PEPPOL online WS 2 SMP and identifiers

www.peppol.eu

PEPPOL is an EU co-funded project CIP-ICT PSP-2007 No 224974

PEPPOL Workshop SMP and Identifiers

Martin Forsberg, Ecru Consulting

Mikael Aksamit, Tickstar AB

The PEPPOL project

Pilot A objective: Enabling EU-wide public eProcurement

50% EU contribution for achieving interoperability

Coordinated by the Norwegian Agency for Public Management and eGovernment (Difi)

Consortium and scope:

18 beneficiaries from 12 countries

Total budget 30,8 M€

8 work packages, <1.600 person months and 10 M€ on sub-contractors

Project start up: 1 May 2008, duration 48 months*

*Current project duration is 42 months (+6 months extension subject to European Commission's approval)

The PEPPOL project is the result of the European Competitiveness and Innovation Programme (CIP) ICT Policy Support Programme (ICTPSP) 2007 and 2009 Call for Proposals

The PEPPOL Vision

Any supplier (incl. SMEs) in the EU can communicate electronically with any European contracting authority for all procurement processes.


eProcurement

Service Metadata Publisher and Identifiers

How does it work (simplified)?

A URL is built from the receiving participant's ID and the domain of the PEPPOL central locator

A bit simplified:

http://SE5523222312.sml.peppolcentral.org points towards registry ABC

and http://DK4723222753.sml.peppolcentral.org points towards registry XYZ

Exactly as http://mail.ecru.se points to our mail server and http://www.ecru.se points to our web server (located and hosted by different providers)

The URL is built using the same mechanism ALL THE TIME

You only need to know the participant's identifier to retrieve the necessary data for the service that receives the documents

And the response from the registry

• The receiver's identifier

• Type of supported process

• Type of supported messages (and customizations)

• Type of supported transport protocol/profile

• Technical address where to send to

PEPPOL Policy for using Identifiers

Party identifiers

Party Ids in START/SMP

<ParticipantIdentifier scheme="iso6523-actorid-upis">0088:4035811991014</ParticipantIdentifier>

Party Ids in Messages

<cac:PartyIdentification>

<cbc:ID schemeID="GLN">4035811991014</cbc:ID>

</cac:PartyIdentification>

0088 and GLN are used as examples. The policy for identifiers document lists a number of schemes including VAT numbers, company registration number, IBAN and DUNS.

Document identifiers

Used in SMP to specify what document type a certain service accepts

Informs about the syntax/format, the customization and a version

urn:oasis:names:specification:ubl:schema:xsd:Invoice-2::Invoice##urn:www.cenbii.eu:transaction:biicoretrdm010:ver1.0:#urn:www.peppol.eu:bis:peppol4a:ver1.0::2.0

Customization

Used in CEN/BII to specify the contextualization/customization of a certain document. A stand-alone invoice may differ content-wise from an integrated procurement invoice.

urn:www.cenbii.eu:transaction:biicoretrdm010:ver1.0:#urn:www.peppol.eu:bis:peppol4a:ver1.0

urn:oasis:names:specification:ubl:schema:xsd:Invoice-2::Invoice##urn:www.cenbii.eu:transaction:biicoretrdm010:ver1.0:#urn:www.peppol.eu:bis:peppol4a:ver1.0::2.0

The transaction datamodel (the allowed business terms and rules)

Optional extension to the rules

Version of the customization

Remember this

• The receiving party publishes what documents it supports

• The sender must make sure that the actual instance corresponds to the supported type

• Many implementations may implement the DocumentIdentifier as a string constant without actually using all the "hidden" information
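Added example (not from the original slides): a Python parser that takes the document identifier apart and uses the "hidden" parts to check that an outgoing instance is of the type the receiver published. The function names and the sample invoice are constructed for illustration; the check assumes a UBL instance that carries cbc:CustomizationID as a direct child of the root element.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

CBC = "urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2"


@dataclass(frozen=True)
class DocumentId:
    root_namespace: str   # syntax/format: namespace of the root element
    local_name: str       # root element name, e.g. Invoice
    transaction: str      # transaction data model
    extensions: tuple     # optional extensions to the rules
    version: str          # trailing version

    @property
    def customization(self) -> str:
        return ":#".join((self.transaction, *self.extensions))


def parse_document_id(value: str) -> DocumentId:
    """Split <root ns>::<local name>##<customization>::<version>."""
    element, sep, rest = value.partition("##")
    root_ns, sep_name, local = element.rpartition("::")
    customization, sep_ver, version = rest.rpartition("::")
    if not all((sep, sep_name, sep_ver, root_ns, local, customization, version)):
        raise ValueError(f"not a document identifier: {value!r}")
    transaction, *extensions = customization.split(":#")
    return DocumentId(root_ns, local, transaction, tuple(extensions), version)


def instance_matches(doc_id: DocumentId, xml_text: str) -> bool:
    """True if the instance has the published root element and customization."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{doc_id.root_namespace}}}{doc_id.local_name}":
        return False
    found = root.findtext(f"{{{CBC}}}CustomizationID", default="")
    return found.strip() == doc_id.customization


# Identifier from the slides; the invoice below is constructed for the example.
PUBLISHED = ("urn:oasis:names:specification:ubl:schema:xsd:Invoice-2::Invoice"
             "##urn:www.cenbii.eu:transaction:biicoretrdm010:ver1.0"
             ":#urn:www.peppol.eu:bis:peppol4a:ver1.0::2.0")


def sample_invoice(customization: str) -> str:
    return ('<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2"'
            f' xmlns:cbc="{CBC}"><cbc:CustomizationID>{customization}'
            '</cbc:CustomizationID></Invoice>')


if __name__ == "__main__":
    doc = parse_document_id(PUBLISHED)
    print(doc, instance_matches(doc, sample_invoice(doc.customization)))
```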

Service Metadata

Process id

• The CEN/BII profile that is supported

Considerations when developing a Service Metadata Publisher (SMP)

The PEPPOL Infrastructure

Service Metadata Locator (SML)

Central part of the PEPPOL Infrastructure, hosted and managed by the consortium

DNS-based resolution of participant identifiers, to locate a participant's related SMP; 1-to-1 relation

Provides an interface to associate/deassociate participants with SMPs

Service Metadata Publisher (SMP)

Provides detailed information about participants

- What documents/processes are supported

- To which endpoints (URLs) supported documents should be propagated

Anyone can host an SMP, but a provider agreement with a PEPPOL Regional Authority is necessary

SML, a DNS for participants

peppolcentral.org. 3600 IN SOA cna-gdwi-1.cna.at. postmaster.brz.gv.at. 2011012776 28800 600 604800 3600
peppolcentral.org. 3600 IN NS cna-gdwi-0.cna.at.
peppolcentral.org. 3600 IN NS cna-gdwi-1.cna.at.
peppolcentral.org. 3600 IN NS cna-gdwi-2.cna.at.
SMP-A.publisher.sml.peppolcentral.org. 60 IN CNAME smp.operator-a.com.
SMP-B.publisher.sml.peppolcentral.org. 60 IN CNAME smp.operator-b.com.
sml.peppolcentral.org. 3600 IN A 85.158.225.35
B-0213d984bf3e26bd8bda07d3f72ce332.iso6523-actorid-upis.sml.peppolcentral.org. 60 IN CNAME SMP-A.publisher.sml.peppolcentral.org.
B-ae58dc2c699074f5a9372bd4a370a273.iso6523-actorid-upis.sml.peppolcentral.org. 60 IN CNAME SMP-A.publisher.sml.peppolcentral.org.
B-038a6525af983a75f2464b23edaffa4a.iso6523-actorid-upis.sml.peppolcentral.org. 60 IN CNAME SMP-A.publisher.sml.peppolcentral.org.
B-0621fcb1d51291d65457faed865232ab.iso6523-actorid-upis.sml.peppolcentral.org. 60 IN CNAME SMP-B.publisher.sml.peppolcentral.org.
B-0a1bf1d993368464abfb2463c9cbfd16.iso6523-actorid-upis.sml.peppolcentral.org. 60 IN CNAME SMP-B.publisher.sml.peppolcentral.org.
B-0b4ecd34d27d36220157e869b4dda29c.iso6523-actorid-upis.sml.peppolcentral.org. 60 IN CNAME SMP-B.publisher.sml.peppolcentral.org.

Entries in SML:

Each entry MUST be unique

Participant Identifiers are hashed

SMP must be registered in SML

Locating the SMP

1. Recipient: SE1122334455 (ISO 6523)

2. Participant Identifier: 0007:SE1122334455

3. Form of SMP-Lookup URL:

http://<hash of participant id>.<schema id>.<sml domain>

4. Hash:

0007:SE1122334455 MD5 ae58dc2c699074f5a9372bd4a370a273

5. Actual URL: http://B-ae58dc2c699074f5a9372bd4a370a273.iso6523-actorid-upis.sml.peppolcentral.org

6. Resolves to:

smp.operator-a.com

...
SMP-A.publisher.sml.peppolcentral.org. 60 IN CNAME smp.operator-a.com.
...
B-ae58dc2c699074f5a9372bd4a370a273.iso6523-actorid-upis.sml.peppolcentral.org. 60 IN CNAME SMP-A.publisher.sml.peppolcentral.org.
...

Known pitfall with hashing of participants

The MD5 hash-algorithm is case sensitive

0007:se1122334455 produces: ae58dc2c699074f5a9372bd4a370a273 (correct)

0007:SE1122334455 produces: 62c82af5bdc937c6fe55c1ff6bea19e1 (incorrect!)

Always use lower case letters in alphanumeric identifiers when calculating hashes in the PEPPOL infrastructure.

Access of SMP resources

When the location of an SMP has been determined through an SML-Lookup, the process can then continue by querying the services provided by the resolved SMP.

SMP Provides:

REST-based interface for retrieving participant information

Two types of services/resources MUST be defined:

ServiceGroup

SignedServiceMetadata

Redirect functionality for multiple associations of a participant

ServiceGroup

URI

/{identifier schema}::{participant identifier}

Request MUST be percent encoded

HTTP GET

e.g.: /iso6523-actorid-upis%3A%3A0007%3ASE1122334455

SignedServiceMetadata

URI

/{identifier schema}::{participant identifier}/services/{doc type}

Request MUST be percent encoded

HTTP GET

e.g.: /iso6523-actorid-upis%3A%3A0007%3ASE1122334455/services/busdox-docid-qns%3A%3Aurn%3Aoasis%3Anames%3Aspecification%3Aubl%3Aschema%3Axsd%3AOrder-2%3A%3AOrder%23%23urn%3Awww.cenbii.eu%3Atransaction%3Abiicoretrdm001%3Aver1.0%3A%23urn%3Awww.peppol.eu%3Abis%3Apeppol6a%3Aver1.0%3A%3A2.0
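Added example (not from the original slides): the URL construction from the "Locating the SMP", "Known pitfall with hashing of participants" and "Access of SMP resources" slides, written out in Python. Only the hash input is lower-cased; the REST path keeps the identifier as given and is percent-encoded as a whole. Function names are illustrative.

```python
import hashlib
from urllib.parse import quote

SML_DOMAIN = "sml.peppolcentral.org"          # SML domain shown on the slides
PARTICIPANT_SCHEME = "iso6523-actorid-upis"
DOCTYPE_SCHEME = "busdox-docid-qns"


def sml_hostname(participant_id: str, scheme: str = PARTICIPANT_SCHEME,
                 sml_domain: str = SML_DOMAIN) -> str:
    """B-<md5 of the lower-cased participant id>.<scheme>.<sml domain>"""
    # MD5 only derives a DNS label here; it does not authenticate anything.
    normalized = participant_id.strip().lower()
    digest = hashlib.md5(normalized.encode("utf-8")).hexdigest()
    return f"B-{digest}.{scheme}.{sml_domain}"


def service_group_url(participant_id: str, scheme: str = PARTICIPANT_SCHEME) -> str:
    """ServiceGroup resource: /{identifier schema}::{participant identifier}"""
    # safe="" makes quote() encode ':' as well, as in the slide's example.
    path = quote(f"{scheme}::{participant_id}", safe="")
    return f"http://{sml_hostname(participant_id, scheme)}/{path}"


def service_metadata_url(participant_id: str, document_id: str) -> str:
    """SignedServiceMetadata resource: .../services/{doc type}"""
    doc_type = quote(f"{DOCTYPE_SCHEME}::{document_id}", safe="")
    return f"{service_group_url(participant_id)}/services/{doc_type}"


# Order document identifier as it appears (decoded) on the slides.
ORDER_DOC_ID = ("urn:oasis:names:specification:ubl:schema:xsd:Order-2::Order"
                "##urn:www.cenbii.eu:transaction:biicoretrdm001:ver1.0"
                ":#urn:www.peppol.eu:bis:peppol6a:ver1.0::2.0")

if __name__ == "__main__":
    print(sml_hostname("0007:SE1122334455"))
    print(service_group_url("0007:SE1122334455"))
    print(service_metadata_url("0007:SE1122334455", ORDER_DOC_ID))
```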

ServiceGroup

The ServiceGroup service provides information about all services associated with a specific participant identifier that is handled by the SMP.

Presents a list of references to SignedServiceMetadata resources

Pseudo response:

<ServiceGroupType>
  <ParticipantIdentifier scheme="iso6523-actorid-upis">0007:SE1122334455</ParticipantIdentifier>
  <ns2:ServiceMetadataReferenceCollection>
    <ns2:ServiceMetadataReference href="..."/>
    <ns2:ServiceMetadataReference href="..."/>
  </ns2:ServiceMetadataReferenceCollection>
</ServiceGroupType>

Actual response:

ServiceMetadataReference URI points to resource for SignedServiceMetadata

<ns2:ServiceGroupType xmlns="http://busdox.org/transport/identifiers/1.0/" xmlns:ns2="http://busdox.org/serviceMetadata/publishing/1.0/" xmlns:ns3="http://www.w3.org/2005/08/addressing" xmlns:ns4="http://www.w3.org/2000/09/xmldsig#">
  <ParticipantIdentifier scheme="iso6523-actorid-upis">0007:SE1122334455</ParticipantIdentifier>
  <ns2:ServiceMetadataReferenceCollection>
    <ns2:ServiceMetadataReference href="http://B-ae58dc2c699074f5a9372bd4a370a273.iso6523-actorid-upis.sml.peppolcentral.org/iso6523-actorid-upis%3A%3A0007%3ASE1122334455/services/busdox-docid-qns%3A%3Aurn%3Aoasis%3Anames%3Aspecification%3Aubl%3Aschema%3Axsd%3AOrder-2%3A%3AOrder%23%23urn%3Awww.cenbii.eu%3Atransaction%3Abiicoretrdm001%3Aver1.0%3A%23urn%3Awww.peppol.eu%3Abis%3Apeppol6a%3Aver1.0%3A%3A2.0"/>
    <ns2:ServiceMetadataReference href="http://B-ae58dc2c699074f5a9372bd4a370a273.iso6523-actorid-upis.sml.peppolcentral.org/iso6523-actorid-upis%3A%3A0007%3ASE1122334455/services/busdox-docid-qns%3A%3Aurn%3Aoasis%3Anames%3Aspecification%3Aubl%3Aschema%3Axsd%3AInvoice-2%3A%3AInvoice%23%23urn%3Awww.cenbii.eu%3Atransaction%3Abiicoretrdm010%3Aver1.0%3A%23urn%3Awww.peppol.eu%3Abis%3Apeppol6a%3Aver1.0%3A%3A2.0"/>
  </ns2:ServiceMetadataReferenceCollection>
</ns2:ServiceGroupType>

SignedServiceMetadata

The SignedServiceMetadata service provides information about electronic services supported by a recipient. It associates a participant identifier with the ability to receive a specific document type over a specific transport protocol.

Provides details about the service

Means of redirection if another SMP handles this service

Response contains a signature made with the SMP's private key

Pseudo response:

<SignedServiceMetadataType>
  <ServiceMetadata>
    <ServiceInformation>
      <ParticipantIdentifier />
      <DocumentIdentifier />
      <ProcessList>
        <Process/>
      </ProcessList>
    </ServiceInformation>
  </ServiceMetadata>
  <Signature />
</SignedServiceMetadataType>

SignedServiceMetadata - ServiceMetadataType

<ServiceMetadata>
  <ServiceInformation>
    <ParticipantIdentifier scheme="iso6523-actorid-upis">0007:SE1122334455</ParticipantIdentifier>
    <DocumentIdentifier scheme="busdox-docid-qns">urn:oasis:names:specification:ubl:schema:xsd:Order-2::Order##urn:www.cenbii.eu:transaction:biicoretrdm001:ver1.0:#urn:www.peppol.eu:bis:peppol6a:ver1.0::2.0</DocumentIdentifier>
    <ProcessList>
      <Process>
        <ProcessIdentifier scheme="cenbii-procid-ubl">urn:www.cenbii.eu:profile:bii06:ver1.0</ProcessIdentifier>
        <ServiceEndpointList>
          <Endpoint transportProfile="busdox-transport-start">
            <EndpointReference>
              <Address>https://startap-operator-a.com/accesspointService</Address>
            </EndpointReference>
            <RequireBusinessLevelSignature>false</RequireBusinessLevelSignature>
            <MinimumAuthenticationLevel>1</MinimumAuthenticationLevel>
            <ServiceActivationDate>2010-12-18Z</ServiceActivationDate>
            <ServiceExpirationDate>2012-12-31Z</ServiceExpirationDate>
            <Certificate>MII...</Certificate>
            <ServiceDescription>Operator A PEPPOL Start AP</ServiceDescription>
            <TechnicalContactUrl>[email protected]</TechnicalContactUrl>
            <TechnicalInformationUrl>http://www.operator-a.com</TechnicalInformationUrl>
          </Endpoint>
        </ServiceEndpointList>
      </Process>
    </ProcessList>
  </ServiceInformation>
</ServiceMetadata>

SignedServiceMetadata - SignatureType

<Signature>
  <SignedInfo>...</SignedInfo>
  <SignatureValue>MLU...</SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509SubjectName>CN=SMP,O=Operator_A,C=SE</X509SubjectName>
      <X509Certificate>MII...</X509Certificate>
    </X509Data>
  </KeyInfo>
</Signature>

ServiceMetadataType

Endpoint Certificate refers to expected public key at AP

SignatureType

Authenticates the SMP response

The certificate itself is also signed

Regular SMP-Lookup sequence

SMP supports redirects

SML can only have one entry per participant identifier

The SMP in the SML is the “owner” of the participant

A participant can be associated to multiple SMPs

SML does not track this

Owning SMP needs to know all other SMPs

Owning SMP redirects requests to relevant SMP

Only one degree of redirect allowed

SMP Redirect in SignedServiceMetadata response:

<SignedServiceMetadata>
  <ServiceMetadata>
    <Redirect xmlns="http://busdox.org/serviceMetadata/publishing/1.0/"
              href="http://smp.operator-b.com/iso6523-actorid-upis%3A%3A0007%3ASE1122334455/services/busdox-docid-qns%3A%3Aurn%3Aoasis%3Anames%3Aspecification%3Aubl%3Aschema%3Axsd%3AOrder-2%3A%3AOrder%23%23urn%3Awww.cenbii.eu%3Atransaction%3Abiicoretrdm001%3Aver1.0%3A%23urn%3Awww.peppol.eu%3Abis%3Apeppol6a%3Aver1.0%3A%3A2.0">
      <CertificateUID>PID:9208-2001-3-279815395</CertificateUID>
    </Redirect>
  </ServiceMetadata>
  <Signature />
</SignedServiceMetadata>
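Added example (not from the original slides): a Python client routine that follows the SMP Redirect element, enforces the one-degree limit and rejects HTTP 3XX answers. The `fetch` callable, the host names and the response bodies are constructed for illustration; the routine assumes the XML signature on each response has already been validated by the caller, and returns the CertificateUID so the caller can compare it with the second SMP's certificate.

```python
import xml.etree.ElementTree as ET

NS = "http://busdox.org/serviceMetadata/publishing/1.0/"


class SmpLookupError(Exception):
    """Raised when an SMP answer cannot be turned into an endpoint."""


def find_local(root, name):
    """First element with this local name, whatever its namespace."""
    return next((el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name), None)


def resolve_endpoint(url, fetch, max_redirects=1):
    """Return (endpoint address, CertificateUID from the redirect or None)."""
    expected_uid = None
    for hop in range(max_redirects + 1):
        status, body = fetch(url)  # hypothetical callable: url -> (status, xml)
        if 300 <= status < 400:
            raise SmpLookupError("HTTP 3XX received; SMPs redirect in the response body")
        if status != 200:
            raise SmpLookupError(f"HTTP {status} from {url}")
        root = ET.fromstring(body)
        redirect = find_local(root, "Redirect")
        if redirect is None:
            address = find_local(root, "Address")
            if address is None or not (address.text or "").strip():
                raise SmpLookupError("response has neither Redirect nor Address")
            return address.text.strip(), expected_uid
        if hop == max_redirects:
            raise SmpLookupError("more than one degree of redirect")
        url = redirect.get("href") or ""
        uid = find_local(redirect, "CertificateUID")
        expected_uid = (uid.text or "").strip() if uid is not None else None
    raise SmpLookupError("redirect limit reached")


def redirect_body(href):  # constructed response, reduced to the parsed elements
    return (f'<SignedServiceMetadata xmlns="{NS}"><ServiceMetadata><Redirect href="{href}">'
            '<CertificateUID>PID:constructed-uid</CertificateUID></Redirect>'
            '</ServiceMetadata></SignedServiceMetadata>')


FAKE_SMPS = {  # constructed stand-ins for two SMPs
    "http://smp-a.example/doc": (200, redirect_body("http://smp-b.example/doc")),
    "http://smp-b.example/doc": (200, f'<SignedServiceMetadata xmlns="{NS}"><Address>'
                                      'https://ap-b.example/accesspointService'
                                      '</Address></SignedServiceMetadata>'),
    "http://smp-a.example/loop": (200, redirect_body("http://smp-b.example/loop")),
    "http://smp-b.example/loop": (200, redirect_body("http://smp-c.example/loop")),
}


def fake_fetch(url):
    return FAKE_SMPS.get(url, (404, ""))
```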

SMP-Lookup sequence with redirect

SMP HTTP Codes

ServiceGroup

HTTP 200, for all successful requests

HTTP 404, if participant does not exist in SMP

HTTP 500, for internal server errors

SignedServiceMetadata

HTTP 200, for all successful requests

HTTP 404, if participant does not exist in SMP

HTTP 500, for internal server errors

HTTP 3XX for redirects should not be used. Use SMP redirect element in response.

Hosting of SMP

SMP service MUST resolve to a valid hostname

SMP/Hostname MUST be registered in SML

SMP service MUST be deployed in root web context

SMP service MUST run on port 80

SMP service MUST NOT use TLS or SSL

Questions…

eProcurement without borders in Europe

www.peppol.eu