SWIFT

Swift.com Support services

For SWIFTNet 7.0

Self-help Guide
This self-help guide provides recommendations and guidelines on how you can troubleshoot the SWIFT environment.

20 January 2012

Self-help Guide

Table of Content

Table of Contents
1 The SWIFT environment in a nutshell ....................................................................................3
1.1 1.2 Introduction .............................................................................................................................3 Message flows ........................................................................................................................4 1.2.1 SWIFTNet FIN using a FIN CBT through an Alliance Gateway ......................................... 4 1.2.2 Accessing a SWIFTNet Browse service from an Alliance WebStation ............................... 5 1.2.3 An Alliance WebStation / Alliance WebPlatform Browse connected to an Alliance Gateway ............................................................................................................................................ 5 Regular activities .....................................................................................................................6 2.1.1 Daily activities ..................................................................................................................... 6 2.1.2 Weekly activities ................................................................................................................. 6 2.1.3 Monthly activities ................................................................................................................ 6 2.1.4 Mid-Year activities .............................................................................................................. 6 Best practices ..........................................................................................................................6 2.2.1 For a system upgrade ......................................................................................................... 6 2.2.2 For resilience ...................................................................................................................... 7 FIN CBT ..................................................................................................................................8 Alliance WebStation ................................................................................................................9 Customer network .................................................................................................................10 Alliance Gateway ..................................................................................................................13 SWIFTNet Link ......................................................................................................................14 Connection between SWIFTNet Link and the VPN box .......................................................15 5XT VPN box ........................................................................................................................16 SSG5 VPN box (Alliance Connect) .......................................................................................18 Connection between SWIFTNet Link and the HSM box .......................................................20 HSM box ...............................................................................................................................21 Alliance WebPlatform ............................................................................................................24 PKI & Online Operations Manager ........................................................................................25 RMA ......................................................................................................................................25 Methodology ..........................................................................................................................26 Collecting evidences .............................................................................................................27 4.2.1 Alliance Access/Entry ....................................................................................................... 27 4.2.2 Alliance WebStation ......................................................................................................... 27 4.2.3 Alliance Gateway .............................................................................................................. 27 4.2.4 SWIFTNet Link ................................................................................................................. 28 4.2.5 The HSM box .................................................................................................................... 28 4.2.6 Alliance WebPlatform ....................................................................................................... 29 Organization ..........................................................................................................................30 Services ................................................................................................................................30

Maintaining the SWIFT environment ......................................................................................6

2.1

2.2

Troubleshooting .......................................................................................................................8
3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13

Reporting a problem ..............................................................................................................26

4.1 4.2

SWIFTSupport services .........................................................................................................30

5.1 5.2

20 January 2012

Self-help Guide

The SWIFT environment in a nutshell

1
1.1

The SWIFT environment in a nutshell

Introduction
Preamble
A typical SWIFT customer environment consists of a combination of individual components that interact with each other to provide messaging services. Use this section as your reference and your glossary. Throughout this document, references are made to additional SWIFT documents in the following annotation: SWIFTSupport_Self_Help_Guide - The SWIFT environment in a nutshell. You can find the documents on the software installation CD or on the www.swift.com website (Recommended). There are links to the documents when you use the electronic version of this guide on the Internet. Glossary 1. FIN CBT Software product that processes and that exchanges FIN messages, by using the FIN application through the SWIFT network. Alliance Access and Alliance Entry are FIN CBT products that are provided by SWIFT. As of now, these CBT products also offer the functionality to send messages for your Solutions through the Alliance Messenger (On Alliance WebPlatform) interface. HSM Hardware Security Module. A hardware device that is tamper-resistant and that ensures the secure storage and the processing of PKI secrets. There are three types of HSM devices: HSM boxes, HSM tokens, and HSM cards and card readers. Only one type of HSM is supported on the same SWIFTNet Link. HTTPS Secure Hypertext Transport Protocol. A protocol that is used in order to access web servers that are hosted on SWIFTNet. The HTTPS proxy, which is a part of Alliance Gateway, is used for routing purposes. MQ Message Queue. IBM middleware component that is used in order to link back-end applications through the Alliance Gateway. PKI Public Key Infrastructure certificate. SWIFT acts as the certification authority on SWIFTNet. RA Remote API. SWIFT middleware component that is used in order to link back-end applications and workstations to Alliance Gateway, which acts as the messaging concentrator. SNL SWIFTNet Link. Mandatory SWIFT software component that is required in order to connect to SWIFTNet. Vendor Product Product that is offered by a SWIFT partner and that allows to connect to additional services hosted on SWIFTNet. These products have an embedded SWIFTNet Link, or they connect to Alliance Gateway. VPN box Virtual Private Network hardware device. Mandatory SWIFT network component for the connection to MV-SIPN. A VPN box implements network security that is based on IPsec.

2.

3.

4.

5. 6.

7.

8.

9.

20 January 2012

Self-help Guide

The SWIFT environment in a nutshell

1.2

Message flows
Introduction
Four message flows for typical SWIFTNet services are described below. The diagram illustrates each message flow.

1.2.1

SWIFTNet FIN using a FIN CBT through an Alliance Gateway

In a SWIFTNet single-window infrastructure, based on Alliance Gateway, the basic SWIFTNet FIN message flow consists of the following steps. 1. FIN messages are built in the FIN CBT. FIN messages can be entered directly by using a screen-based message entry product, or they can be entered through a link to a back-office application. The FIN CBT creates the SWIFTNet FIN protocol envelope for the message and sends it through the customer network to the Alliance Gateway, by using the Remote Application or the Message Queue software on the FIN CBT. The Alliance Gateway receives the message through the corresponding host adaptor. Then it calls the local SWIFTNet Link software in order to request transportation through SWIFTNet. The SWIFTNet Link encapsulates the message payload with a SWIFTNet message envelope, and sends it through an established TCP/IP connection to the VPN box.

2.

3.

4.

20 January 2012

Self-help Guide

The SWIFT environment in a nutshell

5.

