This presentation was used during the second online training/workshop, held on the 4th of April. The workshop was led by Martin Forsberg and Mikael Aksamit.
1. PEPPOL Workshop – SMP and Identifiers
  Martin Forsberg, Ecru Consulting
  Mikael Aksamit, Tickstar AB
2. The PEPPOL project
  The PEPPOL project is the result of the European Competitiveness and Innovation Programme (CIP) ICT Policy Support Programme (ICT PSP) 2007 and 2009 Calls for Proposals.
  Pilot A objective: Enabling EU-wide public eProcurement
  50% EU contribution for achieving interoperability
  Coordinated by the Norwegian Agency for Public Management and eGovernment (Difi)
  Consortium and scope: 18 beneficiaries from 12 countries
  Total budget 30,8 M€
  8 work packages, <1.600 person months and 10 M€ on sub-contractors
  Project start up: 1 May 2008, duration 48 months*
  *Current project duration is 42 months (+6 months extension subject to European Commission's approval)
3. The PEPPOL Vision
  Any supplier (incl. SMEs) in the EU can communicate electronically with any European contracting authority for all procurement processes.
6. How does it work (simplified)?
  A URL is built from the receiving participant's ID and the domain of the PEPPOL central locator. A bit simplified:
  http://SE5523222312.sml.peppolcentral.org points towards registry ABC, and
  http://DK4723222753.sml.peppolcentral.org points towards registry XYZ
  Exactly as http://mail.ecru.se points to our mail server and http://www.ecru.se points to our web server (located and hosted by different providers).
  The URL is built using the same mechanism ALL THE TIME. You only need to know the participant's identifier to retrieve the necessary data for the service that receives the documents.
12. PEPPOL Policy for using Identifiers
  Party identifiers
  Party IDs in START/SMP:
  <ParticipantIdentifier scheme="iso6523-actorid-upis">0088:4035811991014</ParticipantIdentifier>
  Party IDs in messages:
  <cac:PartyIdentification><cbc:ID schemeID="GLN">4035811991014</cbc:ID></cac:PartyIdentification>
  0088 and GLN are used as examples. The policy for identifiers document lists a number of schemes including VAT numbers, company registration numbers, IBAN and DUNS.
13. PEPPOL Policy for using Identifiers
  Document identifiers
  Used in the SMP to specify what document type a certain service accepts. Informs about the syntax/format, the customization and a version:
  urn:oasis:names:specification:ubl:schema:xsd:Invoice-2::Invoice##urn:www.cenbii.eu:transaction:biicoretrdm010:ver1.0:#urn:www.peppol.eu:bis:peppol4a:ver1.0::2.0
14. PEPPOL Policy for using Identifiers
  urn:oasis:names:specification:ubl:schema:xsd:Invoice-2::Invoice##urn:www.cenbii.eu:transaction:biicoretrdm010:ver1.0:#urn:www.peppol.eu:bis:peppol4a:ver1.0::2.0
  Customization: used in CEN/BII to specify the contextualization/customization of a certain document. A stand-alone invoice may differ content-wise from an integrated procurement invoice.
  urn:www.cenbii.eu:transaction:biicoretrdm010:ver1.0:#urn:www.peppol.eu:bis:peppol4a:ver1.0
  Its parts: the transaction data model (the allowed business terms and rules), an optional extension to the rules, and the version of the customization.
16. The sender must make sure that the actual instance corresponds to the supported type
20. To which endpoints (URLs) supported documents should be propagated. Anyone can host an SMP, but a provider agreement with a PEPPOL Regional Authority is necessary.
21. SML, a DNS for participants
  Entries in SML: each entry MUST be unique. Participant identifiers are hashed. The SMP must be registered in the SML.
  peppolcentral.org. 3600 IN SOA cna-gdwi-1.cna.at. postmaster.brz.gv.at. 2011012776 28800 600 604800 3600
  peppolcentral.org. 3600 IN NS cna-gdwi-0.cna.at.
  peppolcentral.org. 3600 IN NS cna-gdwi-1.cna.at.
  peppolcentral.org. 3600 IN NS cna-gdwi-2.cna.at.
  SMP-A.publisher.smk.peppolcentral.org. 60 IN CNAME smp.operator-a.com.
  SMP-B.publisher.smk.peppolcentral.org. 60 IN CNAME smp.operator-b.com.
  sml.peppolcentral.org. 3600 IN A 85.158.225.35
  B-0213d984bf3e26bd8bda07d3f72ce332.iso6523-actorid-upis.sml.peppolcentral.org. 60 IN CNAME SMP-A.publisher.sml.peppolcentral.org.
  B-ae58dc2c699074f5a9372bd4a370a273.iso6523-actorid-upis.sml.peppolcentral.org. 60 IN CNAME SMP-A.publisher.sml.peppolcentral.org.
  B-038a6525af983a75f2464b23edaffa4a.iso6523-actorid-upis.sml.peppolcentral.org. 60 IN CNAME SMP-A.publisher.sml.peppolcentral.org.
  B-0621fcb1d51291d65457faed865232ab.iso6523-actorid-upis.sml.peppolcentral.org. 60 IN CNAME SMP-B.publisher.sml.peppolcentral.org.
  B-0a1bf1d993368464abfb2463c9cbfd16.iso6523-actorid-upis.sml.peppolcentral.org. 60 IN CNAME SMP-B.publisher.sml.peppolcentral.org.
  B-0b4ecd34d27d36220157e869b4dda29c.iso6523-actorid-upis.sml.peppolcentral.org. 60 IN CNAME SMP-B.publisher.sml.peppolcentral.org.
22. Locating the SMP
  Recipient: SE1122334455 (ISO 6523)
  Participant identifier: 0007:SE1122334455
  Form of SMP lookup URL: http://<hash of participant id>.<schema id>.<sml domain>
  Hash: MD5 of 0007:SE1122334455 = ae58dc2c699074f5a9372bd4a370a273
  Actual URL: http://B-ae58dc2c699074f5a9372bd4a370a273.iso6523-actorid-upis.sml.peppolcentral.org
  Resolves to: smp.operator-a.com
  ...
  SMP-A.publisher.smk.peppolcentral.org. 60 IN CNAME smp.operator-a.com.
  ...
  B-ae58dc2c699074f5a9372bd4a370a273.iso6523-actorid-upis.sml.peppolcentral.org. 60 IN CNAME SMP-A.publisher.sml.peppolcentral.org.
  ...
23. Known pitfall with hashing of participants
  MD5 hashing is case sensitive: the digest depends on the case of the letters in the identifier.
  0007:se1122334455 produces: ae58dc2c699074f5a9372bd4a370a273 (correct)
  0007:SE1122334455 produces: 62c82af5bdc937c6fe55c1ff6bea19e1 (incorrect!)
  Always use lower-case letters in alphanumeric identifiers when calculating hashes in the PEPPOL infrastructure.
24. Access of SMP resources
  When the location of an SMP has been determined through an SML lookup, the process continues by querying the services provided by the resolved SMP.
  The SMP provides:
  A REST-based interface for retrieving participant information
  Two types of services/resources that MUST be defined: ServiceGroup and SignedServiceMetadata
  Redirect functionality for multiple associations of a participant
25. Access of SMP resources
  ServiceGroup URI: /{identifier schema}::{participant identifier}
  Request: HTTP GET, MUST be percent-encoded, e.g.:
  /iso6523-actorid-upis%3A%3A0007%3ASE1122334455
  SignedServiceMetadata URI: /{identifier schema}::{participant identifier}/services/{doc type}
  Request: HTTP GET, MUST be percent-encoded, e.g.:
  /iso6523-actorid-upis%3A%3A0007%3ASE1122334455/services/busdox-docid-qns%3A%3Aurn%3Aoasis%3Anames%3Aspecification%3Aubl%3Aschema%3Axsd%3AOrder-2%3A%3AOrder%23%23urn%3Awww.cenbii.eu%3Atransaction%3Abiicoretrdm001%3Aver1.0%3A%23urn%3Awww.peppol.eu%3Abis%3Apeppol6a%3Aver1.0%3A%3A2.0
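As an added example (not code from the workshop or from PEPPOL), the lookup steps of slides 22, 23 and 25 in Python: the SML host name computed as "B-" plus the MD5 of the lower-cased identifier, the percent-encoded ServiceGroup and SignedServiceMetadata URIs, and a small CNAME resolver run over constructed records in the shape of the slide 21 zone. The SML domain and the two schemes are the slide values; the zone records and operator host names are constructed.

```python
import hashlib
from urllib.parse import quote

# Values from the slides; in a real client these come from configuration.
SML_DOMAIN = "sml.peppolcentral.org"
PARTICIPANT_SCHEME = "iso6523-actorid-upis"
DOCTYPE_SCHEME = "busdox-docid-qns"

def sml_hostname(participant_id, scheme=PARTICIPANT_SCHEME, sml_domain=SML_DOMAIN):
    """DNS name of the participant's SMP: B-<md5 hex>.<scheme>.<sml domain>.
    The identifier is lower-cased before hashing (the pitfall on slide 23), so
    '0007:SE1122334455' and '0007:se1122334455' give the same name."""
    digest = hashlib.md5(participant_id.lower().encode("utf-8")).hexdigest()
    return f"B-{digest}.{scheme}.{sml_domain}"

def service_group_url(participant_id, scheme=PARTICIPANT_SCHEME):
    """ServiceGroup resource /{scheme}::{id}, percent-encoded with nothing left safe (':' -> %3A)."""
    path = quote(f"{scheme}::{participant_id}", safe="")
    return f"http://{sml_hostname(participant_id, scheme)}/{path}"

def signed_service_metadata_url(participant_id, doctype_id, scheme=PARTICIPANT_SCHEME,
                                doctype_scheme=DOCTYPE_SCHEME):
    """SignedServiceMetadata resource: the ServiceGroup URL + /services/{doc type} ('#' -> %23)."""
    doc = quote(f"{doctype_scheme}::{doctype_id}", safe="")
    return f"{service_group_url(participant_id, scheme)}/services/{doc}"

# Constructed CNAME records in the shape of the SML zone on slide 21 (not a real zone dump).
SML_ZONE = {
    "SMP-A.publisher.sml.peppolcentral.org": "smp.operator-a.com",
    "SMP-B.publisher.sml.peppolcentral.org": "smp.operator-b.com",
}

def register_participant(zone, participant_id, publisher_name):
    """What an SML registration adds: a CNAME from the hashed participant name to the SMP's alias."""
    zone[sml_hostname(participant_id)] = publisher_name

def resolve_smp(zone, hostname, max_hops=5):
    """Follow CNAMEs case-insensitively, as DNS does. Returns the final host name, or None
    when the first name has no record (the DNS view of 'participant not registered')."""
    name, followed = hostname, False
    for _ in range(max_hops):
        target = next((v for k, v in zone.items() if k.lower() == name.lower()), None)
        if target is None:
            return name if followed else None
        name, followed = target, True
    raise RuntimeError("CNAME chain too long")
```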
26. ServiceGroup
  The ServiceGroup service provides information about all services associated with a specific participant identifier that is handled by the SMP. It presents a list of references to SignedServiceMetadata resources.
  Pseudo response:
  <ServiceGroupType>
    <ParticipantIdentifier scheme="iso6523-actorid-upis">0007:SE1122334455</ParticipantIdentifier>
    <ns2:ServiceMetadataReferenceCollection>
      <ns2:ServiceMetadataReference href="..."/>
      <ns2:ServiceMetadataReference href="..."/>
    </ns2:ServiceMetadataReferenceCollection>
  </ServiceGroupType>
27. ServiceGroup
  Actual response: each ServiceMetadataReference URI points to the resource for SignedServiceMetadata.
  <ns2:ServiceGroupType xmlns="http://busdox.org/transport/identifiers/1.0/" xmlns:ns2="http://busdox.org/serviceMetadata/publishing/1.0/" xmlns:ns3="http://www.w3.org/2005/08/addressing" xmlns:ns4="http://www.w3.org/2000/09/xmldsig#">
    <ParticipantIdentifier scheme="iso6523-actorid-upis">0007:SE1122334455</ParticipantIdentifier>
    <ns2:ServiceMetadataReferenceCollection>
      <ns2:ServiceMetadataReference href="http://B-ae58dc2c699074f5a9372bd4a370a273.iso6523-actorid-upis.sml.peppolcentral.org/iso6523-actorid-upis%3A%3A0007%3ASE1122334455/services/busdox-docid-qns%3A%3Aurn%3Aoasis%3Anames%3Aspecification%3Aubl%3Aschema%3Axsd%3AOrder-2%3A%3AOrder%23%23urn%3Awww.cenbii.eu%3Atransaction%3Abiicoretrdm001%3Aver1.0%3A%23urn%3Awww.peppol.eu%3Abis%3Apeppol6a%3Aver1.0%3A%3A2.0"/>
      <ns2:ServiceMetadataReference href="http://B-ae58dc2c699074f5a9372bd4a370a273.iso6523-actorid-upis.sml.peppolcentral.org/iso6523-actorid-upis%3A%3A0007%3ASE1122334455/services/busdox-docid-qns%3A%3Aurn%3Aoasis%3Anames%3Aspecification%3Aubl%3Aschema%3Axsd%3AInvoice-2%3A%3AInvoice%23%23urn%3Awww.cenbii.eu%3Atransaction%3Abiicoretrdm010%3Aver1.0%3A%23urn%3Awww.peppol.eu%3Abis%3Apeppol6a%3Aver1.0%3A%3A2.0"/>
    </ns2:ServiceMetadataReferenceCollection>
  </ns2:ServiceGroupType>
28. SignedServiceMetadata
  The SignedServiceMetadata service provides information about the electronic services supported by a recipient. It associates a participant identifier with the ability to receive a specific document type over a specific transport protocol.
  Provides details about the service
  Means of redirection if another SMP handles this service
  The response carries a signature made with the SMP's private key
  Pseudo response:
  <SignedServiceMetadataType>
    <ServiceMetadata>
      <ServiceInformation>
        <ParticipantIdentifier />
        <DocumentIdentifier />
        <ProcessList>
          <Process/>
        </ProcessList>
      </ServiceInformation>
    </ServiceMetadata>
    <Signature />
  </SignedServiceMetadataType>
30. SignedServiceMetadata - SignatureType
  ServiceMetadataType: the Endpoint Certificate refers to the expected public key at the AP
  SignatureType: authenticates the SMP response. The certificate itself is also signed.
  <Signature>
    <SignedInfo>...</SignedInfo>
    <SignatureValue>MLU...</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509SubjectName>CN=SMP,O=Operator_A,C=SE</X509SubjectName>
        <X509Certificate>MII...</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
32. SMP supports redirects
  The SML can only have one entry per participant identifier; the SMP in the SML is the "owner" of the participant.
  A participant can be associated with multiple SMPs, but the SML does not track this.
  The owning SMP needs to know all other SMPs and redirects requests to the relevant SMP.
  Only one degree of redirect is allowed.
35. SMP HTTP codes
  ServiceGroup: HTTP 200 for all successful requests; HTTP 404 if the participant does not exist in the SMP; HTTP 500 for internal server errors.
  SignedServiceMetadata: HTTP 200 for all successful requests; HTTP 404 if the participant does not exist in the SMP; HTTP 500 for internal server errors.
  HTTP 3XX for redirects should not be used. Use the SMP redirect element in the response instead.
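As an added example (not code from the workshop or from PEPPOL), a SignedServiceMetadata client enforcing the rules of slides 32 and 35: HTTP 3xx is rejected, the SMP-level redirect is followed at most one degree, and 404 is reported as "not published". The namespace is the one in the slide 27 response; the Redirect element and its href attribute are assumed from the busdox SMP schema, and the responses and host names are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace from the ServiceGroup response on slide 27. The Redirect element and its href
# attribute are assumed from the busdox SMP schema; they are not shown on the slides.
SMP_NS = "http://busdox.org/serviceMetadata/publishing/1.0/"

class SmpError(Exception):
    """A lookup failure the client must surface, not retry or follow."""

def fetch_signed_service_metadata(url, http_get, max_redirects=1):
    """Fetch via http_get(url) -> (status, body); return (final_url, parsed root).
    Slides 32 and 35: HTTP 3xx is an error (redirection is expressed in the SMP
    <Redirect href="..."/> element instead) and only one degree of redirect is allowed."""
    for _ in range(max_redirects + 1):
        status, body = http_get(url)
        if 300 <= status < 400:
            raise SmpError(f"HTTP {status}: SMPs must not redirect at the HTTP level")
        if status == 404:
            raise SmpError(f"not published by this SMP: {url}")
        if status != 200:
            raise SmpError(f"HTTP {status} from {url}")
        root = ET.fromstring(body)
        redirect = root.find(f".//{{{SMP_NS}}}Redirect")
        if redirect is None:
            return url, root
        url = redirect.get("href")  # follow the SMP-level redirect, once
    raise SmpError("more than one degree of redirect")

def lookup_outcome(url, http_get):
    """'ok:<final url>' or 'error:<reason>' for callers that prefer a value to an exception."""
    try:
        return "ok:" + fetch_signed_service_metadata(url, http_get)[0]
    except SmpError as exc:
        return "error:" + str(exc)

def _metadata(inner):  # constructed response body, not real network data
    return (f'<ns2:SignedServiceMetadata xmlns:ns2="{SMP_NS}"><ns2:ServiceMetadata>'
            f"{inner}</ns2:ServiceMetadata></ns2:SignedServiceMetadata>")

A, B, C, D = (f"http://smp-{x}.example/p/services/doc" for x in "abcd")
FAKE_SMP = {  # constructed: A redirects to B, B answers, C -> A is two degrees, D uses HTTP 302
    A: (200, _metadata(f'<ns2:Redirect href="{B}"/>')),
    B: (200, _metadata("<ns2:ServiceInformation/>")),
    C: (200, _metadata(f'<ns2:Redirect href="{A}"/>')),
    D: (302, ""),
}

def fake_http_get(url):
    return FAKE_SMP.get(url, (404, ""))
```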
36. Hosting of SMP
  SMP service MUST resolve to a valid hostname
  SMP/hostname MUST be registered in the SML
  SMP service MUST be deployed in the root web context
  SMP service MUST run on port 80
  SMP service MUST NOT use TLS or SSL
  Since the transport is plain HTTP, the integrity of an SMP response rests on the XML signature in SignedServiceMetadata (slide 30), which the client must verify.