This Is Not The .exe You Are Looking For Xcom

The XCOM file transfer protocol allows partners to transfer files securely and reliably over the internet. PGP is used to provide encryption of data between partners, and digital signing assures the identity of each partner.

This document defines Westpac's XCOM file transfer protocol. The intended audience of this document is:

Ensure you have the correct version of XCOM. If you are installing XCOM on a server you need the server edition of XCOM. If you are installing it on a desktop you need the professional edition. XCOM must be installed via the console or terminal services using the console switch i.e. XCOM will not install via a. Seems if you hack the exe you can get at least the demo working. Not sure of the details, but if one file name needs changing in the exe, it shows how 2K/Fireaxis must have done a deal with Microsoft to use the Win 7 filename to hopefully get people to upgrade.

For
  • Server administrators who wish to use the provided command line scripts, and
  • Software developers who wish to implement this messaging protocol in their software.

All files transferred must be encrypted and digitally signed between Westpac and the customer's site. This serves two purposes; the first is to ensure that the data cannot be viewed by unauthorised sources. The second is to provide non-repudiation. Through the user of public/private keys, data can be digitally signed, by signing the file both Westpac and the customer can be assured that the data originated from a known source and it has not been tampered with.

To set up the XCOM transfer the customer will:

  • Provide Westpac with the PGP public key used to verify the digital signature of the data file that is transferred between the customer and Westpac. Banking policy mandates that any file written to a hard drive in an untrusted zone (a server connected to an external network) must be PGP encrypted and digitally signed.
  • Provide a username and password for Westpac to log onto the customerr XCOM server if Westpac is required to push files back to the customer.

In return Westpac will:

  1. Provide a username and password to log onto Westpac's XCOM server.
  2. Provide the customer with Westpac's PGP public key. This would be used by the customer to encrypt a file that is sent to Westpac (this customer signs the file with their private key.)
  3. Agree with the customer on the file naming convention and directory paths.

To push a file to Westpac the sending site carries out the following steps:

  1. Encrypts the data using Westpac's public key and signs the encrypted data with it's private key. To ensure the data does not get corrupted, when messages are encrypted they must be ASCII armoured.
  2. The file is then given to the XCOM client for transmission. XCOM connects to the remote computer using the username/password that Westpac provided.
  3. Once it is connected, the file is transferred to the Westpac XCOM server into the agreed directory.
  4. Westpac detects the arrival of the file. The digital signature is checked against the customers previously supplied PGP public key. Once the security aspects of the file have been verified, it is then processed.
  5. Once the file has been processed, it will be deleted from the incoming directory on Westpac's XCOM server.

For Westpac to push a file to the customer the following steps are carried out:

  1. Westpac encrypts the data using the customer's public key and signs the encrypted data with it's private key. To ensure that data does not get corrupted, when messages are encrypted they must be ASCII armoured.
  2. The file is then given to the XCOM client for transmission. Westpac's XCOM server connects to the remote computer using the username/password that the customer provided.
  3. Once it is connected the file is transferred to the customer's XCOM server into the agreed directory.
  4. The customer detects the arrival of the file. The digital signature is checked against Westpac's previously supplied PGP public key. If this matches then the file is decrypted using the customer's private PGP key.
  5. Once the security aspects of the file has been verified, it is then preocessed.

To poll a file from Westpac the polling site carries out the following steps:

  1. Westpac encrypts the file using the customer's public key, ASCII armours it and signs it with Westpac's private key and deposits it in a customer directory ready to be picked up.
  2. The customer's XCOM client connects to the remote computer using the username/password that Westpac provided.
  3. Once the customer connects, the customer performs a 'Retrieve' to fetch the file based on the agreed file naming convention.
  4. Once the customer has fetched the file back to their site they should check the digital signature and compare is against the Westpac's previously supplied PGP key. If this matches then the file is decrypted using the customer's private PGP key.
  5. Once the security aspects of the file have been verified, it is then processed.
  6. Westpac will keep the file on its XCOM server for 30 days. After 30 days, Westpac will automatically delete the file.

File names can be of any format as long as they do contain only standard ASCII characters that are valid for file names. Do not include spaces.

The destination directories of both Westpac and the customer sites must be agreed before transfer can take place.

