Initializing a User

A bank enters into a contract with its trading partners. The contract defines the terms and conditions of business transactions agreed upon between the bank and the trading partner.

The bank does not yet have the user's public certificates. Transmission of the user's public certificates to the bank's system is required to initialize the user.

There are three order types used for subscriber initialization: H3K, INI, and HIA. H3K is the simplest and transmits all three public certificates at the same time. However, H3K cannot be used in all cases, such as if trusted keys are used or with protocol version H003. If you cannot, or prefer not to, use H3K, you can use INI and HIA together to transmit the public certificates.

Table 1. Order types for subscriber initialization
Order types Protocol Keys/certificates
H3K H004
  • Bank Technical Key certificate for Electronic Signature (ES)
  • Identification and Authentication certificate
  • Encryption certificate
INI H003, H004 Bank-technical key
HIA H003, H004
  • Identification and Authentication key
  • Encryption key


With protocol version H004, you can use order type H3K, which simplifies and automates the procedure, essentially combining INI and HIA into a single step. Trusted keys are not supported for H3K, and at least the bank technical key used for the ES must be a certificate issued by a Certification Authority (CA). The remaining two certificates for identification and authorization and for encryption can be self-signed certificates. H3K requires no initialization letters.

Use INI and HIA for initialization with non-CA issued certificates or trusted keys, or with protocol version H003.


The supported versions for the Electronic Signature (ES), encryption, and identification and authentication signature are components of the bank parameters. The user's bank-technical key must be newly-generated if the user does not have a suitable bank-technical key or does not want to use an existing bank-technical key for the new bank connection. The same applies for the encryption key and the identification and authentication key.

The user transmits the public certificates to the financial institution through two independent communication paths:
  • INI - Sends the public bank-technical key
  • HIA - Sends the public identification and authentication key and the public encryption key

When the user is first assigned to a partner, the status of the user is New. If the user sends only the INI request to the bank, the status is changed to Partly Initialized (INI). If the user sends only the HIA request to the bank, the status is changed to Partly Initialized (HIA). After the user sends both the INI and HIA requests to the bank, the status is changed to Initialized in the bank's system.

The user generates the INI and HIA letters with the hash value of the keys using the Sterling B2B Integrator EBICS Client dashboard interface, manually signs them and mails the letters to the bank. When the bank receives the initialization letters of INI and HIA, it verifies the hash values in the letters against its database. After successful verification, the status of the user is set to Ready in the bank's system, indicating that the user can now transact with the bank. The user then downloads the bank's public certificates by using the HPB system order type and validates them using the Sterling B2B Integrator EBICS Client dashboard interface. After successful validation, the bank status is set to Activated, indicating that transaction with the bank is now possible.

The subscribers can retrieve information stored by the bank using the HKD and HTD order types after the user status is set to 'Ready'.