The Nuts and Bolts of Business-to-Business E-Commerce
The Internet addresses many of EDI's network transport shortcomings. Primarily, network advantages include access to trading partners and time to market--a vast number of businesses already have an Internet connection, thereby eliminating costly setup delays associated with dedicated point-to-point private lines. Generally, the challenges are installing the necessary security infrastructure and providing guaranteed uptime and quality of service.
From an applications point of view, order requests are typically transmitted via HTTP over SSL (Secure Sockets Layer). In terms of the content and format, requests and responses are formatted based on--surprise!--the ANSI X.12 format for a standard purchase order. In terms of integration with the existing systems, many companies approach the problem of business-to-business e-commerce by creating a front end to their existing MRP/ERP (manufacturing resource planning/enterprise resource planning) or financial systems. One thing is certain: The adoption of e-commerce is an accurate indication of an organization's Internet maturity and the robustness of its other internal systems (see "Internet Adoption Is Predictable," below). Here, we describe successful Internet-based e-commerce efforts of a handful of diverse American businesses.
Business Law 101 Meets X.509
Because the whole point is that e-commerce rides the same IP infrastructure as the rest of your traffic, it holds no huge surprises for network managers. The main intersection with the network space is in security, and many managers define networks as being inherently unsecure and push security concerns to the application.
Legally binding contracts must be signed, and when they are not negotiated offline they still need signatures. Many states have modified their contract laws to accept certificate authority X.509 signatures to authenticate documents. However, certificates can be hard for the average user to understand and impossible for the average user to set up. Therefore, they are used when necessary and usually indicate a more formal, long-lasting relationship because both sides have to go through the administrative setup to use CAs (certificate authorities). As such they provide several advantages: They prove originator, recipient, and document integrity (see "Managing Digital Keys," at www.NetworkComputing.com/822/822f1.html and "Bridging the Business-to-Business Authentication Gap," at www.NetworkComputing.com/813/813f2.html).
Briefly, you need to identify which transactions require CA services and which do not. You need to evaluate your internal security infrastructure and determine if it meets your external needs. In addition, you and your trading partners need to agree on a security hierarchy.
Several scenarios describe the level of formality and, therefore, when businesses interact with each other over the Internet. The most casual are unregistered visitors to the site. Typically, the visitor will browse the static, informational portions of the site. If any sale occurs, the visitor will agree to terms and conditions or a license, and pay by credit card. SSL addresses security concerns.
A registered customer is one who has agreed to previously stated terms and conditions, who uses data and tools at the site on an ongoing basis and who pays offline on a net-30 basis. These customers typically start to access confidential information, such as custom pricing, which means audit trails become more important. For these customers, certificates become the norm.
Finally, there is a key account, which is a high-volume customer. This key account will typically have face-to-face presales support and receive customized pricing, promotions and support. These users start to interact with in-house MRP or inventory systems, and cross-populate catalog information between buyer and seller. VPN (virtual private network) tunneling protocols and directory-driven access lists come into play here.
www.bpa.gov
Todd Kochheiser, project manager at the Bonneville Power Administration, an agency of the U.S. Department of Energy based in Portland, Ore., relies on CyberGuard Corp.'s TradeWave CA. The federal government has mandated that BPA and other utilities open their transmission facilities as part of deregulation. A consortium of utilities maintains sites to let power generators reserve transmission facilities. Obviously, these sites require high levels of security and have detailed audit requirements. Users wishing to reserve transmission facilities unlock a certificate that is valid for eight hours and lets the user access any of the government's OASIS (Offsite Access to Service and Intranet Solutions) sites with a single login.
This was the BPA's first experience with CAs, and its greatest obstacle was registering users. Once that was accomplished, the TradeWave software proved to be stable and transparent. Kochheiser describes the process of getting users registered with the CA as "not nirvana, by any means. It's still a lot of work." At the top of Kochheiser's business wish list is a desire to outsource the local registration authority process to the CA, thus relieving the consortium of the responsibility of confirming, installing and configuring every user.



The most common denominator is the SSL protocol, which is used to secure communications on the Internet or an intranet. X.509 digital certificates are used for authenticating users and servers. Certificates should be at the forefront of your strategy to support the electronic market.












