AutoClient 2.0.1 for Alliance Lite 2.0

Installation and User Guide

This guide describes how to install, configure, and run AutoClient. It also explains how to send and receive messages and files with AutoClient. This guide is for those who install and configure AutoClient, and those who send and receive files with AutoClient.

19 November 2010

Connectivity


    Table of Contents

    1 Introduction

    2 Installation
    2.1 System Requirements
    2.2 Security Recommendations for AutoClient
    2.3 Install AutoClient
    2.4 Uninstalling AutoClient

    3 Configuring AutoClient
    3.1 Configuring Local Authentication
    3.2 Modifying Configuration Parameters
    3.3 List of Configuration Parameters

    4 How AutoClient Works
    4.1 Emission Directory
    4.2 Reception Directory
    4.3 Archive Directory
    4.4 Error Directory
    4.5 FileAct Delivery Notification

    5 Running AutoClient
    5.1 Starting AutoClient
    5.2 Monitoring the Status of AutoClient
    5.3 Stopping AutoClient

    6 Sending Files
    6.1 FIN Message Files
    6.2 FileAct Files
    6.3 CSV Files
    6.4 Local Authentication Files
    6.5 Local Test Mode Process
    6.6 Approval of AutoClient Messages and Files

    7 Receiving Files
    7.1 Process for Receiving FIN Messages
    7.2 Process for Receiving FileAct Files
    7.3 Process for Receiving CSV Files

    8 Monitoring File Transfers

    9 List of Errors
    9.1 Errors When Uploading Files to the Alliance Lite Server
    9.2 Pseudo NAK Errors
    9.3 CSV NAK Codes

    10 File Examples
    10.1 FIN Message File (RJE Format)
    10.2 FileAct Companion Parameter File
    10.3 FileAct Report Files
    10.4 CSV File

    Appendix A Bank Codes and Field Tag Information
    A.1 Built in Bank Codes
    A.2 Field Tag Information

    Legal Notices

    1 Introduction

    What is AutoClient

    AutoClient is an optionally installed part of Alliance Lite that allows you to integrate other software applications with Alliance Lite. Through AutoClient, your back-office applications can send and receive messages and files over SWIFTNet, in a fully automated way and with strong security. This application provides file-based communication to and from FIN and FileAct services. You can send and receive files containing Standards MT and MX messages, and FileAct files.

    [Figure: diagram showing Customer, Back-office application, AutoClient, Alliance Lite Web interface, Internet, SWIFT, Alliance Lite server, SWIFTNet, Bank]

    AutoClient is designed for simplicity and ease of use:

    Easy automation: AutoClient automatically checks a specific folder, on the PC where it runs, at regular intervals (the frequency is configurable). If AutoClient finds a file in that folder, in one of the supported file formats, it automatically uploads it to the Alliance Lite server. These files are then converted into standard SWIFT messages, or sent as entire files, over SWIFTNet. Vice versa, AutoClient regularly checks on the server for messages or files received from SWIFTNet, and automatically downloads them to a specific reception folder on the PC where it runs.

    Simple file-based integration: Back-office applications simply need to produce files and put them in a designated AutoClient emission folder to send them on to SWIFTNet. And vice versa, they can read received files from a designated AutoClient reception folder. The files can be in one of 3 formats (for examples see chapter 10 "File Examples" on page 55):

    FIN files: These are text files, containing messages in standard SWIFT FIN format (MT format). All MT message types are supported, from MT 101 to MT 999. A FIN file can contain several messages, to one or more correspondents. The messages in the file are sent as individual messages on SWIFTNet to your correspondents. The syntax of each message is verified by SWIFT against the SWIFT standard, providing a guarantee to both sender and receiver that the message complies with the SWIFTStandards MT format (see the SWIFT User Handbook, SWIFTStandards MT volumes).

    CSV files: These are text files, where each line contains a series of comma-separated values. Each line is converted by Alliance Lite into a standard SWIFT message (MT or MX), and that message is sent over SWIFTNet. Only a subset of MT and MX messages is supported. The CSV file formats are described in the Alliance Lite CSV Upload File Format Guide. As these file formats are all simple, they can be produced with a text editor or a spreadsheet application like Microsoft Excel. Many applications exist on the market that can produce or process these formats.

    FileAct files: These are files in any proprietary format, for example a domestic file format, or an agreed format. The file is transferred in its entirety 'as such', and no validation of the format is performed by SWIFT.

    Simple start/stop: To start AutoClient, you need an AutoClient token inserted in a USB port of the PC where AutoClient is installed, and you need to provide the password of that token. AutoClient cannot run without this token inserted. You do not need to provide the token's password for every message or file that you send.

    Strong security: The AutoClient USB token is a tamper-proof hardware security module that digitally signs and authenticates every communication with the Alliance Lite server, using a strong 2048-bit PKI certificate that resides on the token. By default, messages and files uploaded through AutoClient require manual approval by one or more authorised persons that hold their own personal security tokens, as designated by the customer's Alliance Lite Administrators. Finally, the AutoClient can be configured for 'local authentication', i.e. to secure files in transit between the back-office application and the AutoClient, with an additional digital signature that accompanies each file. See "Security Recommendations for AutoClient" on page 7 section 2.2 for more information on security.

    AutoClient offers two types of services:

    Live service: This service is used to send and receive real live business messages and files. This service is also called Production service.

    Test service: This service allows users to send and receive messages and files for test and training purposes. Messages and files sent using this Test service will be automatically marked as "test" or "pilot" towards your correspondents, and thus this Test service provides a "safe" environment.

    Only one security token can be assigned to the AutoClient. Your Alliance Lite Administrators can configure this token to allow use of the Live service, Test service, or both Live and Test services.

    When AutoClient is used on Test service:

    only FIN messages sent to FIN Test and Training are accepted and CSV files containing data for Funds MX messages are processed for the pilot Funds service.

    only files sent to FileAct Test and Training services and Funds MX messages are accepted (service names ending with !p).

    2 Installation

    2.1 System Requirements

    Overview

    This section outlines the system requirements for AutoClient.

    The default installation folder is \Program Files\SWIFT\Alliance Lite\ which is referred to throughout this document as \.

    Only the base directory (by default, C:\Program Files\SWIFT\Alliance Lite\files) must be made accessible to the (remote) application for placing and retrieving files. The entire AutoClient installation directory that includes logs, configs, and so forth (by default, C:\Program Files\SWIFT\Alliance Lite) must never be made accessible remotely, because it contains the autoclient.properties file and other sensitive files.

    Category Requirement

    Operating system AutoClient runs on the following operating systems:

    Windows XP with Service Pack 2 (SP2) or Service Pack 3 (SP3)

    Windows Server 2003 with Service Pack 2 (SP2)

    Windows Vista with Service Pack 1 (SP1) or Service Pack 2 (SP2)

    Note SWIFT only supports 32-bit versions for these operating systems.

    Note Non-English versions of Windows are supported.

    Disk space Minimum 120 MB for the software installation

    Minimum 30 MB for the base directory

    Minimum 60 MB for the log directory

    Connectivity Standard broadband Internet access, such as ADSL, WiFi, cable, and other forms. Dial-up connectivity will be insufficient.

    AutoClient can connect to the Internet through a firewall or HTTP proxy, see "Security Considerations" on page 7.

    AutoClient connects to the Alliance Lite server over SSL/TLS, TCP port443. AutoClient does not listen on this port, or any other port.

    Unlike the Alliance Lite web interface, AutoClient does not need Internet Explorer or a Java plug-in, and can be run on a PC where Internet Explorer is not used to browse. However, when installing AutoClient, a system check is performed and this check requires Internet Explorer 6, 7 or 8.

    The software can be installed on the system running under VMWare Workstation. Running Alliance Lite under other virtualisation technology is not supported. Do not use Microsoft Remote Desktop or VMware server for the installation, de-installation, or monitoring.

    2.2 Security Recommendations for AutoClient

    Overview

    This section provides recommendations for securing the Alliance Lite AutoClient and additional information about the security requirement for normal browsing to Alliance Lite.

    2.2.1 Security Considerations

    Important

    It is recommended not to use Alliance Lite from a PC which is used for other applications that use USB based security devices.

    Access to AutoClient

    To run AutoClient, the user must plug in a USB token created by the customer's Alliance Lite administrators, see the Alliance Lite Administration Guide. This USB token contains a certificate which, together with an associated password, authenticates the files sent from AutoClient to the Alliance Lite server. The user obtains the USB token from an Alliance Lite administrator.

    Firewall between AutoClient and the Internet

    It is strongly advised to use a firewall between the workstations used for Alliance Lite (both the Alliance Lite Web Interface (browser), as well as the AutoClient) and the Internet. For Alliance Lite to function, the firewall must allow outgoing TCP connections from the Alliance Lite workstation(s) towards www.swiftalliancelite.com (for Live service) and to test.swiftalliancelite.com (for Test service) on the standard port for SSL/HTTPS (tcp/443). No incoming connections are required, and we recommend blocking all incoming connections from the Internet. Note that if you are using a local (host based) firewall on the computer running AutoClient, it must be configured to accept a local connection between two AutoClient processes on this computer (localhost port 8000). This TCP connection flow is required for AutoClient to function normally.

    Note You can use an HTTP proxy between AutoClient and the Internet. The HTTP proxy must not attempt to inspect (break) the SSL session. Proxy authentication using login and password is supported by Alliance Lite. See "Configuring AutoClient" on page 18 for more details.

    Security mechanisms between AutoClient and the Alliance Lite server

    Use of PKI:

    X.509 certificates, issued by SWIFT and stored on the USB token

    identities are issued at BIC level

    Authentication and encryption:

    SSL 3.0 / TLS 1.0 using 2-way authentication

    encryption algorithm: AES-256

    Electronic signature:

    Hash: SHA-256

    The RSA 2048 bit Private Key (used for signing) remains on the USB token. The USB token is password-protected. The key pair generation (USB token) is performed locally at the customer's site. The RSA signature operation is performed internally on the USB token.

    digital signature of the message exchanges (X.509 V 3.0, PKCS #7 standard)

    Security between AutoClient and the back-office application

    It is the user's responsibility to implement the necessary security and access mechanisms between the AutoClient directories and the back-office application.

    Permissions on directories

    The Windows user that starts AutoClient with a token, see "Starting AutoClient" on page 29, does not require read or write permissions on the AutoClient file directories. This allows a segregation of duties, for example, the person that can put a file in the AutoClient's emission directory can be different from the person that can instruct AutoClient to start sending.

    The AutoClient file directories (emission, reception, archive, and error), located by default under the base directory \files, must have read and write permission for "SWIFT AutoClient Service". This is a Windows service that typically always runs in the background on the PC where AutoClient is installed, whether or not AutoClient has been started with a token. This Windows service is by default started when the PC that hosts AutoClient is started, with no user logged on yet. Therefore by default the user that started this service is the "Local System account", and thus it is this user that must have read and write permission on the AutoClient file directories. These permissions are set automatically by the AutoClient installation. If you require other users or applications to read or write files in those folders, you (a user with Windows Administrator privileges) might need to set these folders' permissions accordingly. Do not give access to these folders to large groups of users, such as Users or Everyone.

    The logging directory by default is \logs and must have read and write permission for the "Local System account". For more information about permissions and protection, see "Protection of the System" on page 9.
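
An audit of the directory permissions described above, added here as an example and not part of the SWIFT guide: it parses an ACL listing produced with `icacls <directory>` and flags any grant to Users or Everyone, plus a missing read/write grant for Local System. The three listings are constructed, and the `BACKOFFICE01\svc_payments` account is hypothetical.

```python
import re

# Inheritance/propagation flags printed by icacls; any other token is a rights mask.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Groups the guide names as too broad. Matching on the English names is an
# assumption: non-English Windows displays these groups under localized names.
BROAD_GROUPS = {"users", "everyone"}
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([^)]*\))+)$")

FILES_DIR = r"C:\Program Files\SWIFT\Alliance Lite\files"  # default base directory

# Constructed icacls listings (not captured from a real installation).
SAMPLE_LOOSE = r"""C:\Program Files\SWIFT\Alliance Lite\files NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                           BUILTIN\Administrators:(OI)(CI)(F)
                                           BUILTIN\Users:(I)(OI)(CI)(RX)
                                           Everyone:(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files
"""
SAMPLE_TIGHT = r"""C:\Program Files\SWIFT\Alliance Lite\files NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                           BUILTIN\Administrators:(OI)(CI)(F)
                                           BACKOFFICE01\svc_payments:(OI)(CI)(M)
"""
SAMPLE_NO_SYSTEM = r"""C:\Program Files\SWIFT\Alliance Lite\files BUILTIN\Administrators:(OI)(CI)(F)
"""


def parse_icacls(path, output):
    """Return (principal, is_deny, rights) for every ACE listed for `path`."""
    aces = []
    for line in output.splitlines():
        if line.startswith(path):
            line = line[len(path):]  # first line carries the path before the ACE
        match = ACE_RE.match(line.strip())
        if not match:
            continue  # blank lines and the "Successfully processed" trailer
        tokens = re.findall(r"\(([^)]*)\)", match.group("flags"))
        rights = set()
        for token in tokens:
            if token != "DENY" and token not in INHERIT_FLAGS:
                rights.update(token.split(","))  # e.g. "(R,W)" lists two rights
        aces.append((match.group("principal"), "DENY" in tokens, rights))
    return aces


def can_read_write(rights):
    """Simple rights only: F and M include read and write; otherwise need both."""
    if rights & {"F", "M"}:
        return True
    return bool(rights & {"R", "RX"}) and "W" in rights


def audit(path, output):
    """Return findings for one AutoClient file directory; empty list means clean."""
    findings = []
    system_ok = False
    for principal, is_deny, rights in parse_icacls(path, output):
        if is_deny:
            continue  # deny entries grant nothing
        name = principal.split("\\")[-1].casefold()
        if name in BROAD_GROUPS and rights:
            granted = ",".join(sorted(rights))
            findings.append(f"{path}: broad group {principal} has {granted}")
        if principal.casefold() == r"nt authority\system" and can_read_write(rights):
            system_ok = True
    if not system_ok:
        findings.append(f"{path}: Local System lacks read and write")
    return findings


if __name__ == "__main__":
    for label, listing in (("loose", SAMPLE_LOOSE), ("tight", SAMPLE_TIGHT),
                           ("no-system", SAMPLE_NO_SYSTEM)):
        print(label, audit(FILES_DIR, listing) or "clean")
```
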

    Local Authentication

    The AutoClient can be configured to require local authentication between the back-office application and the AutoClient, to protect files in transit between the application and AutoClient. This is strongly recommended. When local authentication is enabled, the back-office application digitally signs each file that it submits to AutoClient, and AutoClient verifies this signature. If the file has been altered between the back-office application and the AutoClient, then the signature verification will fail and the AutoClient will refuse to send the file. Correspondingly, when local authentication is enabled, the AutoClient will digitally sign every received file when putting it in its reception folder. This allows the back-office application to verify this signature. The signature is calculated with HMAC-SHA-256, a well-known secure hash algorithm with strong key length. This algorithm requires a secret key to be shared between the back-office application and the AutoClient. See "Configuring AutoClient" on page 18 for an explanation on how to configure AutoClient for local authentication.
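
The sign-then-verify check described above, as an added example that is not part of the SWIFT guide and does not reproduce AutoClient's own signature file format. It assumes a detached tag stored in a hypothetical `.hmac` sidecar file; the file name, payload and keys are constructed.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

SIG_SUFFIX = ".hmac"  # hypothetical sidecar name, not AutoClient's own format


def file_tag(path, key):
    """HMAC-SHA-256 over the file's bytes, streamed so large files are not loaded whole."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def sign_file(path, key):
    """Sender side: write the tag next to the file and return the sidecar path."""
    sidecar = path + SIG_SUFFIX
    with open(sidecar, "w", encoding="ascii") as fh:
        fh.write(file_tag(path, key) + "\n")
    return sidecar


def verify_file(path, key):
    """Receiver side: True only if a tag exists and matches the file as it is now."""
    try:
        with open(path + SIG_SUFFIX, encoding="ascii") as fh:
            claimed = fh.read().strip()
    except (FileNotFoundError, UnicodeDecodeError):
        return False  # unsigned or unreadable tag: refuse rather than send anyway
    # Constant-time comparison, so timing does not reveal how much of the tag matched.
    return hmac.compare_digest(file_tag(path, key), claimed)


def demo():
    """Run the four cases a receiver must tell apart; returns {case: accepted}."""
    key = secrets.token_bytes(32)        # shared secret held by both sides
    other_key = secrets.token_bytes(32)  # a party that does not hold the secret
    results = {}
    with tempfile.TemporaryDirectory() as emission:
        path = os.path.join(emission, "payments.txt")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample: pay 100.00 EUR to ACCOUNT-A\n")
        results["unsigned"] = verify_file(path, key)
        sign_file(path, key)
        results["intact"] = verify_file(path, key)
        results["wrong_key"] = verify_file(path, other_key)
        # The file is altered after signing, between the two applications.
        with open(path, "wb") as fh:
            fh.write(b"constructed sample: pay 900.00 EUR to ACCOUNT-B\n")
        results["tampered"] = verify_file(path, key)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:10s} accepted={accepted}")
```

HMAC is symmetric: any party holding the shared key can produce a valid tag, so the key needs the same protection on the back-office host as on the AutoClient PC.
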

    Automatic prompting for file download for Reports

    The reports function uses the "automatic prompting for file downloads" when requesting files. Therefore in the Windows Security Settings, the "automatic prompting for file downloads" option should be set to "enabled".

    2.2.2 Protection of the System

    Overview

    The customer must protect the systems used for Alliance Lite AutoClient in line with industry security practices, such as:

    Harden all operating systems involved in the AutoClient flow with industry best practices

    Protect the Alliance Lite AutoClient system from unauthorised network access. Install and manage firewalls to shield that system from incoming Internet traffic, and from unauthorised access over the customer's internal network

    The firewall solution must be:

    a physical one to protect incoming traffic from and outgoing traffic to Internet and internal networks. Ideally, no Internet incoming traffic must be accepted that is not required by the AutoClient

    a PC-local one to ensure that only authorised programmes communicate with the outside.

    Restrict outgoing traffic from the system to business-critical sites, and to legitimate sites required for software updates. Ideally, do not browse or access the Internet from the PC where you access Alliance Lite AutoClient and dedicate the system for AutoClient only.

    Use up-to-date virus scanners and malware scanners to protect the Alliance Lite system from malware such as viruses, worms, keyboard loggers, trojans, and rootkits. Scan for viruses any file sent to or received from the AutoClient.

    Ensure the system used for hosting the AutoClient is only physically and logically accessible by persons entitled to access this system.

    Ensure that only authorised and required software products are installed on the system used to access Alliance Lite. Ideally, dedicate the system for AutoClient only.

    Ensure that all software applications that run on the Alliance Lite system are regularly updated and patched. This includes:

    Windows patches

    critical Java runtime patches

    patches for other applications running on the system like the Internet Explorer browser

    additional features of the browser, called plug-ins like Shockwave, QuickTime, Realplayer, and any others.

    Ensure that all critical internal flows to or from the system hosting the AutoClient are protected against disclosure or malicious changes, especially if the AutoClient emission and receiving files are transferred through the network. Ideally, use strong authentication controls and cryptography means, like flow encryption and authentication, in line with Customer Policy.

    Note Local Authentication between a back-office application and AutoClient is recommended by SWIFT. See "Security Considerations" on page 7 for further details.

    2.2.3 Protection of the AutoClient USB Token

    USB Token Protection

    Users must take the utmost care to protect the AutoClient token from unauthorised borrowing, loss, and theft. They must also take all necessary measures to prevent any unauthorised disclosure of the AutoClient token's password.

    Ensure only authorised and identified individuals use the AutoClient token

    Ensure each active AutoClient token is safe-stored when not used

    Revoke any unused or lost token. The customer's Alliance Lite administrator can do this, see the Alliance Lite Administration Guide.

    The users must never:

    lend the AutoClient token to others

    leave the token inserted in the PC, unless the PC is in a secured area, protected from physical and logical (network) access by unauthorised persons or applications

    write down any password or communicate a password to unauthorised people

    use a password that can be deduced easily

    allow anybody to watch over their shoulder when the token's password is entered

    2.2.4 Local Protection of the AutoClient System

    Local protection

    The customer must implement the following management principles to mitigate the risks to its system:

    Establish user management practices to ensure that only authorised users are created and remain on the system. Because users change roles or leave the company, ensure that the administrator maintains an accurate and up-to-date list of authorised users aligned with the actual access to the system.

    Establish entitlement management practices to ensure that users are granted access to Alliance Lite functions only on a need to know or need to have basis. In particular, protect the AutoClient software, files, and hosting directories against unauthorised local and domain access by setting up strict permissions and removing any default access like Users and Everyone permissions. Take into consideration any local and remote access (like RDP and Windows File Sharing/CIFS).

    Implement Segregation of Duty principles to separate tasks like administration of the system, security administration tasks, and users of the AutoClient.

    Control and monitor the access and usage of the system administrator and any account having access to any of the AutoClient files and hosting directories, especially the emission and reception directories. For instance, implement 4-eyes procedures to access privileged accounts in a way that two or more people are required to do administrative tasks. Ideally, monitor the activities of these accounts as well to detect any malicious action. Establish a solution to log the access and all activities of the privileged accounts and protect these logs for forensic purposes as well.

    Protect the AutoClient backups against malicious modification and disclosure, ideally by cryptographic means, like strong signature and encryption of the backups, in line with Customer Policy.

    Monitor daily traffic, to detect mismatches between authorised and actual traffic, both sent and received.

    The user must not delegate all the Alliance Lite administrator roles to a single person that can then use the two different USB tokens to create their own AutoClient token.

    2.3 Install AutoClient

    Overview

    The following section provides details of how to install the AutoClient Software.

    Note Do not use Microsoft Remote Desktop or VMware server for the installation, or de-installation. Running Alliance Lite under other virtualisation technology is not supported.

    Note You must remove your USB token when installing or upgrading your AutoClient.

    What you need to install AutoClient

    the CD labelled "Alliance Lite 2.0.1", which contains the AutoClient software, or the Alliance Lite 2.0.1 software downloaded from www.swift.com > Support > Download centre. Only use one of these two sources, do not use software provided by others.

    you must be logged in as a Windows user with Windows Administrator privileges, to install AutoClient. To start or use AutoClient once it is installed, you do not need Windows Administrator privileges.

    the user who is installing the AutoClient software needs the All Access permission (read and write) on the installation directories. The installation directory is by default \Program Files\SWIFT\Alliance Lite but the user can change this at the start of the installation.

    Note The new installation removes the previously installed AutoClient.

    If you have been using a previous version of Alliance Lite, then SWIFT recommends using the same folders when installing Alliance Lite 2.0.1. The software is upgraded, and the content of AutoClient file directories (emission, reception, archive, and error) is preserved.

    The installation of the driver for the Alliance Lite USB tokens over-writes all existing SafeNet software that was already present on your PC.

    If you have older SafeNet software and want to preserve it, then install Alliance Lite on a different system.

    Note Installing AutoClient through a Remote Desktop can lead to a corrupted SafeNet driver on the local machine. This can be seen by looking at the SafeNet icon that identifies a USB token is present but when the certificate details are checked the pop-up shows the "token removed" text.

    installation.log

    The installation.log file records events that occur during installation. This file is created under \logs. If you encounter a problem during installation, then check the contents of this file.

    To install AutoClient:

    1. Insert the CD labelled "Alliance Lite 2.0.1" in the CD drive.

    2. Double-click the AllianceLite-install.exe file. The installation application unpacks the files in the installer. This may take 2 to 3 minutes. When the installer files are unpacked, the following window appears:

    3. Select Install Alliance Lite AutoClient, and click Next. This also installs the Alliance Lite USB token driver automatically. The End-user Licence window appears.

    4. Accept the terms, and click Next. The following window appears.

    5. Select a directory where to install Alliance Lite, by doing either of the following:

    To accept the default directory, click Next.

    To select another directory, click Browse... to locate the directory, or type a local directory of your choice. Then click Next.

    Note The directory must be a local directory if the default directory was not selected.

    The following window appears.

    6. In this window, define the following parameters:

    Base Directory: the directory used by AutoClient to store files and exchange files with customer applications, by default this is \Program Files\SWIFT\Alliance Lite\files, that is, a subdirectory of the installation directory. This directory does not have to be a subdirectory of the installation directory, and can reside on another disk on the same computer. For security reasons, do not put this directory on another computer or on a networked disk.

    Note If you migrate from a previous version of the AutoClient, then the previous version of the AutoClient is un-installed but the contents of the Base Directory are left untouched. SWIFT recommends that you specify the same directory when installing a newer version of the AutoClient.

    Emission Timer: the interval (in seconds) with which AutoClient checks for files ready tobe sent to counterparties.

    Reception Timer: the interval (in seconds) with which AutoClient checks for filesreceived from counterparties.

    Advanced: if you want AutoClient to connect to the Internet through an HTTP proxyserver, then click Advanced... .

    Configuration window

    In the configuration window that appears, select the Configure AutoClient to connect through a proxy checkbox, and specify the following information:

    in the Hostname field, type the IP address or hostname of the proxy server through which to connect to the Internet

    in the Port field, type a valid TCP port for the proxy server

    Then click OK or, optionally, if the proxy requires authorisation, type the name of the proxy in Username and its password in Password.

    Note To modify these parameters after installation, see "Configuring AutoClient" on page 18.

    7. Click Next after specifying the parameters. If the base directory that you have selected does not exist, then click Yes to create it. After you click Next or Yes, the Close Applications window may appear if you have other applications currently running. If not, go to step 9.

    8. Do either of the following:

    Close the applications listed in the window, and click Next (this is the SWIFT recommended method)

    Select Continue installation without closing the running applications, and click Next


    Note If the previously installed AutoClient is still running, then there might be a slight delay during which the Next button is disabled while the installer shuts down the running AutoClient.

    9. A window appears to confirm the Alliance Lite installation details that you have entered in the previous steps.

    Do either of the following:

    To confirm the installation details, and proceed with the installation, click Install.

    Note When you click Install, you cannot roll back the installation.

    To modify the installation details, click Previous and make the necessary changes.

    Note If SafeNet Drivers are already installed, you are asked to confirm that you want to overwrite them.

    After you click Install, the AutoClient software and the Alliance Lite USB token driver are installed. You need to remove the USB token when prompted.


    10. The Test Firewall Configuration screen appears:

    Click the Test Connections button to run the test to ensure that your firewall does not block communications, or Next to skip the test. If there are any configuration problems with your firewall, the response received will depend on the firewall, but normally you will receive a message asking you if you wish to "allow the connection now and in the future". To configure the firewall, accept the request. When the test is complete, click OK in the pop-up message that appears.

    11. Upon successful installation, the Installation Complete window appears. Select your preferred restart option, and click Finish. You must restart your computer before you start using AutoClient.

    2.4 Uninstalling AutoClient

    To remove AutoClient:

    1. Remove the USB token (note that the uninstall may fail if the USB token is still inserted).

    2. Do the following:

    Click the Windows Start > Settings > Control Panel and use the:

    Add or Remove Programs option on Windows XP

    Programs and Features option on Windows Vista.

    The Alliance Lite Uninstallation window appears.

    3. Click Next to proceed, or Cancel to terminate the process. A warning prompts you to confirm the uninstallation.

    4. Click Yes to remove the software, or No to terminate the process. After you click Yes, the Close Applications window may appear if you have other applications currently running.


    5. Do either of the following:

    Close the applications listed in the window, and click Next

    Select Continue installation without closing the running applications, and click Next.

    After you click Next, the removal of the software starts. When the process is complete, the Uninstallation Complete window appears to confirm that the software was removed successfully.

    6. Click Finish.

    Note The content of AutoClient file directories (emission, reception, archive, and error) are preserved after installation. It is the responsibility of the user to remove the contents and the directories.


    3 Configuring AutoClient

    Introduction

    This section explains how you can configure Local Authentication and modify the AutoClient configuration parameters that you set during AutoClient installation.

    3.1 Configuring Local Authentication

    Overview

    The Local Authentication (LAU) option can be turned on or off by the user for each of the three different file types that AutoClient supports. The different file types that AutoClient supports are FIN, FileAct, and CSV files.

    If LAU signature is required for a file type, then AutoClient generates an LAU signature to accompany a received file of that type. AutoClient also verifies the correctness of LAU signatures that the back-office application generates to accompany the files to be sent of that type. LAU signatures are placed in separate files called LAU files with a ".lau" file extension. These LAU files are always stored alongside the payload file to which they refer, so that they may be stored in all the four directories: archive, emission, error, and reception.

    Note Users should note that the autoclient.properties file contains confidential data (the LAU keys), so only the "files" directory should be made accessible remotely for placing and retrieving files. In no case should the whole AutoClient directory (that includes logs, configs, and so forth) be accessible remotely.

    To configure LAU in AutoClient:

    1. Double-click the setPasswords.cmd file located in the Alliance Lite installation directory.

    The Set Passwords tool appears.

    2. In the Set Passwords tool, select 2 to set the FIN LAU key, select 3 to set the FileAct LAU key, or select 4 to set the CSV LAU key. Press ENTER.

    3. Type the 17 to 32 ASCII characters for your key and press ENTER.

    4. Type the 17 to 32 ASCII characters again to confirm the key values entered in the previous step and press ENTER.

    Note Make a note of the key value, since exactly the same key value needs to be configured into the back-office application.

    5. If the ASCII characters are

    accepted, go to step 6.

    rejected, repeat steps 3 and 4.

    6. Select 5 and press ENTER to save the changes and exit the Set Passwords tool. Select 6 and press ENTER to discard the changes and exit.

    To remove LAU from AutoClient:

    1. Load the autoclient.properties file into an editor from the config subdirectory in the Alliance Lite installation directory.


    2. Locate the line at the end of the file that defines the encrypted key value and delete the line. For the FIN key, the line starts with FinLauKey.enc. For the FileAct key, the line starts with FileActLauKey.enc. For the CSV key, the line starts with CsvLauKey.enc.

    3. Save the file.

    3.2 Modifying Configuration Parameters

    Note

    When you modify a configuration parameter, you must restart AutoClient before the new setting takes effect.

    To modify a configuration parameter:

    1. Locate the autoclient.properties file under \config, and double-click this file. All lines that start with a # (hash character) are comment lines. The content of this file resembles the following:

        # Parameter Name: BaseDirectory
        # Public : YES
        # Possible values: N/A
        # Default Value: No default value.
        # Description: Base directory: may not exceed 50 characters. Must be a
        # valid local directory with read and write permissions.
        # BaseDirectory=C:\\Program Files\\SWIFT\\Alliance Lite\\files
        # Parameter Name: AllowRetries
        # Public : YES
        # Possible values: TRUE | FALSE
        # Default Value: TRUE
        # Description: When set to TRUE, will retry a failed upload up to 3 times
        # and each attempt will be separated by 3600 sec.
        # When set to FALSE, the AutoClient will not retry a failed upload. The
        # upload status is immediately set to error.
        AllowRetries=TRUE
        # Parameter Name: EmissionTimerInMillis
        # Public : YES
        # Possible values: min = 5000 msec, max = 600000 msec
        # Default Value: 120000 msec
        # Description: The local emission directory polling frequence.
        EmissionTimerInMillis=5000
        # Parameter Name: ReceptionTimerInMillis
        # Public : YES
        # Possible values: min = 60000 msec, max = 600000 msec
        # Default Value: 120000 msec
        # Description: The remote server polling frequence.
        ReceptionTimerInMillis=60000
        # Parameter Name: HttpsProxyEnabled
        # Public : YES
        # Possible values: TRUE | FALSE
        # Default Value: FALSE
        # Description: Specifies whether this autoclient should connect through a
        # Proxy server.
        HttpsProxyEnabled=FALSE
        # Parameter Name: HttpsProxyHost
        # Public : YES
        # Possible values: valid host name or IP address of the proxy server.
        # Default Value: No default value.
        # Description: Address of the proxy server through which to connect
        # to the Internet. Only taken into account if 'HttpsProxyEnabled' is set to TRUE.
        HttpsProxyHost=localhost
        # Parameter Name: HttpsProxyPort
        # Public : YES
        # Possible values: Valid TCP port for the proxy server.
        # Default Value: No default value.
        # Description: Valid TCP port for the proxy server. Only taken
        # into account if 'HttpsProxyEnabled' is set to TRUE.
        HttpsProxyPort=8080
        # Parameter Name: HttpsProxyUser
        # Public : YES
        # Possible values: Valid user name for accessing the Internet through the
        # proxy server configured by 'HttpsProxyHost' and 'HttpsProxyPort'.
        # Default Value: No default value.
        # Description: Valid user name as configured within the proxy server. Only
        # taken into account if 'HttpsProxyEnabled' is set to TRUE and none of
        # the 'HttpsProxyUser' and 'HttpsProxyUser' is left empty.
        HttpsProxyUser=
        # Parameter Name: HttpsProxyPassword[.enc]
        # Public : YES
        # Possible values: Valid password for proxy user defined in 'HttpsProxyUser'.
        # Default Value: No default value.
        # Description: Valid password as configured within the proxy server for the
        # 'HttpsProxyUser'. Only taken into account if 'HttpsProxyEnabled' is set to
        # TRUE and none of the 'HttpsProxyUser' and 'HttpsProxyUser' is left empty.
        HttpsProxyPassword.enc=
        # Parameter Name: LocalTestMode
        # Public : YES
        # Possible values: TRUE | FALSE
        # Default Value: FALSE
        # Description: When set to TRUE, causes AutoClient to process messages for
        # emission up to an including LAU validation but will not send any files.
        # This can be used to test interoperability between back-office applications and AutoClient.
        LocalTestMode=FALSE

    2. Edit the parameters manually, as appropriate. To do this, change the value specified in the last line of the details of a parameter. In the example shown, to modify the current value (120000) for the ReceptionTimer parameter, the value in the following line must be changed:

        ReceptionTimerInMillis=120000

    Note For HttpsProxyPassword, FinLauKey, FileActLauKey, and CsvLauKey parameters, the value must be changed using the setPasswords tool in the installation directory.

    3. Save and close the file once you have made the required modifications.

    4. Stop and start AutoClient for your changes to take effect.
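A check that can be run over autoclient.properties after an edit, added here as an example (it is not SWIFT code and not part of the guide). It applies the limits given in the file's own comments, the guide's advice to keep the base directory off networked disks, and the rule that deleting a *LauKey.enc line removes LAU for that file type; the finding codes and the sample values are constructed for the illustration.

```python
import re

# Limits taken from the comments in the autoclient.properties listing (msec).
TIMER_LIMITS_MS = {
    "EmissionTimerInMillis": (5000, 600000),
    "ReceptionTimerInMillis": (60000, 600000),
}
LAU_KEYS = ("FinLauKey.enc", "FileActLauKey.enc", "CsvLauKey.enc")

# Constructed sample for illustration; not a real configuration.
SAMPLE = r"""
# constructed sample
BaseDirectory=\\\\fileserver\\swift\\files
AllowRetries=TRUE
EmissionTimerInMillis=1000
ReceptionTimerInMillis=60000
HttpsProxyEnabled=TRUE
HttpsProxyHost=
HttpsProxyPort=8080
FinLauKey.enc=PLACEHOLDER_ENCRYPTED_VALUE
LocalTestMode=TRUE
"""


def parse_properties(text):
    """Return {name: value}; '#' lines are comments, doubled backslashes are unescaped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props


def is_true(props, name):
    return props.get(name, "FALSE").strip().upper() == "TRUE"


def audit(props):
    """Return a list of (code, message) findings; an empty list means nothing to report."""
    findings = []
    base = props.get("BaseDirectory", "")
    if not base:
        findings.append(("BASEDIR_MISSING", "BaseDirectory is not set"))
    else:
        if len(base) > 50:
            findings.append(("BASEDIR_TOO_LONG", f"{len(base)} characters, limit is 50"))
        if base.startswith("\\\\"):
            # UNC path: the files directory would live on another machine.
            findings.append(("BASEDIR_NETWORK", f"{base} is a network location"))
        elif not re.match(r"^[A-Za-z]:\\", base):
            findings.append(("BASEDIR_NOT_ABSOLUTE", f"{base} is not a drive-letter path"))
        # A mapped network drive still looks local here; check it on the host.
    for name, (low, high) in TIMER_LIMITS_MS.items():
        raw = props.get(name)
        if raw is None:
            continue  # parameter absent: the default applies
        if not raw.isdigit() or not low <= int(raw) <= high:
            findings.append(("TIMER_RANGE", f"{name}={raw} outside {low}..{high} msec"))
    if is_true(props, "HttpsProxyEnabled"):
        if not props.get("HttpsProxyHost"):
            findings.append(("PROXY_HOST", "proxy enabled but HttpsProxyHost is empty"))
        port = props.get("HttpsProxyPort", "")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(("PROXY_PORT", f"HttpsProxyPort={port!r} is not a valid TCP port"))
    for key in LAU_KEYS:
        if not props.get(key):
            findings.append(("LAU_OFF", f"{key} absent: LAU is not configured for that file type"))
    if is_true(props, "LocalTestMode"):
        findings.append(("LOCAL_TEST_MODE", "LocalTestMode=TRUE: files are validated but not sent"))
    return findings


if __name__ == "__main__":
    for code, message in audit(parse_properties(SAMPLE)):
        print(f"{code:18} {message}")
```

The script only reads the file; the encrypted values themselves are never interpreted, and changes to them still go through the setPasswords tool.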

    3.3 List of Configuration Parameters

    You can modify the following configuration parameters:

    Parameter Description

    BaseDirectory The directory used by AutoClient to store and retrieve files. It must not exceed 50 characters. It must be either a valid local directory or a valid remote UNC directory with read and write permissions for the Windows account that started the "SWIFT AutoClient Service" Windows service (by default, this is the "Local System account").


    AllowRetries Default value: TRUE

    When set to TRUE, AutoClient retries a failed upload 3 times, and each retry is separated by 3600 sec

    When set to FALSE, AutoClient does not retry a failed upload. The upload status is immediately set to error.

    EmissionTimerInMillis The interval (in seconds) with which AutoClient checks for files ready to be sent to counterparties. Default value: 120 seconds. The value of this parameter must be between 60 and 5000 seconds.

    ReceptionTimerInMillis The interval (in seconds) with which AutoClient checks for files received from counterparties. Default value: 120 seconds. The value of this parameter must be between 60 and 5000 seconds.

    HttpsProxyEnabled Specifies whether AutoClient must connect through a proxy server. Default value: FALSE

    HttpsProxyHost The IP address (or hostname) of the proxy server through which to connect to the Internet. Only taken into account if "HttpsProxyEnabled" is set to TRUE. Used if the connections to the Internet are made through a proxy, such as an Apache. In some cases, an administrator wants to authenticate the users connecting to the proxy. In that case the uname / pwd is used on top of regular proxy settings.

    HttpsProxyPort A valid TCP port for the proxy server. Only taken into account if "HttpsProxyEnabled" is set to TRUE.

    HttpsProxyUser The username to authenticate the AutoClient towards its Proxy

    HttpsProxyPassword.enc The password of the ProxyUser. Note that the value of this parameter must be changed using the setPasswords tool in the installation directory.

    FinLauKey.enc LAU key for FIN file transfers. Note that the value of this parameter must be changed using the setPasswords tool in the installation directory.

    FileActLauKey.enc LAU key for FileAct file transfers. Note that the value of this parameter must be changed using the setPasswords tool in the installation directory.

    CsvLauKey.enc LAU key for CSV file transfers. Note that the value of this parameter must be changed using the setPasswords tool in the installation directory.

    LocalTestMode Used to test the flow between the Back-Office and the AutoClient without actually sending the files to Alliance Lite. The AutoClient checks the LAU but does not submit or lock the files.

    Example with proxy

    Parameter Value

    HttpsProxyEnabled TRUE

    HttpsProxyHost 172.0.1.1

    HttpsProxyPort 8080

    HttpsProxyUser username


    HttpsProxyPassword

    Example without proxy

    Parameter Value

    HttpsProxyEnabled FALSE

    HttpsProxyHost localhost

    HttpsProxyPort 8080

    HttpsProxyUser

    HttpsProxyPassword


    4 How AutoClient Works

    Overview

    AutoClient uses a directory structure on the local host to interface with your back-office application. This section describes the AutoClient directory structure, the functions of each directory, and the types of file contained in each directory.

    It is the user's responsibility to determine the way the back-office application communicates with AutoClient.

    The AutoClient directory structure

    When you install AutoClient, you must specify a location for the installation directory (by default, C:\Program Files\SWIFT\Alliance Lite) and a location for the base directory (by default, C:\Program Files\SWIFT\Alliance Lite\files) on the AutoClient host. The base directory contains four subdirectories: emission, reception, archive, and error.

    Other technical directories also exist and are located in the installation directory, such as:

    logs: contains the AutoClient log files and installation log files

    config: contains the AutoClient configuration file called autoclient.properties

    The previous diagram shows the default directory structure under Program Files. The 'files' directory is the base directory, and can be placed elsewhere at installation time.

    4.1 Emission Directory

    Emission

    The back-office application uses the emission directory to request upload of files by AutoClient to SWIFTNet. AutoClient regularly scans the emission directory for new files to be uploaded. The EmissionTimerInMillis polling timer determines how often the emission directory is scanned, see "List of Configuration Parameters" on page 20.

    The back-office application can submit FIN (RJE) files, FileAct files, and CSV files, with or without LAU files with the following conventions:


    For FIN:

    .fin (data file)
    .fin.lau (LAU file)

    For FileAct:

    [.pde] (data file)
    [.pde].par (a companion parameter file). The file transfer only starts if the .par file is present.

    [.pde]: the back-office application may add a .pde (Possible Duplicate Emission) extension to the file name. This .pde extension is then carried up to the destination. The .pde extension can be added to the file name to indicate that this file may have been sent already. This extension forces the file transfer to be marked as possible duplicate on the reception side (.S[_pdr]). The .pde extension is not applicable to FIN files.

    [.pde].par.lau (LAU file)

    For CSV:

    .csv (data file)
    .csv.lau (LAU file)

    The emission directory does not require any maintenance because the AutoClient automatically moves a file from its emission directory to its archive directory (see "Archive Directory" on page 27), when the file has been uploaded to the Alliance Lite server.

    Note However, the back-office application must monitor the emission directory. Should a file stay in the emission directory for more than 30 minutes, the back office application must raise an alarm. The AutoClient Operator must investigate the issue.
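One way a back-office job could implement the 30-minute emission check, added here as an example (not SWIFT code and not part of the guide). It reports every data file older than the threshold and, using the naming conventions above, says which companion file is missing; it assumes a companion's name is the data file's name plus the .par, .par.lau or .lau suffix, and the function names and sample file names are constructed.

```python
import os
import tempfile
import time

MAX_AGE_SECONDS = 30 * 60  # threshold from the guide: more than 30 minutes


def file_type(name):
    lower = name.lower()
    if lower.endswith(".fin"):
        return "FIN"
    if lower.endswith(".csv"):
        return "CSV"
    return "FileAct"  # FileAct files can have any format


def missing_companions(name, present, lau_enabled):
    """Companion files the conventions call for that are not in `present` (lower-case names)."""
    kind = file_type(name)
    needed = []
    if kind == "FileAct":
        needed.append(name + ".par")  # the transfer only starts once .par exists
        if lau_enabled.get(kind):
            needed.append(name + ".par.lau")
    elif lau_enabled.get(kind):
        needed.append(name + ".lau")
    return [n for n in needed if n.lower() not in present]


def stale_emission_files(emission_dir, lau_enabled, now=None, max_age=MAX_AGE_SECONDS):
    """Return one alarm record per data file that has stayed longer than max_age seconds."""
    now = time.time() if now is None else now
    with os.scandir(emission_dir) as entries:
        mtimes = {e.name: e.stat().st_mtime for e in entries if e.is_file()}
    present = {name.lower() for name in mtimes}
    alarms = []
    for name in sorted(mtimes):
        if name.lower().endswith((".par", ".lau")):
            continue  # companions are judged through their data file
        age = now - mtimes[name]
        if age > max_age:
            alarms.append({
                "file": name,
                "type": file_type(name),
                "age_min": int(age // 60),
                "missing": missing_companions(name, present, lau_enabled),
            })
    return alarms


def demo():
    """Build a constructed emission directory and return the alarms raised for it."""
    now = int(time.time())
    samples = {                      # file name -> age in minutes (constructed)
        "pay_0001.fin": 45,          # stale: its LAU file never arrived
        "pay_0002.fin": 5,           # recent: no alarm yet
        "pay_0002.fin.lau": 5,
        "report.xml": 90,            # FileAct, companions present: upload is stuck
        "report.xml.par": 90,
        "report.xml.par.lau": 90,
        "orders.csv": 31,
        "orders.csv.lau": 31,
    }
    with tempfile.TemporaryDirectory() as folder:
        for name, minutes in samples.items():
            path = os.path.join(folder, name)
            open(path, "w").close()
            os.utime(path, (now - minutes * 60, now - minutes * 60))
        lau = {"FIN": True, "FileAct": True, "CSV": True}
        return stale_emission_files(folder, lau, now=now)


if __name__ == "__main__":
    for alarm in demo():
        print(alarm)
```

An alarm with an empty "missing" list means the file was complete but still not uploaded, which is the case the AutoClient Operator has to investigate on the AutoClient side.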

    4.2 Reception Directory

    Reception

    The reception directory contains the files that your organisation receives from counterparties. It also contains the status of the messages that your organisation sent previously through AutoClient.

    AutoClient regularly polls the Alliance Lite server for new files ready for download. Files appear in the server when they are completely downloaded and ready for the back-office application to process. The ReceptionTimerInMillis timer determines how often AutoClient checks the reception directory for files received from counterparties, see "List of Configuration Parameters" on page 20.

    The reception directory can contain the following types of file:

    FIN (Standards MT) files: identified by extension .fin and, if LAU is enabled, LAU files are identified by extension .fin.lau

    containing the business MTs addressed to your organisation.


    with the status of messages that you have sent through AutoClient (ACK, NAK, MT 010, MT 011, MT 012, MT 019, or pseudo NAK).

    Conforming to the following conventions:

    .fin (data file)
    .fin.lau (LAU file)

    For more information, see "Process for Receiving FIN Messages" on page 45.

    FileAct files (any format):

    files received

    transfer status of files sent previously

    LAU file in reception directory (if LAU is enabled)

    Conforming to the following conventions

    .S[_pdr]
    .S[_pdr].par
    .S[_pdr].ok
    .S[_pdr].err

    If LAU is enabled:

    .S[_pdr].par[.lau]
    .S[_pdr].ok[.lau]
    .S[_pdr].err[.lau]

    For the transfer status of files sent previously

    .C.ok

    .C.dlv

    .C.err

    ..err

    If LAU is enabled:

    .C.ok.lau

    .C.dlv.lau

    .C.err.lau

    ..err.lau

    For more information, see "Process for Receiving FileAct Files" on page 46.

    : SWIFT generates a unique string of characters called TransferRef. The TransferRef contains a timestamp assigned by SWIFTNet, and is the same at the sender and at the receiver side, except for the last character.


    The last character is:

    C for files sent by AutoClient
    S for files received by AutoClient

    [_pdr]: in some cases (for example, after retries during the FileAct transfer), the FileAct protocol adds a _pdr extension (Possible Duplicate Reception) to the received data file, companion parameter, or report file names. This additional extension is carried unaltered to the reception directory.

    .lau for the LAU of files sent previously

    CSV Application Files

    identified by an extension .csv, or .csv.lau if LAU is activated

    contain the statuses of messages previously sent within a CSV file. Received CSV files do not contain business messages.

    Conforming to the following conventions

    .csv (data file)
    .csv.lau (LAU file)

    The structure consists of: __.csv[.lau]

    where the structure elements can contain the following:

    Instructions: Subscription, Redemption, SwitchSLeg, SwitchRLeg, ConfSubscription, ConfRedemption, ConfSwitchSLeg, ConfSwitchRLeg, Status, StatusSwitch.

    Status: can be ACK, DLV, NAK, ABD, DELNAK and OVRDUE

    Note The instruction type is the message business name as defined in the CSV layout definition document. It is the keyword used in the incoming CSV to identify the message type.

    Example: Subscription_ACK_20090609100143592.csv

    The following is the format of a CSV file:

    [,,,,,] will be present for switch orders, may be present for semt*
    [,,,,,] may be present for semt*
    [,,,,,] may be present for semt*

    It is the user's responsibility to maintain the reception directory - AutoClient does not automatically move files from the reception directory. SWIFT recommends that you perform regular archives of the files contained in this directory.


    4.3 Archive Directory

    Archive

    FIN and FileAct files that have been successfully uploaded to the Alliance Lite server are moved from the emission directory to the archive directory.

    Note The presence of a file in the archive directory does not mean that the file has been sent on SWIFTNet, or delivered to the receiver - that is indicated through other means, see "Sending Files" on page 33.

    The archive directory can contain the following types of file:

    for a FIN file:

    ..fin (original)
    ..fin.lau (original) if LAU enabled

    for a FileAct file, two files are present:

    [.pde]. (original)
    [.pde]..par
    [.pde]..par.lau (copy of original) if LAU enabled

    for a CSV file:

    ..csv (original)
    ..csv.lau (copy of original) if LAU enabled

    It is the user's responsibility to maintain the archive directory. SWIFT recommends that you perform regular archives of the files contained in this directory.

    4.4 Error Directory

    Error

    The error directory contains copies of the files that resulted in an error before or during upload, together with an error file (with extension .err) containing a description of the error.

    The error directory can contain the following types of file:

    for a FIN file, two files are present:

    ..fin (original)
    ..fin.err

    ..fin.lau if LAU enabled

    ..fin.err.lau if LAU enabled

    for a FileAct file, three files are present:

    [.pde].
    [.pde]..par


    ..err

    [.pde]..par.lau if LAU enabled
    [.pde]..err.lau if LAU enabled

    for a CSV file, two files are present:

    ..csv

    ..csv.err

    [.pde]..csv.lau if LAU enabled
    [.pde]..csv.err.lau if LAU enabled

    It is the user's responsibility to maintain the error directory. SWIFT recommends that you perform regular archives of the files contained in this directory.

    4.5 FileAct Delivery Notification

    Sending a notification

    Should a FileAct transfer require a Delivery Notification, Alliance Lite creates this Delivery Notification automatically for the receiver. Alliance Lite creates the Delivery Notification once the Receiver's AutoClient has successfully downloaded the file. The FileAct delivery notification is stored in the reception directory.

    Receiving a notification

    When you send a FileAct Transfer, you receive the Delivery Notification in the Reception directory of your AutoClient as a .dlv file.


    5 Running AutoClient

    Overview

    This section explains how to start and stop AutoClient, and how to monitor the status of AutoClient.

    To run AutoClient, you must have a USB token created by an Alliance Lite Administrator specifically for AutoClient. You also need the password associated with this USB token. For more information, see the Alliance Lite Administration Guide.

    5.1 Starting AutoClient

    To start AutoClient:

    The "SWIFT AutoClient Service" runs automatically as a Windows Service under a system account:

    1. Insert the AutoClient USB token in a USB port.

    2. Do one of the following:

    Click the Windows Start button, and select Programs > Alliance Lite > Start AutoClient.

    Or, right-click the AutoClient icon in the Windows Tray and click Start AutoClient from the shortcut menu

    In the Alliance Lite installation path, use the command line utility: autoclient -start.

    Note You can start AutoClient by connecting either to the Live service or to the Test service.

    3. Type the password of the AutoClient USB token and select Live if you want to connect AutoClient to the Live service. Select Test&Training if you want to connect the AutoClient to the Test service.

    Do one of the following:

    If AutoClient starts successfully, then the AutoClient Monitor icon (in the Windows Tray) turns green. AutoClient polls the Alliance Lite server for files ready for download, and the emission directory for files ready to be sent.

    If AutoClient fails to start, then the AutoClient Monitor icon turns yellow or red, and an error message appears. For more information, see "Monitoring the Status of AutoClient" on page 30.


    Note To start AutoClient from an application program, the autoclient -start command can be used. It is possible to provide the password of the token as a parameter of this command, for example, autoclient -start -password xxxxx, where "xxxxx" is the value of the token's password. You can provide the mode as the command parameter to indicate whether AutoClient must be started on the Live service or Test service. For example, to start AutoClient on the Test service, use the autoclient -start -mode TT command and to start AutoClient on the Live service, use the autoclient -start -mode LIVE command.

    WARNING: for security reasons, SWIFT does not recommend providing the password as a parameter to the autoclient -start command. If you do, then make sure that the password is not visible to unauthorised people, for example, do not store the password in clear in a file, or script, or in log files. The password of the AutoClient token is very important for the protection, and secure operation of AutoClient.

    After three consecutive invalid logon attempts, the AutoClient Monitor icon (in the Windows Tray) turns red. You must stop and start the "SWIFT AutoClient Service" and start the AutoClient again. If you then fail two extra times, your USB token becomes disabled. In this case, contact your Alliance Lite Administrator to generate a new USB token.

    If the user that started AutoClient logs off from Windows then the AutoClient remains running.

    5.2 Monitoring the Status of AutoClient

    You can monitor the status of AutoClient

    You can check the status of AutoClient in three ways:

    by looking at the colour of the AutoClient Monitor icon in the Windows Tray.

    green: indicates that AutoClient is running properly

    yellow: indicates that the AutoClient is not started or that a network problem occurred

    red: indicates that the "SWIFT AutoClient Service" is not started or that a major issue occurred.

    by checking the contents of the current autoclient_logs.log file.

    by running the AutoClient -status command.

    AutoClient state transition

    The following table lists the different states that AutoClient can be in:

    State Description

    Stopping AutoClient stop was requested

    Stopped AutoClient is stopped

    Starting AutoClient start was requested

    Started AutoClient has started

    Unavailable The "SWIFT AutoClient Service" is not started or a major issue occurred


    Network Network problem

    Certificate expiry warning

    The Certificate on the USB token can be in one of the following states:

    Not yet valid

    Will expire in (a number of) days

    Expires today

    Expired

    Valid

    In the first four cases, a balloon pop-up will appear to warn you in terms of Certificate expiry when you start AutoClient with a token. You must then contact your Alliance Lite Administrator to renew it.

    This warning is also logged in the autoclient_logs.log file.

    5.3 Stopping AutoClient

    Overview

    This section describes the procedure for stopping AutoClient.

    Note AutoClient must not be stopped while files are being transferred. Wait until the transfer is completed: that is until the emission directory is empty.

    To stop AutoClient:

    1. If you want to stop AutoClient, then do one of the following:

    Click the Windows Start button, and select Programs > Alliance Lite > Stop AutoClient

    Right-click the AutoClient Monitor icon in the Windows taskbar, and select Stop AutoClient from the shortcut menu

    Navigate to the Alliance Lite installation directory, and run the command: autoclient -stop

    2. The system prompts the user to confirm the action in a Stop AutoClient window.

    3. Type the AutoClient token's password and click OK.

    When you select Stop AutoClient, the following occurs:

    the last entry in the log file contains an indication that the user stopped the system

    AutoClient stops checking its emission and reception directories for new files

    any ongoing file transfers are aborted

    a notification pop-up is displayed from the Windows taskbar.


    Note To stop AutoClient from an application programme, the autoclient -stop command can be used. It is possible to provide the password of the token as a parameter of this command, for example, autoclient -stop -password xxxxx where "xxxxx" is the value of the token's password.

    WARNING: for security reasons, SWIFT does not recommend providing the password as a parameter to the autoclient -stop command. If you do, then make sure that the password is not visible to unauthorised people, for example, do not store the password in the clear in a file, script, or in log files. The password of the AutoClient token is very important for the protection, and secure operation of AutoClient.
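A check for the situation the warnings on autoclient -start and autoclient -stop describe, added here as an example (not SWIFT code and not part of the guide): it scans script and log text for an autoclient command line that carries -password and reports the line with the value masked. The sample batch file, its file name, and the rule that %NAME%, !NAME! or $NAME counts as a variable reference are assumptions made for the illustration.

```python
import re

# autoclient ... -password <value>; the value may be quoted.
PASSWORD_ARG = re.compile(
    r'(?i)\bautoclient(?:\.\w+)?"?\s[^\r\n]*?-password[\s=]+(?P<value>"[^"]*"|\S+)'
)
# A value that is only a variable reference is not a password stored in the file.
VARIABLE = re.compile(r'^"?(?:%\w+%|!\w+!|\$\{?[\w:]+\}?)"?$')

# Constructed sample batch file; the password value is made up.
SAMPLE_SCRIPT = """\
@echo off
rem constructed sample batch file
cd /d "C:\\Program Files\\SWIFT\\Alliance Lite"
autoclient -start -password Example-Passw0rd -mode LIVE
autoclient -stop -password %TOKEN_PW%
autoclient -status
"""


def scan_text(text, source):
    """Return one record per line that passes -password to autoclient."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = PASSWORD_ARG.search(line)
        if not match:
            continue
        value = match.group("value")
        kind = "variable" if VARIABLE.match(value) else "literal"
        # Never echo the value itself into the report.
        redacted = line[:match.start("value")] + "****" + line[match.end("value"):]
        hits.append({
            "source": source,
            "line": number,
            "kind": kind,
            "redacted": redacted.strip(),
        })
    return hits


def scan_files(paths):
    """Scan script or log files; unreadable bytes are replaced rather than failing."""
    hits = []
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as handle:
            hits.extend(scan_text(handle.read(), path))
    return hits


if __name__ == "__main__":
    for hit in scan_text(SAMPLE_SCRIPT, "start_autoclient.cmd"):
        print(f'{hit["source"]}:{hit["line"]} [{hit["kind"]}] {hit["redacted"]}')
```

A "literal" hit is a password stored in clear in the file; a "variable" hit still puts the password on the command line at run time, so the place the variable is set needs the same review.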


    6 Sending Files

    Introduction

    This section explains the process by which AutoClient handles files to be sent, from the emission directory up to the Alliance Lite server. It briefly talks about the preparation of the files. It also describes the possible scenarios that can occur when you send files through AutoClient.

    6.1 FIN Message Files

    Overview

    This section describes the process flow when sending FIN message files.

    6.1.1 Message File Preparation

    Preparation

    Before sending a message file, the back-office application must prepare it.

    Basic file requirements

    Each file must conform to the following basic requirements:

    the message file name must:

    end in the extension .fin

    be less than 200 characters

    not contain the ":" (colon) character. The file name can contain dots.

    the message file must:

    be less than 85 KB in size

    have the read attribute enabled

    File structure and format requirements

    The file format must be RJE. An RJE file contains a number of MT messages, separated by a "$" (dollar) sign. The MT messages in the file must conform to the Standards MT syntax, as specified in the Standards MT documentation.

    For an example, see "FIN Message File (RJE Format)" on page 55.


  • 6.1.2 Process Flow

    FIN message files sent through AutoClient

    [Figure: FIN message files sent through AutoClient. Elements: Start; File moved to emission directory; Waiting File Upload; During file upload to Alliance Lite server; File Upload Error; File moved to error directory; File moved to archive directory; Alliance Lite server.]

    6.1.2.1 Successful Upload

    Overview

    This section describes the process flow of messages successfully uploaded by AutoClient to the Alliance Lite server.

    Process flow

    1. A file prepared on your back-office application is ready to be sent.

    2. The back-office application places the file in the emission directory, with the filename ending in the extension .fin.

    3. AutoClient scans the emission directory, finds the file, and starts processing it.

    Note If LAU is enabled for FIN messages, AutoClient will wait until the .lau file is found. See "Local Authentication Files" on page 43 for details of how to set up a LAU file.

    4. AutoClient checks whether the file meets the basic requirements listed in "Message File Preparation" on page 33.

    5. On successful validation, AutoClient uploads the file to the Alliance Lite server.

    6. During upload, the file remains in the emission directory.

    7. On successful completion of the file upload:

    AutoClient moves the file to the archive directory (if LAU is enabled, the LAU files are also moved)

    the messages are submitted for transmission to FIN.

    At this stage, you can view and monitor the messages and their status from the Alliance Lite Web interface. Messages can also be approved manually from the interface. For more information, see "Approval of Autoclient Messages and Files" on page 44.


  • FIN ACK

    1. For every message that is successfully sent on the FIN network, an ACK (Acknowledgement) message is returned. There can also be messages returned that indicate error, or successful delivery to the receiver. The ACK messages are put in a .fin file generated by the Alliance Lite server.

    2. The .fin file is downloaded into the reception directory by AutoClient. The back-office application can then process these ACK messages, see "Process for Receiving FIN Messages" on page 45. If LAU is enabled, the LAU file is provided as well.

    6.1.2.2 Unsuccessful Upload

    Errors can occur at various stages

    When files are sent to the Alliance Lite server, errors can occur at the following stages:

    1. when the file is validated by the sending AutoClient

    2. when the files are validated by the Alliance Lite server

    3. when the Alliance Lite server validates the messages after successful extraction

    4. when the Alliance Lite server sends the message on SWIFTNet

    5. during transmission over SWIFTNet, for example, after SWIFTNet accepted the message but before the message was delivered successfully to the receiver.

    Errors at stage 1, 2, or 3

    If a file results in an error at one of these stages, then the entire file is rejected, and AutoClient moves the file to the error directory. AutoClient adds a timestamp extension to the original filename (.fin). In addition, a text file is generated in the error directory. This file contains an error code with a description of the error.

    The format of these files is as follows:

    ..fin - when occurring at stage 1

    ..fin.err - when occurring at stage 1, 2, and 3

    where is the current system date and time (in YYYYMMDDhhmmss format) on the AutoClient host

    For a list of the possible errors, see "Errors When Uploading Files to the Alliance Lite Server" on page 50.

    Errors at stage 4, or 5: NAK and pseudo-NAK

    At this stage, the file is accepted by the Alliance Lite server, and messages from the file are processed one by one. If a message results in an error at this stage, then only that message is rejected, while other messages in the file may be processed successfully. The error is typically a NAK (Negative Acknowledgement). A FIN NAK is a message returned by the SWIFT network to indicate that the sent message was rejected by the SWIFT network, and could not be forwarded to the receiver.

    A pseudo-NAK is a message that is returned by the Alliance Lite server, to indicate that the sent message could not be forwarded to SWIFTNet. An error at stage 4 or 5 that indicates rejection of a message is put in a .fin file generated by the Alliance Lite server. This file is then downloaded by AutoClient into the reception directory.


  • The FIN NAK or pseudo NAK message contains a copy of the original message which it rejects. The back-office application can then process these NAK messages, and determine which message was rejected.

    If a message must be repaired, then it must be created again on the back-office application.

    FIN NAK

    The FIN network may reject a message, and then return a NAK. Such a NAK is a message with a particular structure.

    The following is an example of a NAK message:

    {1:F21BANKBEBBAXXX0001000002}{4:{177:0803051517}{451:1}{405:M50}}{1:F01.......}

    In this example, the error code is "M50", which means "message length exceeded". A list of possible NAK error codes returned by the FIN network is documented in the User Handbook, Standards MT, and FIN Error Codes Guide.

    In the AutoClient's .fin files, a NAK is followed by a copy of the original message to which the NAK refers. The copy of the original message is appended to the NAK, and starts with {1:F01.

    Note The syntax of NAK messages is explained in the User Handbook, Standards MT, and FIN System Messages Guide. In summary, a NAK starts with {1:F21 and contains a line with {451:1} to indicate rejection and {405:xxx}, where "xxx" is the error code.

    Pseudo NAK

    The Alliance Lite server may return a pseudo NAK, containing a specific error code and its description. A pseudo NAK is a NAK generated by Alliance Lite, not by the SWIFT network. A pseudo-NAK looks like a normal NAK, except that the error code starts with "I", or "AUT". But the pseudo-NAK does not contain field 108 (Message User Reference) in block 3 (User Header).

    A pseudo NAK is generated in the following cases:

    no RMA relation "SEND_TO" exists with your counterparty, with the receiver BIC of the message

        An RMA relation is a relation that you establish with a counterparty that agrees to receive SWIFT messages from you.

    the sender BIC8 inside the header of the message is not the BIC owned by the Alliance Lite user

    message is incorrectly formatted in the FIN blocks or contains incorrect characters

    a message is rejected by the approver (in case of manual approval).

    The following example shows a pseudo NAK due to the absence of RMA relation:

    {1:F21VNDZBET2BXXX0000000000}{4:{177:0803051517}{451:1}{405:AUT}}{1:F01.......}

    A pseudo NAK is always followed by a copy of the original message. For the list of pseudo NAK errors, see "Pseudo NAK Errors" on page 51.
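    The NAK and pseudo NAK rules above, as a back-office parser over a received .fin file. This is an added example, not code from the guide or from SWIFT; the sample content, the "$" separator between reports, the {451:0} report and the use of field :20: as the reference are constructed assumptions.

```python
import re

# Constructed sample of a received .fin file: a FIN NAK, a report that is not a
# rejection, and a pseudo NAK, each followed by a constructed copy of the
# original message (starting with {1:F01).
SAMPLE = (
    "{1:F21BANKBEBBAXXX0001000002}{4:{177:0803051517}{451:1}{405:M50}}"
    "{1:F01BANKBEBBAXXX0001000002}{2:I999BANKDEFFXXXXN}{4:\n:20:REF-0001\n:79:TEST\n-}"
    "$"
    "{1:F21BANKBEBBAXXX0001000003}{4:{177:0803051518}{451:0}}"
    "{1:F01BANKBEBBAXXX0001000003}{2:I999BANKDEFFXXXXN}{4:\n:20:REF-0002\n:79:TEST\n-}"
    "$"
    "{1:F21BANKBEBBAXXX0000000000}{4:{177:0803051519}{451:1}{405:AUT}}"
    "{1:F01BANKBEBBAXXX0000000000}{2:I999BANKDEFFXXXXN}{4:\n:20:REF-0003\n:79:TEST\n-}"
)

# A report starts with {1:F21...} and carries its fields as {nnn:value} in block 4.
F21 = re.compile(r"\{1:F21[^{}]*\}\{4:((?:\{\d{3}:[^{}]*\})+)\}")
FIELD = re.compile(r"\{(\d{3}):([^{}]*)\}")
FIELD_20 = re.compile(r"^:20:(.+)$", re.MULTILINE)


def classify(fields: dict) -> str:
    """Apply the guide's rule: {451:1} is a rejection, {405:xxx} is the code."""
    if fields.get("451") != "1":
        return "not rejected"
    code = fields.get("405", "")
    # Pseudo NAK codes start with "I" or "AUT" (generated by Alliance Lite).
    if code.startswith(("I", "AUT")):
        return "pseudo NAK"
    return "FIN NAK"


def parse_reports(text: str) -> list:
    """Return one dict per {1:F21 report, with the appended original message."""
    reports = []
    heads = list(F21.finditer(text))
    for i, head in enumerate(heads):
        fields = dict(FIELD.findall(head.group(1)))
        # The copy of the original runs up to the next report or end of file.
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        tail = text[head.end():end]
        start = tail.find("{1:F01")
        original = tail[start:].rstrip("$\r\n ") if start >= 0 else ""
        ref = FIELD_20.search(original)
        reports.append({
            "kind": classify(fields),
            "error_code": fields.get("405"),
            "reference": ref.group(1).strip() if ref else None,
            "original": original,
        })
    return reports


def rejected(text: str) -> list:
    """(reference, error code, kind) for every message that must be re-created."""
    return [(r["reference"], r["error_code"], r["kind"])
            for r in parse_reports(text) if r["kind"] != "not rejected"]


if __name__ == "__main__":
    for item in rejected(SAMPLE):
        print(item)
```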


  • MT 019 abort notification

    A message that was successfully sent on FIN (for which an ACK was returned by SWIFTNet), can in exceptional cases be aborted before it is successfully received. There are two reasons for this:

    the receiver never receives the message, for example, the receiver never logs on to FIN to receive messages that are waiting for them

    in case of a FINCopy message, the central institution does not authorise the message.

    In both cases, SWIFTNet returns an MT 019 Abort Notification message to the sender of the message. AutoClient puts these MT 019 messages in .fin files in its reception directory. For more information, see "Process for Receiving FIN Messages" on page 45.

    6.2 FileAct Files

    Overview

    This section describes the process flow when sending FileAct files.

    6.2.1 Data File Preparation

    Preparation

    Before sending a FileAct file, the back-office application must prepare the following files:

    a data file, that must be sent to your counterparty, embedded in a FileAct file transmission

    a companion parameter file (.par file), that specifies how the file must be sent. For more information, see "Emission .par File" on page 58.

    a LAU file (if LAU is enabled)

    Basic file requirements

    Each file must conform to the following basic requirements:

    the file name must:

        be less than 200 characters

        not contain colon characters (:)

    the file must be less than 20 MB in size


  • 6.2.2 Process Flow

    FileAct files sent through AutoClient

    [Figure: FileAct files sent through AutoClient. Elements: Start; File moved to emission directory; Waiting FileAct File Upload; During file upload to Alliance Lite server; File Upload Error; File moved to error directory; After successful file upload to Alliance Lite server; File moved to archive directory; Waiting Transfer; FileAct Error; FileAct ok; FileAct Delivered; .err file in reception directory; .ok file in reception directory; .dlv file in reception directory.]

    6.2.2.1 Successful Upload

    Overview

    This section describes the process flow of data files that are successfully uploaded by AutoClient to the Alliance Lite server.

    Process flow

    1. A data file and its companion .par file, prepared on your back-office application, are ready to be sent.

    2. The back-office application places both files in the emission directory, in the following order:

    1. data file

    2. companion .par file

    Note The presence of the .par file in the emission directory triggers the file upload. If no .par file is present in the emission directory, then the data file upload does not start. If LAU is configured, then the upload will not start until the .lau file is also found. See "Local Authentication Files" on page 43 for details of how to set up a LAU file.

    3. AutoClient scans the emission directory, finds both a data file and a .par file, and starts processing the files.


  • 4. AutoClient checks whether the files meet the basic requirements listed in "Data File Preparation" on page 37.

    5. On successful validation, AutoClient uploads the files to the Alliance Lite server.

    6. During upload, the files remain in the emission directory.

    7. On successful completion of the file upload:

    AutoClient moves the data file and the .par file to the archive directory.

    the data file is submitted to FileAct following the routing information contained in the companion .par file.

    the LAU file (if LAU is enabled) is moved to the archive directory.

    At this stage, the status of the FileAct file transfer can be monitored from:

    the Alliance Lite Web interface. See the Inbox/Outbox section of the Alliance Lite User Guide for more information.

    report files (with extensions .ok, .err, and .dlv) that are moved to the reception directory.

    6.2.2.2 Unsuccessful Upload

    Errors during basic validation checks and file upload

    If the file upload fails, then AutoClient moves the data file and the companion .par file to the error directory. AutoClient adds a timestamp extension to the original file names. In the error directory, a text file is also generated, containing an error code with a description of the error. If LAU is enabled, the LAU file is moved as well.

    The format of these files is as follows:

    [.pde]. [.pde]..par [.pde]..err ..lau

    where is the current system date and time (in YYYYMMDDhhmmss format) on the AutoClient host

    For a list of the possible errors, see "Errors When Uploading Files to the Alliance Lite Server" on page 50.

    Errors during validation by the Alliance Lite server

    FileAct errors are put in an .err file. AutoClient then downloads this file into the reception directory.

    6.3 CSV Files

    Overview

    To send certain types of MT or MX messages, you can upload CSV (comma separated values) files with Alliance Lite, and Alliance Lite will transform the lines in these CSV files into messages (MT or MX), and send them as properly formatted MT or MX messages over SWIFTNet.


  • The following message types can be uploaded in CSV format:

    For Funds Distributors

        Funds Orders Subscription MX (setr.010)

        Funds Orders Redemption MX (setr.004)

        Funds Orders Switch MX (setr.013)

    For Funds Transfer Agents or Funds Administrators

        Funds Statuses MX (setr.016)

        Funds Confirmations MX (setr.006, setr.012, setr.015)

        Funds Statements of Holdings MX (semt.002, semt.003)

    For Investment Managers, Broker, or Dealers

        Securities Settlement Instructions MT (MT 540, MT 541, MT 542, MT 543)

    For more information about uploading CSV files, refer to the Alliance Lite CSV File Upload Guide.

    6.3.1 Process Flow

    CSV files sent through AutoClient

    [Figure: CSV files sent through AutoClient. Elements: Start; File moved to emission directory; Waiting File Upload; During file upload to Alliance Lite server; File Upload Error; File moved to error directory; File moved to archive directory; Alliance Lite server.]

    6.3.1.1 Successful Upload

    Overview

    This section describes the process flow of CSV files successfully uploaded by AutoClient to the Alliance Lite server.

    Process flow

    1. The CSV file is dropped in the emission folder of the AutoClient. The file name ends with the extension .csv.

    2. AutoClient scans the emission folder regularly, and if it finds a file, it automatically uploads the file and starts processing it.


  • Note If LAU is configured, then the upload will not start until the .lau file is also found. See "Local Authentication Files" on page 43 for details of how to set up a LAU file.

    3. On successful validation, AutoClient uploads the file to the Alliance Lite server.

    4. The lines of the CSV file are transformed by Alliance Lite into MT or MX messages.

    5. During upload, the file remains in the emission directory.

    6. On successful completion of the file upload:

    AutoClient moves the file to the archive directory (if LAU is enabled, the LAU files are also moved)

    the messages are submitted for transmission to SWIFTNet.

    Note The messages uploaded from the CSV files are visible in the Alliance Lite user interface with the Outbox feature. The messages are displayed in a summary grid with the most important elements of the message. For more information, see chapter Inbox Outbox of the Alliance Lite User Guide.

    CSV ACK

    1. For every message that is successfully sent on the network, an ACK (Acknowledgement) message is returned. There can also be messages returned that indicate error, or successful delivery to the receiver. The ACK messages are put in a .csv file generated by the Alliance Lite server.

    2. The .csv file is downloaded into the reception directory by AutoClient. The back-office application can then process these ACK messages, see "Process for Receiving CSV Files" on page 47. If LAU is enabled, the LAU file is provided as well.

    6.3.1.2 Unsuccessful Upload

    Errors can occur at various stages

    When files are sent to the Alliance Lite server, errors can occur at the following stages:

    1. when the file is validated by the sending AutoClient

    2. when the files are validated by the Alliance Lite server

    3. when the Alliance Lite server validates the messages after successful extraction

    4. when the Alliance Lite server sends the message on SWIFTNet

    5. during transmission over SWIFTNet, for example, after SWIFTNet accepted the message but before the message was delivered successfully to the receiver.


  • Errors at stage 1, or 2

    If a file results in an error at one of these stages, then the entire file is rejected, and AutoClient moves the file to the error directory. AutoClient adds a timestamp extension to the original filename (.csv). In addition, a text file is generated in the error directory. This file contains an error code with a description of the error.

    The format of the filenames of these files is as follows:

    ..csv - when occurring at stage 1

    ..csv.err - when occurring at stage 1, 2, and 3

    where is the current system date and time (in YYYYMMDDhhmmss format) on the AutoClient host

    For a list of the possible errors, see "Errors When Uploading Files to the Alliance Lite Server" on page 50.

    Errors at stage 3, 4, or 5: NAK

    At this stage, the file is accepted by the Alliance Lite server, and messages from the file are processed one by one. If a message results in an error at this stage, then only that message is rejected, while other messages in the file may be processed successfully.

    A NAK is a message returned by the network to indicate that the sent message was rejected by the SWIFT network, and could not be forwarded to the receiver.

    A NAK can also be returned by the Alliance Lite server, to indicate that the sent message could not be forwarded to SWIFTNet. An error at stage 4 or 5 that indicates rejection of a message is put in a .csv file generated by the Alliance Lite server. This file is then downloaded by AutoClient into the reception directory. The NAK message contains a copy of the original message which it rejects. The back-office application can then process these NAK messages, and determine which message was rejected.

    If a message must be repaired, then it must be created again.

    CSV NAK

    NAK reporting on CSV files is achieved by using the Status CSV file. The Status CSV file is returned to AutoClient with the NAK status and contains the NAK'd message. The file can contain the status of one message or more.

    The filename of the Status CSV file is as follows:

    __ .csv

    Where: the is the message business name, the is NAK, and the is the current system date and time (in YYYYMMDDhhmmss format) on the AutoClient host.

    The following is the format of a CSV file:

    [,,,,,] will be present for switch orders, may be present for semt*

    [,,,,,] may be present for semt*

    [,,,,,] may be present for semt*


  • The status for these messages is NAK and the error codes and text are described in "CSV NAK Codes" on page 52.

    An example of Status CSV filename is as follows: DeliverFree_NAK_20100318154345644.csv

    An example of the contents of this Status CSV status file is as follows:

    NAK,CSVNAK_113,in Position 3,543_003.csv,3,DeliverFree,SWBPBEHA,ABCD,ABCD,Invest Account at HA,,EGS673T1C012,5000,UNIT,,,TRAD,20100102,20100101,CEDELULL,SWBPBEHA,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

    6.4 Local Authentication Files

    Introduction

    This section describes the process flow for Local Authentication (LAU) with files.

    Process flow

    1. The back-office application is configured with the same key value as the characters of the key value(s) for the defined file types (CSV, FIN, or FileAct). The management of the keys is application specific and must be secure.

    2. The back-office application creates a 256-bit array and fills the array with byte values corresponding to the LAU key ASCII characters. If the LAU key is less than 32 characters (256 bits), then the application will right-pad the remainder of the keys with 0 bits.

    3. The back-office application calculates the HMAC-SHA256 signature over the entire byte stream of the payload file using the 256-bit array created in step 2 as the algorithm's symmetric key. This generates a 256-bit (32-byte) binary signature value.

    4. The back-office application encodes the binary signature value in Base-64 encoding. For FIN and CSV files, the Base-64 encoded value of the signature is put in a separate file with the .lau extension. For FileAct files, the signature is put as a parameter in the .par file, and an additional signature is calculated on that .par file and put in a .par.lau file.

    5. The remainder of the process flow depends on the file type (CSV, FIN, or FileAct).

    For FIN and CSV payload files:

    The back-office application writes the base-64 encoded signature value to a file alongside the payload file in the AutoClient emission directory using the same name as the payload file name but appended with .lau extension. This .lau file contains no other characters except the signature.

    The AutoClient initiates a transfer when it finds both the payload file and the .lau file in the emission directory.

    For binary payload files to be transported using FileAct:

    The back-office application writes a property called 'Algorithm' to the payload's .par file with the 'HMAC_SHA256' as the property value. For example, Algorithm=HMAC_SHA256

    The back-office application writes a property called 'Value' to the .par file with the base-64 encoded signature value as the property value. For example, Value=OXD9/6TwIHqROLr6ZXi8Y3cD03pV+wk6IGtoi4gQqrQ\=


  • The back-office application writes the updated .par file to disk.

    The back-office application calculates a second HMAC-SHA256 signature over the entire byte stream of the .par file using the symmetric key created in step 2. This generates a second 32-byte, binary signature value.

    The back-office application encodes the binary signature value as base-64.

    The back-office application writes the base-64 encoded signature value to a file alongside the payload file in the AutoClient emission directory using the same name as the payload file name but appended with .par.lau extension. This par.lau file contains no other characters except the signature.

    The AutoClient initiates a transfer when it finds the payload file, the .par file and the .par.lau file in the emission directory.
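    The LAU steps above, carried through for a FIN payload and a FileAct payload. This is an added example, not code from the guide or from SWIFT; the key, file names and file contents are constructed, and the `<payload name>.par` naming, the rejection of keys longer than 32 characters and the `\=` escaping (copied from the guide's sample Value line) are assumptions.

```python
import base64
import hashlib
import hmac
import tempfile
from pathlib import Path

KEY_LEN = 32  # the 256-bit array of step 2


def lau_key(key_chars: str) -> bytes:
    """Step 2: ASCII bytes of the LAU key, right-padded with zero bits."""
    raw = key_chars.encode("ascii")  # UnicodeEncodeError on non-ASCII input
    if not 0 < len(raw) <= KEY_LEN:
        # Assumption: the guide only describes keys of 1 to 32 characters.
        raise ValueError("LAU key must be 1 to 32 ASCII characters")
    # HMAC itself zero-pads keys shorter than its 64-byte block, so this
    # padding does not change the signature; it follows step 2 literally.
    return raw.ljust(KEY_LEN, b"\x00")


def lau_signature(key: bytes, data: bytes) -> str:
    """Steps 3 and 4: HMAC-SHA256 over the whole byte stream, Base-64 encoded."""
    return base64.b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode("ascii")


def lau_matches(key: bytes, data: bytes, lau_bytes: bytes) -> bool:
    """Constant-time check of a .lau file; any extra byte (even a newline) fails."""
    return hmac.compare_digest(lau_signature(key, data).encode("ascii"), lau_bytes)


def sign_fin_or_csv(payload: Path, key: bytes) -> Path:
    """Step 5, FIN and CSV: write <payload name>.lau next to the payload."""
    lau = payload.with_name(payload.name + ".lau")
    lau.write_bytes(lau_signature(key, payload.read_bytes()).encode("ascii"))
    return lau


def sign_fileact(payload: Path, key: bytes) -> tuple:
    """Step 5, FileAct: add Algorithm/Value to the .par file, then sign that file."""
    par = payload.with_name(payload.name + ".par")  # assumed .par naming
    # The guide's sample Value line shows the Base-64 padding written as "\=".
    value = lau_signature(key, payload.read_bytes()).replace("=", "\\=")
    body = par.read_bytes()
    if body and not body.endswith(b"\n"):
        body += b"\n"
    body += f"Algorithm=HMAC_SHA256\nValue={value}\n".encode("ascii")
    par.write_bytes(body)  # the updated .par file is written before it is signed
    par_lau = payload.with_name(payload.name + ".par.lau")
    par_lau.write_bytes(lau_signature(key, body).encode("ascii"))
    return par, par_lau


def demo() -> dict:
    """Run both flows on constructed files in a temporary emission directory."""
    key = lau_key("Constructed-LAU-key-01")  # constructed key, 22 characters
    with tempfile.TemporaryDirectory() as tmp:
        emission = Path(tmp)
        fin = emission / "payments.fin"
        fin.write_bytes(b"{1:F01BANKBEBBAXXX0001000002}{2:I999BANKDEFFXXXXN}"
                        b"{4:\n:20:REF-0001\n:79:TEST\n-}")
        lau = sign_fin_or_csv(fin, key)
        data = emission / "report.bin"
        data.write_bytes(bytes(range(256)))
        (emission / "report.bin.par").write_bytes(b"ExampleParameter=constructed")
        par, par_lau = sign_fileact(data, key)
        return {
            "fin_ok": lau_matches(key, fin.read_bytes(), lau.read_bytes()),
            "tampered_ok": lau_matches(key, fin.read_bytes() + b" ", lau.read_bytes()),
            "newline_ok": lau_matches(key, fin.read_bytes(), lau.read_bytes() + b"\n"),
            "par_ok": lau_matches(key, par.read_bytes(), par_lau.read_bytes()),
            "par_tail": par.read_text("ascii").splitlines()[-2:],
            "names": sorted(p.name for p in emission.iterdir()),
        }


if __name__ == "__main__":
    print(demo())
```

    Because the .par signature covers the Algorithm and Value lines, any later edit to the .par file requires recomputing the .par.lau file.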

    6.5 Local Test Mode Process

    Introduction

    When setting up a system, an operator may want to test the flow between the back-office application and the AutoClient without actually sending the file to Alliance Lite. This section describes the process flow for Local Test Mode.

    Process Flow

    1. In the back-office application, the operator creates a file for each type (FIN, CSV, FileAct).

    2. The back-office application creates the LAU files and stores the files in the emission directory.

    3. The AutoClient retrieves the files and validates the LAU signatures (logging the results in the log file), but does not send the files.

    4. After validation, the operator deletes the files after stopping AutoClient.

    Note In case of failure, the operator configures the keys again and validates the LAU signatures.

    6.6 Approval of Autoclient Messages and Files

    Overview

    AutoClient allows you to manually approve any outgoing AutoClient message or FileAct file. Using Inbox/Outbox you can see all files/messages sent with AutoClient. From the Outbox you can approve these files or messages. The Outbox module lists all messages and FileAct files that require approval. You can approve each message or file, if the message or file was uploaded from AutoClient and if the auto-approval option is not enabled in AutoClient.

    You can also use Automatic Approval for messages in AutoClient. For information about approval of outbox instructions, see chapter Inbox Outbox of the Alliance Lite User Guide.


  • 7 Receiving Files

    7.1 Process for Receiving FIN Messages

    Overview

    This section describes the process flow when receiving Standards MT messages.

    Process flow

    1. A .fin file containing Standards MT messages is processed by the Alliance Lite server. AutoClient then downloads the file into the reception directory. The file name is.fin.

    This .fin file can contain the following types of message:

    business messages addressed to your institution

    status of messages sent previously

    a combination of both

    an LAU file (if LAU is enabled)

    2. The back-office application checks the reception directory for the presence of .fin files.

    3. The back-office application moves the file from the reception directory to the working directory of the back-office application.

    Note If LAU is configured, the back-office application should wait until the LAU file is available in the reception directory before processing the message.

    Status of messages sent previously

    The back-office application can track the status of all messages sent previously through AutoClient. The following message states exist:

    Message    Description    Means that the message that you sent    Additional information

    FIN ACK    FIN acknowledgement    was successfully sent (accepted by SWIFTNet)

    A FIN ACK contains:

    a message user reference or a transaction reference number to identify the original message in the back-office application

    a message input reference to enable the following MT 019, MT 011, and MT 010