Technical Briefing Pack - ANNI Participants
Contents
1. ASX SETTLEMENT CORPORATION Technical Briefing Pack ANNI Participant Austraclear System Release 3 Aug v3 2011 ASX Settlement Corporation ANNI Technical Brief ASX TABLE OF CONTENTS ANNI Participant 1 Introduction 3 About this Document 3 Background 3 Client Workstation Requirements 4 Software Requirements 4 Hardware Specifications 5 Network Infrastructure amp Security Requirements 5 Network and Security Requirements 5 system Connectivity Typical Configuration 6 Network Infrastructure 7 Participant Firewalls 7 Proxy Servers 8 DNS TCP IP Configuration 9 BCP DR Scenario ASX ANNI Router failure 10 BCP DR Configuration Requirements Internet 11 ANNI Participants with Internet Backup 12 security 13 Deployment of the Client Software 14 Deployment Models 14 Browser Deployment 14 File Deployment 14 Digital Certificates 14 PC Setup for IWT and Go Live 15 Deployment and user guides 16 Frequently Asked Questions 16 Glossary 17 Disclaimer amp Copyright 18 2011 ASX Settlement Pty Limited ABN 49 008 504 532 ASX Settlement Corporation ANNI Technical Brief ASX Introduction About this Document This is the technical briefing paper for the ASX Austraclear Release 3 system and will supersede the previously published paper once Release 3 is implemented into Production Its purpose is to assist Participant technology Staff in the implementation of the Austraclear Release 3 system The information in this2. 75 asx austraclear com au 203 15 145 78 asxhelp austraclear com au 203 15 146 75 asxta austraclear com au 203 15 146 78 asxhelpta austraclear com au 2011 ASX Settlement Pty Limited ABN 49 008 504 532 12 ASX Settlement Corporation ANNI Technical Brief ASX Security Application authentication in the ASX Austraclear Release 3 System is currently controlled through various security controls such things as End to end encryption of data between the Client and server using SSL Three factor application authentication when connecting over the internet something you know and something you have Comprehensive password policies Automatic application lock for idle users ASX Austraclear Release 3 system all users will still be required to both have and know something This includes the use of an ASX issued Client Side Digital Certificate and a username password pair for application authentication From a security perspective the security controls are related to the application rather than the network Under ASX Austraclear Release 3 system there are no changes in the protocols required Production ANNI HTTPS TCP port 443 DNS TCP UDP port 53 BCP DR Internet HTTPS TCP port 443 DNS TCP UDP port 53 It should be noted that no connections will be initiated from the ASX network ANNI to the Participant site As such Participants should only allow connections to be initiated outbound to ANNI
3. ASX with established connections also allowed through firewalls router access control lists 2011 ASX Settlement Pty Limited ABN 49 008 504 532 13 ASX Settlement Corporation ANNI Technical Brief ASX Deployment of the Client Software Deployment Models The ASX Austraclear Release 3 system is installed as a Net Windows Forms application There are two options available to deploy the Client on your desktop workstation Browser Deployment This model enables a user to deploy the software using their browser via a regular web address URL By clicking on the appropriate link on the ASX Austraclear website the weblauncher is initiated which will carry out the initial download and execution of the application This model ensures that each time you initiate the login procedure the web launcher will check for updates to the underlying application The web launcher Security Policy needs to be installed initially in order to configure the trust relationship between the client and the middle tier File Deployment This model enables a user to install the ASX Austraclear system on the local PC client The installation file can be downloaded from the ASX website and allows the application to be packaged and distributed if necessary It will require some intervention on the Participant s part to download and install the most recent version of software periodically This model is launched from the Start menu or by using a desktop sho
