SAG configuration commands

This section lists the SAG configuration commands alphabetically.

The SAG configuration commands can be entered in single-command mode, multi-command mode, or non-transactional command-file mode, but not in transactional command-file mode. Because these commands are synchronous, the responses are sent directly to the CLI. The contents of the response depend on the command type. For a list of return codes, see CLI return codes for all commands.

The SAG configuration commands can be grouped depending on the resulting action and response, as shown in Table 1.

Table 1. Types of SAG configuration commands

Command type: Configuration
Commands: addCert, addLauKey, addMessagePartner, addMQConnection, addService, addSiEndpoint, deleteCert, deleteLauKey, deleteMessagePartner, deleteMQConnection, deleteService, deleteSiEndpoint, updateCert, updateLauKey, updateGlobalParameters, updateMessagePartner, updateMQConnection, updateSagEventTemplates, updateService, updateSiEndpoint
Response description: The response indicates whether the configuration data is ready for approval.

Command type: Approval and deployment
Commands: approve, deploy
Response description: The response contains information about whether the action was successful.

Command type: Configuration verification
Commands: listCertLists, listLauKeys, listMessagePartner, listMQConnection, listSagEventTemplates, listSagInstances, listSagUser, listServiceLists, listSiEndpoints, readCertList, readGlobalParameters, readMessagePartner, readMQConnection, readServiceList, readSiEndpoint
Response description: The response contains the requested configuration data from the SAG Add-On (if -src sag is specified) or FTM SWIFT (if -src cfg is specified) or, if there is an error, information about the error.

Command type: LRA, KMA, and RBAC
Commands: acquireCertificate, changeCertificatePassword, createCertificate, defineSagUser, deleteSagUser, disableSwiftNetUser, grantRole, listRoles, listSwiftNetUser, recoverCertificate, registerSwiftNetUser, removeCertFromSag, revokeSwiftNetUser, setCertProtocol, setupUserForCert, setupUserForRecovery, ungrantRole, updateSagEventTemplates
Response description: The response indicates whether the action was successful or provides the requested information.
The check marks (✓) in the columns of Table 2 indicate which combination of predefined roles provides the access rights that are needed to issue each SAG configuration command. For example, a user is authorized to issue the command addSiEndpoint if that user has been assigned the following predefined roles:
  • SagAdmin for DNFSYSOU
  • DniSA for SYSOU
Table 2. Roles that provide the access rights needed to issue SAG configuration commands
Command Roles
Name Abbr. DNFSYSOU SYSOU Business OU
SagCfgPKIAdmin SagAdmin SagCfgAdmin DniSA DnfDNSec
acquireCertificate acct        
addCert ac      
addLauKey alk      
addMessagePartner amp    
addMQConnection amqc      
addService as      
addSiEndpoint aep      
approve app      
changeCertificatePassword chctp        
createCertificate cct        
defineSagUser dfsu        
deleteCert dc      
deleteLauKey dlk      
deleteMessagePartner dlmp      
deleteMQConnection dlmqc      
deleteSagUser dlsu        
deleteService ds      
deleteSiEndpoint dlep      
deploy dep      
disableSwiftNetUser disnu      
grantRole gr      
listCertLists lcl      
listLauKeys llk      
listMessagePartner lmp      
listMQConnection lmqc      
listRoles lr      
listSagEventTemplates let        
listSagInstances lsag      
listSagUser lsu        
listServiceLists lsl      
listSiEndpoints lep      
listSwiftNetUser lsnu      
readCertList rcl      
readGlobalParameters rgp      
readMessagePartner rmp      
readMQConnection rmqc      
readServiceList rsl      
readSiEndpoint rep      
recoverCertificate rcct        
registerSwiftNetUser rgsnu      
removeCertFromSag rmct        
revokeSwiftNetUser rvsnu      
setCertProtocol sctp        
setupUserForCert suct      
setupUserForRecovery surc      
ungrantRole ur      
updateCert uc      
updateGlobalParameters ugp      
updateLauKey ulk      
updateMessagePartner ump    
updateMQConnection umqc      
updateSagEventTemplates uet        
updateService us      
updateSiEndpoint uep      
Instead of using predefined roles provided by FTM SWIFT, you might prefer to create your own roles to control access to the SAG configuration commands. The check marks (✓) and values (general, list, configuration) in the columns of Table 4 indicate which access rights are needed to issue each command:
Access rights to issue the command
The user must have a role for DNFSYSOU that contains a CO of type DnfSAGopcfg with a name that is identical to the name of the SAG. This CO must have assigned to it the attribute that corresponds to the name of the command to be issued.

For example, if a user is to be able to issue the addCert command for SAG1, that user must have a role assigned for DNFSYSOU that contains a CO of type DnfSAGopcfg with the name SAG1, and that CO must have the attribute addCert assigned to it.

Access rights to specify distinguished names
If the user is to specify DNs as command parameters, that user must have a role for the business OU that contains a CO of type DnfSWIFTDn. This CO must have assigned to it all the attributes that correspond to the DN types for which values are to be specified. How to create such COs is described in Configuring DNs and access to them.

For example, if a user is to be able to specify the authoriser, requestor, responder, and signer (but not encrypter) DNs in a command for the OU BANKC, that user must have a role assigned for BANKC that contains a CO of type DnfSWIFTDn, and that CO must have the attributes auth, req, rsp, and sign (but not encrypt) assigned to it.

Access rights to specify parameters
If the user is to specify one of the parameters listed in Table 3 for a command, that user must have a role for DNFSYSOU that contains a CO of type DnfSAGopcfg with a name that is identical to the name of the SAG, and that CO must have assigned to it the attribute that corresponds to the parameter to be specified. Table 3 lists these DnfSAGopcfg attributes and indicates which parameter each attribute authorizes a user to specify.
For example, if a user is to be able to issue the second half of a LAU key for SAG1, that user must have, in addition to a role authorizing that user to enter the updateLauKey command, a role assigned for DNFSYSOU that contains a CO of type DnfSAGopcfg with the name SAG1, and that CO must have the attribute accessLauKey2 assigned to it. Only then is the user authorized to enter a command such as this:
updateLauKey -lkn LAU42123 -hk2 8u8kjhU2339ikkut
Table 3. Command parameters that require specific access rights
Command Parameter DnfSAGopcfg attribute
updateLauKey -hk1 <first_half_key> accessLauKey1
-hk2 <second_half_key> accessLauKey2
updateSagEventTemplates -plugin Sag:APL-I pluginSAGAPL_I
-plugin Sag:APL-BIMFC pluginSAGAPL_BIMFC
-plugin Sag:APL-MQHA pluginSAGAPL_MQHA
-plugin Sag:CM pluginSAGCM
-plugin Sag:FT-I pluginSAGFT_I
-plugin Sag:APL-BIMFC pluginSAG
-plugin Sag:MD pluginSAGMD
-plugin Sag:SN-NA pluginSAGSN_NA
-plugin Sag:LOG pluginSAGLOG
-plugin Sag:SN-I pluginSAGSN_I
-plugin Sag:System pluginSAGSystem
Additional system administration rights
The user requires the following additional system administration rights for SYSOU:
general
The following COs and attributes must be set:
CT              CO              attr
DniSysAdm.add   DniSysAdm.add   cos
DniSysAdm.add   DniSysAdm.add   ou
DniSysAdm.com   DniSysAdm.com   cos
DniSysAdm.com   DniSysAdm.com   ou
DniSysAdm.rej   DniSysAdm.rej   cos
DniSysAdm.rej   DniSysAdm.rej   ou
DniSysAdm.rem   DniSysAdm.rem   cos
DniSysAdm.rem   DniSysAdm.rem   ou
DniSysAdm.list  DniSysAdm.list  cos
DniSysAdm.list  DniSysAdm.list  ou
list
The following COs and attributes must be set:
CT              CO              attr
DniSysAdm.list  DniSysAdm.list  cos
DniSysAdm.list  DniSysAdm.list  ou
configuration
The following COs and attributes must be set:
CT              CO              attr
DniSysAdm.app   DniSysAdm.app   cos
DniSysAdm.app   DniSysAdm.app   ou
DniSysAdm.dep   DniSysAdm.dep   cos
DniSysAdm.dep   DniSysAdm.dep   ou
DniSysAdm.list  DniSysAdm.list  cos
DniSysAdm.list  DniSysAdm.list  ou
Table 4. Which access rights are required to issue SAG configuration commands
Command Requires roles containing...
Name Abbr. Access rights to issue the command Access rights to specify distinguished names Access rights to specify parameters Additional system administration rights
acquireCertificate acct      
addCert ac     general
addLauKey alk     general
addMessagePartner amp   general
addMQConnection amqc     general
addService as     general
addSiEndpoint aep     general
approve app     configuration
changeCertificatePassword chctp      
createCertificate cct      
defineSagUser dfsu      
deleteCert dc     general
deleteLauKey dlk     general
deleteMessagePartner dlmp     general
deleteMQConnection dlmqc     general
deleteSagUser dlsu      
deleteService ds     general
deleteSiEndpoint dlep     general
deploy dep     configuration
disableSwiftNetUser disnu    
grantRole gr    
listCertLists lcl     list
listLauKeys llk     list
listMessagePartner lmp     list
listMQConnection lmqc     list
listRoles lr    
listSagEventTemplates let      
listSagInstances lsag     list
listSagUser lsu      
listServiceLists lsl     list
listSiEndpoints lep     list
listSwiftNetUser lsnu    
readCertList rcl     list
readGlobalParameters rgp     list
readMessagePartner rmp     list
readMQConnection rmqc     list
readServiceList rsl     list
readSiEndpoint rep     list
recoverCertificate rcct      
registerSwiftNetUser rgsnu    
removeCertFromSag rmct      
revokeSwiftNetUser rvsnu    
setCertProtocol sctp      
setupUserForCert suct    
setupUserForRecovery surc    
ungrantRole ur    
updateCert uc   general
updateGlobalParameters ugp     general
updateLauKey ulk general
updateMessagePartner ump     general
updateMQConnection umqc     general
updateSagEventTemplates uet    
updateService us     general
updateSiEndpoint uep     general
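The four kinds of access rights described above (the DnfSAGopcfg attribute named after the command, the Table 3 parameter attributes, the DnfSWIFTDn attributes for DN types, and the three levels of additional system administration rights for SYSOU, combined through the last column of Table 4) can be written down as a single authorization check. The following Python model is an added example and is not FTM SWIFT code: the CO and Role data structures, the authorize function, the sample user ALICE and the CO name BANKC-DNs are constructed here. The text does not constrain the name of the DnfSWIFTDn CO, so the model accepts any name for it (an assumption); PARAM_ATTRS carries a subset of the Table 3 plugin rows, and SYSADM_LEVEL carries the Table 4 entries only for the commands the example exercises.

```python
# Added example: a model of the RBAC rules documented above for SAG configuration
# commands. Not FTM SWIFT code; data structures, names and sample roles are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class CO:
    """Controlled object: a (type, name) pair carrying a set of attributes."""
    co_type: str
    name: str
    attrs: frozenset


@dataclass(frozen=True)
class Role:
    """A role is assigned for exactly one OU and contains COs."""
    ou: str
    cos: tuple


# Table 3: parameters that require their own DnfSAGopcfg attribute.
# Key: (command, parameter, value); a value of None matches any value.
PARAM_ATTRS = {
    ("updateLauKey", "-hk1", None): "accessLauKey1",
    ("updateLauKey", "-hk2", None): "accessLauKey2",
    ("updateSagEventTemplates", "-plugin", "Sag:APL-I"): "pluginSAGAPL_I",
    ("updateSagEventTemplates", "-plugin", "Sag:CM"): "pluginSAGCM",
    ("updateSagEventTemplates", "-plugin", "Sag:LOG"): "pluginSAGLOG",
    ("updateSagEventTemplates", "-plugin", "Sag:System"): "pluginSAGSystem",
}

# Additional system administration rights for SYSOU, one entry per level.
# Each CO type X must be present as a CO named X carrying the attributes cos and ou.
SYSADM_COS = {
    "general": ("DniSysAdm.add", "DniSysAdm.com", "DniSysAdm.rej",
                "DniSysAdm.rem", "DniSysAdm.list"),
    "list": ("DniSysAdm.list",),
    "configuration": ("DniSysAdm.app", "DniSysAdm.dep", "DniSysAdm.list"),
}

# Last column of Table 4, for the commands this example exercises.
SYSADM_LEVEL = {
    "addCert": "general", "updateLauKey": "general", "approve": "configuration",
    "deploy": "configuration", "listLauKeys": "list", "readCertList": "list",
}


def has_attr(roles, ou, co_type, name, attr):
    """True if some role for `ou` holds a CO of `co_type` (and of `name`, unless
    name is None) to which `attr` is assigned."""
    return any(
        role.ou == ou and co.co_type == co_type
        and (name is None or co.name == name) and attr in co.attrs
        for role in roles for co in role.cos
    )


def authorize(roles, sag, cmd, params=(), dn_types=(), business_ou=None):
    """Apply the four documented checks; return (allowed, list of missing rights)."""
    gaps = []
    # 1. Right to issue the command: DnfSAGopcfg CO named after the SAG, attribute = command.
    if not has_attr(roles, "DNFSYSOU", "DnfSAGopcfg", sag, cmd):
        gaps.append(f"DNFSYSOU DnfSAGopcfg/{sag} lacks attribute {cmd}")
    # 2. Right to specify parameters (Table 3); parameters not listed need nothing extra.
    for param, value in params:
        attr = PARAM_ATTRS.get((cmd, param, value)) or PARAM_ATTRS.get((cmd, param, None))
        if attr and not has_attr(roles, "DNFSYSOU", "DnfSAGopcfg", sag, attr):
            gaps.append(f"DNFSYSOU DnfSAGopcfg/{sag} lacks attribute {attr} for {param}")
    # 3. Right to specify DNs: DnfSWIFTDn CO in a role for the business OU.
    #    Assumption: the CO name is not constrained, so any name matches.
    for dn in dn_types:
        if not has_attr(roles, business_ou, "DnfSWIFTDn", None, dn):
            gaps.append(f"{business_ou} DnfSWIFTDn lacks attribute {dn}")
    # 4. Additional system administration rights for SYSOU at the level Table 4 requires.
    for co_type in SYSADM_COS.get(SYSADM_LEVEL.get(cmd), ()):
        for attr in ("cos", "ou"):
            if not has_attr(roles, "SYSOU", co_type, co_type, attr):
                gaps.append(f"SYSOU {co_type} lacks attribute {attr}")
    return (not gaps, gaps)


def sysadm_role(level):
    """Build the SYSOU role holding one level of additional system administration rights."""
    return Role("SYSOU", tuple(CO(t, t, frozenset({"cos", "ou"})) for t in SYSADM_COS[level]))


# Constructed sample user: may issue addCert and updateLauKey (second key half only) for
# SAG1, may specify auth/req/rsp/sign DNs (not encrypt) for BANKC, holds "general" rights.
ALICE = (
    Role("DNFSYSOU", (CO("DnfSAGopcfg", "SAG1",
                         frozenset({"updateLauKey", "accessLauKey2", "addCert"})),)),
    Role("BANKC", (CO("DnfSWIFTDn", "BANKC-DNs", frozenset({"auth", "req", "rsp", "sign"})),)),
    sysadm_role("general"),
)

if __name__ == "__main__":
    # The command from the text: updateLauKey -lkn LAU42123 -hk2 <second_half_key>
    print(authorize(ALICE, "SAG1", "updateLauKey",
                    params=[("-lkn", "LAU42123"), ("-hk2", "8u8kjhU2339ikkut")]))
    print(authorize(ALICE, "SAG1", "updateLauKey", params=[("-hk1", "abc")]))
    print(authorize(ALICE, "SAG1", "approve"))
```

Running the block shows why the text insists on two separate rights for the LAU key halves: ALICE may enter the command shown above with -hk2, but the same command with -hk1 is refused for lack of accessLauKey1, and approve is refused both because the command attribute is absent and because her "general" rights do not include the DniSysAdm.app and DniSysAdm.dep COs that the "configuration" level requires.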
Some SAG configuration commands require that an authoriser DN is specified, and that a particular SWIFTNet role is assigned to that authoriser DN. These commands and, for each one, the SWIFTNet role required by the authoriser DN, are shown in Table 5. SWIFTNet roles are not configured in FTM SWIFT. For more information about SWIFTNet roles, refer to the SWIFTNet PKI Certificate Administration Guide.
Table 5. Commands that require a SWIFTNet role for the authoriser DN
Command Required SWIFTNet role
Name Abbr. To issue the command without involving another user To issue the command together with another user
disableSwiftNetUser disnu CertificateAdministration CertificateAdministration4eyes
grantRole gr Delegator Delegator4eyes
listSwiftNetUser lsnu CertificateAdministration CertificateAdministration4eyes
registerSwiftNetUser rgsnu CertificateAdministration CertificateAdministration4eyes
revokeSwiftNetUser rvsnu CertificateAdministration CertificateAdministration4eyes
setupUserForCert suct CertificateAdministration CertificateAdministration4eyes
setupUserForRecovery surc CertificateAdministration CertificateAdministration4eyes
ungrantRole ur Delegator Delegator4eyes