The VPN box has established IPsec tunnels with the SWIFTNet central systems through the MV-SIPN network. These tunnels are established over physical lines between your premises and the MV-SIPN Backbone Access Points. The SWIFTNet central systems are connected to the FIN application servers at SWIFT, which send back a SWIFTNet FIN response to the initial FIN CBT. When a FIN ACK response message is received, you are assured that the FIN application will deliver the original message to the intended receiver. On the other hand, a NAK message indicates that an error occurred and that the message cannot be delivered to the intended receiver.

6. 7.

1.2.2

Accessing a SWIFTNet Browse service from an Alliance WebStation

Using an Alliance WebStation directly connected to SWIFTNet: 1. SWIFTNet Browse services are offered by organisations that have a Web Server that is connected to the SWIFTNet network. The access to the external Web Server is accomplished by creating an HTTPS request on a standard Web Browser product that runs as part of the Alliance WebStation. This standard Web Browser product can be Internet Explorer or Netscape Navigator. The HTTPS request is sent through a new TCP/IP connection to the VPN box. Then this request is sent further to the external Web Server. The Web Server collects the data and responds to the HTTPS request. It returns the response to the Alliance WebStation browser.

2. 3.

1.2.3

An Alliance WebStation / Alliance WebPlatform Browse connected to an Alliance Gateway

Similar to SWIFTNet FIN, other SWIFTNet services can also be accessed through an Alliance WebStation / Alliance WebPlatform Browse that is connected to a SWIFTNet single-window infrastructure that is based on Alliance Gateway. However, the step 2 is replaced by the following two steps: 1. 2. Note The HTTPS request is sent through the customer network to the HTTPS proxy that runs on the Alliance Gateway. The HTTPS request is sent through the MV-SIPN network to the external Web Server. Similar flows are applicable for vendor applications and for other SWIFTNet InterAct services or SWIFTNet FileAct services.

20 January 2012

Self-help Guide

Maintaining the SWIFT environment

2
2.1
2.1.1

Maintaining the SWIFT environment

Regular activities
Daily activities

Back up the system and the application data Monitor the systems and review the error logs Login to FIN to process messages that have been received Export the RMA authorisations and distribute them to your other applications, if required Open and empty their generic queue(s) regularly

2.1.2

Weekly activities

Check the SWIFTNet Link connectivity after a weekend when SWIFTNet maintenance activities are performed (see www.swift.com/support for the planning of the full year) Check the connection to the HSM box by performing the SwHSMSelfTest command Archive the Alliance Gateway logs and journals Archive and backup the Alliance Access and Entry messages and events

2.1.3

Monthly activities

Restart SWIFTNet Link and Alliance Gateway, in order to ensure that the processes that use certificates are stopped. By performing this restart, the certificates can be renewed the next time that they are used to log on. Open all the PKI certificates at least once. Use the CertInfo command (see SWIFTNet Link 7.0 - Operations Guide - Certificate Management for SWIFTNet Link on the SWIFTNet Link on User handbook online) Back up all the PKI certificates after you have opened them. Use SNL_BackUp.pl command to backup files for a specific SNL instance and use SwHSMBackupRestore.pl command to backup all SWIFTNet PKI certificates & SSL certificate contained within the HSM box. Test the unused spare VPN box (see the VPN box section in this guide) Check the correct functioning of your fallback connectivity.

2.1.4

Mid-Year activities

Reboot all your HSM boxes

2.2
2.2.1

Best practices
For a system upgrade
Before installation

Take a full system backup Note the version of the operating system and patches Read the release letter and check the operating system release and patch levels Check the Knowledge Base for any known issues

After installation
Take a full system backup

20 January 2012

Self-help Guide

Maintaining the SWIFT environment

Back up all the PKI certificates after you have opened them. Use the SNL_BackUp.pl command (see SWIFTNet Link 7.0 - Operations Guide - Backup/Restore for SWIFTNet Link on User handbook online) Run the swiftnet status, command and save the output in a new reference file. Do this when the SWIFTNet Link is running.

2.2.2

For resilience

Building a resilient infrastructure can be done by duplicating the components in various configurations. Your prime site should not contain any single point of failure. This ensures that you can continue the operation in case of a failure of a component, instead of having to wait until the component has been replaced. See the SWIFTNet Resilience Guide for the possible configurations. Back up all the PKI certificates after you have opened them. For critical operations, SWIFT recommends that you build a disaster site to continue the operation after a major problem in the prime site. It should be possible to switch to the disaster site in 2 hours and to start the processing of the business traffic in 4 hours after a prime site failure. The disaster site should be kept upto-date and the fail-over procedures should be tested twice per year. Alternatively, you can also spread the operations over two sites that are simultaneously active. Procedures to re-route the traffic to one site in order to cope with a site failure should also be tested twice per year. Special care should be taken on the organisational aspects and on the usage of PKI certificates in recovery scenarios.

20 January 2012

Self-help Guide

Troubleshooting

3
3.1

Troubleshooting
FIN CBT
FIN CBT - Table of symptoms
Symptom Unable to login to FIN Investigation 1. FIN logical error received, for example, L33 or S33 (Login or Select sequence number error) 2. FIN CBT error Action Correct the error according to the error description and send another Login. See SWIFT Knowledge Base FIN Error Codes and the FIN error codes for Login, Select and Abort Check the error message and the related events. Correct the problem (for example, disk space error) and send another Login. See the FIN CBT documentation from the vendor. Check the events in the CBT and check the connectivity to the next component. Continue with the SWIFTNet Link section in this guide or with the customer network section in case an Alliance Gateway is used. This problem may occur due to an intervention at SWIFT. We recommend that you activate the Auto Re-connect feature, in order to minimise the duration of the disconnection. See SWIFT Knowledge Base FIN Error Codes, and SWIFTNet FIN errors See SWIFTNet Link error codes SWIFTNet FIN errors In case of frequent aborts, check the FIN CBT connectivity to SWIFTNet. Continue with the SWIFTNet Link section in this guide or with the customer network section in case an Alliance Gateway is used. NAKed messages are kept in a message correction queue for manual correction. Check the FIN error code in field 405 of the NAK message. The message can be corrected and can then be re-sent later on. See SWIFT User Handbook FIN Error Codes Ensure that all the FIN Logical

3. FIN CBT connectivity to SWIFTNet

FIN session is aborted

1.

