Participant Technical Reference Manual - IESO
Participant Technical Reference Manual
2. Participant Workstation, Network & Security
163 The Entrust Profile File (EPF) and P12 file for use with the MPI or MIM API (but not the Portal) are initially created by the end user using the Certificate Lifecycle System (CLS). The CLS is a Java software application supplied by ABB. The code used in the MIM MPI Applet and the MIM programmatic API application is the same underlying code set used in the CLS. The CLS lets the End Entity (i.e. the user) interact with the Certification Authority for initialization, recovery, viewing and testing of EPFs. The CLS is a platform-independent application, meaning it may be run on any operating system that supports a Java 2 Runtime Environment.
164 To initialize or recover an EPF and P12 using the CLS, the End Entity needs Activation Codes. The Activation Codes consist of a Reference Number and an Authorization Code, which are good for a single use and for a limited time of 14 days. The Reference Number is e-mailed directly to the End Entity by the Certification Authority after the End Entity has been registered or recovered (see the Technical Interfaces Page of IESO's Web site for digital certificate registration information). The Authorization Code is sent to the End Entity via a secure channel (e.g. in person or via secure courier) from a designated officer at the IESO, i.e. a Local Registration Authority Officer (LRA Officer), also known as a Market Coordinator.
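The two-code scheme above has three properties worth seeing in code: the Reference Number and Authorization Code travel over separate channels, the pair is valid for one use only, and it expires after 14 days. The following is an added illustration written for this page, not Entrust's CLS or CA code and not anything the IESO publishes; the code formats, the SHA-256 storage of the Authorization Code, the in-memory store and the injectable clock are all assumptions made to keep it self-contained.

```python
"""Illustrative model of one-time, time-limited Activation Codes
(Reference Number + Authorization Code) for CLS initialization/recovery.
Added example; not Entrust's or the IESO's implementation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

VALIDITY = timedelta(days=14)   # lifetime stated in the manual


def _digest(value: str) -> bytes:
    # Assumption: the CA stores only a digest of the Authorization Code,
    # so a leaked record does not reveal the code itself.
    return hashlib.sha256(value.encode()).digest()


@dataclass
class ActivationRecord:
    end_entity: str
    auth_code_digest: bytes
    issued_at: datetime
    used: bool = False


class ActivationCodeStore:
    """Issues one (Reference Number, Authorization Code) pair per End Entity
    and accepts exactly one redemption inside the validity window."""

    def __init__(self, clock=None):
        self._records: dict[str, ActivationRecord] = {}
        # Injectable clock so expiry can be exercised deterministically.
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def issue(self, end_entity: str) -> tuple[str, str]:
        ref = secrets.token_hex(4).upper()      # constructed format, e.g. "3F9A2C10"
        auth = secrets.token_urlsafe(12)        # constructed format
        self._records[ref] = ActivationRecord(end_entity, _digest(auth), self.clock())
        # Reference goes by e-mail, Authorization Code by the secure channel;
        # only the CA ever holds both.
        return ref, auth

    def redeem(self, ref: str, auth: str) -> tuple[bool, str]:
        rec = self._records.get(ref)
        if rec is None:
            return False, "unknown reference number"
        if rec.used:
            return False, "activation codes already used"
        if self.clock() - rec.issued_at > VALIDITY:
            return False, "activation codes expired"
        # Constant-time comparison of the presented code against the stored digest.
        if not hmac.compare_digest(rec.auth_code_digest, _digest(auth)):
            return False, "authorization code mismatch"
        rec.used = True                         # single use: burn the pair
        return True, "ok"


if __name__ == "__main__":
    store = ActivationCodeStore()
    ref, auth = store.issue("example-end-entity")
    print("issued", ref, auth)
    print(store.redeem(ref, auth))              # (True, 'ok')
    print(store.redeem(ref, auth))              # (False, 'activation codes already used')
```

A failed Authorization Code check deliberately does not consume the Reference Number (the legitimate user may simply have mistyped), which is why a real deployment would also rate-limit attempts per Reference Number and record them for the LRA Officer.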
165 The process of initialization employs the CLS in conjunction with the Activation Codes. New keys and certificates are created through secure Internet communications with the PKI infrastructure and stored in the chosen, secured media at the market participant. The keys are secured by entering, within the CLS, a Passphrase that meets the required content rules. The Passphrase is determined and set by the Individual Subscriber or Application Subscriber Custodian, and only they and, as applicable, other formally authorized individuals at the market participant should know it. Refer to the Certificate Subscriber Agreement for the market participant's obligations in this regard.
166 Recovery uses the CLS in conjunction with the Activation Codes. The Recovery function of the CLS application allows certificates and Encryption/Decryption keys to be recovered and stored, together with new Signing/Verification keys and certificate, on the chosen, secured media at the market participant. The keys are secured by entering, within the CLS, a Passphrase that meets the required content rules. The original Passphrase can be changed at the time of recovery.
167 The CLS requires the MP to provide access "to" the following ports at the Certification Authority: 389 (for the CA Directory Server LDAP calls) and 829 (for Entrust CA Manager functions). Market participants with firewalls must have these ports open for the specific Certification Authority IP addresses for communication with the IESO and its CA. The domain names and IP addresses for all test and production PKI systems are listed in section 2.3.6 below.
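Before running the CLS from a workstation behind a firewall, it is worth confirming that outbound TCP to ports 389 and 829 on the CA actually completes, so that an enrollment failure is not misdiagnosed as a bad Activation Code. The script below is an added example for this page, not part of the manual or of the CLS; the CA host name is a placeholder (the real names and addresses are in section 2.3.6), and the port-to-purpose mapping is taken from paragraph 167.

```python
"""Egress check for the CA ports the CLS needs: 389 (CA Directory Server LDAP)
and 829 (Entrust CA Manager). Added example; the CA host is a placeholder
to be replaced with the address from section 2.3.6."""
import socket
import sys

# Port-to-purpose mapping as stated in paragraph 167.
CLS_CA_PORTS = {389: "CA Directory Server (LDAP)", 829: "Entrust CA Manager"}


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.
    A refused, filtered or timed-out connection all count as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_cls_egress(host: str, ports=CLS_CA_PORTS, timeout: float = 3.0) -> dict:
    """Probe every required port and return {port: reachable}."""
    return {port: port_reachable(host, port, timeout) for port in ports}


def report(host: str, results: dict, ports=CLS_CA_PORTS) -> str:
    """Human-readable summary, one line per port, for a firewall change request."""
    lines = []
    for port, ok in sorted(results.items()):
        purpose = ports.get(port, "")
        lines.append(f"{host}:{port} {purpose} -> {'open' if ok else 'BLOCKED'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder host; substitute the CA address from section 2.3.6.
    ca_host = sys.argv[1] if len(sys.argv) > 1 else "ca.placeholder.invalid"
    results = check_cls_egress(ca_host)
    print(report(ca_host, results))
    # Non-zero exit if any required port is blocked, so the check can gate a rollout.
    sys.exit(0 if all(results.values()) else 1)
```

Run it as `python check_cls_egress.py <ca-host>` from the workstation that will run the CLS; a "BLOCKED" line for 389 or 829 means the firewall rule for that CA address is missing or incomplete, and the output can be attached to the firewall change request as-is.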
Installing & Operating the Certificate Lifecycle System
168 An "Identity Management Operations Guide" has been provided on the IESO Web site (see the Technical Interfaces Page of IESO's Web site). This guide describes recommended procedures for an on-site System Administrator or End Entity to perform initial installation and operation of the CLS.
Operating the Entrust Authority Administration Tool
169 The "Identity Management Operations Guide" describes recommended procedures for an on-site System Administrator or End Entity to access and use the
Issue 21.1 – March 15, 2010 - estimated Public 49