8.3 Configuring the Digital Signature Service

This section provides details on configuring the Digital Signature Service.

To configure the Digital Signature Service:

  1. Select the Provisioning tab.

  2. Select Digital Signature Service from the left navigation menu.

    The user interface displays the Digital Signature Service panel.

  3. Perform these steps to configure the Digital Signature Service:

    1. Select the Enable Digital Signature Support check box.

      If this check box is not selected, users will see an error message when they try to access any provisioning resource that requires a digital signature.

      Before enabling digital signature support, make sure all of the required JARs are present. If any of the JARs are missing, you will see an error message when you select the check box. For details on which JARs are required for digital signatures, see Section 2.3, Digital Signature Configuration.

    2. Select the Use XML Signature check box if you want to use an XML Signature. (This option is required if you are using cryptovision.)

    3. Optionally select the Enable Signed Document Preview check box to allow users to preview signed documents.

    4. Type the name of the class for your digital signature service in the Class Name field.

      For details on using cryptovision as your signature verification provider, see http://www.cryptovision.com/idmdigsig.html.

    5. Optionally specify an entity key in the Alternative Certificate Subject Virtual Entity Key field. The entity key maps to an entity defined in the data abstraction layer. The entity provides a calculated attribute that can be used instead of the LDAP common name to ensure that only authorized users can perform digital signing. In the Designer, you define the entity, giving the key any name you like. On the Digital Signature Service configuration panel, you specify the key for the entity you defined. The alternative subject is an optional feature that you can use to add an extra layer of protection.

    6. Optionally select the Certificate Authorization check box to ensure that the authenticated user matches the user associated with the selected user certificate. When Certificate Authorization is enabled, the current user is not permitted to use a certificate on the smart card (or browser) that has been given to a different user.

    7. Optionally select the Enable Revocation Check check box to cause the application to check the certificate revocation list (CRL) before using a certificate to be sure that it is still valid. A certificate might be revoked for several reasons. For example, the certificate authority might determine that a particular certificate was improperly issued. Alternatively, the certificate might be revoked if the private key for the certificate has been lost or stolen.

    8. Optionally select the Enable OCSP Query check box to perform a query against an Online Certificate Status Protocol (OCSP) server before using a certificate. OCSP is an alternative to certificate revocation lists that addresses problems associated with using CRLs in a public key infrastructure (PKI). The OCSP access point for the server is specified in the User Application Configuration utility.

  4. To view the settings for a previously configured applet, select the applet from the Signature Applet dropdown list.

    For details on configuring the cryptovision applet, see http://www.cryptovision.com/idmdigsig.html.

  5. Perform these steps to add a new signature applet configuration:

    1. Click Add.

      The user interface makes the fields in the Signature Applet panel editable.

    2. Provide a name for this applet configuration in the Display Name field.

    3. Specify the class ID for the applet in the Class ID field.

    4. Specify the name of the JAR file that contains the applet in the Archive Name field.

    5. In the Context Root field, specify the context root path of the Web application that contains the applet archive. (If the context root points to a different application, always start it with a “/” character.)

    6. Specify the callback name in the Callback Name field.

    7. Specify the XML declaration string in the Declaration Template field.

    8. Specify the invocation string in the Invocation Template field.

    9. Specify the callback function in the Callback Function Template field.

    10. Select the browser type (for example, IE 6.0) in the Browser Type select list.

  6. Click Save to save your settings.
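The three certificate checks described in steps 6 through 8 of step 3 (Certificate Authorization, Enable Revocation Check, and Enable OCSP Query) map onto standard JDK PKIX APIs. The following class is an added example written for this section; it is not NetIQ or cryptovision code, and it assumes nothing about how the product implements these options internally. The class name, the `SubjectResolver` interface, and the choice of the subject CN as the default user identifier are assumptions made for the example; the alternative-subject entity key from step 5 would be supplied through a different `SubjectResolver` implementation.

```java
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Added example (not product code): the checks behind the Certificate Authorization,
 * Enable Revocation Check and Enable OCSP Query options, expressed with the JDK PKIX APIs.
 */
public final class SigningCertificateChecks {

    /** Maps a certificate to the user it identifies: the LDAP common name by default,
     *  or the calculated attribute of the alternative-subject entity (step 5). Assumed interface. */
    public interface SubjectResolver {
        String userIdForSubject(X509Certificate cert);
    }

    /** Default resolver: the CN of the subject DN, or null if the DN has no CN. */
    public static String subjectCommonName(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // Unparseable DN: treat as "no CN", so the authorization check below fails closed.
        }
        return null;
    }

    /** Certificate Authorization: the authenticated user must be the user the certificate names,
     *  so a certificate issued to someone else (on a smart card or in the browser) cannot be used. */
    public static boolean certificateBelongsToUser(String authenticatedUserId,
                                                   X509Certificate cert,
                                                   SubjectResolver resolver) {
        String certUser = resolver.userIdForSubject(cert);
        return certUser != null && certUser.equalsIgnoreCase(authenticatedUserId);
    }

    /** Builds PKIX parameters that mirror the two revocation options.
     *  revocationCheck  = Enable Revocation Check (CRL); ocspResponder = Enable OCSP Query,
     *  with the responder URI being the access point set in the User Application Configuration utility. */
    public static PKIXParameters buildParameters(Set<TrustAnchor> anchors,
                                                 boolean revocationCheck,
                                                 URI ocspResponder,
                                                 Collection<X509CRL> localCrls)
            throws GeneralSecurityException {
        PKIXParameters params = new PKIXParameters(anchors);
        boolean anyRevocation = revocationCheck || ocspResponder != null;
        params.setRevocationEnabled(anyRevocation);
        if (anyRevocation) {
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
            PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
            if (ocspResponder != null) {
                rc.setOcspResponder(ocspResponder);   // OCSP first; CRLs remain the fallback
            } else {
                rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS));
            }
            params.addCertPathChecker(rc);
            if (localCrls != null && !localCrls.isEmpty()) {
                // CRLs already downloaded (e.g. from the CA's distribution point) are offered to the validator.
                params.addCertStore(CertStore.getInstance("Collection",
                        new CollectionCertStoreParameters(localCrls)));
            }
        }
        return params;
    }

    /** Validates the chain (end-entity certificate first, trust anchor NOT included) against the parameters;
     *  throws CertPathValidatorException if the certificate is revoked, expired or does not chain to an anchor. */
    public static void validate(List<X509Certificate> chain, PKIXParameters params)
            throws GeneralSecurityException {
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(new ArrayList<Certificate>(chain));
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }
}
```

A caller would run `certificateBelongsToUser(...)` first and only then `validate(...)`, so that a certificate issued to another user is rejected before any network lookup takes place; with `ocspResponder == null` and `revocationCheck == false` the validator performs no revocation check at all, which is exactly the state the page warns about when both options are left cleared.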