Swift 5

SWIFT

Swift.com Support services

For SWIFTNet 7.0

Self-help Guide

This self-help guide provides recommendations and guidelines on how you can troubleshoot the SWIFT environment.

20 January 2012

Self-help Guide Table of Content

20 January 2012 2

Table of Contents 1 The SWIFT environment in a nutshell .................................................................................... 3

1.1 Introduction ............................................................................................................................. 3 1.2 Message flows ........................................................................................................................ 4

1.2.1 SWIFTNet FIN using a FIN CBT through an Alliance Gateway ......................................... 4 1.2.2 Accessing a SWIFTNet Browse service from an Alliance WebStation ............................... 5 1.2.3 An Alliance WebStation / Alliance WebPlatform Browse connected to an Alliance Gateway

............................................................................................................................................ 5

2 Maintaining the SWIFT environment ...................................................................................... 6

2.1 Regular activities ..................................................................................................................... 6 2.1.1 Daily activities ..................................................................................................................... 6 2.1.2 Weekly activities ................................................................................................................. 6 2.1.3 Monthly activities ................................................................................................................ 6 2.1.4 Mid-Year activities .............................................................................................................. 6

2.2 Best practices .......................................................................................................................... 6 2.2.1 For a system upgrade ......................................................................................................... 6 2.2.2 For resilience ...................................................................................................................... 7

3 Troubleshooting ....................................................................................................................... 8

3.1 FIN CBT .................................................................................................................................. 8 3.2 Alliance WebStation ................................................................................................................ 9 3.3 Customer network .................................................................................................................10 3.4 Alliance Gateway ..................................................................................................................13 3.5 SWIFTNet Link ......................................................................................................................14 3.6 Connection between SWIFTNet Link and the VPN box .......................................................15 3.7 5XT VPN box ........................................................................................................................16 3.8 SSG5 VPN box (Alliance Connect) .......................................................................................18 3.9 Connection between SWIFTNet Link and the HSM box .......................................................20 3.10 HSM box ...............................................................................................................................21 3.11 Alliance WebPlatform ............................................................................................................24 3.12 PKI & Online Operations Manager ........................................................................................25 3.13 RMA ......................................................................................................................................25

4 Reporting a problem .............................................................................................................. 26

4.1 Methodology ..........................................................................................................................26 4.2 Collecting evidences .............................................................................................................27

4.2.1 Alliance Access/Entry ....................................................................................................... 27 4.2.2 Alliance WebStation ......................................................................................................... 27 4.2.3 Alliance Gateway .............................................................................................................. 27 4.2.4 SWIFTNet Link ................................................................................................................. 28 4.2.5 The HSM box .................................................................................................................... 28 4.2.6 Alliance WebPlatform ....................................................................................................... 29

5 SWIFTSupport services ......................................................................................................... 30

5.1 Organization ..........................................................................................................................30 5.2 Services ................................................................................................................................30

Self-help Guide The SWIFT environment in a nutshell

20 January 2012 3

1 The SWIFT environment in a nutshell

1.1 Introduction

Preamble

A typical SWIFT customer environment consists of a combination of individual components that interact with each other to provide messaging services. Use this section as your reference and your glossary.

Throughout this document, references are made to additional SWIFT documents in the following annotation: SWIFTSupport_Self_Help_Guide - The SWIFT environment in a nutshell. You can find the documents on the software installation CD or on the www.swift.com website (Recommended). There are links to the documents when you use the electronic version of this guide on the Internet.

Glossary

1. FIN CBT

Software product that processes and that exchanges FIN messages, by using the FIN application through the SWIFT network. Alliance Access and Alliance Entry are FIN CBT products that are provided by SWIFT. As of now, these CBT products also offer the functionality to send messages for your Solutions through the Alliance Messenger (On Alliance WebPlatform) interface.

2. HSM

Hardware Security Module. A hardware device that is tamper-resistant and that ensures the secure storage and the processing of PKI secrets. There are three types of HSM devices: HSM boxes, HSM tokens, and HSM cards and card readers. Only one type of HSM is supported on the same SWIFTNet Link.

3. HTTPS

Secure Hypertext Transport Protocol. A protocol that is used in order to access web servers that are hosted on SWIFTNet. The HTTPS proxy, which is a part of Alliance Gateway, is used for routing purposes.

4. MQ

Message Queue. IBM middleware component that is used in order to link back-end applications through the Alliance Gateway.

5. PKI

Public Key Infrastructure certificate. SWIFT acts as the certification authority on SWIFTNet.

6. RA

Remote API. SWIFT middleware component that is used in order to link back-end applications and workstations to Alliance Gateway, which acts as the messaging concentrator.

7. SNL

SWIFTNet Link. Mandatory SWIFT software component that is required in order to connect to SWIFTNet.

8. Vendor Product

Product that is offered by a SWIFT partner and that allows to connect to additional services hosted on SWIFTNet. These products have an embedded SWIFTNet Link, or they connect to Alliance Gateway.

9. VPN box

Virtual Private Network hardware device. Mandatory SWIFT network component for the connection to MV-SIPN. A VPN box implements network security that is based on IPsec.


20 January 2012 4

1.2 Message flows

Introduction

Four message flows for typical SWIFTNet services are described below. The diagram illustrates each message flow.

1.2.1 SWIFTNet FIN using a FIN CBT through an Alliance Gateway

In a SWIFTNet single-window infrastructure, based on Alliance Gateway, the basic SWIFTNet FIN message flow consists of the following steps.

1. FIN messages are built in the FIN CBT. FIN messages can be entered directly by using a screen-based message entry product, or they can be entered through a link to a back-office application.

2. The FIN CBT creates the SWIFTNet FIN protocol envelope for the message and sends it through the customer network to the Alliance Gateway, by using the Remote Application or the Message Queue software on the FIN CBT.

3. The Alliance Gateway receives the message through the corresponding host adaptor. Then it calls the local SWIFTNet Link software in order to request transportation through SWIFTNet.

4. The SWIFTNet Link encapsulates the message payload with a SWIFTNet message envelope, and sends it through an established TCP/IP connection to the VPN box.


