Technical Specification ESB MOIP MPCC Deployment Guide TD IE MP

ESB MOIP
MPCC Deployment Guide

TD-IE-MP-4.05 Version 1.3

Origin/Author   :   ESB MOIP
Revision Date   :   15th Dec 2004




                      0491f1e0-b7c1-4fbd-824b-7c96e78db8dd.doc
Printed: 01/02/12
                                        Page 1 of 28
Contents
1.       Background
2.       Purpose
3.       Terms of Reference
3.1      Within Scope
3.2      Outside Scope
4.       MPCC Package Components
4.1      MPCC
4.2      MPCC WebForms
5.       Hardware
6.       Deployment Pre-requisites
7.       MPCC & WebForms Deployment Options
7.1      MPCC with CGI component behind Firewall on trusted network
7.2      MPCC with CGI component within DMZ network
7.3      MPCC behind Firewall on trusted network with Apache Server and CGI component within DMZ network
7.4      WebForms Deployment Options
8.       Security
8.1      Key Management
8.2      Apache
8.3      Firewall Configuration
9.       Minimum Security Configuration
9.1      Hardware
9.2      Use of MPCC Machine
9.3      Firewall
9.4      Network
9.5      Passwords
9.6      Key Management
9.7      Apache
9.8      AntiVirus
10.      MPCC Installation
10.1     MPCC Initialisation Package
10.2     MPCC Licensing
10.3     Communication Mode
11.      Connectivity Testing
12.      MPCC Test Environment
12.1     Hardware
12.2     Security
12.3     MPCC & MPCC WebForms
12.4     Digital Certificates
12.5     URL
       12.5.1   ESB URL
       12.5.2   Market Participant URL
13.      Digital Certificates
13.1     MPCC SSL Certs
13.2     S/MIME Certificate Generation
       13.2.1   Overview
       13.2.2   Requesting your certificate
       13.2.3   Picking up the certificate
       13.2.4   Generating the PKCS#12 Private Certificate
       13.2.5   Generating the PKCS#7 Public Certificate
       13.2.6   Placing Certificates on MPCC
14.      Production Configuration
14.1     Prerequisites
14.2     Clearing down directories
14.3     Clearing down Logs
14.4     Clearing down Access Database
14.5     Configuring MPCC to point at Production Market Gateway
14.6     Installing & Configuring S/MIME & SSL Keys
APPENDICES
Appendix A: Document Control
Appendix B: Abbreviations
Appendix C: Registration Details Form
Appendix D: Password Controls

Figure 1 MPCC Deployment Option 1
Figure 2 MPCC Deployment Option 2
Figure 3 MPCC Deployment Option 3
Figure 4 Firewall Configuration
Figure 5 Picking up the Certificate
Figure 6 Exporting Private Key
Figure 7 Export File Format
Figure 8 Generating PKCS#7 Public Certificate
Figure 9 Cryptographic Message Syntax Standard
Figure 10 eXpressway Configuration Manager
Figure 11 Pass Phrase




1.    Background
Full opening of the Republic of Ireland electricity market is scheduled for February 2005. Currently, industry
functions and market participants are developing and implementing processes and systems to enable the market
to operate successfully when opened.
ESB has a key role in the development and implementation of standards and systems to perform industry
functions such as Distribution System Operator (DSO), Meter Operator, and Metering & Registration System
Operator (MRSO). ESB is also involved, across all business areas, in the implementation & enhancement of
systems to enable:
• Interaction with the industry functions and processes.
• Implementation of additional functionality to enable more effective operation in a competitive market.
• Compliance with Business Separation requirements.
ESB are currently developing and amending a range of systems to manage the opening of the electricity market.
As part of this project ESB are developing a package which provides a mechanism for the Market Participants to
send and receive market messages via the Internet to the ESB Market Gateway. This software component is
referred to as the Market Participant Communication Component (MPCC) (also known as the ‘Black-Box’)
package.

2.    Purpose
The purpose of this document is to provide the Market Participants with sufficient information to deploy the
MPCC. This document details the deployment options and minimum security configuration for the MPCC on the
Market Participants’ environments.

3.    Terms of Reference

3.1 Within Scope
The following areas are in the scope of this document:
    Deployment options for the MPCC
    Minimum security configuration


3.2 Outside Scope
The following areas are currently outside the scope of this document:
    Design of the Market Participant infrastructure.
    Installation instructions for the MPCC – these will be detailed in the installation documentation provided to
         the market participants as part of the installation process.
    Support processes – pre and post go-live
    Upgrade processes – pre and post go-live




4.    MPCC Package Components
The MPCC contains two elements. The MPCC WebForms, which are used to create, amend and view Market
Messages and the core element, which looks after the signing, encryption, wrapping and communication between
the MPCC and the Market Gateway.

4.1 MPCC
The MPCC includes the following components:
• Apache 1.3.29 with mod_ssl module;
• Seebeyond e*Gate 4.5.3.


4.2 MPCC WebForms
The MPCC WebForms includes the following components:
• Java Applets;
• Java Runtime Environment v1.4.2_04.


5.    Hardware
The MPCC has been designed to run on a Windows 2000 machine. MOIP have issued a document detailing the
minimum specification for this machine - IEX-MP-3.01 MP Environment Minimum Requirements.


6.    Deployment Pre-requisites
The following items must be in place in advance of the MPCC installation onto the Market Participant’s machine
and are the responsibility of the Participant.

a) A dedicated machine must be available. The minimum specification is detailed in IEX-MP-3.01 MP
    Environment Minimum Requirements.

b) Provision of a contract with an ISP for Internet connectivity. This link can be permanent or dial-up. Provision
    of any necessary hardware, cabling and software to support the link.

c) Provision of an HTTP URL with a static IP address and resolvable domain name e.g.
    <http://127.0.0.1/mpcc.cgi> and <http://www.mp.ie/mpcc.cgi>

d) Provision and configuration of a firewall – please refer to section 8.3 below for more details.

e) Completion and return of the Market Participant Registration Details form, included in Appendix C.




7.    MPCC & WebForms Deployment Options
MOIP will provide a CD containing the MPCC package and the associated installation scripts and instructions.
See section 10 below for more details.

The install script will load the MPCC components onto the MPCC machine. The Market Participants can then
manually configure the MPCC as described below.

There are three MPCC deployment options available to the Market Participant:

Option 1 MPCC with CGI component behind Firewall on trusted network
Option 2 MPCC with CGI component within DMZ network
Option 3 MPCC behind Firewall on trusted network with Apache Server and CGI component within DMZ network

Note: Option 3 is a variation on the recommended installation and will not be supported by the Vendor or ESB.


7.1 MPCC with CGI component behind Firewall on trusted network
• Firewall policy will include a rule to allow HTTPS (TCP 443) inbound requests from the IP address of the
   Market Gateway only to the Market Participant’s registered public IP address for the MPCC (resolvable URL).
• Static Network Address Translation & static routing on the Firewall will route this traffic to the private IP
   address for the MPCC on the trusted (internal) network. The MPCC will communicate with the Market
   Participant’s relevant back-end systems locally within the trusted network.
• The statefulness of the Firewall will allow outbound HTTP session responses (over SSL) e.g. HTTP 200
   messages - response okay etc.
• The Firewall policy will also include a rule to allow HTTPS requests outbound to the IP address of the Market
   Gateway only from the private IP address for the MPCC on the trusted (internal) network. This will support
   outbound connections to the Gateway from the MPCC.




[Diagram not reproduced. Labels: MARKET GATEWAY (Server, Firewall), RosettaNet over HTTP / SSL, MARKET PARTICIPANT (Firewall, MPCC Server incl. CGI, XML File Interface, WebForms Interface).]

Figure 1 MPCC Deployment Option 1




7.2 MPCC with CGI component within DMZ network

• Firewall policy will include a rule to allow HTTPS (TCP 443) inbound requests from the IP address of the
   Market Gateway only to the Market Participant’s registered public IP address for the MPCC (resolvable URL).
• Static Network Address Translation & static routing on the Firewall will route this traffic to the private IP
   address for the MPCC on the DMZ network.
• The Firewall policy will also include a rule to allow FTP (it is recommended that SSH or Secure FTP is used)
   into the DMZ to the private IP address for the MPCC in order to transfer the Market Participant’s messages to the
   MPCC from the MP systems on the trusted network. This rule will also allow HTTP (TCP 80) requests to the
   same IP address in order to allow user interaction with the MPCC Apache Server which hosts the WebForms.
• The statefulness of the Firewall will allow HTTP responses to the user sessions and FTP control data back
   into the trusted network.
• The Firewall policy will also include a rule to allow HTTPS requests outbound to the IP address of the Market
   Gateway only from the private IP address for the MPCC on the DMZ network. This will support outbound
   connections to the Gateway from the MPCC.




[Diagram not reproduced. Labels: Server, Firewall, RosettaNet over HTTP / SSL, MARKET PARTICIPANT (Firewall, MPCC Server incl. CGI, XML File Interface, WebForms Interface, Secure FTP, Firewall, USER / APP).]

Figure 2 MPCC Deployment Option 2
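
The section 7.2 rules expressed as data with a first-match evaluator, as an added example that is not part of the original guide. The addresses, the rule names, the use of TCP 22 for the recommended SSH/Secure FTP transfer, and the implicit default deny are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholder addressing; none of these values come from the guide.
GATEWAY = "192.0.2.10/32"    # Market Gateway public IP
MPCC_DMZ = "10.10.0.5/32"    # private IP of the MPCC on the DMZ (after static NAT)
TRUSTED = "10.20.0.0/24"     # Market Participant trusted (internal) network
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    port: int  # TCP destination port of the new connection

    def matches(self, src, dst, port):
        return (port == self.port
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


# Allow rules for new connections only. Replies ride on firewall state,
# as the guide notes, so they need no rules of their own.
OPTION2_POLICY = [
    Rule("gateway-in-https", GATEWAY, MPCC_DMZ, 443),
    Rule("trusted-to-mpcc-sftp", TRUSTED, MPCC_DMZ, 22),  # assumption: SSH/SFTP, not FTP
    Rule("trusted-to-mpcc-http", TRUSTED, MPCC_DMZ, 80),  # WebForms users
    Rule("mpcc-out-https", MPCC_DMZ, GATEWAY, 443),
]


def evaluate(policy, src, dst, port):
    """First matching rule wins; anything unmatched is denied (assumed default)."""
    for rule in policy:
        if rule.matches(src, dst, port):
            return rule.name
    return "DENY"


def audit(policy):
    """Names of TCP 443 rules whose peer is not exactly the Market Gateway."""
    gateway = ip_network(GATEWAY)
    return [r.name for r in policy
            if r.port == 443
            and gateway not in (ip_network(r.src), ip_network(r.dst))]


# A common loosening: HTTPS opened to every source instead of the gateway only.
LOOSE_POLICY = [Rule("any-in-https", ANY, MPCC_DMZ, 443)] + OPTION2_POLICY[1:]

# Constructed sample flows: (description, source, destination, port).
FLOWS = [
    ("gateway delivers a message", "192.0.2.10", "10.10.0.5", 443),
    ("unrelated internet host", "203.0.113.77", "10.10.0.5", 443),
    ("WebForms user on trusted LAN", "10.20.0.15", "10.10.0.5", 80),
    ("MPCC sends to gateway", "10.10.0.5", "192.0.2.10", 443),
    ("MPCC to some other site", "10.10.0.5", "203.0.113.77", 443),
    ("MPCC opens SMB into trusted LAN", "10.10.0.5", "10.20.0.15", 445),
]

if __name__ == "__main__":
    for label, src, dst, port in FLOWS:
        print(f"{label:32} strict={evaluate(OPTION2_POLICY, src, dst, port):22} "
              f"loose={evaluate(LOOSE_POLICY, src, dst, port)}")
    print("audit strict:", audit(OPTION2_POLICY))
    print("audit loose: ", audit(LOOSE_POLICY))
```

The inbound rule is modelled after static NAT, so its destination is the MPCC's private DMZ address rather than the registered public one.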




7.3 MPCC behind Firewall on trusted network with Apache Server and CGI component within DMZ network
• Firewall policy will include a rule to allow HTTPS (TCP 443) inbound requests from the IP address of the
   Market Gateway only to the Market Participant’s registered public IP address for the MPCC (resolvable URL).
• Static Network Address Translation & static routing on the Firewall will route this traffic to the private IP
   address for the Apache Server on the DMZ network.
• A rule will also exist to allow TCP 3500 outbound requests from the Apache server in the DMZ network to the
   MPCC on the trusted network.
• The statefulness of the Firewall will allow for TCP responses from the server. The remaining components of
   the MPCC will sit on a server within the trusted network and will communicate with the Market Participant’s
   relevant back-end systems locally within the trusted network.
• The Firewall policy will also include a rule to allow HTTPS requests outbound to the IP address of the Market
   Gateway only from the private IP address for the MPCC Server on the trusted network. This will support
   outbound connections to the Gateway from the MPCC.




[Diagram not reproduced. Labels: Server, Firewall, RosettaNet over HTTP / SSL, MARKET PARTICIPANT (Firewall, Apache Server + CGI ONLY with Resolvable URL, TCP/IP, Firewall, TCP/IP, MPCC Server, XML File Interface, WebForms Interface).]




Figure 3 MPCC Deployment Option 3




7.4 WebForms Deployment Options
The WebForms may be separated from the MPCC. Note: They do not have the same operating system
environment limitations as the MPCC.

The MPCC installation script will deploy the MPCC WebForms on the Apache web server that is used by the
MPCC. A client-side installation script must be run to set the security policies that the applets will operate under;
this script will be located on the Apache web server.

The WebForms may be deployed on another web server other than the Apache server that is included with the
MPCC. In the event that a Market Participant wishes to load the WebForms onto another server they must carry
out the following steps:

Step 1: Copy the Applets (incl. directory structure) from the MPCC Apache web server to the new server.
Step 2: Configure the new web server to allow the Java Applets to be served.

The Market Participant can load the WebForms onto any machine running the following operating systems:

• Windows 2000
• Windows XP
• Windows 2003




8.    Security
Due to the commercially sensitive data, security measures will be necessary to guarantee confidentiality and
ensure data integrity. This is achieved through encryption of data passing between systems and the use of digital
signatures attached to each file transferred for authentication. In addition external unauthorised access will be
prevented by the use of firewalls.

It is the responsibility of the Market Participant to ensure that the MPCC environment is secure. If the MPCC
server at a client site is compromised due to participant misconfiguration or negligence, ESB will not be held
responsible for the breach.


8.1 Key Management
The MPCC requires a PKI infrastructure for encrypting and signing messages. MOIP are responsible for the
procurement and management of the PKI infrastructure and digital certificate distribution.

See section 13 Digital Certificates below for details on the procurement of keys.


8.2 Apache
The Apache HTTP Server will be packaged and delivered with the MPCC.

Apache will be set up with basic authentication i.e. a default User ID and Password. This will be included in the
MPCC software package. The installation instructions provided will include details on any steps that the Market
Participant has to carry out as part of the installation.

There will be a default user ID and password provided with the MPCC. The MP must change the user ID and
password immediately following installation.

Strong password controls are required to sustain MPCC and Market security. Refer to the password controls
section in Appendix D. The Market Participant may implement more stringent access control to the web server if
they feel that this is required. Instructions are provided on the Apache website -
http://httpd.apache.org/docs/howto/auth.html.


8.3 Firewall Configuration
Market Participants must include a firewall at their own sites to provide levels of protection in line with their own
security policies and the security policies of the Retail Market trading environment.

If the firewall is pre-installed on delivery of the MPCC server then all pre-set management passwords must be
changed on start up. The firewall should be configured as an IP packet filter with the ports open as described in
Figure 4.




Figure 4 Firewall Configuration




9.    Minimum Security Configuration
The Market Participants must adhere to the standards detailed in this section.


9.1 Hardware
Any unnecessary hardware options must be removed from the system prior to the installation of the operating
system. This ensures that the operating system installation process will not install unnecessary drivers which
themselves can expose the system to vulnerability.


9.2 Use of MPCC Machine
The MPCC must be installed on a dedicated machine. This machine must not be used to run any other
applications.

This machine must not be used to access the Internet via a dial-up connection, aside from use by the MPCC.


9.3 Firewall
The MPCC machine must be protected by a firewall as detailed in 8.3 above.


9.4 Network
Access to the machine must be restricted to the nominated MP authorised users only.


9.5 Passwords
The MPCC machine must be securely protected by a User ID and Password. Passwords should be set up and
managed as per the Password Controls outlined in Appendix D.


9.6 Key Management
The Market Participants must set-up and manage the keys as described in section 8.1 above.


9.7 Apache
Discussion is currently ongoing around the application of patches to Apache. The outcome will be detailed in
the Retail Market Support procedures.


9.8 AntiVirus
The MPCC machine must be loaded with a recognised commercial AntiVirus package. The AV software must be
kept up-to-date with the latest virus definition files.

The handling of Virus threats will be detailed in the Retail Market Support procedures.




10. MPCC Installation

10.1 MPCC Initialisation Package
Market Participants will receive an initialisation package from MOIP. The package will include the following:

• MPCC CD-ROM containing MPCC software and installation script;
• Installation Instructions.


10.2 MPCC Licensing
The MPCC package includes the licences for the included components i.e. Seebeyond eXpressway.

The Market Gateway is structured in such a way that communications to participants are targeted at particular
Participant IDs. The MPCC can only be installed on one instance for a Market Participant. The Market
Participants must complete and return the form included in Appendix C to the Market Gateway Licence Manager
in advance of the installation. If any of the details change then the form should be amended and re-submitted.


10.3 Communication Mode
The Market Participant can use the MPCC to communicate with the Market Gateway in one of two modes:
• Automated Upload/Download
• Manual Upload/Download

Automated Upload/Download
• Automatically sends/receives market messages.
• Errors written to an error directory on the MPCC.

Manual Upload/Download
• Requires manual intervention to send/receive market messages.
• Provides an online view of the message transmission status.

The Market Participant should select the mode that is most appropriate for their requirements.

The Market Participant must notify the Market Gateway Licence Manager of their intended communication mode
using the form included in Appendix C of this document.

11. Connectivity Testing
A function will be provided as part of the MPCC that will enable the user to test the connectivity between the
MPCC and the Market Gateway. See TD-IE-MP-4.07 MPCC Connectivity Test Plan for details of this function
and the associated processes around Connectivity Testing.




12. MPCC Test Environment
ESB are putting in place two Market Gateways:
    Production;
    Test.

The Test Market Gateway will be used for market testing.

It is recommended that the MPs set up separate MPCC environments for communication with the 2 Market
Gateways.

This section describes all of the configuration changes to be applied to the MPCC Test Environment.

12.1 Hardware
The machine hosting the MPCC should be as defined in the document TD-IE-MP.3.01 MP Environment Minimum
Requirements.


12.2 Security
The Test Machine should have the same security configuration as the production MPCC i.e. hardened, password
protected, protected by a firewall etc. see section 9 above.


12.3 MPCC & MPCC WebForms
The standard installation as documented in the installation instructions will apply.


12.4 Digital Certificates
A separate set of digital certificates will be provided for the Test MPCC. This will ensure that test and production
messages do not end up in the wrong location.


12.5 URL
12.5.1 ESB URL
The Test MPCC will be configured to point to the Test Market Gateway. ESB will provide the MPs with the
information to make the necessary configuration changes.

12.5.2 Market Participant URL
The MPs will provide ESB with a URL for the Test MPCC machine.




13. Digital Certificates
Certificates are required for the Market Gateway and the MPCC.

Market Gateway
    SSL : Secure authenticated and encrypted channel
    S/MIME : Digital signatures for non-repudiation

MPCC
   SSL : Secure authenticated and encrypted channel
   S/MIME : Digital signatures for non-repudiation

ESB will generate the Market Gateway certificates and will issue the public keys to the Market Participants.


13.1 MPCC SSL Certs
The Market Participants will be responsible for generating the MPCC SSL Certs. To generate the certs they will
have to carry out the following activities:
    MP to register with a commercial CA
    Create CSR and send to CA. CSR can be created on MPCC machine using the openssl included with
        Apache.
    MP will receive public certificate from CA
    MP to save private key (PEM-encoded) on MPCC
    MP to send public certificate to MOIP
    MP to backup private key securely

In the event that a participant is not registered with a CA in time for go-live MOIP will issue a temporary
production MPCC SSL certificate for that participant.


13.2 S/MIME Certificate Generation
13.2.1 Overview
The MPCC uses S/MIME to sign and encrypt market messages. To perform these functions, two certificate
types must be created: a public certificate in the PKCS#7 format and a private certificate in the PKCS#12
format. GeoTrust has been chosen to provide a facility for market participants to generate these certificates. The
following steps should be followed to create the certificates.

13.2.2 Requesting your certificate
* IMPORTANT - This task creates and stores your private key in the Windows registry. This machine will be
required to complete the certificate generation process which may take place over a number of days.

       The ESB portal can be reached from the following URL:
        https://services.geotrust.com/tcenroll/sep.do?ccpid=30396375230356768376
       There are two options: Request and Pick-up. Select the Request option.
       You are asked to provide some details. The email address will be used to notify you when the public
        certificate is ready to be picked up. The PIN number is a password to protect your private key in the
        registry.
       The 'first-name / last-name' fields can be any name - for example 'Prod Cert / Market Gateway'. The
        names will be visible on the certificate but they have no technical function.
       Finally, read and accept the agreement checkbox. Then use the Submit button to send the request. You
        will be contacted by email when your certificate is ready.



13.2.3 Picking up the certificate
* IMPORTANT - You must use the same machine as the one used in section 13.2.2.

   You will receive a notification message when the certificate has been authorised by GeoTrust. The email will
    contain a pin number and instructions to get your certificate.
   The certificate is installed directly on the machine. You can use Internet Explorer to view the certificate.
    Select the Tools menu from Internet Explorer; then select the Internet Options menu; on the Internet Options
    dialog go to the Content tab and click the Certificates button. You should see your certificate in the
    Personal list; it will have the 'first-name / last-name' name that was entered during the certificate request.




                                        Figure 5 Picking up the Certificate



13.2.4 Generating the PKCS#12 Private Certificate
The PKCS#12 Certificate contains the private key that is used to digitally sign and decrypt the messages. It is
created as follows:
   Go to Internet Explorer and select the Tools menu; next select the Internet Options menu; on the Internet
    Options dialog go to the Content tab and click the Certificates button. You should see your certificate in the
    Personal list; it will have the 'first-name / last-name' name that was entered during the certificate request.
   Click on your certificate in the box and click the Export button. See Figure 5.
   Click Next for the initial wizard screen to move to the next screen: 'Export Private Key'.



   On the 'Export Private Key' screen select the Yes, export the private key option. Then click on the Next
    button. See Figure 6.




                                        Figure 6 Exporting Private Key




   On the 'Export File Format' screen select the Personal Information Exchange option and ensure that none of
    the checkboxes are ticked. See Figure 7.




                                         Figure 7 Export File Format



   Click Next to open the Password screen. Type in a password and confirm the password. This will be used in
    the MPCC so it MUST be remembered. Click Next.
   On the 'File to Export' screen provide a file name and location. Set the filename to mpprivcert.p12. Click
    Next.
   Finally click Finish to create the PKCS#12 file.
   This file should be kept in a secure location as it will be used by the MPCC.




13.2.5 Generating the PKCS#7 Public Certificate
The PKCS#7 Certificate contains the public key that is used to verify digital signatures and encrypt the messages
sent to the Hub. It is created as follows:
   Go to Internet Explorer and select the Tools menu; next select the Internet Options menu; on the Internet
    Options dialog go to the Content tab and click the Certificates button. You should see your certificate in the
    Personal list; it will have the 'first-name / last-name' name that was entered during the certificate request.
   Click on your certificate in the box and click the Export button. See Figure 5.
   Click Next for the initial wizard screen to move to the next screen: 'Export Private Key'.
   On the 'Export Private Key' screen select the No, do not export the private key option. Then click the Next
    button. See Figure 8.




                                Figure 8 Generating PKCS#7 Public Certificate




   On the Export File Format screen select the Cryptographic Message Syntax Standard option. See Figure
    9.




                              Figure 9 Cryptographic Message Syntax Standard



   On the 'File to Export' screen provide a file name and location. Set the filename to mppubcert.p7b. Click
    Next.
   Finally click Finish to create the PKCS#7 file.
   This file should be kept in a secure location as it will be used by the MPCC.
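
Before mpprivcert.p12 is placed on the MPCC and mppubcert.p7b is passed on for the Market Gateway, it is worth confirming that the two exports carry the same public key and that the .p7b really is a PKCS#7 file. The following is an added example, not part of the ESB MOIP guide; the function names are hypothetical and make_sample_pair only builds constructed test files.

```shell
#!/bin/sh
# Added example: check that mpprivcert.p12 and mppubcert.p7b carry the same
# public key. Function names are hypothetical; requires the openssl CLI.

p12_key_hash() {  # usage: p12_key_hash <file.p12> <password>
    # pass: shows the password in the process list; env: or file: avoid that
    cert=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
        2>/dev/null) && [ -n "$cert" ] || return 1
    printf '%s\n' "$cert" | openssl x509 -noout -pubkey | openssl sha256 |
        awk '{ print $NF }'
}

p7b_key_hashes() {  # usage: p7b_key_hashes <file.p7b>; one hash per certificate
    # Try DER first, then PEM; a file that is not PKCS#7 yields no output
    { openssl pkcs7 -inform DER -in "$1" -print_certs 2>/dev/null ||
      openssl pkcs7 -inform PEM -in "$1" -print_certs 2>/dev/null; } |
    awk -v cmd='openssl x509 -noout -pubkey | openssl sha256' '
        /BEGIN CERTIFICATE/ { on = 1 }
        on                  { print | cmd }
        /END CERTIFICATE/   { on = 0; close(cmd) }' |
    awk '{ print $NF }'
}

pair_ok() {  # usage: pair_ok <file.p12> <password> <file.p7b>
    want=$(p12_key_hash "$1" "$2") || return 2   # wrong password or not PKCS#12
    p7b_key_hashes "$3" | grep -qxF "$want"      # 1: no certificate matches
}

make_sample_pair() {  # usage: make_sample_pair <dir> <password>
    # Constructed test data: a throwaway self-signed certificate, exported both ways
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Prod Cert" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout "pass:$2" -out "$1/mpprivcert.p12" &&
    openssl crl2pkcs7 -nocrl -certfile "$1/cert.pem" -outform DER \
        -out "$1/mppubcert.p7b"
}
```

pair_ok returns 2 when the PKCS#12 cannot be opened with the given password and 1 when no certificate in the .p7b matches it. With OpenSSL 3.x, a PKCS#12 file written with older algorithms may need -legacy added to the pkcs12 command.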




13.2.6 Placing Certificates on MPCC
Only the private PKCS#12 is used by the MPCC; the PKCS#7 will be given to the Market Gateway to secure
messages that are sent to you. Follow the instructions below to install the PKCS#12.
   Copy the mpprivcert.p12 file created in section 13.2.3 to the c:\mpccCerts\MP\SMIME folder.
   On the Windows desktop click the eXpressway Configuration to open the configuration tool.
   Select the SME Connectivity option to open the certificates tab.
   You need to change the Decryption PKCS12 PassPhrase to the PKCS#12 password you set in section
    13.2.3. See Figure 10.




                              Figure 10 eXpressway Configuration Manager




   Next click on the Digital Signature tab.
   You need to change the Signature PKCS12 PassPhrase to the PKCS#12 password you set in section
    13.2.3. See Figure 11.




                                            Figure 11 Pass Phrase

   Click OK to save the settings. The MPCC is now set-up with the new certificate.




14. Production Configuration
This section includes instructions for clearing down the MPCC in preparation for go-live and describes the
configuration tasks that must be carried out on the MPCC to connect to the Production Market Gateway.


14.1 Clearing down the Production MPCC
The market participants must clear down the MPCC production environment in advance of sending and receiving
production market messages. This section outlines the items that must be deleted.

There are a number of assumptions:
   Latest version of the MPCC software is installed on the MPCC server;
   ESB have been contacted with details of the MPCC production URL;
   MPCC has been stopped using the stop_eXpressway.cmd located in the eXpressway directory.

14.1.1 Clearing down directories
The following directories must be cleared down.

       C:\MPCC\Archive\MM\Inbound
       C:\MPCC\Archive\MM\Outbound
       C:\MPCC\Archive\RAW\Inbound
       C:\MPCC\Archive\RAW\Outbound
       C:\MPCC\Archive\Retrieve\RAW_OUT
       C:\MPCC\Archive\Error

14.1.2 Clearing down Logs
Delete the contents of the C:\eXpressway\Client\logs folder.

14.1.3 Clearing down Access Database
Go to the Access database (RNStateData.mdb) located in the following directory:

C:\eXpressway\Server\registry\repository\eXpressway\runtime\ThirdParty\MSAccess

Run the Queries
    deleteMessageTracking
    deleteState


14.2 Configuring MPCC to point at Production Market Gateway
MOIP will provide a script via email which will automatically reconfigure the MPCC to point at the Production
Market Gateway.




14.3 S/MIME & SSL Keys

ESB will provide the Market Participants with a script to load keys onto the MPCC server. This script will be
distributed via email.

The following table details the location of the encryption and signing keys used by the MPCC.

 Type                               Location                                        Instructions

 Market Gateway S/MIME public key   C:\mpccCerts\Hub\SMIME                          ESB will provide the key to the MP via a script which will
                                                                                    copy the SMIME key to the correct folder on the MPCC.

 Market Gateway SSL public key      C:\Program Files\Apache Group\Apache\conf\ssl   ESB will provide the key to the MP via a script which will
                                                                                    copy the SSL key to the correct folder on the MPCC.

 MPCC S/MIME key                    C:\mpccCerts\MP\SMIME                           The Market Participants will have generated the request for
                                                                                    this key using the instructions provided in section 13.

 MPCC SSL key                       C:\Program Files\Apache Group\Apache\conf\ssl   The Market Participant has the option of generating their
                                                                                    own SSL key using an alternative CA or using SSL keys
                                                                                    provided by ESB. If they are using the ESB SSL keys then
                                                                                    the key will be loaded into the correct area by the script;
                                                                                    otherwise they will have to manually move the key to the
                                                                                    correct folder.




                                           APPENDICES




Appendix A: Document Control
Version History

 Version    Date              Comments
   1.3      15th Dec 2004     Added section 14 on configuring production machine.
   1.2      6th Dec 2004      Amended section 8 – responsibility for security
                              Amended section 8.1 – removed text and included reference to new
                              section 13.
                              Added new section 13 on digital certificates
   1.1      31st Aug 2004     Added section on MPCC Test Environment
   1.0      2nd July 2004     Issued to Market Participants and CER
   0.4      1st July 2004     Internal MOIP review
   0.3      9th June 2004     Revised draft incorporating review comments.
                              Renamed document as per current MOIP standards.
   0.2      17 May 2004       Draft issued to Market Participants

Document Distribution

 Name                               Role                          Responsibility
 Priti-Dave Stack                   CER
 TIG Attendees                      .

Document Reviewed By


 Name                               Role                          Responsibility
 MOIP                                                             Approval
 TIG Attendees                                                    Review
 CER                                                              Review



Appendix B: Abbreviations
CER                         Commission for Energy Regulation
DSO                         Distribution System Operator
ESB                         Electricity Supply Board
Market Gateway              Gateway to/from MRSO & DSO.
MP                          Market Participant
MOIEX                       Market Opening Information Exchange Project
MPCC                        Market Participant Communication Component
MRSO                        Meter Registration System Operator
TIG                         Technical Implementation Group




Appendix C: Registration Details Form

            Irish Retail Market Participant Registration Details
     Part A – Organisation Details

     Organisation:

     Organisation Role:


     Part B – Contact Details

     Contact Name

     Contact Position

     Contact Telephone Number

     Contact Fax Number

     Contact Mobile Number

     Contact E-Mail address


     Part C – Technical Details

     Participant URL

     Participant IP Address (optional)

     Communication Mode (Manual/Automated)


     Part D – Signature

     Signature

     Date


     Once completed send a hard copy of this form, with signature, by fax or post to:

             Cormac Madden,
             Market Gateway Licence Manager,
             Market Opening IT Programme,
             2nd Floor, ESB, Fleet St.,
             Dublin 2, Ireland.




Appendix D: Password Controls
Never disclose your authentication details to anyone else, do not write them down, do not display them on
computer keyboards or screens. You should treat them with the same level of care you would your ATM pin,
bank account number or credit card number.

When selecting a password choose one that you will remember and that others will find very difficult to guess.
The following tips may assist you in choosing a strong password.

       Use a combination of letters and numbers. e.g. 24SEC6RET8
       Choose a word, then substitute certain letters with numbers e.g. OPERATION becomes 0P8RAT10N
       Use your bank PIN number together with a word. e.g. 1234OVERDRAFT
       Choose a foreign word, or a combination of foreign words. e.g. KIITOS_GRACI (‘Thank You’ in Finnish
        and Italian combined!)
       Use a combination of words, joined by a hyphen or underscore. e.g. POOR_BOY, DRY_LAND,
        SECRET_WORD
       Use a phrase, with the words run together or joined with hyphens or underscores. e.g. TO-BE-OR-NOT-
        TO-BE, ASPYHASNOFRIENDS
       Use the initial letters of a phrase that is meaningful to you. e.g. NITWOOD (now is the winter of our
        discontent)





				