DCCKI Interface Design Specification. and. DCCKI Repository Interface Design Specification

Similar documents
SELF SERVICE INTERFACE CODE OF CONNECTION

SMKI Code of Connection

APPENDIX XXX SELF-SERVICE INTERFACE DESIGN SPECIFICATION

APPENDIX XXX SELF-SERVICE INTERFACE DESIGN SPECIFICATION

APPENDIX XXX SELF-SERVICE INTERFACE DESIGN SPECIFICATION SEC SUBSIDIARY DRAFT

SMKI Repository Interface Design Specification TPMAG baseline submission draft version 8 September 2015

Threshold Anomaly Detection Procedures (TADP)

R1.4 - DCC DRAFT - SEC 5.x Appendix AH. Version AH 1.0. Appendix AH. Self-Service Interface Design Specification

Error Handling Strategy. DCC Guidance Document

REGISTRATION DATA INTERFACE SPECIFICATION

Error Handling Strategy

REGISTRATION DATA INTERFACE SPECIFICATION

Smart Meters Programme Schedule 2.1

Managing Certificates

REGISTRATION DATA INTERFACE SPECIFICATION

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

CERTIFICATE POLICY CIGNA PKI Certificates

Digi-CPS. Certificate Practice Statement v3.6. Certificate Practice Statement from Digi-Sign Limited.

Security and Certificates

SSL Certificates Certificate Policy (CP)

The Information Technology (Certifying Authority) Regulations, 2001

NIELSEN API PORTAL USER REGISTRATION GUIDE

SecureDoc Disk Encryption Cryptographic Engine

Security Assertions Markup Language

Odette CA Help File and User Manual

FIPS Security Policy. for Marvell Semiconductor, Inc. Solaris 2 Cryptographic Module

Configuring SSL. SSL Overview CHAPTER

Public. Atos Trustcenter. Server Certificates + Codesigning Certificates. Version 1.2

FedLine Web Certificate Retrieval Procedures

CSE 565 Computer Security Fall 2018

Inland Revenue. Build Pack. Identity and Access Services. Date: 04/09/2017 Version: 1.5 IN CONFIDENCE

ECC Certificate Addendum to the Comodo EV Certification Practice Statement v.1.03

Microsoft ADFS Configuration

Apple Inc. Certification Authority Certification Practice Statement

Identity Provider for SAP Single Sign-On and SAP Identity Management

PKI Knowledge Dissemination Program. PKI Standards. Dr. Balaji Rajendran Centre for Development of Advanced Computing (C-DAC) Bangalore

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.10 Effective Date: June 10, 2013

Configuring SSL CHAPTER

Security Cooperation Information Portal

Integration Documentation. Automated User Provisioning Common Logon, Single Sign On or Federated Identity Local File Repository Space Pinger

e-authentication guidelines for esign- Online Electronic Signature Service

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

Electricity Registration Data Interface Specification

Configuring SSL. SSL Overview CHAPTER

ADP Federated Single Sign On. Integration Guide

DIGITALSIGN - CERTIFICADORA DIGITAL, SA.

Digital Certificates Demystified

Public Key Infrastructures

Xceedium Xsuite. Secured by RSA Implementation Guide for 3rd Party PKI Applications. Partner Information. Last Modified: February 10 th, 2014

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for Tableau Server

CertAgent. Certificate Authority Guide

About FIPS, NGE, and AnyConnect

Certificate Management in Cisco ISE-PIC

INFORMATION TECHNOLOGY COMMITTEE ESCB-PKI PROJECT

Encryption, Certificates and SSL DAVID COCHRANE PRESENTATION TO BELFAST OWASP CHAPTER OCTOBER 2018

Genesys Security Deployment Guide. What You Need

SEC Appendix AG. Deleted: 0. Draft Version AG 1.1. Appendix AG. Incident Management Policy