20 January 2012 5

5. The VPN box has established IPsec tunnels with the SWIFTNet central systems through the MV-SIPN network. These tunnels are established over physical lines between your premises and the MV-SIPN Backbone Access Points.

6. The SWIFTNet central systems are connected to the FIN application servers at SWIFT, which send back a SWIFTNet FIN response to the initial FIN CBT.

7. When a FIN ACK response message is received, you are assured that the FIN application will deliver the original message to the intended receiver. On the other hand, a NAK message indicates that an error occurred and that the message cannot be delivered to the intended receiver.

1.2.2 Accessing a SWIFTNet Browse service from an Alliance WebStation

Using an Alliance WebStation directly connected to SWIFTNet:

1. SWIFTNet Browse services are offered by organisations that have a Web Server that is connected to the SWIFTNet network. The access to the external Web Server is accomplished by creating an HTTPS request on a standard Web Browser product that runs as part of the Alliance WebStation. This standard Web Browser product can be Internet Explorer or Netscape Navigator.

2. The HTTPS request is sent through a new TCP/IP connection to the VPN box. Then this request is sent further to the external Web Server.

3. The Web Server collects the data and responds to the HTTPS request. It returns the response to the Alliance WebStation browser.

1.2.3 An Alliance WebStation / Alliance WebPlatform Browse connected to an Alliance Gateway

Similar to SWIFTNet FIN, other SWIFTNet services can also be accessed through an Alliance WebStation / Alliance WebPlatform Browse that is connected to a SWIFTNet single-window infrastructure that is based on Alliance Gateway. However, the step 2 is replaced by the following two steps:

1. The HTTPS request is sent through the customer network to the HTTPS proxy that runs on the Alliance Gateway.

2. The HTTPS request is sent through the MV-SIPN network to the external Web Server.

Note Similar flows are applicable for vendor applications and for other SWIFTNet InterAct services or SWIFTNet FileAct services.

Self-help Guide Maintaining the SWIFT environment

20 January 2012 6

2 Maintaining the SWIFT environment

2.1 Regular activities

2.1.1 Daily activities Back up the system and the application data

Monitor the systems and review the error logs

Login to FIN to process messages that have been received

Export the RMA authorisations and distribute them to your other applications, if required

Open and empty their generic queue(s) regularly

2.1.2 Weekly activities Check the SWIFTNet Link connectivity after a weekend when SWIFTNet maintenance

activities are performed (see www.swift.com/support for the planning of the full year)

Check the connection to the HSM box by performing the SwHSMSelfTest command

Archive the Alliance Gateway logs and journals

Archive and backup the Alliance Access and Entry messages and events

2.1.3 Monthly activities Restart SWIFTNet Link and Alliance Gateway, in order to ensure that the processes that

use certificates are stopped. By performing this restart, the certificates can be renewed the next time that they are used to log on.

Open all the PKI certificates at least once. Use the CertInfo command (see SWIFTNet Link 7.0 - Operations Guide - Certificate Management for SWIFTNet Link on the SWIFTNet Link on User handbook online)

Back up all the PKI certificates after you have opened them. Use SNL_BackUp.pl command to backup files for a specific SNL instance and use SwHSMBackupRestore.pl command to backup all SWIFTNet PKI certificates & SSL certificate contained within the HSM box.

Test the unused spare VPN box (see the VPN box section in this guide)

Check the correct functioning of your fallback connectivity.

2.1.4 Mid-Year activities Reboot all your HSM boxes

2.2 Best practices

2.2.1 For a system upgrade

Before installation

Take a full system backup

Note the version of the operating system and patches

Read the release letter and check the operating system release and patch levels

Check the Knowledge Base for any known issues

After installation

Take a full system backup

http://www.swift.com/support/

Self-help Guide Maintaining the SWIFT environment

20 January 2012 7

Back up all the PKI certificates after you have opened them. Use the SNL_BackUp.pl command (see SWIFTNet Link 7.0 - Operations Guide - Backup/Restore for SWIFTNet Link on User handbook online)

Run the swiftnet status, command and save the output in a new reference file. Do this when the SWIFTNet Link is running.

2.2.2 For resilience Building a resilient infrastructure can be done by duplicating the components in various

configurations. Your prime site should not contain any single point of failure. This ensures that you can continue the operation in case of a failure of a component, instead of having to wait until the component has been replaced. See the SWIFTNet Resilience Guide for the possible configurations. Back up all the PKI certificates after you have opened them.

For critical operations, SWIFT recommends that you build a disaster site to continue the operation after a major problem in the prime site. It should be possible to switch to the disaster site in 2 hours and to start the processing of the business traffic in 4 hours after a prime site failure. The disaster site should be kept up-to-date and the fail-over procedures should be tested twice per year.

Alternatively, you can also spread the operations over two sites that are simultaneously active. Procedures to re-route the traffic to one site in order to cope with a site failure should also be tested twice per year. Special care should be taken on the organisational aspects and on the usage of PKI certificates in recovery scenarios.

https://www2.swift.com/search/kb/fetchTip.faces?tip=913502

Self-help Guide Troubleshooting

20 January 2012 8

3 Troubleshooting

3.1 FIN CBT

FIN CBT - Table of symptoms

Symptom Investigation Action

Unable to login to FIN 1. FIN logical error received, for example, L33 or S33 (Login or Select sequence number error)

Correct the error according to the error description and send another Login.

See SWIFT Knowledge Base –FIN Error Codes and the FIN error codes for Login, Select and Abort

2. FIN CBT error Check the error message and the related events. Correct the problem (for example, disk space error) and send another Login.

See the FIN CBT documentation from the vendor.

3. FIN CBT connectivity to SWIFTNet

Check the events in the CBT and check the connectivity to the next component.

Continue with the SWIFTNet Link section in this guide or with the customer network section in case an Alliance Gateway is used.

FIN session is aborted 1. APC or FIN abort error received in the CBT logs, for example, A90

This problem may occur due to an intervention at SWIFT. We recommend that you activate the Auto Re-connect feature, in order to minimise the duration of the disconnection.