4. delivered as MSI Microsoft Installer once downloaded for browser deployment only Three Factor Three Factor Authentication Authentication Security Policy Security Policy 2011 ASX Settlement Pty Limited ABN 49 008 504 532 17 ASX Settlement Corporation ANNI Technical Brief ASX Disclaimer amp Copyright Disclaimer This participant briefing pack has been prepared by ASX Limited and its related bodies corporate ASX ABN 98 008 624 691 and is intended to provide information regarding updates on System functionality guidance on industry wide test procedures and general aspects of the Austraclear System s structure ASX reserves the right at any time with or without notice to change any proposed project specifications and timeline The information contained in this participant briefing pack has been compiled from sources believed to be reliable and in good faith but no representation or warranty express or implied is made as to their accuracy To the extent permitted by law ASX and its employees officers and contractors shall not be liable for any loss or damage arising in any way including by way of negligence from or in connection with any information provided or omitted or from any one acting or refraining to act in reliance on this participant briefing pack Copyright ASX Limited ABN 98 008 624 691 2011 All rights reserved 2011 ASX Settlement Pty Limited ABN 49 008 504 532 18
5. go live Participants must note that running both Release 2 and 3 GUI s on the same PC during IWT poses an operational risk to the user To mitigate this risk the Release 3 GUI during IWT will be coloured yellow to assist users in differentiating the versions The Release 3 GUI will automatically revert to the standard grey colour at go live Using the same PC for Release 2 and 3 may also pose a technical risk if any installation delays are experienced during deployment by participant s internal IT Additional set up is required if this approach is to be taken the details of which are provided below 1 install net to a version that meets the software requirements listed in Table 1 along side the existing install of net 1 1 service pack 1 ie net 1 1 service pack 1 must not be removed 2 upgrade Internet Explorer to a version that meets the software requirements listed in Table 1 3 If the XP machine is not automatically patched by Windows Root Certificate Updates then a root certificate must be installed called VeriSign Class 3 Public Primary Certification Authority G5 Current Release 2 uses the root certificate called Class 3 Public Primary Certification Authority Windows 7 PC s should already have this root certificate installed as default This certificate can be downloaded from Verisign at http www verisign com support roots html 4 For Browser deployment users Users who click on the web link to launch the GUI the
6. new updated version of Weblauncher Weblauncherlnstaller_R1394 msi must be installed along side the existing version of Weblauncher WebLauncherlnstaller_V18 msi Both versions can coexist on the same PC However please note that clicking on the new link to launch the Release 3 GUI will overwrite the Release 2 GUI in the user s windows profile space Vice versa clicking on the current link to launch the Release 2 GUI will overwrite the Release 3 GUI This means that every time the user switches between Release 2 and 3 GUl s they will be required to download the GUI again However both GUI s can be used side by side after the download For File deployment users both Release 2 and 3 GUI s can be installed side by side on the same PC Both can be launched and used at the same time 2011 ASX Settlement Pty Limited ABN 49 008 504 532 15 ASX Settlement Corporation ANNI Technical Brief ASX Deployment and user guides All the relevant documentation and user guides relating to the deployment and installation of both the ASX Austraclear system and the related Digital Certificates will be available on the ASX Austraclear websites in due course 1 week prior to IWT http www asx com au professionals asx austraclear technical documents htm Go Live http Awww asx com au professionals asx austraclear technical documents htm Frequently Asked Questions An FAQ register is available on the Austraclear Website in the Business Section and i
7. b browser and another server It intercepts all requests to the real server to see if it can fulfill the requests itself and if not forwards the request to the real server It also can be used to filter requests i e to prevent users from accessing a specific web page or sites There are two common types of proxy configuration e Authenticating o Manual requires all users to authenticate when browsing internet sites o Automatic Integrated allows users to browse internet sites automatically using a common authentication integrated to each of the user ids e Non Authenticating The ASX Austraclear Release 3 system is designed to work with proxy servers that support HTTP 1 1 RFC2616 Please note that the deployment of the ASX Austraclear system differs according to which method of authentication is used Please see the appropriate user manual for further details These will be made available on the following ASX Austraclear websites in due course 1 week prior to IWT http Awww asx com au professionals asx austraclear technical documents htm Go Live http www asx com au professionals asx austraclear technical documents htm See 2011 ASX Settlement Pty Limited ABN 49 008 504 532 8 ASX Settlement Corporation ANNI Technical Brief ASX DNS TCP IP Configuration The design of the Austraclear environment makes provision for dynamic failover between Austraclear processing sites for Business Continuity purposes It is impo
