
National Finance Center

U.S. Department of Agriculture


General

What is SFTP?

SFTP is the acronym for SSH File Transfer Protocol. Despite the similar name, it is not a version of File Transfer Protocol (FTP); it is a separate file transfer protocol that runs inside an encrypted SSH session, so file contents, file names, and credentials are never sent in the clear the way they are with FTP. NFC's SFTP connections authenticate with SSH key pairs instead of a username and password.

Why is SFTP needed?

The United States Department of Agriculture (USDA) has mandated that all data transmitted must occur via the SFTP method.

How is SFTP implemented?

Agencies will work with the National Finance Center (NFC) and establish a project team, considering roles, responsibilities, and skill sets required. Agencies will also identify Points of Contact (POCs) and vendor/contract support, and communicate the roles and responsibilities to their project team. The complete process can be found on NFC’s SFTP Resource page at https://www.nfc.usda.gov/Publications/HR_Payroll/HR_Payroll_Processing/Bulletins/2019/HRPAY-19-13.htm.

What is required to implement SFTP?

Agencies must submit their SFTP requirements to NFC via Form AD-3003, Software Change Request (SCR). In addition, Form AD-3113, Secure File Transfer Protocol (SFTP) File Transmission Request, must be completed to provide all file-related information. Both forms can be found on NFC’s SFTP Resource Page. The NFC-assigned project number must be included in all subsequent correspondence related to the project. Once NFC receives the forms from the Agency, NFC will schedule a meeting to review the request with the Agency technical team. If an outside contractor or servicing Agency manages the actual file transfer process, they must participate as well.

When is SFTP conversion required?

There is no specific time frame to have all transmissions converted to SFTP. NFC processes each request in the order received.

Who is required to convert to SFTP?

All entities requiring connections to NFC, including Agencies or their third party vendors, must implement SFTP.

Can an Agency continue to manually pull files from the mainframe without using SFTP? (i.e., TSO SEND/RECEIVE)

Yes. Those TSO sessions all go through a VPN tunnel which is relatively secure.

Must an Agency have an SFTP server to pull files from NFC’s external SFTP server, with an “SFTP Server” being any server or workstation that allows the user to run software to transfer the file from NFC’s external server?

Yes. Any workstation or server running SFTP client software meets this definition, and there are several no-cost and low-cost software solutions available that allow secure file transfer.

FESI

What is NFC’s preferred frequency for receiving FESIs? Would NFC prefer the FESIs be held and sent at end of the day (e.g. 5:00 pm), or is receiving a separate FESI for each PAR (i.e., one at a time) preferable?

There is no preferred frequency to receive files. The process is designed to handle more than one file per business day. One file per PAR could be quite inefficient if done often. End of day is the most common time frame to submit. Cutoff for the end of the business day is 5:00 PM, CST. Files received after the cutoff will be processed on the next business day.

Are there any days of the week, or month/year, that NFC does not process FESIs?

FESI is a sub-component of the nightly PINE process. Every time PINE runs, FESI runs. If there is ever an abnormal schedule for PINE, Customer Notifications are sent to inform Agencies.

Do award FESIs need to be processed in a certain order, e.g. 075 before a 110?

FESI users should process any personnel actions, cash awards, payroll documents, benefits documents, etc. in the same order they would if they were using NFC entry systems (EPIC or EmpowHR). If the 075-doc would be processed one day and then the 110-doc the next day, you would follow the same process as a FESI user. If you would enter both the 075-doc and the 110-doc on the same day, then you can do the same with FESI.

Can NFC process more than one (1) award FESI for a person per day?

Follow any processing rules that you currently follow. FESI changes nothing about processing; it is a substitute for using NFC’s entry systems, and a FESI user should follow the same processing rules.

Is there a minimum or maximum limit on the number of records in a FESI file?

There are no minimum or maximum limits.

Does NFC send a completed SF-50, Notification of Personnel Action, to eOPF for all PAR/Award types in a FESI transmission, regardless of FESI format?

The use of FESI has no bearing on these processes or any manual processes. FESI is a substitute for using NFC’s entry systems. All personnel actions processed via FESI that apply will be reported to eOPF.

Can NFC accept any corrections via a FESI?

No, all corrective work, e.g., HCUP packages, must be processed using NFC entry systems (EPIC or EmpowHR).

Can NFC provide test data without PII data?

For high-volume testing, only “live” data is provided for testing to users authorized to view production data.

Can I submit actions for multiple organizations in one file?

The FESI/PINE process does not check for multiple organizations in a file. All sub-agencies and POIs for a department (agency) could be placed in the same file; however, the sub-agency/POI combo has to be valid in Table 001.

It is the agency’s responsibility to ensure that the correct agency/POI is sending transactions in each file, so that actions are not duplicated. Files can be submitted for an entire department (agency), for a sub-agency, for a POI, or combinations of sub-agencies/POIs.

Why use tmp files for file transfers?

If a file is copied or picked up before the transfer has finished, the receiving side sees only part of the original file. The same thing happens when the connection fails in the middle of the transfer, for example because of a power loss or a network outage. To address this, the sender transfers the file under a temporary name (for example with a .tmp suffix) and renames it to its permanent name only after all data has been pushed to the client. The receiving side should pick up only files under their permanent names and ignore temporary-name files, which are still in flight.
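The temporary-name pattern described above, as an added example that is not part of NFC's page or software: a POSIX shell script in which a local directory stands in for the remote SFTP directory, the file names are constructed for the example, and the equivalent OpenSSH sftp batch commands are written out rather than run against a server.

```shell
#!/bin/sh
# Added example (not NFC's own script): push a file under a temporary name and
# rename it only after every byte has arrived, so a consumer never sees a partial
# file. The local directory passed as $2 stands in for the remote SFTP directory.
set -eu

# Copy $1 into directory $2 as "<name>.tmp", then rename to the permanent name.
push_atomic() {
    src=$1; dest_dir=$2
    name=$(basename "$src")
    cp "$src" "$dest_dir/$name.tmp"             # bytes land under the temporary name
    mv "$dest_dir/$name.tmp" "$dest_dir/$name"  # rename is atomic on one filesystem
}

# Simulate a transfer that dies part way through: only the .tmp file is left,
# and the permanent name never appears.
push_interrupted() {
    src=$1; dest_dir=$2
    name=$(basename "$src")
    dd if="$src" of="$dest_dir/$name.tmp" bs=1 count=5 2>/dev/null
    # connection lost here; the rename never happens
}

# Consumer side: list only completed files, ignoring anything still in flight.
list_complete() {
    for f in "$1"/*; do
        case "$f" in
            *.tmp) ;;                                 # still being written, skip
            *) if [ -f "$f" ]; then basename "$f"; fi ;;
        esac
    done
    return 0
}

# The same two steps as OpenSSH sftp batch commands (run with `sftp -b file host`).
# Arguments: local path, remote name. Only printed here, never executed.
write_sftp_batch() {
    printf 'put %s %s.tmp\nrename %s.tmp %s\n' "$1" "$2" "$2" "$2"
}
```

The rename is what makes the hand-off safe: the permanent name exists only when the file is complete, so a scheduled pull on the receiving side that matches permanent names cannot pick up a truncated file, and a leftover .tmp file is a clear sign that a transfer failed and should be re-sent.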

Keys

What are SSH keys?

SSH (Secure Shell) is a protocol that gives user and system accounts an encrypted, authenticated way to access other systems across a network. SSH keys are asymmetric key pairs used to authenticate to a server in place of a username and password.

When you generate an SSH key pair, a public key and a private key are created together. The private key should NEVER be sent to anyone or copied off the system that uses it; only the public key is sent. If the private key was sent out by mistake, treat it as compromised: create a new key pair, send the new public key, and ask the other party to remove the old public key from its authorized_keys file.

When are public SSH keys required?

The sender’s public SSH key is added to the destination server by the server owner. For example, if a customer is connecting to NFC’s SFTP server, NFC adds the customer’s public SSH key to NFC’s SFTP server. If NFC is connecting to a customer’s SFTP server, the customer adds NFC’s public SSH key to the customer’s SFTP server. The sender’s public SSH key is always added to the destination.

What port does the SSH protocol use?

By default, the SSH protocol (and therefore SFTP) uses TCP port 22.

How do SSH keys work?

Which side sends its public key is determined by who initiates the connection. Only the customer/Agency initiating the connection needs to send its SSH public key to the party it is connecting to. The receiver puts that key into the .ssh/authorized_keys file of the account set up for the sender. If SSH connections are set up in both directions, each party sends its SSH public key to the other.

Should I do anything with my private SSH key?

If the key pair was not generated by the account that will initiate the SSH connection, then yes. Copy the private key into the .ssh folder of the account that will initiate the connection, make sure that account owns the file and is the only one that can read it (mode 0600; the SSH client refuses to use a private key that other users can read), and, if the file does not have one of the default names such as id_ed25519 or id_rsa, point the client at it with the -i option or an IdentityFile entry in .ssh/config.

If you generated the SSH key pair using the account you are initiating the SSH connection from, then you do not need to do anything with that private key.
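The key handling described in the answers above (generate a pair, send only the public half, install it in the sender's account under .ssh/authorized_keys, keep the private key at 0600), as an added shell example that is not NFC's own procedure. The home directory, key comment, file names and any public key line used with it are assumptions made for the example; ssh-keygen is used for generation and nothing is sent to a real server.

```shell
#!/bin/sh
# Added example (not NFC's own procedure): generate an SSH key pair on the
# initiating account, and on the receiving side install the PUBLIC key in the
# sender's account under .ssh/authorized_keys with the permissions sshd requires.
# Home directories, comments and key material are constructed for the example.
set -eu

# Initiating side: an ed25519 key pair with no passphrase, for an unattended
# transfer job. Only the .pub file is ever sent to the other party.
generate_keypair() {
    keyfile=$1; comment=$2
    ssh-keygen -q -t ed25519 -N '' -C "$comment" -f "$keyfile"
    chmod 600 "$keyfile"   # private key: owner read/write only
}

# Accept only a well-formed OpenSSH public key line: "<type> <base64> [comment]".
# A private key file pasted by mistake does not match and is rejected.
is_valid_pubkey() {
    case $1 in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) return 1 ;;
    esac
    b64=$(printf '%s\n' "$1" | awk '{print $2}')
    printf '%s\n' "$b64" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# Receiving side: add the sender's public key to the account's authorized_keys
# once (no duplicates), creating .ssh with the modes sshd's StrictModes expects.
install_authorized_key() {
    home_dir=$1; pubkey_line=$2
    is_valid_pubkey "$pubkey_line" || { echo "rejected: not an OpenSSH public key line" >&2; return 1; }
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    touch "$home_dir/.ssh/authorized_keys"
    chmod 600 "$home_dir/.ssh/authorized_keys"
    key_body=$(printf '%s\n' "$pubkey_line" | awk '{print $1" "$2}')
    if ! grep -qF "$key_body" "$home_dir/.ssh/authorized_keys"; then
        printf '%s\n' "$pubkey_line" >> "$home_dir/.ssh/authorized_keys"
    fi
}

# Number of keys installed for an account (one line per key).
count_authorized_keys() {
    grep -c . "$1/.ssh/authorized_keys" || true
}

# Permission string of a path ("drwx------"), portable across GNU and BSD ls.
mode_of() {
    ls -ld "$1" | cut -c1-10
}
```

Retiring a key is the reverse of install_authorized_key: delete the matching line from authorized_keys on the receiving side, which is the only place the key is honoured, since (as noted below) SSH keys themselves do not expire.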

When do SSH keys expire?

SSH keys do not have a built-in expiration date. A key remains usable until the server owner removes its public key from the .ssh/authorized_keys file, so a key that is retired or compromised must be removed explicitly.

What is PGP?

PGP is an encryption system that stands for Pretty Good Privacy. It can be used to encrypt and decrypt both emails and files.

What are PGP keys?

At NFC we use PGP keys to encrypt and decrypt files. NFC policy requires files at rest to be encrypted, because a file sitting on disk could be compromised; PGP encryption protects customer data in that case.

What is PGP used for by NFC?

At NFC, PGP is used to encrypt files for customers and decrypt files that customers send to us. This requires that PGP keys be created. Like SSH keys, only the public keys should be given out. Customers sending data to NFC will use the NFC Public PGP key to encrypt the file. When NFC receives the file, NFC will use our private NFC PGP key to decrypt it. When NFC sends files, we will encrypt the file with the customer’s Public PGP key and they will in turn decrypt the file with their private PGP key.

How do I generate PGP public and private key pairs?

Visit the following link for information on creating a PGP pair: https://www.redhat.com/sysadmin/creating-gpg-keypairs

Which PGP key does each organization provide to the other organization?

Only public keys are exchanged. Private keys are NEVER exchanged.

When are public PGP keys required?

PGP keys ensure that the intended receiver of NFC files is the only one who can read them. If we are sending a customer a file, we need the customer’s public PGP key to encrypt the file so that only the customer can read (decrypt) it. If a customer is sending a file to NFC, the customer needs NFC’s public PGP key to encrypt it.

When do PGP keys expire?

PGP key expiration is user defined. It can be weeks, months, years or never.

How do I exchange keys?

Agency Security Officers must submit a Form AD-3100-P, PAYROLL PERSONNEL REQUEST FOR SECURITY ACCESS, to NFC Security, via the ServiceNow portal. Agency keys must be attached to the request. Detailed instructions on submitting the request are provided after network connectivity is established.

How can I use PGP in Linux/Windows?

Most Linux distributions include an OpenPGP implementation. NFC Linux systems are predominantly Red Hat Linux, on which GPG (GNU Privacy Guard), an OpenPGP encryption and signing tool, is installed by default.

Windows systems have a variety of tools that can be used. The tool we recommend is Gpg4win, a Windows distribution of GnuPG that is widely used and fairly easy to use. This is not an endorsement of the product, just the one we are most familiar with. It can be downloaded for free at: https://www.gpg4win.org/

How do I decrypt a file using PGP?

Visit the following link for information on how to decrypt a file using PGP: https://www.redhat.com/sysadmin/getting-started-gpg
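The exchange described under "What is PGP used for by NFC?", "When are public PGP keys required?" and this decryption question, as an added shell example that is not NFC's own procedure. It runs GnuPG locally with two separate GNUPGHOME directories standing in for the Agency and for NFC; the names, e-mail addresses and sample file are constructed for the example, and NFC's real public key is obtained through the AD-3100-P request, not generated this way.

```shell
#!/bin/sh
# Added example (not NFC's own procedure): two GnuPG homes stand in for the
# Agency and NFC. Only the public key crosses between them; each private key
# stays in its own home. Identities and file names are constructed for the example.
set -eu

# Make a key pair in its own GNUPGHOME. "never" = no expiration; expiration is
# user defined, so pass e.g. 2y for a key that expires in two years.
make_keypair() {
    gnupg_home=$1; uid=$2
    mkdir -p "$gnupg_home"; chmod 700 "$gnupg_home"
    GNUPGHOME=$gnupg_home gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default never
}

# Export ONLY the public key; this armored file is what is attached to the key request.
export_public_key() {
    gnupg_home=$1; uid=$2; out=$3
    GNUPGHOME=$gnupg_home gpg --batch --quiet --armor --export "$uid" > "$out"
}

# Sender: import the recipient's public key and encrypt a file for that recipient.
# --trust-model always skips the web-of-trust prompt for a key received out of band.
encrypt_for() {
    gnupg_home=$1; recipient_pub=$2; recipient=$3; plain=$4; cipher=$5
    GNUPGHOME=$gnupg_home gpg --batch --quiet --import "$recipient_pub"
    GNUPGHOME=$gnupg_home gpg --batch --quiet --yes --trust-model always \
        --recipient "$recipient" --output "$cipher" --encrypt "$plain"
}

# Receiver: decrypt with the private key that never left this home directory.
# Fails (non-zero exit) in any home that does not hold the matching private key.
decrypt_with() {
    gnupg_home=$1; cipher=$2; out=$3
    GNUPGHOME=$gnupg_home gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --output "$out" --decrypt "$cipher"
}

# Stop the gpg-agent instances started for temporary homes.
cleanup_gpg() {
    for h in "$@"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; done
}
```

The check worth keeping from this script is the last one: a file encrypted to NFC's public key cannot be decrypted from the Agency's own keyring, which is exactly the property that makes the file safe at rest on the transfer server. In production the passphrase would not be empty; it is empty here only so the example runs unattended.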

Troubleshooting

What if I do not receive a scheduled file?

If you do not receive a file within its expected transmission time frame, please submit an incident ticket via the ServiceNow portal which includes responses to the following questions:

  1. Did you make networking or configuration changes to networking equipment or servers since the last successful transmission?
  2. Are you using Site to Site VPN or Server to Server (Internet)?
  3. What is your IP address?
  4. Has your IP address changed since the last successful transmission?
  5. When did the last successful transfer occur?
  6. Are you missing some or all expected files?
  7. What are the names of the missing files?
  8. Are you pulling files from NFC, or is NFC pushing files to your server?
  9. If you are pulling files from NFC, did you attempt to retrieve the file within 24 hours of expected transmission?*
  10. If NFC pushes the file to you, did your SSH key or server account change?
  11. Did you receive an email notification of the job status? If so, what did it say?
  12. Are you receiving error messages from the transfer software? If so, can you provide screenshots?

* If retrieval of the file within 24 hours of transmission is a recurring problem, you may need to work with NFC to establish the capability to push the file to your SFTP server, instead of pulling the file from NFC's SFTP server.

What do I do if I can no longer connect to NFC?

Make sure you are attempting to connect only from an authorized IP address and that you are connecting via SFTP.

How do I report problems?

If a ‘job ended notok’ email is received, or you do not receive an email with the status of the transfer, or there are problems with the data in the file, customers can submit an incident ticket via the ServiceNow portal. Include as many details as possible about the issue for faster resolution.

Where can I find more information?

To learn more about the SFTP Process, as well as NFC’s Data Center Migration, please visit the National Finance Center (NFC) Homepage.

Last Updated / Reviewed: July 03, 2023