2.4 Digital Signature Configuration

This section provides instructions on configuring your environment to take advantage of the digital signature support provided with the Identity Manager User Application.

Digital signature support is available on JBoss only. The User Application can be configured to support digital signatures on JBoss only. Digital signatures are not supported on WebSphere or WebLogic.

In release 4.0.2, the User Application provides support for the digital signature as a service model. The digital signature as a service model is very easy to configure and manage. In most environments, you should use this model, unless you are not ready to upgrade from an older digital signature implementation, or require the ability to read digital signature cards, since this support is not available with digital signature as a service.

IMPORTANT: We strongly encourage you to use the digital signature as a service support, since it is the most reliable and easy-to-use configuration for managing digital signatures.

WARNING: You must use Novell Identity Audit (or Sentinel) to preserve documents that you digitally sign. Digital signature documents are not stored with workflow data in the User Application database, but are stored in the logging database. You must enable logging to preserve these documents.

This section includes the following topics:

  • Section 2.4.1, Setting Up the User Certificates

  • Section 2.4.2, Configuring the Application Server

  • Section 2.4.3, Configuring Logging

  • Section 2.4.4, Configuring the User Application

  • Section 2.4.5, Configuring the Provisioning Request Definitions

2.4.1 Setting Up the User Certificates

  1. Create the user certificates using iManager.

    1. Log in as an administrator.

    2. Under Novell Certificate Server, select Create User Certificate.

    3. Select the users for whom you want to create certificates and click Next.

      You can use the Object Selector or Object History to pick the users.

    4. Select the server and specify the certificate nickname. Specify Custom as the creation method and click Next.

    5. Specify a key size of 1024 or 2048 bits, depending on which size suits your requirements. Set the key type to Signature. Leave other settings as is and click Next.

    6. If you’re using the default configuration, leave the certificate parameters as is and click Next.

      To enable certificate revocation list (CRL) support, select Custom and check the CRL signing check box.

      For complete details on CRL configuration, see the Novell Certificate Server documentation.

    7. Click Finish.

    8. Log out.

  2. Export the user certificate as a PFX file that contains the private key.

    1. Log in as the user for whom you want to export a certificate.

    2. Under Novell Certificate Access, select View My Certificates.

    3. Select a certificate and click the Export button.

    4. In the Export Certificate Wizard, click Yes to indicate that you want to export the private key with the certificate. Then click Next.

    5. Enter a password to protect the private key and click Next.

    6. Select Export the certificate into the browser if you do not have a card reader. Otherwise, click on the link that says Save exported certificate to a file.

      You can also import the certificate into a browser later, so you might prefer to click Save exported certificate to a file if you intend to import it into a different browser.

    7. Click Save to Disk to save the file rather than opening it.

    8. Click Close.

  3. If you’re using a smart card, install the smart card reader driver.

  4. Install the software needed to transfer certificate information to the smart card.

  5. Import the key pair (certificate) to the smart card.

If you are planning to use browser certificate support, rather than the smart card, you can skip steps 3 through 5 above. Certificates can be imported into a browser using iManager or the browser certificate management user interface.

2.4.2 Configuring the Application Server

To configure the application server, follow these steps:

  1. Download the vaas.war and xmlsigner.war files from a third-party component provider. Contact your sales representative to get a referral to a third-party provider.

  2. For details on configuring the vaas.war file, see the third-party documentation.

  3. To deploy to JBoss, copy the vaas.war and xmlsigner.war files to the JBOSS_HOME/server/IDMProv/deploy directory.

  4. Export the trusted root and all intermediate certificates (using iManager) and import them into the key store specified in your system’s local configuration using the keytool command.

    For example, for JBoss:

    keytool -import -trustcacerts -alias certAlias -keystore keystorePath -file certFile

    The certFile is a fully qualified path to the certificate file, certAlias is a unique name for the entry in the key store, and keystorePath is the key store specified in your system’s local configuration (for example, the cacerts file of the JRE that runs JBoss). Repeat the command, with a different alias each time, for the trusted root and for each intermediate certificate.

    If you’re using the Novell Certificate Server, you do not need to export the trusted root.

  5. (Not Required for Digital Signature as a Service) Start the User Application Configuration utility by running the configupdate script (configupdate.bat on Windows or configupdate.sh on Linux/Solaris).

  6. (Not Required for Digital Signature as a Service) Click Show Advanced Options.

  7. (Not Required for Digital Signature as a Service) Under Trusted Key Store, type the path to the certificate file in the Trusted Store Path. Also, type your password in the Keystore Password field. The default password is changeit.

    The Trusted Key Store contains all trusted signers’ certificates used to validate digital signatures.

    NOTE: For JBoss, if you’re using the Novell Certificate Server, you can simply paste the complete string (for example, C:\Program Files\Java\jdk1.6.0_31\jre\lib\security\cacerts) from the Keystore Path field under eDirectory Certificates to the Trusted Store Path under Trusted Key Store. You can also paste the Keystore Password to the Trusted Store Password field.

  8. (Not Required for Digital Signature as a Service) If you are using OCSP, under Miscellaneous, type the URI for OCSP in the OCSP URI field. This value is used to update the status of trusted certificates online. The URI points to the access point for the Online Certificate Status Protocol server.

2.4.3 Configuring Logging

To enable logging of digital signatures, you need to configure the logging Platform Agent. The Platform Agent is required on any client that reports events to Novell Identity Audit or Sentinel. You configure the platform agent through the logevent configuration file. This file provides the configuration information that the platform agent needs to communicate with the Novell Identity Audit server.

IMPORTANT: If you are logging events that include digital signatures, it is critical that the value of the LogMaxBigData parameter be large enough to handle the data being logged.

For details on logging configuration, see Section 3.0, Setting Up Logging.

2.4.4 Configuring the User Application

To configure digital signature support for the User Application:

  1. Open the sys-configuration-xmldata.xml file:

    This file is in the conf folder on JBoss. For example: /opt/novell/idm/rbpm/jboss/server/IDMProv/conf.

  2. Add a property that maps to the vaas.war you received from the third-party component provider to sys-configuration-xmldata.xml, placing it before the </properties> element.

    Here is the format:

    <property>
      <key>com.novell.dss.vaas.uri</key>
      <value>http(s)://%server%:%port%/vaas/verify</value>
    </property>

    For example:

    <property>
      <key>com.novell.dss.vaas.uri</key>
      <value>http://myserver.novell.com:8180/vaas/verify</value>
    </property>

  3. Configure the Digital Signature Service for the User Application. To do this, use the Digital Signature Service page under Administration within the User Application. For details, see Section 8.2.2, Configuring the Digital Signature Service.

  4. Log out of the User Application.

  5. Stop the application server.

  6. Complete the rest of the steps outlined by the documentation provided by the third-party component provider to configure and deploy the xmlsigner.war and vaas.war files.

  7. Restart the application server.
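The following script is an added example, not part of this guide or of the Identity Manager product, for step 2 above: it inserts (or updates) the com.novell.dss.vaas.uri property inside the <properties> element of sys-configuration-xmldata.xml and rejects values that still carry the %server% or %port% placeholders or that would send signed documents to the verification service over clear-text HTTP. The sample configuration embedded in the script is constructed for the example; the only key the page defines is com.novell.dss.vaas.uri, and the /vaas/verify path is taken from the format shown above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

VAAS_KEY = "com.novell.dss.vaas.uri"
VAAS_PATH = "/vaas/verify"

# Constructed sample of sys-configuration-xmldata.xml (not a real file from an
# installation). Only the <properties> element and its <property> children matter.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<properties>
    <property>
        <key>com.novell.example.existing</key>
        <value>keep-me</value>
    </property>
</properties>
"""


def validate_vaas_uri(uri, require_tls=True):
    """Return a list of problems with a VaaS verify URI; an empty list means OK."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if require_tls and parts.scheme != "https":
        problems.append("URI should use https so signed documents are not verified over clear text")
    if not parts.hostname:
        problems.append("missing host")
    if "%" in uri:
        problems.append("unresolved placeholder such as %server% or %port%")
    if parts.path != VAAS_PATH:
        problems.append("path must be " + VAAS_PATH)
    return problems


def get_vaas_uri(xml_text):
    """Return the current value of com.novell.dss.vaas.uri, or None if absent."""
    root = ET.fromstring(xml_text)
    for prop in root.findall("property"):
        key = prop.find("key")
        if key is not None and (key.text or "").strip() == VAAS_KEY:
            value = prop.find("value")
            return (value.text or "").strip() if value is not None else None
    return None


def set_vaas_uri(xml_text, uri, require_tls=True):
    """Insert or update the VaaS property and return the new XML text.

    A new <property> is appended as the last child of <properties>, which is
    the position "before the </properties> element" that the guide asks for.
    Raises ValueError if the URI fails validation or the root is not <properties>.
    """
    problems = validate_vaas_uri(uri, require_tls)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.fromstring(xml_text)
    if root.tag != "properties":
        raise ValueError("root element must be <properties>")
    for prop in root.findall("property"):
        key = prop.find("key")
        if key is not None and (key.text or "").strip() == VAAS_KEY:
            value = prop.find("value")
            if value is None:
                value = ET.SubElement(prop, "value")
            value.text = uri          # update in place rather than adding a duplicate key
            break
    else:
        prop = ET.SubElement(root, "property")
        ET.SubElement(prop, "key").text = VAAS_KEY
        ET.SubElement(prop, "value").text = uri
    indent = getattr(ET, "indent", None)  # ET.indent exists from Python 3.9
    if indent is not None:
        indent(root)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


if __name__ == "__main__":
    # Hypothetical host and port; replace with the server hosting vaas.war.
    print(set_vaas_uri(SAMPLE_CONFIG, "https://myserver.example.com:8443/vaas/verify"))
```

Run the script against a copy of the file and diff the result before replacing the live configuration; pass require_tls=False only where the verification service is reachable solely over HTTP, as in the http://myserver.novell.com:8180 example in the guide.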

2.4.5 Configuring the Provisioning Request Definitions

You can use Designer for Identity Manager to configure digital signature support for your provisioning request definitions.

To configure a provisioning request definition to support digital signatures, you need to:

  1. Indicate whether a digital signature is required to initiate the provisioning request.

  2. Indicate whether a digital signature is required for each approval step within the workflow. Because each approval step might have more than one outgoing link, you need to specify whether a digital signature is required for each link.

After you have indicated whether a digital signature is required to initiate a request or perform an approval step, you need to also specify the following for each request or approval step where a digital signature is required:

Table 2-1 Digital Signature Settings

  Setting: Digital Signature Type

  Description: Specifies whether the digital signature uses data or form as its type:

    • Data: Specifies that the XML signature serves as the user agreement. When Data is selected, the XML data is written to the audit log. The user can preview XML data before submitting a signature.

    • Form: Specifies that a PDF document that includes the digital signature declaration be generated. This document serves as the user agreement. The user can preview the generated PDF document before submitting a request or approval. When Form is selected, the PDF document (encapsulated in XML) is written to the audit log.

    WARNING: You must use Novell Identity Audit (or Sentinel) to preserve documents that you digitally sign. Digital signature documents are not stored with workflow data in the User Application database, but are stored in the logging database. You must enable logging to preserve these documents.

  Setting: Digital Signature Declaration

  Description: Specifies a digital signature confirmation string that confirms the user’s signature.

For details on configuring provisioning request definitions in Designer, see the Identity Manager User Application: Design Guide.