TSL-Editor: SMP workflow (for configurations management, powered by e-SENS)
Aug 01, 2016
1. Introduction
Under the "File" option in the menu bar, you can find the "SMP" option, which will open a new window where you can perform all tasks related to the new central services based on Service Metadata Publishing (SMP).
In this new window, you'll be able to:
Generate SMP files signed by the scheme operator from a previously created TSL file (green rectangle in the picture below);
Upload SMP files signed by a scheme operator to an SMP server (yellow rectangle in the picture below).
2. Generate SMP files signed by the scheme operator from a previously created TSL file
To generate signed SMP files from a TSL file you should:
Choose the previously created TSL file;
Choose the XML file of the International Search Mask of your country;
Choose the folder where SMP files will be stored;
Check the "Sign SMP files" checkbox;
Choose a keystore (JKS file) and provide its password;
Enter the alias and password of the private key that will be used to sign the files;
Click on the "Transform" button.
A confirmation dialog will pop up, prompting the scheme operator to confirm that he wants to apply his signature (ideally, a QES) to the content of the different SMP files:
Note: Currently, only XML Digital Signatures are supported. Further discussion/development is needed before a XAdES signature can be applied.
After confirmation, the files will be generated. As a result, a folder named CC (with "CC" being the uppercase two-letter country code of your country, e.g., LU for Luxembourg, MT for Malta, etc.) can now be found under the chosen output folder, containing the SMP files for the services declared by the TSL file. The following files may be found, depending on the TSL file configuration:
Identity_Provider_CC.xml
International_Search_Mask_CC.xml
Order_Service_CC.xml
Patient_Identification_Service_CC.xml
Patient_Service_CC.xml
VPN_Gateway_A_CC.xml
VPN_Gateway_B_CC.xml
Consent_Service_Put_CC.xml
Consent_Service_Discard_CC.xml
Dispensation_Service_Initialize_CC.xml
Dispensation_Service_Discard_CC.xml
The signature that is applied is the scheme operator's and it is stored under the Endpoint/Extension element of the file. So, even if those SMP files contain a Signature element, they are not SignedServiceMetadata but just ServiceMetadata (see following sample file). The SignedServiceMetadata will be created when the SMP server applies its signature to the uploaded file.
3. Upload SMP files signed by a scheme operator to an SMP server
Before trying to upload SMP files, you need to ask the SMP administrator to register your country in the SMP server, providing the following identifier:
ehealth-actorid-qns::urn:ehealth:<cc>:ncpb-idp
<cc> should be replaced by the lowercase two-letter code for your country (e.g., for Malta it would be: ehealth-actorid-qns::urn:ehealth:mt:ncpb-idp). Upon request, you'll be provided with your username and password.
It's only possible to upload SMP files representing ServiceMetadata, not SignedServiceMetadata. The latter is created by the SMP server itself by applying its own signature to the file.
To upload the generated SMP files to an SMP server you should:
Choose the folder where the SMP files are stored;
Select the desired SMP files to upload;
Enter the SMP server URL in the form of "http://...";
Provide the username and password of an SMP user with upload privileges;
If the upload is successful, a dialog must be displayed showing the status of the operation as well as URLs pointing to the country's available resources in the SMP server. You'll be provided the following resources:
Service Group: resource that contains the list of service metadata for a country;
Signed Service Metadata: resources that describe each of the services published by a country.
These resources can be retrieved in a RESTful way by means of an HTTP GET operation (you can simply paste the URL in the browser).
The SMP files retrieved from the server MUST have 2 signatures:
1) The remote scheme operator signature (applied in the Endpoint/Extension element);
2) The SMP server signature, applied to the ServiceMetadata (making it a SignedServiceMetadata).
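The signature placement described in sections 2 and 3 can be checked on a file before upload and again on the document retrieved from the server. The following Python check is an added example, not part of the TSL-Editor or of the original page; it only confirms that Signature elements are present where expected and does not validate them cryptographically. The function names, the urn:example:smp namespace used in the constructed samples, and the assumption that the SMP server signature is a direct child of the root element are illustrative.

```python
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}Signature"  # W3C XML-DSig element

def local(tag):
    """Element name without its namespace."""
    return tag.rsplit("}", 1)[-1]

def check_smp(xml_text, stage):
    """stage is 'upload' (file from the TSL-Editor) or 'retrieved' (GET from the
    SMP server). Returns a list of problems; empty means the structure is as
    described. Signature values are NOT cryptographically verified here."""
    if "<!DOCTYPE" in xml_text:
        return ["DTD present; refusing to parse"]
    root = ET.fromstring(xml_text)
    want = "ServiceMetadata" if stage == "upload" else "SignedServiceMetadata"
    problems = []
    if local(root.tag) != want:
        problems.append(f"root is {local(root.tag)}, expected {want}")
    # Scheme operator signature: under Endpoint/Extension of every endpoint.
    endpoints = [e for e in root.iter() if local(e.tag) == "Endpoint"]
    if not endpoints:
        problems.append("no Endpoint element")
    for n, ep in enumerate(endpoints, 1):
        exts = [c for c in ep if local(c.tag) == "Extension"]
        if not any(x.find(f".//{DSIG}") is not None for x in exts):
            problems.append(f"Endpoint {n}: no scheme operator signature")
    # SMP server signature: assumed to be a direct child of the root element.
    has_server_sig = root.find(DSIG) is not None
    if stage == "retrieved" and not has_server_sig:
        problems.append("no SMP server signature")
    if stage == "upload" and has_server_sig:
        problems.append("already carries a server-level signature")
    return problems

# Constructed samples (placeholder namespace, empty Signature elements).
SIG = '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"/>'
def sample(root, operator_sig, server_sig):
    ext = f"<Extension>{SIG}</Extension>" if operator_sig else ""
    body = f"<Endpoint>{ext}</Endpoint>"
    if root == "SignedServiceMetadata":
        body = f"<ServiceMetadata>{body}</ServiceMetadata>"
    return f'<{root} xmlns="urn:example:smp">{body}{SIG if server_sig else ""}</{root}>'

if __name__ == "__main__":
    print(check_smp(sample("ServiceMetadata", True, False), "upload"))
    print(check_smp(sample("SignedServiceMetadata", True, True), "retrieved"))
    print(check_smp(sample("SignedServiceMetadata", False, True), "retrieved"))
```

An empty list means the document has the expected shape for that stage; the signatures themselves still need to be validated with an XML-DSig implementation against the scheme operator's and the SMP server's certificates.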