Trusted Central Signing Service - PhenixID Document Signing Web Application

Add PhenixID Document Signing Web Application module

- Log in to PhenixID Authentication Services - Configuration Manager

- Click on the Advanced tab

- Click on the pen to the right of Modules

- Append these modules:

{
    "name": "com.phenixidentity~phenix-prism",
    "enabled": "true",
    "config": {
        "display_name": "PhenixID Document Signing",
        "base_url": "/signapp",
        "auth_redirect_url": "/signapp/authenticate/signapp",
        "module_refs": "signappMod"
    },
    "id": "signapp_1"
},
{
    "name": "com.phenixidentity~phenix-prism-signingclient~2.2.0",
    "enabled": "false",
    "config": {
        "display_name": "PhenixID Document Signing",
        "base_uri": "signapp",
        "pipeID": "SignAppDocSignPipe",
        "verifyPipeID": "SignAppDocVerifyPipe"
    },
    "id": "signappMod"
}

- Click Stage Changes and Commit Changes

- Click on the pen to the right of System nodes

- Add the module "signapp_1" to module_refs.

Add LDAP Connection

- Log on to Configuration Manager

- Click on Scenarios

- Click Connections

- Click + next to LDAP and configure your LDAP connection.

- When done, click the Advanced tab

- Expand Database Connections

- Copy the id value of the database (ldap) object that was created. It is used as the connection_ref value in later steps.

Add authenticator for PhenixID Document Signing Web Application

First, decide which authenticator(s) to use from the list of authenticators available for PhenixID web application authentication.

- Click on the pen to the right of Authentication - HTTP

- Add your authenticator(s) following the step-by-step instructions described here.
Make sure the successURL is /signapp/.

In this example, a simple username and password authenticator is used.

{
    "alias": "signapp",
    "name": "PostUidAndPassword",
    "configuration": {
        "pipeID": "pipeSignAppAuth",
        "successURL": "/signapp/",
        "translationKey": "login.messages.information.body.enduser",
        "headingtranslationKey": "login.messages.information.header.enduser",
        "title": "login.messages.information.title.enduser",
        "allowLanguageChange": "true"
    },
    "created": "2017-07-03T14:36:43.869Z",
    "id": "signapp"
}

- Click Stage changes and Commit changes

- Click on the pen to the right of Pipes - HTTP

- Add this pipe configuration. Change connection_ref to the id value fetched in the previous step. Change base_dn and filter_template to suit your environment.

{
    "id": "pipeSignAppAuth",
    "valves": [
        {
            "name": "LDAPSearchValve",
            "config": {
                "connection_ref": "2283cb81-04e4-4fc5-a776-f4258fa9be4b",
                "base_dn": "DC=bjorken,DC=local",
                "scope": "SUB",
                "size_limit": "0",
                "filter_template": "(uid={{request.username}})",
                "attributes": ""
            }
        },
        {
            "name": "LDAPBindValve",
            "config": {
                "connection_ref": "2283cb81-04e4-4fc5-a776-f4258fa9be4b",
                "password_param_name": "password"
            }
        }
    ]
}

- Click Stage changes and Commit changes

Add execution flows (pipe) for sign

- Click on the pen to the right of Pipes

- Add this pipe. The configuration in this pipe fetches the logged-in user's attributes from the LDAP store and uses them to populate a self-signed certificate. That self-signed certificate is then used to sign the incoming PDF file.

Please note that this might not suit your environment. Valves can be replaced, removed or added as needed; see the documentation for a list of available valves.

Change these values to suit your environment:

- LDAPSearchValve: connection_ref, base_dn, filter_template, attributes

- CertificateGeneratorValve: cert_subject_dn

- SMTPValve: smtp_username, smtp_password

{
    "id": "SignAppDocSignPipe",
    "description": "Sign document",
    "valves": [
        {
            "name": "LDAPSearchValve",
            "config": {
                "connection_ref": "2283cb81-04e4-4fc5-a776-f4258fa9be4b",
                "base_dn": "dc=example,dc=org",
                "scope": "SUB",
                "size_limit": "0",
                "filter_template": "uid={{request.userid}}",
                "attributes": "givenName,sn,mail,displayName"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "b64",
                "value": "{{request.body}}"
            }
        },
        {
            "name": "PropertyBase64DecoderValve",
            "config": {
                "source": "b64",
                "dest": "temporary"
            }
        },
        {
            "name": "CertificateGeneratorValve",
            "enabled": "true",
            "config": {
                "dest": "keystore",
                "keystore_alias": "key",
                "cert_subject_dn": "CN={{item.displayName}},OU=Demo,O=PhenixID",
                "cert_key_usage": "true,true"
            }
        },
        {
            "name": "PDFSignWithUserKey",
            "config": {
                "sourceDataAttribute": "temporary",
                "targetDataAttribute": "document",
                "keyProperty": "keystore",
                "certificateAlias": "key"
            }
        },
        {
            "name": "ScriptEvalValve",
            "config": {
                "mime_type": "application/javascript",
                "script": "var array = flow.getParameter('filename').split('.');var fileExt = array.pop();var fileName = array.join('.');flow.items().get(0).replaceProperty('filename', fileName);flow.items().get(0).replaceProperty('filext', fileExt);"
            }
        },
        {
            "name": "PropertyRemoveValve",
            "config": {
                "name": "b64"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "filename_to_attach",
                "value": "signed_{{item.filename}}.pdf"
            }
        },
        {
            "name": "SMTPValve",
            "config": {
                "userid_param_name": "userid",
                "smtp_username": "[email protected]",
                "smtp_password": "{enc}xxxxxxxxxxxxxxxxxxxxxxxxxxx",
                "mail_param_name": "{{item.mail}}",
                "attachment_param_name": "document",
                "attachment_name_param_name": "filename_to_attach",
                "message_subject": "Your signed document attached",
                "message_body": "Signing procedure completed! Please find the signed document attached"
            }
        }
    ]
}

- Click Stage changes and Commit changes
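The ScriptEvalValve in the pipe above splits the uploaded filename on "." to build the attachment name. The following is an added example (not PhenixID code) that reproduces that logic as a plain function next to a variant that also handles names without an extension, dotfiles and path components; `flow` does not exist outside the pipe, so both functions take the filename string directly.

```javascript
// Added example, not PhenixID code: the filename handling of the
// ScriptEvalValve above as plain functions. `flow` does not exist outside
// the pipe, so the functions take the filename string directly.

// Exactly what the valve script does: split on '.', the last part is the
// extension and the rest is joined back into the name.
function splitAsInValve(filename) {
  const array = filename.split('.');
  const fileExt = array.pop();
  const fileName = array.join('.');
  return { fileName, fileExt };
}

// Hardened variant: an upload without a dot keeps its whole name (the valve
// script leaves fileName empty, so the attachment becomes "signed_.pdf"),
// a leading-dot name is not treated as extension-only, and any directory
// part a client might send along is dropped before the name is reused.
function splitFilename(filename) {
  const base = filename.split(/[\\\/]/).pop();
  const dot = base.lastIndexOf('.');
  if (dot <= 0) return { fileName: base, fileExt: '' };
  return { fileName: base.slice(0, dot), fileExt: base.slice(dot + 1) };
}

// The attachment name the SMTPValve uses: "signed_{{item.filename}}.pdf".
function attachmentName(filename) {
  return `signed_${splitFilename(filename).fileName}.pdf`;
}
```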

Add execution flows (pipe) for verify

- Click on the pen to the right of Pipes

- Add this pipe. The configuration in this pipe will validate the signature to make sure the data has not been altered.

Please note that this might not suit your environment. Valves can be replaced, removed or added based on your needs. Please view the documentation to get a list of available valves. Please also view this document to see how the certificates can be extracted from the signatures (in order to validate the certificates using this valve).

{
    "id": "SignAppDocVerifyPipe",
    "description": "Verify pdf document signature(s)",
    "valves": [
        {
            "name": "ItemCreateValve",
            "config": {
                "dest_id": "{{request.userid}}"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "b64",
                "value": "{{request.body}}"
            }
        },
        {
            "name": "PropertyBase64DecoderValve",
            "config": {
                "source": "b64",
                "dest": "temporary"
            }
        },
        {
            "name": "PDFVerifySignature",
            "config": {
                "sourceDataAttribute": "temporary"
            }
        }
    ]
}

- Click Stage changes and Commit changes
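The steps above have you copy several ids by hand (the connection id into connection_ref, the module id into module_refs, the pipe ids into pipeID and verifyPipeID). The following is an added example (not PhenixID product code) that cross-checks trimmed copies of the module, authenticator and pipe objects from this page and reports any reference that does not resolve, a successURL other than /signapp/, and an SMTP password not stored in the {enc} form shown above; the objects and the connection id are taken from this page.

```javascript
// Added example, not PhenixID product code: a cross-reference check over the
// JSON fragments configured above. The guide has you copy ids by hand
// (connection id -> connection_ref, module id -> module_refs, pipe ids ->
// pipeID/verifyPipeID); this catches a mistyped id before Commit Changes.
const CONN = '2283cb81-04e4-4fc5-a776-f4258fa9be4b'; // the connection id shown above
// Trimmed copies of the page's objects, keeping only the keys the check reads.
const modules = [
  { id: 'signapp_1', config: { module_refs: 'signappMod' } },
  { id: 'signappMod', config: { pipeID: 'SignAppDocSignPipe', verifyPipeID: 'SignAppDocVerifyPipe' } },
];
const authenticators = [
  { id: 'signapp', configuration: { pipeID: 'pipeSignAppAuth', successURL: '/signapp/' } },
];
const pipes = [
  { id: 'pipeSignAppAuth', valves: [
    { name: 'LDAPSearchValve', config: { connection_ref: CONN } },
    { name: 'LDAPBindValve', config: { connection_ref: CONN } } ] },
  { id: 'SignAppDocSignPipe', valves: [
    { name: 'LDAPSearchValve', config: { connection_ref: CONN } },
    { name: 'SMTPValve', config: { smtp_password: '{enc}xxxxxxxx' } } ] },
  { id: 'SignAppDocVerifyPipe', valves: [{ name: 'PDFVerifySignature', config: {} }] },
];

// Returns human-readable problems; an empty list means the references line up.
function lintConfig(modules, authenticators, pipes, connectionIds) {
  const problems = [];
  const moduleIds = new Set(modules.map((m) => m.id));
  const pipeIds = new Set(pipes.map((p) => p.id));
  const conns = new Set(connectionIds);
  for (const m of modules) {
    const c = m.config || {};
    for (const ref of (c.module_refs || '').split(',').filter(Boolean)) {
      if (!moduleIds.has(ref)) problems.push(`${m.id}: module_refs -> unknown module ${ref}`);
    }
    for (const key of ['pipeID', 'verifyPipeID']) {
      if (c[key] && !pipeIds.has(c[key])) problems.push(`${m.id}: ${key} -> unknown pipe ${c[key]}`);
    }
  }
  for (const a of authenticators) {
    const c = a.configuration || {};
    if (c.pipeID && !pipeIds.has(c.pipeID)) problems.push(`${a.id}: pipeID -> unknown pipe ${c.pipeID}`);
    if (c.successURL !== '/signapp/') problems.push(`${a.id}: successURL must be /signapp/`);
  }
  for (const p of pipes) for (const v of p.valves) {
    const c = v.config || {};
    if (c.connection_ref && !conns.has(c.connection_ref)) problems.push(`${p.id}/${v.name}: unknown connection_ref ${c.connection_ref}`);
    if (v.name === 'SMTPValve' && c.smtp_password && !c.smtp_password.startsWith('{enc}')) problems.push(`${p.id}/SMTPValve: smtp_password is not in {enc} form`);
  }
  return problems;
}
```

Run it with the full objects pasted in place of the trimmed copies; the extra keys are ignored.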

Test

  1. Browse to https://<phenix_server>:<phenix_server_http_port>/signapp/
  2. You should be redirected to https://<phenix_server>:<phenix_server_http_port>/signapp/authenticate/signapp
  3. Authenticate
  4. You should now be logged in to the PhenixID Document Signing Web Application
  5. Upload a PDF document and click Sign
  6. Verify that a signed PDF document was sent to your mailbox
  7. Download the signed PDF document
  8. Upload the signed PDF document and click Verify
  9. Signature validation should result in a successful (green bar) response

Troubleshooting

Check the server.log file.