Secure File Transfer (SFT) Implementation Guide

Welcome to the American Express @ Work1 Corporate Payment Solutions Guide

This guide is designed to provide American Express® Account Managers and American Express client partners with step-by-step instructions to manage the implementation of Secure File Transfer (SFT).

INTRODUCTION

About the Guide

 

This guide is designed to provide American Express Account Managers and American Express client partners with step-by-step instructions to manage the implementation of Secure File Transfer (SFT).

About Secure File Transfer

 

Secure File Transfer (SFT) from American Express provides a fast and reliable process to securely exchange files with our client partners and to provide tracking and setup services for these file exchanges. Using SFT enables consolidation and central management of file transfers across the enterprise. SFT provides a single hub for file transfers using industry standards for security and regulatory compliance. The existing Service Level Agreement (SLA) for a standard SFT Implementation is 2-12 weeks, including connectivity testing in both test and production environments, as well as file creation and secured transmission to client. Depending on the technical readiness of the client, and engagement of second level support resources for issue identification and resolution, this timeframe may be extended as needed.

Benefits of SFT

 

  1. PGP file-level encryption, so a file stays encrypted at rest and in transit and is decrypted only by its recipient.
  2. Files securely transferred between different operating systems.
  3. Secure file transfers to multiple servers (destinations).
  4. Files compressed or decompressed using WinZip, PKZip, and GZip.
  5. Push technology for secure file transmission.
  6. Automatic retransmission triggered upon file delivery failure.
  7. No physical file size limitation, no limit on the number of transferred files, no space limit on the server, and no need to buy software or licenses.
  8. Windows and Linux/UNIX client software available at no cost.
  9. Retrieval of recently downloaded files from the sent box; no need to call American Express to refresh a file for pickup.
  10. Significantly faster transmission.

What SFT Does Not Do

 

  • Will not validate file content
  • Will not modify file content

IMPLEMENTATION

User Requirements

 

The client partner may be the Sender or the Receiver of the data files. The role of the client partner is to comply with SFT American Express system requirements and to ensure that it dedicates technical resources to perform the following tasks:

 

  • Select protocol and configure client software
  • Set up transmission schedule
  • Configure ports and firewall
  • Set up file transmission parameters
  • Embed and chain certificates as needed

Implementation Planning

 

A client partner that would like to use SFT must first contact its American Express Account Manager. On request, consultation on product functionality and availability is provided.

The implementation process is initiated by engaging the Electronic Transmission Team (ETT). Analysis of the client partner’s needs and projected timelines is conducted as part of the implementation process. Service Level Agreement terms are provided and the technical teams are engaged in defining parameters required for configuration and testing.

Implementation Overview

 

The following three steps make up the implementation process.

 

1. Completing the setup form

 

The client partner is responsible for completing the SFT Client Engagement Form and submitting it to American Express. Once the form has been processed, American Express will provide the client with the appropriate technical contact(s). This contact will assist the client and its technical staff in ensuring a smooth implementation and will be available to answer questions.

 

2. Creating the file transfer setup and transmitting a file in test

 

The American Express technical contact works with the client partner to create SFT file transmission in the test environment. Testing is then conducted to ensure the file is sent or received correctly.

 

3. Transmitting a file in production

 

The last step in implementation is for American Express to mirror the setup in the production environment. As a final test, a data file is transmitted to check that it is delivered correctly. Proactive measures taken to avoid issues with the production transfer include checking the setup for accuracy, validating connectivity, and conducting a “dry run” before actual production date.

 

Implementation Checklist

 

  1. Request: (To be owned by ETT Analyst / Client) The SFT Client Engagement Form is submitted to ETT with the appropriate agreements. [For the AS2 protocol, the AS2 Setup Form is also sent to the client. The AS2 Setup Form provides the American Express setup parameters; the client returns the form to ETT with its own system setup parameters identified.]
  2. Verification: (To be owned by ETT Analyst / Client) Upon receipt of the completed SFT Client Engagement Form and AS2 Setup Form (as applicable), the ETT Analyst contacts the client to verify the desired file type(s) and requests any additional documents or information needed.
  3. Software Access: (To be owned by ETT Analyst / Client) If the client requires the Secure Transport Client software, the ETT Analyst provides the link to the site where the free software can be downloaded. Otherwise the client is responsible for purchasing supported software.
  4. Testing: (To be owned by ETT Analyst / Client) ETT tests the file transfer with the client using the test URL. The sender and receiver groups work together to achieve a successful file transfer in the test environment. If a testing issue is identified, the ETT Analyst researches and resolves it. If the issue cannot be resolved, ETT contacts File Services second level support.
  5. Validation of Production: (To be owned by ETT Analyst) Once testing has completed successfully, ETT instructs the client to retrieve a data file from the production URL. The client notifies ETT of the successful download of the data file.
  6. Closure: (To be owned by ETT Analyst) ETT communicates the successful completion of the business partner setup.

CLIENT OPTIONS AND CLIENT SFT PORTAL

Secure Transport Client Options

 

Secure Transport command line clients are available for the UNIX and Linux operating systems and for the AS/400 platform (which requires Java 1.2.2 or higher). A standalone graphical client is available for 32-bit Windows operating systems.

 

SecureTransport Client Distribution

 

American Express offers a Secure Transport Client download site hosted by Tumbleweed. To download the client software, the client partner accesses https://support-st.axway.com, enters the User Name scdownload and the Password sCD0wn!0aD, and clicks on the executable file to download the client software. This software replaces the SIFT and STU software that most of our clients currently have, and it retains the scheduling capabilities and easy-to-read graphical user interface that SIFT and STU had. Please call us at 1-800-337-7283 if you need assistance downloading the software. Once you have downloaded the software, it is all you will need to communicate with American Express.

 

Third-Party Client Software

 

Client partners can purchase off-the-shelf products that adhere to these file transfer options as supported by the American Express network. While client partners may choose a product not included on the examples listed for each standard protocol, American Express cannot guarantee success of the implementation or support any special needs resulting from the product selection.

 

File Transfer Options

 

American Express offers a number of IP-based file transfer options. Our intent is to use industry standard file transfer protocols whenever possible. Supported industry standard file transfers are

 

  • File Transfer Standard (v 4.7) – HTTPS
    • Pull – Yes
    • Push – Yes
    • Description - HTTP over SSL/TLS (Secure Sockets Layer) encryption. This option is simple because it requires no special software, only a browser.
    • Supported browser versions:
      • Microsoft Internet Explorer 6.0 SP1
      • Netscape Navigator 7.1 and 7.2
      • Mozilla Firefox 1.0.4
  • File Transfer Standard (v 4.7) – FTPS (RFC 2228, RFC 4217)
    • Pull – Yes
    • Push – Yes
    • Description - This is an industry standard using the FTP protocol over an SSL channel.
    • Supported software listed below:
      • Tumbleweed 4.7
      • CuteFTP Professional 7.0
      • WS_FTP Professional 2006
      • LFTP 2.6.3
      • Curl 7.13.2
      • FileZilla 2.2.14
      • IglooFTP Professional 3.9
      • SmartFTP 1.0
  • File Transfer Standard (v 4.7) – SFTP (SSH)
    • Pull – Yes
    • Push – Yes
    • Description - This is an FTP-like transfer protocol that runs over an SSH-encrypted channel. This option allows you to authenticate with a public key or with a password assigned to you by American Express.
    • Supported software listed below:
      • Tumbleweed 4.7
      • OpenSSH (SCP and SFTP) 3.8p1
      • VanDyke SecureFX 2.2.9
      • SCP and SFTP shipped with Solaris version 2.9
      • PuTTY SecureFile Transfer (SFTP) 0.58
      • CuteFTP Professional 7.0
      • WinSCP 3.8.2
      • Tectia 5.1.3.8
  • File Transfer Standard (v 4.7) – AS2
    • Pull – No
    • Push – Yes
    • Description - This standard is a server-to-server HTTP-based file transfer protocol. It can be used to securely send any type of file over an IP connection (including over the Internet). Any client certified by the Drummond Group is supported.
  • File Transfer Standard (v 4.7) – Connect Direct Secure +
    • Pull – No
    • Push – Yes
    • Description - This is a node to node mainframe connection. SSL Encrypted C:D. Sterling Commerce software package must be purchased by client.

Outbound data files sent to client

 

  • (Pull) American Express sends data files to the SFT server. The client then pulls (retrieves/downloads) the data files from the SFT server. (Secure Transport Client, SFTP, FTPS, and HTTPS)
  • (Push) American Express pushes (transmits/uploads) data files to the client partner's systems without the client having to pull them from the SFT server. (AS2, FTPS, SFTP, HTTPS, and Connect Direct Secure Plus)

Note: User authentication process regarding push - If public key authentication is chosen when pushing data out to a client system, it is the client's responsibility to install the American Express-provided public key in the location its SSH server expects (for an OpenSSH server, the authorized_keys file of the receiving account). American Express is unable to advise on the exact location because of the many different types of hardware and software a client might run.

Note: PGP encryption process regarding push - Files are PGP-encrypted before they are written to the American Express SFT server, so the data is encrypted while stored on the Amex disk and can only be decrypted by the recipient; no one at Amex can read the data file while it sits on the SFT server. The party that will decrypt the file generates the PGP key pair and gives the public key to the party that sends the data. For files pushed to the client, the client therefore generates the key pair, sends the public key to American Express and keeps the private key.

Incoming Data Files sent to American Express

  • Client sends data files to the SFT server at American Express (Secure Transport Client, AS2, FTPS, SFTP, HTTPS, and Connect Direct Secure Plus)

Note: PGP encryption process regarding sending data files - If the client encrypts files before sending them to American Express, the direction is reversed: American Express generates the key pair, sends the public key to the client and keeps the private key used to decrypt the incoming files.

FILE OPTION OF HTTPS PROTOCOL

Description

 

HTTPS is a server-to-client HTTP-based protocol secured with SSL/TLS; the server authenticates itself with an X.509 certificate. Benefits of the HTTPS protocol are the ability to push files and the protection of data in transit.

 

HTTPS Protocol Implementation

 

When logging into American Express using HTTPS, the client partner is placed in a home directory. This home directory contains three subdirectories: inbox, outbox, and sent. To send a file, the client changes directory to the inbox and uploads the file for delivery to American Express. A file delivered from American Express is picked up in the outbox. Files previously sent are stored in the sent directory (until the files are purged from the system). The HTTPS parameters are provided to the client partner through the SFT Client Engagement Form. The following chart details the HTTPS parameters for the American Express system for file transfers.

 

American Express Internet Connection Parameters

 

Test URL — https://fsgatewaytest.aexp.com/

Production URL—  https://fsgateway.aexp.com/

User ID —<assigned by American Express>

Password —<assigned by American Express>

Filename(s) —<assigned by American Express>

Port — 443

 

American Express Extranet Parameters (e.g., leased line, dial-up line)

 

Test URL — https://fsgatewaytest.intra.aexp.com/

Production URL — https://fsgateway.intra.aexp.com/

User ID —<assigned by American Express>

Password —<assigned by American Express>

Filename(s) —<assigned by American Express>

Port — 443

American Express supports HTTPS over port 443 only, which is the standard port for SSL/TLS. The client partner should have 128-bit SSL client sessions enabled to send files and 128-bit SSL server sessions to receive files. To receive files from American Express (push), the client partner must have a registered domain and obtain a site certificate from a trusted root authority that certifies the site URL, so that American Express can validate it when connecting. Where files are additionally encrypted end to end, each side of the partnership exchanges an encryption certificate. The public key of each encryption certificate is provided to the remote partner, who uses it to encrypt files destined for the certificate's owner; only the owner's private key can decrypt them. American Express therefore holds the client's public key to encrypt files pushed to the client, and the client holds the American Express public key to encrypt files sent to American Express.

 

FILE OPTION OF FTPS PROTOCOL

Description

 

FTPS is a client-server protocol that enables secure file transfers using FTP. An SSL/TLS layer is negotiated on the TCP connection beneath the standard FTP protocol and is used to encrypt the control channel and, when the client requests it (PROT P), the data channel as well; a data channel left at the default protection level (PROT C) carries file contents in the clear. FTPS servers must provide a public key certificate signed by a certificate authority. FTPS should not be confused with SSH File Transfer Protocol (SFTP) or with FTP tunnelled over SSH. Note also that plain, unencrypted FTP is not supported by American Express.

 

FTPS Protocol Implementation

 

When logging into American Express using FTPS, the client partner is placed in a home directory. This home directory contains three subdirectories: inbox, outbox, and sent. To send a file, the client changes directory to the inbox and uploads the file for delivery to American Express. A file delivered from American Express is picked up in the outbox. Files previously sent are stored in the sent directory (until the files are purged from the system).

FTPS Requirements

 

Port 21 is used for the control channel (explicit FTPS: the client issues AUTH TLS on the plain connection before logging in) and only passive mode is supported. The port range 1024 through 1124 is reserved for the passive-mode data connections, so the client firewall must permit outbound connections to the American Express server on port 21 and on 1024-1124. Because the control channel is encrypted, a firewall or NAT device cannot read the PASV reply to open data ports dynamically, which is why the fixed range is published.
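The following is an added Python example, not American Express code and not part of the SecureTransport client: an explicit-FTPS push into the inbox using the standard library ftplib, showing the two steps that decide whether the session is actually secure (AUTH TLS before the password is sent, PROT P before the data connection is opened), plus a parser for the server's 227 passive-mode reply that checks the data port against the published 1024-1124 range so firewall problems can be diagnosed. The host, user, password and file names passed to push_to_inbox and pull_from_outbox are whatever ETT assigns on the engagement form; the 227 reply strings in the checks are constructed.

```python
"""Explicit FTPS push/pull against the SFT inbox/outbox with a hardened TLS session.

Added example for this guide using only the Python standard library.
Host, user and password are the values assigned on the SFT Client Engagement Form.
"""
import re
import ssl
from ftplib import FTP_TLS

CONTROL_PORT = 21
PASSIVE_PORTS = range(1024, 1125)      # 1024-1124 inclusive, per the guide

_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def make_tls_context() -> ssl.SSLContext:
    """Server-auth context: CA verification, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True when the context will refuse unverified servers and legacy TLS."""
    return bool(ctx.check_hostname
                and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def parse_pasv_reply(reply: str):
    """Turn '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port)."""
    m = _PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def passive_port_allowed(port: int) -> bool:
    """True if the data port lies inside the range the client firewall must allow."""
    return port in PASSIVE_PORTS


def push_to_inbox(host, user, password, local_path, remote_name, ctx=None):
    """Upload local_path as inbox/remote_name and return the inbox listing."""
    ctx = ctx or make_tls_context()
    with FTP_TLS(context=ctx) as ftp:
        ftp.connect(host, CONTROL_PORT, timeout=60)
        ftp.login(user, password)   # login() sends AUTH TLS first, so the
                                    # password never crosses the wire in clear
        ftp.prot_p()                # PROT P: encrypt the data channel as well;
                                    # the default PROT C sends file bytes in clear
        ftp.set_pasv(True)          # only passive mode is supported
        ftp.cwd("inbox")
        with open(local_path, "rb") as fh:
            ftp.storbinary(f"STOR {remote_name}", fh)
        return ftp.nlst()


def pull_from_outbox(host, user, password, remote_name, local_path, ctx=None):
    """Download outbox/remote_name to local_path over an encrypted data channel."""
    ctx = ctx or make_tls_context()
    with FTP_TLS(context=ctx) as ftp:
        ftp.connect(host, CONTROL_PORT, timeout=60)
        ftp.login(user, password)
        ftp.prot_p()
        ftp.set_pasv(True)
        ftp.cwd("outbox")
        with open(local_path, "wb") as fh:
            ftp.retrbinary(f"RETR {remote_name}", fh.write)
        return local_path


if __name__ == "__main__":
    # Constructed replies: the first lands on the last allowed port, the
    # second one port past the range and would be blocked by a correct firewall.
    for reply in ("227 Entering Passive Mode (10,0,0,5,4,100)",
                  "227 Entering Passive Mode (10,0,0,5,4,101)"):
        host, port = parse_pasv_reply(reply)
        print(host, port, "allowed" if passive_port_allowed(port) else "outside range")
```

If a transfer hangs right after STOR or RETR while the login succeeded, the control channel is fine and the data connection is being dropped; run parse_pasv_reply on the 227 line from the client's debug log and compare the port with the published range before opening a ticket.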

 

American Express Internet Connection Parameters

 

Test Host — fsgatewaytest.aexp.com

Production Host — fsgateway.aexp.com

User ID—<assigned by American Express>

Password—<assigned by American Express>

Filename(s)—<assigned by American Express>

Port —21

Passive Port Range— 1024-1124

 

American Express Extranet Parameters (e.g., leased line, dial-up line)

 

Test Host — fsgatewaytest.intra.aexp.com

Production Host — fsgateway.intra.aexp.com

User ID —<assigned by American Express>

Password —<assigned by American Express>

Filename(s) —<assigned by American Express>

Port—  21

Passive Port Range — 1024-1124

FILE OPTION OF SSH PROTOCOL

Description

 

SSH File Transfer Protocol (SFTP) runs over a Secure Shell (SSH) connection; it requires an exchange of SSH public keys and a user ID/password. It is a server-to-client protocol that transmits files through an encrypted channel: a single SSH connection carries both the command channel and the data channel, so both are encrypted. Authentication uses public-key cryptography (the client is identified by its user ID and either a password or an SSH key pair). A benefit of the SSH protocol is the protection of data in transit.

 

SSH Protocol Implementation

 

American Express assigns a user ID and password, and imports the client’s public key (required in RSA format) into the American Express server’s public key store. The SSH client may be authenticated through either secure sign on (user ID and password) or public key (RSA).

If public key authentication is chosen by the client, it is the client's responsibility to know where the keys must be installed on its own system: its SFTP client needs the private key that pairs with the public key given to American Express, and, for files pushed by American Express, its SSH server needs the American Express public key in the location it expects (on an OpenSSH server, the authorized_keys file of the receiving account). Each vendor product is different and stores keys in different ways.
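The key-placement responsibility described in the push note earlier and in this section is easier to get right with a check in front of it. The following is an added Python example, not American Express code and not part of the SecureTransport product, for an OpenSSH server on the client side: it parses an OpenSSH-format RSA public key such as the one American Express provides, rejects anything that is not RSA or is shorter than 2048 bits (the size threshold is an assumption; the guide only says "RSA format"), and appends it to the receiving account's authorized_keys with the restrict option and the 700/600 permissions sshd requires. The sample key is constructed in the code from a placeholder modulus and is not a real key.

```python
"""Validate an OpenSSH RSA public key and install it into authorized_keys.

Added example for this guide. SAMPLE_KEY is constructed from a placeholder
modulus (not a real key); the 2048-bit minimum is an assumption.
"""
import base64
import os
import struct
import tempfile

MIN_RSA_BITS = 2048  # assumption: the guide only requires "RSA format"


def _mpint(x: int) -> bytes:
    """Encode a non-negative int as an SSH mpint (RFC 4251 section 5)."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:          # leading zero keeps the value positive
        b = b"\x00" + b
    return struct.pack(">I", len(b)) + b


def _read_string(blob: bytes, off: int):
    """Read one length-prefixed SSH string; return (bytes, next_offset)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n


def encode_openssh_rsa_key(e: int, n: int, comment: str = "") -> str:
    """Build an 'ssh-rsa <base64> <comment>' line (used here to build sample input)."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}".strip()


def parse_openssh_rsa_key(line: str):
    """Return (modulus_bits, exponent, comment) for an ssh-rsa line.

    Raises ValueError for non-RSA keys, bad base64, a mismatch between the
    text prefix and the type encoded in the blob, or trailing bytes.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)   # raises on bad base64
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("declared key type does not match encoded type")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after modulus")
    e = int.from_bytes(e_bytes, "big")
    n = int.from_bytes(n_bytes, "big")
    comment = parts[2] if len(parts) == 3 else ""
    return n.bit_length(), e, comment


def install_authorized_key(key_line: str, ssh_dir: str, options: str = "restrict"):
    """Validate key_line and append it to <ssh_dir>/authorized_keys.

    'restrict' turns off port/agent/X11 forwarding and pty allocation, which a
    receive-only SFTP account never needs. sshd ignores the file unless the
    directory is 0700 and the file 0600, so both modes are set explicitly.
    Returns (written_line, dir_mode, file_mode).
    """
    bits, e, _ = parse_openssh_rsa_key(key_line)
    if bits < MIN_RSA_BITS:
        raise ValueError(f"RSA modulus too short: {bits} bits")
    if e < 3 or e % 2 == 0:
        raise ValueError("invalid RSA public exponent")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    entry = f"{options} {key_line.strip()}\n"
    with open(path, "a", encoding="utf-8") as f:
        f.write(entry)
    os.chmod(path, 0o600)
    return entry, os.stat(ssh_dir).st_mode & 0o777, os.stat(path).st_mode & 0o777


# Constructed sample: a 2048-bit placeholder modulus, not a real key.
SAMPLE_KEY = encode_openssh_rsa_key(65537, (1 << 2047) | 1, "amex-sft-push")


def demo(root=None):
    """Install SAMPLE_KEY under a scratch .ssh directory and return the result."""
    root = root or tempfile.mkdtemp(prefix="sft-demo-")
    return install_authorized_key(SAMPLE_KEY, os.path.join(root, ".ssh"))


if __name__ == "__main__":
    print(parse_openssh_rsa_key(SAMPLE_KEY))
    print(demo())
```

In production, replace SAMPLE_KEY with the key file American Express supplies and point ssh_dir at the receiving account's ~/.ssh; adding a from="..." clause to the options string pins the key to the source addresses ETT gives you, which the guide does not list.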

Provision of the SSH parameters to the client partner is achieved through the use of the SFT Client Engagement Form. The following chart details the SSH parameters for the American Express system for file transfers.

 

American Express Internet Connection Parameters

 

Test Host - fsgatewaytest.aexp.com

Production Host - fsgateway.aexp.com

User ID -<assigned by American Express>

Password -<assigned by American Express>

Filename(s) -<assigned by American Express>

Port - 22

 

FILE OPTION OF AS2 PROTOCOL

Description

 

AS2 is a peer-to-peer protocol that carries S/MIME-packaged (signed and/or encrypted) payloads over HTTP, normally HTTPS, with X.509 certificates for signing and encryption. The benefits of the AS2 protocol are the ability to push files and the ability to receive a Message Disposition Notification (MDN) receipt. Optionally, MDNs may be signed and/or encrypted.

 

Technical Consultation

 

The client partner and American Express jointly conduct technical sessions to evaluate implementation requirements and to test connectivity. The AS2 Setup Form is used to capture the parameters for the configuration of the protocol and also to exchange certificates.

 

AS2 Requirements

 

The client partner must use fully interoperable AS2 software for transport and must configure it for asynchronous trading (the MDN is returned over a separate HTTP connection rather than in the response to the original POST). It is strongly recommended that HTTPS be used. MDN-format receipts must be provided in response to transactions. A trusted root authority certificate is required for HTTPS. A digital certificate is also required for encryption and identity; it can be self-generated by the AS2 software but must follow the DER-encoded binary X.509 standard.

American Express supports SSL only over port 443 (the standard SSL port). The client partner should have 128-bit SSL client sessions enabled to send data and 128-bit SSL server sessions to receive data. Additionally, to receive data from American Express, a registered domain is required and a site certificate issued from a trusted root authority that certifies the site URL.

AS2 is a peer-to-peer file transfer protocol. Each side of the partnership must exchange a signing certificate (used for signing receipts) and encryption certificate (for decrypting incoming documents). The public keys of these local signing and encryption certificates are provided to the remote partner who then uses these certificates to encrypt documents sent to the local partner and to verify receipt and document signatures sent. AS2 gives an option of selecting different certificates for signing and encryption. However, most partners use the same certificate for both signing and encryption, including American Express. American Express prefers to receive the partner certificates in PEM or CER format.

Exchange of the AS2 parameters is achieved through the use of the AS2 Setup Form. The following chart details the AS2 parameters for the American Express system for AS2 file transfers over the Internet.

 

American Express Internet Connection Parameters

 

AS2 Test Name —

Test URL — https://fsgatewaytest.aexp.com/

Test Port Number — 10443

AS2 Production Name —

Production URL — https://fsgateway.aexp.com/

Production Port Number — 10443

Receive Encryption Type — 3DES

Receive Signature Type — SHA-1

Partner Receipt Type — MDN

Send Security Envelope — SSL

Send Encryption Type — 3DES

Send Signature Type — SHA-1

MS Receipt Type — MDN

3DES and SHA-1 are the algorithms this guide documents; both are deprecated for new deployments, so confirm with ETT whether your AS2 software and the American Express gateway can be configured for stronger algorithms (AES, SHA-2) before going to production.

 

For extranet file transfers, all parameters are as above, except the URLs. The test URL is https://fsgatewaytest.intra.aexp.com and the production URL is https://fsgateway.intra.aexp.com.

Transport Failure

 

If an MDN format receipt is not returned, American Express will attempt to send the data again. The number of retries may vary from implementation to implementation. Currently, the default is three attempts every five minutes.
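The receipt check and retry rule described in this section, written out so both sides of the exchange are visible. This is an added Python example, not American Express code and not taken from any AS2 product. The sender computes the Message Integrity Check (MIC) over the bytes it signed, here the raw payload as for an unsigned, unencrypted message; the receiver returns an MDN whose Received-Content-MIC and Disposition fields (RFC 4130 / RFC 3798 formats) are verified against what was sent; and the delivery loop retries only when no MDN comes back at all, three attempts five minutes apart as stated above. The payload, message ID and MDN text are constructed, and only the disposition-notification fields of the MDN are modelled, not the full S/MIME envelope.

```python
"""AS2 MIC computation, MDN verification and retry-on-missing-MDN.

Added example for this guide. Sample payload, message ID and MDN text are
constructed; only the disposition-notification header fields are modelled.
"""
import base64
import hashlib
import time
from email import message_from_string

DEFAULT_ATTEMPTS = 3          # "three attempts every five minutes"
DEFAULT_INTERVAL = 300        # seconds

OK_DISPOSITION = "automatic-action/MDN-sent-automatically; processed"


def compute_mic(signed_bytes: bytes, alg: str = "sha1") -> str:
    """MIC in Received-Content-MIC form: '<base64 digest>, <alg>'.

    The digest must cover exactly the bytes that were signed; for an unsigned,
    unencrypted message that is the content itself, which this example assumes.
    """
    digest = hashlib.new(alg, signed_bytes).digest()
    return f"{base64.b64encode(digest).decode()}, {alg}"


def make_mdn(original_message_id: str, mic: str,
             disposition: str = OK_DISPOSITION,
             recipient: str = "rfc822; AMEX") -> str:
    """Receiver side: the disposition-notification fields of an MDN."""
    return ("Reporting-UA: example-as2/1.0\r\n"
            f"Original-Recipient: {recipient}\r\n"
            f"Final-Recipient: {recipient}\r\n"
            f"Original-Message-ID: {original_message_id}\r\n"
            f"Disposition: {disposition}\r\n"
            f"Received-Content-MIC: {mic}\r\n")


def _disposition_ok(disposition: str) -> bool:
    """'mode; type[/modifier: text]': accept processed and processed/warning only."""
    _, _, dtype = disposition.partition(";")
    dtype = dtype.strip().lower()
    return dtype == "processed" or dtype.startswith("processed/warning")


def _mic_parts(mic: str):
    digest, _, alg = mic.partition(",")
    return digest.strip(), alg.strip().lower()   # base64 is case-sensitive, alg is not


def verify_mdn(mdn_text: str, expected_message_id: str, expected_mic: str):
    """Sender side: return (accepted, reason) for a received MDN."""
    fields = message_from_string(mdn_text)
    if fields.get("Original-Message-ID", "").strip() != expected_message_id:
        return False, "MDN refers to a different message"
    disposition = fields.get("Disposition", "").strip()
    if not _disposition_ok(disposition):
        # e.g. '...; processed/error: decryption-failed' or '...; failed/failure: ...'
        return False, f"negative disposition: {disposition}"
    if _mic_parts(fields.get("Received-Content-MIC", "")) != _mic_parts(expected_mic):
        return False, "MIC mismatch: receiver hashed different bytes than were sent"
    return True, "accepted"


def deliver_with_retries(send_once, message_id: str, expected_mic: str,
                         attempts: int = DEFAULT_ATTEMPTS,
                         interval: int = DEFAULT_INTERVAL,
                         sleep=time.sleep) -> dict:
    """Call send_once() until an MDN arrives or attempts are exhausted.

    send_once() returns the MDN text, or None when no receipt came back. A
    receipt that fails verification ends the loop: the receiver saw the
    message and rejected it, so resending the same bytes will not help and the
    result should be escalated instead of retried.
    """
    waits = []
    for attempt in range(1, attempts + 1):
        mdn = send_once()
        if mdn is not None:
            ok, reason = verify_mdn(mdn, message_id, expected_mic)
            return {"delivered": ok, "attempts": attempt, "waits": waits, "reason": reason}
        if attempt < attempts:
            waits.append(interval)
            sleep(interval)
    return {"delivered": False, "attempts": attempts, "waits": waits,
            "reason": f"no MDN received after {attempts} attempts"}


# Constructed sample exchange (not real card data).
SAMPLE_PAYLOAD = b"CARD,ACCT,AMOUNT\r\n1,XXXX-1001,12.34\r\n"
SAMPLE_MESSAGE_ID = "<20210101120000.1@as2.client.example>"
SAMPLE_MIC = compute_mic(SAMPLE_PAYLOAD)


if __name__ == "__main__":
    replies = [None, None, make_mdn(SAMPLE_MESSAGE_ID, SAMPLE_MIC)]
    print(deliver_with_retries(lambda: replies.pop(0), SAMPLE_MESSAGE_ID, SAMPLE_MIC,
                               sleep=lambda s: None))
```

A MIC mismatch on an otherwise positive MDN means the two sides did not hash the same bytes, usually a canonicalisation or signed-part boundary difference between AS2 products rather than tampering; that is a configuration problem to raise with ETT, not something the retry loop should mask.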

FILE OPTION OF CONNECT DIRECT SECURE PLUS

Description

 

Connect:Direct C:D Secure Plus allows file transfers from a client’s mainframe to the American Express mainframe. Secure Plus is SSL Encrypted C:D over a leased line or a frame relay connection. This file transfer type is either a push from the client to American Express or an American Express push out to the client.

 

Technical Consultation

 

The client partner and American Express jointly conduct technical sessions to evaluate implementation requirements and to test connectivity. The C:D Form is used to capture the parameters for the configuration of the protocol and also to exchange certificates.

Connect:Direct Secure Plus Requirements

The client partner must purchase the Sterling Commerce software package in order to communicate with American Express. A Digital Certificate is also required.

Maintain C:D Node Details

A vendor-supplied configuration interface is used to manage the information needed by C:D (user names, passwords, file names, access controls). Configuration information is stored in files on the SFT servers. These configuration files are specific to Connect:Direct and are deployed to each site as they are needed.

SFT CLIENT ENGAGEMENT FORM

About the Form

 

The SFT Client Engagement Form is utilized to exchange technical information with the client partner. The form provides American Express contact information and protocol setup parameters, and is used to collect information from the client partner regarding its technical and business contacts and protocol parameters. Upon receiving a request, depending on the type of SFT setup, ETT will send out the form to the client for completion.

 

Submitting the Form

 

The client partner is responsible for completing the form and submitting it to electronictransmissionsteam@aexp.com.

For assistance with filling out the form, the client may call the ETT team at 1-800-337-7283.

 

Terms & Conditions

 

1 Use of American Express @ Work® is restricted to employees, contractors and/or agents that the Company and its representatives designate for the sole purpose of performing online account queries and maintenance, including accessing and/or creating reports relating to the Company's American Express® Corporate Card programs. @ Work is available to all companies with an American Express Corporate Card program.

 

Enrollment is required. To enroll in @ Work please contact your American Express Representative or call 1-888-800-8564.

© 2021 American Express.
