Tech File

JPMorgan Chase & Co.
Managed File Transfer 6.0

External Technical Guide
(For External Use)
Copyright © 2022 JPMorgan Chase & Co. All rights reserved.

This document contains information that is confidential and is the property of JPMorgan Chase & Co. It may not be reproduced,
distributed or used, in whole or in part, for any purpose other than as expressly authorized by JPMorgan Chase. All services are
subject to applicable laws, regulations and services terms. All trademarks, trade names and service marks appearing herein are
the property of their respective owners.
Contents
1 Introduction ..........................................................................................................................3
2 Connectivity Requirements ..................................................................................................3
3 Security................................................................................................................................4
3. 1 Security at the Data Level (Payload) ............................................................................ 5
3. 2 Adding Certificates and Keys to Production ................................................................. 5
4 JPMC Environments Used to Receive Files .........................................................................5
5 AS2 Connectivity Requirements...........................................................................................7
5.1 SSL/AS2 Certificate Installation ................................................................................... 7
6 Required IP Ranges.............................................................................................................8
7 SFTP ...................................................................................................................................8
8 Data-level (Payload) Encryption - File Encryption and Signing .............................................8
8.1 JPMC PGP Security Rules........................................................................................... 9
9 JPMC Key Management Requirements ...............................................................................9
9.1 Firewalls ...................................................................................................................... 9
9.2 Internet Source Address Filtering Requirements .........................................................10
9.3 Alternative Solution .....................................................................................................10
10 Risk Analysis .....................................................................................................................10
11 JPMC Inbound URL/IP addresses and Ports .....................................................................10
12 MFT RESTful API Webservices .........................................................................................11
12.1 GET a Collection of Files and Folders in the User Home Directory .............................11
12.2 POST Uploads File to the User Home Folder..............................................................12
12.3 GET a List of Files ......................................................................................................13
12.4 POST an Update to a File’s Metatdata ........................................................................13
13 Supported Ciphers on MFT 6.0 ..........................................................................................14
14 Standard Operating Procedure ............................................................................................17
Appendix A – File Extension Blocking .......................................................................................21
Appendix C – Known Compatible Software Clients ...................................................................23
Appendix D – Line of Business Specific Security Requirements ...............................................24
Appendix G – Production Support Contact Details ....................................................................24

This document contains information that is confidential and is the property of JPMorgan Chase & Co. It may not be
reproduced, distributed or used, in whole or in part, for any purpose other than as expressly authorized by JPMorgan
Chase. All services are subject to applicable laws, regulations and services terms. All trademarks, trade names and
service marks appearing herein are the property of their respective owners.
JPMorgan Chase & Co.
Managed File Transfer 6.0
Technical Guide
1 Introduction
This document is designed to provide Managed File Transfer (MFT) customers with the information
they need to understand protocol service offerings, setup/requirements for each protocol, and
security. This document covers the primary aspects of security, both at the transport and data levels,
including topics on certificates and keys. The process MFT uses to implement production certificates
and keys is also covered in this document.1 MFT Implementation Engineers are assigned to work with
each customer from initial consultation to implementation. In addition, you may contact Transmission
Control at 1-800-990-9217 for assistance. Representatives are available 24 hours a day, 7 days a
week. Please see Appendix G for callers outside of the United States.
2 Connectivity Requirements
In order to connect and transfer files to JPMorgan Chase & Co. (JPMC) MFT, certain steps need to
be followed based on the protocol you select to transfer files. Refer to the table below for details:
Transfer Protocols and Setup
Protocol Key Exchange Software Configuration
HTTPS • Certificate exchange via Web browser should • Configure your connectivity
be automatic but you can request our SSL application/ Web browser to use
certificate if you need it the SSL certificate
SFTP • Provide us with your public SSH key if you • Obtain and configure your
require key-based authentication SFTP software
• User will also have the ability to upload their
SSH key; self-service
SFTP Push to • We will provide you with our SSH key if key- • You need an SFTP server to
Remote Server based authentication is required accept our requests
• We authenticate with our SSH
key or password if provided
AS2 • JPMC Engineer will share the AS2 certificates • Software has to be drummond
for connectivity as well as Encryption/Signing. certified
JPMC Supports AS2 version
1.2
REST API • HTTPS user account / password authentication • Public Certificate needs to be a
or Public Certificate-based signed certificate by Root CA
1 Throughout this document, various third-party products and their usage are outlined. JPMorgan Chase does not
recommend any third-party software and makes no representation, explicit or implied, as to the functionality, quality,
or suitability of any third-party software referenced herein. Before downloading, installing, or using any third-party
software, your organization must make an independent assessment of the suitability of such software.
Page 3
• User will also have the ability to upload their
SSL cert; self-service
REST API push • HTTPS user account / password authentication • Public Certificate needs to be a
to Remote Server or Public Certificate-based signed certificate by Root CA
3 Security
JPMC corporate policy requires all file transmissions, including test files, be sent via a secure
session. Refer to IT StandardsProcedure CP-28122 for details.
All Certificates and Keys must be 2048-bit or more in key strength. Certificates must have a
two-year-or-less expiration date and Keys must have a two-year-or-less expiration date. Refer
to IT Standards ATCS-840 and ATCS-5873 for more information.
MFT security is divided into two categories: session level (transport) and data level (payload).
JPMC uses Secure Sockets Layer (SSL) and Secure File Transfer Protocol (SFTP) for session level
(transport) security. In addition, see Appendix B for a listing of prohibited malicious file extensions.
All connections to the MFT infrastructure between external and/or internal application connections
must use secure Protocol. The options are:
• AS2 (EDI-INT)
• HTTPS
• SFTP / SCP
• Rest API over HTTPS
Please see Appendix D - Line of Business Specific Security Requirements for more
detailsSecurity at the Session Level (Transport)
SSL
SSL is a protocol used to send encrypted information over the Internet. SSL provides session
encryption to prevent others from being able to see information that you send over the Internet.
How does it work?
▪ Authenticates the server and client using a user ID and password
▪ Provides an encrypted connection using session keys
When connecting to JPMC MFT, client-side authentication takes place. Your public certificate
is passed to the server and the server authenticates the certificate, checking that it has been
set up on our servers as a valid client before allowing the connection to proceed. An
automated signoff takes place during which the server and client agree to the type of
encryption to use to secure the connection. After a successful signoff, you are able to send or
receive files.
SFTP
SFTP is a network protocol that allows data to be exchanged over a secure channel between
two computers.
How does it work?
2 CP-2880: Cryptographic Key Lifecycle Management

