Scribd
Upload
138 views14 pages

TAFJ MessageIntegrity

Uploaded by

Fry Lennon
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
138 views14 pages

TAFJ MessageIntegrity

Uploaded by

Fry Lennon
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 14

TAFJ M e s s a g e I n t e g r i ty

R20
TAFJ M e s s a g e I n t e g ri ty

Amendment History:

Revisio
Date Amended Name Description
n
1 22nd Mar 2019 Riswana Initial version
th
2 17 Oct 2019 Riswana Update XML signing

3 25th March 2020 Riswana F R20 AMR review

Page 2
TAFJ M e s s a g e I n t e g ri ty

Copyri g h t
Copyright © Temenos Headquarters SA 2009-2020. All rights reserved.
This document contains proprietary information that is protected by copyright. No part of this document may
be reproduced, transmitted, or made available directly or indirectly to a third party without the express
written agreement of TEMENOS UK Limited. Receipt of this material directly TEMENOS UK Limited
constitutes its express permission to copy. Permission to use or copy this document expressly excludes
modifying it for any purpose, or using it to create a derivative therefrom.

Errat a and Com m e n t s


If you have any comments regarding this manual or wish to report any errors in the
documentation, please document them and send them to the address below:
Technology Department

Temenos Headquarters SA
2 Rue de l’Ecole-de-Chimie,
CH - 1205 Geneva,
Switzerland

Tel SB: +41 (0) 22 708 1150


Fax: +41 (0) 22 708 1160

Please include your name, company, address, and telephone and fax numbers, and email
address if applicable. [email protected]

Page 3
TAFJ M e s s a g e I n t e g ri ty

Table of Contents
Copyright................................................................................................................................................ 3
Errata and Comments............................................................................................................................ 3
Overview................................................................................................................................................ 5
Features................................................................................................................................ 5
Create Keystore...................................................................................................................................... 5
Configuration......................................................................................................................... 5
Start the Web APP............................................................................................................. 6
Create Keystore.................................................................................................................... 6
JBC & JAVA API..................................................................................................................................... 7
JBC API................................................................................................................................. 7
Configuration..................................................................................................................... 7
Sign.................................................................................................................................... 8
Verify.................................................................................................................................. 9
Error Details..................................................................................................................... 10
JAVA APIs........................................................................................................................... 11
Configuration................................................................................................................... 11
AppServer............................................................................................................................................ 14

Page 4
TAFJ M e s s a g e I n t e g ri ty

Overvi e w
The primary Objective of this document is to provide guidance to create Keystore and use
JBC and JAVA API provided for Message Integrity.

Message Integrity is a solution for handling messages securely. We sign the outgoing
message and verify the message using the signature. Also we provide solutions to manage
keys securely.
Sign/Verify can be done using Symmetric or Asymmetric Key.
Asymmetric Key -A message should be signed with PrivateKey and the same is verified
using PublicKey.
Symmetric key – Same SecretKey is used sign and verify the message.

Feat u r e s
1. Store the Security keys in Java keystore.

2. Provide API to sign the outward message and verify the inward message using the
keys stored in Keystore, which can be accessed from both JBC and Java.
 Sign: It is used to sign the message and it will provide the signature or hash value
for the message using the configured keys. For XML type messages, the
signature element is appended to the actual message.
 Verify: It is used to verify the message and it will return 0 in case of successfull
verification.
 Digest

Creat e Keys t o r e
Use TemenosSecurityWeb.war to create Keystore and register entries and keys to it.
TemenosSecurityWeb is available as a zip folder at $TAFJ_HOME/MessageIntegrity. Extract
it in a folder.

Confi g u r a t i o n
Edit the keystore.properties file, which is available in resource/conf folder in
TemenosSecurityWeb.war.

Page 5
TAFJ M e s s a g e I n t e g ri ty

If the Keystore is available as a physical file in the machine, provide the path in the property
temn.keystore.location. Multiple path can be provided as comma seperated.

If the Keystore is available in database provide the properties temn.keystore.database.url,


temn.keystore.database.driver, temn.keystore.database.user and
temn.keystore.database.password.

