Participant Technical Reference Manual - IESO
Participant Technical Reference Manual - IESO
Participant Technical Reference Manual - IESO
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
MANUAL<br />
PUBLIC<br />
IMO_MAN_0024<br />
Market <strong>Manual</strong> 6<br />
<strong>Participant</strong> <strong>Technical</strong><br />
<strong>Reference</strong> <strong>Manual</strong><br />
Issue 21.1<br />
The “PTRM” provides the technical details for<br />
hardware and software that a participant in the<br />
electricity market may need to interface with the<br />
<strong>IESO</strong><br />
Public
Disclaimer<br />
The posting of documents on this Web site is done for the convenience of market participants and<br />
other interested visitors to the <strong>IESO</strong> Web site. Please be advised that, while the <strong>IESO</strong> attempts to have<br />
all posted documents conform to the original, changes can result from the original, including changes<br />
resulting from the programs used to format the documents for posting on the Web site as well as from<br />
the programs used by the viewer to download and read the documents. The <strong>IESO</strong> makes no<br />
representation or warranty, express or implied that the documents on this Web site are exact<br />
reproductions of the original documents listed. In addition, the documents and information posted on<br />
this Web site are subject to change. The <strong>IESO</strong> may revise, withdraw or make final these materials at<br />
any time at its sole discretion without further notice. It is solely your responsibility to ensure that you<br />
are using up-to-date documents and information.<br />
This document may contain a summary of a particular market rule. Where provided, the summary has<br />
been used because of the length of the market rule itself. The reader should be aware; however, that<br />
where a market rule is applicable, the obligation that needs to be met is as stated in the “Market<br />
Rules”. To the extent of any discrepancy or inconsistency between the provisions of a particular<br />
market rule and the summary, the provision of the market rule shall govern.<br />
Document ID<br />
IMO_MAN_0024<br />
Document Name <strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
Issue Issue 21.1<br />
Reason for Issue Revised for Verizon CA Renewal May 2010.<br />
Effective Date<br />
March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
Document Change History<br />
Document Change History<br />
Issue Reason for Issue Date<br />
For change history prior to Issue 10, see issue 17.0 of the PTRM.<br />
10.0 Issued for baseline 15.1 for changes related to the <strong>IESO</strong> Portal and<br />
Identity Management systems and access to the Cybertrust Entrust<br />
Authority Administration tool used for creation of version 7.1<br />
certificates that are required for TRA users accessing the Portal.<br />
11.0 Issued for Baseline 16.0. To Include new RTUs to the certified list<br />
of devices in section 4.1.2<br />
June 15, 2006<br />
September 13 2006<br />
12.0 Issued for Baseline 16.1 December 6, 2006<br />
13.0 Issued for Baseline 17.0 March 7, 2007<br />
14.0 Issued for Baseline 17.1 June 6, 2007<br />
15.0 Issued for Baseline 18.0 September 12, 2007<br />
16.0 Issued for Baseline 18.1 December 12, 2007<br />
17.0 Issued for Baseline 19.0 March 5, 2008<br />
18.0 Issued for Baseline 19.1 June 4, 2008<br />
19.0 Revised for Baseline 20.0 September 10, 2008<br />
20.0 Revised for Verizon Data Center Move date change from May to<br />
June 2009.<br />
June 5, 2009<br />
21.0 Revised for Baseline 21.0 December 9, 2009<br />
21.1 Revised for Verizon CA Renewal May 2010. March 15, 2010<br />
estimated<br />
Related Documents<br />
Document ID<br />
MDP_RUL_0002<br />
Document Title<br />
Market Rules<br />
Issue 21.1 - March 15, 2010 - estimated<br />
Public
Document Control<br />
IMO_MAN_0024<br />
Public<br />
Issue 21.1 - March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
Table of Contents<br />
Table of Contents<br />
Table of Contents ...................................................................................................... i<br />
List of Figures ....................................................................................................... iiiv<br />
Table of Changes ................................................................................................. ivvi<br />
1. Overview ........................................................................................................... 1<br />
1.1 About this <strong>Manual</strong> .............................................................................................. 1<br />
1.2 Purpose ............................................................................................................. 1<br />
1.3 Scope ................................................................................................................ 1<br />
1.3.1 Out of Scope .......................................................................................... 2<br />
1.4 Limitations ......................................................................................................... 2<br />
1.5 Who Should Use This <strong>Manual</strong> ........................................................................... 2<br />
1.6 Conventions ...................................................................................................... 2<br />
1.7 How This <strong>Manual</strong> is Organized .......................................................................... 3<br />
2. <strong>Participant</strong> Workstation, Network & Security ................................................ 5<br />
2.1 <strong>Participant</strong> Workstation ...................................................................................... 5<br />
2.1.1 Hardware Requirements ........................................................................ 5<br />
2.1.2 Software Requirements .......................................................................... 6<br />
2.2 <strong>Participant</strong> Network ......................................................................................... 33<br />
2.2.1 Internet ................................................................................................. 34<br />
2.2.2 Private Network .................................................................................... 34<br />
2.2.3 Shared Network ................................................................................... 35<br />
2.3 Accounts / Identity Credentials ........................................................................ 36<br />
2.3.1 Identity Management and Certification Authority .................................. 37<br />
2.3.2 Certificates & Keys ............................................................................... 39<br />
2.3.3 Integration of Digital Certificates with <strong>IESO</strong> Web Servers..................... 42<br />
2.3.4 Portal SSO and Identity Management System ..................................... 48<br />
2.3.5 Certificate Lifecycle System & Entrust Authority Administration Tool .... 48<br />
2.3.6 Requirements for Browser and Digital Certificate Software Compatibility50<br />
3. Dispatch Information...................................................................................... 56<br />
3.1 Dispatch Workstations ..................................................................................... 56<br />
3.1.1 Hardware Requirements ...................................................................... 56<br />
3.1.2 Software Requirements ........................................................................ 57<br />
3.2 Dispatch Message Exchange .......................................................................... 58<br />
3.2.1 Overview .............................................................................................. 58<br />
3.2.2 Functional Parts ................................................................................... 59<br />
3.2.3 Dispatch Messaging ............................................................................. 60<br />
Issue 21.1 – March 15, 2010 - estimated Public i
Table of Contents<br />
IMO_MAN_0024<br />
3.2.4 Dispatch Message Structure ................................................................ 61<br />
3.2.5 Dispatch Message Scenarios ............................................................... 62<br />
3.3 Real Time Network .......................................................................................... 65<br />
3.4 Voice Communication Specifications ............................................................... 67<br />
3.4.1 Normal-Priority PATH .......................................................................... 67<br />
3.4.2 High-Priority PATH............................................................................... 67<br />
3.4.3 Security ................................................................................................ 68<br />
3.4.4 Diverse Path ........................................................................................ 68<br />
4. Operational Metering Equipment & AGC ...................................................... 69<br />
4.1 Operational Metering Equipment ..................................................................... 69<br />
4.1.1 Introduction .......................................................................................... 69<br />
4.1.2 Qualified Devices ................................................................................. 69<br />
4.1.3 Field Instrumentation Standards .......................................................... 71<br />
4.1.4 Data Specifications .............................................................................. 72<br />
4.1.5 Power Supply Specification .................................................................. 72<br />
4.1.6 Communications Specification ............................................................. 73<br />
4.1.7 RTU Site Certification .......................................................................... 73<br />
4.2 AGC Operational RTU Specifications .............................................................. 74<br />
5. Market Applications ........................................................................................ 78<br />
5.1 Market Application Systems Information .......................................................... 78<br />
5.1.1 Overview of Dataflow Systems ............................................................ 78<br />
5.1.2 Bidding Application .............................................................................. 79<br />
5.1.3 Settlements Application ....................................................................... 83<br />
5.1.4 Application Interfaces ........................................................................... 86<br />
5.2 Funds Administration ....................................................................................... 87<br />
5.2.1 HTML and Text File Invoices ............................................................... 87<br />
5.2.2 E-mail .................................................................................................. 87<br />
5.2.3 Fund Transfers .................................................................................... 87<br />
Appendix A: Forms ...................................................................................... A–1<br />
Appendix B: List of Commonly Used Acronyms ............................................ 1<br />
<strong>Reference</strong>s ................................................................................................................ 1<br />
ii Public Issue 21.1 - March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
List of Figures<br />
List of Figures<br />
Figure 2-1: Internet Explorer, Internet Options - Advanced ................................................... 9<br />
Figure 2-2: Internet Explorer, Entrust Truepass Applet Security Warning ............................14<br />
Figure 2-3: Internet Explorer, Untrusted Publishers Certificates Listing ...............................15<br />
Figure 2-4: Internet Explorer 6.0, Internet Options - Security – Windows XP .......................16<br />
Figure 2-5: Internet Explorer 7.0, Internet Options - Security - Windows XP ........................17<br />
Figure 2-6: Internet Explorer 7.0, Internet Options - Security - Windows Vista .....................17<br />
Figure 2-7: Internet Explorer 6.0, Internet Options - Custom Security Settings Window ......18<br />
Figure 2-8: Internet Explorer 6.0, Internet Options - Trusted Sites Security .........................19<br />
Figure 2-9: Internet Explorer 6.0, Trusted Sites Security - Web Sites Addition ............ 191920<br />
Figure 2-10: Internet Explorer 7.0, Trusted Sites Security - Web Sites Addition – Windows<br />
Vista .............................................................................................................................20<br />
Figure 2-10: Internet Explorer, Enabling or Disabling Pop-up Blocker ......................... 252526<br />
Figure 2-11: Internet Explorer, Activating Pop-up Blocker Settings .............................. 262627<br />
Figure 2-12: Pop-up Blocker Settings Window Filter Setting for MPI Use .................... 262627<br />
Figure 2-13: Addition of MPI URL to Allow Web Site List for Pop-ups ......................... 272728<br />
Figure 2-14: Java Control Panel Settings .................................................................... 282829<br />
Figure 2-15: Right Mouse Button 'Save Target as ..." Function to Download Java Policy File<br />
............................................................................................................................. 303031<br />
Figure 2-16: File type Selection to Download Java Policy File ..................................... 313132<br />
Figure 2-17: Folder Options, File Types Listing window .............................................. 313132<br />
Figure 2-18: Create New Extension Window ............................................................... 323233<br />
Figure 2-19: Folder Option Window with Detail on 'POLICY' extension shown. ........... 323233<br />
Figure 2-20: Edit File Type Extension Window ............................................................ 333334<br />
Figure 2-21: MPI and MIM API Conceptual Architecture ............................................. 484850<br />
Figure 2-22: <strong>IESO</strong> Portal Conceptual Architecture ...................................................... 545456<br />
Figure 3-1: Message Exchange Interfaces .................................................................. 595962<br />
Figure 3-2: Responsibilities for Telecommunications and Site Readiness for RTUs .... 666669<br />
Figure 3-3: Responsibilities for Telecommunications and Site Readiness for DWS ..... 666669<br />
Figure 4- 1 Block Diagram of Typical AGC Control Arrangement for Generation units With<br />
Remote MW Setpoint Control Capability .............................................................. 767681<br />
Figure 5-1: Overview of Dataflow from the MP to <strong>IESO</strong> systems ................................. 797985<br />
Figure 5-2: Schematic Overview for Settlement Statements and Data Files ................ 858591<br />
Issue 21.1 – March 15, 2010 - estimated Public iii
Table of Changes<br />
IMO_MAN_0024<br />
Table of Changes<br />
<strong>Reference</strong><br />
(Section and<br />
Paragraph)<br />
Section 2.1.2<br />
paragraph 62<br />
Section 2.1.2<br />
paragraph<br />
93,94,95<br />
Section 2.3.6<br />
paragraph 173<br />
Section 4.1.2<br />
Qualified Devices<br />
Description of Change<br />
Updated content of Java Policy File for Verizon CA Update starting in<br />
March 2010<br />
Updated Market <strong>Participant</strong> Firewall configuration content for Verizon<br />
CA Update starting in March 2010<br />
Updated IP addresses and Domain Names for Verizon CA Update starting<br />
in March 2010<br />
Added 2 new Remote Terminal Unit (RTU) to line 266<br />
iv Public Issue 21.1 - March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
1. Overview<br />
1. Overview<br />
1.1 About this <strong>Manual</strong><br />
1 The “<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong>” is comprised of the following<br />
sections:<br />
Section<br />
1.0 Overview<br />
Name of Section<br />
2.0 <strong>Participant</strong> Workstation, Network and Security<br />
3.0 Dispatch Information<br />
4.0 Operational Metering Equipment and AGC<br />
5.0 Market Applications<br />
The content of each is described more fully later in this section.<br />
1.2 Purpose<br />
2 This “<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong>” (“PTRM”) provides the potential<br />
market participants with the necessary general technical standards to participate in the<br />
<strong>IESO</strong>-administered markets. It also provides references to other documents and<br />
information sources for detailed technical specifications required for participating in<br />
the <strong>IESO</strong>-administered markets. This document is not intended to be used as a standalone<br />
technical reference manual for all issues within the realm of electricity<br />
production, distribution, or consumption.<br />
3 Written for market participants, it provides only information relevant to the participant<br />
for communicating with the <strong>IESO</strong> and participating in the electricity market. It provides<br />
more detailed information on the requirements stated in the “Market Rules”.<br />
4 It is intended as a generic guide and the relevance of information in certain sections<br />
will depend on the market requirements of the participant. Market participants are<br />
expected to understand what information they will require for their particular role in the<br />
market and apply the required sections accordingly.<br />
1.3 Scope<br />
5 This document is intended to provide market participants with a description of the<br />
various facilities and interfaces they require to participate in the <strong>IESO</strong>-administered<br />
markets.<br />
6 This document supplements the market rules. It also points to other documents and<br />
information sources that provide installation, set-up, and configuration information for<br />
the various tools and facilities required for participation in the electricity market as a<br />
supplier, transmitters, distributor, generator, or consumer.<br />
Issue 21.1 - March 15, 2010 - estimated Public 1
1. Overview IMO_MAN_0024<br />
7 The material contained in various sections of the PTRM is limited to information that is<br />
relatively stable and not subject to frequent change. <strong>Technical</strong> details that are subject<br />
to change, on a more frequent basis, are posted on the <strong>Technical</strong> Interfaces page of<br />
<strong>IESO</strong>‟s Web site at www.ieso.ca. It is therefore important for market participants to<br />
refer to the specific technical documents on the <strong>Technical</strong> Interfaces page when<br />
reviewing the requirements outlined in the “PTRM”. Specific document references are<br />
included in each of the relevant sections of the “PTRM” as well as in the <strong>Reference</strong>s<br />
table at the rear of the document.<br />
1.3.1 Out of Scope<br />
8 <strong>Technical</strong> requirements for revenue metering are not contained within the “PTRM”.<br />
Details for revenue metering requirements are contained in “Market <strong>Manual</strong> 3:<br />
Metering” which is available on <strong>IESO</strong>‟s Web site.<br />
1.4 Limitations<br />
9 The information in this document is limited to the information available at the time of<br />
publication. It is subject to change as the various technical interfaces and/or market<br />
requirements evolve.<br />
10 The information in this document is based on the market rules provided to the <strong>IESO</strong> by<br />
the Minister of Energy, Science and Technology dated April 15, 1999 and subsequent<br />
updates thereof. Future changes in the “Market Rules” may result in changes in this<br />
document. No warranty is provided that any participant‟s requirements have been<br />
completely or correctly interpreted or that all issues have been identified.<br />
11 The “<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong>” is only a technical specification manual<br />
and does not provide any procedural information. For procedural details please refer to<br />
the relevant user manual and/or guide.<br />
1.5 Who Should Use This <strong>Manual</strong><br />
12 The “PTRM” is meant for all those who wish to participate in the <strong>IESO</strong>-administered<br />
market. These include, but are not limited to, the generators, distributors, wholesale<br />
sellers, wholesale consumers, retailers, transmitters and the financial market<br />
participants.<br />
13 The “PTRM” provides the participants with the technical details and specifications of<br />
the hardware and software as well as other security-related information required by<br />
participants for interfacing and information exchange with the <strong>IESO</strong>.<br />
1.6 Conventions<br />
14 The standard conventions followed for market manuals are as follows:<br />
The word „shall‟ denotes a mandatory requirement;<br />
Terms and acronyms used in this market manual including all Parts thereto that are<br />
italicized have the meanings ascribed thereto in Chapter 11 of the “Market Rules”;<br />
2 Public Issue 21.1 - March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
1. Overview<br />
Double quotation marks are used to indicate titles of legislation, publications, forms<br />
and other documents.<br />
Any procedure-specific convention(s) shall be identified within the procedure<br />
document itself.<br />
1.7 How This <strong>Manual</strong> is Organized<br />
15 This document is organized by specific areas of interest and not by market participant<br />
roles. It is the responsibility of market participants to know what components are<br />
relevant.<br />
16 The “<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong>” is divided into several parts based on<br />
specific areas of interest. A brief description and summary of each part is provided<br />
below:<br />
Section 1.0 - Overview: Contains information about the purpose, scope, limitations<br />
and structure of the manual.<br />
Section 2.0 - <strong>Participant</strong> Workstation, Network and Security: This section contains<br />
the minimum technical specifications for the participant workstation required by<br />
market participants making bids/offer or obtaining information about market<br />
activity. The minimum hardware and software specifications for the participant<br />
network used for interacting with the <strong>IESO</strong> are also described. This part also<br />
provides market participants with information and technical specifications for the<br />
digital certificates. The participants require the digital certificates or User ID<br />
account, identity credentials for purposes of data confidentiality and security.<br />
Section 3.0 - Dispatch Information: This part contains information about the<br />
technical requirement of the dispatch workstation and general information about<br />
dispatch message exchange. The primary audiences for this part are those<br />
participants who will be providing electrical power into or withdrawing electric<br />
energy from the <strong>IESO</strong>-controlled grid and will receive dispatch instructions from<br />
the <strong>IESO</strong>. It includes as well information on the functional aspects of the Dispatch<br />
Message Exchange as well as the message structures & actions. Minimum hardware<br />
and software specifications for the real time network required for acquiring real<br />
time data, dispatch of automatic generation control (AGC) and dispatch messaging<br />
are also provided besides general information on voice communication<br />
specifications and types.<br />
Section 4.0 - Operational Metering Equipment & AGC: This part details<br />
information and technical specifications for the operational metering requirements.<br />
It does not contain information on revenue metering which is provided in the<br />
“Market <strong>Manual</strong> 3: Metering” on the <strong>IESO</strong>‟s Web site.<br />
It also provides technical specifications for the AGC Operational Remote Terminal Units<br />
(RTUs).<br />
Section 5.0 -Market Applications: Provides technical specifications & requirements<br />
for the bidding application, settlement application, invoicing and application<br />
interfaces (MIM API). For viewing templates, validation tables and sample data<br />
files please refer to the <strong>Technical</strong> Interfaces page of <strong>IESO</strong>‟s Web site.<br />
Issue 21.1 - March 15, 2010 - estimated Public 3
1. Overview IMO_MAN_0024<br />
17 The technical specification and requirements contained in the Sections of this <strong>Manual</strong><br />
are authorized under “Appendix 2.2 of the market rules”. Specific references, where<br />
applicable, will be included at the beginning of each section.<br />
– End of Section –<br />
4 Public Issue 21.1 - March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
2. <strong>Participant</strong> Workstation, Network &<br />
Security<br />
18 (For supporting rule references, please refer to “Appendix 2.2, Section 1.4 of the<br />
market rules”)<br />
2.1 <strong>Participant</strong> Workstation<br />
2.1.1 Hardware Requirements<br />
Platform<br />
Processor<br />
19 The client software provided by the <strong>IESO</strong> is designed to be platform independent. The<br />
<strong>IESO</strong> has performed extensive testing of this software on the Windows XP and Vista<br />
operating systems. The software should also function on other versions of the Windows<br />
Operating System (i.e. Windows 98 or higher) but these are no longer formally<br />
supported by the <strong>IESO</strong>. Displays may be rendered incorrectly if a Windows Operating<br />
System is not used. Other operating systems and hardware may be used as long as the<br />
operating system supports the Java 2 Runtime Environment (see java.sun.com). At this<br />
time there are no known issues with the <strong>IESO</strong> Portal and the supported browsers.<br />
20 For Windows XP It is recommended that the client workstation hardware conform to<br />
Microsoft‟s specifications found at:<br />
http://www.microsoft.com/windowsxp/pro/evaluation/sysreqs.mspx<br />
and for Windows Vista at<br />
http://www.microsoft.com/windows/products/windowsvista/editions/systemrequiremen<br />
ts.mspx.<br />
However going forward the <strong>IESO</strong> recommends the following:<br />
21 The minimum recommended processor is a 1 GHz 32 –Bit (X86) or 64-bit (x64) CPU<br />
Memory<br />
22 The minimum recommended system requirements are 1 GB of internal RAM.<br />
Disk<br />
23 The recommended available disk space is a minimum of 15 gigabytes on a 40 GB hard<br />
drive.<br />
Interface Cards<br />
24 A minimum 56Kb modem or faster cable modem or equivalent is strongly<br />
recommended if the market participant is interfacing with the <strong>IESO</strong> over the public<br />
Internet.<br />
Issue 21.1 – March 15, 2010 - estimated Public 5
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
Monitor<br />
Printer<br />