Page 4
▪ Authenticates the server and client using the public SSH keys
▪ Provides an encrypted connection
Encryption provides confidentiality and data integrity. SSH uses public-key cryptography to
authenticate the remote computer and allow the remote computer to authenticate the user.
3. 1 Security at the Data Level (Payload)

PGP is based on a standard encryption technology known as public key cryptography in which two
complementary keys, called a key pair, are used to secure the payload during communications.
One of these keys is a private key and the other key is a public key. The private key is for your use
only and the public key is exchanged with JPMC.
How does it work?
• After you exchange your public key for the JPMC public key successfully, you can exchange
files. When you send a file to JPMC, you encrypt the file with the JPMC public key and sign it
with your private key.
• JPMC decrypts the file using its private key and verifies that it was signed using your public
key. The reverse occurs for files you receive from JPMC.
You must perform a key exchange with JPMC: You provide JPMC with a copy of your public PGP
keys and JPMC provides you with a copy of our public PGP keys. For production, there is a formal
key addition procedure and schedule to follow. Your Implementation Engineer will coordinate this
activity with you. For testing purposes, keys can be exchanged via e-mail with your
Implementation Engineer.
3. 2 Adding Certificates and Keys to Production

Your Implementation Engineer will coordinate this activity with you.
Key Instructions
Key type Procedure
PGP Key Upload your PGP public key to the folder, “/PGP_Key”,
within your account
SSH Key Upload your SSH public key to the folder, “/SSH_Key”,
within your account
SSL Cert Upload your SSL public certifiacte to the folder, “/SSL_Cert”,
within your account
4 JPMC Environments Used to Receive Files

JPMC uses two environments to receive files: Customer Acceptance Testing (CAT) and Production.
Each environment has a unique address to use when establishing the connection for your chosen
protocol. The address you use depends on whether you are sending files to CAT or to Production. An
Implementation Engineer will assign a specific DNS address to you. Addresses are listed below for
reference.
SFTP / FTPS / AS2 / HTTPS Environments

CAT ftscat2.mfts.jpmchase.com (159.53.78.18)
Production fts3.mfts.jpmchase.com (159.53.46.33 & 159.53.110.33)

Page 5
fts4.mfts.jpmchase.com (159.53.78.19 & 159.53.110.34)
fts5.mfts.jpmchase.com (159.53.46.34 & 159.53.110.35)
JPMC has no influence over the method used to obtain an SSL certificate. OpenSSL is a
software package that is available from HTTP://www.OpenSSL.org at no charge. If you require
explanations for each of the parameters used when using OpenSSL, please refer to the
documents stored at the OpenSSL Web site. OpenSSL is a command-line product and all
examples are shown in a Microsoft Windows® command window.
Some Certificate Authorities (CAs) we currently accept include; Entrust, Verisign®, Thawte®, and
Geotrust®.
JPMC also accepts self-signed keys.
Key Requirements
For production systems, JPMC cryptographic standards require:
• Key strength of 2048 bits or greater
• Expiration dates of two years or less
Please reference these requirements when you obtain your certificate or when you generate self-
signed keys.
Establishing HTTPS/SSL Connectivity
SSL certificates are used for authentication and session-level (transport) encryption when using
Hypertext Transfer Protocol Security (HTTPS). This applies to Rest API and browser based
HTTPS traffic. For the AS2 protocol, SSL certificates are used for, session-level encryption, data
encryption and data signing.
Sending/Receiving Data Using HTTPS
This MFT interface supports a wide variety of communication protocols, security solutions, and
input Data formats/types.
Procedure
Note: JPMC does not support using HTTPS in an automated fashion, nor does it endorse using
HTTPS for any pull/get transmissions.
1. Open a Web browser.
2. Log in to the JPMC MFT’s HTTPS servers with the login credentials you received from your
assigned MFT Implementation Engineer.
The JPMC MFT interface requires certificate-based client authentication for all incoming HTTPS
connection requests. This client authentication process is performed during the initial HTTPS/SSL
signoff process and is transparent to the customer. After successful SSL authentication, remote
systems can use the following URL/HTTPS request and parameters to securely send/receive
data to JPMC using the MFT Interface:
The Implementation Engineer will assign a DNS name to you. Examples that follow are complete
URLs using primary DNS names for JPMC:
• CAT: https://ftscat2.mfts.jpmchase.com
• PROD: https://fts3.mfts.jpmchase.com
https://fts4.mfts.jpmchase.com
Note: Most connectivity applications use URL names when making connections. This means that
the URL will always resolve to the correct IP address that our servers use. If your company
Page 6
uses a firewall, the firewalls probably use IP addresses. In this case you must create a
firewall rule for our Secondary IP address. Please refer to the section on URL/IP addresses
to obtain the correct IP for your assigned URL.
5 AS2 Connectivity Requirements

