Example 1: Configuring users and security for a master LT

This example assumes that:
  • All commands are issued for SAG1
  • The OU of the master LT is BANKA
  • The security officer is cn=sec-officer,o=xxxxdeff,o=swift
  • Dual authorization is reactivated

To set up users and security for a FIN application in instance INST1:

  1. Ensure you have the role SagCfgPKIAdmin.
  2. Open the CLI with the following parameters:
    dnicli -i INST1 -ou DNFSYSOU -s DNFSAGCFG
  3. Create the SWIFTNet user that is to be used as the requestor DN. Customer applications use this to send FIN messages.
    registerSwiftNetUser  -sag SAG1
                          -ou BANKA
                          -user fincbt1
                          -parent o=xxxxdeff,o=swift
                          -type CommonName
                          -authDn cn=sec-officer,o=xxxxdeff,o=swift
                          -reqDn cn=sec-officer,o=xxxxdeff,o=swift
                          -signDn cn=sec-officer,o=xxxxdeff,o=swift
  4. Apply for a certificate for the SWIFTNet user that is to be used as the authoriser DN. Customer applications use this to authorize FIN messages. Use the user created in step 3.
    setupUserForCert      -sag SAG1
                          -ou BANKA
                          -user cn=fincbt1,o=xxxxdeff,o=swift
                          -type Managed
                          -policy 1.3.21.6.2
                          -authDn cn=sec-officer,o=xxxxdeff,o=swift
                          -reqDn cn=sec-officer,o=xxxxdeff,o=swift
                          -signDn cn=sec-officer,o=xxxxdeff,o=swift
    This command sets up the user cn=fincbt1,o=xxxxdeff,o=swift for certification. The response to this command contains the authorization code 9DTK-AXWT-7TKD and the reference number 45870124. You need the authorization code and reference number when you create the certificate.
  5. Create a certificate for the authoriser DN. Use the authorization code and reference number returned from step 4.
    createCertificate    -sag SAG1
                         -authcode 9DTK-AXWT-7TKD
                         -refcode 45870124
                         -name cbt1cert
                         -password M1Tg8ghk
                         -certlocation Hardware
    This creates a file-based certificate for the user in the local file cbt1cert, which is protected by the password M1Tg8ghk. You must issue this command for each SAG used by the SWIFTNet user.
  6. Set the SNL protocol mode for the certificate to the relaxed mode.
    setCertProtocol     -sag SAG1
                        -cert cbt1cert
                        -password M1Tg8ghk
                        -protocol Relaxed
    You must issue this command for each SAG used by the SWIFTNet user.
  7. To enable the authoriser DN to send SWIFTNet FIN messages, grant this DN the SWIFTNet role-based access control (RBAC) role fin.
    grantRole           -sag SAG1
                        -ou BANKA
                        -user cn=fincbt1,o=xxxxdeff,o=swift
                        -role fin
                        -service swift.fin
                        -authDn cn=sec-officer,o=xxxxdeff,o=swift
                        -reqDn cn=sec-officer,o=xxxxdeff,o=swift
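Steps 4 to 6 hand values from one command to the next (the authorization code and reference number from the setupUserForCert response feed createCertificate, and steps 5 and 6 must be repeated for every SAG the user works through). The helper below is an added example, not part of the product documentation or the dnicli tool: it extracts both values from a constructed response text, refuses to continue if either is missing, and prints the per-SAG command lines with the certificate password supplied from the environment rather than embedded in a script. The response wording and the code formats (4-4-4 alphanumerics, eight digits) are assumptions.

```shell
#!/bin/sh
# Added example (not from the product documentation). Assumed response layout:
# free text containing "authorization code XXXX-XXXX-XXXX" and
# "reference number NNNNNNNN"; the real response may be worded differently.

# Constructed sample response for the user set up in step 4.
SAMPLE_RESPONSE='setupUserForCert completed for cn=fincbt1,o=xxxxdeff,o=swift
authorization code 9DTK-AXWT-7TKD
reference number 45870124'

# Extract the authorization code (three groups of four alphanumerics).
auth_code() {
    printf '%s\n' "$1" \
      | sed -n 's/.*authorization code \([A-Z0-9]\{4\}-[A-Z0-9]\{4\}-[A-Z0-9]\{4\}\).*/\1/p' \
      | head -n 1
}

# Extract the eight-digit reference number.
ref_code() {
    printf '%s\n' "$1" | sed -n 's/.*reference number \([0-9]\{8\}\).*/\1/p' | head -n 1
}

# Print the step 5 and step 6 command lines for one SAG.
# $1 = SAG, $2 = auth code, $3 = ref code, $4 = certificate name, $5 = password
per_sag_cmds() {
    printf 'createCertificate -sag %s -authcode %s -refcode %s -name %s -password %s -certlocation Hardware\n' \
        "$1" "$2" "$3" "$4" "$5"
    printf 'setCertProtocol -sag %s -cert %s -password %s -protocol Relaxed\n' "$1" "$4" "$5"
}

# Emit the commands for every SAG in the space-separated list $2; stop with an
# error if either value could not be parsed, rather than emitting a half-built script.
# $1 = response text, $2 = SAG list, $3 = certificate name, $4 = password
gen_cert_cmds() {
    response=$1; sags=$2; cert=$3; pw=$4
    ac=$(auth_code "$response"); rc=$(ref_code "$response")
    if [ -z "$ac" ] || [ -z "$rc" ]; then
        echo "could not parse authorization code / reference number from response" >&2
        return 1
    fi
    for sag in $sags; do
        per_sag_cmds "$sag" "$ac" "$rc" "$cert" "$pw"
    done
}

# Demonstration: password comes from CERT_PASSWORD so it is not stored in the script.
if [ -n "${CERT_PASSWORD:-}" ]; then
    gen_cert_cmds "$SAMPLE_RESPONSE" "SAG1 SAG2" cbt1cert "$CERT_PASSWORD"
fi
```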