
Alliance Lite2

Administration Guide

This guide describes how to perform Alliance Lite2 administration tasks. These tasks include user management and
reference data management. This guide is for security officers and the personnel who have been assigned the role of
Alliance Lite2 administrator.

20 July 2017
Alliance Lite2
Administration Guide Table of Contents

Table of Contents

Preface

1 Introducing Alliance Lite2
1.1 What is Alliance Lite2?
1.2 What Does the Web Interface Provide?
1.3 What Does AutoClient Provide?
1.4 How is Alliance Lite2 Packaged?
1.5 System Requirements
1.6 Token-Based Certificates and Channel Certificates

2 Get Started
2.1 DNS Installation and Configuration
2.2 Firewall Settings
2.3 Install Java
2.4 Configure Java Settings
2.5 Configure Internet Explorer Settings
2.6 Install Driver for Personal Tokens
2.7 Remove the Token Software
2.8 Activate Tokens for Customer Security Officers
2.9 Create a Distinguished Name
2.10 Authorise the DN and Approve the Operator and Issue the Activation Code

3 User Management
3.1 Operators
3.2 Operator Profiles
3.3 RBAC Roles for Browse Services

4 Reference Data Management
4.1 Correspondents
4.2 Countries
4.3 Currencies

5 Default Operator Profiles
5.1 How Entities, Actions, and Permissions Work


5.2 AutoClient
5.3 BIC_View
5.4 LSO and RSO
5.5 MsgUpload
5.6 Msg_All
5.7 Msg_AllOthr
5.8 Msg_Audit
5.9 Msg_Auth
5.10 Msg_Oper
5.11 OPER_SignOn
5.12 RMA_All
5.13 RMA_Auth
5.14 RMA_Oper

6 Relationship Management

Legal Notices


Preface
Purpose of the document
This administration guide describes how to perform Alliance Lite2 administration tasks. These tasks
include user management and reference data management.

Audience
This document is for the following audience:
• Security officers
• Alliance Lite2 administrators

Significant changes
The following table lists all significant changes to the content of the Alliance Lite2 Administration
Guide since the April 2016 edition. This table does not include editorial changes that SWIFT makes
to improve the usability and comprehension of the document.

Updated information: New section added
Location: How to Change the Name of Customer Security Officers on page 8

Updated information: System requirements for AutoClient have been updated.
Location: System Requirements for AutoClient on page 11

Updated information: The section on how to renew personal token certificates has been updated, in case of token expiry.
Location: Token-Based Certificates and Channel Certificates on page 12

Updated information: The firewall settings have been updated.
Location: Firewall Settings on page 19

Updated information: When to use the SWIFTNet Online Operations Manager has been updated.
Location: Log in to SWIFTNet Online Operations Manager on page 32

Updated information: A section "Next" describing the result of adding an operator has been added.
Location: Add an Operator on page 46

Updated information: The section on disabling an operator has been updated.
Location: Disable an Operator on page 49

Updated information: The operator profile <BIC8>_Msg_View has been added.
Location: Profiles Assignment on page 50

Updated information: Operator profiles visible in Alliance Lite2, but that cannot be used in Alliance Lite2 have been added for information.
Location: Msg_All on page 84

Alliance Lite2 documentation set


• Administration Guide
• Administration Guide - RMA
• AutoClient User Guide
• Find Your Way in Alliance Lite2
• Security Officer Guide
• Service Description
• User Guide


1 Introducing Alliance Lite2


1.1 What is Alliance Lite2?
What are the components of Alliance Lite2?
Alliance Lite2 is an Internet-based solution aimed at any SWIFT customer including corporates,
investment managers, funds distributors, and transfer agents that want to connect to SWIFT easily
and securely. You can use Alliance Lite2 to send and receive message transactions using the FIN,
InterAct, FileAct, and Browse services over SWIFTNet.
Alliance Lite2 includes a Web interface and AutoClient. Your organisation can use either or both of
them for manual or automated operations.
• The Web interface: Use the Web interface that has message data entry and business features if
your organisation prefers to manually process a low number of message transactions per day.
This interface offers a web experience for sending and receiving all MT and MX message
transactions and for file exchange. Alliance Lite2 customers who have ordered Browse services
can also connect to Browse from the Web interface. For more information, see What Does the
Web Interface Provide? on page 7.
The Web interface can also monitor the status of message transactions that have been initiated
through AutoClient.
• AutoClient: Use AutoClient if your organisation has business applications and wants to enable
these applications to send and receive message transactions in an automated way. For more
information, see What Does AutoClient Provide? on page 9.

[Figure D1370004: Customer side (Alliance Lite2 Web interface; AutoClient with back-office application), connection over the Internet or MV-SIPN, SWIFT side (Alliance Lite2 server, SWIFTNet), bank.]

Types of environment
Alliance Lite2 offers two types of environments:
• Live environment: You use this environment to send live business messages and files. This
environment is also called Production environment.
• Test environment: You use this environment to exchange Test and Training messages and
files. Other benefits of this environment are as follows:
- New Alliance Lite2 users can try the Alliance Lite2 service in a safe environment before
using the Live environment. Messages and files that users exchange in the Test environment
have no financial consequences.
- Existing Alliance Lite2 users can exchange test messages and files with a new
correspondent to learn how to send and process messages and files properly.
- Customers can test new Alliance Lite2 releases.
You can view only live messages and files in the Live environment and only test messages and files
in the Test environment. The Test environment is a simulation of the Live environment, and you
cannot send, view, or process a live message or file in the Test environment. Messages or files that
you send from the Test environment are marked as test or pilot so that recipients of these
transactions do not process them as live messages or files.

Who are Alliance Lite2 users?


There are three types of Alliance Lite2 users:
• Customer security officers. See What Can Alliance Lite2 Customer Security Officers Do? on
page 7.
• Operators, who use Alliance Lite2 for the creation, update, approval, sending, and receiving of
messages and files to and from SWIFT. See What Can Alliance Lite2 Operators Do? on page 8.
• AutoClient operators (with access to the account that runs AutoClient) with a USB token or a
channel certificate. For more information, see the Alliance Lite2 AutoClient User Guide.

1.2 What Does the Web Interface Provide?


The following types of users perform tasks in Alliance Lite2 through the Web interface:
• customer security officers that are responsible for sensitive tasks (for example, creating
operators and defining what tasks operators can do)
• operators that perform day-to-day operations (for example, message creation, monitoring and
approval)
Each customer security officer and operator has a personal token and password.

1.2.1 What Can Alliance Lite2 Customer Security Officers Do?


For each organisation that uses Alliance Lite2, SWIFT configures two customer security officers.
For the most critical tasks, an approval by the other customer security officer is required before the
action can take effect.


The Alliance Lite2 customer security officers are responsible for user management of both the Live
and Test environments.
A customer security officer's functions fall into the following categories, as shown in the following
table.

User setup tasks:
• Define an operator for each Alliance Lite2 user.
• Assign each user an operator profile.
• Create and maintain a corresponding personal token for each operator.
• Generate reports related to roles, user entitlements, and security audit trails.
• Assign RBAC user roles using SWIFTNet Online Operations Manager.

Relationship Management tasks:
• Select the RMA relations or BICs that your organisation wants to transact with.
For more information, see the Alliance Lite2 Administration Guide - RMA.

1.2.2 How to Change the Name of Customer Security Officers


Change Alliance Lite2 Security Officers
How do you change the names of one or more (or all) of the Alliance Lite2 customer security
officers?
The following situations can occur:
1. One or more of the Alliance Lite2 customer security officers want to hand over their role to other
people in the institution.
2. One or all Alliance Lite2 customer security officers have left the institution without handover.
Refer to KB tip 5019265.

1.2.3 What Can Alliance Lite2 Operators Do?


What can operators do with the Alliance Lite2 Web interface?
You can use the Alliance Lite2 Web interface to access some or all of the following functions. For
more information, see the Alliance Lite2 User Guide.
The functions that are available to operators depend on the operator permissions that the Alliance
Lite2 customer security officer allocates. According to their permissions, operators can perform the
following tasks:
• create or initiate message transactions (from scratch, or from a predefined template).
• create and modify message transaction templates.
• approve (sign) message transactions ready for transmission to correspondents.
• reject message transactions or return them for modification.
• view incoming message transactions.

• monitor and confirm the status of message transactions, from creation to final delivery, including
those transactions handled by AutoClient.
• generate reports on message transactions or file transfers.
• access Browse services that are offered on SWIFTNet. This function is only available if your
institution has subscribed to one or more of these Browse services.
An operator may have the permission to create message transactions, but may not have the
permission to approve these message transactions. Another operator may have the permission to
create and approve message transactions, including their own.

1.3 What Does AutoClient Provide?


AutoClient is an application that provides automated file-based communication to and from FIN,
InterAct (MX), and FileAct services that enables your organisation to send and receive message
transactions. Through the Web interface an Alliance Lite2 operator can monitor the status of these
message transactions that have been initiated through AutoClient.
Note MX files are sent using the XMLv2 format.

Related information
AutoClient User Guide

1.4 How is Alliance Lite2 Packaged?


The Welcome box
SWIFT delivers a Welcome box to the person who is identified as the first Alliance Lite2 customer
security officer.
This box contains the following items:
• A Welcome card
• One mini-USB memory key with the Alliance Lite2 installer used to install AutoClient
Note For existing customers, the latest version of the AutoClient installer is available on
swift.com > Support > Download centre. In the Product name field, select Alliance Lite2
from the drop-down list.
• 10 personal tokens
• A set of 10 Quick Start cards for each operator that receives a security token
SWIFT creates an initial “technical” certificate for each of the two Alliance Lite2 customer security
officers, and stores their certificate on their personal token. The first customer security officer
receives the box of tokens. SWIFT sends an e-mail to the second customer security officer with a
password to unlock the tokens.
On receipt of the Welcome box and the e-mail, the first customer security officer can start the
installation and bootstrap process. This process replaces the bootstrap certificate with a new
certificate. The certificate is based on a new public and private key pair generated locally on the
personal token. At the first login, the customer security officers must change the password that
protects the token.


Generating the certificate and key pair on the tamper-proof token ensures that the private key is
completely secret. The key is not known to any other party, not even SWIFT. Only a person that has
a valid token and knows the password associated with this token can use Alliance Lite2.

1.5 System Requirements

1.5.1 System Requirements for Alliance Lite2 Web Interface


Operating system and connectivity

Category: Operating system
Requirement: The Alliance Lite2 Web interface runs on the following operating systems:
• Windows 7 Professional (32-bit or 64-bit) with Internet Explorer 8.0, 9.0, or 10 (compatibility
mode)
• Windows 8.1 R2 (64-bit) with Internet Explorer 11 (compatibility mode)

Category: Connectivity
Requirement: You have three different possibilities to connect to Alliance Lite2:
• Connect over the Internet from any location, using a PC or laptop and your secure personal
token.
• Connect optionally (by means of a separate subscription) through SWIFT's highly resilient
and reliable multi-vendor secure IP network (MV-SIPN). You can find more information about
SWIFT's Alliance Connect products at www.swift.com > Products & services > Connectivity.
You can ask SWIFT to disable Internet access for all your users, only allowing access
through SWIFT's Virtual Private Network (VPN).
• You can also use both connection methods. For more information, see Infrastructures
connected to both the Internet and MV-SIPN on page 10.
For more information about firewalls, see Firewall Settings on page 19.

Infrastructures connected to both the Internet and MV-SIPN


If your institution has both multi-vendor secure IP network (MV-SIPN) access and Internet access
to the Alliance Lite2 environment, then you need to take specific steps to set up the routing and
naming resolution.
Based on your specific environment, SWIFT strongly recommends the following:
• Segregated environments
Use segregated environments where possible.
• Mixed environments
If you use a mixed environment, then you must do the following:
- Add more specific routes in your local network, with the Internet as next hop, for SWIFT
services reachable over the Internet.

For more information, see the most recent version of the Network Access Control Guide >
Multiple Secure IP Network Access Configurations and Routing.
- Decide which host uses which environment (MV-SIPN or Internet).
- Configure the name resolvers in their workstations according to the environment.
• Central DNS proxy/forwarders
If your institution enforces the use of central Domain Name System (DNS) proxy/forwarders,
then these must support DNS capabilities (Views/Split Horizon) that resolve the URL based on the
source IP, according to your institution's policy specification (that is, use MV-SIPN or Internet).

1.5.2 System Requirements for AutoClient


This section outlines the system requirements for AutoClient.
The default installation directory is %Program Files%\SWIFT\Alliance Lite2\, which is referred to
throughout this document as <installation directory>. On 64-bit systems, the default installation
location is: %Program Files (x86)%\SWIFT\Alliance Lite2.
Only the base directory and its subdirectories (by default, C:\Program Files (x86)\SWIFT\Alliance
Lite2\files) must be accessible to the (remote) application for placing and retrieving files. The other
folders and files in the AutoClient installation directory, including logs, configs, and similar files are
by default in C:\Program Files (x86)\SWIFT\Alliance Lite2 and must never be accessible
remotely.
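
A check for the rule above, as an added example that is not part of the SWIFT guide: it lists Windows file shares that expose any part of the AutoClient installation directory other than the base directory. The paths are the guide's 64-bit defaults, and the function names are hypothetical.

```powershell
# Added example (not from the SWIFT guide). Paths below are the guide's
# defaults on a 64-bit system; change them if AutoClient is installed elsewhere.
$InstallDir = 'C:\Program Files (x86)\SWIFT\Alliance Lite2'
$BaseDir    = Join-Path $InstallDir 'files'

# Hypothetical helper: true when $Child is $Parent itself or lies below it.
# A trailing backslash is forced on both sides so that a sibling such as
# '...\Alliance Lite2-old' is not mistaken for a subdirectory.
function Test-PathWithin {
    param([string]$Child, [string]$Parent)
    $c = $Child.TrimEnd('\') + '\'
    $p = $Parent.TrimEnd('\') + '\'
    return $c.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)
}

# Hypothetical helper: classify one share path against the guide's rule.
# Returns $null when the share is unrelated to the installation.
function Get-ShareExposure {
    param([string]$SharePath, [string]$InstallDir, [string]$BaseDir)
    # Share rooted in the base directory or below it: allowed by the guide.
    if (Test-PathWithin $SharePath $BaseDir)    { return 'OK' }
    # Share rooted elsewhere inside the installation (logs, configs, ...).
    if (Test-PathWithin $SharePath $InstallDir) { return 'EXPOSED' }
    # Share rooted above the installation, so it contains all of it.
    if (Test-PathWithin $InstallDir $SharePath) { return 'EXPOSED' }
    return $null
}

# Win32_Share.Type: 0 = disk share, 2147483648 = administrative disk share.
# Get-WmiObject is used because it is available on every Windows version
# listed in the system requirements.
$AdminDisk = 2147483648
$findings = Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Path -and ($_.Type -eq 0 -or $_.Type -eq $AdminDisk) } |
    ForEach-Object {
        $verdict = Get-ShareExposure $_.Path $InstallDir $BaseDir
        if ($verdict) {
            New-Object PSObject -Property @{
                Share      = $_.Name
                Path       = $_.Path
                Verdict    = $verdict
                AdminShare = ($_.Type -eq $AdminDisk)
            }
        }
    }

$findings | Sort-Object Verdict, Share |
    Format-Table Share, Path, Verdict, AdminShare -AutoSize

# Fail the check when an ordinary (non-administrative) share breaks the rule.
if ($findings | Where-Object { $_.Verdict -eq 'EXPOSED' -and -not $_.AdminShare }) {
    exit 1
}
```

Administrative shares such as C$ are listed for review rather than failed, because they expose the whole drive to administrators by default. The script checks share definitions only, not the NTFS permissions on the folders.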

Category: Operating system
Requirement: AutoClient runs on the following operating systems:
• Windows 7 Professional with any Service Pack (32-bit, 64-bit)
• Windows 8.1 R2 (64-bit)
• Windows Server 2008 R2 (64-bit)
• Windows Server 2012 R2 (64-bit)
Note AutoClient is only qualified on US-English Windows versions.

Category: Disk space
Requirement:
• Minimum 500 MB for the software installation
• Minimum 300 MB for the base directory (400 MB is recommended)
• A few hundred MB of free disk space

Category: Memory
Requirement: Windows PC or laptop with a minimum 1 GB of memory.

Category: Connectivity
Requirement:
• Standard broadband Internet access with minimum 128 kbps (for example, ADSL, WiFi,
cable, and other forms). Dial-up connectivity is insufficient.
- AutoClient can connect to the Internet through a firewall or HTTP proxy (see Firewall
Settings on page 19).
- AutoClient connects to the Alliance Lite2 server over TLS (V1.2 and above), TCP port
443. SSL V3 (or previous versions) is no longer supported.
- When using the configuration tool to create a channel certificate, TCP port 49171
must be open.
• Connect optionally (by means of a separate subscription) through SWIFT's highly resilient
and reliable multi-vendor secure IP network (MV-SIPN). You can find more information
about SWIFT's Alliance Connect products at www.swift.com > Products & services >
Connectivity.
You can ask SWIFT to disable Internet access for all your users, only allowing access
through SWIFT's Virtual Private Network (VPN).
• You can also use both connection methods. For more information, see the "Infrastructures
connected to both the Internet and MV-SIPN" of the Administration Guide.

Unlike the Alliance Lite2 web interface, AutoClient does not need Internet Explorer or a Java plug-in
and can be run on a PC where Internet Explorer is not used to browse.
Note Even if Java is installed, it will not be used by AutoClient. AutoClient comes with its
own Java Runtime Environment (JRE).
The AutoClient software can be installed and operated on a system running under virtualisation
technologies that properly support USB ports, such as VMWare Workstation. A notable
counterexample is the (free) version of VMWare server, which cannot be used due to lack of proper
support for USB ports. USB ports are not required if you use AutoClient with a channel certificate.
AutoClient can be remotely monitored and operated using technologies that do not create conflicts
with USB ports, such as SSH or the VNC protocol (for example, RealVNC). A notable
counterexample is Windows Remote Desktop (or Windows Terminal Services), which cannot be
used due to conflicts with the SafeNet driver for the USB ports. Citrix is not supported, for the same
reason as that for VMWare server.
Note Remote desktop, Citrix, and VMWare Server can be used with a channel certificate.

Important SWIFT cannot test against all virtualisation technologies available on the market. It is
the user's own responsibility to verify the suitability of the virtualisation technology
chosen by the user.

1.6 Token-Based Certificates and Channel Certificates


Token-based certificates
A token-based certificate is a certificate that resides on a personal token. A personal token, also
called USB token or physical token, is a piece of hardware that provides a means for SWIFT to
authenticate the identity of a user or an application. The token includes PKI credentials that the
owner of the token has generated. The PKI credentials are used to create digital signatures that
allow the owner of the token or the application itself to be identified. The token is personal and must
not be shared with another user. It is protected by a password that the owner of the token must
keep private.

How to renew personal token certificates


There is no automatic renewal process for personal token certificates and keys. Manual renewal
must occur at least once every 24 months. The token is ready for renewal as of 90 days before its
expiry date.
When the certificate expiry date is less than 3 months (120 days) away, a warning message is
displayed during login.
The personal token user uses the SWIFT Certificate Centre to renew the token. If the token is not
renewed in time, then the token expires.
If a token has expired, then the token can only be reset (see the SWIFT Certificate Centre Portal
User Guide). However, its certificate can be recovered by using the SWIFTNet Online Operations
Manager (see the SWIFTNet Online Operations Manager guide).

Channel certificates
A channel certificate is an encrypted, disk-based profile file that provides a means for SWIFT to
authenticate the identity of an application. Alliance Lite2 supports channel certificates as an
alternative means to physical tokens. The channel certificate only secures the connection from the
Alliance Lite2 machine to the Alliance Lite2 server in SWIFT's central infrastructure. In addition,
SWIFT uses channel certificates to generate non-repudiation evidence of the emission of a
business message from an Alliance Lite2 customer to the Alliance Lite2 server at SWIFT.
Channel certificates can only be used for AutoClient with an MV-SIPN connection that belongs to
the owner of the channel certificate. Channel certificates cannot be used for the Alliance Lite2 Web
interface. In addition, channel certificates are not permitted for human-to-application flow, such as
SWIFT WebAccess services.


2 Get Started
Before you begin
Alliance Lite2 is provisioned with two predefined customer security officers: the left customer
security officer (left-cso) and the right customer security officer (right-cso).
These security officers must receive all of the following items from SWIFT before starting the
installation process:
• the Alliance Lite2 installer (to install AutoClient)
The installer for AutoClient is on the mini-USB memory key that you received from SWIFT.
• the box of 10 personal tokens (sent to one of the security officers)
• the initial token password to unlock the tokens (sent by e-mail to the other security officer)

Start-up process
This section explains how to get started with Alliance Lite2.


[Figure D1370008: Start-up process, showing who performs each of steps 1 to 10, what the step is, and where it is performed: customer system administrator (steps 1 to 3), installation staff (step 4), customer security officers (steps 5 to 8), all Lite2 users (step 9), operators with appropriate permissions (step 10).]

Step 1. DNS Installation and Configuration on page 17 (1)
Description: For MV-SIPN connectivity only. Install and configure DNS server.
Where: Several options are available including:
• install a DNS server on each workstation
• install a DNS server on one workstation and point other workstations to this workstation
• deploy a central DNS server
SWIFT recommends that you discuss the DNS flow deployment with your internal IT department.
Who performs the task: Your system administrator

Step 2. Firewall Settings on page 19
Description: Configure the firewalls to allow the appropriate IP addresses and ports.
Where: Between the Alliance Lite2 workstations (both the Alliance Lite2 Web interface (browser) and
the AutoClient) and the Internet or the multi-vendor secure IP network (MV-SIPN).
Who performs the task: Your system administrator

Step 3. Install Java on page 21
Description: This is a one-off set-up procedure that you must do before you install the driver for
the personal tokens.
Where: On all PCs on which the personal token is used
Who performs the task: Your system administrator

Step 4. Install Driver for Personal Tokens on page 22
Description: This is a one-off procedure that you must complete to have the necessary software to
configure and to read the certificates on personal tokens.
Where: On all PCs on which the personal token is used
Who performs the task: Your staff responsible for SWIFT installation

Step 5. Activate Tokens for Customer Security Officers on page 30
Description: This is a one-off procedure that both customer security officers must complete to access
SWIFTNet services.
Where: SWIFT Certificate Centre on www.swift.com/certificates
Who performs the task: Both customer security officers

Step 6. Create a DN on page 33
Description: Both customer security officers must follow this procedure to create the DNs for each of
the institution's Alliance Lite2 operators.
Where: Alliance Lite2 > Browse Services > SWIFTNet Online Operations Manager (2)
Who performs the task: Both customer security officers

Step 7. Add an Operator on page 46
Description: Add and approve the operators.
Where: Alliance Lite2 > User Configuration > Operators (2)
Who performs the task: The left or right customer security officer

Step 8. Authorise the DN and Approve the Operator and Issue the Activation Code on page 36
Description: Authorise the operators.
Where: Alliance Lite2 > Browse Services > SWIFTNet Online Operations Manager (2)
Description: Approve the operators then give the initial password and token activation code to the
operators.
Where: Alliance Lite2 > User Configuration > Operators (2)
Who performs the task: The left or right customer security officer. If the left security officer
performed step 6, then the right security officer performs this step.

Step 9. Log in to Alliance Lite2
Description: For more information about the normal daily login procedure, see the Alliance Lite2 User
Guide.
Where: Alliance Lite2
Who performs the task: All staff that use Alliance Lite2

Step 10. Set up RMA authorisations with your correspondents (banks or other institutions).
Description: Relationship Management helps you manage business relationships with counterparties
through authorisations that are sent as XML messages over the RMA service.
Where: Alliance Lite2 > RMA (2)
Who performs the task: Operators with the appropriate permissions (see the Administration
Guide - RMA > Operator Profiles and Permissions)

(1) This task is applicable only to Windows server versions, not Windows 8.1, or Windows 7. For a Windows Client OS, a third-
party DNS server must be installed. Alternatively, you may use an HTTP proxy to deal with the DNS requests.
(2) Alliance Lite2 menu items appear in bold.

2.1 DNS Installation and Configuration


Scope
Installation and configuration of the DNS and name server are only required when Alliance Lite2
connects over MV-SIPN.
This task is applicable only to Windows server versions, not Windows 8.1, or Windows 7. For a
Windows Client OS, a third-party DNS server must be installed. Alternatively, you may use an
HTTP proxy to deal with the DNS requests.

Process
1. Install the DNS on page 18.
2. Configure the DNS Server on page 18.
3. Configure the Network Adaptor to Use Local DNS (Windows) on page 18.


2.1.1 Install the DNS


Procedure
1. Log in to the computer with administrator privileges.
2. Click Start > All Programs > Administrative Tools > Server Manager.
3. The Server Manager window opens.
4. Click Roles on the top left, then click Add Roles.
5. Click Next on the information window.
6. Select the box with DNS Server.
7. Click Next.
8. Click Next on the information window.
9. Confirm your installation selections.
Click Install.
10. When the DNS Server installation is complete, click Close.
Note Host File: C:\Windows\System32\drivers\etc\hosts should not contain any
entries related to SWIFT or SWIFT DNS entries.
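
The hosts-file note above can be checked with a short script. This is an added example, not SWIFT code; it assumes that "related to SWIFT" means any name equal to or under swift.com, and the sample file content is constructed.

```python
"""Flag hosts-file entries that override SWIFT host names.

Added example, not SWIFT code. Assumption: "related to SWIFT" means any
name equal to or under swift.com, which also covers the
swiftnet.sipn.swift.com names used on MV-SIPN.
"""
from ipaddress import ip_address

SWIFT_SUFFIX = "swift.com"  # assumption, see module docstring

# Constructed sample in hosts-file syntax: address, then one or more names.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
10.0.0.5        intranet.example.test
149.134.170.9   AllianceLite2.Swift.com      # left over from a test
10.0.0.9        files.example.test scc.swiftnet.sipn.swift.com.
10.0.0.7        notswift.com myswift.com.example.test
# 149.134.170.6 certificates.swift.com   (commented out, inactive)
"""


def is_swift_name(name):
    """True for swift.com itself or any host below it, ignoring case."""
    name = name.lower().rstrip(".")          # trailing dot = fully qualified
    return name == SWIFT_SUFFIX or name.endswith("." + SWIFT_SUFFIX)


def find_swift_entries(hosts_text):
    """Return (line_number, address, name) for each active SWIFT mapping."""
    hits = []
    for number, raw in enumerate(hosts_text.splitlines(), start=1):
        active = raw.split("#", 1)[0].split()   # drop comment, split fields
        if len(active) < 2:
            continue                             # blank, comment or malformed
        address, names = active[0], active[1:]
        try:
            ip_address(address)
        except ValueError:
            continue                             # first field is not an address
        hits.extend((number, address, n) for n in names if is_swift_name(n))
    return hits


if __name__ == "__main__":
    # On the DNS host, read C:\Windows\System32\drivers\etc\hosts instead.
    for number, address, name in find_swift_entries(SAMPLE_HOSTS):
        print(f"line {number}: {name} is pinned to {address}; remove the entry")
```
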

2.1.2 Configure the DNS Server


Procedure
1. Log in to www.swift.com and download the DNSConfig ZIP file, located in Knowledge Base tip
5018318.
2. Extract the DnsConfig folder for your operating system to the computer where the DNS server
is installed.
3. Log in with administrator privileges to the computer where the DNS server is installed.
4. Run the DnsConfig.bat file, located inside the extracted DnsConfig folder.
Type Yes when prompted to configure the DNS.
5. Close the Command Prompt window when the configuration is complete.

CAUTION You must disable DNS caching. This is critical for Alliance Lite2 to work correctly.

2.1.3 Configure the Network Adaptor to Use Local DNS (Windows)

This task verifies that the IP address of the SWIFTNet Link host corresponds to the IP address
provided to SWIFT.

Procedure
1. Log in to the computer with administrator privileges.
2. Click Start > Control Panel > Network and Internet > Network and Sharing Center.
3. Click Local Area Connection.


4. Click Properties and select Internet Protocol Version 4 (TCP/IPv4).
5. The Internet Protocol Version 4 (TCP/IPv4) window opens.
6. Click Properties.
7. The IP address and Preferred DNS Server addresses must match.
8. Click OK to save changes.
Close the window.

2.2 Firewall Settings


When a PC uses channel or token-based certificates, SWIFT strongly advises that you use a
firewall between that PC and the Internet or the multi-vendor secure IP network (MV-SIPN).

Firewall security
For services to function correctly, the firewall must allow outgoing TCP connections to the URLs or
IP addresses listed in the table below. Systems using channel or token-based certificates require
these connections.
For AutoClient, open TCP port 49171 so that the configuration tool can create the channel
certificate.
Note No incoming connections are required. SWIFT recommends that users block all
incoming connections from the internet.

Alliance Lite2 URLs

| | Live environment | Test environment |
|---|---|---|
| On the Internet | https://alliancelite2.swift.com | https://test.alliancelite2.swift.com |
| On MV-SIPN | https://alliancelite2.swiftnet.sipn.swift.com | https://test.alliancelite2.swiftnet.sipn.swift.com |
| FileAct over Browse through Internet connection | https://fileact.alliancelite2.swift.com (for firewall set-up only) | https://fileacttest.alliancelite2.swift.com (for firewall set-up only) |

If you are using a local (host-based) firewall on the computer that runs AutoClient, then it must be
configured to accept a local connection between two AutoClient processes on this computer
(localhost port 8000). This TCP connection flow is required for AutoClient to function normally.
To benefit from SWIFT's Distributed Denial of Service (DDoS) mitigation solution available for
Internet-facing services, additional firewall configuration is required. This additional configuration
limits the operational impact to your institution in case SWIFT is subject to a DDoS attack. For
additional information, see Knowledge Base tip 5019964.


Test environment

If you have a firewall set up on your system, and if you encounter problems accessing Alliance
Lite2 because of this, then configure your firewall to allow the following IP addresses:

| Description | Internet | MV-SIPN |
|---|---|---|
| For GUI access and AutoClient | 149.134.170.12 (TCP port 443) | 149.134.63.4 (TCP port 443) |
| For FileAct over SWIFT WebAccess | 149.134.170.13 (TCP port 443) fileacttest.alliancelite2.swift.com | (1) |
| For SWIFT WebAccess | 149.134.170.14 (TCP port 443) | (2) |
| For SWIFT Certificate Centre | 149.134.170.6 (TCP port 443) | 149.134.63.252 (TCP port 443) |

(1) FileAct over SWIFT WebAccess is not supported with MV-SIPN.
(2) Intentionally left blank: SWIFT WebAccess traffic via MV-SIPN is sent directly to the Alliance Lite2 server, and bypasses the
Alliance Lite2 http proxy.

Live environment

| Description | Internet | MV-SIPN |
|---|---|---|
| For GUI access and AutoClient | 149.134.170.9 (TCP port 443) | 149.134.63.8 (TCP port 443) |
| For FileAct over SWIFT WebAccess | 149.134.170.10 (TCP port 443) fileact.alliancelite2.swift.com | (1) |
| For SWIFT WebAccess | 149.134.170.11 (TCP port 443) | (2) |
| For channel certificates (AutoClient only) | NA | 149.134.252.8 (TCP port 49171 and TCP port 80) wbcl01.swiftnet.sipn.swift.com; 149.134.244.134 (TCP port 49171 and TCP port 80) wbcl02.swiftnet.sipn.swift.com |
| For SWIFT Certificate Centre | 149.134.170.6 (TCP port 443) certificates.swift.com | 149.134.63.252 (TCP port 443) scc.swiftnet.sipn.swift.com |

(1) FileAct over SWIFT WebAccess is not supported with MV-SIPN.
(2) Intentionally left blank: SWIFT WebAccess traffic via MV-SIPN is sent directly to the Alliance Lite2 server, and bypasses the
Alliance Lite2 http proxy.

For more information about firewall settings, see the Network Configuration Tables Guide.
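
A rule list can be checked against the Live environment flows listed above before it is deployed. This is an added example, not SWIFT code: the one-line rule syntax and the sample rules are constructed, and rule precedence is not modelled.

```python
"""Audit a firewall rule list against the flows listed in this section.

Added example, not SWIFT code. The one-line rule syntax is hypothetical;
addresses and ports are the Live environment rows of the tables above.
Simplification: rule order and block-over-allow precedence are ignored.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# (purpose, address, TCP port, needed only for AutoClient channel certificates)
LIVE_FLOWS = {
    "internet": [
        ("GUI access and AutoClient", "149.134.170.9", 443, False),
        ("FileAct over SWIFT WebAccess", "149.134.170.10", 443, False),
        ("SWIFT WebAccess", "149.134.170.11", 443, False),
        ("SWIFT Certificate Centre", "149.134.170.6", 443, False),
    ],
    "mv-sipn": [
        ("GUI access and AutoClient", "149.134.63.8", 443, False),
        ("SWIFT Certificate Centre", "149.134.63.252", 443, False),
        ("channel certificates", "149.134.252.8", 49171, True),
        ("channel certificates", "149.134.252.8", 80, True),
        ("channel certificates", "149.134.244.134", 49171, True),
        ("channel certificates", "149.134.244.134", 80, True),
    ],
}
LOOPBACK = ip_network("127.0.0.0/8")
AUTOCLIENT_LOCAL_PORT = 8000  # local connection between two AutoClient processes


class Rule(NamedTuple):
    direction: str  # "in" or "out"
    action: str     # "allow" or "block"
    remote: str     # peer address or CIDR block
    port: int       # TCP port, 0 = any


def parse_rules(text):
    """Parse lines of the form '<in|out> <allow|block> <addr|cidr> <port|any>'."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        direction, action, remote, port = fields
        rules.append(Rule(direction, action, remote, 0 if port == "any" else int(port)))
    return rules


def covers(rule, address, port):
    """True if an allow rule admits a TCP connection to address:port."""
    return (rule.action == "allow"
            and ip_address(address) in ip_network(rule.remote, strict=False)
            and rule.port in (0, port))


def audit(rules, network, autoclient=False):
    """Return findings: required flows not allowed, non-local inbound allows."""
    findings = []
    outbound = [r for r in rules if r.direction == "out"]
    for purpose, address, port, channel_only in LIVE_FLOWS[network]:
        if channel_only and not autoclient:
            continue
        if not any(covers(r, address, port) for r in outbound):
            findings.append(f"missing outbound allow {address}:{port} ({purpose})")
    local_ok = False
    for r in rules:
        if r.direction != "in" or r.action != "allow":
            continue
        net = ip_network(r.remote, strict=False)
        if net.version == 4 and net.subnet_of(LOOPBACK):
            local_ok = local_ok or r.port in (0, AUTOCLIENT_LOCAL_PORT)
        else:  # no incoming connections are required
            findings.append(f"unneeded inbound allow from {r.remote} port {r.port or 'any'}")
    if autoclient and not local_ok:
        findings.append(f"missing local allow 127.0.0.1:{AUTOCLIENT_LOCAL_PORT} (AutoClient)")
    return findings


# Constructed rule list for an Internet-connected PC running AutoClient.
SAMPLE_RULES = """\
out allow 149.134.170.9   443
out allow 149.134.170.10  443
out allow 149.134.170.6   443
in  allow 127.0.0.1       8000   # AutoClient inter-process
in  allow 0.0.0.0/0       3389   # remote desktop left open
in  block 0.0.0.0/0       any
"""

if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_RULES), "internet", autoclient=True):
        print(finding)
```
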


2.3 Install Java


To view the Alliance Lite2 Web interface, the minimum supported versions of Java are as follows:
• 1.6.0.45 for Java 6
• 1.7.0.85 for Java 7
• 1.8.0.51 for Java 8
You must install your version of Java (32-bit version) as detailed in the following procedure before
installing the driver for the Alliance Lite2 personal tokens. Make sure that you install Java on each
PC on which a personal token will be used.
Note Java installation is not a requirement for a PC on which you are only installing Alliance
Lite2 AutoClient.
If you have already installed a version of Java, then check the version. If you do not have a recent
enough version, then you must download it from the Java website and configure it.

2.3.1 Verify Which Version of Java is Installed


Procedure
1. Click Start and select Settings > Control Panel > Java.
The Java Control Panel appears. (For Windows 7, click Start > Control Panel > Java).
2. Click the General tab, and click About.
Check which version and build of Java is installed.
If you do not have at least Java version with build 6, or you do not have Java installed at all,
then you must install it.

2.3.2 Download and Install Java


Procedure
1. Access the latest Java software from www.java.com.
2. Download and install the Java software.

Next
Configure Java Settings on page 21

2.4 Configure Java Settings


The required settings of the Java plug-in are normally part of its default settings. If the default
settings of the Java plug-in have been modified or you installed Java after the driver of the personal
USB token, then make sure that the correct settings are configured. You can access the settings by
going to the Java Control Panel > Advanced.
SWIFT recommends correctly configuring the Java settings to improve PC performance and to
avoid pop-up warning messages. See the Knowledge Base tip 5019757 for the latest settings.


Depending on the version of Java that you are using, some of the settings may not be applicable. If
a setting does not exist for your version, then please ignore it.

2.5 Configure Internet Explorer Settings


The required Internet Explorer settings are normally part of its default settings. If the default
settings of Internet Explorer have been modified, then make sure that the correct settings are
selected or enabled. You can access the settings by going to Internet Explorer > Tools > Internet
Options > Advanced.
SWIFT recommends correctly configuring the Internet Explorer Settings to improve PC
performance and to avoid pop-up warning messages. See the Knowledge Base tip 5019758 for the
latest settings.

2.6 Install Driver for Personal Tokens


Before you can use your personal token on a PC, you must install the token software. Make sure
that you install the software on each PC on which a personal token will be used.
• AutoClient installer
If you want to use AutoClient with a token, then you must run two installers: the personal token
installer (see following sections) and the Alliance Lite2 installer (to install AutoClient). If you want
to use AutoClient with a channel certificate, then you only need to run the Alliance Lite2 installer
to install AutoClient. Channel certificates are only available for connection over MV-SIPN.
For more information about how to install AutoClient and create channel certificates, see the
AutoClient User Guide.
• Personal token installer
See the following sections:
- Token Software Installation Prerequisites on page 22
- How to Obtain the Token Installation Software on page 23
- Install the Token Software in Silent Mode on page 24
- Install the Token Software in Interactive Mode on page 25

2.6.1 Token Software Installation Prerequisites


General prerequisites
• Administrator rights are required to install the necessary drivers and software.
• Your PC must be running one of the following operating systems:
- Windows 7 (32-bit or 64-bit), optionally with a Service Pack and Internet Explorer 8.0, 9.0, or
10 (compatibility mode)
- Windows 8.1 R2 (64-bit) and Internet Explorer 11 (compatibility mode)
- Windows Server 2008 R2 (32-bit or 64-bit)
- Windows Server 2012 R2 (64-bit)
• Your PC must have free space of at least 500 MB.


• To check this, open Windows Explorer, right-click the C: drive and select Properties. A System
(C:) Properties window opens:

• To access the SWIFT Certificate Centre, your system requires a 32-bit version of the Java
Runtime Environment (JRE). For more information about the minimum supported versions, see
Install Java on page 21.
• The Windows Script Host (WSH) must be enabled for the .vbs scripts used by the installer to
execute properly. This setting is enabled by default.
• The Windows Smart Card Service must be started for the proper detection of the certificate by
the SafeNet authentication client. This service is started by default.
You can install the token software on a PC that is running either the 32-bit version or the 64-bit
version of Windows. However, you must use the 32-bit versions of Internet Explorer and the Java
Runtime Environment to access the SWIFT Certificate Centre and configure your tokens.
The installation procedure checks that the required versions are installed on your system. For more
information, see Install the Token Software in Interactive Mode on page 25.

2.6.2 How to Obtain the Token Installation Software

2.6.2.1 Download the installation software

Procedure
1. For Windows 8 and above: From the Start window, click the Desktop tile to enter desktop
mode.
2. Navigate to the SWIFT Certificate Centre.
3. On the Getting started page, there is a link that enables you to download the token installation
software.
Click the link.


4. Save the software installation file on your PC. The file name is Personal_token_install.zip.

2.6.2.2 Unzip and run the software installation file

Procedure
1. Navigate to the folder in which you saved the installation software zip file.
Either unzip the archive and navigate to the extracted folder OR
Double-click the zip file. In either case, the following window appears.

2. Double-click the software installation file contained within the zip file.
The Welcome to the SWIFT Token Client Installer window opens and you are ready to start
the installation in Interactive Mode. Refer to Install the software on page 25.

2.6.3 Install the Token Software in Silent Mode


In silent mode, you can remotely install the token software without interactive user input. The
installation procedure takes the input from a response file instead.
You must extract the installer files to one location, and use a script to install the token software in
silent mode.

Prerequisites
To install or remove the token software on PCs in silent mode, you must have administrator rights
for all of the PCs involved.
Note SWIFT recommends that you close all other applications running on the PC before
installing the token software.

Procedure
1. Extract the contents of the zip file Personal_token_install.zip, including the Silent
subfolder to a folder of your choice.

2. Start a DOS command window and navigate to that folder. Execute the following command to
start the silent installation:
If you want to customise the installation, then you can do so by setting the options in the file
silent-install.properties. This file provides the explanation of each option available.


2.6.4 Install the Token Software in Interactive Mode

Install the software

Prerequisites
To install or remove the token software on a PC in interactive mode, you must have administrator
rights for that PC.
Note SWIFT recommends that you close all other applications running on the PC before
installing the token software.

Procedure
1. After you double-click the software installation file, the Welcome to the SWIFT Token Client
Installer window opens. This window informs you of the actions that are performed during
installation.

Click Next.
The SWIFT Token Client Location window opens.

Important Although it is possible to customise the options, SWIFT recommends that you
accept the proposed installation options.

2. If you want to customise the installation, then you can do so by selecting or clearing the
following options:
• Install SafeNet Authentication Client - the installer checks whether there is already an
appropriate version of the SafeNet Authentication Client installed on the PC and installs it if
needed. The SafeNet software contains the drivers needed for the token to be recognised.
You can clear this box if you want to install the SafeNet software after the token software is
installed.
• Install SWIFT Token Client - this configures the SWIFT environment on the PC and,
therefore, you cannot modify this setting.


• Import SWIFT CA certificate - if you select this box, the installer automatically imports the
SWIFT CA certificate on to your PC.
Clear this box if your company policy does not allow you to import certificates. (In this case,
each time that you access the portal you get a warning pop-up message that says you are
using an untrusted certificate. Click OK on the warning, the pop-up closes, and you can
access the portal.)
• Configure Browser settings - if you select this box, then the installer enables TLS version
1.0, TLS 1.1 and TLS 1.2 on your internet browser and disables SSL 2.0 and SSL 3.0 as
these options are considered not secure.

When you have selected your installation options, click Next.


3. The SWIFT Token Client Location window opens.

It shows the proposed folder location for the software installation files. If you want to change the
default location, then click Browse... and navigate to the required folder for installation.
However, the SafeNet authentication software is stored in a default folder that cannot be
changed. The location of this software is shown in the field SafeNet Authentication Client
Folder Name.
Click Next.
4. The installer then runs a test to verify that the PC can support the token software installation.
This can take a few moments to complete.
If one or more of the configuration tests fail, then the System Configuration Test Results
window opens.
If all of the configuration tests are successful, then the SWIFT Token Client Installer
confirmation window opens (see the next step).


The tests compare the Recommended conditions for installation to the Actual conditions of
the user's PC.
The Result in each case appears as OK, as a Warning or an ERROR.
If there is a Warning/ERROR, then an explanation appears in the lower half of the screen.
In the case of a Warning, the installation can continue. In the case of an ERROR, it cannot.
In the example above, the PC does not have a recommended version of Java installed on it. It
is only a Warning because the installation can complete with a lower version of Java, but there
can be problems when accessing the SWIFT portal.
In this case, there is also a link directly to the Java web site from where you can download the
latest version of Java software.
Click Next.
5. The SWIFT Token Client Installer confirmation window opens.

It confirms the actions that are performed during installation.


Click Install to proceed with the installation.


The installation can take a couple of minutes. Do not interrupt the installation procedure during
this time.
6. The results of the installation appear.

If there is a Warning, then an explanation appears at the bottom of the window.


Click Next.
7. The Installation Complete window opens.


Click Finish.
8. The Reboot notice window opens.

Restart your computer to complete the installation. Click Restart now or Restart later.

2.7 Remove the Token Software


You must have administrator rights on each PC from which you want to remove the token software.

2.7.1 Remove the Token Software in Interactive Mode


Procedure
1. From the Control Panel menu, ensure that you have the View by: Category option active.
Click the link Uninstall a program.
The Uninstall or change a program window opens.
2. Select the appropriate SWIFT Token Client program from the list and click Uninstall.
The Welcome to the SWIFT Token Client Uninstaller window opens.
3. Click Next.
Click Yes to confirm the uninstallation.
The Uninstallation Complete window opens.
Click Finish.
The Reboot notice window opens.
The token software is removed, but you must restart your computer for the uninstallation to take
effect. You can choose to Restart now or Restart later.

2.7.2 Remove the Token Software in Silent Mode


In silent mode, you can remotely uninstall the token software without interactive user input.
To install or remove the token software on PCs in silent mode, you must have administrator rights
for all of the PCs involved.
Note The directory in which the uninstall command is executed is important.
The command must not be under the installation directory otherwise the uninstaller will
not be able to remove some installation files.


Execute the uninstaller as shown in the above example.


The uninstall.exe-silent command line requires a response file as argument. A sample
response file is present in the installation folder at
%PDI_HOME%\..\config\silent-uninstall.properties.

2.8 Activate Tokens for Customer Security Officers


Token activation prerequisites
Ensure that the IP address 149.134.170.6 is allowed through your firewall as the SWIFT Certificate
Centre resolves to this IP address.

2.8.1 Token Activation Process


Customer security officers
Alliance Lite2 is provisioned with two predefined customer security officers: the left security officer
(left-cso) and the right security officer (right-cso).
SWIFT creates a distinguished name (DN) for these two security officers:
• cn=left-cso, o=<BIC8>, o=swift
• cn=right-cso, o=<BIC8>, o=swift

Token Activation Process


1. The customer security officers must have all the items ready that are needed to activate their
tokens, see Before you begin.
2. The customer security officers activate their tokens on the SWIFT Certificate Centre. The
activation process generates the PKI private key on the token (see Activate the Token on page
30).
3. After the token activation, the customer security officers can register operators and set them up
for certification in the SWIFTNet Online Operations Manager portal to create a DN for the
operator and provide the activation code (see Create a DN on page 33).

Important For back-up purposes, SWIFT recommends the creation of an additional left security
officer (LSO) and an additional right security officer (RSO). This means that your
institution will have four operators with security officer permissions. This is very useful
when one of the two original customer security officers is unavailable (for example, on
holiday) or forgets his password. Certain actions can only be done if both the left
security officer and the right security officer are present. To create these additional
operators with security officer permissions, see Knowledge Base tip 5017169.

2.8.2 Activate the Token


When you receive your personal token from SWIFT, the token is inactive because it does not yet
contain your certificate.
You must activate your token on the SWIFT Certificate Centre before you can use it for SWIFT
services. The activation process generates your PKI private key and stores it on the token.


Procedure
1. Retrieve the activation code from Secure Channel (see the Secure Channel User Guide).
2. Open Internet Explorer and navigate to http://www.swift.com/certificates.
The SWIFT Certificate Centre window appears.
3. Insert your token into a free USB port of your workstation.
4. Click Login.
The Confirm Certificate window appears.
5. Check that you are using the correct certificate by clicking the link Click here to view
certificate propr....
The correct certificate is issued by SWIFT and has a numeric name.
6. Select the certificate and click OK.
The Token Logon window appears.
7. Type the initial password that was supplied with the token in the Token Password field and
click OK.
You receive your token from one security officer, and the initial password from the other security
officer.
8. You may have to provide the password a second time.
The SWIFT Certificate Centre Login window appears.
9. Type the initial password that was supplied with the token in the Enter your token password
field and click Login.
The Token Activation window appears.
10. Click Next.
11. In the Enter Activation Code window, type the activation code that you obtained through
Secure Channel and click Validate.
If there is a problem with the activation code, then re-enter the code and click Validate again.
Note The activation code is required only once to complete the activation. After
activation is complete, this code cannot be reused.
12. You must now set your own password for the token. Complete the following fields in the
Change password window:

Current Password Enter the initial password that was supplied with the token.

New Password(1) Provide a strong new password. The rules for passwords are as follows:
• Minimum length is four characters (maximum is 20 characters).
• Lowercase (a-z) and uppercase (A-Z) characters are allowed.
Password is case-sensitive.
• Digits 0-9 are allowed.
• All printable ASCII characters are allowed.
• You must use at least two different characters. For example, you cannot
set the password to aaaa or 11111.
• You cannot reuse the previous password. There is a password history
of two years.


Confirm new password Re-enter the new password.

(1) There is no expiry date set on this password. The system will never ask you to change the password.

13. Click Change.


Your private key is now being generated on the token and certified by SWIFT.
The Activation complete window appears.
14. Click Logout to quit the SWIFT Certificate Centre.
When the activation has been completed successfully your personal token is ready for use.

2.9 Create a Distinguished Name


One of the customer security officers must create a Distinguished Name (DN) for each operator
before creating the new operator in Alliance Lite2. The operator can then be approved by the other
customer security officer.
The customer security officer must provide the following to the new operator:
• the initial token password
• a token activation code that is used to activate the operator's token and to access Alliance Lite2
To use AutoClient with a channel certificate, you must first create a Distinguished Name (DN) for
the AutoClient operator and then configure it in the setPasswords tool. For more information about
how to create a channel certificate and a Distinguished Name for AutoClient, see the AutoClient
User Guide.
The customer security officers create distinguished names in the SWIFTNet Online Operations
Manager.

2.9.1 Log in to SWIFTNet Online Operations Manager


You must log in to the SWIFTNet Online Operations Manager to create DNs and set them up for
certification. These steps are needed to provide the end users in your institution a token or channel
certificate.

Prerequisites
You must be an Alliance Lite2 customer security officer to perform this task.

Procedure
1. Insert the activated token.
2. Log in to Alliance Lite2 with the appropriate URL:
• on the Internet
https://alliancelite2.swift.com
• on MV-SIPN
https://alliancelite2.swiftnet.sipn.swift.com
3. Click Login to Live Service - Alliance Lite2 customers on the right of the page.
The Select a Certificate window appears.


4. Select the corresponding certificate.


5. On the Token Logon window, enter the token password that you chose in step 12 on page 31
of Activate the Token on page 30.
6. Click OK.
The Alliance Lite2 login page appears.
7. Select Browse Services > SWIFTNet Online Operations Manager.

Important The SWIFTNet Online Operations Manager can be accessed only through the
Alliance Lite2 login page for the Live environment (see step 2). It is not accessible
through the Test environment.
If you (customer security officer) must create a DN for an operator in the Test
environment, then do the following:
• Go through the Alliance Lite2 Live environment to create the DN in SWIFTNet
Online Operations Manager.
• Log in to the Test environment to create the Test and Training operator with the
DN.
You follow the procedure of creating an operator in the Test environment in the
same way as you do to create an operator in the Live environment, see the
Administration Guide.

8. Select your Alliance Lite2 certificate and click OK.
9. In the Token Logon window, enter the token password that you chose in step 11 of Activate the
Token on page 30. Click OK.
You are now in SWIFTNet Online Operations Manager.
Note If you select the Message Confirmation checkbox in the Browse Preferences window
(accessible through the Preferences button on the top right corner of Alliance Lite2
home page), then the Browse Confirmation window appears. If this check box is not
selected, then the Token Logon window appears.

2.9.2 Create a DN

2.9.2.1 Create a new distinguished name

Procedure
1. Log in to the SWIFTNet Online Operations Manager (O2M). For more information, see Log in to
SWIFTNet Online Operations Manager on page 32.
2. Go to Security > Certificate Management - User and click the User certs tab.
Note In the same way as you click New to create new users, you also have a Recover
option that allows generating new codes and secrets in case they are required for
existing users. You must follow the same procedure as the one for creating new
users (described as follows) when you use the Recover option.


3. In the tree view, determine where in the hierarchy the new user is to be positioned. This
position in the tree determines the unique distinguished name created for the new user. SWIFT
recommends that you minimise the number of levels used in the tree to facilitate maintenance
of the tree. Put the user under an existing node by clicking that node to select it. The DN has a
size limit of 100 characters.
Example of a DN: cn=john-smith,ou=departmentname,o=bankbebb,o=swift, where:
• the cn= segment has the name of the token holder
• the ou= segment allows you to group multiple users under the same organisation unit in your
tree
• the first o= segment contains your live BIC

CAUTION You must not put multiple cn=xxx in one DN as this does not work. It is possible to
create the node in the SWIFTNet Online Operations Manager, but it is not possible
to use it for Browse. For example, you must NOT use
cn=bruno,cn=john,o=bankbebb,o=swift.

Because one DN corresponds to one physical token, it is not possible to duplicate
tokens for the same DN (for example for usage in disaster sites). The AutoClient
User Guide describes that the DN names, corresponding to the AutoClient token,
can be preceded by %1, %2... to have several AutoClient tokens. That only applies
to AutoClient operators and not to any other types of operator.

4. Click New.
The New window appears.

Type a name for the new user and select the type Human or Application.


The rules for entering the name are as follows:


• Minimum length is four characters (maximum is 20 characters)
• First character must be alphabetic, but can be lowercase or uppercase
• Subsequent characters, in any order, can be:
- alphabetic (lowercase or uppercase)
- digits (0-9)
- hyphen (-)
Note Human or Application identifies an individual or an application. For Alliance Lite2
always select Human or Application.
Organisational Unit enables identification by department or by geographical
location.
5. Click OK.
6. Enter your token password.
7. Click OK.
8. A confirmation window appears and asks you if you want to set up the user for certification.
9. Click OK.

The Setup for Certification window appears.

10. Select the certificate class:
Personal token.
For Alliance Lite2, channel certificates are used only for AutoClient. For information about
setting up the channel certificate for AutoClient, see the AutoClient User Guide.


Important Do not select the Business, Lite, or Channel certificate class.

11. Click OK.
The 4-Eyes-Token window appears. This window displays a 14-digit code. Copy the full name
of the created DN for reference later.

12. Copy the 4-eyes token code and click OK.
Give the 4-eyes token code to another customer security officer. The other customer security
officer must perform the 4-eyes authorisation of the action before midnight GMT of the next
calendar day.
13. Click Log off to quit the SWIFTNet Online Operations Manager.
14. You are still logged in to Alliance Lite2. Select Operators from the User Configuration menu.
15. Follow the procedure Add an Operator on page 46.
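
A proposed DN can be checked against the rules in steps 3 and 4 before it is created in the tree. This is an added example, not SWIFT code; it assumes unescaped commas, an eight-character alphanumeric BIC8, that the step 4 name rules apply to the cn= value, and the segment order shown in the example DN.

```python
"""Check a proposed operator DN against the rules stated in this procedure.

Added example, not SWIFT code. Assumptions: segment values contain no
escaped commas, the BIC8 is eight alphanumeric characters, the name rules
of step 4 apply to the cn= value, and segments follow the order of the
example DN in step 3. AutoClient names prefixed with %1, %2... are out of
scope.
"""
import re

MAX_DN_LENGTH = 100
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]{3,19}")   # 4-20 chars, letter first
BIC8_RE = re.compile(r"[A-Za-z0-9]{8}")               # assumption, see docstring


def split_dn(dn):
    """Split 'cn=a,ou=b,o=c' into [('cn', 'a'), ('ou', 'b'), ('o', 'c')]."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed segment: {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def check_operator_dn(dn):
    """Return a list of rule violations; an empty list means the DN passes."""
    problems = []
    if len(dn) > MAX_DN_LENGTH:
        problems.append(f"DN is {len(dn)} characters; the limit is {MAX_DN_LENGTH}")
    try:
        rdns = split_dn(dn)
    except ValueError as exc:
        return problems + [str(exc)]

    attrs = [attr for attr, _ in rdns]
    cn_count = attrs.count("cn")
    if cn_count != 1:                       # multiple cn= cannot be used for Browse
        problems.append(f"expected exactly one cn= segment, found {cn_count}")
    elif attrs[0] != "cn":
        problems.append("cn= must be the leftmost segment")
    elif not NAME_RE.fullmatch(rdns[0][1]):
        problems.append(f"cn value {rdns[0][1]!r} breaks the name rules")

    # The DN must end in o=<BIC8>,o=swift.
    if len(rdns) < 3 or attrs[-2:] != ["o", "o"] or rdns[-1][1].lower() != "swift":
        problems.append("DN must end with o=<BIC8>,o=swift")
    elif not BIC8_RE.fullmatch(rdns[-2][1]):
        problems.append(f"{rdns[-2][1]!r} is not an 8-character BIC")

    # Between cn= and the BIC only ou= grouping levels are expected.
    for attr, value in rdns[1:-2]:
        if attr not in ("ou", "cn"):        # a duplicate cn= is already reported
            problems.append(f"unexpected segment {attr}={value}")
    return problems


if __name__ == "__main__":
    for candidate in (
        "cn=john-smith,ou=departmentname,o=bankbebb,o=swift",  # example from step 3
        "cn=bruno,cn=john,o=bankbebb,o=swift",                 # the CAUTION case
        "cn=jo,o=bankbebb,o=swift",                            # constructed: name too short
    ):
        print(candidate, "->", check_operator_dn(candidate) or "OK")
```
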

2.10 Authorise the DN and Approve the Operator and Issue the Activation Code
The customer security officer who created the DN cannot authorise the DN. Another customer
security officer must perform the authorisation procedure.

Procedure
1. In Alliance Lite2, the other customer security officer must select the Browse Services menu
and select the SWIFTNet Online Operations Manager.
2. Go to Security > 4-eyes Authorisation.
3. Enter the 14-digit 4-eyes token code (see step 11 on page 36) and click Retrieve .
Once the retrieval is done, the Authorise button is enabled.
4. Click Authorise .
After a few moments, the information for the DN is updated.
5. Enter your token password and click OK .
An Operation Successful window appears. Click OK .
6. Go to Security > Certificate Management - User.


Note The status Ready for Certification will be shown and the Certify button does not
need to be used.
7. Double-click the DN that the first security officer has created to display the information for the
DN.
8. Click the + sign to the left of the Activation Secrets field to display the 28-digit activation code.
9. Copy the activation secrets and pass them to the personal token user (operator).
Also give the initial password to the operator. The initial password was sent by SWIFT to the
right customer security officer. It is the same for all tokens. The operator needs this password to
activate the token on the SWIFT Certificate Centre.
10. You can optionally enter a description of the new user and DN in the Description field.
11. Click Log off to quit the SWIFTNet Online Operations Manager.
12. You are still logged in to Alliance Lite2. Select Operators from the User Configuration menu.
13. From the list of operators, select the check box next to the operator that has been created. Click
Approve .

The Approval Status of the operator is now Approved. The Enable Status of the operator is
now Enabled.

Next
Activate the Token on page 30


3 User Management
3.1 Operators

3.1.1 Operators: Definition


Overview
Alliance Lite2 is installed with two predefined operators: the left customer security officer (left-cso)
and the right customer security officer (right-cso). The left customer security officer and the right
customer security officer are initially used to define other operators. Each operator that you define
has a current status which indicates whether the operator can use the system. Until a new operator
is approved separately by both security officers, the operator cannot sign on. Before approving a
new operator, a security officer must assign profiles to the operator. The name, current status, and
assigned profile or profiles that an operator has are called an operator definition.
For back-up purposes, SWIFT recommends the creation of an additional left security officer (LSO)
and an additional right security officer (RSO). This means that your institution will have four
operators with security officer permissions. This is very useful when one of the two original
customer security officers is unavailable (for example, on holiday) or forgets his password. Certain
actions can only be done if both the left security officer and the right security officer are present. To
create these additional operators with security officer permissions, see Knowledge Base tip
5017169.
Note Operators who have not logged in successfully during the last 90 days will be disabled.

Types of security officers

At SWIFT, there are different types of security officers:

Type of security officer | Description | Who plays the role

SWIFTNet security officer | Authorised representative for all the communication with SWIFT about SWIFTNet security. SWIFTNet security officers control the security of their institution by maintaining the certificates of their institution and assigning roles to these certificates. An institution must have at least two security officers. | The SWIFT Customer Security Management (CSM) department plays the role of SWIFTNet security officer for all Alliance Lite2 customers.

Alliance security officer | Configures and manages the security functions within Alliance Access or Alliance Entry. There are two security officers, the left security officer (LSO) and the right security officer (RSO). Together they control which users can sign on to Alliance Access and what those users are permitted to do. | SWIFT controls the left security officer (LSO) and the right security officer (RSO) role of the Alliance Lite2 infrastructure.

Alliance Lite2 customer security officer | Used to create, manage and approve operators. This role combines the roles of SWIFTNet security officer and Alliance security officer but the role is restricted for some operations and is assigned to one institution only. Each institution has a copy of this role that restricts operations to the institution itself. | This role is played by staff of each Alliance Lite2 customer and allows them, for their own institution, to maintain operators on Alliance Lite2 and to control security on SWIFTNet.

3.1.2 Operators Page


Content
The Operators page contains these elements:
• Filtering criteria and functionality that enable you to filter the list of entities on the Operators page:
- See Operators on page 40
- See Functions on page 45
• Details of the operators
See Operators on page 40
• Details of security officers: LSO, RSO, and new security officers (visible with the name assigned
during their creation) are visible to security officers.
• Functions that enable you to manage the operators


Display

Operators

Operators page

Field Description Filtering criteria

Name The operator's login. ✓
For filtering, the wildcard characters % and _ enable you to search for a
group of names.
% Replaces one or more contiguous unknown characters in a string
_ Replaces one unknown character in a string

Status You can select one of these values to filter on the approval status of the operator definitions: ✓
• Approved
• Wait RSO Approval
• Wait LSO Approval
• Unapproved
You can also select one of these values to filter on the operator status
values:
• Enabled
• Disabled
• Time Disabled

Authentication type The value is set to Token.

Last Login Date This picker enables you to filter operators who have not logged in since a selected date. No result is returned for an operator who has never logged in. ✓

Profiles You can filter on the profiles using one of these two options: ✓
• Matching String: If you select this option, then type an operator
profile name in the corresponding field. The wildcard characters % and _
enable you to search for a group of names.
• Matching Selection: If you select this option, then select one or
several operator profiles in the Available list.

Units The only available unit is <BIC8>_Unit.
SWIFT can configure additional units for Alliance Lite2 customers as a
payable option.
Additional units can be requested either as part of the initial set-up services,
or ordered as additional configuration change requests. To request this
configuration change, contact SWIFT Support.

3.1.3 Operator Details: Configuration Tab


Content
To view the operator details, click the row of a specific operator. The Operator Details window
opens.
The Configuration tab contains these elements:
• Details for the configuration of the operator selected
See Details on page 42
• Functions that enable you to manage the operator
See Functions on page 45


Display

Details

Field Description

Name The operator's login. This name must be unique and can have up to 150 alphanumeric
characters. The following characters are allowed: @ . _ - : .
The operator's name must be prefixed with <BIC8>_. For example,
BANKBEBB_James.
The <BIC> in the operator's name is the Live BIC.

Description The full name of the operator or other description

Status The approval status of the operator definition and operator status

Last Login The date and time of the last login

Type The type of operator that connects to Alliance Lite2:


• Human user
• Application user
For Alliance Lite2 (including AutoClient), always select Human.


User DN The distinguished name of the operator as created by the left or right customer
security officer on the SWIFT Online Operations Manager.
DN validation is performed on this field as follows:
• Length <= 100
• Number of levels between 2 and 10
• All levels of the form "…=<value>", with <value> between 1 and 20
alphanumeric characters (plus "-", "%", " ")
• Last level = "o=swift"
• Next-to-last level = "o=<bic8>" or "o=swift"
• Others in the format "ou=…" or "cn=…"

Profiles/Available The list of available operator profiles


To request additional profiles, contact SWIFT Support.

Profiles/Selected The list of operator profiles selected for the operator

Units/Available and Units/Selected The only available unit is <BIC8>_Unit.
SWIFT can configure additional units for Alliance Lite2 customers as a payable option.
Additional units can be requested either as part of the initial set-up services, or
ordered as additional configuration change requests. To request this configuration
change, contact SWIFT Support.
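
The User DN validation rules listed in the Details table above, written out as a checker that reports every rule a DN breaks. This is an added example, not SWIFT's code: the function name, the comma-only level separator and the case-insensitive comparison are assumptions, and the sample DNs are constructed.

```python
import re

MAX_DN_LENGTH = 100
MIN_LEVELS, MAX_LEVELS = 2, 10

# One level: "<attribute>=<value>", where the value is 1 to 20 alphanumeric
# characters plus "-", "%" and space, as listed in the User DN rules.
LEVEL_RE = re.compile(r"([A-Za-z]+)=([A-Za-z0-9%\- ]{1,20})")


def validate_user_dn(dn, bic8):
    """Return the list of rule violations for a User DN (empty list = valid).

    Assumptions of this sketch: levels are separated by "," without padding,
    and attribute names and values are compared case-insensitively.
    """
    errors = []
    if len(dn) > MAX_DN_LENGTH:
        errors.append("length exceeds 100 characters")

    raw_levels = dn.split(",")
    if not MIN_LEVELS <= len(raw_levels) <= MAX_LEVELS:
        errors.append("number of levels is not between 2 and 10")

    levels = []
    for raw in raw_levels:
        match = LEVEL_RE.fullmatch(raw)
        if match is None:
            errors.append(f"malformed level {raw!r}")
            levels.append(None)
        else:
            levels.append((match.group(1).lower(), match.group(2).lower()))

    # Positional rules, read from the right-hand end of the DN.
    if levels[-1] != ("o", "swift"):
        errors.append("last level must be o=swift")
    if len(levels) >= 2 and levels[-2] not in (("o", bic8.lower()), ("o", "swift")):
        errors.append("next-to-last level must be o=<bic8> or o=swift")
    for level in levels[:-2]:
        if level is not None and level[0] not in ("ou", "cn"):
            errors.append(f"level {level[0]}={level[1]} must be ou=... or cn=...")
    return errors


# Constructed sample DNs for the institution BANKBEBB used in this guide's examples.
SAMPLE_DNS = [
    "cn=james,o=bankbebb,o=swift",
    "cn=%1,cn=autoclient,o=bankbebb,o=swift",
    "cn=james,o=bankbebb",
    "cn=james,dc=corp,o=bankbebb,o=swift",
    "cn=james_smith,o=bankbebb,o=swift",
]

if __name__ == "__main__":
    for sample in SAMPLE_DNS:
        print(sample, "->", validate_user_dn(sample, "BANKBEBB") or "valid")
```

Running the check before typing the DN into the User DN field catches a DN that belongs under another institution's o=<bic8> level, not only formatting slips.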

3.1.4 Operator Details: Monitoring Tab


Content
To view the operator details, click the row of a specific operator. The Operator Details window
opens.
The Monitoring tab contains these elements:
• Details for the monitoring of the sessions currently open by the operator selected
See Details on page 44
• Functions that enable you to manage the operator
See Functions on page 45


Display

Details

Field / Column Description

Last Login The date and time of the last login

Host Address The IP address or host name of the Alliance Web Platform Server-Embedded host
where the operator initiated a session. The address of the browser used to create the
session is logged in Alliance Web Platform Server-Embedded. For more information,
see viewing user session properties in the Web Platform Administration and
Operations Guide.

Expiration For Web services sessions, the time at which the session automatically expires if no
action is taken before


Session Type The type of session.


WebService: for sessions run through Alliance Web Platform Server-Embedded or
Web service applications

3.1.5 Operator Functions


Overview
These functions enable you to manage operators.

Functions

Function | Purpose | Operators page | Operator Details - Configuration tab | Operator Details - Monitoring tab

| Hides the content of the filtering criteria area. Present only when the content is visible | ✓ | x | x

| Shows the content of the filtering criteria area. Present only when the content is hidden | ✓ | x | x

Clear | Resets the filtering criteria fields to the default values | ✓ | x | x

Submit | Filters the list of entities according to the current filtering criteria values | ✓ | x | x

Report | Produces reports of the entities returned by the filtering criteria as well as the filtering criteria | ✓ | x | x

Change View | Changes the layout of the list for the current page | ✓ | x | x

Add / Add As | To add an operator. You can also create an operator using the characteristics of an existing operator with the Add As button. Procedure: Add an Operator on page 46 | ✓ | x | x

Delete | To delete an operator. Procedure: Delete an Operator on page 48 | ✓ | x | x

Enable | To enable an operator. Procedure: Enable an Operator on page 49 | ✓ | ✓ | ✓

Disable | To disable an operator. Procedure: Disable an Operator on page 49 | ✓ | ✓ | ✓

Reset Password | This function is not available for Alliance Lite2.

Approve | To approve the operators' definitions. Procedure: Approve an Operator on page 48 | ✓ | ✓ | x

Report | Produces summary or details reports | ✓ | ✓ | ✓

Previous | Displays the details of the previous entity | x | ✓ | ✓

Next | Displays the details of the next entity | x | ✓ | ✓

Close | Closes the current window | x | ✓ | ✓

3.1.6 Add an Operator


Prerequisites

Procedure
1. From the list of operators, click Add .


You can also add an operator using the characteristics of an existing operator.
Select the check box of an operator and click Add As .
The Operator Details window opens.
The status is Unapproved/Disabled.
2. In the Configuration tab, type a name for the operator in the Name field.
This name must be unique and can have up to 150 alphanumeric characters. The following
characters are allowed: @ . _ - : .
SWIFT recommends that you select something simple, such as the operator's first name.
The name must be prefixed with your <BIC8>_. For example, BANKBEBB_James.
If you are using the AutoClient token, then <BIC8>_AutoClient appears by default in the Name
field. You must not change this value.
3. In the Description field, type the full name of the operator or another description.
4. In the Type drop-down list, select one of the following values:
• Application
• Human

Note For Alliance Lite2 (including AutoClient), always select Human.


5. The Authentication Type field is set to Token by default.
6. In the User DN field, type the distinguished name (DN) of the operator that you just created in
the SWIFT Online Operations Manager.
7. Assign one or more profiles from the Profiles/Available list to the operator definition.

Note SWIFT can configure additional operator profiles for Alliance Lite2 customers as a
payable option. Additional operator profiles can be requested either as part of the
initial set-up services, or ordered as additional configuration change requests. To
request this configuration change, contact SWIFT Support.
8. The only available unit is <BIC8>_Unit that appears in the Units Selected list by default.
Note SWIFT can configure additional units for Alliance Lite2 customers as a payable
option. Additional units can be requested either as part of the initial set-up
services, or ordered as additional configuration change requests. To request this
configuration change, contact SWIFT Support.
9. Click Save then click Approve .
On the Operators page, the Approval Status of the operator that you just added changes to
Wait LSO Approval or Wait RSO Approval.
If you change the profiles, then the operator must be re-approved by both security officers or
operators with the appropriate approval entitlement.


Next
Effect on passwords when modifying an operator:
• If user passwords are used on your system, then the modified operator can continue to sign on
with an existing password.
• If you are using Radius one-time passwords:
- If you change the Authentication Type to Radius One-time Password, then the operator
must sign on using the one-time password generated by the hardware token, even if it is the
first sign-on.
- If Radius One-time Password is selected and you select another authentication method,
then the operator must use the associated user password. If the new authentication method
is Password, then the user is prompted to change password.
• If the authentication method is LDAP, then the operator must sign on with an LDAP password.

3.1.7 Delete an Operator


This procedure enables you to delete an operator.

Procedure
1. From the list of operators, select the check box for one or several operators in the left column.
2. Click Delete .
The Delete Confirmation window opens.
3. Click OK .
A status popup message appears.
Note The action of deleting an operator does not need to be approved.
When the security officers log in to SWIFTNet Online Operations Manager, they
still see the certificates (if any) for that operator as valid for eight days after the
operator is deleted from the Alliance Lite2 user management. The security officer
must not change anything in these certificates. The certificates of the deleted
operator will be automatically removed from the user tree after an additional 124 days
and after automatic deletion of all its child nodes.

3.1.8 Approve an Operator


This procedure enables you to approve an operator.

Procedure
1. From the list of operator sessions, click the row of the operator that you want to approve.
The Operator Details window opens.
2. Click Approve .
A status popup message appears.


Note The other security officer or operator with the necessary entitlements and permissions
must now sign on and approve the operator or operators. When both security officers
or operators have approved the changes, the status changes to Approved and the
operator is automatically enabled.

3.1.9 Disable an Operator


This procedure enables you to disable an operator or a security officer (LSO/RSO).
The operator definition for an approved and enabled operator can be disabled, so that the operator
cannot sign on to Alliance Lite2. For example, you may decide to disable an operator's definition
because the operator has left your institution.
You can disable an operator definition until a specific date and time, or disable it indefinitely. You
can also automatically disable an operator who has not signed on for a certain period of time. For
more information, see the .
An LSO can only be disabled if at least one other LSO and at least one RSO are approved and
enabled. The same rule applies when disabling an RSO (at least one other RSO and at least one
LSO must be approved and enabled). If this is not the case, an error message is returned:
"You are not allowed to perform the requested operation. Cannot disable because there is
not another enabled and approved security officer pair."

Prerequisites

Procedure
1. From the list of operator sessions, click the row of the operator that you want to disable.
The Operator Details window opens.
2. Click Disable .
The Disable Operator window opens.
3. In the Next Sign On Allowed drop-down list, select one of the following options:
• By Enable Command: To disable the operator definition until you enable the definition again
with the Enable button.
• On the Following Date: To disable the operator definition until the date, and time that you
specify.
4. Click OK .
A status popup message appears.

Next
An LSO or an RSO that has been disabled will have the approval status Unapproved and must be
approved. For more information, see Approve an Operator on page 48.
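
The approval and disable rules from sections 3.1.6 to 3.1.9, modelled as a small state machine so the dual-control behaviour can be tested. This is an added example, not Alliance Lite2 code: the class and function names are hypothetical, approvals are reduced to the two sides LSO and RSO, and reading Wait RSO Approval as "the LSO side has already approved" is an assumption.

```python
from dataclasses import dataclass, field

SIDES = ("LSO", "RSO")


@dataclass
class Operator:
    name: str
    profiles: frozenset = frozenset()
    side: str = ""          # "LSO" or "RSO" for a security officer, "" otherwise
    approved_by: set = field(default_factory=set)
    enabled: bool = False   # a new definition starts as Unapproved/Disabled

    @property
    def approval_status(self):
        if self.approved_by == set(SIDES):
            return "Approved"
        if self.approved_by == {"LSO"}:
            return "Wait RSO Approval"
        if self.approved_by == {"RSO"}:
            return "Wait LSO Approval"
        return "Unapproved"

    def can_sign_on(self):
        return self.approval_status == "Approved" and self.enabled

    def approve(self, officer_side):
        if officer_side not in SIDES:
            raise ValueError("approver must act as LSO or RSO")
        # A repeat approval from the same side adds nothing: both sides are needed.
        self.approved_by.add(officer_side)
        if self.approval_status == "Approved":
            self.enabled = True     # enabled automatically on the second approval

    def change_profiles(self, profiles):
        self.profiles = frozenset(profiles)
        self.approved_by.clear()    # both sides must approve the new definition


def can_disable(target, operators):
    """A security officer may be disabled only if another approved and enabled
    officer of the same side and one of the opposite side remain."""
    if target.side not in SIDES:
        return True
    opposite = "RSO" if target.side == "LSO" else "LSO"
    active = [op for op in operators if op is not target and op.can_sign_on()]
    return (any(op.side == target.side for op in active)
            and any(op.side == opposite for op in active))


def disable(target, operators):
    if not can_disable(target, operators):
        raise PermissionError("Cannot disable because there is not another "
                              "enabled and approved security officer pair.")
    target.enabled = False
    if target.side in SIDES:
        target.approved_by.clear()  # a disabled LSO/RSO goes back to Unapproved


def officer(name, side):
    """Constructed helper: an already approved and enabled security officer."""
    return Operator(name, side=side, approved_by=set(SIDES), enabled=True)


def demo():
    """Walk one constructed operator through the approval states."""
    james = Operator("BANKBEBB_James", frozenset({"BANKBEBB_OPER_SignOn"}))
    trail = [james.approval_status]
    james.approve("LSO")
    james.approve("LSO")            # same side twice: still waiting for the RSO
    trail.append(james.approval_status)
    james.approve("RSO")
    trail.append(james.approval_status)
    james.change_profiles({"BANKBEBB_OPER_SignOn", "BANKBEBB_Msg_View"})
    trail.append(james.approval_status)
    return trail


if __name__ == "__main__":
    print(demo())
```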

Related information

3.1.10 Enable an Operator


This procedure enables you to enable an operator.


Prerequisites

Procedure
1. From the list of operator sessions, click the row of the operator that you want to enable.
The Operator Details window opens.
2. Click Enable .
A status popup message appears.

3.1.11 Monitor an Operator Session


This procedure enables you to monitor an operator session.

Prerequisites

Procedure
1. From the list of operators, click the row of the operator which you want to monitor.
The Operator Details window opens.
2. Click the Monitoring tab.
3. You can click Refresh to refresh the list.
4. Click Close .
The Operator Details window closes.

3.2 Operator Profiles

3.2.1 Operator Profiles: Definition


Alliance Lite2 consists of a number of entities. The security officers in your institution are
responsible for deciding which entities you can use. The security officers do this by creating an
operator definition for each Alliance Lite2 operator. As part of this definition, the security officers
assign an Alliance Lite2 profile to operators.
An operator profile defines:
• The entities that an operator is allowed to use.
• The entitlements to use actions (functions) within a particular entity.
• The permissions associated with an entitlement.

3.2.2 Profiles Assignment


Operator profiles
The operator profile assigned to you depends on your job role. Your profile determines the menus,
menu options, windows, and available choices which are displayed on the screen when you sign on
to Alliance Lite2.


Any number of operators can be given the same profile, so that the duties which involve Alliance
Lite2 can be shared within your institution. If an operator has a combination of responsibilities, then
more than one profile can be assigned to the operator, provided there is no conflict between the
entitlements and the permissions in one profile and those in another.
Alliance Lite2 is delivered with various default profiles (pre-defined profiles) that security officers
can assign to new operators. Each profile corresponds to a specific user role.

Operator profiles in Alliance Lite2


SWIFT creates the operator profiles for Alliance Lite2 customers. Alliance Lite2 customers cannot
create these profiles.
The <BIC8>_ in the following table is replaced by the BIC8 of each Alliance Lite2 customer. Each
BIC has its own version of the profiles.
As described in the following table, the <BIC8>_OPER_SignOn profile is mandatory for all
operators.
Note SWIFT can configure additional operator profiles for Alliance Lite2 customers as a
payable option. Additional operator profiles can be requested either as part of the
initial set-up services, or ordered as additional configuration change requests. To
request this configuration change, contact SWIFT Support.

For each institution, the following profiles are created:

Operator profile Description

<BIC8>_AutoClient (1) For connectivity through the AutoClient

<BIC8>_BIC_View Allows queries on the BIC Directory

<BIC8>_LSO Creation, management, and approval of operators

<BIC8>_MsgUpload Manual upload of files through message partners already defined on Alliance Lite2

<BIC8>_Msg_All (2) All permissions for message handling

<BIC8>_Msg_AllOthr (2) All permissions for message handling except for the authorisation of own
message

<BIC8>_Msg_Audit Message search

<BIC8>_Msg_Auth Message verification and approval

<BIC8>_Msg_Oper (2) Message creation

<BIC8>_Msg_View Enables an operator to view messages of an 8-character BIC even when it moves from an Alliance Lite2 subscription to an Alliance Remote Gateway subscription

<BIC8>_OPER_SignOn Required to log in to the application (mandatory for all human users,
including SWIFT WebAccess)

<BIC8>_RMA_All All permissions for RMA


<BIC8>_RMA_Auth RMA approval

<BIC8>_RMA_Oper RMA creation

<BIC8>_RSO Creation, management, and approval of operators

(1) This profile must not be assigned to an operator as it is for internal use only. However, the security officer must assign the
OPER_SignOn profile to the AutoClient operator.
(2) To enable operators with these profiles to send MT messages from Message Management, the security officer must also
assign the BIC_View profile to these operators.
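
The profile rules stated above (mandatory OPER_SignOn, the internal-only AutoClient profile, footnote 2 on BIC_View) together with the 90-day inactivity note from section 3.1.1, applied to a list of operator records. This is an added example, not a SWIFT tool: the record layout, function names and sample operators are constructed, and an operator with no recorded login is simply not checked for inactivity.

```python
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=90)
# Profiles that also need BIC_View to send MT messages (footnote 2).
NEEDS_BIC_VIEW = ("Msg_All", "Msg_AllOthr", "Msg_Oper")


def audit_operator(op, bic8, today):
    """Return the findings for one operator record (empty list = nothing to fix)."""
    prefix = bic8 + "_"
    findings = []
    if not op["name"].startswith(prefix):
        findings.append("name is not prefixed with <BIC8>_")

    # Drop the institution prefix so the checks read like the profile table.
    roles = {p[len(prefix):] if p.startswith(prefix) else p for p in op["profiles"]}
    if "OPER_SignOn" not in roles:
        findings.append("missing mandatory OPER_SignOn profile")
    if "AutoClient" in roles:
        findings.append("AutoClient profile assigned (internal use only)")
    senders = sorted(roles.intersection(NEEDS_BIC_VIEW))
    if senders and "BIC_View" not in roles:
        findings.append("BIC_View missing for " + ", ".join(senders))

    last_login = op.get("last_login")
    if last_login is not None and today - last_login > INACTIVITY_LIMIT:
        days = (today - last_login).days
        findings.append(f"no successful login for {days} days (limit 90)")
    return findings


def audit(operators, bic8, today):
    """Map operator name -> findings, for the operators that have any."""
    report = {}
    for op in operators:
        findings = audit_operator(op, bic8, today)
        if findings:
            report[op["name"]] = findings
    return report


# Constructed operator list; the field names are hypothetical.
SAMPLE_OPERATORS = [
    {"name": "BANKBEBB_James", "last_login": date(2017, 7, 1),
     "profiles": {"BANKBEBB_OPER_SignOn", "BANKBEBB_Msg_Oper", "BANKBEBB_BIC_View"}},
    {"name": "BANKBEBB_Anna", "last_login": date(2017, 7, 10),
     "profiles": {"BANKBEBB_OPER_SignOn", "BANKBEBB_Msg_All"}},
    {"name": "BANKBEBB_AutoClient", "last_login": date(2017, 7, 19),
     "profiles": {"BANKBEBB_AutoClient"}},
    {"name": "BANKBEBB_Marc", "last_login": date(2017, 3, 1),
     "profiles": {"BANKBEBB_OPER_SignOn", "BANKBEBB_Msg_View"}},
    {"name": "Lea", "last_login": None,
     "profiles": {"BANKBEBB_OPER_SignOn"}},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_OPERATORS, "BANKBEBB", date(2017, 7, 20)).items():
        print(name, findings)
```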

Security officers' profiles and security-related entitlements


Security officers (left security officer and right security officer) have a specific set of entitlements
assigned to them by SWIFT. Both security officers have the same operator profile. This profile
cannot be displayed, modified, or removed.
The operators with <BIC8>_LSO and <BIC8>_RSO profiles are the Alliance Lite2 customer security
officers.
The operator details of the left security officer and right security officer must never be changed. If
these details are changed, then the security officer (left or right) will not be able to log in to the
Alliance Lite2 environment and SWIFT will need to intervene.
The approval of both security officers is needed when creating or modifying operators. All other
operations that fall within the scope of a security officer only need one security officer.

3.2.3 Operator Profiles Page


Content
The Operator Profiles page contains these elements:
• A filtering criterion and filtering functionality that enable you to filter the list of entities on the
Operator Profiles page. See Details on page 53.
• Details of the available operator profiles
See Details on page 53
• Functions that enable you to manage the operator profiles
See Functions on page 53


Display

Details

Column Description Filtering criterion

Name The operator profile name ✓
The BIC in the operator profile name is the Live BIC.

Functions

Function Description

Hides the content of the filtering criteria area
Present only when the content is visible

Shows the content of the filtering criteria area
Present only when the content is hidden

Clear Resets the filtering criteria fields to the default values

Submit Filters the list of entities according to the current filtering criteria values

Report Enables you to produce reports of the entities returned by the filtering criteria as well
as the filtering criteria

Change View Changes the layout of the list for the current page

Report Enables you to produce summary or details reports

Previous Displays the details of the previous entity

Next Displays the details of the next entity

Close Closes the current window

3.2.4 Operator Profile Details


Content
The Operator Profile Details page contains these elements:
• Details of the operator profile selected
See Details on page 55
• Functions that enable you to manage the operator profile
See Functions on page 53


Display

Details

Field Description

Name The operator profile name

Entities/Available The entities that can be added to the operator profile

Entities/Selected The entities selected for the operator profile

Actions/Available For the entity selected, the actions that can be added to the operator profile

Actions/Selected For the entity selected, the actions selected for the operator profile

Permissions The permissions linked to the action selected

3.3 RBAC Roles for Browse Services

3.3.1 Assign and Approve RBAC Roles for Browse Users


In some Browse services, subroles can be assigned to operators to determine what the operator is
allowed to access within the Browse service. These are called RBAC roles (RBAC = Role-Based
Access Control). To perform tasks in Browse, these users must have the RBAC roles assigned by
the first Alliance Lite2 customer security officer (for example, the left customer security officer)
(see Assign RBAC Roles to a Browse User on page 56). This creates the 4-eyes token number.
The left customer security officer then provides the 4-eyes token number to the second customer
security officer (for example, the right customer security officer) who logs in and approves the
action (see Approve the assigned RBAC roles on page 59).


3.3.1.1 Assign RBAC Roles to a Browse User

Procedure
1. On the Browse home page, click Browse Services > SWIFTNet Online Operations Manager.
The SWIFTNet Browse Confirmation window appears indicating that you must enter your
password. You will be required to enter your password twice.

Note The Browse option does not appear if you logged on to the Test and Training
environment.
2. Enter your password.
3. Click OK .
The system starts the Authenticating process.
When the authentication completes, the SWIFTNet Online Operations Manager window
appears.


4. Click Security > Role Management.


The following window appears that displays a tree view with user nodes and the Role
Information pane on the right side of the window.

5. In Alliance Lite2, the customer security officer defines the Distinguished Name (DN) used by
the token. The Browse nodes add cn=%51 or cn=%52 (or cn=tt for Test and Training) in front of
the DN.

For example, if the token is cn=user,o=<bic8>,o=swift, then the browse nodes are as follows:

For live environment:
cn=%51,cn=user,o=<bic8>,o=swift
cn=%52,cn=user,o=<bic8>,o=swift

For test environment:
cn=tt,cn=user,o=<bic8>,o=swift


CAUTION The %51, %52, and tt nodes are automatically created when the corresponding
operator logs in for the first time to Alliance Lite2. The security officers should
never create these nodes.
The %51 and %52 nodes must always be aligned in terms of roles assignments.

6. Double-click a user on the tree view and assign the necessary RBAC roles to both the %51
and %52 nodes for the live environment and to the tt node for the test environment.
The %51 and %52 nodes relate to the high-availability configuration of the two Alliance Lite2
servers. It is important that you grant the same roles to both %51 and %52. The easiest way of
doing this is to double-click to select both %51 and %52 in the tree view so that they are
displayed on the right side of the screen. You can then use the Group Grant function to assign
the same roles to both %51 and %52 at the same time.
For more information, see the Certificate Administration Guide > Distinguished Name
Equivalence.
7. Expand the roles in the Role Information pane as needed.
8. For each role, select the corresponding checkbox to grant the role (to ungrant a role, clear the
corresponding checkbox).
When you make a modification, a light icon appears above the checkboxes.
This window looks like the following:

Note The meaning of these roles is decided by the third party Browse service provider
(for example, TARGET2). You must follow the guidelines provided by your service
provider to understand and set the right roles.
9. Click Save .
The system prompts you to enter your password.


10. Enter your password and click OK .


The 4-Eyes Token window appears providing you with a 4-eyes token number that the second
customer security officer needs to approve the roles that are assigned to the user. It also
provides additional information about the token. An example 4-Eyes Token is as follows:

11. Click OK to complete the RBAC role assigning procedure.
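
A check for the rule in step 5 and step 6 that the %51 and %52 nodes must always carry the same roles, run over a mapping of Browse node DN to granted roles. This is an added example, not part of SWIFTNet Online Operations Manager: the function names and the mapping layout are assumptions, and the DNs and role names are constructed (real role names come from the Browse service provider).

```python
LIVE_PREFIXES = ("cn=%51,", "cn=%52,")
TEST_PREFIX = "cn=tt,"


def browse_nodes(token_dn):
    """Browse node DNs that are derived from a token DN (see step 5)."""
    return {
        "live": [prefix + token_dn for prefix in LIVE_PREFIXES],
        "test": [TEST_PREFIX + token_dn],
    }


def misaligned_live_nodes(role_assignments, token_dns):
    """Return {token_dn: differences} where the %51 and %52 role sets differ.

    role_assignments maps a Browse node DN to the set of roles granted to it.
    """
    findings = {}
    for token_dn in token_dns:
        node51, node52 = browse_nodes(token_dn)["live"]
        if node51 not in role_assignments and node52 not in role_assignments:
            # The nodes are created at the operator's first login, so there
            # is nothing to compare yet.
            continue
        roles51 = set(role_assignments.get(node51, ()))
        roles52 = set(role_assignments.get(node52, ()))
        if roles51 != roles52:
            findings[token_dn] = {
                "only_on_51": sorted(roles51 - roles52),
                "only_on_52": sorted(roles52 - roles51),
            }
    return findings


# Constructed data: token DNs and hypothetical role names.
TOKEN_DNS = [
    "cn=james,o=bankbebb,o=swift",
    "cn=anna,o=bankbebb,o=swift",
    "cn=marc,o=bankbebb,o=swift",   # has not logged in yet: no Browse nodes
]
ROLE_ASSIGNMENTS = {
    "cn=%51,cn=james,o=bankbebb,o=swift": {"service-a-viewer", "service-a-approver"},
    "cn=%52,cn=james,o=bankbebb,o=swift": {"service-a-viewer"},
    "cn=%51,cn=anna,o=bankbebb,o=swift": {"service-a-viewer"},
    "cn=%52,cn=anna,o=bankbebb,o=swift": {"service-a-viewer"},
    "cn=tt,cn=anna,o=bankbebb,o=swift": {"service-a-viewer"},
}

if __name__ == "__main__":
    print(misaligned_live_nodes(ROLE_ASSIGNMENTS, TOKEN_DNS))
```

A difference reported here means the operator's permissions depend on which of the two Alliance Lite2 servers handles the session, which is the situation the Group Grant function is meant to prevent.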

3.3.1.2 Approve the assigned RBAC roles

Procedure
1. If the left customer security officer assigned the RBAC roles, then the right customer security
officer must approve the RBAC roles. For more information, see Assign and Approve RBAC
Roles for Browse Users on page 55.
2. On the SWIFTNet Online Operations Manager window, click Security > 4-eyes
Authorisations.
3. In the text box as indicated on the screen, type or paste the token that the first customer
security officer received at the end of the procedure for assigning the RBAC roles.


4. Click Retrieve .
The details of the action to authorise appear in the right pane.

5. Verify the details and click Authorise .


The Operation Successful confirmation window appears.


6. Click OK .
For more information about SWIFTNet Online Operations Manager, see the SWIFTNet
Online Operations Manager User Guide.


4 Reference Data Management


The reference data described in this section can only be viewed (that is, not modified) by Alliance
Lite2 customers. SWIFT automatically manages this data for Alliance Lite2 customers.

4.1 Correspondents

4.1.1 Correspondents
In Alliance Lite2, a correspondent can be an institution, a department, or an individual with which
Alliance Lite2 can communicate through SWIFT.
You can display the details of correspondents or groups of related correspondents.

4.1.2 Correspondents Page


Content
The Correspondents page contains these elements:
• Filtering criteria and functionality that enable you to filter the list of entities on the
Correspondents page:
- See Correspondents on page 63
- Functions on page 69
• Details of the available correspondents
See Correspondents on page 63
• Functions that enable you to view the correspondents
See Functions on page 69

Display

Correspondents

Field Description Filtering criteria

Type The correspondent type. This can be either an institution, a department, or
an individual. ✓
These are the possible filtering criteria:
• Institution: to search only for correspondents that are institutions
• Department: to search only for correspondents that are departments
• Individual: to search only for correspondents that are individuals

Institution The BIC-11 address of the institution. The BIC-8 destination address is
followed by either a specific three-character branch code or by a default
branch code of XXX. ✓
For filtering, the wildcard characters % and _ can also be used.
% Replaces one or more contiguous unknown characters in a string
_ Replaces one unknown character in a string

Department If the correspondent is a department or individual, this is the name of the
department within the institution. Otherwise, it is blank. ✓
For filtering, if the Type drop-down list is empty or set to Department or
Individual, then in the Department field, you can enter the name of the
department within the institution that you are searching for. The wildcard
characters % and _ can be used.

Last Name If the correspondent is an individual, this is the last name of the individual.
Otherwise, it is blank. ✓
For filtering, if the Type drop-down list is empty or set to Individual, then
in the Last Name field, you can enter the last name of the individual who
you are searching for. The wildcard characters % and _ can be used.

First Name If the correspondent is an individual, this is the first name of the individual.
Otherwise, it is blank. ✓
For filtering, if the Type drop-down list is empty or set to Individual, then
in the First Name field, you can enter the first name of the individual who
you are searching for. The wildcard characters % and _ can be used.

Definition These are the possible values: ✓
• Internal: to search only for internal correspondents. These are
correspondents owned by the institution.
• External: to search only for external correspondents. These are
correspondents not owned by the institution.

Institution Name The name of the institution. ✓
For filtering, the BIC-11 address of the institution. The BIC-8 destination
address is followed by either a specific three-character branch code or by a
default branch code of XXX.
The full name of the institution. The wildcard characters % and _ can be
used.

Branch (Info) The name of the branch. ✓
For filtering, the full name of the branch. The wildcard characters % and _
can be used.

City Name The full name of the city in which the correspondent is located. ✓
For filtering, the wildcard characters % and _ can be used.

Country (Code) The two-character ISO standard code for the country in which the
correspondent is based - the same as characters 5 and 6 of the BIC-11
address in the Institution field. ✓
For filtering, the wildcard characters % and _ can be used.

Status The status of the correspondent. This can be Active or Inactive. You
cannot send a message to an inactive correspondent. ✓
For filtering, these are the possible values:
• Active: to search only for correspondents with an Active status.
• Inactive: to search only for correspondents with an Inactive status.
You cannot send a message to an inactive correspondent.

Modified Since Enter a date using the date picker. Only correspondent records which have
been modified since this date are included in the search. ✓

Update on BIC Load Select this check box to filter on any unpublished BICs that you have
defined on your correspondents. ✓

Application These are the possible values: ✓
• APPLI: to search only for correspondents that have APPLI as one of
their defined applications. APPLI is the Alliance application interface to
external message partners (such as back-office banking systems).
If you select APPLI, then the Exit Point drop-down list appears. Select the
exit point to which any messages for the correspondent are routed.
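
The Institution and Country (Code) rules above (BIC-8 plus a branch code or the default XXX, country code in characters 5 and 6, and the % and _ wildcards) can be reproduced outside the web interface, for example to check a filter value before it is used in a script. The following Python code is an added example, not part of Alliance Lite2; the function names, the sample BICs, and the BIC character classes (taken from ISO 9362) are assumptions.

```python
import re

# BIC-11 = BIC-8 + three-character branch code; characters 5 and 6 are the country
# code (both stated in the guide). The character classes are an assumption of this
# example, taken from ISO 9362 rather than from the guide.
BIC11_RE = re.compile(r"[A-Z0-9]{4}[A-Z]{2}[A-Z0-9]{2}[A-Z0-9]{3}")


def to_bic11(bic):
    """Normalise a BIC-8 or BIC-11; a BIC-8 gets the default branch code XXX."""
    code = bic.strip().upper()
    if len(code) == 8:
        code += "XXX"
    if not BIC11_RE.fullmatch(code):
        raise ValueError("not a BIC-8 or BIC-11: %r" % bic)
    return code


def country_of(bic):
    """Return the two-character country code (characters 5 and 6 of the BIC-11)."""
    return to_bic11(bic)[4:6]


def compile_filter(pattern):
    """Translate a filter value using % and _ into a regular expression.

    Every other character is escaped, so regex metacharacters typed into a filter
    value are matched literally and cannot widen the search.
    """
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".+")  # the guide: one or more contiguous unknown characters
        elif ch == "_":
            parts.append(".")   # exactly one unknown character
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def filter_correspondents(records, institution=None, country=None):
    """Return the BIC-11 of every record matching the given filter values."""
    inst_re = compile_filter(institution) if institution else None
    ctry_re = compile_filter(country) if country else None
    hits = []
    for rec in records:
        bic11 = to_bic11(rec["institution"])
        # fullmatch anchors the pattern at both ends of the field value
        if inst_re and not inst_re.fullmatch(bic11):
            continue
        if ctry_re and not ctry_re.fullmatch(bic11[4:6]):
            continue
        hits.append(bic11)
    return hits


# Constructed sample records; these BICs are placeholders, not real institutions.
SAMPLE = [
    {"institution": "AAAABEBB"},
    {"institution": "AAAABEBB123"},
    {"institution": "BBBBGB2L"},
    {"institution": "CCCCDEFFXXX"},
]

if __name__ == "__main__":
    print(filter_correspondents(SAMPLE, institution="AAAA%"))
    print(filter_correspondents(SAMPLE, country="_E"))
```

Because % is implemented here as "one or more" characters, exactly as the guide words it, a value such as AAAABEBBXXX% matches nothing: there is no character left for the wildcard to replace.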

4.1.3 Correspondent Details : Profile Tab


Content
The Profile tab contains these elements:
• Details of the correspondents
See Details on page 66
• Functions that enable you to view the correspondents
See Functions on page 69

Display

Details

Field Description

Status The status of the correspondent. This can be Active or Inactive. You cannot send
a message to an inactive correspondent.

Definition These are the possible values:
• Internal: to create an internal correspondent. An internal correspondent is
owned by the institution.
• External: to create an external correspondent. An external correspondent is not
owned by the institution.

Header Select a correspondent type in the Type drop-down list.
These are the possible values:
• Institution: to create a correspondent that is an institution
• Department: to create a correspondent that is a department
• Individual: to create a correspondent that is an individual
Then, you can complete the following fields:
• Institution: The BIC-11 address of the institution. The BIC-8 destination address is
followed by either a specific three-character branch code or by a default branch
code of XXX. Special characters are not allowed.
• Department: If the Type field is set to Department or Individual, then in the
Department field, you can enter the name of the department. Special characters
are not allowed.
• Last Name: If the Type field is set to Individual, then in the Last Name field,
you can enter the last name of an individual. Special characters are not allowed.
• First Name: If the Type field is set to Individual, then in the First Name field,
you can enter the first name of an individual. Special characters are not allowed.
Optionally, a more specific description of the correspondent type can appear in the
Sub Type field.

Details In the Profile drop-down list, specify the following:
• Specific: The correspondent profile is specific to this correspondent and is not
inherited from a parent correspondent.
• Same as Institution: The correspondent is a department and inherits its
profile from the institution to which it is associated.
• Same as Department: The correspondent is an individual and inherits its profile
from the department to which it is associated.
The available choices depend on the correspondent type selected in the Type
drop-down list.
If you selected Specific, you have to complete the following fields:
• Institution Name: the full name of the institution
• Branch: the full name of the branch
• City: the name of the city in which the correspondent is located.
The Country field shows the ISO standard country code for the country in which
the correspondent is based. These are characters 5 and 6 of the BIC-11 address in the
Institution field.
• Address: the address of the correspondent
• Location: the location of the correspondent
• POB Number: the post office box of the correspondent
• POB Location: the location of the post office box

Preferred Language The preferred language that Alliance Lite2 must use when expanding messages sent
to the correspondent
These are the possible values:
• English
• Francais
• Deutsch
• Italiano
• Espanol

Comments Any general comment about the correspondent

Update on BIC Load Select this check box if you want the correspondent record to be updated when an
Alliance Bank File is loaded. This means that the record may be changed or even
deleted as a result of the update.
Clear the check box if you do not want the correspondent record to be updated when
an Alliance Bank File is loaded.
This means that if the Alliance Bank File shows that the correspondent must be
modified, the record is not modified. If the Alliance Bank File shows that the
correspondent must be deleted, then the record is not deleted, but SWIFT is removed
from the list of Preferred Networks for the correspondent.

Last Modification This field shows the date on which the correspondent record was last modified.

4.1.4 Correspondent Details: Preferred Networks Tab


Content
The Preferred Networks tab displays the network applications that Alliance Lite2 can use to send
messages to the correspondent.
The Preferred Networks tab contains these elements:
• Details of the correspondents
See Details on page 66
• Functions that enable you to view the correspondents
See Functions on page 69

Display

Details

Field Description

Preferred Networks All the defined applications for the correspondent that are also network applications.
By default, Alliance Lite2 sends any message to the correspondent using the first
network application in the Selected list that can handle the message format, unless
you specify a different network application during message creation or modification.
Your correspondent may prefer you to use the applications in a specific order.

4.1.5 Correspondent Functions


Overview
These functions enable you to view correspondents.

Functions

Function Description Correspondents page Correspondent Details window

Hides the content of the filtering criteria area ✓ x
Present only when the content is visible

Shows the content of the filtering criteria area ✓ x
Present only when the content is hidden

Clear Resets the filtering criteria fields to the default values ✓ x

Submit Filters the list of entities according to the current filtering criteria values ✓ x

Report Enables you to produce reports of the entities returned by the filtering criteria as well as the
filtering criteria ✓ x

Change View Changes the layout of the list for the current page ✓ x

Report Enables you to produce summary or details reports ✓ ✓

Previous Displays the details of the previous entity ✓ ✓

Next Displays the details of the next entity ✓ ✓

Close Closes the current window x ✓

4.2 Countries

4.2.1 Countries
You can display the reference data country records. Most of the reference data details are imported
from the Alliance Bank File. Each country record includes a field that defines whether the record
must be updated automatically when an Alliance Bank File is loaded into Alliance.

4.2.2 Countries Page


Content
The Countries page contains these elements:
• Filtering criteria and functionality that enable you to filter the list of entities on the Countries page.
See Countries on page 72.
• Details of the available countries
See Countries on page 72
• Functions that enable you to view the countries
See Functions on page 72

Display

Countries

Field Description Filtering criteria

Code The unique two-character ISO standard country code. ✓
For filtering, the wildcard characters % and _ enable you to search for a
group of codes.
% Replaces one or more contiguous unknown characters in a string
_ Replaces one unknown character in a string

Name The country name. ✓
For filtering, the wildcard characters % and _ enable you to search for a
group of names.

Functions

Function Description

Hides the content of the filtering criteria area
Present only when the content is visible

Shows the content of the filtering criteria area
Present only when the content is hidden

Clear Resets the filtering criteria fields to the default values

Submit Filters the list of entities according to the current filtering criteria values

Report Enables you to produce reports of the entities returned by the filtering criteria as well
as the filtering criteria

Change View Changes the layout of the list for the current page

Report Enables you to produce summary or details reports

Previous Displays the details of the previous entity

Next Displays the details of the next entity

Close Closes the current window

Upload now After prompting you to confirm or modify the configuration details, loads the Bank
Update File.

4.2.3 Country Details


Content
The Country Details window contains these elements:
• Details of the countries
See Details on page 73

Display

Details

Field Description

Code The unique two-character ISO standard country code

Name The name of the country

Update on BIC Load Select this check box if you want the country record to be updated when an Alliance
Bank File is loaded. This means that the record may be changed or even deleted as a
result of the update.
Clear the check box if you do not want the country record to be updated when an
Alliance Bank File is loaded.

4.3 Currencies

4.3.1 Currencies
You can display the reference data currency records. Most of the reference data details are
imported from the Alliance Bank File. Each currency record includes a field that defines whether
the record must be updated automatically when an Alliance Bank File is loaded into Alliance.

4.3.2 Currencies Page


Content
The Currencies page contains these elements:
• Filtering criteria and functionality that enable you to filter the list of entities on the Currencies
page:
- See Currencies on page 75
- See Functions on page 75
• Details of the available currencies
See Currencies on page 75
• Functions that enable you to view the currencies
See Functions on page 75

Display

Currencies

Field Description Filtering criteria

Code The unique three-character ISO standard currency code. ✓
For filtering, the wildcard characters % and _ enable you to search for a
group of codes.
% Replaces one or more contiguous unknown characters in a string
_ Replaces one unknown character in a string

Name The currency name. ✓
For filtering, the wildcard characters % and _ enable you to search for a
group of names.

Digits The maximum number of digits needed to correctly display fractional
amounts of the currency. This can be any number between 0 and 6.

Functions

Function Description

Hides the content of the filtering criteria area
Present only when the content is visible

Shows the content of the filtering criteria area
Present only when the content is hidden

Clear Resets the filtering criteria fields to the default values

Submit Filters the list of entities according to the current filtering criteria values

Report Enables you to produce reports of the entities returned by the filtering criteria as well
as the filtering criteria

Change View Changes the layout of the list for the current page

Report Enables you to produce summary or details reports

Previous Displays the details of the previous entity

Next Displays the details of the next entity

Close Closes the current window

Upload now After prompting you to confirm or modify the configuration details, loads the Bank
Update File.

4.3.3 Currency Details


Content
The Currency Details window contains these elements:
• Details of the currencies
See Details on page 76

Display

Details

Field Description

Code The unique three-character ISO standard currency code

Name The name of the currency

Number of Digits The maximum number of digits needed to correctly display fractional amounts of the
currency. This can be any number between 0 and 6.

Update on BIC Load Select this check box if you want the currency record to be updated when an Alliance
Bank File is loaded. This means that the record may be changed or even deleted as a
result of the update.
Clear the check box if you do not want the currency record to be updated when an
Alliance Bank File is loaded.

5 Default Operator Profiles


SWIFT creates the operator profiles for Alliance Lite2 customers. Alliance Lite2 customers cannot
create these profiles.
Note SWIFT can configure additional operator profiles for Alliance Lite2 customers as a
payable option. Additional operator profiles can be requested either as part of the
initial set-up services, or ordered as additional configuration change requests. To
request this configuration change, contact SWIFT Support.
This section describes the following:
• Alliance Lite2 default operator profiles on page 77
• Entities and operator profiles on page 78
• How Entities, Actions, and Permissions Work on page 80
• Specific entities, actions, and permissions available to each operator profile
Note In this chapter several entities or permissions, visible on the screen as 'selected', are
not documented because they cannot be used with Alliance Lite2.

Alliance Lite2 default operator profiles

For each institution, the following profiles are created:

Operator profile Description

AutoClient on page 81 (1) For connectivity through the AutoClient

BIC_View on page 82 Allows queries on the BIC Directory

LSO Creation, management, and approval of operators

MsgUpload on page 83 For manual upload of files

Msg_All on page 84 (2) All permissions for message handling

Msg_AllOthr on page 90 (2) All permissions for message handling except for the authorisation of own
message

Msg_Audit on page 90 Message search

Msg_Auth on page 91 Message approver

Msg_Oper on page 94 (2) Message creator

OPER_SignOn on page 99 Required to log in to the application (mandatory for all human users)
Required for Browse users

RMA_All on page 99 All permissions for RMA

RMA_Auth on page 103 RMA approver

RMA_Oper on page 106 RMA creator

RSO Creation, management, and approval of operators

(1) This profile must not be assigned to an operator as it is for internal use only. However, the security officer must assign the
OPER_SignOn profile to the AutoClient operator.
(2) To enable operators with these profiles to send MT messages from Message Management, the security officer must also
assign the BIC_View profile to these operators.

Entities and operator profiles

The following table describes the different entities in Alliance Lite2 and the default operator profiles
that have certain permissions for each entity:

Entity Description Default operator profiles

Access Control Controls all access to Alliance Lite2 and, therefore, to all of the
other entities and functions.
Default operator profiles: LSO and RSO, OPER_SignOn

Application Interface Controls the transfer of messages and files between Alliance Lite2
and back-office applications, printers, or any other system that
communicates with Alliance Lite2. Suitable messages for transferring
include SWIFT FIN, MX, FileAct, and system messages. Suitable
files include payload files, or files that contain several messages.
Default operator profiles: AutoClient, MsgUpload

Correspondent Information File Contains essential data about a user's correspondents, in the form
of correspondent, alias, country, network, and currency records.
Default operator profiles: BIC_View

Message Creation Provides all the functions necessary to create messages.
Default operator profiles: Msg_All (1), Msg_Oper (1), Msg_AllOthr (1)

Message Modification Messages that fail validation during message creation, or that fail
verification or authorisation can be sent to a Text Modification
message queue for later editing. An entitled user can use the
Message Modification entity to edit the messages in these queues.
Default operator profiles: Msg_All, Msg_Auth, Msg_Oper, Msg_AllOthr

Message Approval Allows entitled operators to verify and authorise messages.
Default operator profiles: Msg_All, Msg_Auth, Msg_Oper, Msg_AllOthr (2)

Message File Provides a central query, maintenance, and archiving facility
for all messages processed by Alliance Lite2.
Default operator profiles: Msg_All, Msg_Auth, Msg_Oper, Msg_AllOthr, Msg_Audit

Relationship Management The Relationship Management functionality allows institutions to
manage business relationships with their counterparties.
When one party in a business relationship consents to receive
messages from a specific correspondent, that consent is
recorded in an Authorisation.
The Relationship Management entity allows an entitled user to
create and manage the authorisations that restrict the
sending of messages between parties in a business relationship.
Default operator profiles: RMA_All, RMA_Auth, RMA_Oper

Security Definition The LSO/RSO or other entitled user can use the Security
Definition entity to define which Alliance Lite2 entity functions each
user can access, by assigning an operator profile to each user.
Default operator profiles: LSO and RSO

(1) To enable operators with these profiles to send MT messages from Message Management, the security officer must also
assign these operators the BIC_View profile.
(2) An operator with this profile can verify his own message, but cannot authorise his own message.

Related information
Operator Profile Details on page 54

5.1 How Entities, Actions, and Permissions Work


Example of an operator profile with no permissions

Description

1 The BIC_View profile can use the Correspondent Info entity as this is the entity that is
selected.

2 Within the Correspondent Info entity, this profile can perform the three actions that are
selected:
• OpenPrint Corr Dets
• OpenPrint Country
• OpenPrint Currency

3 There are no specific permissions linked to these actions.

Example of an operator profile with specific permissions

Description

1 The Msg_Oper profile can use the Mesg Approval, Mesg Creation, Mesg Modification,
and Message File entities.

2 Within the Mesg Modification entity, this profile can perform the three actions that are
selected:
• Complete Message*
• Dispose Message*
• Modify Message*

3 An asterisk indicates that there are specific permissions linked to an action. In this case,
there are specific permissions for all of the selected actions.

4 This example shows the permissions for Complete Message*.

5.2 AutoClient
The AutoClient operator profile can perform certain actions related to the Application Interface
entity:

Actions Permissions Specific permissions for AutoClient

Create Message Own destination (Allowed/Prohibited) Allowed

MT (Allowed/Prohibited) Prohibited

CCY+[AMOUNT] (Allowed/Prohibited) Prohibited

Service $ identifier (Allowed/Prohibited) Prohibited

Dispose Message Bypass verify MT (Allowed/Prohibited) Prohibited

Bypass verify CCY (Allowed/Prohibited) Prohibited

Bypass auth. MT (Allowed/Prohibited) Prohibited

Bypass auth. CCY (Allowed/Prohibited) Prohibited

Bypass authorisation: service $ identifier (Allowed/Prohibited) Prohibited

Move to Routing Point

Important This profile must not be assigned to an operator as it is for internal use only. However,
the security officer must assign the OPER_SignOn profile to the AutoClient operator.

5.3 BIC_View

Entity Actions allowed for BIC_View Specific permissions for BIC_View

Correspondent Info OpenPrint Corr Dets (Correspondent details) None

OpenPrint Country None

OpenPrint Currency None

5.4 LSO and RSO

Entities Actions allowed for LSO and RSO Specific permissions LSO Specific permissions RSO

Access Control Signon

Start time 0000 0000

End time 2357 2357

Start time 2358 2358

End time 2359 2359

WS Session Timeout 0 0

Security Definition Add Operator None None

Approve Operator Left Right
Approve Left or Right part

Create Op List

Disable Operator

Enable Operator None None

Mod Operator

Rem Operator

5.5 MsgUpload
The MsgUpload operator profile can perform certain actions related to the Application Interface
entity:

Actions Permissions Specific permissions for MsgUpload

Create Message Own destination (Allowed/Prohibited) Allowed

MT (Allowed/Prohibited) Prohibited

CCY+[AMOUNT] (Allowed/Prohibited) Prohibited

Service $ identifier (Allowed/Prohibited) Prohibited

Dispose Message Bypass verify MT (Allowed/Prohibited) Allowed

Bypass verify CCY (Allowed/Prohibited) Allowed

Bypass auth. MT (Allowed/Prohibited) Allowed

Bypass auth. CCY (Allowed/Prohibited) Allowed

Bypass authorisation: service $ identifier (Allowed/Prohibited) Allowed

Move to Routing Point

Open/Print Partner Local Authentication Key:

First part (Yes/No) No

Second part (Yes/No) No

Session Authentication Key:

First part (Yes/No) No

Second part (Yes/No) No

Message Partner(s) e.g. Batchinput or Batch% (Allowed/Prohibited) Allowed

Start Session Message Partner(s) (Allowed/Prohibited) Allowed

5.6 Msg_All
Introduction
The Msg_All operator profile can perform certain actions related to the following entities:
• Mesg Approval on page 85
• Mesg Creation on page 86
• Mesg Modification on page 87

• Message File on page 89
• SWIFTNet Interface on page 90
Note To enable operators with the Msg_All profile to send MT messages from Message
Management, the security officer must also assign these operators the BIC_View
profile (see BIC_View on page 82).
Note Only operators with the Msg_All profile can manage locked templates.

Entities, actions, and permissions

Mesg Approval

Actions Permissions Specific permissions for Msg_All

Advanced Editing Not in use in Alliance Lite2 Not in use in Alliance Lite2

Approve Message Own destination (Allowed/Prohibited) Allowed

Can Verify (Yes/No) Yes

Can Authorise (Yes/No) Yes

Verify own entered mesg (Yes/No) Yes

Auth. own entered mesg (Yes/No) Yes

Auth. own verified mesg (Yes/No) Yes

Group authorise (Yes/No) Yes

CCY/Amount (Prohibited/Allowed) Prohibited

SWIFT FIN User MT (Prohibited/Allowed) Prohibited

SWIFT FIN System MT (Prohibited/Allowed) Prohibited

SWIFT APC System MT (Prohibited/Allowed) Prohibited

Service $ identifier (Prohibited/Allowed) Prohibited

trans App Limit (Allowed/Prohibited) Not in use in Alliance Lite2

Daily App Limit (Allowed/Prohibited) Not in use in Alliance Lite2

Final Approver (Yes/No)(1) Yes

Dispose Message Bypass Authorisation CCY/Amount (Allowed/Prohibited) Prohibited

Bypass Authorisation SWIFT FIN User MT (Allowed/Prohibited) Prohibited

Own Destination (Allowed/Prohibited) Allowed

Route Message Own Destination (Allowed/Prohibited) Allowed

(1) Decides whether a message to be sent to SWIFT requires dual or single approval.

Mesg Creation

Actions Permissions Specific permissions for Msg_All

Add/Mod/Rem Template Own destination (Allowed/Prohibited) Allowed

Advanced Editing Not in use in Alliance Lite2 Not in use in Alliance Lite2

Create Message List of Own-Destination (Allowed/Prohibited) Allowed

Can create broadcasting (Yes/No) No

CCY/Amount (Allowed/Prohibited) Prohibited

Swift FIN User MT (Allowed/Prohibited) Prohibited

Swift FIN System MT (Allowed/Prohibited) Prohibited

SWIFT APC System MT (Allowed/Prohibited) Prohibited

Multiple Retrieval Allowed for FIN System mesg. (Yes/No) No

Multiple Retrieval Allowed for APC System mesg. (Yes/No) No

FIN-Copy Allowed (Yes/No) Yes

Service $ identifier Prohibited

Dispose Message Bypass Verification CCY/Amount (Allowed/Prohibited) Prohibited

Bypass Authorisation CCY/Amount (Allowed/Prohibited) Prohibited

Bypass Verification SWIFT FIN User MT (Allowed/Prohibited) Prohibited

Bypass Authorisation SWIFT FIN User MT (Allowed/Prohibited) Prohibited

Bypass Authorisation SWIFT FIN System MT (Allowed/Prohibited) Prohibited

Bypass Authorisation SWIFT APC System MT (Allowed/Prohibited) Prohibited

Own Destination (Allowed/Prohibited) Allowed

Bypass Authorisation: service $ identifier (Allowed/Prohibited) Prohibited

Route Message Own Destination (Allowed/Prohibited) Allowed

Mesg Modification

Actions Permissions Specific permissions for Msg_All

Advanced Editing Not in use in Alliance Lite2 Not in use in Alliance Lite2

Complete Message Own Destination (Allowed/Prohibited) Allowed

Dispose Message Bypass Verification CCY/Amount (Allowed/Prohibited) Prohibited

Bypass Authorisation CCY/Amount (Allowed/Prohibited) Prohibited

Bypass Verification SWIFT FIN User MT (Allowed/Prohibited) Prohibited

Bypass Authorisation SWIFT FIN User MT (Allowed/Prohibited) Prohibited

Bypass Authorisation SWIFT FIN System MT (Allowed/Prohibited) Prohibited

Bypass Authorisation SWIFT APC System MT (Allowed/Prohibited) Prohibited

Own Destination (Allowed/Prohibited) Allowed

Bypass Authorisation: service $ identifier (Allowed/Prohibited) Prohibited

Modify Message Own destination (Allowed/Prohibited) Allowed

Mod. in Text_modifcation (Yes/No) Yes

Mod. in Emission_security (Yes/No) Yes

Mod. in Transmission_modif (Yes/No) Yes

Mod. in modif_after_reception (Yes/No) Yes

Mod. in Reception_security (Yes/No) Yes

CCY/Amount (Allowed/Prohibited) Prohibited

SWIFT FIN User MT (Allowed/Prohibited) Prohibited

SWIFT FIN System MT (Allowed/Prohibited) Prohibited

SWIFT APC System MT (Allowed/Prohibited) Prohibited

Multiple Retrieval Allowed for FIN System Mesg. (Yes/No) No

Multiple Retrieval Allowed for APC System Mesg. (Yes/No) No

FIN-Copy Allowed Yes

Service $ identifier (Allowed/Prohibited) Prohibited

Reporting Not in use in Alliance Lite2 Not in use in Alliance Lite2

Route Message Own Destination (Allowed/Prohibited) Allowed

Message File

| Actions | Permissions | Specific permissions for Msg_All |
|---|---|---|
| Complete Instance | Own Destination (Allowed/Prohibited) | Allowed |
| Export Messages | Not in use in Alliance Lite2 | Not in use in Alliance Lite2 |
| Search | Completely hide messages of other units (Yes/No) | No |
| | Own destination (Allowed/Prohibited) | Allowed |

Reporting

| Actions | Permissions | Specific permissions for Msg_All |
|---|---|---|
| View I/O Reports | Not in use in Alliance Lite2 | Not in use in Alliance Lite2 |
| View Oper Reports | Not in use in Alliance Lite2 | Not in use in Alliance Lite2 |


SWIFTNet Interface

| Actions | Permissions | Specific permissions for Msg_All |
|---|---|---|
| Open/Print RProf RT | | |
| RT File Get Request | Service(s) e.g. swift.fin (Allowed/Prohibited) | Prohibited |
| | Request type(s) e.g. pacs.001.001.01 (Allowed/Prohibited) | Prohibited |
| | Own Destination(s) (BIC8) e.g. BBBBCC22 | Allowed |

5.7 Msg_AllOthr
The Msg_AllOthr operator profile can perform the same actions as the profile Msg_All on page 84
except for the Mesg Approval entity, where the specific permission for “Auth. own entered mesg” is
set to “No”.

Note: To enable operators with the Msg_AllOthr profile to send MT messages from Message
Management, the security officer must also assign these operators the BIC_View
profile (see BIC_View on page 82).

5.8 Msg_Audit
Introduction
The Msg_Audit operator profile can perform only the Search action related to the Message File
entity.

Entities, actions, and permissions

Message File

| Actions | Permissions | Specific permissions for Msg_Audit |
|---|---|---|
| Search | Complete hide messages of other units (Yes/No) | No |
| | Own destination (Allowed/Prohibited) | Allowed |


5.9 Msg_Auth
Introduction
The Msg_Auth operator profile can perform certain actions related to the following entities:
• Mesg Approval on page 91
• Mesg Modification on page 92
• Message File on page 94

Entities, actions, and permissions

Mesg Approval

| Actions | Permissions | Specific permissions for Msg_Auth |
|---|---|---|
| Approve Message | Own destination (Allowed/Prohibited) | Allowed |
| | Can Verify (Yes/No) | Yes |
| | Can Authorise (Yes/No) | Yes |
| | Verify own entered mesg (Yes/No) | Yes |
| | Auth. own entered mesg (Yes/No) | Yes |
| | Auth. own verified mesg (Yes/No) | Yes |
| | Group authorise (Yes/No) | Yes |
| | CCY/Amount (Allowed/Prohibited) | Prohibited |
| | Swift FIN User MT (Allowed/Prohibited) | Prohibited |
| | Swift FIN System MT (Allowed/Prohibited) | Prohibited |
| | Swift APC System MT (Allowed/Prohibited) | Prohibited |
| | Service $ identifier (Allowed/Prohibited) | Prohibited |
| | Final Approver (Yes/No)(1) | No |
| Dispose Message | Bypass Authorisation CCY/Amount (Allowed/Prohibited) | Prohibited |
| | Bypass Authorisation SWIFT FIN User MT (Allowed/Prohibited) | Allowed for MT 999s |
| | Own destination (Allowed/Prohibited) | Allowed |
| Route Message | Own destination (Allowed/Prohibited) | Allowed |

(1) Decides whether a message to be sent to SWIFT requires dual or single approval.

Mesg Modification

| Actions | Permissions | Specific permissions for Msg_Auth |
|---|---|---|
| Complete Message | Own Destination (Allowed/Prohibited) | Allowed |
| Dispose Message | Bypass Verification CCY/Amount (Allowed/Prohibited) | Prohibited |
| | Bypass Authorisation CCY/Amount (Allowed/Prohibited) | Prohibited |
| | Bypass Verification SWIFT FIN User MT (Allowed/Prohibited) | Allowed for MT 999s |
| | Bypass Authorisation SWIFT FIN User MT (Allowed/Prohibited) | Allowed for MT 999s |
| | Bypass Authorisation SWIFT FIN System MT (Allowed/Prohibited) | Allowed |
| | Bypass Authorisation SWIFT APC System MT (Allowed/Prohibited) | Allowed |
| | Own Destination (Allowed/Prohibited) | Allowed |
| | Bypass Authorisation: service $ identifier (Allowed/Prohibited) | Prohibited |
| Modify Message | Own destination (Allowed/Prohibited) | Allowed |
| | Mod. in Text_modifcation (Yes/No) | Yes |
| | Mod. in Emission_security (Yes/No) | Yes |
| | Mod. in Transmission_modif (Yes/No) | Yes |
| | Mod. in modif_after_reception (Yes/No) | Yes |
| | Mod. in Reception_security (Yes/No) | Yes |
| | CCY/Amount (Allowed/Prohibited) | Prohibited |
| | SWIFT FIN User MT (Allowed/Prohibited) | Prohibited |
| | SWIFT FIN System MT (Allowed/Prohibited) | Prohibited |
| | SWIFT APC System MT (Allowed/Prohibited) | Prohibited |
| | Multiple Retrieval Allowed for FIN System Mesg. (Yes/No) | No |
| | Multiple Retrieval Allowed for APC System Mesg. (Yes/No) | No |
| | FIN-Copy Allowed | Yes |
| | Service $ identifier (Allowed/Prohibited) | Prohibited |
| Route Message | Own destination (Allowed/Prohibited) | Allowed |


Message File

| Actions | Permissions | Specific permissions for Msg_Auth |
|---|---|---|
| Complete Instance | Own destination (Allowed/Prohibited) | Allowed |
| Search | Complete hide messages of other units (Yes/No) | No |
| | Own destination (Allowed/Prohibited) | Allowed |

5.10 Msg_Oper
Introduction
The Msg_Oper operator profile can perform certain actions related to the following entities:
• Mesg Approval on page 94
• Mesg Creation on page 95
• Mesg Modification on page 97
• Message File on page 98
• SWIFTNet Interface on page 99

Note: To enable operators with the Msg_Oper profile to send MT messages from Message
Management, the security officer must also assign these operators the BIC_View
profile (see BIC_View on page 82).

Entities, actions, and permissions

Mesg Approval

| Actions | Permissions | Specific permissions for Msg_Oper |
|---|---|---|
| Approve Message | Own destination (Allowed/Prohibited) | Allowed |
| | Can Verify (Yes/No) | Yes |
| | Can Authorise (Yes/No) | No |
| | Verify own entered mesg (Yes/No) | No |
| | Auth. own entered mesg (Yes/No) | No |
| | Auth. own verified mesg (Yes/No) | No |
| | Group authorise (Yes/No) | No |
| | CCY/Amount (Allowed/Prohibited) | Prohibited |
| | Swift FIN User MT (Allowed/Prohibited) | Prohibited |
| | Swift FIN System MT (Allowed/Prohibited) | Prohibited |
| | Swift APC System MT (Allowed/Prohibited) | Prohibited |
| | Service $ identifier (Allowed/Prohibited) | Prohibited |
| | Final Approver (Yes/No)(1) | No |
| Dispose Message | Bypass Authorisation CCY/Amount (Allowed/Prohibited) | Prohibited |
| | Bypass Authorisation SWIFT FIN User MT (Allowed/Prohibited) | Allowed for MT 999s |
| | Own destination (Allowed/Prohibited) | Allowed |
| Route Message | Own destination (Allowed/Prohibited) | Allowed |

(1) Decides whether a message to be sent to SWIFT requires dual or single approval.

Mesg Creation

| Actions | Permissions | Specific permissions for Msg_Oper |
|---|---|---|
| Add/Mod/Rem Template | Own destination (Allowed/Prohibited) | Allowed |
| Create Message | List of Own-Destination (Allowed/Prohibited) | Allowed |
| | Can create broadcasting (Yes/No) | No |
| | CCY/Amount (Allowed/Prohibited) | Prohibited |
| | Swift FIN User MT (Allowed/Prohibited) | Prohibited |
| | Swift FIN System MT (Allowed/Prohibited) | Prohibited |
| | SWIFT APC System MT (Allowed/Prohibited) | Prohibited |
| | Multiple Retrieval Allowed for FIN System mesg. (Yes/No) | No |
| | Multiple Retrieval Allowed for APC System mesg. (Yes/No) | No |
| | FIN-Copy Allowed (Yes/No) | Yes |
| | Service $ identifier | Prohibited |
| Dispose Message | Bypass Verification CCY/Amount (Allowed/Prohibited) | Prohibited |
| | Bypass Authorisation CCY/Amount (Allowed/Prohibited) | Prohibited |
| | Bypass Verification SWIFT FIN User MT (Allowed/Prohibited) | Allowed for MT 999s |
| | Bypass Authorisation SWIFT FIN User MT (Allowed/Prohibited) | Allowed for MT 999s |
| | Bypass Authorisation SWIFT FIN System MT (Allowed/Prohibited) | Allowed |
| | Bypass Authorisation SWIFT APC System MT (Allowed/Prohibited) | Allowed |
| | Own Destination (Allowed/Prohibited) | Allowed |
| | Bypass Authorisation: service $ identifier (Allowed/Prohibited) | Allowed |
| Route Message | Own Destination (Allowed/Prohibited) | Allowed |

Mesg Modification

| Actions | Permissions | Specific permissions for Msg_Oper |
|---|---|---|
| Complete Message | Own Destination (Allowed/Prohibited) | Allowed |
| Dispose Message | Bypass Verification CCY/Amount (Allowed/Prohibited) | Prohibited |
| | Bypass Authorisation CCY/Amount (Allowed/Prohibited) | Prohibited |
| | Bypass Verification SWIFT FIN User MT (Allowed/Prohibited) | Allowed for MT 999s |
| | Bypass Authorisation SWIFT FIN User MT (Allowed/Prohibited) | Allowed for MT 999s |
| | Bypass Authorisation SWIFT FIN System MT (Allowed/Prohibited) | Allowed |
| | Bypass Authorisation SWIFT APC System MT (Allowed/Prohibited) | Allowed |
| | Own Destination (Allowed/Prohibited) | Allowed |
| | Bypass Authorisation: service $ identifier (Allowed/Prohibited) | Allowed |
| Modify Message | Own destination (Allowed/Prohibited) | Allowed |
| | Mod. in Text_modifcation (Yes/No) | Yes |
| | Mod. in Emission_security (Yes/No) | No |
| | Mod. in Transmission_modif (Yes/No) | Yes |
| | Mod. in modif_after_reception (Yes/No) | Yes |
| | Mod. in Reception_security (Yes/No) | No |
| | CCY/Amount (Allowed/Prohibited) | Prohibited |
| | SWIFT FIN User MT (Allowed/Prohibited) | Prohibited |
| | SWIFT FIN System MT (Allowed/Prohibited) | Prohibited |
| | SWIFT APC System MT (Allowed/Prohibited) | Allowed |
| | Multiple Retrieval Allowed for FIN System Mesg. (Yes/No) | No |
| | Multiple Retrieval Allowed for APC System Mesg. (Yes/No) | No |
| | FIN-Copy Allowed | Yes |
| | Service $ identifier (Allowed/Prohibited) | Prohibited |
| Route Message | Own destination (Allowed/Prohibited) | Allowed |

Message File

| Actions | Permissions | Specific permissions for Msg_Oper |
|---|---|---|
| Search | Complete hide messages of other units (Yes/No) | No |
| | Own destination (Allowed/Prohibited) | Allowed |


SWIFTNet Interface

| Actions | Permissions | Specific permissions for Msg_Oper |
|---|---|---|
| Open/Print RProf RT | | |
| RT File Get Request | Service(s) e.g. swift.fin (Allowed/Prohibited) | Prohibited |
| | Request type(s) e.g. pacs.001.001.01 (Allowed/Prohibited) | Prohibited |
| | Own Destination(s) (BIC8) e.g. BBBBCC22 | Allowed |

5.11 OPER_SignOn
The OPER_SignOn profile can perform the Signon action related to the Access Control and the
Monitoring entities.

Access Control

| Action | Permissions | Specific permissions for OPER_SignOn |
|---|---|---|
| Signon | Start time | 0000 |
| | End time | 2357 |
| | Start time | 2358 |
| | End time | 2359 |
| | WS Session Timeout | 0 |

Monitoring

| Action | Permissions | Specific permissions for OPER_SignOn |
|---|---|---|
| Abort File Transfer | None | None |

5.12 RMA_All
The RMA_All profile can perform all actions related to the Relationship Mgmt entity.

| Action | Permissions | Specific permissions for RMA_All |
|---|---|---|
| Accept Auth | Own Destination(s) (BIC8) e.g. BBBBCC22 or BBBBCC% (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| | Bypass Approval (Yes/No) | Yes |
| Answer Message | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| App Granularity Dest | | |
| Approve Auth | Own Destination(s) (BIC8) e.g. BBBBCC22 or BBBBCC% (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| | Approve own Actions (Yes/No) | Yes |
| | Approve Create (Yes/No) | Yes |
| | Approve Revoke (Yes/No) | Yes |
| | Approve Accept (Yes/No) | Yes |
| | Approve Reject (Yes/No) | Yes |
| | Approve Delete (Yes/No) | Yes |
| Clean up Auth | | |
| Creat Auth | Own Destination(s) (BIC8) e.g. BBBBCC22 or BBBBCC% (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| | Bypass Approval (Yes/No) | Yes |
| Def Granularity Dest | | |
| Def Signing BIC T&T | | |
| Delete Auth | Own Destination(s) (BIC8) e.g. BBBBCC22 or BBBBCC% (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| | Bypass Approval (Yes/No) | Yes |
| Delete Query/Answer | Own Destination(s) (BIC8) e.g. BBBBCC22 or BBBBCC% (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| Export Auth | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| | Store Schedule (Yes/No) | Yes |
| | Modify Operator Mode (Yes/No) | Yes |
| Export on Change | | |
| Import Auth | Own Destination(s) (BIC8) e.g. BBBBCC22 or BBBBCC% (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| | Store Schedule (Yes/No) | Yes |
| | Modify Operator Mode (Yes/No) | Yes |
| Mark Obsolete Auth | | |
| Modify Signing BIC T&T | Own Destination(s) (BIC8) e.g. BBBBCC22 or BBBBCC% (Allowed/Prohibited) | Allowed |
| Modify Auth | Own Destination(s) (BIC8) e.g. BBBBCC22 or BBBBCC% (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| | Bypass Approval (Yes/No) | Yes |
| Open/Print Auth Del | Own Destination(s) (BIC8) e.g. BBBBCC22 or BBBBCC% (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| Query Message | Own Destination(s) (BIC8) e.g. BBBBCC22 or BBBBCC% (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| Reject Auth | Own Destination(s) (BIC8) e.g. BBBBCC22 or BBBBCC% (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| | Bypass Approval (Yes/No) | Yes |
| Revoke Auth | Own Destination(s) (BIC8) e.g. BBBBCC22 or BBBBCC% (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| | Bypass Approval (Yes/No) | Yes |
| Treat Query/Answer | Own Destination(s) (BIC8) e.g. BBBBCC22 or BBBBCC% (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |

5.13 RMA_Auth
The RMA_Auth profile can perform certain actions related to the Relationship Mgmt entity.
The RMA_Auth profile cannot create or modify authorisations.

| Action | Permissions | Specific permissions for RMA_Auth |
|---|---|---|
| Accept Auth | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| | Bypass Approval (Yes/No) | No |
| Answer Message | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| App Granularity Dest | | |
| Approve Auth | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| | Approve own Actions (Yes/No) | No |
| | Approve Create (Yes/No) | Yes |
| | Approve Revoke (Yes/No) | Yes |
| | Approve Accept (Yes/No) | Yes |
| | Approve Reject (Yes/No) | Yes |
| | Approve Delete (Yes/No) | Yes |
| Clean up Auth | | |
| Def Granularity Dest | | |
| Def Signing BIC T&T | | |
| Delete Auth | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| | Bypass Approval (Yes/No) | No |
| Delete Query/Answer | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| Export Auth | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| | Store Schedule (Yes/No) | Yes |
| | Modify Operator Mode (Yes/No) | Yes |
| Export on Change | | |
| Import Auth | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| | Store Schedule (Yes/No) | Yes |
| | Modify Operator Mode (Yes/No) | Yes |
| Mark Obsolete Auth | | |
| Modify Signing BIC T&T | Own Destination(s) (Allowed/Prohibited) | Allowed |
| Open/Print Auth Del | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| Query Message | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| Reject Auth | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| | Bypass Approval (Yes/No) | No |
| Revoke Auth | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| | Bypass Approval (Yes/No) | No |
| Treat Query/Answer | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |

5.14 RMA_Oper
The RMA_Oper profile can perform certain actions related to the Relationship Mgmt entity.

| Action | Permissions | Specific permissions for RMA_Oper |
|---|---|---|
| Answer Message | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| Creat Auth | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| | Bypass Approval (Yes/No) | No |
| Modify Auth | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| | Bypass Approval (Yes/No) | No |
| Open/Print Auth Del | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| Query Message | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
| Treat Query/Answer | Own Destination(s) (Allowed/Prohibited) | Allowed |
| | Service(s) (Allowed/Prohibited) | Prohibited |
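
The following is an added example, not part of the SWIFT guide: a segregation-of-duties check that uses the default values listed in this chapter for Msg_Oper, Msg_Auth, RMA_Oper, RMA_Auth and RMA_All to flag operators whose combined profiles let one person both create and approve the same message or RMA authorisation. It assumes that an operator's profiles are cumulative (a flag granted by any assigned profile is granted); the `DEFAULTS` structure, the rule names and the sample operators are hypothetical.

```python
from typing import Dict, Iterable, List

# Flags transcribed from this chapter's default-profile tables (True = "Yes"
# or action present). Only flags that bear on four-eyes control are modelled.
DEFAULTS: Dict[str, Dict[str, bool]] = {
    "Msg_Oper": {"Create Message": True, "Can Verify": True,
                 "Can Authorise": False, "Verify own entered mesg": False,
                 "Auth. own entered mesg": False,
                 "Auth. own verified mesg": False},
    "Msg_Auth": {"Can Verify": True, "Can Authorise": True,
                 "Verify own entered mesg": True,
                 "Auth. own entered mesg": True,
                 "Auth. own verified mesg": True},
    "RMA_Oper": {"Creat Auth": True, "Creat Auth/Bypass Approval": False},
    "RMA_Auth": {"Approve Auth": True, "Approve own Actions": False},
    "RMA_All": {"Creat Auth": True, "Creat Auth/Bypass Approval": True,
                "Approve Auth": True, "Approve own Actions": True},
}

# Hypothetical rule names; a rule fires when every listed flag is effective.
RULES = [
    ("message-solo-release",
     ("Create Message", "Can Authorise", "Auth. own entered mesg")),
    ("verify-and-authorise-same-message",
     ("Can Verify", "Can Authorise", "Auth. own verified mesg")),
    ("rma-create-bypasses-approval",
     ("Creat Auth", "Creat Auth/Bypass Approval")),
    ("rma-self-approval",
     ("Creat Auth", "Approve Auth", "Approve own Actions")),
]


def effective(profiles: Iterable[str]) -> Dict[str, bool]:
    """Merge profiles; assumption: a flag granted by any profile is granted."""
    merged: Dict[str, bool] = {}
    for name in profiles:
        if name not in DEFAULTS:
            raise ValueError(f"profile not modelled: {name}")
        for flag, value in DEFAULTS[name].items():
            merged[flag] = merged.get(flag, False) or value
    return merged


def findings(profiles: Iterable[str]) -> List[str]:
    """Return the rules that the combined profiles satisfy, in RULES order."""
    perms = effective(profiles)
    return [rule for rule, needed in RULES
            if all(perms.get(flag, False) for flag in needed)]


def audit(assignments: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each operator with at least one finding to its findings."""
    report = {}
    for operator, profiles in assignments.items():
        hits = findings(profiles)
        if hits:
            report[operator] = hits
    return report


# Constructed operator-to-profile assignments, for illustration only.
SAMPLE = {"op_a": ["Msg_Oper"], "op_b": ["Msg_Oper", "Msg_Auth"],
          "op_c": ["RMA_Oper", "RMA_Auth"], "op_d": ["RMA_All"]}

if __name__ == "__main__":
    for operator, hits in audit(SAMPLE).items():
        print(operator, hits)
```

With the defaults above, pairing RMA_Oper with RMA_Auth on one operator raises no finding because RMA_Auth cannot approve its own actions, whereas pairing Msg_Oper with Msg_Auth does.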


6 Relationship Management
RMA (Relationship Management Application) enables an institution to control the traffic that it
accepts from other institutions. An RMA relationship is a set of authorisations exchanged between
your BIC and your counterparty's BIC that defines who can send traffic to whom and when. The
use of the Relationship Management Application mechanism is mandatory for the FIN service.
As an administrator, you can add, view, and delete data related to RMA relations.
When you add an RMA relationship in Alliance Lite2, you are sending a special message over the
SWIFT network to your counterparty. This message is called an RMA authorisation. This message
grants your correspondent the permission to send you SWIFT messages. Your counterparty can
also send you an RMA message to grant you permission to send messages. Alliance Lite2 users
can request that you, as an administrator, add a new authorisation to the system.
For more information, see the Alliance Lite2 Administration Guide - RMA.


Legal Notices
Copyright
SWIFT © 2017. All rights reserved.

Restricted Distribution
Do not distribute this publication outside your organisation unless your subscription or order
expressly grants you that right, in which case ensure you comply with any other applicable
conditions.

Disclaimer
The information in this publication may change from time to time. You must always refer to the
latest available version.

Translations
The English version of SWIFT documentation is the only official and binding version.

Trademarks
SWIFT is the trade name of S.W.I.F.T. SCRL. The following are registered trademarks of SWIFT:
the SWIFT logo, SWIFT, SWIFTNet, Accord, Sibos, 3SKey, Innotribe, the Standards Forum logo,
MyStandards, and SWIFT Institute. Other product, service, or company names in this publication
are trade names, trademarks, or registered trademarks of their respective owners.