25 Support for DirectX 9 graphics and 128 MB of graphics memory (minimum), WDDM<br />
driver, Pixel Shader 2.0 in hardware and 32 bits per pixel.<br />
26 If connecting to the <strong>IESO</strong> through an internal network over the web, then the<br />
appropriate participant network equipment will be required.<br />
27 The supported monitor must be SVGA with a resolution capability of 800 x 600 pixels<br />
or greater.<br />
28 It is recommended that a printer with high resolution of at least 600 dpi and that<br />
supports multiple fonts be used.<br />
Other Components<br />
29 Additional components that should be included with your system are a compatible twobutton<br />
mouse, keyboard, and 1.44 MB high-density floppy disk drive.<br />
30 A Smartcard and reader are highly recommended options.<br />
31 DVD-ROM drive<br />
2.1.2 Software Requirements<br />
Operating System<br />
32 The recommended operating system is Windows XP SP2 or Vista as shown on the<br />
<strong>IESO</strong> Supported Client Platform web page at :<br />
http://www.ieso.ca/imoweb/ti/ti_Supported-Client-Platform.asp .<br />
Previous versions of Windows are no longer supported by the <strong>IESO</strong>. The operating<br />
system must have support for the TCP/IP protocol.<br />
Note: When Windows is used as the operating system, the preferred Short Date format is<br />
yyyy/mm/dd. Other Short Date formats may be used provided the year placement is set to<br />
yyyy. Go to the Control Panel Regional Settings to make this adjustment. The delivery dates<br />
used by the Internet Explorer browser in the submission of bids are generated from this date<br />
setting and value.<br />
Browser<br />
33 All <strong>IESO</strong> applications within the MPI are fully tested with the supported OS /Browser<br />
and JRE combinations.<br />
34 128-bit encryption is standard with the Internet Explorer browser and this can be<br />
verified under the 'Help' menu and then the 'About Internet Explorer' menu selection.<br />
<strong>IESO</strong> secure web sites also have been configured to work with SSL 3.0 or higher which<br />
requires this level of encryption.<br />
35 The viewing resolution must be 800 x 600 pixels or higher in view maximized mode.<br />
6 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
Firewall<br />
36 Internet Explorer has been tested with the Notice of Disagreement (NOD) and Meter<br />
Trouble Reporting (MTR) applications. MTR and NOD will function as expected with<br />
the supported Microsoft OS, Internet Explorer combinations<br />
37 The <strong>IESO</strong> Portal is accessible with the supported Microsoft OS, Internet Explorer<br />
combinations as well as Netscape 7.2 or 8.0 or Mozilla Firefox 1.0, 1.5 or 2.0.1 or<br />
Safari 2.0. These specifications are provided by the <strong>IESO</strong>‟s Portal vendor.<br />
38 Browser requirements as recommended by Entrust for the Entrust Authority<br />
Administration Services tool for the <strong>IESO</strong> desktop digital IDs (EPF files) are as shown<br />
on the <strong>IESO</strong> Supported Client Platform web page.<br />
However see http://www.entrust.com/pki/admin_services/specs.htm for complete<br />
information<br />
39 It is recommended that the each Market <strong>Participant</strong> ensure that each participant<br />
workstation is protected by an appropriate firewall for the network and workstations<br />
being used. The choice of the technology to be employed is up to the Market<br />
<strong>Participant</strong>.<br />
Issue 21.1 – March 15, 2010 - estimated Public 7
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
Microsoft Internet Explorer Configuration for MPI and Portal<br />
40 For the supported versions of Microsoft Internet Explorer to work properly with the Market<br />
<strong>Participant</strong> Interface and Portal there are a number of configuration settings that should be<br />
made. This includes configuration items in both the Advanced and Security tabs under<br />
Internet Options menu selection in Internet Explorer. It is important to note that the settings<br />
are unique to each user profile for IE on a workstation. Therefore, if multiple users with<br />
separate logins share a workstation, settings will need to be checked and altered as required<br />
for each user. It is also important to recognize that Internet Explorer 6.0 has differences in<br />
configuration settings between Windows XP SP1 and SP2 and so does Internet Explorer<br />
7.0 between Windows XP SP1 and SP2 and Vista. These differences are documented by<br />
the <strong>IESO</strong> as required.<br />
41 The browser settings are essentially the same for IE 6.0 and 7.0 with minor differences<br />
when using Windows XP–SP2 and Vista. However under Vista, Internet Explorer 7.0 is<br />
using the new Protected Mode capability for the various security zones as described at:<br />
http://msdn2.microsoft.com/en-us/library/bb250462.aspx. The recommendation at this<br />
time is to put the MPI, Portal and <strong>IESO</strong> corporate web site URL‟s into the „Trusted sites‟<br />
zone when using Vista and turn off Protected Mode for this zone only. The MPI will not<br />
function correctly at this time with Protected Mode turned on and logout will not function<br />
correctly from the MPI unless the <strong>IESO</strong> corporate web site in included in the same zone as<br />
the MPI. Vista enforces the opening of a new browser window every time the security zone<br />
changes<br />
Internet Options - Advanced<br />
42 A number of parameters may need to be set for Advanced Internet Options. To do this:<br />
1. Under the IE Tools menu select Internet Options<br />
2. Select the Advanced tab. See Figure 2-1. (IE / Windows XP shown)<br />
8 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
Figure 2-1: Internet Explorer, Internet Options - Advanced<br />
3. Choose the following settings as shown in Table 2-1 for the appropriate Windows / IE<br />
combination and then click on the 'Apply' button. Depending on the user's workstation<br />
software environment, specific options may need to be altered from the settings<br />
recommended here for proper function of Internet Explorer under all circumstances<br />
with other non-<strong>IESO</strong> applications.<br />
Table 2-1 : Internet Explorer Advanced Internet Options with Windows XP-SP2 and Vista<br />
Advanced Internet Option<br />
Parameter<br />
Accessibility Parameters – all<br />
Value (blank means<br />
no check) IE 6.0 –<br />
XP-SP2<br />
IE 7.0 – XP-SP2<br />
IE 7.0 – Vista<br />
Always expand ALT text for images No stipulation No stipulation No stipulation<br />
Move system caret with<br />
focus/selection changes<br />
Reset text size to medium for new<br />
windows and tabs<br />
Reset text size to medium while<br />
zooming<br />
Reset Zoom level to 100% for new<br />
windows and tabs<br />
Browsing Parameters<br />
No stipulation No stipulation No stipulation<br />
N/A No stipulation No stipulation<br />
N/A No stipulation No stipulation<br />
N/A No stipulation No stipulation<br />
Always send URLs N/A N/A<br />
Issue 21.1 – March 15, 2010 - estimated Public 9
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
Advanced Internet Option<br />
Parameter<br />
Automatically check for Internet<br />
Explorer updates<br />
Close unused folders in History and<br />
Favorites<br />
Value (blank means<br />
no check) IE 6.0 –<br />
XP-SP2<br />
IE 7.0 – XP-SP2<br />
IE 7.0 – Vista<br />
No stipulation No stipulation No stipulation<br />
Disable script debugging No stipulation N/A N/A<br />
Disable script debugging ( Internet<br />
Explorer)<br />
N/A No stipulation No stipulation<br />
Disable script debugging (Other) N/A No stipulation No stipulation<br />
Display a notification about every<br />
script error<br />
No stipulation No stipulation No stipulation<br />
Enable folder view for FTP sites N/A N/A<br />
Enable FTP folder view (outside of<br />
Internet Explorer)<br />
Enable install on demand (Internet<br />
Explorer)<br />
N/A <br />
No stipulation N/A N/A<br />
Enable install on demand (Other) N/A N/A<br />
Enable offline items to be<br />
synchronized on a schedule<br />
No stipulation N/A N/A<br />
Enable page transitions No stipulation No stipulation No stipulation<br />
Enable Personalized Favorites menu No stipulation No stipulation No stipulation<br />
Enable third-party browser extensions<br />
(requires restart)<br />
Enable visual styles on buttons and<br />
controls in web pages<br />
Force offscreen compositing even<br />
under Terminal Server (requires<br />
restart)<br />
<br />
<br />
Notify when downloads complete No stipulation No stipulation No stipulation<br />
Reuse windows when launching<br />
shortcuts<br />
No stipulation No stipulation No stipulation<br />
Show friendly HTTP error messages <br />
Show friendly URLs N/A N/A<br />
Show Go button in Address bar N/A N/A<br />
Show Internet Explorer on the<br />
desktop<br />
No stipulation N/A N/A<br />
Underline links Always Always Always<br />
Use inline AutoComplete No stipulation No stipulation No stipulation<br />
10 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
Advanced Internet Option<br />
Parameter<br />
Use most recent order when switching<br />
tabs with Ctrl+Tab<br />
Use Passive FTP (for firewall and<br />
DSL modem compatibility)<br />
Value (blank means<br />
no check) IE 6.0 –<br />
XP-SP2<br />
IE 7.0 – XP-SP2<br />
IE 7.0 – Vista<br />
N/A No stipulation No stipulation<br />
No stipulation No stipulation No stipulation<br />
Use smooth scrolling <br />
HTTP 1.1 Settings<br />
Use HTTP 1.1 <br />
Use HTTP 1.1 through proxy<br />
connections<br />
International<br />
No stipulation No stipulation No stipulation<br />
Always show encoded addresses N/A No stipulation No stipulation<br />
Send IDN Server Names N/A No stipulation No stipulation<br />
Send IDN server names for<br />
Intranet addresses<br />
N/A No stipulation No stipulation<br />
Send UTF-8 URLs N/A No stipulation No stipulation<br />
Show Information Bar for encoded<br />
addresses<br />
N/A No stipulation No stipulation<br />
Use UTF-8 for mailto links N/A No stipulation No stipulation<br />
Java(Sun)<br />
Use Java 2 v1.5.0_xx for <br />
((requires restart) (If shown)<br />
Microsoft VM<br />
Java Console enabled No stipulation No stipulation N/A<br />
Java logging enabled No stipulation No stipulation N/A<br />
JIT compiler for virtual machine<br />
enabled<br />
Multimedia<br />
Don't display online media content in<br />
the media bar (if shown)<br />
N/A<br />
No stipulation N/A N/A<br />
Always use ClearType for HTML N/A No stipulation No stipulation<br />
Enable automatic image resizing <br />
Enable Image Toolbar (requires<br />
restart)<br />
No stipulation N/A N/A<br />
Play animations in web pages No stipulation No stipulation No stipulation<br />
Play sounds in web pages No stipulation No stipulation No stipulation<br />
Issue 21.1 – March 15, 2010 - estimated Public 11
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
Advanced Internet Option<br />
Parameter<br />
Value (blank means<br />
no check) IE 6.0 –<br />
XP-SP2<br />
IE 7.0 – XP-SP2<br />
Play videos in web pages No stipulation N/A N/A<br />
IE 7.0 – Vista<br />
Show image download placeholders No stipulation No stipulation No stipulation<br />
Show pictures No stipulation No stipulation No stipulation<br />
Show image dithering No stipulation No stipulation No stipulation<br />
Printing<br />
Print backgrounds colors and images No stipulation No stipulation No stipulation<br />
Search from the Address bar No stipulation No stipulation No stipulation<br />
Security<br />
Allow active content from CD to run<br />
on My Computer<br />
Allow active content to run in files on<br />
My Computer<br />
Allow software to run or install even<br />
if the signature is invalid<br />
Check for Publishers certificate<br />
revocation<br />
Check for server certificate revocation<br />
(requires restart)<br />
Check for signatures on downloaded<br />
programs<br />
No stipulation No stipulation No stipulation<br />
No stipulation No stipulation No stipulation<br />
No stipulation No stipulation No stipulation<br />
<br />
<br />
<br />
Do not save encrypted pages to disk No stipulation No stipulation No stipulation<br />
Empty Temporary Internet Files<br />
folder when browser is closed<br />
Enable Integrated Windows<br />
Authentication (requires restart)<br />
No stipulation No stipulation No stipulation<br />
No stipulation No stipulation No stipulation<br />
Enable Profile Assistant No stipulation N/A N/A<br />
Enable memory protection to help<br />
mitigate online attacks<br />
N/A N/A No stipulation<br />
Enable native XMLHTTP support <br />
Phishing Filter N/A Turn on<br />
automatic<br />
website checking<br />
Use SSL 2.0<br />
Use SSL 3.0 <br />
Turn on<br />
automatic<br />
website<br />
checking<br />
Use TLS 1.0 No stipulation No stipulation No stipulation<br />
12 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
Advanced Internet Option<br />
Parameter<br />
Value (blank means<br />
no check) IE 6.0 –<br />
XP-SP2<br />
IE 7.0 – XP-SP2<br />
Warn about invalid site certificates <br />
Warn if changing between secure and<br />
not secure mode<br />
Warn if forms submittal is being<br />
redirected<br />
Warn if Post submittal is redirected to<br />
a zone that does not permit posts<br />
<br />
N/A N/A<br />
N/A <br />
IE 7.0 – Vista<br />
Browser Settings for Entrust Authority Administration Tool<br />
43 The browser settings for compatible browsers for accessing the Entrust Authority<br />
Administration Tool available at the Cybertrust Certification Authority at:<br />
https://ccip.idm.cybertrust.com/AdminServices/ are as follows.<br />
Table 2-2 Entrust Authority Administration Tool – Browser Settings<br />
Browser Setting name Setting Location Comment<br />
Netscape<br />
Navigator 7.0<br />
Microsoft<br />
Internet<br />
Explorer 5.x<br />
Microsoft<br />
Internet<br />
Explorer 6.x<br />
and 7.0<br />
Enable all cookies<br />
Ask me before<br />
storing a cookie<br />
Enable Java<br />
Enable JavaScript<br />
for Navigator<br />
Allow per-session<br />
cookies<br />
(not stored)<br />
Active Scripting<br />
Scripting of Java<br />
applets<br />
Enable<br />
Enable<br />
Enable<br />
Enable<br />
Enable or Prompt<br />
Enable or Prompt<br />
Enable or Prompt<br />
First Party Cookies Accept or Prompt Tools/Internet<br />
Options/Privacy<br />
/Advanced<br />
Allow per-session<br />
cookies<br />
(not stored)<br />
Enable or Prompt<br />
Tools/Internet<br />
Options/Privacy<br />
/Advanced<br />
Active Scripting Enable or Prompt Tools/Internet<br />
Options/Securit<br />
y/Internet/Custo<br />
m Level<br />
Scripting of Java<br />
applets<br />
Enable or Prompt<br />
Tools/Internet<br />
Options/Securit<br />
Make settings after selecting<br />
overall privacy setting to<br />
medium, medium high etc.<br />
Make settings after selecting<br />
overall privacy setting to<br />
medium, medium high etc.<br />
Make setting for the internet<br />
or trusted sites zones as<br />
req‟d<br />
Make setting for the internet<br />
or trusted sites zones as<br />
Issue 21.1 – March 15, 2010 - estimated Public 13
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
Browser Setting name Setting Location Comment<br />
y/Internet/Custo<br />
m Level<br />
Third party Cookies Block Tools/Internet<br />
Options/Privacy<br />
/Advanced<br />
Microsoft VM -<br />
Java Permissions<br />
Medium - (cannot<br />
be disable Java)<br />
Tools/Internet<br />
Options/Securit<br />
y Settings ( all<br />
zones)<br />
req‟d<br />
Make settings after selecting<br />
overall privacy setting to<br />
medium, medium high etc.<br />
Disabling Microsoft VM<br />
Java in the Security settings<br />
will disable use of the<br />
Entrust Authority system<br />
applet.<br />
These settings will need to be considered for other third party applications/systems the Market<br />
<strong>Participant</strong> may be using. SSL version 3.0 for https is also required and this should be set<br />
appropriately. All communications to the CA Entrust Authority system is done over port 443<br />
via the Entrust XAP protocol.<br />
44 The Entrust Authority Admin Tool uses a small java based applet. It is also a digitally<br />
signed applet that the user needs to allow to run by accepting the first time prompt if<br />
displayed (as shown below) when navigating to the Entrust Authority Administration<br />
website. If the user inadvertently chose the Never run software from Entrust Limited the<br />
Entrust Authority Administration tool will not work. The user should choose Always run<br />
software from Entrust Limited or Ask me every time. See Figure 2-2. The choice is stored<br />
on the user‟s workstation in Internet Explorer.<br />
Figure 2-2: Internet Explorer, Entrust Truepass Applet Security Warning<br />
45 If the user does inadvertently choose Never run software from Entrust Limited, it will<br />
need to be changed. This can be done by going to the IE menu selection - Tool/Internet<br />
Options/Content/Certificates/Publisher and then select the Untrusted Publishers tab. See<br />
Figure 2-3. In this location, the Entrust Limited certificate can be seen. The user will need<br />
to highlight it and click on remove. Then on the next attempted login to the Entrust<br />
Authority Administration tool, the user must choose the Always run software from Entrust<br />
Limited selection which will install the certificate in IE in the Trusted Publishers location.<br />
14 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
Figure 2-3: Internet Explorer, Untrusted Publishers Certificates Listing<br />
Internet Explorer - Internet Options - Security<br />
46 A number of security configuration settings may need to be made in order for<br />
proper functioning of the browser with various <strong>IESO</strong> web sites. The market<br />
participant can choose to define and place the MPI and Portal URLs for the<br />
Production and Sandbox environments into the Trusted Sites zone under IE<br />
Security or leave those URLs in the Internet zone by default for Windows XP.<br />
If the URLs are left in the Internet zone by default then it is recommended that<br />
the Security settings for that zone be configured as defaulted (medium security<br />
level) except where noted. However for Windows Vista is important that the<br />
URLs be placed in the „Trusted sites‟ zone as well as the <strong>IESO</strong> corporate site as<br />
discussed previously.<br />
47 When the URL's are included in the 'Trusted Sites' zone for XP then it is<br />
recommended that the Security settings be configured as Medium-low instead<br />
of the default Low. This provides reasonable security but eliminates most<br />
prompts. For Vista, the default is medium and this can be left as is.<br />
48 However the market participant's IT security people should be involved in<br />
deciding the appropriate settings and implement based on their own rules and<br />
policies, which may take precedence over the settings recommended here. The<br />
choice is in the end, up to each market participant.<br />
Internet Zone Security Settings<br />
49 When leaving the <strong>IESO</strong> MPI and Portal URLs by default in the IE 'Internet'<br />
zone for XP it is recommended the following settings be made:<br />
4. Under the Tools menu select Internet Options<br />
Select the Security tab. See Figure 2-4 and Figure 2-5. (IE / Windows XP shown). For<br />
Windows Vista some additional security has been added in the form of Protected Mode as<br />
mentioned above. This can be turned on or off for each security zone. It is required under<br />
Vista for the MPI web sites that Protected Mode is turned off. This can be done in the<br />
Issue 21.1 – March 15, 2010 - estimated Public 15
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
Security tab via the check box at the bottom of the Internet Options window as shown in<br />
Figure 2-6.<br />
Figure 2-4: Internet Explorer 6.0, Internet Options - Security – Windows XP<br />
16 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
Figure 2-5: Internet Explorer 7.0, Internet Options - Security - Windows XP<br />
Figure 2-6: Internet Explorer 7.0, Internet Options - Security - Windows Vista<br />
5. Click on the Internet zone icon to specify its security settings. The default level for the<br />
Internet zone in IE is 'Medium'. Most of the settings should be left as is unless security<br />
policies for the Market <strong>Participant</strong> require something else.<br />
6. Click on the 'Custom Level' button to activate the Security Settings configuration<br />
window. See Figure 2-7. (IE / Windows XP shown)<br />
7. Verify default settings are as per Table 2-2 and Table 2-3 when <strong>IESO</strong> MPI and Portal<br />
URLs are by default in the Internet zone. If conflicts occur for other IE operations with<br />
other web sites modify as required for optimal and secure operation of Internet<br />
Explorer.<br />
8. Click on the "OK" button to accept all changes.<br />
Issue 21.1 – March 15, 2010 - estimated Public 17
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
Figure 2-7: Internet Explorer 6.0, Internet Options - Custom Security Settings Window<br />
Trusted Sites Security Settings<br />
50 When including the <strong>IESO</strong> MPI and Portal URLs in the IE 'Trusted Sites' zone it<br />
is recommended the following configuration settings be made<br />
1. Under the Tools menu select Internet Options<br />
2. Select the Security' tab. See Figures 2-4 to 2.6 above.<br />
3. Click on the Trusted Sites zone icon to specify its security settings. The default level for<br />
the Trusted Sites zone in IE is 'Low' for XP and Medium for Vista. It is recommended<br />
to change this 'Medium-low' for XP and leave as default for Vista. Notice that the<br />
'Sites' button is now active.<br />
4. Click on the 'Sites' button to activate the 'Trusted Sites' entry window. See Figure 2-8<br />
5. Type in the address(es) of the trusted sites for the <strong>IESO</strong>'s Production and Sandbox MPI<br />
and Portal environments and use the 'add' button to add them. See Figure 2-9.<br />
6. When using Vista the MPI logout transition to the <strong>IESO</strong> home page will work only<br />
within the same browser window provided that both “sites” (https://mos.ieso.ca ( or<br />
https://moswebh.ieso.ca for Sandbox) and http://www.ieso.ca) are in the same security<br />
zone. It appears that Vista enforces the opening of a new browser window every time<br />
the security zone changes. Maintaining the same browser window can be accomplished<br />
with the proper wildcard in the Trusted Sites list. See Figure 2-11. In this way, the<br />
logout redirect to the <strong>IESO</strong> home page stays within the Trusted Sites zone.<br />
18 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
Figure 2-8: Internet Explorer 6.0, Internet Options - Trusted Sites Security<br />
Figure 2-9: Internet Explorer 6.0, Trusted Sites Security - Web Sites Addition<br />
Issue 21.1 – March 15, 2010 - estimated Public 19
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
Figure 2-10: Internet Explorer 7.0, Trusted Sites Security - Web Sites Addition – Windows<br />
Vista<br />
7. Click on the "Require Server Verification (https) for all sites in this zone" option check<br />
flag if all sites entered here are https sites like the <strong>IESO</strong>'s MPI or Portal.<br />
8. Click on the 'OK' button.<br />
9. Click on the 'Custom Level' button to activate the Security Settings configuration<br />
window.<br />
10. Verify settings as per Table 2-3 when <strong>IESO</strong> MPI and/or Portal URLs are in the Trusted<br />
Sites zone for and the appropriate Windows and Internet Explorer combination. If<br />
conflicts occur for other IE operations with other web sites modify as required for<br />
optimal and secure operation of Internet Explorer. Note that choosing the 'Prompt'<br />
parameter value will require more user overhead than 'Enable'.<br />
Note: The user can use the right mouse click and then on 'What's This' on each item in IE 'Security<br />
Settings' for an explanation of each item.<br />
20 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
Table 2-3: IE Internet Options, Security Settings – Windows XP-SP2 and Vista<br />
Parameter<br />
General Security<br />
Level for zone<br />
.NET Framework<br />
.NET Frameworkreliant<br />
components<br />
Active X Controls<br />
and Plug-ins<br />
Allow Previously<br />
unused ActiveX<br />
controls to run without<br />
prompting<br />
MPI and Portal<br />
URLs in<br />
'Internet' zone by<br />
default for XP-<br />
SP2 and IE 6.0<br />
When MPI and<br />
Portal URLs<br />
added to<br />
'Trusted Sites'<br />
zone in XP-SP2<br />
and IE 6.0<br />
When MPI and<br />
Portal URLs<br />
added to<br />
'Trusted Sites'<br />
zone in XP-SP2<br />
and IE 7.0<br />
Medium Defaults Medium-Low Medium Medium<br />
No stipulation on<br />
all settings<br />
No stipulation on<br />
all settings<br />
No stipulation on<br />
all settings<br />
No stipulation on<br />
all settings<br />
No stipulation<br />
on all settings<br />
No stipulation<br />
on all settings<br />
N/A N/A Enable Enable<br />
When <strong>IESO</strong>,<br />
MPI and Portal<br />
URLs added to<br />
'Trusted Sites'<br />
zone in Vista<br />
and IE 7.0<br />
No stipulation on<br />
all settings<br />
No stipulation on<br />
all settings<br />
Allow Scriptlets N/A N/A No stipulation No stipulation<br />
Automatic prompting<br />
for ActiveX controls<br />
Binary and script<br />
behaviors<br />
Display video and<br />
animation on a<br />
webpage that does not<br />
use external media<br />
player<br />
Download Signed<br />
ActiveX Controls<br />
Download Unsigned<br />
ActiveX Controls<br />
Initialize and script<br />
ActiveX controls not<br />
marked as safe<br />
Run ActiveX controls<br />
and plug-ins<br />
Enable Enable Enable No stipulation<br />
Enable Enable Enable Enable<br />
N/A N/A No stipulation No stipulation<br />
Prompt Enable Enable Enable<br />
Prompt Prompt Prompt Prompt<br />
Disable (prompt<br />
acceptable)<br />
Enable (prompt<br />
acceptable)<br />
Disable (prompt<br />
acceptable)<br />
Disable (prompt<br />
acceptable)<br />
Enable<br />
Enable Enable Enable<br />
Script ActiveX Enable (prompt Enable Enable Enable<br />
Issue 21.1 – March 15, 2010 - estimated Public 21
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
Parameter<br />
controls marked as<br />
safe<br />
MPI and Portal<br />
URLs in<br />
'Internet' zone by<br />
default for XP-<br />
SP2 and IE 6.0<br />
acceptable)<br />
When MPI and<br />
Portal URLs<br />
added to<br />
'Trusted Sites'<br />
zone in XP-SP2<br />
and IE 6.0<br />
When MPI and<br />
Portal URLs<br />
added to<br />
'Trusted Sites'<br />
zone in XP-SP2<br />
and IE 7.0<br />
When <strong>IESO</strong>,<br />
MPI and Portal<br />
URLs added to<br />
'Trusted Sites'<br />
zone in Vista<br />
and IE 7.0<br />
Downloads<br />
Automatic prompting<br />
for file downloads<br />
Enable Enable Enable Enable<br />
File Download Enable Enable Enable Enable<br />
Font Download<br />
Microsoft VM<br />
Enable (prompt<br />
acceptable)<br />
Enable Enable Enable<br />
Java Permissions High Safety Medium Safety Medium Safety<br />
Java VM<br />
Java permissions High Safety Medium safety Medium safety N/A<br />
Miscellaneous<br />
Access data sources<br />
across domains<br />
Allow META<br />
REFRESH<br />
Allow scripting of<br />
Internet Explorer Web<br />
browser control<br />
Allow script initiated<br />
