ServiceSupport Self-help Guide This self-help guide provides recommendations and guidelines on how you can troubleshoot the SWIFT environment. 24 January 2014 Support Table of Contents .Preface .............................................................................................................................................................................3 1 The SWIFT Environment in a Nutshell ................................................................................................... 5 1.1 Introduction to the SWIFT Environment ................................................................................................ 5 1.2 SWIFTNet Message Flows ...................................................................................................................... 6 2 Maintaining the SWIFT Environment .................................................................................................... 11 2.1 Regular Activities ..................................................................................................................................... 11 2.2 Best Practices .......................................................................................................................................... 12 3 Troubleshooting the SWIFT Environment ......................................................................................... 15 3.1 Alliance Gateway ..................................................................................................................................... 15 3.2 Alliance Web Platform ............................................................................................................................ 16 3.3 Alliance WebStation ................................................................................................................................ 17 3.4 Customer Network .................................................................................................................................. 19 3.5 FIN CBT .................................................................................................................................................... 20 3.6 HSM Box ................................................................................................................................................... 22 3.7 PKI and Online Operations Manager ................................................................................................... 24 3.8 Problem with Connectivity between SWIFTNet Link and the HSM Box ......................................... 25 3.9 Problem with Connectivity between SWIFTNet Link Host and VPN Box ....................................... 25 3.10 Relationship Management Application ................................................................................................ 26 3.11 SSG5 VPN box (Alliance Connect) ...................................................................................................... 26 3.12 SWIFTNet Link ........................................................................................................................................ 30 4 Reporting a Problem .................................................................................................................................... 32 4.1 Methodology for Reporting a Problem ................................................................................................. 32 4.2 Collecting Evidence ................................................................................................................................ 33 5 SWIFT Support Services ............................................................................................................................ 38 5.1 Organisation of SWIFT Support ............................................................................................................ 38 5.2 Support Information on swift.com ......................................................................................................... 38 .Legal Notices ...............................................................................................................................................................40 2 Self-help Guide Preface Preface Purpose of the document This guide provides recommendations and guidelines on how to troubleshoot the SWIFT environment. Audience This guide is for SWIFT co-ordinators. Significant changes This guide replaces the edition of 20 January 2012. It has been thoroughly revised and reformatted. Related documentation This guide refers to the following manuals on the User Handbook Online. • Alliance Connect Implementation Guides – Alliance Connect Bronze Implementation Guide – Alliance Connect Silver Implementation Guide – Alliance Connect Silver Plus Implementation Guide – Alliance Connect Gold Implementation Guide • Alliance Gateway – Alliance Gateway MQ Host Adapter Configuration Guide – Alliance Gateway Operations Guide – Alliance Gateway Remote API Operations Guide – Alliance Gateway Security Guide – High-Level Guidelines for Cluster Configurations • Alliance WebStation – Alliance WebStation Installation Guide – Alliance WebStation User Guide – SWIFT CheckIP User Guide • Connectivity to SWIFT – Network Access Control Guide – Network Configuration Tables Guide – Resilience Guide – SWIFT Connectivity Test Tool User Guide • FIN 24 January 2014 3 Support – FIN Error Codes • Hardware Security Module – Hardware Security Module Operations Guide • SWIFTNet Link – SWIFTNet Link Error Codes – SWIFTNet Link Operations Guide 4 Self-help Guide The SWIFT Environment in a Nutshell 1 The SWIFT Environment in a Nutshell 1.1 Introduction to the SWIFT Environment Preamble A typical SWIFT customer environment consists of a combination of individual components that interact with each other to provide messaging services. Use this section as your reference and your glossary. Throughout this document, there are references to additional SWIFT documents. You can find these documents on the software installation CD or on the User Handbook Online. There are clickable links to the documents when you use the electronic version of this guide. This section describes some key concepts of the SWIFT environment. For more detailed information, see the SWIFT Glossary. DMZ In a computer network, a DMZ ("demilitarized zone") is a sub-network that contains the hosts that are most vulnerable to attack from outside. Hosts in the DMZ provide services both to the internal local area network and to the external network. A firewall controls traffic between the DMZ hosts and clients in the internal network. FIN CBT Software product that processes and exchanges FIN messages, by using the FIN application through the SWIFT network. Alliance Access and Alliance Entry are FIN CBT products that are provided by SWIFT. Currently, these CBT products also offer the functionality to send messages for your solutions through the Alliance Message Management interface (on Alliance Web Platform). HSM Hardware Security Module. A tamper-resistant hardware device within which the user generates and stores its SWIFTNet Public Key Infrastructure private keys. The HSM performs cryptographic operations such as signing the data that is sent over SWIFTNet. There are three types of HSM devices: HSM boxes, HSM tokens, and HSM cards and card readers. A SWIFTNet Link can use only one type of HSM. HTTPS Secure Hypertext Transport Protocol. A protocol that is used to access web servers that are hosted on SWIFTNet. MQ WebSphere MQ (Message Queue). IBM middleware component that is used to link back-end applications to the Alliance Gateway or Alliance Access/Entry. PKI Public Key Infrastructure certificate. SWIFT acts as the certification authority on SWIFTNet. 