See SWIFT Knowledge Base – FIN Error Codes, and SWIFTNet FIN errors

2. SWIFTNet FIN protocol errors in the CBT logs, for example, FS012, SA100, SS100

See SWIFTNet Link error codes - SWIFTNet FIN errors

In case of frequent aborts, check the FIN CBT connectivity to SWIFTNet.

Continue with the SWIFTNet Link section in this guide or with the customer network section in case an Alliance Gateway is used.

FIN messages are rejected with a NAK error code

Message format errors, for example, T13 or H20 (Text error or Header error)

NAKed messages are kept in a message correction queue for manual correction. Check the FIN error code in field 405 of the NAK message. The message can be corrected and can then be re-sent later on.

See SWIFT User Handbook – FIN Error Codes

FIN messages are 1. FIN CBT not ready Ensure that all the FIN Logical





https://www2.swift.com/kb/index.cfm?item_name=488030

https://www2.swift.com/kb/index.cfm?item_name=488030


20 January 2012 9


queued up in the FIN CBT

Terminals are fully logged in (see above)

2. Verify the size of the components

Check the system specifications with the recommended sizing

See SWIFTNet Connectivity Packs

3.2 Alliance WebStation

Alliance WebStation - Table of symptoms


Unable to log on to a stand-alone Alliance WebStation

1. Problem with the authentication of the user on the HSM

Check whether the cables are correctly connected, and whether the HSM is correctly inserted.

See Alliance WebStation User Guide - Daily logon procedure.

Verify whether the certificate is still valid, and recover the certificate if necessary (Security Officer profile required).

See Alliance WebStation User Guide - Recovering Your User Certificate

2. Problem with the connectivity to SWIFTNet

Use the Online Check Link tool or run the command testtcp.bat.

See Alliance WebStation User Guide - Verifying the connection to SWIFTNet

In case of failure, check the connection between SWIFTNet Link and the VPN box.

Unable to log on to Alliance Gateway

1. SwGUI.203.007: Logon failed.

Click on ―More Info...‖

Sw.04.002: Could not create the security context

Sag:System.001.001: Operator is not entitled to perform the operation

The SWIFTNet user or the Alliance Gateway operator is not properly defined.

Check whether the entered user name is an enabled SWIFTNet user. Check whether the certificate that is linked to the user is still valid at SNL level, and recover the certificate if necessary.

See Alliance Gateway Operations Guide - The SWIFTNet Users module: Managing certificates used by SWIFTNet users

Otherwise, continue with the SWIFTNet Link section in this guide.

Check whether the entered user name is a valid and an enabled Alliance Gateway operator. Check whether the entered password is

http://www.swift.com/solutions/connectivity/connectivity_products/alliance_connect_overview.page?

http://www.swift.com/solutions/connectivity/connectivity_products/alliance_connect_overview.page?

https://www2.swift.com/uhbonline/books/protected/en_uk/7_0_sab_user_guide_20101231/index.htm








https://www2.swift.com/uhbonline/books/protected/en_uk/7_0_sag_ops_guide_20101231/index.htm





20 January 2012 10


correct.

See Alliance Gateway Operations Guide - The Operators module

2. SwGUI.203.010:

The connection with the SAG is lost or cannot be established

There is a problem with the connectivity to Alliance Gateway.

See the customer network section and the SWIFTNet Link section in this guide.

Unable to connect to a Web Server

1. Web Server unreachable

Run checkip <URL><port> TCP

See the SWIFT CheckIP User Guide. Contact the service provider for the correct URL and for information about the port number

2. Problem with the validity of the SWIFTNet Browse certificate

Check the validity of the certificate in the standard browser configuration and in the preferences. Recover the certificate if needed (Security Officer profile required)

See Alliance WebStation User Guide - Managing SWIFTNet Users, Browse Users, and Message Routing Rules

3. HTTPS proxy server on

Alliance unreachable

Run checkip <HTTP proxy IP address><HTTP listening port> TCP

See SWIFT CheckIP User Guide

In case of failure, verify the settings of your browser, then check the customer network components and the status of the HTTPS proxy.

See Alliance Gateway Operations Guide - Configuring Browse Traffic

4. User not activated by the service provider (CUG 001 error)

Contact the service provider in order to request the activation of the user on the service

3.3 Customer network

Customer network - Table of symptoms


Connection problem between Alliance Gateway and a vendor product, the FIN CBT or Alliance WebStation

1. Connectivity with the applications that are based on Remote API (RA)

On the RA host:

Run sag_system –saguser <username> -sagpwd <passwd> -- status system

See Alliance Gateway Remote API Operations Guide - Remote Administration of SAG on User



https://www2.swift.com/uhbonline/books/protected/en_uk/snl_7_0_ops_guide_20101231/index.htm










https://www2.swift.com/uhbonline/books/protected/en_uk/7_0_sag_ra_ops_guide_20101231/index.htm




20 January 2012 11


handbook online.

In case of failure:

- Run ping <SAG host> in order to check the connectivity at IP level, and check the firewall configuration

- Run telnet <SAG host> <SAG port> and verify whether the listening port exists for the hostname that is provided in the sagta_ra.cfg.

See Alliance Gateway Security Guide - Security Configurations and the SWIFTNet Network Configuration Tables Guide - Alliance Gateway customers on the User handbook online.

— Check whether the SAG bootstrap is started

See Alliance Gateway Operations Guide - The Alliance Gateway Bootstrap

— Check whether the IP address, the port number and the SSL mode are correctly configured on both the RA host and the SAG host

See Alliance Gateway Remote API Operations Guide - Configuring Remote API on User handbook online.

If the command is successful, then the problem could be intermittent

— Check the dynamic parameters of the firewall

See SWIFTNet Network Configuration Tables Guide -Alliance Gateway customers on User handbook online

— Check the logs of the network components between RA and SAG, for dropped packets

2. Connectivity with applications that are based on Message Queue (MQ)

Run ping tests

— from the SAG host to the Queue Manager host

— from the application host to the Queue Manager host

In case of failure, check the network components between the application host and the SAG. Check the log files of the components for any dropped packet.