windows without size<br />
or position constraints<br />
Allow web pages to<br />
use restricted<br />
protocols for active<br />
content<br />
Allow websites to<br />
open windows without<br />
addresses or status<br />
bars<br />
Change from<br />
Disable to Prompt<br />
or Enable<br />
Enable<br />
Change from<br />
Disable to Prompt<br />
or Enable<br />
Enable<br />
Prompt or<br />
Enable<br />
Prompt or Enable<br />
No stipulation No stipulation No stipulation No stipulation<br />
No stipulation No stipulation No stipulation No stipulation<br />
No stipulation No stipulation No stipulation No stipulation<br />
N/A N/A No stipulation No stipulation<br />
Display mixed content Prompt Enable Enable Enable<br />
Don't prompt for client<br />
certificate selection<br />
when no certificates or<br />
Disable (may be<br />
changed to enable<br />
if only one <strong>IESO</strong><br />
Enable Enable Enable<br />
22 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
Parameter<br />
only one certificate<br />
exists - (i.e. automatic<br />
certificate<br />
presentation)<br />
Drag and drop or copy<br />
and past files<br />
Include local directory<br />
path when uploading<br />
files to a server.<br />
Installation of desktop<br />
items<br />
Launching<br />
applications and<br />
unsafe files<br />
Launching programs<br />
and files in an<br />
IFRAME<br />
Navigate sub-frames<br />
across different<br />
domains<br />
Open files based on<br />
content, not file<br />
extension<br />
Software channel<br />
permissions<br />
Submit non-encrypted<br />
form data<br />
MPI and Portal<br />
URLs in<br />
'Internet' zone by<br />
default for XP-<br />
SP2 and IE 6.0<br />
certificate for the<br />
profile has been<br />
imported and<br />
automatic<br />
presentation is<br />
desired)<br />
Enable (prompt<br />
acceptable)<br />
When MPI and<br />
Portal URLs<br />
added to<br />
'Trusted Sites'<br />
zone in XP-SP2<br />
and IE 6.0<br />
When MPI and<br />
Portal URLs<br />
added to<br />
'Trusted Sites'<br />
zone in XP-SP2<br />
and IE 7.0<br />
Enable Enable Enable<br />
N/A N /A Enable Enable<br />
Prompt Prompt Prompt Prompt<br />
N /A N /A Prompt Prompt<br />
Prompt Prompt Prompt Prompt<br />
Enable Enable Enable Enable<br />
Enable Enable Enable Enable<br />
When <strong>IESO</strong>,<br />
MPI and Portal<br />
URLs added to<br />
'Trusted Sites'<br />
zone in Vista<br />
and IE 7.0<br />
Medium Safety Medium Safety Medium Safety Medium Safety<br />
Enable (prompt<br />
acceptable)<br />
Enable Enable Enable<br />
Use Phishing Filter N/A N/A Enable Enable<br />
Use Pop-up blocker No Stipulation No Stipulation No Stipulation No Stipulation<br />
User data persistence Enable Enable Enable Enable<br />
Web sites in less<br />
privileged web content<br />
zone can navigate into<br />
this zone<br />
Scripting<br />
Enable Enable Enable Enable<br />
Issue 21.1 – March 15, 2010 - estimated Public 23
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
Parameter<br />
MPI and Portal<br />
URLs in<br />
'Internet' zone by<br />
default for XP-<br />
SP2 and IE 6.0<br />
When MPI and<br />
Portal URLs<br />
added to<br />
'Trusted Sites'<br />
zone in XP-SP2<br />
and IE 6.0<br />
When MPI and<br />
Portal URLs<br />
added to<br />
'Trusted Sites'<br />
zone in XP-SP2<br />
and IE 7.0<br />
Active scripting Enable Enable Enable Enable<br />
Allow paste operations<br />
via script<br />
Allow programmatic<br />
clipboard access<br />
Allow status bar<br />
updates via script<br />
Allow websites to<br />
prompt for<br />
information using<br />
scripted windows<br />
Scripting of Java<br />
applets<br />
User Authentication<br />
Logon<br />
Enable Enable N/A N/A<br />
N/A N/A Prompt Prompt<br />
N/A N/A Enable Enable<br />
N/A N/A Enable Enable<br />
Enable Enable Enable Enable<br />
Automatic logon<br />
only in Intranet<br />
zone<br />
Automatic logon<br />
only in Intranet<br />
zone<br />
When <strong>IESO</strong>,<br />
MPI and Portal<br />
URLs added to<br />
'Trusted Sites'<br />
zone in Vista<br />
and IE 7.0<br />
Internet Explorer Pop-up Blocker with Windows XP-SP2 / Vista and the MPI and<br />
Portal<br />
51 With the release of Windows XP-SP2, pop-up blocker functionality has been<br />
enabled within Internet Explorer 6.0. This can have some beneficial and some<br />
detrimental effects depending on the needs of the browser user. When enabled<br />
with just default settings, the IE pop-up blocker affects the functionality of the<br />
MPI and Portal. The MPI System Messages and Market Status windows for<br />
example do not activate and properly display when pop-up blocking is active<br />
and not disabled for the MPI web site. It is recommended that IE configuration<br />
settings for pop-up blocking be set so that MPI functionality is not affected.<br />
52 This functionality continues as is with Internet Explorer 7.0 under Windows XP<br />
and Vista. The directions included here apply to all the combinations of<br />
Windows XP and IE 6.0 and 7.0 and Windows Vista and IE 7.0.<br />
Internet Explorer Turn Pop-up Blocker On or Off<br />
53 In order to turn off (or on) the IE pop-up blocker function:<br />
1. Under the Tools menu select the Pop-Up Blocker menu option<br />
24 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
2. A submenu list will display. If the pop-up blocker is enabled the first submenu option<br />
will indicate Turn Off Pop-up Blocker. If it is disabled the first submenu option will<br />
indicate Turn On Pop-up Blocker. This option works as a toggle to enable or disable<br />
the pop-up blocker. See Figure 2-10.<br />
Figure 2-10: Internet Explorer, Enabling or Disabling Pop-up Blocker<br />
Internet Explorer Configure Pop-up Blocker Settings<br />
54 In order to access pop-up blocker settings and set up the pop-up blocker filter<br />
parameters to allow the proper functioning of MPI:<br />
1. Under the Tools menu select the Pop-Up Blocker menu option<br />
2. A submenu list will display. Select the Pop-up Blocker settings submenu option when<br />
the pop-up blocker has been toggled on. See Figure 2-11.<br />
3. The Pop-up Blocker Settings windows will activate See Figure 2-12<br />
4. Select the desired Filter setting (e.g. 'Low: Allow pop-ups from secure sites' as an option<br />
if pop-ups are required to be blocked from all sites except those sites protected by SSL).<br />
It is up to the discretion of the market participant to choose the required filter level for<br />
their needs. The low setting will allow all MPI windows as the MPI URL is a secure<br />
site.<br />
5. Enter in the URL addresses of the Sandbox and Production MPI and Portal sites in the<br />
address of Web site to allow and use the Add button (see Figure 2-13). This will allow<br />
the proper functioning of MPI and Portal, no matter what the filter level setting.<br />
Issue 21.1 – March 15, 2010 - estimated Public 25
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
Figure 2-11: Internet Explorer, Activating Pop-up Blocker Settings<br />
Figure 2-12: Pop-up Blocker Settings Window Filter Setting for MPI Use<br />
26 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
Figure 2-13: Addition of MPI URL to Allow Web Site List for Pop-ups<br />
Sun Java Runtime Environment<br />
55 Please refer to the <strong>IESO</strong> Supported Client Platform web page for the required<br />
Java runtime environment Obtaining this software from the Sun Java web site<br />
and its installation on the workstation is detailed in the Identity Management<br />
Operations Guide. It does not need to be set as the default for the browser<br />
however in either the Java control panel or IE Internet Options.<br />
56 Only a user with administrative rights may be able to set the default use of the<br />
JRE Plug-in with IE or not.<br />
57 The JRE should be installed on the workstation properly configured to enable<br />
the MPI applet to function when the user navigates to in Internet Explorer.<br />
These can be checked under the Java control panel. See Figure 2-14 below.<br />
58 Ensure the setting „Place Java icon in system tray‟ is checked in the Java<br />
control panel. This will allow access to the Java console via the right mouse<br />
button.<br />
59 Ensure that „Enable logging‟ is checked under Debugging in the Java control<br />
panel.<br />
60 Ensure that „Hide console‟ is checked under Java Console in the Java control<br />
panel. This will prevent the Java console from always activating when a user<br />
navigates to the MPI or uses Internet Explorer.<br />
61 Ensure that „SSL 3.0‟ is checked under Security in the Java control panel. Also,<br />
ensure that all other boxes under Security are checked except for „Use SSL 2.0‟<br />
and „Use TLS 1.0‟ unless the user has other java applications that need these<br />
security protocols. If SSL 3.0 is not checked, a Java general exception error<br />
Issue 21.1 – March 15, 2010 - estimated Public 27
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
happens when the user navigates to the MPI in Internet Explorer and clicks on<br />
the Browse button.<br />
Figure 2-14: Java Control Panel Settings<br />
28 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
<strong>IESO</strong> Java Policy File<br />
62 A special <strong>IESO</strong> Java, policy file with the file name “.java.policy" (note the dot at the<br />
beginning of the filename) is required for successful <strong>IESO</strong> PKI and MPI processing on<br />
the workstation when using Internet Explorer as the browser for the MPI. It is not<br />
required for use with the MIM IDK or <strong>IESO</strong> Portal. This is a simple text-format file<br />
available from the <strong>IESO</strong> <strong>Technical</strong> Interfaces page. It must be installed in each user's<br />
"C:\Documents and Settings\userID" (e.g. C:\Documents and Settings\smithj) directory<br />
on the workstation where userID represents the login ID for the user. As of release<br />
19.0the Verizon CA update in early March, this file will be updated to include the new<br />
Verizon CA domain names for its replacement CA servers to handle the May 2010<br />
issuing CA certificate replacement, to simplify the content and improve MPI login<br />
performance while maintaining java security. Users can, if desired, still use the<br />
original java policy file which is available on the <strong>Technical</strong> Interfaces, Software<br />
downloads page. This version of the Java policy file has few security restrictions but<br />
high login performance. The edited latest version of the .java.policy file has the<br />
following content for java permissions:<br />
grant {<br />
permission java.lang.RuntimePermission "getProtectionDomain";<br />
permission java.security.SecurityPermission "removeProvider.IAIK";<br />
permission java.security.SecurityPermission "insertProvider.IAIK";<br />
permission java.security.SecurityPermission "putProviderProperty.IAIK";<br />
permission java.security.SecurityPermission "removeProvider.Entrust";<br />
permission java.security.SecurityPermission "insertProvider.Entrust";<br />
permission java.security.SecurityPermission "putProviderProperty.Entrust";<br />
permission java.io.FilePermission "", "read, write";<br />
permission java.util.PropertyPermission "*", "read, write";<br />
permission java.lang.RuntimePermission "queuePrintJob";<br />
permission java.net.SocketPermission "ccica1.idm.cybertrust.com", "connect,resolve";<br />
permission java.net.SocketPermission "ccipdir.idm.cybertrust.com", "connect,resolve";<br />
permission java.net.SocketPermission "ccica2.idm.cybertrust.com", "connect,resolve";<br />
permission java.net.SocketPermission "ccipdir2.idm.cybertrust.com", "connect,resolve";<br />
permission java.net.SocketPermission "cdp1.public-trust.com", "connect,resolve";<br />
permission java.net.SocketPermission "crl.globalsign.net", "connect,resolve";<br />
};<br />
Without this java policy file with the above content in the home directory location for each user,<br />
the MPI applet PKI java code will not function correctly when attempting to login. Under such<br />
circumstances an "applet not inited" error on the browser status line at the bottom may display<br />
and/or a dialogue box with an error message "Login failed: access denied<br />
(java.security.SecurityPermission removeProvider.IAIK)".<br />
63 To download the file from the <strong>Technical</strong> Interfaces page the user can right mouse<br />
button click on the file's POL link on the web-site and choose to save to the required<br />
location as show in Figure 2-15. This will activate the typical Windows "Save As"<br />
window to allow the user to choose the directory location to save the file to.<br />
Issue 21.1 – March 15, 2010 - estimated Public 29
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
Figure 2-15: Right Mouse Button 'Save Target as ..." Function to Download Java Policy File<br />
64 The file type 'policy' is not a normal registered file type and this is not required for<br />
successful download of the <strong>IESO</strong> '.java.policy' file. To download the file, the user must<br />
choose the 'Save as type' option "All Files" and choose the appropriate C:\Documents<br />
and Settings\UserID directory path. The file name must not be changed. See Figure 2-<br />
16. Once this has been done login to the MPI with IE should be successful.<br />
30 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
Figure 2-16: File type Selection to Download Java Policy File<br />
65 Prior or after download, Windows XP and Vista users (or administrators) may create a<br />
'policy' document file type, extension to make the purpose of the file more explicit. To<br />
do so, after opening Windows Explorer (or any window), select the 'Tools' menu, then<br />
'Folder Options…' and then the 'File Types' tab selection. See Figure 2-17 for the<br />
resultant window.<br />
Figure 2-17: Folder Options, File Types Listing window<br />
Issue 21.1 – March 15, 2010 - estimated Public 31
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
66 Click in the 'New' button to activate the 'Create New Extension' window as shown in<br />
Figure 2-18 and type in 'POLICY' in the file extension field and leave the Associated<br />
File Type as . Click on the OK button.<br />
Figure 2-18: Create New Extension Window<br />
67 The Folder Options window will now typically indicate some details for the 'POLICY'<br />
extension and that files of the 'POLICY" extension are of type FT000001, (or<br />
FT000002 and so on if other customized file extensions have been created previously,<br />
Windows creates the numbered file types automatically). See Figure 2-19 for an<br />
example.<br />
Figure 2-19: Folder Option Window with Detail on 'POLICY' extension shown.<br />
Click on the 'Advanced' button in order to activate the 'Edit File Type' window as shown in<br />
Figure 2-20.<br />
32 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
Figure 2-20: Edit File Type Extension Window<br />
Replace the 'FT00001 entry (or FT000002..FT000003 etc.), with the term 'Java Policy File" for<br />
ease of identification of the file type and thenm click on the 'OK' button. Ensure that the correct<br />
file type for the 'POLICY' extension is being changed and not some other file type.<br />
Correct file extension editing will let the user see that the '.java.policy' file is of the 'Java Policy<br />
File' type in folder windows.<br />
Internet Connection<br />
68 For market participants planning to connect to the <strong>IESO</strong> through the public Internet,<br />
the market participant must have an established Internet connection. This may be in the<br />
form of either a dial-up link to an ISP (Internet Service Provider) or through an internal<br />
Web-gate or proxy server. The speed of this Internet connection will directly affect<br />
application performance.<br />
2.2 <strong>Participant</strong> Network<br />
69 Market participants will submit bids/offers, access market, settlements, and metering<br />
information through the use of the <strong>IESO</strong> participant network.<br />
70 There are three methods for a market participant to connect to the <strong>IESO</strong>. These are<br />
defined as PUBLIC over the Internet or as PRIVATE through a facility contracted by<br />
the market participant with a telecommunications service provider, or SHARED over<br />
the <strong>IESO</strong> provided frame relay switched network. Market participants who require high<br />
performance or reliability may wish to consider the PRIVATE or SHARED network<br />
alternatives.<br />
Issue 21.1 – March 15, 2010 - estimated Public 33
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
71 Regardless of the method chosen, failure of the telecommunications network can occur.<br />
Market participants should take this into consideration and establish alternate paths or<br />
contingency plans, as required.<br />
2.2.1 Internet<br />
72 The connectivity bandwidth should be at least 28.8-Kbps but higher speeds are<br />
recommended to maintain optimal performance.<br />
73 Market participants will access the <strong>IESO</strong> using <strong>IESO</strong> digital certificates. To<br />
authenticate to the <strong>IESO</strong> Web site the market participant will present an <strong>IESO</strong> digital<br />
certificate to the <strong>IESO</strong> Web Server MOSMIM (a.k.a. MOSWEB). If the <strong>IESO</strong><br />
certificate is valid, the user will be granted access to selected systems. Market<br />
participants must register for <strong>IESO</strong> digital certificates. Certificate registration will be<br />
performed as specified in the Identity Management Operations Guide (see <strong>Technical</strong><br />
Interfaces page of <strong>IESO</strong>‟s Web site).<br />
74 Secure Sockets Layer (SSL) is used to encrypt the messages between the client system<br />
at the market participant and the Web Server at the <strong>IESO</strong>. SSL uses a combination of<br />
asymmetric (public and private keys) and symmetric keys (shared secret) to negotiate<br />
the secure session between the market participant system and the <strong>IESO</strong> Web Servers.<br />
This is a standard technology developed originally by Netscape and used extensively<br />
by Internet web servers to establish secure connections between two systems.<br />
2.2.2 Private Network<br />
75 The Private Network option is recommended to market participants concerned about<br />
having direct control over the performance of telecommunications with the <strong>IESO</strong> for<br />
commercial purposes. As the name implies, the market participant privately arranges<br />
this service with a commercial telecommunications service provider. The quality of<br />
service is subject to the contract between the market participant and the service<br />
provider. All associated costs will be borne by the market participant.<br />
76 The <strong>IESO</strong> enables this option, by permitting the telecommunications service provider to<br />
establish a point of presence at the <strong>IESO</strong>‟s main and backup operating centers. The<br />
<strong>IESO</strong> also will provide space and a physically and electrically secure environment for<br />
the premises equipment.<br />
77 Market participant is expected to terminate its point-of-presence at the <strong>IESO</strong>‟s<br />
premises with routers, supplied by the market participant, located at the <strong>IESO</strong>‟s main<br />
and backup operating centers. The actual demarcation point is the Ethernet connection<br />
to the router. The market participant is solely responsible for the management of its<br />
telecommunications facilities.<br />
78 In the interest of manageability, a list of preferred telecommunications service<br />
providers has been established. These are listed below. As the list may be revised<br />
periodically, it is recommended that the market participant check the latest version of<br />
this document. Also, the <strong>IESO</strong> is prepared to review on a case-by-case basis if the<br />
market participant prefers a telecommunications service provider not in the list.<br />
79 The current list of preferred telecommunications carriers consists of the following:<br />
Allstream, Bell Canada, Hydro One Telecommunications, and Sprint.<br />
34 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
2.2.3 Shared Network<br />
80 The Frame Relay network will be maintained through AT&T with <strong>IESO</strong> having<br />
responsibility for connectivity up to the Frame Relay Access Device (FRAD) or Router<br />
located on the market participant site. Static routing will be used across the interfaces<br />
between <strong>IESO</strong> and the market participant’s network. Reserved internal TCP/IP<br />
addresses may not be accepted due to possible conflicting addressing schemes on the<br />
network. An incremental cost sharing agreement must be agreed to with the <strong>IESO</strong> and<br />
the proportionate cost will be borne by the market participant.<br />
81 The market participant must provide the <strong>IESO</strong> with a registered TCP/IP Ethernet<br />
address for the Ethernet port that connects to the market participant’s internal network.<br />
82 RFC 1918 IP addressing will be accepted under certain conditions. Please contact the<br />
<strong>IESO</strong> prior to your installation.<br />
83 To arrange for a Frame Relay connection, contact the <strong>IESO</strong> (see www.<strong>IESO</strong>.ca).<br />
Connecting to the Supplied Ethernet Port<br />
84 A network connection will need to be established between the Ethernet Port on the<br />
FRAD and the market participant’s Internal Network.<br />
85 If distance between the Ethernet Port on the FRAD and the market participant’s<br />
Internal Network is an issue, then a recommended solution will be to deploy an<br />
Ethernet Repeater or “Ethernet Extender.” Ethernet Repeaters can effectively increase<br />
the distance of typical 10BASE-T Ethernet connections from around 182 meters (600<br />
feet) to over 7,300 meters (24,000 feet) using existing ordinary copper telephone wires.<br />
86 The IEEE 802.3 10BASE-T standard requires that 10BASE-T transceivers be able to<br />
transmit over a 100-meter (328 feet) link-using 24AWG unshielded twisted pair wire.<br />
Due to cable delay, the maximum link length is nearly always limited to about 200<br />
meters (656 feet), regardless of the cable type.<br />
87 As a general rule, links up to 150 meters (492 feet) long are achievable for unshielded<br />
and shielded twisted pair cable, with a maximum 200 meters (656 feet) due to cable<br />
delay. For each connector or patch panel in the link, subtract 12 meters (39.4 feet) from<br />
the 150-meter limit. This will allow for links of up to 126 meters (413.4 feet) using<br />
standard 24 AWG UTP wire and two patch panels within the link. Higher quality low<br />
attenuation cables may be required when using links greater than 126 meters.<br />
Traffic Aggregation<br />
88 The <strong>IESO</strong> will preserve the predictable response time of the Real Time network for<br />
market participants who chose to use the Frame Relay Network to submit bids, offers,<br />
and access market settlements and metering information over the Frame Backbone.<br />
89 Separate Permanent Virtual Circuits (PVC‟s) will be established with an appropriate<br />
Committed Information Rate (CIR) for each specific type of function. For example:<br />
Browser based HTTP traffic will be allocated its own Frame Relay PVC. The CIR<br />
value will be adjusted to accommodate the individual bandwidth requirements of each<br />
market participant. The incremental cost of this will be charged to the market<br />
participant.<br />
Issue 21.1 – March 15, 2010 - estimated Public 35
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
Market <strong>Participant</strong> Firewall Configuration<br />
90 Web based network communications will be secured using SSL. Depending on the<br />
market participant’s internal network configuration, changes may have to be made to<br />
allow a SSL connection if firewalls are used.<br />
91 Changes to the market participant’s firewall configuration will be dependent upon the<br />
type of firewall in use. TCP Ports 80, 389, 443 and 829 will need to be open. Verizon<br />
Entrust systems are also configured for ports 636, 709, 710 but these are not used at<br />
this time by the <strong>IESO</strong>. See section 2.3.6 for specific IP address and port information for<br />
Certification Authority systems.<br />
92 In cases where FTP is required by a market participant, TCP Ports 20 & 21 will need to<br />
be open.<br />
93 Prior to the Verizon June 2009 data center move, tThe market participant’s firewall<br />
configuration will needmust to ensure e-mail can be received from the Cybertrust<br />
Certification Authority's data centre from IP address 212.162.235.5. E-mail for<br />
production certificate activation codes from this location should not be blocked by e-<br />
mail gateways or spam filters. E-mail will arrive from domain "CYBERTRUST.NET"<br />
regarding production certificate activation codes.<br />
94 After the Verizon June 2009 data center move The market participant’s firewall<br />
configuration will need to ensure e-mail can be received from the Cybertrust<br />
Certification Authority's data center(s) from IP addresses<br />
US – Mail Relays<br />
64.18.28.50 - Mailhost.us.betrusted.net<br />
64.18.28.51 - Mailhost.us.betrusted.net<br />
UK - Mail Relays<br />
195.217.199.19 (source domain name is @cybertrust.com)<br />
195.217.199.20 (source domain name is @cybertrust.com)<br />
95 Firewall changes – The <strong>IESO</strong> PKI service vendor, Verizon is planning implementing<br />
for a Cybertrust datacenter movereplacement CA system in early June March 201009<br />
to handle the transition from the existing CA system on which the CA issuing<br />
certificate is expiring May 13, 2010. The <strong>IESO</strong> will apprise all market participants<br />
appropriately and in a timely manner as discussion with Verizon proceeds on the<br />
finalized scheduling of the implementation and transition. Firewall rule changes will<br />
need to be made accordingly by market participants well before Juneas soon as<br />
possible, starting in March to account for changes to the primary and failovernew IP<br />
addresses for the associatedand Cybertrust CA domain names for communications<br />
between API, MPI and CLS workstations and CA systems. Section 2.3.6 details the IP<br />
address changes. Firewall rules must be implemented prior forto the Verizon IP address<br />
changes to allow a smooth transition when the data center move is conductedfrom the<br />
existing CA certificates over to the replacement ones during March and April 2010.<br />
2.3 Accounts / Identity Credentials<br />
96 The market rules requires that the <strong>IESO</strong> implement access control protocols to protect<br />
the unauthorized disclosure of confidential information transmitted by electronic<br />
36 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
communications. The use of X.509 version 3, medium level assurance, digital<br />
certificates and User ID account identity credentials allows the <strong>IESO</strong> to fulfill the<br />
appropriate market rules governing confidentiality. Additionally, digital certificate<br />
identity credentials can be used to establish authentication, authorization, integrity and<br />
non-repudiation while User ID account identity credentials in conjunction with SSL<br />