24 January 2014 5 Support Remote API (RA) The remote API concentrates SWIFTNet traffic between Alliance Gateway and service-specific products that run on remote machines that operate with SWIFTNet Link. Alliance Access and Alliance Entry are examples of such service-specific products. The remote API software emulates the SWIFTNet Link API calls towards the service-specific product. An application that runs over remote API is not aware that it communicates with Alliance Gateway because the underlying remote API emulates a SWIFTNet Link instance. The remote API also enables applications to exchange messages using the Alliance Gateway API. Remote API connections may be secured using a Secure Socket Layer (SSL). SWIFTNet Link Mandatory SWIFT software component that is required to connect to SWIFTNet. Vendor product Product that is offered by a SWIFT partner and connects to additional services hosted on SWIFTNet. These products have an embedded SWIFTNet Link, or they connect to Alliance Gateway. VPN box The IPsec security device installed on customer premises. The VPN (Virtual Private Network) box enables SWIFT to create and manage a secure tunnel between the customer site and the SWIFT-managed backbone access points. SWIFT uses the secure tunnel to implement end-to- end security. 1.2 SWIFTNet Message Flows Introduction This section describes message flows for typical SWIFTNet services. 6 Self-help Guide The SWIFT Environment in a Nutshell 1.2.1 FIN Using a FIN CBT through an Alliance Gateway SWIFTNet single-window infrastructure, based on Alliance Gateway SWIFT SWIFT Customer network network operating partners centres DMZ LAN Customer Premises Equipment HSM FIN CBT Network RA (for example, HSM partner routers Alliance Access or vendor product) MQ VPN Box HTTP proxy VPN Box RA SWIFT Alliance systems Gateway MQ D1440001 SWIFT supplied and/or managed Flow In a SWIFTNet single-window infrastructure, based on Alliance Gateway, the basic FIN message flow consists of the following steps: 1. FIN messages are built in the FIN CBT. FIN messages can be entered directly by using a screen-based message entry product, or they can be entered through a link to a back-office application. 2. The FIN CBT creates the FIN protocol envelope for the message and sends it through the customer network to the Alliance Gateway, by using the remote application or the message queue software on the FIN CBT. 3. The Alliance Gateway receives the message through the corresponding host adaptor. Then it calls the local SWIFTNet Link software to request transportation through SWIFTNet. 4. The SWIFTNet Link encapsulates the message payload with a SWIFTNet message envelope, and sends it through an established TCP/IP connection to the VPN box. 5. The VPN box has established IPsec tunnels with the SWIFTNet central systems through the MV-SIPN network. These tunnels are established over physical lines between your premises and the MV-SIPN backbone access points. 6. The SWIFTNet central systems are connected to the FIN application servers at SWIFT, which send back a FIN response to the initial FIN CBT. 7. When a FIN ACK response message is received, you are assured that the FIN application will deliver the original message to the intended receiver. On the other hand, a NAK 24 January 2014 7 Support message indicates that an error occurred and that the message cannot be delivered to the intended receiver. 1.2.2 Accessing a Browse Service from a Standalone Alliance WebStation Alliance WebStation directly connected to SWIFTNet SWIFT SWIFT Customer network network operating partners centres DMZ LAN Customer Premises Equipment Alliance WebStation Network partner routers VPN Box VPN Box SWIFT systems D1440002 SWIFT supplied and/or managed Flow 1. Browse services are offered by organisations that have a web server that is connected to the SWIFTNet network. The access to the external web server is accomplished by creating an HTTPS request on a standard web browser product that runs as part of the Alliance WebStation. Currently, this standard web browser product must be Internet Explorer. 2. The HTTPS request is sent through a new TCP/IP connection to the VPN box. Then this request is sent further to the external web server. 3. The web server collects the data and responds to the HTTPS request. It returns the response to the Alliance WebStation browser. 1.2.3 Browse Connected to an Alliance Gateway Browse through Alliance WebStation or Alliance Web Platform Other SWIFTNet services can also be accessed through an Alliance WebStation or Alliance Web Platform Browse that is connected to a SWIFTNet single-window infrastructure based on Alliance Gateway. 8 Self-help Guide The SWIFT Environment in a Nutshell Alliance WebStation Browse SWIFT SWIFT Customer network network operating partners centres DMZ LAN Customer Premises Equipment HSM HSM Network partner routers VPN Box 2 HTTP proxy Alliance VPN Box WebStation 1 RA SWIFT Alliance Gateway systems MQ SWIFT supplied and/or managed 1 Authentication D1440003 2 Browse (HTTPS traffic) 24 January 2014 9 Support Alliance Web Platform Browse SWIFT SWIFT Customer network network operating partners centres DMZ LAN Customer Premises Equipment HSM Network HSM partner routers VPN Box HTTP proxy RA Alliance VPN Box SWIFT MQ Gateway systems Internet Browser 1 Alliance 1 Web Platform 2 HTTP proxy SWIFT supplied and/or managed 1 Authentication (InterAct traffic) D1440004 2 Browse (HTTPS traffic) Flow 1. Browse services are offered by organisations that have a web server that is connected to the SWIFTNet network. The access to the external web server is accomplished by creating an HTTPS request on a standard web browser product that runs as part of the Alliance WebStation or Alliance Web Platform. Currently, this standard web browser product must be Internet Explorer. 2. The HTTPS request is sent through the customer network to the HTTPS proxy that runs on the Alliance Gateway or on the Web Platform (or on any other HTTPS proxy for which provisioning was done). 3. The HTTPS request is sent through the multi-vendor secure IP network to the external web server. 4. The web server collects the data and responds to the HTTPS request. It returns the response to the HTTPS proxy, which forwards it to the Alliance WebStation browser. Note Similar flows are applicable for vendor applications and for other InterAct services or FileAct services. 10 Self-help Guide Maintaining the SWIFT Environment 2 Maintaining the SWIFT Environment 2.1 Regular Activities Daily activities • Back up the system and the application data (Messages, Events, Configuration, and Database). • Monitor the systems and review the error logs (Alliance Access or Alliance Entry, Alliance Web Platform, Alliance Gateway, SWIFTNet Link, HSM). • Log in to the FIN service to process messages that have been received. • Export the RMA authorisations and distribute them to your other applications, if required. • Open and empty their generic queue(s) regularly. • Ensure that all messages of the previous day are completed for archiving and back-up purposes. • Check the connectivity to all HSM boxes. Weekly activities • Stop all processes (Alliance Access, Alliance Gateway and SWIFTNet Link, Alliance Web Platform) and the Oracle database completely, and perform a full system back-up. • Check the SWIFTNet Link connectivity after a weekend when SWIFTNet maintenance activities are performed (see www.swift.com/support for the planning of the full year). • Archive the Alliance Gateway logs and journals. • Archive and back up the Alliance Access and Alliance Entry messages and events. • Check that the system has enough resources to cope with a disaster situation and high peak- hour traffic. See Hardware requirements for release 7.0 for more information. • Check the recent tips on swift.com (Support -> Knowledge Base -> Recent tips) to keep up with the latest known issues, enhancements, and best practices. Monthly activities • Restart SWIFTNet Link and Alliance Gateway. This restart stops the processes that use certificates, and the certificates can be renewed the next time that they are used to log in. • Open all the non-active certificates at least once, using the CertInfo or sag_test_connect commands. For more information, see "Certificate Management for SWIFTNet Link" in the SWIFTNet Link Operations Guide. • Check the validity and the renewal period of the PKI certificates. You can generate a report using the SWIFTNet Online Operations Manager (O2M), or you can use the certlist and SwHSMVerifyUserCert commands. 