All pages
Powered by GitBook
1 of 1

Protocol for Management Services

X-Road: Protocol for Management Services

Technical Specification

Version: 1.15 Doc. ID: PR-MSERV

Table of Contents

License

This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/.

1 Introduction

Management services are services provided by the X-Road governing organization to manage security servers and security server clients. They are called by security servers to register in central server the configuration changes made by the security server administrator. The management services are the following:

  • clientReg – registering an X-Road subsystem as a client of the security server;

  • clientDeletion – removing a client from the security server;

  • authCertReg – adding an authentication certificate to the security server;

  • authCertDeletion – removing an authentication certificate from the security server.

  • ownerChange - changing the owner member of the security server.

This protocol builds on existing transport and message encoding mechanisms. Therefore, this specification does not cover the technical details and error conditions related to making HTTPS requests together with processing MIME-encoded messages. These concerns are discussed in detail in their respective standards.

This specification does not include option for partially implementing the protocol – the conformant implementation must implement the entire specification.

1.1 Terms and abbreviations

1.2 References

  • [REQUIREMENT] Key words for use in RFCs to Indicate Requirement Levels. Request for Comments 2119, Internet Engineering Task Force, March 1997.

  • [WSDL] Web Services Description Language (WSDL) 1.1. World Wide Web Consortium. 15 March 2001.

  • [DER] DER encoding. ITU-T X.690. July 2002.

2 Format of the Messages

2.1 clientReg - Security Server Client Registration

The client registration service is invoked by the security server when a new client is added to the server.

The body of the client registration message (request or response) contains the following fields:

  • client – identifier of the subsystem to be added to the security server;

  • server – identifier of the security server where the client is added;

The XML Schema fragment of the client registration request body is shown below. For clarity, documentation in the schema fragment is omitted.

<xsd:complexType name="ClientRequestType">
    <xsd:sequence>
        <xsd:element name="server" type="id:XRoadSecurityServerIdentifierType"/>
        <xsd:element name="client" type="id:XRoadClientIdentifierType"/>
        <element name="requestId" type="tns:RequestIdType" minOccurs="0"/>
    </xsd:sequence>
</xsd:complexType>

The request is sent using HTTP POST method. The content type of the request MUST be multipart/related and the request must contain the following MIME parts.

  1. X-Road SOAP request message. The message MUST contain the regular X-Road headers and the two data fields (server, client). The content type of this part MUST be text/xml.

  2. Signature of the member that owns the subsystem to be registered as a security server client. The MIME part must contain signature of the SOAP request message, created with the private key corresponding to a signing certificate of the subsystem's owner. The content type of this part must be application/octet-stream. Additionally, the part MUST include header field signature-algorithm-ID that identifies the signature algorithm. Currently supported signature algorithms are SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA256withRSAandMGF1, SHA384withRSAandMGF1, and SHA512withRSAandMGF1.

  3. Signing certificate of the subsystem's owner that was used to create the second MIME part. The content type of this part MUST be application/octet-stream.

  4. OCSP response certifying that the signing certificate was valid at the time of creation of the request. The content type of this part MUST be application/octet-stream.

The response echoes back the client and the server fields of the request and adds the field requestId.

2.2 clientDeletion - Security Server Client Deletion

The clientDeletion service is invoked by the security server when a client is unregistered.

The body of the client deletion message (request or response) contains following fields:

  • client – identifier of the subsystem to be removed from the security server;

  • server – identifier of the security server where the client is removed;

The XML Schema fragment of the client deletion request body shown below.

<xsd:complexType name="ClientRequestType">
    <xsd:sequence>
        <xsd:element name="server" type="id:XRoadSecurityServerIdentifierType"/>
        <xsd:element name="client" type="id:XRoadClientIdentifierType"/>
        <element name="requestId" type="tns:RequestIdType" minOccurs="0"/>
    </xsd:sequence>
</xsd:complexType>

The response echoes back the client and the server fields of the request and adds the field requestId.

2.3 authCertReg - Security Server Authentication Certificate Registration

The authCertReg service is invoked by the security server when a new authentication certificate is added to the server.

The body of the authentication certificate registration message (request or response) contains the following fields:

  • server – identifier of the security server where the authentication certificate is added;

  • address – DNS address of the security server;

The XML Schema fragment of the authentication certificate registration request body is shown below. For clarity, documentation in the schema fragment is omitted.