Transport mechanism

XCOM will function on a variety of platforms and IP based networks. This includes the Internet, Frame Rely and ISDN. Before you will be able to access Westpac's XCOM server you must provide the IP address of your server running your XCOM client.

Westpac will then modify its firewall to allow your server access to Westpac's XCOM server on port 8044. The customer may also need to engage their own network support staff to allow their XCOM client to connect on port 8044.

Addresses

Test

  • To transmit to Westpac via the Internet you must configure XCOM to send to ssiw.support.qvalent.com (203.39.159.31) on port 8044.
  • To transmit to Westpac via a dedicated leased line (Frame relay, ISDN, dial or Ethernet) you must configure XCOM to send to 10.168.252.4 or port 8044.

Production

  • To transmit to Westpac via the Internet you must configure XCOM to send to ssiw.qvalent.com (192.170.86.151) on port 8044.
  • To transmit to Westpac via a dedicated leased line (Frame relay, ISDN, dial or Ethernet) you must configure XCOM to send to 10.120.16.32 or port 8044.
  1. Qvalent implementation consultant creates an iLink test account for the customer's technical contact.
  2. Customer contact completes iLink connectivity form in test iLink.
  3. Qvalent implementation consultant arranges configuration of the test iLink XCOM server.
  4. Customer configures 3rd party software.
  5. Customer codes XCOM scripts.
  6. Customer undertakes testing in the test environment.
  7. Once customer is satisfied that testing is complete a sign off email is required to progress into production.
  8. Qvalent implementation consultant creates an iLink production account for the customer's technical contact.
  9. Customer contact completes iLink connectivity form in production iLink.
  10. Qvalent implementation consultant arranges configuration of the production iLink XCOM server. 11.Customer tests the XCOM connection in the live environment.
  11. Once this testing is successful customers can perform low value live testing of the other Westpac products that are being implemented.

In the early stages of your Westpac project you will be asked to provide the contact details of the IT person who will be responsible for setting up your XOM connection.

Once these details are received you will be provided with an iLink login to enter your IP addresses and public keys.

The iLink connectivity process has the following steps:

  1. The Qvalent implementation consultant will provide the user's technical contact with a login to the iLink test instance.
  2. Fill in the setup connectivity form and submit
  3. The iLink connectivity team will receive a notification when the form is completed and will configure the iLink XCOM server with the new details. Please allow up to 3 working days for this configuration.
  4. Once this configuration is complete a notification will be sent and the user will need to configure the connection details provided on the updated connectivity page.
  5. User to send in a test file to test the XCOM connection and PGP encryption. Once this is confirmed the use can also undertake any user acceptance testing relative to their implementation.
  6. Once the Qvalent implementation consultant has received confirmation that all relevant testing has been completed steps 1 - 5 will need to be repeated in the production environment.

iLink URLs

  • Test - https://ilink.support.qvalent.com
  • Production - https://ilink.westpac.com.au

Setup connectivity form

To setup your connectivity, click the Connectivity menu option at the top of the screen, then click the Setup connectivity button. The Setup connectivity page will be displayed where you can enter the following details:

  • PGP key - Before files are sent via XCOM they are encrypted, the user's PGP public key is required to decrypt these files before processing them in the iLink messaging server.
  • Your XCOM server details - The fields in this section are the details that iLink uses when connecting to the user's XCOM server to place files. The login provided for this connection will need to have privileges to write to the directory provided.
  • IP addresses - The iLink solution has a white list of IP addresses accepted for each user. Users need to provide the IP address or addresses that their incoming requests will be coming from, this is the external IP address taking into account any proxy servers or other externally facing network infrastructure. This can be found by logging on to iLink on your XCOM server and taking the browser address shown in the IP addresses section of the connectivity form.

Once the iLink server configuration is complete the user will receive an email notifying them that they can begin testing. The user will then be able to see the iLink server details on the Connectivity details page.

  • Westpac's key - This is the public PGP key that you will need to use to decrypt the files you receive from iLink.
  • Your key - You can use these fields during testing to confirm which key you have loaded into iLink
  • Westpac's XCOM server details - This section contains the XCOM username and password to enter to connect to the iLink XCOM server and the directory for placing customer iLink files.
  • Your XCOM server details - This section contains the XCOM username and password for iLink to connect to your server and the directory for placing iLink customer files.

