J.P. Morgan is committed to sharing information about best practices that are commonly used to help keep file transmissions reliable and secure. Please review the information below and apply these practices to the extent possible to improve your experience with J.P. Morgan Host-to-Host.

Bank Environments

Host-to-Host has two independent environments: Client Acceptance Testing (CAT), also known as User Acceptance Testing (UAT), and Production.

Clients are required to use separate security credentials in each of the environments.

Please note that production data must never be transmitted to the J.P. Morgan CAT environment, nor should test data ever be sent to the J.P. Morgan production environment, except as specified by special setups that are designed for production verification testing.

Client Environments

J.P. Morgan strongly recommends that you keep your environments and applications up to date with respect to security patches and currently supported software versions.

We will, without notice, routinely update the Host-to-Host environments to ensure that proper versioning and applicable security patching is up to date.

Failure to maintain your applications at current release versions may result in connectivity errors.

Maintenance Windows

J.P. Morgan has regularly scheduled maintenance windows for the Host-to-Host environments:

• Production: Saturday 8 p.m. ET – Sunday 5 a.m. ET
• Client Acceptance Test (CAT): Tuesday 5 p.m. – 10 p.m. ET and Thursday 5 p.m. – 10 p.m. ET

Effective October 1, 2024 the Production maintenance window will change:

• Production as of Oct 1: Saturday 5:00 p.m. ET – Sunday 1:00 a.m. ET

We will conduct routine updates and patching during these times, and it may be necessary, on occasion, to make Host-to-Host unavailable to clients. To minimize disruption, it is strongly recommended that clients avoid scheduled transmissions during these maintenance windows. If you experience connectivity issues during one of these windows, please retry after the window has expired.

Host Addressing

All connectivity to Host-to-Host servers must be addressed to the URL that you have been assigned.

It is J.P. Morgan's policy to utilize multiple data centers for connectivity as part of our resiliency strategy. This strategy requires that we periodically switch data centers as a normal course of business. Because this will be routinely done without notice, clients must not use direct IP addressing or cache Host-to-Host IP addresses for an extended period of time.

Clients who use hard-coded IP addressing must assume the responsibility for service interruptions that may result when planned or unplanned events result in IP address changes on the J.P. Morgan infrastructure. J.P. Morgan is unable to change its resiliency-related business practices, and is unable to make special accommodations for the use of hard-coded IP addressing.

Firewall Configuration

J.P. Morgan is a large organization with a highly distributed, globally load-balanced proxy infrastructure. We own specific IP address space that has been specifically reserved for services hosted globally within our own public DMZ infrastructures. Since we are a known business partner accessing services over the Internet and we only source transmissions from hosts under our management, we hope clients would not have concerns to trust this address space.

Firewalls should be configured to allow traffic across the J.P. Morgan owned IP ranges below:

• 159.53.0.0/16 – Heritage Datacenter to be decommissioned.
• 170.148.0.0/16 – Heritage Datacenter to be decommissioned.
• 198.36.0.0/22 - New Datacenter for client to bank connections.
• 146.143.0.0/16 – New Datacenter required to receive files pushed to you.

Supported Protocols

• SFTP
• AS2
• HTTPS
• Swift FileAct
• Multiversa (EBICS)

Keys and Certificates

• All client certificates and keys have a finite validity period of two years or less.
  • J.P. Morgan will set the expiry date on SSH keys when they are installed.
• All client certificates and keys must be unique and not previously used with J.P. Morgan.
• Key strength must be 2048 bits minimum.
• SSH and PGP keys must use RSA algorithm.
• SSL certificates must use a SHA2 algorithm.
  • SSL certificates submitted by email must be provided in a .txt format
  • If Enhanced Key Usage is used, the certificate must also include Client Authentication.
  • If the certificate is chained, the root and intermediate certificates must also be provided.
• Certificate/key install times are SUNDAY 19:00 EST – FRIDAY 19:00 EST; no weekends or holidays
  • All PAYLOAD installs MUST be requested to be scheduled during a 2 hour window in respect to install times above

Please note that J.P. Morgan Host-to-Host will replace our SSH keys and SSL certificates annually, while our PGP key will be replaced every 2 years.