APC or FIN abort error received in the CBT logs, for example, A90

2.

SWIFTNet FIN protocol errors in the CBT logs, for example, FS012, SA100, SS100

FIN messages are rejected with a NAK error code

Message format errors, for example, T13 or H20 (Text error or Header error)

FIN messages are

1.

FIN CBT not ready

20 January 2012

Self-help Guide

Troubleshooting

Symptom queued up in the FIN CBT

Investigation

Action Terminals are fully logged in (see above)

2. Verify the size of the components

Check the system specifications with the recommended sizing See SWIFTNet Connectivity Packs

3.2

Alliance WebStation
Alliance WebStation - Table of symptoms
Symptom Unable to log on to a stand-alone Alliance WebStation Investigation 1. Problem with the authentication of the user on the HSM Action Check whether the cables are correctly connected, and whether the HSM is correctly inserted. See Alliance WebStation User Guide - Daily logon procedure. Verify whether the certificate is still valid, and recover the certificate if necessary (Security Officer profile required). See Alliance WebStation User Guide - Recovering Your User Certificate Use the Online Check Link tool or run the command testtcp.bat. See Alliance WebStation User Guide - Verifying the connection to SWIFTNet In case of failure, check the connection between SWIFTNet Link and the VPN box. The SWIFTNet user or the Alliance Gateway operator is not properly defined. Check whether the entered user name is an enabled SWIFTNet user. Check whether the certificate that is linked to the user is still valid at SNL level, and recover the certificate if necessary. See Alliance Gateway Operations Guide - The SWIFTNet Users module: Managing certificates used by SWIFTNet users Otherwise, continue with the SWIFTNet Link section in this guide. Check whether the entered user name is a valid and an enabled Alliance Gateway operator. Check whether the entered password is

2.

Problem with the connectivity to SWIFTNet

Unable to log on to Alliance Gateway

1.

SwGUI.203.007: Logon failed. Click on More Info... Sw.04.002: Could not create the security context Sag:System.001.001: Operator is not entitled to perform the operation

20 January 2012

Self-help Guide

Troubleshooting

Symptom

Investigation

Action correct. See Alliance Gateway Operations Guide - The Operators module

2.

SwGUI.203.010: The connection with the SAG is lost or cannot be established Web Server unreachable

There is a problem with the connectivity to Alliance Gateway. See the customer network section and the SWIFTNet Link section in this guide. Run checkip <URL><port> TCP See the SWIFT CheckIP User Guide. Contact the service provider for the correct URL and for information about the port number Check the validity of the certificate in the standard browser configuration and in the preferences. Recover the certificate if needed (Security Officer profile required) See Alliance WebStation User Guide - Managing SWIFTNet Users, Browse Users, and Message Routing Rules Run checkip <HTTP proxy IP address><HTTP listening port> TCP See SWIFT CheckIP User Guide In case of failure, verify the settings of your browser, then check the customer network components and the status of the HTTPS proxy. See Alliance Gateway Operations Guide - Configuring Browse Traffic Contact the service provider in order to request the activation of the user on the service

Unable to connect to a Web Server

1.

2.

Problem with the validity of the SWIFTNet Browse certificate

3.

HTTPS proxy server on Alliance unreachable

4.

User not activated by the service provider (CUG 001 error)

3.3

Customer network
Customer network - Table of symptoms
Symptom Connection problem between Alliance Gateway and a vendor product, the FIN CBT or Alliance WebStation Investigation 1. Connectivity with the applications that are based on Remote API (RA) Action On the RA host: Run sag_system saguser <username> -sagpwd <passwd> - status system See Alliance Gateway Remote API Operations Guide - Remote Administration of SAG on User

20 January 2012

10

Self-help Guide

Troubleshooting

Symptom

Investigation

Action handbook online. In case of failure: - Run ping <SAG host> in order to check the connectivity at IP level, and check the firewall configuration - Run telnet <SAG host> <SAG port> and verify whether the listening port exists for the hostname that is provided in the sagta_ra.cfg. See Alliance Gateway Security Guide - Security Configurations and the SWIFTNet Network Configuration Tables Guide Alliance Gateway customers on the User handbook online. Check whether the SAG bootstrap is started See Alliance Gateway Operations Guide - The Alliance Gateway Bootstrap Check whether the IP address, the port number and the SSL mode are correctly configured on both the RA host and the SAG host See Alliance Gateway Remote API Operations Guide Configuring Remote API on User handbook online. If the command is successful, then the problem could be intermittent Check the dynamic parameters of the firewall See SWIFTNet Network Configuration Tables Guide Alliance Gateway customers on User handbook online Check the logs of the network components between RA and SAG, for dropped packets

2.

Connectivity with applications that are based on Message Queue (MQ)

Run ping tests from the SAG host to the Queue Manager host from the application host to the Queue Manager host In case of failure, check the network components between the application host and the SAG. Check the log files of the components for any dropped packet. See Alliance Gateway Security Guide - Security Configurations,

20 January 2012

11

Self-help Guide

Troubleshooting

Symptom

Investigation

Action and the SWIFTNet Network Configuration Tables Guide Alliance Gateway customers on User handbook online. Check the configurations of the components MQHA on the SAG computer Queue Manager and queues MQ configuration in the application software the SSL mode that is used See Alliance Gateway MQ Host Adapter Configuration Guide. Run a complete connectivity test Run mq_test_connect after you have configured the SAG and the MQ series appropriately See Alliance Gateway MQ Host Adapter Configuration Guide Testing Connectivity with mq_test_connect. Also see the documentation about the configuration of the vendor product.

3.