BIG-IP System: SSL Administration. Version

OpenIAM Identity and Access Manager Technical Architecture Overview

APNIC Trial of Certification of IP Addresses and ASes

FIPS Management. FIPS Management Overview. Configuration Changes in FIPS Mode

How to use the MESH Certificate Enrolment Tool

ADFS integration with Ibistic Commerce Platform A walkthrough of the feature and basic configuration

VSP18 Venafi Security Professional

Comodo Certificate Manager

BIG-IP System: SSL Administration. Version

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]

Smart Metering Implementation Programme SMKI and Repository Testing Approach

Electronic Seal Administrator Guide Published:December 27, 2017

Help file application for authorisations and approval of auditors. Table of contents

Managed Access Gateway. User Guide

Public Key Enabling Oracle Weblogic Server

SignCloud. Remote Digital Signature System

Qualys SAML & Microsoft Active Directory Federation Services Integration

VSP16. Venafi Security Professional 16 Course 04 April 2016

X.509 Certificate Policy for the New Zealand Government PKI RSA Individual - Software Certificates (Medium Assurance)

Manage Certificates. Certificates Overview

This Security Policy describes how this module complies with the eleven sections of the Standard:

National Identity Exchange Federation. Trustmark Signing Certificate Policy. Version 1.0. Published October 3, 2014 Revised March 30, 2016

Category: Informational January 2010 ISSN:

OTP Issuance/Use Manual

Cisco Desktop Collaboration Experience DX650 Security Overview

Managed Access Gateway. User Guide

Managed Access Gateway Third-Party Credential User Guide August 2017

msis Security Policy and Protocol

Certification Practice Statement

Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)

Remote Access. Application Viewer User Guide

MyClinic. Password Reset Guide

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

SAML-Based SSO Configuration

Validation Working Group: Proposed Revisions to

TABLE OF CONTENTS. ICANN Pre- Delegation Testing System. A User s Guide. Version

How to Set Up External CA VPN Certificates

Apple Inc. Certification Authority Certification Practice Statement

Configuring the Cisco APIC-EM Settings

Manage Certificates. Certificate Management in Cisco ISE. Certificates Enable Cisco ISE to Provide Secure Access

Enterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape

NCP Secure Enterprise macos Client Release Notes

Transcription:

DCCKI Interface Design Specification and DCCKI Repository Interface Design Specification 1 INTRODUCTION Document Purpose 1.1 Pursuant to Section L13.13 of the Code (DCCKI Interface Design Specification), this document is the DCCKI Interface Design Specification, which: specifies the technical details of the DCCKI Service Interface; includes the protocols and technical standards that apply to the DCCKI Service Interface which are based on open standards; and, pursuant to Section L13.28 of the Code (DCCKI Repository Interface Design Specification), is also the DCCKI Repository Interface Design Specification, which: (d) specifies the technical details of the DCCKI Repository Interface; and includes the protocols and technical standards that apply to the DCCKI Repository Interface. 2 INTERFACE DEFINITION Submission of DCCKI Certificate Signing Requests and Issuance of DCCKI Infrastructure Certificates 2.1 In order to request Issuance of a DCCKI Infrastructure Certificate, a Party or RDP that is a DCCKI Eligible Subscriber shall follow the processes defined in the DCCKI RAPP. 2.2 The DCC shall ensure that all DCCKI Certificate Signing Requests are required to 1

