Technical FAQs

Through the postman collections, you can now test how the dummy party ABC Trucking interacts with the Satellite, Warehouse 13 and the Authorisation Registry! Please don’t forget to also install the Test environment to get the correct variable

Here is a quick walkthrough on using them.

You can find the private keys of ABC Trucking in these Postman collections. Of course, real users should never under any circumstance share private keys of their certificates. In these collections however, it is necessary to share the private keys so that you may impersonate ABC Trucking.

Using OpenSSL to export the certificate from an iSHARE Test certificate file (P12), might result in an error.

Command:

openssl pkcs12 -in infile.p12 -nodes -nokeys -out outfile.pem

Enter Import Password:

Result:

Error outputting keys and certificates

40D2B40002000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

Explanation:

This means that the RC2-40-CBC key algorith is not available. Try the following command:

openssl pkcs12 -in infile.p12 -nodes -legacy -nokeys -out outfile.pem

Or try a different workstation to extract the certificate.

Using OpenSSL to export the private key from an iSHARE Test certificate file (P12), might result in an error.

Command:

openssl pkcs12 -in infile.p12 -nocerts -out outfile-key.pem

Enter Import Password:

Result:

Error outputting keys and certificates

40D2B40002000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

Explanation:

This means that the RC2-40-CBC key algorith is not available. Try the following command:

openssl pkcs12 -in infile.p12 -legacy -nocerts -out outfile-key.pem

Or try a different workstation to extract the key.

Convert key into RSA key

If you want to convert the key into an RSA key use the following command

openssl rsa -in outfile-key.pem -out outfile-key-rsa.pem

The "aud" parameter should be a single string value with the identifier of the target organization (and not an array).

For example, for i4Trust experiments, the target is the i4Trust satellite, which has the identifer "EU.EORI.NLi4TRUSTSAT".

Therefore, the "aud" parameter is - aud: "EU.EORI.NLi4TRUSTSAT"

For M2M flow, you'll need to obtain an access token by providing a signed iSHARE-JWT at the token endpoint of the service provider.

iSHARE specifications are generic and caters to different possible scenarios, some of them are mentioned in the dev portal. A user may be working for multiple organisations and while using the same identity provider in which case the additional steps of organisation selection are to be followed. If the user only is known for one organisation within IDP then that flow is not necessary.

In the examples, the IDPs are shown as locally hosted components, but it symbolises that they are actually provided by service providers (IDPs) and each organisation has the right to choose its own preferred IDP.

In experiment and in PoC, technically hosting IDP only allows you to demonstrate the concept, however, in production you would use a real IDP which meets the specifications. Due to standardised specifications you do not need to recode when you switch from one provider to another.

The Authorization page (dev portal) explains that user interaction with the service provider can happen in two ways: the service specific or the portal approach. The explanation of these methods describes the difference in the request parameter of the /userinfo endpoint.

For example, if policy contains two different resource-types, can each resource type have its own policy expiration deadline attribute?

Answer - Yes, ideally you should be able to create separate policies for such reasons, however, as far as the reference implementations, this is not yet supported. If you need to use this feature then you may need to make some changes to the code base.

For one delegation evidence there is one defined time limit. There are no time-limit parameters within the "policySets' ' array; which is the array that contains specific policies. You could have many delegation evidences, containing policies with different time limits.

JWT token cannot be hardcoded as it is usually valid only for 30 seconds so you need to generate new one every time.

For creation of policies if you are using iSHARE test AR instance then make sure that you have access to GUI where you can also create policy via GUI apart from API.

For getting access to AR GUI, share a valid EORI number and email ID for a participant who would create policy for that EORI number, so access can be granted. [support@ishare.eu]

Note: one email ID can only be associated with 1 EORI number. Once the details are shared, you should receive an email to setup your account. Even if email is not received, you can go to the https://ar.isharetest.net/admin and use forgot password to setup your account with this email id.

Note, if you get forbidden message after login, then make sure that you are on correct URL.

The GUI for AR can be accessed from here: https://ar.isharetest.net/admin

For the endpoints swagger for AR: https://ar.isharetest.net/swagger/index.html

As specified on the dev portal, it is an array of EORI (ID) of participants which form the path in the delegation chain. There is no example given there, but it is a full list of EORIs which determine the sequence of delegation path to aid Service Provider to traverse through that path for determining the authorisation.

So to explain: If EU.EORI.XX020 is service consumer and EU.EORI.XX002 is the Service Provider and EU.EORI.XX010 is the entitled party who gave rights to EU.EORI.XX0nn where nn > 10 until 20 (assuming that is the delegation path i.e. from 10-->20, just for this example, of course its not real) then the delegation_path array will contain EORIs from EU.EORI.XX010 -> EU.EORI.XX020.

That could be for example: [EU.EORI.XX010, EU.EORI.XX013, EU.EORI.XX016, EU.EORI.XX020] [EU.EORI.XX010, EU.EORI.XX015, EU.EORI.XX020] [EU.EORI.XX010, EU.EORI.XX017, EU.EORI.XX013, EU.EORI.XX016, EU.EORI.XX020]... and the list can go on with any permutations and combinations. However, it could also be that due to privacy reasons, only n-1 delegator id is available, then it would be issuer of the issuer, issuer and subject (service consumer), in which case it's path is not conclusive and Service provider will have to use different mechanisms to traverse through the path (not specified).

When the server time is out of sync with the local time of the computer, this might lead to invalid JWT tokens. Using a leeway can prevent this problem.