Connectivity with Alliance WebStation

Check the WebStation configuration Run WebStationConfig.exe, and check whether the configuration corresponds with the SAG configuration. See Alliance WebStation Installation Guide - Configuring Alliance WebStation on User handbook online Check the connectivity Run ping <SAG host> Run checkip <SAG host> <RAHA port> <TCP> See SWIFT CheckIP User Guide In case of failure, verify whether the network components between SAB and SAG are correctly configured. Also verify that no dropped packets are observed in the components log files. See Alliance Gateway Security Guide - Security Configurations and the SWIFTNet Network Configuration Tables Guide Alliance Gateway customers on User handbook online.

20 January 2012

12

Self-help Guide

Troubleshooting

3.4

Alliance Gateway
Alliance Gateway - Table of symptoms
Symptom Messages are not received in the server application Investigation Event Journal reports: Sag:APL-I 9 Server unreachable or Sag: APL-I 50 Request time-out Action Check whether the server that is identified for this Message Partner is still running. Check the network components between the server application and the SAG for dropped packets. Restart the server application in order to reconnect to the SAG. If unsuccessful, continue with the SWIFTNet Link section and the customer network section in this guide Use the SAG admin GUI or run sag_system saguser <username> -sagpwd <passwd> - status Overview See Alliance Gateway Operations Guide - Using the sag_system Tool If a number of activated subsystems are not started, then restart the subsystems by using the SAG Admin GUI or by launching the command sag_system -- start Check if the configuration is correct See Alliance Gateway Operations Guide - Using SAG commands and tools Send a test message with default parameters, by running sag_test_connect snuser <username> -snpwd <password> -fileact See Alliance Gateway Operations Guide - Checking an Alliance Gateway Connection (sag_test_connect) See the SWIFTNet Link section in this guide 2. Rejection by the counterparty Files can be rejected by your counterparty (for example, because of insufficient disk space). Contact your counterparty and agree on appropriate actions. Check the definition of the

Operational problem with the Alliance Gateway subsystems

The Event Journal reports errors that are related to processes

Problems with the file transfer

1.

The monitoring application reports that files were rejected or that files failed

Local Authentication

The Event Journal reports

20 January 2012

13

Self-help Guide

Troubleshooting

Symptom (LAU) failure

Investigation the error: Message Partner authentication failed

Action Message Partner, and the configuration of the application. See Alliance Gateway Operations Guide The Application Interface module

3.5

SWIFTNet Link
Prerequisite
Before you further investigate SWIFTNet Link, you should run the selftest command. This command will check whether the SNL subsystems are running, whether you have connectivity to SWIFTNet, and whether you can send a test message to the SWIFTNet central systems by using your SWIFTNet Link certificate. The output of the command must be: SWIFTNet Subsystems: Up IP Connectivity Test: Success InterAct Test : Success Heartbeat Test: Success If the selftest command fails:

If IP Connectivity Test is not successful, then investigate the connection between SWIFTNet Link and the VPN box Look at the selftest log, which you can find in the log directory. Investigate further as mentioned below.

SWIFTNet Link - Table of symptoms

Symptom Messages are rejected by SWIFT Investigation Network transmission errors are reported Action Check the configuration of the components that are running on top of SWIFTNet Link (for example, roles and profiles) See SWIFTNet Link Error codes Detailed Codes Returned by SNL API Run swiftnet status c h See SWIFTNet Link 7.0 Operations Guide on User handbook online Compare the output with the saved output taken during business operation activities (see the section Best practices for a system upgrade in this guide). If the output is different, then restart the affected components 2. SWIFTNet Link connectivity towards SWIFTNet Run swiftnet checkip See SWIFT CheckIP User Guide If successful, check the network

Errors: TPESYSTEM Local domain is down. Or: selftest resulted in SWIFTNet Subsystems: Not Up

1.

SWIFTNet Link Processes not Up

20 January 2012

14

Self-help Guide

Troubleshooting

Symptom

Investigation

Action components between SNL and the VPN box for dropped packets. In case of failure, make sure that the network components between SNL and the VPN box are correctly configured See SWIFTNet Network Configuration Tables Guide on User handbook online. Also see the section Connection between SNL and the VPN box in this guide

Errors: Security kernel initialization resulted in error. Or: selftest resulted in InterAct Test failed

3.

The certificate has expired

Run certlist and check the expiry date of your SWIFTNet user. Recover the certificate if expired. If your SNL certificate is expired, then a SWIFT offline intervention will be required (Tip 35582) See SWIFTNet Link Operations Guide - Certificate Management for SWIFTNet Link on User handbook online

4.

Certificate password

Run CertInfo u <profile> -p <password> Recover the certificate if the password is lost. See SWIFTNet Link Operations Guide - Certificate Management for SWIFTNet Link on User handbook online

3.6

Connection between SWIFTNet Link and the VPN box

Connection between SWIFTNet Link and the VPN box - Table of symptoms
Symptom Connection problem between the SWIFTNet Link host and the VPN box Investigation VPN box unreachable Action Run swiftnet checkip from the SNL host See SWIFT CheckIP user Guide If the result is CHECKIP-GLOBALSUCCESS, then the connectivity is OK If the result is something else, then check whether the configuration of your network components, such as DNS, routers and firewalls, is compliant with the Network Access Control Guidelines on User handbook online. To test the connectivity of your VPN box, you can also execute the ping command. For a primary VPN box: ping 149.134.255.254 For a secondary VPN box:

20 January 2012

15

Self-help Guide

Troubleshooting

Symptom

Investigation

Action ping 149.134.255.253 If no problems are found in the network components, then look at the state of your VPN box: see the VPN box section in this guide If the command is successful, then the problem could be intermittent Check the dynamic parameters of the firewall (for example, the session idle timeout must be minimum 1 hour) See SWIFTNet Network Configuration Tables Guide - Principles on User handbook online Check the logs of the network components for dropped packets

Note

To reduce complexity, SWIFT strongly recommends that you have the SNL host and the VPN boxes in the same location (see the recommended configuration that is described in the Network Access Control Guidelines).

