This section provides instructions on configuring your environment to take advantage of the digital signature support provided with the Identity Manager User Application.
NOTE: Digital signature support is available on JBoss only. The User Application can be configured to support digital signatures on JBoss only. Digital signatures are not supported on WebSphere or WebLogic.
In release 4.0.2, the User Application provides support for the digital signature as a service model. The digital signature as a service model is very easy to configure and manage. In most environments, you should use this model, unless you are not ready to upgrade from an older digital signature implementation, or require the ability to read digital signature cards, since this support is not available with digital signature as a service.
IMPORTANT: We strongly encourage you to use the digital signature as a service support, since it is the most reliable and easy-to-use configuration for managing digital signatures.
WARNING: You must use Novell Identity Audit (or Sentinel) to preserve documents that you digitally sign. Digital signature documents are not stored with workflow data in the User Application database, but are stored in the logging database. You must enable logging to preserve these documents.
This section includes the following topics:
1. Create the user certificates using iManager:
   a. Log in as an administrator.
   b. Under , select .
   c. Select the users for whom you want to create certificates and click . You can use the Object Selector or Object History to pick the users.
   d. Select the server and specify the certificate nickname.
   e. Specify  as the creation method and click .
   f. Specify a key size of 1024 or 2048 bits, depending on which size suits your requirements. Set the key type to . Leave other settings as is and click .
   g. If you’re using the default configuration, leave the certificate parameters as is and click . To enable certificate revocation list (CRL) support, select Custom and check the CRL signing check box. For complete details on CRL configuration, see the Novell Certificate Server documentation.
   h. Click .
   i. Log out.
2. Export the user certificate as a PFX file that contains the private key:
   a. Log in as the user for whom you want to export a certificate.
   b. Under , select .
   c. Select a certificate and click the  button.
   d. In the Export Certificate Wizard, click  to indicate that you want to export the private key with the certificate. Then click .
   e. Enter a password to protect the private key and click .
   f. Select  if you do not have a card reader. Otherwise, click on the link that says . You can also import to the browser later. Therefore, you might want to click on  to import to a different browser.
   g. Click  to save the file rather than opening it.
   h. Click .
3. If you’re using a smart card, install the smart card reader driver.
4. Install the software needed to transfer certificate information to the smart card.
5. Import the key pair (certificate) to the smart card.

If you are planning to use browser certificate support, rather than the smart card, you can skip steps 3 through 5 above. Certificates can be imported into a browser using iManager or the browser certificate management user interface.
To configure the application server, follow these steps:
1. Download the vaas.war and xmlsigner.war files from a third-party component provider. Contact your sales representative to get a referral to a third-party provider. For details on configuring the vaas.war file, see the third-party documentation.
2. To deploy to JBoss, copy the vaas.war and xmlsigner.war files to the JBOSS_HOME/server/IDMProv/deploy directory.
3. Export the trusted root and all intermediate certificates (using iManager) and import them into the key store specified in your system’s local configuration using the keytool command. For example, for JBoss:
   keytool -import -trustcacerts -file certFile
   The certFile is a fully qualified path to the certificate file. If you’re using the Novell Certificate Server, you do not need to export the trusted root.
4. (Not Required for Digital Signature as a Service) Start the User Application Configuration utility by running the configupdate script (configupdate.bat on Windows or configupdate.sh on Linux/Solaris).
5. (Not Required for Digital Signature as a Service) Click .
6. (Not Required for Digital Signature as a Service) Under , type the path to the certificate file in the . Also, type your password in the  field. The default password is changeit. The Trusted Key Store contains all trusted signers’ certificates used to validate digital signatures.
   NOTE: For JBoss, if you’re using the Novell Certificate Server, you can simply paste the complete string (for example, C:\Program Files\Java\jdk1.6.0_31\jre\lib\security\cacerts) from the  field under  to the  under . You can also paste the  to the  field.
7. (Not Required for Digital Signature as a Service) If you are using OCSP, under , type the URI for OCSP in the  field. This value is used to update the status of trusted certificates online. The URI points to the access point for the Online Certificate Status Protocol server.

To enable logging of digital signatures, you need to configure the logging Platform Agent. The Platform Agent is required on any client that reports events to Novell Identity Audit or Sentinel. You configure the platform agent through the logevent configuration file. This file provides the configuration information that the platform agent needs to communicate with the Novell Identity Audit server.
IMPORTANT: If you are logging events that include digital signatures, it is critical that the value of the LogMaxBigData parameter be large enough to handle the data being logged.
For details on logging configuration, see Section 3.0, Setting Up Logging.
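The keytool step in the application server configuration above shows only the bare `keytool -import -trustcacerts -file certFile` invocation. The following POSIX shell script is an added example, not part of the Novell documentation, that imports every exported root and intermediate certificate from a directory into the JDK cacerts keystore that JBoss reads, with one alias per file, and refuses to call keytool when a certificate or keystore file is missing. The certificate directory, the cacerts location and the KEYSTORE_PASS variable are assumptions of this example; changeit is the JDK default password the guide itself mentions.

```shell
#!/bin/sh
# Added example (not Novell's code): import a trusted root plus intermediates
# into the JBoss JVM keystore. Assumes keytool is on PATH and that the keystore
# uses the JDK default password "changeit" unless KEYSTORE_PASS is exported.

# Derive a keystore alias from a certificate file name: basename without the
# extension, lower-cased, with anything that is not a-z or 0-9 replaced by "-".
# JKS aliases are case-insensitive, so normalising here avoids surprises later.
alias_for() {
    base=$(basename "$1")
    base=${base%.*}
    printf '%s\n' "$base" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9\n' '-'
}

# Import one certificate as a trusted CA entry. Preconditions are checked
# first so keytool is never launched against a missing file.
# -importcert is the documented name of the command the guide calls -import.
import_trusted_cert() {
    cert=$1 keystore=$2
    [ -f "$cert" ] || { echo "certificate not found: $cert" >&2; return 2; }
    [ -f "$keystore" ] || { echo "keystore not found: $keystore" >&2; return 3; }
    keytool -importcert -trustcacerts -noprompt \
        -alias "$(alias_for "$cert")" \
        -file "$cert" \
        -keystore "$keystore" \
        -storepass "${KEYSTORE_PASS:-changeit}"
}

# Import every PEM/DER certificate in a directory (root and intermediates as
# exported from iManager), stopping at the first failure, then list the store.
import_trust_chain() {
    dir=$1 keystore=$2
    for cert in "$dir"/*.pem "$dir"/*.der "$dir"/*.cer; do
        [ -f "$cert" ] || continue    # the glob matched nothing
        import_trusted_cert "$cert" "$keystore" || return $?
    done
    keytool -list -keystore "$keystore" -storepass "${KEYSTORE_PASS:-changeit}"
}

# Usage (placeholder paths; adjust to your environment):
#   import_trust_chain /path/to/exported-certs "$JAVA_HOME/jre/lib/security/cacerts"
```

Because `-noprompt` accepts the certificate without the interactive trust question, check each file's fingerprint with `keytool -printcert -file certFile` against what iManager shows before running the import, and restart JBoss afterwards so the JVM reloads the keystore.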
To configure digital signature support for the User Application:
1. Open the sys-configuration-xmldata.xml file. This file is in the conf folder on JBoss. For example: /opt/novell/idm/rbpm/jboss/server/IDMProv/conf.
2. Add the mapping to the vaas.war that you received from a third-party component provider in the sys-configuration-xmldata.xml before the </properties> element. Here is the format:
   <property>
     <key>com.novell.dss.vaas.uri</key>
     <value>http(s)://%server%:%port%/vaas/verify</value>
   </property>
   For example:
   <property>
     <key>com.novell.dss.vaas.uri</key>
     <value>http://myserver.novell.com:8180/vaas/verify</value>
   </property>
3. Configure the Digital Signature Service for the User Application. To do this, you need to use the  page on the  within the User Application. For details, see Section 8.2.2, Configuring the Digital Signature Service.
4. Log out of the User Application.
5. Stop the application server.
6. Complete the rest of the steps outlined by the documentation provided by the third-party component provider to configure and deploy the xmlsigner.war and vaas.war files.
7. Restart the application server.
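The second step of the procedure above shows the com.novell.dss.vaas.uri property that must be added by hand. The following POSIX shell script is an added example, not Novell's code, that makes the same edit safely: it accepts only an http or https URI ending in /vaas/verify, refuses to add a second com.novell.dss.vaas.uri entry when one already exists, and inserts the property immediately before </properties>. The sample sys-configuration-xmldata.xml it writes to a temporary file is constructed for the demonstration, the surrounding layout of the real file is an assumption, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Novell's code): add the vaas verify URI property to
# sys-configuration-xmldata.xml without duplicating it.

VAAS_KEY="com.novell.dss.vaas.uri"

# Accept http(s)://host[:port]/vaas/verify only; anything else is rejected so a
# typo cannot silently point signature verification somewhere else.
valid_vaas_uri() {
    uri=$1
    case "$uri" in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    rest=${uri#*://}
    host=${rest%%/*}
    path=/${rest#*/}
    [ -n "$host" ] && [ "$path" = "/vaas/verify" ]
}

# Print the value currently configured for the vaas key (empty if absent).
vaas_uri_in() {
    awk -v key="$VAAS_KEY" '
        index($0, "<key>" key "</key>") { want = 1; next }
        want && match($0, "<value>[^<]*</value>") {
            print substr($0, RSTART + 7, RLENGTH - 15); exit
        }
    ' "$1"
}

# Insert the <property> block before </properties>. Returns 1 if the key is
# already present, 2 for a bad URI, 3 for a missing file, 4 if the file has
# no </properties> element to anchor on.
add_vaas_property() {
    file=$1 uri=$2
    valid_vaas_uri "$uri" || { echo "rejected URI: $uri" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 3; }
    grep -q '</properties>' "$file" || { echo "no </properties> in $file" >&2; return 4; }
    if grep -q "<key>$VAAS_KEY</key>" "$file"; then
        echo "$VAAS_KEY already present in $file; not adding a duplicate" >&2
        return 1
    fi
    tmp=$(mktemp)
    awk -v key="$VAAS_KEY" -v uri="$uri" '
        index($0, "</properties>") && !inserted {
            print "  <property>"
            print "    <key>" key "</key>"
            print "    <value>" uri "</value>"
            print "  </property>"
            inserted = 1
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample file standing in for sys-configuration-xmldata.xml.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<properties>
  <property>
    <key>com.example.placeholder</key>
    <value>constructed-sample</value>
  </property>
</properties>
EOF

add_vaas_property "$SAMPLE" "http://myserver.novell.com:8180/vaas/verify"
echo "vaas verify URI now: $(vaas_uri_in "$SAMPLE")"
```

Run it against a copy of the real file first and compare with diff before touching the deployed conf directory; the application server still has to be stopped and restarted, as the procedure says, for the new property to take effect.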
You can use Designer for Identity Manager to configure digital signature support for your provisioning request definitions.
To configure a provisioning request definition to support digital signatures, you need to:
Indicate whether a digital signature is required to initiate the provisioning request.
Indicate whether a digital signature is required for each approval step within the workflow. Because each approval step might have more than one outgoing link, you need to specify whether a digital signature is required for each link.
After you have indicated whether a digital signature is required to initiate a request or perform an approval step, you need to also specify the following for each request or approval step where a digital signature is required:
Table 2-1 Digital Signature Settings

| Setting | Description |
|---|---|
| Digital Signature Type | Specifies whether the digital signature uses data or form as its type: WARNING: You must use Novell Identity Audit (or Sentinel) to preserve documents that you digitally sign. Digital signature documents are not stored with workflow data in the User Application database, but are stored in the logging database. You must enable logging to preserve these documents. |
| Digital Signature Declaration | Specifies a digital signature confirmation string that confirms the user’s signature. |
For details on configuring provisioning request definitions in Designer, see the Identity Manager User Application: Design Guide.