protocols can be used to establish authentication, authorization and integrity.<br />
97 Canadian legislation regarding digital certificates and digital signatures also exists<br />
within Bill C6 (Personal Information Protection and Electronic Documents Act) that<br />
may have applicable sections or those that may become applicable in time and is<br />
available for review and consideration at :<br />
www.parl.gc.ca/36/2/parlbus/chambus/house/bills/government/C-6/C-6_3/C-6_cover-E.html<br />
98 The <strong>IESO</strong>, in conjunction with ABB, Santa Clara, developed the PKI code within its'<br />
MPI and MIM API based market applications for creating, managing and using X.509<br />
version 3, digital certificates. The PKI enabled application code used at the <strong>IESO</strong>,<br />
underwent multiple formal independent reviews by Entrust prior to market opening to<br />
ensure it conformed to industry standard PKI coding practices. Any deficiencies found<br />
were corrected to the satisfaction of Entrust, Scotiabank (the original CA) and the<br />
<strong>IESO</strong>. Entrust, a major PKI systems provider worldwide, is the supplier of the Entrust<br />
Java Toolkit, which was used by the <strong>IESO</strong> and ABB to develop the PKI enabled<br />
applications. The Entrust web site is available at: http://www.entrust.com.<br />
99 The <strong>IESO</strong> utilizes a commercial PKI package, „TruePass‟ from Entrust to provide PKI<br />
authentication and management services using X.509 version 3, digital certificates in<br />
conjunction with its Portal. The <strong>IESO</strong> Portal is based on commercial products from<br />
BEAOracle.<br />
100 User ID account identity credentials used with the <strong>IESO</strong> Portal are authenticated and<br />
managed for identity management and Single Sign on by a combination of commercial<br />
products from Oracle and Microsoft.<br />
2.3.1 Identity Management and Certification Authority<br />
101 The current Certification Authority, Cybertrust has been providing CA services since<br />
February 28, 2004. Prior to that date, the original Certification Authority (CA), e-Scotia<br />
or Scotiabank (formerly e-Scotia Incorporated), handled all external management<br />
aspects of the PKI (Public Key Infrastructure) and digital certificates.<br />
102 The Cybertrust Certification Authority‟s (now owned by Verizon) version of the<br />
Entrust PKI for use with the <strong>IESO</strong> MPI and Portal is 7.2. Where a user has both Portal<br />
and MPI account privileges, the same version 7.2 digital certificate profile is usable<br />
with both systems. Where some users possess multiple digital certificates for MPI use<br />
to act on behalf of multiple market participants, only one of those certificates will be<br />
usable or needed to login to the Portal. <strong>IESO</strong> Market Entry will work with those users<br />
under such circumstances to identify which digital certificate shall be used for Portal<br />
use.<br />
103 <strong>IESO</strong> Identity Management Officers (formerly known as LRA (Local Registration<br />
Authority Officers) (a.k.a. Market Coordinators), handle all internal <strong>IESO</strong> management<br />
aspects of the PKI and other Identity Management processes and coordinate their<br />
efforts with both market participants and the Certification Authority. Access to the<br />
Issue 21.1 – March 15, 2010 - estimated Public 37
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
<strong>IESO</strong> secure web servers requires the use of digital certificates or User ID account<br />
identity credentials for authentication and authorization.<br />
104 Administration activities for digital certificates and User ID account identity credentials<br />
include:<br />
Registration<br />
Identification<br />
Approval<br />
Creation and system access privileges assignment<br />
Identity credential Revocation and removal of system access privileges<br />
Change of system access privileges<br />
Certificate Revocation & Re-issue<br />
Certificate Recovery<br />
User ID password reset<br />
Certificate Update<br />
Certificate Name or USERID Extension Change<br />
Activation Code Expiration<br />
105 Individual Subscriber refers to a person at the market participant or agent of such.<br />
Application Subscriber refers to an application at the market participant or agent of<br />
such. Either can be referred to as Credential Subscribers. Market <strong>Participant</strong><br />
Registration Officers who request certificates or User ID account identity credentials<br />
for themselves shall be considered Individual Subscribers when dealing with their own<br />
certificates or User ID account identity credentials. Each Individual Subscriber,<br />
Application Subscriber must be identified by one of three identification models (see<br />
“Identity Management Operations Guide” which is available on the <strong>Technical</strong><br />
Interfaces page of <strong>IESO</strong>‟s Web site):<br />
1) <strong>IESO</strong> Identity Management Officer Model<br />
2) Market <strong>Participant</strong> Registration Officer Model<br />
3) Notary Public Model<br />
The different models dictate the way different administrative activities are completed.<br />
In all cases where digital certificates are involved, the <strong>IESO</strong> will archive the<br />
“Certificate Subscriber Agreement” (see the <strong>Technical</strong> Interfaces Page of <strong>IESO</strong>‟s Web<br />
site) and for all credentials, all instances of “Certificate Subscriber Request Form”<br />
(Section 1). From the “Certificate Subscriber Request Form” (Section 1), the <strong>IESO</strong> can<br />
identify what action (issue, recover, revoke, revoke & re-issue or name or extension<br />
change) the market participant would like to take. User ID account password reset is<br />
handled by direct communication with <strong>IESO</strong> Customer Relations and does not involve<br />
the request form.<br />
The Certification Authority is responsible for issuing X.509 digital certificates, secure<br />
initialization of the digital certificates and associated key maintenance and updates. The<br />
Certification Authority is also responsible for maintaining digital certificate history for<br />
each user over time (for audit and recovery purposes). The <strong>IESO</strong> Identity Management<br />
Officer is responsible for issuing and maintaining User ID account identity credentials.<br />
38 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
106 The ABB provided software coding for PKI for the Internet Explorer 6.X and 7.0<br />
browser and updated MIM IDK the software coding for PKI is based on the<br />
Entrust/Java Toolkit, 7.2 as supplied by Entrust. The digital certificates provided by the<br />
Certification Authority are X.509 version 3 certificates. The certificates and software in<br />
combination provide for:<br />
Confidentiality – The encrypted transmission of messages and proprietary<br />
information;<br />
Access Control – Allowing access to information based on a given set of rules;<br />
Authentication – The verification of the identity of a person or process sending and<br />
receiving a message and information;<br />
Data Integrity – Verification that a message sent is the message received and has<br />
not been altered in transit etc. from that sent; and<br />
Non-Repudiation (Digital Signatures) – A sender shall not be able to deny later that<br />
he sent a message.<br />
107 The Entrust provided TruePass software for the Portal PKI is a java based package that<br />
provides:<br />
Confidentiality – The encrypted transmission of messages and proprietary<br />
information;<br />
Access Control – Allowing access to information based on a given set of rules;<br />
Authentication – The verification of the identity of a person or process sending and<br />
receiving a message and information;<br />
Data Integrity – Verification that a message sent is the message received and has<br />
not been altered in transit etc. from that sent; and<br />
Non-Repudiation (Digital Signatures) – A sender shall not be able to deny later that<br />
he sent a message.<br />
2.3.2 Certificates & Keys<br />
108 Each certificate will be registered to an individual person or custodian<br />
(Individual Subscriber, Application Subscriber).<br />
109 For the Individual Subscriber, two types of certificates will be generated. These include<br />
a „verification‟ or „signing‟ certificate (associated with the private signing key) and an<br />
„encryption‟ certificate (associated with the private decryption key). Each type of<br />
certificate has a private and public key associated with it. Individuals using the MPI<br />
web browser interface will use these certificates and keys in the two file formats (EPF<br />
and P12) while the Portal and MPI API use just one format (EPF). The verification and<br />
encryption certificates are encapsulated within an Entrust Profile File (EPF file<br />
extension) which is presented by the user along with the user generated password for<br />
the EPF file when prompted by the MPI applet login or the Portal‟s TruePass applet<br />
login. The verification certificate and signing key is also encapsulated within a<br />
PKCS#12 format file (P12 file extension) for the MPI. The P12 certificate content must<br />
be imported into the browser certificate database for the appropriate browser user<br />
profile prior to attempting any login to the <strong>IESO</strong> MPI secure web servers. The<br />
password chosen by the user at the time of creation of the EPF and P12 files must be<br />
used to import the P12 file contents into the browser (this is not required for using the<br />
imported certificates within the browser).<br />
Issue 21.1 – March 15, 2010 - estimated Public 39
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
110 Since it is possible for users to share workstations, it is recommended by the <strong>IESO</strong> that<br />
separate browser profiles be created for each user where the workstation is shared and<br />
that the certificate database within each profile be protected by a password. The<br />
browser has the capability of password protecting the certificate database it uses for<br />
each user profile. It is up to the market participant to determine and use a password for<br />
each user profile certificate database, which is completely independent of the EPF and<br />
P12 files password.<br />
111 For the Application Subscriber, two types of certificates will be generated in one file<br />
format. A verification (associated with the private signing key) certificate and an<br />
encryption certificate (associated with the private decryption key). Each type of<br />
certificate has a private and public key associated with it. Applications using the MIM<br />
API Application will use these types of certificates and keys. The verification and<br />
encryption certificates are encapsulated within an Entrust Profile File (EPF file<br />
extension).<br />
112 The “Certificate Subscriber Agreement”, signed by an Authorized Signatory at the<br />
market participant, governs the certificate modes of use, accountability and<br />
responsibility.<br />
113 The private signing keys within the EPF and P12 files are never backed up by the CA.<br />
This ensures that only the owner has access to them. Only the individual or application<br />
subscriber should have access to the private keys assigned to them. Messages and data<br />
signed will be verified as authentic with a corresponding verification public key<br />
registered to the Certificate Subscriber.<br />
114 In order to comply with the ”Certificate Subscriber Agreement”, the <strong>IESO</strong> recommends<br />
the market participant store all private keys (in the EPF and P12 files) on secure media.<br />
The <strong>IESO</strong> strongly suggests, if and when available, the use of Smartcard technology to<br />
secure the certificate/private keys EPF and P12 files. Smartcard use will benefit the<br />
market participant in key management, non-repudiation and portability between<br />
servers and workstations. The <strong>IESO</strong> will announce when provision for Smartcards can<br />
be deployed. Until then, the <strong>IESO</strong> does not recommend placing private keys in a<br />
publicly accessible directory on the hard drive of any system. Private keys placed on<br />
unsecured hard drives are highly vulnerable to password attacks. These private keys<br />
allow designated individuals‟ access to sensitive, proprietary information, and in some<br />
cases, allow for submission of bids and offers. Bids and offers are signed with these<br />
private keys. If private keys are stolen undetected, and this act is not reported to the<br />
<strong>IESO</strong> LRA, it is possible to submit counterfeit bids and offers. Successfully stolen<br />
private keys could also be used by competitors to gain a market advantage by passively<br />
watching transactions. Market participants are solely responsible for protecting their<br />
private keys and are required under the provisions of the "Certificate Subscriber<br />
Agreement" to report immediately to the <strong>IESO</strong> LRA any suspicious act regarding such<br />
that may have taken place.<br />
115 The <strong>IESO</strong> suggests at a minimum, market participants provide for storage of keys on a<br />
floppy disk, secured directory on a workstation or network drive or, some other form of<br />
secure media for operational use (e.g. user controlled USB memory card or equivalent).<br />
This should be combined with normal backup practices for the most current EPF and<br />
P12 files to provide for disaster recovery purposes and to ensure reasonable continuity<br />
of access to the <strong>IESO</strong> secure web servers. If and where the EPF and P12 files are stored<br />
on network servers, the <strong>IESO</strong> recommends that secure individual directories for each<br />
user be created and used, rather than a single common directory for all certificate files<br />
40 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
used at a market participant. The access to each user's directory must be limited to the<br />
user/owner of the certificate files stored within each directory and, where required, to<br />
authorized administrative personnel. The management of certificates is up to the market<br />
participant within the restrictions of the "Certificate Subscriber Agreement". This does<br />
not imply that lost or corrupt EPF and P12 files will result in critical loss of service<br />
since the <strong>IESO</strong> and its CA can securely enable recovery or re-creation of any<br />
Certificate Subscriber‟s certificates as per the procedures documented in the "Identity<br />
Management Operations Guide". However, there is a procedural time component for<br />
„recovery‟ or re-creation, which may result in longer loss of access time than<br />
anticipated for the user.<br />
116 Each current EPF file must be stored in one and only one location to prevent potential<br />
automatic update conflict problems when used within the MPI or Portal. Multiple<br />
copies of an EPF file spread over and actively used at several workstations will result<br />
in problems when automatic update is required and will result in de-activation of the<br />
certificates until recovery is requested and achieved.<br />
117 The certificate user (i.e. an individual person, computer application) must have<br />
read/write access to their certificate EPF and P12 files for access and create/update<br />
purposes, but no access to another user's certificate files. As discussed, this can be a<br />
local floppy drive, a secure network directory location or other form of secure<br />
read/write capable media etc. Read/write access to the files is required only by the<br />
market participant user (or in the case of certificates used for access to the market<br />
systems via the MIM API, the application/custodian) who 'owns' them. This read/write<br />
access does not provide outside parties, such as the <strong>IESO</strong> or the <strong>IESO</strong>'s Certification<br />
Authority, access to the market participant's certificates, servers or workstations<br />
through the MPI, Portal or API except those privileges granted by the user during login<br />
for downloading the applet etc. All communications between the market participant's<br />
systems accessing the <strong>IESO</strong> secure servers is encrypted within a SSL v3 session for<br />
each user.<br />
118 Only a small, limited amount of disk space is required for storage of digital certificate<br />
files. Each EPF file typically takes about 10 to 15KB initially upon creation, while the<br />
P12 file takes about 4KB in size. Over time, with each updating event, these files will<br />
grow as they will contain key and certificate update history. A reasonable storage space<br />
requirement for certificate files in any directory / media location is about 100 KB for a<br />
single user. Any change to this is easily manageable.<br />
119 MOSMIM and/or the Portal‟s identity management components will check for data<br />
integrity, authenticity, and authorization. When bids or offers are uploaded to<br />
MOSMIM or an application hosted in the Portal, the Individual or Application<br />
Subscriber digitally signs (via the Internet Explorer browser and MIM MPI Applet,<br />
TruePass applet or the MIM Programmatic API Application) and submits the bid/offer<br />
data and the associated unique digital signature of the data to the <strong>IESO</strong>. Upon receipt of<br />
the uploaded bid/offer data the MOSMIM Web Server or Portal Truepass component<br />
takes the data and re-computes the hash of the data. MOSMIM or the Portal hosted<br />
application then takes the received digital signature created automatically by user with<br />
their private signing key and the MPI Applet, TruePass applet or MIM API and<br />
recreates the hash of the data from the signature (a signature is just an encrypted one<br />
way hash) using the Individual or Application Subscriber‟s public verification key. If<br />
the two independently derived hashes agree, this ensures the data sent and received is<br />
identical and was not tampered with in transit. For the MPI and MIM API to ensure the<br />
signer is the authenticated user, the user is identified from the SSL (Secure Socket<br />
Issue 21.1 – March 15, 2010 - estimated Public 41
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
Layer) session logon established with the certificate presented to the server from the<br />
browser certificate database. This is inherent in the Portal‟s TruePass component<br />
functionality. This successfully accomplishes data integrity checking, authenticity and<br />
authorization of the user.<br />
120 The ABB provided software helps to make the use of certificates as transparent and<br />
user friendly as possible.<br />
121 Entrust supports the following Digital Signature Algorithms:<br />
RSA<br />
DSA<br />
ECDSA<br />
The current choice for the <strong>IESO</strong> is RSA.<br />
122 Entrust supports the following Hashing Algorithms:<br />
SHA-1<br />
MD5<br />
MD2<br />
RIPEMD-160<br />
The current choice by the <strong>IESO</strong> is SHA-1.<br />
2.3.3 Integration of Digital Certificates with <strong>IESO</strong> Web Servers<br />
MIM MPI (Market <strong>Participant</strong> (Graphical User) Interface) Applet<br />
(Browser Based Solution)<br />
123 All market participants must have the ability to use the browser-based solution.<br />
124 Market participants can download the “Identity Management Operations Guide”, the<br />
“Market <strong>Participant</strong> Graphical User Interface User’s Guide” and “Portal User<br />
Interface User’s Guide” ( see the <strong>Technical</strong> Interfaces Page of <strong>IESO</strong>‟s Web site) for<br />
instructions on browser interface use.<br />
125 The MIM MPI Applet is automatically downloaded after an individual browses to the<br />
<strong>IESO</strong> secure MPI Web site URL and presents their authentic digital certificate from<br />
the browser certificate database and establishes an SSL session.<br />
126 To enable access to the <strong>IESO</strong> MOSMIM Web Server, the <strong>IESO</strong> and ABB developed a<br />
Java Applet that uses <strong>IESO</strong> Digital Certificates and keys. To use the browser interface,<br />
certificates and keys must also be available within the browser certificate database.<br />
Browser based keys and certificates are generated by exporting a set of signing keys<br />
and certificate from the Entrust Profile file (EPF) into a file format the browser can<br />
understand (for example in the <strong>IESO</strong> environment, the PKCS#12 file format). Periodic<br />
certificate and key updates to the EPF and P12 files shall require re-importing of the<br />
certificates from the P12 file into the browser certificate database. When a market<br />
participant browses to the <strong>IESO</strong> MOSMIM Web Server, a SSL (Secure Socket Layer)<br />
session is started. The market participant uses the <strong>IESO</strong> digital certificate to<br />
authenticate to the <strong>IESO</strong>. The user is then logged in to the <strong>IESO</strong> Web site based on the<br />
individual “REGISTRATION profile” (see below for REGISTRATION Profile<br />
42 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
information). Figure 2-19 illustrates the conceptual architecture for the PKI / digital<br />
certificate solution.<br />
127 For Internet Explorer browser users, during the SSL handshake, and after the user has<br />
manually or automatically presented an <strong>IESO</strong> issued and valid browser based<br />
certificate, the MOSMIM Web Server identifies itself and requests that certain access<br />
permissions are granted by the user to enable downloading of the MIM MPI Applet<br />
and the running of that software. This means that the MOSWEB server requires that<br />
the user present his or her certificate previously imported into the Internet Explorer<br />
browser certificate database. The server will verify that the client certificate within<br />
Internet Explorer is a valid certificate issued by the <strong>IESO</strong>‟s Certification Authority<br />
through comparison with the CA certificate installed on the <strong>IESO</strong>‟s web server. In fact<br />
this happens to a large extent automatically and the user can only present <strong>IESO</strong> issued<br />
client certificates to the MOSWEB server. The client certificate information within the<br />
Internet Explorer browser presented for logon must also correspond in version,<br />
validity dates, and content with the EPF file to be used in the next step or logon will<br />
not be permitted.<br />
128 After establishment of an SSL session, the MIM MPI Applet is downloaded to user‟s<br />
workstation and the market participant user is taken to a main Web site where he/she<br />
is required to enter the name and path of an EPF file and the Passphrase (a string of<br />
words and characters that one types in to authenticate) for the EPF. The user at EPF<br />
creation with the <strong>IESO</strong> CLS application chose this passphrase. This gives the<br />
individual, rights to the necessary areas of the Web site. The process works like this;<br />
an End Entity at the market participant presents their digital certificate (encapsulated<br />
in an EPF) to the Certification Authority system via the MPI applet. The MPI applet<br />
completes some checks. A critical check is the validity check of the client‟s <strong>IESO</strong><br />
digital certificate. To perform this check the MPI applet PKI code downloaded from<br />
the MOSMIM Web Server checks a current CRL (Certificate Revocation List) that<br />
resides on a X.500 directory at the Certification Authority under normal online mode<br />
operation. If the digital certificate passes the checks, a USERID value is parsed from<br />
the certificate and is used to allow access to predefined web sites. If the user‟s<br />
certificates require updating due to reaching the rollover point of the encryption or<br />
signing keys the EPF and P12 files shall be updated by the MPI applet PKI code and<br />
the keys and certificates will be renewed automatically upon login.<br />
129 The <strong>IESO</strong> may choose to operate the MPI in certificate offline mode if the need arises<br />
due to service outages at the Certificate Authority. The probability of this occurring is<br />
likely to be minimal and of short duration. The <strong>IESO</strong> maintains total control over the<br />
mode of operation, online or offline. Under such circumstance the Market <strong>Participant</strong><br />
users will still be able to login to the Market systems and conduct business. No<br />
configuration changes are required on the part of Market <strong>Participant</strong>s for the mode of<br />
MPI operation and it will be completely transparent. Under such circumstances the<br />
<strong>IESO</strong> issued certificates will not undergo CRL checks during login but will go through<br />
all other backend security checks as they do now. This does not impact the technical<br />
requirements for normal communications to the CA systems.<br />
130 The layout of the USERID is the REGISTRATION User Login Name, concatenated<br />
with an @ symbol, and finished with the REGISTRATION market participant<br />
Constant Shortname. See the <strong>Technical</strong> Interfaces Page of <strong>IESO</strong>‟s Web site for details<br />
on how the REGISTRATION User Login Name and REGISTRATION market<br />
participant Constant Shortname are created. Below is an example of the syntax of the<br />
UserID:<br />
Issue 21.1 – March 15, 2010 - estimated Public 43
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
REGISTRATION_User_Login_Name@REGISTRATION_MP_Shortname<br />
The required “REGISTRATION Profile” (Registration Profile) is accessed via the<br />
UserID. The UserID is stored in a non-critical extension in the digital certificate. In<br />
this instance the extension is an optional (“non-critical”) information storage place in<br />
the digital certificate. An important aspect of an extension is an OID (Object<br />
Identifier). The OID uniquely identifies the USERID (known as an “attribute type”).<br />
The OID for this <strong>IESO</strong> specific “attribute type” for the Cybertrust issued digital<br />
certificates is 1.3.6.1.4.1.6334.2.1.2.5.x.<br />
131 When an End Entity at the market participant authenticates, the USERID is parsed<br />
from the correct certificate and is used to fetch the “REGISTRATION Profile” from the<br />
MIM Netscape Directory Server. The “REGISTRATION Profile” is the access<br />
permissions given to the UserID by a specified, responsible individual at the market<br />
participant. For more information on the use of the REGISTRATION system please<br />
see the <strong>Technical</strong> Interfaces Page of <strong>IESO</strong>‟s Web site.<br />
132 See the Certificate Lifecycle System (below) for details on how keys and digital<br />
certificates are generated.<br />
133 The users, as noted previously, must have read/write access to their own digital<br />
certificate files (EPF and P12), wherever they are stored at the time of login to the<br />
MPI. Individual subscriber (person) certificates contained in the EPF and P12 files,<br />