8. document applies to Participants who operate in Australia or overseas This document does not cover the functionality of the replacement system For further information regarding the content of this document or the ASX Austraclear system please send any enquires by email to Exigo asx com au Background The ASX Austraclear system is a next generation Central Securities Depository CSD system that utilises an open architecture with a Windows Graphical User Interface GUI front end Client The system s Release 3 provided improvement onto technical requirements and architecture as well as additional and improved functionalities The ASX Austraclear system is a Net Windows Forms application and can be deployed either by browser deployment or file deployment further information provided in Section 4 The Client application connects to a central web service utilising Microsoft Net technologies See Diagram 1 below Diagram 1 ASX Austraclear System Architecture Overview Client Tier Middle Tier Database Tier WinForms NET Client DATABASE Web Services COMMON GUI 2011 ASX Settlement Pty Limited ABN 49 008 504 532 3 ASX Settlement Corporation ANNI Technical Brief ASX Client Workstation Requirements Software Requirements The following table outlines the software requirements for the ASX Austraclear Release 3 system The Participant is responsible for the supply installation and support of the required Softwa
9. es the basic technical requirements to enable Participants to make the appropriate network configuration changes at their BCP DR site in order to be able to access the ASX Austraclear Release 3 system via the Internet Table 7 Network and Security Requirements Internet Connection ASX Austraclear Internet connectivity 256Kbps Participant ee ee ee Requirements Responsible Firewall ports required to be opened X e HTTPS TCP port 443 X Participant e DNS TCP UDP port 53 Client Side Digital Certificates Participant The ASX advises a recommended minimum connection speed of 256Kbps per user connectivity for Internet connectivity to the ASX Austraclear Release 3 system 2011 ASX Settlement Pty Limited ABN 49 008 504 532 11 ASX Settlement Corporation ANNI Technical Brief ASX ANNI Participants with Internet Backup For ANNI participants who do use internet connected PC s as a backup i e PC s not using the ANNI network to connect to Austraclear it is recommended that these internet PC s resolve using either of the following two methods 1 Forwarding requests to the authoritative public DNS servers for austraclear com au which are nsi austraclear com au 203 18 165 215 and ns2 austraclear com au 59 154 35 23 This is the normal case for ADSL dialup as the ISP DNS will forward any request to the authoritative name server by default 2 Local hosts files with the following entries 203 15 145
10. ol used for Internet HTML web pages Protocol HTTPS ee ee lane The protocol used for Secure Internet HTML web pages Protocol Secure intemereier inane Software provided by Microsoft used to browse the Internet Used to P P view and interact with HTML pages A simultaneous electronic transfer and settlement system for Commonwealth Government Securities This facility has now been largely transferred to the Austraclear system Secure Sockets laver This is an industry wide standard for encrypting data securely across y the Internet via the HTTP and HTTPS protocols RITS Reserve Bank Information amp Transfer System Three Factor authentication is based on something you know password or PIN and something you have an authenticator an lt token providing a much more reliable level of user authentication than a reusable password The 3 factors are Username amp password digital certificate and RSA token TTL is set by an authoritative name server for a particular resource record When a caching name server queries the authoritative name Time To Live aaa server for a resource record it will cache that record for the defined period in seconds set as a TTL Universal Resource An address for resource available on the Internet eg Locater www asx com au This file was provided by the vendor to ensure that assemblies are secure when downloaded This file also gives access to run the program The security policy file will be
