Thank you for choosing the mendelson opensource OFTP2 software for your OFTP2 data transmission.
This OFTP2 implementation supports encryption, digital signatures, TLS and secure session authentication. It does
NOT work with any OFTP 1.x partner station (not even with OFTP 1.x partner stations using TCP/IP);
OFTP2 is required.
A Java 1.7 (or higher) compatible JVM platform like Windows, Linux, Solaris or Mac OS X.
64 bit systems are also supported; just use a 64 bit JVM. 32 bit JVMs will also run on 64 bit systems.
Your system must be reachable from the internet; please open port 3305 or 6619 in your
firewall (the ports can be configured, see below). Besides the inbound access for others,
your system must have outbound access to the internet.
A valid Odette Id (only for productive data exchange; from a technical perspective this product supports any id).
This Odette id can be obtained from Odette; please refer to
https://forum.odette.org/service/oscar/oscar-explained for further information.
A key/certificate: you can buy one or work with self-signed certificates. Please
remember that you have to ask your partners whether they accept self-signed certificates. If they don't
accept them, ask them for the list of CAs they support.
There is a whitepaper called "ODETTE Recommendation - OFTP2 Certificate policy" which might be worth
reading: http://www.odette.org/TSL/POL_OFTP2.txt
Hardware:
* A computer that is up to date - this product encrypts/signs data, which can require some processing time.
* About 4GB RAM
* About 80GB hard disk space
On Windows just double click the installer and follow the instructions. Afterwards start the application. The
installation works out of the box.
Any other OS: Unpack the zip, install a Java VM >= 1.7, patch the JVM with Oracle's "Unlimited Strength
Jurisdiction Policy Files" (can be downloaded from the Oracle Java download page), edit the start script (if required, depending
on your OS) and start the application. The installation for non-Windows OS is not out of the box, but it is
possible to set it up in a short time.
* Create a backup of your installation
* Delete the content of the existing jlib directories
* Unpack the zip into the installation directory or execute the installer (Windows). Do not overwrite the files that
contain your personal data like certificates.p12, certificates_ssl.p12 and the notification templates
* Start the OFTP2 server - it will run an update routine for the underlying database structure, and that's it. If additional
steps are required for the update process, the system will inform you.
* If the update fails please contact us.
* Whenever something unexpected occurs during this update procedure, just restore the directory from your backup -
this will bring the server back to exactly the old state.
The mendelson OFTP2 solution supports encryption, digital signature, compression, TLS and secure session authentication.
Before communicating to your trading partners please ensure the following things as mentioned before:
You must have a key/certificate to sign your outbound messages and decrypt inbound messages. The key
may be self-signed if your partner accepts this. If not, you can get keys trusted by the
mendelson CA (http://ca.mendelson-e-c.com). Please ask your partner first whether they accept keys
that are trusted by this CA.
This open source version does not contain a graphical key/certificate manager; please
use 3rd party tools for that purpose. Download links can be found at http://community.mendelson-e-c.com/links.
Even though we think that the user interface of the mendelson opensource OFTP2 server is fairly easy to use,
it is recommended to be familiar with basic security mechanisms like PKI. Basic knowledge of
security will help you set up the system and will help you with basic topics like how to get a key
or how to work with certificates and certificate authorities.
If you require more information about the key/certificate/CA theme please have a look at the following links:
http://en.wikipedia.org/wiki/Public_key_infrastructure
http://en.wikipedia.org/wiki/Public_key
http://en.wikipedia.org/wiki/Digital_signature
http://en.wikipedia.org/wiki/Certificate_authority
There are some communication parameters that are not negotiable at the protocol level for OFTP2 connections,
for example secure authentication. Please clarify all communication parameters with your partner.
There is one local station in the partner configuration; that is you. Your trading partners need to be set up
as remote partners. Please ask your trading partners for their communication parameters and enter them into the
partner management. On the other side, please determine your own communication parameters and send them to your
partner.
The OFTP2 server listens by default on the ports 3305 (no SSL) and 6619 (SSL). To listen on different ports/adapters please
navigate to the "Preferences" and set up the new ports in the section "Inbound ports".
Each partner has an outbox directory. Put your files in there; they will be picked up and sent to the partner. For test purposes
you can also send files manually using the client (File-Send).
To use your own certificates and keys please navigate to the certificate manager of the product (File-Certificates). The
certificate manager supports:
* Key import (from PEM, PKCS#12)
* Certificate and certificate chain import from your partner (.p7b, PEM, .cer),
works with additional optional certificate BASE64 encoding
* Certificate and certificate chain export for your partner (.p7b, .cer, PEM)
* Key export (for backup purposes, PKCS#12)
* Self-signed key generation + integrated possibility to have a self-signed key trusted by the mendelson CA
* Key and certificate handling (rename, delete, set alias, ..)
It might confuse you that you receive files from your partner without receiving an inbound connection from them,
just by establishing an outbound connection. OFTP2 is a push/pull protocol; you can receive files on
outbound connections.
* 3305 OFTP port (can be changed: "Preferences-Inbound ports")
* 6619 OFTP SSL port (can be changed: "Preferences-Inbound ports")
* 3333 Internal DB port
* 1235 Client/Server port
Please keep in mind to open the firewall for the inbound ports 3305 and/or 6619.
This is the usage to start the mendelson OFTP2 server:
java de.mendelson.comm.oftp2.OFTP2 <options>
Options are:
-lang <string>: Language to use for the server, non-persistent. Possible values are "en" and "de".
The SSL certificates are stored in the keystore "certificate_ssl.p12". There must be only a single
key in the keystore (this is the SSL key your server hosts) plus the certificates of all your partners.
If you change the SSL key in your SSL keystore you must restart the OFTP2 server. To connect to partners
using SSL please check the "Connect using SSL" checkbox in the partner manager and set the receiver's port
to 6619 or the port on which your trading partner's OFTP2 system listens for inbound SSL connections.
To debug the SSL handshake please start the server with the Java option "-Djavax.net.debug=all" (a start using a
start script is required, as this is a parameter for the java command).
Each partner is assigned to a poll thread for a directory and a virtual filename. You can add additional
poll threads that are assigned to user defined virtual filenames per partner. The poll interval can be configured,
and ignore patterns are supported. You can start a user defined command per partner after a file has been sent
(with/without error). Please don't let the system poll a directory once a second or similar - this will
slow down the system.
Every partner can have user defined virtual filename processing. Each file with a specified virtual filename
will be written to a specified directory. This can be defined in the partner management.
For a powerful integration into your process flow you can start a user defined command per partner after
a file has been received - either on failure or on success. These user defined commands have access to several
parameters of the transmission - please have a look at the user interface (partner management-events) for
more information.
You can set up external mail account credentials - the mendelson opensource OFTP2 server will send mails
for several events, which can be configured, too.
These events are:
* certificate messages arrive
* transmissions failed
* certificates are about to expire/have expired
If you enable the certificate expiry notification you will be informed 10, 5 and 1 day(s) before the certificate
expires. If it isn't your certificate but a partner certificate this is mostly not that interesting -
anyway you should monitor this issue.
Please keep in mind that the main OFTP2 security mechanisms like encryption and signatures do not work if you
use expired certificates.
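As an added illustration of the 10/5/1 day warning schedule and of why an expired certificate matters, the following Python script (not part of the mendelson product) classifies a constructed list of local and partner certificates; the dictionary fields and the actions are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Days before expiry at which the server notifies (10, 5 and 1 day), nearest threshold first.
WARN_DAYS = (1, 5, 10)

def expiry_state(not_after, now):
    """Classify a certificate as 'expired', 'warn-N' (nearest threshold reached) or 'ok'."""
    if now >= not_after:
        return "expired"
    days_left = (not_after - now).total_seconds() / 86400
    for threshold in WARN_DAYS:
        if days_left <= threshold:
            return "warn-%d" % threshold
    return "ok"

def review_certificates(certs, now):
    """Return (alias, state, action) for every certificate that needs attention.

    certs: list of dicts with 'alias', 'owner' ('local' or 'partner') and 'not_after'
    (timezone-aware datetime), i.e. what the certificate manager lists. Hypothetical layout.
    """
    findings = []
    for cert in certs:
        state = expiry_state(cert["not_after"], now)
        if state == "ok":
            continue
        own = cert["owner"] == "local"
        if state == "expired":
            # With an expired own key neither signing nor decryption works, and an expired
            # partner certificate breaks encryption and signature verification towards them.
            action = "renew now" if own else "ask partner for a new certificate"
        else:
            action = "schedule renewal" if own else "remind partner"
        findings.append((cert["alias"], state, action))
    return findings

# Constructed sample data (no real certificates) to exercise the checks offline.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"alias": "my-signing-key", "owner": "local",   "not_after": NOW + timedelta(days=4)},
    {"alias": "partner-a",      "owner": "partner", "not_after": NOW - timedelta(days=2)},
    {"alias": "partner-b",      "owner": "partner", "not_after": NOW + timedelta(days=90)},
]

if __name__ == "__main__":
    for finding in review_certificates(SAMPLE_CERTS, NOW):
        print(*finding)
```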
The mendelson OFTP2 server supports full OFTP2 routing and message sending to partners who are
accessible via an OFTP2 gateway partner.
If you would like to send data to a partner that is accessible via a gateway partner, just configure
this in the partner management - tab "send". The mendelson opensource OFTP2 server will connect to the gateway partner
and tell it that the destination of the data is a routed partner. Please be aware that every partner
you are sending data to and receiving data from must be available - and well configured - in your
partner management. The partner icon indicates whether you will connect directly to a partner or connect to it via
another partner.
Besides the physical routing where you send routed data to another system, you can also create a virtual routing
by adding local identities to your local station. In this case your partner will see these identities as routed
partners, but you will receive them on your instance - you can also send data using another identity.
Technically speaking:
This allows sending data with a different SFIDORIG and SSIDCOD from a single instance, and it also allows receiving
data with a different SFIDDEST and SSIDCOD in a single instance.
There is no limitation on the number of routed partners in this version.
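To make the physical and virtual routing rules above concrete, here is an added Python model (not the product's own code or configuration format) of a partner table with one direct partner, one partner behind a gateway, and an extra local identity; it resolves whom to connect to, which id is the remote SSIDCOD and which stays the SFIDDEST, and rejects the configuration gaps the text warns about. All Odette ids, hosts and field names are constructed.

```python
# Constructed partner configuration modelled on the partner management described above.
# Field names are hypothetical; this is not the product's own configuration format.
LOCAL_STATION = {
    "ssid": "O0013MYSTATION",                         # constructed Odette id of this installation
    "identities": ["O0013MYSTATION", "O0013PLANT2"],  # additional local ids = virtual routing
}
PARTNERS = {
    "O0013DIRECT":  {"host": "direct.example",  "port": 6619, "via": None},            # reached directly
    "O0013ROUTED":  {"host": None,              "port": None, "via": "O0013GATEWAY"},  # behind a gateway
    "O0013GATEWAY": {"host": "gateway.example", "port": 6619, "via": None},
}

def plan_outbound(dest, origin=None, partners=PARTNERS, local=LOCAL_STATION):
    """Resolve where to connect and which ids go into the session (SSID) and file (SFID) headers.

    The session is opened with the gateway (its id is the remote SSIDCOD) while the file
    header keeps the final partner as SFIDDEST. Raises ValueError for a destination or
    gateway that is missing from the partner management, or an origin that is not local.
    """
    origin = origin or local["ssid"]
    if origin not in local["identities"]:
        raise ValueError("SFIDORIG %s is not an identity of the local station" % origin)
    if dest not in partners:
        raise ValueError("destination %s is not configured in the partner management" % dest)
    session_peer = dest
    for _ in range(len(partners)):            # bounded walk: a longer chain means a loop
        via = partners[session_peer]["via"]
        if via is None:
            break
        if via not in partners:
            raise ValueError("gateway %s is not configured in the partner management" % via)
        session_peer = via
    else:
        raise ValueError("routing loop in partner configuration")
    peer = partners[session_peer]
    return {
        "connect_to": (peer["host"], peer["port"]),
        "ssidcod_remote": session_peer,       # the station that answers the session
        "sfidorig": origin,                   # sending identity, may be a virtual local id
        "sfiddest": dest,                     # final destination, unchanged when routed
        "routed": session_peer != dest,
    }

def inbound_is_local(sfiddest, local=LOCAL_STATION):
    """A received file addressed to any local identity is delivered on this instance."""
    return sfiddest in local["identities"]
```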
This product supports the certificate exchange messages DELIVER, REPLACE and REQUEST as defined in the
OFTP2 implementation guide. Please remember that this functionality goes beyond the OFTP2 protocol definition
of RFC5024. Certificate exchange messages are not signed and encrypted. Because of this we recommend
exchanging them over SSL connections.
Using the menu "file-certificate exchange" you can send certificates to your partners. Please don't
forget to set up the mail notification in this case - you will be informed about every certificate message
that arrives.
Before enabling certificates you received by certificate exchange messages in the product, please check the
key values of the certificate to see if you should really trust it. If you are not sure whether you should trust
a certificate please contact your trading partner and compare the fingerprints of the keys/certificates.
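For the fingerprint comparison recommended above, this added Python helper (not part of the mendelson product) reads the DER bytes out of a PEM/BASE64 certificate file as exchanged with a partner, prints the colon-separated SHA-256 fingerprint, and compares it with the value the partner confirmed out of band, tolerating the different case and separators that certificate tools use. The sample PEM is constructed from arbitrary bytes, not a real certificate.

```python
import base64
import hashlib
import re

def pem_to_der(pem_text):
    """Extract the DER bytes from a PEM (BASE64) encoded certificate."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))

def fingerprint(der_bytes, algorithm="sha256"):
    """Colon-separated upper-case fingerprint, as most certificate tools display it."""
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprints_match(shown, confirmed):
    """Compare the fingerprint shown locally with the one the partner confirmed.

    Case and separators differ between tools, so both are normalised to bare hex first;
    an empty value never matches, so a missing confirmation cannot pass the check.
    """
    normalise = lambda s: re.sub(r"[^0-9A-F]", "", s.upper())
    return len(normalise(shown)) > 0 and normalise(shown) == normalise(confirmed)

# Constructed sample: the body is NOT a real certificate, just base64 of arbitrary bytes,
# split over two lines like a real PEM file, so the parsing and hashing run offline.
_BODY = base64.b64encode(b"constructed sample certificate bytes").decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + _BODY[:20] + "\n" + _BODY[20:]
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    fp = fingerprint(pem_to_der(SAMPLE_PEM))
    print("SHA-256 fingerprint:", fp)
    print("matches partner's value:", fingerprints_match(fp, fp.lower().replace(":", " ")))
```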
There are three different strategies available to connect to a partner:
* It's recommended to monitor the system - have a look at the user interface from time to time, let the
system be monitored by Nagios (or similar), configure the system's mail notification and read these mails
* Configure the system to auto delete old transmission logs; this can be done in the system settings. We
recommend not having more than 50000 transmissions in the log as this will slow down the user interface.
* Please ensure not to make backups on the partition where the mendelson opensource OFTP2 system is running. The
system will run into problems if there is no hard disk space left - monitoring the hard disk space is also
recommended (e.g. Windows can be configured to monitor the space of a partition and send mails; Nagios is
also a good option in this case)
If you require support and software maintenance for production use of the OFTP2 server please upgrade to a
commercial license. You can do this in the mendelson online shop at http://shop.mendelson-e-c.com
The commercial version will work fine with the open source data; there is no need to set up a new configuration.
Any questions or feedback? Please refer to the forum http://community.mendelson-e-c.com/forum/oftp2
We are looking forward to your comments and questions.