
Partner Key Management Overview

The Partner Key Management (PKM) process is used by J.P. Morgan to verify that the credentials submitted for activation on the Host-to-Host (H2H) servers not only meet the requirements for validity period and key strength, but also that they have been submitted by persons duly authorized by the client.

Key strength and expiration requirements

  • All certificates and keys have a finite validity period of two years or less.
    • J.P. Morgan sets the expiry date on SSH keys (two years) when they are installed.
  • All certificates and keys must be unique and not previously used with J.P. Morgan.
  • Key strength must be 2048 bits minimum.
  • SSH keys must use the RSA algorithm.
  • SSL certificates must be signed with a SHA-2 family algorithm (SHA-256 or stronger); a SHA-1 signature does not meet this requirement.
    • If an Extended Key Usage (Enhanced Key Usage) extension is present, the certificate must also include Client Authentication.
    • If the certificate is chained, the root and intermediate certificates must also be provided so that the full chain can be validated.
  • When naming keys, please use your company name. Do not use "J.P. Morgan" or the word "Expires" as part of the key name.

There are two options for submitting renewal keys for inspection and approval.


I. Rapid Renewal

Rapid Renewal is available only to clients who meet both of the following criteria:

  • You must be able to send a digitally signed inbound file to us.
  • You must submit the new certificates before your existing credentials expire, because the submission is signed with the key currently in use.

If you are eligible, the use of Rapid Renewal is mandatory.

If these criteria are not met or you are unable to accommodate these requirements, you must use the Email Submission process.

Benefits include:

  • A secure submission process, since your existing credentials are used to submit the new certificates
  • The elimination of documentation requirements such as the signed hardcopy and SADF validation
  • A more effective method that improves SLAs and lowers rejection rates

Rapid Renewal Process

  1. Using the applicable file naming convention below, transmit the new keys as you would normally send files to J.P. Morgan H2H, ensuring that each file is digitally signed with the key currently in use.
    1. <Partner ID>.TRANSPORT.IN.DAT (for SSH or SSL keys)
    2. <Partner ID>.PAYLOAD.IN.DAT (for PGP or X.509 keys)
    3. <Partner ID>.ACTIVATE.IN.DAT (for PGP, SSL or X.509 keys)
  2. Once the file is received, certificate validation is performed to ensure it meets the acceptable criteria.
    1. If the keys/certificates meet the minimum requirements, an email is sent indicating one of the following:
      1. The SSH key has been installed with a two-year expiration and you may begin using it immediately.
      2. The SSL, X.509 or PGP key has been staged for activation. Submit your ACTIVATE file when you are ready to begin using the new key.
      3. The SSL, X.509 or PGP key has been activated (following your ACTIVATE file) and is ready for immediate use.
    2. If the keys/certificates are not valid, an email is sent indicating the rejection reason(s) and providing additional steps to remediate the issue.


II. Email Submission

If you do not meet the criteria for Rapid Renewal, the email submission process must be used as described below. The J.P. Morgan Security Services (IMSD) group will action only those requests received from one of the authorized individuals listed as Security Administrators on the Security Administration Designation Form (SADF). Using the SADF, you identify these individuals by name, complete mailing address, original signature, phone number and email address. The email request must be received at least five days prior to the key implementation date. It is of utmost importance that the printed email is countersigned by one of the authorized individuals.

Please note: All submissions are subject to a callback process.

Email Submission Process

  1. Draft an email with the keyword "Renewal" on the subject line, a description of the action to be taken, a proposed date and time for the action, and an attached zipped text file containing the key/certificate(s), addressed to the IMSD email address below. The body of the email must contain a printed copy of every public key contained in the zipped text file.
  2. Print the email, have it physically signed by a documented Security Administrator and scan it as a PDF file.
  3. Attach the scanned signed hardcopy of the email to the draft email and send it to IMSD at the email address below. It is of utmost importance that the printed email is physically signed by one of the authorized individuals listed on the aforementioned SADF.
    • If scanning is not available, please fax the signed hard copy of the email to the number listed below.
  4. Upon receipt of this email and the signed hard copy, IMSD will:
    1. Validate the email by comparing the printed public key/certificate in the hard copy with the electronic one contained in the zipped attachment
    2. Compare the signature on the hard copy with the authorized original signature on the SADF, and
      1. If the key/certificate is approved, IMSD will forward the approved keys for installation.
        • You will then be informed of receipt of the key file and a scheduled date and time for the action to take place will be requested.
      2. If the key is not approved, IMSD will notify you directly via email to indicate the rejection reason(s) and provide additional steps to remediate the issue, copying the associated service representatives for awareness.

J.P. Morgan
IMSD Security Operations: Key Management
Fax: 813-649-8367
Email: IMSD.Security.Operations@jpmorgan.com

Requests for key adds, updates or deletes will be actioned during the course of normal business hours, Monday through Friday, 5 a.m. – 11:30 p.m. Eastern Time. Please note that no action will be taken unless the email received was from an authorized email address as indicated in the initial authorization letter.


Support

Contact the Solution Center Transmissions Support team at 978-805-1200 with any questions about the Host-to-Host platform. Representatives are available to assist you, 24 hours a day, Monday through Friday. Please note that the support team cannot advise on specific actions needed to make required changes to your systems. You should contact your application vendors for assistance.