See Alliance Gateway Security Guide - Security Configurations,

https://www2.swift.com/uhbonline/books/protected/en_uk/7_0_sag_security_guide_20101231/index.htm











20 January 2012 12


and the SWIFTNet Network Configuration Tables Guide - Alliance Gateway customers on User handbook online.

Check the configurations of the components

— MQHA on the SAG computer

— Queue Manager and queues

— MQ configuration in the application software

— the SSL mode that is used

See Alliance Gateway MQ Host Adapter Configuration Guide.

Run a complete connectivity test

— Run mq_test_connect after you have configured the SAG and the MQ series appropriately

See Alliance Gateway MQ Host Adapter Configuration Guide – Testing Connectivity with mq_test_connect.

Also see the documentation about the configuration of the vendor product.

3. Connectivity with Alliance WebStation

Check the WebStation configuration

— Run WebStationConfig.exe, and check whether the configuration corresponds with the SAG configuration.

See Alliance WebStation Installation Guide - Configuring Alliance WebStation on User handbook online

Check the connectivity

— Run ping <SAG host>

— Run checkip <SAG host> <RAHA port> <TCP>


In case of failure, verify whether the network components between SAB and SAG are correctly configured. Also verify that no dropped packets are observed in the component’s log files.

See Alliance Gateway Security Guide - Security Configurations and the SWIFTNet Network Configuration Tables Guide - Alliance Gateway customers on User handbook online.

https://www2.swift.com/uhbonline/books/protected/en_uk/7_0_sag_mqha_config_guide_20101231/index.htm






https://www2.swift.com/uhbonline/books/protected/en_uk/7_0_sab_inst_guide_20101231/index.htm







20 January 2012 13

3.4 Alliance Gateway

Alliance Gateway - Table of symptoms


Messages are not received in the server application

Event Journal reports:

Sag:APL-I – 9 – Server unreachable

or

Sag: APL-I – 50 – Request time-out

Check whether the server that is identified for this Message Partner is still running.

Check the network components between the server application and the SAG for dropped packets.

Restart the server application in order to reconnect to the SAG.

If unsuccessful, continue with the SWIFTNet Link section and the customer network section in this guide

Operational problem with the Alliance Gateway subsystems

The Event Journal reports errors that are related to processes

Use the SAG admin GUI or run sag_system –saguser <username> -sagpwd <passwd> -- status Overview

See Alliance Gateway Operations Guide - Using the sag_system Tool

If a number of activated subsystems are not started, then restart the subsystems by using the SAG Admin GUI or by launching the command sag_system -- start

Problems with the file transfer

1. The monitoring application reports that files were rejected or that files failed

Check if the configuration is correct

See Alliance Gateway Operations Guide - Using SAG commands and tools

Send a test message with default parameters, by running sag_test_connect

–snuser <username> -snpwd <password> -fileact

See Alliance Gateway Operations Guide - Checking an Alliance Gateway Connection (sag_test_connect)

See the SWIFTNet Link section in this guide

2. Rejection by the counterparty

Files can be rejected by your counterparty (for example, because of insufficient disk space). Contact your counterparty and agree on appropriate actions.

Local Authentication The Event Journal reports Check the definition of the












20 January 2012 14


(LAU) failure the error:

Message Partner authentication failed

Message Partner, and the configuration of the application.

See Alliance Gateway Operations Guide – The Application Interface module

3.5 SWIFTNet Link

Prerequisite

Before you further investigate SWIFTNet Link, you should run the selftest command.

This command will check whether the SNL subsystems are running, whether you have connectivity to SWIFTNet, and whether you can send a test message to the SWIFTNet central systems by using your SWIFTNet Link certificate.

The output of the command must be:

SWIFTNet Subsystems: Up

IP Connectivity Test: Success

InterAct Test : Success

Heartbeat Test: Success

If the selftest command fails:

If IP Connectivity Test is not successful, then investigate the connection between SWIFTNet Link and the VPN box

Look at the selftest log, which you can find in the log directory. Investigate further as mentioned below.

SWIFTNet Link - Table of symptoms


Messages are rejected by SWIFT

Network transmission errors are reported

Check the configuration of the components that are running on top of SWIFTNet Link (for example, roles and profiles)

See SWIFTNet Link Error codes - Detailed Codes Returned by SNL API

Errors:

TPESYSTEM – Local domain is down.

Or:

selftest resulted in SWIFTNet Subsystems: Not Up

1. SWIFTNet Link Processes not Up

Run swiftnet status –c –h

See SWIFTNet Link 7.0 - Operations Guide on User handbook online

Compare the output with the saved output taken during business operation activities (see the section Best practices for a system upgrade in this guide). If the output is different, then restart the affected components

2. SWIFTNet Link connectivity towards SWIFTNet

Run swiftnet checkip


If successful, check the network




https://www2.swift.com/uhbonline/books/protected/en_uk/snl_7_0_error_codes_20100831/index.htm





20 January 2012 15


components between SNL and the VPN box for dropped packets.

In case of failure, make sure that the network components between SNL and the VPN box are correctly configured

See SWIFTNet Network Configuration Tables Guide on User handbook online. Also see the section Connection between SNL and the VPN box in this guide

Errors:

Security kernel initialization resulted in error.

Or:

selftest resulted in InterAct Test failed

3. The certificate has expired

Run certlist and check the expiry date of your SWIFTNet user.

Recover the certificate if expired.

If your SNL certificate is expired, then a SWIFT offline intervention will be required (Tip 35582)

See SWIFTNet Link Operations Guide - Certificate Management for SWIFTNet Link on User handbook online

4. Certificate password Run CertInfo –u <profile> -p <password>

Recover the certificate if the password is lost.