3.7

5XT VPN box

VPN box - Table of symptoms
Symptom Problem with the connectivity between the VPN box and SWIFTNet Investigation 1. Problem with the cabling Action The cabling for the various VPN box configurations is described in the Dual-P Access Configuration for MV-SIPN User Guide, and in the VPN box Installation Guide for Dial-up Connections Troubleshooting on User handbook online Check the LED status on the front panel of the box. If the LEDs are different from those that are shown below, then the box is in an invalid state. Check the procedure for correction in the Dual-P Access Configuration for MV-SIPN User Guide, and in the VPN box Installation Guide for Dialup Connections - Troubleshooting on User handbook online Note: In a Dual-P configuration, both VPN boxes carry traffic into MV-SIPN in an alternating way, and they communicate through the link between each other 3. Dual-P Active VPN box (box with active customer LAN interface)

2.

Problem with the connectivity of the VPN box

Standby VPN box (box with standby customer LAN interface)

20 January 2012

16

Self-help Guide

Troubleshooting

Symptom

Investigation

Action

4.

Dual-I

Active VPN box (box with active customer LAN interface)

Standby VPN box (box with standby customer LAN interface)

5.

Dial-up

Active VPN box

Spare VPN box The spare dial-up VPN box should be regularly tested, to ensure that it remains operational. Connect the box to the electrical supply, with no other cables, and verify the LED status as indicated below

Dial-up connectivity problem

1.

ISDN connectivity

Check the LEDs of the ISDN Terminal Adapter

Check whether the power is on: must be red If one or more LEDs are blinking, then the device has encountered an error: Reset the ISDN Terminal Adapter by unplugging and reconnecting the power cable. Check whether this solves the problem Reset the VPN box: unplug the power cable and then plug it in again If none of the ISDN LEDs light up, then verify that the ISDN cable is correctly plugged in Execute the swiftnet dialtest command, in order to verify whether all the telephone numbers that are configured in the VPN box can be dialled 2. PSTN connectivity Check the PSTN modem

20 January 2012

17

Self-help Guide

Troubleshooting

Symptom

Investigation

Action

If the modem cannot successfully establish a connection (CD blinking red, the LED with the number corresponds with the selected bandwidth): Verify that your telephone cable is correctly plugged in Test the telephone line Reset your modem Reset your VPN box: unplug the power cable and then plug it in again Execute the swiftnet dialtest command, in order to verify whether all the telephone numbers that are configured in the VPN box can be dialled

3.8

SSG5 VPN box (Alliance Connect)

VPN box - Table of symptoms
Symptom Problem with the connectivity between the VPN box and SWIFTNet Investigation 1. Problem with the cabling Action The cabling for the various VPN box configurations is described in the Implementations Guide of Alliance Connect on www.swift.com, Alliance Connect Bronze/Silver/Gold, additional information. Alliance Connect Check the LED status on the front panel of the box. Please check Alliance Connect Resiliency Testing Scenarios or Alliance Connect Implementation guide for Bronze/Silver/Gold. a. RJ-45 cable from Ethernet port 0/2-A to Ethernet port 0/2-B b. RJ-45 cable from Ethernet port 0/3-A to Ethernet port 0/3-B c. RJ-45 cable from Ethernet port 0/6-A to customer's LAN switch d. RJ-45 cable from Ethernet port 0/6-B to customer's LAN switch e. RJ-45 cable from Ethernet port 0/0-A to primary router f. RJ-45 cable from Ethernet port 0/1-B to secondary router

2.

Problem with the connectivity of the VPN box

3.

Bronze/Silver/Gold

20 January 2012

18

Self-help Guide

Troubleshooting

Symptom connectivity problem

Investigation 1. 1. Firewall in between VPN boxes and Internet router

Action 1. Allow connectivity to SWIFT public IP addressing range from its source IP address to destination IP address 149.134.0.0/16 (range 149.134.0.0 to 149.134.255.255). 2. Open the following ports: UDP/IKE 500, UDP/NAT-T 4500, and ESP IP protocol 50. 1) Contact your Internet Service Provider (ISP) and make certain these IP addresses and ports are not being blocked. 2) Logon to the WebGUI from your SNL (https://149.134.255.252) and check the alarms. 3) Download the Connectivity Test Tool from the Knowledge Base (see Tip 3000419) and run the tool, as mentioned in the document Tip 3000419 The tool can now be downloaded from swift.com at the following link. http://www.swift.com/products/alliance_connect_ bronze http://www.swift.com/products/alliance_connect_ silver

2.

VPN boxes not colocated

1.

2.

LED status

Before enrolment

Customers may not implement network equipment along the length of both direct connections between the 2 VPN boxes. 2. The standard distance between VPN boxes is 3 meters, which is a fully supported configuration. 3. Configurations that have a distance of more than 100 meters or that have layer 2 networking devices (or both) may work, but SWIFT does not support these configurations. Other configurations may work but SWIFT does not support them. Primary VPN box (labeled A) Power : green solid Status : green blinking port 0/0 TX/RX/RX : green blinking link port 0/0: green solid port 0/2 TX/RX : off link port 0/2: off port 0/3 TX/RX : green blinking link port 0/3: green solid port 0/6 TX/RX : short blinking after connection is made link port 0/6: green solid Secondary/ backup VPN box (labeled B) Power : green solid Status : green blinking port 0/1 TX/RX : green blinking link port 0/1: green solid port 0/2 TX/RX : off link port 0/2: Off port 0/3 TX/RX : green blinking link port 0/3: green solid port 0/6 TX/RX : short blinking after connection is made

20 January 2012

19

Self-help Guide

Troubleshooting

Symptom

Investigation After enrolment

Action link port 0/6: green solid link ports should show activity (blinking green) Primary VPN box (labeled A) Power : green solid Status : green blinking port 0/0 TX/RX/RX : green blinking link port 0/0: green solid port 0/2 TX/RX : green blinking link port 0/2: green solid port 0/3 TX/RX : green blinking link port 0/3: green solid port 0/6 TX/RX : short blinking after connection is made link port 0/6: green solid Secondary/ backup VPN box (labeled B) Power : green solid Status : amber blinking port 0/1 TX/RX : green blinking link port 0/1: green solid port 0/2 TX/RX : green blinking link port 0/2: green solid port 0/3 TX/RX : green blinking link port 0/3: green solid port 0/6 TX/RX : short blinking after connection is made link port 0/6: green solid Please make certain speed setting is set properly, as mentioned in Tip 3000688 Tip 3000625

VPN box freeze Requirement to change from static IP to DHCP for backup VPN box

Speed/duplex setting When you change your IP configuration to DHCP the IP address does not seem to be updated.

