Exchange Network FAQ

From Exchange Network Wiki



Exchange Network General

What is the Exchange Network?

The Environmental Information Exchange Network (Exchange Network) is a secure, Internet-based approach to exchanging data among partners (e.g., states and EPA). Using eCommerce technologies, data standards and agreed-upon templates for packaging data, Exchange Network participants control and manage their own data, while making it available to partners via requests over a secure Internet connection.

You may also want to read some history about what is known today as the Environmental Information Exchange Network here.

There are a number of documents and presentations that were created to answer this question in detail, such as the Exchange Network Blueprint Report and Exchange Network Nodes at a Glance. Although some of these documents are dated, due to specification changes, they can still be a valuable resource in understanding the evolution of the Exchange Network.

The diagram below depicts the basic structure of the Exchange Network.

What are the benefits of the Exchange Network?

The short- and long-term benefits of the Exchange Network are described in a presentation given at the Spring 2003 Network Knowledge Meetings. The benefits are summarized here:

  • Allows access to more current information
  • Sets the stage for the broader exchange of information to include non-regulatory partners
  • Provides for more timely, reliable, standardized and consistent data exchanges between Partners
  • Provides an opportunity to reduce current reporting burden
  • Enhances potential for data integration
  • Gives agencies more control over their own data, and the ability to tailor others' data to their use
  • Trading Partners select and maintain their own web service infrastructure

How do I participate in the Exchange Network?

Participation in the Exchange Network is focused primarily on the sharing of data among trusted partners through an electronic connection. States can build an electronic connection to the Network (or "node") to publish or retrieve data necessary to support environmental protection and safeguard public health. Technical, policy and support activities have been organized to support building out this new way of exchanging data among EPA, states and others.

How do I connect my Agency and its data to the Network?

The Network relies on an emerging technology called web services to foster the seamless exchange of data. While web services rely on many technical components to achieve these exchanges - including XML and schema - they also require States and EPA to have a sophisticated connection to the Network called a "Node." A node is a web server that facilitates the interface between back-end database systems and the Network. It is an entity's "point of presence" on the Exchange Network.

States and EPA building the Network strongly recommend that participating states and others in the Network build a "node" which can both request (or "consume") data from the Network as well as "publish" data to the Network in response to requests from other Network nodes. However, some states have chosen to begin with a simpler version called a node client, or "client" before moving to a "node" later. A client can request data from other nodes but it does not actively listen and respond on its own to requests for data from other nodes or clients on the Network. It can still push data to the Network but that activity would be driven internally rather than at the request of other Network partners' nodes or clients.

States and EPA have developed several node and client configurations (see client and demonstrated node configurations below). As other states develop successful configurations, we will make an effort to publish them and make them available for download as well. The CDX and Exchange Network technical teams strongly advise all node builders to take advantage of these configurations because they are free, they are proven solutions and they will further your progress (and cost savings!) greatly whether you have chosen to develop a node or just start with a client.

What tools and resources are available to simplify my node development project?

What is the Node Test Tool?

The test tool, which is also referred to as the test site, is a Web site used for testing your node before connecting it to the Exchange Network. The test site is part of the Exchange Network tool box found at the Exchange Network Web site. If you wish to test your node, contact the Network Help Desk at nodehelpdesk@csc.com to obtain a user ID and password to access the site. Once you gain access, the test site will prompt you through a series of tests to confirm your node's readiness to go live on the Exchange Network.

What is a DNC (Demonstrated Node Configuration)?

DNC stands for Demonstrated Node Configuration. The team that built EPA's Central Data Exchange Node, a fully functional node on the Exchange Network, has developed DNCs, which contain a reusable web services tier that can be used by other Node builders to quickly establish Node communication.

What Different Clients are available and how do I get one?

My question is not answered anywhere in the Exchange Network FAQ. Who can help Me?

The CDX/Network Help Desk is available for any Network or Node-building question. By telephone, call our toll-free line between the hours of 8:00 a.m. and 6:00 p.m. EST at 888-890-1995 (Select Option 2). By e-mail, send support requests to nodehelpdesk@csc.com

We will either answer your question directly or put you in touch with someone who can help you.

Security

What is the Network Authentication Authorization Service (NAAS)?

The Network Authentication Authorization Service (NAAS) is a set of security web services that the Central Data Exchange (CDX) centrally hosts and that is remotely administered by the State and EPA Node Network Administrators. The NAAS provides free security services for identity management, user authentication, user authorization, and access control policy management.

Why should I use NAAS? How does my node benefit from it?

One of the most important tasks in developing a Network node is to make sure it is secure. Web services are a powerful and flexible technology for exchanging information on the Internet, but they carry some of the same security risks and requirements that all web-based applications have. Our experience shows that developing a security subsystem for a Network node requires more than 50% of total project resources. By using NAAS, you can leverage your resources and focus on node-specific functions, like mapping your data to schemas. The CDX and Exchange Network technical teams strongly advise all node builders to take advantage of the NAAS, because it is free, it is a proven solution, and it will make your node capable of much greater functionality, including features such as single sign-on. The NAAS will also greatly simplify the process of upgrading Node security as needed and will in many cases require node builders to make little or no modifications themselves.

Can I use my security model in conjunction with NAAS?

Yes. A node can choose any other security model or existing security infrastructure to authenticate a user. This is very similar to local authentication or authorization, where users can only access resources provided by a single node. However, in order to perform data exchanges with other nodes in the Network, a Network node must be capable of validating security tokens issued by NAAS. In many situations, a user may simply log in at NAAS and then use the obtained security token to conduct data exchanges with other nodes. NAAS simplifies the authentication process and facilitates single sign-on (SSO) in the Exchange Network.

How does the NAAS Authentication Service work? What are the possible scenarios?

NAAS supports two authentication models: Direct Authentication and Delegated Authentication. In the direct authentication model, a user authenticates using NAAS and obtains a security token. The user then uses the token to access a Network node. The Network node performs a requested operation only after the security token is validated using NAAS.

In the delegated authentication model, the user sends an authentication message to a Network node. The node delegates the authentication request to NAAS for processing. Upon successful verification of user identity and credential, NAAS returns a security token to the Network node, and the token is eventually sent back to the caller.

The advantage of delegated authentication is that the user doesn't need to know anything about NAAS at all; the cost is a small performance penalty, because the Network node relays the authentication message to NAAS.

How does Authorization work? What do I need to do to take advantage of Authorization?

In order to take advantage of Network authorization, a Network node must send a Validate message to NAAS when a request is received, and the Validate message must contain a ResourceURI parameter, which identifies the requested resources. (Please see the Network Security Specifications for the format of the ResourceURI parameter). Contact the Network Help Desk for assistance (nodehelpdesk@csc.com).

The authorization process determines who (the subject) can do what (the operation) where (the resource), based on policies put in place by each Node administrator for their own node. NAAS makes decisions based on these policies.

Note that NAAS will not be able to make authorization decisions if the ResourceURI parameter is not provided.
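As an added illustration of the two authentication models and of the Validate call with and without a ResourceURI (this is constructed example code, not the NAAS specification's wire protocol or any Exchange Network software), the toy below issues HMAC-signed tokens and answers Validate calls against per-node policies. The token format, the signing scheme, the policy tuples, the operation names and the "nodeA/..." ResourceURI convention are all assumptions made for the example.

```python
import base64, hashlib, hmac, secrets, time

class ToyNAAS:  # toy NAAS: issues HMAC-signed tokens and answers Validate calls
    def __init__(self):
        self.key = secrets.token_bytes(32)  # signing key known only to NAAS
        self.users = {}     # userId -> password (constructed sample accounts)
        self.policies = {}  # node -> {(userId, operation, resourceURI)} set by its admin

    def add_user(self, user, password):
        self.users[user] = password

    def add_policy(self, node, user, operation, resource_uri):
        self.policies.setdefault(node, set()).add((user, operation, resource_uri))

    def authenticate(self, user, password, ttl=600):
        # Direct authentication: the caller contacts NAAS and receives a signed token.
        if self.users.get(user) != password:
            return None
        body = f"{user}|{int(time.time()) + ttl}"
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return base64.b64encode(f"{body}|{sig}".encode()).decode()

    def validate(self, token, resource_uri=None, operation=None):
        # Validate: verify the token; authorize only when a ResourceURI is supplied.
        try:
            user, exp, sig = base64.b64decode(token).decode().split("|")
        except ValueError:
            return {"authenticated": False}
        good = hmac.new(self.key, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, sig) or int(exp) < time.time():
            return {"authenticated": False}
        if resource_uri is None:  # no ResourceURI: NAAS cannot decide authorization
            return {"authenticated": True, "subject": user, "authorized": None}
        node = resource_uri.split("/")[0]  # toy convention: owning node prefixes the URI
        allowed = (user, operation, resource_uri) in self.policies.get(node, set())
        return {"authenticated": True, "subject": user, "authorized": allowed}

def delegated_login(naas, user, password):
    # Delegated authentication: a node relays the credentials to NAAS for the user.
    return naas.authenticate(user, password)

def node_query(naas, token, operation, resource_uri):
    # A node performs the operation only after NAAS validates token and policy.
    v = naas.validate(token, resource_uri, operation)
    if not (v["authenticated"] and v["authorized"]):
        return "denied"
    return f"{operation} {resource_uri} as {v['subject']}"
```

A Validate without a ResourceURI only authenticates the token and leaves the authorization decision undecided, which is why a node should always send the ResourceURI before acting.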

How do I get a userId?

You can get an account by contacting your state/EPA node administrator. Each node has one or more administrators who can create user accounts for that particular node. Although a user account is associated with a Network node, it may be used to access other nodes if authorized.

NAAS provides simple tools to node administrators for managing user account information. When an account is established, it belongs to the node that the administrator controls, and it cannot be changed or deleted by any other node administrators. Node administrators should refer to the Node Administrator's Guide for further information.

How do I get an administrator account?

Contact the Exchange Network help desk at nodehelpdesk@csc.com to establish an administrative account.

I need to get a Secure Sockets Layer (SSL) certificate for my Node. Which one should I get? Where can I get one?

For SSL operations, you should get a server certificate for your Network node. You can obtain an SSL certificate from either the Exchange Network Certificate Authority or a commercial Certificate Authority (CA). SSL certificates issued by the Exchange Network CA are free. Certificates from a commercial CA can be costly. To get an SSL certificate from the Exchange Network CA, send the following information to the help desk:

  • State Name
  • Locality (City Name)
  • Organization Name
  • Organization Unit
  • Common Name (the server's fully qualified domain name, e.g., naas.epacdxnode.net)
  • Phone Number

The CA will issue an X.509 server certificate when the information is verified.

Dataflows

What is a dataflow?

A dataflow is the Exchange Network terminology for a data collection, such as, but not limited to, the Facility Registry System (FRS), Air Quality System (AQS), or National Environmental Inventory (NEI).

Which dataflows are currently supported by the EPA CDX Node?

What steps do I take to put a flow into production?

What is an FCD?

The Network Flow Configuration Document (FCD) Template identifies and standardizes the minimum information needed by Trading Partners to execute a Flow. Several FCD documents, which adapt the template to specific scenarios, are under development. For instance, a Flow Configuration Document that describes the technical configuration and business processes used to exchange data between the Michigan NPDES/DMR database and the EPA PCS system is currently in draft form. Another FRS-specific FCD is also under development. Check the Exchange Network Web site for periodic updates.

What is the document header and how is it used?

The document header provides information to identify the contents of a data payload. It was developed to further automate the data exchange process so that data can be more readily identified during transport and at its processing destination. Currently, the NEI dataflow supports use of the header, but the generic header format can be extended by modifying or adding elements for use with other data flows.

The document header can describe what a data payload contains, who submitted it and when, as well as instructions on processing payload contents, such as whether the contents are additions, deletions, or updates. The header is independent of payload contents, so no data schema changes are necessary, and header usage by Network Nodes is optional; pass-through can be employed.