Start th e Web APP


Navigate to the bin folder of extracted MessageIntegrity directory. Execute the
LaunchKeyStoreWebApp.bat to start jetty-runner deploying TemenosSecurityWeb.war

Now access the web application with the URL http://localhost:8080/TemenosSecurity

Crea t e Keys t o r e
Create Keystore page will be as below.

Page 6
TAFJ M e s s a g e I n t e g ri ty

Keystore Name : Name of the keystore


Keystore Password: Password to access keystore
Select one of the below key Type :
 Asymmetric – Private Key : It can be used only for sign operation. It should be
an instance of PrivateKey.
 Asymmetric – Public Key : It can be used only for verify operation. It should be
an instance of PublicKey.
 Symmetric Key : Key can be used for both sign and verify operations.
Should be an instance of SecretKey
 Split the keys and enter it as left and right key.
 Grace days is number of days the keys can be configured to be valid. This is
used based on configurations.

JBC & JAVA API


JBC API’s are interface to access SIGN and VERIFY features from an Infobasic program
using CALLJ.

Java API’s are interface to access SIGN and VERIFY features from a Java program.

JBC API

Confi g u r a t i o n
Copy all the dependency jars from TAFJHome\3rdParty\integrity to TAFJHome\lib

Either option provided to use the Keystore as a physical file or it could be from a database.
We configure this in keystore.properties file available in conf folder of TemenosSecurity.jar.

Page 7
TAFJ M e s s a g e I n t e g ri ty

If the Keystore is available as a physical file in the machine, provide the path in the property
temn.keystore.location. Multiple path can be provided as comma seperated.

If the Keystore is available in database provide the properties temn.keystore.database.url,


temn.keystore.database.driver, temn.keystore.database.user and
temn.keystore.database.password.

Note: Only when the location is not provided, Keystore is read from the database

Si g n
Sign API from JBC should be accessed using CALLJ. Use
“com.temenos.security.jbc.Integrity” as package.class to access the method sign as in
below sample request.

Sample Sign Request

Page 8
TAFJ M e s s a g e I n t e g ri ty

Set “ENTRY.TYPE” as unidirectional for private and public key (Asymmetric). Set it as
bidrectional for secret key(Symmetric).

The message can be classified as XML type as below. Specify the message type at <1,12>
and the digest algorithm at <1,13> . SHA1, SHA256, SHA512 are supported digest
algorithms. In case if it is not set, SHA1 is used as default algorithm. If the message is
classified as XML, then the <signature> element is added to the actual message and
provided as output for sign API.

signRequest<1,12> = "XML" ;*Message Type

signRequest<1,13> = "SHA256" ;* Digest Algorithm

Verify
Verify API from JBC should be accessed using CALLJ. Use
“com.temenos.security.jbc.Integrity” as package.class to access the method verify as in
below sample request.

Sample Verify Request:

Page 9
TAFJ M e s s a g e I n t e g ri ty

Set “ENTRY.TYPE” as unidirectional for private and public key (Asymmetric). Set it as
bidrectional for secret key(Symmetric).

As below, set message type as XML to verify the message signed as XML and note here the
message with <signature> element should be available at <1,9> .

signRequest<1,payload>=returnValue

signRequest<1,12> = "XML" ;*Message Type

Note: EB.SEC.INTEGRITY.API is a wrapper available for T24 to use the Message Integrity
API.

Error Det a i l s
SYSTEM(0) holds the errors for CALLJ. Below are the error codes specific to Message
Integrity.

Error Number Description

-1 Keystore doesnot exist or incorrect password.

-2 Invalid keystore password.

-3 Entry not found.

-4 Invalid Entry Password.

-5 All Entries Expired

Page 10
TAFJ M e s s a g e I n t e g ri ty

-6 Invalid Request.

-7 Verification Failed

-8 Algorithm Not supported.

-9 Configuration not found.

-10 SQL\Database Error.

JAVA APIs
Add TemenosSecurity.jar and the dependency libraries available at
$TAFJ_HOME\3rdParty\integrity in classpath.

Configu r a tio n
Edit the KeyConfig.json in TemenosSecurity.jar/conf with the key that has to be used for
sign\verify operation.

Below is a sample configuration for a symmetric and asymmetric key respectively.

"COMPLAINCE" can be set "SwiftLAU" to get the signature as a HEX 64 bytes value.

