1. Document Information. 2. Related documents / References. 3. Version control

Transcription

1

2 1. Document control 1. Document Information Document title: Project Reference: Document Archival Code: EBGCA Pilot Platform User Manual IDA PKI II / EBGCA Pilot / WP1 EBGCA-DEL EBGCA Pilot Platform_User_Manual 2. Related documents / References Reference Document filing code [1] A bridge CA for European public administrations Feasibility study. [2] ETSI TR V1.1.1 ( ) Provision of harmonized Trust Service Provider status information [3]... IDA-BridgeCA-WP1-Annex-6.doc [4]... ETSI TS STF V1.1.1 ( ) Requirements for Trust Service Provider status information [6]... European Bridge and Gateway CA Pilot WP Doc 4 - Technical Architecture [7]... European Bridge and Gateway CA Pilot WP Doc 5 - Test Programme [8] EBGCA-DEL EBGCA Testing Guide [9] EBGCA-DEL EBGCA Pilot WP1- Use Cases [10] CWA : CEN Workshop Agreement Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signature Part 2: Cryptographic Module for CSP Signing Operations Protection Profile (MCSO-PP) 3. Version control Version Date Description / Status Responsible V First version for review Marc Jadoul V Second version for final review Marc Jadoul V Reviewed version User Guide Marc Jadoul Houcine Bel Mamoune Joris Ballet V Q Review CerticomPro on Pilot Platform User Guide Kris Van Aken : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 2 / 24

3 4. Distribution Version Company Name Action required 1.0 European Commisison - IDA Member States Admin SPOCs Apply User Manual during EBGCA test phase Certipost EBGCA Support team EBGCA Project team Documentation; Assistance towards MS test users : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 3 / 24

4 Table of content!"# $ # # % & # # # : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 4 / 24

5 2. Abbreviations EBGCA: BCA : CA : ZTL : PKI : European IDA Bridge Gateway CA Bridge Certification Authority Certification Authority Zipped Trust List Public Key Infrastructure TSL : Trust Service Provider List (as defined by [2], ETSI TR V1.1.1 ( )) TSP : Trust Service Provider : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 5 / 24

6 3. Introduction The EBGCA pilot Portal is built around the concept of entities. An entity represents a domain under which TSP and Scheme Operator are created. TSP and Scheme Operator are resources. A TSP or Trust Service Provider is an organization (governmental or commercial) acting as trusted third party and providing some electronic trust services. In the case of this pilot implementation, trust services possible to include are: o Certification Authority issuing public key certificates. o Certification Authority issuing qualified certificates. A Scheme Operator is an organization responsible of the operation and management of the Scheme. The Scheme is any organized process of supervision, monitoring, approval or such practices that are intended to apply oversight with the objective of ensuring adherence to specific criteria in order to maintain confidence in the services under the scope of the scheme. In this pilot, the role of the scheme operator is reduced to decide arbitrarily which TSP/Trust Services he will accept to include in his TSL as it is not the goal of the pilot to investigate which Trust Service should or not be included in a Scheme. An Entity can have several TSPs and/or Scheme Operators. In most of the cases, we will have a one to one mapping of entities and member state participating in the pilot. In addition the pilot Portal is working with a system of credential and role on some resources. By default, the web front-end does not verify access at the level of URL, as the verification of the access to a particular function is done in the business logic layer. A credential is also created under an entity and should only receive Role on resources created under this entity. Some special Roles and Entities are defined on the platform. The Role SYSTEM grants access to some special operations on the system and is reserved for managing the platform. It is possible to grant 'TSP Admin'or 'Scheme Admin'Roles on all resources of the platform to a particular user. The Interface as been designed to implement a subset of the ETSI TS V standard. There are some restrictions to be noted: Language is supposed to be only English: All fields should be in English in the TSL. MS are required to send required information in English. History of Schemes, TSPs or Services is not recorded. The security is very low and some operations are allowed in the Pilot Portal that would not be possible in a Production Environment Process We remind you here the process concerning the platform. This does not take into account communication between Member State and EBGCA provider. The process to configure a Trust Service Provider and require the inclusion of Services is: 1. EBGCA Administrator creates the Entity (Member State) 2. EBGCA Administrator creates create the TSP 3. EBGCA Administrator creates a Credential for the user who wills admin the TSP. 4. EBGCA Administrator grants TSP Admin Role to the Credential on the resource (the TSP created) 5. Created user log in with credential. 6. User verifies TSP's parameters. 7. User register the Services and upload Digital Identities for Services 8. User request inclusion of Services in Schemes (at least IDA Scheme) : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 6 / 24

7 The process to configure a Scheme and include Services is: 1. EBGCA Administrator creates the Entity (Member State) 2. EBGCA Administrator creates create the Scheme 3. EBGCA Administrator creates a Credential for the user who wills admin the Scheme. 4. EBGCA Administrator grants Scheme Operator Admin Role to the Credential on the resource (the Scheme created) 5. Created user log in with credential. 6. User verifies Scheme's parameters. 7. Several options: a) User accepts or refuse request for inclusion of Services from TSP. User may himself include Services of other TSP available on the platform. b) User compares his Scheme to another Scheme and eventually synchronizes. : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 7 / 24

