Skip to end of metadata
Go to start of metadata

You are viewing an old version of this content. View the current version.

Compare with Current View Version History

« Previous Version 7 Next »

Introduction

CoLT API v3 is a multitenancy web service. A tenant is an instance that is isolated from other instances and has its own data and configuration.

Endpoints are URLs providing access to the web services allowing certificate enrollment and issuance.

Homologation endpoint

https://homo-panel.certisur.com:5443/<tenant>/api/v3

Production endpoint

https://panel.certisur.com:5443/<tenant>/api/v3

The API is designed to establish a communication channel via SSL Client Authentication, so when establishing the HTTPS channel, you must present a valid client certificate as part of the authentication mechanism.

Additionally, the user and password must be presented. The values assigned have the following format (ask CertiSur for the values assigned to your company)

Operations and notation

Every operation is accessed via a specific URL. The endpoint contains a <tenant> value.

  • Each organization that uses this service will access its own proprietary console via its <tenant>. Please, ask CertiSur for the value assigned to your organization. Eg <tenant>="acme"

List of <operations>

  • sessions

  • individuals

  • requests

  • passcodes

  • revokes

  • certificates

Example: https://homo-panel.certisur.com:5443/acme/api/v3/individuals/

where “acme” is the name of the tenant.

The following sections describe in detail each operation, along with its input and output parameters.

Authentication

User authentication

POST

<tenant>/api/v3/auth/sign_in/

Input parameters

BODY

{
    "email":"{{colt_be_admin_user}}",
    "password":"{{colt_be_admin_password}}"
}

Response

HEADER

access-token

client

uid

Each new request to the WS requires to include in the headers those parameters returned as HTTP response headers during the authentication with email and password.

New HTTP response headers are returned with each order, and those headers should be used as an authentication mechanism in the next request.

You can find additional information on managing tokens in Appendix I – Authentication Token

Individuals

Obtain data from an individual. A parameter is passed to it and it returns all the individuals that match the indicated parameter. If no parameter is passed, it returns all the individuals.

POST

<tenant>/api/v3//individuals/search

Input parameters

It is possible to search by null and use wildcards (%) to retrieve a specific set of individuals. Ej

BODY

individual: {
   first_name: "%ri%",
   company_attributes: { name: "Musim%"  }
}

All the possible fields:

:individual = (
     :national_number, 
     :national_number_type, 
     :first_name, 
     :last_name, 
     :email, 
     :company_attributes: {
         :name,
         :national_number
      },
      :birthdate, 
      :address, 
      :country, 
      :phone
  )

Response

BODY

Individual Data

Index (GET)

url = <endpoint>/individuals/ (GET)

USE: Obtain a list of the last 10 individuals loaded.

Params:

Params = none

+:authentication_header

Return:

List of the last 10 loaded individuals

Return = headers(:access_token, :token_type, :client, :expiry, :uid)

Create (POST)

url = <endpoint>/individuals/ (POST)

USE: Individuals creation

Params:

Params = 
  :national_number, 
  :national_number_type, 
  :first_name, 
  :last_name, 
  :email, 
  :birthdate,
  :address, 
  :country, 
  :phone, 
  :company_attributes:{:name,:national_number}, 
  :field_0
  …
  field_5

+:authentication_header

Required fields: 
  :national_number, 
  :national_number_type, 
  :first_name, 
  :last_name, 
  :email

national_number_type values accepted: DNI, CI, etc. depending on tenant configuration.

Return:

Return = The individual is created and is returned its associated data

Return = headers(:access_token, :token_type, :client, :expiry, :uid)

Example:

individual[first_name]=Ruben&
individual[last_name]=Garcia&
individual[national_number]=20987390&
individual[national_number_type]=DNI&
individual[email]=rhgarcia%40example.com

Obs.: If a user exists with the same "national_number_type" and "national_number" an error with code 5105 returns:

{
    "code": "5105",
    "description": "Ya existe un individuo con este número y tipo de identificador"
}

Requests

Create (POST)

url = <endpoint>/requests/ (POST)

USE: Create requests for the individuals.

Params:

"individual" = {
    "id", 
    "national_number_type", 
    "national_number", 
    "first_name", 
    "last_name", 
    "email",
    "birthdate", 
    "address", 
    "country", 
    "phone"
  )

"request" = {
    "field_1", 
    "field_2", 
    "channel_policy_id", 
    "approve"
  }

"policy" = {
    "name"
  }

+:authentication_header

The individual parameters work in the same way as the individuals search.

The content of field_1 is CUIT number with no dashes.

The content of field_2 is CONDITION

The content of the channel_policy_id field contains the identifier number of the Policy Keystore to assign to the request.

approve=true => Approves the Request in one step. Otherwise, it is left pending to approve manually through the Administration Panel

If the policy_name is not sent, the request is created without associated policy

Return:

The request is created for the individual and the data with which it was created is returned

Return = headers(:access_token, :token_type, :client, :expiry, :uid)

Example:

individual[last_name]=Gimenez%20Zapiola&
individual[email]=gomugomu%40example.com&
requests[field_1]=30707894435&
requests[approve]=true&
policy[name]=bolsas_comercio_g2

Request + Mechanism

Create

POST

<tenant>/api/v3/requests/

Input parameters

It works the same way as the creation of normal requests but with the addition of the following parameters:

BODY

"request": {
    ...
    "mechanism":"onboarding" | "autoenroll",
    "mobile_number":"+nnnnnnnnnnnnn"
    "approve": "true" | "false"
}

Response

It returns, if successful a normal request, with the addition of an origin_request in this way:

BODY

{
    "id",
    "request": { ... },
    "app_name",
    "origin_request_id",
    "onboarding_request_id",
    "onboarding_status",
    "token",
    "mobile_number",
    "first_name",
    "last_name",
    "enroll_url"
}

with origin_request_id the id to be used by other requests, mobile_number first_name, last_name can change in the OnBoarding process and those returns will have precedence.

enroll_url is the URL to redirect the user in order to enroll for his certificate.

Show (GET)

It returns a request along with its data for origin_requests the same way as returned by CREATE.

GET

<tenant>/api/v3/requests/{{origin_request_id}}

Update (PUT)

url = <endpoint>/onboardingrequests/ (PUT)

USE: It sends the result of the onboarding process in order to approve or reject a request.

Params:

:origin_request = (
    :id,
    :onboarding_request_id,
    :onboarding_status,
    :first_name,
    :last_name,
    :mobile_number,
    :national_number_type,
    :national_number
  )
  
+:authentication_header

id it’s the origin_request_id sent to identify the request.
onboarding_request_id it’s the OnBoarding id returned by the start request,
onboarding_status could be "autenticado" or "no autenticado"
first_name the individual first name that could have been changed.
last_name the individual last name that could have been changed.
mobile_number mobile phone number,
national_number_type document type (it doesn’t change),
national_number document number (it doesn’t change)

Passcodes

Create (POST)

url = <endpoint>/passcodes/ (POST)

USE: Create Passcodes associated with a Request (request) for an Individual. When making a new invocation, it will generate a new Passcode no matter than the previous one is still enabled and without use.

Params:

:request=(:id)

+:authentication_header

Return:

The passcode tied to the request is created and the associated passcode data is returned.

Return = headers(:access_token, :token_type, :client, :expiry, :uid)

NOTE: If the request is executed two or more times on the same request (: id), it will generate a new pair of keys associated with each request

{
"passcode_status": "enabled",
"pin_postal": "PHBXFE8H",
"pin_email": "ZK99NUY4"
}

Revokes

Create (POST)

url = <endpoint>/revokes/ (POST)

USE: Create a certificate revocation request

Params:

:certificate=(:serial),
:policy=(:name),
:revoke=(:revocation_reason, :approve),
:individual=(
    :id, 
    :national_number_type, 
    :national_number, 
    :first_name, 
    :last_name, 
    :email, 
    :birthdate, 
    :address, 
    :country, 
    :phone
  )
  
+:authentication_header

All the parameters are optional. The system will look for the certificates that match all the provided filters. It is recommended to send more than one parameter to limit the response to the specific individual and desired certificate.

Alternative values for revocation_reason:

  • ‘Replace’

  • 'Key compromise'

  • 'CA compromise'

  • 'Affiliation changed'

  • 'Superseded'

  • 'Cessation of operation'

  • 'Certificate hold'

  • 'Remove from CRL'

  • 'Privilege withdrawn'

  • 'AA compromise'

  • 'Unspecified'

Return:

If there is only one valid and non-expired certificate matched with the applied filters, a revocation request is created and returned. When success, the revoke created is returned along with HTTP code 200

Return = {:id, :revocation_reason, :status, :policy_name, :individual_name, 
          :certificate{:serial,:data}}

Return = headers(:access_token, :token_type, :client, :expiry, :uid)

Example:

In case of error code ERROR_CREATE_REVOKE (5106) is returned along with an HTTP code 400:

Return = { "code": "5106", "description": "..." }

Return = headers(:access_token, :token_type, :client, :expiry, :uid)

Possible description values:

  • No certificate has been found matching the filter provided

  • More than one certificate match the filter provided

  • Not enough privileges to revoke a certificate belonging to the policy <policy_name>

  • There is already an open revoke

If you have more than one valid certificate matching the filter provided, the method returns an error description stating that several certificates comply with the filter. You must refine your search.

