Managing SWIFTNet users and SWIFTNet security

You must define SWIFTNet user and security information. This information can be divided into the following types:

SWIFTNet users
Users registered in the SWIFT directory. To use applications with SWIFTNet, you must assign them a SWIFTNet user with certificates. The local registration application (LRA) commands include:
  • registerSwiftNetUser (rgsnu)
  • setupUserForRecovery (surc)
  • revokeSwiftNetUser (rvsnu)
  • disableSwiftNetUser (disnu)
  • setupUserForCert (suct)
  • listSwiftNetUser (lsnu)
SWIFTNet PKI certificates
Certificates for distinguished names (DN) for SWIFTNet access. Use the key management authority (KMA) to manage them. The KMA commands include:
  • createCertificate (cct)
  • recoverCertificate (rcct)
  • changeCertificatePassword (chctp)
  • SiRenewCertificates (rn)
Roles
Roles defined for a service. The role-based access control (RBAC) commands include:
  • grantRole (gr)
  • ungrantRole (ur)
  • listRoles (lr)
Only SWIFTNet users with the correct roles can access SWIFTNet services. You can also create additional roles for the uet (updateSagTemplates) command.
SAG users
Users locally defined on the SAG. The SAG commands include:
  • acquireCertificate (acct)
  • removeCertFromSag (rmct)
  • setCertProtocol (sctp)
  • defineSagUser (dfsu)
  • deleteSagUser (dlsu)
  • listSagUser (lsu)

Figure 1 shows the possible states of SWIFTNet users and how you can use configuration commands to move SWIFTNet users through these states. This figure does not show all possible state transitions. For a complete diagram of state transitions, see the SWIFTNet PKI Certificate Administration Guide.

Figure 1. SWIFTNet user states and configuration commands

Before you can issue commands for SWIFTNet users and roles, you must first set up the SWIFTNet security officer (SO) for the same SAG on which the certificate of the SO was created (see Configuring a SWIFTNet security officer). To issue a command:
  1. Log on as an SAG configuration administrator. An SAG configuration administrator must have, for DNFSYSOU, the access rights provided by the SagCfgAdmin role.
  2. Open the CLI with the following parameters:
    dnicli -i instance -ou DNFSYSOU -s DNFSAGCFG
    The CLI prompt changes to:
    INST1.DNFSYSOU.DNFSAGCFG>
  3. Enter the command. The commands are described in SAG configuration commands.

The SWIFTNet user and security information is not stored in the FTM SWIFT configuration database. The certificates are stored on the SAG. The SWIFTNet user (LRA) and role information (RBAC) is stored in the corresponding applications in SWIFTNet. However, you can manage this data from the SAG configuration service.

For additional information about LRA, RBAC, and KMA, and their procedures, see the SWIFTNet PKI Certificate Administration Guide.

Notes:
  1. Passwords are passed in a readable format.
  2. Some of the command examples show each parameter on a new line for clarity. When you use these commands and their parameters, you need to enter them on one line.