when used on a consistent basis for login to the MPI applet via the Internet Explorer<br />
browser will be automatically updated by the MPI PKI code when required.. The<br />
update schedule for encryption and signing keys is currently every 12 months based<br />
on date of creation for each user. The triggering point for update is about 110 days<br />
before expiry. If the automatic update is successful, a dialogue window in the MPI<br />
will inform the user. The use of the Certificate Lifecycle System (CLS) is not<br />
required for update of certificates for users logging onto the MPI on a regular basis. If<br />
read/write access to the EPF and P12 files is not enabled, certificate updates, when<br />
triggered, will not complete successfully and access to the <strong>IESO</strong> secure systems by the<br />
user will be lost until certificate key recovery can be processed between the market<br />
participant and <strong>IESO</strong> LRA. The CLS is still required for initial certificate creation,<br />
P12 file export and recovery purposes. The CLS can be used for manual certificate<br />
update if it is known by the user that their certificate has passed its update trigger point<br />
and login to the MPI has not been done recently, is not required for some time, or will<br />
not occur until after certificate expiry.<br />
134 Bids and offers may be submitted via the browser in two ways: Template and HTML<br />
Form. When the bid or offer is submitted in the browser, the bid or offer data is signed<br />
with the private signing key from the EPF file of the individual that has been<br />
authenticated during the SSL session and a unique digital signature of the data is<br />
created in the process and stored with the unique transaction ID on the <strong>IESO</strong> systems.<br />
The transaction ID binds the submitted bids and offers to the signature as it is also<br />
embedded within the signature as well as the MIM database.<br />
135 The browser is also used to verify the digital signatures of Templates and HTML<br />
Forms.<br />
136 The MIM MPI Applet requires communications access 'via' the following ports to the<br />
PKI servers: 389 (LDAP protocol), 443 (SSL protocol) and 829 (PKIX-CMP protocol).<br />
Market participants with firewalls must have these ports open appropriately for<br />
communication with the <strong>IESO</strong> and its CA. Port 829 for communications with the<br />
44 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
appropriate CA Manager is extremely critical for certificate updates as secure PKI<br />
communications for certificate management is processed via this port.<br />
Portal TruePass Applet<br />
(Browser Based Solution)<br />
137 Market participants can download the “Identity Management Operations Guide” and<br />
the “Portal User Interface User‟s Guide” (see the <strong>Technical</strong> Interfaces Page of <strong>IESO</strong>)<br />
for instructions on browser interface use.<br />
138 The small TruePass Applet is automatically downloaded after an individual browses to<br />
the <strong>IESO</strong> Portal Web site URL, chooses to login with a digital certificate (instead of a<br />
User ID / Password) and presents their authentic digital certificate EPF file to login to<br />
the Portal.<br />
139 To enable digital certificate access to the <strong>IESO</strong> Portal, the <strong>IESO</strong> employs the Entrust<br />
TruePass Java Applet that uses <strong>IESO</strong> Digital Certificates and keys held in the EPF file.<br />
Periodic certificate and key updates to the EPF is handled by the TruePass product.<br />
When a market participant browses to the <strong>IESO</strong> Portal and chooses to login, a SSL<br />
(Secure Socket Layer) session is started. The market participant can then choose to<br />
login with a digital certificate instead of the standard User ID / password and uses the<br />
<strong>IESO</strong> digital certificate to authenticate to the <strong>IESO</strong> Portal. The user is then logged in to<br />
the <strong>IESO</strong> Portal based on the individual‟s access profile and authorization level”.<br />
140 After establishment of an SSL session when the user chooses to login with a digital<br />
certificate the TruePass Applet is automatically downloaded to user‟s workstation and<br />
the market participant user is taken to a web page where he/she is required to enter the<br />
name and path of an EPF file and the password for the EPF. The user at EPF creation<br />
with the Entrust Authority Administration tool chose this password. Once authenticated<br />
this gives the individual, rights to the authorized areas of the Portal web site. A critical<br />
check is the validity check of the client‟s <strong>IESO</strong> digital certificate. To perform this check<br />
the TruePass applet PKI code downloaded from the <strong>IESO</strong> Portal server checks a current<br />
CRL (Certificate Revocation List) that resides on a X.500 directory at the Certification<br />
Authority. If the digital certificate passes the checks, the user is logged in to the Portal<br />
with their authentication passed through to the Portal Identity Management system and<br />
Portal. If the user‟s certificates require updating due to reaching the rollover point of<br />
the encryption or signing keys the EPF file shall be updated by the TruePass applet and<br />
the keys and certificates will be renewed automatically upon login.<br />
141 The users, as noted previously, must have read/write access to their own digital<br />
certificate EPF file, wherever they are stored at the time of login to the Portal.<br />
Individual subscriber (person) certificates contained in the EPF file, when used on a<br />
consistent basis for login to the Portal via browser will be automatically updated by the<br />
TruePpass PKI code when required. The update schedule for encryption and signing<br />
keys is currently every 12 months based on date of creation for each user. The<br />
triggering point for update is about 110 days before expiry. If the automatic update is<br />
successful, a TruePass dialogue window / page will inform the user. If read/write<br />
access to the EPF file is not enabled, certificate updates, when triggered, will not<br />
complete successfully and access to the <strong>IESO</strong> Portal by the user will be lost until<br />
certificate key recovery can be processed between the market participant and <strong>IESO</strong><br />
Identity Management Officer. The web based Entrust Authority Administration tool is<br />
still required for initial certificate creation and recovery purposes for digital certificates<br />
used with the <strong>IESO</strong> Portal.<br />
Issue 21.1 – March 15, 2010 - estimated Public 45
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
142 The Portal TruePpass applet only requires communications access 'via' port 443 (SSL<br />
protocol) to the <strong>IESO</strong> Portal server. Except for communications to the CA‟s web based<br />
Entrust Authority Administration tool, the <strong>IESO</strong> server based TruePass components<br />
proxy all communications between the Certification Authority systems and the market<br />
participant workstation.<br />
143 The <strong>IESO</strong> Portal User Interface User’s Guide should be referenced for Portal login<br />
procedures.<br />
MIM Programmatic API Application (Application Based Solution)<br />
144 Market participants can choose to use the application based MIM programmatic API<br />
solution.<br />
145 The MIM API Application can be downloaded from the <strong>IESO</strong> Web site as a part of the<br />
IDK (<strong>IESO</strong> Development Kit) (see the <strong>Technical</strong> Interfaces Page of <strong>IESO</strong>‟s Web site).<br />
146 An alternative route for accessing the MOSMIM Web Server is via the MIM<br />
programmatic API with a Market <strong>Participant</strong> custom application. This MIM<br />
programmatic API uses the same underlying code set as the MIM MPI Applet. There<br />
are two differences between the MIM programmatic API and the MIM MPI Applet.<br />
First, the MIM programmatic API does not need a browser-based certificate. This<br />
means no exporting and importing of the PKCS#12 browser based file format is<br />
required. (See MIM MPI Applet above for references to exporting and importing).<br />
Secondly, only Template based bids and offers may be submitted using the MIM<br />
programmatic API. HTML Form data cannot be submitted using the MIM<br />
programmatic API Application because HTML Form data is browser based and the<br />
MIM programmatic API Application is not using a browser.<br />
147 See MIM MPI Applet section for SSL Handshake details.<br />
148 See MIM MPI Applet section for UserID details.<br />
149 See MIM MPI Applet section for REGISTRATION Profile details.<br />
150 See MIM MPI Applet section for key generation reference.<br />
151 See MIM MPI Applet section for key storage recommendations.<br />
152 To enable access to the MOSMIM Web Server, the <strong>IESO</strong> & ABB developed a Java<br />
MIM programmatic API Application that uses <strong>IESO</strong> Digital Certificates. When a<br />
market participant uses the MIM programmatic API Application to access the <strong>IESO</strong><br />
Web Server MOSMIM, a SSL (Secure Socket Layer) is session is started. The market<br />
participant uses an <strong>IESO</strong> digital certificate to authenticate to the <strong>IESO</strong>. The End Entity<br />
is able to automatically navigate the <strong>IESO</strong> site based on the End Entity‟s<br />
“REGISTRATION Profile.” Figure 2-21 illustrates the conceptual architecture for the<br />
PKI / digital certificate solution.<br />
153 Bids and offers may be submitted using the MIM programmatic API Application in<br />
Template form only. The bid or offer is signed with the private signing key of the End<br />
Entity that has been authenticated during the SSL session.<br />
154 See MIM MPI Applet for signature verification.<br />
155 The MIM programmatic API Application requires access to the following ports: 389<br />
(LDAP), 443 (SSL) and 829 (Entrust based CA). Market participants with firewalls<br />
46 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
must have these ports open for communication with the <strong>IESO</strong> and its CA. Port 829 for<br />
the appropriate CA Manager is extremely critical for certificate updates as secure PKI<br />
communications for certificate management is processed via this port. The “<strong>IESO</strong><br />
Developer's Toolkit (IDK), Implementation <strong>Manual</strong>” should also be referenced for<br />
information on defining communications with the CA Manager.<br />
156 The <strong>IESO</strong> shall choose to control the mode that the API utilizes a certificate, as of<br />
September 2004 for enabling web access continuity. If and when the need arises due to<br />
service outages at the Certificate Authority, the <strong>IESO</strong> is able to set certificate use to<br />
offline mode. The probability of this occurring is likely to be minimal and of short<br />
duration. The <strong>IESO</strong> shall maintain total control over the mode of operation, online or<br />
offline. Under such circumstance the Market <strong>Participant</strong> users will still be able to login<br />
to the Market systems with the API and conduct business. In general this is centrally<br />
controlled by the <strong>IESO</strong> so that no configuration changes are required on the part of<br />
Market <strong>Participant</strong>s for the mode of API operation and it shall be transparent. Under<br />
such circumstances the <strong>IESO</strong> issued certificates do not undergo CRL checks during<br />
login but will go through all other backend security checks as they do now. This does<br />
not impact the technical requirements for normal communications to the CA systems.<br />
157 „Application‟ (i.e. used by a computer application) certificates contained in the EPF<br />
file, when used only for login with the programmatic MIM API, can be updated<br />
automatically by the API. This will only occur if the appropriate CA Manager IP<br />
address and port is specified by the market participant as described in the “<strong>IESO</strong><br />
Developer's Toolkit (IDK), Implementation <strong>Manual</strong>”. The custodian of the certificates<br />
must manually update the certificates using the CLS, if the CA Manager IP address<br />
information is not specified. The management of such is up to the market participant.<br />
Issue 21.1 – March 15, 2010 - estimated Public 47
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
<strong>IESO</strong> Conceptual Architecture<br />
for Secure Web Server<br />
Connectivity<br />
Client Custom<br />
Software<br />
EPF File<br />
Market <strong>Participant</strong><br />
Users<br />
MIM programmatic API Application uses<br />
an EPF to authenticate and authorize End<br />
Entities to the site as well as sign bids<br />
and offers.<br />
Cybertrust CA<br />
Certification<br />
Authority<br />
Certificate<br />
Database<br />
CA<br />
X. 500<br />
Directory<br />
Server<br />
MIM<br />
Programmatic<br />
API<br />
MIM MPI<br />
Applet<br />
Internet<br />
Browser<br />
Certificate<br />
Client<br />
Browser<br />
MIM MPI Applet uses a<br />
browser certificate to authenticate and<br />
uses an EPF based certificate to authorize<br />
and sign bids and offers.<br />
SSL (Secure Socket Layer)<br />
Server and Client communications<br />
to Certification Authority and to<br />
the <strong>IESO</strong>.<br />
Firewall<br />
DMZ<br />
Thawte Web<br />
Server<br />
Certificate<br />
CA Parent<br />
Certificate<br />
MOSMIM MPI<br />
Web Server<br />
PLC<br />
Web Server<br />
Thawte Web<br />
Server<br />
Certificate<br />
Secure redirection and<br />
secure establishment of<br />
new SSL session<br />
Firewall<br />
Internal<br />
PLC User Profile is in<br />
this directory<br />
MIM Server<br />
(& Netscape<br />
Directory Server)<br />
Figure 2-21: MPI and MIM API Conceptual Architecture<br />
2.3.4 Portal SSO and Identity Management System<br />
158 In addition to Entrust digital certificates, Portal users can login with a User ID account<br />
credential where transactional read/write access privileges are not required. Any user<br />
who needs access for read–only purposes to confidential information can apply, register<br />
for and utilize a User ID account identity credential with the Portal.<br />
159 The Portal is protected by Oracle and Microsoft technologies. These components<br />
provide for single-sign-on, authentication, authorization and in conjunction with SSL<br />
protocols confidentiality and integrity of communications.<br />
160 All Portal identity management components for User ID account credentials are server<br />
based and only a web browser is required by the market participant, as specified in this<br />
document, to access the Portal with this type of identity credential.<br />
161 The <strong>IESO</strong> Portal User Interface User’s Guide should be referenced for Portal login<br />
procedures.<br />
2.3.5 Certificate Lifecycle System & Entrust Authority<br />
Administration Tool<br />
162 The Certificate Lifecycle System can be downloaded from the <strong>IESO</strong> Web site (see the<br />
<strong>Technical</strong> Interfaces Page of <strong>IESO</strong>‟s Web site).<br />
48 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
163 The Entrust Profile File (EPF) and P12 File for use with the MPI or MIM API (but not<br />
the Portal) are initially created by the end user using the Certificate Lifecycle System<br />
(CLS). The CLS is a Java software application supplied by ABB. The code used in the<br />
MIM MPI Applet and MIM programmatic API Application is the same underlying<br />
code set used in the CLS. The CLS lets the End Entity (i.e. user) interface with the<br />
Certification Authority for initialization, recovery, viewing and testing of EPF‟s. The<br />
CLS is a platform independent application, meaning it may be run on any operating<br />
system that supports a Java 2 Runtime Environment.<br />
164 To initialize or recover an EPF and P12 using the CLS, the end Entity needs Activation<br />
Codes. The Activation Codes consist of a <strong>Reference</strong> Number and an Authorization<br />
Code, which are good for a one-time use and for a limited time of 14 days. The<br />
<strong>Reference</strong> Number is e-mailed directly to the End Entity by the Certification Authority<br />
after the End Entity has been registered or recovered (see the <strong>Technical</strong> Interfaces Page<br />
of <strong>IESO</strong>‟s Web site for digital certificate registration information). The Authorization<br />
Code is sent from a designated officer at the <strong>IESO</strong> (i.e. a Local Registration Authority<br />
Officer (LRA Officer) (a.k.a. Market Coordinator) to the End Entity via a secure<br />
channel (ex: in person or via secure courier).<br />
165 The process of initialization employs the CLS in conjunction with the Activation<br />
Codes. New keys and certificates are created through secure Internet communications<br />
with the PKI infrastructure and stored in the chosen, secured media at the market<br />
participant. The keys are secured by entering a Passphrase meeting the required<br />
content rules within the CLS. The Passphrase is determined and set by the Individual<br />
Subscriber or Application Subscriber Custodian and only they and other formally<br />
authorized individuals at the market participant as applicable should know it. Please<br />
reference the Certificate Subscriber Agreement regarding market participant<br />
obligations regarding this.<br />
166 Recovery uses the CLS in conjunction with the Activation Codes. The Recovery<br />
function of the CLS application allows certificates and Encryption/Decryption keys to<br />
be recovered and stored with new Signing/Verification keys and certificate on the<br />
chosen, secured media at the market participant. The keys are secured by entering a<br />
Passphrase meeting the required content rules within the CLS. The original Passphrase<br />
can be changed at the time of recovery.<br />
167 The CLS requires access to be provided by the MP „to‟ the following ports at the<br />
Certification Authority: 389 (for the CA Directory Server LDAP calls), and 829 (for<br />
Entrust CA Manager functions). Market participants with firewalls must have these<br />
ports open for the specific Certification Authority IP addresses for communication with<br />
the <strong>IESO</strong> and its CA. The domain names, IP addressees for all test and production PKI<br />
systems are included in section 2.3.6 below.<br />
Installing & Operating the Certificate Lifecycle System<br />
168 An “Identity Management Operations Guide” has been provided on the <strong>IESO</strong> Web site<br />
(see the <strong>Technical</strong> Interfaces Page of <strong>IESO</strong>‟s Web site). This guide describes<br />
recommended procedures for an on-site System Administrator or End Entity to perform<br />
initial installation and operation of the CLS.<br />
Operating the Entrust Authority Administration Tool<br />
169 The “Identity Management Operations Guide” guide describes recommended<br />
procedures for an on-site System Administrator or End Entity to access and use the<br />
Issue 21.1 – March 15, 2010 - estimated Public 49
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
Certification Authority‟s web based “Entrust Authority Administration” tool which<br />
must be used for creating or recovering digital certificate EPF files used with the <strong>IESO</strong><br />
Portal.<br />
2.3.6 Requirements for Browser and Digital Certificate Software<br />
Compatibility<br />
Workstation Platform for MPI Browser Client<br />
170 The browser clients recommended by the <strong>IESO</strong> for the MPI are Internet Explorer 6.0<br />
SP2, and Internet Explorer 7.0 on Windows XP-SP2 and Internet Explorer 7.0 on Vista.<br />
Workstation Platform for Portal Browser Client<br />
171 The browser client recommended by the <strong>IESO</strong> portal vendor (BEA) and supported by<br />
the <strong>IESO</strong> is as shown on the “<strong>IESO</strong> Supported Client Platform” web page.<br />
Recommended by the Portal vendor but not supported by the <strong>IESO</strong> is: :<br />
Internet Access<br />
Netscape 7.1, or 7.2, or<br />
Mozilla Firefox 1.0, 1.5 or 2.0.1<br />
Safari 2.0<br />
Any of these will work. The “<strong>IESO</strong> Supported Client Platform” web page shows the<br />
recommended OS/Browser /JRE combination for the Portal‟s “Entrust TruePass”<br />
component. Not supported but compatible are:<br />
Netscape Navigator 7.0 in combination with the Sun JVM 1.4.2<br />
Mozilla FireFox 1.0 in combination with Sun JVM 1.4.2<br />
172 Internet access is required for all market participants even those using the Private or<br />
Shared Network as described earlier in this document. For basic functionality and full<br />
utilization of the key management functionality of the Entrust PKI products,<br />
communication between the client (CLS, MIM MPI Applet, or MIM programmatic<br />
API Application) and the CA is necessary. The CLS, MIM MPI Applet and MIM<br />
programmatic API Application use calls to the CA Server and LDAP Servers that allow<br />
access to the MOSMIM Web Server and/or allow for digital signing of bids and offers.<br />
Certification Authority IP Addresses and Domain Names<br />
173 The Certification Authority system IP Addresses applicable are as follows:<br />
MPI/MIM Sandbox / Production Environments Prior to June May 13, 201009 Verizon<br />
Datacenter MoveIssuing CA Expiry<br />
Cybertrust Production System CA Manager - version 7.2<br />
Primary IP Address = 195.217.198.65 TCP ports 829<br />
Failover IP Address = 64.18.29.140 TCP ports 829<br />
Primary IP Address = 64.18.21.69 port 829<br />
50 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
Failover IP Address = 64.18.29.140 port 829<br />
Domain name = ccica1.idm.cybertrust.com<br />
Cybertrust Production System Directory Server - version 7.2<br />
Primary IP Address = 195.217.199.14 TCP ports 389<br />
Failover IP Address = 64.18.29.142 TCP ports 389<br />
Primary IP Address = 64.18.22.34 port 389<br />
Failover IP Address = 64.18.29.142 port 389<br />
Domain name = ccipdir.idm.cybertrust.com<br />
Production Root Certification Authority CRL Locations - version 7.2<br />
Globalsign Root Certificate CRL site URL : http://64.18.25.38/ port 80<br />
Domain name equivalent : http://crl.globalsign.net/ port 80<br />
The CRLs root.crl (http://64.18.25.38/root.crl and http://64.18.25.38/root_cat.crl<br />
at this location needs to be available to MPI and MIM IDK workstations through the<br />
firewall.<br />
MPI /MIM Production Environment After June 2009 For Replacement Verizon<br />
Datacenter MoveCA Servers – Starting early March 2010<br />
Cybertrust Production System CA Manager - version 7.2<br />
Primary IP Address = 195.217.198.67 195.217.198.65 TCP ports 829<br />
Failover IP Address = 64.18.29.140 TCP ports 829<br />
Domain name = ccica21.idm.cybertrust.com (no change)<br />
Cybertrust Production System Directory Server - version 7.2<br />
Primary IP Address = 195.217.199.26 195.217.199.14 TCP ports 389<br />
Failover IP Address = 64.18.29.142 TCP ports 389<br />
Domain name = ccipdir2.idm.cybertrust.com (no change)<br />
Production Root Certification Authority CRL Locations - version 7.2<br />
Globalsign Omniroot Root Certificate CRL site URL : http:// 64.18.30.7/ 64.18.25.38/<br />
port 80 (no change) and http:// http:// 64.18.30.8/ port 80<br />
Domain name equivalent : http:// www.public-trust.com crl.globalsign.net/ port 80<br />
(no change)<br />
The CRLs - http://cdp1.public-trust.com/cgi-bin/CRL/202501/cdp.crl root.crl<br />
(http://64.18.25.38/root.crl and http://64.18.25.38/root_cat.crl<br />
at this location needs to be available to MPI and MIM IDK workstations through the<br />
firewall.<br />
Portal Sandbox/ Production Environments Prior to May 13, 2010 Verizon Issuing CA<br />
Expiry<br />
Cybertrust Production System CA Manager Domain - version 7.2<br />
Domain name = ccip.idm.cybertrust.com<br />
Issue 21.1 – March 15, 2010 - estimated Public 51
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
Access is transparently handled via https through <strong>IESO</strong> portal servers as all certificate<br />
management communication (except for creation and recovery) is proxied through the<br />
<strong>IESO</strong> to Verizon / Cybertrust. The <strong>IESO</strong> administers all IP address configuration for the<br />
Certification Authority systems used with the Portal. Therefore no changes are required<br />
on the part of the Market <strong>Participant</strong> for portal PKI capability to handle the Verizon<br />
Cybertrust data center move. Only the <strong>IESO</strong> needs to make the required changes on its<br />
servers.<br />
Portal Sandbox/ Production Environments for Replacement Verizon CA Servers –<br />
Starting early March 2010<br />
Cybertrust Production System CA Manager Domain - version 7.2<br />
Domain name = ccica2.idm.cybertrust.com<br />
Access is transparently handled via https through <strong>IESO</strong> portal servers as all certificate<br />
management communication (except for creation and recovery) is proxied through the<br />
<strong>IESO</strong> to Verizon / Cybertrust. The <strong>IESO</strong> administers all IP address configuration for the<br />
Certification Authority systems used with the Portal. Therefore no changes are required<br />
on the part of the Market <strong>Participant</strong> for portal PKI capability to handle the Verizon<br />
Cybertrust data center move. Only the <strong>IESO</strong> needs to make the required changes on its<br />
servers.<br />
Ports<br />
174 Port 443 must be open to allow access over SSL (Secure Socket Layer). Market<br />
participants with firewalls must have this port open for communication with the <strong>IESO</strong><br />
systems and its Certification Authority.<br />
175 Port 389 must be open to allow access to the <strong>IESO</strong>'s Certification Authority's LDAP<br />
Servers (Directory Server Domain) for the MPI. For the <strong>IESO</strong> Portal‟s TruePass<br />
component all CA directory communications are routed through the <strong>IESO</strong> systems via<br />
port 443 (https/SSL). LDAP Servers contain the following and more:<br />
Certificate Revocation Lists (CRL‟s)<br />
The CA's credentials<br />
The policy certificates<br />
The attribute certificates (if applicable)<br />
User Certificates<br />
Market participants with firewalls must have this port open for communication with the <strong>IESO</strong><br />
Certification Authority.<br />
176 Port 829 must be open to allow access to the identified Certification Authority Manager<br />
(CA Manager Domain) systems. Market participants with firewalls must have this port<br />
open for the specific IP addresses/domains for communication with the <strong>IESO</strong> CA for<br />
the Certificate Management Protocol. This provides for automatic or manual updating<br />
of certificate files upon imminent expiry of certificate keys. Automatic certificate<br />
updates will be processed by the MPI (Market <strong>Participant</strong> Graphical User Interface) or<br />
MIM API and manual updates can be accomplished with the CLS. For the <strong>IESO</strong><br />
Portal‟s TruePass component all CA management communications are routed through<br />