be formatted in accordance with the PKCS #10 standard as set out in section 5 of the DCCKI RAPP. The structure of a DCCKI CSR is defined in section 3. 2.3 No further provision is made in this document in relation to requesting and obtaining DCCKI Infrastructure Certificates. Submission of User Personnel Authentication Certificate Applications and Issuance of User Personnel Authentication Certificates 2.4 Prior to submitting an initial request for Issuance of a User Personnel Authentication Certificate (but not for any subsequent request), a Party that is an Eligible Subscriber in respect of User Personnel Authentication Certificates shall submit an SSI Administration User Credentials Request via the approved mechanisms set out in the DCCKI RAPP. 2.5 The DCC shall make available a User Personnel Credentials Interface accessible via the Self Service Interface for the purpose of accessing DCCKI Services in order to obtain a User Personnel Authentication Certificate. The DCC shall ensure that: (d) (e) (f) (g) (h) the User Personnel Credentials Interface uses the HTTP protocol; the User Personnel Credentials Interface uses Java 7, update 6 (or greater); the User Personnel Credentials Interface supports JavaScript, CSS and images; access to the User Personnel Credentials Interface via the Self Service Interface is secured by mutual authentication using TLS1.2 between the PEP being used by the DCCKI Eligible Subscriber and the DCC s PEP; DCCKI Infrastructure Certificates are used for the TLS authentication; access to the User Personnel Credentials Interface is denied without a valid credential for Authentication; initial access to the User Personnel Credentials Interface will be authorised through use of username and single use password, the provision of which shall be detailed in the DCCKI RAPP; and User Personnel are provided with the means to view and update their password and user account information as set out in the DCCKI Interface Code of Connection. 2

Issuance of User Personnel Authentication Certificates to SSI Administration Users Initial Issuance of a User Personnel Authentication Certificate to SSI Administration Users 2.7 In order to obtain an initial User Personnel Authentication Certificate, an SSI Administration User shall log onto the User Personnel Credentials Interface via the Self Service Interface using the supplied username, and single use password as provided in accordance with the DCCKI RAPP. 2.8 Upon initial login, the SSI Administration User shall be required to: change the password for the user account from that provided; and provide answers to security questions that will subsequently be used to confirm the identity of that SSI Administration User if their password is forgotten, their User Personnel Authentication Certificate has expired or the Smart Card Token provided to that SSI Administrator is lost or stolen. 2.9 On successful change of the user account password, the SSI Administration User shall be able to request initialisation of the Smart Card Token which will result in a User Personnel Authentication Certificate Application. 2.10 In order to initialise the Smart Card Token, the SSI Administration User shall: connect the Smart Card Token to the system that the SSI Administration User is using to access the User Personnel Credentials Interface. The system shall be configured in accordance with clauses 2.5 and above; and request initialisation of the Smart Card Token by following the instructions displayed on the User Personnel Credentials Interface. 2.11 Following a successful request for initialisation of the Smart Card Token the DCC shall ensure that, where the Smart Card Token generates a User Personnel Authentication Certificate Application, this shall automatically be submitted to the UI DCCKICA. 2.12 The SSI Administration User shall be notified via the User Personnel Credentials Interface as soon as reasonably practicable of the Issuance of a User Personnel 3

Certificate for that SSI Administration User. Subsequent Issuance of a User Personnel Authentication Certificate to SSI Administration Users 2.13 Prior to the expiry of a User Personnel Authentication Certificate Issued to an SSI Administration User, that SSI Administration User: may logon to the User Personnel Credentials Interface via the Self Service Interface, using their Smart Card Token, username and password; and reinitialise the Smart Card Token by following the steps set out in clause 2.10, which will result in the Issuance of a new User Personnel Authentication Certificate. 2.14 In the event that a User Personnel Authentication Certificate Issued to an SSI Administration User has expired prior to their obtaining a new User Personnel Authentication Certificate, that SSI Administration User may logon to the User Personnel Credentials Interface via the Self Service Interface and obtain a new User Personnel Authentication Certificate by: (i) (ii) using their SSI Administration User username and password; and providing answers to the security questions as selected when obtaining their initial User Personnel Authentication Certificate; and reinitialise the Smart Card Token by following the steps outlined in clause 2.10 which will result in the Issuance of a new User Personnel Authentication Certificate. 2.15 In the event that the Smart Card Token is lost or stolen, an SSI Administration User may: obtain a new Smart Card Token from their DCCKI ARO; logon to the User Personnel Credentials Interface via the Self Service 4