Operations

Please consider the following best practices when setting up your file transmission operation to help reduce transmission failures:

• SSH or SSL secured connections are required.  (Password authentication is not supported)
• Use DNS addressing with short-lived caching.  (Do not Hard Code IP Addresses)
• Digital signing is required on all files uploaded to Host-to-Host.
• Ensure that your cryptography configurations are prioritizing more secure settings first and weaker settings last.
• Ensure that your system provides confirmation of both success and failure conditions.
• It is recommended that all pending files be uploaded and/or downloaded during the same session, rather than a single file per session.
• It is recommended to avoid scheduling jobs at the top and bottom of the hour.

• Connections must be closed/disconnected after applicable activity is completed.  Keeping connections open for extended periods will cause performance issues and impact other clients.
• On a connectivity failure, automatically retry the connection. After three successive failures, publish an alert to your operations team. If assistance is required, contact J.P. Morgan
• Track failures over time, such that you may identify an intermittent problem.
• Refresh your DNS/IP addressing cache whenever a connectivity failure occurs.
• Make sure that transaction acknowledgements and confirmations that are generated and sent to you by J.P. Morgan are distributed to your business users.
• All files should have a UNIQUE naming convention, reusing filenames can and will causes file overwrites
• Introduce a slight delay in-between each file
• Make sure that there is a current email address on file at J.P. Morgan so that you receive notifications from us. J.P. Morgan will send automated email notifications on certain failure conditions.

If you receive failure notifications from J.P. Morgan, please contact us prior to resending files in order to prevent duplicate transactions.

Certain behaviors may result in service disruptions and impact your ability to upload and download files requiring corrective action.

The following behaviors should be avoided to prevent service disruption or performance.

• Uploading more than 1000 files in a single day
• Uploading many files in a very short period of time (Rapid Fire)
• Uploading or downloading very large files (> 100MB)
• Uploading files that contain only a single transaction.  (Payments should be batched into files)
• Keeping multiple concurrent sessions open without disconnecting (Concurrent Logon Sessions)
• Polling the server for new files at a rate greater than four times per hour.

If you have any of the following requirements, please discuss with the J.P. Morgan technical team prior to implementation.

Concurrent Logon Sessions

It is J.P. Morgan's policy to limit the number of concurrent sessions allowed on Host-to-Host. J.P. Morgan recommends establishing a single connection to transmit and/or retrieve files and immediately disconnect upon completion. Clients who insist upon using multiple concurrent sessions may experience temporary connection failures due to exceeding the maximum number of allowed sessions. Impacted clients will resume normal operations as their open sessions above the maximum allowed threshold are disconnected.

Rapid Fire

If you are sending a large number of files in a short period of time, this may trigger a denial of service attack alert at J.P. Morgan. To protect its clients, J.P. Morgan may take action to terminate a connection and disable an account when such alerts occur.

You should note that Host-to-Host often acts only in the capacity of sending your files to target systems, and that there may be limitations to the speed by which those systems may receive and process files. Because of this, there are times when it may be necessary to adjust the timing of your file delivery process. Please discuss all high volume considerations with the J.P. Morgan technical team prior to implementation.

Failure/Recovery

If you are not sure whether we received your file, or if a failure occurs after successful delivery of a file to us, do not resubmit the file without consulting the J.P. Morgan support team. Resubmission may result in a duplicate file.

Know that certain files cannot be recovered, and must be re-sent. This includes, although not exclusively, any file with improper naming, and any file for which the digital signature could not be confirmed.

Viruses

If J.P. Morgan detects a virus within a received file, the file will be quarantined, and will not be processed. We will invoke our standard process to notify you and instruct you to send a clean file.

Repeated occurrences of virus detection may result in the locking of your Host-to-Host account.

Support

Contact the Solution Center Transmissions Support team at 978-805-1200, or by emailing HosttoHost.helpdesk@jpmorgan.com, with any questions about the J.P. Morgan Host-to-Host platform. Representatives are available to assist you, 24 hours a day, Monday through Friday. Government, municipal and public sector clients should call 844-718-0643. Please note that the support team cannot advise clients on specific actions needed to make required changes to their systems. Clients should contact their application vendors for assistance.

All trademarks, trade names and service marks appearing herein are the property of their respective owners