Configuring the signature verification service

To help you configure the signature verification service (DNF_V_REQ) and the signature verification API (DNF_V_API), FTM SWIFT generates a script for each business OU during customization. The script names have the form:
deployment_dir/instance/admin/ou_dnfcvcsv.cli
where:
deployment_dir
Directory specified in the CDP initialization file.
instance
Name of the instance.
ou
Name of the OU.
Each of these scripts contains the following commands:
add -ou DNIvOU -ct DnfVerifService -co <service> -attr AutoInterval         -val 5
add -ou DNIvOU -ct DnfVerifService -co <service> -attr MaxInterval          -val 0
add -ou DNIvOU -ct DnfVerifService -co <service> -attr MaxTransactionSize   -val 20
add -ou DNIvOU -ct DnfVerifService -co <service> -attr DefaultVerifConn     -val <number>
add -ou DNIvOU -ct DnfVerifService -co <service> -attr SNLRequestExpiration -val 90
com -ou DNIvOU

The customization process substitutes the placeholder DNIvOU in the scripts with the name of the OU. To modify and run these scripts:

  1. Copy the script into your home directory.
  2. In each copy of ou_dnfcvcsv.cli, copy the set of commands once for each SWIFT service that is to be used (for example, for SWIFTNet FIN) and once for the signature verification API.
  3. Replace the following items as appropriate:
    <service>
    A character string that indicates the service for which the values apply:
      DnfFIN
      The SIPN FIN service.
      DnfAPI
      The signature verification API addressed via flow DNF_V_API.
    AutoInterval
    The number of minutes that DNF_V_REQ is to wait between automatic signature reverification attempts. If automatic signature reverification is not to be performed, specify 0. The default is 5.
    Note: This attribute affects neither the processing of FIN MT398 messages nor the signature verification API. However, when processing a FIN MT398 message, the DNF_ILS_FIN flow triggers signature verification only once. If that attempt fails due to a recoverable error, the signature remains in the DNFV_REQUEST table until another verification attempt is made. That attempt can be made manually, by issuing the verify command, or is made automatically if AutoInterval > 0.
    MaxInterval
    When automatic verification is to be performed (that is, when AutoInterval > 0), this attribute specifies the number of minutes after a received message is stored in the DNFV_REQUEST table by which DNF_V_REQ must have verified its signature. If no limit is to be placed on the time available to automatically verify signatures, specify 0. The default is 0.

    The first time automatic verification is performed for a message, DNF_V_REQ attempts to verify its signature even if the interval specified by MaxInterval has expired. However, before each subsequent attempt, DNF_V_REQ first checks whether the interval expired and, if so, passes the message to the application.

    Note: This attribute affects neither the processing of FIN MT398 messages nor the signature verification API.
    MaxTransactionSize
    A number from 1 to 70 that indicates the maximum transaction size, that is, the maximum number of messages that DNF_V_REQ is to include in each signature verification transaction. The default is 20. If a database timeout occurs before a signature verification transaction can be completed, reduce the maximum transaction size.
    Note: This attribute affects neither the processing of FIN MT398 messages nor the signature verification API.
    DefaultVerifConn <number>
    A two-digit number that indicates which connection between DNF_V_REQ and an SAG is to be used for automatic signature reverification, or for a manually issued verify command for which no connection is specified. Such a connection is configured by means of a CO of type DnfVerifConn (see Configuring a connection between the signature verification service and an SAG).
    SNLRequestExpiration
    The value of this attribute specifies the maximum amount of time, in seconds, after the signature verification service puts a VerifyDecrypt request into the input queue of an SAG, by which the SAG must begin to process the request. If the SAG does not remove the request before this amount of time elapses, the message is deleted from the queue. The default is 90 seconds.

    Additionally, the signature verification service checks for requests from previous verification cycles that have not received a response from the SAG after at least two times this number of seconds. If it detects such a request, the signature verification service issues an event and removes the corresponding record from the verification cycle table.

    As long as a VerifyDecrypt request awaits a response, the signature verification service does not attempt to verify the signatures of any of the messages it contains. Therefore, the value of SNLRequestExpiration must be large enough to give the SAG enough time to process VerifyDecrypt requests and their responses, but not so large as to block subsequent verification attempts.

  4. Run each copy of the ou_dnfcvcsv.cli script. To do this, you must have the system configuration administrator (DniSA) role. For example, to run the scripts for the OU BANKA in instance INST1, enter the following command:
    dnicli -i INST1 -ou SYSOU -s DNI_SYSADM -cft BANKA_dnfcvcsv.cli
  5. Approve and deploy the changes:
    dnicli -i INST1 -ou SYSOU -s DNI_SYSADM 
    app -ou BANKA
    dep -ou BANKA

    If dual authorization is enabled, another user with the appropriate access rights must approve the changes before they can be deployed. If dual authorization is disabled, you can skip approving the changes and immediately deploy them.
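
A pre-flight check for an edited copy of ou_dnfcvcsv.cli, run before step 4 (added example, not part of FTM SWIFT). The function name check_verif_cli is hypothetical, and the sample script, including connection number 01, is constructed to show the findings.

```shell
# Added example: lint a copy of ou_dnfcvcsv.cli before passing it to dnicli -cft.
check_verif_cli() {
  awk '
    function bad(msg) { print FILENAME ":" FNR ": " msg; errs++ }
    $1 == "add" {
      co = attr = val = ""
      for (i = 2; i < NF; i++) {
        if ($i == "-co")   co   = $(i + 1)
        if ($i == "-attr") attr = $(i + 1)
        if ($i == "-val")  val  = $(i + 1)
      }
      if (co ~ /[<>]/) { bad("<service> placeholder not replaced"); next }
      svc[co] = 1; seen[co] = seen[co] " " attr
      if (val !~ /^[0-9]+$/) { bad(co " " attr ": value " val " is not a number"); next }
      if (attr == "MaxTransactionSize" && (val + 0 < 1 || val + 0 > 70))
        bad(co ": MaxTransactionSize must be 1 to 70")
      if (attr == "DefaultVerifConn" && val !~ /^[0-9][0-9]$/)
        bad(co ": DefaultVerifConn must be a two-digit number")
    }
    $1 == "com" { committed = 1 }
    END {
      # This checker expects the full set of five attributes for every service.
      n = split("AutoInterval MaxInterval MaxTransactionSize DefaultVerifConn SNLRequestExpiration", need, " ")
      for (c in svc) for (k = 1; k <= n; k++)
        if (index(seen[c] " ", " " need[k] " ") == 0) { print c ": missing " need[k]; errs++ }
      if (!committed) { print "no com command found"; errs++ }
      exit (errs > 0)
    }
  ' "$1"
}

# Constructed sample: OU BANKA; connection number 01 is a made-up value.
sample=$(mktemp)
cat > "$sample" <<'EOF'
add -ou BANKA -ct DnfVerifService -co DnfFIN -attr AutoInterval         -val 5
add -ou BANKA -ct DnfVerifService -co DnfFIN -attr MaxInterval          -val 0
add -ou BANKA -ct DnfVerifService -co DnfFIN -attr MaxTransactionSize   -val 20
add -ou BANKA -ct DnfVerifService -co DnfFIN -attr DefaultVerifConn     -val 01
add -ou BANKA -ct DnfVerifService -co DnfFIN -attr SNLRequestExpiration -val 90
add -ou BANKA -ct DnfVerifService -co DnfAPI -attr AutoInterval         -val 5
add -ou BANKA -ct DnfVerifService -co DnfAPI -attr MaxInterval          -val 0
add -ou BANKA -ct DnfVerifService -co DnfAPI -attr MaxTransactionSize   -val 80
add -ou BANKA -ct DnfVerifService -co DnfAPI -attr DefaultVerifConn     -val <number>
com -ou BANKA
EOF
check_verif_cli "$sample" || echo "fix the findings above before running dnicli"
```

The function exits non-zero when it reports any finding, so it can gate the dnicli call in a wrapper script.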