We provide the JPMC MFT AS2 identifier and URL details. You need to provide your AS2 identifier
and URL details as well. Once we receive your information, we prepare our AS2 profile to
communicate with your AS2 setup.
Outbound AS2 service from JPMC to you must be transmitted over Port 443.
It is your responsibility to acquire/install compatible Drummond® certified AS21 client software on your
system. The customer software used must support customer-side validation. This software is used for
the setup and communication with JPMC. You are required to provide JPMC with one SSL certificate
as it is used for both session-layer and data encryption.
Note: MFT Implementation Engineers will assist you with any issues surrounding your connectivity.
However, if the issue is with software setup or operation, your vendor is responsible for
providing support.
5.1 SSL/AS2 Certificate Installation
When installing your SSL certificate into the system, please keep in mind that your certificate
is used for the Session-Layer (SSL Connection) and for customer-side validation. Therefore,
please ensure that the certificate is installed in accordance with your AS2 software.
Trading Partner Information
Corporation Name JPMorgan Chase & Co.
AS2 Cert CA Entrust
Port Inbound (from Client to 10443 (HTTPS)

JPMorgan Chase)
Port Outbound (from JPMorgan 443 (HTTPS)

Chase & Co.to Client)
Receive Encryption Type Triple DES
Receive Signature Type SHA256
Send Encryption Type Triple DES
Send Signature Type SHA256
AS2 URL CAT https://ftscat2.mfts.jpmchase.com
AS2 URL PROD https://fts3.mfts.jpmchase.com


Page 7
6 Required IP Ranges
You must add the following IP ranges to your firewall list:
*159.53.0.0/16 which is equivalent to 159.53.0.0 - 159.53.255.255
7 SFTP
To connect via SFTP you will use port 22.
When connecting via SFTP you can authenticate using a password or a key.
Note: Our software only supports the RSA algorithm for SSH keys. Key strength needs to be 2048-
bits or more.
Send your Public RSA SSH Key for JPMorgan Chase & Co. to your assigned Implementation
Engineer. Specify your Private Key location in your SFTP software.
Note: Upon receipt of your Public SSH key, JPMC sets the key to expire in up to five years. You will
receive notification from JPMC when your key is close to expiration.
Refer to Appendix F for a current list of approved and certified software clients.
8 Data-level (Payload) Encryption - File Encryption and Signing

This section provides examples1 of how to create a Pretty Good Privacy (PGP) key pair.
Information consists of examples from various providers and should not be relied upon for any
purpose. Please consult your third-party software provider for more information. We strongly
recommend that you review the documentation provided with your third-party software to become
familiar with its capabilities and support options. In addition, there are required security rules to follow
when you create PGP Keys to use with JPMC. These rules are covered in this section.
Many JPMC customers use Symantec PGP Command Line v9.9 for file encryption and decryption.
This product is fully compatible with Secure Transport for basic cryptographic operations. Symantec
PGP CLI v9.9 is licensed proprietary software. For more information about third-party software,
please use the links in the table that follows. Also reference Appendix C – Known Compatible
Software Clients.
PGP Payload • If payload encryption required, then provide us • Configure your connectivity
Encryption with your public PGP key application/web browser to use
the appropriate protocol you
• We will provide you with our public PGP key
have selected
• Log in to your account and upload your PGP
• Encrypt your payload with your
key in your PGPkey folder
public PGP key
Third-Party Software
Link Description Link
1. Symantec PGP http://www.symantec.com/business/support/index?page=landing&key=59287
Command Line
Manual/User Guide

Page 8
2. List of Symantec http://www.symantec.com/connect/articles/pgp-installation-upgrade-user-s-
PGP documents by admin-guide#3
operating system
3. GnuPG product http://www.gnupg.org/
details
4. PGP for Windows http://www.symantec.com/docs/DOC3586
online manual
8.1 JPMC PGP Security Rules

