The Partner Key Management (PKM) process is used by J.P. Morgan as a way to verify that the credentials submitted for activation on the Host-to-Host servers not only meet the requirements for validity period and key strength, but also that they have been submitted by persons duly authorized by the client.

Key strength and expiration requirements

  • All client certificates and keys have a finite validity period of two years or less.
    • J.P. Morgan will set the expiry date on SSH keys when they are installed.
  • All client certificates and keys must be unique and not previously used with J.P. Morgan.
  • Key strength must be 2048 bits minimum.
  • SSH and PGP keys must use RSA algorithm.
  • SSL certificates must use a SHA2 algorithm.
    • SSL certificates must be provided in a .p7b format
    • If Enhanced Key Usage is used, the certificate must also include Client Authentication.
    • If the certificate is chained, the root and intermediate certificates must also be provided.
  • When naming keys, please use your company name. Do not use "J.P. Morgan" or the word "Expires" as part of the key name.

Please note that J.P. Morgan Host-to-Host will replace our SSH keys and SSL certificates annually, while our PGP key will be replaced every 2 years.

To update your test SSL certificates, SSH keys, and/or PGP keys; please send an email with the key files attached to cas.helpdesk@chase.com and include your Partner ID.

For Production, there are three options for submitting renewal keys for inspection and approval.

I. Online via Host-to-Host on J.P. Morgan Access (RECOMMENDED)

  • You are able to perform your renewal online via Host-to-Host on J.P. Morgan Access
  • Digital Signature or Token approval is required for this option
  • Self-activate your renewal key when you are ready to use it
  • Enrollment is required. If you do not have the necessary entitlements, please contact your service representative
  1. Login into J.P. Morgan ACCESS

a. You must have the Key Management entitlement for the applicable Host-to-Host Partner ID
b. These entitlements are managed by your company’s J.P. Morgan ACCESS Security Administrator.

  1. Click on Administration and select Key Management
  2. Identify the key to be renewed on the applicable Partner ID and click the Upload button
  1. Select either the Certificate or Token box or both for digital signature.

a. If Certificate is used, the key file must be Ascii Armor signed with your current PGP key

  1. Click the Browse button and select the applicable replacement key file and click Upload
  2. a. Filenames must not contain spaces or special characters

    b. SSH and PGP key filenames must have a .txt extension

    c. SSL certificates must be in p7b format and extension

  3. A second user with Activate entitlements should then Activate when you are ready to begin using the new key.
  4. If you are activating a PGP key, please wait 30 minutes before using the new key after it has been activated.

II. Rapid Renewal

The use of Rapid Renewal is a secure submission process in which you use your existing credentials to submit new certificates.

  • You must be able to send a digitally signed inbound file to us.
  • You must submit new certificates prior to their existing credentials expiration.

Benefits include:

  • The elimination of documentation requirements such as the signed hardcopy and SADF validation
  • A more effective method that improves SLAs, and lowers rejection rates

Rapid Renewal Process

  1. Digitally sign your new key with your current active PGP key (X.509 signature is not supported). 
  2. Transmit the new key as you would normally send files to J.P. Morgan, using the following naming conventions:
  3. <Partner ID>.TRANSPORT.IN.DAT (for SSH or SSL keys)
    <Partner ID>.PAYLOAD.IN.DAT (for PGP keys)

  4. Once the file is received, the digital signature will be validated, and the key will be inspected to ensure it meets acceptable criteria.
  5. An email will be sent to confirm success or failure of the validation process.
  6. a. The email will be sent to the contacts of record in Host-to-Host.
    b. Please contact your J.P. Morgan Service representative to update these contacts.

  7. If the key meets minimum requirements:
    An SSH key will be installed with a 2-year expiration.  You may begin using it immediately.
    An SSL or PGP key will be staged for activation. 
  8. PGP Keys Only: After you receive the email indicating successful staging, transmit an activation file that is digitally signed with your current active PGP key.
  9. a. The activation filename must be: <Partner ID>.ACTIVATE.IN.DAT.
    b. The content of the activation file is structured XML, as shown below.
    c. After the activation file has been successfully processed, you will receive an email, and your PGP key will be live. 
    d. The previous PGP key can no longer be used.

  10. SSL Only:  Coordinate the activation with Solution Center Transmission Support (978-805-1200 opt 2).

Activation File Contents

<?xml version="1.0"?>
<activateRapidRenewalKeyDetails>

<!—Replace ‘XXXXXX’ with your Partner ID. -->

<partnerID>XXXXXX</partnerID>

<keyType>PGP</keyType>

<!--This serialNumber is the last eight characters of the fingerprint, also called the short KeyID, of the PGP key to replace the ‘1A2B3C4D’ string below.   Add '0x' at the start of the serial number if it is missing.-->

<serialNumber>0x1A2B3C4D</serialNumber>

</activateRapidRenewalKeyDetails>

III. Email Submission

If you do not meet the criteria for Rapid Renewal, the email submission process must be used as described below. The J.P. Morgan Security Services (IMSD) group will action only those requests received from authorized individuals listed as Security Administrators using the Security Administration Designation Form (SADF). Using the SADF, you will identify the individuals with their names, mailing addresses, signatures, phone numbers and email addresses. IMSD cannot disclose security administrator or SADF information, so please contact your J.P. Morgan client service representative for further assistance with this requirement.

Email Submission Process (Requires two Security Administrators)

The email request must be received at least five days prior to the key implementation date.
Requests are actioned Monday through Friday, 8:00 a.m. to 1:00 a.m. Eastern Time.

  1. A Security Administrator should draft an email with your Host-to-Host Partner ID and Keyword "Renewal" in the subject line. In the body of the email, include a description of the action to be taken, the requested date and time the action is to be taken, and an attached zipped text file containing the key/certificate(s).
  2. The Security Administrator should then send the email to IMSD at the email address below and copy an additional Security Administrator(s) listed on the SADF.
  3. The additional Security Administrator must then ‘reply all’ to the email and approve the submission.
  4. Upon receipt of the approval email, IMSD will confirm that both Security Administrator names and email addresses match the current SADF, and that the keys and/or certificates meet minimum requirements for strength and expiration.

a. If the key/certificate is approved, IMSD will forward the approved keys for installation.

i. You will then be informed of receipt of the key file via email and the scheduled date and time for the action to take place will be confirmed or requested.

b. If the key is not approved, IMSD will notify you directly via email to indicate the rejection reason(s) and provide steps to remediate the issue, copying the associated service representatives for awareness.

J.P. Morgan
IMSD Security Operations: Key Management
Fax: 813-649-8367
Email: IMSD.Security.Operations@jpmorgan.com

Support

Contact the Solution Center Transmissions Support team at 978-805-1200, or by emailing HosttoHost.helpdesk@jpmorgan.com, with any questions about the J.P. Morgan Host-to-Host platform. Representatives are available to assist you, 24 hours a day, Monday through Friday. Government, municipal and public sector clients should call 844-718-0643. Please note that the support team cannot advise clients on specific actions needed to make required changes to their systems. Clients should contact their application vendors for assistance.