3.9

Connection between SWIFTNet Link and the HSM box

Connection between SWIFTNet Link and the HSM box - Table of symptoms
Symptom Connection problem between the SWIFTNet Link host and the HSM box Investigation HSM box unreachable Action - Run perl SwHSMSelfTest.pl and check the results - If the selftest output shows a connectivity issue, contact your network department, to verify the network components between the SNL host and the HSM box. If there is a firewall between the SNL host and the HSM box, then check the firewall for dropped packets. - Login to the HSM box with an admin user through a serial connection, and verify the IP settings of the HSM box by using the following commands: system hostname show

20 January 2012

20

Self-help Guide

Troubleshooting

Symptom

Investigation

Action network interface show If the settings are not correct, then follow the instructions in the SWIFTNet Link 7.0 - HSM Operations Guide

3.10

HSM box
HSM box - Table of symptoms
Symptom User profile is locked Investigation The user profile that is present on the HSM box becomes locked after five unsuccessful logon attempts to a certificate. Action If the user can obtain the current password, then the admin account, or any other user with the admin role, can use the unlock option. Unlocking the partition restores the working state of the partition for the current password. See Hardware Security Module Operations Guide - Section 3.13 - Unlock Partitions on User handbook online. If the user cannot get the current password, then the partition must be initialised and the profile must be recreated by using the CA secrets. Note: This requires PED operations. See Hardware Security Module Operations Guide - Section 3.12 Initialise partition on User handbook online If a timeout occurs before you have completed a PED operation, then you must follow these instructions: 1. Press and hold the CLEAR button on the PED for at least five seconds. 2. In the message dialog box, click OK. The PED receives the task instruction from the HSM box, and you can start the sequence of PED operations again. For the procedure, see Hardware Security Module Operations Guide - Section 2 HSM Box Configuration and Administration. The PED must also be reset by using the power switch that is located on the side of the PED. If password is known: This procedure can be applied if the password is known. This command requires use of the PIN Entry Device. Before issuing this command, you must have the Security Officer PIN Entry Device key, and access to the primary HSM box. This command can only be performed on the primary node.

HSM box configuration fails

PIN Entry Device (PED) gives a timeout error

CKR_PIN_LOCKED error on HSM boxes

The partition on the HSM box is locked after five consecutive unsuccessful login attempts to a certificate and caused customer not able to login

20 January 2012

21

Self-help Guide

Troubleshooting

Symptom

Investigation

Action

Double-click the SWIFTNet Link icon on the Windows desktop or browse to the the SWIFTNet Link swiftnet\bin directory on UNIX.

Type the command: Syntax: perl SwHSMManagePartitions.pl -U -h <HSM Box IP address> -p <Partition Name SWIFTNet user profile> Example: SwHSMManagePartitions.pl -U -h 149.134.5.3 -p HSM1:PNYBB01 If password is not known: A user with the HSM admin account can not reset the partition password. If the password is lost, you must re-initialise the partition and set up the user for recovery. You must have access to the HSM box before issuing this command. This command can only be performed on the primary node. The command requires both PIN Entry Device keys: Security Officer PIN Entry Device key, and User PIN Entry Device key.

Double-click the SWIFTNet Link icon on the Windows desktop or browse to the the SWIFTNet Link swiftnet\bin directory on UNIX.

Type the command: Syntax: perl SwHSMManagePartitions.pl -R -h <HSM box ip address> -p <Partition Name SWIFTNet user profile> [-i<HSM Username>]

20 January 2012

22

Self-help Guide

Troubleshooting

Symptom

Investigation

Action Example: perl SwHSMManagePartitions.pl -R -h 149.134.5.3 -p HSM2:PNYBB01 or with Admin password: perl SwHSMManagePartitions.pl -R -h 149.134.5.3 -p HSM2:PNYBB01 -i bsmith Setup for recovery and recover SWIFTNet user profile after reinitialisation

After you have re-initialised the partition, you must recover the profile back on to the partition. You must perform the setup for recovery procedure on Alliance Gateway or Alliance Starter Set using Alliace Webstation.

Procedure Log on as Security Officer SWIFTNet user using Alliance WebStation on the Alliance Starter Set or Allliance Gateway. Browse to the certificate you need to set up for recovery using the Users Module. Right-click the certificate and select the Setup for Recovery command from the pop-up menu. When the Certificate tab is re-displayed, click on the Activation Secrets arrow and write down the new reference number and authorisation code displayed. Log off. Log on as Administrator - Gateway Operator. Go to SWIFTNet users module and click the Certificates tab. Right-click the certificate that was setup for recovery and choose the Recover command from the popup menu. If the certificate is not visible, right-click in the blank area and select Recover. Fill in all the details required including the authorisation code, reference number, certificate name, and recover it on the partition. The certificate can be given a new profile name and password chosen by the customer.

20 January 2012

23

Self-help Guide

Troubleshooting

Symptom NTLS/SSL fails

Investigation

Action For details, please refer to Tip 2147226 1. Check if NTLS services is running on the HSM box Run swiftnet status -T -v to see the service status of the HSM. If it is down or partial, use the SwHSMManageServices.pl to restart the HSM services (including ntls). 2. Is the server has more than 1 IP address or the IP address has changed? If it is, you will need to re-register the SNLto the HSM Cluster by using the SwHSMWiz GUI For details, please refer to Tip 2094230

HSM status is down but HSMServiceStatus is up or no partitions are enabled in SwHSMSelfTest result

Check the activation status of the HSM

Run the command: perl SwHSMActivate.pl -a h <<IP ADDRESS OF THE HSM BOX>> For details, please refer to Tip 2146133

3.11

Alliance WebPlatform
Alliance WebPlatform - Table of symptoms
Symptom Login page cannot be down and display "JavaScript is disabled, please enable and reload this page" Login page cannot be loaded and display "Internet Explorer cannot display the webpage" Investigation Page cannot be loaded with JavaScript disabled Action Go to Internet Explorer -> Tools -> Internet Options -> Security Settings -> Scripting -> Active Scripting and enable it if it is not enabled.