1. Key Validity period should be less than or equal to two years and have a key strength of at
least 2048 bits.
2. You must encrypt inbound files with the JPMC public PGP key and sign with your Private
Key.
3. JPMC encrypts outbound files with your PGP Public Key and signs them with the JPMC
Private Key.
4. When you export the key from your keyring, ensure that you export the entire key and not
just the subkey. An example of how a key should look when opened in Notepad is shown
below. PGPfreeware is used in this example.
9 JPMC Key Management Requirements

Please exchange your keys with your assigned Implementation Engineer. Test the key/certificate
properly before JPMC moves your setup to production. You should have different keys for CAT and
Production file transfers. You can schedule your Key Addition session with your Implementation
Engineer.
JPMC MFT adheres to these key standards:

• Key must be RSA
• Key strength must be 2048 bits or more
• Key expirations must be two years or less
9.1 Firewalls
We do not filter incoming IP address. Therefore, we do not need to add your IPs to our firewall
if you are connecting to JPMC. However, if you need our IP addresses, please see Section 10
in this document or consult your assigned Implementation Engineer.
If JPMC MFT sends the files to your server, we need to add your IP address in our firewall. If
you filter your IPs, you need to add class B IP ranges to your firewall:
Page 9
9.2 Internet Source Address Filtering Requirements

JPMorgan Chase & Co. is a global organization with a sophisticated infrastructure. It is an
infrastructure that is widely distributed with proxy configurations that are load balanced across
multiple locations. JPMC owns two Class B /16s of IP address spaces that are reserved for
services hosted globally within our own public DMZ infrastructures. As a recognized and trusted
partner delivering services over the Internet, we only initiate transfers from hosts under our
management.
9.3 Alternative Solution

If a customer’s firewall policy does not allow these addresses to be added for any reason, then
a direct business partner connection should be reviewed as an alternative solution such as an
IP/Virtual Private Network. Services and applications offered on the Internet should not use
source IP address filtering because customers cannot always guarantee the source address.
Using cookies that track and validate based on a customer source IP is not recommended
because the source IP cannot be guaranteed when Network Address Translation (NAT) polling
occurs or when proxies are used in a load-balanced manner.
10 Risk Analysis
Many organizations do not open firewall rules from such large address blocks as the Class B ranges
that JPMC provides. Standard security policies within these organizations often limit them to small
blocks of IP addresses, possibly up to a Class C range. The strategy behind these policies is that if
fewer addresses are open, risk is reduced for their organization. This may be true when securing
communication between individual hosts or customers that are initiating or receiving communication
as stand-alone devices.
This strategy is challenged when the policy provides access from a proxy infrastructure outbound to a
customer’s application environment. The risk exposure is the same whether individual IP addresses
are identified or the full ranges are included. Typically, the applications being accessed provide some
form of authentication and encryption services. This provides for endpoint validation and security of
the data being sent or received. The endpoint validation functions prevent unauthorized partners from
gaining access to the application or data transfer functionality. The encryption provides protection
against eavesdropping or a “man in the middle” type of attack. These controls should mitigate any of
the additional risk exposure within a shared transport environment such as the proxy infrastructure
used at JPMC.
Registered IP Address Netblock details

POST/files/[filePath] Parameter Descriptions POST/files/[filePath] Parameter Descriptions
11 JPMC Inbound URL/IP addresses and Ports

External URLs: All IP Addresses listed below must be included in all configuration settings.
PRODUCTION
• fts3.mfts.jpmchase.com (159.53.46.33 & 159.53.110.33)
Page 10
CAT (Customer Acceptance Testing)
• ftscat2.mfts.jpmchase.com (159.53.78.18)
Ports
• SFTP: 22
• AS2: HTTPS (10443)
• RestAPI: 443
12 MFT RESTful API Webservices

MFT offers REST API based file transfer and operations protocols.
12.1 GET a Collection of Files and Folders in the User Home Directory
GET protocol gets a collection a files and folders in the user home directory.
GET /files Parameter Descriptions
Parameter Description Location Data Type

sortBy Specifies the sort by attribute. Possible values: Query String
‘fileName’, ‘lastModifiedTime’, ‘size”
order Specifies the sort direction. Possible values: ‘ACS’ Query String
or ‘DESC’
transferMode Specifies the file transfer mode: ‘ASCII’ or Query String
‘BINARY’
status If present in the query string will return all Query String
metadata for the user home directory
offset The start row to list; if this parameter is not set, Query Integer
then it is considered 0
limit The limit of the listed rows. If this parameter is not Query Integer
set, then it is considered to list all rows
GET /files Responses Descriptions
Status Reason Data Type

200 Successful Operation Model
Files
{
files(Array[FileObject], optional)
}
Example Value:
{
"files": [
{
"fileName": "string",
"newFilePath": "string",
"lastModifiedTime": 0,
"size": 0,

