A2A communication - KDPW

A2A communication

Key information

Electronic communication with KDPW using the A2A interface is based on IBM MQ connections set up with a dedicated MQ queue manager and dedicated communication queues for the exchange of messages between the participant's system and KDPW services (CSD*, ARM, TR EMIR, TR SFTR, LEI services).

The A2A communication model uses separate message exchange for each service, which means that separate MQ queues identified by name are provided for each service. As the A2A communication rules allow for a dedicated protocol or protocols for exchanging messages with participants for each service, the separation also covers protocols in each service. A communication protocol is understood as a set of strict rules and data storage formats required to successfully establish communication on the basis of a standard MQ connection.

A2A communication is provided both in the production environment (PRD) and the test environments (TST, EDU). The principles of communication are the same in all environments, but the configuration parameters enabling the connection may differ between environments. The connection parameters are defined individually according to an established scheme.
Communication using the A2A interface may only be established where this is allowed by the communication rules laid down in the rules of the service. The rules for establishing A2A communication are the same for all services as set out in the Rules for establishing electronic communication through system connections.

* during the transitional period (until the switchover to the new communication rules), KDPW direct participants are bound by the existing rules for establishing A2A communication in SWI.


How to establish communication using the A2A interface?

Step 1: Formal requirements
Participant
A participant is an entity which has entered into a participation agreement with KDPW under the rules of a service and has been issued a four-character institution code. In A2A communication, a participant can access both the production environment and the test environments (TST, EDU).

Entity seeking participation
An entity which wants to become a participant in a KDPW service but has not yet been granted participant status may only access the A2A interface to use the application test environments (TST, EDU). To access A2A communication, such an entity is required to get a four-character institution code from KDPW. Once the entity is granted participant status (keeping the same institution code), it can maintain the A2A connections previously established to the test environments and request connections to the production environment.

IT vendor (developer)
An entity developing software for participants in KDPW services may only access the A2A interface to use KDPW application test environments. To access A2A communication, such an entity is required to get a four-character institution code from KDPW.
Entities seeking participation or IT vendors can get an institution code after meeting certain formal requirements: Access to KDPW application test environments for non-participants.
Step 2: Downloading the electronic certificate for A2A communication
The TLS protocol using PKI certificates issued by the KDPW certification authority is the primary mechanism for authenticating the other party in MQ connections. To set up an A2A connection, it is necessary to download an electronic certificate for the institution code held. The certificate allows the participant to establish an encrypted TLS connection and to authenticate the participant’s system to a dedicated MQ communication channel.

A certificate can be downloaded using the A2A Certificates application available on the KDPW Service Portal after opening an access account and obtaining access to the application in accordance with the rules set out under the U2A interface access description.

The A2A Certificates application allows participants to manage the electronic certificates used to authenticate their systems for communication based on MQ queues. The application allows participants to obtain certificates for both the production (PRD) and the test (TST or EDU) environments. Using a single downloaded certificate, the participant can authenticate communication channels to all KDPW services in which A2A communication is available and in which the participant is, or will in the future be, acting under the same institution code.

Instructions on how to download and manage certificates can be found directly in the A2A Certificates application under "Help".
Step 3: Requesting a network connection
The network connection is established in the context of the institution code held and the connection method selected, together with the network parameters defined for the connection.

To establish an A2A connection for a specific service:

  • submit to KDPW a request for A2A communication (A2A communication request) and meet additional requirements, if any, for the service,

and then

  • exchange technical information concerning the establishment of a connection, including the connection parameters.
Note: The connection parameters required to set up a connection to the MQ queue managers on the KDPW side are made available as part of the process of building the connection. This information and the naming scheme for the MQ configuration is also available in the A2A Certificates application under "MQ connection parameters".
Step 4: Configuring the telecommunications link
KDPW offers the same connection options to its infrastructure at both its primary and backup sites. At each site, the infrastructure of two independent MPLS network operators or the public Internet can be used.

KDPW's access to the MPLS network and the Internet is based on the BGP protocol, using teletransmission links connected to two independent telecommunications operators. This solution ensures a high level of resilience to network failures. To ensure the security of data transmission, A2A communication is supported by secure TLS channels.

Due to its high reliability and guaranteed bandwidth, MPLS is the preferred technology for data exchange with KDPW.
If you opt for the Internet, a VPN tunnel based on the IPsec protocol with pre-shared key (PSK) authentication is additionally used. The TLS and IPsec protocols ensure that both sides of the connection can be authenticated and guarantee data confidentiality and integrity at the transport layer. It should be noted that Internet access does not ensure a specific bandwidth or response time. The technical parameters of the connection, such as available bandwidth, instantaneous throughput or reliability of network access, depend on the quality of the service offered by the telecommunications operator and the instantaneous load on the network.
Step 5: Establishing and verifying the connection
The connection is verified on network equipment in the KDPW IT systems. Due to different solutions used by counterparties establishing the connection, as well as different security policies, KDPW does not verify the connection outside its own infrastructure, nor does KDPW diagnose any problems within the counterparties' own systems.

Verification of the connection (layers L1 to L4 as defined in the OSI model) covers verification of the session set-up in the connection to the KDPW system, including the set-up of a VPN tunnel (in the case of IPSec over the Internet) or a BGP session (using MPLS).

Once KDPW confirms the correct operation of the network connection, KDPW provides the counterparty with information about the MQ configuration, including the names of the MQ objects used in the service. This allows the MQ connection to be verified.
The MQ connection check (layers L5 to L7 of the OSI model) is initiated by the counterparty and involves checking the ability to connect to the MQ queue, send a test message and receive a response.
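The Step 5 MQ connection check as a script, added here as an example and not KDPW's code: it assumes the pymqi client library, that the service's reply carries the request's MsgId as its CorrelId, and placeholder names for the queue manager, channel, queues, CipherSpec and key repository (the real values come from KDPW during connection set-up).

```python
# Added example, not KDPW code: Step 5 MQ-layer check over a TLS client channel, using
# pymqi (imported lazily so channel_definition() runs without it). All names are placeholders.
PARAMS = {
    "queue_manager": "QM.PLACEHOLDER", "host": "mq.example.invalid", "port": 1414,
    "channel": "CHANNEL.PLACEHOLDER", "request_queue": "REQUEST.QUEUE.PLACEHOLDER",
    "reply_queue": "REPLY.QUEUE.PLACEHOLDER",
    "cipher_spec": "ANY_TLS12_OR_HIGHER",   # use the CipherSpec KDPW specifies
    "key_repository": "/etc/mq/a2a-client",  # .kdb stem: KDPW-issued cert + CA chain
}


def channel_definition(p):
    """Client-channel fields for MQCD/MQSCO; refuses a channel that is not TLS."""
    if not p.get("cipher_spec") or not p.get("key_repository"):
        raise ValueError("A2A channels are TLS-only: cipher_spec and key_repository required")
    return {
        "ChannelName": p["channel"].encode(),
        "ConnectionName": f'{p["host"]}({p["port"]})'.encode(),  # MQ CONNAME syntax
        "SSLCipherSpec": p["cipher_spec"].encode(),
        "KeyRepository": p["key_repository"].encode(),
    }


def mq_connection_check(p, timeout_ms=10000):
    """Connect, put one test message, wait for the reply correlated to it.
    Assumes the reply's CorrelId equals the request's MsgId (usual MQ convention)."""
    import pymqi
    from pymqi import CMQC
    f = channel_definition(p)
    cd = pymqi.CD()
    cd.ChannelName, cd.ConnectionName = f["ChannelName"], f["ConnectionName"]
    cd.ChannelType, cd.TransportType = CMQC.MQCHT_CLNTCONN, CMQC.MQXPT_TCP
    cd.SSLCipherSpec = f["SSLCipherSpec"]
    sco = pymqi.SCO()
    sco.KeyRepository = f["KeyRepository"]  # holds the participant cert for the TLS handshake
    qmgr = pymqi.QueueManager(None)
    qmgr.connect_with_options(p["queue_manager"], cd=cd, sco=sco)
    try:
        md = pymqi.MD()
        md.MsgType, md.ReplyToQ = CMQC.MQMT_REQUEST, p["reply_queue"].encode()
        req_q = pymqi.Queue(qmgr, p["request_queue"], CMQC.MQOO_OUTPUT)
        req_q.put(b"A2A connectivity test", md)  # queue manager fills in md.MsgId
        gmo = pymqi.GMO()
        gmo.Options = CMQC.MQGMO_WAIT | CMQC.MQGMO_FAIL_IF_QUIESCING
        gmo.WaitInterval, gmo.MatchOptions = timeout_ms, CMQC.MQMO_MATCH_CORREL_ID
        rmd = pymqi.MD()
        rmd.CorrelId = md.MsgId
        rep_q = pymqi.Queue(qmgr, p["reply_queue"], CMQC.MQOO_INPUT_SHARED)
        return rep_q.get(None, rmd, gmo)  # MQMIError reason 2033 = no reply in time
    finally:
        qmgr.disconnect()  # also closes the queues opened above
```

A successful run returns the reply payload; a TLS failure surfaces as an MQMIError on connect, before any message is sent.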
A2A communication requirements for individual services
CSD services:
Naming the person authorised to send information via the system connection to KDPW - declaration to be submitted with the request for A2A communication in the production environment to CSD services