Configuring a connection between a master LT and an SAG

For each master LT, you must configure at least one connection between it and an SAG. Each LT connection specifies the following session parameters:
  • Authoriser DN
  • Requestor DN
  • SAG request queue
  • SAG queue manager (if required)
  • SNL endpoint
To configure an LT connection, create a CO of type DnfLTConn and add it and its attributes to the appropriate business OU. You can configure up to 16 such connections for each LT; the additional connections are used when recovering an interrupted session. Each LT connection has a name that is created by appending a two-digit serial number from 01 to 16 to the name (BIC9) of the LT to which the connection applies, for example, XXXXDEFFA01. For more information about LT connections, see LT connections.

You can enable or disable each LT connection individually by adding or removing the pseudo-attribute enabled; disabled LT connections are ignored.

The default connection number is determined by the DefaultLTConn attribute of the CO of type DnfLT that corresponds to the LT. For more information, see Configuring a master LT.

When an SFD prepares to establish a session for an LT, it concatenates the name of the LT (for example, XXXXDEFFA) with the default connection number (for example, 05) to generate the name of the CO of type DnfLTConn (for example, XXXXDEFFA05). If no enabled CO of type DnfLTConn with the resulting name exists, the SFD increments the serial number by one (for example, to 06) and tries again. After it reaches the serial number 16, it begins again with the serial number 01. It repeats this process until it finds an enabled CO of type DnfLTConn. It then uses the session parameters specified by that CO to establish the connection. If a connection fails, the SFD repeats this process: it increments the serial number by one until it obtains the name of the next enabled CO of type DnfLTConn, then uses the session parameters specified by that CO.
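
The following sketch models the selection and failover order just described so that you can check which connection a given DefaultLTConn value resolves to. It is an added example, not FTM SWIFT code. The function names, the sample set of enabled connections, and the 16-attempt bound that returns None when nothing is enabled are assumptions made here.

```python
MAX_CONN = 16  # serial numbers run from 01 to 16 for each LT

def conn_name(lt_name, serial):
    """Name of the DnfLTConn CO: LT name (BIC9) plus two-digit serial number."""
    return f"{lt_name}{serial:02d}"

def next_enabled(lt_name, start, enabled):
    """Serial number of the first enabled connection at or after `start`,
    wrapping from 16 back to 01. Returns None if no connection is enabled
    (assumption: the page does not describe that case)."""
    if not 1 <= start <= MAX_CONN:
        raise ValueError("connection number must be between 1 and 16")
    for offset in range(MAX_CONN):
        serial = (start - 1 + offset) % MAX_CONN + 1
        if conn_name(lt_name, serial) in enabled:
            return serial
    return None

def failover_order(lt_name, default_conn, enabled):
    """Connections in the order they are tried when each one fails in turn,
    for one full cycle starting at the default connection number."""
    order = []
    serial = next_enabled(lt_name, default_conn, enabled)
    while serial is not None and serial not in order:
        order.append(serial)
        # After a failure the search resumes at the next serial number.
        serial = next_enabled(lt_name, serial % MAX_CONN + 1, enabled)
    return [conn_name(lt_name, s) for s in order]

# Constructed sample: three enabled connections; the default (05) is not one of them.
ENABLED = {"XXXXDEFFA01", "XXXXDEFFA06", "XXXXDEFFA12"}

if __name__ == "__main__":
    print(failover_order("XXXXDEFFA", 5, ENABLED))
```

With the default set to 05 and only 01, 06 and 12 enabled, the session starts on XXXXDEFFA06, so a default that points at a disabled or missing connection is skipped without an error.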

You can use the query command to display the serial number of the LT connection that an LT used to establish a session.

To help you configure LT connections, FTM SWIFT generates a script for each business OU during customization. The script name has the form:
  deployment_dir/instance/admin/ou_dnfcfclc.cli
where:
  deployment_dir
    Directory specified in the CDP initialization file.
  instance
    Name of the instance.
  ou
    Name of the OU.
These scripts contain the following commands:
add -ou DNIvOU -ct DnfLTConn -co <ltname><number> -attr enabled
add -ou DNIvOU -ct DnfLTConn -co <ltname><number> -attr AuthoriserDN     -val <authoriserDn>
add -ou DNIvOU -ct DnfLTConn -co <ltname><number> -attr RequestorDN      -val <requestorDn>
add -ou DNIvOU -ct DnfLTConn -co <ltname><number> -attr SAGRequestQueue  -val <sagRequestQ>
add -ou DNIvOU -ct DnfLTConn -co <ltname><number> -attr SAGQMgr          -val <sagRequestQM>
add -ou DNIvOU -ct DnfLTConn -co <ltname><number> -attr SAGName          -val <sagName>
add -ou DNIvOU -ct DnfLTConn -co <ltname><number> -attr SNLEndpoint      -val <ltname>_FIN
com -ou DNIvOU
The customization process substitutes the placeholder DNIvOU in the script with the name of the OU. Modify and run this script once for each LT:
  1. Copy the script into the home directory.
  2. Replace each of the placeholders in the copy of the script with an appropriate value:
    <ltname>
    Name (BIC9) of the LT. This name is provided by SWIFT.
    <number>
    Two-digit number of the connection, for example, 01.
    AuthoriserDN <authoriserDn>
    Distinguished name of the security endpoint that is to authorize and sign SWIFTNet FIN traffic, for example:
    cn=fincbt,o=xxxxdeff,o=swift
    The corresponding certificate must already have been created on the SAG.
    RequestorDN <requestorDn>
    Distinguished name of the requestor, for example:
    cn=fin-requestor,o=xxxxdeff,o=swift
    SAGRequestQueue <sagRequestQ>
    SAG MQHA client request queue.
    SAGQMgr <sagRequestQM>
    Queue manager of the SAG MQHA client request queue.
    SAGName <sagName>
    Name of the SAG to which this LT connection applies. The SFD uses the value of this attribute to identify the LAU key to be used for this LT connection.
    If you use dynamic workload balancing for FIN messages, the value of this attribute can be the name of any of the SAGs in the SAG cluster. As a consequence, the LAU key of the message partner that corresponds to the LT must be the same on each SAG in the cluster. For more information about:
    SNLEndpoint <ltname>_FIN
    Name of the SNL endpoint. This is the name (BIC9) of the LT followed by _FIN, for example, XXXXDEFFA_FIN.
  3. Run the dnfcfclc.cli script once for each LT connection. To do this, you must have the system configuration administrator (DniSA) role. Enter the following command:
    dnicli -i instance -ou SYSOU -s DNI_SYSADM -cft dnfcfclc.cli -cp IBM-1047
  4. Approve and deploy the changes:
    dnicli -i instance -ou SYSOU -s DNI_SYSADM 
    app -ou ou
    dep -ou ou

    If dual authorization is enabled, another user with the appropriate access rights must approve the changes before they can be deployed. If dual authorization is disabled, you can skip approving the changes and immediately deploy them.
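
Before running the script in step 3, you can check the filled-in copy against the rules stated in step 2. The following linter is an added example, not part of FTM SWIFT. The function name, the list of attributes treated as mandatory (SAGQMgr is left optional because the page marks it "if required"), and the OU, queue and SAG names in the sample are assumptions or constructed values.

```python
import re

# Attributes every LT connection must specify.
REQUIRED = {"AuthoriserDN", "RequestorDN", "SAGRequestQueue", "SAGName", "SNLEndpoint"}
ADD = re.compile(r"^add\s+-ou\s+(\S+)\s+-ct\s+DnfLTConn\s+-co\s+(\S+)"
                 r"\s+-attr\s+(\S+)(?:\s+-val\s+(\S.*))?$")
CO_NAME = re.compile(r"^([A-Z0-9]{9})(\d{2})$")  # loose BIC9 check plus serial number

def lint(script):
    """Return a list of findings for a filled-in DnfLTConn script."""
    findings, attrs = [], {}
    for n, line in enumerate(script.splitlines(), 1):
        line = line.strip()
        if re.search(r"<[^>]*>", line):
            findings.append(f"line {n}: unreplaced placeholder")
            continue
        m = ADD.match(line)
        if m:  # other commands, such as com, are not checked
            _, co, attr, val = m.groups()
            attrs.setdefault(co, {})[attr] = val
    for co, a in attrs.items():
        m = CO_NAME.match(co)
        if not m or not 1 <= int(m.group(2)) <= 16:
            findings.append(f"{co}: name is not BIC9 plus serial number 01-16")
            continue
        missing = sorted(REQUIRED - a.keys())
        if missing:
            findings.append(f"{co}: missing {', '.join(missing)}")
        if "enabled" not in a:
            findings.append(f"{co}: not enabled, will be ignored")
        if a.get("SNLEndpoint") not in (None, m.group(1) + "_FIN"):
            findings.append(f"{co}: SNLEndpoint should be {m.group(1)}_FIN")
    return findings

# Constructed sample with two mistakes: a leftover placeholder and a wrong endpoint.
SAMPLE = """\
add -ou BANKA -ct DnfLTConn -co XXXXDEFFA01 -attr enabled
add -ou BANKA -ct DnfLTConn -co XXXXDEFFA01 -attr AuthoriserDN     -val cn=fincbt,o=xxxxdeff,o=swift
add -ou BANKA -ct DnfLTConn -co XXXXDEFFA01 -attr RequestorDN      -val cn=fin-requestor,o=xxxxdeff,o=swift
add -ou BANKA -ct DnfLTConn -co XXXXDEFFA01 -attr SAGRequestQueue  -val EXAMPLE.SAG.REQUEST
add -ou BANKA -ct DnfLTConn -co XXXXDEFFA01 -attr SAGName          -val <sagName>
add -ou BANKA -ct DnfLTConn -co XXXXDEFFA01 -attr SNLEndpoint      -val XXXXDEFFB_FIN
com -ou BANKA
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```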