Software required

SoftwareDescription
CA-XCOM Unicenter Data Transport (version R11).This is a commercial file transfer product created by Computer Associates (CA). Westpac will provide a copy to the customer.
PGP GNUPG (version 2.1.x).GnuPG. This is a public domain PGP server that may be used free of charge. Obtaining of this product is the responsibility of the customer; however Westpac is able to provide technical assistance to support this. Gpg4win is the Windows binary containing GnuPG.

Installing Gpg4win

Step 1: Run the installer and select your language.

Step 2: Select Next.

Step 3: Choose only the components: GnuPG, Kleopatra, GpgOL, GpgEX.

Step 4: Choose the install directory.

Click Install and follow the prompts.

Installing Unicenter CA-XCOM Data Transport (version R11)

Artefacts

This Is Not The .exe You Are Looking For Xcom

Advantage CA-XCOM Unicenter Data Transport (version R11) installation CD.

System requirements

Required OS for windows install:

  • Windows 2003 Server.

Note: XCOM R11 will not install on a domain controller.

Install Notes

Ensure you have the correct version of XCOM. If you are installing XCOM on a server you need the server edition of XCOM. If you are installing it on a desktop you need the professional edition.

XCOM must be installed via the console or terminal services using the console switch i.e. mstsc /console <server.rdp>. XCOM will not install via a standard terminal server window.

Steps

Step 1: Insert the Advantage CA-XCOM installation CD into the machine's CD-ROM drive. If the installation process does not start automatically, start it by running the 'setup.exe' executable in the root directory of the CD.

Step 2: Click 'Next'

Step 3: Click 'Yes'

Step 4: Click 'Next'.

Step 5: Ensure the 'Anyone who uses this computer (all users)' radio button is selected, and click 'Next'.

Step 6: Set the XCOM installation directory by clicking the 'Browse' button. The recommended installation directory for Unicenter CA-XCOM is 'D:xcomnt'. If a different installation directory is chosen then record it for later use. Once the installation directory has been set, click 'Next'.

Step 7: Select 'Custom' and click 'Next'.

Step 8: Un-check the 'CA-XCOM SNA' checkbox and click 'Next'.

Step 9: Click 'Next'.

Step 10: When the installation is complete, select the 'No, I will restart my computer later' radio button and click 'Finish'.

Step 11: Using the Windows Services configuration window, change the 'XCOMD Unicenter CAXCOM Scheduler Service' service to 'Automatic' start-up type.

Step 12: Restart the machine.

Verification

Check that the 'XCOMD Unicenter CA-XCOM Scheduler Service' exists in the list of system services, and is 'Started'.

CA-XCOM R11 Application configuration

  1. From the root directory of the CA-XCOM application installation, open the file configxcom.glb in Notepad, (or your preferred text editor)
  2. Set the value for the property EXPIRATION_TIME= to 600 instead of the default 6000
  3. A batch file can be set up to run upon XCOM successfully receiving a file. Set the value for the property XPPCMD= to the name of the batch file to be run (full path required).
  4. Set the value for the property XCOM_USERID= to the empty string (ie. Nothing).
  5. Save and close the file.
  6. Restart the 'XCOMD Unicenter CA-XCOM Scheduler Service' Windows service.
  7. To obtain external access to the XCOM Client, a Windows User will need to be added to the Windows Operating System, as per details required by the external system, which the XCOM Client will be used to communicate with. This will be the XCOM username/password logon details used by external systems to communicate with your XCOM client.

Security permissions

In order for Westpac to send a file to your XCOM server you must provide Westpac with an account and password. This is a system level account i.e. Windows or Unix account.

The account must have enough privileges to do the following:

  1. Write to the directory where you installed XCOM. This is required to place the incoming data on the XCOM queue.
  2. Write to the directory where you require the incoming file to be placed. This is the directory where Westpac will tell XCOM to write the file.

Testing the XCOM connection

The next step is to test the connectivity between your XCOM client and Westpac. Before doing this please confirm the following:

  1. You have provided your server's IP address and Westpac has confirmed that it has allowed that address through its firewall on port 8044.
  2. You have allowed your server to communicate on port 8044 through your own firewalls.
  3. You have provided your PGP public key to Westpac.
  4. Westpac has provided you with their PGP public key.
  5. Westpac has provided you with an XCOM username and password.

