ERCOT API Security Changes
Leo Angele, ERCOT IT
ERCOT Public, May 14, 2019

Agenda
– Infrastructure upgrades in the ERCOT Production environment
– Security updates for API communication

Introduction
This presentation will answer the following questions:
– Who is affected by these changes?
– What is changing in relation to API security?
– How is the handshake-level Client Digital Certificate used in API communication?
– What is the timeline for the API security change?
– What steps do Market Participants need to take for API access?
– What are the risks of not preparing prior to the API security change?

Target Audience
Who is affected by these changes?
– All Application Programming Interfaces (APIs) connecting to ERCOT environments for ERCOT’s External Web Services (EWS), including submissions and Get List/Report functionality, and access to the MarkeTrak API

What API Security Changes?
What is changing in relation to API security?
– ERCOT has identified a configuration issue: the system was not validating, at the TLS handshake level, that API communication is submitted with a valid ERCOT-issued Client Digital Certificate
– ERCOT will implement a configuration change so that API communication must be sent with a valid ERCOT-issued Client Digital Certificate at the handshake level, and each message must also be signed with a valid ERCOT-issued Client Digital Certificate
– These are two independent checks: signing each message does not satisfy the handshake-level check, and presenting a certificate in the handshake does not replace the message signature
– Market Participants that are not currently submitting API communication with a valid ERCOT-issued Client Digital Certificate at the handshake level will see a disruption in service if this is not corrected

API communication
The diagram on this slide (not reproduced in this text version) explains API communication and the use of Client Digital Certificates within the handshake.

Timeline
What is the timeline for the API security change?
– ERCOT’s MOTE/RMTE URLs were configured on March 7, 2018 to facilitate Market Participant testing
– ERCOT has provided testing time in MOTE/RMTE to ensure all Market Participants had adequate time to prepare for the production migration
– All APIs connecting to ERCOT’s Production External Web Services will need to have the API security changes in place prior to May 29, 2019 @ 3:30 PM CDT

Preparation for May 29, 2019
What do Market Participants need to do to prepare?
– Ensure that API communication is sent with a valid ERCOT-issued Client Digital Certificate at the handshake level, and that each message is signed with a valid ERCOT-issued Client Digital Certificate, prior to May 29, 2019 @ 3:30 PM CDT

Validate Existing API Communication
ERCOT can validate a Market Participant’s (MP’s) readiness for May 29th
– Provide your ERCOT Account Manager with the following information:
  – DUNS
  – API EmployeeID
  – Approximate time of API communication to ERCOT
– ERCOT will inspect the API communication for a handshake-level Client Digital Certificate

May 29, 2019 Risks
What are the risks of not preparing prior to the described changes?
– Failure to ensure that API communication is sent with a valid ERCOT-issued Client Digital Certificate at the handshake level before May 29, 2019 will affect the availability of:
  – Programmatic communication with External Web Services (EWS)
    – Application Programming Interface (API) submissions
    – Get List/Report functionality
  – Access to the MarkeTrak API

Questions and Answers
Do I have to revoke/reissue all of my users’ Digital Certificates?
– No. ERCOT is only enforcing that a valid Client Digital Certificate is presented during the handshake.
Does this affect everyone?
– No, only applications currently connecting to ERCOT’s EWS API system and applications receiving ERCOT-issued API Notifications. Access to ERCOT’s secure UIs will not be affected by these changes.
As an IMRE type MP, do we need to take any action on this?
– IMREs typically don’t use an API to query/download data, and they do not make submissions.
What needs to be changed on our side?
– You must ensure that API communication to ERCOT is sent with a valid ERCOT-issued Client Digital Certificate at the handshake level.
I tried connecting to MOTE/RMTE but I could not connect. Do I need a certificate to connect to this environment? If so, how do I get it?
– Yes, you need a MOTE/RMTE certificate to test in the MOTE/RMTE environment (testmisapi.ercot.com, or testmisapi.wan.ercot.com if you are a WAN user). Your USA can issue an appropriate user or API certificate for you.
ERCOT has been making a lot of changes to the API. Are there any other changes coming?
– Yes, ERCOT is currently evaluating the inclusion of TLS 1.2 and the deprecation of the SSLv3, TLS 1.1 and TLS 1.0 protocols.

Additional Security Changes
ERCOT’s production EWS API currently supports only three security protocols for secure communication:
– TLS 1.1
– TLS 1.0
– SSLv3
Deprecation of the SSLv3 protocol (prohibited by RFC 7568 since 2015) is coming in June 2019
Inclusion of the TLS 1.2 protocol is also coming in June 2019
ERCOT’s MOTE/RMTE EWS and MarkeTrak APIs are already configured for testing with TLS 1.2 and without SSLv3
An integration that can only negotiate SSLv3 will lose connectivity in June; one that negotiates TLS 1.0 or 1.1 keeps working for now, but since ERCOT is evaluating deprecation of those versions as well, moving to TLS 1.2 during the MOTE/RMTE testing window avoids a second migration.
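The handshake-level requirement from the "What API Security Changes?" slide and the protocol restrictions on this slide, as an added Go example (this is not ERCOT code and does not model ERCOT's actual EWS implementation): a loopback TLS server that requires a client certificate chaining to a trusted CA and refuses anything below TLS 1.2, probed four ways, with a valid certificate, with no certificate, with a certificate from an untrusted CA, and with a client capped at TLS 1.1. The CA, the server and client certificates, the names "Example Market CA" and "MP-API-CLIENT", and the localhost address are all constructed for the example; message-level signing, the second check the slides describe, is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // fixture generation only; a real issuer returns the error
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints an in-memory ECDSA P-256 certificate for cn, self-signed when parent is
// nil and otherwise signed by parent. All names are placeholders invented for the example.
func issue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, DNSNames: []string{"localhost"},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// probe connects like a Market Participant integration: certs is the client certificate to
// offer (nil for none) and maxVersion caps the protocol version the client offers.
func probe(addr string, roots *x509.CertPool, certs []tls.Certificate, maxVersion uint16) (string, error) {
	cfg := &tls.Config{RootCAs: roots, ServerName: "localhost", Certificates: certs,
		MinVersion: tls.VersionTLS10, MaxVersion: maxVersion} // old versions offered on purpose: the server must refuse them
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	// Under TLS 1.3 a rejected client certificate arrives as an alert after Dial has
	// returned, so only the server's greeting (the CN it saw) counts as accepted.
	var cn string
	_, err = fmt.Fscanln(conn, &cn)
	return cn, err
}

// runScenarios starts a loopback server with the slides' policy (client certificate chaining to
// the trusted CA required at the handshake; SSLv3, TLS 1.0 and 1.1 refused) and probes it four ways.
func runScenarios() (map[string]string, error) {
	ca, rogue := issue("Example Market CA", true, nil), issue("Untrusted CA", true, nil)
	server, good, bad := issue("localhost", false, &ca), issue("MP-API-CLIENT", false, &ca), issue("MP-API-CLIENT", false, &rogue)
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the handshake-level check
		ClientCAs:    roots,                           // only certificates from the trusted issuer pass
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // probes are sequential, so one connection at a time is enough
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			if tc := c.(*tls.Conn); tc.Handshake() == nil { // on failure the alert already went to the peer
				fmt.Fprintln(tc, tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			c.Close()
		}
	}()
	out := map[string]string{}
	run := func(name string, certs []tls.Certificate, max uint16) {
		if cn, err := probe(ln.Addr().String(), roots, certs, max); err != nil {
			out[name] = "rejected: " + err.Error()
		} else {
			out[name] = "accepted as " + cn
		}
	}
	run("valid cert, TLS 1.2", []tls.Certificate{good}, tls.VersionTLS12)
	run("no cert, TLS 1.2", nil, tls.VersionTLS12)
	run("untrusted CA cert, TLS 1.2", []tls.Certificate{bad}, tls.VersionTLS12)
	run("valid cert, TLS 1.1 max", []tls.Certificate{good}, tls.VersionTLS11)
	return out, nil
}

func main() { fmt.Println(runScenarios()) }
```

Run with `go run`: the first probe is reported as accepted with the client CN the server saw, the other three as rejected. Two details matter for anyone reproducing the "inspect the handshake" check from the validation slide: the Go client silently drops a certificate whose issuer is not among the CAs the server advertises in its CertificateRequest, so the untrusted-CA probe reaches the server looking like the no-certificate case (both fail the handshake, for the same reason ERCOT's check requires an ERCOT-issued certificate rather than any certificate), and reading the server's greeting after Dial is necessary because under TLS 1.3 the client's side of the handshake completes before the server has evaluated the certificate.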

Discussion