Page cannot be loaded with page cannot display

Check if the WebPlatform service has started or not. Windows: Administrative Tools -> Services -> Alliance WebPlatform SWP01 to check if the service has started or not UNIX: run the command "swp_bootstrap status" to check if the bootstrap of WebPlatform has started or not. If not, start it by issuing the command "swp_bootstrap start"

20 January 2012

24

Self-help Guide

Troubleshooting

3.12

PKI & Online Operations Manager

PKI & Online Operations Manager - Table of symptoms
Symptom Unable to display the Online Operations Manager welcome page Investigation Page cannot be loaded Action Check if the URL is correct: https://www.o2m.swiftnet.sipn.swift.com Run nslookup and check if the URL https://www.o2m.swiftnet.sipn.swift.com can be resolve or not If the URL can be resolved, run checkip <URL> -port <port> See the SWIFT CheckIP User Guide.

3.13

RMA
The RMA service is a standard SWIFTNet Store-and-Forward InterAct service. For an explanation of the possible error codes, see the SWIFTNet Link Error codes - Detailed Codes Returned by SNL API. For errors related to the Alliance RMA application, see the Alliance Access/Entry section of this guide. For errors related to the Alliance WebPlatform RMA application, see the Alliance WebPlatfrom section of this guide.

20 January 2012

25

Self-help Guide

Reporting a problem

4
4.1

Reporting a problem
Methodology
Introduction
A persistent problem that cannot be resolved by the troubleshooting guidelines can be reported to the SWIFT Customer Service Centre.

Register on swift.com
To access the SWIFTSupport service, you must first register yourself on swift.com. Registration will allow you to access our specialised online services such as the knowledge base, case manager, documentation, ordering, and billing information. See SWIFTSupport services further in this guide.

Report the problem

When you report a problem to SWIFT, use by preference the Case manager on our web site (see Case manager further in this guide). You should give as much electronic evidence as possible, in order to allow a faster investigation and a faster resolution of the problem. Alternatively, you can contact the SWIFT Customer Service Centre by telephone (see Customer Service Centres further in this guide). Ensure that you have access to your system and provide the following details: 1. 2. 3. 4. 5. Identify yourself by providing your personal registration number that is mentioned on your SWIFTSupport registration card Your case number, if you are calling about an open problem that you have reported previously What happened and what you were doing when the problem occurred The actions that you have taken to solve the problem The exact wording of any error message

Send collected evidences

You can then send your collected evidences by different means:

by e-mail to support@swift.com. Mention the case number in the subject of the e-mail by the Dropbox service that is available on swift.com/support or through the SWIFTNet Portal by the sendsupportinfo command, directly from your SWIFTNet Link host.

Syntax: swiftnet sendsupportinfo [-d <dir>] -a <case number> <dir> is the name of the directory where the diagnostic files are copied or located. This parameter is optional. If this parameter is not specified, then the command will use the default directory (Windows: %SWNET_HOME%\log\supportinfo, UNIX: $SWNET_HOME/log/supportinfo). <case number> is the number of the case for which the evidences are being sent. This parameter is mandatory in order to be able to link the evidences to the correct case in the case manager application.

20 January 2012

26

Self-help Guide

Reporting a problem

4.2
4.2.1

Collecting evidences
Alliance Access/Entry
Alliance Access/Entry - Table of evidences
Where? UNIX Collect log and configuration information * SAA support information Run saa_supportinfo -output <directory> -from <From_datetime> -to <To_datetime> from $ALLIANCE/common/bin/ Log files can be collected in the $ALLIANCE/support/<directory> Example: saa_supportinfo -from 20110622T0100 -to 20110623T0200 Run saa_supportinfo -output <directory> -from <From_datetime> -to <To_datetime> from %ALLIANCE%\bin Log files can be collected in the %ALLIANCE%\support\<directory> Example: saa_supportinfo -from 20110622T0100 -to 20110623T0200 Where? Windows

Note

* These are the minimum evidences that you must provide to SWIFTSupport when you report a case.

4.2.2

Alliance WebStation
Alliance WebStation - Table of evidences
Where? Windows Collect log information * WebStation log file Result of a connection test to SWIFT SWIFTAlliance\WebStation\log\log.txt Run testtcp.bat on a stand-alone SAB The result is in <installation directory>\WebStation\log\testtcp.txt

Collect configuration information diagnostic.xml diagnostic.txt Run diagnostic.bat The result is in Diagnostic.xml and diagnostic.txt, which are in <installation directory>\WebStation\log\

Note

* These are the minimum evidences that you must provide to SWIFTSupport when you report a case.

4.2.3

Alliance Gateway
Alliance Gateway - Table of evidences
Where? UNIX Collect log and configuration information * Run sag_supportinfo -output <directory> -from <YYYYMMDDTHHMM> -to <YYYYMMDDTHHMM> The log information can be Run sag_supportinfo -output <directory> -from <YYYYMMDDTHHMM> -to <YYYYMMDDTHHMM> The log information can be retrieved Where? Windows

20 January 2012

27

Self-help Guide

Reporting a problem

Where? UNIX Collect log and configuration information * retrieved in <installation directory>/Gateway/support/

Where? Windows

in <installation directory>\Gateway\support\

Note

* These are the minimum evidences that you must provide to SWIFTSupport when you report a case.

