ADMINISTRATOR GUIDE

Interchange

Version 5.12


Copyright © 2015 Axway

All rights reserved.

This documentation describes the following Axway software:

Axway Interchange 5.12

No part of this publication may be reproduced, transmitted, stored in a retrieval system, or translated into any human or computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without the prior written permission of the copyright owner, Axway.

This document, provided for informational purposes only, may be subject to significant modification. The descriptions and information in this document may not necessarily accurately represent or reflect the current or planned functions of this product. Axway may change this publication, the product described herein, or both. These changes will be incorporated in new versions of this document. Axway does not warrant that this document is error free.

Axway recognizes the rights of the holders of all trademarks used in its publications.

The documentation may provide hyperlinks to third-party web sites or access to third-party content. Links and access to these sites are provided for your convenience only. Axway does not control, endorse or guarantee content found in such sites. Axway is not responsible for any content, associated links, resources or services associated with a third-party site.

Axway shall not be liable for any loss or damage of any sort associated with your use of third-party content.

Contents

Preface  23
  Who should read this guide  23
  Related documentation  23
  Support services  23
  About this guide  24
Accessibility  26
  Accessibility features of Interchange  26
  Keyboard shortcuts  26
  Screen reader support  27
  Accessibility features of the documentation  27
  Screen reader support  27
  Graphic readability  27
What's new in Interchange 5.12  28
  Product enhancements  28
  Documentation enhancements  33

1 About Interchange  34
  Features and services  34
  Support for transport protocols  34
  Support for trading exchanges  34
  Support for security protocols  35
  Message services  35
  Trading partner management  36
  Security services and operations  37
  Visibility  37
  Standards certification  37
2 Planning considerations  38
  Security considerations  38
  Firewalls and proxy servers  39
  Interchange in a firewall environment  40
  Editing URLs to allow for firewalls  41
  Getting a partner's external connection details  42
  Proxy servers  42
  User interface with proxy servers  42
  Deployment in proxy environment  42
  Forward proxy  43
  Reverse proxy  44
  Run the UI over HTTPS  44
  Configure HTTPS  45
  Switch between HTTP and HTTPS  47
  Data backup recommendations  47
  Document custom configurations  48
  Trade large messages  49
  Disk space  49
  Databases, firewalls and large messages  49
  Considerations by transport  50

3 Network and server administration  52
  System Management page  52
  Open the System Management page  52
  Tabs  52
  Related task links  53
  Add a trading engine node  54
  View and manage nodes  54
  Node status  54
  Add a trading engine node  55
  Start the trading engine node  55
  Stop the trading engine node  55
  Pause/restart pickup message consumption  55
  Configure UI connection  56
  Configure HTTPS  57
  Switch between HTTP and HTTPS  59
  Configure server IP binding  59
  Configure global transport settings  60
  Configure the global external SMTP server  60
  Generate cluster thread dumps  61
  Manage the system throttle  62
  About the system throttle  62
  System throttle management  63

4 Peer network  65
  Can you use peer network?  65
  Peer network overview  66
  Protocols for peer communication  66
  Trading protocols supported for peer cloning  66
  Cloneable objects and their dependent objects  67
  Example architectures  68
  Peer network business use cases  71
  Disaster recovery  72
  Staging environment  72
  Large-scale and global enterprises  74
  Staging for upgrades  75
  Compare peer network and trading network objects  76
  Configure a peer network  77
  Peer network settings  78
  Tabs and fields  79
  Peer rules  80
  Open the Peer partner rules page  80
  Tabs and fields  81
  Peer network cloning restrictions  85
  Manually clone an application delivery  86
  Start the wizard  86
  Wizard page descriptions  86
  Manually clone an application pickup  87
  Start the wizard  87
  Wizard page descriptions  87
  Manually clone a partner  87
  Start the wizard  87
  Wizard page descriptions  88
  Manually clone a trading pickup  88
  Manually clone CPAs  89
  Start the wizard  89
  Wizard page descriptions  89
  Manage duplicate messages in peer network  89
  Have the back-end perform duplicate checking  90
  Use a smart router to direct inbound messages  90
  Log peer network debug events  90
  Track peer messages  91
  Peer Tracker controls  91
  Peer Tracker versus Message Tracker  92
5 Tools and options  93
  Trading engine governance script  93
  Tools in bin directory  93
  Database configuration tool  95
  Document generator  97
  Tools in tools directory  101
  Check the collaboration and action trees  107

6 User interface  110
  Open the user interface  110
  Before logging on the first time  110
  Logon procedure  110
  The toolbar  111
  Navigation aids for the Interchange user interface  112

7 Interchange user administration  114
  Admin user  114
  Manage users  115
  Add a user  115
  Modify a user  115
  Delete a user  115
  Tips to manage users  115
  Change password  116
  Manage roles  116
  View available roles  117
  Add a role  117
  Modify a role  118
  Delete a role  118
  Role permissions  118
  Partner restrictions for roles  121
  Manage multiple partner-restricted roles  122
  Application restrictions for roles  123
  Community restrictions for roles  125
  Advice for PassPort users  126
  Date and time preferences  126
  Global user settings  127
  Session management tab  127
  User security tab  127
  Unlock a blocked user  128
  Manage password policies of transport users  129
  Add, change transport user password policy  129
  Transport users password policy settings  130
  Assign password policy to transport user  131

8 Trading configuration  132
  How configurations work  133
  Communities  134
  Work with communities  136
  Add a community  136
  Modify a community  138
  Use the community search tool  141
  Checklist for community configuration  141
  Partners  142
  Work with partners  143
  Add a partner  143
  Community trading partners  147
  Add a partner to a community  148
  Partner data form  151
  Modify a partner  156
  Delete a partner  158
  Group partners by categories  158
  Use the partner search tool  159
  Application pickups  160
  When to use an application pickup  160
  Work with application pickups  161
  Add an application pickup  161
  Application deliveries  162
  When to use an application delivery  162
  Work with application deliveries  162
  Add an application delivery  162
  Application pickup and application delivery fields  163
  From address and To address wizard fields  164
  FTP (external) transport configuration  166
  FTP (embedded) transport configuration  169
  SFTP (external) transport configuration  176
  SFTP (embedded) transport configuration  180
  File system transport configuration  189
  JMS transport configuration  190
  IBM MQSeries transport configuration  196
  Add an MLLP application delivery  198
  Add an MLLP application pickup  199
  Web Services API pickup and delivery configuration  200
  Pluggable server  202
  Modify an application pickup or delivery  202
  Fields for modifying application pickups and application deliveries  203
  Common fields and tabs  203
  Transport-specific tabs  203
  General fields  203
  Proxy tab  204
  From address and To address tabs  204
  Message attributes tab  206
  EDI splitter tab  207
  Inline processing tab  208
  Schedule tab  208
  Modify an FTP (embedded) pickup or delivery  209
  Modify an FTP (external) pickup or delivery  213
  Modify an SFTP (embedded) pickup or delivery  223
  Modify an SFTP (external) pickup  226
  Modify a file system pickup or delivery  232
  Modify a JMS pickup or delivery  236
  Modify an MQSeries pickup or delivery  240
  Modify a Web Services API server application pickup or delivery  245
  Modify an MLLP application delivery  249
  Modify an MLLP application pickup  252
  File renaming patterns  253
  Community trading pickups and partner deliveries  256
  Work with trading pickups and deliveries  261
  Add a trading pickup  261
  Add a partner trading delivery  262
  Trading pickup and trading delivery fields  263
  View certificates  302
  Add certificate  303
  Remove certificate  303
  View certificates  303
  Add certificate  304
  Remove certificate  304
  Modify a trading pickup  326
  Modify a partner trading delivery  327
  Fields for modifying community pickups and partner deliveries  328
  Routing IDs  408
  Work with routing IDs  409
  Add a routing ID  409
  Modify a routing ID  410
  Message metadata and attributes  412
  Attributes  412
  Metadata uses  413
  Metadata definitions  414
  Metadata for record file management  418
  Add a community attribute  421
  Add a partner attribute  422
  Add or delete message attributes  423
  Message attributes templates  424
  Export and import profiles  426
  Export a community as a partner profile  427
  Export a partner profile  428
  Import a partner profile  428
  Automatic profile imports  429
  Create profiles outside the application  430
9 Embedded transport servers  431
  Concepts  431
  Pages and fields  431
  Types of embedded servers  432
  Global and community-specific servers  432
  FTP and SFTP servers  432
  ODETTE FTP servers  433
  MLLP servers  433
  PeSIT servers  433
  Servers for the user interface  434
  X.400 servers  434
  Usage summary of embedded servers  434
  Manage embedded servers  435
  Types of embedded server pages  436
  UI navigation for embedded servers  437
  Global embedded HTTP server  437
  Lockout settings for cXML (embedded HTTP) users  439
  Set lockout rules  440
  Unlock a blocked user  440
  Modify a global embedded SMTP server  440
  Settings tab  441
  DMZ ports tab  441
  Advanced tab  442
  Set the system property to permit EDI processing  442
  Global embedded Web Services API server  442
  User interface embedded servers  443
  HTTP (embedded) fields  444
  FTP (embedded) fields  446
  Lockout settings for FTP (embedded) server users  452
  Set lockout rules  452
  Unlock a blocked user  452
  SFTP (embedded) server fields  453
  Lockout settings for SFTP (embedded) users  458
  Set lockout rules  458
  Unlock a blocked user  458
  SMTP (embedded) configuration  459
  Modify the configuration  459
  Set the system property to permit EDI processing  461
  OFTP (embedded) fields  461
  Settings tab (without TLS)  462
  Settings tab (with TLS)  462
  DMZ ports tab  462
  Advanced tab  463
  OFTP X.25 over ISDN (embedded) fields  463
  Settings tab  464
  Advanced tab  464
  PeSIT (embedded) fields  465
  Settings tab  465
  DMZ ports tab  466
  Advanced tab  466
  HTTP (embedded) business cases  468
  Case A  469
  Case B  469
  Case C  470
  Case D  471
  Case E  472
  Case F  473

10 Secure Relay DMZ nodes  474
  Can you use DMZ nodes?  474
  Overview of Secure Relay nodes  474
  Types of secure connections  476
  Encryption and authentication keys  477
  Load balancing  478
  Security features  478
  Add DMZ zones  478
  Add a DMZ node  481
  Prerequisites  481
  Add a node  482
  Export the node  483
  Run node as Windows service  484
  Enable port forwarding for an exchange  484
  Steps for port forwarding  485
  Port forwarding details  486
  Configure load balancer or firewall  487
  Configure load balancer  487
  Update load balancer as needed  488
  Configure outbound connection proxy  488
  Open the outbound proxy page  488
  Enable outbound proxy and exceptions  489
  Manage IP address whitelists  490
  How IP addresses are checked  491
  Add, change IP address whitelist  492
  Enable IP address checking  493
  HTTP trading and Secure Relay  493
11 Work with protocols, formats, and standards  494
  Exchanges with applications  494
  Application exchanges managed by Interchange  494
  Managing Interchange exchanges with applications  495
  Exchanges with trading partners  495
  Trading partner exchange types  495
  Managing Interchange exchanges with trading partners  496
  Registration wizard for partners  496
  Additional information for working with protocols, formats and standards in Interchange  496
  AS1 / AS2 partner self-registration  497
  Wizard preparation  498
  Using the partner wizard  499
  AS4  499
  Can you use AS4?  499
  AS4 overview  500
  AS4 messages  501
  AS4 metadata  503
  Message Partition Channels (MPC)  515
  AS4 user authentication  518
  Large message splitting and joining  521
  Enable handling of empty SOAP Body messages  523
  Configure a one-way client pull  524
  AS4 use case: One-way push (MMD initiated)  527
  AS4 use case: One-way pull (MMD initiated)  529
  AS4 tasks  533
  ebXML  545
  Can you use ebXML?  545
  ebXML overview  545
  ebXML message lifecycle  546
  ebXML message metadata  548
  ebXML message metadata documents (MMDs)  552
  Supported ebXML trading transports  558
  Supported ebXML application transports  558
  ebXML message compression  561
  Set up a community for ebXML trading  561
  Send ebXML via an intermediary  562
  Extract KeyInfo element for a CPA  567
  Manage CPAs  567
  Tools for CPAs  570
  STAR BODs with ebXML  574
  HL7 payloads with ebXML  575
  ebXML partner self-registration  576
  ebXML troubleshooting  579
  Email client partners  579
  Procedures  580
  Trade without certificates  580
  Trade with certificates  582
  Send from email partner  583
  HTTP outbound proxy  584
  HTTP security solutions  586
  HTTP (embedded) server  586
  External staged HTTP server  588
  HTTP connection troubleshooting  589
  MLLP  592
  MLLP server configuration  592
  MLLP client configuration  592
  MLLP use cases  592
  Use case 1: Asynchronous MLLP exchanges  592
  Use case 2: Synchronous MLLP exchanges  594
  Add or modify an MLLP application delivery  595
  Add or modify an MLLP application pickup  599
  Add or modify an MLLP trading delivery  602
  Add or modify an MLLP trading pickup  605
  MLLP (embedded) fields  608
  OFTP  611
  Concepts  611
  Procedures  611
  Pages and fields  611
  OFTP overview  612
  TSL support for OFTP2  613
  OFTP transport configuration  617
  Use X.25 with OFTP  628
  Use X.25 over ISDN  632
  X.25 requirements  634
  Configuration outline for X.25  634
  X.25 troubleshooting  635
  Add or edit an X.25/B-ISDN router  635
  X.25/B-ISDN router fields  635
  Modify an OFTP pickup or delivery  637
  PeSIT  651
  Using PeSIT with Axway Transfer CFT  651
  PeSIT limitations and special usages  651
  About your PeSIT license  652
  PeSIT configuration overview  652
  Pickups and deliveries for PeSIT  655
  Manage PeSIT pickups and deliveries  659
  Add or modify a PeSIT application delivery  659
  Add or modify a PeSIT application pickup (embedded server)  667
  Add or modify a PeSIT application pickup (polling client)  670
  Add or modify a PeSIT partner delivery  675
  Add or modify a PeSIT trading pickup (polling client)  684
  Add or modify a PeSIT trading pickup (embedded server)  689
  PeSIT send and fetch using an MMD  691
  PGP secure trading  693
  Can you use PGP?  693
  PGP certificates  693
  Add a PGP pickup or delivery  693
  Manage PGP certificates  695
  PGP collaboration settings  699
  RosettaNet  699
  Can you use RosettaNet?  699
  RosettaNet overview  699
  RosettaNet configuration outline  700
  Add DTD-based PIP  701
  Add schema-based PIP  702
  Configure pipdefinitions.xml file  702
  RNIF metadata elements  707
  Message metadata documents  710
  Special handling of metadata  711
  Trade CIDX messages  714
  Web services  715
  Web Services roles  715
  Interchange Web Services support  715
  Interchange Web Services provider mode  716
  Interchange Web Services consumer mode  716
  Web Services provider configuration overview  716
  Web Services consumer configuration  718
  Web Services collaboration settings  722
  Web Services message protocol  726
  Implement MTOM encoding  730
  Lockout settings for Web Services (HTTP embedded) users  731
  Troubleshoot Web Services configurations  732
  WebSphere MQ configuration  733
  Configuration in MQ Explorer  733
  Configuration of the Interchange environment  733
  WebSphere MQ multiple instances  736
  Set up WebSphere MQ  736
  Set up Interchange  736
  How the multi-instance functions  737
  X.400  737
  Can you use X.400?  738
  Operating system exception  738
  Concepts  738
  Pages and fields  738
  X.400 subsystem  739
  Valid characters for O/R addresses  740
  X.400 trading configuration  740
  Modify an x400 pickup or delivery  744
  X.400 (embedded) servers  751
  MSP7 for an X.400 server  759
  P7 client polling schedules  760
  Remote MTA for an X.400 server  761
  X.400 log events  763
  X.400 glossary  763

12 Certificates and keys  767
  Do you use PGP?  767
  Concepts  767
  PKI description  768
  PKI options  768
  The role of trust in PKI  769
  Scalability  770
  Certificate revocation  770
  Dual-key pairs  770
  Why use encryption and digital signatures  770
  Interchange encryption method  771
  Symmetric key lengths  771
  Public-private (asymmetric) key algorithms  771
  Public-private (asymmetric) key lengths  772
  Support for dual keys  772
  Encryption and signing summary  772
  Outbound documents  772
  Inbound documents  773
  Ensure data integrity and trust  773
  Signature verification  773
  Certificate path validation  774
  Certificate basics  774
  SSL authentication  775
  Distribute certificates to partners  776
  Certificate exchange with Axway partners  776
  Certificate exchange with other partners  776
  Self-signed or CA certificates  777
  When to get certificates  777
  Manage expiring certificates  777
  View expiration dates  778
  Interchange checks  778
  Expiring certificates  778
  Certificate replacement and archiving  778
  Trusted roots  779
  Import root certificates  780
  Auto import intermediate and root certificates  780
  FIPS compliance  781
  Manage certificates  782
  Do you use PGP?  782
  Concepts  782
  Procedures  782
  Pages and fields  782
  Certificates search results page  783
  Certificates pages  786
  Add a certificate  792
  Set up certificates for a community  792
  Generate self-signed certificates  793
  Import Entrust certificate  794
  Import RSA Keon certificate  796
  Import key pair in certificate file  797
  Import certificates for partners  798
  Export a certificate to a file  799
  Globally prohibit exporting private keys  801
  Delete certificate  801
  Manage certificate revocation lists (CRLs)  802
  Analyze certificates for errors  809
  Collect data about certificates  810
  Replace certificates automatically  811
  Do you use PGP?  811
  Concepts  812
  Procedure  812
  Pages and fields  812
  Automatic replacements  812
  Types of CEM messages  814
  SCX details  816
  Send a CEM or SCX request  818
  Track CEM and SCX requests  820
13 Message Tracker  826
  Message Tracker search controls  826
  Message Tracker page  826
  Custom search  827
  Peer Network Tracker  828
  Trading information  828
  Date  831
  Columns  832
  Search with wildcard characters  833
  Search results page  833
  View details of search results  835
  Message details tabbed pages  835
  Search results attributes in pop-up windows  838
  Icons on search results page  841
  Message receipts  841
  Delete, resend, reprocess options  842
  Share saved searches  843
  Manage default search settings  843
  Default menu items  844
  Query restrictions  845
  Peer Network Tracker query restrictions  845
  Collect message attributes  846
  Configure payload view  846
  Force a document type for XML  848

14 Data storage, backups, and purging  849
  Message backup configuration  849
  Backup configuration page field descriptions  850
  States of backed-up files  851
  Backup options and Message Tracker  851
  Back up a community and its partners  853
  Back up a community  854
  Import a backed-up community and its partners  855
  Back up a community as a partner  855
  Community backup as partner procedure  856
  After you back up a community as a partner  856
  Back up a partner  857
  Import a partner  858
  Import a single partner profile  858
  Import all partner profiles found in a directory on the server  859
  After you import a partner profile  860
  Back up and restore a custom configuration  860
  Automatic profile importing  861
  Configure automated Interchange purge  862
  Purge Interchange manually  863
  Parameters  863
  Example  864
  Event logging  864
  Configure event purge  865

15 FTP client scripting interface  866
  Concepts  866
  Reference  866
  Levels of scripting  866
  Edit the command set document  867
  FTP tester tool  868
  Consumer options  868
  Producer options  869
  FTP scripts for Interchange application exchanges  871
  Script comments  871
  Variables  871
  Script execution  873
  Error Suppression  873
  FTP commands  874

16 Test trading  885
  Configure for test trading  886
  Start the test  887
  Troubleshoot email testing  888
  Complete the testing  888

17 Extend and tune your flow configuration  889
  Delivery settings  889
  Add an application delivery setting  889
  Manage application delivery settings  890
  Message Simulator  890
  Uniqueness in Interchange  891
  Unique object names  892
  Message handler  892
  Set up message-processing actions  893
  Define message attributes  895
  Define message actions  897
  Message re-routing  899
  Configure record transformation in message handler  902
  Configure error processing  904
  About error processing  904
  Configure error processing  904
  Post-processing configuration  905
  Post-processing message metadata  906
  Add post-processing elements  906
  Methods for writing scripts  907
  Post-processing events  908
  Post-processing points to consider  909
  Collaboration settings  909
  Search and display collaboration settings  910
  Manage default collaboration settings  910
  Default collaboration fields  911
  Manage community-specific collaboration settings  931
  Manage community-to-category collaboration settings  932
  Community and category collaboration fields  933
  Manage community-to-partner specific collaboration settings  934
  Manage community-to-partner delivery specific collaboration settings  937
  Inbound message validation rules  939
  Configure message validation rules  940
  Validation rules: Duplicate messages tab  940
  Validation rules: Signing tab  941
  Validation rules: Encryption tab  942
  Validation rules: CSOS duplicate orders tab  942
  Validation rules: Web Services tab  943
  Validation rules: AS4 tab  945
  Validation rules: cXML tab  946
  Sequential message delivery  947
  How Interchange manages sequential delivery  947
  Supported protocols  947
  Sequential delivery behavior  947
  Previous message sequence saved as metadata  949
  Empty message handling  949
  Out of sequence behavior  950
  Recovery on shut down  952
  Manual resubmission and sequential delivery  953
  Unique identities in metadata for sequenced messages  953
  Sequential delivery limitations  954
  Use generic MMDs  954
  Outbound messages  955
  Inbound messages  957
18 Staged HTTP  958
  Overview of staged HTTP  958
  Staged HTTP configuration outline  960
  Staged HTTP files to deploy  960
  Log on to servlet UI  960
  Manage mailboxes  961
  Add a mailbox  961
  Partner connection to staged HTTP  962
  Edit, delete, view mailboxes  963
  Global settings  963
  Staged HTTP UI fields  963
  Message protocols for staged HTTP  964
  AS2  964
  ebXML  964
  RosettaNet 1.1 and 2.0  964
  Secure file  964
  File forwarding to bypass polling  966
  High availability staged HTTP  967
  Deploy the web servlet  968
  Deploy on WebLogic  969
  Deploy on Apache Tomcat  969
  Deploy on WebSphere  970

19 Secure file message protocol  971
  Sender and receiver determination  971
  Sender determination  972
  Receiver determination  972
  Outbound packaging  972
  Minimal MIME headers  973
  Frequently asked questions  973
  Curl command  974
  Packaging examples  975
  Secure file signed encrypted request signed ack  975
  Secure file no security  977
  Secure file from curl  978

20 WebTrader  980
  Can you use WebTrader?  980
  Terminology  980
  WebTrader overview  981
  Manage WebTrader partners and users  981
  After you create a WebTrader partner  982
  Add a WebTrader partner  982
  Manage sponsor and trading relationships  984
  Manage trading restrictions  985
  Add a WebTrader user to a partner  990
  Delete a WebTrader user from a partner  991
  Add WebTrader user roles  992
  Set WebTrader password policy  993
  Additional WebTrader user management options  994
  Group WebTrader partners by category  994
  Enable trading with non-WebTrader partners  995
  Use the WebTrader partner search tool  996
  Activate self-registration for WebTrader partners  996
  Manage WebTrader partner and community attributes templates  997
  Create a partner or community attributes template  998
  Modify a partner or community attributes template  999
  Fill in required WebTrader partner attributes  999
  Change the attributes template display order  1000
  Delete partner or community attributes template  1000
  Manage WebTrader document attributes templates  1000
  Create a document attributes template  1001
  Modify a document attributes template  1001
  Change document attribute display order  1002
  Delete a document template  1002
  Activate large message handling  1002
  Activate large message sending for WebTrader partners  1003
  UI behavior for WebTrader users  1003
  File chunking  1004
  Reset standard upload limit  1005
  Monitor WebTrader exchanges  1005
  WebTrader end user browser issues  1005
  Manage unlimited strength JCE policy download issues  1006
  Analyze the issue  1006
  Correct the issue  1006
  Confirm the resolution  1007

21 Axway CSOS  1008
  Can you use CSOS?  1008
  Standards certification  1008
  User validation with PassPort  1008
  Concepts  1008
  Procedures  1009
  Overview of CSOS functionality  1009
  Security  1009
  CSOS in Interchange  1010
  CSOS configuration for sending  1011
  CSOS configuration for receiving  1012
  About CSOS roles  1013
  CSOS WebTrader  1014
  Use the CSOS applet on your web page  1015
  Manage unlimited strength JCE policy download issues  1015
  Sponsor requirements  1016
  WebTrader partner requirements  1017
  Approve CSOS documents in WebTrader  1018
  Turning on HTTP chunking  1020
  Import CSOS signing certificate  1021
  CSOS certificate revocation lists  1021
  Identify CSOS purchase orders  1022
  Order identification tab  1022
  Order sources tab  1024
  Related documents tab  1025
  CSOS duplicate orders tab  1025
  Link EDI 855 PO Acknowledgement to 850 PO  1026
  Sign pending orders  1028
  Configure PKCS#7-encrypted XML trading  1030

22 eSubmissions  1032
  Can you use eSubmissions?  1032
  Concepts  1032
  Procedures  1032
  Overview of eSubmissions  1032
  Configure eSubmissions  1033
  Getting started with eSubmissions  1033
  Add an application pickup  1034
  Add partner-specific collaboration settings  1037
  Complete the FDA partner  1038
  Import root certificate for SSL  1039
  Send messages to the FDA  1039
  FDA WebTrader end user browser issues  1040
  Manage unlimited strength JCE policy download issues  1040
  Analyze the issue  1041
  Correct the issue  1041
  Confirm the resolution  1041

23 Interoperability with other Axway products  1042
  Integrate with Axway Sentinel  1042
  Open the Integrate the trading engine with Sentinel page  1042
  Organization of the page  1043
  Sentinel tab  1043
  Filters tab  1044
  Custom objects tab  1044
  Related tasks list  1045
  About Sentinel filters  1045
  Add or modify Sentinel filters  1046
  Filter expressions  1048
  Integrate with Axway Integrator  1048
  Message picked up from Integrator  1050
  Message sent to Integrator  1051
  Integrate with Axway Gateway  1051
  Axway Gateway configuration  1052
  Interchange configuration  1053
  Integrate with Axway PassPort  1055
  Integration overview  1055
  Functional limitations for PassPort AM  1055
  Database and installation requirements  1055
  Verify PassPort host name  1056
  About PassPort AM component instances  1056
  Steps after installation  1057

24 Track activities and events  1060
  Sentinel  1061
  About Sentinel  1061
  How Sentinel works  1061
  Interchange Tracked Objects for Sentinel  1062
  HeartBeat Tracked Object  1062
  XFBTransfer Tracked Object  1065
  XFBLOG Tracked Object  1083
  Activity tracking and logs  1085
  User interface home page  1085
  Monitor file system health  1085
  Message Tracker  1086
  Alert activity report  1087
  External monitoring of server status  1087
  Create audit files of UI object changes  1089
  Log file tracking  1092
  Real-time viewing of log files  1094
  Set up tail as a Windows option  1095
  Troubleshooting with the log4j file  1095
  Send log files to technical support  1100
  System events  1102
  Event levels  1102
  The events.xml file  1102
  The alerts.xml file  1114
  Event tables  1119

25 Troubleshooting  1139
  Troubleshoot online help  1139
  Use the log4j file for troubleshooting  1139
  Troubleshoot test trading  1139
  Troubleshoot protocols and standards  1139
  ebXML  1139
  HTTP  1139
  SFTP  1140
  Web service  1140
  X.25  1140
  Troubleshoot unexpected Interchange restarts  1140
  Unexpected Interchange restarts  1140
  Analyze restart problems  1140

Glossary  1144

Preface

The Interchange Administrator Guide provides information necessary for configuring and administering Axway Interchange 5.12.

Who should read this guide

This guide is intended for administrators and advanced users who are responsible for the configuration of Interchange for:

- Networks
- Servers
- Databases
- Security
- User accounts and permissions
- Document exchanges with applications and business partners

This guide presumes you have knowledge of:

- Your company's business processes and practices
- Your company's hardware, software, and IT policies
- The Internet, including use of a browser

Other technical or business users may also find parts of this guide useful.

Related documentation

Go to Axway Sphere at support.axway.com to view and download Interchange documentation.

Support services

Go to Axway Sphere at support.axway.com to contact a representative, learn about training programs, or download software, documentation, and knowledge-based articles. The website is for customers with active Axway support contracts. You need a user name and password to log on.


About this guide

This guide describes how to configure and manage Interchange from the user interface.

What's new in Interchange 5.12 — Describes the new features and functional improvements in this release of Interchange. See What's new in Interchange 5.12 on page 28.

About Interchange — Describes use cases, EDI standards, information about how Interchange processes messages, and standards certification. See About Interchange on page 34.

Planning considerations — Describes how to plan for your Interchange installation, including security considerations; firewalls and proxy servers; trading large messages; and documenting custom configurations. See Planning considerations on page 38.

Network and server administration — Describes processing nodes and configuration considerations. See Network and server administration on page 52.

Peer network — If your software license enables peer networking, this chapter describes business use cases, peer network settings, configuration, cloning, managing duplicate messages, and how to track peer messages. See Peer network on page 65.

Tools and options — Describes the tools available for use with Interchange. See Tools and options on page 93.

Interchange user interface — Describes the various components of the UI. See User interface on page 110.

Interchange user administration — Describes how to manage users, passwords, roles, and other configuration settings. See Interchange user administration on page 114.

Trading configuration — Learn about the trading configuration used by Interchange. See Trading configuration on page 132.

Embedded transport servers — Describes the embedded servers provided for use with Interchange. See Embedded transport servers on page 431.

Secure Relay DMZ nodes — Describes Secure Relay and DMZ nodes and zones. See Secure Relay DMZ nodes on page 474.

Work with specific protocols and standards — Describes several of the different protocols and standards that can be used with Interchange. See Work with protocols, formats, and standards on page 494.

Certificates and keys — Describes how Interchange offers true security by providing authentication, confidentiality, integrity and non-repudiation of documents. See Certificates and keys on page 767.

Message Tracker — Message Tracker is a tool in the user interface for monitoring database records of traded messages. See Message Tracker on page 826 for more information.

Backup and restore — Explains and lists the steps for data storage, backing up the data, and purging data. See Data storage, backups, and purging on page 849.


Extend and tune a flow configuration — Describes how to use the features of the Interchange user interface to fine tune your flow configurations. See Extend and tune your flow configuration on page 889.

Staged HTTP — Describes how the staged HTTP transport provides a secure way for communities to receive messages from partners without having to change firewall configurations. See Staged HTTP on page 958.

WebTrader — You can use WebTrader if your software license.xml file enables the webtrader key. See WebTrader on page 980.

CSOS — For licensed users, Interchange supports digital signing and verification of controlled substance orders in compliance with the U.S. Drug Enforcement Administration. See Axway CSOS on page 1008.

eSubmissions — Describes the functionality within Interchange to send large messages to the U.S. Food and Drug Administration. See eSubmissions on page 1032.

Integration with Sentinel, Integrator, Gateway, and PassPort — Learn about the interoperability between Interchange and these products. See Interoperability with other Axway products on page 1042.

Activity and event tracking — Describes the activity reports and system events. See Track activities and events on page 1060.

Troubleshooting — Describes the steps you can take if you are having trouble installing or using Interchange. See Troubleshooting on page 1139.

Accessibility

At Axway, we strive to create accessible products and accessible documentation for all users.

This section describes the accessibility features of the Interchange product and its documentation.

Accessibility features of Interchange

Interchange provides the following accessibility features:

- Keyboard shortcuts on page 26
- Screen reader support on page 27

Keyboard shortcuts

Interchange provides a set of shortcuts for navigating the interface screens and for executing various actions.

Note: To use shortcuts with JAWS, turn off the virtual PC cursor. For more information, see Screen reader support on page 27.

The following table contains a list of keyboard shortcuts that you can use (to do this: press):

- Move forward through selectable objects: Tab
- Move backwards through selectable objects: Shift + Tab
- Multi-select in list boxes (where multi-select is enabled): Ctrl + click
- Multi-select (where multi-select is enabled): Shift + click
- Select/clear check boxes and radio buttons: Space
- Display drop-down box content: Alt + down arrow
- Move cursor within drop-down box: Up arrow / down arrow


Screen reader support

Interchange supports JAWS. Before you can use JAWS with Interchange, you must first configure your screen reader.

As with other screen readers, you interact with JAWS using keyboard shortcuts. Most of the time, you must press the JAWS key in combination with other keys. By default, the JAWS key is the Insert key.

To use the arrow keys and keyboard shortcuts with Interchange, turn off the virtual PC cursor by pressing the JAWS key+Z.

Accessibility features of the documentation

The product documentation includes the following accessibility features:

- Screen reader support on page 27
- Graphic readability on page 27

Screen reader support

- Text is provided as an alternative to displayed images throughout the documentation.
- PDFs are optimized for screen reader navigation.

Graphic readability

- The documentation is very readable on high-contrast displays.
- There is sufficient contrast between the text and the background color.
- The colors used in graphics are designed to be easily distinguishable by people who have color blindness.

What's new in Interchange 5.12

Axway Interchange 5.12 introduces the following new features and functional improvements.

- Product enhancements on page 28
- Documentation enhancements on page 33

Product enhancements

The following product changes have been made:

New Functionality

Platform updates: Operating systems (all 64-bit):
- Windows 2012
- RHEL 7
- AIX 7
Databases:
- DB2 10.5
- Oracle 12c
- MySQL 5.6
- Axway Database 4.6.0
Java: JRE 7
Security: TLS 1.2
See the Interchange Installation Guide for a full overview of supported platforms.

Admin user password change requirement: To enhance product security, when logging into the Interchange user interface for the first time as the admin user, the interface requires you to change the default admin password.


Acceptance of email sender by domain: Email pickups now include an option for accepting inbound email from a POP3 server based on server domain. Wild card characters are supported for defining groups of accepted email sending addresses. See:
- Modify an SMTP (embedded) transport on page 383
- Modify an SMTP/POP (external) transport on page 388

Swagger automatic deployment: Swagger is automatically deployed by the installer to provide a user-friendly interface for REST API operations.

Web Services SOAP header metadata: You can now configure Interchange to generate metadata attributes from the SOAP headers of inbound Web Services messages. The metadata can be used in ways similar to other Interchange-handled metadata.

Sequential delivery: Guarantees the delivery order of distributed messages. The new capability ensures the messages are delivered in a first-in first-out (FIFO) order. For example, this makes certain that a Purchase Order message and an Order Update message are delivered sequentially. This promotes productive and efficient supply chain relationships.

Security governance: Enhanced fine-grained roles and access controls ensure a comprehensive approach to user level permissions and restrictions. Encryption and TLS/SSL are supported throughout the product, as well as password credential encryption.

FTP message processing can now be set to the order of oldest to newest: FTP external pickup configuration now enables you to use the consumption order (consumption timestamp) to determine the message processing order. See "Modify an FTP (external) pickup or delivery" in the Interchange Administrator Guide.

New database / version support: Interchange now supports:
- DB2 10.5
- The use of DB2 HADR in cluster environments.
- Oracle 12c
See "Set up DB2 database" or "Set up Oracle database" in the Interchange Installation Guide.

Audit logging of changes made in the user interface: You can now generate CSV and XML formatted logs of the changes that users perform in the user interface. See Create audit files of UI object changes on page 1089.


Enhanced system throttling of message processing on Interchange nodes: The system throttle can now be manually engaged to enable the system to complete the processing of all currently active messages. See Manage the system throttle on page 62.

Enhanced communication adapters: Communication adapter enhancements have been made to multiple communication protocols including:
- APOP (Email)
- MQ (V8/SSL, Multi-Instance)
- FTP (SAPPEND/SUNIQUE)
- PeSIT
- SMTP (New sender validation allows broader range of sender email addresses)
- Staged HTTP (Updated OS and JRE support)
- FTP/SFTP (Embedded servers upgraded to create events when files are downloaded)

Visibility - Sentinel performance and exchange monitoring:
- More detailed reporting to Sentinel
- Heartbeat information from Interchange
- Improved installation and configuration, including configuration of the backup Sentinel server for notifications
- Sentinel server connection configuration from the Interchange user interface
- Sentinel tracking of WebTrader events - Sentinel now collects information about WebTrader user and administrator actions
- Sentinel Tracked Object evolutions - The number of events reported by the Sentinel Tracked Object for Interchange has been reduced to limit processing load.
See Sentinel on page 1061.


Sentinel tracking of FTP/SFTP customer download events: When a remote partner accesses the embedded FTP/SFTP server to download a file, Interchange now generates and sends an event to Sentinel that indicates one of the following new STATES:
- Downloading
- Downloaded
- Interrupted
- Removed
For additional information about Sentinel tracking of embedded FTP/SFTP server event states, see the Interchange Administrator Guide.

Additional message standards and protocols: New standards support for retail value chain, healthcare, and financial have been added for:
- MLLP
- AS4

AS4 support: Interchange provides support for AS4 message trading with remote partners. This includes support for:
- One-way message push exchanges
- One-way message pull exchanges
- Server-mode AS4 message queuing
- Client-mode polling of remote AS4 server queues
- Large message splitting and joining
- Duplicate message detection
- Message retry and resending
- UserNameToken and X509 user authentication
See AS4 on page 499.

User interface enhancements:
- Enhanced search tools including more granularity for searches of unpackaged protocols
- Improved display controls - Pagination / scalability for displays of thousands of configuration objects
- Updated navigation and help links
- Permission-driven control of users' rights to change/delete all objects
- Flexible trading partner management, with user-defined attributes


Security improvements:
- Access control enhancements - More permissions, controls, and restrictions
- Broader support for encryption and TLS/SSL everywhere
- Broader configuration of encryption on partner and transaction type levels
- PGP enhancements

WebSphere MQ 8.x support: Interchange now provides JARs in support of WebSphere MQ 8.x.

REST APIs: APIs now support a Representational State Transfer (REST) model for accessing processing resources. See the Interchange Developer Guide for more information.

CRL retrieval using HTTPS URLs: You can now configure automated CRL checking and downloading using HTTPS URLs, in addition to the HTTP and LDAP URLs that were already supported.

Axway DB 4.6.0 support: Interchange now supports the use of Axway Database 4.6.0. To use this database, it must be installed using the dedicated Axway Database Installer. See "Set up Axway Database" in the Interchange Installation Guide.

Discontinued Functionality

Platforms: Interchange 5.12 is only supported on Windows, Linux, and AIX. See the Interchange Installation Guide for more details.

32-bit support: From this release, Interchange is installed only in 64-bit mode.

EBICS: Interchange 5.12 does not support EBICS.

ePedigree: ePedigree is not embedded in Interchange 5.12.

Transaction Director: As of this release, Transaction Director is no longer delivered. End-to-end visibility is now provided by Sentinel.

Synchrony Database 4.4: Synchrony Database 4.4.0 is not supported with Interchange 5.12. Users must upgrade to Axway Database 4.6.0.

Persistable event queue: The persistable event queue for Sentinel is no longer supported.

Anonymous user: The anonymous user feature is no longer supported. Instead, a default remote user is included with the deployment. See the Interchange Administrator Guide for more information.


Documentation enhancements

This release of Interchange includes the following documentation changes:

- The documentation set for Interchange has been reorganized and a new standalone installation guide was created.
- Accessibility features, such as alternative tags for images, have been added to each document, as well as a new Accessibility chapter.

1 About Interchange

Interchange provides organizations with a secure, scalable gateway for B2B collaboration. The unified framework helps establish relationships with trading partners, transact business over the Internet, and integrate with back-end systems. The gateway provides flexibility in connecting to partners and legacy systems using widely used protocols, transports, and integration methods. Interchange enables you to organize and automate the flow of electronic documents between participants located both inside and outside your enterprise network.

Interchange can be implemented as a single end-point solution or as a clustered, fault tolerant gateway with unlimited trading partners. The application's user interface integrates gateway management, monitoring and metrics into one view.

Features and services

Interchange provides the following features and services in support of exchanges between participants.

Support for transport protocols

In the Interchange user interface, administrative users configure Community and Partner objects to specify the participants in message exchanges. Administrative users can then select the message protocols and transport protocols that support these exchanges. Additionally, administrative users can define application pickups and application deliveries to specify patterns of interaction with the various applications in the trading community.

Support for trading exchanges

Interchange supports the following trading exchange formats and protocols:

- AS4
- EDIINT AS1, AS2, AS3
- OFTP (V1 and V2) over TCP/IP, X.25, and ISDN
- RosettaNet RNIF (V1.1 and V2)
- ebXML ebMS (V2)
- HL7 MLLP (V1 and V2)
- cXML (V4) [1]
- Web Services (SOAP/REST)
- X.400 over X.25 and TCP/IP (X.420 and X.435 profiles)
- HTTP, HTTP/S, Staged HTTP Web Servlet
- Axway Transfer CFT, and PeSIT
- FTP, S/FTP, FTP/S
- JMS, IBM WebSphere MQ
- WebDAV
- Secure email (via SMTP)
- File System
- WebTrader - WebTrader is a browser-based interface for mailbox-based exchange of files over secure HTTP. Non technically trained end users can send and receive documents, and manage copies of these exchanges from a user-friendly interface.
- Software Development Kit for custom protocols

Note [1]: cXML V4.0 protocol is currently in beta status. (Limited tests have been done. Available upon request only.)

Support for security protocols

Interchange supports the following security protocols:

- SSL 2.0, 3.0
- TLS 1.0 - TLS 1.2
- SSH 2.0 (client authentication)
- S/MIME
- PGP
- Certificates (X509, PGP) with CRL, CSR, CEM, and OCSP support
- FIPS
- NIST 800-52
- Encryption: RC2, RC4, DES, 3DES, AES
- Signature: MD5, SHA-1, SHA-256
- Algorithms for key exchange: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1.

Message services

Interchange provides the following message-handling services:

- Integration with back-end applications
- Message identification based on one or more exchange attributes, standards, identifiers, or individual content.
- Multiplication (duplication)
- Message routing
- Message handling can be extended with optional processing of inbound or outbound messages based on metadata attributes and actions. Interchange enables you to set up conditions to:
  - Copy messages to parties other than the sending or receiving party
  - Re-route messages from one partner to another
  - Prohibit re-routing of messages
  - Reject messages
  - Perform custom processing using your own Java class
  - Generate notifications

Message handling involves performing message actions. Message actions are triggered by single or multiple conditions, which are a combination of attributes and operators. For example, you can specify that whenever a community sends a message to partner A, a copy is sent to partner B.

Message actions can be applied to inbound and outbound messages. For inbound messages, message actions are applied after a message has been validated, unpackaged and parsed, but before the payload is sent to a back-end system via an application transport. For outbound messages, message actions are applied after a document has been picked up from the backend, but before it has been packaged.

Trading partner management

Interchange provides the following trading partner management services:

- Community definitions – A community represents your local way of grouping trading partners. It defines your organization’s internal processes for handling messages. It also defines how your community expects to receive messages from partners. The local information is used by your system to set document back-up options, tune system performance, and integrate with back-end systems. While these settings are significant to you, they are not relevant for your partners.
- Ramping, in-Life, and decommissioning management.
- A registration wizard helps members of a community generate partner information for trading. This functionality is for partners who want to trade via AS1, AS2, ebXML, or WebTrader. The wizard prompts a user to supply the information Interchange needs to build a valid partner.
- Security certificate management – Interchange offers true security by providing authentication, confidentiality, integrity, and non-repudiation of documents. Interchange uses state-of-the-art cryptography to ensure the security of the documents that are exchanged over the Internet.
- Role-based access – Users and roles enable administrators to add and manage ranges of user permissions. Roles define the permissions users have for performing tasks. Roles can be defined with few or many permissions. Each user should be assigned at least one role, although it is possible to assign multiple roles to a single user.


Security services and operations

Interchange provides the following security-related features:

- Signing – Interchange supports digital signatures. Signing is a mechanism by which a message is authenticated, proving that the message is effectively coming from a given sender.
- Encryption – Interchange uses a combination of public-private key encryption (asymmetric encryption), and symmetric key encryption. This hybrid system uses the best characteristics of each method and minimizes the shortcomings of each. It follows the widely adopted S/MIME standard for securing messages.
- SSL authentication – Interchange optionally allows certificates to be used for authenticating the identity of trading partners. Secure Sockets Layer (SSL) protocol authentication provides an added layer of security to trading relationships.

Visibility

Interchange provides the following visibility-related features:

- End-to-end visibility – There are a number of ways to monitor system activity. Methods are available through the user interface and log files. The user interface methods are easier to use and understand than the log files, which are designed for software developers or advanced users. The user interface has tools for monitoring various types of system activity.
- Alerts/Events – Each product generates events and alerts that aid in tracking abnormal or unexpected behavior across the system. Alerts and events are written to log files.

Standards certification

The Interchange trading engine has been certified for interoperability for AS1, AS2, AS3, AS4, and ebXML. See http://www.drummondgroup.com for a list of software the trading engine has been tested with successfully for interoperability.


2 Planning considerations

The practices described in this section are recommended to make production operations, upgrading, and disaster recovery easier.

- Security considerations on page 38
- Firewalls and proxy servers on page 39
- User interface with proxy servers on page 42
- Run the UI over HTTPS on page 44
- Data backup recommendations on page 47
- Document custom configurations on page 48
- Trade large messages on page 49
- See also: Peer network on page 65

Security considerations

To ensure the integrity of data, the following security measures are recommended in addition to your company's own security policies. Although risks are possibly remote, failure to institute minimum security measures may result in compromised data.

- Do not install or run Interchange under a privileged account. This includes root in UNIX and administrator or system accounts in Windows.
- Do not view a binary document that has been received by Interchange without first scanning the document for viruses.
- Institute a policy for periodically changing the password for logging on to the user interface.
- Control access to the computer running Interchange to authorized users.
- If you use an external database on a different computer than the one running Interchange, control access to the database computer to authorized users.
- If you manually distribute your digital certificates to trading partners, do so via a secure means. Encourage your partners to do likewise. If you send certificate files as email attachments, compressing the files with WinZip or another such tool is recommended.


Firewalls and proxy servers

Many organizations have firewalls to prevent unauthorized access to their computer networks. A firewall is a server placed outside of a network. The firewall intercepts all inbound connections from the Internet, allowing only authorized users to connect to a server on the organization’s network. In addition, a firewall may limit the outbound connections you can make.

It is likely you or your partners have firewalls to guard against unauthorized connections. You must take firewalls into account when configuring Interchange.

Moreover, your network may require outbound HTTP messages to the Internet to go through a proxy server on your network. On rare occasions, the messages you send may have to go through a proxy server on your partner’s network.

Caution

Message trading can fail if firewalls or proxy servers are not considered when configuring Interchange. This is a common issue for new users. Consult with your network administrator if you need help with firewalls or proxy servers.

The following figure shows where a firewall or proxy server could be located in proximity to your or your partner’s network.


The following are guidelines for outbound and inbound traffic.

- Outbound – As a general rule, your firewall must be configured to allow outbound HTTP traffic on the port you specify in the URL for your partner (for example, 4080). Your partner's firewall must be configured to allow inbound HTTP traffic on the port you specify.

  In highly secure environments you may want to set up firewall rules that only allow outbound HTTP traffic on this port to the IP address of your partner. However, this imposes a firewall maintenance burden on you if your partner's IP address changes or if you add partners. The same applies to your partners if they choose to configure their firewalls to allow inbound traffic only from specific IP addresses.

- Inbound – The firewall considerations for inbound traffic are similar to those for outbound traffic. You can allow blanket inbound traffic on a particular port such as 4080 or you can specify per-partner firewall rules based on the IP address of each partner who connects to you. Specifying partner-specific inbound firewall rules provides a high level of protection against denial-of-service attacks. As with partner-specific outbound firewall rules, however, it imposes a firewall maintenance burden if the partner’s IP address changes or if you add partners.

Note: If your software license supports DMZ nodes, your configuration can be different. See Secure Relay DMZ nodes on page 474.

As part of normal operation, the operating system's socket layer dynamically allocates a local port for each outbound connection you make. This requirement is a fundamental part of socket-based protocols such as Telnet, FTP and HTTP. It is not specific to Interchange. For example, if an outbound connection is made to an HTTP host on port 4080, the operating system allocates a dynamic port for the client's end of the connection. This can be seen by running the netstat -an command on the client after the outbound connection is established. If your firewall is so strict that it checks the ports in each packet that passes through it, you must configure the firewall to allow packets containing dynamic ports associated with local addresses. These are typically in the range of 49152 to 65535 with most operating systems, but on some systems the range is 1024 to 65535. These dynamic ports are associated only with outbound connections. It is not necessary to allow new inbound connections on these ports.

Interchange in a firewall environment

The following figure depicts a standard architecture for deploying Interchange in an environment where firewalls are present. To maintain document and back-end security throughout the entire process, we recommend placing the transport servers in a demilitarized zone (DMZ) and Interchange in the data layer. A DMZ is the area between an organization’s trusted internal network and an untrusted, external area such as the Internet.

If you place Interchange in the DMZ, take precautions to move the decrypted documents out of the DMZ to a secure location. You can accomplish this any number of ways. The method usually depends on your back-end needs and choice of integration options.


Editing URLs to allow for firewalls

If you use the embedded HTTP or HTTPS inbound transport in your community, you may have to make sure your partners have the right URL. This is because the URL Interchange uses may not be the one your partners need to send documents to you through your company’s firewall or load balancer or both.

When you configure the embedded HTTP or HTTPS inbound transport, the default local URL is in the following format:

http://<cluster machines>:4080/exchange/<routing ID>

https://<cluster machines>:4080/exchange/<routing ID>

The local URL contains the internal name (cluster machines) for the computer running Interchange. You cannot change the local URL. If you installed Interchange behind a firewall or load balancer, you must make sure your partners have the correct public URL to send you documents. Values such as the host, port and path in the public URL may be different than the internal values because of remapping performed by the firewall or load balancer.

Depending on your transport, your partner needs a URL in the following format:

http://<fully qualified domain name or IP address>:4080/exchange/<routing ID>

https://<fully qualified domain name or IP address>:4080/exchange/<routing ID>

You may have to contact your company’s firewall administrator to obtain the correct public URL.


You can change the URL for partners on the transport maintenance page of the user interface. After confirming the URL is correct, you can export your community profile for your partner to import as a partner profile. The external URL is contained in the partner profile.

A similar consideration applies to embedded FTP servers. You must specify the external public host and port in the server settings.

Getting a partner’s external connection details

If you must send documents via HTTP or FTP, contact your partner to determine the correct external host, port and path (if applicable) for connecting to the partner’s server. If your partner uses Interchange 5 or later, the partner may already have provided the correct public URL in the profile the partner sent you to import as a partner on Interchange.

Ask the partner for the external name or IP address and port number for each transport protocol you intend to use.

From the Partners page, select the partner and open the maintenance page for the transport for sending messages to the partner. Make sure the URL for sending is correct on the Settings tab. Enter a user name and password to connect if required.

Proxy servers

If your network requires all outbound HTTP traffic to navigate a proxy server to access the Internet, you can enable this for the community. For more information see HTTP outbound proxy on page 584.

User interface with proxy servers

The following topics are for system administrators who must deploy Interchange in a network environment where end-user browsers make HTTP connections through proxy servers.

- Deployment in proxy environment on page 42
- Forward proxy on page 43
- Reverse proxy on page 44

Deployment in proxy environment

Interchange has a web-based user interface served by a built-in servlet container. When the server is running, it listens for HTTP connections on port 6080.


Interchange can be deployed in a network environment where proxy servers are used to enhance security, caching or logging. Two typical proxy server implementations are described: forward proxy and reverse proxy.

Forward proxy

In a forward proxy configuration, the web proxy server is used within a company’s local area network behind a firewall or in the DMZ. Path A in the following figure illustrates that browser users connect to internal and external servers via a proxy server behind a firewall. Usually as a matter of policy, all browsers in the company are configured to go through the proxy server to connect to internal and external web servers. A browser can be configured to bypass the proxy server (path B in the figure), but this probably would go against policy.

The web proxy server might be set up inside the firewall, as in the figure, or in the DMZ. If inside the firewall, the proxy server is configured to route internal HTTP traffic directly to the servers. It does this based on the domain name or IP subnet. If in the DMZ, the browser is configured to route HTTP to the proxy when an Internet server is detected.

Interchange can be deployed in a forward proxy environment. While this does not require modifying browsers, adjustments are required for the proxy server.

The proxy server needs to be configured to restrict hosts to Interchange domains. It also must be configured to provide direct access to internal web servers.


Reverse proxy

In a reverse proxy configuration, the web proxy server is in the DMZ as shown in the following figure. It provides a secure path for external client browsers through the firewall to the internal web server. The external users address their browsers to the proxy host name and port number and might use the secure HTTP protocol, HTTPS. The proxy server translates external browser requests to the host name and port number on the inside of the firewall.

To deploy Interchange in a reverse proxy environment, configure the proxy with reverse mapping. Consult with the proxy server administrator or see the proxy documentation for how to configure the mapping. For example, consider a situation where the server runs on HostA port 6080 and the proxy server runs on HostB port 8080. In this case external browsers would use the following URL to connect to the server on the inside: http://HostB.collaborationsoftware.com:8080.
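The reverse mapping described above, as an added example that is not part of this guide or of Interchange: a small Python model of the URL rewrite a reverse proxy performs. It uses the HostA and HostB names and ports from the example above; the HTTPS variant, where the proxy terminates TLS on port 443, is an assumption added for illustration. The same mapping run in the opposite direction is what a proxy applies to redirect Location headers returned by the internal server, so that browsers are never sent to the internal host name.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed for this example: external users address HostB port 8080,
# the proxy forwards to Interchange on HostA port 6080 (hypothetical hosts).
EXTERNAL = ("http", "HostB.collaborationsoftware.com", 8080)
INTERNAL = ("http", "HostA", 6080)
# Variant where the proxy terminates HTTPS on the default port 443 (assumed).
EXTERNAL_TLS = ("https", "HostB.collaborationsoftware.com", 443)


def _default_port(scheme):
    return 443 if scheme == "https" else 80


def _rewrite(url, src, dst):
    """Rewrite scheme, host and port of url from src to dst, keeping path,
    query and fragment. URLs that do not point at src are returned unchanged."""
    parts = urlsplit(url)
    src_scheme, src_host, src_port = src
    if (parts.scheme != src_scheme
            or (parts.hostname or "").lower() != src_host.lower()
            or (parts.port or _default_port(parts.scheme)) != src_port):
        return url
    dst_scheme, dst_host, dst_port = dst
    netloc = dst_host if dst_port == _default_port(dst_scheme) else f"{dst_host}:{dst_port}"
    return urlunsplit((dst_scheme, netloc, parts.path, parts.query, parts.fragment))


def to_internal(url, external=EXTERNAL, internal=INTERNAL):
    """The rewrite a reverse proxy applies to an incoming browser request."""
    return _rewrite(url, external, internal)


def to_external(url, external=EXTERNAL, internal=INTERNAL):
    """The reverse rewrite applied to a Location header from the internal server,
    so that browsers are never redirected to the internal host name."""
    return _rewrite(url, internal, external)


if __name__ == "__main__":
    for u in ("http://HostB.collaborationsoftware.com:8080/ui",
              "https://HostB.collaborationsoftware.com/ui/login?next=%2Fui"):
        ext = EXTERNAL_TLS if u.startswith("https") else EXTERNAL
        print(u, "->", to_internal(u, external=ext))
    print("http://HostA:6080/ui/home", "->", to_external("http://HostA:6080/ui/home"))
```

Pass your own (scheme, host, port) tuples to model other hosts; the actual mapping must still be configured in the proxy product itself, as the text says.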


Run the UI over HTTPS

The default way for browsers to connect to the application server's user interface is via HTTP. Typically, the URL a browser uses to connect is http://<host>:6080/ui, where <host> is the name or IP address of the computer running the server. Optionally, you can have browsers connect instead via HTTPS (HTTP over SSL). You can also allow connections via HTTP and HTTPS at the same time. The following sections explain how to configure this.


Configure HTTPS

Use this procedure to configure the server so that browsers can log on to the user interface via HTTPS.

1. Click System management on the toolbar in the user interface to open the System management page.

2. Click Configure UI connection to open the Configure UI connection page.

If you are opening the page for the first time, the connections via HTTP option is already configured by default. You can leave the page as-is or add a configuration for connecting via HTTPS. You cannot disable connections via HTTP until you have configured HTTPS. Once HTTPS has been configured, you can return to this page and select to have browsers connect via HTTP or HTTPS or both.

3. On the General tab, select UI connections made via HTTPS.

Although port 6443 is suggested, you can change the number as your situation requires.

4. If you want port forwarding for the user interface, select the DMZ ports tab. Select to enable port forwarding for HTTP or HTTPS or both. See Secure Relay DMZ nodes on page 474 for more information about port forwarding.

This option is available only if your software license supports DMZ nodes functionality.

5. Optionally, select the checkbox for overriding cipher suites. The following describes this feature.

Override SSL and TLS cipher suites

Select this checkbox to specify, using the Add and Remove buttons, the specific cipher suites supported for the embedded server. If not selected, all cipher suites are supported by default. The default is less secure than specifying only certain cipher suites.

The default order in the Available column is the preferred order of use. Once ciphers are moved to the Selected column, you can arrange the order. Interchange uses the ciphers in the order listed.

A cipher suite is a collection of security algorithms used to make connections via Secure Sockets Layer (SSL) or Transport Layer Security (TLS). For example, an SSL or TLS protocol requires signing messages using a message digest algorithm. However, the choice of algorithm is determined by the particular cipher suite being used for the connection. Typically, you can select an MD5 or SHA digest algorithm.

Of the many algorithms for encrypting data and computing the message authentication code, there are varying levels of security. Some provide the highest levels of security, but require a large amount of computation for encryption and decryption. Others are less secure, but provide rapid encryption and decryption. The length of the key used for encryption affects the level of security. The longer the key, the more secure the data.

The checkbox for overriding cipher suites lets you select the level of security that suits your needs and enables communicating with others who might have different security requirements. For example, when an SSL connection is established, the client and server exchange information about the cipher suites they have in common. Then they communicate using the common cipher suite that offers the highest level of security. If they do not have a cipher suite in common, secure communication is not possible.

In versions of Interchange earlier than 5.9, cipher suites configuration was handled by a file named sslciphersuites.xml. As data in that file is saved in the database, the custom cipher suites configuration is retained upon upgrading and is displayed in the Selected list under the checkbox in the user interface. The sslciphersuites.xml file is no longer used.

6. Click Save.

7. Select the Personal certificates tab and click Add a certificate to open the certificate wizard.

You can add a self-signed or a CA certificate. The certificate has a public-private key pair. The certificate is used to secure connections between browsers and the server.

If you choose to add a self-signed certificate, you can accept all default values in the certificate wizard.

The steps for adding a server certificate are the same as adding a certificate for a community profile. See Add a certificate on page 792 for more information.

After adding the certificate, the General tab displays again.

8. Select the Personal certificates tab again. The certificate you added in step 7 is listed. You can click the certificate's name to display details.

9. If there is more than one certificate, select the certificate you want as the default and click Save.

10. On the General tab, check again that UI connections made via HTTPS is selected.

11. If you are configuring HTTPS and have selected Require client authentication, select the Trusted roots certificate tab and add a trusted root certificate.

With this option, the server requires the user's browser to send a certificate back to the HTTPS server. The HTTPS server must trust the certificate returned by the browser client. If a browser user has a CA-issued certificate for authentication, you only must trust the root CA certificates. If a browser user has a self-signed certificate, the user must export the certificate and public key to a file and give you the file. You then must import the certificate file.

12. To complete the configuration, you must do one of the following:

• Restart the server. If you operate multiple computers in a cluster, restart all servers.

or

• Restart all nodes and the user interface. Go to the System management page and click Stop all nodes. On the Stop all nodes page, click Restart all nodes and Yes, include the user interface. Click Stop/restart. Note that restarting the user interface ends your browser session.

13. Inform users of the URL needed to connect from a browser to the user interface. If you use the suggested port, 6443, the URL is https://<host>:6443/ui where <host> is the fully qualified domain name or IP address of the computer running the server.
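The cipher suite selection described under step 5, as an added example that is not Interchange code: a Python model of the negotiation between a browser and the embedded server. The suite lists are constructed in IANA naming and are not Interchange's defaults. Selection follows the server's Selected order, which reflects the statement that Interchange uses the ciphers in the order listed; the weak-suite filter keys on the NULL, EXPORT, RC4, MD5 and DES markers and is an assumption of this example, not a product setting. local_openssl_suites() lists what the local OpenSSL build enables by default, as a rough picture of what a client offers.

```python
import ssl

# Constructed suite lists in IANA naming; these are NOT Interchange's defaults.
# The order of SERVER_SELECTED models the Selected column: first entry is preferred.
SERVER_SELECTED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
MODERN_CLIENT = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]
LEGACY_CLIENT = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# Markers of algorithms an administrator would normally leave out of the Selected
# list (assumption of this example, not a product setting). "DES" also catches 3DES.
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "MD5", "DES")


def is_weak(suite):
    """True if the suite name carries one of the weak-algorithm markers."""
    name = suite.upper()
    return any(marker in name for marker in WEAK_MARKERS)


def filter_weak(suites):
    """Drop weak suites while keeping the administrator's preference order."""
    return [s for s in suites if not is_weak(s)]


def negotiate(server_preference, client_offered):
    """Model of the handshake outcome: the first suite in the server's order that the
    client also offers, or None when there is no suite in common (no secure session)."""
    offered = set(client_offered)
    for suite in server_preference:
        if suite in offered:
            return suite
    return None


def local_openssl_suites():
    """Suite names the local OpenSSL build enables in a default client context, as a
    picture of what a typical client offers (names are in OpenSSL, not IANA, format)."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]


if __name__ == "__main__":
    hardened = filter_weak(SERVER_SELECTED)
    print("modern client ->", negotiate(hardened, MODERN_CLIENT))
    print("legacy client ->", negotiate(hardened, LEGACY_CLIENT))
    print("legacy client, server without CBC ->", negotiate(hardened[:2], LEGACY_CLIENT))
    print("weak suites a legacy client offers:", [s for s in LEGACY_CLIENT if is_weak(s)])
    print("local OpenSSL enables", len(local_openssl_suites()), "suites")
```

The third case in the demonstration is the situation the text warns about: once the Selected list contains only modern suites, a client limited to older suites has nothing in common with the server and cannot log on, so narrow the list with the browsers your users actually run in mind.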


Switch between HTTP and HTTPS

Once connections via HTTPS have been configured, you can return to the UI configuration page and select to allow browser connections via HTTP or HTTPS or both.

If you change the configuration, click Save. You also must do one of the following:

• Restart the server. If you operate multiple computers in a cluster, restart all servers.

or

• Restart all nodes and the user interface. Go to the System management page and click Stop all nodes. On the Stop all nodes page, click Restart all nodes and Yes, include the user interface. Click Stop/restart. Note that restarting the user interface ends your browser session.

Data backup recommendations

The following lists recommended practices for backing up application files and external databases. These guidelines cover regular operation of Interchange and before upgrading to a new version or service pack.

Although broad in scope, these practices are intended to avoid worst-case issues that may arise in a production environment or when upgrading.

1. Back up the installation directory on a regularly scheduled basis. Follow your company's policy for data backups or make up your own backup schedule. If you store data in one or more directories other than common\data, back up those, too.

If you use Windows, turn off the server before backing up files. This is recommended because Windows locks files in use by an application, which prevents files from being copied while locked. UNIX and Linux systems do not lock files.

2. Back up the external database on a regularly scheduled basis. Schedule database backups to occur at about the same time as file system backups. For the trading engine, it's important to synchronize these backups because the database references certificate data in the common\conf\keys directory.

3. Export the private keys for the encryption, signing, and SSL certificates for each community profile. Keep the key backups in a secure location.

4. Before upgrading to a new version or service pack, do the following:

a. Turn off the server. All processing must be halted before upgrading.

b. Back up files as described in step 1.

c. Back up the external database as described in step 2.

d. Back up private keys as described in step 3.


Unless data are backed up before upgrading, you cannot revert to the previous version if the need arises. Even with proper backups, retreating to the state before the upgrade may be difficult or impossible due to hardware or software issues unique to your network. In the worst case, you may have to re-install the application and begin anew with a fresh database.
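Steps 1 through 4 above, as an added Python example that is not an Axway tool: it archives the installation directory and any additional data directories into one timestamped archive, records a SHA-256 checksum beside it, and verifies the archive before you rely on it. The directory layout built in demo() is constructed for the example. The database backup (step 2) and the private-key export (step 3) are done with your database tools and the Interchange user interface respectively, not by this script, and on Windows the server must be stopped first, as step 1 notes.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Stream the file through SHA-256 so large archives do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_install(install_dir, backup_root, extra_data_dirs=(), label=None):
    """Archive the install directory plus any data directories kept outside
    common/data (step 1). Returns the archive path; a .sha256 file sits beside it."""
    install_dir = Path(install_dir)
    backup_root = Path(backup_root)
    backup_root.mkdir(parents=True, exist_ok=True)
    label = label or time.strftime("%Y%m%d-%H%M%S")
    archive = backup_root / f"interchange-{label}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(install_dir), arcname=install_dir.name)
        for extra in map(Path, extra_data_dirs):
            tar.add(str(extra), arcname=f"extra-data/{extra.name}")
    Path(f"{archive}.sha256").write_text(f"{sha256_file(archive)}  {archive.name}\n")
    return archive


def verify_backup(archive):
    """Recompute the checksum and list the members. Raises on a corrupt or
    tampered archive; returns the member names so callers can confirm that
    common/conf/keys and the data directories really made it in."""
    archive = Path(archive)
    recorded = Path(f"{archive}.sha256").read_text().split()[0]
    if recorded != sha256_file(archive):
        raise ValueError(f"checksum mismatch for {archive}")
    with tarfile.open(str(archive), "r:gz") as tar:
        return tar.getnames()


def demo():
    """Build a constructed sample install tree, back it up and verify it."""
    root = Path(tempfile.mkdtemp(prefix="ic-backup-demo-"))
    inst = root / "Interchange"
    keys = inst / "common" / "conf" / "keys"          # referenced by the database
    keys.mkdir(parents=True)
    (keys / "keystore.bin").write_bytes(b"constructed sample, not a real keystore")
    data = inst / "common" / "data"
    data.mkdir()
    (data / "msg.dat").write_bytes(b"constructed message payload")
    extra = root / "otherdata"                          # a data dir outside common/data
    extra.mkdir()
    (extra / "archive.dat").write_bytes(b"constructed extra data")
    archive = backup_install(inst, root / "backups", extra_data_dirs=[extra])
    return verify_backup(archive)


if __name__ == "__main__":
    for member in demo():
        print(member)
```

Schedule the script alongside the database backup so that the file system and database copies are taken at about the same time, as step 2 recommends, and keep the .sha256 file with the archive so a restore can be checked before it is attempted.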

Document custom configurations

Managing Interchange typically involves making custom changes to fit your processing needs. This can mean editing system files or adding your own scripts and Java classes for purposes such as post-processing, in-line processing, parsing, pluggable transports or other custom changes.

The extent of custom changes depends on the complexity of your configuration. Regardless of the complexity, the best practice is to document your changes and keep copies of custom scripts or code files.

Interchange provides a file system directory to help in documenting custom changes. The directory is <install directory>\site. A readme text file there provides an overview. An advantage of using the site directory is that upon upgrading to a new version, the contents of the site directory from the old installation directory tree are copied to the new version as part of the installation process.

The site directory has subdirectories with the following recommended uses.

• bin – Store copies of your post-processing scripts, other scripts or executable files. Where possible in the user interface, use a relative path to point to this directory (for example, for a post-processing script). After upgrading to a new version, you do not have to alter the path in the UI.

• conf – Store copies of custom configuration files. Your source code should refer to this directory as /site/conf.

• doc – Store text documents containing notes about custom changes. These can be notes about any changes that would be a useful reference for someone performing an upgrade or disaster recovery.

For example, if you edit the alerts.xml or events.xml file in <install directory>\conf, document the changes in a text file and save it here. When upgrading, use the notes to make the same changes to the alerts.xml or events.xml in the new version.

Note that it is not recommended to make backup copies of changed system files for the purpose of substituting the backed up files for ones in a newly installed application. This is because system files may have been changed by the software developers between an old and new version of the application. This is especially true of the filereg.xml file. The filereg.xml file installed with a new version should always be used.

Custom changes for some values in system files do not require documenting because they are forwarded during an upgrade by the application installer. This includes the commonPath entry from filereg.xml.


• JARs – Store Java archive (JAR) files and class files for in-line processors, pluggable transports, JMS, and custom parsers. Any classes in this directory are included automatically in the classpath before <install directory>\jars. This includes JAR files; there is no need to explicitly add them to the classpath.

• webapps – Custom web applications developed by users that are to be deployed upon server startup.

Trade large messages

Although Interchange has no inherent limitations on the size of the messages it can process, a number of factors – singly or in combination – can affect the capacity for handling large documents.

Interchange can handle very large messages of 2 gigabytes or more. But external factors can limit the size of messages you can exchange with partners. Such factors can include available disk space and RAM and network hardware, including computers, routers, load balancers and firewalls. These factors not only can affect your system, but your partners’.

The following topics are points to consider if you want to trade very large documents.

Disk space

Disk space requirements can become very large because Interchange creates multiple copies of each message.

The temporary directory, generally located on the local file system, must be large enough to contain multiple copies of each message. See the Interchange Installation Guide, Temp directory requirement.

The backup directory, generally located on a network file system when running in a cluster, must be large enough to hold multiple copies of each message. For example, by default a backup is kept of both the raw “consumed” file and the “packaged” or “unpackaged” file, depending on whether you are sending or receiving. These copies may remain in the backup directory for many days, depending on the purge interval.

The storage associated with the integration pickup and delivery exchanges must be sufficient to hold one copy of each message that is sent or received.

Databases, firewalls and large messages

Since the contents of messages are stored on the file system and not in the database, there is no need to allow additional database space to handle large messages. However, if you are trading a large volume of messages, this can be a consideration because a fixed amount of storage is required in the database for each message.


If you have a firewall between Interchange and the database and you trade large messages that request synchronous AS2 receipts, you must do one of the following to avoid database errors while waiting for synchronous receipts:

• Change your firewall idle time-out to allow connections between Interchange and the database to remain open and idle for at least as long as it takes for the synchronous re