Interface: (i) (ii) using the SSI Administration User s username and password; and providing answers to the security questions as selected when obtaining their initial User Personnel Authentication Certificate; and initialise the Smart Card Token by following the steps outlined in clause 2.10 which will result in the Issuance of a new User Personnel Authentication Certificate. Issuance of User Personnel Authentication Certificates to other User Personnel Initial Issuance of a User Personnel Authentication Certificate to other User Personnel 2.16 The initial Issuance of a User Personnel Authentication Certificate to a User Personnel shall be via the User Personnel Credentials Interface following the creation of an account for that User Personnel by an SSI Administration User. 2.17 In order to provide Authentication credentials to User Personnel, (which shall comprise a single use password and a username) an SSI Administration User may: log onto the Self Service Interface using their Smart Card Token, username and password in accordance with the Self Service Interface Specification and Self Service Interface Code of Connection; create additional user accounts for other User Personnel; and provide details to those User Personnel including a username and single use password that allows them to log onto the User Personnel Credentials Interface via the Self Service Interface. 2.18 In order to obtain an initial User Personnel Authentication Certificate, User Personnel of a DCCKI Eligible Subscriber, shall log onto the User Personnel Credentials Interface via the Self Service Interface using the agreed username and single use password, as established by the relevant SSI Administration User. 2.19 Upon first login, those User Personnel shall be required to: 5

change the password for their account; and provide answers to security questions that will subsequently be used to confirm the identity of that individual if the password is forgotten, their User Personnel Authentication Certificate has expired or their User Personnel Authentication Certificate is destroyed or otherwise becomes permanently out of reach. 2.20 Upon successful login, the User Personnel shall be able to submit a User Personnel Authentication Certificate Application by following the instruction displayed on the User Personnel Credentials Interface. 2.21 Following a User Personnel Authentication Certificate Application request: (d) the User Personnel shall be requested to create a password in accordance with the instruction displayed on the User Personnel Credentials Interface, to protect the credentials to be generated by the DCCKICA and transferred to the User Personnel s browser; the DCCKI Eligible Subscriber shall ensure that the systems of its User Personnel are configured to allow the credentials to be transferred to the User Personnel s browser and in accordance with 2.5 and above ; the DCCKICA shall generate the credentials consisting of a Key Pair along with a User Personnel Authentication Certificate that is specific to that User Personnel and the systems that User Personnel is using to access the User Personnel Credentials Interface and shall make it available to the browser in the form of a PKCS#12 file protected using the password created by the User Personnel; and the User Personnel shall download the PKCS#12 file when requested by the User Authentication Credentials Interface. Subsequent Issuance of a User Personnel Authentication Certificate to other User Personnel 2.22 Prior to the expiry of a User Personnel Authentication Certificate assigned to a member of User Personnel, in order to obtain a new User Personnel Authentication 6

Certificate, that individual: may logon to the User Personnel Credentials Interface via the Self Service Interface, using their existing User Personnel Authentication Certificate, username and password; and follow the steps outlined in clause 2.20 and 2.21. 2.23 In the event that their User Personnel Authentication Certificate has expired prior to obtaining a new User Personnel Authentication Certificate, a member of User Personnel may: logon to the User Personnel Credentials Interface via the Self Service Interface: (i) (ii) using their username and password; and provide answers to the security questions as selected when obtaining their initial User Personnel Authentication Certificate; and follow the steps outlined in clause 2.20 and 2.21. Use of DCCKI Repository Interface 2.24 Pursuant to Section [L13.27] of the Code (DCCKI Repository Interface Design Specification), the DCCKI Repository Interface is a web portal interface designed to allow communications to be received by the DCCKI Repository for the purposes of the DCCKI Repository Service. 2.25 The DCCKI Repository shall only be accessible via a DCC Gateway Connection. 2.26 The DCC shall make the DCCKI Repository Interface available to: all Parties which are Users; and RDPs and using a DCC Gateway Connection via anonymous access (that is, without requiring authentication). 7

2.27 A Party or RDP shall access the DCCKI Repository via a web browser. 2.28 The DCC shall ensure that the DCCKI Repository Interface: uses the HTTP protocol; supports JavaScript, CSS and images; and is provided at Uniform Resource Locators (URLs) in accordance with the DCCKI Repository Code of Connection. 2.29 The DCC shall make the EII DCCKI CRL and the DCCKI ARL available via the DCCKI Repository Interface in accordance with the DCCKI Certificate Policy. 8

