Participant Technical Reference Manual - IESO

More documents

Recommendations

Info

2. Participant Workstation, Network & Security IMO_MAN_0024 IESO Conceptual Architecture for Secure Web Server Connectivity Client Custom Software EPF File Market Participant Users MIM programmatic API Application uses an EPF to authenticate and authorize End Entities to the site as well as sign bids and offers. Cybertrust CA Certification Authority Certificate Database CA X. 500 Directory Server MIM Programmatic API MIM MPI Applet Internet Browser Certificate Client Browser MIM MPI Applet uses a browser certificate to authenticate and uses an EPF based certificate to authorize and sign bids and offers. SSL (Secure Socket Layer) Server and Client communications to Certification Authority and to the IESO. Firewall DMZ Thawte Web Server Certificate CA Parent Certificate MOSMIM MPI Web Server PLC Web Server Thawte Web Server Certificate Secure redirection and secure establishment of new SSL session Firewall Internal PLC User Profile is in this directory MIM Server (& Netscape Directory Server) Figure 2-21: MPI and MIM API Conceptual Architecture 2.3.4 Portal SSO and Identity Management System 158 In addition to Entrust digital certificates, Portal users can login with a User ID account credential where transactional read/write access privileges are not required. Any user who needs access for read–only purposes to confidential information can apply, register for and utilize a User ID account identity credential with the Portal. 159 The Portal is protected by Oracle and Microsoft technologies. These components provide for single-sign-on, authentication, authorization and in conjunction with SSL protocols confidentiality and integrity of communications. 160 All Portal identity management components for User ID account credentials are server based and only a web browser is required by the market participant, as specified in this document, to access the Portal with this type of identity credential. 161 The IESO Portal User Interface User’s Guide should be referenced for Portal login procedures. 2.3.5 Certificate Lifecycle System & Entrust Authority Administration Tool 162 The Certificate Lifecycle System can be downloaded from the IESO Web site (see the Technical Interfaces Page of IESO‟s Web site). 48 Public Issue 21.1 – March 15, 2010 - estimated
Participant Technical Reference Manual 2. Participant Workstation, Network & Security 163 The Entrust Profile File (EPF) and P12 File for use with the MPI or MIM API (but not the Portal) are initially created by the end user using the Certificate Lifecycle System (CLS). The CLS is a Java software application supplied by ABB. The code used in the MIM MPI Applet and MIM programmatic API Application is the same underlying code set used in the CLS. The CLS lets the End Entity (i.e. user) interface with the Certification Authority for initialization, recovery, viewing and testing of EPF‟s. The CLS is a platform independent application, meaning it may be run on any operating system that supports a Java 2 Runtime Environment. 164 To initialize or recover an EPF and P12 using the CLS, the end Entity needs Activation Codes. The Activation Codes consist of a Reference Number and an Authorization Code, which are good for a one-time use and for a limited time of 14 days. The Reference Number is e-mailed directly to the End Entity by the Certification Authority after the End Entity has been registered or recovered (see the Technical Interfaces Page of IESO‟s Web site for digital certificate registration information). The Authorization Code is sent from a designated officer at the IESO (i.e. a Local Registration Authority Officer (LRA Officer) (a.k.a. Market Coordinator) to the End Entity via a secure channel (ex: in person or via secure courier). 165 The process of initialization employs the CLS in conjunction with the Activation Codes. New keys and certificates are created through secure Internet communications with the PKI infrastructure and stored in the chosen, secured media at the market participant. The keys are secured by entering a Passphrase meeting the required content rules within the CLS. The Passphrase is determined and set by the Individual Subscriber or Application Subscriber Custodian and only they and other formally authorized individuals at the market participant as applicable should know it. Please reference the Certificate Subscriber Agreement regarding market participant obligations regarding this. 166 Recovery uses the CLS in conjunction with the Activation Codes. The Recovery function of the CLS application allows certificates and Encryption/Decryption keys to be recovered and stored with new Signing/Verification keys and certificate on the chosen, secured media at the market participant. The keys are secured by entering a Passphrase meeting the required content rules within the CLS. The original Passphrase can be changed at the time of recovery. 167 The CLS requires access to be provided by the MP „to‟ the following ports at the Certification Authority: 389 (for the CA Directory Server LDAP calls), and 829 (for Entrust CA Manager functions). Market participants with firewalls must have these ports open for the specific Certification Authority IP addresses for communication with the IESO and its CA. The domain names, IP addressees for all test and production PKI systems are included in section 2.3.6 below. Installing & Operating the Certificate Lifecycle System 168 An “Identity Management Operations Guide” has been provided on the IESO Web site (see the Technical Interfaces Page of IESO‟s Web site). This guide describes recommended procedures for an on-site System Administrator or End Entity to perform initial installation and operation of the CLS. Operating the Entrust Authority Administration Tool 169 The “Identity Management Operations Guide” guide describes recommended procedures for an on-site System Administrator or End Entity to access and use the Issue 21.1 – March 15, 2010 - estimated Public 49
Page 1 and 2:
MANUAL PUBLIC IMO_MAN_0024 Market M
Page 3 and 4:
Participant Technical Reference Man
Page 5 and 6: Participant Technical Reference Man
Page 55: Participant Technical Reference Man
Page 99 and 100: Appendix B: List of Commonly Used A
show all

Participant Technical Reference Manual - IESO

Create successful ePaper yourself

Delete template?

Save as template?