8 4. Administering Trust Service Provider When you log In with your credential and choose the TSP Operator you will arrive on a page displaying the list of TSP on which you have some rights. From this page, you are also able to Change your Password. : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 8 / 24

9 4.1. Adding new services A user with a Role TSP Operator creates new services by choosing Add Services in the left menu. In this Pilot implementation, it is only possible to register two types of services: Certification Authority issuing public key Certificates; Certification Authority issuing Qualified Certificates; The following information is required. Service: See in ETSI TS V Digital Identity: See in ETSI TS V Browse to the X509 certificate of the CA. This Field is Optional: Service Definition URN: See in ETSI TS V Important Remark: for the current implementation we choose to allow modification of these parameters, even after the service has been included in a Scheme. This means that TSP could modify content of TSLs without Scheme Operator agreement. This of course would not be the case in a Production Environment : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 9 / 24

10 4.2. Requesting inclusion of a service in a Scheme The TSP Administrator, once a service has been successfully created may request from the Scheme Operator to include his service in his Scheme. This will send an to the Scheme Operator address to alert him he must include or refuse the inclusion of the service in his Scheme. m this page, the TSP Administrator may also see the Status of his requests. Fro : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 10 / 24

11 5. Administering Scheme Operator You will only have access to this part of the site if the Member State chooses to issue his own TSL. After Log In, a user choosing the Role Scheme Operator is presented the list of Scheme he has access to. Clicking on the Scheme name will forward the user to a page with details of the Scheme and Scheme Operator, while clicking on the link Services will forward the user to a page allowing him to add or modify services included in this Scheme. : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 11 / 24

12 5.1. View / Update Scheme Choosing a Scheme in the list of Scheme or clicking on Details in the left menu show you the content specific for this scheme. The first time you will edit your Scheme, you should see that the information has already been filled by the EBGCA Administrator with information in English sent by MS. Scheme: See in ETSI TS V This is the Scheme name of the scheme. It can't be modified. The following information is modifiable but required. Nevertheless we advise not to change any of this information. If you modify the scheduling properties, you will probably have a transition period 2 valid TSLs or no valid TSL. Information URN: See in ETSI TS V This field should point on a page on the EBGCA portal. It shouldn't be modified. If you change the URI, old TSL already issued will always keep the previous URI. This means, if you change this URI, the previous one still need to be accessible. Scheme Operator See and in ETSI TS V Part of Scheme Operator Address. During the Pilot, the EBGCA Portal also uses this address to send some alert concerning the scheme. : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 12 / 24

13 Remark this is an official Address published in TSL and to be used to contact the Scheme Operator, not the address of any particular 'operator'on the system. Street: See and in ETSI TS V Part of Scheme Operator Address. Locality: See and in ETSI TS V Part of Scheme Operator Address. Postal Code: See and in ETSI TS V Part of Scheme Operator Address. Country: See and in ETSI TS V Part of Scheme Operator Address. TSL Generation Starting Time is the time at which TSL are issued at each N day interval. The pilot only implement a simplified scheduler responsible of issuing TSLs. TSL are issued at fixed time in the day and are valid for (TSL Interval) days + (TSL Next Generation Delay). If you modify this field, next TSL will be issued at the new time. TSL Interval (Days) is the number of day a TSL is valid. The value must be in the range 1 through 30. TSL Next Generation Delay (Seconds) is a number of seconds between the time at which a new TSL has normally already been issued (at TSL Generation Starting Time) and the end of validity of the previous TSL (at TSL Generation Starting Time + TSL Next Generation Delay (Seconds)) In addition to these fields which are necessary to create a new Scheme, before being able to generate any TSL, it is necessary to provide a KeyStore containing the private key and certificate to sign the TSL. The certificate in the KeyStore needs to be signed under a trusted CA of the member state, the goal being to allow tools to verify a TSL using their current national PKI. This optional information may be present: Territory: See in ETSI TS V A 2 letter code should be explicitly entered. Legal Notice: Actual text form. See in ETSI TS V : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 13 / 24

14 Before issuing a TSL, ensure that you included some TSP/services (see next chapter). The Flag 'Generate TSL'control if the TSL is automatically issued at fixed time by the Scheduler. The button 'Force immediate TSL Generation'allows forcing the immediate issuance of a TSL. This for instance allows viewing immediately the result in the TSL of a change in the Scheme. : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 14 / 24

15 5.2. Managing included Services The Scheme Operator has access to the current list of included Services, and Services for which inclusion has been requested. The Scheme Operator may include any Service registered on the Portal in his Scheme. : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 15 / 24

16 5.3. Compare Schemes The Scheme Operator Role has the possibility to compare his Schemes to any other Scheme registered on the EBGCA portal. To do this, after having chose Scheme from the list of his Schemes, click on 'Compare To Scheme'in the left menu. Chose the Scheme you want to compare to. You should get a page similar to this: From this page you may access the parameters of the Services listed. Only the Services present in your Scheme or the Scheme you are comparing are listed. Services are also listed if they have been submitted for inclusion. : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 16 / 24