52 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
the <strong>IESO</strong> systems via port 443 (https/SSL). See Figure 2-22 Portal Conceptual<br />
Architecture<br />
177 Ports 20 & 21 should be open for market participants using FTP.<br />
Issue 21.1 – March 15, 2010 - estimated Public 53
2. <strong>Participant</strong> Workstation, Network & Security IMO_MAN_0024<br />
Conceptual Architecture for<br />
Secure Portal Web Server Communications<br />
Cybertrust Entrust Authority version 7.2<br />
CA Directory<br />
Entrust<br />
Security<br />
Manager<br />
Entrust<br />
Authority<br />
Adminstratiion<br />
tool<br />
HTTP/HTTPS<br />
Port 443<br />
Web browser<br />
Entrust Truepass<br />
applet<br />
Client workstation<br />
User ID/<br />
password<br />
EPF File<br />
PKIX CMP<br />
LDAP Port 829<br />
Port 389<br />
HTTP/HTTPS<br />
Port 443<br />
Internet<br />
LDAP<br />
Port 389<br />
PKIX CMP<br />
Port 829<br />
HTTP/HTTPS<br />
Port 443<br />
Firewall<br />
Truepass<br />
Session<br />
Validation<br />
Module<br />
<strong>IESO</strong> Portal Web Server<br />
Web<br />
Server<br />
COREid<br />
Webgate<br />
Web server<br />
COREid<br />
Webgate<br />
<strong>IESO</strong> DMZ –<br />
Zone 2<br />
Session<br />
Authentication<br />
COREid<br />
WebPass<br />
Thawte<br />
Server<br />
Certificate<br />
Firewall<br />
<strong>IESO</strong> DMZ –<br />
Zone 3<br />
Application<br />
Server<br />
Application<br />
Server<br />
Entrust<br />
Truepass<br />
Servlets<br />
Plumtree<br />
Portal<br />
Server<br />
<strong>IESO</strong> Portal Server<br />
MS IIS 6.0<br />
COREid<br />
Webgate<br />
COREid<br />
Access<br />
Server<br />
COREid<br />
Identity<br />
Server<br />
Secure<br />
LDAP<br />
Microsoft<br />
Active Directory<br />
<strong>IESO</strong> AD Server<br />
<strong>IESO</strong> Application Web<br />
Server<br />
COREid<br />
WebPass<br />
COREid<br />
Access<br />
Manager<br />
LDAP<br />
Microsoft<br />
ADAM<br />
<strong>IESO</strong> IDM Server<br />
<strong>IESO</strong> AD Server<br />
Firewall<br />
<strong>IESO</strong> Internal<br />
Zones<br />
Application<br />
<strong>IESO</strong> Application<br />
Backend Server<br />
Database<br />
<strong>IESO</strong> SQL Server Database Server<br />
Figure 2-22: <strong>IESO</strong> Portal Conceptual Architecture<br />
54 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
Other Documentation<br />
178 The relevant <strong>IESO</strong>/ABB, Market <strong>Participant</strong> Interface, <strong>IESO</strong> Portal and MIM<br />
programmatic API manuals should be referred to when appropriate.<br />
– End of Section –<br />
Issue 21.1 – March 15, 2010 - estimated Public 55
3.Dispatch Information<br />
IMO_MAN_0024<br />
3. Dispatch Information<br />
179 (For supporting rule references, please refer to “Appendix 2.2, Sections 1.1 &<br />
1.3 of the market rules” )<br />
3.1 Dispatch Workstations<br />
180 This section provides description of the dispatch workstations required by<br />
market participants injecting into or withdrawing electrical power from the<br />
<strong>IESO</strong>-controlled grid or will receive and transmit information to the <strong>IESO</strong>.<br />
3.1.1 Hardware Requirements<br />
Platform<br />
181 The client software provided by the <strong>IESO</strong> is designed to be platform independent. The<br />
<strong>IESO</strong> has performed extensive testing of this software on the Windows XP and Vista<br />
operating systems. The software will also function on other versions of the Windows<br />
Operating System (i.e. Windows 98 or higher) but these are no longer formally<br />
supported by the <strong>IESO</strong>. Displays may be rendered incorrectly if a Windows Operating<br />
System is not used.<br />
182 For Windows XP, it is recommended that the client workstation hardware conform to<br />
Microsoft‟s specifications found at:<br />
http://www.microsoft.com/windowsxp/pro/evaluation/sysreqs.mspx<br />
and for Windows Vista at<br />
http://www.microsoft.com/windows/products/windowsvista/editions/systemrequiremen<br />
ts.mspx.<br />
For Windows 98 or NT, the following provides the minimum hardware requirements:<br />
Processor<br />
183 The minimum required processor speed is 300 MHz PII or equivalent,<br />
however 500MHz, PIII or equivalent is recommended.<br />
Memory<br />
184 The PC must have a minimum of 256 megabytes of internal RAM. For<br />
better performance however, 512 megabytes RAM is recommended.<br />
Hard Disk<br />
185 The PC must have at least four gigabytes of available disk space.<br />
Interface Cards<br />
186 The network card must support a high-speed (10 Mbps or greater)<br />
network, as it will be required to communicate over Ethernet to an<br />
<strong>IESO</strong> supplied router at the market participant site. The wiring<br />
between the dispatch workstation and the router is the responsibility of<br />
56 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
3. Dispatch Information<br />
Monitor and Graphic Card<br />
Sound Card<br />
the market participant. The <strong>IESO</strong> supplied router will communicate<br />
over private network (frame relay) to the <strong>IESO</strong>.<br />
187 The supported monitor must be SVGA with a graphic card that is<br />
configurable to 1024 x 768 pixels with „small font‟ and 65536 colors<br />
at a minimum. A higher resolution of 1280 x 1024 pixels is however,<br />
recommended.<br />
188 The PC must include an appropriate sound card and speakers for<br />
receiving audible alarms.<br />
Printer<br />
189 The recommended printer is high resolution with at least 600 dpi and<br />
supports multiple fonts.<br />
Other Components<br />
3.1.2 Software Requirements<br />
Operating System<br />
Internet Browser<br />
Connectivity<br />
Power Supply<br />
190 Additional components that should be included with your PC are a<br />
compatible two-button mouse, keyboard, and 1.44 MB high-density<br />
floppy disk drive.<br />
191 The PC should be operating with Windows XP or Vista however it will run on<br />
Windows 98 / NT 4.0 with support for TCP/IP protocol. It is recommended that<br />
the latest operating system patches be maintained.<br />
192 For WEB based message exchange the PC should include the IE6 SP2 or IE 7<br />
browser. For older versions of Windows the minimum browser version is IE<br />
5.5.<br />
193 All dispatch workstations must maintain a live connection that will allow<br />
workstations to receive, send, and acknowledge the messages with the<br />
minimum throughput established by the <strong>IESO</strong>.<br />
194 Given its importance, it is strongly recommended that the market participant(s)<br />
provide an Uninterruptible Power Supply (UPS) to power the dispatch<br />
workstation.<br />
Issue 21.1 – March 15, 2010 - estimated Public 57
3.Dispatch Information<br />
IMO_MAN_0024<br />
3.2 Dispatch Message Exchange<br />
3.2.1 Overview<br />
195 Market participants using a dispatch workstation will be integrating directly<br />
with the EMS systems at the <strong>IESO</strong> and will require interaction with the<br />
Message Exchange system. Market participants that require this module will be<br />
receiving the client software from the <strong>IESO</strong> via the network and will be<br />
instructed on its installation and application.<br />
196 Message Exchange information will be stored in the <strong>IESO</strong> Operations Database<br />
(ODB), for use by the Compliance Monitor. This verifies that the requested<br />
dispatch actually takes place based on the measurement availability.<br />
197 The market participant will:<br />
acknowledge receipt of the message;<br />
accept or refuse the dispatch request; and<br />
perform the requested control action.<br />
198 The Message Exchange function is used by the <strong>IESO</strong> to send dispatch<br />
instructions to the market participants. This function is triggered by the<br />
dispatch request of an application (such as energy dispatch) to issue a message<br />
either automatically by Inter-Control Center Communications Protocol (ICCP)<br />
or by WEB-based Message Exchange or manually (off-line by telephone or fax)<br />
by the Exchange Coordinator to a market participant.<br />
199 The Message Exchange function sends dispatch instruction to the <strong>IESO</strong> market<br />
participants using ABB‟s ICCP Block 4 capabilities or the WEB-based<br />
Message Exchange facilities.<br />
200 In order to interface with the Message Exchange using ICCP the market<br />
participants must also have ICCP Block 4 configured on their dispatch<br />
workstations and have specialized software to interpret and manage the ICCP<br />
block 4 messages.<br />
201 WEB-based Message Exchange is an alternative facility made available to the<br />
<strong>IESO</strong> market participants that can be use to support the Message Exchange<br />
requirements. The WEB-based Message Exchange adds additional capability to<br />
the existing Message Exchange functionality. WEB-Based Message Exchange<br />
permits dispatch instructions to be sent to the market participants using<br />
browser compatible user interface and application programming interface.<br />
These interfaces will be included with the delivery of this product. WEB-Based<br />
Message Exchange will be simpler to deploy than the ICCP-based Message<br />
Exchange and more cost effective for the market participants, however this<br />
may be a less reliable approach.<br />
58 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
3. Dispatch Information<br />
202 Interfaces (see figure below) shows the relationship that Message Exchange<br />
(ME) has with other parts of the system. Most of the functions are internal to<br />
<strong>IESO</strong> however on the right of the diagram is the interface with the market<br />
participants.<br />
Resource<br />
Dispatch<br />
Operator ME<br />
Overview<br />
P<br />
A<br />
Interchange<br />
Scheduler<br />
Message<br />
Exchange<br />
ICCP<br />
Interface<br />
R<br />
T<br />
I<br />
C<br />
Application X<br />
Compliance<br />
Monitor<br />
WEB interface<br />
I<br />
P<br />
A<br />
N<br />
T<br />
Figure 3-1: Message Exchange Interfaces<br />
203 Specifics of ICCP Block 4 are discussed in the ICCP guidelines, which can be<br />
ordered from EPRI – Report TR-107176 over the Internet.<br />
204 A WEB-Based Message Exchange user guide has been posted on the <strong>IESO</strong><br />
Web site. The user guide provides information on message displays, user<br />
actions and contract management message displays, etc. Market participants<br />
are encouraged to consult the Web site for further details and latest updates to<br />
the user guide.<br />
3.2.2 Functional Parts<br />
205 Message Exchange (ME) consists of several independent functional parts:<br />
a. An ICCP Server responsible for establishing and maintaining the communication between<br />
utilities using the ICCP protocol and maintains the communication parameters and status<br />
for each link.<br />
b. A Web Server (Servlet or Application Server) responsible for establishing and maintaining<br />
communication between market participants using the https protocol and managing user<br />
logins, client requests, publishing client response to SCADA (Supervisory Control and Data<br />
Acquisition), subscribing to & performing action requests from SCADA and publishing<br />
results of action requests to SCADA.<br />
Issue 21.1 – March 15, 2010 - estimated Public 59
3.Dispatch Information<br />
IMO_MAN_0024<br />
c. A Web Client providing user interface for the WEB-Based Message Exchange java applet.<br />
The software as shown on the “<strong>IESO</strong> Supported Client Platform” web page is required in<br />
order to execute the Message Exchange Applet.<br />
d. The ME Database Server is responsible for storing and retrieving the messages and their<br />
status. This database will support both WEB & ICCP.<br />
e. The ME Application Server will co-ordinate the message exchange between different<br />
functions. It is responsible for message scheduling and tracking (both WEB and ICCP).<br />
3.2.3 Dispatch Messaging<br />
206 The dispatch messages are generated automatically by the dispatch algorithm<br />
every five minutes. The Exchange Coordinator (EC) monitors the dispatches<br />
and the EC can prevent the messages from being sent out in the event of a<br />
system disturbance while activating operating reserve.<br />
207 The availability and reliability of the supporting facilities must be such that the<br />
following criteria is met:<br />
a. The Exchange Coordinator (<strong>IESO</strong> BES Control Room Operator), in not more than sixty<br />
seconds after issuance of the dispatch message, must receive the acknowledgement and<br />
compliance indication after issuance of the dispatch instruction.<br />
b. The acknowledgement of receipt of a dispatch message is automatically performed by the<br />
Client application (either <strong>IESO</strong> provided or market participant). The compliance is a<br />
manual action by the market participant to accept or reject the instruction.<br />
c. The <strong>IESO</strong> shall manage and/or control the ICCP and Web-Based communications facilities<br />
that support the transmission of dispatch instructions to the market participants’ dispatch<br />
agent at the point of system injection.<br />
d. Failure of any of the facilities such that the dispatch message and/or the reply are not<br />
sent/received is alarmed through monitoring software to the Exchange Coordinator upon<br />
detection. The alarm is displayed within the message dispatch tool and it will be logged in<br />
the systems control log. The alarm indicates the actual, or most likely, reason for the failure.<br />
e. An outage to any of the supporting message dispatch facilities must be addressed with the<br />
highest priority.<br />
Dispatches Processed Through Message Exchange<br />
Energy Dispatch<br />
208 The <strong>IESO</strong> issues dispatch instructions for each registered facility, other than a<br />
boundary entity and an hour-ahead dispatchable load facility, prior to each<br />
dispatch interval, indicating for that dispatch interval:<br />
• The target energy level to be achieved (in MW) by the facility at the end of the dispatch interval<br />
at a rate, in the case of a dispatchable load, equal to the rate provided by the market participant<br />
as dispatch data, and in the case of a generation facility equal to the most limiting of:<br />
• The last dispatch instruction and offered ramp rate: or<br />
• Actual MW output and the generations facility’s effective ramp rate<br />
Reserve Dispatch<br />
60 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
3. Dispatch Information<br />
Reserve Activation<br />
209 The <strong>IESO</strong> will process reserve dispatches through the Message Exchange.<br />
Reserve dispatches are targets for capacity, in the reserve class specified that<br />
are available from a market participant‟s resource after acceptance of the<br />
dispatch instruction.<br />
210 The <strong>IESO</strong> will process reserve activation dispatches through the Message<br />
Exchange. Energy dispatches are target energy output or load reduction from a<br />
market participant‟s resource. The market participant‟s resource is expected to<br />
follow the emergency ramp rate specified during registration of the resource<br />
and be at the target within the timeframe specified by the operating reserve<br />
market for which the dispatchable generation/load facility was scheduled.<br />
Automatic Generation Regulation Activation<br />
211 The <strong>IESO</strong> will specify AGC obligations of a resource through the Message<br />
Exchange. The AGC obligations include the Regulation Range and may<br />
include a specified Base Point that the market participant‟s resource is required<br />
to support for a specified period of time.<br />
Voltage Regulation Dispatch<br />
Invoking the Call Option<br />
212 <strong>IESO</strong> will be installing the capability to specify voltage regulation dispatches<br />
for Load and Generator market participants through the Message Exchange.<br />
Currently the <strong>IESO</strong> continues to manage the voltage regulation dispatches<br />
manually. Voltage regulation dispatches can be specified in terms of terminal<br />
voltage set point or MVAR output. Voltage regulation dispatches are targets<br />
for terminal voltage and MVAR output for a market participant‟s resource that<br />
should be reached within 5 minutes of acceptance of the dispatch instruction.<br />
213 <strong>IESO</strong> will be installing the capability to inform market participants that they<br />
are required for Must Run or Voltage Support through the Message Exchange.<br />
Currently the <strong>IESO</strong> continues to inform market participants, manually, that<br />
they are required for Must Run or Voltage Support. The Call dispatch will<br />
identify the dispatch period that the market participant‟s resource is required<br />
for. The market participant is expected to bid/offer into the market as define in<br />
the “Market Rules”, for the specified dispatch period.<br />
3.2.4 Dispatch Message Structure<br />
General Structure of All Dispatch Messages<br />
214 Dispatch messages are composed of a message header and a message b3.2ody.<br />
The content of messages is not „case sensitive‟.<br />
215 The message header identifies the message and is a common format for all<br />
messages.<br />
216 The HEARTOUT, HEARTIN, ACCEPT, REJECT, RECEIPT,<br />
CONFIRMATIONOK, AND CONFIRMATIONNOTOK only include the<br />
header information.<br />
Issue 21.1 – March 15, 2010 - estimated Public 61
3.Dispatch Information<br />
IMO_MAN_0024<br />
217 AGC dispatch messages may be sent in one of two forms:<br />
(1) Dispatch Message Body – Regulation with Range Dispatch Only: will include<br />
the following fields:<br />
Persistent Resource<br />
DISPATCH_TYPE = „RGR‟<br />
Startstop = „Start‟<br />
RESOURCE_ID<br />
REGULATION_RANGE = The regulation range in MW expected<br />
from the resource.<br />
DELIVERY_START_TIME<br />
DELIVERY_STOP_TIME<br />
(2) Dispatch Message Body – Regulation with Range and Fixed Base-Point<br />
Dispatch: will include the following fields:<br />
Persistent Resource<br />
DISPATCH_TYPE = „RGS‟<br />
Startstop = „Start‟<br />
RESOURCE_ID<br />
AMOUNT = The fixed base point in MW that the unit will operate at<br />
while on AGC.<br />
REGULATION_RANGE = The regulation range in MW expected<br />
from the resource.<br />
DELIVERY_START_TIME<br />
DELIVERY_STOP_TIME<br />
218 For details of the Dispatch Message Structures and sample examples of all the<br />
message types, please refer to the “Web Based Message Exchange – Market<br />
<strong>Participant</strong>‟s Guide” document, which is available on <strong>IESO</strong>‟s web site (see the<br />
<strong>Technical</strong> Interfaces page of <strong>IESO</strong>‟s web site).<br />
3.2.5 Dispatch Message Scenarios<br />
219 Heart beat messages are sent by the <strong>IESO</strong> to determine whether the market<br />
participant is able to receive dispatch instructions from the <strong>IESO</strong>.<br />
<strong>IESO</strong> – Action MP –Response Comment<br />
HEARTOUT HEARTIN The <strong>IESO</strong> will send a HEARTOUT message<br />
every 60s to check for an active MP message<br />
exchange client. If the <strong>IESO</strong> does not receive<br />
the HEARTIN response from the client with a<br />
specified period of time (currently configured<br />
to 10s) the MP client is considered out of<br />
service and the Exchange Coordinator be<br />
informed of the problem.<br />
62 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
3. Dispatch Information<br />
220 The following scenario demonstrates the Based on the bids and dispatch<br />
scheduling optimizer (DSO) dispatches GENERIC-LT.G2 to 268MW at<br />
2000/08/30 9:05 with the expectation that that the instruction will be met at<br />
2000/08/30 9:10. The dispatch MP accepts the dispatch and complies with the<br />
instruction.<br />
ENERGY DISPATCH:<br />
<strong>IESO</strong> – Action MP – Response Comment<br />
RESOURCE_ID=GENERIC-LT.G2<br />
DISPATCH_TYPE=ENG<br />
AMOUNT=268<br />
DELIVERY_DATE=2000/08/30<br />
DELIVERY_HOUR=10<br />
DELIVERY_INTERVAL=2<br />
RECEIPT<br />
The MP client should immediately send a<br />
RECEIPT message back to the <strong>IESO</strong><br />
acknowledging that the message has been<br />
received.<br />
CONFIRMATIONOK<br />
ACCEPT<br />
The MP client should send an ACCEPT<br />
message to inform the <strong>IESO</strong> that they intend to<br />
comply with the dispatch.<br />
The <strong>IESO</strong> receives the ACCEPT message and<br />
initiates compliance monitoring of the<br />
requested dispatch.<br />
The COMFIRMATIONOK message is sent to<br />
confirm that the ACCEPT message was<br />
received and acknowledged by the <strong>IESO</strong>.<br />
221 The following scenario demonstrates what will happen when the market<br />
participant rejects a dispatch message.<br />
Issue 21.1 – March 15, 2010 - estimated Public 63
3.Dispatch Information<br />
IMO_MAN_0024<br />
ENERGY DISPATCH:<br />
<strong>IESO</strong> – Action MP – Response Comment<br />
RESOURCE_ID=GENERIC-LT.G2<br />
DISPATCH_TYPE=ENG<br />
AMOUNT=268<br />
DELIVERY_DATE=2000/08/30<br />
DELIVERY_HOUR=10<br />
DELIVERY_INTERVAL=2<br />
RECEIPT<br />
The MP client should immediately send a<br />
RECEIPT message back to the <strong>IESO</strong><br />
acknowledging that the message has been<br />
received.<br />
CONFIRMATIONOK<br />
REJECT<br />
The MP should send a REJECT message to<br />
inform that they do not intend to comply with<br />
the dispatch.<br />
The Exchange Coordinator is informed that the<br />
dispatch was rejected.<br />
The COMFIRMATIONOK message is sent to<br />
confirm that the REJECT message was<br />
received and acknowledged by the <strong>IESO</strong>.<br />
The Exchange Coordinator will assess the<br />
impact of the REJECT and choose alternate<br />
resources as required.<br />
The Exchange Coordinator will request<br />
additional information from the market<br />
participant to explain the reasoning behind the<br />
REJECT of the dispatch instruction.<br />
ENERGY DISPATCH:<br />
222 The following scenario demonstrates what will happen if the market participant<br />
does not respond to a dispatch instruction.<br />
<strong>IESO</strong> – Action MP – Response Comment<br />
RESOURCE_ID=GENERIC-LT.G2<br />
DISPATCH_TYPE=ENG<br />
AMOUNT=268<br />
DELIVERY_DATE=2000/08/30<br />
DELIVERY_HOUR=10<br />
DELIVERY_INTERVAL=2<br />
The MP client should immediately send a<br />
RECEIPT message back to the <strong>IESO</strong><br />
acknowledging that the message has been<br />
received. If the RECEIPT message is not<br />
received within 20s the Exchange Coordinator<br />
will be made aware of the problem.<br />
If a response to the dispatch instruction is not<br />
received within 60 seconds, the dispatch<br />
instruction is considered to be in a timeout<br />
state, which locks out the MP client from<br />
further accepting or rejecting the dispatch<br />
instruction. If, within 30 seconds after a<br />
dispatch instruction has timed out, market<br />
participants call and request the <strong>IESO</strong> to<br />
manually accept or reject the dispatch<br />
instruction, the <strong>IESO</strong> will attempt to do so on<br />
their behalf. If, within those 30 seconds, the<br />
market participants do not request the <strong>IESO</strong> to<br />
manually accept or reject the dispatch<br />
instruction, the <strong>IESO</strong> will consider that the<br />
market participants have rejected the dispatch<br />
instruction.<br />
64 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
3. Dispatch Information<br />
3.3 Real Time Network<br />
223 The Real Time Network will be used for:<br />
a. Real time data acquisition of power system data required by the <strong>IESO</strong> to operate the power<br />
system;<br />
b. Dispatch of automatic generation control (AGC) control commands; and<br />
c. Dispatch messaging.<br />
224 Function (a) and (b) above are typically executed by an RTU, and function (c)<br />
by a dispatch workstation.<br />
225 Real-time network communication with the <strong>IESO</strong> Control Center is via a Frame<br />
Relay communications network, except for dispatch messaging which will also<br />
use the Web as an alternative. This real-time network will be made available by<br />
the <strong>IESO</strong> to the market participant. In some cases, where the size and the<br />
location of the market participant’s electrical plant warrants, a secondary<br />
communications system for increased reliability will also be made available.<br />
226 The connection to the Real Time Network for an RTU or a functionally<br />
equivalent device e.g. PML meter, requires the market participant to provide<br />
the following:<br />
a. Access for the communications carrier to the market participant site to install a local loop<br />
and other customer premises equipment such as the DSU and FRAD.<br />
b. A dedicated dial-up telephone line connected to the FRAD to enable remote maintenance.<br />
c. Space to house the customer premises equipment in a suitable environment (e.g. dry, clean,<br />
0 – 40 C, free of Electro-Magnetic interference, etc.)<br />
d. A suitable power source for the customer premises equipment (typically a reliable source of<br />
120V ac, 60 Hz – usually from a UPS with a total load capacity of 500 Watts) with at least<br />
8 hours of survivability after loss of commercial power.<br />
e. Access for maintenance personnel as needed.<br />
f. Connectivity from the market participant equipment to the customer premises equipment as<br />
stated for the particular device.<br />
g. A point of contact (a person and telephone number) to enable the <strong>IESO</strong> to request repairs by<br />
the market participant for telemetry failures.<br />
Issue 21.1 – March 15, 2010 - estimated Public 65
3.Dispatch Information<br />
IMO_MAN_0024<br />
Dial-up telephone line<br />
Local<br />
Telco<br />
Office<br />
Local<br />
Loop<br />
Telecom<br />
Isolating<br />
Device<br />
Telecom<br />
Internal Wiring<br />
DSU<br />
FRAD<br />
Telecom<br />
Room<br />
UPS<br />
UPS<br />
Interconnect<br />
Cable<br />
RTU<br />
Market <strong>Participant</strong>’s Premises<br />
Equipment Room<br />
(Legend: <strong>IESO</strong> responsibility Market <strong>Participant</strong> responsibility )<br />
Figure 3-2: Responsibilities for Telecommunications and Site Readiness for RTUs<br />
227 The connection to the Real Time Network for a dispatch workstation requires<br />
the market participant to provide the following:<br />
a. Access for the communications carrier to the market participant site to install a local loop<br />
and other customer premises equipment.<br />
b. A dedicated dial-up telephone line connected to the Router to enable remote maintenance.<br />
c. Space to house the customer premises equipment (Router) in a suitable environment (e.g.<br />
dry, clean, 0 – 40 C, free of Electro-Magnetic interference, etc.)<br />
d. A suitable power source for the customer premises equipment, typically a reliable source of<br />
120V ac, 60 Hz.<br />
e. Access for maintenance personnel as needed.<br />
Local<br />
Telco<br />
Office<br />
Local<br />
Loop<br />
Telecom<br />
Isolating<br />
Device (if<br />
required)<br />
Telecom<br />
Room<br />