4.2.4

SWIFTNet Link
SWIFTNet Link - Table of evidences
Where? UNIX Collect log and configuration information * Collect SNL log and configuration files Run snl_supportinfo -output <directory> -from <YYYYMMDDTHHMM> -to <YYYYMMDDTHHMM> Run selftest Selftest.log is in $SWNET_LOG_PATH/ compress the content of the $SWNET_LOG_PATH directory compress the content of the $SWNET_HOME/log directory Run snl_supportinfo -output <directory> -from <YYYYMMDDTHHMM> -to <YYYYMMDDTHHMM> Where? Windows

selftest.log

Run selftest Selftest.log is in %SWNET_LOG_PATH%/ compress the content of the %SWNET_LOG_PATH% directory compress the content of the %SWNET_HOME%\log directory

Files in the SNL log directory HSM Log files

Note

* These are the minimum evidences that you must provide to SWIFTSupport when you report a case.

4.2.5

The HSM box

HSM box - Table of evidences
Where? UNIX Collect log information * HSM log files Run perl SwHSMGetLog.pl -a | h <HSM box hostname> The file is then uncompressed and copied to the directory $SWNET_HOME/log/hsm1 or $SWNET_HOME/log/hsm2 Run perl SwHSMSelfTest.pl The output can be found in $SWNET_LOG_PATH/ HSMSelftTest.log Run perl SwHSMGetLog.pl -a | h <HSM box hostname> The file is then uncompressed and copied to the directory %SWNET_HOME%\log\hsm1 or %SWNET_HOME%\log\hsm2 Run perl SwHSMSelfTest.pl The output can be found in %SWNET_LOG_PATH%\ HSMSelftTest.log Where? Windows

HSMSelfTest.log

Collect configuration information HSM configuration Run swiftnet getconfig T -v Redirect the output into a file Run swiftnet getconfig T v Redirect the output into a file

20 January 2012

28

Self-help Guide

Reporting a problem

Note

* These are the minimum evidences that you must provide to SWIFTSupport when you report a case.

4.2.6

Alliance WebPlatform
Alliance WebPlatform - Table of evidences
Where? UNIX Collect log and configuration information * Support information of WebPlatform Run swp_supportinfo -output <directory> -from <YYYYMMDDTHHMM> -to <YYYYMMDDTHHMM> Run swp_supportinfo -output <directory> -from <YYYYMMDDTHHMM> -to <YYYYMMDDTHHMM> Where? Windows

From the installation directory <SWP_INSTALL_PATH>/bin WebPlatform logs Run swp_readlog -output <file_pathname> -startdate <YYYYMMDD> -starttime <HH:MM:SS> -stopdate <YYYYMMDD> -stoptime <HH:MMLSS>

From the installation directory <SWP_INSTALL_PATH>\bin Run swp_readlog -output <file_pathname> -startdate <YYYYMMDD> -starttime <HH:MM:SS> -stopdate <YYYYMMDD> -stoptime <HH:MMLSS>

From the installation directory <SWP_INSTALL_PATH>/bin

From the installation directory <SWP_INSTALL_PATH>/bin

Note

* These are the minimum evidences that you must provide to SWIFTSupport when you report a case.

20 January 2012

29

Self-help Guide

SWIFTSupport services

5
5.1

SWIFTSupport services
Organization
Worldwide support
SWIFT offers to its customers a worldwide support delivered by a group of expert analysts. This service covers administrative, operational and technical matters. The SWIFT Customer Service Centres (CSCs) are open 24 hours a day, seven days a week. Our key communication channel for support is our website www.swift.com/support, which offers an integrated set of support services. You can also contact a support analyst by telephone, for critical situations or for additional information. Europe Americas Asia Japan +31 71 582 28 22 +1 540 825 60 56 +852 2 852 87 77 +81 3 5223 74 56

5.2

Services
My profile
My profile allows you to configure your access to the support services and to maintain your information. Information such as updates to the BIC data, contact data, the billing profile, the shipping profile and your operational profile, must be maintained online through My profile.

Knowledge base
The Knowledge base provides information about known problems and their solutions. It also includes frequently asked questions, suggestions, and technical documents. The information is organised in the form of tips.

Case manager
The Case manager allows customers to report a technical problem or a query to the SWIFT CSC. For each entry, a case number is assigned. Electronic updates are provided by the support staff. You have a complete overview of all cases with up-to-date status information.

Download centre
Licensed customers automatically receive SWIFT software product releases and patches on CD. In addition, some patches and maintenance releases are also available on the Download centre, where they can be easily downloaded and installed.

Operational status
SWIFT continues to improve the availability of its network and its systems. If a major outage occurs on critical services, then information is directly provided on the operational status. This allows customers to understand the situation and to take appropriate actions.

Documentation
General documentation about SWIFT products and SWIFT services is provided on our website. The documentation can be viewed online and can be downloaded for printing purposes or for further processing. The SWIFT software product documentation is also provided on the software product CD that is sent to licensed customers.

Billing information
This service describes the rules of SWIFT for billing and invoices. You can access the billing information for your company until 12 months in the past and you can also download it.

20 January 2012

30

Self-help Guide

SWIFTSupport services

Translation service
This service provides a real-time, multi-lingual translation of swift.com. The pages are translated by software that is configured with SWIFT-specific terminology. The English version of the web site remains the only official and legally binding version.

BIC Online
BIC Online allows you to perform a quick lookup for the latest information in the BIC Directory.

20 January 2012

31

Self-help Guide

SWIFTSupport services

Legal Notices
Copyright
SWIFT 2012. All rights reserved. You may copy this publication within your organisation. Any such copy must include these legal notices.

Confidentiality
This publication may contain SWIFT or third-party confidential information. Do not disclose this publication outside your organisation without the prior written consent of SWIFT.

Disclaimer
SWIFT supplies this publication for information purposes only. The information in this publication may change from time to time. You must always refer to the latest available version.

Translations
The English version of SWIFT documentation is the only official version.

Trademarks
SWIFT is the trade name of S.W.I.F.T. SCRL. The following are registered trademarks of SWIFT: SWIFT, the SWIFT logo, Sibos, SWIFTNet, SWIFTReady, and Accord. Other product, service, or company names in this publication are trade names, trademarks, or registered trademarks of their respective owners.

20 January 2012

32