
White Paper: OFTP2 Implementation Checklist

This document provides a checklist for the implementation of the new Odette OFTP2 standard for data exchange.

Implementation of OFTP2 requires the installation of Trubiquity's software TRUeurex-c. TRUeurex-c is also required if OFTP2 is needed for a TRUfusion Connect or TRUfusion Enterprise customer.


General Requirements

  • Valid license for TRUeurex-c 3.0 OFTP2
  • The same software requirements as for TRUeurex-c 3.0 apply. Java 5 or 6 is recommended for OFTP2 if the deployed certificates use long keys (≥ 8192 bits).
  • The deployed Java version must support strong encryption (key lengths above 56 bits). Note that the Java installation may have to be patched accordingly ("Unlimited Strength Jurisdiction Policy Files").
  • A company X.509v3 certificate issued by a certificate authority registered in Odette's OFTP TLS list.
  • While the system is in operation, one OFTP2 TLS/SSL port (generally port 6619) must be reachable from the outside at all times. The deployed TLS/SSL certificate must be valid for both server and client authentication and must contain the DNS name or IP address under which partners reach that port.
  • For outbound communication, OFTP2 access to the partners' ports must be allowed (generally port 6619; other ports are possible). In addition, the OFTP2 server needs internet access to the Certificate Revocation Lists (CRLs) of the issuing CAs.
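The certificate requirement above (valid for server and client authentication, naming the DNS/IP of the listener) is worth verifying before a partner does. The following check is an added example and is not part of Trubiquity's software or of the original paper: it walks the DER encoding of a certificate using only the Python standard library, reads the extendedKeyUsage and subjectAltName extensions, and reports what is missing. Reading "supports server and client authentication" as the serverAuth and clientAuth EKU purposes is this example's interpretation; the Odette OFTP2 policy referenced further down is authoritative for the exact usage flags. The build_test_cert helper fabricates an unsigned certificate shell purely so the checker can run offline; it is constructed input, not a certificate from any CA.

```python
import ipaddress

EKU_OID, SAN_OID = "2.5.29.37", "2.5.29.17"
SERVER_AUTH, CLIENT_AUTH = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"

def _tlv(buf, pos=0):
    """Read one DER tag/length/value at pos; return (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    pos = 0
    while pos < len(value):
        tag, body, pos = _tlv(value, pos)
        yield tag, body

def _decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def extensions(cert_der):
    """Map extnID -> extnValue (inner DER) for a DER-encoded certificate."""
    _, cert, _ = _tlv(cert_der)                         # Certificate
    _, tbs, _ = _tlv(cert)                              # tbsCertificate
    found = {}
    for tag, body in _children(tbs):
        if tag == 0xA3:                                 # [3] EXPLICIT Extensions
            for _, ext in _children(_tlv(body)[1]):
                fields = list(_children(ext))           # OID, [critical], OCTET STRING
                found[_decode_oid(fields[0][1])] = fields[-1][1]
    return found

def eku_oids(value):
    return {_decode_oid(b) for t, b in _children(_tlv(value)[1]) if t == 0x06}

def san_names(value):
    names = set()
    for tag, body in _children(_tlv(value)[1]):
        if tag == 0x82:                                 # dNSName
            names.add(body.decode("ascii").lower())
        elif tag == 0x87:                               # iPAddress (4 or 16 packed bytes)
            names.add(ipaddress.ip_address(body).compressed)
    return names

def check_oftp2_tls_cert(cert_der, listener_host):
    """Return the findings; an empty list means both requirements are met."""
    exts = extensions(cert_der)
    eku = eku_oids(exts[EKU_OID]) if EKU_OID in exts else set()
    san = san_names(exts[SAN_OID]) if SAN_OID in exts else set()
    problems = []
    if SERVER_AUTH not in eku:
        problems.append("extendedKeyUsage lacks serverAuth")
    if CLIENT_AUTH not in eku:
        problems.append("extendedKeyUsage lacks clientAuth")
    if listener_host.lower() not in san:
        problems.append(f"subjectAltName does not list {listener_host}")
    return problems

# Constructed test input: a structurally valid X.509v3 shell with a dummy key
# and signature, so the checker can be exercised without a real CA.
def _enc(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return _enc(0x06, bytes(out))

def build_test_cert(dns_names=(), ips=(), ekus=()):
    def seq(*parts):
        return _enc(0x30, b"".join(parts))
    name = seq(_enc(0x31, seq(_enc_oid("2.5.4.3"), _enc(0x0C, b"oftp2 test"))))
    san = [_enc(0x82, d.encode("ascii")) for d in dns_names]
    san += [_enc(0x87, ipaddress.ip_address(ip).packed) for ip in ips]
    ext_list = [seq(_enc_oid(SAN_OID), _enc(0x04, seq(*san)))]
    if ekus:
        ext_list.append(seq(_enc_oid(EKU_OID), _enc(0x04, seq(*map(_enc_oid, ekus)))))
    validity = seq(_enc(0x17, b"240101000000Z"), _enc(0x17, b"260101000000Z"))
    spki = seq(seq(_enc_oid("1.2.840.113549.1.1.1"), _enc(0x05, b"")), _enc(0x03, b"\x00"))
    sig_alg = seq(_enc_oid("1.2.840.113549.1.1.11"))     # sha256WithRSAEncryption
    tbs = seq(_enc(0xA0, _enc(0x02, b"\x02")), _enc(0x02, b"\x01"), sig_alg, name,
              validity, name, spki, _enc(0xA3, seq(*ext_list)))
    return seq(tbs, sig_alg, _enc(0x03, b"\x00"))      # dummy signature BIT STRING
```

For a real certificate, pass its DER bytes: check_oftp2_tls_cert(open("oftp.der", "rb").read(), "oftp.example.com"); a PEM file can be converted first with ssl.PEM_cert_to_DER_cert(). The checker deliberately does not validate the chain or the signature; that remains the job of the TLS stack and of the Odette TLS list.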

Note: All other TRUeurex-c communication channels, including OFTP1 over TCP/IP and OFTP2 over TCP/IP without TLS/SSL, remain available after the OFTP2 implementation.

System Configuration Option

For the implementation of TRUeurex-c OFTP2 capabilities, two different system configurations are available:

  • "Option 1 - TRUeurex-c with TRUeurex-c DMZ Proxy Server for OFTP2 via TCP/IP"
    • Note: No certificates or private keys are stored on the server in the DMZ: it holds no database, and the TRUeurex-c OFTP Server transfers the configuration and key material it needs at each start (see "OFTP Receiving Process (Option 1)"). While running, the proxy therefore does hold the TLS keys it terminates connections with, so the DMZ host must be hardened accordingly.
  • "Option 2 - TRUeurex-c without TRUeurex-c DMZ-Proxy for OFTP2 via TCP/IP (Internet)": All TRUeurex-c versions support establishing TLS/SSL-secured OFTP2 connections directly.

General Requirements for TRUeurex-c OFTP Server / TRUeurex-c RMI Server

The below specified requirements for the TRUeurex-c OFTP Server / TRUeurex-c RMI Server apply for both system configurations, unless otherwise specified.

  • Access:
    • For CRL retrieval and access to Odette's TLS list, the server must be able to establish HTTP/HTTPS connections (via an HTTP proxy if needed).
    • Configuration with TRUeurex-c DMZ Proxy: TCP/IP access to the TRUeurex-c DMZ Proxy Server (e.g. via port 10010). Configuration without TRUeurex-c DMZ Proxy: direct access to the partners' OFTP ports.
  • Load balancing:
    • TLS/SSL is normally handled by the TRUeurex-c DMZ Proxy Server(s). If no TRUeurex-c DMZ Proxy is used, TLS is handled by the OFTP server itself.
    • EERP signing and OFTP2 certificate-based authentication are handled by the OFTP server.
    • File encryption, signing and compression are handled by the RMI server (RMI - Remote Method Invocation).
  • Certificates:
    • Note: Certificates and private keys are stored in the database.
    • Note: In principle, both CA-signed certificates (CA - Certificate Authority) and self-signed certificates can be used. Odette's TLS service can be used to verify certificates; it lists all CAs approved by Odette as valid OFTP2 CAs. You may also use certificates that an OEM has issued to you from its own PKI (PKI - Public Key Infrastructure).
    • A bilateral agreement with the trading partner governs the actual use of certificates, e.g. it rules which particular certificates are to be used.
    • The trading partner must then accept the CA-signed or self-signed certificate.
    • You may either use one certificate for all of OFTP2's security features or apply individual certificates to each single feature (combinations thereof are also possible).
    • The employed certificates must meet the requirements of the Odette OFTP2 policy: http://www.odette.org/TLS/POL_OFTP2.TXT
    • When operating CA-signed certificates, special notice needs to be paid to the section about the requirements regarding the certificates' usage properties (cf. chapter 2.5. "Usage flags to crypto functions mapping").

Option 1 - TRUeurex-c with TRUeurex-c DMZ Proxy Server for OFTP2 via TCP/IP

  • Installing the TRUeurex-c DMZ Proxy Server: Any operating system supported by TRUeurex-c can serve as the platform in the DMZ. Beyond that, only a Java installation is required, and the selected version must support key lengths above 56 bits. No database needs to be installed on the TRUeurex-c DMZ Proxy Server.
  • Note: Multiple TRUeurex-c DMZ Proxy Servers can be deployed for better load balancing if and when required.
  • One port (e.g. port 10010) of the TRUeurex-c DMZ Proxy Server must be reachable from the internal network. This connection is always initiated from the internal network into the DMZ, never from the DMZ inward.
  • In order to provide access to the Certificate Revocation List (CRL), the system must be configured to allow the establishment of connections from the TRUeurex-c DMZ Proxy Server via HTTP/HTTPS protocol (via HTTP proxy if needed).

Figure 1 - Firewall configuration with TRUeurex-c DMZ Proxy Server


OFTP Receiving Process (Option 1)

  • Start the TRUeurex-c DMZ Proxy Server (it listens on port 10010 for incoming connections from the TRUeurex-c OFTP Server).
  • Start the TRUeurex-c OFTP Server.
  • During start-up the TRUeurex-c OFTP Server automatically connects to the TRUeurex-c DMZ Proxy Server (via port 10010) and transfers configuration, certificates and private keys. The Listener for incoming connections from OFTP partners is then started on the TRUeurex-c DMZ Proxy Server.
  • To be able to receive incoming OFTP connections, the TRUeurex-c OFTP Server establishes an idle connection to the TRUeurex-c DMZ Proxy Server (via port 10010).
  • An incoming OFTP2 call on port 6619 is routed through the firewall to the TRUeurex-c DMZ Proxy Server. The TRUeurex-c DMZ Proxy Server terminates TLS (decrypts the data) and forwards the decrypted data to the TRUeurex-c OFTP Server over the previously established idle connection.
  • The TRUeurex-c OFTP Server immediately establishes a new idle connection so that the next incoming OFTP2 call can be handled.
  • The OFTP Server performs the OFTP2 authentication for the OFTP connection.
  • After the data has been received, the TRUeurex-c RMI Server decrypts, decompresses and verifies the signature of the data files as configured.
  • The TRUeurex-c OFTP Server signs EERPs (End-to-End Response) if needed.
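The receiving sequence above reduced to its connection topology, as an added model that is not Trubiquity's code and describes nothing about TRUeurex-c internals beyond the steps listed: the internal OFTP server only ever dials outward into the DMZ and parks idle connections there, and the DMZ proxy hands each partner call to one of those parked connections, so no firewall rule from the DMZ into the internal network is ever needed. Everything is simplified and assumed: loopback addresses and OS-chosen ports stand in for 6619 and 10010, TLS termination and OFTP framing are omitted (the partner sends the first message here, whereas in OFTP the responder opens with SSRM), and one session carries a single request and reply.

```python
import queue
import socket
import threading
from contextlib import suppress

def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

class DmzProxy:
    """Stand-in for the TRUeurex-c DMZ Proxy Server (TLS termination omitted): ext_port is
    the partner-facing listener (6619 in production), int_port the one only the internal
    network may reach (10010); port 0 lets the OS pick a free port."""

    def __init__(self, host="127.0.0.1", ext_port=0, int_port=0, idle_wait=5.0):
        self._ext = socket.create_server((host, ext_port))
        self._int = socket.create_server((host, int_port))
        self.ext_port = self._ext.getsockname()[1]
        self.int_port = self._int.getsockname()[1]
        self._idle = queue.Queue()          # connections parked by the internal server
        self._idle_wait = idle_wait
        threading.Thread(target=self._accept_internal, daemon=True).start()
        threading.Thread(target=self._accept_external, daemon=True).start()

    def _accept_internal(self):
        while True:
            try:
                conn, _ = self._int.accept()
            except OSError:                 # listener closed
                return
            self._idle.put(conn)            # park it until a partner calls

    def _accept_external(self):
        while True:
            try:
                partner, _ = self._ext.accept()
            except OSError:
                return
            try:
                inner = self._idle.get(timeout=self._idle_wait)
            except queue.Empty:             # nothing parked: the DMZ never dials inward
                partner.close()
                continue
            threading.Thread(target=self._relay, args=(partner, inner), daemon=True).start()

    @staticmethod
    def _relay(partner, inner):
        back = threading.Thread(target=_pump, args=(inner, partner), daemon=True)
        back.start()
        _pump(partner, inner)
        back.join()
        partner.close()
        inner.close()

    def close(self):
        self._ext.close()
        self._int.close()

class InternalOftpServer:
    """Stand-in for the TRUeurex-c OFTP Server on the internal network. It never listens:
    it dials the proxy's internal port, waits on that idle connection for a relayed
    partner call, answers, then dials again so the next call finds a parked connection."""

    def __init__(self, proxy_addr, handler):
        self._proxy_addr, self._handler, self.sessions = proxy_addr, handler, 0
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                idle = socket.create_connection(self._proxy_addr)   # outbound only
            except OSError:                 # proxy gone
                return
            with idle, suppress(OSError):
                request = idle.recv(4096)   # blocks until the proxy relays a call
                if request:
                    idle.sendall(self._handler(request))
                    self.sessions += 1

def partner_session(addr, request, timeout=5.0):
    """Acts as the remote OFTP partner: send one message, read the reply to EOF."""
    with socket.create_connection(addr, timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)

def demo():
    """Two partner calls, each served over a freshly parked idle connection."""
    proxy = DmzProxy()
    server = InternalOftpServer(("127.0.0.1", proxy.int_port), lambda req: b"ACK " + req)
    ext = ("127.0.0.1", proxy.ext_port)
    replies = [partner_session(ext, m) for m in (b"SSID O0123PARTNER", b"SSID O0456PARTNER")]
    proxy.close()
    return replies, server.sessions
```

The point to take from the model is the direction of every TCP handshake: the internal server calls socket.create_connection and never listens, which is exactly the firewall property Figure 1 relies on. A partner that calls while no idle connection is parked is simply dropped after idle_wait, which is why the server re-dials immediately after each session.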

OFTP Sending Process (Option 1)

  • Data files to be sent will be signed, compressed and encrypted by the TRUeurex-c RMI Server if needed.
  • The TRUeurex-c OFTP Server establishes a connection to the partner's OFTP server via the TRUeurex-c DMZ Proxy Server.
  • The TRUeurex-c OFTP Server conducts the OFTP authentication.
  • The TRUeurex-c OFTP Server verifies the signed EERPs (End-to-end Response).

A CRL check of the certificates may be required at any of the above steps; this requires an HTTP connection to the CAs.

Option 2 - TRUeurex-c without TRUeurex-c DMZ-Proxy for OFTP2 via TCP/IP (Internet)

In order to provide access to the Certificate Revocation List (CRL), the system must be configured to allow the TRUeurex-c OFTP Server and the TRUeurex-c RMI Server to establish HTTP/HTTPS connections (via an HTTP proxy if needed).

Figure 2 - Firewall Configuration without TRUeurex-c DMZ Proxy Server


OFTP Receiving Process (Option 2)

  • Start the TRUeurex-c OFTP Server (including automatic start of the Listener on port 6619).
  • The OFTP partner connects to the (generally static) external IP address. The firewall routes the incoming connection to the TRUeurex-c OFTP Server, which terminates TLS and performs the OFTP authentication.
  • The TRUeurex-c RMI Server decrypts, decompresses and verifies the signature if needed.
  • The OFTP server signs EERPs (End-to-end Response) if needed.

OFTP Sending Process (Option 2)

  • Prior to sending, files will be signed, compressed and encrypted by the TRUeurex-c RMI Server if needed.
  • The TRUeurex-c OFTP Server establishes a connection to the partner's OFTP server, sets up the TLS session and performs the OFTP authentication.
  • The TRUeurex-c OFTP Server verifies the signed EERPs (End-to-End Response) if needed.

OFTP2 Checklist

In general, OFTP2 requires a static IP address and the registration of a matching DNS name. These measures can only be waived if the trading partners have bilaterally agreed on a different configuration.

  1. Apply for your own X.509v3 certificate(s) (via Odette, via an OEM, or from a public CA listed in Odette's TLS list)
  2. Plan the configuration of firewall(s)
    • (see "Figure 1 - Firewall Configuration with TRUeurex-c DMZ Proxy Server" and "Figure 2 - Firewall Configuration without TRUeurex-c DMZ Proxy Server", respectively)
  3. Check the deployed Java version:
    1. Java must support strong encryption (key lengths above 56 bits); the Java installation may have to be patched accordingly ("Unlimited Strength Jurisdiction Policy Files").
    2. Java version 5 or 6 is advisable if the partner and CA certificates use long keys (≥ 8192 bits).
  4. Valid TRUeurex-c license
  5. Installation of Trubiquity's OFTP2 software TRUeurex-c
  6. Import the Odette TLS list (via the Graphical User Interface, GUI)
  7. Setup your own certificate(s) and configure the sending and receiving systems accordingly
  8. Setup / change the partner profile including the required configuration for the deployment of your own certificate(s) and pre-configuration of your partner's certificates
  9. Optional: Automated exchange of OFTP2 certificates with your partner
  10. Ready for OFTP2 data exchange.

To find out more about OFTP2, the Trubiquity solution lines TRUeurex-c and TRUfusion or other Trubiquity Managed Data Exchange and business process automation solutions send an e-mail to sales@trubiquity.com.