Participant Technical Reference Manual - IESO
Participant Technical Reference Manual
2. Participant Workstation, Network & Security
information). Figure 2-19 illustrates the conceptual architecture for the PKI / digital certificate solution.

127 For Internet Explorer browser users, during the SSL handshake, and after the user has manually or automatically presented an IESO-issued and valid browser-based certificate, the MOSMIM Web Server identifies itself and requests that the user grant certain access permissions so that the MIM MPI Applet can be downloaded and run. This means that the MOSWEB server requires the user to present his or her certificate, previously imported into the Internet Explorer browser certificate database. The server verifies that the client certificate within Internet Explorer is a valid certificate issued by the IESO's Certification Authority by comparing it with the CA certificate installed on the IESO's web server. This happens largely automatically, and the user can present only IESO-issued client certificates to the MOSWEB server. The client certificate presented from the Internet Explorer browser for logon must also correspond in version, validity dates, and content with the EPF file to be used in the next step, or logon will not be permitted.
128 After the SSL session is established, the MIM MPI Applet is downloaded to the user's workstation and the market participant user is taken to a main Web site where he or she is required to enter the name and path of an EPF file and the Passphrase (a string of words and characters typed in to authenticate) for that EPF. The user chose this passphrase when the EPF was created with the IESO CLS application. This gives the individual rights to the necessary areas of the Web site. The process works like this: an End Entity at the market participant presents their digital certificate (encapsulated in an EPF) to the Certification Authority system via the MPI applet. The MPI applet completes some checks. A critical one is the validity check of the client's IESO digital certificate. To perform this check, the MPI applet PKI code downloaded from the MOSMIM Web Server consults a current CRL (Certificate Revocation List) that resides on an X.500 directory at the Certification Authority under normal online mode operation. If the digital certificate passes the checks, a USERID value is parsed from the certificate and used to allow access to predefined web sites. If the user's certificates require updating because the rollover point of the encryption or signing keys has been reached, the EPF and P12 files shall be updated by the MPI applet PKI code and the keys and certificates will be renewed automatically upon login.
129 The IESO may choose to operate the MPI in certificate offline mode if the need arises due to service outages at the Certificate Authority. Such outages are expected to be rare and of short duration. The IESO maintains total control over the mode of operation, online or offline. Under such circumstances, Market Participant users will still be able to log in to the Market systems and conduct business. No configuration changes are required on the part of Market Participants for the mode of MPI operation, and the change of mode will be completely transparent to them. In offline mode, IESO-issued certificates will not undergo CRL checks during login but will go through all other backend security checks as they do now. This does not affect the technical requirements for normal communications to the CA systems.
130 The layout of the USERID is the REGISTRATION User Login Name, concatenated with an @ symbol, and finished with the REGISTRATION market participant Constant Shortname. See the Technical Interfaces Page of the IESO's Web site for details on how the REGISTRATION User Login Name and REGISTRATION market participant Constant Shortname are created. Below is an example of the syntax of the UserID:
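As an added illustration (not the manual's own example, which does not appear on this page), the following Python models the logon checks of paragraphs 127 to 130 over constructed certificate records: issuer comparison against the installed CA, validity dates, browser-certificate/EPF correspondence, a CRL lookup that is skipped in certificate offline mode, and parsing of the login@shortname USERID. The Cert record, the sample values and the USERID character classes are assumptions for the example, not IESO formats or IESO code.

```python
from dataclasses import dataclass
from datetime import date
import re

# Paragraph 130 layout: login "@" constant shortname; character classes are an assumption.
USERID_RE = re.compile(r"(?P<login>[A-Za-z0-9._-]+)@(?P<shortname>[A-Za-z0-9]+)")

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 client certificate (browser copy or EPF copy)."""
    serial: int
    issuer: str
    version: int
    not_before: date
    not_after: date
    userid: str

def parse_userid(userid: str):
    """Split a USERID into (login name, constant shortname); reject any other layout."""
    m = USERID_RE.fullmatch(userid)
    if m is None:
        raise ValueError(f"USERID not in login@SHORTNAME layout: {userid!r}")
    return m["login"], m["shortname"]

def mpi_logon(browser_cert, epf_cert, crl_serials, ca_name, today, online=True):
    """Apply the logon checks in order and return (login, shortname) on success.
    online=False models certificate offline mode: the CRL lookup is skipped, all else kept."""
    # The web server compares the presented certificate against the installed IESO CA.
    if browser_cert.issuer != ca_name:
        raise PermissionError("client certificate not issued by the IESO CA")
    # The certificate must be within its validity dates.
    if not browser_cert.not_before <= today <= browser_cert.not_after:
        raise PermissionError("client certificate outside its validity period")
    # Browser certificate and EPF must agree in version, validity dates and content.
    if browser_cert != epf_cert:
        raise PermissionError("browser certificate does not correspond to the EPF")
    # The CRL is consulted only under online mode operation.
    if online and browser_cert.serial in crl_serials:
        raise PermissionError("client certificate is revoked")
    # The USERID parsed from the certificate drives access to the predefined web sites.
    return parse_userid(browser_cert.userid)

# Constructed sample data, not IESO values.
CA = "IESO Test CA (constructed)"
GOOD = Cert(1001, CA, 3, date(2010, 1, 1), date(2011, 1, 1), "jsmith@ACMEPWR")
OLD_EPF = Cert(1001, CA, 2, date(2009, 1, 1), date(2010, 1, 1), "jsmith@ACMEPWR")
REVOKED = Cert(1002, CA, 3, date(2010, 1, 1), date(2011, 1, 1), "rjones@ACMEPWR")
CRL = {1002}           # serials on the current revocation list
TODAY = date(2010, 3, 15)
```

Calling mpi_logon(REVOKED, REVOKED, CRL, CA, TODAY) refuses the logon, while the same call with online=False admits it, which is exactly the difference paragraph 129 describes between the two modes.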
Issue 21.1 – March 15, 2010 - estimated Public 43