Security within the PASI Core is managed at 3 levels.

1. PASI Client Authentication
2. Role Based Authorization
3. Student Association

All levels are supported with the use of client certificates and the submission of Caller Information. Before any system can connect to the PASI Core, a valid digital certificate must be registered with the PASI Core. Registration of a certificate enables a PASI Client to:

• Access a specific set of PASI Core Environments (e.g. Beta, Conformance, or Production),
• Represent a specific set of Organizations, typically a specific School Authority or School, and
• Access specific services based on role assignments.

To request or register a security certificate, the following steps must be performed:

1. Security Certificate Request
2. Security Certificate Approval and Generation
3. Security Certificate Download and Installation

All requests for new security certificates or to register an existing security certificate must be done using Alberta Education’s extranet Certificate Registration site. To access this site use the following URL:

https://extranet.education.alberta.ca/Ae.CertificateRequest/

There are two options that can be used to request a new security certificate or register an existing security certificate. Chose the option based on the user’s organization:

• Submit PASI Client certificate request and registration for Software Provider
• Submit PASI Client certificate request and registration for School or School Authority

Once the above selection has been made, security certificate request details must be specified. Details include:

Once the above details have been entered, the request is submitted and an automated email is sent to PASI Business support team notifying them that a security certificate request has been submitted and is waiting for approval.

For detailed security certificate request instructions see the following document: https://extranet.education.alberta.ca/Ae.CertificateRequest/Content/Alberta%20Education%20-%20Client%20Certificate%20Request%20and%20Registration%20Guide.pdf

The review, approval, and generation of all security certificate requests must be done using Alberta Education’s extranet Certificate Approval site. The PASI Business Support team will review all security certificate requests and contact the security certificate requestor to determine required and allowed PASI service functionality (roles). Once roles have been determined, the PASI Business Support team will forward the approved request to the PASI Technical Support team. The Technical Support team will setup the new security certificate using information contained within the emailed security certificate request including the following:

• Certificate Type (Software Vendor, School/School Authority)
• Requestor/Client Name
• Requestor/Client Description
• Certificate Effective and Expiry Dates
• Certificate Details
• Allowed Roles
• Provider Associations

Once the security certificate has been setup, the security certificate request will be approved. The PASI Technical Support team will then send an approved security certificate email to the security certificate requestor . The approved security certificate will be attached to the email.

Installation of approved security certificates can be done using the following Alberta Education certificate installation site. To access this site use the following URL:

• [http://education.alberta.ca/pki/]

There are three steps in the security certificate installation process.

1. Copy the approved Certificate to the required machine(s). Approved security certificate will be attached to the email received from the PASI Technical team.
2. Configure the machine(s) to accept Alberta Education security certificates using installation wizards:
   • Alberta Education Root Authority Certificate
   • Trusted Root Certificate Authorities
3. Install the approved certificate.

For detailed security certificate installation instructions, see the following document: [https://extranet.education.alberta.ca/Pasi.CertificateRequest/PASI%20Client%20Certificate%20Installation%20Guide.pdf]

Every time a PASI Client requests to use a PASI Core service, they must provide their digital certificate (and other information) as part of the request. The PASI Core will review the digital certification to ensure the PASI Client has been registered and that the digital certificate is still valid. This is done by looking at the Issuer and Serial Number of the certificate passed in the HTTP Headers from the load balancer. If PASI doesn't find this combination in the PASI database the request will be rejected* with one of the following rules.

The following validation rules (by rule number) are used in the authentication of a PASI Client:

• Rule 1001 - Certificate Not Registered
• Rule 1002 - Certificate Disabled
• Rule 1003 - PASI Client Disabled
• Rule 1004 - Invalid Certification Information
• Rule 1006 - Invalid IP Address
• Rule 1007 - No Access to Service Requested
• Rule 1008 - Invalid Organization Code

* Ministry systems that integrate with PASI have the option to have their certificate automatically renew instead of doing this manually once per year like external consumers. This is done by the calling system using functionality in the Ae.dll. The Ae.dll uses the client certificate associated to the application identity. The system must register the certificate so the Ae.dll logs the first time per environment with PASI. When this certificate expires Ae.dll requests a new certificate from the GOA Certificate Authority server and uses this to call the PASI services. If PASI doesn't find the Issuer and Serial number combination registered in its database it will look at the certificate issuer authority on the request if this authority is a white-listed certificate authority. If the new certificate is not from a white-listed certificate authority the request will be rejected. If it is a white-listed certificate authority PASI will look for a matching DigitalCertificate record for the Subject name (CN), white-listed authority and it is marked as “AutoRewable”. If this combination is found PASI will register the new certificate in the DigitalCertificate table and allow the request through. The list of white-listed certificate authorities can be found in the web.config.

Once reviewed, the PASI Core can be reasonably sure that the system requesting to use a PASI Core service is a system that is known to the PASI Core.

Each certificate is assigned a series of Roles when the certificate is registered. These roles identify which service the particular PASI Client is allowed to call. For example, there are a number of services that can only be used by other Alberta Education systems.

The PASI Core will determine if the certificate being used, entitles the PASI Client that is using it to access the requested service. If the PASI Client does not have access, the request will fail based on validation rule 1007.

The PASI Core contains personal information about every ECS to Grade 12 student within the province of Alberta. As a result, access to this information needs to be limited. Just because a PASI Client has access to use a service within the PASI Core, doesn’t mean they have access to use it for every student. A Student Association between the PASI Client and the student needs to be established before many of the PASI Core services can be used.

• PASI Core does not call PASI Clients. All communication with PASI Clients is initiated by the client.
• PASI Client presents a client certificate when calling a PASI Core service. This certificate must have been previously registered with PASI Core and expires after 14 months.
• The public key length of the client certificate issued by Alberta Education is 1024 bits but may be increased in the request by modifying the .inf request file.
• Communication between the PASI Client and PASI Core application server is through the BIG-IP Load Balancer (BIG-IP). Clients can not connect directly to a PASI Core server.
• Communication between the PASI Client and BIG-IP is over HTTPS.
• Communication between BIG-IP and the PASI Core application server is over HTTP. BIG-IP is responsible for checking the validity of the certificate (Alberta Education root certificate is installed in the BIG-IP certificate bundle). Certificate information is passed from BIG-IP to PASI Core via HTTP headers (PASI only trusts this information from BIG-IP)
• Based on the certificate information PASI determines what services and data the client may access. If a client does not have access to a service PASI Core will reject the request. If the client attempts to access data on a service that it has access to but does not have access to the specific data the request will be rejected.
• If the client has access to the service and data being requested PASI Core will return a response with the data specific for that called service.