<xsd:complexType name="AuthCertRegRequestType">
    <xsd:sequence>
        <xsd:element name="server" type="id:XRoadSecurityServerIdentifierType"/>
        <xsd:element name="address" type="string" minOccurs="0"/>
        <xsd:element name="authCert" type="base64Binary"/>
        <element name="requestId" type="tns:RequestIdType" minOccurs="0"/>
    </xsd:sequence>
</xsd:complexType>

Unlike the other requests, the authentication certificate registration request cannot be sent as a regular X-Road request. This is caused by a bootstrapping problem – sending an X‑Road message requires that the authentication certificate of the security server is registered at the central server. However, the certificate is registered only as a result of invoking this service. Therefore, another mechanism is needed.

The authentication certificate registration request is sent to the central server directly via HTTPS. When making the HTTPS connection the client MUST verify that the server uses the TLS certificate that is given in the global configuration.

If the central server encounters an error, it responds with a SOAP fault message.

The request is sent using HTTP POST method. The content type of the request MUST be multipart/related and the request must contain the following MIME parts.

  1. X-Road SOAP request message. The message MUST contain the regular X-Road headers and the three data fields (server, address, authCert). The content type of this part MUST be text/xml.

  2. Proof of possession of the authentication key. The MIME part must contain signature of the SOAP request message (the body of the first MIME part). The signature MUST be given using the private key corresponding to the authentication certificate that is being registered (authCert field of the SOAP message). The content type of this part must be application/octet-stream. Additionally, the part MUST include header field signature-algorithm-ID that identifies the signature algorithm. Currently supported signature algorithms are SHA256withRSA, SHA384withRSA, and SHA512withRSA.

  3. Signature of the security server's owner. The MIME part must contain signature of the SOAP request message, created with the private key corresponding to a signing certificate of the security server's owner. The content type of this part must be application/octet-stream. Additionally, the part MUST include header field signature-algorithm-ID that identifies the signature algorithm. Currently supported signature algorithms are SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA256withRSAandMGF1, SHA384withRSAandMGF1, and SHA512withRSAandMGF1.

  4. Authentication certificate that is being registered (authCert field of the SOAP message). The content type of this part MUST be application/octet-stream.

  5. Signing certificate of the security server's owner that was used to create the third MIME part. The content type of this part MUST be application/octet-stream.

  6. OCSP response certifying that the signing certificate was valid at the time of creation of the request. The content type of this part MUST be application/octet-stream.

The central server sends responds with X-Road response message (content type MUST be text/xml). The response echoes back the three fields of the SOAP request and adds the field requestId.

2.4 authCertDeletion - Security Server Authentication Certificate Deletion

The authCertDeletion service is invoked by the security server when an authentication certificate is deleted from the server. The body of the authentication certificate deletion message (request or response) contains the following fields:

  • server – identifier of the security server where the authentication certificate is removed;

  • authCert – contents (in DER encoding) of the authentication certificate that is removed from the security server;

The XML Schema fragment of the authentication certificate deletion request body is shown below.

<xsd:complexType name="AuthCertDeletionRequestType">
    <xsd:sequence>
        <xsd:element name="server" type="id:XRoadSecurityServerIdentifierType"/>
        <xsd:element name="authCert" type="base64Binary"/>
        <element name="requestId" type="tns:RequestIdType" minOccurs="0"/>
    </xsd:sequence>
</xsd:complexType>

The response echoes back the client and the server fields of the request and adds the field requestId.

2.5 ownerChange - Security Server Owner Change

The owner change service is invoked by the security server when the owner member of the security server is changed.

The body of the owner change message (request or response) contains the following fields:

  • server – identifier of the security server where the owner is changed;

  • client – identifier of the new owner member of the security server;

The XML Schema fragment of the client registration request body is shown below. For clarity, documentation in the schema fragment is omitted.

<xsd:complexType name="ClientRequestType">
    <xsd:sequence>
        <xsd:element name="server" type="id:XRoadSecurityServerIdentifierType"/>
        <xsd:element name="client" type="id:XRoadClientIdentifierType"/>
        <element name="requestId" type="tns:RequestIdType" minOccurs="0"/>
    </xsd:sequence>
</xsd:complexType>

The request is sent using HTTP POST method. The content type of the request MUST be multipart/related and the request must contain the following MIME parts.

  1. X-Road SOAP request message. The message MUST contain the regular X-Road headers and the two data fields (server, client). The content type of this part MUST be text/xml.

  2. Signature of the new owner member of the security server. The MIME part must contain signature of the SOAP request message, created with the private key corresponding to a signing certificate of the new owner member. The content type of this part must be application/octet-stream. Additionally, the part MUST include header field signature-algorithm-ID that identifies the signature algorithm. Currently supported signature algorithms are SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA256withRSAandMGF1, SHA384withRSAandMGF1, and SHA512withRSAandMGF1.