“USE.GRACE”, if set to TRUE then the key is valid for the GRACE DAYS registered in
Keystore.

"WARN.EXPIRY" is to describe when onwards expiry warning should be notified in


SECURITY.log. If it is 30, then the warning message is started to log 30 days before the key
expire date until the key expire.

“DIGEST.ALGORITHM” is to set the algorithm to be used to generate digest for the XML
type messages. SHA1, SHA256, SHA512 are supported algorithms. In case if it is not set,
SHA1 is used as default algorithm.

Set “ENTRY.TYPE” as unidirectional for private and public key (Asymmetric). Set it as
bidrectional for secret key(Symmetric).

{
"ConfId1":
{
"ALGORITHM":"HmacSHA256",
"DIGEST.ALGORITHM":"SHA256",
"COMPLAINCE":"SwiftLAU",
"Entries":[
{"KEYSTORE.NAME":"TESTKEYSTORE",
"KEYSTORE.ENCRYPTED.PASSWORD":"temenos",

Page 11
TAFJ M e s s a g e I n t e g ri ty

"ENTRY.NAME":"testalias1",
"ENTRY.ENCRYPTED.PASSWORD":"temenos",
"ENTRY.TYPE":"bidirectional",
"USED.FOR":[
{"OPERATION":"sign","USE.GRACE":"FALSE"},
{"OPERATION":"verify","USE.GRACE":"FALSE"}
]
},
{"KEYSTORE.NAME":"TESTKEYSTORE",
"KEYSTORE.ENCRYPTED.PASSWORD":"temenos",
"ENTRY.NAME":"testalias2",
"ENTRY.ENCRYPTED.PASSWORD":"temenos",
"ENTRY.TYPE":"bidirectional",
"USED.FOR":[
{"OPERATION":"sign","USE.GRACE":"FALSE"},
{"OPERATION":"verify","USE.GRACE":"FALSE"}
]
}
],
"WARN.EXPIRY":30
},
"ConfId2":
{
"ALGORITHM":"SHA256withRSA",
"COMPLAINCE":"",
"Entries":[
{"KEYSTORE.NAME":"TESTKEYSTOREUNI",
"KEYSTORE.ENCRYPTED.PASSWORD":"temenos",
"ENTRY.NAME":"testalias3",
"ENTRY.ENCRYPTED.PASSWORD":"temenos",
"ENTRY.TYPE":"unidirectional",
"USED.FOR":[
{"OPERATION":"sign","USE.GRACE":"FALSE"}
]
},
{"KEYSTORE.NAME":"TESTKEYSTOREUNI",
"KEYSTORE.ENCRYPTED.PASSWORD":"temenos",
"ENTRY.NAME":"testalias4",
"ENTRY.ENCRYPTED.PASSWORD":"temenos",
"ENTRY.TYPE":"unidirectional",
"USED.FOR":[
{"OPERATION":"verify","USE.GRACE":"FALSE"}
]
}
],
"WARN.EXPIRY":30
}

Below is a sample program to use the JAVA API from Temenos Security library.

Page 12
TAFJ M e s s a g e I n t e g ri ty

import com.temenos.security.java.Integrity;

public class TestJavaApi {

public static void main(String[] args) {


System.out.println("test message");
Integrity obj = new Integrity();
try{
String signature = obj.sign("message","SwiftLAU");
System.out.println(signature);
String retVal = obj.verify("message","SwiftLAU",signature);
System.out.println(retVal);
} catch (Exception e){
System.out.println("Error from API " + e.getMessage());
}

//For XMLType messages, pass type as third parameter

try{
String signature = obj.sign("message","SwiftLAU",
MISecurityConstants.MessageType.XML);
System.out.println(signature);
String retVal = obj.verify("message","SwiftLAU",null,
MISecurityConstants.MessageType.XML);
System.out.println(retVal);
} catch (Exception e){
System.out.println("Error from API " + e.getMessage());
}

Page 13
TAFJ M e s s a g e I n t e g ri ty

AppS e rv e r
While the product is used through the appserver make sure the TemenosSecurity.jar, json-
simple.jar and bcprov-jdk15on.jar is available in classpath

Jboss
Add the libraries in jboss/modules/com/temenos/tafj/main/module.xml

Page 14

You might also like