Participant Technical Reference Manual - IESO

More documents

Recommendations

Info

2. Participant Workstation, Network & Security IMO_MAN_0024 142 The Portal TruePpass applet only requires communications access 'via' port 443 (SSL protocol) to the IESO Portal server. Except for communications to the CA‟s web based Entrust Authority Administration tool, the IESO server based TruePass components proxy all communications between the Certification Authority systems and the market participant workstation. 143 The IESO Portal User Interface User’s Guide should be referenced for Portal login procedures. MIM Programmatic API Application (Application Based Solution) 144 Market participants can choose to use the application based MIM programmatic API solution. 145 The MIM API Application can be downloaded from the IESO Web site as a part of the IDK (IESO Development Kit) (see the Technical Interfaces Page of IESO‟s Web site). 146 An alternative route for accessing the MOSMIM Web Server is via the MIM programmatic API with a Market Participant custom application. This MIM programmatic API uses the same underlying code set as the MIM MPI Applet. There are two differences between the MIM programmatic API and the MIM MPI Applet. First, the MIM programmatic API does not need a browser-based certificate. This means no exporting and importing of the PKCS#12 browser based file format is required. (See MIM MPI Applet above for references to exporting and importing). Secondly, only Template based bids and offers may be submitted using the MIM programmatic API. HTML Form data cannot be submitted using the MIM programmatic API Application because HTML Form data is browser based and the MIM programmatic API Application is not using a browser. 147 See MIM MPI Applet section for SSL Handshake details. 148 See MIM MPI Applet section for UserID details. 149 See MIM MPI Applet section for REGISTRATION Profile details. 150 See MIM MPI Applet section for key generation reference. 151 See MIM MPI Applet section for key storage recommendations. 152 To enable access to the MOSMIM Web Server, the IESO & ABB developed a Java MIM programmatic API Application that uses IESO Digital Certificates. When a market participant uses the MIM programmatic API Application to access the IESO Web Server MOSMIM, a SSL (Secure Socket Layer) is session is started. The market participant uses an IESO digital certificate to authenticate to the IESO. The End Entity is able to automatically navigate the IESO site based on the End Entity‟s “REGISTRATION Profile.” Figure 2-21 illustrates the conceptual architecture for the PKI / digital certificate solution. 153 Bids and offers may be submitted using the MIM programmatic API Application in Template form only. The bid or offer is signed with the private signing key of the End Entity that has been authenticated during the SSL session. 154 See MIM MPI Applet for signature verification. 155 The MIM programmatic API Application requires access to the following ports: 389 (LDAP), 443 (SSL) and 829 (Entrust based CA). Market participants with firewalls 46 Public Issue 21.1 – March 15, 2010 - estimated
Participant Technical Reference Manual 2. Participant Workstation, Network & Security must have these ports open for communication with the IESO and its CA. Port 829 for the appropriate CA Manager is extremely critical for certificate updates as secure PKI communications for certificate management is processed via this port. The “IESO Developer's Toolkit (IDK), Implementation Manual” should also be referenced for information on defining communications with the CA Manager. 156 The IESO shall choose to control the mode that the API utilizes a certificate, as of September 2004 for enabling web access continuity. If and when the need arises due to service outages at the Certificate Authority, the IESO is able to set certificate use to offline mode. The probability of this occurring is likely to be minimal and of short duration. The IESO shall maintain total control over the mode of operation, online or offline. Under such circumstance the Market Participant users will still be able to login to the Market systems with the API and conduct business. In general this is centrally controlled by the IESO so that no configuration changes are required on the part of Market Participants for the mode of API operation and it shall be transparent. Under such circumstances the IESO issued certificates do not undergo CRL checks during login but will go through all other backend security checks as they do now. This does not impact the technical requirements for normal communications to the CA systems. 157 „Application‟ (i.e. used by a computer application) certificates contained in the EPF file, when used only for login with the programmatic MIM API, can be updated automatically by the API. This will only occur if the appropriate CA Manager IP address and port is specified by the market participant as described in the “IESO Developer's Toolkit (IDK), Implementation Manual”. The custodian of the certificates must manually update the certificates using the CLS, if the CA Manager IP address information is not specified. The management of such is up to the market participant. Issue 21.1 – March 15, 2010 - estimated Public 47
Page 1 and 2:
MANUAL PUBLIC IMO_MAN_0024 Market M
Page 3 and 4: Participant Technical Reference Man
Page 53: Participant Technical Reference Man
Page 99 and 100: Appendix B: List of Commonly Used A
show all

Participant Technical Reference Manual - IESO

Create successful ePaper yourself

Delete template?

Save as template?