24 January 2014 11 Support • Back up all the PKI certificates after you have opened them: – To back up files for a specific SWIFTNet Link instance, use the SNL_BackUp.pl command. – To back up all SWIFTNet PKI certificates and SSL certificates contained within the HSM cluster, use the SwHSMBackupRestore.pl command. • Check the leased line utilisation report on swift.com (-> Support -> Leased line usage) and perform a test to ensure that the connectivity through the back-up line is working as expected. • Check the correct functioning of your fallback connectivity (standby and disaster recovery plan). • Check for the availability of new patches on swift.com. Read the release letter of any available patch to evaluate whether you require the patch. Mid-Year Activities • Reboot all your HSM boxes. 2.2 Best Practices 2.2.1 Best Practices for a System Upgrade Before installation 1. Check the compatibility of the operating system release and patch levels: – Read the release letter. – Check the Knowledge Base for any known issues. 2. Note the current version of the operating system and patches. 3. Stop the applications and the Oracle database and take a full system back-up. After installation 1. Take a new full system back-up when all the processes (including Oracle database) are stopped, and take application data (Alliance Access database). 2. Take a new back-up of the application: – To back up files for a specific SWIFTNet Link instance, use the SNL_BackUp.pl command. – To back up all SWIFTNet PKI certificates and SSL certificates contained within the HSM cluster, use the SwHSMBackupRestore.pl command. 3. Check the connectivity to the SWIFT network and check the availability of the HSM boxes. 4. Perform testing and proactive monitoring of the system and of the application on your test environment before upgrading the production system. 12 Self-help Guide Maintaining the SWIFT Environment 2.2.2 Best Practices for Resilience Resilience • You can create a resilient infrastructure by duplicating the components in various configurations. Your prime site should not contain any single point of failure. This ensures that you can continue operations if a component fails, instead of having to wait until the component has been replaced. See the Connectivity Resilience Guide and the Alliance Gateway High-Level Guidelines for Cluster Configurations for the possible configurations. • For critical operations, SWIFT recommends that you build a disaster site to continue operations after a major problem in the prime site. It should be possible to switch to the disaster site within two hours and to start the processing of business traffic within four hours after a prime site failure. The disaster site should be kept up-to-date and the fail-over procedures should be tested twice a year. • Alternatively, you can spread the operations over two sites that are simultaneously active. Procedures to re-route the traffic to another site in order to cope with a site failure should also be tested twice a year. You should pay special attention to the organisational aspects and the usage of PKI certificates in recovery scenarios. 2.2.3 Best Practices for Monitoring Monitoring • Check the SWIFT Link connectivity: swiftnet status -c -h -v selftest • Check the status of the Alliance Gateway subsystems: sag_system -- status • Check the validity and renewal of the PKI certificates using the certlist and SwHSMVerifyUserCert commands. • Test the DNS service on the SWIFTNet Link host: nslookup • Check the validity and renewal of the LAU keys and SSL certificates. • Check the connectivity of the HSM boxes: perl SwHSMSelfTest.pl • Monitor the status of all your HSM boxes on a daily basis: swiftnet status -T -v • Check all critical events on the Alliance Gateway Event Journal (Alliance Gateway events can be sent to a syslog server, or to an SNMP Manager, or to both). • Check the logs of the SWIFTNet Link application (ULOG.<date>, gentrace.log, LunaClusterLog.htm, sag_bootstrap, spkaudit_<SNL-ID>.log) and the operating system logs. 24 January 2014 13 Support • Check the logs of the HSM boxes: perl SwHSMGetLog.pl -a • Check the software and database integrity of the applications. For more information, see Knowledge Base tip 50178615017861. • Ensure that archiving and back-ups of the system and of the application (Messages, Events, Configuration, and Database) are correctly done. • Check that no core file is present on the system. • Check the system performance of the server (CPU, memory, swap, disk IO, network). • Check the leased line utilisation report on swift.com (-> Support -> Leased line usage). • Monitor the disk space. 14 Self-help Guide Troubleshooting the SWIFT Environment 3 Troubleshooting the SWIFT Environment 3.1 Alliance Gateway 3.1.1 Messages are Not Received in the Server Application Event Journal reports: ”Sag:APL-I - 9 - Server unreachable" or ”Sag: APL-I - 50 - Request time- out" 1. Check whether the server that is identified for this Message Partner is still running. 2. Check the network components between the server application and the Alliance Gateway for dropped packets. 3. Restart the server application in order to reconnect to the Alliance Gateway. 4. If this does not solve the problems, then continue with "Customer Network" on page 19 and "SWIFTNet Link" on page 30. 3.1.2 Operational Problem with the Alliance Gateway Subsystems The Event Journal reports errors that are related to processes 1. Use the Alliance Gateway Admin GUI or run the following command: sag_system -saguser <username> -sagpwd <passwd> -- status Overview See "Using the sag_system Tool" in the Alliance Gateway Operations Guide. 2. If any activated subsystems are not started, then restart the subsystems by using the Alliance Gateway Admin GUI or as follows: sag_system -block -- start [<subsystem>] 3.1.3 Local Authentication (LAU) Failure The Event Journal reports the error: Message Partner authentication failed Check the definition of the Message Partner, and the configuration of the application. See "The Application Interface Module" in the Alliance Gateway Operations Guide . 3.1.4 Problems with the File Transfer The monitoring application reports that files were rejected or that files failed 1. Check if the configuration is correct. See "Using Alliance Gateway Commands and Tools" in the Alliance Gateway Operations Guide. 2. Send a test message with default parameters: sag_test_connect -snuser <username> -snpwd <password> -fileact 24 January 2014 15 Support See "Check an Alliance Gateway Connection (sag_test_connect)" in the Alliance Gateway Operations Guide. See "SWIFTNet Link" on page 30. Rejection by the counterparty Your counterparty may reject a file (for example, because of insufficient disk space). If this occurs, then contact the counterparty and agree on appropriate actions. 3.2 Alliance Web Platform 3.2.1 Login Page Cannot be Loaded with JavaScript Disabled Description The Login page cannot be opened and the system displays JavaScript is disabled, please enable and reload this page. Enable JavaScript 1. Go to Internet Explorer Tools -> Internet Options -> Security Settings -> Scripting -> Active Scripting. If it is not enabled, then enable it. 2. Use the following URL to display your current settings for the Internet Explorer and Java parameters that Alliance Web Platform requires: https://<WebPlatformHost>:<port>/swp/support.html For more information, see "User Desktop Requirements" and "Requirements for Browse" in the Release Letter for Alliance Web Platform or Alliance Web Platform Server-Embedded. 3.2.2 Login Page Cannot be Loaded Description The Login page cannot be loaded and the system displays Internet Explorer cannot display the webpage. Procedure 1. Check whether the Web Platform service has started. Windows: select Administrative Tools> Services> Alliance Web Platform <SWP instance name> to check if the service has started. UNIX: run the command swp_bootstrap status to check if the bootstrap of Web Platform has started. 