To test the connection via the Internet or leased line

To first check that you have connectivity try the following from your XCOM client:

  1. Open a command prompt (cmd.exe)
  2. Depending on your network path try the following telnet command:
    1. Via Internet try: telnet ssiw.qvalent.com 8044
    2. Via Leased line try: telnet 10.120.16.32 8044

If you get a connection the screen should look like:

If the screen looks like:

Then you can not establish a connection so consult with your network personnel. This could mean one of a couple of things. If you are connecting to the TEST environment (ssiw.support.qvalent.com) then it could mean that you have not opened your firewall for outbound connections. Westpac has no firewall restrictions on connections from the internet to its test environment.

If you are connecting to production, then you must provide Westpac with your production IP address as you must open your own firewall and Westpac need to open there's as well. The IP address must be provided 5 days in advance before the go live date.

To send a test transmission use a command similar to:

Note: If your XCOM server is in a windows domain then please refer to FAQ section.

An example XCOM transfer is similar to:

GnuPG RSA public/private key generation

Once GnuPG has been installed you need to generate a public key and private key. You will give the public key to partners you will exchange files with.

Both keys will be kept in your private and public key rings. Your private key ring will only contain your private key. Your public key ring will contain your own public key nad the public keys of any other business partners (such as Westpac) who will provide your with their public key.

The steps are:

  1. Create the Key Pair.
  2. Export your Public Key.
  3. Import Westpac's Private Key.

Step 1: Create the Key Pair

This Is Not The .exe You Are Looking For Xcom

The first step is to create:

  1. Your key rings.
  2. Your own public/private key pair.

Log onto the server that you installed GnuPG and change to the GnuPG installation directory.

Enter the following command:

Note that the pubring and secring are stored in the following locations. GPG2 knows these locations via the registry.

To specify a different location of the key rings, use the ``--homedir` parameter. Please make sure these files will not be removed/deleted.

Step 2 - Export your public key

Once the public and private keys are generated you need to export your public key and provide it to Westpac (or any other business partner you will be exchanging PGP encrypted data with).

From the command prompt, navigate to the GnuPG folder.

Issue the command

To check if a PGP public key was generated

This Is Not The .exe You Are Looking For Xcom Online

The output of these commands should be similar to:

Upload this file using the iLink Connectivity Setup.

To check the fingerprint of your public key

The output should be similar to:

The above fingerprint is 3230 E29F BA96 23D3 DA57 1D9E 204A B8F7 A28F 9F1C.

Step 3 - Import Westpac's public key

Westpac will provide you with their public key to import into your public key ring. This is Qvalent's public key. This is a 2-step process. You firstly import the key then you digitally sign it to indicate that you trust the key.

To import the Qvalent public key

To verify the key was added to the keystore correctly, list the public keys in the public keyring

The output from the above two steps should be similar to:

In Production, the Qvalent Production Key is 17155x01.

The Qvalent public key needs to be validated (assuming the imported key id was imported_key).

Validate the key

You should receive some text on screen and them a prompt that looks like:

Command>

At the Command> prompt within gpg2, type the following

sign

You should verify at this step that the Qvalent key is valid and that the key you are signing with is the key generated in the previous section. If you are confident of this, enter Y to sign the key.

Enter the passphrase of the keys generated in the Step 1.

Gpg2 will then take you back to the Command> prompt once completed.

This Is Not The .exe You Are Looking For Xcom

At the Command> prompt press q to quit.

When asked to confirm the changes, press Y.

The output from these steps should be similar to:

Decrypt a file using GnuPG

Decrypt an incoming file

Enter password for private key.

Decrypt an incoming file in a batch-type environment

An example of a batch file to do this would consist of:

where password.txt contains your PGP private key password and is piped into the gpg2 command.

The output when this batch file is executed would be:

Encrypt, sign and ASCII armour a file

Encrypt (and sign) data to send to Westpac (assume recipient key id is imported_Westpac_key, and your local key-pair id is local_key).

To encrypt and sign a file

Enter password for private key.

Encrypt an outgoing file in a batch-type environment

An example of a batch file to do this would consist of:

This Is Not The .exe You Are Looking For Xcom 2

where password.txt contains your PGP private key password and is piped into the gpg2 command.

