Version: 24.03

Architecture documentation

Certificate Management kit banner

Certificate Management KIT

Introduction and Goals

This architecture documentation should foster an understanding on how to utilize the BPDM certificate management KIT effectively. How to integrate the KIT or mainly the API into the application and make use of it.

This Kit covers various aspects, starting from how utilize the available API Endpoints, the used data models and how to make them available to the Catena-X network.

A solution provider should make the following information available for their customers:

Get all certificates available for a specific BPN - business partner number
Get a specific certificate (certificate type - e.g. IATF) based on the BPN
Get just the simple information whether a provided company based on the BPN is certified for a specific certificate type (true or false)
Get the certificate document (e.g. the PDF file)
Get a list of all available certificate types

A solution provider should be able to receive a certificate by a customer:

Provide certificate data
Provide a new certificate type

Additional Information Material:

Visit BPDM on the official Catena-X Website: bpdm_catenax_website

Goals Overview

The following goals have been established for this system:

Priority	Goal
1	Enable network-based data sharing for business partner certificates to increase overall data quality and reliability
2	Enable also Small and medium-sized Businesses (SMEs) to use the services
3	Provide a change history for business partner certificate data

Requirements Overview

⚠️ Note: Cross-Check with CACs

certificate_management_diagram

Quality Goals

Priority	Quality Goal	Scenario
1	Security	All users and services which access the Application must be authenticated and authorized. Consuming services/users are only allowed to read data. In addition they are only allowed to read the specific data that belongs with this, the Data Sovereignty principles of Catena-X has to be fulfilled
2	Integrity	All changes must be traceable and must be able to be rolled back
3	Legally	No natural persons are allowed to get uploaded and stored. For all other uploaded Business Partner data it is mandatory that users (CX Members) can only see their own uploaded certificate data and that it is not possible to draw conclusions about other business partner relationships
4	Integrity & Correctness	It must be ensured that the data of the certificate record which is created during the process is correct.
5	Reliability	The Golden Record Application is a central foundation in the Catena-X Network. It provides all participants and services, business partner data and the unique Business Partner Number (BPN) as identifier. Therefore the BPDM Certificate Management Service must be always/highly available
6	Functional Stability	Since the Golden Record Application is a central foundation in the Catena-X Network the defined standards of the API and datamodel for the associated Release Version must be fulfilled
7	Sensitivity of data	The uploaded business partner certificate data is highly sensitive, that's why it must be ensured that no unauthorized user/system can access data which does not belong to it. More over it must be guaranteed that no one can see the business partners related to the specific Catena-X Member.

Architecture Constraints

Constraint ID	Constraint	Description
C-1	Software and third party software must be compliant to the Catena-X and Eclipse Foundation Guidelines/Policies eclipse_foundation
C-2	Eclipse Dataspace Connector must be used for data transfer between different legal entities

System Scope and Context

Business Context

The following figure depicts the business context setup for :

Certificate_business_context

The following are the various components of the business context setup:

Master Data Management (Catena-X Member)

A backend system thats operated by a company / sharing member (e.g. Tier-1) which is participating in the Catena-X Ecosystem and consuming digital services or data assets.

Catena-X Portal/Marketplace (CX Portal)

The Portal which provides an entry point for the Catena-X Members, to discover Apps that are offered in Catena-X.

Catena-X BPDM Certificate Management Application

The Application which offers services to Catena-X Members and Catena-X Use Cases for consuming and processing business partner certificate data.

Solution Strategy (High Level Picture)

The following high level view gives a basic overview about Components:

Certificate_business_context

BPDM Certificate Management

The BPDM Certificate Management provides the interfaces for Catena-X Members to manage their business partner certificate data within Catena-X.
For the current reference implementation, multi-tenancy is realized via a 1:1 deployment for each Catena-X Member. This means that every Catena-X Member who shares his business partner certificate data, has its own persistence.

Keycloak Authentication & Autorization Flow

Runtime View

Upload Business Partner Certificate

The diagram below describes the flow of uploading a business partner certificate.

For further information about the different certificate types, please have a look on the Standards CX - 00135 Business Partner Number

Query Certificate by Business Partner Number

Check Certificate availability by Type and Business Partner Number

Deployment View

Applications Deployment without Kubernetes

Single Application Kubernetes Deployment

Crosscutting Concepts

Business Partner Certificate Management Standards

bp_cetificate_management_standards

Logging Behavior

As Spring Boot applications Business Partner Certificate Management employs Spring specific logging behavior

We enhance the default log entries with user request information including the determined user ID and a generated request ID. Not all logs belong to an ongoing user request in which case these entries are empty.

In addition to the Spring standard logs the Business Partner Certificate Management applications keep a log of the following events:

INFO: User requesting resource with resource name and HTTP verb
INFO: Request HTTP response
INFO: Update/Create Business Partners Certificate Types
INFO: Creating Business Partner Certificate
ERROR: Uncaught exceptions occurring in the service logic

Quality Requirements

see: Quality Goals

Risks and Technical Debts

Open EDC Questions

What capabilities will be provided in the future?
How to deal with APIs provided behind an EDC? Swagger documentation cannot be seen by the requesting service?
How can we authorize and authenticate a User/System with individual permissions after it passes the EDC?
Will there by a Proxy EDC concept?
...

Certificate Management KIT​

Introduction and Goals​

Goals Overview​

Requirements Overview​

Quality Goals​

Architecture Constraints​

System Scope and Context​

Business Context​

Master Data Management (Catena-X Member)​

Catena-X Portal/Marketplace (CX Portal)​

Catena-X BPDM Certificate Management Application​

Solution Strategy (High Level Picture)​

BPDM Certificate Management​

Keycloak Authentication & Autorization Flow​

Runtime View​

Upload Business Partner Certificate​

Query Certificate by Business Partner Number​

Check Certificate availability by Type and Business Partner Number​

Deployment View​

Applications Deployment without Kubernetes​

Single Application Kubernetes Deployment​

Crosscutting Concepts​

Business Partner Certificate Management Standards​

Logging Behavior​

Quality Requirements​

Risks and Technical Debts​

Open EDC Questions​