3-Heights™ Signature Creation and Verification

3-Heights™ Signature Creation and Verification Service, Version 4.5
User Manual

Contact: pdfsupport@pdf-tools.com
Owner: PDF Tools AG, Kasernenstrasse 1, 8184 Bachenbülach, Switzerland, http://www.pdf-tools.com
Copyright © 2001-2015

3-Heights Signature Creation and Verification Service, Version 4.5, Page 2 of 10, July 2, 2015

1 Table of Content

1 Table of Content ... 2
2 Introduction ... 3
  2.1 Overview ... 3
  2.2 Advantages (Hosted Tokens, Platform support, Restricted Intranet Access, Robustness) ... 3
3 Installation and Configuration ... 4
  3.1 Requirements (Operating system, PKCS#11 Cryptography Provider, Client Software) ... 4
  3.2 Installation ... 4
  3.3 Service Configuration (Configuration files) ... 5
  3.4 Client configuration ... 6
  3.5 Service Execution ... 7
4 Glossary ... 8
  4.1 Technical Terms ... 8
  4.2 Abbreviations ... 8
5 Trouble Shooting ... 9
  5.1 Additional Documentation ... 9
  5.2 HTTP Access, Proxy Server, Firewall ... 9
  5.3 Usage of certificates from the Windows Certificate Store ... 9
  5.4 Error Codes and Possible Reasons (SIG_E_SESSION 0x8A130001, SIG_E_STORE 0x8A130002, SIG_E_CERT 0x8A130003, SIG_E_OCSP 0x8A130004 / SIG_E_TSP 0x8A130005, SIG_E_PRIVKEY 0x8A130006, PDF_E_SIGVAL 0x85410002) ... 10

2 Introduction

2.1 Overview

The 3-Heights Signature Creation and Verification Service provides HTTP protocol based remote access to cryptographic providers such as smartcards, USB tokens and other cryptographic infrastructure such as HSMs. By means of this service the tokens can be hosted centrally and used by any client computer which has access to the service. The service is configurable to handle multiple tokens and is secured via credentials. While the service is running on a Windows computer, its clients can access it also from other platforms such as UNIX.

PKCS#11 is a widely used standard for providing extensive support in the area of digital signatures, including cryptographic algorithms and storage for certificates and keys. The 3-Heights Signature Creation and Verification Service relies on the PKCS#11 infrastructure for creating and verifying digital signatures. It constitutes the preferred infrastructure when dealing with hardware tokens and hardware security modules (HSMs).

2.2 Advantages

Using the 3-Heights Signature Creation and Verification Service has several advantages over the direct use of client software.

Hosted Tokens: By means of the service, personal tokens of employees may be hosted in a secure location and can be used remotely from any client computer which has access to the service, by using individual credentials. The tokens may also be stored in a hardware security module (HSM).

Platform support: The service uses an HTTP interface. This enables signature support for platforms that are otherwise not supported by the cryptographic infrastructure.

Restricted Intranet Access: The creation of a digital signature requires access to the servers of the certificate authority (CA) to be able to query the status of a certificate (OCSP or CRL), and optionally access to the servers of a time stamp authority (TSA) to create trusted time stamps (TSP). With the service these functions are centralized on a server and are not performed by the client any more. Thus internet access is not required by the client computers and may be restricted to a dedicated server.

Robustness: The fact that signature creation and verification is done in a separate process greatly increases the robustness of the client application. If the cryptographic middleware crashes, only the respective worker process is terminated. The service and the client application remain untouched.

3 Installation and Configuration

3.1 Requirements

Operating system: The service is available for the following operating systems:
- Windows XP, Vista, 7, 8, 8.1 (32 and 64 bit)
- Windows Server 2003, 2008, 2008 R2, 2012, 2012 R2 (32 and 64 bit)

PKCS#11 Cryptography Provider: The middleware of the cryptographic infrastructure (USB token, HSM) must be installed on the same computer as where the service runs. The middleware also installs a DLL for the PKCS#11 interface. The name of the library (e.g. cryptoki.dll) and its path on the file system must be known for the configuration of the signature software. The following providers have been tested for interoperability with the service:
- SafeNet Protect Server (cryptoki.dll)
- SafeNet Luna (cryptoki.dll)
- SafeNet Authentication Client (eTPKCS11.dll)
- CryptoVision (cvp11.dll)
- Siemens CardOS
- IBM openCryptoki (opencryptoki.dll)

Client Software: The service can be used by any signature-aware 3-Heights client software, in particular with the following products:
- 3-Heights Security Tool
- 3-Heights PDF to PDF/A Converter
- 3-Heights Document Converter

3.2 Installation

Two Windows Installer kits are available, for 32-bit and 64-bit systems. Select the kit that matches your platform architecture. The following steps apply to the 64-bit variant and are similar for the 32-bit variant:
1. Download the ZIP archive (e.g. SIGSVC450x64.zip) from your download account at www.pdf-tools.com.
2. Extract the file "3-Heights(TM) Signature Creation and Verification Service x64.msi" from the ZIP archive.
3. Double-click the MSI file to start the installation wizard.
4. Follow the installation wizard. There are no installation options.

The installation automatically adds the 3-Heights Signature Creation and Verification Service and sets it to automatic start. After the installation, however, the service must be started manually. Upon un-installation the service is stopped and removed.

3.3 Service Configuration

Configuration files: The service is configured by editing the files TokenConfig.xml and SignatureService.exe.config. The files must reside in the same directory as the executable SignatureService.exe. The first file configures the cryptographic tokens, the latter the properties of the service itself.

XML structure of TokenConfig.xml:
- <configuration>
  - ID: The unique identifier of the cryptographic provider.
  - ProviderString: A string to identify and access a cryptographic token. The attributes in the provider string are separated by semicolons. The attributes are: location of the PKCS#11 interface DLL; slot number; user PIN. (1)
  - Password: The password which is used by the client software to access the token.

Example of TokenConfig.xml:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <add ID="0001" ProviderString="C:\Program Files (x86)\SafeNet\Protect Toolkit C SDK\bin\sw\cryptoki.dll;0;123456" Password="pass01"/>
      <add ID="0002" ProviderString="cvp11.dll;1;123456" Password="pass02"/>
    </configuration>

(1) A more detailed description of the ProviderString can be found in the manual of the 3-Heights PDF Security API, in the description of the property Provider of the interface PdfSignature.

XML structure of SignatureService.exe.config:
- <configuration>
  - <appSettings>
    - add: Adds a key/value pair to the property bag. The following keys are supported:
      - Port: The IP port number on which the service is listening.
      - MaxResponseLength: The maximum buffer size for response data.
      - RequestBufferSize: The buffer size for receiving request chunks.
      - LogFile: The path to a verbose log which is written by the service. If empty, logging is disabled.
      - TokenConfigFile: The path to the XML token configuration file. If empty, the server looks for a file named TokenConfig.xml in the installation directory.

Example of SignatureService.exe.config:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <appSettings>
        <add key="Port" value="8080"/>
        <add key="MaxResponseLength" value="20000"/>
        <add key="RequestBufferSize" value="4096"/>
        <add key="LogFile" value=""/>
        <add key="TokenConfigFile" value=""/>
      </appSettings>
    </configuration>

3.4 Client configuration

Once the service is configured and running, it can be accessed from any signature-capable 3-Heights product by specifying a provider string of the form

    http://server.mydomain.com:8080;0001;pass01

where
- server.mydomain.com is the network name of the computer hosting the service;
- 8080 designates the TCP/IP port configured in the SignatureService.exe.config file;
- 0001 designates the ID entry in the TokenConfig.xml file for the selected token;
- pass01 is the password configured for the selected token.

3.5 Service Execution

The service is registered as a Windows service during installation. However, there is no obligation to execute it as a Windows service; it can also run in a command line window. Either way has its advantages and disadvantages, depending on the following criteria:
- Console: you can easily verify that the smartcard infrastructure is available, which may be quite difficult in the service environment. You can also easily monitor the activities of the service.
- Service: the service starts automatically when the computer is started, without the need for an interactive login.

When deciding for interactive use, change the startup mode of the Windows service to manual or disabled.

4 Glossary

4.1 Technical Terms

Signature: Cryptographic procedure to ensure the integrity and/or authenticity of a document. The signature may be embedded in the PDF document in the form of a cryptographic message (CMS, PKCS#7).
Certificate: An electronic confirmation of the identity of a natural or legal person. The certificate contains a public key for the verification of the signature.
Public Key: The public key must match a private key which is used for the creation of the signature.
Private Key: The private key is used to create the digital signature. It is contained on a cryptographic token and is protected against unauthorized access.
Token: A container (part of an HSM, USB stick, smart card, etc.) that holds cryptographic objects such as certificates and private keys, which are protected against unauthorized access.
Slot: A logical address of a USB token or a plug-in position inside the HSM that holds a token. The token need not be physically present; it may instead be part of the HSM.
PIN: A secret number which is required to access the token. There are User PINs and Administrator PINs. The first allows for creating digital signatures, the latter for managing the cryptographic objects in the token.

4.2 Abbreviations

CA: Certification Authority
CMS: Cryptographic Message Syntax
CRL: Certificate Revocation List
CSP: Cryptographic Service Provider
HSM: Hardware Security Module
OCSP: Online Certificate Status Protocol
PKCS: Public Key Cryptography Standard
QES: Qualified Electronic Signature
TSA: Time Stamp Authority
TSP: Time Stamp Protocol
PIN: Personal Identification Number

5 Trouble Shooting

5.1 Additional Documentation

Two technical notes cover the following special topics:
- Technical Note on HSMs: www.pdf-tools.com/public/downloads/manuals/TechNoteHSM.pdf
- Technical Note on PKCS#11: www.pdf-tools.com/public/downloads/manuals/TechNotePKCS11.pdf

5.2 HTTP Access, Proxy Server, Firewall

HTTP Access: For the application of a time stamp or an online verification of certificates, the signature software requires HTTP access to the server of the issuer (e.g. http://ocsp.quovadisglobal.com or http://platinum-qualified-g2.ocsp.swisssign.net). The URL for verification is stored in the certificate; the URL for time stamp services is provided by the issuer. If these functions are not configured, no access is required.

Proxy Server: In organizations where a web proxy is in use, it must be ensured that the required MIME types are supported. These are: application/ocsp-request, application/ocsp-response, application/timestamp-query, application/timestamp-reply.

Firewall: If no web proxy server is used, it must be ensured that the HTTP requests and responses can pass the firewall.

5.3 Usage of certificates from the Windows Certificate Store

Soft certificates and other certificates stored in the Windows Certificate Store can be used with the service as well. For this, a token can be configured with a ProviderString of the Microsoft Crypt API provider, the default for which is the empty string (ProviderString=""). Clients using the Crypt API token must set the provider session property MessageDigestAlgorithm to SHA-1. Special care must be taken that the 3-Heights Signature Creation and Verification Service runs in a session and under a user that has access to the signing certificate (see chapter 5.4).

5.4 Error Codes and Possible Reasons

SIG_E_SESSION (0x8A130001):
- PKCS#11 library (e.g. DLL) not found.
- The library does not have a PKCS#11 interface.
- Initialization of the library failed because too many applications and/or threads access the library concurrently.
- The slot number is invalid.
- The PIN is incorrect.

SIG_E_STORE (0x8A130002): This error does not occur in combination with PKCS#11 (MS CryptAPI only).

SIG_E_CERT (0x8A130003): No certificate found in the defined slot number.

SIG_E_OCSP (0x8A130004), SIG_E_TSP (0x8A130005):
- Failed to establish an HTTP connection (see requirements).
- The server of the issuer is not available.

SIG_E_PRIVKEY (0x8A130006):
- The private key is not installed in the slot number or does not match the certificate.
- The PIN is incorrect.
- The signature algorithm in the certificate is unknown.
- The message digest algorithm sent by the client is not supported by the token.

PDF_E_SIGVAL (0x85410002): The provider name is invalid when starting the session.
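The two configuration files and the client provider string described in sections 3.3 and 3.4 have to agree with each other (port, token ID, password), and the manual's error list shows what goes wrong when they do not. The following Python script is an added example written for this page; it is not code from PDF Tools AG or part of the product. It parses constructed sample copies of TokenConfig.xml and SignatureService.exe.config, splits each ProviderString into library path, slot and PIN, and cross-checks a client provider string of the form http://host:port;ID;password against them. The library path C:\hsm\cryptoki.dll and all passwords are constructed, and the semicolon layout of the client string is assumed from the convention the manual states for ProviderString. It also flags tokens whose client Password is empty, since anyone who can reach the service could then use that token.

```python
"""Parse and cross-check 3-Heights Signature Service configuration (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample TokenConfig.xml (not from a real deployment).
# ProviderString layout per the manual: library;slot;PIN
TOKEN_CONFIG_XML = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <add ID="0001" ProviderString="C:\\hsm\\cryptoki.dll;0;123456" Password="pass01"/>
  <add ID="0002" ProviderString="cvp11.dll;1;123456" Password=""/>
</configuration>
"""

# Constructed sample SignatureService.exe.config.
SERVICE_CONFIG_XML = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="Port" value="8080"/>
    <add key="MaxResponseLength" value="20000"/>
    <add key="RequestBufferSize" value="4096"/>
    <add key="LogFile" value=""/>
    <add key="TokenConfigFile" value=""/>
  </appSettings>
</configuration>
"""


@dataclass
class Token:
    token_id: str
    library: str   # path of the PKCS#11 interface DLL
    slot: int      # slot number
    pin: str       # user PIN of the token
    password: str  # password clients present to the service for this token


def parse_token_config(xml_text: str) -> dict:
    """Return {ID: Token} from a TokenConfig.xml document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    tokens = {}
    for add in root.findall("add"):
        provider = add.attrib["ProviderString"]
        parts = provider.split(";")
        if len(parts) != 3:
            raise ValueError(f"ProviderString must be 'library;slot;PIN': {provider!r}")
        library, slot, pin = parts
        tokens[add.attrib["ID"]] = Token(
            add.attrib["ID"], library, int(slot), pin, add.attrib.get("Password", ""))
    return tokens


def parse_service_config(xml_text: str) -> dict:
    """Return the appSettings key/value pairs from SignatureService.exe.config."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {a.attrib["key"]: a.attrib["value"] for a in root.findall("appSettings/add")}


def parse_client_provider_string(provider_string: str):
    """Split 'http://host:port;ID;password' into (host, port, token_id, password).

    The semicolon layout is assumed from the manual's ProviderString convention.
    """
    url, token_id, password = provider_string.split(";", 2)
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        raise ValueError(f"unexpected service URL: {url!r}")
    return parts.hostname, parts.port, token_id, password


def check_client_provider_string(provider_string: str, tokens: dict, settings: dict) -> list:
    """Return findings explaining why the client string would not work with this
    service configuration; an empty list means the two are consistent."""
    findings = []
    _host, port, token_id, password = parse_client_provider_string(provider_string)
    configured_port = int(settings.get("Port", "8080"))
    if port != configured_port:
        findings.append(f"port {port} does not match service Port={configured_port}")
    token = tokens.get(token_id)
    if token is None:
        findings.append(f"token ID {token_id!r} is not defined in TokenConfig.xml")
    elif password != token.password:
        findings.append(f"password for token {token_id!r} does not match TokenConfig.xml")
    return findings


def audit_token_config(tokens: dict) -> list:
    """Return IDs of tokens with an empty client Password: any client that can
    reach the service could sign with such a token."""
    return [t.token_id for t in tokens.values() if t.password == ""]


if __name__ == "__main__":
    toks = parse_token_config(TOKEN_CONFIG_XML)
    svc = parse_service_config(SERVICE_CONFIG_XML)
    for client in ("http://server.mydomain.com:8080;0001;pass01",
                   "http://server.mydomain.com:8081;0003;pass01"):
        print(client, "->", check_client_provider_string(client, toks, svc) or "OK")
    print("tokens without client password:", audit_token_config(toks))
```

Run the script as-is to see one consistent client string, one with a wrong port and unknown token ID, and the token that has no client password; point the parsers at the real files (which hold the user PINs in clear text, so their directory should be readable only by the service account) to check a live deployment.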