The output when this batch file is executed would be similar to:

the <file_to_retrieve> will be nasProductionXcomRetrieve<CustomerDir><filename> i.e. nasProductionXcomRetrieveAcmeRecall20080815.txt.asc

An example command file that gets executed by the XCOM client when it receives a file:

From a batch file you should always check the error level after the xcom call to ensure that the transfer was successful. Sample pseudo code for the batch file would be:

Common XCOM error messages

If the XCOM error message looks like:

This means that your XCOM client could not obtain a connection to the external XCOM client. This will be due to either a network issue, or the external system's XCOM client service not running.

If the XCOM error message looks like:

This means that when Westpac sends you a file the batch job you has specified in the <xcom install directory>Configxcom.glb i.e.

XPPCMD=e:FileTransferReceivedNewXComFile.bat

is failing to execute correctly and terminating abnormally. To debug the issue edit the xcom.glb file and change:

  1. SHELL_CMD='cmd.exe' '/c' To SHELL_CMD='cmd.exe' '/k'
  2. Restart the XCOM service

This will cause the DOS box to stay on the screen when the batch file runs when a file is received. Log into the server using the console and you will be able to see what is causing the error in your batch file. When it is fixed ensure that you set SHELL_CMD back to the /c switch to prevent the dialog boxes staying on the console.

XCOM will not install via terminal services

Please see section Install Notes.

What Platforms is XCOM available for?

Please consult the following link: http://supportconnectw.ca.com/public/xcom/infodocs/ca-xcom_verschart.asp

XCOM User Account / Windows Domains

When you create an XCOM user account under Windows NT it must be a local user on the server XCOM is installed and not a domain user account.

It is also advisable that you create an 'XCOM User Group' and place this user into this group. For NT2000 and NT2003, ensure that the 'XCOM User Group' has sufficient privileges to read & write files and execute scripts on the disk(s) where XCOM is installed or files will be accessed (such as the batch file that is called when a file is received).

This is not the .exe you are looking for xcom free

Try logging into the server using the just created XCOM user to ensure that there was no typo's with the username or password.

If you are using NT2003, ensure that the 'XCOM User Group' has the security rights to 'Access this computer from the network'.

If your xcom server is in a windows domain you must use the command line parameter

DOMAIN= (blank space following equals sign) when sending to Westpac i.e.

If you do not use this you will receive an 'error setting the remote user id' from Westpac as your xcom server will be passing its domain name with its user name and Westpac will reject it.

GPG2 questions

When I decrypt a file with GPG2 I get the following WARNING:

This is a compatibility issue between GPG2 and eBusiness server and can be ignored. The important line to note is 'Good signature from 17155x01' This tells you that the file has not been tampered with.

When I encrypt a file using GPG2 I receive the following WARNING even though I have imported Westpac's key and signed it:

Try setting the trust level on the key using the command:

Set the trust level to ultimate.

When I encrypt a file using a batch program with GPG2 and the file already exists the batch job stops and prompts me to about replacing the file:

Try using the parameter --yes on your GPG2 encrypt / decrypt command line. This will automatically answer 'Yes' for most questions GPG2 prompts for i.e.

I'm having trouble connecting to Westpac's test or production environments, what should I try?

Refer to Testing the XCOM Connection.

Can a file be encrypted with more than one public key?

Yes! Westpac always encrypts files that it is sending to customers with both the customers public key and Westpac's public key. This allows a customer that is having difficulty decrypting a file (it may have become corrupted in transit) to send it back to Westpac to test decrypting it.

How can a file be encrypted with more that one public key? Doesn't this make the file twice as big?

This Is Not The .exe You Are Looking For Xcom Video

No.

When GPG2 encrypts a file it generates a random session key and uses this random key to do the actual encryption. It then encrypts this session key with the recipient's public key and appends this data to the encrypted file. As Westpac always encrypts an outbound file with its own public key, the session key is also encrypted with Westpac's public key and this data is also added to the encrypted file.

This Is Not The .exe You Are Looking For Xcom For Free

So encrypting with additional public keys only makes the file slightly larger. By doing this either the recipient or Westpac can use their private key to decrypt the session key which inturn is used to decrypt the file.

This Is Not The .exe You Are Looking For Xcom Youtube

When I receive an encrypted file how do I know what public key(s) it has been encrypted with?'

Use the following gpg2 command: