...
Ceremony description | RA Ceremony / CA Ceremony (Key Change Over) / RA Merger / RA Move |
---|
Date and time for the ceremony | |
Status for the ceremony | In progress / completed |
Date and time for the activation, switchover and revoke | |
Status for the activation, switchover and revoke | In progress / completed |
References | |
Resources bank and TSP:
Role | Name | Contact information |
---|
Key custodian | | |
Other | | |
Resources
...
BankID:
Role | Name | Contact information |
---|
Coordinator | | |
PKI | | |
App |
...
Definitions:
Ceremony | The physical meeting with all necessary participants. This is when the new RA certificate is created in the red zone. |
Activation | When the new certificate is activated on the BankID side. This is usually done at a different time from the ceremony. |
Switchover | When the traffic is switched from the old CA to the new CA. This is usually done within 24 hours of the activation, but can also be done separately. |
Before the ceremony:
Step | Description | Responsible | Task | Deadline | Status | Documents and notes |
---|
1) Set up internal routines | The respective TSP or Bank is required to have internal routines in place for the move or merger of RAs. | TSP or Bank | - Needs to be described from the TSP/Bank side
- Send it to: as@bits.no
Decide the following:
- How to deal with the OTP tokens
- End user impact
- Information to end users
- How to deal with logs and how/who to archive (admin logs for certificates)
Note that the TSP or Bank is responsible for handling the end user certificates through the whole process, including revocation of old certificates. | | In progress / completed | |
2) BITS Approval | The respective TSP or Bank will require BITS approval for the following move or merger before ordering an RA ceremony. | TSP or Bank | | | completed | Information from BITS about the process: BankID - Migrering - Prosess for migrering av bank til ny CA.pdf |
3) | The respective TSP or Bank has to create and send a formal order to BankID, either as a signed or as an electronically signed document, signed by the TSP or Bank. | TSP or Bank | This order should contain:
New RA:
- Detailed information about the CA
- Approval from BITS (from step 2)
Move or merger of RA:
- The purpose of the move or merger of the mentioned RA
- Detailed move or merger from and to what CA
- Approval from BITS (from step 2)
Sign it electronically and create a ticket here with the signed document attached. | | In progress / completed | |
4) | The respective TSP or Bank has to fill out the required order forms and send them to BankID signed before or during the RA ceremony. A copy must be sent before the RA ceremony. | | - TSP/Bank fills out the required order form.
- Send a copy before the RA ceremony by creating a ticket here. | | In progress / completed | Order form templates can be found here: Order forms and information; Misc forms for BankID Support |
5) Make sure that the prerequisites are in order | RA XML request and Primary CAO token "Dongle": The RA XML request must be created on the TSP system, for example through the HAT tool. The Primary CAO token is normally stored in a safe at the respective TSP (CA responsible). The respective Key Custodian for the TSP is responsible for carrying and bringing the RA XML request and the Primary CAO token "dongle" to the RA ceremony. | Key custodian for TSP | - Create an RA XML request on the TSP system, for example through the HAT tool.
- Make sure that the USB stick is new and unused
- Make sure that the Key Custodian has approved identification such as a passport or driver's license (if the Key Custodian is a non-Norwegian citizen, they must bring their passport) | | In progress / completed | |
6) RA ceremony coordination | Check that everything is in place and coordinate the ceremony and switchover with all stakeholders. | BankID | Check that the following is in place before going further:
- BITS approval - If not provided by the TSP or Bank, contact BITS and verify
- Formal Order
- Signed order forms:
  - Naming of RA (Required)
  - Revoke RA XML Request (Optional)
- TSPs Primary CAO token
- TSPs/Bank RA XML Request
If all is in place, all stakeholders align and agree on date and time for the following:
- 1. RA ceremony
- 2. Activation of New RA XML Sign Certificate
- 3. Switchover
- 4. Revoke RA XML (Optional)
Normally steps 2, 3 and 4 happen within the same 24h. | | In progress / completed | |
7) | BankID will send out a meeting invite for the ceremony and the switchover. | BankID | Create and send out the invitation to all stakeholders. The invitation should contain, but is not limited to:
- Purpose and description
- Date
- Time
- Duration
- Virtual Meeting Link or Address
- Attendees and contact points
- Information on what to bring | | In progress / completed | |
Ceremony:
The Key Custodian for the respective TSPs is on-site with their Primary CAO token and the RA XML sign request.
