Participant Technical Reference Manual - IESO

More documents

Recommendations

Info

2. Participant Workstation, Network & Security IMO_MAN_0024 Layer) session logon established with the certificate presented to the server from the browser certificate database. This is inherent in the Portal‟s TruePass component functionality. This successfully accomplishes data integrity checking, authenticity and authorization of the user. 120 The ABB provided software helps to make the use of certificates as transparent and user friendly as possible. 121 Entrust supports the following Digital Signature Algorithms: RSA DSA ECDSA The current choice for the IESO is RSA. 122 Entrust supports the following Hashing Algorithms: SHA-1 MD5 MD2 RIPEMD-160 The current choice by the IESO is SHA-1. 2.3.3 Integration of Digital Certificates with IESO Web Servers MIM MPI (Market Participant (Graphical User) Interface) Applet (Browser Based Solution) 123 All market participants must have the ability to use the browser-based solution. 124 Market participants can download the “Identity Management Operations Guide”, the “Market Participant Graphical User Interface User’s Guide” and “Portal User Interface User’s Guide” ( see the Technical Interfaces Page of IESO‟s Web site) for instructions on browser interface use. 125 The MIM MPI Applet is automatically downloaded after an individual browses to the IESO secure MPI Web site URL and presents their authentic digital certificate from the browser certificate database and establishes an SSL session. 126 To enable access to the IESO MOSMIM Web Server, the IESO and ABB developed a Java Applet that uses IESO Digital Certificates and keys. To use the browser interface, certificates and keys must also be available within the browser certificate database. Browser based keys and certificates are generated by exporting a set of signing keys and certificate from the Entrust Profile file (EPF) into a file format the browser can understand (for example in the IESO environment, the PKCS#12 file format). Periodic certificate and key updates to the EPF and P12 files shall require re-importing of the certificates from the P12 file into the browser certificate database. When a market participant browses to the IESO MOSMIM Web Server, a SSL (Secure Socket Layer) session is started. The market participant uses the IESO digital certificate to authenticate to the IESO. The user is then logged in to the IESO Web site based on the individual “REGISTRATION profile” (see below for REGISTRATION Profile 42 Public Issue 21.1 – March 15, 2010 - estimated
Participant Technical Reference Manual 2. Participant Workstation, Network & Security information). Figure 2-19 illustrates the conceptual architecture for the PKI / digital certificate solution. 127 For Internet Explorer browser users, during the SSL handshake, and after the user has manually or automatically presented an IESO issued and valid browser based certificate, the MOSMIM Web Server identifies itself and requests that certain access permissions are granted by the user to enable downloading of the MIM MPI Applet and the running of that software. This means that the MOSWEB server requires that the user present his or her certificate previously imported into the Internet Explorer browser certificate database. The server will verify that the client certificate within Internet Explorer is a valid certificate issued by the IESO‟s Certification Authority through comparison with the CA certificate installed on the IESO‟s web server. In fact this happens to a large extent automatically and the user can only present IESO issued client certificates to the MOSWEB server. The client certificate information within the Internet Explorer browser presented for logon must also correspond in version, validity dates, and content with the EPF file to be used in the next step or logon will not be permitted. 128 After establishment of an SSL session, the MIM MPI Applet is downloaded to user‟s workstation and the market participant user is taken to a main Web site where he/she is required to enter the name and path of an EPF file and the Passphrase (a string of words and characters that one types in to authenticate) for the EPF. The user at EPF creation with the IESO CLS application chose this passphrase. This gives the individual, rights to the necessary areas of the Web site. The process works like this; an End Entity at the market participant presents their digital certificate (encapsulated in an EPF) to the Certification Authority system via the MPI applet. The MPI applet completes some checks. A critical check is the validity check of the client‟s IESO digital certificate. To perform this check the MPI applet PKI code downloaded from the MOSMIM Web Server checks a current CRL (Certificate Revocation List) that resides on a X.500 directory at the Certification Authority under normal online mode operation. If the digital certificate passes the checks, a USERID value is parsed from the certificate and is used to allow access to predefined web sites. If the user‟s certificates require updating due to reaching the rollover point of the encryption or signing keys the EPF and P12 files shall be updated by the MPI applet PKI code and the keys and certificates will be renewed automatically upon login. 129 The IESO may choose to operate the MPI in certificate offline mode if the need arises due to service outages at the Certificate Authority. The probability of this occurring is likely to be minimal and of short duration. The IESO maintains total control over the mode of operation, online or offline. Under such circumstance the Market Participant users will still be able to login to the Market systems and conduct business. No configuration changes are required on the part of Market Participants for the mode of MPI operation and it will be completely transparent. Under such circumstances the IESO issued certificates will not undergo CRL checks during login but will go through all other backend security checks as they do now. This does not impact the technical requirements for normal communications to the CA systems. 130 The layout of the USERID is the REGISTRATION User Login Name, concatenated with an @ symbol, and finished with the REGISTRATION market participant Constant Shortname. See the Technical Interfaces Page of IESO‟s Web site for details on how the REGISTRATION User Login Name and REGISTRATION market participant Constant Shortname are created. Below is an example of the syntax of the UserID: Issue 21.1 – March 15, 2010 - estimated Public 43
Page 1 and 2: MANUAL PUBLIC IMO_MAN_0024 Market M
Page 3 and 4: Participant Technical Reference Man
Page 49: Participant Technical Reference Man
Page 99 and 100: Appendix B: List of Commonly Used A

Participant Technical Reference Manual - IESO

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?