Jet and Collective - Data Upload
Business contacts: Chloe Haywood, Alice Wheeler
IT Contacts: Philippa Lock, Sam Barber
3rd Party Contacts: vasy@collectivebenefits.com, alexander@collectivebenefits.com
Summary:
Collective are a Hire & Reward Insurance provider that Just Eat Takeaway have decided to use. Any of our couriers that want to use their own mopeds to make deliveries need to have Hire & Reward insurance to be able to work, so there will be a two-way flow of data.
Randstad will provide Collective with courier details so their eligibility (for the insurance) can be checked and a policy created; Collective will send us the results of the eligibility checks, policy information, and details of anyone whose policy is no longer valid. We will provide the data via a portal upload; the remaining data sharing is what needs to be done via SFTP.
Solution:
In this instance we are pushing and pulling data (CSV file) daily. This is to and from a hosted SFTP service looked after by Collective, which is an AWS hosted solution (Transfer Family). Access to the 3rd party SFTP service is restricted by Randstad UK external IP and by an RSA public key, which Collective use to generate the user accounts.
External IP Notes:
We have the standard external IP addresses as per each ISP per location, but since the introduction of Zscaler by Randstad Global our egress IP is now different and random. To overcome this, Zscaler provide Randstad with a set of external IPs that (if configured) allow specific traffic to NAT to these IPs. This is called SIPA and must be requested via the Zscaler team. The IPs are listed below:
Zscaler SIPA IPs as of March 2022
54.217.153.113
54.246.37.107
79.125.113.50
54.75.44.204
52.16.180.90
34.255.222.242
Egress from our AWS VPC
34.250.17.120
34.251.4.163
SSH notes:
In order to create authenticated users for this service we need to generate an RSA1 key pair (Public/Private). Please note the later section "SFTP up/download notes": we need to keep users to a minimum. The key pair can be generated on any Windows computer using the guidance here:
1. Ensure your Windows computer has the SSH Client Windows feature enabled
2. From an admin command prompt window, generate the key using this command: ssh-keygen. By default this will use the RSA format with 2048 key size (for more info go here: https://www.ssh.com/academy/ssh/keygen)
3. When you execute the command you will be prompted for:
Location = Enter the full path of where you want the file saved including file naming convention - Service_User_Date e.g. c:\JetCollective_SamBarber_240322
Passphrase = Do not enter at this stage
4. The command will generate 2 files. Rename the .pub file and append _Public to the name
5. Convert the file that has no visible extension to .ppk format using the "PuTTY Key Generator" application (may need to be installed). Run the application and load the file.
6. Enter a passphrase that the intended user/robot can use, then click on "Save private key". Use the naming convention as before, but ensure the file name ends with _Private.ppk
7. You should now have a private key file with extension .ppk. The private key should never be shared with anyone apart from the intended user and IT admin. This file is used to connect to the 3rd party SFTP service using the FileZilla application.
8. Delete the file with no extension which was used to create the .ppk file, as this is not password protected
9. Save the files in the key store - (We do not currently have a key store, this section needs to be updated)
SFTP up/download notes:
Send the Public key to Collective (contacts at the beginning) who will create a user account to access the SFTP service.
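A check that can be run on the _Public file before it is sent, as an added example that is not part of the original procedure or any Randstad or Collective tooling: it refuses anything that looks like a private key (OpenSSH or .ppk), confirms the file is an RSA key of at least the 2048 bits mentioned in step 2, and returns its fingerprint. The function names are hypothetical and the sample key is constructed for the demonstration (structurally valid, not a real key).

```python
import base64
import hashlib
import struct

MIN_RSA_BITS = 2048  # key size this page expects from ssh-keygen

def read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then data."""
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def check_public_key(text):
    """Return (key_type, bits, sha256_fingerprint) or raise ValueError."""
    if "PRIVATE KEY" in text or text.lstrip().startswith("PuTTY-User-Key-File"):
        raise ValueError("this is a private key file, do not send it")
    fields = text.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not a single-line OpenSSH RSA public key")
    try:
        blob = base64.b64decode(fields[1], validate=True)
        inner_type, pos = read_string(blob, 0)
        _exponent, pos = read_string(blob, pos)
        modulus, pos = read_string(blob, pos)
    except (ValueError, struct.error) as exc:
        raise ValueError("malformed key data") from exc
    if inner_type != b"ssh-rsa" or pos != len(blob):
        raise ValueError("key data does not match its ssh-rsa label")
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < MIN_RSA_BITS:
        raise ValueError(f"RSA key is only {bits} bits")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return fields[0], bits, fingerprint


def constructed_key(bits):
    """Build a structurally valid (not cryptographically real) sample key line."""
    def mpint(n):
        raw = n.to_bytes(n.bit_length() // 8 + 1, "big")  # room for a leading zero byte
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    print(check_public_key(constructed_key(2048)))
```

The fingerprint is in the same SHA256 form that ssh-keygen -l -f prints for the file, so the two can be compared.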
RPA process
The process flow of uploading and downloading files must be carried out by the RPA process. This is documented as part of that team, but in essence it is the same as the manual way, just with a robot completing the upload and download using Randstad_JETCollectiveRPA and its certificate stored in the password keeper.
Manual User Creation
You must have generated a certificate as per the above instructions and requested the user creation; then you can manually upload/download from the SFTP service. To achieve this the user must open FileZilla via a Citrix desktop or laptop, then set up the connection using the private key file and the username sent by Collective, and then, when connecting, enter the passphrase used for that key file.
Collective SFTP Server: 13.40.230.47 Port 22
Username example: Randstad_Sam
**Remember the external IP must be allowed (at time of writing the Zscaler IPs above, Luton HQ and the AWS egress IPs are allowed)