2. If the Web Platform service has not started, then start it: swp_bootstrap start 3. Check whether the application behind the Web Platform (Alliance Access or Alliance Gateway) is running. 16 Self-help Guide Troubleshooting the SWIFT Environment 4. From the user's desktop, check the network connectivity between the user's desktop and the Web Platform server: telnet <Web_Platform server> <https port configured> 5. Check the configuration of the browser (including URL used, proxy settings, Internet Explorer, and JAVA settings). 3.3 Alliance WebStation 3.3.1 Unable to Log in to a Standalone Alliance WebStation Problem with the authentication of the user on the HSM 1. Check that the cables are correctly connected, and that the HSM is correctly inserted. For more information, see "Daily Logon Procedure" in the Alliance WebStation User Guide. 2. Verify that the certificate is still valid, and recover the certificate if necessary (Security Officer profile required). For more information, see "Recovering Your User Certificate" in the Alliance WebStation User Guide. Problem with the connectivity to SWIFTNet 1. Use the Online Check Link tool, or run the command testtcp.bat. For more information, see "Verifying the Connection to SWIFTNet" in the Alliance WebStation User Guide. 2. If there is a failure, then check the connection between SWIFTNet Link and the VPN box. 3.3.2 Unable to Log On to Alliance Gateway Description You receive one of the following errors: • SwGUI.203.007: Logon failed. Click on “More Info...” • Sw.04.002: Could not create the security context • Sag:System.001.001: Operator is not entitled to perform the operation SWIFTNet user or Alliance Gateway operator not properly defined 1. Check that the entered user name is an enabled SWIFTNet user. Check whether the certificate that is linked to the user is still valid at SWIFTNet Link level, and recover the certificate if necessary. For more information, see "The SWIFTNet Users Module: Managing Certificates Used by SWIFTNet users" in the Alliance Gateway Operations Guide. Otherwise, continue with "SWIFTNet Link" on page 30. 2. Check whether the entered user name is a valid and enabled Alliance Gateway operator. 3. Check whether the entered password is correct. 24 January 2014 17 Support For more information, see "The Operators Module" in the Alliance Gateway Operations Guide. 3.3.3 Connection with Alliance Gateway Lost SwGUI.203.010: The connection with the SAG is lost or cannot be established There is a problem with the connectivity to Alliance Gateway. For more information, see "Customer Network" on page 19 and "SWIFTNet Link" on page 30. 3.3.4 Unable to Connect to a Web Server Web server unreachable Run checkip <URL> <port> TCP. Contact the service provider for the correct URL and ask for information about the port number. For more information about the checkip command on Alliance WebStation, see the CheckIP User Guide. For more information about the checkip command on SWIFTNet Link, see the SWIFTNet Link Operations Guide. Problem with the validity of the Browse certificate Check the validity of the certificate in the standard browser configuration and in the preferences. Recover the certificate if needed (Security Officer profile required). For more information, see "Managing SWIFTNet Users, Browse Users, and Message Routing Rules" in the Alliance WebStation User Guide. HTTPS proxy server on Alliance unreachable 1. Run checkip <HTTP proxy IP address> <HTTP listening port> TCP. For more information about the checkip command on Alliance WebStation, see the CheckIP User Guide. For more information about the checkip command on SWIFTNet Link, see the SWIFTNet Link Operations Guide. 2. If there is a failure, then verify the settings of your browser, then check the customer network components and the status of the HTTPS proxy. For more information , see "Configure Browse Traffic" in the Alliance Gateway Operations Guide. RequestorDN, ResponderDN and Request Type not valid (CUG 001 error) When you try to connect to a web server, you receive the following error message: The RequestorDN, ResponderDN and Request Type combination specified in the Request is not valid for this Service The user is not activated on the service. Contact the service provider and request the activation of the user. 18 Self-help Guide Troubleshooting the SWIFT Environment 3.4 Customer Network Description There is a connection problem between Alliance Gateway and a vendor product, the FIN CBT, or Alliance WebStation. Problem with connectivity to applications that are based on the Remote API (RA) 1. On the RA host give the following command: sag_system -saguser <username> -sagpwd <passwd> -- status system For further information see "Remote Administration of Alliance Gateway" in the Alliance Gateway Remote API Operations Guide. If there is a failure, then carry out the following actions. 2. Run ping <SAG_host> in order to check the connectivity at IP level, and check the firewall configuration. 3. Run telnet <SAG host> <SAG port> and verify whether the listening port exists for the hostname that is provided in the sagta_ra.cfg file. For more information, see "Security Configurations" in the Alliance Gateway Security Guide. 4. Check whether the Alliance Gateway bootstrap is started. See "The Alliance Gateway Bootstrap" in the Alliance Gateway Operations Guide. 5. Check whether the IP address, the port number, and the SSL mode are correctly configured on both the RA host and the Alliance Gateway host. See "Configuring Remote API" in the Alliance Gateway Remote API Operations Guide. If the command is successful, then the problem could be intermittent. 6. Check the dynamic parameters of the firewall. See "Alliance Gateway and Firewalls" in the Network Configuration Tables Guide. 7. Check the logs of the network components between RA and Alliance Gateway, for dropped packets. Problem with connectivity to applications that are based on Message Queue (MQ) 1. Run a ping test from the Alliance Gateway host to the Queue Manager host. 2. Run a telnet test from the Alliance Gateway host to the Queue Manager host on the QMGR port. 3. Run a telnet test from the application host to the Queue Manager host. 4. If there is a failure, then check the network components between the application host and the Alliance Gateway. Check the log files of the components for any dropped packet. See the Alliance Gateway Security Guide - Security Configurations, and "Alliance Gateway and Firewalls" in the Network Configuration Tables Guide. 5. Check the configurations of the components: • MQHA on the Alliance Gateway computer 24 January 2014 19 Support • Queue Manager and queues • MQ configuration in the application software • The SSL mode that is used See the Alliance Gateway MQ Host Adapter Configuration Guide. 6. Run a complete connectivity test: • Configure the Alliance Gateway and the MQ series appropriately. • Run mq_test_connect See "Testing Connectivity with mq_test_connect" in the Alliance Gateway MQ Host Adapter Configuration Guide. Also see the documentation about the configuration of the vendor product. Problem with connectivity to Alliance WebStation 1. Check the Alliance WebStation configuration: • Run WebStationConfig.exe. • Check whether the configuration corresponds with the Alliance Gateway configuration. See "Configuring Alliance WebStation" in the Alliance WebStation Installation Guide. 2. Check the connectivity: • Run ping <SAG host> • Run checkip <SAG host> <RAHA port> <TCP> See the SWIFT CheckIP User Guide. 3. If there is a failure, then verify whether the network components between Alliance WebStation and Alliance Gateway are correctly configured. Also verify that no dropped packets are observed in the component's log files. See "Security Configurations" in the Alliance Gateway Security Guide, and the Network Configuration Tables Guide. 3.5 FIN CBT 3.5.1 Unable to Log In to FIN FIN logical error received, for example, L38 (The BIC that sent this Login request does not match the BIC of the Signing DN organisation) 1. Correct the error according to the error description. 