used for daily operations and production support.

Maintenance Windows
J.P. Morgan has regularly scheduled maintenance windows for the Host-to-Host environments:

• Production: Saturday 8pm ET – Sunday 5am ET
• Client Acceptance Test (CAT): Tuesday 5pm – 10pm ET and Thursday 5pm – 10pm ET

We will conduct routine updates and patching during these times, and it may be necessary, on occasion, to make Host-to-Host unavailable to clients. To minimize disruption, it is strongly recommended that clients avoid scheduled transmissions during these maintenance windows.

If you experience connectivity issues during one of these windows, please retry after the window has expired.

Operations
Please consider the following best practices when setting up your file transmission operation to help reduce transmission failures:

• Use DNS addressing with short-lived address caching.
• Make sure that your system is using current security credentials – both yours and ours.
• Ensure that your system provides confirmation of both success and failure conditions.
• On a connectivity failure, automatically retry the connection. After three successive failures, publish an alert to your operations team. If assistance is required, contact J.P. Morgan.
• Track failures over time, such that you may identify an intermittent problem.
• Refresh your DNS / IP addressing cache whenever a connectivity failure occurs.
• Make sure that transaction acknowledgements and confirmations that are generated and sent to you by J.P. Morgan are distributed to your business users.
• Make sure that there is a current email address on file at J.P. Morgan so that you receive notifications from us. J.P. Morgan will send automated email notifications on certain failure conditions.

If a failure occurs after successful delivery of a file to us, do not resubmit the file without consulting the J.P. Morgan support team.
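The retry, alerting and failure-tracking guidance above, as an added example script that is not part of the guide: a wrapper that runs any transfer command, retries it, writes one log line per attempt so intermittent problems can be reviewed later, and raises an alert after three successive failures. The transfer command itself (an sftp, lftp or curl invocation) is whatever you pass in; the alert hook, the log file paths and the address-cache refresh hook are placeholders for your own tooling, and the stand-in transfer used by the demonstration is a constructed simulation that fails a fixed number of times.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): retry wrapper implementing the
# Operations guidance. Assumptions: the command passed in is the real
# transfer; h2h_alert, h2h_refresh_address_cache and the log paths are
# placeholders; h2h_fake_transfer is a constructed stand-in for testing.
set -u

H2H_MAX_ATTEMPTS=${H2H_MAX_ATTEMPTS:-3}
H2H_RETRY_DELAY=${H2H_RETRY_DELAY:-30}          # seconds between attempts
H2H_LOG=${H2H_LOG:-./h2h-transfers.log}
H2H_ALERT_LOG=${H2H_ALERT_LOG:-./h2h-alerts.log}

h2h_now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# One line per attempt, success or failure, so failure rates can be reviewed.
h2h_log() { printf '%s %s\n' "$(h2h_now)" "$*" >> "$H2H_LOG"; }

# Placeholder alert hook: swap in your pager, ticketing or e-mail call.
h2h_alert() { printf '%s ALERT %s\n' "$(h2h_now)" "$*" >> "$H2H_ALERT_LOG"; }

# Placeholder for refreshing your DNS/IP cache before the next attempt
# (site specific, e.g. flushing a local caching resolver); a no-op here.
h2h_refresh_address_cache() { :; }

# Usage: h2h_transfer_with_retry <label> <command> [args...]
# Returns 0 on the first successful attempt, otherwise the last exit status.
h2h_transfer_with_retry() {
    local label=$1 attempt=1 rc
    shift
    while :; do
        "$@"
        rc=$?
        if [ "$rc" -eq 0 ]; then
            h2h_log "OK $label attempt=$attempt"
            return 0
        fi
        h2h_log "FAIL $label attempt=$attempt rc=$rc"
        if [ "$attempt" -ge "$H2H_MAX_ATTEMPTS" ]; then
            h2h_alert "$label failed $attempt times in succession (last rc=$rc); contact J.P. Morgan if the problem persists"
            return "$rc"
        fi
        attempt=$((attempt + 1))
        h2h_refresh_address_cache
        sleep "$H2H_RETRY_DELAY"
    done
}

# Constructed stand-in for a real transfer command: it fails until it has
# been called <succeed_on> times (counting in a file), so the retry path can
# be exercised offline.
h2h_fake_transfer() {
    local counter=$1 succeed_on=$2 n
    n=$(( $(cat "$counter" 2>/dev/null || echo 0) + 1 ))
    echo "$n" > "$counter"
    [ "$n" -ge "$succeed_on" ]
}

main() {
    local dir
    dir=$(mktemp -d)
    H2H_RETRY_DELAY=1   # keep the demo short; real runs should wait longer
    h2h_transfer_with_retry "demo-recovers" h2h_fake_transfer "$dir/count1" 3 \
        && echo "recovered on attempt $(cat "$dir/count1")"
    h2h_transfer_with_retry "demo-gives-up" h2h_fake_transfer "$dir/count2" 99 \
        || echo "gave up after $(cat "$dir/count2") attempts; alert written to $H2H_ALERT_LOG"
}

main "$@"
```

The wrapper deliberately does not resubmit a file whose transfer returned success, in line with the recovery guidance: only attempts that failed at the connection level are retried, and a failure after a confirmed delivery is left for the support team to resolve.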

Volume Considerations
If you have any of the following requirements, please discuss with the J.P. Morgan technical team prior to implementation:

• You must send more than 1000 files in a single day
• You must send many files in a very short period of time
• You must send or receive very large files (> 100MB)

Rapid Fire
If you are sending a large number of files in a short period of time, this may trigger a denial of service attack alert at J.P. Morgan. To protect its clients, J.P. Morgan may take action to terminate a connection and disable an account when such alerts occur.

You should note that Host-to-Host often acts only in the capacity of sending your files to target systems, and that there may be limitations to the speed by which those systems may receive and process files. Because of this, there are times when it may be necessary to adjust the timing of your file delivery process. Please discuss all high volume considerations with the J.P. Morgan technical team prior to implementation.

Failure / Recovery
If you are not sure whether we received your file, or if a failure occurs after successful delivery of a file to us, do not resubmit the file without consulting the J.P. Morgan support team. Resubmission may result in a duplicate file.

Know that certain files cannot be recovered, and must be re-sent. This includes, although not exclusively, any file with improper naming, and any file for which the digital signature could not be confirmed.

Viruses
If J.P. Morgan detects a virus within a received file, the file will be quarantined, and will not be processed. We will invoke our standard process to notify you and instruct you to send a clean file.

Repeated occurrences of virus detection may result in the locking of your Host-to-Host account.

Security Certificates & Keys

Key Requirements
J.P. Morgan requires that all certificates and keys have a finite validity period of two years or less.

In addition, they must meet the following cryptographic standards:

Key Type   Requirements
SSH        RSA; asymmetric key length 2048 bits or more (expiration will be set at 2 years when installed)
SSL        SHA-2 signature digest (SHA-256 at minimum); AES-256 symmetric cipher; RSA asymmetric key length 2048 bits or more
PGP        RSA; asymmetric key length 2048 bits or more

Key Renewal
Partner Key Management is the process of exchanging security credentials (keys and certificates) with J.P. Morgan Host-to-Host. On initial setup, keys are exchanged via email as outlined in the Host-to-Host Connectivity Guide. For key renewals, eligible clients must use the Rapid Renewal process to transmit new keys:

• Send the transport and payload (signature) keys in the appropriate formats to your Inbound/Encrypted folder, using the following naming convention:
  o <Partner ID>.TRANSPORT.IN.DAT for a new transport (SSH or SSL) key
  o <Partner ID>.PAYLOAD.IN.DAT for a new payload (PGP or X.509) key
• Send an activation file in XML format, <Partner ID>.ACTIVATE.IN, to activate your renewed SSL or PGP/X.509 key.
• All files must be digitally signed with your CURRENT signature key, as with any files that you are sending to J.P. Morgan.

Notifications

Communications
• It is important to ensure that your J.P. Morgan Service Representative has the latest contact information for your company, including any group email addresses that are needed for production support.
• Key Expirations – As a courtesy, J.P. Morgan will send notices of impending expiry to client contacts on file with Host-to-Host. (A group address is recommended for this.) It is, however, still the client’s responsibility to maintain their security keys and certificates and renew them on a timely basis.
• Maintenance/Upgrades – J.P. Morgan has a process by which we communicate major changes and upgrades, whenever such changes may require action by clients who use Host-to-Host. Routine maintenance and security patching, however, may not be communicated.

3. Connectivity
To successfully connect and transmit files to Host-to-Host, a couple of steps need to be completed first, and these depend upon the solution you have chosen to implement.

HTTPS/PGP
Key Exchange: You need to provide us with your public SSL certificate and public PGP key; we will provide you with our public PGP key.
Software Configuration: You will need to configure your connectivity application to use the SSL certificate and PGP key.

AS2
Key Exchange: You need to provide us with your public SSL certificate; we will provide you with our public SSL certificate.
Software Configuration: You will need to configure your AS2 client software per the settings in our Trading Network Profile.

SFTP
Key Exchange: You need to provide us with your public SSH key and your public PGP key for payload security (signing and, optionally, encryption).
Software Configuration: You will need to obtain and configure your SFTP client software.

FTPS
Key Exchange: You will need to provide us with your public SSL certificate and either a PGP or X.509 key for payload security. FTPS Push from J.P. Morgan servers is not supported.
Software Configuration: You will need to obtain and configure your FTPS client software.

SFTP Push to client
Key Exchange: You need to provide us with your public PGP key; we will provide you with our public PGP key and our public SSH key.
Software Configuration: You will need an SFTP server to accept our requests. We will authenticate to it with our SSH key.

If you have chosen an SSL-based protocol, please be advised that our servers will only accept connections from remote hosts that negotiate TLS 1.2. You must ensure that your client application has support for TLS 1.2. In addition, all SSL certificates must minimally use SHA-256 hashing algorithms.

4. Security
Security is divided into two areas: Transport and Payload. J.P. Morgan utilizes SSL and SSH for transport security, and PGP and X.509 for payload security.

J.P. Morgan requires the ‘Transport’ communication session to be ‘encrypted’ by a secure protocol, as outlined in this document. J.P. Morgan only requires that inbound (client to bank) files have a ‘digital signature’ for ‘Payload’ security, and does not require payload security for outbound (bank to client) files. Outbound payload security will only be used if it is requested by the client.

J.P. Morgan administrative procedures require that:

• All certificates and keys have a finite validity period of two years or less.
• Certificates adhere to the following cryptographic specification:
  o Message digest: SHA-2 (SHA-256 at minimum)
  o Symmetric cipher: AES-256
  o Asymmetric algorithm: RSA, DSS (RSA only for SSH)
  o Asymmetric algorithm key length: 2048 bits or more
• Digital signature is required for all client-to-bank transaction initiation files.

This is a requirement of J.P. Morgan Partner Key Management, so please bear this in mind when obtaining your certificate or when generating self-signed keys. There are no exceptions to these requirements.

Transport Security
Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), is a protocol for sending encrypted information over the internet. SSL/TLS provides session encryption to prevent others from being able to see information that you send over the internet. Although this guide uses the term SSL throughout, the Host-to-Host servers only negotiate TLS 1.2.

The server and client are authenticated via two-way (mutual) SSL, each side presenting its public certificate, to establish an encrypted connection. When connecting to Host-to-Host, client-side authentication takes place whereby your public certificate is passed to the server and the server checks the validity of this certificate, including that it has been set up on our servers as a valid client, before allowing the connection to proceed. A handshake takes place during which the server and client agree the type of encryption that will be used to secure the connection. After a successful handshake, you will be allowed to send or receive files.

Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two computers; it is the transport underneath SFTP. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.

Payload Security
Pretty Good Privacy (PGP) is based on a widely used encryption technology known as public key cryptography, in which two complementary keys, called a key pair, are used to secure the payload during communications. One of these keys is called a private key and the other a public key. The private key is for your use only and the public key is exchanged with J.P. Morgan. It is the complete key exchange of both SSH keys or SSL certificates and PGP keys that allows for a successful file exchange, with the SSH key or SSL certificate providing the encrypted tunnel and client-side validation, and the PGP key securing the actual file.

PGP keys generally have a primary (master) key and one or more subkeys, and it is important that all of these meet the J.P. Morgan requirement for a minimum key size of 2048 bits. A key with any component below this size will be rejected.
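A check of the primary key and every subkey against the 2048-bit RSA minimum, as an added example that is not part of the guide. It reads the machine-readable listing that GnuPG prints with --with-colons, where the third field of each pub and sub record is the key length in bits and the fourth is the public-key algorithm number. GnuPG is assumed as the PGP tool here (the guide does not name one in this section); the wrapper for a real key file needs GnuPG 2.1 or later for the --import-options show-only flag; the two listings embedded at the bottom are constructed samples with made-up key IDs.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): verify that a PGP key's primary key
# and all subkeys are RSA and at least 2048 bits before sending it in.
# Assumptions: GnuPG as the PGP tool; the sample listings are constructed.
set -eu

# Reads --with-colons records on stdin. For "pub" and "sub" records, field 3
# is the key length and field 4 the algorithm (1, 2, 3 = RSA variants;
# 17 = DSA; 16/18/22 = Elgamal/ECDH/EdDSA). Returns 1 on any violation.
h2h_check_pgp_key_sizes() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            seen++
            if ($4 != 1 && $4 != 2 && $4 != 3) {
                printf "FAIL: %s key 0x%s uses algorithm %s, not RSA\n", $1, $5, $4; bad = 1
            }
            if ($3 + 0 < 2048) {
                printf "FAIL: %s key 0x%s is %s bits, need 2048 or more\n", $1, $5, $3; bad = 1
            }
        }
        END {
            if (!seen) { print "FAIL: no pub/sub records found"; exit 1 }
            if (bad) exit 1
            print "OK: primary key and all subkeys are RSA, 2048 bits or more"
        }'
}

# Wrapper for an exported key file (GnuPG 2.1+): list the key without
# importing it into your keyring, then apply the check.
h2h_check_pgp_key_file() {
    gpg --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | h2h_check_pgp_key_sizes
}

# Constructed sample listings (key IDs, dates and user ID are made up).
H2H_SAMPLE_OK='pub:u:2048:1:0123456789ABCDEF:1517443200:1580515200::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1517443200::DEADBEEF::Example Client <h2h@example.com>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1517443200:1580515200:::::e::::::23:'
H2H_SAMPLE_BAD='pub:u:2048:1:0123456789ABCDEF:1517443200:1580515200::u:::scESC::::::23::0:
sub:u:1024:1:FEDCBA9876543210:1517443200:1580515200:::::e::::::23:'

main() {
    printf '%s\n' "$H2H_SAMPLE_OK" | h2h_check_pgp_key_sizes
    if ! printf '%s\n' "$H2H_SAMPLE_BAD" | h2h_check_pgp_key_sizes; then
        echo "(rejected as expected: a 1024-bit subkey fails the requirement)"
    fi
}

main "$@"
```

Run h2h_check_pgp_key_file on the exported public key before submitting it through Partner Key Management; the second sample shows the case the guide warns about, a compliant primary key paired with an undersized encryption subkey.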

After successfully exchanging public PGP keys with J.P. Morgan, you may start to exchange
files. When sending a file to J.P. Morgan you optionally encrypt** the file with the J.P. Morgan
public key and sign it with your private key. J.P. Morgan will decrypt the file using our private key
and verify that it was signed using your public key. The reverse will happen for files that you
receive from J.P. Morgan.

You will be required to perform a key exchange ceremony with J.P. Morgan, whereby you
provide to us a copy of your public SSH or SSL and/or PGP keys and we provide you with a
copy of our public SSH or SSL and/or PGP keys. For production, there is a formal procedure
GUIDE

called the Partner Key Management, whilst for testing purposes, keys may be exchanged via
email with your J.P. Morgan technical specialist.

As an alternative, X.509 encryption certificates may be used instead of PGP for encrypting and
USER

signing files prior to the transmission to J.P. Morgan servers.

** Encryption of the payload is not required by J.P. Morgan, due to the fact that the channel is
already encrypted.
CONNECTIVITY

As a reminder, all certificates and keys must have a finite validity period of two years or
less.

Security standards change over time.


 Please visit www.jpmorgan.com/visit/h2h to review the latest minimum
standards for cipher, message authentication and key exchange algorithms
HOST-TO- HOST

for connectivity and authentication.


 Note that scheduled changes to Production are generally implemented in
CAT three months prior to the production date.
MORGAN
J.P.

11
5. Transport
J.P. Morgan has two environments for receiving files: Client Acceptance Test (CAT) and Production. Each of these has its own unique addresses that you will need to use when establishing your connection for any one of the chosen protocols. The environment you use for transmissions will determine the addressing that is required. For further information on IP addresses and ports, please refer to the section “J.P. Morgan Inbound URL/IP Addresses and Ports” for the protocol applicable to your setup with J.P. Morgan.

SFTP/FTPS
CAT          transmissions-uat.jpmorgan.com
Production   transmissions.jpmorgan.com

AS2/HTTPS
CAT                                Production
transmissions-uat.jpmorgan.com     transmissions.jpmorgan.com
transmissions-uat1.jpmorgan.com    transmissions1.jpmorgan.com
transmissions-uat2.jpmorgan.com    transmissions2.jpmorgan.com
transmissions-uat3.jpmorgan.com    transmissions3.jpmorgan.com
transmissions-uat4.jpmorgan.com    transmissions4.jpmorgan.com
transmissions-uat5.jpmorgan.com    transmissions5.jpmorgan.com
transmissions-uat6.jpmorgan.com    transmissions6.jpmorgan.com
transmissions-uat7.jpmorgan.com    transmissions7.jpmorgan.com
transmissions-uat8.jpmorgan.com    transmissions8.jpmorgan.com
transmissions-uat9.jpmorgan.com    transmissions9.jpmorgan.com

For SSL-based connections, your J.P. Morgan technical analyst will assign you the appropriate URL.

SSL (HTTPS)
Obtaining SSL Certificates
There are several ways of obtaining SSL certificates, all of which require that you create a Certificate Signing Request (CSR). The CSR is then sent off to a Certificate Authority (CA) for signing. For demonstration purposes, an example is shown using OpenSSL®, a software package that is freely available from www.OpenSSL.org. If you require explanations for each of the parameters used when using OpenSSL, please refer to the documents stored at the OpenSSL website.

OpenSSL is a command line product and all examples are shown in a Microsoft Windows command window.

Using OpenSSL
The following instructions are designed as a reference for the steps that need to be taken in order to successfully create your public and private SSL certificates and convert them into the correct formats. The primary software that will be used to create and convert the SSL keys is OpenSSL, which is available from one of the following places:

Windows software     HTTP://www.slproweb.com/products/Win32OpenSSL.html
Unix/Linux software  HTTP://www.OpenSSL.org/

Please know that this is open source software and that J.P. Morgan is in no way associated with this product, nor does J.P. Morgan support its use in any way.

The first step is to create your private SSL key. To do this, issue the following command:

# openssl genrsa -des3 -out privkey.pem 2048

(-aes256 may be used in place of -des3 to protect the key file with AES rather than Triple DES; the key itself is RSA either way.)

Once you have created your private SSL key, you next need to create your Certificate Signing Request (CSR). This is the file that will be sent to the authority for signing.

To create your CSR to send to the signing authority, do the following:

# openssl req -new -key <privkey>.pem -out <cert>.csr

Once the certificate is signed, you will receive back from the authority an email containing the text of your signed public key. This text should be copied from the email and placed into an empty file. This file should be named appropriately to identify it as your signed public key and should have a “.pem” extension.

You should not have to do this again. Private keys do not expire. When it comes time for renewal, simply resend the CSR to the signing authority and they will re-sign it and send the .pem back to you. (If you do not have the .csr, you can simply re-run the command above to generate a CSR from the private key again.) Reusing the key at renewal is permitted but not required: generating a fresh key pair at each renewal limits the window in which an undetected compromise of the private key remains useful.

The next step is to take the signed key that was returned to you by the authority and convert it to the needed DER format. To do this, use the following command:

# openssl x509 -outform der -in <publicKey>.pem -out <publicKey>.der

Once you have converted the public key to the DER format, send it in so that we may add it to the system.

We are almost there, and the last step in this process is to take the original private RSA key “.pem” file that you created and convert it from its PEM format to the PKCS#8 format that it should be in. To do this, do the following:

# openssl pkcs8 -topk8 -outform der -in <privKey>.pem -out <privKey>.pk8

In the above, the names that are available to be changed by you are contained within <>. Please name them accordingly so that you know what each is. Note that only the DER-encoded public certificate is sent to J.P. Morgan; the private key, in either format, stays on your systems for use by your client software.

SSL certificates are used for authentication and transport encryption when using HTTPS. For AS2, they are used for authentication, transport encryption and data signing.

You must provide an SSL certificate that has “Client Authentication” under the enhanced key usage.

As a reminder, the J.P. Morgan Host-to-Host servers will only accept connections from remote hosts that negotiate TLS 1.2. You must ensure that your client application has support for TLS 1.2. Also, all SSL certificates must minimally use SHA-256 hashing algorithms.

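The four OpenSSL steps above as one script, followed by a pre-flight check of the resulting certificate against the requirements stated in this section (RSA key of 2048 bits or more, SHA-256 signature, “Client Authentication” extended key usage, validity of two years or less). This is an added example and not part of the guide. It assumes a local openssl binary (1.1.1 or 3.x); the subject name and the passphrase are placeholders. Because no CA is reachable offline, the CSR is self-signed here so that the conversion and check steps can be run end to end; with a real CA you would drop h2h_self_sign and feed the certificate the CA returns to the later steps.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): OpenSSL key/CSR/DER/PKCS#8 steps plus a
# check of the certificate against the Host-to-Host requirements.
# Assumptions: local openssl; placeholder subject and passphrase; self-signing
# stands in for the CA so the whole flow runs offline.
set -eu

H2H_PASS=${H2H_PASS:-change-me}   # passphrase protecting the private key (placeholder)

# Steps 1 and 2 of the guide: private key, then CSR. -aes256 is used here in
# place of -des3 to protect the key file; the RSA key is the same either way.
h2h_make_key_and_csr() {
    local dir=$1 subject=$2
    mkdir -p "$dir"
    openssl genrsa -aes256 -passout "pass:$H2H_PASS" -out "$dir/privkey.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/privkey.pem" -passin "pass:$H2H_PASS" \
        -subj "$subject" -out "$dir/client.csr"
}

# Stand-in for the CA: self-sign the CSR for 730 days and add the
# "TLS Web Client Authentication" extended key usage the guide requires.
h2h_self_sign() {
    local dir=$1
    printf 'extendedKeyUsage = clientAuth\nkeyUsage = digitalSignature, keyEncipherment\n' \
        > "$dir/ext.cnf"
    openssl x509 -req -sha256 -days 730 -in "$dir/client.csr" \
        -signkey "$dir/privkey.pem" -passin "pass:$H2H_PASS" \
        -extfile "$dir/ext.cnf" -out "$dir/client.pem" 2>/dev/null
}

# Steps 3 and 4: public certificate to DER (the file sent to J.P. Morgan) and
# private key to encrypted PKCS#8 DER (stays with your client software).
h2h_convert() {
    local dir=$1
    openssl x509 -outform der -in "$dir/client.pem" -out "$dir/client.der"
    openssl pkcs8 -topk8 -outform der -in "$dir/privkey.pem" -passin "pass:$H2H_PASS" \
        -passout "pass:$H2H_PASS" -out "$dir/privkey.pk8"
}

# Pre-flight check of a PEM certificate. Returns 0 when every requirement is
# met; otherwise prints the first failing requirement and returns 1.
h2h_check_cert() {
    local cert=$1 text bits
    text=$(openssl x509 -in "$cert" -noout -text)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ -n "$bits" ] && [ "$bits" -ge 2048 ] \
        || { echo "FAIL: key is ${bits:-?} bits, need 2048 or more"; return 1; }
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
        || { echo "FAIL: certificate is not signed with SHA-256/RSA"; return 1; }
    printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' \
        || { echo "FAIL: extended key usage lacks Client Authentication"; return 1; }
    # -checkend exits non-zero when the certificate expires within the window,
    # so a zero exit here means more than two years (plus a day) remain.
    if openssl x509 -in "$cert" -noout -checkend $((731 * 86400)) >/dev/null; then
        echo "FAIL: remaining validity exceeds two years"; return 1
    fi
    echo "OK: $cert meets the Host-to-Host certificate requirements"
}

main() {
    local dir=${1:-./h2h-cert}
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to do"; return 0; }
    h2h_make_key_and_csr "$dir" "/C=US/O=Example Client Ltd/CN=h2h-client"   # placeholder subject
    h2h_self_sign "$dir"
    h2h_convert "$dir"
    h2h_check_cert "$dir/client.pem"
}

main "$@"
```

Run h2h_check_cert against the PEM returned by your CA before converting it to DER: a certificate that fails the key-size, digest or Client Authentication check will be rejected at setup, and the check is cheaper than a round trip through Partner Key Management.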
Sending Data Using HTTPS
The Host-to-Host interface requires certificate-based client authentication for all incoming HTTPS connection requests. This client authentication process is performed during the initial HTTPS/SSL handshake process, and is transparent to the client.

After successful SSL authentication, remote systems can use the following URL/HTTPS request and parameters to securely transfer/post data to J.P. Morgan using the Partners Interface:

Below is an example of the full URL using our primary DNS names:

Env.   URL
CAT    HTTPS://transmissions-uat.jpmorgan.com/invoke/FMSPartnerInterface.inbound/httpGateway
PROD   HTTPS://transmissions.jpmorgan.com/invoke/FMSPartnerInterface.inbound/httpGateway

Most connectivity applications make use of URL names when making connections, which means that the URL will always resolve to the correct IP address currently being used by our servers. If your company utilizes a firewall, it will more than likely use IP addresses. In this case you should also create firewall rules for all of our Host-to-Host IP addresses. Please refer to the section on URL/IP addresses to obtain the correct IP for the URL you have been assigned.

The above URL accepts the following parameters:

• jpmcData – Variable containing the secured data/payload to be sent to the J.P. Morgan systems
• jpmcDataType – This represents the type of unsecured data being sent in the jpmcData parameter
• jpmcProtocol – This represents the connection protocol used to transfer/send the jpmcData and should be set to HTTPS
• jpmcSecurity – This parameter defines the security mechanism used to secure the data in the jpmcData parameter
• jpmcDataFormat – This parameter represents the format of unsecured data being sent in the jpmcData parameter

The above URL expects J.P. Morgan parameters as URL Encoded compliant HTTPS form POST parameters specified within the body of the HTTPS request. The default HTTPS form POST content type should be as:
Content-type: application/x-www-form-urlencoded.

Our system also expects that the data being passed in the jpmcData parameter be base64 encoded.

There may be occasions when you will be asked to use a different URL from those mentioned above. If this is the case, you will be advised accordingly by our technical representative; you will also be advised of the IP addresses to be used in your firewall rules for both the production and DR servers. Please refer to the section on URL/IP addresses to obtain the correct IP for the URL you have been assigned.


Receiving Data Using HTTPS


After successful SSL authentication, remote systems can use the following URL/HTTPS request
and parameters to securely receive data from J.P. Morgan using the Partners Interface:

Env. URL

CAT HTTPS://transmissions-uat.jpmorgan.com/invoke/FMSPartnerInterface.inbound/downloadJPMCData

PROD HTTPS://transmissions.jpmorgan.com/invoke/FMSPartnerInterface.inbound/downloadJPMCData

The above URL accepts the following parameters:

 jpmcDataType – This represents the type of unsecured data being requested for download
 jpmcDataFormat – This parameter represents the format of unsecured data being requested for download
 jpmcProtocol – This represents the connection protocol used and should be set to HTTPS
 jpmcSecurity – This parameter defines the security mechanism/algorithm to apply to the data before it is sent to the partner

The requested data is sent as the response to the above HTTPS request. Depending on the values of jpmcDataFormat and jpmcDataType, this URL/request returns the oldest data (active data) not yet downloaded by the client. Repeat the request for a given set of data until the J.P. Morgan server returns the message/response "No Data Available to Download".

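The following is an added example and not J.P. Morgan's code: it builds the URL-encoded form body for the upload endpoint (jpmcData base64-encoded, as required above) and drives the download endpoint in the loop the guide describes, stopping only at the "No Data Available to Download" sentinel. The download path is the CAT URL from the guide; the upload URL is whatever your J.P. Morgan representative assigns and is a placeholder here; the field values ("ACH", "NACHA", "BAI2", "FILE", "PGP"), the certificate file names and FakeServer are constructed for illustration, and it is assumed that the download endpoint takes the same kind of form POST as the upload endpoint.

```python
"""Added example (not J.P. Morgan code): upload form body and download polling
loop for the Partners Interface over mutual TLS.  Field values, file names and
FakeServer are constructed placeholders."""
import base64
import ssl
import urllib.parse
import urllib.request

DOWNLOAD_URL = ("https://transmissions-uat.jpmorgan.com"
                "/invoke/FMSPartnerInterface.inbound/downloadJPMCData")
UPLOAD_URL = "https://<upload URL assigned by your J.P. Morgan representative>"
NO_DATA = "No Data Available to Download"
FORM_TYPE = "application/x-www-form-urlencoded"


def build_upload_body(secured_payload: bytes, data_type: str,
                      data_format: str, security: str) -> bytes:
    """jpmcData carries the already signed (and ASCII-armored) payload,
    base64-encoded; the whole form is URL-encoded as the guide requires."""
    fields = {
        "jpmcData": base64.b64encode(secured_payload).decode("ascii"),
        "jpmcDataType": data_type,
        "jpmcDataFormat": data_format,
        "jpmcProtocol": "HTTPS",
        "jpmcSecurity": security,
    }
    return urllib.parse.urlencode(fields).encode("ascii")


def build_download_body(data_type: str, data_format: str, security: str) -> bytes:
    fields = {"jpmcDataType": data_type, "jpmcDataFormat": data_format,
              "jpmcProtocol": "HTTPS", "jpmcSecurity": security}
    return urllib.parse.urlencode(fields).encode("ascii")


def parse_form_body(body: bytes) -> dict:
    """Inverse of the encoders, used to inspect what a request carried."""
    return dict(urllib.parse.parse_qsl(body.decode("ascii")))


def mutual_tls_context(client_cert: str, client_key: str, jpmc_ca_bundle: str) -> ssl.SSLContext:
    """Client-certificate (mutual TLS) context: the client certificate is the one
    registered with J.P. Morgan; the CA bundle verifies the server's chain."""
    ctx = ssl.create_default_context(cafile=jpmc_ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def https_poster(url: str, ctx: ssl.SSLContext):
    """Return a fetch(body) -> bytes callable that POSTs the form to url."""
    def fetch(body: bytes) -> bytes:
        req = urllib.request.Request(url, data=body, method="POST",
                                     headers={"Content-Type": FORM_TYPE})
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return resp.read()
    return fetch


def poll_downloads(fetch, data_type: str, data_format: str,
                   security: str, max_requests: int = 1000) -> list:
    """Each request returns the oldest item not yet downloaded, so keep asking
    until the sentinel text comes back.  max_requests bounds the loop if a
    server never returns the sentinel."""
    body = build_download_body(data_type, data_format, security)
    received = []
    for _ in range(max_requests):
        response = fetch(body)
        if response.strip() == NO_DATA.encode("ascii"):
            return received
        received.append(response)
    raise RuntimeError("gave up before the server reported no data")


class FakeServer:
    """Constructed stand-in for the download endpoint: hands out queued items
    oldest first, then the sentinel on every later request."""
    def __init__(self, items):
        self.queue = list(items)
        self.requests = []

    def __call__(self, body: bytes) -> bytes:
        self.requests.append(parse_form_body(body))
        return self.queue.pop(0) if self.queue else NO_DATA.encode("ascii")


if __name__ == "__main__":
    server = FakeServer([b"-----BEGIN PGP MESSAGE-----\n...first file...",
                         b"-----BEGIN PGP MESSAGE-----\n...second file..."])
    files = poll_downloads(server, "BAI2", "FILE", "PGP")
    print(len(files), "file(s) downloaded in", len(server.requests), "requests")
    # Live use: poll_downloads(https_poster(DOWNLOAD_URL, mutual_tls_context(
    #     "client.crt", "client.key", "jpmc-ca.pem")), "BAI2", "FILE", "PGP")
```

The sentinel comparison is exact on purpose: a transient error page or an empty body is appended as data rather than silently ending the loop, which is the safer failure when a missed file means a missed payment report.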
AS2
AS2 setup information
We will provide a Host-to-Host Trading Partner's Profile Information document for you to
complete and send back to us. Based on the information returned, we will set up our system to
communicate with you. We also send you a profile with J.P. Morgan information so you can set
up your communications with us.

It is your responsibility to acquire/install compatible Drummond® certified AS2 client software on your system. The client software used must support client side validation. This software is used for the setup and communication with J.P. Morgan. You are only required to provide J.P. Morgan with one SSL certificate, as this will be used for both transport and data encryption.

The J.P. Morgan technical specialist will do their utmost to assist you with any issues
surrounding your connectivity, but please be aware that if the issue is with software setup or
operation, your vendor is responsible for providing support.

Most connectivity applications make use of URL names when making connections; this means that the URL will always resolve to the correct IP address currently being used by our servers. If your company utilizes a firewall, it will more than likely use IP addresses. In this case you should also create firewall rules for all of our Host-to-Host IP addresses. Please refer to the section on URL/IP addresses to obtain the correct IP for the URL you have been assigned.

There may be occasions when you will be asked to use a different URL from those mentioned above. If this is the case, you will be advised accordingly by our technical representative; you will also be advised of the IP addresses to be used in your firewall rules for both the production and DR servers.

Please note that standard HTTP connectivity is not permitted on J.P. Morgan servers for either inbound or outbound transmissions.

SSL Certificate installation note


When installing your SSL certificate into the system, please keep in mind that your certificate will be used for the transport (SSL connection) and also for the client side validation. With this in mind, please ensure that the certificate is installed accordingly.

If strict host checking is configured in your application, then you must have the J.P. Morgan public SSL certificate installed on your system.

Trading Partner Information

Corporate Information
Corporation Name                                   J.P. Morgan
Unit/Department Name                               Treasury Services
Partner Type (Integration software e.g., Cyclone)  webMethods version 9.7
EDIINT AS2 ID                                      Test - JPMC
                                                   Production - 006981815

Contact Information
Contact Type (Production issues only)              Technical
Contact Name                                       Production Technical Support
Contact Availability                               24/7
Phone Number                                       +1 978 805 1200 Option 1
Email Address                                      CAS.Helpdesk@jpmchase.com
Address                                            10410 Highland Manor Drive, Floor 4
City                                               Tampa
State/Province                                     FL
Postal Code                                        33610-9128
Country                                            USA

Delivery Method (To J.P. Morgan)
Host Name                                          CAT – transmissions-uat.jpmorgan.com
                                                   Production – transmissions.jpmorgan.com
Port                                               443
Location (URL if any)                              CAT – HTTPS://transmissions-uat.jpmorgan.com/invoke/wm.EDIINT/receive
                                                   Production – HTTPS://transmissions.jpmorgan.com/invoke/wm.EDIINT/receive
User Name (if any)                                 Certificate based authentication only
Password (if any)                                  N/A
HTTPS command                                      Post

Extended Fields
AS2 MDN URL (if any)                               Same URL as mentioned above
Encryption Algorithm                               3-DES
SMIME Type (e.g. Signed, SignedAndEncrypted etc.)  SignedAndEncrypted
Data Content Type (e.g. text/text/)                N/A
Data Compression (True/False)                      N/A
MDN Delivery Type (Synchronous/Asynchronous)       Synchronous (Asynchronous also supported)
Request Signed Receipt (True/False)                True
Payload Security Type (e.g. Signed, SignedAndEncrypted etc.)  SignedAndEncrypted

Certificates/Security
Certificates Issuing Authority Name                Verisign (see below)
New Certificate Authority                          Entrust
                                                   CAT – October 23, 2018
                                                   Production – January 19, 2019

The delivery URL will be provided by your J.P. Morgan technical analyst.

FTPS
There are many FTP software applications that can be used to connect. J.P. Morgan does not make any recommendation on which software vendor you use to connect or set up connectivity with J.P. Morgan; however, it is recommended that you maintain a relationship with your vendor so that you receive support for your product.

CAT         transmissions-uat.jpmorgan.com
Production  transmissions.jpmorgan.com

Most connectivity applications make use of URL names when making connections; this means that the URL will always resolve to the correct IP address currently being used by our servers. If your company utilizes a firewall, it will more than likely use IP addresses. In this case you should also create firewall rules for all of our Host-to-Host IP addresses. Please refer to the section on URL/IP addresses to obtain the correct IP for the URL you have been assigned.

When configuring your application, you must ensure that you enable encryption for both the control channel and authentication; in explicit FTPS terms, the client must issue AUTH TLS on the control connection before any login exchange takes place. You should also enable encryption of the data channel (PROT P); otherwise the file contents themselves cross the network in clear text even though the login was protected.

To connect via FTPS, you will use port 21 for the control connection. We use the following port range for the FTPS data connections, so your firewall rules must permit outbound connections to these ports as well as to port 21.

CAT         62101-62200
Production  62000-62100

When connecting via FTPS, you will authenticate using an SSL certificate. Since your FTP client software will present the SSL certificate, you must specify the location of your private key.

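As an added example, not from the guide or any J.P. Morgan software, the following Python (standard library only) shows an explicit-FTPS session set up in the order the requirements above imply (control channel encrypted before login, certificate presented, data channel encrypted), plus a check that the port a server announces in its PASV reply lies inside the range published for the environment, which is a quick way to confirm the firewall rules before files are moved. The certificate file names, the user name handling and the sample PASV reply are constructed; the host names and port ranges are the ones stated above.

```python
"""Added example (not J.P. Morgan code): explicit FTPS with client-certificate
authentication and a PASV-port check against the published data port ranges.
Certificate file names, user name and the sample 227 reply are placeholders."""
import re
import ssl
from ftplib import FTP_TLS

HOSTS = {"CAT": "transmissions-uat.jpmorgan.com",
         "PROD": "transmissions.jpmorgan.com"}
DATA_PORTS = {"CAT": (62101, 62200), "PROD": (62000, 62100)}   # inclusive
CONTROL_PORT = 21


def parse_pasv_port(reply: str) -> int:
    """Data port from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    return int(m.group(5)) * 256 + int(m.group(6))


def data_port_ok(port: int, env: str) -> bool:
    """True if the announced data port is inside the range published for env."""
    low, high = DATA_PORTS[env]
    return low <= port <= high


def firewall_rule_targets(env: str) -> list:
    """Every (host, port) an egress rule must permit: control port plus data range."""
    low, high = DATA_PORTS[env]
    return [(HOSTS[env], CONTROL_PORT)] + [(HOSTS[env], p) for p in range(low, high + 1)]


def make_client_context(client_cert: str, client_key: str, ca_bundle: str) -> ssl.SSLContext:
    ctx = ssl.create_default_context(cafile=ca_bundle)    # verify the server's chain
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(client_cert, client_key)           # certificate authentication
    return ctx


def connect_ftps(env: str, ctx: ssl.SSLContext, user: str, timeout: int = 60) -> FTP_TLS:
    """Order matters: AUTH TLS before login so the user name and the certificate
    handshake are never sent in clear, then PROT P so transfers are encrypted."""
    ftp = FTP_TLS(context=ctx, timeout=timeout)
    ftp.connect(HOSTS[env], CONTROL_PORT)
    ftp.auth()                 # AUTH TLS: upgrade the control channel
    ftp.login(user=user)       # certificate-based authentication, no password
    ftp.prot_p()               # PROT P: encrypt the data channel as well
    ftp.set_pasv(True)         # data connections go to the published port range
    return ftp


if __name__ == "__main__":
    sample = "227 Entering Passive Mode (10,0,0,1,242,50)."   # constructed reply
    port = parse_pasv_port(sample)
    print(port, "PROD range:", data_port_ok(port, "PROD"), "CAT range:", data_port_ok(port, "CAT"))
    # Live use: ftp = connect_ftps("CAT", make_client_context("client.crt",
    #     "client.key", "jpmc-ca.pem"), user="<your H2H user name>")
```

If a client negotiates a data port outside the published range, the transfer will stall at the firewall rather than fail with a clear error, so checking the 227 reply (most clients log it) is the fastest diagnosis.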
SFTP
There are many SFTP software applications that can be used to connect. J.P. Morgan does not make any recommendation on which software vendor you use to connect or set up connectivity with J.P. Morgan; however, it is recommended that you maintain a relationship with your vendor so that you receive support for your product.

CAT         transmissions-uat.jpmorgan.com
Production  transmissions.jpmorgan.com

Most connectivity applications make use of URL names when making connections; this means that the URL will always resolve to the correct IP address currently being used by our servers. If your company utilizes a firewall, it will more than likely use IP addresses. In this case you should also create firewall rules for all of our Host-to-Host IP addresses. Please refer to the section on URL/IP addresses to obtain the correct IP for the URL you have been assigned.

To connect via SFTP, you will use port 22.

When connecting via SFTP, you will authenticate using an SSH key, not a password.

Host-to-Host only supports the RSA algorithm for SSH keys. These must have a minimum 2048-bit key length.

You will send the public SSH key to J.P. Morgan and specify the location of your private key in your SFTP software. (Note: when you send your public SSH key to J.P. Morgan, we will set the key to expire in accordance with J.P. Morgan administrative procedures.) Only the public key leaves your system; keep the private key protected with a passphrase and with file permissions that restrict it to the account running the transfers.

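Before sending a public key, it is worth confirming that it meets the two requirements just stated (RSA, at least 2048 bits) by reading the key itself rather than its file name or comment. The following is an added example, not part of the guide: it decodes the OpenSSH public key line ("ssh-rsa AAAA...") using the RFC 4253 string/mpint wire format and reports the algorithm and modulus size. The keys it builds for demonstration use a fixed modulus and are test data only, not usable keys.

```python
"""Added example (not J.P. Morgan code): check an OpenSSH public key line
against the Host-to-Host rule "RSA only, minimum 2048 bits" by decoding the
key blob.  make_test_*_line() produce synthetic test data, not real keys."""
import base64
import struct

MIN_RSA_BITS = 2048


def _read_string(blob: bytes, pos: int):
    """RFC 4253 'string': 4-byte big-endian length followed by that many bytes."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    end = pos + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end


def _mpint(n: int) -> bytes:
    """RFC 4253 mpint: big-endian two's complement, 0x00 pad if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")   # +8 adds the pad byte only when needed
    return struct.pack(">I", len(raw)) + raw


def describe_openssh_key(line: str) -> dict:
    """Parse one authorized_keys-style line into its type, size in bits and comment."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    wire_type, pos = _read_string(blob, 0)
    if wire_type.decode("ascii") != parts[0]:
        raise ValueError("key type field does not match the encoded blob")
    info = {"type": parts[0], "comment": " ".join(parts[2:]), "bits": None}
    if parts[0] == "ssh-rsa":
        _e, pos = _read_string(blob, pos)      # public exponent e
        n, pos = _read_string(blob, pos)       # modulus n; its bit length is the key size
        info["bits"] = int.from_bytes(n, "big").bit_length()
    return info


def acceptable_for_host_to_host(line: str) -> tuple:
    """(ok, reason): RSA only and at least MIN_RSA_BITS, as the guide requires."""
    info = describe_openssh_key(line)
    if info["type"] != "ssh-rsa":
        return False, f"{info['type']} is not RSA"
    if info["bits"] < MIN_RSA_BITS:
        return False, f"RSA key is {info['bits']} bits, minimum is {MIN_RSA_BITS}"
    return True, f"RSA {info['bits']}-bit"


def make_test_rsa_line(bits: int, comment: str = "constructed") -> str:
    """Synthetic ssh-rsa line with modulus 2^(bits-1)+1 (test data, not a usable key)."""
    n = (1 << (bits - 1)) | 1
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def make_test_ed25519_line() -> str:
    """Synthetic non-RSA line, to show the algorithm check (all-zero point, not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} constructed"


if __name__ == "__main__":
    for line in (make_test_rsa_line(2048), make_test_rsa_line(1024), make_test_ed25519_line()):
        print(acceptable_for_host_to_host(line))
```

The same decoder can be pointed at the id_rsa.pub file your client produced; the size reported is the one J.P. Morgan will see, independent of what the generating tool claimed.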
We have provided examples of SFTP client software below only as a guide to assist with establishing a successful connection to J.P. Morgan.

Example using PuTTY

Creating an SSH key pair
Below are examples of how to create an SSH key pair. In this example, we are using PuTTY. This software may be obtained from HTTP://www.chiark.greenend.org.uk/~sgtatham/putty/. You may use any other software that will produce an RSA SSH key pair.

The example screens below show key pair generation (screen captures not reproduced here).

The example screen below illustrates that you can create a passphrase for your key and export your key pair.

Connectivity using WinSCP

In the example below, WinSCP™ is used to make the connection to Host-to-Host. This software may be obtained from HTTP://winscp.net. This, or any other FTP software that supports SSH authentication, may be used. Another popular client that is demonstrated in the FTPS section of this document is WS FTP Professional™.

For a first-time connection to Host-to-Host, the server will present its host key. Before accepting it, compare the fingerprint shown with one you have confirmed with your J.P. Morgan technical representative; accepting an unverified host key on first use is the point at which a man-in-the-middle could insert itself, and the client will silently trust that key thereafter. Once verified, click Yes to accept the key, and you will then be connected to the server. Your personal folders will be displayed as shown below.

Connectivity using Solaris
Connecting to J.P. Morgan using Solaris.

 Creating an RSA SSH key pair
As shown in the example below, we are using the command ssh-keygen -t rsa -b 2048 to create the key pair. Specify -b explicitly rather than relying on the default, since some older ssh-keygen builds default to 1024-bit keys, which do not meet the minimum above.

Default location and file name for your private key
 Place your private SSH key in ~/.ssh
 The private key should be named id_rsa

As seen in the following example, to make the connection to the CAT server, type the following command: sftp USERNAME@transmissions-uat.jpmorgan.com

Sending and Receiving files

When sending files to J.P. Morgan, put them in the /Inbound/Encrypted directory. When receiving files from J.P. Morgan, you will find them in the /Outbound/Encrypted directory.

6. Payload (File Encryption/Signing)

PGP
This section covers the creation of a PGP key pair using PGP and GPG. It covers Microsoft
Windows GUI and command prompts for both MS-DOS and UNIX. It also covers the export of
your public key and the import of the J.P. Morgan public key.

For many users, the vast array of command line parameters can make PGP difficult to use. It is
suggested that you make yourself familiar with some of the more commonly used commands
and parameters. The user guides that ship with your software provide a good foundation in the
basics of PGP and should be read if you have not been exposed to PGP.

You should not rely on the information regarding third party software for anything beyond its presentation as an illustrative example. Please refer to your software provider for more information about any third party software. Due to the many different versions of PGP, it would be impossible to provide examples for all, and we highly recommend that you review the documentation provided with your particular version to familiarize yourself with its usage.

As a reminder, J.P. Morgan administrative procedures require that all keys have a finite validity period of two years or less.
Please note that PGP keys can have a Master Key and a Sub Key, and both must be a minimum size of 2048 bits to be accepted by J.P. Morgan.

Send the PGP public key in ASCII-armored format. When naming your key, please use your company name. Please do not use “J.P. Morgan” as part of your key name; we need the key name to identify your company. Also, please note that PGP is required for signing of inbound files to J.P. Morgan; outbound files are generally sent in clear text unless otherwise requested by the client.

Examples for Windows


The following are examples using Windows GUI versions of several PGP packages.

GPG for Windows

For GPG Windows users, there is freeware available at www.gpg4win.org. This product is called ‘Gpg4win™’ and is a GUI front-end for GPG.

Step 1: Generate a key: “Programs/GnuPG for Windows/GPA”

Step 2: Your first time into the product, click on ‘generate key now’
Step 3: Type in your firm or what you want the key to be known as.

Step 4: Enter your email address


Step 5: Enter your secret passphrase

Step 6: You will be prompted to create a backup. Click on ‘create backup’, then click on ‘apply’.
This could take a few minutes. Please be patient
Step 7: A backup copy will be generated, click on ‘ok’

Step 8: Follow the instructions in the GPA message box, and click close
Step 9: You will now see the default key in the Keyring Editor

Step 10: Click the private key, and then click on ‘Edit’
Step 11: An ‘Edit Key’ box will appear, click on ‘change expiration’

Step 12: Select the year and day through the menu option. Please note: J.P. Morgan does not
accept keys that exceed a two year expiration.
Step 13: You will be prompted to enter the secret passphrase that you created in step 5

Step 14: Place your cursor on ‘keys’, then click on ‘Export keys’
Step 15: Enter a file name for this key. Please note: you will need to provide this to J.P. Morgan
Step 16: Click on close
</gr_replreplace>
<gr_replace lines="1252-1256" cat="clarify" orig="When exporting">
When exporting the key from your keyring, ensure that you export the entire key (the primary key together with its subkey) and not just the subkey.
An example of how a key should look when opened in Notepad is shown below.


When exporting the key from your keyring, ensure that you export the entire key and not just the
sub key.
An example of how a key should look when opened in Notepad is shown below.
USER

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 6.5.8 for non-commercial use <HTTP://www.pgp.com>

mQGhBEPGSyERBADVubB7a0yBRUFofHx28WUxq/aiFqysz6440HorUc1wWOtvQjtD
QtMSCsrAZPs8MH5PyyO1DHdLlhEdJ5iwozWw2QSzE9mK/qHvt2pyTYSFJrtOvxU5
3p/Taa31OOC7o05T8dm0KY5VmkixySKDfDKOpyRZQ69YvFjO0eXzfhgfQRH0Ud6+
TNriVEcGKG669pNh5RvaaNmPWagnazEVCo9UhdShcaHImztzQN9BsQbFzkzoEiDr
hC5qhwvPnufAU8KTvh/AjmU9xokATAQYEQIADAUCQ8ZLIQUJA8JnAAAKCRA5GU2u
XzsoVYZ3AJ9UplVIl7zNHjCmCeIdjbGKEX8M5QCdG84amCX4u47PihnCEf20DdgW
ZgY=
=8FZT
-----END PGP PUBLIC KEY BLOCK-----
Step 17 (if needed): To import the J.P. Morgan public key, click ‘Import’, then select the location
of the key that you wish to import, and click on ‘ok’
Step 18: A box will appear showing the key has been added to your ring

Step 19: Select the key you have just imported. Place your cursor to ‘keys’ then click on ‘Sign
keys’
Step 20: Click on ‘yes’ to sign the key

Step 21: Enter the passphrase that you had created in step 5 and click ‘ok’
Windows PGP
The following is an example of how to create a PGP key pair using PGP for Windows from
Network Associates®
Start the PGP application, normally done by clicking Start, Programs, PGP and then PGPKeys. A window similar to the following should be displayed.
Select the Keys menu and the New Key option

You will now be guided through the Key pair creation wizard

Click the Next button


Enter your company name and a contact email address

Accept the default (Diffie-Hellman/DSS) by clicking the Next button


Please ensure that your key size is 2048/2048 minimum (screen not shown, as it will vary
from version to version)

Change the Key Expiration from “Key pair never expires” to “Key pair expires on” and select a
date that is not greater than two years. Click the Next Button.
Enter a passphrase in both of the boxes

The above dialog will be displayed once your key pair has been created. Click the Next button

If you do not know the answer to the above question, leave it at the default and click the Next
button.

You have now created a public/private PGP key pair. Click the Finish button
Windows Command line examples
There are different PGP vendors available in the market and their command syntax vary.
Following are a few examples that may help you generate your PGP key pair. Please check with
your vendor’s documentation for command correctness.

Examples for using PGP:

Generate a PGP key, where <type> may be DSS/RSA and <size> may be DSS:{2048,3072,4096} or RSA:{2048}

 Generate PGP key

pgp --key-gen --userid <customerkey> --key-type <type> --expires-after <time> --key-size <size>

 Signing using your private PGP key

pgp --sign --sign-with <customer key> --passphrase <password> --armor <input file> --output <output file>

(A passphrase given on the command line is visible to anyone who can list processes or read the shell history; consult your vendor's documentation for a safer passphrase source when automating.)

 Export your PGP public key with ASCII armor

pgp --key-export --armor …

42
Examples for using GPG

 Generate the client key pair

gpg --gen-key

 Create an ASCII-armored export of your public key and send it to us

gpg --armor --export <your-key-id> > key.asc

For the J.P. Morgan PGP public key, if required:

 Add the J.P. Morgan PGP key to your keyring, and note its key id/name

gpg --import <J.P. Morgan key file>

 Sign the J.P. Morgan public key with your private key

gpg --edit-key <J.P. Morgan key-id>
Command> sign

For a data file:

 Encrypt and sign the data file

gpg --output <fn.pgp> --armor --sign --encrypt -r <J.P. Morgan key-id> <data-file>

Unix & Windows GPG command line

UNIX/LINUX and Windows

Generate the key pair

With GPG installed on your machine, use the commands below to create a key pair (the original shows these steps as screen captures with the commands you type highlighted in yellow; the captures are not reproduced here). Key generation is started with:

gpg --gen-key

You will be asked for the key type, the key size (2048 or larger), the expiry (no more than two years), your company name and email address, and a passphrase. You will need to repeat the passphrase to confirm it.

If you want to use your key for encryption as well, you will need to create a Sub Key for your PGP key. This is done from the key editor, for example:

gpg --edit-key <your-key-id>
Command> addkey

You will need to provide the passphrase you created in the earlier step. After that, you will be able to choose the options (subkey type, size of at least 2048 bits and expiry) as in the step above, and then save the changes:

Command> save

Now export the key along with the Sub Key:

gpg --armor --export <your-key-id> > <yourcompany>.asc

Finding the key id

gpg --list-key

pub   2048D/194603A2 2008-02-10 [expires: 2010-02-10]
uid                  WIDGETCORP <firstname.lastname@widgetcorp.com>
sub   2048g/EDCC7468 2008-02-10

pub   2048R/78823403 2001-09-21
uid                  ECGPDD <pgpadmin@ecqa.jpmorgan.com>
uid                  ECGPDD pgpadmin@ecqa.jpmorgan.com
uid                  ECSRQ01

pub   2048R/61B97747 2008-02-11 [expires: 2010-01-31]
uid                  WIDGETENTERPRISES (none) firstname.lastname@widget.com

The key id is the hexadecimal value after the slash on the pub line (for example 194603A2 for the WIDGETCORP key above); the letter before the slash is the algorithm (D = DSA, g = ElGamal, R = RSA) and the number before it is the key size in bits.

47
Exporting your public Key from the Keyring

gpg --export -a <keyid> > mykey.asc

gpg --export -a 194603a2 > widget2008.asc

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.7 (MingW32)

mQGiBEevQAERBAC0c3X+AwG2hez1grLaj1XceIKARKm8j7OmwaZyC+Rvz7SsErp7
iF30I+bMlLm1OExHvbfiuKMGSJRnK4R+o7U0oXXgZTADepqmPQNYfT6F0X0qveHS
cRev3y2obc8JOdRSLh+FueTTwhXeJ3EumJppQtSbnGM+jXsBcQMAAwYEAI/RGqNs
9YadN88bUZAm9n4qcvcahM10fifWbij5zKaNANaWLCU2c4tjuPElYANCmQLFHfBr
2N6Hobm5M9rv1lFF8i+aiqKehy0XoCMtqcZwoUwXD0rjJn4TYP5t1JfnSaLMLVuN
6R+6XzqbLGTgGR/VtnnoJygTFnGf9/g+UbijiEkEGBECAAkFAkevQAECGwwACgkQ
/e8rlxlGA6JemQCggy6WoFyQF8FyArhekMZ4XOu8eYMAnRcLjJMCHGrXlytr7hOC
DVqy29LW
=X2jw
-----END PGP PUBLIC KEY BLOCK-----

Adding keys to your Keyring

gpg --import <J.P. Morgan key file name>

gpg --import "J.P. Morgan-TestPGPkey.asc"

gpg: key 78823403: public key "ECGPDD <pgpadmin@ecqa.jpmorgan.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Signing the J.P. Morgan public key after it has been added to your keyring

gpg --sign-key ecgpdd

You need a passphrase to unlock the secret key for
user: "WIDGETCORP <firstname.lastname@widgetcorp.com>"
2048-bit DSA key, ID 194603A2, created 2008-02-10

48
Exporting Your Public Key
The new key pair will be displayed in the key window of the PGPKeys application. An example is
shown below.

Right click the mouse on the top level of your key, which is the entry that has the icon that
depicts a key above a person’s head. From the drop down menu click Export and choose a
location to save the key.

Once saved, open the key in Notepad to ensure that the format looks like the example shown below.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 6.5.8 for non-commercial use <HTTP://www.pgp.com>

mQGhBEPGSyERBADVubB7a0yBRUFofHx28WUxq/aiFqysz6440HorUc1wWOtvQjtD
xu6EwZ5dqZnPMvYvfjRzk8vWSkkKCt5V2nE1LfYRqArSZM1MMnj+JTivZrRhWzGT
jnPRZIWALB8758auSHsEPfQTMVTmKlnA1MOwUSpbc/OavVflBgYvsE7BiwCg/zuZ
UxE5T7bxbrlLOCDaAadWoxTpj0BV89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1
WV/cdlJPPT2N286Z4VeSWc39uK50T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01ue
jaClcjrUGvC/RgBYK+X0iP1YTknbzSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJ
I8BD8KVbGI2Ou1WMuF040zT9fBdXQ6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaG
xAMZyAcpesqVDNmWn6vQClCbAkbTCD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwAC
Agf7BhWDUPY83thA1LnjV0StVcCuH5iqwFFEBvHJDC3H5TlrK+4yznVttOoJY6wE
/Sn42jzmHFxcOTKLWb5jF8EXWF2R9i9p5WkRLJjWZMy3z51hWQCPRwFDuJ19xbvO
QtMSCsrAZPs8MH5PyyO1DHdLlhEdJ5iwozWw2QSzE9mK/qHvt2pyTYSFJrtOvxU5
3p/Taa31OOC7o05T8dm0KY5VmkixySKDfDKOpyRZQ69YvFjO0eXzfhgfQRH0Ud6+
TNriVEcGKG669pNh5RvaaNmPWagnazEVCo9UhdShcaHImztzQN9BsQbFzkzoEiDr
hC5qhwvPnufAU8KTvh/AjmU9xokATAQYEQIADAUCQ8ZLIQUJA8JnAAAKCRA5GU2u
XzsoVYZ3AJ9UplVIl7zNHjCmCeIdjbGKEX8M5QCdG84amCX4u47PihnCEf20DdgW
ZgY=
=8FZT
-----END PGP PUBLIC KEY BLOCK-----

Installing the J.P. Morgan public key (if required)
The J.P. Morgan PGP key must be imported into your PGP public keyring.
An example of how to import the PGP key in the Windows version of PGP is shown below.

From the Keys menu of the PGPKeys application, choose the Import option and navigate to the location where the J.P. Morgan public PGP key has been stored.

You will be shown information regarding the imported key; confirm that the key shows that it is from J.P. Morgan. A user ID alone can be forged by anyone, so also confirm the key's fingerprint with your J.P. Morgan technical representative before you trust it.

If you are sure that the key is from J.P. Morgan, click the Import button to include the key in your public keyring.

You will notice that a new key has now been added to your keyring, but the icon in the Validity column is grey and not green. This is because the key is not trusted by default. You need to set the trust properties of the key. To do this, right click on the top level of the key and choose the Sign option. This means that you are signing the J.P. Morgan public key with your private key.

Click the OK button to continue.

The Signing Key will be your private key; enter the passphrase that you used when creating your key pair and then click the OK button. You will now see that the Validity icon has turned green.

Some implementations may require an additional step of explicitly trusting the key after it is signed. Please see your application documentation for more details.

File Encryption/Signing
File Management is the process of encrypting and signing files that you wish to deliver to
J.P. Morgan or decrypting and verifying files that you have received from J.P. Morgan.

Encryption

What does encryption mean?


Encryption is the translation of data into a format that is not readable by those who do not have the key to unlock it. With public-key encryption, a file is encrypted with the recipient's public key and can only be decrypted with the recipient's corresponding private key. Two keys are therefore involved when you encrypt and sign a file: it is encrypted using the public key of the recipient of the file and signed using the private key of the sender. The following topics show how to encrypt and sign files ready for transmission to Host-to-Host using Windows, MS-DOS and UNIX.

Encrypting & Signing files using the PGP GUI

There are two ways to achieve this operation: the Windows GUI and the command line. This example shows how to achieve this using the Windows GUI.

For this example, there is a text file called Test.txt. Using Windows Explorer®, right click on the file name.

Click on PGP>Encrypt & Sign

When encrypting files, you always encrypt the file using the public key of the recipient. In this
case J.P. Morgan. Click on the J.P. Morgan Key from the list of keys in the top window and drag
and drop this into the Recipients window.

Ensure that the Text Output option is checked (this will ascii armor the file), click the OK button.

You will be prompted for a Signing Key, this is your private key and should be chosen from the
drop down list box, you then need to enter the passphrase for your key. Click the OK button.

A new file will be created in the same location as the original file that you chose to encrypt. This
will have the same file name as the original, but with the additional extension of .asc. This is the
file that you will send to J.P. Morgan.

Encrypting & Signing files using the GPG GUI

Click on ‘File’ in the Keyring editor.

Click on ‘Open’, then select or type in the file location and click ‘ok’.

Click on ‘Encrypt’ to encrypt the selected file.

Tick ‘Sign’, select the J.P. Morgan key as the recipient, tick ‘Armor’, then click ‘ok’.

You will be prompted for the passphrase that you created in step 5. The file is now encrypted and signed, and may be sent to J.P. Morgan.

Encrypting & Signing files using the CMD prompt

You may want to automate the encrypt and sign process. To achieve this, you will need a command line version of PGP.

The following is an example using the MS-DOS command line with the classic PGP syntax: -e encrypts, -s signs, -a produces ASCII armor; the name after the file is the recipient, and -u names the key used for the signature.

Create a batch file called “encsign.bat” with the following content:

set PGPPASS=yourpgppassphrase
pgp -esa %1 "pgpadmin@ecqa.jpmchase.com" -u "Your Key Name"
set PGPPASS=

The recipient is the J.P. Morgan public key, so that only J.P. Morgan can decrypt the file, and -u selects your own key so the signature is yours; swapping the two produces a file that J.P. Morgan cannot read. The final set PGPPASS= clears the passphrase from the environment once the command has run. A passphrase stored in a batch file is readable by anyone who can read the file, so restrict its permissions to the account that runs it.

You can encrypt & sign the file by running the following:
encsign test.txt

Decryption

What does decryption mean?


Decryption is the process of decoding data that has been encrypted with a key. Only those who
have access to the secret key will be able to decrypt the file. If it is a signed file, the sender of
the file is also verified by checking the validity of the key that was used to sign it.

The following topics show how to decrypt files received from the Host-to-Host using the Windows
GUI, MS-DOS and UNIX.

Decrypting files using the GUI

In the following sample, J.P. Morgan has sent an encrypted file to ABC Client called test.doc.asc that has been encrypted using the ABC Client public key and signed using the J.P. Morgan QA private key.

Locate the file using Windows Explorer.

To decrypt and verify the received file, right click on the file to bring up the context menu. Select PGP -> Decrypt & Verify.

The following dialog box shows the name of the key that was used to encrypt the file; you will need to enter the associated passphrase for this key to unlock the file.

The file will be decoded and extracted to the same folder as the encrypted source. You will also
see a window showing the key that was used to sign the file. You must have the corresponding
public key to verify the signature.

Decrypting files using the CMD prompt

The following shows how to use MS-DOS commands to decrypt the sample shown in the previous GUI topic.

Launch an MS-DOS command prompt and change to the location of the encrypted file.

Enter the following command, pgp test.doc.asc

Notice that the command is now prompting you for the pass phrase (password) for the key. Enter
your password and the decryption process will then decrypt and verify the sender of the file and
create a decrypted file in the same folder.

You can automate the above procedure by creating a batch file with the appropriate commands.

Example

set PGPPASS=yourpassword
pgp %1
set PGPPASS=

Save this as dec.bat and then run with the following: dec test.doc.asc. This places your passphrase into the environment and then runs pgp %1, replacing %1 with the test.doc.asc file name. The final set PGPPASS= removes the passphrase from the environment.

If you do not want to have your passphrase stored inside the batch file, then you can modify the batch file as follows and pass it as a parameter.

echo off
set PGPPASS=%1
echo on
pgp %2
echo off
set PGPPASS=
echo on

The echo on/off commands prevent the command lines that contain your passphrase from being written to any text log you create from the output. Note, however, that a passphrase passed as a command-line argument is still visible to anyone who can list running processes or read the command history of the account that ran it, so this is only a marginal improvement over storing it in the file.

Then run dec yourpassword filename. If you have a requirement to capture the output of this command into a text file, then the command would be

dec yourpassword filename > pgplog.txt

You can then open pgplog.txt in Notepad for review.
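Both batch files above hand the passphrase to PGP through the environment or the command line. The following is an added example, not part of the guide: a small wrapper that drives GnuPG for the same two jobs (encrypt-and-sign for transmission, decrypt-and-verify on receipt) but feeds the passphrase on stdin with --passphrase-fd 0, so it never appears in the process list or shell history, and reads it from a file whose permissions it checks first. The key identifiers, file names and passphrase file are placeholders; the argv builders are pure functions so their output can be inspected without gpg installed.

```python
"""Added example (not J.P. Morgan code): automate PGP encrypt+sign and
decrypt+verify with GnuPG while keeping the passphrase off the command line
and out of the environment.  Key IDs and file names are placeholders."""
import os
import shutil
import subprocess

GPG = shutil.which("gpg") or "gpg"
COMMON = ["--batch", "--yes", "--pinentry-mode", "loopback", "--passphrase-fd", "0"]


def encrypt_sign_argv(infile: str, outfile: str, recipient: str, signer: str) -> list:
    """Encrypt to the J.P. Morgan key, sign with your own key, ASCII-armor the result."""
    return [GPG, *COMMON, "--armor", "--sign", "--encrypt",
            "--recipient", recipient, "--local-user", signer,
            "--output", outfile, infile]


def decrypt_verify_argv(infile: str, outfile: str) -> list:
    """Decrypt a received file; gpg verifies the signature as part of the same run."""
    return [GPG, *COMMON, "--output", outfile, "--decrypt", infile]


def load_passphrase(path: str) -> str:
    """Read the passphrase from a file restricted to the service account."""
    if os.name != "nt" and os.stat(path).st_mode & 0o077:
        raise PermissionError(f"{path} is readable by group/other; chmod 600 it")
    with open(path, encoding="utf-8") as f:
        return f.read().rstrip("\n")


def run_gpg(argv: list, passphrase: str) -> str:
    """Run gpg with the passphrase on stdin (fd 0).  A non-zero exit covers both a
    failed decryption and a signature that does not verify, so treat it as fatal."""
    result = subprocess.run(argv, input=(passphrase + "\n").encode("utf-8"),
                            capture_output=True, check=False)
    if result.returncode != 0:
        raise RuntimeError(result.stderr.decode(errors="replace"))
    return result.stderr.decode(errors="replace")    # gpg reports the signer here


def argv_leaks_secret(argv: list, passphrase: str) -> bool:
    """True if the passphrase would be visible in the process's command line."""
    return any(passphrase in arg for arg in argv)


if __name__ == "__main__":
    argv = encrypt_sign_argv("test.txt", "test.txt.asc",
                             "pgpadmin@ecqa.jpmorgan.com", "Your Key Name")
    print(" ".join(argv))
    # Live use: run_gpg(argv, load_passphrase("/etc/h2h/pgp-passphrase"))
```

With gpg-agent available, the passphrase file can be dropped entirely and the agent asked to cache the key; the stdin approach above is for unattended batch hosts where no agent session exists.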

Sample Files
The following are two sample encrypted files, one that is acceptable because it uses ascii armor
and the other would be rejected by J.P. Morgan due to it being in binary format.
Please note that the ascii armor requirement only applies to file transmissions that use
HTTPS as the protocol.

A sample of an ASCII-armored file

This is an example of a file successfully encrypted with ASCII armor, which will be accepted by J.P. Morgan.

-----BEGIN PGP MESSAGE-----
Version: PGPfreeware 6.5.8 for non-commercial use <HTTP://www.pgp.com>

qANQR1DBwU4DSP6v3j03U60QB/9dv9MoWD7Q8BHUkB/voOQKEj9DTu437x14sUVD
LSPzm/6+NjA+rbsODnv1gkspl/MilZnnUy9CaUqVC7QZeQyZiqcvMekEd2+tDz5g
hm1Op09LnHhQxqX7zgswOII48IQ0eRM40kwte2CIgsQeopwpoNVOYacBvmiTwR/R
...
GEzL2KR4xUnXA8RYFnRxPB9uAIj2t+Zh9WoQ1MM=
=BmOr
-----END PGP MESSAGE-----

A sample of a non-ASCII-armored file
This is an example of a file successfully encrypted without ASCII armor, which will not be accepted by J.P. Morgan. The purpose of ASCII armor is to put a wrapper around binary files during transmission over non-binary channels, such as the internet. This procedure can prevent data corruption during the transmission.

[binary PGP output: unprintable bytes, not reproduced here]

X.509 (SSL)
Signing Payload with X.509 (SSL) Digital Certificate

J.P. Morgan can accommodate the use of X.509 (SSL) certificate to encrypt/sign the payload
(data) prior to sending. Please note that J.P. Morgan does not require that your files be
encrypted; we require signing only.
To sign the file using X.509, we used a freeware program called iSafeguard™. Screenshots for
importing the certificate are shown below.
GUIDE
USER
CONNECTIVITY
HOST-TO- HOST
MORGAN
J.P.

61
GUIDE

Once the certificate has been imported, you may launch the program from within Windows
Explorer. Right click on a file and select iSafeguardTM, then select “sign”
You will be prompted to select a signer (certificate). This is where you select the certificate
that was created earlier.

Once the file has been signed, a new file will be created with an .xcs extension.
Base64 Encoding a file
When the signed file is sent to J.P. Morgan over HTTPS via the internet, it must be Base64
encoded. For demonstration purposes we used a freeware program called Base64 Encoder,
Version 1.1.1.0. More information may be found at HTTP://www.f2ko.de, or an online version at
HTTP://www.motobit.com/util/base64-decoder-encoder.asp

After signing the file, launch a command prompt window. Make sure the base64.exe program is in
the same folder as your file, then enter the command:
Base64 -e (in file) (out file) -s
Your file is now in a format that can be transmitted to J.P. Morgan.
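The pre-transmission check below is an added example, not part of this guide and not a J.P. Morgan tool. It applies the two rules above and the “No ascii armor on the file” item under Common Errors before anything is uploaded: a payload is accepted only if it is an ASCII-armored PGP message or pure Base64 text, and rejected if it contains raw binary (the non-armored output shown earlier). The encode_payload function stands in for the Base64 Encoder tool; the sample files in demo are constructed inline. It assumes the coreutils base64 command (base64 -d to decode) and a POSIX shell.

```shell
#!/bin/sh
# Added example (not J.P. Morgan's code): pre-flight check that an outbound payload is
# either ASCII-armored PGP or Base64 text, never raw binary.
# Assumes coreutils base64 ("base64 -d" to decode) and POSIX grep/tr/head.

# encode_payload IN OUT: Base64-encode a signed file (e.g. the .xcs output) for HTTPS transfer.
# coreutils base64 wraps output lines at 76 characters by default.
encode_payload() {
  base64 "$1" > "$2"
}

# is_armored FILE: true if the first line is a PGP armor header.
is_armored() {
  head -n 1 "$1" | grep -q -- '-----BEGIN PGP MESSAGE-----'
}

# is_base64 FILE: true if the file is non-empty, contains only the Base64 alphabet
# (CR/LF line breaks allowed) and decodes cleanly.
is_base64() {
  [ -s "$1" ] || return 1
  # LC_ALL=C so bytes >= 0x80 are matched as single bytes, not interpreted in a locale.
  if LC_ALL=C tr -d '\r\n' < "$1" | LC_ALL=C grep -q '[^A-Za-z0-9+/=]'; then
    return 1
  fi
  tr -d '\r' < "$1" | base64 -d > /dev/null 2>&1
}

# preflight_payload FILE: print the classification; return 0 (safe to send) or 1 (do not send).
preflight_payload() {
  if is_armored "$1"; then
    echo "armored"
    return 0
  fi
  if is_base64 "$1"; then
    echo "base64"
    return 0
  fi
  echo "binary: no ASCII armor and not Base64; J.P. Morgan will reject this file" >&2
  return 1
}

# demo: constructed sample files standing in for real tool output.
demo() {
  d=$(mktemp -d)
  printf 'signed payload stand-in\n' > "$d/payment.xcs"
  encode_payload "$d/payment.xcs" "$d/payment.b64"
  # Bytes >= 0x80, as a PGP file encrypted without armor would contain (constructed).
  printf '\205\001\014\003\377\200' > "$d/payment.pgp"
  printf '%s\n' '-----BEGIN PGP MESSAGE-----' '' 'hQEMA3N0YW5kLWlu' '=abcd' \
    '-----END PGP MESSAGE-----' > "$d/payment.asc"
  for f in "$d/payment.b64" "$d/payment.pgp" "$d/payment.asc"; do
    printf '%s: ' "$(basename "$f")"
    preflight_payload "$f" || echo "REJECT"
  done
  rm -rf "$d"
}

demo
```

Run it as a pre-upload step in the script that pushes to the /Inbound folder: if preflight_payload returns 1, the upload should not happen. The check deliberately rejects anything outside the Base64 alphabet rather than trying to repair it, because a corrupted Base64 or armored file will fail signature verification on the J.P. Morgan side anyway.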


7. Partner Key Management
The Partner Key Management (PKM) process is used by J.P. Morgan as a way to verify that the
credentials submitted for activation on the Host-to-Host servers not only meet the requirements
for validity period and key strength, but also that they have been submitted by persons duly
authorized by the client. A document describing the process will be supplied to you by your
Implementation Manager.

When submitting your public key or certificate for Production use with the Host-to-Host, you
must follow the Partner Key Management process.

Partner Key Management Overview


The Client and J.P. Morgan will use the following procedures for certificate and key exchange.

All production keys and certificates should follow the instructions provided in the guide and must
be sent directly to IMSD Security Operations two weeks prior to the scheduled production
migration date.

We have two separate client environments: Client Acceptance Testing (CAT) and Production. In
order to help ensure that only production files are ever sent to the Production environment, we
require you to give us one certificate or key for CAT, and a different certificate or key for
Production.

Best Practice: We require that you use different keys for CAT & Production.
For First Time Partner Key Management:

1) Using the Security Administration Designation Form (SADF), the client will identify the
authorized individuals for key exchange with their names, complete mailing addresses, original
signatures, phone numbers and e-mail addresses.

The J.P. Morgan Security Services (IMSD) group will action only those requests received from
one of these authorized individuals.

2) Send an e-mail with the keyword "Implementation" on the subject line, a description of the action
to be taken, a suggested date and time for the action, and an attached zipped text file containing
the certificate to the IMSD e-mail address listed in step 3. The text of the e-mail must contain a
printed copy of any public keys contained in the zipped text file. The e-mail request must be
received at least two days prior to the key implementation date.

3) Print the e-mail, sign it and send it as a fax or scanned copy to the address listed below. It is of
utmost importance that the printed e-mail is countersigned by one of the authorized individuals.
J.P. Morgan IMSD Security Operations: Key Management
FAX: 813-649-8367; Email: IMSD.Security.Operations@jpmorgan.com

4) Upon receipt of the e-mail and the letter, IMSD will (i) validate the e-mail by comparing the
printed public key in the letter with the electronic one contained in the zipped attachment, (ii)
compare the signature on the letter with the authorized original signature on the SADF, and (iii)
inform the JPM Implementation teams upon approval. If the key is not approved, IMSD will notify
the client's authorized individual.

5) The J.P. Morgan implementation team will inform the client of receipt of the key file and the
scheduled date and time for the action to take place.

J.P. Morgan administrative procedures require that:

 All certificates and keys have a finite validity period of two years or less.
 Certificates and keys adhere to the following cryptographic specification:
  Message digest: SHA-2
  Symmetric cipher: AES-256
  Asymmetric algorithm: RSA, DSS (RSA only for SSH)
  Asymmetric algorithm key length: 2048 bits or more
 A digital signature is present on all client-to-bank transaction initiation files.
 For PGP keys, the Key Name does not include any reference to J.P. Morgan and does not
include the word “expires”.

These are requirements of J.P. Morgan Partner Key Management, so please bear them in
mind when obtaining your certificate or when generating self-signed keys. There are
no exceptions to these requirements.

For subsequent Key Renewal PKM efforts:

Eligible clients must use the Rapid Renewal process for all subsequent renewals. For
e-mail-initiated key renewals, follow the same PKM process outlined above, except use the
keyword “Renewal” on the subject line of the e-mail to IMSD when sending the new key.

To prevent any lapse in service or the need for emergency procedures, the client should request a
key change at least one month prior to actual certificate expiration. As a courtesy,
J.P. Morgan will attempt to notify the client via e-mail at least two months prior to actual
certificate expiration.

All requests for key changes and renewals are subject to validation according to the
J.P. Morgan administrative procedures, which may involve a call-back process.

In the event of an emergency requiring an exception to the stated service level, clients should
call the Solution Center Transmission Support team at (978) 805-1200.

A call back to the client from the Support team, using previously provided contact information,
will be conducted to confirm any emergency changes.

The Support team will coordinate the emergency activity, upon direction from the J.P. Morgan
Client Service Representative.
Partner Key Management Sample Email
Sample e-mail to IMSD.Security.Operations@jpmorgan.com for HTTPS/PGP. Please refer
to the Partner Key Management Explanation document for examples for other protocols.

To: IMSD.Security.Operations@jpmorgan.com
From: <client email address of authorized person>

Subject: Implementation Key/Certificate Submission for <client>’s HTTPS/PGP Implementation


(OR)
Subject: Renewal Key/Certificate Submission for <client>’s HTTPS/PGP Implementation
IMSD Security:

This e-mail is being sent to you containing the Production SSL certificate and PGP key for our
implementation with J.P. Morgan Host-to-Host. The attached key/certificate expires within the
required period.

Below are the screen print and text of the certificate/key. Please add the attached key/certificate
into our Production setup.

Screenshot of the SSL Certificate Public Key:

-----BEGIN CERTIFICATE-----
MIIFeTCCBGGgAwIBAgIKFcilpAAAAAAAMjANBgkqhkiG9w0BAQUFADBQMRMwEQYK
CZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKbXNjc29ubGluZTEdMBsG
A1UEAxMUbXNjc29ubGluZS1ERU5BRDEtQ0EwHhcNMTEwOTIwMTg1OTU5WhcNMTIw
OTE5MTg1OTU5WjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmxsw
gjcVBwQwMC4GJisGAQQBgjcVTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1T
ZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1zY3NvbmxpbmUsREM9Y29tP2Nl
cnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0
cmlidXRpb25Qb2ludDCByQYIKwYBBQUHAQEEgbwwgbkwgbYGCCsGAQUFBzAChoGp
bGRhcDovLy9DTj1tc2Nzb25saW5lLURFTkFEMS1DQSxDTj1BSUEsQ049UHVibGlj
.
.
.
-----END CERTIFICATE-----
Pasted text of the PGP Public Key:

-----BEGIN PGP PUBLIC KEY BLOCK-----


Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

mQENA0PFPoIBbQEIALxA+t/8Xfj1sEYOJiL5b8Ii5bXjrwYPz+Z3ujUuDw60C17x
RWWcXcUAF0646Ofe2dqPokMfPfA3pheXISjiOHqmrti5TddOYppEYJBBpHuf9leu
vqekKNtB9lndQ7yCZf8hdK+f5m4w/k0HcZQ8pubxZoAEW+0Jcea0tGWPzX5duy1e
AznhRIq6GcyCtDVazhKuklhblaGJqXtVN8Lm4aWspLxhITQD179Lp6S2xkdslDt5
xMJdt3MUyUobB0SFCaLVQt0oXjGWgpWIwEuGjSILbKCACUnDcKLySEDpJ5GFwAPz
kpiLP0RoCHBeUE1iTf7xFxXCql/A88EOlOUlcNEABRG0EkplZmYgPG1lQGhvbWUu
Y29tPokBFQMFEEPFPoLzwQ6U5SVw0QEB0fMIAIEOU62lpT65oOG7R43Q8z+ocb5U
o27OCWiTg4u/lYJF12KYp+i7ySb5V1swkhWEephW3OvusZd0IBiN/KbXZ2NItOpy
6Joaqk9OmFTiNf7s6yPXonx1A7mHXtnF1+jexqPx19i12e7joyF1CAKVPA8YnULb
aIaU195QQtZRzJjSQO1r/Bv46ek8b7Y04VQIAQe4cYuIWK+Eg8BkR8SWFuUYp5cn
cLN0J+Op0HgE8weoQWdL/zlo62+3X4HaAp/Pl4nDjbjTHjNJCqP7vMqdrFIh75Kf
W8kwfklEzCl8S0iZeB/iRApmuP1ZGj56ABbk/utRgkye0MC7tYcktBc2Hu0=
=l0f0
-----END PGP PUBLIC KEY BLOCK-----

Sincerely,

<Client representative> (Authorized signatory on SADF)

Attachments: exampleSSLcert.zip, examplePGPfile.zip
Rapid Renewal Process
Eligible clients must use the Rapid Renewal process for all subsequent renewals.

Benefits include:
 A secure submission process, as clients use their existing credentials to submit new
certificates
 The elimination of documentation requirements such as the signed hardcopy and SADF
 A more effective method of managing submissions, as the files are sent directly to the
Host-to-Host server.

The use of Rapid Renewal depends on eligibility, and considers the following criteria:
 Clients must be able to send a file to J.P. Morgan.
 Clients must be able to digitally sign the file.
 Clients must submit new certificates prior to expiration of their existing credentials.

Rapid Renewal submission process:

 Digitally sign each file with your CURRENT signature key, as you do with the other files
that you send to J.P. Morgan.
 Send the transport and payload (signature) keys separately, using the following naming
convention:
<Partner ID>.TRANSPORT.IN.DAT for a new transport (SSH or SSL) key
<Partner ID>.PAYLOAD.IN.DAT for a new payload (PGP or X.509) key
 When instructed, send a digitally signed activation file to move your new key to Production:
<Partner ID>.ACTIVATE.IN.DAT (the format of the contents will be provided)
 Sign each file with your existing payload (PGP or X.509) key, not the new key. The signature
made with the already-registered key is what authenticates the submission.
 Connect to Host-to-Host and put the file(s) into the /Inbound/Encrypted folder.

Once the file is received, certificate validation will be performed to ensure it meets the
acceptable criteria. If the request is in good order, the key will either be activated or staged
awaiting activation. If the request is not in good order, IMSD will contact you via e-mail to
indicate the rejection reason(s) and provide additional steps to remediate the issue, while also
copying your J.P. Morgan Client Service Representative for awareness.
8. Firewalls
If you are using a firewall, DO NOT hardcode just one or a few IP addresses, as this could result in
a service disruption for your company if J.P. Morgan changes its file transmission platform. All
clients should configure the two full Class B IP ranges below.

159.53.0.0 - 159.53.255.255 (159.53.0.0/16)
170.148.0.0 - 170.148.255.255 (170.148.0.0/16)

Each of the Class B IP ranges specified above is wholly owned and operated by J.P. Morgan.
Transmissions to/from J.P. Morgan can use any of the IP addresses within the above ranges.

J.P. Morgan is a large organization with a highly distributed, globally load-balanced proxy
infrastructure. We own two Class B /16s of IP address space that have been specifically
reserved for services hosted globally within our own public DMZ infrastructures. Since we are a
known business partner accessing services over the Internet and we only source transmissions
from hosts under our management, we ask that clients trust this address space. Allowing these
ranges is a reachability control only; the identity of the remote end is established by the transport
(SSL/SSH) and payload (PGP/X.509) credentials described earlier, not by the source address.

Requirements for Internet Source Address Filtering

In general, services and applications offered on the Internet should not rely on source IP address
filtering, as clients cannot always guarantee the source address. Likewise, cookies that track and
validate based on the client source IP are not desirable, since the source IP cannot be guaranteed
when NAT pooling or proxies are used in a load-balanced manner.

Alternative Solution

If a client's firewall policy cannot allow these address ranges for any reason, then a direct
business partner connection, such as an IP/VPN, should be considered as an alternative
solution.
Registered IP Address Netblock details

Network 159.53.0.0/16
  Net Range: 159.53.0.0 - 159.53.255.255
  CIDR: 159.53.0.0/16
  Name: JMC
  Handle: NET-159-53-0-0-1
  Parent: NET159 (NET-159-0-0-0-0)
  Net Type: Direct Assignment
  Organization: JPMorgan Chase & Co. (JMC-39)
  Registration Date: 1992-03-06
  Last Updated: 2012-02-24
  RESTful Link: https://whois.arin.net/rest/net/NET-159-53-0-0-1
  See Also: Related organization's POC records; Related delegations.

Network 170.148.0.0/16
  Net Range: 170.148.0.0 - 170.148.255.255
  CIDR: 170.148.0.0/16
  Name: CHASE2
  Handle: NET-170-148-0-0-1
  Parent: NET170 (NET-170-0-0-0-0)
  Net Type: Direct Assignment
  Organization: JPMorgan Chase & Co. (JMC-39)
  Registration Date: 1994-05-17
  Last Updated: 2012-02-24
  RESTful Link: https://whois.arin.net/rest/net/NET-170-148-0-0-1
  See Also: Related organization's POC records; Related delegations.

Organization (both netblocks)
  Name: JPMorgan Chase & Co.
  Handle: JMC-39
  Street: 120 Broadway
  City: New York
  State/Province: NY
  Postal Code: 10271-1999
  Country: US
  Registration Date: 2006-11-21
  Last Updated: 2017-10-19
  RESTful Link: https://whois.arin.net/rest/org/JMC-39

Points of Contact (both netblocks)
  Abuse: ABUSE6593-ARIN
  Tech: IPADM322-ARIN
  Admin: IPADM322-ARIN
9. J.P. Morgan Inbound URL/IP addresses and Ports
The following ports should be used for both CAT and Production environments:
HTTPS 443
FTP/SSL (FTPS) 21
FTP/SSH (SFTP) 22

We use the following port ranges for FTPS data connections:

CAT 62101-62200
Production 62000-62100

J.P. Morgan has two environments: Client Acceptance Testing (CAT) and Production. Each has
several possible URLs (IPs) that are used for connectivity.

As a reminder, production data must never be transmitted to the J.P. Morgan CAT environment,
nor should test data ever be sent to the J.P. Morgan Production environment.

You will be advised by your J.P. Morgan technical consultant which URL you will be required to
use for each of our environments. Below is the complete list, categorized by protocol. If your
company utilizes a firewall, you will need to add the appropriate URL or IP addresses. For the
CAT environment we have only a single IP per URL, but for Production we have several IPs per
URL, any one of which may be used at any given time. J.P. Morgan reserves the right to make
routing changes that alter the IP address associated with a given URL at any time, without client
notification. Because of this, you should use only DNS addressing to your assigned URL, and if
your firewall only allows IP entries, you must include all addresses that are associated with the
URL you have been assigned. Please see Best Practices for more details.

The following are the IP addresses for both our CAT and Production environments, listed by
protocol.
AS2 and HTTPS

Client Acceptance Test (CAT)

URL                               IP Address
transmissions-uat.jpmorgan.com    159.53.62.207
transmissions-uat1.jpmorgan.com   159.53.62.210
transmissions-uat2.jpmorgan.com   159.53.62.209
transmissions-uat3.jpmorgan.com   159.53.62.208
transmissions-uat4.jpmorgan.com   159.53.62.211
transmissions-uat5.jpmorgan.com   159.53.62.213
transmissions-uat6.jpmorgan.com   159.53.62.212
transmissions-uat7.jpmorgan.com   159.53.62.215
transmissions-uat8.jpmorgan.com   159.53.62.216
transmissions-uat9.jpmorgan.com   159.53.62.217

Production
URL IP 1 (Prod1) IP 2 (Prod2) IP 3 (DR)

transmissions.jpmorgan.com 159.53.84.67 159.53.53.130 159.53.96.166


transmissions1.jpmorgan.com 159.53.84.68 159.53.53.115 159.53.117.2
transmissions2.jpmorgan.com 159.53.84.69 159.53.53.116 159.53.117.3
transmissions3.jpmorgan.com 159.53.84.70 159.53.53.129 159.53.117.4
transmissions4.jpmorgan.com 159.53.84.71 159.53.53.131 159.53.117.5
transmissions5.jpmorgan.com 159.53.84.72 159.53.53.119 159.53.117.6
transmissions6.jpmorgan.com 159.53.84.74 159.53.53.117 159.53.117.25
transmissions7.jpmorgan.com 159.53.84.73 159.53.53.121 159.53.117.36
transmissions8.jpmorgan.com 159.53.84.75 159.53.53.120 159.53.117.27
transmissions9.jpmorgan.com 159.53.84.76 159.53.53.118 159.53.117.28

FTPS

Client Acceptance Test (CAT)

URL                              IP Address
transmissions-uat.jpmorgan.com   159.53.62.207
DMZ Node 1                       159.53.58.25
DMZ Node 2                       159.53.58.26

Production

URL                          IP 1 (Prod1)   IP 2 (Prod2)    IP 3 (DR)
transmissions.jpmorgan.com   159.53.84.67   159.53.53.130   159.53.96.166
DMZ Node 1                   159.53.89.56   159.53.59.134   159.53.122.142
DMZ Node 2                   159.53.89.59   159.53.59.137   159.53.122.145

SFTP

Client Acceptance Test (CAT)

URL                              IP Address
transmissions-uat.jpmorgan.com   159.53.62.207

Production

URL                          IP 1 (Prod1)   IP 2 (Prod2)    IP 3 (DR)
transmissions.jpmorgan.com   159.53.84.67   159.53.53.130   159.53.96.166

10. Common Errors
If you encounter any issues when updating your configuration or parameters, or during
communications testing, please contact your designated J.P. Morgan technical consultant for
assistance.

Below are examples of some of the more common issues that you may encounter.

Connectivity
 Incorrect SSL certificates
 Invalid private key format
 Incorrect parameter file entries
 Sendfile/Getfile scripts have not been updated to match your environment

File Encryption
 No ASCII armor on the file
 Invalid PGP key
 Client PGP key used to encrypt the file (should be the J.P. Morgan key)

Fails to Send/Retrieve files
 Parameters not configured correctly for jpmcSecurity, jpmcDataType, jpmcDataFormat and
jpmcData

11. SSL Certificate Issues
You receive encoding errors when trying to convert the certificate you received from Verisign.
Example error:

C:\OpenSSL\bin>OpenSSL x509 -outform der -in cert.cer -out cert.der

unable to load certificate
4576:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:946:
4576:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:304:Type=X509_CINF
4576:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:566:Field=cert_info, Type=X509
4576:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:.\crypto\pem\pem_oth.c:82:

Sometimes Verisign sends the certificate inside a PKCS#7 wrapper, which the x509 command
cannot read directly. Perform the following steps to get the certificate into .der format.

1. Issue the command OpenSSL pkcs7 -in certificatefromverisign -print_certs

You will receive the following display:

subject=/C=US/ST=New York/L=New York/O=XYZZY Inc/OU=1166 Avenue of Americas/OU=Terms of use at www.verisign.com/rpa (c)00/CN=xyzzy.com
issuer= /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
-----BEGIN CERTIFICATE-----
MIIE/DCCBGWgAwIBAgIQWxivSEpuxMubJfCHOH4mSTANBgkqhkiG9w0BAQUFADCB
ujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVy
aVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy
.
-----END CERTIFICATE-----
subject=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
MIIDgzCCAuygAwIBAgIQJUuKhThCzONY+MXdriJupDANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
.
.
.
-----END CERTIFICATE-----

There are two certificates in this file: the first certificate is yours, and the second is the Verisign
CA certificate.

Copy your certificate (from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----), paste
it into a new file and save it.

2. Issue the command OpenSSL x509 -outform der -in copiedfile.pem -out output.der
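The shell function below automates the two steps above and is an added example, not part of this guide. It first tries to load the input as a plain certificate (PEM, then DER) and converts it straight to DER; only if that fails does it unwrap the input as a PKCS#7 bundle (PEM or DER), keep the first certificate printed (the end-entity certificate, as noted above; the CA certificate follows it) and convert that. The openssl CLI is assumed; the function names to_der, first_cert and der_subject are this example's own.

```shell
#!/bin/sh
# Added example (not J.P. Morgan's code): write a certificate file as DER, unwrapping a
# PKCS#7 (PEM or DER) bundle when necessary. Assumes the openssl CLI.

# first_cert: pass through only the first PEM certificate block read from stdin.
first_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
       p { print }
       /-----END CERTIFICATE-----/ { if (p) exit }'
}

# to_der IN OUT: write the end-entity certificate found in IN to OUT as DER.
# Returns non-zero if IN is neither a certificate nor a PKCS#7 bundle.
to_der() {
  in=$1
  out=$2
  # 1. A plain PEM or DER certificate loads directly; no unwrapping needed.
  if openssl x509 -in "$in" -noout > /dev/null 2>&1; then
    openssl x509 -in "$in" -outform der -out "$out"
    return $?
  fi
  if openssl x509 -inform der -in "$in" -noout > /dev/null 2>&1; then
    openssl x509 -inform der -in "$in" -outform der -out "$out"
    return $?
  fi
  # 2. Otherwise treat it as PKCS#7 (try PEM, then DER), list the certificates it
  #    carries, keep the first one (the end-entity certificate) and convert it.
  { openssl pkcs7 -in "$in" -print_certs 2> /dev/null \
    || openssl pkcs7 -inform der -in "$in" -print_certs 2> /dev/null; } \
    | first_cert \
    | openssl x509 -outform der -out "$out"
}

# der_subject FILE: subject of a DER certificate, to confirm the right certificate was kept.
der_subject() {
  openssl x509 -inform der -in "$1" -noout -subject
}

# Usage: to_der certificatefromverisign output.der && der_subject output.der
```

Check the subject printed by der_subject against your own name before uploading the .der file: if the bundle were ordered CA-first, the function would have kept the wrong certificate, and the H2H server would reject a CA certificate as your client credential.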
12. SSL Certificate Enhanced Key Usage
The H2H server has upgraded security checks. You must provide an SSL certificate that either
lists “Client Authentication” under Enhanced Key Usage or carries no Enhanced Key Usage
extension at all. In the first example below, “Client Authentication” is present under Enhanced
Key Usage; such certificates are acceptable.

The second example is also a valid certificate: ‘Enhanced Key Usage’ is NOT present, so this
certificate is a good one to use as well (a certificate without the extension is not restricted to any
particular purpose).

No good! In the third example the certificate has an Enhanced Key Usage extension that is missing
“Client Authentication”, so this certificate cannot be used with J.P. Morgan.

Information can be found at:
https://tools.ietf.org/html/rfc5280#section-4.2.1.12
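The script below is an added example, not part of this guide and not a J.P. Morgan tool. It checks a PEM certificate against the Partner Key Management requirements from section 7 (validity period of two years or less, RSA or DSS key of 2048 bits or more, SHA-2 message digest) together with the Enhanced Key Usage rule above (extension absent, or containing “Client Authentication”, which OpenSSL prints as “TLS Web Client Authentication”), so the certificate can be rejected locally before it is submitted. It assumes the openssl CLI (1.1.1 or later for the -addext option used by make_test_cert) and GNU date for the -d option; make_test_cert only produces self-signed test certificates for exercising the checks.

```shell
#!/bin/sh
# Added example (not J.P. Morgan's code): check a PEM certificate against the Partner Key
# Management rules and the Enhanced Key Usage rule quoted in this guide:
#   validity period of two years or less; RSA (or DSA) key of 2048 bits or more;
#   SHA-2 signature; EKU absent or containing "TLS Web Client Authentication".
# Assumes the openssl CLI (1.1.1+ for -addext in make_test_cert) and GNU date (-d).

cert_text() { openssl x509 -in "$1" -noout -text; }

# cert_validity_days FILE: whole days between notBefore and notAfter.
cert_validity_days() {
  nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
  na=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  echo $(( ( $(date -d "$na" +%s) - $(date -d "$nb" +%s) ) / 86400 ))
}

cert_key_alg()  { cert_text "$1" | sed -n 's/.*Public Key Algorithm: //p' | head -n 1; }
cert_key_bits() { cert_text "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1; }
cert_sig_alg()  { cert_text "$1" | sed -n 's/.*Signature Algorithm: //p' | head -n 1 | tr 'A-Z' 'a-z'; }

# cert_eku FILE: the usages listed under "X509v3 Extended Key Usage", or nothing if absent.
cert_eku() {
  cert_text "$1" | awk '/X509v3 Extended Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# check_h2h_cert FILE: print one line per rule; return 0 only if every rule passes.
check_h2h_cert() {
  rc=0
  days=$(cert_validity_days "$1")
  if [ -z "$days" ] || [ "$days" -gt 731 ]; then   # 731 allows for a leap day
    echo "FAIL validity: ${days:-unknown} days (two years or less required)"; rc=1
  else
    echo "ok   validity: $days days"
  fi
  alg=$(cert_key_alg "$1")
  bits=$(cert_key_bits "$1")
  case "$alg" in
    rsaEncryption|dsaEncryption) ;;
    *) echo "FAIL key algorithm: $alg (RSA or DSS required)"; rc=1 ;;
  esac
  if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
    echo "FAIL key length: ${bits:-unknown} bits (2048 or more required)"; rc=1
  else
    echo "ok   key: $alg, $bits bits"
  fi
  sig=$(cert_sig_alg "$1")
  case "$sig" in
    *sha256*|*sha384*|*sha512*) echo "ok   signature: $sig" ;;
    *) echo "FAIL signature: $sig (SHA-2 required)"; rc=1 ;;
  esac
  eku=$(cert_eku "$1")
  if [ -z "$eku" ]; then
    echo "ok   EKU: extension absent (accepted)"
  elif echo "$eku" | grep -q 'TLS Web Client Authentication'; then
    echo "ok   EKU: $eku"
  else
    echo "FAIL EKU: $eku (Client Authentication missing)"; rc=1
  fi
  return $rc
}

# make_test_cert OUT DAYS BITS [EKU]: self-signed certificate for exercising the checks
# (test data only; a production certificate comes from your CA or your own key ceremony).
make_test_cert() {
  ext=${4:+-addext extendedKeyUsage=$4}
  openssl req -x509 -newkey "rsa:$3" -nodes -keyout "$1.key" -out "$1" -days "$2" \
    -subj "/CN=h2h-example" $ext > /dev/null 2>&1
}

# Usage: check_h2h_cert client.pem || echo "do not submit this certificate"
```

A certificate that passes every line here still has to be submitted through the PKM or Rapid Renewal process; the script only catches the rejections that IMSD would otherwise report back days later, such as a three-year validity, a 1024-bit key or a server-only EKU.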
End of Document
