H2H Connectivity Guide V7.3
J.P. Morgan, JPMorgan, JPMorgan Chase and Chase are marketing names for certain businesses of JPMorgan Chase & Co. and its subsidiaries worldwide (collectively, “JPMC”). Products or services may be marketed and/or provided by commercial banks such as JPMorgan Chase Bank, N.A., securities or other non-banking affiliates or other JPMC entities. JPMC contact persons may be employees or officers of any of the foregoing entities and the terms “J.P. Morgan”, “JPMorgan”, “JPMorgan Chase” and “Chase” if and as used herein include as applicable all such employees or officers and/or entities irrespective of marketing name(s) used. Nothing in this material is a solicitation by JPMC of any product or service which would be unlawful under applicable laws or regulations.

Investments or strategies discussed herein may not be suitable for all investors. This material is not intended to provide, and should not be relied on for, accounting, legal or tax advice or investment recommendations. Please consult your own tax, legal, accounting or investment advisor concerning such matters.

Not all products and services are available in all geographic areas. Eligibility for particular products and services is subject to final determination by JPMC and or its affiliates/subsidiaries. This material does not constitute a commitment by any JPMC entity to extend or arrange credit or to provide any other products or services and JPMorgan reserves the right to withdraw at any time. All services are subject to applicable laws, regulations, and applicable approvals and notifications.

Notwithstanding anything to the contrary, the statements in this material are not intended to be legally binding. Any products, services, terms or other matters described herein (other than in respect of confidentiality) are subject to the terms of separate legally binding documentation and/or are subject to change without notice.

JPMorgan Chase Bank, N.A. Member FDIC. Deposits with JPMorgan Chase Bank, N.A., Toronto Branch, are not insured by the Canada Deposit Insurance Corporation.

© 2018 JPMorgan Chase & Co. All Rights Reserved. All trademarks, trade names and service marks appearing herein are the property of their respective owners.
Table of contents

1. Introduction ... 4
3. Connectivity ... 9
4. Security ... 10
   Transport Security ... 10
   Payload Security ... 11
5. Transport ... 12
   SSL (HTTPS) ... 13
   AS2 ... 17
   FTPS ... 19
   SFTP ... 20
   Example using Putty ... 21
   Connectivity using WinSCP ... 22
   Connectivity using Solaris ... 24
   X.509 (SSL) ... 61
   Base64 Encoding a file ... 64
8. Firewalls ... 70
   Requirements for Internet Source Address Filtering ... 70
   Alternative Solution ... 70
Important Note: Throughout this document, J.P. Morgan discusses the use of various third party software for informational purposes only. J.P. Morgan does not recommend or endorse any third party software and makes no representation, explicit or implied, as to the functionality, quality or suitability of any third party software referenced herein. Before downloading, installing or using any third party software, your organization must make an independent assessment of the suitability of such software.

J.P. Morgan’s Implementation Analysts and Production Support teams cannot support third party software. For this reason, we strongly suggest that you enter into a service agreement with any vendor from which you purchase 3rd party software.

Please refer to instructions from the provider of such third party software prior to use. The use and functionality of third party software is not controlled by J.P. Morgan and is subject to change without notice. You should not rely on the information provided herein regarding third party software for anything beyond its presentation as an illustrative example.
2. J.P. Morgan Host-to-Host Best Practices

J.P. Morgan is committed to sharing information about best practices that are commonly used to help keep file transmissions reliable and secure. Please review the information below and apply these practices to the extent possible to improve your experience with J.P. Morgan Host-to-Host. For the latest information about these best practices and security standards, please visit www.jpmorgan.com/visit/h2h.

Host Addressing: All connectivity to Host-to-Host servers must be addressed to the URL that you have been assigned.

Clients who insist upon the use of hard-coded IP addressing must assume the responsibility for service interruptions that may result when planned or unplanned events result in IP address changes on the J.P. Morgan
159.53.0.0 - 159.53.255.255
170.148.0.0 - 170.148.255.255
Client Software: At the time of this publication, client software applications that are known to connect successfully to Host-to-Host are shown below. Note that this list may change over time, and that it is best practice to use only supported current versions of third party applications. The use and functionality of third party software is not controlled by J.P. Morgan and is subject to change without notice. J.P. Morgan does not recommend or endorse any of the third party software and makes no representation, explicit or implied, as to the functionality, quality, or suitability of any third party software referenced below.

Protocol: Clients/Software
SFTP: Axway Secure Client 5.8, 6.0, 6.1; Curl 7.22; FileZilla Client 3.10.x; PSCP 0.64; PSFTP 0.64; VanDyke SecureFX 7.3; WinSCP 5.7.1; OpenSSH 6.6
FTPS: Axway Secure Client 5.8, 6.0, 6.1; Curl 7.22; FileZilla Client 3.10.x; CuteFTP Professional 9.x; Ipswitch WS_FTP 12.x; Igloo FTP PRO 3.9; LFTP 4.6.1; SmartFTP Client 3.0-6.0
AS2: Drummond Certified AS2 clients
Daily Operations

Maintenance Windows: J.P. Morgan has regularly scheduled maintenance windows for the Host-to-Host environments:

We will conduct routine updates and patching during these times, and it may be necessary, on occasion, to make Host-to-Host unavailable to clients. To minimize disruption, it is strongly recommended that clients

Operations: Please consider the following best practices when setting up your file transmission operation to help reduce transmission failures:
• On a connectivity failure, automatically retry the connection. After three successive failures, publish an alert to your operations team. If assistance is required, contact J.P. Morgan.
• Track failures over time, such that you may identify an intermittent problem.
• Refresh your DNS / IP addressing cache whenever a connectivity failure occurs.
• Make sure that transaction acknowledgements and confirmations that are generated and sent to you by J.P. Morgan are distributed to your business users.
• Make sure that there is a current email address on file at J.P. Morgan so that you receive notifications from us. J.P. Morgan will send automated email notifications on certain failure conditions.
Volume Considerations: If you have any of the following requirements, please discuss with the J.P. Morgan technical team prior to implementation:
• You must send more than 1000 files in a single day
• You must send many files in a very short period of time
• You must send or receive very large files (> 100MB)

Rapid Fire: If you are sending a large number of files in a short period of time, this may trigger a denial of service attack alert at J.P. Morgan. To protect its clients, J.P. Morgan may take action to terminate a connection and disable an account when such alerts occur.

You should note that Host-to-Host often acts only in the capacity of sending your files to target systems, and that there may be limitations to the speed by which those systems may receive and process files. Because of this, there are times when it may be necessary to adjust the timing of your file delivery process. Please discuss all high volume considerations with the J.P. Morgan technical team prior to implementation.

Failure / Recovery: If you are not sure whether we received your file, or if a failure occurs after successful delivery of a file to us, do not resubmit the file without consulting the J.P. Morgan support team. Resubmission may result in a duplicate file.

Know that certain files cannot be recovered, and must be re-sent. This includes, although not exclusively, any file with improper naming, and any file for which the digital signature could not be confirmed.

Viruses: If J.P. Morgan detects a virus within a received file, the file will be quarantined, and will not be processed. We will invoke our standard process to notify you and instruct you to send a clean file.
Security Certificates & Keys

Key Requirements: J.P. Morgan requires that all certificates and keys have a finite validity period of two years or less.
key.
• All files must be digitally signed with your CURRENT signature key, as with any files that you are sending to J.P. Morgan.

Notifications

Communications:
• It is important to ensure that your J.P. Morgan Service Representative has the latest contact information for your company, including any group email addresses that are needed for production support.
• Key Expirations – As a courtesy, J.P. Morgan will send notices of impending expiry to client contacts on file with Host-to-Host. (A group address is recommended for this.) It is, however, still the client’s responsibility to maintain their security keys and certificates and renew them on a timely basis.
3. Connectivity

To successfully connect and transmit files to the Host-to-Host, a couple of steps need to be completed first, and these are dependent upon the solution you have chosen to implement.

HTTPS/PGP
Key Exchange: You need to provide us with your public SSL certificate and public PGP key; we will provide you with our public PGP key.
Software Configuration: You will need to configure your connectivity application to use the SSL certificate and PGP key.

AS2
Key Exchange: You need to provide us with your public SSL certificate; we will provide you with our public SSL certificate.
Software Configuration: You will need to configure your AS2 client software per the settings in our Trading Network Profile.

SFTP
Key Exchange: You need to provide us with your public SSH key and PGP key for payload encryption.
Software Configuration: You will need to obtain and configure your FTP software.

FTPS
Key Exchange: You will need to provide us with your public SSL certificate and either a PGP or X.509 key for payload encryption. FTPS Push from J.P. Morgan servers is not supported.
Software Configuration: You will need to obtain and configure your FTP software.

SFTP Push to client
Key Exchange: You need to provide us with your public PGP key; we will provide you with our public PGP key. We will give you our SSH key.
Software Configuration: You will need an SFTP Server to accept our requests. We will authenticate with our SSH key.

If you have chosen an SSL-based protocol, please be advised that our servers will only accept connections from remote hosts which utilize TLS v1.2 ciphers. You must ensure that your client application has support for TLSv1.2. In addition, all SSL certificates must minimally use SHA-256 hashing algorithms.
4. Security

Security is divided into two areas: Transport and Payload. J.P. Morgan utilizes SSL and SSH for transport security, and PGP and X.509 for payload security.

This is a requirement of J.P. Morgan Partner Key Management, so please bear this in mind when obtaining your certificate or when generating self-signed keys. There are no exceptions to these requirements.

Transport Security

Secure Sockets Layer (SSL) is a protocol for sending encrypted information over the internet. SSL provides session encryption to prevent others from being able to see information that you send over the internet.

The server and client are authenticated via two-way SSL using public SSL keys to provide an encrypted connection. When connecting to the Host-to-Host, client side authentication takes place whereby your public certificate is passed to the server and the server authenticates the validity of this certificate, checking that it has been set up on our servers as a valid client, before allowing the connection to proceed. A handshake takes place during which the server and client agree on the type of encryption that will be used to secure the connection. After a successful handshake, you will be allowed to send or receive files.

Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.
Payload Security

Pretty Good Privacy (PGP) is based on a widely used encryption technology known as public key cryptography, in which two complementary keys, called a key pair, are used to secure the payload during communications. One of these keys is called a private key and the other a public key. The private key is for your use only and the public key is exchanged with J.P. Morgan. It is the complete key exchange of both SSH or SSL certificates and PGP keys that allows for a successful file exchange, with the SSH or SSL certificate providing the encrypted tunnel and Client Side Validation, and the PGP key securing the actual file.

PGP keys generally have a Master key and Sub key, and it is important that both of these meet the J.P. Morgan requirements for the minimum key size of 2048. Any key not conforming to this requirement will be rejected.

After successfully exchanging public PGP keys with J.P. Morgan, you may start to exchange files. When sending a file to J.P. Morgan you optionally encrypt** the file with the J.P. Morgan public key and sign it with your private key. J.P. Morgan will decrypt the file using our private key and verify that it was signed using your public key. The reverse will happen for files that you receive from J.P. Morgan.

You will be required to perform a key exchange ceremony with J.P. Morgan, whereby you provide to us a copy of your public SSH or SSL and/or PGP keys and we provide you with a copy of our public SSH or SSL and/or PGP keys. For production, there is a formal procedure called the Partner Key Management, whilst for testing purposes, keys may be exchanged via email with your J.P. Morgan technical specialist.

As an alternative, X.509 encryption certificates may be used instead of PGP for encrypting and

** Encryption of the payload is not required by J.P. Morgan, due to the fact that the channel is already encrypted.

As a reminder, all certificates and keys must have a finite validity period of two years or less.
5. Transport

J.P. Morgan has two environments for receiving files: Client Acceptance Test (CAT) and Production. Each of these has its own unique addresses that you will need to use when establishing your connection for any one of the chosen protocols. The environment you use for transmissions will determine the addressing that is required. For further information on IP addresses and ports, please refer to the section “J.P. Morgan Inbound URL/IP Addresses and Ports” for the protocol applicable to your setup with J.P. Morgan.

SFTP/FTPS
CAT: transmissions-uat.jpmorgan.com
Production: transmissions.jpmorgan.com

AS2/HTTPS
CAT                               Production
transmissions-uat.jpmorgan.com    transmissions.jpmorgan.com
transmissions-uat1.jpmorgan.com   transmissions1.jpmorgan.com
transmissions-uat2.jpmorgan.com   transmissions2.jpmorgan.com
transmissions-uat3.jpmorgan.com   transmissions3.jpmorgan.com
transmissions-uat4.jpmorgan.com   transmissions4.jpmorgan.com
transmissions-uat5.jpmorgan.com   transmissions5.jpmorgan.com
transmissions-uat6.jpmorgan.com   transmissions6.jpmorgan.com
transmissions-uat7.jpmorgan.com   transmissions7.jpmorgan.com
transmissions-uat8.jpmorgan.com   transmissions8.jpmorgan.com
transmissions-uat9.jpmorgan.com   transmissions9.jpmorgan.com

For SSL-based connections, your J.P. Morgan technical analyst will assign you the appropriate URL.
SSL (HTTPS)

Obtaining SSL Certificates

There are several ways of obtaining SSL certificates, all of which require that you create a Certificate Signing Request (CSR). The CSR is then sent off to a Certificate Authority (CA) for signing. For demonstration purposes, an example is shown using OpenSSL®, a software package that is freely available from www.OpenSSL.org. If you require explanations for each of the parameters used when using OpenSSL, please refer to the documents stored at the OpenSSL website.

OpenSSL is a command line product and all examples are shown in a Microsoft Windows command window.

Using OpenSSL

The following instructions are designed as a reference for the steps that need to be taken in order to successfully create your public and private SSL certificates and convert them into the correct formats. The primary software that will be used to create and convert the SSL keys is OpenSSL, which is available from one of the following places:

Please know that this is open source software and that J.P. Morgan is in no way associated with this product, nor does J.P. Morgan support its use in any way.
The first step is to create your private SSL key. To do this, issue the following command:

Once the certificate is signed, you will receive back from the authority an email containing the text of your signed public key. This text should be copied from the email and placed into an empty file. This file should be named appropriately to identify it as your signed public key and should have a “.pem” extension.

You should not have to do this again. Private keys do not expire. When it comes time for renewal, simply resend the CSR to the signing authority and they will re-sign it and send the .pem back to you. (If you do not have the .csr, you can simply re-run the command to convert the private key to a CSR file again.)

The next step is to take the signed key that was returned to you by the authority and convert it to the needed DER format. To do this, use the following command:

Once you have converted the public key to the DER format, send it in so that we may add it to the system.

We are almost there, and the last step in this process is to take the original private RSA key “.pem” file that you created and convert it from its PEM format to the PKCS#8 format that it should be in. To do this, do the following:

In the above, the names that are available to be changed by you are contained within <>. Please name them accordingly so that you know what each is.

SSL certificates are used for authentication and transport encryption when using HTTPS. For AS2, they are used for authentication, transport encryption and data signing.

You must provide an SSL certificate that has “Client Authentication” under the enhanced key usage.

As a reminder, the J.P. Morgan Host-to-Host servers will only accept connections from remote hosts which utilize TLS v1.2 ciphers. You must ensure that your client application has support for TLSv1.2. Also, all SSL certificates must minimally use SHA-256 hashing algorithms.
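The four steps above (private key, CSR, DER conversion of the signed certificate, PKCS#8 conversion of the private key) driven from Python by calling the OpenSSL command line, followed by a check that the resulting certificate meets the requirements stated on this page: SHA-256 signature, “Client Authentication” extended key usage, validity of two years or less. This is an added example, not the guide's own commands; it assumes the openssl binary is on the PATH, uses a constructed subject name, and, since no CA is reachable offline, self-signs the CSR as a stand-in for the CA-issued certificate.

```python
import datetime as dt
import os
import subprocess
import tempfile

MAX_VALIDITY_DAYS = 2 * 365  # Host-to-Host: certificates must be valid for two years or less

# Constructed subject for the demo CSR (not a real organisation).
DEMO_SUBJECT = {"C": "US", "O": "Example Corp", "CN": "h2h-client.example.com"}


def openssl(*args: str) -> str:
    """Run one openssl subcommand and return its stdout; raises if openssl fails."""
    proc = subprocess.run(["openssl", *args], check=True, capture_output=True, text=True)
    return proc.stdout


def create_private_key(key_pem: str, bits: int = 2048) -> None:
    """Step 1: the private RSA key, in traditional PEM form."""
    openssl("genrsa", "-out", key_pem, str(bits))


def create_csr(key_pem: str, csr_path: str, subject: dict) -> None:
    """Step 2: the CSR that goes to the CA; a private config avoids depending on openssl.cnf."""
    cfg = "[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\n"
    cfg += "".join(f"{k} = {v}\n" for k, v in subject.items())
    with tempfile.NamedTemporaryFile("w", suffix=".cnf", delete=False) as f:
        f.write(cfg)
    try:
        openssl("req", "-new", "-config", f.name, "-key", key_pem, "-out", csr_path)
    finally:
        os.unlink(f.name)


def self_sign_for_demo(key_pem: str, csr_path: str, cert_pem: str, days: int) -> None:
    """Stand-in for the CA (demo only): SHA-256 signature plus the
    Client Authentication extended key usage that Host-to-Host requires."""
    with tempfile.NamedTemporaryFile("w", suffix=".cnf", delete=False) as f:
        f.write("extendedKeyUsage = clientAuth\n")
    try:
        openssl("x509", "-req", "-in", csr_path, "-signkey", key_pem, "-out", cert_pem,
                "-days", str(days), "-sha256", "-extfile", f.name)
    finally:
        os.unlink(f.name)


def cert_pem_to_der(cert_pem: str, cert_der: str) -> None:
    """Step 3: the signed certificate in DER form, which is what is sent to J.P. Morgan."""
    openssl("x509", "-in", cert_pem, "-outform", "DER", "-out", cert_der)


def key_pem_to_pkcs8(key_pem: str, key_pk8: str) -> None:
    """Step 4: the private key converted from traditional PEM to (unencrypted) PKCS#8."""
    openssl("pkcs8", "-topk8", "-nocrypt", "-in", key_pem, "-out", key_pk8)


def _openssl_date(value: str) -> dt.datetime:
    # openssl prints dates like "Nov  4 09:15:00 2023 GMT"
    return dt.datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")


def check_h2h_certificate(cert_path: str, inform: str = "PEM") -> dict:
    """Check a certificate against the page's requirements: SHA-256 signature,
    Client Authentication EKU, validity period of two years or less."""
    text = openssl("x509", "-in", cert_path, "-inform", inform, "-noout", "-text")
    dates = openssl("x509", "-in", cert_path, "-inform", inform, "-noout",
                    "-startdate", "-enddate")
    stamps = dict(line.split("=", 1) for line in dates.splitlines() if "=" in line)
    validity_days = (_openssl_date(stamps["notAfter"]) - _openssl_date(stamps["notBefore"])).days
    sig_alg = next((ln.split(":", 1)[1].strip() for ln in text.splitlines()
                    if ln.strip().startswith("Signature Algorithm:")), "")
    return {
        "signature_algorithm": sig_alg,
        "sha256": "sha256" in sig_alg.lower(),
        "client_auth": "TLS Web Client Authentication" in text,
        "validity_days": validity_days,
        "validity_ok": validity_days <= MAX_VALIDITY_DAYS,
    }


def run_demo(workdir: str = "") -> dict:
    """Run all four steps in a scratch directory and return the certificate check."""
    workdir = workdir or tempfile.mkdtemp(prefix="h2h-ssl-")
    path = lambda name: os.path.join(workdir, name)
    create_private_key(path("client-key.pem"))
    create_csr(path("client-key.pem"), path("client.csr"), DEMO_SUBJECT)
    self_sign_for_demo(path("client-key.pem"), path("client.csr"), path("client-cert.pem"), days=730)
    cert_pem_to_der(path("client-cert.pem"), path("client-cert.der"))
    key_pem_to_pkcs8(path("client-key.pem"), path("client-key.pk8"))
    result = check_h2h_certificate(path("client-cert.der"), inform="DER")
    with open(path("client-cert.der"), "rb") as f:
        result["der_starts_with_sequence"] = f.read(1) == b"\x30"  # DER cert = SEQUENCE
    with open(path("client-key.pk8")) as f:
        result["pkcs8_header"] = f.readline().strip()
    return result


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

With a real CA-issued certificate, call check_h2h_certificate on the .pem you received (or on the .der you are about to send) instead of running the self-signing step.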
Sending Data Using HTTPS

The Host-to-Host interface requires certificate-based client authentication for all incoming HTTPS connection requests. This client authentication process is performed during the initial HTTPS/SSL handshake process, and is transparent to the client.

After successful SSL authentication, remote systems can use the following URL/HTTPS request and parameters to securely transfer/post data to J.P. Morgan using the Partners Interface:

Below is an example of the full URL using our primary DNS names:

Env.: URL
CAT: HTTPS://transmissions-uat.jpmorgan.com/invoke/FMSPartnerInterface.inbound/httpGateway
PROD: HTTPS://transmissions.jpmorgan.com/invoke/FMSPartnerInterface.inbound/httpGateway

Most connectivity applications make use of URL names when making connections; this means that the URL will always resolve to the correct IP address currently being used by our servers. If your company utilizes a firewall, it will more than likely use IP addresses. In this case you should also create firewall rules for all of our Host-to-Host IP addresses. Please refer to the section on URL/IP addresses to obtain the correct IP for the URL you have been assigned.

The above URL accepts the following parameters:
jpmcData – Variable containing the secured data/payload to be sent to the J.P. Morgan systems
jpmcDataType – This represents the type of unsecured data being sent in the jpmcData parameter
jpmcProtocol – This represents the connection protocol used to transfer/send the jpmcData and should be set to HTTPS
jpmcSecurity – This parameter defines the security mechanism used to secure the data in the jpmcData parameter
jpmcDataFormat – This parameter represents the format of unsecured data being sent in the jpmcData parameter

The above URL expects J.P. Morgan parameters as URL Encoded compliant HTTPS form POST parameters specified within the body of the HTTPS request. The default HTTPS form POST content type should be as:
Content-type: application/x-www-form-urlencoded.

There may be occasions when you will be asked to use a different URL from those mentioned above. If this is the case, you will be advised accordingly by our technical representative; you will also be advised of the IP addresses to be used in your firewall rules for both the production and DR servers. Please refer to the section on URL/IP addresses to obtain the correct IP for the URL you have been assigned.

Our system also expects that the data being passed in the jpmcData parameter be base64 encoded.

Env.: URL (for download)
CAT: HTTPS://transmissions-uat.jpmorgan.com/invoke/FMSPartnerInterface.inbound/downloadJPMCData
PROD: HTTPS://transmissions.jpmorgan.com/invoke/FMSPartnerInterface.inbound/downloadJPMCData

jpmcProtocol – This represents the connection protocol used and should be set to HTTPS
jpmcSecurity – This parameter defines the security mechanism/algorithm to apply on data

The requested data is sent as a response to the above HTTPS request. Depending upon the values of jpmcDataFormat and jpmcDataType, this URL/request returns the oldest data (active data) not yet downloaded by the client. Repeated requests to download a specific set of data should be made until the J.P. Morgan server returns a message/response of “No Data Available to Download”.
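The Partners Interface exchange described above, as an added example that is not part of the guide: a client TLS context with TLS 1.2 as the floor and the client certificate loaded for two-way SSL, the URL-encoded form body with base64 jpmcData, and the download loop that repeats until the server answers “No Data Available to Download”. The page does not list the accepted values of jpmcDataType, jpmcSecurity and jpmcDataFormat, so they are taken as parameters; the request transport is passed in as a callable so the loop can be exercised offline with constructed responses.

```python
import base64
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

# Endpoints as printed in the guide (scheme lower-cased for urllib).
UPLOAD_URL = {
    "CAT": "https://transmissions-uat.jpmorgan.com/invoke/FMSPartnerInterface.inbound/httpGateway",
    "PROD": "https://transmissions.jpmorgan.com/invoke/FMSPartnerInterface.inbound/httpGateway",
}
DOWNLOAD_URL = {
    "CAT": "https://transmissions-uat.jpmorgan.com/invoke/FMSPartnerInterface.inbound/downloadJPMCData",
    "PROD": "https://transmissions.jpmorgan.com/invoke/FMSPartnerInterface.inbound/downloadJPMCData",
}
NO_DATA = "No Data Available to Download"
CONTENT_TYPE = "application/x-www-form-urlencoded"


def make_tls_context(cert_file: str = "", key_file: str = "") -> ssl.SSLContext:
    """Client context: server verification on, TLS 1.2 minimum (the guide's floor),
    and the client certificate plus PKCS#8 key for two-way SSL when paths are given."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file or None)
    return ctx


def build_upload_body(payload: bytes, data_type: str, data_format: str, security: str) -> bytes:
    """Form body for httpGateway: jpmcData is base64, every parameter URL-encoded."""
    params = {
        "jpmcData": base64.b64encode(payload).decode("ascii"),
        "jpmcDataType": data_type,
        "jpmcProtocol": "HTTPS",
        "jpmcSecurity": security,
        "jpmcDataFormat": data_format,
    }
    return urllib.parse.urlencode(params).encode("ascii")


def decode_upload_body(body: bytes) -> Dict[str, object]:
    """Inverse of build_upload_body (for audit/testing); jpmcData comes back as bytes."""
    parsed = urllib.parse.parse_qs(body.decode("ascii"), keep_blank_values=True)
    fields: Dict[str, object] = {k: v[0] for k, v in parsed.items()}
    fields["jpmcData"] = base64.b64decode(str(fields["jpmcData"]))
    return fields


def build_download_body(data_type: str, data_format: str, security: str) -> bytes:
    """Form body for downloadJPMCData; the server picks the oldest undelivered data
    matching jpmcDataType/jpmcDataFormat."""
    params = {"jpmcProtocol": "HTTPS", "jpmcSecurity": security,
              "jpmcDataType": data_type, "jpmcDataFormat": data_format}
    return urllib.parse.urlencode(params).encode("ascii")


def post_form(url: str, body: bytes, ctx: ssl.SSLContext) -> str:
    """One HTTPS form POST over the client-authenticated context; returns the response text."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": CONTENT_TYPE})
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read().decode("utf-8", "replace")


def download_all(post: Callable[[bytes], str], body: bytes, max_requests: int = 1000) -> List[str]:
    """Repeat the download request until the server reports NO_DATA.
    `post` sends one request and returns its response text (e.g. a partial of post_form);
    the request cap stops a runaway loop if the sentinel never arrives."""
    received: List[str] = []
    for _ in range(max_requests):
        response = post(body)
        if response.strip() == NO_DATA:
            return received
        received.append(response)
    raise RuntimeError(f"server never reported '{NO_DATA}' after {max_requests} requests")
```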
AS2

AS2 setup information

We will provide a Host-to-Host Trading Partner's Profile Information document for you to complete and send back to us. Based on the information returned, we will set up our system to communicate with you. We also send you a profile with J.P. Morgan information so you can set up your communications with us.

The J.P. Morgan technical specialist will do their utmost to assist you with any issues surrounding your connectivity, but please be aware that if the issue is with software setup or operation, your vendor is responsible for providing support.

Most connectivity applications make use of URL names when making connections; this means that the URL will always resolve to the correct IP address currently being used by our servers. If your company utilizes a firewall, it will more than likely use IP addresses. In this case you should also create firewall rules for all of our Host-to-Host IP addresses. Please refer to the section on URL/IP addresses to obtain the correct IP for the URL you have been assigned.

There may be occasions when you will be asked to use a different URL from those mentioned above. If this is the case, you will be advised accordingly by our technical representative; you will also be advised of the IP addresses to be used in your firewall rules for both the production and DR servers.

Please note that standard HTTP connectivity is not permitted on J.P. Morgan servers.

If strict host checking is configured in your application, then you must have the J.P. Morgan public SSL certificate installed on your system.
Trading Partner Information

Corporate Information
Port: 443
Location (URL if any):
  CAT - HTTPS://transmissions-uat.jpmorgan.com/invoke/wm.EDIINT/receive
  Production - HTTPS://transmissions.jpmorgan.com/invoke/wm.EDIINT/receive
User Name (if any): Certificate based authentication only
Password (if any): N/A
Payload Security Type (e.g. Signed, SignedAndEncrypted etc.): SignedAndEncrypted

Certificates/Security
Certificates Issuing Authority Name: Verisign (see below)
New Certificate Authority: Entrust
  CAT – October 23, 2018
  Production – January 19, 2019

The delivery URL will be provided by your J.P. Morgan technical analyst.
FTPS

There are many FTP software applications that can be used to connect. J.P. Morgan does not make any recommendations on which software vendor you decide to use to connect or set up connectivity with J.P. Morgan; however, it is recommended to maintain a relationship with your vendor from which you will receive support for your product.

CAT: transmissions-uat.jpmorgan.com
Production: transmissions.jpmorgan.com

currently being used by our servers. If your company utilizes a firewall, the firewalls will more than likely use IP addresses. In this case you should also create firewall rules for all of our Host-to-Host IP addresses. Please refer to the section on URL/IP addresses to obtain the correct IP for the URL you have been assigned.

When configuring your application, you must ensure that you enable encryption for both the “control channel” and authentication.

To connect via FTPS, you will use port 21. We use the following Random Port range for FTPS.
CAT: 62101-62200
Production: 62000-62100

When connecting via FTPS, you will authenticate using an SSL certificate. Since your FTP client software will present the SSL certificate, you must specify the location of your private key.
SFTP

There are many FTP software applications that can be used to connect. J.P. Morgan does not make any recommendation on which software vendor you decide to use to connect or set up connectivity with J.P. Morgan; however, it is recommended to maintain a relationship with your vendor from which you will receive support for your product.

CAT: transmissions-uat.jpmorgan.com
Production: transmissions.jpmorgan.com

When connecting via SFTP, you will authenticate using an SSH key, not a password. Host-to-Host only supports the RSA algorithm for SSH keys. These must have a minimum 2048-bit key length.

You will send the Public SSH Key to J.P. Morgan. You will specify the location of your Private Key in your FTP software. (Note: when you send the Public SSH Key to J.P. Morgan, we will set the key to expire in accordance with J.P. Morgan administrative procedures.)
We have provided an example of FTP connectivity software below only as a guide to assist with establishing a successful connection to J.P. Morgan.

Example using Putty

The example screen below illustrates that you can create a passphrase for your key and export your key pair.

SSH Authentication, may be used. Another popular client that is demonstrated in the FTPS section of this document is WS FTP Professional™.

Connectivity using WinSCP

For a first time connection to Host-to-Host, the server will present the server host key. You should click yes to accept this key, and you will then be connected to the server. Your personal folders will be displayed as shown below.
Connectivity using Solaris

Connecting to J.P. Morgan using Solaris.

Creating RSA SSH key pair

As shown in the example below, we are using the command ssh-keygen -t rsa to create the key pair.

As seen in the following example, to make the connection to the CAT server, type the following command: sftp USERNAME@transmissions-uat.jpmorgan.com
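For the SSH key requirement stated in the SFTP section (RSA only, 2048-bit minimum) and the ssh-keygen -t rsa key pair above, an added example that is not from the guide: it checks a .pub line before the key is sent to J.P. Morgan by parsing the OpenSSH key blob and reading the modulus size, and it also builds its own sample lines. Those samples are constructed wire-format blobs (the modulus is not a real RSA product), so only the format and the size check are exercised.

```python
import base64
import struct
from typing import Dict, List

MIN_RSA_BITS = 2048  # Host-to-Host: RSA only, 2048-bit minimum


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed byte string as used inside OpenSSH key blobs."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH mpint: big-endian two's complement, so a leading 0x00 keeps it positive."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_fields(blob: bytes) -> List[bytes]:
    """Split a key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    return fields


def parse_openssh_public_key(line: str) -> Dict[str, object]:
    """Parse one .pub / authorized_keys line; for ssh-rsa also report the modulus size."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type = parts[0]
    fields = _read_fields(base64.b64decode(parts[1]))
    if fields[0].decode("ascii") != key_type:
        raise ValueError("key type inside the blob does not match the line prefix")
    info: Dict[str, object] = {"type": key_type, "comment": " ".join(parts[2:])}
    if key_type == "ssh-rsa":
        info["exponent"] = int.from_bytes(fields[1], "big")
        info["bits"] = int.from_bytes(fields[2], "big").bit_length()
    return info


def h2h_problems(line: str) -> List[str]:
    """Requirement violations for a public key line; an empty list means it is acceptable."""
    info = parse_openssh_public_key(line)
    problems = []
    if info["type"] != "ssh-rsa":
        problems.append(f"key type {info['type']} is not RSA")
    elif int(info["bits"]) < MIN_RSA_BITS:
        problems.append(f"RSA modulus is {info['bits']} bits, minimum is {MIN_RSA_BITS}")
    return problems


def make_sample_rsa_line(bits: int, comment: str) -> str:
    """Constructed test input: an ssh-rsa line whose modulus has exactly `bits` bits."""
    modulus = (1 << (bits - 1)) | 1          # not a real key, just the right size
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def make_sample_ed25519_line(comment: str) -> str:
    """Constructed test input for a key type Host-to-Host does not accept."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"
```

On a real key, run h2h_problems on the contents of ~/.ssh/id_rsa.pub (or the .pub exported from PuTTYgen in OpenSSH format) before sending it.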
6. Payload (File Encryption/Signing)

PGP

This section covers the creation of a PGP key pair using PGP and GPG. It covers Microsoft Windows GUI and command prompts for both MS-DOS and UNIX. It also covers the export of your public key and the import of the J.P. Morgan public key.

For many users, the vast array of command line parameters can make PGP difficult to use. It is suggested that you make yourself familiar with some of the more commonly used commands and parameters. The user guides that ship with your software provide a good foundation in the basics of PGP and should be read if you have not been exposed to PGP.

You should not rely on the information regarding third party software for anything beyond its presentation as an illustrative example. Please refer to your software provider for more information about any third party software. Due to the many different versions of PGP, it would be impossible to provide examples for all, and we highly recommend that you review the documentation provided with your particular version to familiarize yourself with its usage.

As a reminder, J.P. Morgan administrative procedures require that all keys have a finite validity period of two years or less.

Please note that PGP keys can have a Master Key and a Sub Key, and both must be a minimum
name to identify your company. Also, please note that PGP is required for signing of inbound files to J.P. Morgan; outbound files are generally sent in clear text unless otherwise requested by the client.
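An added example, not from the guide, that checks a GnuPG keyring listing against the two rules restated above and in the Payload Security section (master key and every subkey at least 2048 bits; a finite expiry no more than two years after creation). It reads the machine-readable output of gpg --with-colons --fixed-list-mode --list-keys; the listing lines below are constructed samples and the key ids and fingerprints are placeholders, not real keys.

```python
import datetime as dt
from typing import List

MIN_KEY_BITS = 2048                      # applies to the master key and to each subkey
MAX_VALIDITY_SECONDS = 2 * 365 * 86400   # finite validity of two years or less

# Constructed samples of `gpg --with-colons --fixed-list-mode --list-keys` output.
# Field order (1-based, per GnuPG's DETAILS file): 1 record type, 3 key length,
# 4 algorithm id, 5 key id, 6 creation time, 7 expiry time (epoch seconds).
SAMPLE_OK = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:0000000000000001:1700000000:1763000000::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1700000000::0000000000000000000000000000000000000002::Example Corp (H2H) <h2h@example.com>::::::::::0:
sub:u:2048:1:0000000000000002:1700000000:1763000000:::::e::::::23:
"""
# Master key with no expiry; 1024-bit subkey whose validity also runs past two years.
SAMPLE_BAD = """\
pub:u:2048:1:0000000000000003:1700000000:::u:::scESC::::::23::0:
sub:u:1024:1:0000000000000004:1700000000:1800000000:::::e::::::23:
"""


def _epoch(value: str) -> int:
    """Fixed-list mode prints epoch seconds; very old builds print YYYY-MM-DD instead."""
    if "-" in value:
        day = dt.datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=dt.timezone.utc)
        return int(day.timestamp())
    return int(value)


def check_gpg_listing(listing: str) -> List[str]:
    """Return one problem string per violated rule across all pub/sub records;
    an empty list means the key (master and subkeys) meets the Host-to-Host rules."""
    problems: List[str] = []
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 7 or f[0] not in ("pub", "sub"):
            continue
        rec, bits, keyid, created, expires = f[0], int(f[2]), f[4], f[5], f[6]
        if bits < MIN_KEY_BITS:
            problems.append(f"{rec} {keyid}: {bits}-bit key is below the {MIN_KEY_BITS}-bit minimum")
        if not expires:
            problems.append(f"{rec} {keyid}: no expiry set; keys must expire within two years")
        elif _epoch(expires) - _epoch(created) > MAX_VALIDITY_SECONDS:
            problems.append(f"{rec} {keyid}: validity period exceeds two years")
    return problems


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(check_gpg_listing(sample) or ["ok"])
```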
Step 2: Your first time into the product, click on ‘generate key now’
GUIDE
USER
CONNECTIVITY
HOST-TO- HOST
MORGAN
J.P.
26
Step 3: Type in your firm or what you want the key to be known as.
GUIDE
27
Step 5: Enter your secret passphrase
GUIDE
Step 6: You will be prompted to create a backup. Click on ‘create backup’, then click on ‘apply’.
This could take a few minutes. Please be patient
USER
CONNECTIVITY
HOST-TO- HOST
MORGAN
J.P.
28
Step 7: A backup copy will be generated, click on ‘ok’
GUIDE
Step 8: Follow the instructions in the GPA message box, and click close
USER
CONNECTIVITY
HOST-TO- HOST
MORGAN
J.P.
29
Step 9: You will now see the default key in the Keyring Editor
Step 10: Click the private key, and then click on ‘Edit’
GUIDE
USER
CONNECTIVITY
HOST-TO- HOST
MORGAN
J.P.
30
Step 11: An ‘Edit Key’ box will appear, click on ‘change expiration’
Step 12: Select the year and day through the menu option. Please note: J.P. Morgan does not
accept keys that exceed a two year expiration.
GUIDE
USER
CONNECTIVITY
HOST-TO- HOST
MORGAN
J.P.
31
Step 13: You will be prompted to enter the secret passphrase that you created in step 5
GUIDE
Step 14: Place your cursor on ‘keys’, then click on ‘Export keys’
USER
CONNECTIVITY
HOST-TO- HOST
Step 15: Enter a file name for this key. Please note: you will need to provide this to J.P. Morgan
MORGAN
J.P.
32
J.P. MORGAN HOST-TO- HOST CONNECTIVITY USER GUIDE
33
Step 16: Click on close
GUIDE
When exporting the key from your keyring, ensure that you export the entire key and not just the
sub key.
An example of how a key should look when opened in Notepad is shown below.
hC5qhwvPnufAU8KTvh/AjmU9xokATAQYEQIADAUCQ8ZLIQUJA8JnAAAKCRA5GU2u
XzsoVYZ3AJ9UplVIl7zNHjCmCeIdjbGKEX8M5QCdG84amCX4u47PihnCEf20DdgW
ZgY=
=8FZT
-----END PGP PUBLIC KEY BLOCK-----
Step 17 (if needed): To import the J.P. Morgan public key, click ‘Import’, then select the location
of the key that you wish to import, and click on ‘ok’
Step 18: A box will appear showing the key has been added to your ring
Step 19: Select the key you have just imported. Place your cursor to ‘keys’ then click on ‘Sign
keys’
Step 20: Click on ‘yes’ to sign the key
Step 21: Enter the passphrase that you had created in step 5 and click ‘ok’
Windows PGP
The following is an example of how to create a PGP key pair using PGP for Windows from
Network Associates®.
Start the PGP application, normally done by clicking Start, Programs, PGP and then PGPKeys.
A window similar to the following should be displayed.
Select the Keys menu and the New Key option
You will now be guided through the Key pair creation wizard
Enter your company name and a contact email address
Change the Key Expiration from “Key pair never expires” to “Key pair expires on” and select a
date that is not greater than two years. Click the Next Button.
Enter a passphrase in both of the boxes
The above dialog will be displayed once your key pair has been created. Click the Next button
If you do not know the answer to the above question, leave it at the default and click the Next
button.
You have now created a public/private PGP key pair. Click the Finish button
Windows Command line examples
There are different PGP vendors available in the market and their command syntax varies.
Following are a few examples that may help you generate your PGP key pair. Please check
your vendor’s documentation for command correctness.
Generate PGP key where <type> may be DSS/RSA and <size> may be
DSS:{2048,3072,4096} or RSA:{2048}
Examples for using GPG
Create an ASCII-armored public key file from your key pair and send it to us:
gpg --armor --export <KEY-ID> > key.asc
Add the J.P. Morgan PGP key to your keyring and note down its key ID/name:
gpg --import <J.P. Morgan key file>
<DATA-FILE>
Unix & Windows GPG command line
With GPG installed on your machine, use these commands to create a key pair. The commands
you type have been marked in yellow:
If you want to use your key for encryption as well, you will need to create a Sub Key for your
PGP key. Use the below commands to create it.
You will need to provide the passphrase you created in the earlier step. After that, you will be
able to choose the options as below:
gpg --list-key
UID ECSRQ01
Exporting your public Key from the Keyring
Signing the J.P. Morgan public key after it has been added to your keyring
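The GnuPG steps of this section (key pair with an encryption subkey and a two-year expiry, export of the whole armored public key, import and signing of the partner's public key, and an encrypt-and-sign run with ASCII-armored output) written out as an added Python automation example. This is not the guide's own code: it drives the `gpg` command line through subprocess, all names, e-mail addresses, passphrases and file names are constructed placeholders, and a second locally generated key pair stands in for the J.P. Morgan public key that would really be imported.

```python
"""GnuPG automation for the Host-to-Host PGP workflow. Added example, not from
the guide; names, addresses, passphrases and file names are constructed."""
import os
import shutil
import subprocess
import tempfile


def gpg_available() -> bool:
    return shutil.which("gpg") is not None


def gen_params(name: str, email: str, passphrase: str) -> str:
    """GnuPG batch parameter file: RSA signing key plus RSA encryption subkey,
    both expiring after two years (the finite validity the guide requires)."""
    return (
        "Key-Type: RSA\n"
        "Key-Length: 2048\n"            # the RSA size listed in the guide's examples
        "Key-Usage: sign\n"
        "Subkey-Type: RSA\n"
        "Subkey-Length: 2048\n"
        "Subkey-Usage: encrypt\n"
        f"Name-Real: {name}\n"
        f"Name-Email: {email}\n"
        "Expire-Date: 2y\n"
        f"Passphrase: {passphrase}\n"
        "%commit\n"
    )


def gpg(home: str, *args: str, stdin=None) -> subprocess.CompletedProcess:
    """Run gpg against a dedicated keyring directory, with no interactive prompts."""
    cmd = ["gpg", "--homedir", home, "--batch", "--yes", "--pinentry-mode", "loopback", *args]
    return subprocess.run(cmd, input=stdin, capture_output=True, check=True)


def fingerprint(home: str, email: str) -> str:
    """Primary key fingerprint for the key matching *email* (machine-readable listing)."""
    for line in gpg(home, "--with-colons", "--list-keys", email).stdout.decode().splitlines():
        fields = line.split(":")
        if fields[0] == "fpr":
            return fields[9]
    raise LookupError(email)


def roundtrip() -> dict:
    """Generate both key pairs, exchange public keys, encrypt+sign, then decrypt+verify."""
    work = tempfile.mkdtemp()
    client, partner = os.path.join(work, "client"), os.path.join(work, "partner")
    for home, name, email, pw in ((client, "Example Corp H2H", "h2h@example.com", "client-pass"),
                                   (partner, "Partner Test Key", "partner@example.com", "partner-pass")):
        os.mkdir(home, 0o700)
        gpg(home, "--gen-key", stdin=gen_params(name, email, pw).encode())

    # Export the entire armored public key (primary key and subkey), as the guide asks.
    client_pub = gpg(client, "--armor", "--export", "h2h@example.com").stdout
    partner_pub = gpg(partner, "--armor", "--export", "partner@example.com").stdout

    # Import the partner key and sign it with our key so gpg treats it as valid for encryption
    # (the "grey to green" validity step of the GUI walkthrough).
    gpg(client, "--import", stdin=partner_pub)
    gpg(client, "--passphrase", "client-pass", "--quick-sign-key", fingerprint(client, "partner@example.com"))
    gpg(partner, "--import", stdin=client_pub)      # receiver needs our public key to verify

    # Encrypt to the recipient, sign with our private key, ASCII-armored output (TEST.TXT -> TEST.TXT.asc).
    plain = os.path.join(work, "TEST.TXT")
    with open(plain, "wb") as f:
        f.write(b"constructed sample payment file\n")
    gpg(client, "--passphrase", "client-pass", "--local-user", "h2h@example.com",
        "--recipient", "partner@example.com", "--armor", "--sign", "--encrypt",
        "--output", plain + ".asc", plain)

    # Receiving side: decrypt and read the status lines for GOODSIG (signature verified).
    result = gpg(partner, "--passphrase", "partner-pass", "--status-fd", "2", "--decrypt", plain + ".asc")
    with open(plain + ".asc", "rb") as f:
        armored = f.read()
    for home in (client, partner):                   # stop the agents started for the temp keyrings
        try:
            subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"], capture_output=True)
        except OSError:
            pass
    return {
        "armored_output": armored.startswith(b"-----BEGIN PGP MESSAGE-----"),
        "plaintext_matches": result.stdout == b"constructed sample payment file\n",
        "good_signature": b"[GNUPG:] GOODSIG" in result.stderr,
    }


if __name__ == "__main__":
    if gpg_available():
        print(roundtrip())
    else:
        print(gen_params("Example Corp H2H", "h2h@example.com", "client-pass"))
```

The passphrases are passed on the command line only to keep the example short; in a scheduled job, use `--passphrase-file` pointing at a file readable only by the service account, which keeps the secret out of the process list and out of any captured log, the same concern the batch-file notes later in this section raise.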
Exporting Your Public Key
The new key pair will be displayed in the key window of the PGPKeys application. An example is
shown below.
Right click the mouse on the top level of your key, which is the entry that has the icon that
depicts a key above a person’s head. From the drop down menu click Export and choose a
location to save the key.
Once saved, open the key in notepad to ensure that the format looks like the example shown
below.
<HTTP://www.pgp.com>
mQGhBEPGSyERBADVubB7a0yBRUFofHx28WUxq/aiFqysz6440HorUc1wWOtvQjtD
xu6EwZ5dqZnPMvYvfjRzk8vWSkkKCt5V2nE1LfYRqArSZM1MMnj+JTivZrRhWzGT
jnPRZIWALB8758auSHsEPfQTMVTmKlnA1MOwUSpbc/OavVflBgYvsE7BiwCg/zuZ
XzsoVYZ3AJ9UplVIl7zNHjCmCeIdjbGKEX8M5QCdG84amCX4u47PihnCEf20DdgW
ZgY=
=8FZT
-----END PGP PUBLIC KEY BLOCK-----
Installing the J.P. Morgan public key (if required)
The J.P. Morgan PGP key must be imported into your PGP public keyring.
An example of how to import the PGP key in the Windows version of PGP is shown below.
From the Keys menu of the PGPKeys application, choose the Import option and navigate to the
location where the J.P. Morgan public PGP key has been stored.
You will be shown information regarding the imported key, you should confirm that the key does
You will notice that a new key has now been added to your keyring, but also that the icon in the
Validity column is grey and not green. This is because the key is not trusted by default. You need
to set the trust properties of the key. To do this, right click on the top level of the key and choose
the Sign option. This means that you are signing the J.P. Morgan public key with your private key.
The Signing Key will be your private key; enter the passphrase that you used when creating your
key pair and then click the OK button. You will now see that the Validity icon has turned green.
Some implementations may require an additional step of explicitly trusting the key after it is
signed. Please see your application documentation for more details.
File Encryption/Signing
File Management is the process of encrypting and signing files that you wish to deliver to
J.P. Morgan or decrypting and verifying files that you have received from J.P. Morgan.
Encryption
There are two ways to achieve this: the Windows GUI and the command line. This
example shows how to achieve this using the Windows GUI.
For this example, there is a text file called Test.txt. Using Windows Explorer®, right click on the
file name.
Click on PGP>Encrypt & Sign
When encrypting files, you always encrypt the file using the public key of the recipient. In this
case J.P. Morgan. Click on the J.P. Morgan Key from the list of keys in the top window and drag
and drop this into the Recipients window.
Ensure that the Text Output option is checked (this will ascii armor the file), click the OK button.
You will be prompted for a Signing Key, this is your private key and should be chosen from the
drop down list box, you then need to enter the passphrase for your key. Click the OK button.
A new file will be created in the same location as the original file that you chose to encrypt. This
will have the same file name as the original, but with the additional extension of .asc. This is the
file that you will send to J.P. Morgan.
Click on ‘Open’ then select or type in the file location and click ‘ok’
Click on ‘Encrypt’ for the selected file.
Click on ‘sign’, also click on the J.P. Morgan key and click ‘Armor’, then click on ‘ok’.
You will be prompted for the passphrase that you had created in step 5. The file is now
encrypted and signed, and may be sent to J.P. Morgan.
You may want to automate the encrypt and sign process. To achieve this, you will need a
command line version of PGP.
You can encrypt & sign the file by running the following:
ENCSIGN TEST.TXT
Decryption
The following topics show how to decrypt files received from the Host-to-Host using the Windows
GUI, MS-DOS and UNIX.
To decrypt and verify the received file, you need to right click on the file to bring up the context
The following dialog box shows the name of the key that was used to encrypt the file, you will
need to enter the associated password for this key to unlock the file.
The file will be decoded and extracted to the same folder as the encrypted source. You will also
see a window showing the key that was used to sign the file. You must have the corresponding
public key to verify the signature.
Launch an MS-DOS command prompt and change to the location of the encrypted file.
Enter the following command: pgp test.doc.asc
Notice that the command is now prompting you for the pass phrase (password) for the key. Enter
your password and the decryption process will then decrypt and verify the sender of the file and
create a decrypted file in the same folder.
You can automate the above procedure by creating a batch file with the appropriate commands.
Example
SET PGPPASS=YOURPASSWORD
PGP %1
SET PGPPASS=
Save this as dec.bat and then run with the following: dec test.doc.asc. This will place your
password into memory and then run pgp %1, replacing the %1 with the test.doc.asc file name.
The final SET PGPPASS= removes the password from memory.
If you do not want to have your password stored inside of the batch file, then you can modify the
batch file as follows and then pass as a parameter.
ECHO OFF
SET PGPPASS=%1
ECHO ON
PGP %2
ECHO OFF
SET PGPPASS=
ECHO ON
The echo on/off commands will prevent reference to your password from being placed into the
text log that you may create.
Then run dec yourpassword filename. If you have a requirement to capture the output of this
command into a text file, then the command would be
Sample Files
The following are two sample encrypted files, one that is acceptable because it uses ascii armor
and the other would be rejected by J.P. Morgan due to it being in binary format.
Please note that the ascii armor requirement only applies to file transmissions that use
HTTPS as the protocol.
J.P. Morgan
<HTTP://www.pgp.com>
qANQR1DBwU4DSP6v3j03U60QB/9dv9MoWD7Q8BHUkB/voOQKEj9DTu437x14sUVD
LSPzm/6+NjA+rbsODnv1gkspl/MilZnnUy9CaUqVC7QZeQyZiqcvMekEd2+tDz5g
hm1Op09LnHhQxqX7zgswOII48IQ0eRM40kwte2CIgsQeopwpoNVOYacBvmiTwR/R
GEzL2KR4xUnXA8RYFnRxPB9uAIj2t+Zh9WoQ1MM=
=BmOr
-----END PGP MESSAGE-----
A sample of a non-ascii armored file
This is an example of a file successfully encrypted without ASCII armor, which will not be accepted
by J.P. Morgan. The purpose of ASCII armor is to put a wrapper around binary files during
transmission over non-binary channels, such as the internet. This procedure can prevent data
corruption during transmission.
[binary sample: the non-ASCII-armored file consists of non-printable bytes and cannot be reproduced as text]
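To make the ASCII-armor requirement above mechanical (and to cover the earlier check, under "Exporting Your Public Key", that an exported key looks right when opened in Notepad), here is an added Python example that is not code from the guide or from any PGP vendor. It accepts a file only when it is a complete armored block whose CRC-24 trailer (the `=XXXX` line, RFC 4880 section 6) matches the decoded body, and rejects raw binary PGP output, a missing BEGIN/END line, a malformed body, or a block that was altered or truncated in transit. The sample payload and the tampering in the usage are constructed.

```python
"""Validate ASCII-armored OpenPGP files (the form accepted over HTTPS) and
reject binary ones. Added example, not from the guide; sample data is constructed."""
import base64
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, used for the '=XXXX' armor trailer."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, kind: str = "PGP MESSAGE") -> str:
    """Wrap binary OpenPGP data in ASCII armor: BEGIN line, blank line, 64-char
    base64 lines, CRC-24 line, END line."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    checksum = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {kind}-----", ""] + lines
                     + [f"={checksum}", f"-----END {kind}-----"]) + "\n"


def check_armor(raw: bytes):
    """Return (accepted, reason) for the contents of a file about to be sent."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "not ASCII text: binary PGP output, which would be rejected"
    lines = [ln.rstrip("\r") for ln in text.strip().split("\n")]
    begin = re.fullmatch(r"-----BEGIN (PGP [A-Z ]+)-----", lines[0]) if lines else None
    if not begin:
        return False, "missing -----BEGIN PGP ...----- header line"
    kind = begin.group(1)
    if lines[-1] != f"-----END {kind}-----":
        return False, "missing or mismatched -----END line"
    body, checksum, in_body = [], None, False
    for line in lines[1:-1]:
        if not in_body:
            if line == "":
                in_body = True          # blank line separates armor headers from the body
                continue
            if ": " in line:            # armor header such as 'Version:' or 'Comment:'
                continue
            in_body = True
        if line.startswith("="):        # base64 body lines never start with '='
            checksum = line[1:]
            continue
        body.append(line)
    try:
        payload = base64.b64decode("".join(body), validate=True)
        if checksum is None:
            return False, "missing =XXXX CRC-24 line"
        expected = base64.b64decode(checksum, validate=True)
    except ValueError:                  # binascii.Error is a subclass of ValueError
        return False, "body or checksum is not valid base64"
    if expected != crc24(payload).to_bytes(3, "big"):
        return False, "CRC-24 mismatch: the armored text was altered or truncated"
    return True, f"well-formed {kind} carrying {len(payload)} bytes of OpenPGP data"


if __name__ == "__main__":
    sample = b"constructed OpenPGP packet bytes \x00\x01\xff"   # stands in for real gpg output
    armored = armor(sample)
    print(check_armor(armored.encode("ascii")))      # accepted
    print(check_armor(sample))                        # rejected: binary, not armored
    damaged = armored.replace("-----END", "-----XXX", 1)
    print(check_armor(damaged.encode("ascii")))      # rejected: END line mismatch
```

Running this over every outbound `.asc` before upload catches the two failure modes the guide describes (a binary file sent by mistake, and armor damaged in transit) without needing a PGP installation on the checking host.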
X.509 (SSL)
Signing Payload with X.509 (SSL) Digital Certificate
J.P. Morgan can accommodate the use of an X.509 (SSL) certificate to encrypt/sign the payload
(data) prior to sending. Please note that J.P. Morgan does not require that your files be
encrypted; we require signing only.
To sign the file using X.509, we used a freeware program called iSafeguard™. Screenshots for
importing the certificate are shown below.
Once the certificate has been imported, you may launch the program from within Windows
Explorer. Right click on a file and select iSafeguard™, then select “sign”.
You will be prompted to select a signer (certificate). This is where you will select your certificate
that was created earlier.
Once the file has been signed, a new file will be created with an .xcs extension.
Base64 Encoding a file
For the file to work correctly with J.P. Morgan when using HTTPS over the internet, it must be
Base64 encoded. To accomplish this for demonstration purposes, we used a freeware program
called Base64 Encoder, Version 1.1.1.0. More information on this may be found at:
After signing the file, launch a command prompt window. Make sure you have the base64.exe
program in the same folder as your file. Enter command:
base64 -e (in file) (out file) -s
7. Partner Key Management
The Partner Key Management (PKM) process is used by J.P. Morgan as a way to verify that the
credentials submitted for activation on the Host-to-Host servers not only meet the requirements
for validity period and key strength, but also that they have been submitted by persons duly
authorized by the client. A document describing the process will be supplied to you by your
Implementation Manager.
When submitting your public key or certificate for Production use with the Host-to-Host, you
must follow the Partner Key Management process.
All production keys and certificates should follow the instructions provided in the guide and must
be sent directly to IMSD Security Operations two weeks prior to the scheduled production
migration date.
We have two separate client environments: Client Acceptance Testing (CAT) and Production. In
order to help ensure that only production files are ever sent to the Production environment, we
require you to give us one certificate or key for CAT, and a different certificate or key for
Production.
Best Practice
We require that you use different keys for CAT & Production
1) Using the Security Administration Designation Form (SADF), the client will identify the
authorized individuals for key exchange with their names, complete mailing addresses, original
signatures, phone numbers and e-mail addresses.
The J.P. Morgan Security Services (IMSD) group will action only those requests received from
any one of these authorized individuals.
2) Send an e-mail with the keyword "Implementation" on the subject line, a description of the action
to be taken, a request for a suggested date and time the action is to be taken, and an attached
zipped text file containing the certificate to the IMSD email address above. The text of the e-mail
must contain a printed copy of any public keys contained in the zipped text file. The e-mail
request must be received at least two days prior to the key implementation date.
3) Print the e-mail, sign it and send it by fax or as a scanned copy to the address listed below. The e-mail
request must be received at least two days prior to the key implementation date. It is of utmost
importance that the printed email is countersigned by one of the authorized individuals.
J.P. Morgan IMSD Security Operations: Key Management
FAX: 813-649-8367; Email: IMSD.Security.Operations@jpmorgan.com
4) Upon receipt of this e-mail and the letter, IMSD will (i) validate the e-mail by comparing the
printed public key in the letter with the electronic one contained in the zipped attachment, (ii)
compare the signature on the letter with the authorized original signature on the SADF, and (iii)
inform the JPM Implementation teams upon approval. If the key is not approved, IMSD will notify
the client’s authorized individual.
5) The J.P. Morgan implementation team will inform the client of receipt of the key file and the
scheduled date and time for the action to take place.
This is a requirement of J.P. Morgan Partner Key Management, so please bear this in
mind when obtaining your certificate or when generating self-signed keys. There are
no exceptions to these requirements.
Eligible clients must use the Rapid Renewal process for all subsequent renewals. For
email-initiated key renewals, follow the same PKM process outlined above, except
mention the keyword “Renewal” on the subject line of the email to IMSD when sending
the new key.
To prevent any lapse in service or emergency procedures, the client should request a
key change at least one month prior to actual certificate expiration. As a courtesy,
J.P. Morgan will attempt to notify the client via email at least two months prior to actual
certificate expiration.
All requests for key changes and renewals are subject to validation according to the
In the event of an emergency requiring an exception to the stated service level, clients should
call the Solution Center Transmission Support team at (978) 805-1200.
A call back to the client from the Support team, using previously provided contact information,
will be conducted to confirm any emergency changes.
The Support team will coordinate the emergency activity, upon direction from the J.P. Morgan
Client Service Representative.
Partner Key Management Sample Email
Sample e-mail to IMSD.Security.Operations@jpmorgan.com for HTTPS/PGP. Please refer
to the Partner Key Management Explanation document for other protocol examples.
To: IMSD.Security.Operations@jpmorgan.com
From: <client email address of authorized person>
This e-mail is being sent to you containing the Production SSL certificate and PGP key for our
implementation with J.P. Morgan Host-to-Host. The attached key/certificate expires within the
required period.
Below are the screen print and text of the certificate/key. Please add the attached key/certificate
into our Production setup.
-----BEGIN CERTIFICATE-----
MIIFeTCCBGGgAwIBAgIKFcilpAAAAAAAMjANBgkqhkiG9w0BAQUFADBQMRMwEQYK
CZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKbXNjc29ubGluZTEdMBsG
A1UEAxMUbXNjc29ubGluZS1ERU5BRDEtQ0EwHhcNMTEwOTIwMTg1OTU5WhcNMTIw
OTE5MTg1OTU5WjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmxsw
gjcVBwQwMC4GJisGAQQBgjcVTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1T
ZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1zY3NvbmxpbmUsREM9Y29tP2Nl
cnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0
cmlidXRpb25Qb2ludDCByQYIKwYBBQUHAQEEgbwwgbkwgbYGCCsGAQUFBzAChoGp
bGRhcDovLy9DTj1tc2Nzb25saW5lLURFTkFEMS1DQSxDTj1BSUEsQ049UHVibGlj
-----END CERTIFICATE-----
Pasted text of the PGP Public Key:
=l0f0
-----END PGP PUBLIC KEY BLOCK-----
Sincerely,
Attachments
exampleSSLcert.zip examplePGPfile.zip
Rapid Renewal Process
Eligible clients must use the Rapid Renewal process for all subsequent renewals.
Benefits include:
A secure submission process, as clients use their existing credentials to submit new
certificates
The elimination of documentation requirements such as the signed hardcopy and SADF
A more effective method of managing submissions, as the files are automatically sent to the
Host-to-Host server.
The use of Rapid Renewal depends on eligibility, and considers the following criteria:
Clients must be able to send a file to J.P. Morgan.
Clients must be able to digitally sign the file.
Clients must submit new certificates prior to expiration of their existing credentials.
convention:
<Partner ID>.TRANSPORT.IN.DAT for a new transport (SSH or SSL) key
<Partner ID>.PAYLOAD.IN.DAT for a new payload (PGP or X.509) key
When instructed, send a digitally signed activation file to move your new key to Production:
Sign each file with your ‘existing’ payload (PGP or X.509) key… and not the new key.
Connect to Host-to-Host and put the file(s) into the /Inbound/Encrypted folder.
Once the file is received, certificate validation will be performed to ensure it meets the
acceptable criteria. If the request is in good order, the key will either be activated or staged
awaiting activation. If the request is not in good order, IMSD will contact you via email to
indicate the rejection reason(s) and provide additional steps to remediate the issue, while also
copying your J.P. Morgan Client Service Representative for awareness.
8. Firewalls
If you are using a firewall, DO NOT hardcode just one or a few IP addresses, as this could result in
a service disruption for your company if J.P. Morgan changes its file transmission platform. All
clients should configure the two full Class B IP ranges below.
159.53.0.0 - 159.53.255.255
170.148.0.0 - 170.148.255.255
Each of the Class B IP ranges specified above is wholly owned and operated by J.P. Morgan.
Transmissions to/from J.P. Morgan can use any of the IP addresses within the above ranges.
J.P. Morgan is a large organization with a highly distributed, globally load-balanced proxy
infrastructure. We own two Class B /16s of IP address space that have been specifically
reserved for services hosted globally within our own public DMZ infrastructures. Since we are a
known business partner accessing services over the Internet and we only source transmissions
from hosts under our management, we hope clients will have no concerns about trusting this
address space.
Alternative Solution
If a client’s firewall policy cannot allow these address ranges for any reason, then a
direct business partner connection, such as an IP/VPN, should be considered as an alternative
solution.
Registered IP Address Netblock details

159.53.0.0/16
Net Range: 159.53.0.0 - 159.53.255.255
CIDR: 159.53.0.0/16
Name: JMC
Handle: NET-159-53-0-0-1
Parent: NET159 (NET-159-0-0-0-0)
Net Type: Direct Assignment
Origin AS:
Organization: JPMorgan Chase & Co. (JMC-39)
Registration Date: 1992-03-06
Last Updated: 2012-02-24
Comments:
RESTful Link: https://whois.arin.net/rest/net/NET-159-53-0-0-1
See Also: Related organization's POC records.
See Also: Related delegations.
Organization Name: JPMorgan Chase & Co.

170.148.0.0/16
Net Range: 170.148.0.0 - 170.148.255.255
CIDR: 170.148.0.0/16
Name: CHASE2
Handle: NET-170-148-0-0-1
Parent: NET170 (NET-170-0-0-0-0)
Net Type: Direct Assignment
Origin AS:
Organization: JPMorgan Chase & Co. (JMC-39)
Registration Date: 1994-05-17
Last Updated: 2012-02-24
Comments:
RESTful Link: https://whois.arin.net/rest/net/NET-170-148-0-0-1
See Also: Related organization's POC records.
See Also: Related delegations.
Organization Name: JPMorgan Chase & Co.
9. J.P. Morgan Inbound URL/IP addresses and Ports
The following ports should be used for both CAT and Production environments:
HTTPS 443
FTP/SSL (FTPS) 21
FTP/SSH (SFTP) 22
CAT 62101-62200
Production 62000-62100
J.P. Morgan has two environments: Client Acceptance Testing (CAT) and Production. Each has
several possible URLs (IPs) that are used for connectivity.
As a reminder, production data must never be transmitted to the J.P. Morgan CAT environment
nor should test data ever be sent to the J.P. Morgan production environment.
You will be advised by your J.P. Morgan technical consultant which URL you will be required to
use for each of our environments. Below is the complete list, categorized by protocol. If your
company utilizes a firewall, you will need to add the appropriate URLs or IP addresses. For the
CAT environment, we only have a single IP per URL, but please note that for Production we have
several IPs per URL, any one of which may be used at any given time. J.P. Morgan reserves
the right to make routing changes that alter the IP address associated with a given URL at
any given time, without client notification. Because of this, you should use only DNS addressing
to your assigned URL, and if your firewall only allows IP entries, then you must include all
addresses that are associated with the URL that you have been assigned. Please see Best
Practices for more details.
The following are the IP addresses for both our CAT and Production environments, listed by
protocol.
transmissions-uat.jpmorgan.com 159.53.62.207
transmissions-uat1.jpmorgan.com 159.53.62.210
transmissions-uat2.jpmorgan.com 159.53.62.209
transmissions-uat3.jpmorgan.com 159.53.62.208
transmissions-uat4.jpmorgan.com 159.53.62.211
transmissions-uat5.jpmorgan.com 159.53.62.213
transmissions-uat6.jpmorgan.com 159.53.62.212
transmissions-uat7.jpmorgan.com 159.53.62.215
transmissions-uat8.jpmorgan.com 159.53.62.216
transmissions-uat9.jpmorgan.com 159.53.62.217
Production
URL IP 1 (Prod1) IP 2 (Prod2) IP 3 (DR)
FTPS
transmissions-uat.jpmorgan.com 159.53.62.207
DMZ Node 1 159.53.58.25
Production
SFTP
transmissions-uat.jpmorgan.com 159.53.62.207
Production
URL IP 1 (Prod1) IP 2 (Prod2) IP 3 (DR)
10. Common Errors
If you encounter any issues when updating your configuration or parameters, or during
communications testing, please contact your designated J.P. Morgan technical consultant for
assistance.
Below are examples of some of the more common issues that you may encounter.
Connectivity
File Encryption
11. SSL Certificate Issues
You receive encoding errors when trying to convert your public key received from Verisign.
Example error:
Sometimes Verisign sends the certificates with a pkcs7 wrapper. You have to perform the
following steps to get the certificate into .der format.
aVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy
.
-----END CERTIFICATE-----
subject=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA -
Class 3/OU=www.verisign.com/CPS
Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
MIIDgzCCAuygAwIBAgIQJUuKhThCzONY+MXdriJupDANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
.
.
.
-----END CERTIFICATE-----
There are two certificates in this file, the first certificate is yours, and the second is the Verisign
CA certificate.
1. Copy your certificate (from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----) and
paste it into a file and save it.
2. Issue the command: openssl x509 -outform der -in copiedfile.pem -out output.der
12. SSL Certificate Enhanced Key Usage
The H2H server has upgraded security checks. You must provide an SSL certificate that has
“Client Authentication” under the enhanced key usage (example below). In the following
example, “Client Authentication” is present under enhanced key usage. These certs are
acceptable.
Another example of a valid certificate is below where ‘Enhanced Key usage’ is NOT present so
this cert is a good cert to use as well.
No Good! In the example below, this certificate is missing “Client Authentication”, so this
certificate cannot be used with J.P. Morgan.
End of Document