Page 11
"isDirectory": true,
"isRegularFile": true,
"isSymbolicLink": true,
"isOther": true,
"group": "string",
"owner": "string",
"permissions": "string",
"isShared": false,
}
]
}
400 Bad Request – The
returned error message
will tell what was
incorrect in the request.
401 Unauthorized – Incorrect
login credentials.
404 Not Found
500 Internal Server Error
12.2 POST Uploads File to the User Home Folder

POST files uploads file(s) to the user home folder.
NOTE: This method can also update the user home folder metadata if body parameter is specified and
the content type is ‘application/json’ or ‘application/xml’.
POST /files Parameter Descriptions

‘BINARY’
File* The file to be updated formData File
POST /files Responses Descriptions

200 Successful Operation
400 Bad Request – the returned error meswage will
tell what was incorrect in the request
401 Unauthorized – incorrect login credentials
404 Not Found

Page 12
12.3 GET a List of Files
GET a list of files, if the specified files is in a directory. If the files are not in a directory, the file content will
be retrieved. If the file path contains GLOB characters a listing will be performed. If the status parameter
is present, the file metadata will be retrieved.
GET /files/[filePath] Parameter Descriptions

filePath Specifies the target file path Path String
sortBy Specifies the sort by attribute. Possible values: Query String
‘fileName’, ‘lastModifiedTime’, ‘size’
‘BINARY’
status If presnt in the query string will return all metadata Query String
for the user home directory
offset The start row to list; if this parameter is not set, Query Integer
then it is considered 0
limit The limit of the listed rows. If this parameter is not Query Integer
set, then it is considered to list all rows
GET /files/[filePath] Responses Descriptions

400 Bad Request – the returned error message will tell what was
incorrect in the request
404 Not Found
12.4 POST an Update to a File’s Metatdata

Updates metadata of the file, pointed by the file path. If the file name stored in the file object is different
than the one in the file path, the target file / directory will be renamed.
NOTE: This method can also upload a file to the folder, pointed by the file path, if the query parameter
‘transferMode’ is specified and the content-type is ‘multipart/form-data’.
POST /files/[filePath] Parameter Descriptions

File path Specifies the file path Path String
Body The new file metadata FileObject
to create {
fileName (string, optional): The file name
newFilePath (string, optional): The new file path
lastModifiedTime (integer $int64, optional): The file
last modified time
size (integer $int64, optional): The file size.
isDirectory (boolean, optional): Specifies whether
the file is directory or not
Page 13
isRegularFile (boolean, optional): Specifies
whether the file is regular file or not
isSymbolicLink (boolean, optional): Specifies
whether the file is symbolic link or not
isOther (boolean, optional): Specifies whether the
file type is other or not
group (string, optional): Specifies the group id
owner (string, optional): Specifies the owner id
permissions (string, optional): Specifies the file
permissions
isShared (boolean, optional): Specifies whether the
folder is shared or not (only present for folders).
}
POST /files/[filePath] Responses Descriptions

400 Bad Request – the returned error message will
tell what was incorrect in the request
404 Not Found
13 Supported Ciphers on MFT 6.0
Unsupported Protocols and Ciphers
Unsupported Ciphers
Blowfish
ARC4
No CBC below 256
3DES
TLS_RSA_*
diffie-hellman-group-14-sha1
Unsupported Protocols
SSLv3
TLS 1.0
TLS 1.1
Supported Protocols and Ciphers

Page 14
The following are supported ciphers and protocols according to Risk and JPMC policy:
AES 256 bit or higher
TLS 1.2 for Protocol
Supported HTTPS Ciphers:
TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Supported SFTP/SCP Ciphers
HMAC
hmac-sha1-96
hmac-sha256
hmac-sha256@ssh.com
hmac-sha2-256
hmac-sha2-512
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
CIPHERS
aes128-ctr
aes192-ctr
aes256-ctr
KEX
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
diffie-hellman-group16-sha512

Page 15
Supported FTPS Ciphers
TLS 1.2
Supported AS2 Ciphers
TLS 1.2
Supported Connect: Direct Ciphers
TLS 1.2
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Support for TLS 1.2 was added in Secure+ for the below versions:

Page 16
Connect:Direct for z/OS version 5.2
Connect:Direct for Microsoft Windows version 4.7
Connect:Direct for UNIX version 4.2
Connect:Direct for i5/OS version 3.8
Supported Restful Webservices Ciphers
14 Standard Operating Procedure
Service • Business Partner connections/VPN services are available for larger

Capabilities file transfer; please refer to Business Partner Engineering for more
information or send an email to JPMC GTI FTS Consulting
• Sustained Resiliency: The service is geographically established for
load balancing between two JPMorgan Chase data centers
• Self-Signed Certificates: JPMorgan Chase supports self-signed
certificates
• File resend capabilities
• Rapid-Fire File Transfers are available and require special build
configurations
• FTS Consulting must perform a technical review for these requests
• FTS Consulting must conduct a technical review of file transfer
requests for files larger than 2GB
• FTS does not provide data storage for file retention; files will be
deleted upon successful download and files that have not been
downloaded will be purged after seven calendar days
• Contact GTI FTS Consulting for additional details.
Connections • Unsecure connections are prohibited

• Only 20 simultaneous connections to an account is permitted at any
time. Connections are throttled after 20.
• Users should upload/download multiple files per session, not one file
per session.

