The SFMS system consists of four main units - Hub, Gateway, Branch Servers and Thin or Thick Clients.
Hub System: The Hub system is a Compaq Himalaya Server located at IDRBT, Hyderabad. The Hub system switches inter-bank messages from the sending bank's gateway to the receiving bank's gateway.
Gateway for Banks: Each Bank will have a Gateway system. All Branch servers of the Bank send all intra-bank and inter-bank messages to the gateway system. The gateway system switches all the intra-bank messages from the sending branch server to the receiving branch server and forwards all inter-bank messages addressed to other banks to the Hub system. It also receives inter-bank messages addressed to its own branches and switches them to the appropriate branch server.
Branch Server: One or more branches can be parented to a single branch server. Users of all these branches can create, verify and authorize outgoing messages and view and process incoming messages using on-line thin clients or off-line thick clients, which are called off-line servers.
Off-line servers (Thick Clients): Off-line servers are PCs that are provided with the SFMS Off-line module software, which allows off-line creation, verification, authorization, viewing and processing of messages. Off-line servers connect to a Branch Server to send/receive messages. Unlike on-line terminals, off-line servers also keep copies of sent and received messages.
SFMS Architecture
Security
SFMS uses X.509 digital signatures for access control and for authentication of messages. Messages are encrypted with the receiving node's public key to protect the confidentiality of the message while in transit. Access control and authentication procedures are different for different categories of users. There are four kinds of users in SFMS, namely Creator, Verifier, Authorizer and Super Users.
- Creator: Creator users are only allowed to create, list and view messages.
- Verifier: Verifier users verify outgoing messages created by creator users.
- Authorizer: Authorizer users authorize messages verified by verifier users.
- Super Users: Super users create and maintain other user accounts.
Access control: Access control for creator users is based on passwords. All other categories of users will have to sign the login message with their private keys stored in their smart cards to gain access to any SFMS server (viz., Hub, CGBS, Gateway, Branch, or Off-line server).
Authentication: When a message is verified or authorized, the verifier/authorizer user has to digitally sign the message. The digital signature of the verifier user is stored in the local database and the authorizer user's signature is appended to the message and travels to the destination server. Even after the message is processed at the destination node, the signature is stored with the message when it is archived so that it is available even at a later date for verification and also to prevent altering of messages after archival.
Certification: Thus, all categories of users except Creator users will have to have legally valid Public Key Certificates (PKC). Similarly, every server (viz., Hub, CGBS, Gateway, Branch, or Off-line Server) will have to be provided with a signing PKC and an encryption PKC. In addition, banks may opt for Secure Server (SSL) Certificates for allowing HTTPS access to those servers which are accessed by remote on-line terminals. Thus, the various PKCs required for SFMS operations will be as follows:
- User PKCs: For every user at Gateway or CGBS, and for every Verifier, Authoriser or Super User at branches
- Server Signing PKC: For every SFMS server (viz., Hub, CGBS, Gateway, Branch, or Off-line Server)
- Server Encryption PKCs: For every SFMS server (viz., Hub, CGBS, Gateway, Branch, or Off-line Server)
- Secure Server PKCs: For any server where the bank feels it is necessary to restrict access to HTTPS mode.
For the procedure to be followed to obtain PKCs please visit the IDRBT CA Website.
SFMS Message Usage
SFMS messages can be used for relaying any type of message from one bank branch to another. Irrespective of whether the message has financial implication or not and whether the information contained therein is confidential or not, every message is relayed in strict confidence and authenticated with the digital signature of the authorizing official. This signature is stored along with the message in the receiving system's database in such a manner that the signature is verified whenever the message is printed or processed.
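The archive check described above (the authorizer's signature is stored with the message and re-verified whenever the message is printed or processed) can be sketched as follows; this is an added example, not SFMS code. It assumes ECDSA P-256 over SHA-256, an in-memory key in place of the smart card, and a public key used directly rather than read from the authorizer's PKC; all type and function names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ArchivedMessage is a hypothetical archive record: body plus authorizer signature.
type ArchivedMessage struct {
	Body      []byte
	Signature []byte // ASN.1 DER ECDSA signature (assumed algorithm)
}

// Authorize signs the message digest with the authorizer's private key
// (an in-memory key here, assumed in place of a smart card) and appends it.
func Authorize(priv *ecdsa.PrivateKey, body []byte) (ArchivedMessage, error) {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return ArchivedMessage{Body: body, Signature: sig}, err
}

// VerifyArchived re-checks the stored signature before a record is printed or
// processed; pub stands in for the key taken from the authorizer's PKC.
func VerifyArchived(pub *ecdsa.PublicKey, m ArchivedMessage) bool {
	digest := sha256.Sum256(m.Body)
	return ecdsa.VerifyASN1(pub, digest[:], m.Signature)
}

// Demo signs a constructed sample message (not a real SFMS format) and returns
// the check result for the intact record and for a copy edited after archival.
func Demo() (intact, altered bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	msg, err := Authorize(priv, []byte("PAY INR 1000 TO ACCT 12345"))
	if err != nil {
		return false, false, err
	}
	tampered := ArchivedMessage{Body: []byte("PAY INR 9000 TO ACCT 12345"), Signature: msg.Signature}
	return VerifyArchived(&priv.PublicKey, msg), VerifyArchived(&priv.PublicKey, tampered), nil
}

func main() { fmt.Println(Demo()) }
```

The altered copy fails because the signature covers a digest of the body, so any edit made after archival no longer matches what the authorizer signed.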
As SFMS messages cover every conceivable method of information interchange between any two offices of a bank or banks, their usage in day-to-day banking would be limited only by the limits of the user's imagination.
