Participant Technical Reference Manual - IESO

More documents

Recommendations

Info

2. Participant Workstation, Network & Security IMO_MAN_0024 REGISTRATION_User_Login_Name@REGISTRATION_MP_Shortname The required “REGISTRATION Profile” (Registration Profile) is accessed via the UserID. The UserID is stored in a non-critical extension in the digital certificate. In this instance the extension is an optional (“non-critical”) information storage place in the digital certificate. An important aspect of an extension is an OID (Object Identifier). The OID uniquely identifies the USERID (known as an “attribute type”). The OID for this IESO specific “attribute type” for the Cybertrust issued digital certificates is 1.3.6.1.4.1.6334.2.1.2.5.x. 131 When an End Entity at the market participant authenticates, the USERID is parsed from the correct certificate and is used to fetch the “REGISTRATION Profile” from the MIM Netscape Directory Server. The “REGISTRATION Profile” is the access permissions given to the UserID by a specified, responsible individual at the market participant. For more information on the use of the REGISTRATION system please see the Technical Interfaces Page of IESO‟s Web site. 132 See the Certificate Lifecycle System (below) for details on how keys and digital certificates are generated. 133 The users, as noted previously, must have read/write access to their own digital certificate files (EPF and P12), wherever they are stored at the time of login to the MPI. Individual subscriber (person) certificates contained in the EPF and P12 files, when used on a consistent basis for login to the MPI applet via the Internet Explorer browser will be automatically updated by the MPI PKI code when required.. The update schedule for encryption and signing keys is currently every 12 months based on date of creation for each user. The triggering point for update is about 110 days before expiry. If the automatic update is successful, a dialogue window in the MPI will inform the user. The use of the Certificate Lifecycle System (CLS) is not required for update of certificates for users logging onto the MPI on a regular basis. If read/write access to the EPF and P12 files is not enabled, certificate updates, when triggered, will not complete successfully and access to the IESO secure systems by the user will be lost until certificate key recovery can be processed between the market participant and IESO LRA. The CLS is still required for initial certificate creation, P12 file export and recovery purposes. The CLS can be used for manual certificate update if it is known by the user that their certificate has passed its update trigger point and login to the MPI has not been done recently, is not required for some time, or will not occur until after certificate expiry. 134 Bids and offers may be submitted via the browser in two ways: Template and HTML Form. When the bid or offer is submitted in the browser, the bid or offer data is signed with the private signing key from the EPF file of the individual that has been authenticated during the SSL session and a unique digital signature of the data is created in the process and stored with the unique transaction ID on the IESO systems. The transaction ID binds the submitted bids and offers to the signature as it is also embedded within the signature as well as the MIM database. 135 The browser is also used to verify the digital signatures of Templates and HTML Forms. 136 The MIM MPI Applet requires communications access 'via' the following ports to the PKI servers: 389 (LDAP protocol), 443 (SSL protocol) and 829 (PKIX-CMP protocol). Market participants with firewalls must have these ports open appropriately for communication with the IESO and its CA. Port 829 for communications with the 44 Public Issue 21.1 – March 15, 2010 - estimated
Participant Technical Reference Manual 2. Participant Workstation, Network & Security appropriate CA Manager is extremely critical for certificate updates as secure PKI communications for certificate management is processed via this port. Portal TruePass Applet (Browser Based Solution) 137 Market participants can download the “Identity Management Operations Guide” and the “Portal User Interface User‟s Guide” (see the Technical Interfaces Page of IESO) for instructions on browser interface use. 138 The small TruePass Applet is automatically downloaded after an individual browses to the IESO Portal Web site URL, chooses to login with a digital certificate (instead of a User ID / Password) and presents their authentic digital certificate EPF file to login to the Portal. 139 To enable digital certificate access to the IESO Portal, the IESO employs the Entrust TruePass Java Applet that uses IESO Digital Certificates and keys held in the EPF file. Periodic certificate and key updates to the EPF is handled by the TruePass product. When a market participant browses to the IESO Portal and chooses to login, a SSL (Secure Socket Layer) session is started. The market participant can then choose to login with a digital certificate instead of the standard User ID / password and uses the IESO digital certificate to authenticate to the IESO Portal. The user is then logged in to the IESO Portal based on the individual‟s access profile and authorization level”. 140 After establishment of an SSL session when the user chooses to login with a digital certificate the TruePass Applet is automatically downloaded to user‟s workstation and the market participant user is taken to a web page where he/she is required to enter the name and path of an EPF file and the password for the EPF. The user at EPF creation with the Entrust Authority Administration tool chose this password. Once authenticated this gives the individual, rights to the authorized areas of the Portal web site. A critical check is the validity check of the client‟s IESO digital certificate. To perform this check the TruePass applet PKI code downloaded from the IESO Portal server checks a current CRL (Certificate Revocation List) that resides on a X.500 directory at the Certification Authority. If the digital certificate passes the checks, the user is logged in to the Portal with their authentication passed through to the Portal Identity Management system and Portal. If the user‟s certificates require updating due to reaching the rollover point of the encryption or signing keys the EPF file shall be updated by the TruePass applet and the keys and certificates will be renewed automatically upon login. 141 The users, as noted previously, must have read/write access to their own digital certificate EPF file, wherever they are stored at the time of login to the Portal. Individual subscriber (person) certificates contained in the EPF file, when used on a consistent basis for login to the Portal via browser will be automatically updated by the TruePpass PKI code when required. The update schedule for encryption and signing keys is currently every 12 months based on date of creation for each user. The triggering point for update is about 110 days before expiry. If the automatic update is successful, a TruePass dialogue window / page will inform the user. If read/write access to the EPF file is not enabled, certificate updates, when triggered, will not complete successfully and access to the IESO Portal by the user will be lost until certificate key recovery can be processed between the market participant and IESO Identity Management Officer. The web based Entrust Authority Administration tool is still required for initial certificate creation and recovery purposes for digital certificates used with the IESO Portal. Issue 21.1 – March 15, 2010 - estimated Public 45
Page 1 and 2: MANUAL PUBLIC IMO_MAN_0024 Market M
Page 3 and 4: Participant Technical Reference Man
Page 51: Participant Technical Reference Man
Page 99 and 100: Appendix B: List of Commonly Used A

Participant Technical Reference Manual - IESO

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?