TSL support for OFTP2
Activator supports communities that use Trust-service Status Lists (TSLs) for trading via OFTP2. The following topics describe TSLs and how they are used.
About TSLs
A TSL is an XML document that contains entries for the certificates issued by certificate authorities (CAs). A certificate entry can contain an intermediate or root CA certificate. When an entry contains an intermediate CA certificate, it also contains the remainder of the certificate chain up to and including the root CA certificate. A TSL also contains a large amount of metadata about the list itself, including:
- The name of the list
- A version identifier for the list
- A sequence number of the list
- The date and time the list was issued
- The date and time the list is scheduled to be updated
Odette publishes three files for each TSL:
- An XML file containing the TSL itself
- A text file containing the date and time the TSL was last updated
- A text file containing the policy for the certificates in the TSL
Each TSL is signed using the XML digital signature mechanism to ensure the authenticity and integrity of the TSL. The signature verification certificate is included in the digital signature. Odette also publishes its TSL signature verification certificates in the file http://www.odette.org/TSL/TSL_signing.P7B.
How a community uses TSL
Activator treats a TSL simply as a source of trusted certificates for a community. These are the certificates that are seen in the Trusted root certificates and Trusted SSL root certificates tabs of a community's Certificates page.
You must get end-entity certificates from the CAs whose certificates are in the TSL and then import the acquired certificates to Activator. When a community is configured to use a TSL, it gets its trusted root and intermediate certificates solely from the TSL. You cannot change (delete from or add to) the community's trusted certificates.
When a TSL contains an intermediate CA certificate, the community is configured to trust that intermediate CA certificate and not the root CA certificate. This differs from the standard certificate trusting behavior in Activator, where the root certificate is trusted. The reason is that many of the intermediate CA certificates in a TSL may share a common root CA certificate, and trusting that root CA certificate could result in trusting more certificates than intended.
A TSL does not contain a mechanism for indicating the intended usage (signing, encryption, TLS server authentication or TLS client authentication) of certificates issued by the CA certificates in the TSL. Because of this, all CA certificates in the TSL are put in both the community's Trusted root certificates and Trusted SSL root certificates.
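As an added illustration of the trust rules described above (example code, not Activator's own), the following Python snippet parses a constructed TSL in an assumed simplified layout, reads the list metadata, and derives the trust anchors a community would get: each entry's own CA is trusted, a root reached only through an intermediate's chain is not, and the same set feeds both trust lists. Verification of the list's XML signature is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in an assumed simplified layout (not Odette's schema):
# each Entry lists its own CA certificate first, then the rest of the chain
# up to the root. Certificate values are placeholders, not real base64 DER.
SAMPLE_TSL = """<TrustServiceStatusList>
  <SchemeInformation>
    <Name>OFTP2</Name>
    <VersionIdentifier>3</VersionIdentifier>
    <SequenceNumber>42</SequenceNumber>
    <ListIssueDateTime>2024-01-10T09:00:00Z</ListIssueDateTime>
    <NextUpdate>2024-07-10T09:00:00Z</NextUpdate>
  </SchemeInformation>
  <Entries>
    <Entry><Certificate>INTERMEDIATE-A</Certificate><Certificate>ROOT-X</Certificate></Entry>
    <Entry><Certificate>INTERMEDIATE-B</Certificate><Certificate>ROOT-X</Certificate></Entry>
    <Entry><Certificate>ROOT-Y</Certificate></Entry>
  </Entries>
</TrustServiceStatusList>"""

def _ts(text):
    """Parse an ISO 8601 UTC timestamp such as 2024-01-10T09:00:00Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def parse_tsl(xml_text):
    """Return (list metadata, list of certificate chains) from a TSL document."""
    root = ET.fromstring(xml_text)
    info = root.find("SchemeInformation")
    meta = {
        "name": info.findtext("Name"),
        "version": int(info.findtext("VersionIdentifier")),
        "sequence": int(info.findtext("SequenceNumber")),
        "issued": _ts(info.findtext("ListIssueDateTime")),
        "next_update": _ts(info.findtext("NextUpdate")),
    }
    chains = [[c.text for c in e.findall("Certificate")] for e in root.iter("Entry")]
    return meta, chains

def trust_anchors(chains):
    # The anchor is each entry's own CA (first in its chain). ROOT-X, reached only
    # as the tail of two intermediates' chains, is deliberately not trusted; a TSL
    # carries no key-usage data, so the same set feeds both trust lists.
    anchors = {chain[0] for chain in chains}
    return {"trusted_root": anchors, "trusted_ssl_root": set(anchors)}

def is_stale(meta, now_iso):
    """True once the list's scheduled update time has passed."""
    return _ts(now_iso) >= meta["next_update"]
```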
Configure TSL for a community
Use this procedure to configure a community to use TSL.
- Click Certificates in the navigation graphic at the top of a community summary page. This opens the Certificates page.
- Review the Trusted root certificates tab and the Trusted SSL root certificates tab. Any certificates listed there are replaced by TSL certificates after you complete the next steps; TSL root and intermediate certificates supplant any non-TSL root and intermediate certificates a community may have.
- Click the task Manage use of Trust-service Status List (TSL) near the bottom of the page. This opens the Manage use of Trust-service Status List (TSL) page.
Choose a TSL
- Type one of the following values in the Select TSL field. These are the names of the TSLs that Odette has been publishing. If one or more of these TSLs are already used by another community, you can select a name from the drop-down list; otherwise you must type the name. The names are not case sensitive. A community can use only one TSL at a time.
- OFTP2 – This is generally the TSL to use if your community is engaged in production trading.
- Basic – This is a superset of the OFTP2 TSL.
- Test – This TSL is only intended for testing purposes.
- Odette manages these lists and could decide to expand or reduce the number of lists it publishes.
- Click Save changes to add the specified TSL. Activator connects to Odette and downloads the most recent list.
- Details of the TSL are displayed on the Manage use of Trust-service Status List (TSL) page. The URL field links to the XML file that contains the TSL. The Policy URL field links to a text file that describes the policies for using the certificates in the TSL. If you cannot open the links, you may have to configure your browser to connect through a proxy managed by your network.
- Activator checks at random intervals for newer versions of TSLs to download. To check immediately for a new list, click the task Update the TSL being used by this community.
- If Activator cannot connect to download the TSL, it may be because your network requires routing outbound connections through a proxy. For more information see TSL support for OFTP2.
Verify TSL download
- Do the following to verify the TSL has been downloaded:
- Click Certificates in the navigation graphic at the top of the page.
- Select the Trusted root certificates tab or the Trusted SSL root certificates tab to display lists of certificates in the TSL. Notice the user interface does not provide the option to untrust any of the certificates.
- You also can examine TSL certificates by selecting System management > Manage certificates. This opens a page that allows searching for, and viewing details of, all X.509 certificates in the certificate store.
Stop updating TSL certificates
- To unlink a community from a TSL, click the task Stop getting this community's trusted certificates from a TSL on the Manage use of Trust-service Status List (TSL) page. Click OK to confirm.
- When the TSL is turned off, the trusted root certificates for the community remain the same, but are no longer updated automatically. Additionally, when you go to the Trusted root certificates tab and Trusted SSL root certificates tab on the Certificates page for the community, the certificates can be untrusted.
Configure TSL retrieval
Use this procedure to configure Activator to download TSL files through an HTTP proxy. Only one proxy can be configured. Activator downloads all TSLs through the proxy. (This proxy does not apply to viewing of downloaded TSLs in a browser.)
- Select System management on the toolbar to open the System management page.
- Click the task Configure TSL retrieval to open the Configure Trust-service Status List (TSL) retrieval page.
- Select an option:
- None – Retrieval through a proxy is turned off.
- Local – Retrieval is through the proxy configured on this page.
- If you select Local, complete the following fields.
- Host – The name or IP address of the proxy server to use when retrieving TSLs via HTTP.
- Port – The port number of the proxy server to use when retrieving TSLs via HTTP.
- This proxy requires a user name and password – Select if a user name and password are required to connect to the proxy server. Type the authentication information in the user name and password fields.
- Click Save changes.