Client Confidential / Certificate Renewal User Guide /

SDEDS – Certificate Renewal User guide

Version 3

Document Date 15/06/2016

Prepared by BT

Status Issue

Contents

1. Document Objective

2. Renewed/New Certificate

3. Instructions

3.1. Instructions for FTPS clients based on Windows Platform

3.1.1 Steps to form FTPS connection using CORE FTP LE Client

3.1.2 Steps for FTPS connection using FileZilla Client

3.2. Instructions for FTPS clients based on Linux Platform

3.2.1 Steps for FTPS connection using LFTP Client

4. FAQs

5. Support Details

6. GLOSSARY

7. Version Control

1.  Document Objective

CPs connect to the SDEDS gateway using a digital server certificate to securely place or retrieve data files to/from the SDEDS server over ports 55021 & 50021.

The server certificate used to secure the SDEDS servers over ports 55021 & 50021 needs to be upgraded from SHA1 to SHA2 to further enhance security. This change impacts all CPs who connect to SDEDS.

If you are connecting to the SDEDS server by importing the server certificate and CAs explicitly (i.e., importing the certificate on your FTPS client manually), then the new certificate and corresponding new CAs to be installed in your system are provided in section 2.

If you trust/import the server certificate and the corresponding CAs implicitly/automatically when you connect to the SDEDS server, then please check your connection once the changes (switching over to the new server certificate) have been made on the SDEDS side.

If you can have more than one certificate on your side, you can add this new certificate beforehand. Otherwise, you will have to add it during the cut-over window mentioned below.

The new server certificate will be configured on 6 August 2016 at 22.00 BST. This process will take around 2 hours during which you may not be able to access the SDEDS server.

The details of the current certificate are –

·  Serial number: 13913f96656836e597add838695df1c0

·  CN = sdeds.bt.co.uk

·  Valid From: 10 October 2013

·  Valid To: 9 October 2017

·  Issued by: VeriSign Class 3 Public Primary Certification Authority - G5; VeriSign Class 3 Secure Server CA - G3

The details of the new certificate are -

·  Serial number: 21a2536c486006b125679146a6a2788e

·  CN = sdeds.bt.co.uk

·  Valid From: 30 June 2016

·  Valid To: 1 July 2019

·  Issued by: VeriSign Universal Root Certification Authority; Symantec Class 3 Secure Server SHA256 SSL CA

NOTE – Failure to install the new certificates as per the guidance in this documentation will mean that a CP will not be able to exchange data with BT through the SDEDS gateway.

This document gives detailed instructions required to switch from the OLD certificate to the NEW certificate of the SDEDS gateway on CP/client system, along with any attendant instructions to make the certificate effective.

2.  Renewed/New Certificate

CA Certificates /
New Server Certificate (.pem, .cer, .txt) /
New Server Certificate File (Linux servers require this “.key” file along with the “.pem” file. Please note that the “.key” file is an extract of the “.pem” file.) /

Instructions for using the certificate files attached above are given later in the ‘Instructions’ section.

3.  Instructions

This section provides instructions to

A.  Install the new server certificate of the SDEDS gateways on CP systems/machines

B.  Create a connection to the SDEDS gateway with the new certificate having made any necessary configuration changes

C.  Test the connectivity to the SDEDS gateway, using the NEW certificate and the newly changed configuration settings.

IMPORTANT

A.  This certificate renewal activity will impact all customers/CPs that are using ports 50021 and 55021.

3.1.  Instructions for FTPS clients based on Windows Platform

Please follow the steps in the attached artifact (common for all FTPS clients) to install the renewed certificate.

3.1.1 Steps to form FTPS connection using CORE FTP LE Client

Please find instructions for Windows-based CPs using the Core FTP LE FTPS client in the attached artifact.

3.1.2 Steps for FTPS connection using FileZilla Client

Please find instructions for Windows-based CPs using the FileZilla FTPS client in the attached artifact.

3.2.  Instructions for FTPS clients based on Linux Platform

Please follow the steps in the attached artifact to install the renewed certificate.

3.2.1 Steps for FTPS connection using LFTP Client

Please find instructions for Windows-based CPs using the LFTP FTPS client in the attached artifact.

4.  FAQs

4.1.  What Certificate is being changed (or upgraded)?

The server certificate used by SDEDS to securely exchange files with CPs on ports 50021 and 55021 is going to be upgraded from SHA1 to SHA2 for better security.

4.2.  What is the certificate that is being changed used for?

The certificate is required by CPs for secure file transfer. Since the current one is planned to be upgraded shortly, the certificate change is required to continue the secure file transfer service.

4.3.  How do I identify the certificate in question on my current system?

The SDEDS certificate showing on your system should contain the below mentioned values.

Certificate issued to / sdeds.bt.co.uk
Certificate Authority / VeriSign Class 3 Public Primary Certification Authority - G5; VeriSign Class 3 Secure Server CA - G3
Certificate Validity / 10 October 2013 to 9 October 2017
Serial Number / 13913f96656836e597add838695df1c0

4.4.  How do I identify the new certificate on my system after I have made the switch?

The SDEDS certificate showing on your system should contain the below mentioned values.

Certificate issued to / sdeds.bt.co.uk
Certificate Authority / VeriSign Universal Root Certification Authority
Certificate Validity / 30 June 2016 to 1 July 2019
Serial Number / 21a2536c486006b125679146a6a2788e
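
The check described in FAQs 4.3 and 4.4, written as a shell function (an added example, not part of the original guide). It compares the serial number and CN listed in this guide against `openssl x509` output and also requires a SHA-2 signature on the new certificate; `SDEDS_HOST` is a placeholder and the sample input is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Reads `openssl x509 -noout -serial -subject -text` output on stdin and
# reports which SDEDS certificate it describes: NEW, OLD or MISMATCH.

OLD_SERIAL=13913f96656836e597add838695df1c0   # section 1 / FAQ 4.3
NEW_SERIAL=21a2536c486006b125679146a6a2788e   # section 1 / FAQ 4.4
EXPECTED_CN=sdeds.bt.co.uk

sdeds_cert_status() {
    input=$(cat)
    # openssl prints the serial in upper-case hex; the guide lists lower case.
    serial=$(printf '%s\n' "$input" | sed -n 's/^serial=//p' |
             tr '[:upper:]' '[:lower:]' | head -n 1)
    # Accepts "CN = name" (OpenSSL 1.1+) and "/CN=name" (1.0.x) subject styles.
    cn=$(printf '%s\n' "$input" |
         sed -n '/^subject=/s|.*CN *= *\([^,/]*\).*|\1|p' | head -n 1)
    sigalg=$(printf '%s\n' "$input" |
             sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)

    if [ "$cn" != "$EXPECTED_CN" ]; then
        echo "MISMATCH cn=$cn"; return 2
    fi
    case "$serial" in
        "$NEW_SERIAL")
            # The renewal moves from SHA1 to SHA2, so require a SHA-2 signature.
            case "$sigalg" in
                sha256*|sha384*|sha512*) echo "NEW"; return 0 ;;
                *) echo "MISMATCH sigalg=$sigalg"; return 2 ;;
            esac ;;
        "$OLD_SERIAL") echo "OLD"; return 1 ;;
        *) echo "MISMATCH serial=$serial"; return 2 ;;
    esac
}

# Constructed sample input (subject fields other than CN are made up).
SAMPLE_NEW='serial=21A2536C486006B125679146A6A2788E
subject=C = GB, O = Example Org, CN = sdeds.bt.co.uk
    Signature Algorithm: sha256WithRSAEncryption'

printf '%s\n' "$SAMPLE_NEW" | sdeds_cert_status

# Against the live gateway (SDEDS_HOST is a placeholder for the host you use):
#   openssl s_client -connect "$SDEDS_HOST:55021" -starttls ftp </dev/null 2>/dev/null |
#     openssl x509 -noout -serial -subject -text | sdeds_cert_status
```

A result of OLD after the cut-over window, or any MISMATCH, means the client is not seeing the certificate described in this guide and the connection should not be trusted until that is resolved.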

4.5.  If I consume more than one product (e.g. from Openreach and BT Wholesale) do I have to make this change multiple times?

No, as long as you are using only one server to connect to the SDEDS gateway.

4.6.  If I connect to the SDEDS gateway through multiple systems, do I have to keep anything in mind?

You will need to make this change on each of the systems that you use to connect to the SDEDS gateway.

4.7.  Why am I not able to connect to the SDEDS server?

A few of the probable reasons for not being able to connect could be:

·  The NEW SDEDS server certificate is NOT being used while establishing the connection with the SDEDS server after the server certificate change on SDEDS.

·  Login credentials that you supplied are wrong.

·  The FTP connection type is wrong (please make sure it is either ‘FTPES - Over Explicit TLS/SSL’ or ‘AUTH TLS and explicit mode’, depending on the FTP client).

NOTE:

·  The connection/transfer should be done in passive mode.

4.8.  Why is the SDEDS gateway not accepting my user credentials since the certificate switch?

The SDEDS support team will be able to verify your credentials. Kindly get in touch with them for assistance.

4.9.  How can I connect successfully to the SDEDS gateway?

Please make sure that you have the correct username and password for connection and keep this guide handy.

There could be an error in the connection details in the site manager settings of the FTP client you use. Please be advised that the SDEDS server accepts “FTPES EXPLICIT TLS/SSL” / “AUTH TLS” connections ONLY. The connection also needs to be in “PASSIVE mode” ONLY.

NOTE: The nomenclature of these modes may vary according to the FTP client used, but please try the closest possible match found in the settings.

4.10.  Will the data available in my access area on SDEDS be affected during upgrade activity?

The CP access areas will remain unchanged and the data will NOT be affected due to this certificate switch.

4.11.  I am able to see my files on the server but I am not able to download them?

This could be an issue with the permissions granted. The SDEDS support team can help you with this if you get in touch with them.

4.12.  My questions are still NOT answered. What should I do?

Please get in touch with the SDEDS support team at

5.  Support Details

SDEDS PEM Team :

6.  GLOSSARY

Abbreviation / Description
ASG / Application Support Group
SDEDS / Secured Data Exchange Distribution System
CP / Communication Provider and any other third party who uses SDEDS to transfer files to and from BT
SP / Service Provider
CDR / Call Data Records
TCP/IP / Transmission Control Protocol/Internet Protocol - The suite of protocols which define the Internet
FTPS / FTP Secure
PEM / Partner Enablement Management
Redside / Any network outside BT firewall
CA / Certificate Authority

7.  Version Control

Version No. / Date / Prepared by / Modified by / Reviewed by / Nature of Changes
1.0 / 24/11/2015 / Sakthivel S / Shivakumar Sudi, Nagasrinu Inampudi / First draft
2.0 / 27/11/2015 / Sakthivel S / Ian Clark / Issue
3.0 / 15/06/2016 / Sugumar R / Nagasrinu Inampudi, Shivakumar Sudi, Sakthivel S / Modified according to SHA2 certificate change
