Specification for Client Authorization and Authentication

The SEMI Interface A, also known as Equipment Data Acquisition (EDA), standards are a collection of SEMI standards to improve and facilitate communication between IC Maker’s data gathering software applications and the factory Equipment. E132 defines two related security features for Interface A messaging, Client Authentication and Client Authorization. Client Authentication determines how the client establishes a session before it can do anything else. Client Authorization manages what the client can access after the session is established. The Equipment must provide a Security Admin, a utility that provides administrative configuration, for setting up the Client Authentication and Authorization after installation in the fab. SEMI standard E132.1 Provisional Specification for SOAP Binding for Equipment Client Authentication and Authorization (ECA) maps the E132 standard into a specific SOAP/XML implementation.

Download the complete Cimetrix white paper on the SEMI EDA Standards.

SEMI Standard E132 Session Establishment and Authentication

Session Establishment

In order for an Interface A Client to establish a session where it may use E125 or E134 service requests, the client must provide credentials and be authenticated and the Equipment must be in the ALLOWED Session Establishment state. Credentials include a client ID, an encrypted session key and an encrypted client ID proof-of-identity key. Any attempts to use services requested before the authentication are rejected. Once the session is established, the client authorization becomes effective based upon the client's credentials.

Session Authentication

E132 Session Manager Interface

E132 defines the SessionManager interface which includes the following client-initiated operations. The equipment must implement this interface.

EstablishSession Request to establish a new authenticated session and to set the client endpoint, the consumer for all notifications from the equipment.
PersistSession Request the Equipment to maintain the session, even after shutting down the Equipment.
SessionPing A check to see if the Equipment is still active.
CloseSession Request to terminate the session.

Authorization is configured using the Access Control List (ACL). An ACL is a collection of entries, each of which gives the client access permission to take some action in the interface. The E132 standard uses the terms principal, defined as a client specified in the ACL, and privilege, defined as permission to use an operation or to access specific data.

In practice, the easiest way to set up the ACL is by defining what E132 calls roles and then assigning clients to one or more roles. For example, it might be convenient to define "Operator", "Technician", and "Manufacturer" roles. Then Interface A client applications can be assigned to these roles to give them access the appropriate access level.

Each time a client sends a privileged E125 and E134 service request, the Equipment must check whether or not the client is authorized. The ACL assigned to the client determines the set of available E125, E132, and E134 operations, the set of available MetaData, and the access level to data collection plans defined by other clients.

E132 Session Client Interface

E132 defines the SessionClient interface which includes some equipment-initiated operations for consuming clients. Each client must implement this interface.

SessionPing Used by the equipment to check if the client is still active.
SessionFrozen Notification to the client that the session will be frozen.
SessionClosed Used by the equipment to close an active session.


E132 Security Admin Interface

E132 also defines the SecurityAdmin interface which includes the following operations. Only one active Security Admin session is allowed at a time. The equipment must implement this interface.

GetDefinedPrivileges Request the list of all defined privileges.
GetACL Request the list of all defined Access Control List entries
AddACLEntry Add a new ACL entry
DeleteACLEntry Delete an existing ACL entry
GetActiveSessions Request the list of information on all active sessions
SetMaxSessions Sets the maximum number of active sessions
GetMaxSessions Requests the maximum number of active sessions