Dial-up Telephone Line<br />
Telecom<br />
Internal Wiring<br />
Router<br />
Interconnect<br />
Cable<br />
DWS<br />
RTU<br />
Market <strong>Participant</strong>’s Premises<br />
(Legend: <strong>IESO</strong> responsibility Market <strong>Participant</strong> responsibility )<br />
Figure 3-3: Responsibilities for Telecommunications and Site Readiness for DWS<br />
66 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
3. Dispatch Information<br />
3.4 Voice Communication Specifications<br />
228 Voice communications are broken into two categories:<br />
Normal-priority path market participants; and<br />
High-priority path market participants.<br />
229 The determination for whether a market participant requires a High Priority<br />
path is defined in the “Market Rules” Appendix 2.2. Regardless of the status of<br />
the market participant, all calls will be „caller identified‟ and handled through<br />
confidential links between sites. All calls involving <strong>IESO</strong> operations will be<br />
recorded by the <strong>IESO</strong> and must be responded to as set out in the market rules.<br />
230 In either category, voice communications between the <strong>IESO</strong> and market<br />
participants is critical for reliable and secure operations of the high-voltage<br />
electrical grid and is required by the “Market Rules” (Chapter 5, Section 12.2).<br />
1. The <strong>IESO</strong> uses MSAT telephone and data services. MSAT satellite telephone<br />
service is considered to be a High Priority path in that it does not use the Public<br />
Switched Telephone Network to complete calls between MSAT callers. It is<br />
therefore capable of providing an independent communication function between the<br />
<strong>IESO</strong> and new market participants. Other satellite telephone services are not<br />
considered because they require Public Switched Telephone Network links to<br />
either complete a call or to interconnect with <strong>IESO</strong> MSAT communications<br />
3.4.1 Normal-Priority PATH<br />
231 A normal priority path will be of a type and capacity that allows unblocked<br />
communication with the <strong>IESO</strong>. This will be the primary path used during the<br />
normal conduct of business between a market participant and the <strong>IESO</strong>. It may<br />
consist of a dedicated telephone number on the Public Switched Telephone<br />
Network (PSTN) to be used by the <strong>IESO</strong> only or an extension of a private<br />
network or Virtual Private Network (VPN) from either party. This path may<br />
involve connection to an <strong>IESO</strong> approved or administered network. Whatever<br />
mode is used this circuit will:<br />
a. provide inherent privacy for the users with the ability to add other parties by invitation only;<br />
b. interface with the <strong>IESO</strong> through the normally available PSTN facilities. Where available,<br />
caller identification will be available on this line. Such a facility shall be exempt from<br />
restriction by Line Load Control and/or have Priority Access for Dialing status; and<br />
c. not be routed by the market participant into an answering machine or Voice Mail that<br />
impedes or delays an immediate interactive conversation with a live person in attendance at<br />
the facility.<br />
3.4.2 High-Priority PATH<br />
232 A High Priority circuit will be of a type that provides backup communication<br />
between facilities. It must be „hardened‟ against failure due to loss of<br />
commercial power at any point (MSAT Synchronous satellite communication<br />
facilities may be considered as „hardened‟ facilities but are not desired as<br />
primary operating facilities due to the delay time involved in conversing over<br />
Issue 21.1 – March 15, 2010 - estimated Public 67
3.Dispatch Information<br />
IMO_MAN_0024<br />
the link). In addition to the normal priority path requirements these facilities<br />
will:<br />
a. continue to operate for a minimum of eight hours after the loss of commercial power at any<br />
point;<br />
b. be protected against loss of service that may result from overload of the common carrier‟s<br />
public facilities; and<br />
c. be a circuit with physically diverse path from the Normal Priority path to eliminate any<br />
common point of failure.<br />
233 An „autoringdown‟ circuit and other similar dedicated facilities may be<br />
considered as High Priority and „hardened‟ depending on location.<br />
234 Connection to an <strong>IESO</strong> approved, administered, or operated network may also<br />
be considered acceptable as a High Priority path. The MSAT network is a<br />
presently approved network. Other satellite networks are not approved due to<br />
reliance on PSTN connectivity being required to either complete a call or to<br />
interconnect with MSAT telephones.<br />
235 All conversations between a market participant and the <strong>IESO</strong> are confidential<br />
and will ordinarily connect only the two concerned parties. Other parties may<br />
join the conversation by invitation only.<br />
236 The <strong>IESO</strong> will record all calls involving <strong>IESO</strong> operations. For all other cases, if<br />
a market participant desires call recording, it is the responsibility of that market<br />
participant to record the call.<br />
3.4.3 Security<br />
3.4.4 Diverse Path<br />
237 All communications between the <strong>IESO</strong> and the market participant are<br />
considered confidential and therefore it is recommended that unencrypted radio<br />
frequency transmitters, such as cellular phones and other wireless technologies,<br />
not be used for communications<br />
238 A diverse path will not use either the same physical path or equipment between<br />
sites. This does not include the end user devices.<br />
– End of Section –<br />
68 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
4. Operational Metering Equipment & AGC<br />
4. Operational Metering Equipment &<br />
AGC<br />
239 (For supporting rule references, please refer to “Appendix 2.2, Section 1.2 of<br />
the market rules”)<br />
4.1 Operational Metering Equipment<br />
4.1.1 Introduction<br />
240 This section covers operational metering requirements. It does not cover<br />
specific revenue metering requirements.<br />
241 Real-time operational information from market participants is required by the<br />
<strong>IESO</strong> for the operation of the high voltage electricity system. Market<br />
participants provide this information by using appropriate monitoring<br />
equipment that they supply. The information is sent to the <strong>IESO</strong> over <strong>IESO</strong><br />
provided Real Time Network.<br />
242 Specifics for the types of monitoring equipment required by the <strong>IESO</strong> are<br />
detailed in the “Market Rules”, Chapter 4. The requirements in terms of<br />
quantities measured and performance for operational metering are mainly based<br />
on the facility ratings.<br />
243 Remote real-time data can be provided to the <strong>IESO</strong> by the market participants<br />
using two standard data transfer protocols:<br />
a. Distributed Network Protocol (DNP), and/or<br />
b. Inter Control Center Protocol (ICCP).<br />
4.1.2 Qualified Devices<br />
244 The standard device for collecting real-time information is the Remote<br />
Terminal Unit (RTU). Real-time information about the disposition of the<br />
market participants’ facility is collected from the market participant supplied<br />
RTU‟s and forwarded on a regular basis to the <strong>IESO</strong> Control Center. The<br />
Energy Management System (EMS) at the <strong>IESO</strong> Control Center polls the RTUs<br />
for information every two to four seconds. Total data latency must not exceed<br />
four seconds.<br />
245 The EMS communicates with the RTUs using the DNP 3.0 protocol. The<br />
Binary Input Data are Object 1, Qualifier 01, Variation 1 (normal) and<br />
Variation 2 (not normal). The Analog Input Data are Object 30, Qualifier 01,<br />
Variation 4 (normal) and Variation 2 (not normal) with Application Confirm<br />
Request. All data must show Data Quality Flags when not normal, such as Off<br />
Line, Restart, Communication Lost, Local/Remote Forced, Over-range. If data<br />
are derived from some intermediate devices, these flags must indicate any<br />
manual manipulation or failure of these data in these devices. Pseudo data do<br />
not require any Data Quality Flags.<br />
Issue 21.1 – March 15, 2010 - estimated Public 69
4. Operational Metering Equipment & AGC IMO_MAN_0024<br />
246 DNP (Distributed Network Protocol) is an open, standards-based protocol used<br />
in the electric utility industry to address interoperability between substation<br />
computers, RTUs, IEDs (Intelligent Electronic Devices) and master stations.<br />
This protocol is based on the standards of the International Electrotechnical<br />
Commission (IEC). DNP 3.0 is the recommended practice by the IEEE C.2<br />
Task Force for RTU to IED communications.<br />
247 The document "DNP 3.0 Subset Definitions" is available to DNP User Group<br />
members at the DNP User Group Web site (http:/www.dnp.org). This<br />
document will help DNP implementers to identify protocol elements that<br />
should be implemented.<br />
248 The following RTU manufacturers using the DNP 3.0 protocol have been<br />
qualified for use by the <strong>IESO</strong>:<br />
249 Vendor Name: GE Energy / GE Harris<br />
250 Device Name: D20, D200, and D25 RTUs,<br />
251 Vendor Name: Quindar<br />
252 Device Name: XPPQ and Scout RTUs,<br />
253 Vendor Name: PML<br />
254 Device Name: 7330, 7500, 7600, 7700 and 8500<br />
255 Vendor Name: Cybectec<br />
256 Device Name: SMP Gateway<br />
257 Vendor Name: Schneider Electric<br />
258 Device Name: Quantum PLC System with a DNP3 Processor,<br />
259 Vendor Name: Bow Networks<br />
260 Device Name: Advantech Industrial PC Part # UNO-2160-IDA0<br />
261 Vendor Name: Schweitzer Engineering Laboratories, Inc.<br />
262 Device Name: SEL-3332 Intelligent Server.<br />
263 Vendor Name: Telvent<br />
264 Device Name: Sage 3030 Substation Automation Platform.<br />
265 Vendor Name: Schweitzer Engineering Laboratories, Inc.<br />
266 Device Name: SEL-3351, 3354 & 3530 System Computing Platform.<br />
267 Vendor Name: ABB<br />
268 Device Name: ABB RTU560<br />
269 Vendor Name: Subnet Solutions Inc.<br />
270 Device Name: SEL/SUBNET 1102<br />
271 Further information on additional qualified devices or assistance on RTU set-up<br />
and configuration is available from the <strong>IESO</strong>.<br />
70 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
4. Operational Metering Equipment & AGC<br />
272 The <strong>IESO</strong> may add qualified devices from other manufacturers. Market<br />
participants should contact the <strong>IESO</strong> to get information on the current set of<br />
qualified devices.<br />
273 If the market participant wishes to use more than one meter at a location for the<br />
transmission of real-time data to the <strong>IESO</strong>, the <strong>IESO</strong> requires that the data be<br />
combined to one data concentrator such as an RTU so that only one<br />
telecommunications connection is required. The data from a failed meter or<br />
device must show the Offline and Communication Lost Flags.<br />
274 If ICCP (Inter Control Center Protocol) is used for real-time data transfer to the<br />
<strong>IESO</strong>, the market participants will provide their own ICCP server and software.<br />
Co-ordination with the <strong>IESO</strong> is necessary to establish the communication link<br />
between the market participant and the <strong>IESO</strong> Control Centers.<br />
275 The overall requirements for reliability and performance of the monitoring and<br />
control equipment are specified in Chapter 4 of the “Market Rules”.<br />
4.1.3 Field Instrumentation Standards<br />
276 The field instrumentation standard focuses on overall accuracy of the<br />
measurements being reported to the <strong>IESO</strong>. The accuracy requirement is for an<br />
overall end-to-end measurement error no greater than two percent of full scale.<br />
277 This measurement error is the sum of all the errors in the measurement chain.<br />
Typically the measurement chain is comprised of:<br />
a. primary conversion by potential and/or current transformers;<br />
b. secondary conversion by transducers; and<br />
c. report by the RTU.<br />
278 Any load meter reading must accurately reflect the quantity being measured<br />
regardless of load balance across the phases. For generation, a minimum of 2<br />
metering elements is required.<br />
Issue 21.1 – March 15, 2010 - estimated Public 71
4. Operational Metering Equipment & AGC IMO_MAN_0024<br />
279 As a guideline to the market participants, the anticipated errors in the<br />
measurement chain described above are:<br />
a. Primary conversion 0.5% of full scale<br />
b. Secondary conversion (transducers) 0.5% of full scale<br />
c. Report by the RTU, comprising analogue to digital<br />
conversion by the RTU and quantification errors<br />
1.0% of full scale<br />
280 The above accuracy standards are expected to be met by all new installations.<br />
However, for existing installations, the existing instrumentation transformers<br />
and burdens will be accepted by the <strong>IESO</strong>, for the life of the instrumentation<br />
transformers, except where their accuracy is insufficient for monitoring<br />
quantities that affect the system limits of the <strong>IESO</strong> controlled electricity<br />
network. It is up to the market participant to ascertain with the <strong>IESO</strong>, during<br />
facility registration, whether the accuracy of their instrumentation transformers<br />
would have such impact.<br />
4.1.4 Data Specifications<br />
Analogue Points<br />
Status Points<br />
281 The specific data that needs to be made available to the <strong>IESO</strong> depends not only<br />
on the electrical capacity of the market participant facility and its participation<br />
in the market, but also on other factors that influence the safe operation of the<br />
<strong>IESO</strong>-controlled grid. The detailed requirements are available in Chapter 4 and<br />
associated Appendices of the “Market Rules” and through consultation with the<br />
<strong>IESO</strong>.<br />
282 In a generic sense, the data monitored falls into two classes – analogue and<br />
status.<br />
283 These are continuously varying measurements such as watts, volts and amps.<br />
Typically the measurements are derived from a primary conversion device such<br />
as potential or current transformer and a transducer. This measurement chain<br />
scales down the actual electrical value that the RTU can report, for example, 0<br />
– 100 MW to an analogue representation of 4-20 mA or 0-1 mA. Market<br />
participants may contact the <strong>IESO</strong> for more detailed information.<br />
284 Status points are typically discreet, binary values such as the open or closed<br />
status of a switch. This information is presented to the RTU by a contact whose<br />
state is representative of the state of the device being monitored. Market<br />
participants should check the RTU vendors‟ literature for available options in<br />
status monitoring.<br />
4.1.5 Power Supply Specification<br />
285 As the data received from the RTU is an integral piece to the operation of the<br />
electricity grid, the RTU and associated communications equipment requires<br />
72 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
4. Operational Metering Equipment & AGC<br />
connection to a secure source of power. Therefore the RTUs must be powered<br />
from an industrial grade uninterruptible Power Supply (UPS) or from<br />
continuously charged batteries. In case of a power failure, sufficient battery<br />
capacity must be provided to permit ongoing operation of the RTU for a<br />
minimum of eight hours.<br />
286 The RTUs must be operated in an environment of –40°C to +80°C and 95%<br />
non-condensing relative humidity.<br />
4.1.6 Communications Specification<br />
287 The RTUs can communicate with the <strong>IESO</strong> using either a serial port (operating<br />
in the range of 4.8 - 19.2 kbps) or an Ethernet port (10 Mbps) using IP - please<br />
check with the <strong>IESO</strong> at the time of your installation. Ethernet (IP) connections<br />
must comply with the specifications outlined by the DNP Users Group in the<br />
document entitled, “Transporting DNP3 over Local and Wide Area Networks."<br />
The communications port will be connected to the Real Time Network supplied<br />
by the <strong>IESO</strong> located at the market participant's facilities.<br />
288 The Real Time Network‟s customer premises equipment (FRAD and DSU)<br />
require a secure source of power supplying 115 Vac. The use of an inverter,<br />
backed with at least 8 hours of battery power, will normally provide this<br />
reliability. The inverter may also supply power to the RTU. If required, the<br />
<strong>IESO</strong> can recommend a dedicated inverter and a bypass-switch for powering<br />
the telecommunications equipment. In this case, the primary source of power<br />
will be a market participant provided dc supply to the inverter in the range of<br />
100-280 Vdc capable of supplying the load for at least 8 hours and a secondary<br />
115V ac source connected to the bypass switch.<br />
289 For the <strong>IESO</strong> supplied telecommunications equipment, the acceptable<br />
environment is 0°C to +40°C and 5% - 90% non-condensing relative humidity.<br />
4.1.7 RTU Site Certification<br />
290 The certification of an RTU site is composed of the following activities:<br />
a. Field Instrumentation Accuracy Audit;<br />
b. Environment Audit;<br />
c. Telecommunications connection; and<br />
d. RTU Check-In Service.<br />
291 Upon the successful completion of the site certification process by the <strong>IESO</strong>,<br />
the RTU Site is certified as acceptable for market use. Each of the above<br />
certification activities is described in more detail below.<br />
292 Field Instrumentation Accuracy Audit, which is the verification of all the errors<br />
in the measurement chain, may be required by the <strong>IESO</strong>. The market<br />
participant should be able to demonstrate that the overall measurement error is<br />
no greater than two percent of full scale. An acceptable method would involve a<br />
combination of manufacturers‟ specifications and calibration records.<br />
293 Environment Audit may be required to verify the physical and electrical<br />
environment for the RTU and <strong>IESO</strong> installed telecommunications equipment.<br />
Issue 21.1 – March 15, 2010 - estimated Public 73
4. Operational Metering Equipment & AGC IMO_MAN_0024<br />
The market participant may be required to demonstrate that the electrical power<br />
supplies meet the requirements. Also, the market participant may be required to<br />
demonstrate that the environment in which the RTU and telecommunications<br />
equipment is installed meets the manufacturer‟s environmental requirements.<br />
294 A telecommunication connection must be established between the market<br />
participant and <strong>IESO</strong>. Market participants will grant access to their premises to<br />
<strong>IESO</strong> staff or <strong>IESO</strong> designated staff to establish the required telecommunication<br />
connection.<br />
295 The work involved in establishing this connection typically includes:<br />
a. installation of a local loop between the RTU location and a telecommunications service<br />
provider;<br />
b. installation of telecommunication equipment at the market participant’s premises. Typically<br />
this equipment is comprised of three small modules, the Frame Relay Access Device<br />
(FRAD), the Digital Service Unit (DSU) and the dial-up modem; and<br />
c. verifying that the telecommunication connection is working properly.<br />
296 RTU Check-In Service is the final step in RTU Site Certification. This involves<br />
the verification of the accuracy of the RTUs database to ensure a proper<br />
correspondence between the actual field device such as a breaker or<br />
measurement and the representation in the RTU. The proper operation of the<br />
RTU with <strong>IESO</strong>‟s Energy Management System (EMS) and the verification of<br />
the RTU database being transmitted to the <strong>IESO</strong> will also be verified. Details of<br />
the check-in-service process are available from the <strong>IESO</strong>.<br />
4.2 AGC Operational RTU Specifications<br />
297 Automatic generation control (AGC) is a contracted ancillary service used by<br />
the <strong>IESO</strong> to fine-tune the match between generation and load. Specific details<br />
of implementation will be determined during the contracting process.<br />
298 The actual control of generators under AGC is accomplished by control signals<br />
sent directly by the <strong>IESO</strong> to the plant controller or RTU installed for data<br />
gathering and control. The <strong>IESO</strong> can send either pulse commands to raise or<br />
lower generation or it can send MW setpoint commands to change the<br />
current generation. The type of signal the sent to a specific unit that is<br />
providing AGC is determined by the <strong>IESO</strong> and is also dependent on the<br />
design of the unit’s governor system which controls the power input to the<br />
generator. A number of associated data inputs, such as generator status,<br />
generator output, etc. must also be telemetered by the RTU to the <strong>IESO</strong> Control<br />
Center.<br />
299 The control signals from the plant controller or RTU will issue raise/lower<br />
pulses using an output relay. These can be dry or wet contacts depending on the<br />
configuration. The pulses typically are one second in length. On receipt of a<br />
raise/lower pulse, the generating units under AGC control are expected to<br />
change their output MW by a pre-determined amount.<br />
300 Units which do not have remote MW setpoint capability in their governors will<br />
execute a power change based on the pulse width (time that the pulse is active)<br />
of the raise or lower pulse provided by the <strong>IESO</strong>’s AGC controller. The pulse<br />
74 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
4. Operational Metering Equipment & AGC<br />
width is used to change the position of the unit‟s power control device – usually<br />
a hydraulic gate or a steam turbine governor valve. The resulting power change<br />
may not be exactly what was intended by the AGC controller. During the next<br />
pass of the AGC controller (typically every 2 seconds) the error will be detected<br />
and a further adjustment made by the AGC controller to all the units<br />
participating in AGC.<br />
301 Units which have MW controllers with remote MW setpoint capability can<br />
choose to use either a pulse width to raise or lower the MW setpoint value or<br />
they can chose to use a direct MW setpoint value provided by the <strong>IESO</strong>’s AGC<br />
controller. A direct MW setpoint value is preferred because it eliminates any<br />
error in converting the pulse width into a MW value. This specification applies<br />
to those units that have a MW controller with remote MW setpoint capability.<br />
A typical block diagram of the entire AGC control loop is shown in Figure 4-1<br />
below.<br />
Issue 21.1 – March 15, 2010 - estimated Public 75
4. Operational Metering Equipment & AGC IMO_MAN_0024<br />
Figure 4- 1 Block Diagram of Typical AGC Control Arrangement for Generation units With<br />
Remote MW Setpoint Control Capability<br />
302 The information necessary to control the generation facility under the terms and<br />
conditions of the AGC contract will reside and operate in the EMS according to<br />
the existing control schemes.<br />
303 It is the market participant’s responsibility to protect their equipment from<br />
damage due to erroneous pulses or spurious signals that may cause the<br />
equipment to operate beyond its designed parameters, regardless of how these<br />
signals were generated or transmitted.<br />
304 Two models of RTU have been qualified for use by the <strong>IESO</strong> for AGC. These<br />
are GE models D20/200 and D25 RTUs.<br />
76 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
4. Operational Metering Equipment & AGC<br />
Issue 21.1 – March 15, 2010 - estimated Public 77
5. Market Applications IMO_MAN_0024<br />
5. Market Applications<br />
5.1 Market Application Systems Information<br />
5.1.1 Overview of Dataflow Systems<br />
305 The figure below provides an overview of the dataflow from the market<br />
participants to the <strong>IESO</strong> systems. The following paragraphs also provide<br />
technical details of various market applications and application interfaces. It is<br />
not intended to provide procedural information, being outside the purview of<br />
this document. Procedural information is available in the relevant market<br />
manuals.<br />
78 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
5. Market Applications<br />
Energy Bids & Offers (Gen, Ld, Imp, Exp)<br />
Energy Schedules (Int, Slf, NonD)<br />
Bilaterals<br />
Operating Reserve Offers (Gen, Imp, Load)<br />
Standing Bids for Energy, OR & Sched<br />
SUBMIT, REVISE, DELETE, REVIEW<br />
Revenue Metering System<br />
Market <strong>Participant</strong>s<br />
Market Results:<br />
Accepted Amounts<br />
Clearing Prices<br />
Acceptance of Submission<br />
Transaction Code<br />
Errors if any<br />
Invoices<br />
CR- Reports<br />
HandOff for MV-Star<br />
Data Requests<br />
Energy Bids & Offers<br />
OR Offers<br />
Schedules<br />
Contracts<br />
MIS System<br />
Financial Bids & Offers<br />
Standing Bids<br />
SUBMIT, REVISE, DELETE, REVIEW<br />
Interface System (MIM*)<br />
Accepted Amounts<br />
Clearing Prices & Volumes<br />
Constraints<br />
Shadow Prices?<br />
Accepted Amounts<br />
Schedules?<br />
EMS System<br />
Public Information<br />
System Forecasts<br />
System Status<br />
Market Prices & Volumes<br />
MIS Constraints<br />
FEM Schd & Prc<br />
RTEM Schd & Prc<br />
OR Schd & Prc<br />
CR Schd & Prc<br />
BIlaterals<br />
RTEM Prc Crvs<br />
OR Prc Crvs<br />
RTEM Zonal Prc<br />
OR Zonal Prc<br />
Invoices<br />
CR Reports<br />
Commercial Reconciliation<br />
Market <strong>Participant</strong>s<br />
&<br />
Public Info<br />
Figure 5-1: Overview of Dataflow from the MP to <strong>IESO</strong> systems<br />
5.1.2 Bidding Application<br />
306 The Market Information Management (MIM) system at the <strong>IESO</strong> is responsible<br />
for receiving market participant bids and schedules, and then publishing market<br />
results. Commercial settlement reports and invoices may be downloaded via the<br />
<strong>IESO</strong> Reports Web Server. The market participant may communicate with the<br />
system using three mechanisms:<br />
a. Through a Default <strong>IESO</strong> provided GUI using Web Page based Forms;<br />
b. Through a Default <strong>IESO</strong> provided GUI by uploading and downloading ASCII data files;<br />
and/or<br />
c. Through a programmatic interface via an <strong>IESO</strong> provided API (IDK).<br />
Issue 21.1 – March 15, 2010 - estimated Public 79
5. Market Applications IMO_MAN_0024<br />
Bidding Templates<br />
Template Format<br />
Template File Structure<br />
