Temenos T24 Security Overview: User Guide


TEMENOS T24

Security Overview

User Guide

No part of this document may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of TEMENOS Holdings NV.

Copyright 2005 TEMENOS Holdings NV. All rights reserved.


Security Overview

Table of Contents
Introduction.............................................................................................................................................. 5
Purpose................................................................................................................................................ 5
References ....................................................................................................................................... 5
Summary ................................................................................................................................................. 6
High-Level Design Overview ................................................................................................................... 7
Component Schematic......................................................................................................................... 7
Component Descriptions .................................................................................................................. 8
ARC-IB Tomcat Web Server ........................................................................................................ 8
Temenos Browser Web Server .................................................................................................... 8
T24 Server .................................................................................................................................... 8
Authentication Server ................................................................................................................... 8
Identity Stores............................................................................................................................... 8
Authentication Process ........................................................................................................................ 8
T24 Authentication Sub-process (Mandatory) ................................................................................. 8
Impersonate Sub-process (Optional) ............................................................................................... 9
T24 Server............................................................................................................................................. 10
T24 Identities ..................................................................................................................................... 10
Base Identity Provisioning ................................................................................................................. 10
Identity Authentication........................................................................................................................ 10
Cryptography ..................................................................................................................................... 10
Authorisation ...................................................................................................................................... 10
Access Channels and Audit............................................................................................................... 11
T24 Browser Servlet .............................................................................................................................. 11
Overview ............................................................................................................................................ 11
Connection to the T24 Server............................................................................................................ 11
Authentication .................................................................................................................................... 11
Standard T24 Authentication.......................................................................................................... 11
Login Session Ticket Management ............................................................................................ 12
PKI Certificate-Based Authentication (X.509) ................................................................................ 12
Basic Authentication (HTTP 1.0).................................................................................................... 12
Single Sign-On (SSO) .................................................................................................................... 12
Web Security...................................................................................................................................... 12
Cross site scripting ......................................................................................................................... 13
SQL injection .................................................................................................................................. 13
Denial of Service ............................................................................................................................ 13

TEMENOS T24 User Guide


Page 2 of 22
Security Overview

Directory Traversal ......................................................................................................................... 13


Command Injection ........................................................................................................................ 13
Client side validation ...................................................................................................................... 13
Replay attack.................................................................................................................................. 13
Elevation of rights........................................................................................................................... 13
Coffee shop scenario ..................................................................................................................... 13
T24 ARC Internet Banking .................................................................................................................... 14
Overview ............................................................................................................................................ 14
Authentication .................................................................................................................................... 14
Java Authentication and Authorization Service (JAAS) ................................................................. 15
ActivIdentity 4TRESS ..................................................................................................................... 15
RSA Authentication Manager......................................................................................................... 15
Cryptography ..................................................................................................................................... 15
Web Security...................................................................................................................................... 15
Obfuscation of JavaScript code ..................................................................................................... 15
Strip comments / log messages from the client side code............................................................. 15
Reduce attack surface.................................................................................................................... 16
Generic 404 page........................................................................................................................... 16
Generic error messages................................................................................................................. 16
ToolBox ................................................................................................................................................. 17
Overview ............................................................................................................................................ 17
Authentication .................................................................................................................................... 17
Temenos Open Connectivity Framework (TOCF)................................................................................. 18
Overview ............................................................................................................................................ 18
Temenos Connector .......................................................................................................................... 18
Temenos Connector Client (TCC).................................................................................................. 18
Temenos Connector Server (TCS) ................................................................................................ 18
LDAP .............................................................................................................................................. 18
X.509 Certificates ........................................................................................................................... 18
SSL................................................................................................................................................. 19
IBM Websphere MQ SSL ............................................................................................................... 19
Cryptography.................................................................................................................................. 19
Temenos Application Gateway (TAG) ............................................................................................... 19
TAG Internal Services .................................................................................................................... 20
The Impersonate Service ........................................................................................................... 20
TAG Agents.................................................................................................................................... 20


Glossary of Terms ................................................................................................................................. 20


Introduction
Temenos T24 is a banking system deployed on an internal corporate network. The main access to
the T24 system for end-users is via a web browser GUI, which provides access to the T24 banking
operations business services. In a system-to-system scenario, commands to execute T24 business
services can be submitted in the form of W3C compliant XML messages.
Both of these channels support a general access principle, provisioning access to T24. Hence, both
of these channels are subject to the various security policies required of a banking system.
T24 also has an internet banking interface called ARC Internet Banking which provides secure internet
facing web access to T24.

Purpose
This document describes the security aspects of the T24 system and the surrounding components.
The main security aspects of each component are described and other more comprehensive
documents are referenced in order to offer better context to them.

References

Security Management System User Guide: The Security Management System (SMS) controls who is allowed to use T24, when they are allowed to use it and to what parts of the System they can have access. It will detect, stop and record any attempt at unauthorized use of the System. SMS can also, if required, record all activities performed by selected Users.

Open Financial Service User Guide: The Open Financial Service module (OFS) provides an interface to allow the update and interrogation of T24 applications. The user guide for OFS describes the architecture of the OFS module and how to construct messages to send to T24 via OFS.

Temenos Browser Security Guide: The Browser security guide describes the different security configurations available in Temenos Browser and Temenos ARC Internet Banking.

Temenos Connector Security Service Overview: A detailed description of the security aspects of the Temenos Connector and how to set them up.

ARC Internet Banking Authentication White Paper: A detailed description of the architecture of ARC-IB authentication.

Temenos Application Gateway (.NET) User Guide: The user guide for the TAG .NET component.

TIB Product Overview: An overview of the architecture and functionality of Temenos Internet Banking.


Summary
T24 supports a wide range of authentication mechanisms to suit the needs of different customers. As
well as its own username/password-based authentication, T24 supports many industry-standard
methods of authentication. The main ones are Basic Authentication, impersonation via an LDAP
directory, and, with the ARC-IB offering, authentication using RSA Authentication Manager (SecurID)
or ActivIdentity 4TRESS.
T24 also supports access to its web interface via corporate single-sign-on mechanisms. It also allows
impersonation via Microsoft Active Directory (AD) or Active Directory Application Mode (ADAM) when
using the TAG.net to connect to T24.
All components of the T24 system can be configured to connect with each other using secure
connections (usually SSL or mutual SSL).

Columns: T24 Internal Login | Basic Authentication (http 1.0) | LDAP | Active Directory / ADAM | X.509 / SSL | RSA Authentication Manager | ActivIdentity 4TRESS

T24 Toolbox    ✓
T24 Browser    ✓ ✓ ✓ ✓
T24 ARC-IB     ✓ ✓ ✓ ✓ ✓ ✓
TCS            ✓ ✓ ✓
TCC            ✓ ✓ ✓
TAG.net        ✓ ✓ ✓ ✓
TAG.JEE        ✓ ✓ ✓
Table 1 - The authentication and connection mechanisms supported by T24 products


High-Level Design Overview


Component Schematic
The diagram below shows the high-level static components for the technical security solution
employed by T24, including the ARC-IB sub-system and other key security-related components.
These components collaborate to provide a secured deployment for the T24 access channels,
controllable via configuration.
[Figure 1 (component schematic; image not reproduced). Labelled components: External Internet User -> ARC-IB Tomcat Web Server (ARC Login JAAS Module, Authentication Filter, Connectivity Module, ARC-IB Servlet, TCC), which authenticates the username / password / 4TRESS or SecurID token against an Authentication Server (e.g. RSA, 4TRESS); Internal User -> Temenos Browser Web Server (Basic Http Login Module, Basic Auth Filter, SSO Filter, Browser Filter, Browser Servlet, TCC), supplying a username/password, X.509 certificate or SSO Principal; both web servers connect through the Internal Firewall to the T24 Server (TCS, OFS); "Retrieve User DN" from the Corporate Identity Store and "Retrieve T24 user / password" from the T24 Identity Store.]
Figure 1 - The T24 high-level Component Schematic


Component Descriptions

ARC-IB Tomcat Web Server

The Tomcat web server for ARC-IB contains a login module and authentication filter, which handle
authentication against an external authentication server; the ARC-IB servlet, which handles the
communication to the T24 server; and the TCC, which handles the transport of communications to
the T24 server.

Temenos Browser Web Server

This is the web server used for internal bank access to the T24 server. It contains filters and login
modules to enable basic authentication and single-sign-on. It also contains the Browser Servlet which
deals with communication to the T24 server, and the TCC which deals with the transport of
communications to the T24 server.

T24 Server

This contains the main T24 database and application. It also contains the OFS module to interpret
messages from clients and the TCS to retrieve the messages from clients.

Authentication Server

This is currently only used in ARC-IB. It is a third-party authentication server that allows users to
authenticate themselves using many different kinds of hardware tokens.

Identity Stores

The corporate or T24 identity stores can currently be LDAP directories or, if using TAG.net,
Active Directory (AD) or ADAM directories. These can be used to map from a corporate identity to a
T24 identity in order to log into the T24 system without the user having to know their T24 credentials.

Authentication Process
A common high-level process is employed to authenticate end-user and system-to-system messages.
This process is divided into a mandatory sub-process and an optional sub-process. The optional part
is enabled by a controlled configuration variable that permits the use of external authentication services.
In all cases, the order of execution of the authentication sub-processes is to first execute the optional
sub-process and thereafter the mandatory sub-process. This order constitutes a fixed “pipeline” which
helps to assure the validity of the authentication process itself.

T24 Authentication Sub-process (Mandatory)


The mandatory sub-process consists of T24 identity authentication, known as the T24 sign-on
process. This is applicable to all received messages across all channels and is performed internal to
T24, server-side.


• The provided T24 identity is checked for validity against the associated T24 identity’s “user”
profile.
• If the profile is valid, the associated T24 identity’s password is validated.
• At any step in the sub-process, access is granted or denied depending on the status of the
sign-on checks.
For end-user authentication, there is an alternative flow for messages received where the user has
previously signed-on. Once end-users are signed-on, their logon session information is retained in the
T24 database and hence may be recovered based only on a security ticket derived from the original
logon. The validation of the security ticket, which must be supplied on each end-user request,
replaces the T24 identity check and password validation. In the mandatory sub-process, the security
tickets are issued by T24 itself.

Impersonate Sub-process (Optional)


The optional sub-process, where selected, provides the mechanism whereby an external
authentication provider may be utilised to authenticate requests to T24. This is known as the T24
impersonate process, as it can provision for the mapping (association) of an arbitrary external identity
with a T24 identity. The impersonate sub-process is authentication focussed and hence does not
directly include the identity provisioning process itself, which can vary by selected authentication
provider.
The detailed flow of exactly how the impersonate process operates varies partly by access channel
(end-user vs. system-to-system) and partly by the selected authentication provider. However, at a
higher level, the sub-process is common to all access channels and authentication providers. Note that the
detailed implementation of this sub-process can vary by authentication provider, but in general should
adhere to the prescribed technology standards.
• An external identity is provided to T24.
• If the provided external identity has not yet been authenticated and the provider supports it, a
request to authenticate the provided external identity is sent to the authentication provider and
the authenticated credentials are returned to T24.
• If the provided external identity is already authenticated, T24 accepts the supplied credentials.
• Option A: where the identity mapping is retained fully outside of T24, the T24 identity and
password are recovered by the external authentication provider and returned to T24.
• Option B: where the identity mapping is retained by T24, the authenticated credentials are
used to recover the associated T24 identity and password from the T24 identity store.
• The external identity is “switched” for the associated T24 identity and the request is
propagated to T24 for processing.
• At any step in the sub-process, access is granted or denied depending on the status of the
authentication or impersonate checks.
The optional sub-process always executes as a collaboration between T24 components and
components of external authentication server(s) and/or identity stores.


T24 Server
T24 Identities
T24 identities, known as T24 “users”, are provisioned by T24 and are used both in base authentication
and on the T24 audit trail. These identities are internal to T24 and are always present, in part due to
the strict enforcement of de facto banking security standards and in part due to the required link to the
audit trail of activity required by banking compliance.
Authentication of T24 identities is always present.
However, as presented in the previous section, the T24 authentication sub-process for “users” can be
effectively reduced to user credential verification by substituting an alternative authentication
provider. The critical measure of identity for T24 is that an assured source of identity is employed
– exactly which source depends on secured configuration and limited customisation.

Base Identity Provisioning


T24 identities (hereafter termed “users” or “user”) may be created, amended, enabled and disabled
only by administration users who have been authorised appropriately in the T24 SMS authorisation
sub-system (see section 4.4).
Once a new user has been created and authorized, the password must be set on first sign-on. For
user identities intended for use in system-to-system messaging, this should be performed by the
administrator and thereafter may be subject to control by the system-to-system interfacing
components. However, it is recommended that the administrator initially performs this task for end-
users also, in order to provide a default password that then must be changed.

Identity Authentication
There are three primary classes of user available in T24. These are normal T24 end-users (from the
USER table), general external users (from the EB.EXTERNAL.USER table, covering all external
users) and the legacy internet banking users (from the IB.USER table, planned for deprecation from
the release of T24 R08).
All three sets of users log in through the same routine – VALIDATE.SIGNON. This routine validates
the user against the relevant table, then hashes the password and compares the hash against the one
stored in the T24 database. If both of these match, then access is granted.
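The fixed pipeline described under Authentication Process (optional impersonate sub-process, then the mandatory sign-on performed by VALIDATE.SIGNON) modelled in Python. This is an added example, not Temenos code: a dict stands in for the T24 identity store (Option B), a salted SHA-256 stands in for the unpublished Temenos password hash, and the user names, DNs and passwords are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


def hash_password(password: str, salt: str) -> str:
    # Stand-in one-way hash; the real T24 algorithm is not published.
    return hashlib.sha256((salt + password).encode()).hexdigest()


@dataclass
class UserProfile:
    salt: str
    password_hash: str
    enabled: bool = True


# Constructed T24 "user" profiles (the USER table in the text)
T24_USERS = {
    "OPS001": UserProfile("s1", hash_password("Tr4nsfer!", "s1")),
    "OPS002": UserProfile("s2", hash_password("Old#Pwd", "s2"), enabled=False),
}

# Constructed T24 identity store (Option B): corporate DN -> T24 credentials
T24_IDENTITY_STORE = {
    "cn=alice,ou=staff,dc=bank,dc=example": ("OPS001", "Tr4nsfer!"),
    "cn=carol,ou=staff,dc=bank,dc=example": ("OPS002", "Old#Pwd"),
}


def t24_signon(user_id: str, password: str) -> Tuple[bool, str]:
    """Mandatory sub-process: profile validity check, then password hash comparison."""
    profile = T24_USERS.get(user_id)
    if profile is None or not profile.enabled:
        return False, "invalid user profile"
    candidate = hash_password(password, profile.salt)
    if not hmac.compare_digest(candidate, profile.password_hash):
        return False, "password validation failed"
    return True, "signed on"


def impersonate(external_dn: str, authenticated: bool) -> Optional[Tuple[str, str]]:
    """Optional sub-process (Option B): swap an authenticated external identity for its T24 identity."""
    if not authenticated:
        return None  # provider did not authenticate the external identity
    return T24_IDENTITY_STORE.get(external_dn)  # None when no mapping exists


def authenticate(request: dict) -> Tuple[bool, str]:
    """Run the pipeline: optional impersonate first, mandatory T24 sign-on always."""
    if "external_dn" in request:
        creds = impersonate(request["external_dn"], request.get("authenticated", False))
        if creds is None:
            return False, "impersonate check failed"
        user_id, password = creds
    else:
        user_id, password = request["user"], request["password"]
    # The mandatory sub-process runs even after a successful impersonation,
    # so a disabled T24 profile is still rejected.
    return t24_signon(user_id, password)
```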

Cryptography
Passwords in the T24 server are hashed by an internal Temenos algorithm. Note that this is a one-
way hash, and there is no key available to decrypt it.
For security reasons the algorithm is not published.

Authorisation
Access authorisation to T24 business services (applications) and data is controlled by the T24
Security Management System (SMS) module in T24. This provides extensive multi-level
authorisation based on groups. Based on configuration, one or more of these SMS groups are
attached to a T24 user profile to enforce one or more access authorisation roles for that user.
Groups may be defined at the legal entity, organisation unit, channel or individual level.


Details of how to configure SMS can be found in the Security Management System User Guide.

Access Channels and Audit


The use of T24 users and SMS groups is equally applicable to end-users and system-to-system
interfacing, regardless of the business channel used to access T24. This enforces a consistent
access control base for T24.
In addition, the T24 user is used on all audit records and audit fields within T24. This facilitates a
comprehensive audit capability; via cross referencing it is possible to “see” all activity performed by
any given T24 user, regardless of access channel. The T24 impersonate process permits this strong
audit capability to be retained even when an arbitrary third-party authentication server is employed.

T24 Browser Servlet


Overview
The Temenos Browser Servlet is a web application that allows access to T24 via a web browser
(HTML) based GUI. It provides access to any permitted T24 business service and is intended for use
by banking operations staff. It is not intended for delivery over the public Internet.

Connection to the T24 Server


The Temenos Browser Servlet connects to the T24 server via the Temenos Open Connectivity
Framework (the TOCF – commonly known as the Temenos Connector or Temenos Application
Gateway).
The TOCF components offer the facility of selecting a number of supported network transports via
configuration. For security, this can and should be configured to use a minimum of an SSL connection
such that the network transport employed between the T24 Browser Servlet and the T24 Server is
encrypted.

Authentication
Standard T24 Authentication
The standard authentication mechanism with Browser is based on the T24 server authentication
mechanism.
The Temenos Browser Servlet constructs a login page that requests the username and password from
the user. The Browser Servlet then constructs an XML login message and submits it via the
Temenos Connector and OFS to T24.
If the T24 login is successful, XML is returned to the browser client, which allows the web browser to
display the T24 home page.


Login Session Ticket Management

The initial response from T24 after a login contains a token generated by T24. This token must be
returned to T24 in the subsequent request. If the token is missing from the request or if it is the wrong
value, then T24 will reject the command and the user will get a security violation error message.
In addition, if T24 gets a second request with the same token, it will reject the command giving an
error stating that it is possibly a duplicate transaction.
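The token lifecycle described above, modelled server-side in Python as an added example (not Temenos code). It assumes the three outcomes the text states: a missing or wrong token is a security violation, a second request with an already-accepted token is a possible duplicate transaction, and a valid token is consumed and replaced by a fresh one in the response. The status strings and the request sequence are constructed.

```python
import hmac
import secrets


class LoginSessionTicket:
    """Server-side view of one signed-on session's ticket."""

    SECURITY_VIOLATION = "SECURITY VIOLATION"
    DUPLICATE = "POSSIBLY A DUPLICATE TRANSACTION"
    OK = "OK"

    def __init__(self):
        self.current = None      # token the next request must carry
        self.consumed = set()    # tokens already accepted once in this session

    def sign_on(self) -> str:
        """Issue the initial token returned in the login response."""
        self.current = secrets.token_hex(16)
        return self.current

    def process_request(self, token):
        """Validate the token sent with a request.

        Returns (status, next_token): next_token is the fresh token carried in
        the response on success, or None when the command is rejected.
        """
        if token is None:
            return self.SECURITY_VIOLATION, None          # token missing
        if token in self.consumed:
            return self.DUPLICATE, None                   # same token seen twice
        if self.current is None or not hmac.compare_digest(token, self.current):
            return self.SECURITY_VIOLATION, None          # wrong value
        self.consumed.add(token)                          # consume the current token
        self.current = secrets.token_hex(16)              # rotate for the next request
        return self.OK, self.current


def simulate_session():
    """Constructed request sequence; returns the status T24 would give each request."""
    session = LoginSessionTicket()
    t1 = session.sign_on()
    statuses = []
    status, t2 = session.process_request(t1)                    # valid: consumed, new token issued
    statuses.append(status)
    statuses.append(session.process_request(t1)[0])             # replay of t1: duplicate
    statuses.append(session.process_request("deadbeef")[0])     # wrong token: violation
    statuses.append(session.process_request(None)[0])           # missing token: violation
    statuses.append(session.process_request(t2)[0])             # current token: accepted
    return statuses
```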

PKI Certificate-Based Authentication (X.509)


X.509 certificate-based authentication defers authentication to the Temenos Connector. The
Temenos Browser Servlet receives an X.509 certificate in the HTTP session. It passes it to the
Temenos Connector Client (TCC), which uses the certificate to look up the user’s corporate id in a
corporate LDAP directory. The TCC then passes the corporate distinguished name (DN) to the
Temenos Connector Server (TCS). The TCS then looks up the DN in a T24 LDAP directory and
retrieves the user’s T24 username and password from the directory. These credentials are then used
to log in to T24. This process is known as impersonation, as the user details passed in are not the
details used to eventually give the user access to T24.
Further details of this process and how to set it up can be found in the Temenos Connector Security
Service Overview.

Basic Authentication (HTTP 1.0)


HTTP Basic Authentication requires the web server to return a 401 error to the client if the client has
tried to access a protected resource. If the client is a web browser, it will prompt the user for a
username and password on receiving the 401 error. The username and password are encoded using
Base64 encoding and passed back to the web server in the header of the request.
The Temenos Browser application must be configured to use the JAAS Realm in Tomcat. This
causes the server to call the Basic Authentication login module for web tier authentication. The login
module authenticates by default and defers the actual authentication to the T24 server.
More details on Basic Authentication can be found in the Browser Security User guide.

Single Sign-On (SSO)


This process is a web server based authentication mechanism. It enables users who are already
logged into a corporate single sign-on system to move seamlessly into their T24 account. In this
process, the T24 username and password must be stored in the corporate single sign-on system.
The process relies on the creation of an SSOPrincipal object, which gets passed to the Temenos
Browser Servlet in the HTTP session. The SSOPrincipal must contain the T24 username and
password of the user attempting to log in. If the SSOPrincipal is present, an SSOFilter web filter
intercepts the call to the Browser Servlet and causes it to bypass the normal login page. The
username and password from the SSOPrincipal are instead submitted to log into T24.
More details on SSO authentication can be found in the Browser Security User guide.

Web Security
There are several potential web security threats that are addressed within the Temenos Browser
Servlet. These are listed here for information.


Cross site scripting


Data entered into input fields is encoded by the BrowserFilter in order to prevent scripting characters
from being returned to the client.

SQL injection
This is unlikely, as the internal representation of data access/update in T24 is based on JQL, not SQL.
The BrowserFilter mentioned under Cross site scripting above can be amended to prevent JQL keywords
from being entered into form fields.

Denial of Service
The Temenos Browser Servlet is an internal web application, which should not be accessible from
outside a corporate network; therefore DoS attacks are highly unlikely. In any case, if the system does
come under attack, the web server hosting the Temenos Browser can be brought down to protect the
T24 server.

Directory Traversal
A filter can be enabled to prevent “..” expressions from being used to move up a directory structure.
In addition, the BrowserFilter can be configured to block requests containing “..”.
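The two BrowserFilter behaviours described under Cross site scripting and Directory Traversal, modelled in Python as an added example (not Temenos code): submitted field values are HTML-encoded before they can be echoed back, and any request whose path or field values contain “..” is blocked. The request shape, the ACCEPT/REJECT results and the sample paths are constructed; percent-decoding before the “..” check is an assumption added here so that an encoded form of the expression is caught as well.

```python
import html
from urllib.parse import unquote

TRAVERSAL = ".."


def encode_fields(fields: dict) -> dict:
    """Encode every submitted value so <, >, &, and quotes come back as entities."""
    return {name: html.escape(value, quote=True) for name, value in fields.items()}


def contains_traversal(request: dict) -> bool:
    """Check the decoded path and every decoded field value for a '..' expression."""
    candidates = [unquote(request["path"])]
    candidates += [unquote(value) for value in request["fields"].values()]
    return any(TRAVERSAL in candidate for candidate in candidates)


def browser_filter(request: dict):
    """Return ('REJECT', reason) or ('ACCEPT', encoded_fields) for a constructed request.

    request = {"path": str, "fields": {field_name: raw_value}}
    """
    if contains_traversal(request):
        return "REJECT", "directory traversal"
    return "ACCEPT", encode_fields(request["fields"])


# Constructed sample requests against a hypothetical servlet path
SAMPLE_REQUESTS = [
    {"path": "/BrowserWeb/servlet/BrowserServlet",
     "fields": {"customer": "<script>alert(1)</script>"}},
    {"path": "/BrowserWeb/../WEB-INF/web.xml", "fields": {}},
    {"path": "/BrowserWeb/servlet/BrowserServlet",
     "fields": {"file": "%2e%2e/secret"}},
]


def run_samples():
    """Apply the filter to each sample; returns the list of outcomes."""
    return [browser_filter(req) for req in SAMPLE_REQUESTS]
```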

Command Injection
The Temenos Browser Servlet is intended to be used with commands input through form fields.
These are application specific commands. It is not possible to execute operating system level
commands through T24 form fields.

Client side validation


There is no reliance on client side validation; all validation takes place in the web server and/or T24
server.

Replay attack
The Browser ‘token’ described under Login Session Ticket Management above protects against replay attacks.

Elevation of rights
The rights or permissions of a user are controlled by the SMS system (see Authorisation above). It is not
possible for users to execute commands that are not enabled in their user profile.

Coffee shop scenario


This scenario is when one user logs out, another comes in and hits ‘back’. This is not possible
through Temenos Browser, as the HTTP session is invalidated when the user logs out.


T24 ARC Internet Banking


Overview
ARC Internet Banking (ARC-IB) is a web application that is intended to be used as an internet banking
product for bank customers. It is based on Temenos Browser, but has had several updates in order to
make it suitable for internet accessibility. At present it is only available on the Tomcat web server
version 5.5 or later.

Authentication
The authentication mechanism of ARC-IB is described in detail in the ARC-IB Authentication White
Paper.

[Figure (ARC-IB authentication architecture; image not reproduced). Key: 3rd party / ARC-IB / Core T24. Labelled components: Users via Internet with a Web Browser -> Tomcat (Browser Authentication Filter, Servlet, JAAS adapter, Arc Login Modules, Java Crypto Component, HSM via PKCS#11) -> TCC over SSL <transport> -> TCS, OFS Adapter, OFS, T24; Arc 4TRESS Management Component in a Java EE App Client Container (4TRESS EJB stubs, Java Crypto Component, HSM via PKCS#11) communicating with the 4TRESS Authentication Listener / Session over secure RMI/IIOP (SSL); Internal Browser to the 4TRESS Admin GUI.]


Java Authentication and Authorization Service (JAAS)


The authentication mechanism implemented for ARC-IB uses the standard JAAS framework. The
integration of the JAAS framework with the web server is currently only available with Tomcat v5.5, but
is an approved standard and will be available in most mainstream web servers.
See http://java.sun.com/products/jaas/index.jsp for further information.

ActivIdentity 4TRESS
The 4TRESS authentication server is one of the leading authentication products on the market. It
supports several forms of authentication, from simple passwords (including seeded passwords), to
sequence and time-based one-time passwords from token devices to smartcard based tokens.
4TRESS also supports tokens from other vendors such as Vasco (with VASCO APIs) or any OATH-
compliant tokens. In the near future, 4TRESS will support mobile-phone based software tokens.
The ARC-IB system uses the 4TRESS authentication server as the default authentication mechanism.
The 4TRESS database holds the user’s T24 user details in encrypted form as a layer of indirection, so an
attacker who obtains 4TRESS login details cannot use them to log in to T24 directly.
For more details of how 4TRESS can be integrated into ARC-IB, see the ARC-IB Authentication White
Paper.

RSA Authentication Manager
RSA Authentication Manager uses a one-time password (OTP) and PIN mechanism for two-factor
authentication. ARC-IB can use the Java interface to Authentication Manager in order to perform
authentication.

Cryptography
Any sensitive data stored on the system is encrypted using 256-bit AES keys. All keys can be stored
in Hardware Security Modules (HSMs). One HSM must be available to the web server and one to the T24
server; these can be the same device if a network HSM is used. 4TRESS also uses an HSM to encrypt its data.

Web Security
This section describes any further enhancements to security on top of those implemented for
Temenos Browser.

Obfuscation of JavaScript code
ARC-IB contains JavaScript code inherited from Temenos Browser. To make this code harder to analyse and
exploit, it is obfuscated using “rhino”. ‘Internal obfuscation’ is used to encode the T24 commands that are
present on the client side. As with the removal of comments described below, obfuscation raises the effort
required for an attack but does not prevent one.

Strip comments / log messages from the client side code
All comments and log messages have been removed from the client side code (JavaScript and HTML).
This means a potential attacker gets no help from reading the client side code. It does not prevent an
attack, but it makes one more difficult.


Reduce attack surface


Any servlets that are in Temenos Browser but are not required by ARC Internet Banking have not
been included in the ARC-IB web application.

Generic 404 page
A generic 404 page is returned when a requested page is not found, rather than the web server’s default
error page, so that the response reveals nothing about the underlying platform or the application’s layout.

Generic error messages


If specific error messages are provided to a user, these can be used to discover the underlying actions
of the application. Generic error messages mean that a potential attacker does not get any information
about why a particular command failed. Once a user is logged in, the application level messages
provided can be more specific as the user is trusted. However at login it is especially important not to
reveal too much information as to why the login failed.
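The contrast between specific and generic login failures, as an added Python example (not ARC-IB code). The user table, the PBKDF2 password hashing, the message texts and the logger name are assumptions; the constant-time comparison against a dummy record for unknown users is an extra measure the page does not mention, included because the response time of a login can leak the same information as its message text.

```python
import hashlib
import hmac
import logging
import os
from typing import Dict, Tuple

log = logging.getLogger("arcib.login")   # assumed logger name

UserStore = Dict[str, Tuple[bytes, bytes]]   # user -> (salt, PBKDF2 digest)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_store(users: Dict[str, str]) -> UserStore:
    """Build a salted-hash user table from plaintext pairs (constructed data)."""
    store: UserStore = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _digest(password, salt))
    return store


# Dummy record checked for unknown users, so the work done (and time taken)
# is the same whether or not the username exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = _digest(os.urandom(16).hex(), _DUMMY_SALT)


def leaky_login(store: UserStore, user: str, password: str) -> Tuple[bool, str]:
    """The behaviour to avoid: the message says which part failed, so valid
    usernames can be enumerated before a single password is guessed."""
    if user not in store:
        return False, "Unknown user"
    salt, expected = store[user]
    if _digest(password, salt) != expected:
        return False, "Incorrect password"
    return True, "Welcome"


GENERIC_FAILURE = "Login failed. Check your user name and password and try again."


def generic_login(store: UserStore, user: str, password: str) -> Tuple[bool, str]:
    """One message for every failure. The precise reason is still recorded,
    but in the server log where operators, not the caller, can read it."""
    known = user in store
    salt, expected = store[user] if known else (_DUMMY_SALT, _DUMMY_DIGEST)
    matched = hmac.compare_digest(_digest(password, salt), expected)
    if not (known and matched):
        log.warning("login failed for %r (%s)", user,
                    "unknown user" if not known else "bad password")
        return False, GENERIC_FAILURE
    return True, "Welcome"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    users = make_store({"alice": "correct horse battery"})
    print(leaky_login(users, "mallory", "x"), leaky_login(users, "alice", "x"))
    print(generic_login(users, "mallory", "x"), generic_login(users, "alice", "x"))
```

Once a user is authenticated the same rule need not apply, as the page says; the example deliberately keeps the generic message to the login step only.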


ToolBox
Overview
T24 ToolBox provides an interface to components that perform specialised business functions. These
components are referred to as ToolBox ‘Plug-Ins’. T24 ToolBox provides a framework where Plug-Ins
are made accessible to the users.

Authentication
ToolBox uses either an HTTP or an HTTPS connection to the Temenos Browser servlet in order to access
T24. ToolBox users must provide their T24 username and password in order to make the connection. The
Temenos Browser servlet identifies a login request as coming from ToolBox and, as the username and
password have already been supplied, forwards the request to T24 via the Temenos Connector without
returning the T24 login page. The only configuration required for ToolBox to connect to T24 is the URL of
the Browser servlet and the T24 username and password. Because the T24 username and password are sent
to the servlet over this connection, HTTPS should be used so that they do not cross the network in clear text.


Temenos Open Connectivity Framework (TOCF)


Overview
The TOCF is comprised of several components that are used to connect the T24 Server with middle-
tier T24 components, external applications and transports such as a message bus.
The original design was client-server oriented, based on a TOCF server and a TOCF client, known
respectively as the Temenos Connector Server (TCS) and the Temenos Connector Client (TCC).
However, the latest design is peer-to-peer and is known as the Temenos Application Gateway (TAG).
The primary function of the TOCF is to provision configurable technical access to T24 business
services. There is no business logic in the TOCF; it is a purely technology-oriented component of
T24. However, as with any technical access mechanism, an element of security is present.

Temenos Connector
A detailed description of the security components and how to set them up can be found in the
Temenos Connector Security Service Overview.

Temenos Connector Client (TCC)


The TCC is the client side component of the Temenos Connector, which is used to connect to the T24
server. Customers can write their own clients that integrate with the TCC in order to send OFS
messages to T24.

Temenos Connector Server (TCS)


The TCS is the T24 server side component of the Temenos Connector, which clients use to connect to
the T24 server.

LDAP
It is possible to configure the Temenos Connector to use LDAP as part of the authentication
mechanism. It is most widely used as part of a corporate single sign-on mechanism.
A username and password are passed to the TCC with a T24 command message. If they are valid, the TCC
looks up the Distinguished Name (DN) of the user in the corporate LDAP directory. The DN is passed with
the message to the TCS. The TCS then looks up the DN in a T24 LDAP directory, which holds the T24
username and password that are used to log in to T24. The advantage of this arrangement is that the T24
username and password are never known outside the T24 server.
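The two-hop lookup described above, modelled in Python as an added example. It is not Temenos Connector code: the directories are stand-in classes, the DN format, the hashing of corporate passwords and the shape of the TCC-to-TCS message are assumptions, and the sample accounts are constructed. What it shows is the trust boundary the page describes: the client side only ever produces a DN, and the T24 credentials exist and are used only on the TCS side.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class CorporateDirectory:
    """Stands in for the corporate LDAP server the TCC binds to. Holds
    corporate passwords (as salted hashes) and each user's DN; it knows
    nothing about T24."""

    def __init__(self, accounts: Dict[str, Tuple[str, str]]) -> None:
        # accounts: corporate uid -> (password, DN); constructed sample data
        self._entries: Dict[str, Tuple[bytes, bytes, str]] = {}
        for uid, (password, dn) in accounts.items():
            salt = os.urandom(16)
            self._entries[uid] = (salt, _digest(password, salt), dn)

    def bind(self, uid: str, password: str) -> Optional[str]:
        """Simple bind: return the user's DN on success, None otherwise."""
        entry = self._entries.get(uid)
        if entry is None:
            return None
        salt, digest, dn = entry
        return dn if hmac.compare_digest(_digest(password, salt), digest) else None


class T24Directory:
    """Stands in for the T24-side LDAP directory (DN -> T24 sign-on).
    Only the TCS holds a reference to it."""

    def __init__(self, mapping: Dict[str, Tuple[str, str]]) -> None:
        self._mapping = dict(mapping)   # DN -> (T24 user, T24 password)

    def credentials_for(self, dn: str) -> Optional[Tuple[str, str]]:
        return self._mapping.get(dn)


def tcc_send(corp: CorporateDirectory, uid: str, password: str,
             command: str) -> Optional[dict]:
    """Client side (TCC): authenticate the corporate user and build the
    message for the TCS. Note what the message does not contain: neither the
    corporate password nor any T24 credential."""
    dn = corp.bind(uid, password)
    if dn is None:
        return None                      # invalid corporate login: nothing forwarded
    return {"dn": dn, "command": command}


def tcs_receive(t24dir: T24Directory, message: dict) -> Optional[Tuple[str, str]]:
    """Server side (TCS): resolve the DN to a T24 identity. The real TCS signs
    on to T24 with that identity here; this model returns (T24 user, command)
    so the caller can see who the command would run as. The T24 password is
    consumed here and never returned."""
    creds = t24dir.credentials_for(message["dn"])
    if creds is None:
        return None                      # valid corporate DN with no T24 identity
    t24_user, _t24_password = creds
    return t24_user, message["command"]


def end_to_end(corp: CorporateDirectory, t24dir: T24Directory, uid: str,
               password: str, command: str) -> Optional[Tuple[str, str]]:
    message = tcc_send(corp, uid, password, command)
    return None if message is None else tcs_receive(t24dir, message)


# Constructed sample directories: tjones has a corporate account but no T24 identity.
SAMPLE_CORP = CorporateDirectory({
    "jsmith": ("corp-pass-1", "uid=jsmith,ou=people,dc=example,dc=com"),
    "tjones": ("corp-pass-2", "uid=tjones,ou=people,dc=example,dc=com"),
})
SAMPLE_T24 = T24Directory({
    "uid=jsmith,ou=people,dc=example,dc=com": ("JSMITH", "t24-pass-1"),
})

if __name__ == "__main__":
    print(end_to_end(SAMPLE_CORP, SAMPLE_T24, "jsmith", "corp-pass-1", "ENQUIRY"))
    print(end_to_end(SAMPLE_CORP, SAMPLE_T24, "tjones", "corp-pass-2", "ENQUIRY"))
```

The same indirection underlies the TAG Impersonate Service described later in this document, with the corporate directory replaced by AD or ADAM in the TAG.net case.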

X.509 Certificates
As mentioned in the LDAP section above, when logging in via an LDAP directory the client system can present
an X.509 certificate in place of a username and password. The TCS then extracts the user information from the
certificate and validates the certificate chain.


SSL
The connection between the TCC and the TCS can be configured to use mutual SSL. This means that both
the client and the server present X.509 certificates, and each validates the other’s, in order to authenticate
to each other.

IBM WebSphere MQ SSL
The Temenos Connector supports sending messages using IBM WebSphere MQ (WMQ). With some
configuration, WMQ can be set up to use SSL for the channels carrying Temenos Connector traffic.

Cryptography
It is possible to configure the Temenos Connector to encrypt the data in the message passed between the
TCC and the TCS. Message encryption should not be relied on alone; the connection itself should also be
protected with SSL.

Temenos Application Gateway (TAG)


TAG enhances the functionality available in the Temenos Connector, bringing the ability to access T24
via Web Services together with a new configuration regime. There are currently two versions of TAG:
TAG.net, implemented on the Microsoft .NET Framework, and TAG.JEE, implemented in Java. Details of
TAG functionality can be found in the TAG User Guide.

Figure 2 - The high level TAG design

A key feature is the provision of the configuration service and associated GUI, to enable the easy
setup of the Web Services as well as connections to the T24 Server.


TAG Internal Services


TAG has several internal services which facilitate the processing of messages. These are mostly to
do with the management and binding of messages.

The Impersonate Service

The Impersonate Service enables impersonation from an external identity such as a corporate user id
and password or X.509 certificate, to a T24 user id and password. This can be performed using an
LDAP directory, and in the case of TAG.net with Microsoft Active Directory (AD) or Active Directory
Application Mode. Note that use of AD or ADAM is currently not available in TAG.JEE.

TAG Agents
A TAG agent is required on a server either to let that server communicate with a T24 instance on another
machine, or to let other TAG agents communicate with the T24 instance on that server.
There can be many agents, one of which is designated the master. In addition to the standard
services, the master agent provides the services that the other agents use to retrieve their
configuration.

Glossary of Terms
Web Server: The component that supports the deployment of the Browser web interface to T24.
SSL: Secure Sockets Layer. A standard method of secure transport over HTTP and other channels where the client must validate the server’s X.509 certificate.
Mutual SSL: As SSL, but both client and server must validate each other’s certificates (mutual authentication).
TCC: Temenos Connector Client.
TCS: Temenos Connector Server.
TAG: Temenos Application Gateway.
T24 Server: The server-side host, where the T24 business logic executes.
AD: Active Directory.
ADAM: Active Directory Application Mode.
LDAP: Lightweight Directory Access Protocol.
W3C: The World Wide Web Consortium (http://www.w3.org)
JAAS: Java Authentication and Authorisation Service.
HTTP Basic Authentication: A simple mechanism of authentication over the HTTP 1.0 protocol.
SMS: Security Management Service module of T24.
RSA Authentication Manager: One of the leading authentication servers on the market today. Formerly known as RSA ACE Server. http://www.rsa.com
ActivIdentity 4TRESS: One of the leading authentication servers on the market today. http://www.actividentity.com
X.509: An international standard for PKI digital certificates.
HSM: Hardware Security Module.
AES: Advanced Encryption Standard. A standard encryption algorithm that has been well tested and accepted in the security world.