17 5.4. Modify Service's Scheme parameters Clicking on any Service allows you to set the status of the Service in your Scheme. There are two different statuses: Approval Status: You have the choice between: 1. Requested: The TSP requested inclusion of the service in your Scheme. You should Approve or Reject the inclusion. 2. Approved: The Service will be included in next TSL. In this case, the Validity Status is important. 3. Rejected: You rejected the inclusion of this Service in your Scheme. 4. Removed: Do not Use. Validity Status: This Status has no signification if the Approval Status is not '2=Approved'. This Status is described in in ETSI TS V To interpret correctly this status, it is necessary to also take into account the value of the Status determination Approach. In this Pilot, t has been decided to limit ourself to the the 'passive approval'approach. In addition, the Scheme Operator may also fill the optional parameter Scheme service definition URN (See in ETSI TS V1.1.1.) : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 17 / 24

18 6. The public portal Browsing to allow also access to a public section of the EBGCA portal. In this section, it is only possible to view the content of Schemes and TSPs Downloading TSL From the public interface, it is possible to download TSL and save them locally as a tsl.xml file on the client platform. This will allow next to open this file in the TSL viewer. Choose first the entity (Member State) under which the Scheme is registered and click on TSLs link for the Scheme that interest you. If there is no Scheme listed for an entity (Member State), this might mean that the Member State chooses to not manage his own Scheme. 7. Administration of EBGCA Pilot Portal Note: You may skip this part of the manual. : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 18 / 24

19 7.1. Creation of Entities An Entity is a domain under which TSPs, Schemes and Credentials are registered. Entities are typically Member State. Only EBGCA Administrator is supposed to create Entities. After Log In, chose the Role Administrator.. : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 19 / 24

20 7.2. Creation of Scheme (including Scheme Operator) Scheme is created by the EBGCA Administrator. After Log In, and choosing Administrator Role, Add Scheme in left menu, the interface looks like this: The following information is required. This information should be communicated in English by Member State if they decide to have their own National Scheme. Scheme: See in ETSI TS V This is the Scheme name of the scheme. Information URN: See in ETSI TS V This field should point on a page on the EBGCA portal. Scheme Operator See and in ETSI TS V Part of Scheme Operator Address. During the Pilot, the EBGCA Pilot Portal also uses this address to send some alert concerning the scheme. Remark this is an official Address published in TSL and to be used to contact the Scheme Operator, not the address of any particular 'operator'on the system. Street: See and in ETSI TS V Part of Scheme Operator Address. Locality: See and in ETSI TS V Part of Scheme Operator Address. Postal Code: See and in ETSI TS V Part of Scheme Operator Address. Country: See and in ETSI TS V Part of Scheme Operator Address. : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 20 / 24

21 TSL Generation Starting Time is the time at which TSL are issued at each N day interval. The pilot only implement a simplified scheduler responsible of issuing TSLs. TSL are issued at fixed time in the day and are valid for (TSL Interval) days + (TSL Next Generation Delay) TSL Interval (Days) is the number of day a TSL is valid. The value must be in the range 1 through 30. TSL Next Generation Delay (Seconds) is a number of seconds between the time at which a new TSL has normally already been issued (at TSL Generation Starting Time) and the end of validity of the previous TSL (at TSL Generation Starting Time + TSL Next Generation Delay (Seconds)) In addition to these fields which are necessary to create a new Scheme, before being able to generate any TSL, it is necessary to provide a KeyStore containing the private key and certificate to sign the TSL. The certificate in the KeyStore needs to be signed under a trusted CA of the member state. The goal is to allow tools validation of a TSL using their current national PKI. This optional information may be present: Territory: See and in ETSI TS V A 2 letter code should be explicitly entered. Legal Notice: Actual text form. See and in ETSI TS V : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 21 / 24

22 7.3. Creation of TSP New TSP is created by the EBGCA Administrator. After Log In, choosing Administrator Role, Add Scheme in left menu, the UI looks like this: The following information is required. This information should be communicated in English by MS for each TSP they want to include in a TSL. Trust Service Provider: See in ETSI TS V This is the TSP name. Information URN: See in ETSI TS V This field should point on a page on the EBGCA portal. Operator See and in ETSI TS V Part of TSP Address. During the Pilot, the EBGCA Pilot Portal also uses this address to send some alert concerning the scheme. Remark this is an official Address published in TSL and to be used to contact the Trust Service Provider, not the address of any particular 'operator'on the system. Street: See and in ETSI TS V Part of TSP Address. Locality: See and in ETSI TS V Part of TSP Address. Postal Code: See and in ETSI TS V Part of TSP Address. Country: See and in ETSI TS V Part of TSP Address. The following Optional Information in TSL is not included in this Pilot: TSP trade name. See in ETSI TS V : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 22 / 24

23 7.4. Creation of Credential : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 23 / 24

24 7.5. Granting of Role to users Once you created a credential you can assign Roles on resources to this credential. Role need to be granted after creation of the Scheme or TSP. : EBGCA-DEL EBGCA Pilot Platform_User_Manual Page: 24 / 24