307 There will be upwards of 25 data template file formats for submitting and<br />
downloading data. All template files are simple Comma Separated Text (CST)<br />
files containing only ASCII characters with no hidden formatting information.<br />
308 These CST files will be subject to validation. The extension of the file is NOT<br />
important as the file format described in the data template and validation rule<br />
documents, which are located on the <strong>Technical</strong> Interfaces page of <strong>IESO</strong>‟s Web<br />
site, determines whether the file is accepted. Three types of validation rules are<br />
recognized, which consist of: syntax validation, technical feasibility checks,<br />
and commercial acceptability checks. Invalid data will be rejected with the<br />
appropriate error messages being posted to the sender.<br />
309 A single transmission file may contain one or more bids. The entire file will be<br />
considered as one transaction. Each file must have a file header with<br />
information common to the entire file. The file header can be followed by one<br />
or more bids. Each bid begins with a bid header followed by one bid body. The<br />
file header defines the application process and in some cases the market process<br />
and the data that is common to bids that belong to the transaction. Data<br />
associated with a bid is entered into a data template in a predefined structure.<br />
Rules for Submitting Data & Using Template Files<br />
310 Except where otherwise mentioned, the following rules are common to all the<br />
data template files:<br />
a. A template file is a simple comma separated text file containing only ASCII characters. No<br />
hidden formatting information is allowed.<br />
b. PM keyword in the file header indicates that the transaction is targeted for the physical<br />
market. The FM keyword in the file header indicates that the transaction is targeted for the<br />
Financial Market.<br />
c. RTEM, SCHEDULE, BILATERAL, OPER_RESV or CAP_RESV keyword in the<br />
transaction header of PM template file indicates that the transaction is targeted for the realtime<br />
energy market, real-time schedule market, bilateral contract market, operating reserve<br />
market or the capacity reserve market respectively. The DAEFM keyword in the transaction<br />
header of FM template file indicates that the transaction is targeted for the day-ahead<br />
financial market. The above markets may contain all 24 hours data or data for a range of<br />
hours or just the data for a particular hour.<br />
d. The Bid_Type field describes the type of resource submitting the bid/offer. The following<br />
keywords, and their assigned definitions, are used within the context of these templates:<br />
GENERATOR: A generation resource located within the <strong>IESO</strong>-controlled grid in<br />
Ontario.<br />
LOAD: A load located within the <strong>IESO</strong>-controlled grid in Ontario.<br />
INJECTION: A generation resource located outside Ontario. Can also be considered as<br />
imports by <strong>IESO</strong>.<br />
80 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
5. Market Applications<br />
OFFTAKE: A load located outside Ontario. Can also be considered as exports by<br />
<strong>IESO</strong>.<br />
e. Standard time will be used for the date fields. There will be no 23-hour short days and no<br />
25-hour long days. All days will have 24 hours.<br />
f. Blank lines are permitted in the data files, and are ignored. White space is also ignored.<br />
Comma is used as the only data field separator.<br />
g. Comment lines must begin with \\. Comments can also be added at the end of a data line but<br />
it must be preceded by \\. Any text following \\ will be interpreted as comment and will be<br />
ignored. Comments cannot extend past across multiple lines unless each line begins with a<br />
\\.<br />
h. A semi-colon is a record terminator. It will be used as a file header, bid header, and bid<br />
body delimiter. The record terminator is not needed for those records that are comment<br />
lines. A data record must be on a single line. There is no maximum length for a line in an<br />
incoming file so long as a record terminator is specified for record termination. The record<br />
terminator signals the end of the record instead of the end-of-line character.<br />
i. The asterisk character is used to separate multiple bids/offers in a single file. The asterisk<br />
character should be used before and after each bid, which can contain up to 24 hours of<br />
data.<br />
j. All data information in a given template must be included in exactly the same order as<br />
listed. Any additional information or omissions will be considered as an error and will be<br />
rejected.<br />
k. An optional field can have a value or null. If a value has been entered, it will take<br />
precedence over the default value. All fields are mandatory if not specified otherwise.<br />
Optional fields are denoted with field names enclosed within [square brackets] in the<br />
template definitions.<br />
l. All mandatory fields must have values entered. If there is no data for a particular field then<br />
NULL value should be submitted. For example, „value1,,value2‟ contains a NULL value<br />
between value1 and value2.<br />
m. Each tuplet of data, as in the case of (Price, Quantity) or (RampBreakQuantity, RampUp,<br />
RampDown) must be enclosed within parentheses. The entire set of tuplets, i.e. the curve<br />
itself, must be enclosed within curly brackets. For the RTEM, the Price/Quantity data for<br />
an hour or range of hours can have up to 20 tuplets of values with a minimum of two<br />
tuplets. For Energy Ramp Rate tuplets, the maximum is 5 tuplets with a minimum of 1<br />
tuplet. Whatever the number of tuplets is, the data must be included first within parenthesis<br />
and then within curly brackets. As an example „1, {(23.50,0), (23.50,70)}‟ means that the<br />
price curve for 1AM has a two P, Q pairs.<br />
n. A shorthand notation can be used for specifying bid data that does not change across a<br />
contiguous range of hours. The format of the shorthand notation is „x-y‟ for an hour field<br />
and „{(p1, q1), (p20, q20)}‟ for a price curve, where x and y are the start and end hours that<br />
have the same value or the same curve. As an example, the shorthand notation „1-5, 70‟<br />
implies that the value 70 is valid for all hours from 1 AM through 5AM. This shorthand<br />
notation is valid for incoming bids. This data, once received, will be stored on a per hour<br />
basis. This also implies that outgoing data will be given on an hourly basis.<br />
o. When using shorthand notation the hours must be in ascending order only. If there are any<br />
overlaps the records are invalid and will be rejected. As an example<br />
Issue 21.1 – March 15, 2010 - estimated Public 81
5. Market Applications IMO_MAN_0024<br />
1-5<br />
7-10<br />
2-3 will be rejected<br />
1-5<br />
7-10<br />
6 will be rejected<br />
p. Rejected records will be identified to the market participant through a report created at the<br />
end of the transmission, identifying the rejected records and the reason for rejection.<br />
q. Output data templates may use the letters 'N/A' to indicate that the data value is not<br />
available.<br />
r. Data that is in the form of text strings must be entered within double quotes (i.e. “ ”). Such<br />
data cannot have double quotes embedded within it. For example field „other_reason‟,<br />
which is a text string should be submitted within double quotes (i.e. “ ”).<br />
s. All bid submission templates can be used for download purposes also. The valid bid data<br />
that will be downloaded will be in a similar format as it is during an upload. As mentioned<br />
above, hour ranges will not be used to download data but on a per hour basis. The<br />
downloaded data can be updated/modified, if needed, and then resubmitted without having<br />
to make any formatting changes.<br />
Bid Data Validation<br />
311 There is no sequence, template files can be submitted at any time. Submissions<br />
are checked for date and all other validations. Submissions for bids in the<br />
mandatory window must be made not later than 10 minutes before the<br />
mandatory hour closing.<br />
312 Data coming in to the Market Operating System (MOS) is subject to validation.<br />
Three types of validation rules are recognized: syntax validation, technical<br />
feasibility checks, and commercial acceptability checks. Invalid data will be<br />
rejected with the appropriate error messages being posted to the sender.<br />
313 Bids/offers submitted during the mandatory or restricted window will require<br />
<strong>IESO</strong> operator approval/rejection. In case of acceptance of a bid/offer that is<br />
submitted during the mandatory/restricted window and which exceeds the<br />
change tolerances, the <strong>IESO</strong> operator will communicate the decision to the<br />
market participant as a system log message. This bid/offer will then also be<br />
included in the valid bid report. If the bid is rejected by the Exchange<br />
Coordinator, the decision is communicated to the market participant via a<br />
system log message.<br />
Template Description and Samples<br />
314 All sample data templates (described below) and associated data sample files<br />
are provided at the <strong>IESO</strong> Web site under <strong>Technical</strong> Interfaces (Market<br />
<strong>Participant</strong> Submissions) for viewing or downloading. Comment lines may be<br />
included within the template to explain its structure. Comments are not<br />
required in the actual templates. Data values are included to illustrate the<br />
structural characteristics. Since these values were randomly chosen, there may<br />
not be a logical consistency across the data fields. In addition, some data, such<br />
as Market participant ID and Resource ID have been edited for confidentiality<br />
reasons.<br />
82 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
5. Market Applications<br />
The Energy Template is used to specify the bids or offers for various resources like generators,<br />
loads, off-takes and injections. This template can be used for data submission in any window<br />
and can be used to view the energy data. These will be version sensitive and new versions<br />
will be available to all Market participants when available. Older versions cannot be used<br />
when a new version is issued.<br />
The Bilateral Contract Template is used to specify the hourly amount exchanged between<br />
two Market participants. This template can also be used to view the bilateral contract data.<br />
Real Time Energy Schedule Template is used to specify the schedules for various<br />
resources. Market participants will use this template to send their schedule data to the <strong>IESO</strong>.<br />
This template can also be used to view the schedule data. This template can be used by<br />
market participants that are:<br />
Self-scheduling generators, or<br />
Intermittent generators<br />
Operating Reserve Template is used by market participants to send their bid/offer data to<br />
the <strong>IESO</strong>. It can also be used to view the operating reserve data. All operating reserve<br />
ancillary service data loading use the same template. There are 3 types of Reserves<br />
supported and they are 10-min Non-Spin Reserve, 10-min Spin Reserve & 30-min Reserve.<br />
The Capacity Reserve Bid Template is used to send bid/offer data to <strong>IESO</strong>. This template<br />
can also be used to view the bid/offer data.<br />
Note: The Capacity Reserve Market is not yet implemented.<br />
Public Market Information, which is available on the <strong>Technical</strong> Interfaces page of <strong>IESO</strong>‟s<br />
Web site, is used by Market participants to view the public market information and/or the<br />
market results.<br />
Private Market <strong>Participant</strong> Information, which is available via through the MPI or API is<br />
used by market participants to view their dispatch information.<br />
315 Although the <strong>IESO</strong> is not bound to rigorously follow any particular ISO<br />
standard it recognizes the benefit of taking some of them into account. ISO<br />
9001 regulations are considered in the attempt for achieving quality interfaces.<br />
5.1.3 Settlements Application<br />
316 The current Commercial Reconciliation system produces settlement statements.<br />
The <strong>IESO</strong> Funds Administration (FA) applications group produces invoices.<br />
Market participants have the ability to review and/or download the invoices<br />
through the <strong>IESO</strong> Reports web server. Settlement statements are similarly<br />
available through the <strong>IESO</strong> Reports web server.<br />
317 Detailed information regarding the precise format of settlement statement files<br />
and supporting data files is detailed on the <strong>Technical</strong> Interfaces page of <strong>IESO</strong>‟s<br />
Web site.<br />
318 Further information regarding charge type calculations may be found on the<br />
<strong>Technical</strong> Interfaces page of the <strong>IESO</strong>‟s Web site.<br />
Issue 21.1 – March 15, 2010 - estimated Public 83
5. Market Applications IMO_MAN_0024<br />
Settlement Statement Files<br />
319 The settlement statement files and supporting data files contain settlement<br />
amounts and the underlying data used in those calculations for a market<br />
participant. The data included mostly pertains to a particular trading date (the<br />
primary trade date), but it may also contain missing charges from prior trading<br />
dates. Content, field usage, and format are detailed, in “Format Specification<br />
for Settlement Statement Files and Data Files”, and may be found on the<br />
<strong>Technical</strong> Interfaces page of the <strong>IESO</strong>‟s Web site.<br />
320 Some general notes about the statement files are listed below:<br />
Market participants will download the files through the <strong>IESO</strong> Reports web server.<br />
The timeline for generating the preliminary and final statements for the financial and physical<br />
markets is detailed in the “Settlement <strong>Manual</strong>”. In general terms however, their issuance is<br />
based on a business day timeline rather than on a calendar day timeline and is specifically<br />
governed by:<br />
The <strong>IESO</strong> Settlement Schedule & Payment Calendar (“Market Rules” Ch. 9 Section 6.2,<br />
“Market <strong>Manual</strong> 5: Settlements Part 5.1: Settlement Schedule and Payment Calendars<br />
(SSPCs)”); and<br />
Any emergency procedures that may have to be invoked by the <strong>IESO</strong> under the <strong>IESO</strong><br />
“Market Rules”.<br />
The companion data files are issued following the same timeline as the Statement Files.<br />
84 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
5. Market Applications<br />
RT Preliminary<br />
Settlement<br />
Statement<br />
EFM/TR<br />
Preliminary<br />
Settlement<br />
Statement<br />
RT<br />
Preliminary<br />
Settlement<br />
Statement<br />
File<br />
RT<br />
Preliminary<br />
Data File<br />
EFM/TR<br />
Preliminary<br />
Settlement<br />
Statement<br />
File<br />
RT Final<br />
Settlement<br />
Statement<br />
EFM/TR Final<br />
Settlement<br />
Statement<br />
RT Final<br />
Settlement<br />
Statement<br />
File<br />
RT Final<br />
Data File<br />
EFM/TR<br />
Final<br />
Settlement<br />
Statement<br />
File<br />
Real-time Market Settlement Statements and Data Files<br />
Energy Forward Market Settlement Statements and Data Files<br />
(including TR auction settlement)<br />
Figure 5-2: Schematic Overview for Settlement Statements and Data Files<br />
321 The preliminary settlement statement provides each market participant with an<br />
opportunity to review all settlement amounts that have been calculated for a<br />
particular trading day and raise a notice of disagreement if necessary. After a<br />
predetermined notice of disagreement period, a final statement is generated.<br />
322 Information regarding the format of the settlement statement files and<br />
supporting data files is provided in, “Format Specification for Settlement<br />
Statement Files and Data Files”.<br />
Settlement Statement Supporting Data Files<br />
323 The timeline for issuing the preliminary and final data files for a given trading<br />
date are detailed in the “Settlement <strong>Manual</strong>”. In general terms however, their<br />
issuance is based on a business day timeline rather than on a calendar day<br />
timeline and is specifically governed by:<br />
The <strong>IESO</strong> Settlement Schedule & Payment Calendar (“Market Rules” Ch. 9 Section 6.2,<br />
“Market <strong>Manual</strong> 5: Settlements Part 5.1: Settlement Schedule and Payment Calendars<br />
(SSPCs)”); and<br />
Any emergency procedures that may have to be invoked by the <strong>IESO</strong> under the <strong>IESO</strong><br />
“Market Rules”.<br />
Issue 21.1 – March 15, 2010 - estimated Public 85
5. Market Applications IMO_MAN_0024<br />
With each set of settlement statement files, each market participant will receive a data file.<br />
Each data file will correspond to a statement, and will have the same settlement statement<br />
ID.<br />
The data contained in the supporting data file provides each market participant supporting<br />
data that is used in calculating the preliminary settlement for a particular trading date in the<br />
physical market. The final settlement data file contains the supporting data that is used in<br />
calculating the final settlement.<br />
5.1.4 Application Interfaces<br />
324 The Market Information Management (MIM) site is one of the Web sites that<br />
allow the market participant to interface with the <strong>IESO</strong>. Specifically, the MIM<br />
represents the secure internet-based client gateway to functionality provided by<br />
the <strong>IESO</strong> energy bidding system.<br />
325 The market participants can interact with the MIM using the following two<br />
methods:<br />
Internet Explorer browser. The browser is GUI based and interprets tag languages such as<br />
HTML. It allows client interaction through the keyboard/mouse; and<br />
MIM Client API (IAPI). The API emulates the functions of the browser. It allows Clients<br />
programmatic access to the MIM functionality using third party applications.<br />
326 Application Interface (API) code will allow market participants to customize<br />
their interface to interact with the <strong>IESO</strong>. Using the Java interface, these API‟s<br />
provide access to MIM. They act as wrappers to validate and normalize<br />
parameters passed to the MIM system through Java class libraries. It is these<br />
same class libraries that also run within the Communicator browser<br />
environment and are fetched when the secure MIM site is first visited. These<br />
library routines provide the following functionality:<br />
Template Upload;<br />
Template Download;<br />
System Message Download; and<br />
Market Status Download; and<br />
327 To support platform independence, as of IDK 1.46 a Java interface is supported<br />
by the <strong>IESO</strong>. To download the latest version of the IDK visit the <strong>Technical</strong><br />
Interfaces page of the <strong>IESO</strong>‟s Web site.<br />
328 Also, client-side certificates will be required to access the MIM. An API, such<br />
as SSL, will be necessary to establish the SSL session with the MIM Web<br />
server.<br />
329 In summary the following hardware/software recommendations are made :<br />
Minimum 128 MB of system memory;<br />
Intel based PC running Windows XP SP2, or higher;<br />
Java 2 Runtime Environment at a minimum as shown on the “<strong>IESO</strong> Supported Client<br />
Platform” Web Page. This contains the required JVM and runtime classes;<br />
Internet Explorer to download the IAPI bundle; and<br />
86 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
5. Market Applications<br />
Client-side digital certificates and the software to establish a secure (e.g. SSL) session with<br />
the MIM server.<br />
330 Detailed information on these functions can be found in the “<strong>IESO</strong> Developer's<br />
Toolkit (IDK), Implementation <strong>Manual</strong>” which is available at on the <strong>Technical</strong><br />
Interfaces page of <strong>IESO</strong>‟s Web site. It provides details of the following six<br />
functions:<br />
Login to MIM;<br />
Upload Bids;<br />
Download Bids;<br />
Download System Messages; and<br />
Download Market Status Information.<br />
5.2 Funds Administration<br />
5.2.1 HTML and Text File Invoices<br />
5.2.2 E-mail<br />
331 Invoices will be distributed to the market participants via XML, HTML or text<br />
files hosted on the <strong>IESO</strong> Reports web server The market participant using any<br />
standard web browser over the web can view these XML, HTML or text files.<br />
The market participant can also download and save the XML, HTML or text<br />
file and print the invoice.<br />
332 Descriptions of the XML and text file invoice may be found in the technical<br />
interface document entitled, “Text File Invoice Format Specification”.<br />
333 Emailing of invoices and statements will not be available as an option.<br />
5.2.3 Fund Transfers<br />
334 Banks used by the market participants must have electronic funds transfer<br />
capability. Electronic funds transfer is a computerized mode for payment and<br />
withdrawal used in transferring funds from the market participant’s bank<br />
account to the <strong>IESO</strong> and vice versa.<br />
335 There are 3 types of electronic funds transfer used by banks including EDI,<br />
Wire Transfers, and pay-only electronic funds transfer (Direct Deposit). The<br />
amount of information passed to the <strong>IESO</strong> with each of these types of payment<br />
is different. The short time frame within which the <strong>IESO</strong> is required to remit<br />
payment to the credit side of the market makes it important to identify the<br />
source and relevant invoices associated with payments made to the <strong>IESO</strong> as<br />
quickly as possible. The EDI and Wire transfer approaches to electronic funds<br />
transfer provide the <strong>IESO</strong> with sufficient detail to make identification possible.<br />
Pay-only electronic funds transfer (Direct Deposit), however, can not provide<br />
the <strong>IESO</strong> with the needed information. The <strong>IESO</strong> is therefore requesting market<br />
Issue 21.1 – March 15, 2010 - estimated Public 87
5. Market Applications IMO_MAN_0024<br />
participants using pay-only electronic funds transfer to send a fax to the <strong>IESO</strong><br />
Finance Department with the details of the payment provided (market<br />
participant name, invoice number(s), amount of payment).<br />
– End of Section –<br />
88 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
Appendix A: Forms<br />
Appendix A: Forms<br />
This appendix contains a list of the forms and agreements associated with <strong>Participant</strong> <strong>Technical</strong><br />
<strong>Reference</strong> <strong>Manual</strong>. These are available on the <strong>IESO</strong> public Web site on the Market Entry Page. The<br />
forms and agreements included are as follows:<br />
Form Name<br />
<strong>IESO</strong> Certificate Subscriber Request Form<br />
<strong>IESO</strong> Certificate Subscriber Registration Officer Request<br />
Form<br />
<strong>IESO</strong> Certificate Subscriber Agreement<br />
Form Number<br />
IMO_FORM_1276<br />
IMO_FORM_1277<br />
IMP_AGR_0016<br />
– End of Section –<br />
Issue 21.1 – March 15, 2010 - estimated Public A–1
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
Appendix B: List of Commonly Used Acronyms<br />
Appendix B: List of Commonly Used<br />
Acronyms<br />
ANSI<br />
AGC<br />
API<br />
BES<br />
BOC<br />
Bps<br />
DAEFM<br />
DMI<br />
DSU<br />
EDI<br />
EMS<br />
FIS<br />
GUI<br />
ICCP<br />
ICG<br />
IEEE<br />
<strong>IESO</strong><br />
IP<br />
ISO<br />
IT<br />
KB<br />
Kbps<br />
LAN<br />
MB<br />
Mbps<br />
MIM<br />
MMP<br />
MPI<br />
MSP<br />
MW<br />
NERC<br />
OS<br />
PC<br />
PSTN<br />
PKI<br />
PLC<br />
RTU<br />
RTEM<br />
SCADA<br />
American National Standards Institute<br />
Automatic generation control<br />
Application Program Interface<br />
Bulk Electricity System<br />
Backup Operating Center<br />
Bits per second<br />
Day Ahead Energy Financial Market<br />
Desktop Management Interface<br />
Digital Service Unit<br />
Electronic Data Interchange<br />
Energy Management System<br />
Financial Information Systems<br />
Graphical User Interface<br />
Inter Control Center Protocol<br />
<strong>IESO</strong>-Controlled Grid<br />
Institute of Electrical and Electronics Engineers<br />
Independent Electricity System Operator<br />
Internet Protocol<br />
International Standards Organization<br />
Information Technology<br />
Kilobytes<br />
Kilobits per second<br />
Local Area Network<br />
Megabytes<br />
Megabits per second<br />
Market Information Management<br />
Metered Market <strong>Participant</strong><br />
Market <strong>Participant</strong> Interface<br />
Meter Service Provider<br />
megawatts<br />
North American Electric Reliability Council<br />
Operating Systems<br />
Personal Computer (IBM compatible)<br />
Public Switched Telephone Network<br />
Public Key Infrastructure<br />
<strong>Participant</strong> Life Cycle or Registration System<br />
Remote Terminal Unit<br />
Real-Time Energy Market<br />
Supervisor Control and Data Acquisition<br />
Issue 21.1 – March 15, 2010 - estimated Public B–1
Appendix B: List of Commonly Used Acronyms<br />
IMO_MAN_0024<br />
TCP<br />
UPS<br />
URL<br />
VAr<br />
Transmission Control Protocol<br />
Uninterruptible Power Supply<br />
Uniform Resource Locator<br />
Volt-Ampere-Reactive<br />
– End of Section –<br />
B–2 Public Issue 21.1 – March 15, 2010 - estimated
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
<strong>Reference</strong>s<br />
<strong>Reference</strong>s<br />
DNP 3.0 Subset Definitions<br />
Java 2 Runtime Environment<br />
Market Rules<br />
Document Name<br />
Market <strong>Manual</strong> 3: Metering; Part 3.0: Metering Overview<br />
Market <strong>Manual</strong> 1: Market Entry, Maintenance & Exit; Part<br />
1.3: Identity Management Operations Guide<br />
Format Specifications for Settlement Statement Files and<br />
Data Files<br />
Market <strong>Manual</strong> 5: Settlements Part 5.0: Settlements<br />
Overview<br />
Market <strong>Manual</strong> 5: Settlements Part 5.1: Settlement Schedule<br />
and Payment Calendars (SSPCs)<br />
Market <strong>Participant</strong> Graphical User Interface User‟s Guide<br />
<strong>IESO</strong> Portal User Interface User‟s Guide<br />
<strong>IESO</strong> Developer's Toolkit (IDK), Implementation <strong>Manual</strong><br />
Web Based Message Exchange – Market <strong>Participant</strong>‟s Guide<br />
Document ID<br />
Non-<strong>IESO</strong> (www.dnp.org)<br />
Non-<strong>IESO</strong> (http://java.sun.com/)<br />
MDP_RUL_0002<br />
MDP_MAN_0003<br />
IMP_GDE_0088<br />
IMP_SPEC_0005<br />
MDP_MAN_0005<br />
MDP_PRO_0031<br />
IMO_GDE_0003<br />
<strong>IESO</strong>_GDE_0209<br />
IMO_MAN_0023<br />
IMP_MAN_0031<br />
– End of Document –<br />
Issue 21.1 – March 15, 2010 - estimated Public <strong>Reference</strong>s–1