11. ormance improvements can be realised with increases in processor speed and memory Table 2 Recommended Hardware Requirements Hardware Requirements Specifications Intel Core 2 3 16 GHz PC client Or AMD _ _ Memory RAM RAM 4 AB Monitor amp screen resolution 17 1024 x 768 30M per Windows user profile Network Infrastructure amp Security Requirements This section outlines minimum Network infrastructure and Security requirements for connecting to the ASX Austraclear Release 3 system Network and Security Requirements Table 3 Network and Security Requirements Production ASX Austraclear Responsible Internet connectivity 256Kbps ok Participant ee ee ee Requirements Firewall ports required to be opened X e HTTPS TCP port 443 X Participant e DNS TCP UDP port 53 Client Side Digital Certificates Participant 2011 ASX Settlement Pty Limited ABN 49 008 504 532 5 ASX Settlement Corporation ANNI Technical Brief ASX System Connectivity Typical Configuration Diagram 3 ANNI Participant Austraclear amp RITS RBNZ ANNI Participant Participant Production Site ASX Austraclear Austraclear Client TCP Por 80 HTTP TCP Port 443 HTTPS TOPUDP Port 53 DAS Wbp Primary ee el 2011 ASX Settlement Pty Limited ABN 49 008 504 532 6 ASX Settlement Corporation ANNI Technical Brief ASX Network Infrastructure Connectivity for ANNI Participants is c
12. re as specified below and the Hardware required for the Release 3 system Table 1 Software Requirements Microsoft Windows XP Professional Service pack 3 Ea Participant Microsoft Windows 7 32 bit or 64 bit Microsoft Internet Explorer 7 0 or 8 0 Participant Microsoft Net Framework version 3 5 Service Pack 1 Participant The Microsoft Net Framework can be downloaded from the Microsoft web site http www microsoft com downloads en resultsForProduct aspx displaylang en amp ProductID de7bb609 3fd0 4b0f 865d 5ed2463ad5d0 amp nr 10 amp sortCriteria Popularity amp sortOrder Ascending amp stype ss_sd The Microsoft Net Framework Redistributable package includes everything necessary to run applications developed using the Net Framework You are only required to install the Redistributable and NOT the SDK version This Framework can also be obtained on CD from Microsoft Please note that you need to be logged in with Administrator rights to install the Microsoft Net Framework as you would normally do when installing operating system software Internet Explorer 7 0 or 8 0 can be downloaded from the Microsoft web site http www microsoft com downloads 2011 ASX Settlement Pty Limited ABN 49 008 504 532 ASX Settlement Corporation ANNI Technical Brief ASX Hardware Specifications The minimum recommended PC specification for the ASX Austraclear Release 3 system is shown below ASX testing has indicated that perf
13. rtant that Participants make use of DNS based name resolution wherever possible Details are shown in Table 5 Where DNS based name resolution is not possible an alternate mechanism is available to support Business Continuity as specified in Table 6 Table 5 Application access via DNS Application URL https asx austraclear com au Online Help https asxhelp austraclear com au Test Environment https asxta austraclear com au Test Online Help https asxhelpta austraclear com au Participant DNS systems should resolve all name queries for the austraclear com au domain as follows e Add DNS forwarding entries for the austraclear com au domain to your internal DNS servers to directly resolve the austraclear com au domain against the Austraclear DNS servers The authoritative Austraclear name server is 203 4 179 50 for ANNI participants e TTLor Time To Live should be set to recommended setting of 30 seconds 2011 ASX Settlement Pty Limited ABN 49 008 504 532 9 ASX Settlement Corporation ANNI Technical Brief ASX In Austraclear Release 2 ANNI participants used the address of 203 18 165 249 to access the system This address was either configured in their corporate internal DNS or a local host file on the PC For Austraclear Release 3 ANNI participants can continue to use their corporate internal DNS or the host file but add the entries in table 6 They now also have the option to forward their DNS requests to 203 4 179 50 Af
14. rtcut and doesn t require the use of the browser to execute the system Digital Certificates Users of the ASX Austraclear system will be required to enrol in the ASX controlled Certificate Authority CA Once the user has been validated a certificate will be issued and downloaded into the users Web browser This certificate will be exportable E g installed at a Participant BCP DR site Use of this exportable capability is a security policy decision owned by the Participant ASX does not take responsibility for the management of the certificate and authentication process within a Participant s operations When logging into the application a valid certificate and username and password pair will need to be presented to the application Without these items a user will not be able to login Please see the Technical FAQ s for further details regarding digital certificates 2011 ASX Settlement Pty Limited ABN 49 008 504 532 14 ASX Settlement Corporation ANNI Technical Brief ASX PC Setup for IWT and Go Live ASX Austraclear recommends use of PCs that are separate to the current Production environment for testing during IWT which would then become the new Production PCs at go live This approach will minimize any impacts to existing Production PC s used for current Release 2 However if necessary and while not recommended participants can set up existing production PCs to also be used for Release 3 IWT and therefore