Page 17
• Polling the server for new files must not be done at a rate greater
than four times per hour.
• Improperly logging off can cause a session to remain open for an
extended period of time, causing performance issues, and is
prohibited.
• Keeping an open session without downloading or uploading data is
prohibited.
Security • Any new request or any request to add transfers to existing routes
must be compliant with the security requirements above. Existing
non-compliant routes must be remediated.
• Users must select the appropriate file transfer protocol, encryption,
authentication, and non-repudiation method that adheres to the firm’s
cryptographic standards, including any necessary line of business
encryption requirements. Additional security requirements for lines of
business can be found in the File Transfer Services Technical Guide.
• Customers must upgrade if they are non-compliant.
• The lines of business are expected to:
• Explain policies to customers
• Ensure and enforce customers’ compliance
• Contact the FTS Consulting Group or the assigned
implementation engineer for support in discussion with
customers
• Escalate immediately if the customer is not able/willing to
comply with security standards
• Account IDs and passwords are assigned to specific users and
systems and must not be shared.
• Desktop users must use their SSO credentials
• All Certificates and Keys must be 2048-bit or more in key strength.
Certificates and keys must have an expiration date of two years or
less
• Digital Signatures are supported for non-repudiation of files
• SSH2 keys must use the RSA algorithm
Sustained • DNS/URL routing must be used when connecting to all environments;

resiliency hard-coded IP addresses must not be used as this practice prevents
sustained resiliency.
• External customers and internal clients must not cache the IP
addresses associated with server URLs; this causes connection
problems in the event sustained resiliency is invoked.
• To ensure high availability during sustained resiliency events, service
users must configure their automated retry-on-connection processes
three times at five-minute intervals at the minimum.
File Transfer • Creating any type of directory inside an account is prohibited as it will
Management create system errors.
• Any post processing on a file is prohibited and will cause errors.
• Duplicate downloads of the same file are prohibited.

Page 18
• Processing applications should have controls and alerting in place to
handle late, missing, or duplicate files.
Environments • Running production file transfers in the Customer Acceptance Testing

(CAT) environment is prohibited.
• CAT accounts are deactivated once transfer requests move to
production or are canceled.
• Production setup is not provisioned until the client / line of business
approves CAT results.
Implementation • Any increase in daily transfer volume over 25% requires a retest
request.
• The recommended maximum file size transfer capability on FTS
Servers is 2 GB.
• Transfers for files greater than 2 GB will be reviewed on a case-by-
case basis to ensure that latency or performance issues do not
impact SLAs. Additionally, files greater than 2GB will not be archived
and available for resubmit.
• For PUSH (send) transfer requests, there is an additional 16 to 20-
day lead time to implement Application Connectivity Manager (ACM).
Account & Service • CAT maintenance windows are:

Maintenance • Daily 8 p.m. - 2 a.m. ET for non-impacting changes that can
be implemented without a full system outage
• Biweekly windows for impacting changes that require a full
system outage to implement are:
• Wednesday 8 p.m. ET - Thursday 2 a.m. ET
• Friday 8 p.m. ET - Sunday 8 p.m. ET
• Production Maintenance Window:
• 24x7 maintenance window Saturday night into Sunday

morning, midnight to 8 a.m. EST
• Recovery Time Objective: 2 hours or less
• File transfers should be avoided during the weekly maintenance

window, which runs Saturday night into Sunday morning, midnight to
8:00 a.m. EST.
• Quarterly Maintenance Releases (MRs) are scheduled to apply
hardware and software patches and upgrades to production
environments.
• Accounts that are inactive for more than 13 months are deleted.
• FTS does not provide data storage for file retention; files will be
deleted upon successful download. Files that have not been
downloaded will be purged after seven calendar days.
• Accounts are locked after three invalid login attempts. Contact the
Transmission Control Desk at +1 1-800-990-9217 to request a
password reset.

Page 19
• The environment will experience at least two Production Event
Sustained Swap (PRESS) events per year, where the service will run
Production from the High Availability environments.
• Contact GTI FTS Consulting to learn more about specific security
features
Time to market • Assignment: 2 business days

• Requirements/Build: 10 Business days
1. Technical requirements must be provided by the LOB and or
Customer within 10 business days
2. If the technical requirements are supplied the engineer build
the route within one business day
3. If technical requirements are not received within 10 business
days the request will be canceled.
4. Once the end user has gathered the required information, the
request can be re-opened from cancelled.
• Testing: 10 Business days
1. Once the user completes testing the request can be moved to
production
2. If LOB users take more than 10 days to test the route, the
prod route will be disabled, the CAT route will remain enabled
and close the request with an extended testing exception.
3. The user will call the IOC when ready for the prod account to
be enabled
• On Hold: 10 Business days
1. On hold should be leveraged for ACM and KEON delays only
2. Once the ACM or KEON route has been implemented move
to the testing phase
3. Testing phase SLA’s should be followed
• First Production run: 2 week warranty period
1. Once production setup is ready, engineer puts the request in
production.
2. Inform customer to reach out to the Transmission Control
Service Desk with production issues: +1 1-800-990-9217.
3. Transmission Control will reach out to an assigned engineer if
they get a call/alert/tickets for any first production failure
within two weeks.

