This page describes what needs to be done, and what information exists, when a new company / participant is to be connected to BoB Metadata (i.e. the administrative body).
How to get a PID?
A PID is a participant id. Every organisation that wants to issue or sell BoB-tickets must have a registered PID. All registered participants are found at BoB participant metadata key registration status.
To ask for a PID, send a mail to bobsupport@samtrafiken.se with organisation name, information about contact person and other relevant information. We will most likely give you the next number in sequence in the above list and reply with that information.
Metadata key exchange process
The purpose of key exchange is to ensure that each party can confidently identify the sender and receiver of the participant's metadata key. More information is found in BoB Manual chapter 5 Key Management.
- The prerequisite is a reserved/registered PID at Samtrafiken to which the participant's public key and its metadata can be tied.
- The complete list of PIDs is found at BoB participant metadata key registration status.
- The metadata keys must be in JWK format. Every key must have a kid; for more information, see MTS5.
- The key exchange process varies depending on whether it is for the BoB Metadata Test or the BoB Metadata Production environment.
  - Test
    - Key exchange can be done directly from a Participant or system vendor on behalf of the Participant. The key must be sent by mail to bobsupport@samtrafiken.se in a password protected ZIP-file. The password must be created by Samtrafiken.
  - Production
    - Key exchange request has to be performed by the Participant. The key must be sent by mail to bobsupport@samtrafiken.se in a password protected ZIP-file. The password must be created by Samtrafiken.
- Samtrafiken will provide Samtrafiken's public keys (primary and fallback) to the Participant. HTTPS responses from BoB Metadata endpoints have signatures that must be validated by the Participant using these public keys.
JSON Web Key (JWK) is described by RFC 7517.
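A pre-submission check for the key file, as an added example that is not Samtrafiken's code: it confirms that the JWK has a kid and contains only public members before it is zipped and mailed. The function name, the sample keys and the set of accepted key types are assumptions; MTS5 decides what is actually allowed.

```python
import json

# Members that hold private or symmetric key material (RFC 7518 section 6, RFC 8037).
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}
# Public members each asymmetric key type needs. Which types BoB accepts is
# decided by MTS5; this set is an assumption made for the example.
REQUIRED_PUBLIC = {"EC": {"crv", "x", "y"}, "RSA": {"n", "e"}, "OKP": {"crv", "x"}}

# Constructed sample keys; the coordinate values are placeholders, not real key data.
SAMPLE_PUBLIC = '{"kty": "EC", "crv": "P-256", "kid": "constructed-kid-1", "x": "AAAA", "y": "BBBB"}'
SAMPLE_PRIVATE = '{"kty": "EC", "crv": "P-256", "kid": "constructed-kid-1", "x": "AAAA", "y": "BBBB", "d": "CCCC"}'


def check_public_jwk(text):
    """Return the problems found in a JWK; an empty list means none were found."""
    try:
        jwk = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(jwk, dict):
        return ["a JWK must be a JSON object"]
    members = set(jwk)
    problems = []
    kid = jwk.get("kid")
    if not (isinstance(kid, str) and kid.strip()):
        problems.append("missing or empty 'kid'")
    kty = jwk.get("kty")
    if kty not in REQUIRED_PUBLIC:
        problems.append(f"'kty' is {kty!r}, expected EC, RSA or OKP")
    else:
        missing = sorted(REQUIRED_PUBLIC[kty] - members)
        if missing:
            problems.append(f"missing public members for {kty}: {missing}")
    leaked = sorted(PRIVATE_MEMBERS & members)
    if leaked:
        problems.append(f"contains private key members, do not send: {leaked}")
    return problems


if __name__ == "__main__":
    for name, sample in (("public", SAMPLE_PUBLIC), ("private", SAMPLE_PRIVATE)):
        print(name, check_public_jwk(sample) or "ok")
```

The check only inspects which members are present; it does not verify that the coordinate or modulus values form a valid key.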
What shall a client implement?
A Participant Metadata client is used to retrieve information about a participant that you want to communicate with. By calling the Participant Metadata service you get metadata information such as endpoints, auth token public keys, mtb public keys, etc. for each participant. There is one method that retrieves all information about all participants, and there are several methods to get specific data for one participant. There are also methods for updating your own information.
It is each participant's responsibility to keep their own information up to date.
The BoB Metadata service implements the interface https://bitbucket.org/samtrafiken/bob-api-participant-metadata/src/master/participantMetadata.yaml (it can be viewed in http://editor.swagger.io/#/, or more easily at BoB Participant Metadata v2 OpenAPI).
One must implement a REST-client that calls the API above and interprets the responses.
Relevant documentation is MTS4 and MTS5, found at https://bitbucket.org/account/user/samtrafiken/projects/BOBS
Samtrafiken has implemented the BoB Metadata service in Java and we chose to use jose4j as library/framework, https://bitbucket.org/b_c/jose4j/wiki/Home, for JWT/JWS/...-support.
Programming language and library/framework are of course up to you to choose!
Support and forum
Please see the BoB Support page for more information.