Configuring a LAU key to be used by a message partner

For more information about LAU keys, see Configuring LAU keys.

To secure message traffic between a service and a message partner, you first have to configure LAU keys, and then you have to specify in each CO of your message partners the name of the LAU key to be used. To configure LAU keys, choose one of the following two methods and execute the steps of that method:
  • Method 1: Use the DNFSAGCFG service.
    Issue commands to the DNFSAGCFG service that both create the necessary FTM SWIFT configuration objects and configure the LAU key assignments on the SAG:
    1. Ensure that you have both the system configuration administrator (DniSA) role in SYSOU and the SagAdmin role in DNFSYSOU, or equivalent rights.
    2. Open the CLI with the following parameters:
      dnicli -i instance -ou DNFSYSOU -s DNFSAGCFG
    3. Create a new LAU key by issuing the addLauKey command, which is described in addLauKey.
    4. Set the half keys that comprise the LAU key by issuing the updateLauKey command, which is described in updateLauKey. Each half key used by a message partner is a character string that must follow these rules:
      • It must have a length of 16 characters.
      • All characters must be printable characters.
      • It must contain at least one uppercase and one lowercase character.
      • It must contain at least one digit.
      • No single character may occur more than 7 times.
    5. Add the LAU key to each message partner that is to use it:
      • For a new message partner, issue the amp command with the -lkn parameter. This command is described in addMessagePartner.
      • For an existing message partner, issue the ump command with the -lkn parameter. This command is described in updateMessagePartner.
      Note: When using dynamic workload balancing for FIN messages, the LAU key of a message partner must be the same on each of the SAGs in the SAG cluster. For more information about dynamic workload balancing and SAG clusters, see SAG clusters.
    6. Approve and deploy the changes for each of the corresponding SAGs. To see which SAGs you need to deploy, issue the listLauKeys command, which is described in listLauKeys.

      If dual authorization is enabled, another user with the appropriate access rights must approve the changes before they can be deployed. If dual authorization is disabled, you can skip approving the changes and immediately deploy them.

    7. Proceed with the steps described in: Secure the traffic that is transferred between the FTM SWIFT MSIF transfer services and an SAG.
  • Method 2: Use the DNI_SYSADM service.
    Issue commands to the DNI_SYSADM service to create the necessary FTM SWIFT configuration objects, and use the SWIFT Alliance Web Platform to configure the LAU key assignments on the SAG directly:
    1. Ensure that you have the system configuration administrator (DniSA) role in SYSOU, or equivalent rights.
    2. Open the CLI with the following parameters:
      dnicli -i instance -ou SYSOU -s DNI_SYSADM
    3. Create a new LAU key by issuing the following add commands:
      add -ou DNFSYSOU -ct DnfLAUKeyMP -co laukey -attr lkn -val laukey
      add -ou DNFSYSOU -ct DnfLAUKeyMP -co laukey -attr hk1 -secval hk1
      add -ou DNFSYSOU -ct DnfLAUKeyMP -co laukey -attr hk2 -secval hk2
      add -ou DNFSYSOU -ct DnfLAUKeyMP -co laukey -attr mdt -val timestamp
      where:
      laukey
      Name of the LAU key.
      hk1
      First half key of the LAU key.
      hk2
      Second half key of the LAU key.
      timestamp
      A timestamp that indicates when the LAU key was last changed. It must have the format yyyy-mm-dd hh:mm:ss.sssss and must be enclosed in single quotes. The time zone is Coordinated Universal Time (UTC). For example, for one-half second before midnight UTC on 15 February 2018:
      '2018-02-15 23:59:59.50000'
This timestamp can be used to determine whether the configured LAU key has expired and therefore needs to be updated.
      Each half key used by a message partner is a character string that must follow these rules:
      • It must have a length of 16 characters.
      • All characters must be printable characters.
      • It must contain at least one uppercase and one lowercase character.
      • It must contain at least one digit.
      • No single character may occur more than 7 times.
    4. To secure the traffic between the FTM SWIFT FIN services and an SAG, add a LAU key to each message partner. To do this, execute the following add commands on all COs of CT DnfMsgPartner:
      add -ou DNFSYSOU -ct DnfMsgPartner -co sagname.ltname -attr mpn -val ltname
      add -ou DNFSYSOU -ct DnfMsgPartner -co sagname.ltname -attr lkn -val laukey
    5. Commit, approve, and deploy the changes:
      com -ou DNFSYSOU
      app -ou DNFSYSOU
      dep -ou DNFSYSOU

      If dual authorization is enabled, another user with the appropriate access rights must approve the changes before they can be deployed. If dual authorization is disabled, you can skip approving the changes and immediately deploy them.

    6. Use the SWIFT Alliance Web Platform to update the LAU key of each message partner on the SAG.
    7. Proceed with the steps described in: Secure the traffic that is transferred between the FTM SWIFT MSIF transfer services and an SAG.
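The following is an added example, not part of the FTM SWIFT documentation or product: it checks two half keys against the five rules listed in Method 1 step 4 and Method 2 step 3, checks the mdt timestamp format of Method 2 step 3, and only then builds the four DNI_SYSADM add commands for the DnfLAUKeyMP CO, so that a mistyped half key is caught before it reaches the configuration. It assumes that "printable" means ASCII 0x21 to 0x7E (no spaces or control characters).

```python
from collections import Counter
from datetime import datetime
import re

HALF_KEY_LEN = 16
MAX_REPEAT = 7
# mdt must be a single-quoted UTC timestamp: 'yyyy-mm-dd hh:mm:ss.sssss'
MDT_RE = re.compile(r"^'(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{5})'$")

def half_key_problems(half_key):
    """Return the half-key rules that half_key violates; an empty list means valid."""
    problems = []
    if len(half_key) != HALF_KEY_LEN:
        problems.append("length must be 16 characters")
    # "printable" is assumed here to mean ASCII 0x21-0x7E (no spaces or controls)
    if not all(0x21 <= ord(c) <= 0x7E for c in half_key):
        problems.append("all characters must be printable")
    if not (any(c.isupper() for c in half_key) and any(c.islower() for c in half_key)):
        problems.append("needs at least one uppercase and one lowercase character")
    if not any(c.isdigit() for c in half_key):
        problems.append("needs at least one digit")
    if any(n > MAX_REPEAT for n in Counter(half_key).values()):
        problems.append("no single character may occur more than 7 times")
    return problems

def mdt_is_valid(mdt):
    """True if mdt has the required quoted format and is a real calendar time."""
    m = MDT_RE.match(mdt)
    if not m:
        return False
    try:
        datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
    except ValueError:  # e.g. month 13 or second 61
        return False
    return True

def lau_key_add_commands(laukey, hk1, hk2, mdt):
    """Validate the inputs, then return the four DNI_SYSADM add commands of step 3.
    Raises ValueError listing every violated rule instead of emitting bad config."""
    errors = [f"hk1: {p}" for p in half_key_problems(hk1)]
    errors += [f"hk2: {p}" for p in half_key_problems(hk2)]
    if not mdt_is_valid(mdt):
        errors.append("mdt: expected e.g. '2018-02-15 23:59:59.50000' (UTC, single-quoted)")
    if errors:
        raise ValueError("; ".join(errors))
    base = f"add -ou DNFSYSOU -ct DnfLAUKeyMP -co {laukey} -attr"
    return [f"{base} lkn -val {laukey}", f"{base} hk1 -secval {hk1}",
            f"{base} hk2 -secval {hk2}", f"{base} mdt -val {mdt}"]
```

The half keys in any call are constructed sample values; the returned strings are meant to be issued one by one at the dnicli prompt opened in step 2.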
Secure the traffic that is transferred between the FTM SWIFT MSIF transfer services and an SAG
  1. Execute the following add commands for DNFSYSOU for all existing event message partners. Event message partners are specified with attribute EventMP in your COs of CT DnfEfaSagCommOptionSet.
    add -ou DNFSYSOU -ct DnfEfaSagMPOptionSet -co SagMPOptionSet -attr MP -val MP
    add -ou DNFSYSOU -ct DnfEfaSagMPOptionSet -co SagMPOptionSet -attr SnlId -val SnlId
    add -ou DNFSYSOU -ct DnfEfaSagMPOptionSet -co SagMPOptionSet -attr lkn -val lkn
    
  2. Commit, approve, and deploy the changes:
    com -ou DNFSYSOU
    app -ou DNFSYSOU
    dep -ou DNFSYSOU

    If dual authorization is enabled, another user with the appropriate access rights must approve the changes before they can be deployed. If dual authorization is disabled, you can skip approving the changes and immediately deploy them.

  3. Execute the following add commands for all business OUs on all existing COs of CT DnfEfaSagMPOptionSet:
    add -ou BOU -ct DnfEfaSagMPOptionSet -co SagMPOptionSet -attr lkn -val LauKeyName
    
  4. Commit, approve, and deploy the changes:
    com -ou BOU
    app -ou BOU
    dep -ou BOU

    If dual authorization is enabled, another user with the appropriate access rights must approve the changes before they can be deployed. If dual authorization is disabled, you can skip approving the changes and immediately deploy them.