Page 20
Appendix A – File Extension Blocking
Top of Form File Type Top of Form File Type

Extension Extension
Bottom of Form Bottom of Form
A6P Authorware 6 Program HMS HostMonitor Script File
AC Autoconfig Script HTA HTML Application
AS Adobe Flash ActionScript ICD SafeDisc Encrypted
File Program
ACR ACRobot Script INX Compiled Script
ACTION Automator Action IPF SMS Installer Script
AIR Adobe AIR Installation ISU InstallShield Uninstaller
Package Script
APP FoxPro Generated JAR Java Archive File
Application
JS JScript Executable Script
APP Symbian OS Application
JSE JScript Encoded File
AWK AWK Script
JSX ExtendScript Script File
BAT Batch File
KIX KiXtart Script File
CGI Common Gateway
LUA Lua Scripting File
Interface Script
MCR 3ds Max Macroscript File
CMD Windows Command
MEM Macro Editor Macro
COM DOS Command File
MPX FoxPro Compiled Menu
CSH C Shell Script
Program
DEK Eavesdropper Batch File
MS 3ds Max Script File
DLD EdLog Compiled Program
MSI Windows Installer File
DS TWAIN Data Source
MST Windows SDK Setup
EBM EXTRA! Basic Macro Transform Script
ESH Extended Shell Batch File OBS ObjectScript Script File
EXE Windows Executable File PAF Portable Application
Installer File
EZS EZ-R Stats Batch Script
PEX ProBoard Executable File
FKY FoxPro Macro
PHP Hypertext Preprocessor
FRS Flash Renamer Script
PIF Program Information File
FXP FoxPro Compiled Source
PL Perl Script File
GADGET Windows Gadget

Page 21
Top of Form File Type Top of Form File Type
Extension Extension
Bottom of Form Bottom of Form
PRC Palm Resource Code File VBS VBScript File
PRG Generica Program File VBSCRIPT Visual Basic Script
PVD Instalit Script WCM WordPerfect Macro
PWC PictureTaker File WPK WordPerfect Macro
PY Python Script WS Windows Script
PYC Python Compiled File WSF Windows Script File
PYO Python Optimized Code XQT SuperCalc Macro File
QPX FoxPro Compiled Query
Program
RBX Rembo-C Compiled Script
REG Registry Data File
RGS Registry Script
ROX Actuate Report Object
Executable File
RPJ Real Pac Batch Job File
SCAR SCAR Script
SCR Script File
SCRIPT Generic Script File
SCT Windows Script
Component
SHB Windows Shortcut into a
Document
SHS Shell Scrap Object File
SPR FoxPro Generated Screen
File
TLB OLE Type Library
TMS Telemate Script
U3P U3 Smart Application
UDF Excel User Defined
Function
VB VBScript File
VBE VBScript Encoded Script
File
Page 22
Appendix C – Known Compatible Software Clients
Examples1 of certified software are provided only as a guide to assist with establishing a successful
connection to JPMC.
Software type Supported Software Versions

PGP Clients GnuPG on RHEL, 2.0
GPG4Win, 2.1.0
PGP Desktop, 9.0.0
PGP Desktop on Win32 9.8.2
Symantec PGP Command Line v9.9 (Proprietary
and licensed software)
Symantec PGP Command Line 9.9 Build 110
AS2 Clients Axway Secure Transport 5.0, 5.2.1, 5.3.0,
5.3.1, 5.3.3, 5.3.5, 5.3.6, 5.4
Axway Gateway 6.16
HTTPS clients Apple Safari 4
Axway Secure Client 5.5, 5.6
Axway SecureTransport Command Line Client
(FDX) 4.5.2, 4.5.3
Axway SecureTransport Rich Internet Client 4.9.x,
5.0
Axway SecureTransport Windows Client 4.5.2
cURL 7.19
Microsoft Internet Explorer 6 SP3, 7, 8
Mozilla Firefox 2.x, 3.x
SFTP clients Axway Secure Client 5.5, 5.6
cURL 7.19
FileZilla 3.3.x
PSCP 0.60
PSFTP 0.60
Tectia Client 6.1
VanDyke SecureFX 6.6.1
WinSCP 4.2.9
Any client that complies with RFCs 4251-4254
HTTP/S servers for Axway SecureTransport 4.7.2, 4.8.2, 4.9.2, 5.0,
server-initiated transfers 5.3.6, 5.4
FTP/S servers for Axway Gateway 6.12
server-initiated transfers Axway SecureTransport 4.7.2, 4.8.2, 4.9.2, 5.0,
5.3.6, 5.4
GlobalSCAPE EFT Server 6
IBM Mainframe FTP/S
Ipswitch WS_FTP Server 7.1
Oracle Solaris 10 FTP Server
SFTP servers for Axway Gateway 6.12
server-initiated transfers Axway SecureTransport 4.7.2, 4.8.2, 4.9.2, 5.0,
5.3.6, 5.4
OpenSSH 5.x
Tectia Server 6.0.7
VanDyke VShell 3.5.3
Browsers
• Microsoft Internet Explorer 11 (Compatibility View is not supported)
Page 23
• Microsoft Edge - latest version
• Mozilla Firefox - latest version
• Apple Safari - latest version (not supported for Administration Tool)
• Google Chrome - latest version (not supported for Administration Tool)
Appendix D – Line of Business Specific Security Requirements