See SWIFTNet Link Operations Guide - Certificate Management for SWIFTNet Link on User handbook online

3.6 Connection between SWIFTNet Link and the VPN box

Connection between SWIFTNet Link and the VPN box - Table of symptoms


Connection problem between the SWIFTNet Link host and the VPN box

VPN box unreachable Run swiftnet checkip from the SNL host

See SWIFT CheckIP user Guide

— If the result is CHECKIP-GLOBAL-SUCCESS, then the connectivity is OK

— If the result is something else, then check whether the configuration of your network components, such as DNS, routers and firewalls, is compliant with the Network Access Control Guidelines on User handbook online. To test the connectivity of your VPN box, you can also execute the ping command.

For a primary VPN box: ping 149.134.255.254

For a secondary VPN box:









20 January 2012 16


ping 149.134.255.253

— If no problems are found in the network components, then look at the state of your VPN box: see the VPN box section in this guide

If the command is successful, then the problem could be intermittent

— Check the dynamic parameters of the firewall (for example, the session idle timeout must be minimum 1 hour)

See SWIFTNet Network Configuration Tables Guide - Principles on User handbook online

— Check the logs of the network components for dropped packets

Note To reduce complexity, SWIFT strongly recommends that you have the SNL host and the VPN boxes in the same location (see the recommended configuration that is described in the Network Access Control Guidelines).

3.7 5XT VPN box

VPN box - Table of symptoms


Problem with the connectivity between the VPN box and SWIFTNet

1. Problem with the cabling

The cabling for the various VPN box configurations is described in the Dual-P Access Configuration for MV-SIPN User Guide, and in the VPN box Installation Guide for Dial-up Connections - Troubleshooting on User handbook online

2. Problem with the connectivity of the VPN box

Check the LED status on the front panel of the box. If the LEDs are different from those that are shown below, then the box is in an invalid state. Check the procedure for correction in the Dual-P Access Configuration for MV-SIPN User Guide, and in the VPN box Installation Guide for Dial-up Connections - Troubleshooting on User handbook online

Note: In a Dual-P configuration, both VPN boxes carry traffic into MV-SIPN in an alternating way, and they communicate through the link between each other

3. Dual-P Active VPN box (box with active customer LAN interface)

Standby VPN box (box with standby customer LAN interface)

https://www2.swift.com/uhbonline/books/protected/en_uk/sn_7_0_network_access_control_guide_20100430/index.htm


20 January 2012 17


4. Dual-I Active VPN box (box with active customer LAN interface)

Standby VPN box (box with standby customer LAN interface)

5. Dial-up Active VPN box

Spare VPN box

The spare dial-up VPN box should be regularly tested, to ensure that it remains operational. Connect the box to the electrical supply, with no other cables, and verify the LED status as indicated below

Dial-up connectivity problem

1. ISDN connectivity

Check the LEDs of the ISDN Terminal Adapter

Check whether the power is on: must be red

If one or more LEDs are blinking, then the device has encountered an error:

— Reset the ISDN Terminal Adapter by unplugging and reconnecting the power cable. Check whether this solves the problem

— Reset the VPN box: unplug the power cable and then plug it in again

If none of the ISDN LEDs light up, then verify that the ISDN cable is correctly plugged in

— Execute the swiftnet dialtest command, in order to verify whether all the telephone numbers that are configured in the VPN box can be dialled

2. PSTN connectivity

Check the PSTN modem


20 January 2012 18


If the modem cannot successfully establish a connection (CD blinking red, the LED with the number corresponds with the selected bandwidth):

— Verify that your telephone cable is correctly plugged in

— Test the telephone line

— Reset your modem

— Reset your VPN box: unplug the power cable and then plug it in again

— Execute the swiftnet dialtest command, in order to verify whether all the telephone numbers that are configured in the VPN box can be dialled

3.8 SSG5 VPN box (Alliance Connect)

VPN box - Table of symptoms


Problem with the connectivity between the VPN box and SWIFTNet

1. Problem with the cabling

The cabling for the various VPN box configurations is described in the Implementations Guide of Alliance Connect on www.swift.com, Alliance Connect Bronze/Silver/Gold, additional information.

Alliance Connect

2. Problem with the connectivity of the VPN box

Check the LED status on the front panel of the box.

Please check Alliance Connect Resiliency Testing Scenarios or Alliance Connect Implementation guide for Bronze/Silver/Gold.

3. Bronze/Silver/Gold a. RJ-45 cable from Ethernet port 0/2-A to Ethernet port 0/2-B

b. RJ-45 cable from Ethernet port 0/3-A to Ethernet port 0/3-B

c. RJ-45 cable from Ethernet port 0/6-A to customer's LAN switch

d. RJ-45 cable from Ethernet port 0/6-B to customer's LAN switch

e. RJ-45 cable from Ethernet port 0/0-A to primary router

f. RJ-45 cable from Ethernet port 0/1-B to secondary router

http://www.swift.com/

http://www.swift.com/solutions/connectivity/index.page?lang=en


20 January 2012 19


connectivity problem

1. Firewall in between VPN boxes and Internet router

1. 1. Allow connectivity to SWIFT public IP addressing range from its source IP address to destination IP address 149.134.0.0/16 (range 149.134.0.0 to 149.134.255.255).

2. Open the following ports: UDP/IKE 500, UDP/NAT-T 4500, and ESP IP protocol 50.

1) Contact your Internet Service Provider (ISP) and make certain these IP addresses and ports are not being blocked.

2) Logon to the WebGUI from your SNL (https://149.134.255.252) and check the alarms.

3) Download the Connectivity Test Tool from the Knowledge Base (see Tip 3000419) and run the tool, as mentioned in the document Tip 3000419

The tool can now be downloaded from swift.com at the following link.

http://www.swift.com/products/alliance_connect_bronze

http://www.swift.com/products/alliance_connect_silver

2. VPN boxes not co-located

1. Customers may not implement network equipment along the length of both direct connections between the 2 VPN boxes.

2. The standard distance between VPN boxes is 3 meters, which is a fully supported configuration.

2. 3. Configurations that have a distance of more than 100 meters or that have layer 2 networking devices (or both) may work, but SWIFT does not support these configurations.

• Other configurations may work but SWIFT does not support them.