2. Try to log in again. For more information, see Knowledge Base tip 1905595. FIN CBT error 1. Check the error message and the related events. 2. Correct the problem (for example, disk space error). 20 Self-help Guide Troubleshooting the SWIFT Environment 3. Try to log in again. See the FIN CBT documentation from the vendor. FIN CBT connectivity to SWIFTNet 1. Check the events in the CBT. 2. Check the connectivity to the next component. For more information, see "SWIFTNet Link" on page 30. If you are using an Alliance Gateway, see "Customer Network" on page 19. See also Knowledge Base tip 990203. 3.5.2 FIN Session is Aborted FIN protocol errors in the CBT logs, for example, FS012, SA100, SS100 1. Check Knowledge Base tip 129821. 2. If there are frequent aborts, check the FIN CBT connectivity to SWIFTNet. For more information, see "SWIFTNet Link" on page 30. If you are using an Alliance Gateway, see "Customer Network" on page 19. APC or FIN abort error received in the CBT logs, for example, A90 This problem may occur due to an intervention at SWIFT. We recommend that you activate the Auto Re-connect feature, in order to minimise the duration of the disconnection. For more information, see the FIN Error Codes. 3.5.3 FIN Messages are Rejected with a NAK Error Code Message format errors, for example, T13 or H20 (Text error or Header error) NAKed messages are kept in a message correction queue for manual correction. Check the FIN error code in field 405 of the NAK message. The message can be corrected and then re-sent later. For more information, see the FIN Error Codes. 3.5.4 FIN Messages are Queued Up in the FIN CBT FIN CBT not ready Ensure that all the FIN logical terminals are fully logged in. For more information, see "Unable to Log In to FIN" on page 20. Verify the size of the components Check the system specifications with the recommended sizing. See SWIFTNet Connectivity Packs. 24 January 2014 21 Support 3.6 HSM Box 3.6.1 User Profile is Locked Description The user profile that is present on the HSM box becomes locked after five unsuccessful log-in attempts to a certificate. Unlock the partition Is the current password available? • If the user can obtain the current password, then the admin account, or any other user account with the admin role, can use the unlock option. Unlocking the partition restores the working state of the partition for the current password. See "Unlock Partitions" in the Hardware Security Module Operations Guide. • If the user cannot get the current password, then the partition must be initialised and the profile must be recreated by using the CA secrets. Note This requires PED operations. See "Initialise Partition" in the Hardware Security Module Operations Guide. 3.6.2 HSM Box Configuration Fails PIN Entry Device (PED) gives a time-out error If a time-out occurs before you have completed a PED operation, then you must follow these instructions: 1. Press and hold the CLEAR button on the PED for at least five seconds. 2. In the message dialog box, click OK . The PED receives the task instruction from the HSM box, and you can start the sequence of PED operations again. For the procedure, see "HSM Box Configuration and Administration" in the Hardware Security Module Operations Guide. The PED must also be reset by using the power switch that is located on the side of the PED. 3.6.3 CKR_PIN_LOCKED Error on HSM Boxes Description The partition on the HSM box is locked after five consecutive unsuccessful login attempts to a certificate and the customer is not able to log in. If the password is known This command requires use of the PIN Entry Device. Before issuing this command, you must have the Security Officer PIN Entry Device key, and access to the primary HSM box. This command can only be performed on the primary node. 22 Self-help Guide Troubleshooting the SWIFT Environment 1. Windows: double-click the SWIFTNet Link icon on the desktop. UNIX: browse to the SWIFTNet Link swiftnet\bin directory. 2. Type the following command: perl SwHSMManagePartitions.pl -U -h <HSM Box IP address> -p <Partition Name SWIFTNet user profile> Example: perl SwHSMManagePartitions.pl -U -h 192.168.5.3 -p HSM1:PNYBB01 If the password is not known A user with the HSM admin account cannot reset the partition password. If the password is lost, then you must re-initialise the partition and set up the user for recovery. You must have access to the HSM box before issuing this command. This command can only be performed on the primary node. The command requires both PIN Entry Device keys - the Security Officer PIN Entry Device key, and the User PIN Entry Device key. • Re-initialise the partition 1. Windows: double-click the SWIFTNet Link icon on the desktop. UNIX: browse to the SWIFTNet Link swiftnet\bin directory. 2. Type the following command: perl SwHSMManagePartitions.pl -R -h <HSM box ip address> -p <Partition Name / SWIFTNet user profile> 3. When initialisation of the partition is performed, the partition gets disabled. You must enable the partition manually to reuse it using the -E option: perl SwHSMManagePartitions.pl -E -p <Partition Name> [-h <HSM Box>] Example: perl SwHSMManagePartitions.pl -R -h 192.168.5.3 -p HSM2:PNYBB01 4. Set up for recovery and recover SWIFTNet user profile after re-initialisation. • Recover the profile on the partition After you have re-initialised the partition, you must recover the profile on the partition. You must perform the set-up for recovery procedure on Alliance Gateway using Alliance WebStation. 1. Log in as Security Officer - SWIFTNet user using Alliance WebStation on Alliance Gateway. 2. In the Users module, browse to the certificate that you need to set up for recovery. 3. Right-click the certificate and select the Setup for Recovery command from the pop-up menu. 4. When the Certificate tab is re-displayed, click the Activation Secrets arrow. Write down the new reference number and authorisation code displayed. 5. Log off. 24 January 2014 23 Support 6. Log on as Administrator - Gateway Operator. 7. Go to the SWIFTNet users module and click the Certificates tab. 8. Right-click the certificate that was set up for recovery and choose the Recover command from the drop-down menu. If the certificate is not visible, then right-click in the blank area and select Recover. 9. Fill in all the details required, including the authorisation code, reference number, and certificate name, then recover it on the partition. You can choose a new profile name and password for the certificate. For more information, see Knowledge Base tip 2147226. 3.6.4 NTLS/SSL Fails Procedure 1. Check whether the NTLS service is running on the HSM box. Run swiftnet status -T -v to see the service status of the HSM. If it is down or partial, then use the SwHSMManageServices.pl to restart the HSM services (including NTLS). 2. Does the server have more than one IP address or has the IP address changed? If so, then you must re-register the SWIFTNet Link to the HSM Cluster by using the SwHSMWiz GUI. Alternatively, you can use the perl SwHSMInst.pl -A deregister | register command. For more information about -A deregister and -A register, see the Hardware Security Module Operations Guide for more information. For more information about NTLS/SSL failures, see Knowledge Base tip 2094230. 3.6.5 HSM Status is Down but HSMServiceStatus is Up Description HSM status is down but HSMServiceStatus is up or no partitions are enabled in SwHSMSelfTest result. Check the activation status of the HSM Run the command perl SwHSMActivate.pl -a -h _HSM Box_. For more information, see Knowledge Base tip 2146133. 3.7 PKI and Online Operations Manager Unable to display the Online Operations Manager welcome page 1. Check that the URL is correct: https://www.o2m.swiftnet.sipn.swift.com 2. Run nslookup and check that the URL https:// www.o2m.swiftnet.sipn.swift.com can be resolved. 24 Self-help Guide Troubleshooting the SWIFT Environment 3. If the URL can be resolved, then run checkip <URL or IP> 443 TCP. See the SWIFT CheckIP User Guide. 3.8 Problem with Connectivity between SWIFTNet Link and the HSM Box HSM box unreachable 1. Run perl SwHSMSelfTest.pl and check the results. 