15. s updated regularly a O A 2011 ASX Settlement Pty Limited ABN 49 008 504 532 16 ASX Settlement Corporation ANNI Technical Brief ASX Glossary Tem Definition Meaning ANNI Austraclear National The network supported by the ASX that provides access to the Network Infrastructure Austraclear RITS amp ACNZ systems Authentication Establishes the credentials of a user as an authorised user Server based technology designed to provide web based services with Net Net Framework minimal need for manual software installation on the desktop For more details see http www microsoft com net The process by which data is temporarily re arranged into an Data Encryption Data Encryption unreadable or unintelligible form for confidentiality transmission or other security purposes A Digital Certificate is the electronic version of an ID card that Digital Certificates Digital Certificates establishes your credentials and authenticates your connection when performing transactions over the Internet The Domain Name System is the system that translates Internet Domain Name System domain names into IP numbers A DNS Server is a server that performs this kind of translation The part of the application with which the user interacts Windows Graphical User Interface applications interact graphically HTML Hyper Tax Markup The language used to create Web pages and read by a browser anguage HTTP wee 1 Manele The protoc
16. ter Go Live of Austraclear Release 3 the address of 203 18 165 249 will no longer be used Where DNS resolution against the authoritative Austraclear name servers is not possible the following host file entries or static DNS entries should be used Table 6 Application access using Host files or static DNS entries at Participant sites Application Host Address n Name Online Help 203 4 179 228 asxhelp austraclear com au Test Environment Online Help 203 4 179 229 Asxhelpta austraclear com au BCP DR Scenario ASX ANNI Router failure Although unlikely in the event of an ANNI access router failure at the ASX Production site two options are available for participants to continue using the ASX Austraclear system 1 Connect to the Austraclear system via the internet authentication via RSA token 2 Relocate to the Business Continuity Processing Disaster Recovery site Some participants will utilise 2Mbps dedicated links to their DR site while others will utilise internet connectivity 2011 ASX Settlement Pty Limited ABN 49 008 504 532 10 ASX Settlement Corporation ANNI Technical Brief ASX BCP DR Configuration Requirements Internet For Participants who prefer to use to access Austraclear Release 3 from their BCP DR site using Internet connection the ASX advises a recommended minimum connection speed of 256kbps for Internet connectivity to the ASX Austraclear Release 3 system The following section provid
17. urrently configured to 2Mbps Network redundancy is provisioned through the use of a second 2Mbps service Participant Firewalls Where Participant firewalls are installed modifications will be required to firewalls in order to communicate successfully with the ASX Austraclear system from the Client Workstation This information is detailed below in Table 4 Table 4 Firewall rules required ANNI participants should use one of the two methods of name resolution 1 Corporate internal DNS servers forwarding requests to the authoritative ANNI DNS server for austraclear com au which is 203 4 179 50 This request must be sent to the ANNI network TABLE 4 1 Destination Port s Action Description 203 4 179 50 DNS UDP 53 ALLOW Allow access to Austraclear DNS systems where required 2 Local hosts files with the entries in Table 4 2 Refer to Table 6 for further details TABLE 4 2 Primary Site 203 4 179 224 HTTPS ALLOW Allow access to the Release 3 Production TCP 443 203 4 179 228 HTTPS ALLOW Allow access to the Release 3 Online Help TCP 443 Production environment 203 4 179 230 HTTPS ALLOW Allow access to Release 3 Test Environment TCP 443 203 4 179 229 HTTPS ALLOW Allow access to the Release 3 Online Help Test TCP 443 environment 2011 ASX Settlement Pty Limited ABN 49 008 504 532 7 ASX Settlement Corporation ANNI Technical Brief ASX Proxy Servers A proxy server is one which sits between a we
Download Pdf Manuals
Related Search