Participant Technical Reference Manual - IESO

Participant Technical Reference Manual
2. Participant Workstation, Network & Security
163 The Entrust Profile File (EPF) and P12 File for use with the MPI or MIM API (but not
the Portal) are initially created by the end user using the Certificate Lifecycle System
(CLS). The CLS is a Java software application supplied by ABB. The code used in the
MIM MPI Applet and MIM programmatic API Application is the same underlying
code set used in the CLS. The CLS lets the End Entity (i.e. user) interface with the
Certification Authority for initialization, recovery, viewing and testing of EPF‟s. The
CLS is a platform independent application, meaning it may be run on any operating
system that supports a Java 2 Runtime Environment.
164 To initialize or recover an EPF and P12 using the CLS, the end Entity needs Activation
Codes. The Activation Codes consist of a Reference Number and an Authorization
Code, which are good for a one-time use and for a limited time of 14 days. The
Reference Number is e-mailed directly to the End Entity by the Certification Authority
after the End Entity has been registered or recovered (see the Technical Interfaces Page
of IESO‟s Web site for digital certificate registration information). The Authorization
Code is sent from a designated officer at the IESO (i.e. a Local Registration Authority
Officer (LRA Officer) (a.k.a. Market Coordinator) to the End Entity via a secure
channel (ex: in person or via secure courier).
165 The process of initialization employs the CLS in conjunction with the Activation
Codes. New keys and certificates are created through secure Internet communications
with the PKI infrastructure and stored in the chosen, secured media at the market
participant. The keys are secured by entering a Passphrase meeting the required
content rules within the CLS. The Passphrase is determined and set by the Individual
Subscriber or Application Subscriber Custodian and only they and other formally
authorized individuals at the market participant as applicable should know it. Please
reference the Certificate Subscriber Agreement regarding market participant
obligations regarding this.
166 Recovery uses the CLS in conjunction with the Activation Codes. The Recovery
function of the CLS application allows certificates and Encryption/Decryption keys to
be recovered and stored with new Signing/Verification keys and certificate on the
chosen, secured media at the market participant. The keys are secured by entering a
Passphrase meeting the required content rules within the CLS. The original Passphrase
can be changed at the time of recovery.
167 The CLS requires access to be provided by the MP „to‟ the following ports at the
Certification Authority: 389 (for the CA Directory Server LDAP calls), and 829 (for
Entrust CA Manager functions). Market participants with firewalls must have these
ports open for the specific Certification Authority IP addresses for communication with
the IESO and its CA. The domain names, IP addressees for all test and production PKI
systems are included in section 2.3.6 below.
Installing & Operating the Certificate Lifecycle System
168 An “Identity Management Operations Guide” has been provided on the IESO Web site
(see the Technical Interfaces Page of IESO‟s Web site). This guide describes
recommended procedures for an on-site System Administrator or End Entity to perform
initial installation and operation of the CLS.
Operating the Entrust Authority Administration Tool
169 The “Identity Management Operations Guide” guide describes recommended
procedures for an on-site System Administrator or End Entity to access and use the
Issue 21.1 – March 15, 2010 - estimated Public 49