This section describes the data exchanges between UKG HR Service Delivery and the IS client in terms of protocols, procedures, and naming conventions.
All CSV files transmitted as part of data synchronization must respect this protocol (see: Synchronizing data).
The protocol used for file exchanges is SFTP (SSH File Transfer Protocol).
This service uses the SSH-2 protocol version.
Sessions must be established from the client to UKG HR Service Delivery, whether it involves sending or receiving data.
The company has a single account used for identification.
UKG HR Service Delivery verifies that the login request originates from the company using an identification/authentication mechanism, which is performed using an encryption key provided by the company.
UKG HR Service Delivery provides different SFTP servers for data transfer.
This section details the information required for SFTP data transfer from customer IS to UKG HR Service Delivery (ingress) and from UKG HR Service Delivery to customer IS (egress).
For clients hosted on the UKG HR Service Delivery European platform there are 2 servers:
| EU Platform | Staging server | Production server |
|---|---|---|
| Server | sftp.staging.eu.people-doc.com | sftp-9d87a130f70b.eu.people-doc.com |
| Ingress IP | 162.13.44.28 | 159.135.141.101 |
| Port | 9030 | 9030 |
| ED25519 Host key | | |
| RSA-SHA2-512 Host key | | |
| RSA-SHA2-256 Host key | | |
| RSA Host key | | |
| PGP encryption public key | | |
| Egress IP | 162.13.159.37 | 159.135.141.79 |
| Egress public key | | |

For clients hosted on the UKG HR Service Delivery United States platform there are 2 servers:
| US Platform | Staging server | Production server |
|---|---|---|
| Server | sftp.staging.us.people-doc.com | sftp.us.people-doc.com |
| Ingress IP | 166.78.156.49 | 173.203.147.43 |
| Port | 9030 | 9030 |
| ED25519 Host key | | |
| RSA-SHA2-512 Host key | | |
| RSA-SHA2-256 Host key | | |
| RSA Host key | | |
| PGP encryption public key | | |
| Egress IP | 162.209.78.123 | 146.20.165.237 |
| Egress public key | | |

For clients hosted on the Ultimate Software platform there are 2 servers:
| Ultimate Software Platform | Atlanta server | Toronto server |
|---|---|---|
| Server | sftp-a5g0wchkaeb5.hrsd.ultipro.com | sftp-h2ohy6ogo7ew.hrsd.ultipro.ca |
| Ingress IP | 135.84.64.194 | 206.152.14.144 |
| Port | 9030 | 9030 |
| ED25519 Host key | | |
| RSA-SHA2-512 Host key | | |
| RSA-SHA2-256 Host key | | |
| RSA Host key | | |
| PGP encryption public key | | |

To use our SFTP service, you must be able to contact our SFTP servers.
Request an authorization from your IT department if they are filtering outgoing connections.
Your IT department must allow outbound traffic through the port used by the SFTP server.
Communicate to UKG the public IP addresses that must be allowed.
Please request the list of public IP addresses from your IT department.
Up to 254 IP addresses can be allowed.
It is strongly recommended to assign a unique IP address to the flow to our SFTP server.
Please contact your IT department for more information.
Warning
UKG HR Service Delivery can ban the IP addresses concerned if suspicious behavior is detected (flood, too many connections, dangerous payload, …).
Each SFTP account allows up to two authentication methods:
- Using public SSH keys:
  - Method to use by default.
  - Minimum security requirements apply.
- Password based (Warning: upcoming deprecation in 2022):
  - Disabled by default.
  - Only enabled if you can’t use SSH keys.
UKG HR Service Delivery only accepts public SSH keys of the following types. Other SSH key types, sizes and formats are rejected.
| Key type | Format | Min. size | Recommendation level |
|---|---|---|---|
| ed25519 | OpenSSH | | Recommended |
| rsa-sha2-512 | OpenSSH | 3,072 bits | Recommended |
| rsa-sha2-256 | OpenSSH | 3,072 bits | Not recommended |
| rsa | OpenSSH | 3,072 bits | Will enter deprecation shortly, not recommended |

Comment your SSH key:
It is strongly recommended to assign a comment to each of your SSH keys in order to differentiate them and thus make access revocation easier.
Secure your SSH key:
It is strongly advised to provide a passphrase when generating your SSH key pair to ensure its security.
Keep your SSH key secret:
Never communicate your private key.
UKG HR Service Delivery will never ask you to provide your private key: we only request your public key.
Documentation (FR): SFTP_Configuration_fr-FR.pdf
Documentation (EN): SFTP_Configuration_en-US.pdf
Warning
The ssh-keygen tool exists on the 3 main operating systems (Linux, Mac, Windows) to allow you to generate your SSH key.
The customer is free to use any tool, as long as it complies with UKG HR Service Delivery security requirements.
Our service is based on OpenSSH 7.4, and insecure communication algorithms are disabled.
Ensure your software is compatible with the UKG HR Service Delivery version.
Here are a few compatible software packages:
AsyncSSH >= 1.18 (2019-08-23)
FileZilla >= 3.13.0 (2015-08-15)
J2SSH Maverick >= 1.7.14 (2019-04-23)
libssh >= 0.9.1 (2019-10-25)
OpenSSH >= 6.6 (2014-03-15)
Paramiko >= 2.5.0 (2019-09-06)
SSHJ >= 0.27.0 (2019-01-24)
WinSCP >= 5.9.4 (2017-02-15)
Kex algorithms: curve25519-sha256@libssh.org, curve25519-sha256, diffie-hellman-group18-sha512, diffie-hellman-group16-sha512, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256
Server host key algorithms: ssh-ed25519-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, ssh-ed25519, rsa-sha2-512, rsa-sha2-256, ssh-rsa
Encryption algorithms (ciphers): chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes256-ctr, aes128-ctr
Mac algorithms: hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512, hmac-sha2-256
Compression algorithms: none, zlib@openssh.com

| Kex algorithms | OpenSSH 7.4 |
|---|---|
| curve25519-sha256 | yes |
| | yes |
| diffie-hellman-group-exchange-sha1 | no |
| diffie-hellman-group-exchange-sha256 | yes |
| diffie-hellman-group1-sha1 | no |
| diffie-hellman-group14-sha1 | no |
| diffie-hellman-group14-sha256 | yes |
| diffie-hellman-group16-sha512 | yes |
| diffie-hellman-group18-sha512 | yes |
| ecdh-sha2-nistp256 | no |
| ecdh-sha2-nistp384 | no |
| ecdh-sha2-nistp521 | no |

| Server host key algorithms | OpenSSH 7.4 |
|---|---|
| rsa-sha2-256 | yes |
| rsa-sha2-512 | yes |
| ssh-dss | no |
| ssh-ed25519 | yes |
| ssh-rsa | yes |

| Encryption algorithm (cipher) | OpenSSH 7.4 |
|---|---|
| 3des-cbc | no |
| aes128-cbc | no |
| aes128-ctr | yes |
| | no |
| aes192-cbc | no |
| aes192-ctr | no |
| aes256-cbc | no |
| aes256-ctr | yes |
| | yes |
| arcfour128 | no |
| arcfour256 | no |
| arcfour | no |
| blowfish-cbc | no |
| cast128-cbc | no |
| | yes |
| rijndael128-cbc | no |
| rijndael192-cbc | no |
| rijndael256-cbc | no |
| | no |

| MAC algorithm | OpenSSH 7.4 |
|---|---|
| | no |
| hmac-md5-96 | no |
| | no |
| hmac-md5 | no |
| | no |
| | no |
| hmac-ripemd160 | no |
| | no |
| hmac-sha1-96 | no |
| | no |
| hmac-sha1 | no |
| hmac-sha2-256-96 | no |
| | yes |
| hmac-sha2-256 | yes |
| hmac-sha2-512-96 | no |
| | yes |
| hmac-sha2-512 | yes |
| | no |
| | no |
| | no |
| | no |

| Compression algorithm | OpenSSH 7.4 |
|---|---|
| none | yes |
| | yes |

| Modulus | OpenSSH 7.4 |
|---|---|
| Modulus size | >= 2048 bit |

An SFTP account with no activity for 12 months is disabled.
Customers can request reactivation for 6 additional months before definitive deletion of the account and its accesses.
A firewall rule with no activity for 12 months is disabled.
An RSA key whose size is between 3072 bits and 4095 bits is valid for 2 years.
An RSA key greater than or equal to 4096 bits is valid for 5 years.
An ED25519 key is valid for 5 years.
Customers have 15 days to retrieve subscription reports made available on their account (out/ins directory).
Customers have 90 days to retrieve other reports made available on their account (out/ directory).
Files processed are saved and deleted 45 days after their processing date.
Files not processed are deleted 90 days after their creation date.
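
An added example, not part of UKG's documentation or code: a check to run on an OpenSSH public key line before submitting it, applying the accepted key types, the 3,072-bit RSA minimum, the comment recommendation and the key validity periods stated above. The function names are assumptions, and `make_constructed_line` builds syntactically valid but non-functional keys used only as sample input.

```python
import base64
import struct

MIN_RSA_BITS = 3072  # minimum RSA size from the key-type table


def make_constructed_line(key_type, fields, comment=""):
    """Build a key line from raw fields (constructed sample data, not a real key)."""
    parts = [key_type.encode()] + fields
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".strip()


def _fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated field")
        out.append(blob[pos:pos + length])
        pos += length
    return out


def check_public_key(line):
    """Return (accepted, validity_years, reason) for one OpenSSH public key line."""
    parts = line.strip().split(None, 2)
    try:
        key_type = parts[0]
        fields = _fields(base64.b64decode(parts[1], validate=True))
        if fields[0] != key_type.encode():
            raise ValueError("type mismatch")
    except (IndexError, ValueError):
        return False, 0, "malformed key line"
    note = "" if len(parts) == 3 else " (no comment set)"
    if key_type == "ssh-ed25519" and len(fields) == 2 and len(fields[1]) == 32:
        return True, 5, "ed25519" + note
    if key_type == "ssh-rsa" and len(fields) == 3:
        # All three RSA rows of the table share the "ssh-rsa" key format;
        # rsa-sha2-256/512 only name the signature hash used at login.
        bits = int.from_bytes(fields[2], "big").bit_length()
        if bits < MIN_RSA_BITS:
            return False, 0, f"rsa {bits} bits is below {MIN_RSA_BITS}"
        return True, (5 if bits >= 4096 else 2), f"rsa {bits} bits" + note
    return False, 0, f"unsupported key type or layout: {key_type}"
```
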
The company has input/output directories on the UKG HR Service Delivery server by document type and by data type.
The input directory (in) and the output directory (out) are symmetrical. The documents sent by the IS client are deposited in the in directory.
The processing reports associated with the input files are made available in the out directory (error report).
Some other specific purpose directories are not symmetrical.
Warning
Report files related to data synchronization and document distribution.
The provision of these reports is optional and must be planned during the project phase.
Warning
If the client’s tool does not automatically create a file with a “.filepart” suffix during its transfer, the client company must include the “.filepart” suffix when writing the file, which must be subsequently removed at the end of the transfer.
This step is necessary to prevent UKG HR Service Delivery from processing a file that is being sent or has failed to be sent before the transfer is complete.
UKG is responsible for the destruction or archiving of files after processing.
UKG HR Service Delivery uses the same mechanism (See .filepart above) to prevent the client company from retrieving a file in the process of being created.
The company is responsible for destroying the files after recovery; otherwise, UKG HR Service Delivery destroys them automatically after three months.
The customer agrees to deposit these files with at least file permissions 640 (rw-r-----).
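
The upload rule above (write under a ".filepart" name, set permissions 640, rename once the transfer is complete) as an added Python example, not UKG's own code. The `sftp` argument is assumed to be a client object with `paramiko.SFTPClient`-style `put`, `chmod`, `stat`, `rename` and `remove` methods, and the server is assumed to permit `chmod` and `stat`.

```python
import os
import posixpath

PART_SUFFIX = ".filepart"  # suffix required while a transfer is in progress
FILE_MODE = 0o640          # rw-r-----, the permissions the page asks for


def upload_with_filepart(sftp, local_path, remote_dir):
    """Upload local_path into remote_dir so that it only appears under its
    final name once fully transferred. Returns the final remote path.

    sftp: assumed SFTP session object, e.g. paramiko.SSHClient().open_sftp().
    """
    final_path = posixpath.join(remote_dir, os.path.basename(local_path))
    part_path = final_path + PART_SUFFIX
    expected = os.path.getsize(local_path)
    try:
        sftp.put(local_path, part_path)
        sftp.chmod(part_path, FILE_MODE)
        received = sftp.stat(part_path).st_size
        if received != expected:
            raise OSError(f"size mismatch: sent {expected}, server has {received}")
        # Only a complete file ever carries the final name.
        sftp.rename(part_path, final_path)
    except Exception:
        # Best-effort cleanup of the partial file, then report the failure.
        try:
            sftp.remove(part_path)
        except Exception:
            pass
        raise
    return final_path
```
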

| Symmetrical INPUT directories | Symmetrical OUTPUT directories | Other directories |
|---|---|---|
| in | out | dev |

| Symmetrical INPUT directories | Usage |
|---|---|
| in/rpa/emp | Directory containing ZIP file to Document Manager with Robotic Process Automation |
| in/rpa/gen | Directory containing CSV to Docgen to Document Manager with Robotic Process Automation |
| in/rpa/prc | Directory containing CSV to process with Robotic Process Automation |
| in/rpa/req | Directory containing CSV to requests with Robotic Process Automation |
| in/rpa/sig | Directory containing CSV to Docgen to Signature with Robotic Process Automation |
| in/sal | Directory containing the import and update employee files (see Employee synchronization) |
| in/sig | Directory containing mass signature distribution |
| in/sir | Directory containing the import and update files for the organizations (see Organization synchronization) |
| in/usr | Directory containing the document management user import and update files (see User profile synchronization) |

| Symmetrical OUTPUT directories | Usage |
|---|---|
| out/rpa/emp | Directory containing reports of ZIP file to Document Manager with Robotic Process Automation |
| out/rpa/gen | Directory containing reports of CSV to Docgen to Document Manager with Robotic Process Automation |
| out/rpa/prc | Directory containing reports of CSV to process with Robotic Process Automation |
| out/rpa/req | Directory containing reports of CSV to requests with Robotic Process Automation |
| out/rpa/sig | Directory containing reports of CSV to Docgen to Signature with Robotic Process Automation |
| out/sal | Directory containing the employee synchronization error reports |
| out/sig | Location of the PGP public key that allows the signature of the generated files to be verified. |
| out/sir | Directory containing the organization synchronization error reports |
| out/usr | Directory containing the user synchronization error reports |

| Other directories | Usage |
|---|---|
| dev | Directory used for logging purposes |
| in/dis | Directory containing distribution files and spool |
| in/dse | |
| in/emp | |
| in/pro | Directory containing the project files (see Creating a distribution project) |
| in/rpa/custom_xxx | Directory containing specific or custom integration |
| out/bil | Directory containing the billing reports |
| out/bir | Directory containing business intelligence reports |
| out/emp | |
| out/ins | Directory containing the employee registration reports |
| out/rpa/custom_xxx | Directory containing specific or custom integration reports |
| out/tra | Directory containing the file transmission reports through SFTP |

For each file sent to UKG HR Service Delivery server via SFTP, the system generates a proof of receipt containing the hash of the received file.
This proof is stored in the folder out/tra.
The generated file complies with the following naming convention:
cdmat_{client}_tra_{flux}_{timestamp}.xml
With:
- client: unique client identifier (the partner is not repeated in this name)
- flux: type of file received corresponding to the proof of receipt:
  - dis: batched distribution files (payslip, etc.)
  - usr: document management user (user updates)
  - usa: people assist user (user updates)
  - sal: employee (employee updates)
  - ins: registration status
  - sir: company updates
  - bil: billing report
  - dse: data sets
- timestamp: timestamp corresponding to the creation of the proof
And the content of the file is as follows:
```xml
<?xml version='1.0' encoding='utf-8'?>
<transfert_report version="1">
  <file>
    <file_name>ndmat_198538752_2011091610440841_sal_rhw_930_20130206113837.csv</file_name>
    <file_timestamp>2013-01-16T14:20:00+01:00</file_timestamp>
    <file_fingerprint algorithm="SHA1">9849a4d500126203a099aca0cd7017cb8748fb2a</file_fingerprint>
    <file_size>238</file_size>
  </file>
</transfert_report>
```
With:
- file_name: Name of the file received corresponding to the proof
- file_timestamp: Date the proof was generated as
- file_fingerprint: Hash of the received file
- file_size: Size of the received file in bytes
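
An added example, not UKG's own code: after an upload, the sender can fetch the proof of receipt from out/tra and confirm that the name, size and fingerprint match the file it sent. The function names, the extra digest entries and the sample CSV content are assumptions; the XML layout is the one shown above.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# The page's sample declares "SHA1"; the SHA-2 entries are assumptions.
DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def verify_receipt(receipt_xml, sent_name, sent_bytes):
    """Return the list of mismatches between a proof of receipt and the file sent."""
    try:
        root = ET.fromstring(receipt_xml)
    except ET.ParseError:
        return ["not a transfer report"]
    entry = root.find("file")
    if root.tag != "transfert_report" or entry is None:
        return ["not a transfer report"]
    problems = []
    if (entry.findtext("file_name") or "").strip() != sent_name:
        problems.append("file_name differs")
    size_text = (entry.findtext("file_size") or "").strip()
    if not size_text.isdecimal() or int(size_text) != len(sent_bytes):
        problems.append("file_size differs")
    fp = entry.find("file_fingerprint")
    algo = (fp.get("algorithm", "") if fp is not None else "").upper()
    if algo not in DIGESTS:
        problems.append(f"unsupported fingerprint algorithm {algo!r}")
    else:
        local = DIGESTS[algo](sent_bytes).hexdigest().encode()
        claimed = (fp.text or "").strip().lower().encode()
        if not hmac.compare_digest(local, claimed):
            problems.append("file_fingerprint differs")
    return problems


def constructed_sample():
    """Constructed file plus a matching receipt in the page's XML layout."""
    name = "ndmat_macrosoft_macrosoft_sal_hrmanager_v6_15486131891569.csv"
    data = b"employee_id;lastname\n0001;Doe\n"  # constructed CSV content
    xml = (
        "<?xml version='1.0' encoding='utf-8'?>"
        '<transfert_report version="1"><file>'
        f"<file_name>{name}</file_name>"
        "<file_timestamp>2013-01-16T14:20:00+01:00</file_timestamp>"
        f'<file_fingerprint algorithm="SHA1">{hashlib.sha1(data).hexdigest()}'
        f"</file_fingerprint><file_size>{len(data)}</file_size></file></transfert_report>"
    )
    return xml.encode("utf-8"), name, data
```

An empty list means the server holds exactly the bytes that were sent; any entry is a reason to re-send the file or investigate the transfer.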
The naming format of the uploaded files is as follows:
{dest}_{partner}_{client}_{flux}_{appemet}_{version}_{timestamp}.{extension}
or {dest}_{client}_{client}_{flux}_{appemet}_{version}_{timestamp}.{extension}
or {dest}_{client}_{client}_{flux}_{timestamp}.{extension}
With:
- dest: destination application, may take the values:
  - ndmat: For files from the IS client to UKG HR Service Delivery
  - cdmat: For UKG HR Service Delivery files to the IS client
- partner or client: unique identifier of the partner in the case of indirect clients. In the case of a direct client, provide the client identifier
- client: unique identifier of the client
- flux: type of the file. May take the values:
  - dis: batched distribution files (payslip, etc.)
  - usr: document management user (user updates)
  - usa: people assist user (user updates)
  - sal: employee (employee updates)
  - ins: registration status
  - sir: company updates
  - bil: billing report
  - dse: data sets
- appemet: (optional) Sending application. Used in particular when multiple different applications must communicate with UKG HR Service Delivery
  - From client: application name (ex. SAP)
  - From UKG HR Service Delivery: UKG HR Service Delivery application name (ex. ndmat)
  - For data sets synchronization, the appemet is used to pass the code of the dataset to synchronize. The code of the dataset is unique and available in the administration interface of UKG HR Service Delivery
- version: (optional) If possible, use the exact version of the application, following the character set. Used in particular when multiple different applications must communicate with UKG HR Service Delivery
  - Note: For test files to be integrated into the client acceptance platform, indicate "tst"
- timestamp: Timestamp, corresponding to the creation of the file, in yymmddhhmmss format
- extension: zip, pdf, csv, xml, sig
  - Note: The sig extension corresponds to the signature file for each report file generated by UKG HR Service Delivery
For example, an employee file (flux = sal), for a direct client named macrosoft using an HRIS named hrmanager in version 6 would be named as follows:
ndmat_macrosoft_macrosoft_sal_hrmanager_v6_15486131891569.csv