LED status Before enrolment Primary VPN box (labeled A) Power : green solid Status : green blinking port 0/0 TX/RX/RX : green blinking link port 0/0: green solid port 0/2 TX/RX : off link port 0/2: off port 0/3 TX/RX : green blinking link port 0/3: green solid port 0/6 TX/RX : short blinking after connection is made link port 0/6: green solid

Secondary/ backup VPN box (labeled B) Power : green solid Status : green blinking port 0/1 TX/RX : green blinking link port 0/1: green solid port 0/2 TX/RX : off link port 0/2: Off port 0/3 TX/RX : green blinking link port 0/3: green solid port 0/6 TX/RX : short blinking after connection is made

https://149.134.255.252/

https://www2.swift.com/support/knowledgebase/tip/3000419






20 January 2012 20


link port 0/6: green solid

After enrolment link ports should show activity (blinking green)

Primary VPN box (labeled A) Power : green solid Status : green blinking port 0/0 TX/RX/RX : green blinking link port 0/0: green solid port 0/2 TX/RX : green blinking link port 0/2: green solid port 0/3 TX/RX : green blinking link port 0/3: green solid port 0/6 TX/RX : short blinking after connection is made link port 0/6: green solid

Secondary/ backup VPN box (labeled B) Power : green solid Status : amber blinking port 0/1 TX/RX : green blinking link port 0/1: green solid port 0/2 TX/RX : green blinking link port 0/2: green solid port 0/3 TX/RX : green blinking link port 0/3: green solid port 0/6 TX/RX : short blinking after connection is made link port 0/6: green solid

VPN box freeze Speed/duplex setting Please make certain speed setting is set properly, as mentioned in Tip 3000688

Requirement to change from static IP to DHCP for backup VPN box

When you change your IP configuration to DHCP the IP address does not seem to be updated.

Tip 3000625

3.9 Connection between SWIFTNet Link and the HSM box

Connection between SWIFTNet Link and the HSM box - Table of symptoms


Connection problem between the SWIFTNet Link host and the HSM box

HSM box unreachable - Run perl SwHSMSelfTest.pl and check the results

- If the selftest output shows a connectivity issue, contact your network department, to verify the network components between the SNL host and the HSM box. If there is a firewall between the SNL host and the HSM box, then check the firewall for dropped packets.

- Login to the HSM box with an admin user through a serial connection, and verify the IP settings of the HSM box by using the following commands:

system hostname show


20 January 2012 21


network interface show

If the settings are not correct, then follow the instructions in the SWIFTNet Link 7.0 - HSM Operations Guide

3.10 HSM box

HSM box - Table of symptoms


User profile is locked The user profile that is present on the HSM box becomes locked after five unsuccessful logon attempts to a certificate.

If the user can obtain the current password, then the admin account, or any other user with the admin role, can use the unlock option. Unlocking the partition restores the working state of the partition for the current password.

See Hardware Security Module Operations Guide - Section 3.13 - Unlock Partitions on User handbook online.

If the user cannot get the current password, then the partition must be initialised and the profile must be recreated by using the CA secrets. Note: This requires PED operations.

See Hardware Security Module Operations Guide - Section 3.12 – Initialise partition on User handbook online

HSM box configuration fails

PIN Entry Device (PED) gives a timeout error

If a timeout occurs before you have completed a PED operation, then you must follow these instructions:

1. Press and hold the CLEAR button on the PED for at least five seconds.

2. In the message dialog box, click OK.

The PED receives the task instruction from the HSM box, and you can start the sequence of PED operations again.

For the procedure, see Hardware Security Module Operations Guide - Section 2 - HSM Box Configuration and Administration. The PED must also be reset by using the power switch that is located on the side of the PED.

CKR_PIN_LOCKED error on HSM boxes

The partition on the HSM box is locked after five consecutive unsuccessful login attempts to a certificate and caused customer not able to login

If password is known:

This procedure can be applied if the password is known. This command requires use of the PIN Entry Device.

Before issuing this command, you must have the Security Officer PIN Entry Device key, and access to the primary HSM box.

This command can only be performed on the primary node.

https://www2.swift.com/uhbonline/books/protected/en_uk/snl_7_0_hsm_ops_guide_20101231/index.htm











20 January 2012 22


Double-click the SWIFTNet Link icon on the Windows desktop or browse to the the SWIFTNet Link swiftnet\bin directory on UNIX.

Type the command:

Syntax:

perl SwHSMManagePartitions.pl -U -h <HSM Box IP address> -p <Partition Name SWIFTNet user profile>

Example:

SwHSMManagePartitions.pl -U -h 149.134.5.3 -p HSM1:PNYBB01

If password is not known:

A user with the HSM admin account can not reset the partition password. If the password is lost, you must re-initialise the partition and set up the user for recovery.

You must have access to the HSM box before issuing this command.

This command can only be performed on the primary node.

The command requires both PIN Entry Device keys:

Security Officer PIN Entry Device key, and

User PIN Entry Device key.

Double-click the SWIFTNet Link icon on the Windows desktop or browse to the the SWIFTNet Link swiftnet\bin directory on UNIX.

Type the command:

Syntax:

perl SwHSMManagePartitions.pl -R -h <HSM box ip address> -p <Partition Name SWIFTNet user profile> [-i<HSM Username>]


20 January 2012 23


Example:

perl SwHSMManagePartitions.pl -R -h 149.134.5.3 -p HSM2:PNYBB01

or with Admin password:

perl SwHSMManagePartitions.pl -R -h 149.134.5.3 -p HSM2:PNYBB01 -i bsmith

Setup for recovery and recover SWIFTNet user profile after re-initialisation

After you have re-initialised the partition, you must recover the profile back on to the partition. You must perform the setup for recovery procedure on Alliance Gateway or Alliance Starter Set using Alliace Webstation.

Procedure

Log on as Security Officer SWIFTNet user using Alliance WebStation on the Alliance Starter Set or Allliance Gateway.

Browse to the certificate you need to set up for recovery using the Users Module.

Right-click the certificate and select the Setup for Recovery command from the pop-up menu.

When the Certificate tab is re-displayed, click on the Activation Secrets arrow and write down the new reference number and authorisation code displayed.