2. If the selftest output shows a connectivity issue, then contact your network department, to verify the network components between the SWIFTNet Link host and the HSM box. If there is a firewall between the SWIFTNet Link host and the HSM box, then check the firewall for dropped packets. 3. Log in to the HSM box as an admin user through a serial connection, and verify the IP settings of the HSM box by using the following commands: system hostname show network interface show 4. If the settings are not correct, then follow the instructions in the Hardware Security Module Operations Guide. 3.9 Problem with Connectivity between SWIFTNet Link Host and VPN Box VPN box unreachable 1. Run swiftnet checkip from the SWIFTNet Link host. For more information, see the SWIFT CheckIP User Guide. If the result is CHECKIP-GLOBAL-SUCCESS, then the connectivity is OK. 2. If the result is something other than CHECKIP-GLOBAL-SUCCESS, then check whether the configuration of your network components, such as DNS, routers and firewalls, is compliant with the Network Access Control Guide. To test the connectivity of your VPN box, you can also execute the ping command: • For a primary VPN box: ping 149.134.255.254 • For a secondary VPN box: ping 149.134.255.253 If no problems are found in the network components, then check the state of your VPN box. For more information, see "SSG5 VPN box (Alliance Connect)". 3. If the command is successful, then the problem could be intermittent. Check the dynamic parameters of the firewall (for example, the session idle time-out must be 1 hour or more). See the Network Configuration Tables Guide. 4. Check the logs of the network components for dropped packets. 24 January 2014 25 Support Note To reduce complexity, SWIFT strongly recommends that you have the SWIFTNet Link host and the VPN boxes in the same location (see the recommended configuration that is described in the Network Access Control Guide). 3.10 Relationship Management Application Relationship Management Application errors The Relationship Management Application (RMA) service is a standard SWIFTNet Store-and- Forward InterAct service. For an explanation of the possible error codes, see "Detail Codes Returned by SNL API" in the SWIFTNet Link Error Codes. For errors related to the Alliance RMA application, see "Collecting Evidence for Alliance Access and Alliance Entry" on page 33. For errors related to the Alliance Web Platform RMA application, see "Collecting Evidence for Alliance Web Platform" on page 36. 3.11 SSG5 VPN box (Alliance Connect) 3.11.1 Problem with Connectivity Between VPN Box and SWIFTNet Problem with the cabling The cabling for the various VPN box configurations is described in the Implementation Guides for Alliance Connect Bronze, Alliance Connect Silver, Alliance Connect Silver Plus, and Alliance Connect Gold. • RJ-45 cable from Ethernet port 0/2-A to Ethernet port 0/2-B • RJ-45 cable from Ethernet port 0/3-A to Ethernet port 0/3-B • RJ-45 cable from Ethernet port 0/6-A to customer's LAN switch • RJ-45 cable from Ethernet port 0/6-B to customer's LAN switch • RJ-45 cable from Ethernet port 0/0-A to primary router • RJ-45 cable from Ethernet port 0/1-B to secondary router Problem with the connectivity of the VPN box Check the LED status on the front panel of the box. • Before enrolment Primary VPN box (labeled A) Power: Green solid Status: Green blinking Port 0/0 TX/RX/RX: Green blinking Link port 0/0: Green solid 26 Self-help Guide Troubleshooting the SWIFT Environment Port 0/2 TX/RX: Off Link port 0/2: Off Port 0/3 TX/RX: Green blinking Link port 0/3: Green solid Port 0/6 TX/RX: Short blinking after connection is made Link port 0/6: Green solid Secondary/ backup VPN box (labeled B) Power: Green solid Status: Green blinking Port 0/1 TX/RX: Green blinking Link port 0/1: Green solid Port 0/2 TX/RX: Off Link port 0/2: Off Port 0/3 TX/RX: Green blinking Link port 0/3: Green solid Port 0/6 TX/RX: Short blinking after connection is made Link port 0/6: Green solid • After enrolment Link ports should show activity (blinking green). Primary VPN box (labeled A) Power: Green solid Status: Green blinking Port 0/0 TX/RX/RX: Green blinking Link port 0/0: Green solid Port 0/2 TX/RX: Green blinking Link port 0/2: Green solid Port 0/3 TX/RX: Green blinking Link port 0/3: Green solid Port 0/6 TX/RX: Short blinking after connection is made Link port 0/6: Green solid Secondary/ backup VPN box (labeled B) Power: Green solid Status: Amber blinking Port 0/1 TX/RX: Green blinking Link port 0/1: Green solid Port 0/2 TX/RX: Green blinking 24 January 2014 27 Support Link port 0/2: Green solid Port 0/3 TX/RX: Green blinking Link port 0/3: Green solid Port 0/6 TX/RX: Short blinking after connection is made Link port 0/6: Green solid Tip To test if your VPN box is operational and ready for enrolment. see "VPN Box Faulty?" on page 29. Related information For more information, see the following manuals on the User Handbook Online: • Alliance Connect Gold Implementation Guide • Alliance Connect Silver Implementation Guide • Alliance Connect Silver Plus Implementation Guide • Alliance Connect Bronze Implementation Guide 3.11.2 Connectivity Problem Check firewall between VPN boxes and Internet router 1. Make sure that connectivity is allowed to the SWIFT public IP addressing range, from its source IP address to destination IP address 149.134.0.0/16 (range 149.134.0.0 to 149.134.255.255). 2. Open the following ports: • UDP/IKE 500 • UDP/NAT-T 4500 • ESP IP protocol 50 3. Contact your Internet Service Provider (ISP) and make certain that these IP addresses and ports are not being blocked. 4. Log in to the Web GUI from your SWIFTNet Link (https://149.134.255.252) and check the alarms. 5. Run the Connectivity Test Tool as described in the SWIFT Connectivity Test Tool User Guide. Check location of VPN boxes Customers may not connect network equipment along the length of the direct connections between the two VPN boxes. 1. The standard distance between VPN boxes is 3 metres, which is a fully supported configuration. 2. Configurations that have a distance of more than 100 metres or that have layer 2 networking devices (or both) may work, but SWIFT does not support these configurations. 28 Self-help Guide Troubleshooting the SWIFT Environment Other configurations may work but SWIFT does not support them. 3.11.3 VPN Box Freeze Port settings In a LAN-based configuration, Ethernet ports 0/6 on both SSG5 VPN boxes are connected to a customer-supplied network switch. The e0/6 ports support the NSRP IP address of the VPN boxes. 1. Make sure that these two ports are set to fixed half-duplex mode. 2. Make sure that the port speed is set to 100Mbps. If that port speed is not supported, then 10Mbps will also work. Note These settings only apply to your network switch. No change must be made on the SSG5 VPN box. 3.11.4 Change from Static IP to DHCP for Back-up VPN Box IP configuration When you install and enrol a new VPN box, you have a choice of IP configuration: DHCP, PPPoE, or Static IP. When you installed the VPN box, you selected Static IP. Because of the change of network regulation, you are now trying to change your IP configuration to DHCP but the IP address does not seem to be updated. For a description of how to make this change, see Knowledge Base tip 3000625. 3.11.5 VPN Box Faulty? Check whether VPN box is operational 1. Connect a PC to port 0/5 on the VPN box using a LAN cable. 2. Configure the PC with the following network settings: IP Address 149.134.172.2 Subnet Mask 255.255.255.224 Default Gateway 149.134.172.1 3. Open a web browser (for example, Internet Explorer) on the PC and enter the following URL: https://149.134.255.252 The web GUI of the SSG5 VPN box appears. 4. Attempt to log on to the VPN box by using the MAC address of the VPN box for both the username and the password. If you are able to log in successfully, then the VPN box is ready for enrolment. If you are not able to access the web GUI or are not able to log in to the VPN box, then please contact SWIFT Customer Support. 