...
This guide describes how to import the SWS appliance into VirtualBox or VMware Workstation Player.
Architectural Elements
SWS is the service machine, meant to sit close to the applications that need signature and verification services. An application requiring a signature connects to SWS and hands over the entire file. SWS computes the file hash and requests an RSA RAW signature from the FRA signature system, which lies within Namirial's management boundary. FRA is the system that drives the HSM and performs the RSA signature.
...
- For signing operations it needs to reach the RAW signature service (PKCS#1 format) at https://fra.firmacerta.it
- For timestamp operations it must be able to reach the Timestamping Authority (TSA) specified in the call; both HTTP and HTTPS can be used. The Namirial TSA is reachable at http://timestamp.firmacerta.it and at https://timestamp.firmacerta.it
- For signature verification it must be able to reach the CA that issued the signer's certificate in order to check its validity
- For Trusted List (TL) updates it periodically contacts the national supervisory body of each EU member state that oversees the Certification Authorities (in Italy this is AgID)
...
Operation | Description | Frequency | Protocol | Ports | TCP/UDP | Address | SWS Environment
---|---|---|---|---|---|---|---
Signature | Sends a request to the Namirial server to sign the hash | Every call | HTTPS | 443 | TCP | fra.firmacerta.it | PROD
TimeStamp | Sends a request to the Namirial server to apply the timestamp to the hash | Every call | HTTP | 80 | TCP | timestamp.firmacerta.it | PROD
TimeStamp | Sends a request to the Namirial server to apply the timestamp to the hash | Every call | HTTPS | 443 | TCP | timestamp.firmacerta.it | PROD
Verification OCSP | To validate the certificate, sends a request to the OCSP responder | Every call (whenever possible) | OCSP | 80 | TCP | Depends on the CA that issued the signing certificate. For Namirial it is "ocsp.firmacerta.it" | PROD
Signature | Sends a request to the Namirial server to sign the hash | Every call | HTTPS | 443 | TCP | fra.test.firmacerta.it | TEST
TimeStamp | Sends a request to the Namirial server to apply the timestamp to the hash | Every call | HTTP | 80 | TCP | timestamp.test.firmacerta.it | TEST
TimeStamp | Sends a request to the Namirial server to apply the timestamp to the hash | Every call | HTTPS | 443 | TCP | timestamp.test.firmacerta.it | TEST
Verification CRL | To validate the signing certificate, checks its serial number against the CRL | | HTTP/LDAP | 80, 389 | TCP | Depends on the CA that issued the signing certificate. For Namirial it is "crl.firmacerta.it" | PROD
Verification | At startup SWS downloads all European Trusted Roots from the European supervisory agencies | | HTTPS | 443 | TCP | ec.europa.eu (full link: https://ec.europa.eu/information_society/policy/esignature/trusted-list/tl-mp.xml) | TEST, PROD
Updates and Monitoring | Used to receive automatic updates and monitoring | Always | JABBER, HTTP, HTTPS | 5222, 443, 80 | TCP | scm.firmacerta.it | TEST, PROD
NTP sync | Synchronizes date and time | Always | NTP | 123 | UDP | |
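An egress preflight check built from the outbound table above, added here as an example (it is not Namirial's tooling). It probes the TCP endpoints the appliance depends on for a given environment and lists the ones a firewall still blocks; the NTP/UDP entry is left out because a plain TCP connect cannot verify it, and the `connect` parameter is injectable so the logic can be exercised without network access.

```python
"""Egress preflight check for an SWS appliance host (added example, not project code)."""
import socket
from typing import Callable, Dict, List, Tuple

# (operation, host, port, environments) -- TCP rows from the outbound-communications table.
# OCSP/CRL hosts are those of the Namirial CA; other issuing CAs need their own entries.
EGRESS: List[Tuple[str, str, int, Tuple[str, ...]]] = [
    ("Signature (FRA, mutual TLS)", "fra.firmacerta.it", 443, ("PROD",)),
    ("Signature (FRA, mutual TLS)", "fra.test.firmacerta.it", 443, ("TEST",)),
    ("TimeStamp", "timestamp.firmacerta.it", 80, ("PROD",)),
    ("TimeStamp", "timestamp.firmacerta.it", 443, ("PROD",)),
    ("TimeStamp", "timestamp.test.firmacerta.it", 80, ("TEST",)),
    ("TimeStamp", "timestamp.test.firmacerta.it", 443, ("TEST",)),
    ("Verification OCSP (Namirial CA)", "ocsp.firmacerta.it", 80, ("PROD",)),
    ("Verification CRL (Namirial CA)", "crl.firmacerta.it", 80, ("PROD",)),
    ("Verification CRL (Namirial CA, LDAP)", "crl.firmacerta.it", 389, ("PROD",)),
    ("Trusted List download", "ec.europa.eu", 443, ("TEST", "PROD")),
    ("Updates and Monitoring (Jabber)", "scm.firmacerta.it", 5222, ("TEST", "PROD")),
    ("Updates and Monitoring (HTTPS)", "scm.firmacerta.it", 443, ("TEST", "PROD")),
    ("Updates and Monitoring (HTTP)", "scm.firmacerta.it", 80, ("TEST", "PROD")),
]


def required_egress(env: str) -> List[Tuple[str, str, int]]:
    """Return the (operation, host, port) triples an SWS in `env` must be allowed to reach."""
    return [(op, host, port) for op, host, port, envs in EGRESS if env in envs]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect probe; True when the three-way handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(env: str, connect: Callable[[str, int], bool] = tcp_connect) -> Dict[Tuple[str, int], bool]:
    """Probe every required endpoint once; keyed by (host, port) so duplicate ops collapse."""
    results: Dict[Tuple[str, int], bool] = {}
    for _op, host, port in required_egress(env):
        if (host, port) not in results:
            results[(host, port)] = connect(host, port)
    return results


def blocked(results: Dict[Tuple[str, int], bool]) -> List[Tuple[str, int]]:
    """Endpoints that failed the probe, sorted for a stable report."""
    return sorted(key for key, ok in results.items() if not ok)


if __name__ == "__main__":
    for host, port in blocked(preflight("PROD")):
        print(f"BLOCKED {host}:{port}")
```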
Outbound communications to the Namirial FRA service use HTTPS with mutual authentication: they are made with a unique TLS client certificate that Namirial issues to each applicant, so that the calling VA SWS can be identified.
The incoming protocols are listed in the following table:

Service | Description | Protocol | Port | TCP/UDP | SWS Environment
---|---|---|---|---|---
Web Services | Web services interface | HTTP | 8080 | TCP | TEST, PROD
Web Services | Web services interface | AJP | 8009 | TCP | TEST, PROD
High Reliability Implementation
The RAW signature service (PKCS#1) is provided in high reliability: the HSM and the FRA element are functionally redundant. High reliability of the VA SWS can be achieved as for any generic web server: deploy two or more VA SWS instances and expose the web services through a load balancer. Since SWS does not keep any application session, an equal-weight Round-Robin balancing policy is sufficient.
Using Apache as Reverse Proxy
A possible configuration uses the Apache Web Server as reverse proxy and load balancer for SWS. The following is an indicative configuration (Apache Reverse Proxy); it requires mod_ssl, mod_proxy, mod_proxy_ajp, mod_proxy_balancer, mod_lbmethod_byrequests and mod_rewrite, and the certificate paths are placeholders to be replaced with your own:

```apache
# Backend pool: the SWS instances are reached over AJP (port 8009, see the incoming-protocols table).
# The default lbmethod is byrequests, i.e. equal-weight Round-Robin, which is enough since SWS keeps no session.
<Proxy balancer://sws>
    BalancerMember ajp://sws1.localdomain:8009
    BalancerMember ajp://sws2.localdomain:8009
</Proxy>

<VirtualHost *:443>
    ServerName sws.mydomain.it
    SSLEngine on
    # Server certificate and private key of the front-end TLS endpoint (placeholder paths)
    SSLCertificateFile    /etc/pki/tls/certs/sws.mydomain.it.crt
    SSLCertificateKeyFile /etc/pki/tls/private/sws.mydomain.it.key

    LogLevel warn
    ErrorLog  logs/sws/ssl_error_log
    CustomLog logs/sws/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    # Any request not already under /SignEngineWeb/ is redirected internally to the web-service root
    RewriteEngine on
    RewriteRule !^/SignEngineWeb/(.*)$ /SignEngineWeb/ [L,PT]

    # Forward the web-service path to the balancer pool and rewrite backend redirects on the way back
    ProxyPass        /SignEngineWeb balancer://sws/SignEngineWeb
    ProxyPassReverse /SignEngineWeb balancer://sws/SignEngineWeb
</VirtualHost>
```
Deploy and test
This section gives some information on deploying the Appliance on the most popular virtualization systems. The virtual machine is released in the Open Virtualization Format (OVF), with the hard disks in VMDK format. For deployment, installing the VA in a VMware vSphere* environment is recommended.
*Namirial S.p.A. does not provide any support for the virtualization environment on which the VA SWS is installed.
How to obtain the OVF virtual appliance
The OVF can be downloaded from this link:
https://cms.firmacerta.it/download/sws_2.x.zip
Default Credentials
After downloading and importing the OVF, the default credentials are:
USER: sws
PASSWORD: sws2015