Configuring DNs and access to them

You use distinguished names (DNs) to specify who is to authorize, request, sign, respond to, or encrypt SWIFTNet messages. A distinguished name consists of two parts:
  • The first part is defined by the customer. For example, it can specify a user name, such as cn=john-smith.
  • The second part is defined by SWIFT, and is always of the form o=destination,o=swift, where destination represents the BIC8 of the destination organization. This part determines the subtree of your institution within the SWIFT database of distinguished names. Within this subtree, you can create SWIFTNet users, additional subtrees (which might represent departments), or security officers.
For example, in the DN cn=john-smith,o=xxxxdeff,o=swift, the part cn=john-smith is defined by the customer, and the part o=xxxxdeff,o=swift is defined by SWIFT during the SWIFTNet ordering process.

To specify which action or set of actions a DN authorizes a user in instance INST1 to perform:

  1. Open the CLI with the following parameters:
    dnicli -i INST1 -ou SYSOU -s DNI_SYSADM
    You must have the DniSA role or an equivalent role to execute this.
  2. Create a CO of type DnfSWIFTDn:
    1. As its name, specify the name of the SWIFTNet user concatenated with the string dn.
    2. As the value of the dn attribute, specify the DN. You can use a percent character (%) as a wildcard to represent any number of characters of the first part of the DN.
    3. Assign to the CO one or more of the following pseudo attributes:
      auth
      The DN is to be used as an authoriser DN.
      encr
      The DN is to be used as an encrypter DN.
      req
      The DN is to be used as a requestor DN.
      rsp
      The DN is to be used as a responder DN.
      sign
      The DN is to be used as a signer DN.
    For example:
    • To allow the DN cn=sec_officer1,o=xxxxdeff,o=swift to be used as requestor, signer, and authoriser DN for the OU BANKA:
      add -ou BANKA -ct DnfSWIFTDn -co sec_officer1dn -attr dn -val cn=sec_officer1,o=xxxxdeff,o=swift
      add -ou BANKA -ct DnfSWIFTDn -co sec_officer1dn -attr req
      add -ou BANKA -ct DnfSWIFTDn -co sec_officer1dn -attr sign
      add -ou BANKA -ct DnfSWIFTDn -co sec_officer1dn -attr auth
    • To allow the DN cn=sec_officer5,o=xxxxdeff,o=swift to be used as an authoriser DN for the OU BANKA:
      add -ou BANKA -ct DnfSWIFTDn -co sec_officer5dn -attr dn -val cn=sec_officer5,o=xxxxdeff,o=swift
      add -ou BANKA -ct DnfSWIFTDn -co sec_officer5dn -attr auth
    • To allow all DNs that end with o=xxxxdeff,o=swift to be used as authoriser, requestor, signer, responder, and encrypter DNs for the OU BANKA:
      add -ou BANKA -ct DnfSWIFTDn -co orgdn1 -attr dn -val \\%,o=xxxxdeff,o=swift
      add -ou BANKA -ct DnfSWIFTDn -co orgdn1 -attr auth
      add -ou BANKA -ct DnfSWIFTDn -co orgdn1 -attr req
      add -ou BANKA -ct DnfSWIFTDn -co orgdn1 -attr sign
      add -ou BANKA -ct DnfSWIFTDn -co orgdn1 -attr rsp
      add -ou BANKA -ct DnfSWIFTDn -co orgdn1 -attr encr
      The escape characters (\\) are needed so that the % reaches the dn value as a wildcard for the DN and is not interpreted by the add command itself.
  3. Commit, approve, and deploy the changes:
    com -ou BANKA
    app -ou BANKA
    dep -ou BANKA

    If dual authorization is enabled, another user with the appropriate access rights must approve the changes before they can be deployed. If dual authorization is disabled, you can skip approving the changes and immediately deploy them.

  4. Verify that the COs that are necessary for access control with DNs are correct:
    list -ou BANKA -ct DnfSWIFTDn -lo ncosv

To specify that a user is authorized to use one or more DNs in OU BANKA of instance INST1:

  1. Open the CLI with the parameters required to issue security commands:
    dnicli -i INST1 -ou BANKA -s DNI_SECADM
  2. If the user is to be allowed to use all the DNs of a particular OU, you can use the predefined role DnfDNSec. Otherwise, create a role that references the corresponding COs of type DnfSWIFTDn. For example, the following commands create a role named secoff that authorizes a user to use the DNs defined by the COs sec_officerdn and fincbtdn as both authoriser and requestor DNs:
    add -ro secoff -ct DnfSWIFTDn -co sec_officerdn -attr auth
    add -ro secoff -ct DnfSWIFTDn -co sec_officerdn -attr req
    add -ro secoff -ct DnfSWIFTDn -co fincbtdn      -attr auth
    add -ro secoff -ct DnfSWIFTDn -co fincbtdn      -attr req
  3. Assign the role to a user for a particular OU, for example:
    add -user JSMITH -ro DnfDNSec -ou BANKA
    or
    add -user JSMITH -ro secoff -ou BANKA
    Repeat this step for every required combination of user, role, and OU.
  4. For each user, commit and approve the changes, for example:
    com -user JSMITH
    app -user JSMITH
    If dual authorization is enabled, another user with the appropriate access rights must issue the approve commands. Otherwise, you can issue the approve commands yourself.
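The two procedures above (DnfSWIFTDn COs with pseudo attributes, then roles that hand those COs to users per OU) together decide whether a given user may use a given DN for a given action. The following Python model is an added example, not IBM's or SWIFT's code and not the behaviour of dnicli itself: the data structures, function names and sample data are constructed here, and two matching rules are assumptions drawn from the text. First, because the page says % is a wildcard only for the customer-defined part of the DN, the model lets % match there and requires the SWIFT-defined part o=destination,o=swift to match literally. Second, a role is assumed to grant only actions that the referenced CO itself carries, so both the CO and the role must permit the action. Case handling is not specified on the page, so comparisons are exact.

```python
"""Model of the DN access control this page configures with dnicli.

Added illustration, not IBM's or SWIFT's code: data structures, function
names, matching rules and sample data are assumptions reconstructed from the
text of the page.
"""
import re
from dataclasses import dataclass, field

# Pseudo attributes of a DnfSWIFTDn CO (from the page).
ACTIONS = {"auth", "encr", "req", "rsp", "sign"}
PREDEFINED_ALL_DNS_ROLE = "DnfDNSec"   # predefined role: all DNs of the OU


@dataclass
class DnCo:
    """One CO of type DnfSWIFTDn: a dn value (possibly with %) and the
    pseudo attributes assigned to it."""
    name: str
    dn: str
    attrs: set = field(default_factory=set)


def split_dn(dn):
    """Return (customer-defined part, SWIFT-defined part). The SWIFT part is
    the trailing 'o=<destination>,o=swift'; the customer part may be empty."""
    m = re.fullmatch(r"(?:(.*),)?(o=[^,]+,o=swift)", dn)
    if not m:
        raise ValueError(f"not a SWIFTNet DN: {dn!r}")
    return (m.group(1) or ""), m.group(2)


def dn_matches(pattern, dn):
    """True if dn matches the CO's dn value. '%' stands for any run of
    characters (including none) in the customer-defined part only; the
    SWIFT-defined part must be identical (assumption from the page's text)."""
    p_first, p_org = split_dn(pattern)
    d_first, d_org = split_dn(dn)
    if p_org != d_org:
        return False
    regex = ".*".join(re.escape(piece) for piece in p_first.split("%"))
    return re.fullmatch(regex, d_first) is not None


def dn_permitted(ou_cos, dn, action):
    """First procedure: which CO of the OU (if any) lets this DN be used for
    the given action? Returns the CO name, or None if no CO grants it."""
    if action not in ACTIONS:
        raise ValueError(f"unknown pseudo attribute: {action}")
    for co in ou_cos.values():
        if action in co.attrs and dn_matches(co.dn, dn):
            return co.name
    return None


def role_grants(role_name, roles, ou_cos):
    """(CO name, action) pairs a role carries. DnfDNSec is modelled as every
    action of every DnfSWIFTDn CO in the OU (assumption)."""
    if role_name == PREDEFINED_ALL_DNS_ROLE:
        return {(co.name, a) for co in ou_cos.values() for a in co.attrs}
    return roles.get(role_name, set())


def user_may_use(user, ou_name, dn, action, users, roles, ous):
    """Second procedure: may `user`, in OU `ou_name`, use `dn` for `action`?
    Assumes a role can only hand out what the referenced CO carries."""
    ou_cos = ous.get(ou_name, {})
    for role_name in users.get(user, {}).get(ou_name, set()):
        for co_name, granted in role_grants(role_name, roles, ou_cos):
            co = ou_cos.get(co_name)
            if (co and granted == action and action in co.attrs
                    and dn_matches(co.dn, dn)):
                return True
    return False


# --- Constructed sample data mirroring the page's BANKA examples ------------
BANKA = {
    "sec_officer1dn": DnCo("sec_officer1dn",
                           "cn=sec_officer1,o=xxxxdeff,o=swift",
                           {"req", "sign", "auth"}),
    "sec_officer5dn": DnCo("sec_officer5dn",
                           "cn=sec_officer5,o=xxxxdeff,o=swift", {"auth"}),
    "orgdn1": DnCo("orgdn1", "%,o=xxxxdeff,o=swift", set(ACTIONS)),
}
OUS = {"BANKA": BANKA}
# Constructed role, like the page's secoff but pointing at BANKA's own COs.
ROLES = {"secoff": {("sec_officer1dn", "auth"), ("sec_officer1dn", "req"),
                    ("sec_officer5dn", "auth"), ("sec_officer5dn", "req")}}
# Constructed users: user -> OU -> roles (what 'add -user ... -ro ... -ou' sets up).
USERS = {"JSMITH": {"BANKA": {"secoff"}}, "AJONES": {"BANKA": {"DnfDNSec"}}}

if __name__ == "__main__":
    print(dn_permitted(BANKA, "cn=sec_officer5,o=xxxxdeff,o=swift", "encr"))
    print(user_may_use("JSMITH", "BANKA", "cn=sec_officer5,o=xxxxdeff,o=swift",
                       "req", USERS, ROLES, OUS))
```

The second call in the usage block returns False even though the secoff role lists (sec_officer5dn, req): the CO sec_officer5dn only carries auth, so under the stated assumption the role cannot widen what the CO grants. Checks like dn_matches("cn=x,o=%,o=swift", ...) returning False show that a % placed in the SWIFT-defined part does not act as a wildcard in this model.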