Getting started with SFTP (Offline Dataprovisioning)
This section describes how to make a successful connection to the SFTP endpoint. Its objective is to guide the bank through key management, file creation, and a successful connection and delivery of the file in both the test and the production (PRD) environments.
Endpoints
| Environment | Endpoint URL |
|---|---|
| Sandbox | Provided via MSafe after being requested |
| Production | Provided via MSafe after being requested |
Getting Connected
SurePay operates in two environments: a Sandbox environment (ACC) and a production (PRD) environment.
- The connection is established to the Sandbox environment first. This intermediate stage verifies that the data provided by the customer is processed as expected and that the responses are of the expected quality.
- The onboarding process is the same for both environments. After completing the connection to the test environment, the same steps have to be followed to enable the connection to the Production environment.
1. Share public key via MSafe
- For the connection to be established, we need to set you up on MSafe, which facilitates the secure transfer of keys and customer credentials. Please ensure that you have provided your contact information (Name - Email - Phone number) to service@SurePay.nl.
- After we set you up on MSafe, you will receive an email from MSafe confirming that you have been added to the shared folder.
- To establish the connection, we'll require one public key from you: an SSH (public) key.
- SSH key creation: SSH keys are a pair of cryptographic keys used for secure communication and authentication between the bank and SurePay's systems.
- To generate the SSH key, enter the following command on the command line:
Command for SSH Key generation
$ ssh-keygen -P "" -t rsa -b 4096 -f bankname
- Replace 'bankname' with your bank's name. Note that -P "" creates the private key without a passphrase, so keep the file readable only by your own user.
- When you generate an SSH key via the command line, the key pair is typically stored in a hidden folder called .ssh in your user's home directory; with the -f bankname option shown above, the two files are written to the directory you ran the command from instead. You will find two files:
- bankname: This is your private SSH key. It must be kept secret and never shared.
- bankname.pub: This is your public SSH key, which you can share with us to enable access securely.
- After it is created, share the public key (bankname.pub) with us via MSafe in the designated folder.
2. Connect to the SFTP endpoint
- We will provide you with the necessary items to perform the connection via MSafe:
- SFTP account credentials will be shared: username and password.
- You will receive a 4096-bit public GPG key for data encryption.
- We will provide the hostname and port details for the SFTP server.
- To connect to our testing SFTP server using the command line, follow these steps:
- Open your terminal or command prompt on your local machine.
- Use the 'sftp' command followed by the port using the '-P' option, the username and SurePay's hostname:
Command line
sftp -P PORT_NUMBER username@sftp.surepay.com
- Replace PORT_NUMBER with the actual port number and username with the username provided via MSafe.
- As this is your first time connecting to the SurePay SFTP server, you need to accept SurePay's host key. Type "yes" to accept it. If you have received the server's host key fingerprint out of band, compare it with the one shown before accepting.
- You'll then be prompted to enter your SFTP password (provided via MSafe). Enter the password associated with your SFTP account.
- Once you're connected, you can navigate the SurePay server using SFTP commands. For example, you can use ls to list files on our remote server and get or put to transfer files between your local machine and SurePay.
3. Create GPG key for signing and metadata.json
- Create a GPG signing key and upload it into the root folder.
- GPG signing uses the private key of the GPG key pair to generate a digital signature for a file or message. This signature provides a way to verify the authenticity and integrity of the data.
- To generate the GPG key, save the following key parameters in a file named config, then run the two commands below on the command line. The first command creates the key; the second exports the public key.
Command line
%echo Generating a default key
Key-Type: default
Key-Usage: sign
Key-Length: 4096
Name-Real: signingkey.bankname.com
Name-Email: operations@bankname.com
Expire-Date: 2y
Passphrase: xxxxxxxxxxxxxxxxxx
%commit
%echo done
$ gpg --batch --gen-key config
$ gpg --export -a "signingkey.bankname.com" > pkey.pem
- Replace 'xxxxxxxxxxxxxxxxxx' with a 32-character passphrase (including special characters such as !@#%^&*). The config file holds this passphrase in clear text, so delete it once the key has been generated.
- When you generate a GPG key via the command line, the file containing the exported public key (pkey.pem) is stored in the same directory from which you ran the command.
- After it is created, upload this key (pkey.pem) into the root folder with the put command.
Upload pkey.pem file to the root folder
sftp> put pkey.pem
- Create metadata.json and upload it into the root folder.
- metadata.json is the means by which the customer receives an email notification of the status of the data loaded through the SFTP connection.
- metadata.json contains the following fields, which have to be filled in with the customer's email addresses.
Content of the metadata.json
{ "emailAddressSuccessfulLoad": "Your email", "emailAddressFailedLoad": "Your email" }
- Generate and fill in this file, using the expected name and extension 'metadata.json', then upload it into the root folder with the put command.
Upload metadata file
sftp> put metadata.json
4. Create and encrypt a file with dummy data
- In the File Format section you will find the layout and the required data fields that you should include in the .xml file.
- The main data file must be both encrypted and signed, adhering to the OpenPGP standard. To encrypt and sign the file, run the following command:
Command line
$ gpg --recipient 'encryption.endpoint.nl' --local-user 'signingkey.bankname.com' --encrypt --sign accounts
In the command example, you'll find the following values:
- --recipient 'encryption.endpoint.nl': This option specifies the recipient of the encrypted message or file. In this case the recipient is identified as 'encryption.endpoint.nl', which means the output will be encrypted for SurePay using the public GPG key you received via MSafe.
- --local-user 'signingkey.bankname.com': This option specifies the local user's key to use for signing the message or file. Replace 'signingkey.bankname.com' with your actual signing key; it will be used to sign the message.
- Without an --output option, gpg writes the encrypted and signed result to accounts.gpg next to the input file.
5. Deliver the first file via SFTP with data
Depending on the environment you are connecting to, we will require a different file to be uploaded:
- For the test environment: a dummy file containing no production data, for us to analyse the fields provided, the encryption and signing, and the connection itself.
- For the production environment (PRD): a file with production data.
- To transfer the 'Accounts' file (account_bankname.pgp), use the commands in the code snippet below to add it from your local machine. Also send an unencrypted copy of the file via email to service@surepay.nl.
- Make sure that you are in the root folder before adding the file by using the pwd command, then use the put command followed by the file name:
Command line
sftp> pwd
Remote working directory: /data-provisioning/bankName
sftp> put account_bankname.pgp
- We will verify whether the encryption and format of the file are correct and whether all accounts are loaded correctly into the system; we'll notify you if the load was not successful.
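As an added example (not SurePay's tooling), the following bash script strings steps 3 to 5 together for one delivery: it writes metadata.json, encrypts and signs the data file with the step 4 command, checks that the bundle really is public-key encrypted before it leaves the bank, and uploads everything in one non-interactive sftp session. It assumes the step 1 SSH key (bankname) is accepted for login, because sftp batch mode cannot answer a password prompt, that SurePay's public GPG key was already imported with gpg --import, that the host key was accepted once interactively, and PORT, USER and HOST are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not SurePay's tooling: prepares one offline data-provisioning
# delivery (metadata.json, encrypted+signed data file) and uploads it.
set -eu
RECIPIENT='encryption.endpoint.nl'   # SurePay's encryption key, as named in the guide
SIGNER='signingkey.bankname.com'     # the bank's own signing key from step 3

# Write metadata.json for the two notification addresses. Refuses an address
# without a user@domain.tld shape so a typo does not silently drop the status e-mails.
make_metadata() {  # usage: make_metadata SUCCESS_EMAIL FAILURE_EMAIL  (prints JSON)
  for addr in "$1" "$2"; do
    case "$addr" in
      *@*.*) ;;
      *) echo "metadata: invalid e-mail address '$addr'" >&2; return 1 ;;
    esac
  done
  printf '{ "emailAddressSuccessfulLoad": "%s", "emailAddressFailedLoad": "%s" }\n' "$1" "$2"
}

# Step 4 command with an explicit output name, so the bundle gets the .pgp name step 5 expects.
encrypt_and_sign() {  # usage: encrypt_and_sign accounts.xml account_bankname.pgp
  gpg --batch --yes --recipient "$RECIPIENT" --local-user "$SIGNER" \
      --output "$2" --encrypt --sign "$1"
}

# Pre-upload check: the bundle must open with a public-key-encrypted session key.
# The bank holds no SurePay private key, so the inner signature cannot be inspected
# here; gpg complains "No secret key" on stderr but still lists the outer packets.
check_bundle() {  # usage: check_bundle account_bankname.pgp
  gpg --batch --list-packets "$1" 2>/dev/null | grep -q ':pubkey enc packet:'
}

# Step 3 and step 5 uploads in one batch session: public key and metadata go to
# the root folder first, then the data file. Assumes key-based login with the step 1 key.
upload_delivery() {  # usage: upload_delivery PORT USER HOST KEYFILE DATAFILE
  sftp -P "$1" -i "$4" -b - "$2@$3" <<EOF
pwd
put pkey.pem
put metadata.json
put $5
EOF
}

if [ "$#" -eq 6 ]; then  # ./prepare_delivery.sh PORT USER HOST bankname ok@bank.nl failed@bank.nl
  make_metadata "$5" "$6" > metadata.json
  encrypt_and_sign accounts.xml account_bankname.pgp
  check_bundle account_bankname.pgp || { echo "bundle is not PGP-encrypted" >&2; exit 1; }
  upload_delivery "$1" "$2" "$3" "$4" account_bankname.pgp
fi
```

The e-mail addresses, key file name and data file name in the usage line are constructed placeholders; the script does nothing when called without its six arguments, so it can be sourced to reuse the functions.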
6. Celebrate! and next steps
Congratulations on the successful establishment of the offline data provisioning connection with SurePay! Your trust in us is greatly valued. If you have completed the connection to our test environment, you will have to repeat the same steps for the Production environment.
For those who have successfully established the connection in the PRD environment, here are the next steps:
- We will actively monitor the received data for quality.
- In the event that the data does not meet the required level of quality, we will provide support to help you achieve the expected data quality.
- We will promptly notify you if the data provided has the necessary level of quality and when subsequent checks have been conducted against the data you've provided.