
Support

Process information
Self-registration process
Ftps clients
Interoperability issues with OpenSSL 0.9.6d
Certificate expiry notification
Reseller process
IE/FTP gateways
Firewall configuration
CA certificate
Frequently asked questions

Process information

With the IE/FTP certificate generation process, you can request a new X.509 v3 certificate for use with the Internet gateway(s). In order to use this Web site to request a certificate to access the gateway, you must satisfy the following prerequisites:

  1. You must have an Information Exchange account. N.B. If you do not currently access your Information Exchange mailbox via the Internet but wish to try Internet access, you can follow the self-registration process. You must also satisfy prerequisites (3) and (4).
  2. You must have two Identification tokens (User number and Challenge token). These will have been sent to you via a secure postal method or sent to your Information Exchange mailbox if you used the self-registration process.
  3. You must use an ftps client that conforms to RFC 4217 - Securing FTP with TLS.
  4. Mozilla Firefox 1.5 and Internet Explorer v6.0 or later are supported.

Once you have your Identification tokens, follow the instructions for your browser:
Mozilla Firefox 1.5
Internet Explorer 6

Once your certificate is installed in your browser, you will need to export it to your ftps client. To export the certificate, follow the instructions for your browser:
Mozilla Firefox 1.5
Internet Explorer 6
You must save your certificate in PKCS#12 format.

Self-registration process

This process can be used by the following users:

  1. Existing Information Exchange customers who use the Secure gateway and wish to register for the Internet gateway. In this instance, there is no need to register via normal registration since your X.509 certificate is issued free of charge.
  2. Existing Information Exchange customers who already use the Internet gateway and who have received a certificate expiry notification and need to request a new certificate.
  3. Existing Information Exchange customers who have lost their certificate.

To use the Self-Registration process you must submit the following registration block from your Information Exchange mailbox (with message class: ffmsg001):
/register SYS.ACCOUNT.USER
contact_name John Doe
contact_dept EDI
contact_company Acme Inc
contact_street PO Box 1, Acme Drive
contact_city Warwick
contact_zip CV34 5JL
contact_country UK
contact_tel 004401926111111
contact_email john@acme.org
/end

NOTE: Substitute values in italics with your own values.

NOTE: The following is compulsory: /register, /end, contact_name, contact_company, contact_street, contact_city, contact_zip, contact_country

NOTE: Please ensure each line ends with a new line character. Fixed width files will not be accepted unless submitted via IEAS.
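
A pre-submission check for the registration block above, as an added example (not GXS code). It tests only what the NOTEs state: /register and /end frame the block, the six compulsory contact_ keys are present with a value, and the last line ends with a new line character. The function name check_regblock is hypothetical.

```shell
# check_regblock <file>: prints each problem found; returns non-zero if any.
check_regblock() {
    f=$1; rc=0
    # Every line, including /end, must end with a new line character.
    [ -s "$f" ] && [ -z "$(tail -c 1 "$f")" ] || { echo "last line lacks newline"; rc=1; }
    awk '
        BEGIN {
            n = split("contact_name contact_company contact_street " \
                      "contact_city contact_zip contact_country", need, " ")
        }
        { sub(/\r$/, "") }          # parse CRLF files the same as LF files
        NR == 1 && $1 != "/register" { print "first line must be /register"; bad = 1 }
        $1 ~ /^contact_/ && NF > 1   { seen[$1] = 1 }   # key with a non-empty value
        NF { last = $0 }             # remember the last non-blank line
        END {
            if (last != "/end") { print "last line must be /end"; bad = 1 }
            for (i = 1; i <= n; i++)
                if (!(need[i] in seen)) { print "missing " need[i]; bad = 1 }
            exit bad + 0
        }' "$f" || rc=1
    return $rc
}
```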

Please include your e-mail address as we will use this to notify you when your certificate expires. If your e-mail address changes, please contact your GXS Help Desk and ask for your e-mail address to be updated in our server database.

The destination address for your registration request is USA.GXS1.SELFREG.

Your self-registration request will be processed and two Identification tokens (User number and Challenge token) will be returned to your mailbox along with the address of the registration Web site. You can then go to the registration Web site and use your Identification tokens to request a new certificate.

NOTE for Self-Registrations made from IE systems other than "USA": Your Information Exchange user profile must accept send charges for sending the request and receive charges for receiving the reply. This may be managed via the IE user profile or through an entry in the IE trading partner list for USA.GXS1.SELFREG. You require a trading partner list if your profile states that communications are blocked, that is, if use of trading partner lists is mandatory. If your profile defaults do not allow send charges, you can either change the profile or set up a trading partner list entry for USA.GXS1.SELFREG. Once the userid supports the correct payment levels, either through the profile or the trading partner list, the message must be sent to USA.GXS1.SELFREG using a message charge option which can resolve to split charging, that is 2, 3, 4 or 5. If desired, USA.GXS1.SELFREG may be removed from the trading partner list after Self-Registration has been completed.

Ftps clients

The following table lists a variety of ftps clients that you can use with our service. (Please note that inclusion in this table does not represent our official endorsement. We cannot be held responsible for information held on external sites.)

| Client | Version | ftps compatible with IE-FTP | Certificate import format | Usage notes |
|---|---|---|---|---|
| Cleo LexiCom FTP (cleo.com) | 2 | YES | PKCS#12 (as exported from most web browsers) | 100% Java client that understands Information Exchange processing. Supports any platform with the Java 1.3 runtime (officially tested by Cleo on Windows, Solaris, Linux, HP, AIX, and OS/400). Select AUTH SSL as transport mechanism. |
| FTP-TLS (archived at ford-hutchinson.com; currently unavailable) | - | YES | PEM | Open Source command line / batch client for UNIX. Requires OpenSSL. |
| Ipswitch ws_ftp (ipswitch.com) | 6.6 Pro onwards (Note: compatibility problems reported with version 7.6.x have been reported fixed in version 8.0) | YES | WS-FTP Pro 8: V8 now imports pkcs12 files without the need to convert to PEM. Pre V8: PEM | Suggestion: configure with "SITE LISTSTYLE SHORT" upon connection. A document explaining how to use ws_ftp with Information Exchange can be found here. |
| Patrick Townsend & Associates, Inc. Alliance FTP Manager (patownsend.com) | 2.79 | YES | PKCS#12 (as exported from most web browsers) | Client for OS/400. |
| Trailblazer Systems Inc. ZMOD Exchange FTP (trailblazersystems.com) | ? | YES | ? | Client for OS/400. |
| Columbia University in the City of New York - Kermit 95 (columbia.edu) | 2.1 | YES | PEM (Kermit 95 ships with OpenSSL) | Runs on Windows. A document explaining how to use Kermit with Information Exchange can be found here. |
| Columbia University in the City of New York - C-Kermit (columbia.edu) | 8.0.208 | YES | PEM | Runs on UNIX and VMS. A document explaining how to use Kermit with Information Exchange can be found here. |
| ClickCommerce TDAccess (clickcommerce.com) | 2k.01.37 | YES | PKCS#12 (as exported from most web browsers) | Integrated Windows (TM) GUI client that understands Information Exchange processing. Also available for z/OS, i/OS, and many UNIX operating systems. |

BTrade have provided instructions to update the gateway address for the EasyAccess client here. Btrade customers are strongly advised to contact their reseller.

The PEM file format

Some clients require a certificate file in PEM format. The OpenSSL toolkit can be used to create PEM files.

To convert a PKCS#12 certificate to PEM, use the command 'openssl pkcs12 -in <pkcs12file> -out <pemfile>'.

We also have detailed instructions.

OpenSSL is available from openssl.org
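
An added example (not from the original page): the conversion above done so that the private key in the PEM file stays pass-phrase protected and readable by its owner only, with a check that key and certificate belong together and a check against the 60-day expiry notification window. The function names and the P12_PASS / PEM_PASS environment variables are assumptions of this example.

```shell
# Pass phrases come from the environment (P12_PASS for the browser export,
# PEM_PASS for the new PEM key) so they stay off the command line.

# p12_to_pem <pkcs12file> <pemfile>
p12_to_pem() {
    (
        umask 077                          # files created here are owner-only
        tmp=$(mktemp -d) || exit 1
        trap 'rm -rf "$tmp"' EXIT
        # Client certificate only: no CA certificates, no key.
        openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys \
            -out "$tmp/cert.pem" 2>/dev/null || exit 1
        # Private key, re-encrypted under PEM_PASS (no -nodes, so never in clear).
        openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts \
            -passout env:PEM_PASS -out "$tmp/key.pem" 2>/dev/null || exit 1
        # Refuse to emit a PEM whose key does not belong to the certificate.
        c=$(openssl x509 -in "$tmp/cert.pem" -noout -pubkey 2>/dev/null)
        k=$(openssl pkey -in "$tmp/key.pem" -passin env:PEM_PASS -pubout 2>/dev/null)
        [ -n "$c" ] && [ "$c" = "$k" ] || exit 1
        cat "$tmp/cert.pem" "$tmp/key.pem" > "$2"
    )
}

# cert_expires_within <pemfile> <days>: succeeds if the certificate expires
# within <days> days (or cannot be read at all).
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}
```

If the output file already exists, its existing permissions are kept, so write to a new path or tighten the mode first.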

Interoperability with OpenSSL 0.9.6d

The interoperability issue affecting users of clients based on OpenSSL 0.9.6d has now been fixed.

Certificate expiry notification

You will receive your first notification either via e-mail or via your Information Exchange mailbox. If we do not have your e-mail address and we send the notification to your Information Exchange mailbox, we will use a Free Format message. The first notification is sent 60 days before your certificate is due to expire. The notification will include details of the self-registration process and the address of the registration Web site. If you take no action within 30 days, you will receive a second and final notification.

Reseller process

If you are a reseller and wish to issue certificates on behalf of your customers, please contact your GXS Help Desk. You can then use your reseller mailbox to submit registration requests, per the self-registration process, on behalf of your customers as long as they satisfy the prerequisites. The destination address for your registration request is USA.GXS1.RSLREG; you will not be charged for sending/receiving data from this mailbox. Once you have submitted the registration, you can either distribute the Identification tokens to your customers (along with details of the self-registration process and the registration Web site address), or you can use the tokens to obtain a certificate for your customer. If you choose to send certificates to your customers, you must also send the private/public key pair generated by your browser and our root CA certificate. Always distribute tokens or certificates via a secure postal method.

IE/FTP gateways

Configure your secure client to use one of the following addresses:

Firewall configuration

If your FTP client is separated from the Internet by a firewall, ask your firewall administrator to configure the firewall to allow FTP/TLS traffic as defined in RFC 4217 - Securing FTP with TLS.

Some useful information about FTP/TLS and firewalls is available in an IETF draft.

Click here for help in configuring your Checkpoint NG firewall (Please note that we do not provide support for firewall configuration and that the following document has been provided as a guide only. We cannot be held responsible for any changes made).

CA certificate

To download a copy of the PKI Services root CA certificate click here.

Alternatively the certificate is available in PEM format here.

Frequently asked questions

Click here to access the frequently asked questions.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Other company, product, and service names may be trademarks or service marks of others.