Log off.

Log on as Administrator - Gateway Operator.

Go to SWIFTNet users module and click the Certificates tab.

Right-click the certificate that was setup for recovery and choose the Recover command from the popup menu. If the certificate is not visible, right-click in the blank area and select Recover.

Fill in all the details required including the authorisation code, reference number, certificate name, and recover it on the partition. The certificate can be given a new profile name and password chosen by the customer.


20 January 2012 24


For details, please refer to Tip 2147226

NTLS/SSL fails 1. Check if NTLS services is running on the HSM box

Run swiftnet status -T -v to see the service status of the HSM. If it is down or partial, use the SwHSMManageServices.pl to restart the HSM services (including ntls).

2. Is the server has more than 1 IP address or the IP address has changed?

If it is, you will need to re-register the SNLto the HSM Cluster by using the SwHSMWiz GUI


HSM status is down but HSMServiceStatus is up or no partitions are enabled in SwHSMSelfTest result

Check the activation status of the HSM

Run the command: perl SwHSMActivate.pl -a –h <<IP ADDRESS OF THE HSM BOX>>


3.11 Alliance WebPlatform

Alliance WebPlatform - Table of symptoms


Login page cannot be down and display "JavaScript is disabled, please enable and reload this page"

Page cannot be loaded with JavaScript disabled

Go to Internet Explorer -> Tools -> Internet Options -> Security Settings -> Scripting -> Active Scripting and enable it if it is not enabled.

Login page cannot be loaded and display "Internet Explorer cannot display the webpage"

Page cannot be loaded with page cannot display

Check if the WebPlatform service has started or not.

Windows: Administrative Tools -> Services -> Alliance WebPlatform SWP01 to check if the service has started or not

UNIX: run the command "swp_bootstrap status" to check if the bootstrap of WebPlatform has started or not. If not, start it by issuing the command "swp_bootstrap start"





20 January 2012 25

3.12 PKI & Online Operations Manager

PKI & Online Operations Manager - Table of symptoms


Unable to display the Online Operations Manager welcome page

Page cannot be loaded Check if the URL is correct: https://www.o2m.swiftnet.sipn.swift.com

Run nslookup and check if the URL https://www.o2m.swiftnet.sipn.swift.com can be resolve or not

If the URL can be resolved,

run checkip <URL> -port <port>

See the SWIFT CheckIP User Guide.

3.13 RMA The RMA service is a standard SWIFTNet Store-and-Forward InterAct service. For an explanation of the possible error codes, see the SWIFTNet Link Error codes - Detailed Codes Returned by SNL API.

For errors related to the Alliance RMA application, see the Alliance Access/Entry section of this guide.

For errors related to the Alliance WebPlatform RMA application, see the Alliance WebPlatfrom section of this guide.

https://www.o2m.swiftnet.sipn.swift.com/

https://www.o2m.swiftnet.sipn.swift.com/




Self-help Guide Reporting a problem

20 January 2012 26

4 Reporting a problem

4.1 Methodology

Introduction

A persistent problem that cannot be resolved by the troubleshooting guidelines can be reported to the SWIFT Customer Service Centre.

Register on swift.com

To access the SWIFTSupport service, you must first register yourself on swift.com. Registration will allow you to access our specialised online services such as the knowledge base, case manager, documentation, ordering, and billing information. See SWIFTSupport services further in this guide.

Report the problem

When you report a problem to SWIFT, use by preference the Case manager on our web site (see Case manager further in this guide). You should give as much electronic evidence as possible, in order to allow a faster investigation and a faster resolution of the problem.

Alternatively, you can contact the SWIFT Customer Service Centre by telephone (see Customer Service Centres further in this guide).

Ensure that you have access to your system and provide the following details:

1. Identify yourself by providing your personal registration number that is mentioned on your SWIFTSupport registration card

2. Your case number, if you are calling about an open problem that you have reported previously

3. What happened and what you were doing when the problem occurred

4. The actions that you have taken to solve the problem

5. The exact wording of any error message

Send collected evidences

You can then send your collected evidences by different means:

by e-mail to [email protected]. Mention the case number in the subject of the e-mail

by the Dropbox service that is available on swift.com/support or through the SWIFTNet Portal

by the sendsupportinfo command, directly from your SWIFTNet Link host.

Syntax: swiftnet sendsupportinfo [-d <dir>] -a <case number>

<dir> is the name of the directory where the diagnostic files are copied or located. This parameter is optional. If this parameter is not specified, then the command will use the default directory (Windows: %SWNET_HOME%\log\supportinfo, UNIX: $SWNET_HOME/log/supportinfo).

<case number> is the number of the case for which the evidences are being sent. This parameter is mandatory in order to be able to link the evidences to the correct case in the case manager application.


20 January 2012 27

4.2 Collecting evidences

4.2.1 Alliance Access/Entry

Alliance Access/Entry - Table of evidences

Where? UNIX Where? Windows

Collect log and configuration information *

SAA support information

Run saa_supportinfo

-output <directory>

-from <From_datetime>

-to <To_datetime>

from $ALLIANCE/common/bin/

Log files can be collected in the $ALLIANCE/support/<directory>

Example: saa_supportinfo -from 20110622T0100 -to 20110623T0200

Run saa_supportinfo

-output <directory>

-from <From_datetime>

-to <To_datetime>

from %ALLIANCE%\bin

Log files can be collected in the %ALLIANCE%\support\<directory>

Example: saa_supportinfo -from 20110622T0100 -to 20110623T0200

Note * These are the minimum evidences that you must provide to SWIFTSupport when you report a case.