  3. Signing certificate of the new owner member that was used to create the second MIME part. The content type of this part MUST be application/octet-stream.

  4. OCSP response certifying that the new owner member's signing certificate was valid at the time of creation of the request. The content type of this part MUST be application/octet-stream.

The response echoes back the server and the client fields of the request and adds the field requestId.

Annex A. Example messages

A.1 clientReg

Request message

--jetty113950090iemuz6a3
Content-Type: text/xml; charset=UTF-8
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:id="http://x-road.eu/xsd/identifiers"
        xmlns:xroad="http://x-road.eu/xsd/xroad.xsd">
    <SOAP-ENV:Header>
        <xroad:client id:objectType="MEMBER">
            <id:xRoadInstance>EE</id:xRoadInstance>
            <id:memberClass>GOV</id:memberClass>
            <id:memberCode>TS1OWNER</id:memberCode>
        </xroad:client>
        <xroad:service id:objectType="SERVICE">
            <id:xRoadInstance>EE</id:xRoadInstance>
            <id:memberClass>GOV</id:memberClass>
            <id:memberCode>TS1OWNER</id:memberCode>
            <id:serviceCode>clientReg</id:serviceCode>
        </xroad:service>
        <xroad:id>8770348d-c5f1-4f23-989e-7dd91fb59eff</xroad:id>
        <xroad:protocolVersion>4.0</xroad:protocolVersion>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body>
        <xroad:clientReg>
            <xroad:server id:objectType="SERVER">
                <id:xRoadInstance>EE</id:xRoadInstance>
                <id:memberClass>GOV</id:memberClass>
                <id:memberCode>TS1OWNER</id:memberCode>
                <id:serverCode>TS1</id:serverCode>
            </xroad:server>
            <xroad:client id:objectType="SUBSYSTEM">
                <id:xRoadInstance>EE</id:xRoadInstance>
                <id:memberClass>COM</id:memberClass>
                <id:memberCode>client</id:memberCode>
                <id:subsystemCode>subsystem</id:subsystemCode>
            </xroad:client>
        </xroad:clientReg>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
--jetty113950090iemuz6a3
Content-Type: application/octet-stream
signature-algorithm-id: SHA512withRSA
 
[SUBSYSTEM OWNER SIGNATURE BYTES]
--jetty113950090iemuz6a3
Content-Type: application/octet-stream
 
[SUBSYSTEM OWNER CERTIFICATE BYTES]
--jetty113950090iemuz6a3
Content-Type: application/octet-stream
 
[SUBSYSTEM OWNER CERTIFICATE OCSP RESPONSE BYTES]
--jetty113950090iemuz6a3--

Response message

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:id="http://x-road.eu/xsd/identifiers"
        xmlns:xroad="http://x-road.eu/xsd/xroad.xsd">
    <SOAP-ENV:Header>
        <xroad:client id:objectType="MEMBER">
            <id:xRoadInstance>EE</id:xRoadInstance>
            <id:memberClass>GOV</id:memberClass>
            <id:memberCode>TS1OWNER</id:memberCode>
        </xroad:client>
        <xroad:service id:objectType="SERVICE">
            <id:xRoadInstance>EE</id:xRoadInstance>
            <id:memberClass>GOV</id:memberClass>
            <id:memberCode>TS1OWNER</id:memberCode>
            <id:serviceCode>clientReg</id:serviceCode>
        </xroad:service>
        <xroad:id>8770348d-c5f1-4f23-989e-7dd91fb59eff</xroad:id>
        <xroad:protocolVersion>4.0</xroad:protocolVersion>
        <xroad:requestHash
                algorithmId="http://www.w3.org/2001/04/xmlenc#sha512">
            LGxmFNQhkhehCsbrrBgX4w64N0Z+knazghehKDYwJzSmVwf8tyVCYHyD8Vp5eSNNMtm0
            XDBzMOkqQ3uSDfNrLw==
        </xroad:requestHash>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body>
        <xroad:clientRegResponse>
            <xroad:server id:objectType="SERVER">
                <id:xRoadInstance>EE</id:xRoadInstance>
                <id:memberClass>GOV</id:memberClass>
                <id:memberCode>TS1OWNER</id:memberCode>
                <id:serverCode>TS1</id:serverCode>
            </xroad:server>
            <xroad:client id:objectType="SUBSYSTEM">
                <id:xRoadInstance>EE</id:xRoadInstance>
                <id:memberClass>COM</id:memberClass>
                <id:memberCode>client</id:memberCode>
                <id:subsystemCode>subsystem</id:subsystemCode>
            </xroad:client>
            <xroad:requestId>394</xroad:requestId>
        </xroad:clientRegResponse>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

A.2 clientDeletion

Request message

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:id="http://x-road.eu/xsd/identifiers"
        xmlns:xroad="http://x-road.eu/xsd/xroad.xsd">
    <SOAP-ENV:Header>
        <xroad:client id:objectType="MEMBER">
            <id:xRoadInstance>EE</id:xRoadInstance>
            <id:memberClass>GOV</id:memberClass>
            <id:memberCode>TS1OWNER</id:memberCode>
        </xroad:client>
        <xroad:service id:objectType="SERVICE">
            <id:xRoadInstance>EE</id:xRoadInstance>
            <id:memberClass>GOV</id:memberClass>
            <id:memberCode>TS1OWNER</id:memberCode>
            <id:serviceCode>clientDeletion</id:serviceCode>
        </xroad:service>
        <xroad:id>0e0d804a-b4e2-4f56-b5a0-2c32e4288f7d</xroad:id>
        <xroad:protocolVersion>4.0</xroad:protocolVersion>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body>
        <xroad:clientDeletion>
            <xroad:server id:objectType="SERVER">
                <id:xRoadInstance>EE</id:xRoadInstance>
                <id:memberClass>GOV</id:memberClass>
                <id:memberCode>TS1OWNER</id:memberCode>
                <id:serverCode>TS1</id:serverCode>
            </xroad:server>
            <xroad:client id:objectType="SUBSYSTEM">
                <id:xRoadInstance>EE</id:xRoadInstance>
                <id:memberClass>COM</id:memberClass>
                <id:memberCode>client</id:memberCode>
                <id:subsystemCode>subsystem</id:subsystemCode>
            </xroad:client>
        </xroad:clientDeletion>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Response message

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:id="http://x-road.eu/xsd/identifiers"
        xmlns:xroad="http://x-road.eu/xsd/xroad.xsd">
    <SOAP-ENV:Header>
        <xroad:client id:objectType="MEMBER">
            <id:xRoadInstance>EE</id:xRoadInstance>
            <id:memberClass>GOV</id:memberClass>
            <id:memberCode>TS1OWNER</id:memberCode>
        </xroad:client>
        <xroad:service id:objectType="SERVICE">
            <id:xRoadInstance>EE</id:xRoadInstance>
            <id:memberClass>GOV</id:memberClass>
            <id:memberCode>TS1OWNER</id:memberCode>
            <id:serviceCode>clientDeletion</id:serviceCode>
        </xroad:service>
        <xroad:id>0e0d804a-b4e2-4f56-b5a0-2c32e4288f7d</xroad:id>
        <xroad:protocolVersion>4.0</xroad:protocolVersion>
        <xroad:requestHash algorithmId="http://www.w3.org/2001/04/xmlenc#sha512">
            KHe7PMAcYgNzcS7/4KImaYZxpLry0l+1zkFgzKXVkmzkYXg9IjBgX7CP6wDXwYT0qVON
            6NiF74LvlSwpPupO5A==
        </xroad:requestHash>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body>
        <xroad:clientDeletionResponse>
            <xroad:server id:objectType="SERVER">
                <id:xRoadInstance>EE</id:xRoadInstance>
                <id:memberClass>GOV</id:memberClass>
                <id:memberCode>TS1OWNER</id:memberCode>
                <id:serverCode>TS1</id:serverCode>
            </xroad:server>
            <xroad:client id:objectType="SUBSYSTEM">
                <id:xRoadInstance>EE</id:xRoadInstance>
                <id:memberClass>COM</id:memberClass>
                <id:memberCode>client</id:memberCode>
                <id:subsystemCode>subsystem</id:subsystemCode>
            </xroad:client>
	     <xroad:requestId>395</xroad:requestId>
        </xroad:clientDeletionResponse>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