Step | Description | Responsible | Task | Deadline | Status | Documents and notes |
---|
8) Pre RA ceremony check | BankID will greet the participants and check that all is OK for moving on with the ceremony. | BankID | - Participants need to sign in and out
- All necessary resources are in place
- Key Custodian ID check is done by the SO
- USB virus scan is done manually before the High secure room (USB stick that contains the RA XML Sign request)
- All required documentation is in place
- Note that RA naming order forms are to be stored in the BankID High secure room
- Important that it is the original document (not scan or copies). When the documentation is signed with electronic signing, then the document is to be stored in the BankID high secure room | | In progress / completed | |
9) | BankID is to perform the RA ceremony | BankID | BankID will guide the key custodian through issuing of the new RA XML/SSL certificate(s). The key custodian will need to oversee that the changes made are according to the documentation. | | In progress / completed | |
After the ceremony:
Step | Description | Responsible | Task | Deadline | Status | Documents and notes |
---|
10) Request activation | TSP/Bank needs to send a request to BankID | TSP and Bank | - Write a request for activation of New RA XML Sign certificate(s) in BankID.
- The request needs to contain the following:
  - Time for the activation
  - Which originator(s) to activate
  - Which CA it concerns
- Create a ticket here | | In progress / completed | |
11) Activation and switchover coordination | BankID will coordinate the switchover with all stakeholders. | BankID | BankID will coordinate with the required resources. If not already set, agree on the date and time for:
- 1. Activation of New RA XML Sign Certificate
- 2. Switchover
- 3. Revoke RA XML (Optional)
Normally happens within the same 24h. | | | |
12) Activation | BankID is to activate the new certificates: activation of New RA XML Sign certificate(s) in BankID COI. This is normally done during the same day as the switchover. | BankID | Activate the new RA XML Sign certificate(s) in BankID. Performed by AO with PKI involved. | | In progress / completed | |
13) Certificate check | Check that the certificate is working | TSP and Bank | TSP/Bank needs to check that the newly activated certificate is working towards ODS. Check that the new certificate has access to display the existing certificates on the old CA. | | | |
14) Switchover and revoke | Plan and implement the switchover and revoke. This is normally done at midnight 00:00. | TSP, Bank and BankID | - TSP/Bank: Write a request for switchover of the issuing CA in BankID. Include the time wanted for this. Create a ticket here
- BankID:
  - Do the switchover
  - Those who perform the switchover will inform the TSP/Bank by phone when it has been done
- TSP/Bank: Run test case sets to verify
- TSP/Bank: If successful, move to the next step
- BankID: If unsuccessful, investigate and resolve, then move to the next step
- BankID: If unsuccessful and not possible to fix, do a rollback
- Bank/TSP: When rollback is done, run test case sets to verify
- (optional. If not done, the certificate will be active on the old CA until it expires) Bank/TSP: Send an order for revoke of the old RA XML Sign certificate in BankID by creating a ticket here
- (optional) BankID: Revoke the old certificate | | In progress / completed | Order form templates can be found here: Misc forms for BankID Support |
15) Renewals | Renewals of end users, merchants etc. As decided in step 1. | TSP and Bank | - Bank renews end user BankID certificates
- Bank asks merchants to renew merchant BankIDs using HAT
- Possible change of OTP Service by adding a new and then removing the old for each Banklagret BankID
This is best done outside of peak hours to reduce the risk of latencies. | | In progress / completed | |
Input from Knut Erik?