24 January 2014 29 Support How to replace a faulty VPN box If you believe that one of your VPN boxes is faulty and you want to replace it with a spare VPN box, then you must contact SWIFT Customer Support. Customer Support will work with you to perform troubleshooting procedures. If the VPN box is determined to be faulty, then SWIFT must take actions to provision the spare VPN box for your connectivity pack before connecting the box to your infrastructure. 3.12 SWIFTNet Link Prerequisite Before you further investigate SWIFTNet Link, you should run the selftest command. This command checks whether the SWIFTNet Link subsystems are running, whether you have connectivity to SWIFTNet, and whether you can send a test message to the SWIFTNet central systems by using your SWIFTNet Link certificate. The output of the command must be: SWIFTNet Subsystems: Up IP Connectivity Test: Success InterAct Test: Success Heartbeat Test: Success What to do if the selftest command fails: • If the IP Connectivity Test is not successful, then investigate the connection between SWIFTNet Link and the VPN box. • Check the selftest log, which you can find in the log directory. Investigate further as described in the following sections. 3.12.1 Messages are Rejected by SWIFT Network transmission errors are reported Check the configuration of the components that are running on top of SWIFTNet Link (for example, roles and profiles). See "Detail Codes Returned by SNL API" in the SWIFTNet Link Error Codes. 3.12.2 SWIFTNet Connectivity Problems Description You receive one of the following errors: • TPESYSTEM - Local domain is down • selftest resulted in SWIFTNet Subsystems: Not Up 30 Self-help Guide Troubleshooting the SWIFT Environment SWIFTNet Link Processes not Up 1. Run swiftnet status -c -h -v. See the SWIFTNet Link Operations Guide. 2. Compare the output with the saved output taken during business operation activities (see "Best Practices for a System Upgrade" on page 12). If the output is different, then restart the affected components. Problem with SWIFTNet Link connectivity to SWIFTNet 1. Run swiftnet checkip. See the SWIFTNet Link Operations Guide. 2. If successful, check the network components between SWIFTNet Link and the VPN box for dropped packets. If there is a failure, then make sure that the network components between SWIFTNet Link and the VPN box are correctly configured. See the Network Configuration Tables Guide. Also see "Problem with Connectivity between SWIFTNet Link Host and VPN Box" on page 25. 3.12.3 SWIFTNet Link Certificate Problems Description You receive one of the following errors: • Security kernel initialization resulted in error • selftest resulted in InterAct Test failed The certificate has expired 1. Run certlist and check the expiry date of your SWIFTNet user. Recover the certificate if it has expired. 2. If your SWIFTNet Link certificate has expired, then a SWIFT offline intervention is necessary (see Knowledge Base Tip 35582). Alternatively, use the profilerecovery command to facilitate SWIFTNet Link profile recovery (Knowledge Base Tip 3001023). For more information, see the SWIFTNet Link Operations Guide. 24 January 2014 31 Support 4 Reporting a Problem 4.1 Methodology for Reporting a Problem Introduction If a persistent problem cannot be resolved by the troubleshooting guidelines, then report it to the SWIFT Customer Support Centre. Register on swift.com To access the Support service, you must first register yourself on swift.com. Registration allows you to access our specialised online services such as the Knowledge Base, Case Manager, User Handbook Online, ordering, and billing information. Report the problem When you report a problem to SWIFT, the Case Manager is the main communication channel with our regional support centres. Give as much electronic evidence as possible, in order to allow a faster investigation and a faster resolution of the problem. For more information, see "Collecting Evidence" on page 33. Alternatively, if your problem is urgent, then you can contact us by telephone. For more information, see "Organisation of SWIFT Support" on page 38. Ensure that you have access to your system and provide the following details: 1. The personal registration number that is shown on your SWIFT Support registration card. 2. Your case number, if you are calling about an open problem that you have reported previously. 3. What happened and what you were doing when the problem occurred. 4. The actions that you have taken to solve the problem. 5. The exact wording of any error message. Send collected evidence You can then send your collected evidence by different means: • For large files, with a size up to 250,000 KB, you can upload them at the same time as you update your open cases, through the Case Manager. • You can send files by using the sendsupportinfo command, directly from your SWIFTNet Link host: swiftnet sendsupportinfo [-d <dir>] -a <case number> – <dir> is the name of the directory where the diagnostic files are copied or located. This parameter is optional. If this parameter is not specified, then the command will use the default directory: Windows: %SWNET_HOME%\log\supportinfo 32 Self-help Guide Reporting a Problem UNIX: $SWNET_HOME/log/supportinfo – <case number> is the number of the case for which the diagnostic files are being sent. This parameter is mandatory in order to be able to link the evidence to the correct case in the Case Manager application. • If your evidence refers to an existing case, then you can send it by e-mail to
[email protected]. Be sure to mention the Case Email Thread ID in the subject of the e-mail. The Case Email Thread ID is given when the case is created, and is used to link the e-mail to the case automatically. 4.2 Collecting Evidence Overview The following sections describe the minimum evidence that you must provide to SWIFT Support when you report a case for the various components of the SWIFT environment. 4.2.1 Collecting Evidence for Alliance Access and Alliance Entry UNIX: Collect log and configuration information 1. Navigate to $ALLIANCE/common/bin/. 2. Run the following command: saa_supportinfo -output <directory> -from <YYYYMMDDTHHMM> -to <YYYYMMDDTHHMM> For example: saa_supportinfo -from 20110622T0100 -to 20110623T0200 3. Collect the log files from $ALLIANCE/support/<directory>, or the directory that you specified with the -output parameter. Note By default, saa_supportinfo collects the evidence of the last 24 hours. You can change the period by using the -from and -to parameters. Windows: Collect log and configuration information 1. Navigate to %ALLIANCE%\bin. 2. Run the following command: saa_supportinfo -output <directory> -from <YYYYMMDDTHHMM> -to <YYYYMMDDTHHMM> For example: saa_supportinfo -from 20110622T0100 -to 20110623T0200 3. Collect the log files from %ALLIANCE%\support\<directory>, or the directory that you specified with the -output parameter. 24 January 2014 33 Support Note By default, saa_supportinfo collects the evidence of the last 24 hours. You can change the period by using the -from and -to parameters. 4.2.2 Collecting Evidence for Alliance WebStation Collect log information 1. Collect the WebStation log file: SWIFTAlliance\WebStation\log\log.txt. 2. On a stand-alone Alliance WebStation, run a connection test to SWIFT: testtcp.bat The result is in <installation directory>\WebStation\log\testtcp.txt. Collect configuration information 1. Run diagnostic.bat. 2. Collect the result files, diagnostic.xml and diagnostic.txt, from <installation directory>\WebStation\log\ 4.2.3 Collecting Evidence for Alliance Gateway UNIX: Collect log and configuration information 1. Run the following command: sag_supportinfo -output <directory> -from <YYYYMMDDTHHMM> -to <YYYYMMDDTHHMM> For example: sag_supportinfo -from 20110622T0100 -to 20110623T0200 2. Collect the log files from <installation directory>/Gateway/support/, or the directory that you specified with the -output parameter. Note By default, sag_supportinfo collects the evidence of the last 24 hours. You can change the period by using the -from and -to parameters. Windows: Collect log and configuration information 1. Run the following command: sag_supportinfo -output <directory> -from <YYYYMMDDTHHMM> -to <YYYYMMDDTHHMM> For example: sag_supportinfo -from 20110622T0100 -to 20110623T0200 2. Collect the log files from <installation directory>\Gateway\support\, or the directory that you specified with the -output parameter. Note By default, sag_supportinfo collects the evidence of the last 24 hours. You can change the period by using the -from and -to parameters. 