Example:

Search (POST)

url = <endpoint>/revokes/search (POST)

USE: return revoked certificates data

Params:

:from_date=(:fecha_desde),
:to_date=(:fecha_hasta),

+:authentication_header

from_date and to_date fields format is: AAAA-MM-DD example: “2019-02-26”

Return:

Return = :id, :revocation_reason, :status, :policy_name, :individual_name, :certificate(:serial)

Return = headers(:access_token, :token_type, :client, :expiry, :uid)

NOTE: The verification of the revocation status for a specific certificate must be done through the Certificates search

Alternative values for revocation_reason:

  • 'Replace'

  • 'Key compromise'

  • 'CA compromise'

  • 'Affiliation changed'

  • 'Superseded'

  • 'Cessation of operation'

  • 'Certificate hold'

  • 'Remove from CRL'

  • 'Privilege withdrawn'

  • 'AA compromise'

  • 'Unspecified'

{"revoke":{
      "id":1,
      "revocation_reason":"Unspecified",
      "status":"enabled",
      "policy_name":"bolsas_cereales_g2",
      "individual_name":"Juan Vinsmoke", 
      "serial":"3BCDBA3H7QWMM8B962607"
   }
}

Certificates

Search (POST)

url = <endpoint>/certificates/search (POST)

USE: returns Individual certificate data

Params:

:certificate= (:serial, :id, :from_date, :to_date),

:policy=(:name),

:individual=(:id, :national_number_type, :national_number, :first_name, :last_name, :email, :birthdate, :address, :country, :phone)

+:authentication_header

from_date and to_date fields format is: AAAA-MM-DD example: “2019-02-26”

Return:

= Certificate data

Return = headers(:access_token, :token_type, :client, :expiry, :uid)


{"certificates": [
    {
      "id": 20,
      "serial": "22190A2193BCE48A3D05B9CA67911094",
      "subject_dn": "/O=Bolsa de Comercio de Rosario/OU=ROSARIO G2/OU=  Empresa - 2017031705/OU=Documento – DNI16000000/CN=BCR Blanco/emailAddress=bcrblanco@bcr.com.ar",
      "issuer_dn": "/C=AR/O=Bolsa de Comercio de Rosario/OU=Symantec Trust Network/OU=FOR TEST PURPOSES ONLY/CN=TEST Autoridad Certificante Bolsa de Comercio de Rosario – G2",
      "not_before_date": "2017-09-17T00:00:00Z",
      "not_after_date": "2018-09-17T23:59:59Z",
      "individual_id": 4,
      "policy_id": 2,
      "created_at": "2017-09-17T20:33:23Z",
      "status": "valid"
    }
  ]
}

Alternative values for “status”: ‘R’evoked, ‘E’xpired, ‘V’alid

Index (Get)

url = <endpoint>/certificates/ (GET)

USE: Returns the last 20 issued certificates

Return:

Data of the last 20 certificates issued

Return = headers(:access_token, :token_type, :client, :expiry, :uid)

Authentication Description

The following information can be useful to understand the protocol used to authenticate each endpoint.

​Appendix I – Authentication Token

The Web Services authentication process is based on the token management documentation published in:

GitHub - lynndylanhurley/devise_token_auth: Token based authentication for Rails JSON APIs. Designed to work with jToker and ng-token-auth.

About token management

Tokens should be invalidated after each request to the API. The following diagram illustrates this concept:


During each request, a new token is generated. The access-token header that should be used in the next request is returned in the access-token header of the response to the previous request. The last request in the diagram fails because it tries to use a token that was invalidated by the previous request.

The only case where an expired token is allowed is during batch requests.

About batch requests

By default, the API updates the auth token for each request. But sometimes it's necessary to make several concurrent requests to the API, for example:

Batch request example

$scope.getResourceData = function() {

  $http.get('/api/restricted_resource_1').success(function(resp) {
    // handle response
    $scope.resource1 = resp.data;
  });
  $http.get('/api/restricted_resource_2').success(function(resp) {
    // handle response
    $scope.resource2 = resp.data;
  });

};


In this case, it's impossible to update the access-token header for the second request with the access-token header of the first response because the second request will begin before the first one is complete. The server must allow these batches of concurrent requests to share the same auth token. This diagram illustrates how batch requests are identified by the server:


The "5 second" buffer in the diagram is the default used this API.

The following diagram details the relationship between the client, server, and access tokens used over time when dealing with batch requests:

Note that when the server identifies that a request is part of a batch request, the user's auth token is not updated. The auth token will be updated for the first request in the batch, and then that same token will be returned in the responses for each subsequent request in the batch (as shown in the diagram).

  • No labels