4.2.2 Alliance WebStation

Alliance WebStation - Table of evidences

Where? Windows

Collect log information *

WebStation log file SWIFTAlliance\WebStation\log\log.txt

Result of a connection test to SWIFT

Run testtcp.bat on a stand-alone SAB

The result is in <installation directory>\WebStation\log\testtcp.txt

Collect configuration information

diagnostic.xml

diagnostic.txt

Run diagnostic.bat

The result is in Diagnostic.xml and diagnostic.txt, which are in <installation directory>\WebStation\log\


4.2.3 Alliance Gateway

Alliance Gateway - Table of evidences



Run sag_supportinfo

-output <directory>

-from <YYYYMMDDTHHMM>

-to <YYYYMMDDTHHMM>

The log information can be

Run sag_supportinfo

-output <directory>


-to <YYYYMMDDTHHMM>

The log information can be retrieved


20 January 2012 28



retrieved in <installation directory>/Gateway/support/

in <installation directory>\Gateway\support\


4.2.4 SWIFTNet Link

SWIFTNet Link - Table of evidences



Collect SNL log and configuration files

Run snl_supportinfo

-output <directory>


-to <YYYYMMDDTHHMM>

Run snl_supportinfo

-output <directory>


-to <YYYYMMDDTHHMM>

selftest.log Run selftest

Selftest.log is in $SWNET_LOG_PATH/

Run selftest

Selftest.log is in %SWNET_LOG_PATH%/

Files in the SNL log directory

compress the content of the $SWNET_LOG_PATH directory

compress the content of the %SWNET_LOG_PATH% directory

HSM Log files compress the content of the $SWNET_HOME/log directory

compress the content of the %SWNET_HOME%\log directory


4.2.5 The HSM box

HSM box - Table of evidences


Collect log information *

HSM log files Run perl SwHSMGetLog.pl -a | –h <HSM box hostname>

The file is then uncompressed and copied to the directory $SWNET_HOME/log/hsm1 or $SWNET_HOME/log/hsm2

Run perl SwHSMGetLog.pl -a | –h <HSM box hostname>

The file is then uncompressed and copied to the directory %SWNET_HOME%\log\hsm1 or %SWNET_HOME%\log\hsm2

HSMSelfTest.log Run perl SwHSMSelfTest.pl

The output can be found in $SWNET_LOG_PATH/ HSMSelftTest.log

Run perl SwHSMSelfTest.pl

The output can be found in %SWNET_LOG_PATH%\ HSMSelftTest.log

Collect configuration information

HSM configuration

Run swiftnet getconfig –T -v

Redirect the output into a file

Run swiftnet getconfig –T –v

Redirect the output into a file


20 January 2012 29


4.2.6 Alliance WebPlatform

Alliance WebPlatform - Table of evidences



Support information of WebPlatform

Run swp_supportinfo

-output <directory>


-to <YYYYMMDDTHHMM>

From the installation directory <SWP_INSTALL_PATH>/bin

Run swp_supportinfo

-output <directory>


-to <YYYYMMDDTHHMM>

From the installation directory <SWP_INSTALL_PATH>\bin

WebPlatform logs Run swp_readlog

-output <file_pathname>

-startdate <YYYYMMDD>

-starttime <HH:MM:SS>

-stopdate <YYYYMMDD>

-stoptime <HH:MMLSS>


Run swp_readlog

-output <file_pathname>

-startdate <YYYYMMDD>

-starttime <HH:MM:SS>

-stopdate <YYYYMMDD>

-stoptime <HH:MMLSS>



Self-help Guide SWIFTSupport services

20 January 2012 30

5 SWIFTSupport services

5.1 Organization

Worldwide support

SWIFT offers to its customers a worldwide support delivered by a group of expert analysts. This service covers administrative, operational and technical matters. The SWIFT Customer Service Centres (CSCs) are open 24 hours a day, seven days a week.

Our key communication channel for support is our website www.swift.com/support, which offers an integrated set of support services. You can also contact a support analyst by telephone, for critical situations or for additional information.

Europe +31 71 582 28 22 Americas +1 540 825 60 56 Asia +852 2 852 87 77 Japan +81 3 5223 74 56

5.2 Services

My profile

My profile allows you to configure your access to the support services and to maintain your information. Information such as updates to the BIC data, contact data, the billing profile, the shipping profile and your operational profile, must be maintained online through My profile.

Knowledge base

The Knowledge base provides information about known problems and their solutions. It also includes frequently asked questions, suggestions, and technical documents. The information is organised in the form of tips.

Case manager

The Case manager allows customers to report a technical problem or a query to the SWIFT CSC. For each entry, a case number is assigned. Electronic updates are provided by the support staff. You have a complete overview of all cases with up-to-date status information.

Download centre

Licensed customers automatically receive SWIFT software product releases and patches on CD. In addition, some patches and maintenance releases are also available on the Download centre, where they can be easily downloaded and installed.

Operational status

SWIFT continues to improve the availability of its network and its systems. If a major outage occurs on critical services, then information is directly provided on the operational status. This allows customers to understand the situation and to take appropriate actions.

Documentation

General documentation about SWIFT products and SWIFT services is provided on our website. The documentation can be viewed online and can be downloaded for printing purposes or for further processing. The SWIFT software product documentation is also provided on the software product CD that is sent to licensed customers.

Billing information

This service describes the rules of SWIFT for billing and invoices. You can access the billing information for your company until 12 months in the past and you can also download it.


20 January 2012 31

Translation service

This service provides a real-time, multi-lingual translation of swift.com. The pages are translated by software that is configured with SWIFT-specific terminology. The English version of the web site remains the only official and legally binding version.

BIC Online

BIC Online allows you to perform a quick lookup for the latest information in the BIC Directory.


20 January 2012 32

Legal Notices

Copyright

SWIFT © 2012. All rights reserved.

You may copy this publication within your organisation. Any such copy must include these legal notices.

Confidentiality

This publication may contain SWIFT or third-party confidential information. Do not disclose this publication

outside your organisation without the prior written consent of SWIFT.

Disclaimer

SWIFT supplies this publication for information purposes only. The information in this publication may change from time to time. You must always refer to the latest available version.

Translations

The English version of SWIFT documentation is the only official version.

Trademarks

SWIFT is the trade name of S.W.I.F.T. SCRL. The following are registered trademarks of SWIFT: SWIFT, the SWIFT logo, Sibos, SWIFTNet, SWIFTReady, and Accord. Other product, service, or company names in this publication are trade names, trademarks, or registered trademarks of their respective owners.

Documents

Swift 5