2.30 A Party or RDP shall: use the DCCKI Repository Interface to access the DCCKI Repository, in order to obtain the information listed in Section [L13.17] of the Code (The DCCKI Repository); and in accessing the DCCKI Repository, ensure that their web browser has JavaScript enabled. Availability and Service Continuity 2.31 The DCC shall ensure that the DCCKI Service Interface is available, in accordance with Section [L13.12] of the Code (the DCCKI Service Interface). 2.32 The DCC shall ensure that the DCCKI Repository Interface is available in accordance with Section [L13.25] of the Code (the DCCKI Repository Interface). 2.33 The DCC shall notify Parties and RDPs in advance of any planned outages of the DCCKI Repository Interface or the DCCKI Service Interface. 3 DCCKI CERTIFICATE SIGNING REQUEST STRUCTURE Information to be contained within DCCKI Certificate Signing Requests 3.1 A DCCKI Certificate Signing Request in respect of a DCCKI Infrastructure Certificate for the purpose of signing SAML assertions to the DCC shall contain the information set out in the table immediately below: Subject Attributes Values Version V3 (as per RFC 2986) Subject Organisation Identifier Party Signifier Subject Public Key Public Key Algorithm RSA Info Subject Public Key (2048 bits) Public Key value Key Usage Criticality True Key Usage digitalsignature Signature Algorithm rsa-with-sha256 9

3.2 A DCCKI Certificate Signing Request in respect of a DCCKI Infrastructure Certificate for the purpose of establishing TLS communications to the DCC shall contain the information set out in the table immediately below: Subject Attributes Values Version V3 (as per RFC 2986) Subject Common Name Fully Qualified Domain Name configured on the Policy Enforcement Point Organisation Identifier Party Signifier or RDP Signifier Subject Public Key Public Key Algorithm RSA Info Subject Public Key (2048 bits) Public Key value Key Usage Criticality True Key Usage digitalsignature keyencipherment keyagreement Signature rsa-with-sha256 Algorithm Encryption Algorithm id-aes128-gcm DCCKI Certificate Signing Request format 3.3 DCCKI Certificate Signing Request requests shall be formatted according to PKCS #10, Base64 encoded. 3.4 The standard format shall be ASN.1 DER, including one of the immediately following two styles of PEM header: -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----; or -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- 10

Acceptable DCCKI Certificate Signing Request variants 3.5 The DCC shall accept the following PKCS#10 variants: Base64 all in one line; Base64 with line breaks at 64 or 76 characters; and If line breaks are used the \n and \r\n are both acceptable. Signing the DCCKI Certificate Signing Request using a Private Key associated with a SMKI Organisation Certificate 3.1 Following the creation of the DCCKI Certificate Signing Request in accordance with clause 3.3, the DCCKI Eligible Subscriber shall Digitally Sign the DCCKI Certificate Signing Request with a private key associated with a SMKI Organisation Certificate for which it is a Subscriber. 3.2 The DCCKI Eligible Subscriber shall ensure that the digital signature shall: a) use, as the digital signature technique, Elliptic Curve Digital Signature Algorithm (ECDSA) (as specified in Federal Information Processing Standards Publications (FIPS PUB) 186-4) in combination with the curve P- 256 (as specified in FIPS PUB 186-4 at Section D.1.2.3) and SHA-256 as the Hash function; b) be applied to the entirety of the PKCS#10 file, including header and footer; and c) be converted to Base64 and appended to the footer within the PKCS#10 file itself with a preceding, separator. 3.3 Prior to digitally signing the DCCKI CSR, the DCCKI Eligible Subscriber shall: append to the footer of the PKCS#10 file, the certificate issuer and certificate serial number of the SMKI Organisation Certificate with preceding, separators; and ensure that all line termination characters in the PKCS#10 file, except the line termination characters in the footer, shall be normalised to 0x0A. 11

12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback