Tenant Rails Onboarding
This area lets a tenant institution submit the credentials and operational details required to activate their side of the Vector Zulu sovereign rails. Bank-side prerequisites are listed here for context only — the bank completes them in parallel; you do not upload anything related to them.
Security boundaries (read first)
You upload your institution's side of the rails. Tenant-side credentials — including private keys, mTLS bundles (.pfx/.p12), API secrets, and HMAC keys — are accepted and stored encrypted-at-rest with Fernet (AES-128-CBC + HMAC-SHA256). Every deposit and every reveal is recorded in an append-only audit trail.
You do NOT upload:
- Bank credentials — the bank operates its own keys and certificates.
- Customer data — KYC, account balances, personal identifiers.
- Anything outside the five sections below.
What you submit (tenant side)
| Section | What to include |
|---|---|
| Institution Identification | Registration number, regulatory licence number, jurisdiction, signatory list (no national ID numbers). |
| Rails Connectivity | SWIFT BIC, IBAN/account stubs, public mTLS certificate, JSON of your endpoint URLs. (Private keys go in the encrypted credential vault below.) |
| Settlement Alignment | Cut-off times, value-date policy, currency list, settlement calendar (PDF). |
| Security & Compliance | Penetration-test attestation, ISO 27001 / SOC 2 certificate, FATF / sanctions screening attestation. |
| Operational Contacts | Treasury ops contact, incident response on-call, business continuity contact. |
Bank-side prerequisites (informational only)
The bank completes the following in parallel. They are listed here so your operations team understands the full picture; you do not upload anything related to these items.
- Rail identifiers — bank issues internal rail IDs, SWIFT routing keys, settlement corridor codes.
- Settlement windows — per-currency cut-off times for your jurisdiction.
- Certificates — bank's own mTLS server certificate and CA bundle.
- Failover configuration — Sentinel monitoring, kill-switch posture, HA routing.
- LICK key exchange — bank and tenant agree on HMAC key IDs for service-to-service signing.
File policy
Allow-listed file types
Public documents and certificates:
.asc .cer .crt .enc .jks .json .key .p12 .pdf .pem .pfx .txt
Maximum 10 MiB per file. Files outside the allow-list are rejected with HTTP 415 before they touch the filesystem.
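One way to implement the pre-write check this policy describes, as an added example and not the portal's own code. The allow-list, the 10 MiB cap and the HTTP 415 come from the text above; the function names, the filename character rule and the 400/413 status codes are assumptions.

```python
import os
import re
from typing import Tuple

# Allow-list and size cap as stated in the file policy above.
ALLOWED_EXTENSIONS = frozenset(
    ".asc .cer .crt .enc .jks .json .key .p12 .pdf .pem .pfx .txt".split()
)
MAX_BYTES = 10 * 1024 * 1024  # 10 MiB

# Assumption: conservative filename charset; the page does not specify one.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def check_upload(filename: str, declared_size: int) -> Tuple[int, str]:
    """Return (http_status, reason) before any byte is written to disk."""
    # Reject path components instead of stripping them: a name such as
    # "../../etc/x.pem" should never be quietly rewritten into "x.pem".
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return 400, "filename contains a path separator or NUL byte"
    if not _SAFE_NAME.fullmatch(filename):
        return 400, "filename has unexpected characters or length"
    # Only the final suffix decides, compared case-insensitively, so
    # "cert.PEM" passes while "cert.pem.exe" and "cert.pem." do not.
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return 415, f"extension {ext or '(none)'} is not allow-listed"
    if declared_size <= 0:
        return 400, "empty or invalid size"
    if declared_size > MAX_BYTES:
        return 413, "file exceeds 10 MiB"  # assumption: 413 for oversize
    return 200, "accepted"


def read_capped(stream, limit: int = MAX_BYTES) -> bytes:
    """Read an upload body without trusting the declared size.

    Reads at most limit + 1 bytes, so an oversize body is detected
    without buffering all of it.
    """
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise ValueError("body exceeds size cap")
    return data
```

The extension check only narrows what is accepted by name; it says nothing about the file's content, so anything parsed later (certificates, JSON, PDFs) still needs its own validation.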
Encrypted credential vault
Private keys, PFX/JKS bundles, API secrets and HMAC keys are accepted through the credential vault. Payloads are encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256) using a key sourced from Azure Key Vault. Only bank-side operators with the owner role can reveal the cleartext, and every reveal is audit-logged.
Need access?
Your bank-side processor will issue a one-time invitation token to the contact email on file. Use it at the Tenant Submission Area.
Support: rails-onboarding@korenet.cloud · +27 (0)10 590 7717