34 Self-help Guide Reporting a Problem 4.2.4 Collecting Evidence for SWIFTNet Link UNIX: Collect log and configuration information 1. Run the following command: snl_supportinfo -output <directory> -from <YYYYMMDDTHHMM> -to <YYYYMMDDTHHMM> For example: snl_supportinfo -from 20110622T0100 -to 20110623T0200 Note By default, snl_supportinfo collects the evidence of the last 24 hours. You can change the period by using the -from and -to parameters. 2. Run selftest. The Selftest.log file is in $SWNET_LOG_PATH/. 3. Compress the content of the SWIFTNet Link log directory, $SWNET_LOG_PATH. 4. Compress the content of the HSM log directory, $SWNET_HOME/log . Windows: Collect log and configuration information 1. Run the following command: snl_supportinfo -output <directory> -from <YYYYMMDDTHHMM> -to <YYYYMMDDTHHMM> For example: snl_supportinfo -from 20110622T0100 -to 20110623T0200 Note By default, snl_supportinfo collects the evidence of the last 24 hours. You can change the period by using the -from and -to parameters. 2. Run selftest. The Selftest.log file is in %SWNET_LOG_PATH%/. 3. Compress the content of the SWIFTNet Link log directory %SWNET_LOG_PATH%. 4. Compress the content of the HSM log directory, %SWNET_HOME%\log . 4.2.5 Collecting Evidence for the HSM Box UNIX: Collect log and configuration information 1. To collect the HSM log files, run the following command: perl SwHSMGetLog.pl -a | -h <HSM Box> The file is uncompressed and copied to the directory $SWNET_HOME/log/hsm1 or $SWNET_HOME/log/hsm2. 2. To collect the HSM self-test log files, run the following command: perl SwHSMSelfTest.pl You can find the output in $SWNET_LOG_PATH/HSMSelfTest.log. 24 January 2014 35 Support 3. To collect HSM configuration information, run the following command: swiftnet getconfig -T -v Redirect the output into a file. Windows: Collect log and configuration information 1. To collect the HSM log files, run the following command: perl SwHSMGetLog.pl -a | -h <HSM Box> The file is uncompressed and copied to the directory %SWNET_HOME%\log\hsm1 or %SWNET_HOME%\log\hsm2. 2. To collect the HSM self-test log files, run the following command: perl SwHSMSelfTest.pl You can find the output in %SWNET_LOG_PATH%\HSMSelfTest.log. 3. To collect HSM configuration information, run the following command: swiftnet getconfig -T -v Redirect the output into a file. 4.2.6 Collecting Evidence for Alliance Web Platform UNIX: Collect log and configuration information 1. To collect the Web Platform support information, navigate to <SWP_INSTALL_PATH>/bin/ and run the following command: swp_supportinfo -output <directory> -from <YYYYMMDDTHHMM> -to <YYYYMMDDTHHMM> For example: swp_supportinfo -from 20110622T0100 -to 20110623T0200 Note By default, swp_supportinfo collects the evidence of the last 24 hours. You can change the period by using the -from and -to parameters. 2. To collect the Web Platform logs, navigate to <SWP_INSTALL_PATH>/bin/ and run the following command: swp_readlog -output <file_pathname> -startdate <YYYYMMDD> - starttime <HH:MM:SS> -stopdate <YYYYMMDD> -stoptime <HH:MMLSS> Windows: Collect log and configuration information 1. To collect the Web Platform support information, navigate to <SWP_INSTALL_PATH>\bin\ and run the following command: swp_supportinfo -output <directory> -from <YYYYMMDDTHHMM> -to <YYYYMMDDTHHMM> For example: swp_supportinfo -from 20110622T0100 -to 20110623T0200 Note By default, swp_supportinfo collects the evidence of the last 24 hours. You can change the period by using the -from and -to parameters. 36 Self-help Guide Reporting a Problem 2. To collect the Web Platform logs, navigate to <SWP_INSTALL_PATH>\bin\ and run the following command: swp_readlog -output <file_pathname> -startdate <YYYYMMDD> - starttime <HH:MM:SS> -stopdate <YYYYMMDD> -stoptime <HH:MMLSS> 24 January 2014 37 Support 5 SWIFT Support Services 5.1 Organisation of SWIFT Support Worldwide support SWIFT provides customers with worldwide support delivered by a group of expert engineers. This service covers administrative, operational, and technical matters. The SWIFT Customer Support Centres (CSCs) are open 24 hours a day, seven days a week. For full information about SWIFT Support, see Support > Support packages and services on swift.com. Contact Support All customers who contact a regional support centre must be registered on swift.com. For information about how to contact SWIFT support, see Support > Need help? > Contact support on swift.com. 5.2 Support Information on swift.com Manage your profile Manage your profile on the Support page enables you to configure your access to the support services and to maintain your information online. This information includes updates to your BIC data, contact data, billing profile, shipping profile, and operational profile. Knowledge Base The Knowledge Base provides information about known problems and their solutions. It also includes frequently asked questions, suggestions, and technical documents. The information is organised in the form of tips. Case Manager Customers use the Case Manager to report a technical problem or a query to the SWIFT Customer Support Centres. For each entry, a case number is assigned. Electronic updates are provided by the support staff. You have a complete overview of all cases with up-to-date status information. Download centre All SWIFT software products are by default distributed via the Download centre on our web site. Only in exceptional cases will they be distributed via DVD or CD. Operational status SWIFT continues to improve the availability of its network and its systems. If a major outage occurs on critical services, then information is directly provided on the operational status. This enables customers to understand the situation and to take appropriate actions. 38 Self-help Guide SWIFT Support Services Documentation General documentation about SWIFT products and SWIFT services is provided on the User Handbook Online. The documentation can be viewed online and can be downloaded for printing purposes or for further processing. For some SWIFT software products, documentation is provided on the software product DVD or CD that is sent to licensed customers. It is also possible to register to receive the User Handbook on a USB stick. Billing information This service describes the rules of SWIFT for billing and invoices. You can access the billing information for your company up to 12 months in the past, and you can also download it. Translation service This service provides a real-time, multi-lingual translation of swift.com. The pages are translated by software that is configured with SWIFT-specific terminology. The English version of the web site remains the only official and legally binding version. 24 January 2014 39 Support Legal Notices Copyright SWIFT © 2014. All rights reserved. Restricted Distribution Do not distribute this publication outside your organisation unless your subscription or order expressly grants you that right, in which case ensure you comply with any other applicable conditions. Disclaimer The information in this publication may change from time to time. You must always refer to the latest available version. Translations The English version of SWIFT documentation is the only official and binding version. Trademarks SWIFT is the trade name of S.W.I.F.T. SCRL. The following are registered trademarks of SWIFT: the SWIFT logo, SWIFT, SWIFTNet, SWIFTReady, Accord, Sibos, 3SKey, Innotribe, the Standards Forum logo, MyStandards, and SWIFT Institute. Other product, service, or company names in this publication are trade names, trademarks, or registered trademarks of their respective owners. 40 Self-help Guide