PhenixID Signing Service version 1.2 - Configuration (older version)

Trusted Central Signing Service - PhenixID Document Seal Web Application

Prerequisites

- Add the seal certificate (keystore) to PhenixID Authentication Server (as a Keystore)

- Get the keystore ID value of the seal certificate

Add PhenixID Document Seal Web Application module

- Log in to PhenixID Authentication Services - Configuration Manager

- Click on the tab Advanced

- Click on the pen to the right of Modules

- Append these two modules to the Modules array. The pipeID and verifyPipeID values must match the ids of the sign and verify pipes created later in this guide.


{
	"name": "com.phenixidentity~phenix-prism",
	"enabled": "true",
	"config": {
		"base_url": "/sealapp",
		"auth_redirect_url": "/sealapp/authenticate/sealapp",
		"module_refs": "sealappmod",
		"display_name": "PhenixID Document Seal"
	},
	"created": "2017-06-14T09:03:58.923Z",
	"id": "sealapp"
},
{
	"name": "com.phenixidentity~phenix-prism-signingclient~2.2.0",
	"enabled": "false",
	"config": {
		"display_name": "PhenixID Document Seal",
		"base_uri": "sealapp",
		"pipeID": "SignAppDocSignPipe",
		"verifyPipeID": "SignAppDocVerifyPipe"
	},
	"created": "2017-06-14T09:03:58.751Z",
	"id": "sealappmod"
}

- Click Stage Changes and Commit Changes

 

- Click on the pen to the right of System nodes

- Add the module "sealapp" to module_refs.

- Click Stage Changes and Commit Changes

 

Add LDAP Connection

- Log in to Configuration Manager

- Click on Scenarios

- Click Connections

- Click + next to LDAP and configure your LDAP connection.

- When done, click the Advanced tab

- Expand Database Connections

- Copy the id value of the newly created database (ldap) object. It is used as connection_ref in the pipes configured in later steps.

Add authenticator for PhenixID Document Seal Web Application

First, decide which authenticator(s) to use from the list of authenticators available for PhenixID web application authentication.

- Click on the pen to the right of Authentication - HTTP

- Add your authenticator(s) following the step-by-step instructions in the authenticator documentation.
Make sure the successURL is /sealapp/.

 

In this example, a simple username and password authenticator is used.

{
	"alias": "sealapp",
	"name": "PostUidAndPassword",
	"configuration": {
		"pipeID": "pipeSealAppAuth",
		"successURL": "/sealapp/",
		"translationKey": "login.messages.information.body.enduser",
		"headingtranslationKey": "login.messages.information.header.enduser",
		"title": "login.messages.information.title.enduser",
		"allowLanguageChange": "true"
	},
	"created": "2017-07-03T14:39:45.829Z",
	"id": "sealapp"
}

- Click Stage changes and Commit changes

- Click on the pen to the right of Pipes - HTTP

- Add this pipe configuration. Change connection_ref to the id value copied in the LDAP connection step. Change base_dn and filter_template to suit your environment.

{
	"id": "pipeSealAppAuth",
	"valves": [
		{
			"name": "LDAPSearchValve",
			"config": {
				"connection_ref": "2283cb81-04e4-4fc5-a776-f4258fa9be4b",
				"base_dn": "DC=bjorken,DC=local",
				"scope": "SUB",
				"size_limit": "0",
				"filter_template": "(uid={{request.username}})",
				"attributes": ""
			}
		},
		{
			"name": "LDAPBindValve",
			"config": {
				"connection_ref": "2283cb81-04e4-4fc5-a776-f4258fa9be4b",
				"password_param_name": "password"
			}
		}
	]
}

- Click Stage changes and Commit changes
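The authentication pipe above substitutes the submitted username straight into filter_template. Whether LDAPSearchValve escapes that value is not stated on this page, so it is worth checking what an unescaped value does to the filter: a wildcard or an extra filter component would make the search match entries other than the intended user before LDAPBindValve runs. The following Python is an added example, not PhenixID code: it implements RFC 4515 escaping for the substituted value and a structural check that the rendered filter is a single literal uid match. render_filter() is a simplified stand-in for the valve's own substitution, and the usernames are constructed test inputs.

```python
"""RFC 4515 escaping and a structural check for values substituted into an LDAP filter.

Added example, not PhenixID code. It assumes LDAPSearchValve substitutes
{{request.username}} into filter_template as a plain string; whether the
valve escapes that value is not stated on the page, so this shows what to
check. render_filter() is a simplified stand-in for the valve's substitution.
"""
import re

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

TEMPLATE = "(uid={{request.username}})"   # filter_template from the pipe above


def escape_ldap_filter_value(value):
    """Escape a user-supplied value so the filter can only match it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, username, escape):
    """Substitute the username into the template, with or without escaping (assumed behaviour)."""
    value = escape_ldap_filter_value(username) if escape else username
    return template.replace("{{request.username}}", value)


def is_single_literal_match(rendered, attribute):
    """True if the rendered filter is one (attribute=value) assertion whose value
    contains no unescaped wildcard or parenthesis, i.e. it can only match the
    entry whose attribute equals the literal value."""
    prefix = "(" + attribute + "="
    if not (rendered.startswith(prefix) and rendered.endswith(")")):
        return False
    value = rendered[len(prefix):-1]
    i = 0
    while i < len(value):
        if value[i] == "\\":
            # A backslash must introduce a "\xx" hex escape; anything else is malformed.
            if not re.fullmatch(r"[0-9a-fA-F]{2}", value[i + 1:i + 3]):
                return False
            i += 3
            continue
        if value[i] in "*()":
            return False      # unescaped wildcard or extra filter component
        i += 1
    return True


def audit(usernames):
    """For each username return (raw filter, raw ok?, escaped filter, escaped ok?)."""
    report = {}
    for name in usernames:
        raw = render_filter(TEMPLATE, name, escape=False)
        safe = render_filter(TEMPLATE, name, escape=True)
        report[name] = (raw, is_single_literal_match(raw, "uid"),
                        safe, is_single_literal_match(safe, "uid"))
    return report


# Constructed inputs: a normal login, a bare wildcard, and a filter-injection attempt.
SAMPLE_USERNAMES = ("alice", "*", "alice)(|(uid=*")

if __name__ == "__main__":
    for name, (raw, raw_ok, safe, safe_ok) in audit(SAMPLE_USERNAMES).items():
        print("%-18r raw=%s ok=%s | escaped=%s ok=%s" % (name, raw, raw_ok, safe, safe_ok))
```

If the unescaped rendering of a crafted username fails the check while the escaped one passes, test the real login form with the same usernames and an invalid password, and confirm in server.log that the search matched no more than one entry; if it matched several, the value is not being escaped before substitution.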

Add execution flows (pipe) for seal

- Click on the pen to the right of Pipes

- Add this pipe. The configuration in this pipe fetches the keystore from the configuration, signs the PDF and emails the sealed PDF to the logged-in user.

Please note that this might not suit your environment. Valves can be replaced, removed or added based on your needs. Please view the documentation to get a list of available valves.

 

Change these values to suit your environment:

- LDAPSearchValve: connection_ref, base_dn, filter_template, attributes

- PDFSign: keyStore (change to the keystore ID to be used, see Prerequisites)

- SMTPValve: smtp_username, smtp_password

{
	"id": "SignAppDocSignPipe",
	"description": "Sign document",
	"valves": [
		{
			"name": "LDAPSearchValve",
			"config": {
				"connection_ref": "2283cb81-04e4-4fc5-a776-f4258fa9be4b",
				"base_dn": "dc=example,dc=org",
				"scope": "SUB",
				"size_limit": "0",
				"filter_template": "(uid={{request.userid}})",
				"attributes": "givenName,sn,mail,displayName"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "b64",
				"value": "{{request.body}}"
			}
		},
		{
			"name": "PropertyBase64DecoderValve",
			"config": {
				"source": "b64",
				"dest": "temporary"
			}
		},
		{
			"name": "PDFSign",
			"config": {
				"sourceDataAttribute": "temporary",
				"targetDataAttribute": "document",
				"keyStore": "PhenixID_Demo_SEAL.p12"
			}
		},
		{
			"name": "ScriptEvalValve",
			"config": {
				"mime_type": "application/javascript",
				"script": "var array = flow.getParameter('filename').split('.');var fileExt = array.pop();var fileName = array.join('.');flow.items().get(0).replaceProperty('filename', fileName);flow.items().get(0).replaceProperty('filext', fileExt);"
			}
		},
		{
			"name": "PropertyRemoveValve",
			"config": {
				"name": "b64"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "filename_to_attach",
				"value": "sealed_{{item.filename}}.pdf"
			}
		},
		{
			"name": "SMTPValve",
			"config": {
				"userid_param_name": "userid",
				"smtp_username": "[email protected]",
				"smtp_password": "{enc}XXXXXXXXXXXXXXXXXX",
				"mail_param_name": "{{item.mail}}",
				"attachment_param_name": "document",
				"attachment_name_param_name": "filename_to_attach",
				"message_subject": "Your sealed document attached",
				"message_body": "Seal procedure completed! Please find the sealed document attached!"
			}
		}
	]
}

- Click Stage changes and Commit changes

Add execution flows (pipe) for verify

- Click on the pen to the right of Pipes

- Add this pipe. The configuration in this pipe will validate the signature to make sure the data has not been altered.

Please note that this might not suit your environment. Valves can be replaced, removed or added based on your needs. Please view the documentation to get a list of available valves. See also the separate document describing how the certificates can be extracted from the signatures, in order to validate the certificates with the certificate validation valve.

{
	"id": "SignAppDocVerifyPipe",
	"description": "Verify pdf document signature(s)",
	"valves": [
		{
			"name": "ItemCreateValve",
			"config": {
				"dest_id": "{{request.userid}}"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "b64",
				"value": "{{request.body}}"
			}
		},
		{
			"name": "PropertyBase64DecoderValve",
			"config": {
				"source": "b64",
				"dest": "temporary"
			}
		},
		{
			"name": "PDFVerifySignature",
			"config": {
				"sourceDataAttribute": "temporary"
			}
		}
	]
}

- Click Stage changes and Commit changes
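PDFVerifySignature checks the cryptographic signature over the bytes the signer declared in /ByteRange. A PDF signature covers only those bytes: content appended later as an incremental update lies outside the signed ranges, is still valid PDF, and does not invalidate the signature, so a document can pass signature validation while what the reader sees has changed. The coverage check below is the complementary test a practitioner runs alongside the verify pipe. It is an added Python example, not PhenixID code; the sample PDF is constructed inline with a dummy /Contents value rather than a real PKCS#7 blob, and the digest it returns is over the covered bytes, not a verification of the CMS signature itself.

```python
"""Check that a PDF signature's /ByteRange covers the whole file.

Added example, not PhenixID code. A PDF signature only covers the byte
ranges listed in /ByteRange; anything appended afterwards as an incremental
update is outside the signature yet still valid PDF. The sample PDF below is
constructed inline with a dummy /Contents value, not a real PKCS#7 blob, and
the digest computed is over the covered bytes, not a CMS signature check.
"""
import hashlib
import re

BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
CONTENTS_HEX_RE = re.compile(rb"<[0-9A-Fa-f]*>")


def build_sample_pdf(trailing=b""):
    """Construct a minimal one-signature PDF (sample data, not a real sealed file).

    Signers write /ByteRange [0 b c d] so that the only excluded bytes are the
    /Contents hex string holding the signature value; this reproduces that layout.
    Any `trailing` bytes imitate an incremental update appended after signing.
    """
    head = (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"2 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /ByteRange ")
    mid = b" /Contents "
    contents = b"<" + b"00" * 32 + b">"          # placeholder signature value
    tail = b" >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    fmt = b"[%010d %010d %010d %010d]"             # fixed width, so offsets are stable
    b_off = len(head) + len(fmt % (0, 0, 0, 0)) + len(mid)
    c_off = b_off + len(contents)
    total = c_off + len(tail)
    return head + fmt % (0, b_off, c_off, total - c_off) + mid + contents + tail + trailing


def check_signature_coverage(pdf):
    """Return (ok, detail): ok is True only if some signature covers every byte.

    For every /ByteRange the first range must start at 0 and the gap between
    the two ranges must be exactly the <hex> /Contents string. The signature
    whose ranges reach furthest must end exactly at end of file; otherwise the
    remainder is an unsigned incremental update. On success detail is the
    SHA-256 of the covered bytes (the data a CMS signature is computed over).
    """
    ranges = [tuple(int(x) for x in m.groups()) for m in BYTE_RANGE_RE.finditer(pdf)]
    if not ranges:
        return False, "no /ByteRange found: document carries no signature"
    for a, b, c, d in ranges:
        if a != 0:
            return False, "signed range does not start at byte 0"
        if b > c or not CONTENTS_HEX_RE.fullmatch(pdf[b:c]):
            return False, "gap between signed ranges is not exactly the /Contents hex string"
    a, b, c, d = max(ranges, key=lambda r: r[2] + r[3])
    unsigned = len(pdf) - (c + d)
    if unsigned < 0:
        return False, "ByteRange extends past end of file"
    if unsigned != 0:
        return False, "%d byte(s) after the last signed range: incremental update not covered" % unsigned
    digest = hashlib.sha256(pdf[a:b] + pdf[c:c + d]).hexdigest()
    return True, digest


def demo():
    """Clean sample passes; the same file with an appended annotation fails."""
    clean = build_sample_pdf()
    update = b"3 0 obj\n<< /Type /Annot /Subtype /FreeText /Contents (Approved) >>\nendobj\n%%EOF\n"
    return check_signature_coverage(clean), check_signature_coverage(build_sample_pdf(update))


if __name__ == "__main__":
    for ok, detail in demo():
        print("covered" if ok else "NOT covered", "-", detail)
```

Run it against the sealed PDF returned by the seal pipe: a file that verifies in the web application but fails this check has been modified by an incremental update after sealing, which is exactly the case a signature-only verification does not surface.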

Test

  1. Browse to https://<phenix_server>:<phenix_server_http_port>/sealapp/
  2. You should be redirected to https://<phenix_server>:<phenix_server_http_port>/sealapp/authenticate/sealapp
  3. Authenticate
  4. You should now be logged in to the PhenixID Document Seal Web application
  5. Upload a PDF document and click Sign
  6. Verify that a signed PDF document (i.e. with a seal) was sent to your mailbox
  7. Download the signed PDF document
  8. Upload the signed PDF document and click Verify
  9. Signature validation should result in a successful (green bar) response

 

Troubleshooting

Check the server.log file.