In addition to the firm’s IT Risk Standards and Policies4, some lines of business have implemented
supplemental security requirements. These requirements are documented in this Appendix.
Treasury
Security controls through the use of digital signatures are required for:
1. Any application that processes payment transaction and/or settlement instructions such as: wire
transfer, capital/debt/currency trades and/or settlement instructions.
2. Applications that deal with High Payment value information.
3. Applications that deal with information pertaining to the general ledger or nominal ledger.
The applications used for JPMC MFT are subject to this requirement: Transaction initiation files which are
sent to the bank must be digitally signed.
Appendix G – Production Support Contact Details

Location DID
Argentina 541128221367
Australia 61290038922
Brazil 551149503245
Canada 14169812302
Chile 56224255172
China 862152002565
Germany 496971244509
India 918061383904
Ireland 35316123438
Israel 97297607920
4 See IT Control Procedures CP-2880 and CP-2812.

Page 24
Italy 390288952049
Japan 81367361465
Luxembourg 352462685925
Mexico 525559009713
Netherlands 31207198648
Philippines 63272145525
Poland 48223726130
Russia 74959677287
Saudi Arabia 966112993894
Singapore 6568828987
South Africa 27115070562
Spain 34915161263
Sweden 441793454146
Switzerland 41442068644
Taiwan 886227259631
United Kingdom 442034933380

Page 25

Tech File

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Tech File

Uploaded by

Copyright:

Available Formats

JPMorgan Chase & Co.

Managed File Transfer 6.0

Copyright © 2022 JPMorgan Chase & Co. All rights reserved.

Copyright © 2022 JPMorgan Chase & Co. All rights reserved.

2 CP-2880: Cryptographic Key Lifecycle Management

Copyright © 2022 JPMorgan Chase & Co. All rights reserved.

3. 1 Security at the Data Level (Payload)

3. 2 Adding Certificates and Keys to Production

4 JPMC Environments Used to Receive Files

SFTP / FTPS / AS2 / HTTPS Environments

Production fts3.mfts.jpmchase.com (159.53.46.33 & 159.53.110.33)

Copyright © 2022 JPMorgan Chase & Co. All rights reserved.

5 AS2 Connectivity Requirements

AS2 Cert CA Entrust

Port Inbound (from Client to 10443 (HTTPS)

Port Outbound (from JPMorgan 443 (HTTPS)

Receive Encryption Type Triple DES

Receive Signature Type SHA256

Send Encryption Type Triple DES

Send Signature Type SHA256

AS2 URL CAT https://ftscat2.mfts.jpmchase.com

AS2 URL PROD https://fts3.mfts.jpmchase.com

Copyright © 2022 JPMorgan Chase & Co. All rights reserved.

8 Data-level (Payload) Encryption - File Encryption and Signing

Copyright © 2022 JPMorgan Chase & Co. All rights reserved.

8.1 JPMC PGP Security Rules

9 JPMC Key Management Requirements

JPMC MFT adheres to these key standards:

9.2 Internet Source Address Filtering Requirements

9.3 Alternative Solution

Registered IP Address Netblock details

11 JPMC Inbound URL/IP addresses and Ports

12 MFT RESTful API Webservices

GET /files Parameter Descriptions

Parameter Description Location Data Type

GET /files Responses Descriptions

Status Reason Data Type

Copyright © 2022 JPMorgan Chase & Co. All rights reserved.

12.2 POST Uploads File to the User Home Folder

POST /files Parameter Descriptions

Parameter Description Location Data Type

POST /files Responses Descriptions

Status Reason Data Type

Copyright © 2022 JPMorgan Chase & Co. All rights reserved.

GET /files/[filePath] Parameter Descriptions

Parameter Description Location Data Type

GET /files/[filePath] Responses Descriptions

Status Reason Data Type

12.4 POST an Update to a File’s Metatdata

POST /files/[filePath] Parameter Descriptions

Parameter Description Location Data Type

POST /files/[filePath] Responses Descriptions

Status Reason Data Type

13 Supported Ciphers on MFT 6.0

Unsupported Protocols and Ciphers

Supported Protocols and Ciphers

AES 256 bit or higher

TLS 1.2 for Protocol

Supported HTTPS Ciphers:

Supported SFTP/SCP Ciphers

Copyright © 2022 JPMorgan Chase & Co. All rights reserved.

Supported AS2 Ciphers

Supported Connect: Direct Ciphers