A.3 authCertReg

Request message

--jetty113950090iemuz6a3
Content-Type: text/xml; charset=UTF-8

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:id="http://x-road.eu/xsd/identifiers"
        xmlns:xroad="http://x-road.eu/xsd/xroad.xsd">
    <SOAP-ENV:Header>
        <xroad:client id:objectType="MEMBER">
            <id:xRoadInstance>EE</id:xRoadInstance>
            <id:memberClass>GOV</id:memberClass>
            <id:memberCode>TS1OWNER</id:memberCode>
        </xroad:client>
        <xroad:service id:objectType="SERVICE">
            <id:xRoadInstance>EE</id:xRoadInstance>
            <id:memberClass>GOV</id:memberClass>
            <id:memberCode>TS1OWNER</id:memberCode>
            <id:serviceCode>authCertReg</id:serviceCode>
        </xroad:service>
        <xroad:id>9a82c2d1-27d6-4053-85a7-f37327c6dba7</xroad:id>
        <xroad:protocolVersion>4.0</xroad:protocolVersion>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body>
        <xroad:authCertReg>
            <xroad:server id:objectType="SERVER">
                <id:xRoadInstance>EE</id:xRoadInstance>
                <id:memberClass>GOV</id:memberClass>
                <id:memberCode>TS1OWNER</id:memberCode>
                <id:serverCode>TS1</id:serverCode>
            </xroad:server>
            <xroad:address>192.168.74.202</xroad:address>
            <xroad:authCert>
                MIIDtzCCAp+gAwIBAgIIaAPFaI/REfAwDQYJKoZIhvcNAQEFBQAwNzERMA8GA1UE
                AwwIQWRtaW5DQTExFTATBgNVBAoMDEVKQkNBIFNhbXBsZTELMAkGA1UEBhMCU0Uw
                HhcNMTUxMDA1MTEyNzQzWhcNMTcxMDA0MTEyNzQzWjAuMQswCQYDVQQGEwJFRTEM
                MAoGA1UECgwDR09WMREwDwYDVQQDDAhUUzFPV05FUjCCASIwDQYJKoZIhvcNAQEB
                BQADggEPADCCAQoCggEBAIkX6/b/yUNSIvZatpFDqUDJ4l+igH+z8/kyLlu92VL6
                H7hkCL6ggn7qsHOTGaxOupXQBKx/EDMOt+cpbhQlQCSoU2LmXYklv9FEGXTUBt5U
                VlT1mZXQkfPVT2ozWQeGEOe7RLApaldgfFgg6AklsuOTe0FgJTfqXrnjVy84MRht
                56nw0V6SnujGMVxQJR1IJC13I5wRbVbkyOxX52vqJ7Kh/2GWtNj2AgY9VbZA6/8S
                3fMVHWQUbVtFV/2LyjQ0OrwPm0VXsrqRnlh0tln3AtgNOiPgmg72aWNPwlPx7+rE
                02t+0O+KieC3IZppY2044tC699ui5/nOZPrlIqC1XcCAwEAAaOBzzCBzDBNBggrB
                gEFBQcBAQRBMD8wPQYIKwYBBQUHMAGGMWh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9la
                mJjYS9wdWJsaWN3ZWIvc3RhdHVzL29jc3AwHQYDVR0OBBYEFCB7AE2wTs7iLMMxG
                tilpSg8bShnMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUdy2JLgO2/fjSZTkxN
                SLQRhro0gkwDgYDVR0PAQH/BAQDAgO4MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrB
                gEFBQcDAjANBgkqhkiG9w0BAQUFAAOCAQEATCbKukYbOV5R4I/ivhEXIJAA8azeJ
                NONWg0+74v9hdInDSDuXreJkkpJNz0pZaaDnbsWFF+LGcB8UDTc6jOGOaH1b2iSh
                qzq/jL+Le9iSi8V26aWmKJipt5fsU5E/OJAA0KMnNjhtq5FDdP7gCD7+pPVq2FwE
                Wf9nsNtAq8uETc5f9PNGxE6PrDl2Gy2K3m4T/0kvQIiMFsk1z054/9rW/w+dQSSs
                xHhYHOPzwbSEsoeSw3UEqeKdaYUspFs+eGD4b3dexwEe5M0oZAwL/+/56eTcOhne
                nP9A+8jF1vlXnP/m+tThaftcMZa/NTvpceLx36TDUIwB222ddkyN2Offw==
            </xroad:authCert>
        </xroad:authCertReg>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
--jetty113950090iemuz6a3
Content-Type: application/octet-stream
signature-algorithm-id: SHA512withRSA

[AUTHENTICATION CERTIFICATE SIGNATURE BYTES]
--jetty113950090iemuz6a3
Content-Type: application/octet-stream
signature-algorithm-id: SHA512withRSA

[SECURITY SERVER OWNER SIGNATURE BYTES]
--jetty113950090iemuz6a3
Content-Type: application/octet-stream

[AUTHENTICATION CERTIFICATE BYTES]
--jetty113950090iemuz6a3
Content-Type: application/octet-stream

[SECURITY SERVER OWNER CERTIFICATE BYTES]
--jetty113950090iemuz6a3
Content-Type: application/octet-stream

[SECURITY SERVER OWNER CERTIFICATE OCSP RESPONSE BYTES]
--jetty113950090iemuz6a3--

Response message

A.4 authCertDeletion

Request message

Response message

A.5 ownerChange

Request message

Response message

Annex B WSDL File for Management Services