Valicert SecureTransport™


Secure Internet data delivery and application integration

Valicert SecureTransport™ is a proven solution used by major corporations and financial institutions to securely move sensitive data between geographically dispersed offices, customers, partners and suppliers; replace the costly private network infrastructure required for EDI systems; and reliably exchange data between back-office applications across multiple sites. SecureTransport has been deployed by hundreds of major corporations at thousands of sites around the world.

Many Valicert customers integrate SecureTransport with existing applications and business processes. They use it to secure extranet services; replace costly leased lines, modem pools and VANs; streamline paper, fax and phone-based processes inside and outside the organization; and support demanding, mission-critical production processes.

Leading banks, insurance companies and government departments use SecureTransport to transparently incorporate secure data and document delivery into the Web services and portals they offer to their corporate customers and business partners.

SecureTransport now provides even greater value by adding a rich set of application integration capabilities to the secure data delivery platform. This unique combination is a highly cost-effective way to extend Enterprise Application Integration (EAI) out over the Internet to small and large companies.

The Valicert team brings extensive knowledge in securely deploying these solutions in the most demanding financial and supply chain processes. The consulting team has experience with a variety of enterprise authentication solutions, DMZ security practices, high-availability deployments, and load-balanced configurations.

Product Overview

Valicert SecureTransport is a data transfer and business process integration solution offering security, reliability, scalability and performance. It provides secure file transfer and data integration over the Internet and private IP networks, with enterprise-class features, including:

■ Support for both FTP/S and HTTP/S protocols for secure data transfer
■ The strongest levels of authentication, data encryption and audit trails
■ Guaranteed delivery and data integrity with retransmits for failed transfers
■ Reliable transfer of very large files with checkpoint/restart
■ Scheduled batch transfers
■ Transaction management for structured EDI and XML messages
■ Thin and thick clients available across a wide range of operating systems
■ Integration with many authentication systems including LDAP, SSO and PKI
■ Event-driven agents, data conversion and application integration
■ Distributed deployment architecture for high availability and performance
■ Push and pull data delivery with centralized partner management
■ Rapid deployment services

Because of these attributes, SecureTransport provides a compelling return on your investment (ROI). SecureTransport is used extensively in large-scale production environments by:

■ Leading commercial and central banks, inter-bank networks, clearinghouses and other financial institutions
■ National and state government agencies
■ Insurance companies and health records processors
■ Global 2000 companies in the manufacturing, pharmaceutical and high-tech industries

In many instances SecureTransport is deployed for complete automation of application-to-application data delivery across organizational boundaries. It can be deployed more securely and quickly than a VPN solution, with lower Total Cost of Ownership (TCO), while providing a more complete set of automation capabilities for secure and reliable data exchange.

“To secure the delivery of financial transactions and highly sensitive documents to our customers over the Internet, we selected Valicert’s SecureTransport software because it provides us a confidential and guaranteed solution.”

JPMorgan Chase

SecureTransport Applications

FINANCIAL SERVICES
■ Treasury and cash management
■ Electronic funds transfer (ACH, SWIFT)
■ Lockbox services with images
■ Positive Pay file delivery
■ Trust and custodial services
■ Brokerage position updates
■ Credit card reporting services
■ Insurance claims processing and enrollment
■ Trade finance documentary collection

ENTERPRISE
■ Internet EDI
■ Software and disk image distribution
■ Product design, shipment and logistics
■ Credit processing and recovery services
■ Remote inventory reporting

GOVERNMENT
■ Tax and wage reporting
■ Regulatory filings
■ Records delivery

Benefits
■ More reliable than e-mail and ftp
■ Protects data in transit and in DMZ
■ Transparently encrypts stored data
■ Cuts private network/VAN costs
■ Increases efficiency via automation
■ Provides demonstrable, quick ROI
■ Eliminates need for paper proof
■ Improves regulatory compliance

Secure Data Delivery Features

Authenticated, Encrypted File Transfer

The foundation of SecureTransport is its ability to transfer data securely and reliably over the public Internet or private IP networks. Secure access and data transfers are available with a Web browser, a wide range of platform-specific clients or an application using the SecureTransport Software Developer Kit (SDK). Security is provided by:

■ Authenticating the SSL connection between the client and server
■ Encrypting the connection during data delivery
■ Controlling access based on credentials managed by SecureTransport or an enterprise authentication system

SSL-encrypted sessions protect important information, such as userID, password, commands, file names and data.

Guaranteed Delivery

SecureTransport file transfers are based on industry-standard protocols: FTP and HTTP. ValiCert brings enterprise-class reliability and efficiency to these protocols, by adding the following guaranteed delivery features:

■ Data integrity checks on both sides of the transfer, with a retransmit if the match fails
■ Auto-restart in case of a failed transmission
■ Checkpoint/Restart in case of an interrupted connection. After reconnection, the client transfers only the remaining data, saving time and bandwidth and improving performance
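The guaranteed delivery behaviour just listed, as an added Python illustration that is not Valicert code: the offset-plus-chunk exchange, the SHA-256 digest comparison on both sides and the FlakyLink class are constructed stand-ins for the product's wire protocol. It shows that a resumed transfer sends only the remaining bytes, while a failed integrity match forces a full retransmit.

```python
"""Checkpoint/restart with integrity checking, in the manner the page describes
for SecureTransport's guaranteed delivery. Added example, not Valicert code: the
offset-plus-chunk exchange, the SHA-256 digest comparison and FlakyLink are
constructed stand-ins for the product's wire protocol."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


class LinkDropped(Exception):
    """Raised by the constructed link when the connection fails mid-transfer."""


@dataclass
class FlakyLink:
    """Constructed network stand-in. Drops the connection once, just before the
    chunk numbered drop_after; optionally corrupts the first chunk it carries."""
    drop_after: Optional[int] = None
    corrupt_once: bool = False
    sent_chunks: int = 0

    def send(self, chunk: bytes) -> bytes:
        if self.drop_after is not None and self.sent_chunks == self.drop_after:
            self.drop_after = None                # fail only once
            raise LinkDropped()
        self.sent_chunks += 1
        if self.corrupt_once:                     # simulate bit damage in transit
            self.corrupt_once = False
            return bytes([chunk[0] ^ 0xFF]) + chunk[1:]
        return chunk


@dataclass
class Receiver:
    """Server side: accepts chunks only at the committed offset (no gaps, no
    replays), reports that offset as the checkpoint, verifies the final digest."""
    data: bytearray = field(default_factory=bytearray)

    def checkpoint(self) -> int:
        return len(self.data)

    def append(self, offset: int, chunk: bytes) -> None:
        if offset != len(self.data):
            raise ValueError(f"expected offset {len(self.data)}, got {offset}")
        self.data.extend(chunk)

    def verify(self, expected_digest: str) -> bool:
        return hashlib.sha256(self.data).hexdigest() == expected_digest

    def reset(self) -> None:
        self.data.clear()


def transfer(payload: bytes, link: FlakyLink, rx: Receiver,
             chunk_size: int = 4, max_attempts: int = 5) -> dict:
    """Client side. Resumes from the receiver's checkpoint after a dropped link
    and retransmits from zero if the end-of-transfer digests disagree."""
    digest = hashlib.sha256(payload).hexdigest()   # client-side integrity check
    stats = {"reconnects": 0, "retransmits": 0, "bytes_sent": 0, "ok": False}
    for _ in range(max_attempts):
        offset = rx.checkpoint()                   # resume, do not start over
        try:
            while offset < len(payload):
                chunk = payload[offset:offset + chunk_size]
                rx.append(offset, link.send(chunk))
                stats["bytes_sent"] += len(chunk)
                offset += len(chunk)
        except LinkDropped:
            stats["reconnects"] += 1
            continue
        if rx.verify(digest):                      # server-side integrity check
            stats["ok"] = True
            return stats
        stats["retransmits"] += 1                  # match failed: auto-restart
        rx.reset()
    return stats
```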

Authentication and Authorization

Users or applications require authenticated credentials to access SecureTransport. Supported credentials include: userID/password, secure tokens, digital certificates, smartcards or any other enterprise authentication means. SecureTransport can also be used in conjunction with an LDAP server such as Netscape Directory Server or an OCSP server such as Valicert Validation Authority™.

When used with digital certificates, SecureTransport accepts standard X.509v3 certificates or Entrust Entelligence user profiles. It works with any commercial Certificate Authority (CA), but also has a built-in CA for customers preferring an integrated solution. SecureTransport can be extended with customizable Agents to authenticate against any Single Sign-On (SSO) server or enterprise authentication solution such as tokens. Customers have used agents to integrate with:

■ Network authentication systems, such as RADIUS
■ Secure token systems, such as RSA SecureID ACE/Server
■ SSO environments, such as Netegrity SiteMinder and IBM Tivoli Policy Director
■ Computer Associates’ CA-ACF2

After validating the credentials, SecureTransport determines user access permissions based on the IP address, user class and user types – real (OS) or virtual (SecureTransport application). Any combination of user type, name pattern, group and IP address can be used to create a user class with enterprise access policies.

Virtual users operate in a higher security environment; their access is restricted to the SecureTransport application, preventing unauthorized access to the system and to other parts of the network. Their home directories restrict access to a defined segment of the file system, but they can be granted access permissions to shared directories.
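An added example (not the product's own code or configuration) of the user-class model described above: a class is matched on user type, name pattern, group and client IP address, and carries the home segment, shared directories and transfer permissions that apply once credentials have been validated. The class names, CIDR ranges and paths are constructed.

```python
"""User-class access policy modelled on the page's description: a class is
selected by user type (real OS user or virtual application user), a name
pattern, group membership and client IP address, and it carries the home
segment, shared directories and transfer permissions applied after the
credentials have been validated. Added example; class names, CIDR ranges and
paths are constructed, not the product's configuration."""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class UserClass:
    name: str
    user_type: Optional[str] = None      # "real" or "virtual"; None matches both
    name_pattern: Optional[str] = None   # shell-style glob on the userID
    group: Optional[str] = None          # required group membership, if any
    networks: Sequence[str] = ()         # CIDR blocks; empty matches any address
    home: str = "/"                      # the file-system segment the user sees
    shared: Sequence[str] = ()           # shared directories granted in addition
    allow_upload: bool = True
    allow_download: bool = True

    def matches(self, user_type: str, user_id: str, groups: Sequence[str], ip: str) -> bool:
        if self.user_type is not None and self.user_type != user_type:
            return False
        if self.name_pattern is not None and not fnmatch.fnmatchcase(user_id, self.name_pattern):
            return False
        if self.group is not None and self.group not in groups:
            return False
        if self.networks:
            addr = ipaddress.ip_address(ip)
            if not any(addr in ipaddress.ip_network(n) for n in self.networks):
                return False
        return True


# Constructed policy set; the first matching class wins, so list specific ones first.
CLASSES = [
    UserClass("partner-bank", user_type="virtual", name_pattern="bank-*",
              networks=("203.0.113.0/24",), home="/partners/bank",
              shared=("/shared/ach-inbound",), allow_download=False),
    UserClass("internal-ops", user_type="real", group="ops",
              networks=("10.0.0.0/8",), home="/", shared=("/shared",)),
    UserClass("virtual-default", user_type="virtual", home="/mailboxes"),
]


def resolve_class(user_type: str, user_id: str, groups: Sequence[str], ip: str,
                  classes: Sequence[UserClass] = CLASSES) -> Optional[UserClass]:
    """Return the first class whose criteria all match, or None (no access)."""
    for c in classes:
        if c.matches(user_type, user_id, groups, ip):
            return c
    return None


def in_segment(path: str, roots: Sequence[str]) -> bool:
    """True if path lies under one of the granted directory roots."""
    return any(path == r or path.startswith(r.rstrip("/") + "/") for r in roots)


def authorize(user_type: str, user_id: str, groups: Sequence[str], ip: str,
              path: str, op: str) -> bool:
    """Decide an upload/download request after authentication has succeeded."""
    c = resolve_class(user_type, user_id, groups, ip)
    if c is None or not in_segment(path, (c.home, *c.shared)):
        return False
    return c.allow_upload if op == "upload" else c.allow_download
```

A virtual partner user connecting from outside its registered network falls through to the more restrictive default class rather than inheriting the partner's shared directories.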

Audit Trails and Tracking

Secure data delivery requires strong audit trails for tracking and proof management. All data transfers in SecureTransport are tracked via log files and Messaging Disposition Notification (MDN) receipts.

These digitally signed and vaulted audit records capture relevant file transfer and non-repudiation information, including: timestamp, data integrity check and user credentials. Tracking reports are available based on userID, disposition status, time period, etc.

Data Protection and Encryption

SecureTransport also addresses enterprise and regulatory requirements for data protection through:

■ DMZ Security Application Proxy
■ Repository Encryption
■ End-to-End Encryption

These features help financial institutions comply with GLB Title V (Privacy) regulations and healthcare organizations with HIPAA privacy and security regulations.

Enterprise policies often preclude storing sensitive data in the Demilitarized Zone (DMZ). SecureTransport’s DMZ Security Application Proxy streams data securely between the Internet and the SecureTransport Data Management server on your enterprise network without writing it to disk in the DMZ. Once data reaches the back-end network, the SecureTransport Repository Encryption Module protects data on the server from unauthorized internal users or those with access to backups. Finally, the End-to-End Encryption Module provides asymmetric encryption to protect data at the client before it is sent, ensuring that only the receiving party can decrypt the data – protecting it in transit and while on servers.

Client-Server & Hub-and-Spoke

SecureTransport supports client-initiated connections to push or pull data from the server. It also supports a “Hub-and-Spokes” deployment, in which the “Hub” server connects to centrally administered “Spoke” servers (SecureTransport Partner Edition) for very secure and cost-effective server push capability.

[Figure: Valicert SecureTransport. Valicert Software Clients, Third Party Clients (ftp, secure ftp, http, http/s) and a Web Browser (http, http/s) connect through the firewall to the Secure Data Transfer Services and the Transaction Manager, which link to Enterprise Authentication and Back-End Applications.]

Key Components of Valicert SecureTransport™

Secure Data Transfer Services: Accept and process secure file transfer requests.

Transaction Manager: Server-side agent framework that triggers scripts on file transfer events, for integration of third-party functionality or back-end applications.

Web-Browser Client: Securely transfer files to the SecureTransport server without requiring client-side installation. Optional ActiveX control provides guaranteed delivery.

ValiCert Software Clients: Securely transfers files to and from the SecureTransport server, using advanced automation features such as batch upload and scheduling.

[Figure: SecureTransport Enterprise Edition, Secure DMZ deployment. Valicert Software Clients, Third Party Clients (ftp, secure ftp, http, http/s) and a Web Browser (http, http/s) connect through the outer firewall to the SecureTransport DMZ Security Application Proxy, which streams through the inner firewall to the SecureTransport Data Management Server (Secure Data Transfer Services, Enterprise Transaction Manager) with Enterprise Authentication and Back-End Applications.]

SecureTransport Server Family

Valicert’s SecureTransport product family includes a range of server offerings to suit varied customer needs.

Standard Edition Servers

Standard Edition servers provide secure data delivery with agent-based integration infrastructure and user-based licensing. Secure data transfer with guaranteed delivery and checkpoint/restart is supported over FTP, FTP/S, Secure FTP (RFC2228), HTTP, and HTTP/S protocols. Web browsers, all Valicert client software and a number of 3rd party clients can connect securely to Standard Edition Servers.

Customers can augment Standard Edition with a range of options, including:

■ Repository Encryption Module
■ Data Integration Suite
■ Forms Manager Suite

SecureTransport Enterprise Edition

The SecureTransport Enterprise Edition server has an unlimited user license and provides the built-in features that large enterprise customers demand, such as:

■ Repository encryption
■ EDI INT AS2 support
■ DMZ Security Application Proxy
■ Tracking and proof management
■ Role-based user management
■ Delegated user administration
■ Enterprise Transaction Manager & Rules Editor

In addition to all the protocols and clients supported by the Standard Edition, Enterprise Edition provides unique deployment modes to meet the higher security and flexibility needs of banks, financial networks, insurers and large enterprises.

Secure DMZ Streaming Deployment

The SecureTransport Enterprise Edition server provides a DMZ Security Application Proxy, which ensures greater security by streaming data between an Internet client and internal secure network. The data is securely transferred across the DMZ by SecureTransport’s application proxy without it ever being written to storage in the DMZ.

Hub-and-Spokes Deployment

SecureTransport Enterprise Edition provides a Partner Management Hub for centralized management of a distributed community of SecureTransport Partner Edition servers used in push-oriented data delivery and transaction processing. This is an ideal capability for trading communities and financial networks. This capability enables the Enterprise Edition server to initiate secure, guaranteed transfers of data from the Hub to the Partners and to accept incoming secure transfers from the Partner Edition servers. These bi-directional transfers over managed queues with exception monitoring can be initiated in real time or controlled by a scheduler.

The Partner stores data delivered by the Hub in a mailbox designated for a specific application or user and can trigger a pre-defined action, including notifications, data movement, or more complex processing with the Data Integration Suite.

Similarly, data delivered by a Partner to the Hub can be stored in a defined mailbox and trigger Transaction Manager rules for notifications or more complex processing.

SecureTransport Partner Edition

In concert with the Enterprise Edition Hub, SecureTransport Partner Edition can be deployed as a spoke of a distributed network. Built for simple and easy deployment, the Partner Edition is an ideal solution for environments requiring reliable and secure data delivery from a Hub without the high cost and burden of administering a full server at each Partner site.

The Partner Edition server provides a simple setup wizard to define its Hub connection, create user profiles, and select actions for incoming files. All of the security and protocol settings are predefined by the Enterprise Edition Hub and downloaded to the Partner on the first connection or following any updates. The Hub controls the connections, relieving the Partner from SecureTransport administration tasks.

Partner Edition servers support all of the protocols and clients supported by the other SecureTransport servers. They can be deployed as data gateways for internal access and data transfers with an Enterprise Edition Hub.

Partner Edition servers can be augmented with these optional modules:

■ Repository Encryption Module
■ Data Integration Suite for transforming incoming or outgoing data
■ Forms Manager Suite for secure form submission

Valicert SecureTransport™ Enterprise Edition: Secure DMZ Deployment

Key Components of Valicert SecureTransport™ Enterprise Edition

DMZ Security Application Proxy: Authenticates external connections, converts all supported protocols to a secure streaming connection to the Data Management server and examines all user commands for protocol conformance.

Secure Data Transfer: Supports all internal client connections and file transfers.

Enterprise Transaction Manager: Executes predefined or custom rules and agents for enterprise authentication, local data management and integration with back-end applications.

SecureTransport Clients

SecureTransport provides thin and thick clients for diverse needs and supports Web access with Microsoft Internet Explorer and Netscape Navigator in environments with no software clients.

Users of Web browsers can communicate with SecureTransport using HTTP or HTTP/S and navigate customized HTML screens tailored to a corporation’s user interface standard or the needs of a specific application. Full customization of the interface and the SSO capabilities of its authentication framework allow SecureTransport to be integrated into an enterprise portal.

Thin Client - ActiveX Control

Users of Internet Explorer benefit from the added reliability and efficiency provided by the SecureTransport ActiveX Control. It provides guaranteed delivery via data integrity checks, auto-restarts and checkpoint/restart for IE-initiated transfers within any customized interface or portal.

For simple distribution and management, this client can be downloaded and installed by the browser on the user’s first connection. Afterwards, any updated versions are automatically picked up by the browser and installed with one-click approval.

Platform-Specific Clients

Clients for Windows, UNIX, OS/390 (MVS), and AS/400 permit users to:

■ Securely transfer data over FTP/S or HTTP/S protocols, even through a firewall or HTTP Proxy server
■ Authenticate using userID/password or digital certificates
■ Reliably transfer files over unstable network connections or dial-up lines with guaranteed delivery

These clients also feature the platform-specific capabilities described below.

Windows GUI Client

The SecureTransport Client for Windows provides the full client functionality through an easy-to-use graphical interface. Users can select files and folders in a Windows Explorer-like view, then drag and drop file icons to transfer files or folders to and from the server. For strong authentication this client supports X.509 certificates, smartcards and Entrust Entelligence profiles.

This client also includes a multi-event scheduler that allows data transfer operations to be triggered automatically based on scheduled events. The same client functionality is available from the Windows command line interactively or for use in a script.

Command-Line Client for UNIX

The SecureTransport Client for UNIX is a command-line client that runs on Solaris, HP-UX, AIX and Linux. It provides the same core features and can be used interactively, incorporated into scripts, or used for automated, unattended transfers using the UNIX cron scheduler.

OS/390 (MVS) Client

The SecureTransport Client for OS/390 secures data transfer to and from mainframes in a reliable manner. It supports both binary and ASCII/EBCDIC file transfers over FTP/S and HTTP/S with SSL authentication and guaranteed delivery over internal IP networks or over the Internet.

The SecureTransport Client for OS/390 is a command-line client that runs on OS/390 release 2.4 or later and z/OS release 1.1. Like the UNIX command-line client, you can use the OS/390 client interactively under USS or TSO, or incorporate it into a script or a JCL job.

AS/400 Client

SecureTransport AS/400 client for IBM iSeries provides guaranteed data delivery and checkpoint/restart capabilities over FTP/S and HTTP/S protocols for users and applications. Designed to support standard firewall settings, this client provides easy-to-use access between AS/400-based users and applications, and SecureTransport servers.

Client Software Development Kit

The SecureTransport client-side Software Development Kit (SDK), available in C and Java, provides the same guaranteed delivery features and checkpoint/restart capabilities as Valicert’s other clients. It permits customers and application software vendors to:

■ Use SecureTransport APIs from their applications to reliably transfer data to and from SecureTransport
■ Build their own custom client for SecureTransport

Third Party Clients

In addition to Valicert’s client software, SecureTransport users can use 3rd party clients provided by platform vendors or ISVs, including standard FTP clients and secure FTP clients compliant with RFC2228.

[Figure: “Hub and Spoke” deployment. SecureTransport Enterprise Edition (Enterprise Transaction Manager, Secure Data Transfer Services, Partner Transfers Manager and Partner Community Manager, with Enterprise Authentication and Back-End Applications) connects to a SecureTransport Partner Edition that serves Partner Applications, Internal Clients and a Browser over HTTP/S.]

Key Components of Valicert SecureTransport™ “Hub and Spoke” Deployment

SecureTransport Partner Edition: Simple to deploy partner endpoint accepts Enterprise Edition-initiated connections and data transfers. Stores received data in application mailboxes and delivers to partner applications for final processing. Accepts client connections for data transfers back to the Enterprise Edition.

Partner Community Manager: Defines a distributed Partner community, their security and other settings, and provides central management of Partner profiles.

Partner Transfers Manager: Initiates and monitors transfers on Partner queues, handles exceptions, schedules regular partner and application-specific transfers.

Business Process Integration

Transaction Manager

A core requirement for application integration is the ability to connect data flows to and from external organizations with a set of predefined integration policies and actions.

SecureTransport’s Transaction Manager provides this capability to define, execute and manage transactions that link data exchange with back-end processing and applications.

Its foundation is an execution engine triggered by incoming and outgoing data transfer events, including:

■ Client connections to the server
■ File uploads & downloads
■ Incoming or outgoing transfers on Partner queues
■ Incoming or outgoing AS2 transfers
■ Scheduled events
■ Errors and exceptions

Transaction Manager provides two levels of capabilities:

■ Implicit transaction rules that trigger Active Agents based on core events
■ Explicit transaction rules defined in the Rules Editor with conditions and actions for more complex events and actions

Transactions Using Active Agents

Active Agents are server-side scripts that run when triggered by SecureTransport events to provide automation and simple enterprise application integration. Using the trigger events, one can insert custom processing at different times during a data transfer transaction. Active Agents can be used to:

■ Extend the authentication framework to support Single Sign-On or enterprise authentication solutions
■ Provide user notifications and operation alerts on user login, directory access, or file transfer
■ Transfer incoming data to a back-end application, repository or message queue for further processing
■ Notify back-end systems of data arrival or user requests to retrieve data
■ Perform local data management and archival on the server

Active Agents can be defined for the following events:

■ User login & logout
■ User credential presentation (USER & PASS commands or certificate presentation)
■ File upload and download, at the start and at the end of the transfer
■ Most FTP and HTTP commands

Enterprise Transaction Manager

Built to provide additional flexibility and scalability, the Enterprise Transaction Manager is based on a powerful rule-based parallel execution engine. It also provides a Web-based graphical rules editor, which allows users to construct the conditions and actions pertaining to particular events and data transfers.

The Rules Editor permits authorized users to access, import and edit rule packages and individual rules. Rule packages combine rules to define a complete easy-to-adapt business process specification or policy for acting on data transferred via SecureTransport.

Within the Rules Editor, the graphical rule definer constructs conditions and actions to be executed on these conditions. Conditions can be constructed using logical operators to combine pre-defined Transaction Manager events with external functions, which can access file data (e.g. to examine certain headers or tags) or lookup external values in a database or directory server. Actions can be constructed using external Active Agents and in-process Java Agents. The Enterprise Transaction Manager also supports rule chaining by allowing in-process Java Agents to trigger other rules for multi-step processing.
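An added Python sketch (not the Enterprise Transaction Manager's API) of the rule model described here and of the Active Agent trigger events listed above: each condition combines a transfer event with external functions that inspect file content or consult a partner directory, each action is an agent, and an in-process agent can fire a follow-on event so that other rules run. The event fields, the "ACH-HEADER" marker, the partner directory and the rule names are constructed.

```python
"""Rule-based transaction processing modelled on the Enterprise Transaction
Manager description. Added example: the event fields, rule syntax, header
marker and partner directory are constructed, not the product's own API."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, object]
Condition = Callable[[Event], bool]
Action = Callable[[Event, "TransactionManager"], None]

# Condition builders: transfer events, external functions, logical operators.
def event_is(kind: str) -> Condition:
    return lambda e: e.get("type") == kind

def name_ends_with(suffix: str) -> Condition:
    return lambda e: str(e.get("filename", "")).endswith(suffix)

def header_is(marker: str) -> Condition:
    # External function: examine the file data (its first line) for a header.
    return lambda e: str(e.get("content", "")).splitlines()[:1] == [marker]

PARTNER_DIRECTORY = {"bank-acme": "ACH", "bank-nova": "SWIFT"}  # constructed

def partner_flow_is(flow: str) -> Condition:
    # External function: look up the partner's configured flow in a directory.
    return lambda e: PARTNER_DIRECTORY.get(str(e.get("user"))) == flow

def all_of(*conds: Condition) -> Condition:
    return lambda e: all(c(e) for c in conds)

def not_(cond: Condition) -> Condition:
    return lambda e: not cond(e)

@dataclass
class Rule:
    name: str
    when: Condition
    actions: List[Action]

@dataclass
class TransactionManager:
    rules: List[Rule] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)  # record of agent actions
    max_depth: int = 8                              # guard against runaway chains
    _depth: int = 0

    def fire(self, event: Event) -> List[str]:
        """Run matching rules' agents; an agent may call fire() again to chain."""
        if self._depth >= self.max_depth:
            raise RuntimeError("rule chain too deep")
        self._depth += 1
        try:
            fired = []
            for rule in self.rules:
                if rule.when(event):
                    fired.append(rule.name)
                    for act in rule.actions:
                        act(event, self)
            return fired
        finally:
            self._depth -= 1

# Agents: notify records an alert; route_to_queue also chains a "queued" event.
def notify(channel: str) -> Action:
    return lambda e, tm: tm.audit.append(f"notify:{channel}:{e['filename']}")

def route_to_queue(queue: str) -> Action:
    def act(e: Event, tm: TransactionManager) -> None:
        tm.audit.append(f"queue:{queue}:{e['filename']}")
        tm.fire({"type": "queued", "queue": queue, "filename": e["filename"]})
    return act

def build_manager() -> TransactionManager:
    """Constructed rule package for inbound ACH files from partner banks."""
    return TransactionManager(rules=[
        Rule("ach-upload-complete",
             all_of(event_is("upload_end"), name_ends_with(".ach"),
                    header_is("ACH-HEADER"), partner_flow_is("ACH")),
             [route_to_queue("ach-inbound")]),
        Rule("bad-ach-header",
             all_of(event_is("upload_end"), name_ends_with(".ach"),
                    not_(header_is("ACH-HEADER"))),
             [notify("ops")]),
        Rule("queued-notify", event_is("queued"), [notify("back-office")]),
    ])
```

The depth guard matters once agents can trigger rules: without it, a rule package that routes a "queued" event back into a rule that queues again would loop indefinitely.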

Data Integration Suite

SecureTransport customers can add comprehensive data conversion and integration features to their secure data delivery environment by leveraging Valicert’s Data Integration Suite for SecureTransport. The Data Integration Suite removes a significant barrier to achieving increased automation and Straight Through Processing (STP) by enabling enterprises to connect to the multitude of different information systems of customers and business partners, without custom programming.

The Data Integration Suite supports a wide range of file formats, EDI and XML schemas, enterprise applications and databases. Format conversions and integration process flows are specified using an intuitive drag-and-drop design studio. These integration maps are executed by the SecureTransport Transaction Manager on file access and file transfer events.

SecureTransport’s business process integration capabilities open up new opportunities for cutting costs and streamlining business processes, at a fraction of the cost of other Enterprise Application Integration products.

Server Platforms

■ MS Windows
■ Sun Solaris
■ IBM AIX
■ HP-UX
■ Red Hat Linux

Supported Standards

Secure Data Transfer
■ HTTP, HTTP/S, FTP, FTP/S, Secure FTP (RFC2228)
■ EDIINT AS2
■ SSL v3, TLS v1
■ SNMP, LDAP, SMTP
■ 3DES, RC2, RC4, MD-5
■ X509 v3, MS CAPI, OCSP
■ PKCS7

Data Integration
■ XML, EDI X12, UN/EDIFACT
■ HL7, HIPAA
■ SWIFT
■ SQL, ODBC v2 and v3, OLE DB 2.0
■ SAP IDoc

SecureTransport Server Editions Table

Compares Standard Edition, Enterprise Edition and Partner Edition, marking each feature as built in (✓), Optional (add-on module) or absent per edition, across the following features:

Secure File Transfer
■ FTP, FTP/S, Secure FTP
■ HTTP, HTTP/S
■ EDI INT AS2

Guaranteed Delivery and Data Integrity

Authentication and Authorization
■ UserID/Password
■ Digital Certificates, Smartcards
■ LDAP
■ SSO Extensible
■ Class-based access control

User Management
■ Role-based
■ Delegated

Audit Trails and Tracking
■ Log Files
■ Signed MDN Receipts w/ Reporting

Data Protection and Encryption
■ Repository Encryption
■ DMZ Security Proxy
■ End-to-End Encryption

Transaction Manager
■ Active Agents
■ In-process Java Agents
■ Rules Editor

Data Integration Suite

SecureTransport Clients Table

Compares the following clients on Secure File Transfer, FTP, HTTP, Scheduling (built in or External), Guaranteed Delivery, PKI Authentication with standard X.509v3, and PKI Authentication with Entrust Entelligence™:

Client-side Interface
■ UNIX command line client
■ Windows GUI client
■ Windows command line client
■ OS/390 (MVS) client
■ AS/400 client
■ C SDK
■ Java SDK
■ Web browser
■ Microsoft IE browser on Windows w/ ActiveX Control

Third Party Clients
■ Native FTP
■ Secure FTP (RFC2228)
■ EDI INT AS2 products

Japan Headquarters
Valicert Japan KK, TT-1 Bldg. 11F, 1-14-8 Nihonbashi Ningyo-cho, Chuo-ku, Tokyo, Japan 103-0013
Tel +81 3 5651 0384, Fax +81 3 5651 0386

Europe Headquarters
Valicert BV, Arena Business Park, Olympia 1a/1b, 1213 NS Hilversum, The Netherlands
Tel +31 35 646 2616, Fax +31 35 646 2707

Worldwide Headquarters
Valicert, Inc., 1215 Terra Bella Avenue, Mountain View, CA 94043 USA
Tel +1 650 567 5400, Fax +1 650 969 3554
Toll Free in U.S. 1 877 VALICERT
www.valicert.com

© 2002 Valicert, Inc. All rights reserved. Valicert and the Valicert logo are registered trademarks of Valicert, Inc. All other company and product names are trademarks or registered trademarks of their respective owners. 8/02
