Accessing TSL and importing certificates from the TSL list

A Trust-service Status List (TSL) is a signed list of Trust Service Providers (TSPs) and their status under a specified policy. The Odette TSL contains the public keys of the certification authorities (CAs) that the Odette organization has authorized.

In OFTP2 TSL, the digital information that is provided for each TSP is the complete trust chain up to the trusted signer certificate.

The TSL lists every certificate provider (CA) that has requested inclusion in the Odette TSL. The Odette organization checks the authenticity of each CA and its compliance with the agreed terms and criteria, and adds the CA to the TSL only after successful verification and validation.

To access the TSL and import certificates from the TSL list, configure a business process (BP) and run it. The process of importing involves the following tasks:
  1. Checking the time stamp in the .upd file. The .upd file is a text file that records the date and time of the last update of the TSL.
  2. Verifying and validating the XML signature of the TSL.
The OdetteFTP TSL service performs both tasks. It compares the time stamp in the .upd file with the last update time recorded in the local database. Only if the time stamp in the .upd file is later than the local last update time does it verify and validate the XML signature of the TSL and then import the TSL into the local database; an unchanged or older .upd time stamp leaves the local database as it is.
Note: For information about the OdetteFTP TSL service, see the OdetteFTPTSL Service topic in the Services and Adapters M to Z guide.

To update the certificates in the local certificate store regularly, you can schedule the related business process to periodically access the Odette TSL and import new or updated certificates.
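The freshness gate described above (fetch and verify only when the .upd time stamp is later than the local last update, import only when the signature verifies, and never advance the local time stamp otherwise) can be illustrated outside the business process. The following Python example is added here and is not part of the original page or of the Sterling B2B Integrator product. It assumes an ISO-8601 UTC layout for the .upd file and a minimal TSP/certId XML layout for the TSL, neither of which the page specifies, and it takes the signature check as a callable, because in the real flow that step is performed by the XMLDSigService / OdetteFTP TSL service rather than by this code.

```python
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Callable, List, Optional, Tuple

STAMP_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample inputs. The layouts are assumptions for this example,
# not the Odette .upd or TSL file formats.
SAMPLE_UPD_V1 = "2023-11-02T08:30:00Z\n"
SAMPLE_UPD_V2 = "2023-12-01T09:00:00Z\n"
SAMPLE_TSL_XML = """<?xml version="1.0"?>
<TSL>
  <TSP name="Example CA Ltd" certId="CA-0001"/>
  <TSP name="Sample Trust Services" certId="CA-0002"/>
</TSL>
"""


def parse_upd_timestamp(upd_text: str) -> datetime:
    """Parse the (assumed) ISO-8601 UTC time stamp held in the .upd file."""
    stamp = upd_text.strip()
    if not stamp.endswith("Z"):
        raise ValueError("expected a UTC time stamp ending in Z")
    return datetime.strptime(stamp, STAMP_FMT).replace(tzinfo=timezone.utc)


def open_local_store() -> sqlite3.Connection:
    """In-memory stand-in for the OFTP_TSL_INFO table, with the page's three fields."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE OFTP_TSL_INFO ("
        "TSL_TSP_TRADE_NAME TEXT, CERT_ID TEXT, TSL_UPDATE_TIME TEXT)"
    )
    return conn


def last_local_update(conn: sqlite3.Connection) -> Optional[datetime]:
    """Latest TSL_UPDATE_TIME in the local store, or None if nothing was imported yet."""
    row = conn.execute("SELECT MAX(TSL_UPDATE_TIME) FROM OFTP_TSL_INFO").fetchone()
    if row[0] is None:
        return None
    return datetime.strptime(row[0], STAMP_FMT).replace(tzinfo=timezone.utc)


def parse_tsp_entries(tsl_xml: str) -> List[Tuple[str, str]]:
    """Extract (trade name, certificate reference) pairs from the assumed TSL layout."""
    root = ET.fromstring(tsl_xml)
    return [(tsp.get("name"), tsp.get("certId")) for tsp in root.findall("TSP")]


def refresh_tsl(
    conn: sqlite3.Connection,
    upd_text: str,
    fetch_tsl: Callable[[], str],
    verify_signature: Callable[[str], bool],
) -> str:
    """Apply the gate: returns "up-to-date", "rejected" or "imported"."""
    remote_stamp = parse_upd_timestamp(upd_text)
    local_stamp = last_local_update(conn)
    # Unchanged or older .upd time stamp: do not even download the TSL.
    # This also refuses a rolled-back (older) list.
    if local_stamp is not None and remote_stamp <= local_stamp:
        return "up-to-date"
    tsl_xml = fetch_tsl()
    # Fail closed: a TSL whose XML signature does not verify is never imported
    # and the local time stamp does not move forward.
    if not verify_signature(tsl_xml):
        return "rejected"
    stamp_text = remote_stamp.strftime(STAMP_FMT)
    with conn:  # commits on success, rolls back on error
        conn.executemany(
            "INSERT INTO OFTP_TSL_INFO VALUES (?, ?, ?)",
            [(name, cert_id, stamp_text) for name, cert_id in parse_tsp_entries(tsl_xml)],
        )
    return "imported"


def demo() -> Tuple[List[str], int, str]:
    """Run the three cases: first import, repeat with same .upd, newer .upd with bad signature."""
    conn = open_local_store()
    fetch = lambda: SAMPLE_TSL_XML
    accept = lambda xml: True   # stands in for a successful XMLDSig verification
    reject = lambda xml: False  # stands in for a failed XMLDSig verification
    results = [
        refresh_tsl(conn, SAMPLE_UPD_V1, fetch, accept),
        refresh_tsl(conn, SAMPLE_UPD_V1, fetch, accept),
        refresh_tsl(conn, SAMPLE_UPD_V2, fetch, reject),
    ]
    rows = conn.execute("SELECT COUNT(*) FROM OFTP_TSL_INFO").fetchone()[0]
    return results, rows, last_local_update(conn).strftime(STAMP_FMT)


if __name__ == "__main__":
    print(demo())
```

The third call is the case worth checking in any scheduled import job: a newer .upd time stamp alone must not advance the local update time, otherwise a single bad download would make the job skip every later legitimate update.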

Sample Business Process to access the TSL and import certificates

Use a BP similar to the following one to access the TSL and import certificates from it:

<process name="OdetteTSLFetchOperation">
  <sequence>
    <!-- Open an HTTP session to the Odette host that serves the TSL files. -->
    <operation name="HTTP Client Begin Session Service">
      <participant name="HTTPClientBegin"/>
      <output message="HTTPClientBeginSessionServiceTypeInputMessage">
        <assign to="HTTPClientAdapter">HTTPTSLLIST</assign>
        <assign to="RemoteHost">www.odette.org</assign>
        <assign to="RemotePort">80</assign>
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="HTTPClientBeginSessionServiceResults" from="*"></assign>
      </input>
    </operation>

    <!-- GET the .upd file that carries the time stamp of the last TSL update. -->
    <operation name="Http Client Get Service">
      <participant name="HTTPGet"/>
      <output message="HTTPClientGetServiceTypeInputMessage">
        <assign to="SessionToken" from="HTTPClientBeginSessionServiceResults/SessionToken/text()"></assign>
        <assign to="URI">/TSL/TSL_OFTP2.UPD</assign>
        <assign to="ResponseTimeout">120</assign>
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*" append="true"/>
      </input>
    </operation>

    <!-- TSL Access: compare the .upd time stamp with the last update time in the local database. -->
    <operation name="OdetteFTPTSL">
      <participant name="OdetteFTPTSLTest"/>
      <output message="InputMessage">
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>

    <!-- GET the signed TSL XML. -->
    <operation name="Http Client Get Service">
      <participant name="HTTPGet"/>
      <output message="HTTPClientGetServiceTypeInputMessage">
        <assign to="SessionToken" from="HTTPClientBeginSessionServiceResults/SessionToken/text()"></assign>
        <assign to="URI">/TSL/TSL_OFTP2.XML</assign>
        <assign to="ResponseTimeout">120</assign>
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*" append="true"/>
      </input>
    </operation>

    <!-- Verify the XML signature of the TSL before anything is imported. -->
    <operation name="VerifyMessage">
      <participant name="XMLDSigService"/>
      <output message="verifyRequest">
        <assign to="." from="*"/>
        <assign to="action">verify</assign>
        <!-- <assign to="certificateIdentifier">test_rsa_pub</assign> -->
      </output>
      <input message="verifyResponse">
        <assign to="." from="*"></assign>
      </input>
    </operation>

    <!-- TSL Access: import the verified TSL into the local database. -->
    <operation name="OdetteFTPTSL">
      <participant name="OdetteFTPTSLTest"/>
      <output message="InputMessage">
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>

    <!-- HTTP Client End Session Service: ends the session identified by SessionToken. -->
    <operation name="HTTP Client End Session Service">
      <participant name="HTTPClientEnd"/>
      <output message="HTTPClientEndSessionServiceTypeInputMessage">
        <assign to="SessionToken" from="HTTPClientBeginSessionServiceResults/SessionToken/text()"></assign>
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="HTTPClientEndSessionServiceResults" from="*" append="true"/>
      </input>
    </operation>

  </sequence>
</process>
The following table lists the fields in the TSL information table (database table OFTP_TSL_INFO):

Field               Description                                                                                              Possible Values
TSL_TSP_TRADE_NAME  Name of the CA certificate provider.                                                                     NA
CERT_ID             Reference ID, from the master table (CA table, trusted table, or both), of a received certificate.       NA
TSL_UPDATE_TIME     Time at which the TSL XML was last updated by the Odette organization.                                   NA