Introduction
The purpose of this document is to describe the installation, configuration and management procedures about the Virtual Appliance (VA) named SignEngineWeb (SWS). The VA SWS was created to be manageable and ready-to-use. You should import this virtual machine (".ovf") in her infrastucture and setup (for example set the proxy). With VA SWS is possible to sign, apply timestamp and verify the signature. SWS support different type of signature devices:
- Automatic signature
- Remote signature
- Disposable
- Lean Disposable
- eSeal (electronic seal)
The types of signature permits are:
- CAdES
- PAdES
- XAdES
- RAW signature (PKCS#1)
And is possible to set the different levels of signature like B, T, LT, LTV ecc... this details are described in the documentation about integration with SWS.
The timestamp applyed are in accordance with RFC 3161 and RFC 5544 standards.
During the verification of the signatures are used certificates issued by all accredited Certification Authority in the Countries of the European Community, is possible to verify signature CAdES, PAdES and XAdES
In this guide will be described how import SWS appliance into VMWare workstation player.
Architectural Elements
SWS is the service machine which is supposed to be closed to the applications that need the signature and verification services. Applications requiring the signature connect and switch the entire file to SWS. SWS calculates the file track and asks for the RSA RAW type signature to the FRA signature system which is in the Namirial management boundaries. FRA is the system who drives HSM and uses RSA signature.
Assuming SWS is inside the LAN (the same LAN hosting the applications requiring the signature services) the documents are exchanged inside a private network. We have the confidentiality of the information contained in the hash that SWS has transmitted to FRA and a low impact on the Internet bandwidth. For each signature between SWS and FRA are used 7KB, regardless of the document size. In the case of submissions of merged requests, the bandwidth usage decreases thanks to TCP, HTTPS and SOAP lower impacts.
Inflows and Outflows
SWS exposes its services via SOAP.
On the other hand, it operates as a client in the following ways:
- For signing operations it needs to contact the RAW signature services (PKCS#1 format) at https://fra.firmacerta.it
- For timestamp operations it must be able to contact the Timestamping Authority (TSA) set in the call. In this case the protocols that can be used are HTTP and HTTPS. In the details, Namirial TSA can be reached at http://timestamp.firmacerta.it and at https://timestamp.firmacerta.it
- For signing verifications it must be able to contact the CA that issued the signer's certificate to prove its validity
- Update TLS (TrustedList) contacting periodically every EC national agencies that supervises the Certification Authority (in Italy is AgID).
Minimum Requirements
Allocated Resources to the Virtual Machine
For proper operation it is necessary that the virtual machine has assigned, at least, the following resources:
- 4 GB RAM (8 GB are suggested)
- 40 GB Hard Disk
- 2 core
- 1 network interface
Ports and Protocols Usages (firewall rules)
Below the list of port and protocol used by SWS:
| Operation | Description | Frequency | Protocol | Ports | TCP/UDP | Address | SWS Environment |
|---|---|---|---|---|---|---|---|
| Signature | Send a request to Namirial server for sign the hash | Every call | HTTPS | 443 | TCP | fra.firmacerta.it | PROD |
| TimeStamp | Send a request to Namirial server for apply the timestamp to the hash | Every call | HTTP | 80 | TCP | timestamp.firmacerta.it | PROD |
| TimeStamp | Send a request to Namirial server for apply the timestamp to the hash | Every call | HTTPS | 443 | TCP | timestamp.firmacerta.it | PROD |
| Verification OCSP | For validate the certificate send request to OCSP for check the certificate | Every call (whenever possible) | OCSP | 80 | TCP | It depends on the CA issued the certificate used for the signature. For Namiriai is: "ocsp.firmacerta.it" | PROD |
| Signature | This operation send a request to Namirial server for sign the hash | Every call | HTTPS | 443 | TCP | fra.test.firmacerta.it | TEST |
| TimeStamp | Send a request to Namirial server for apply the timestamp to the hash | Every call | HTTP | 80 | TCP | timestamp.test.firmacerta.it | TEST |
| TimeStamp | Send a request to Namirial server for apply the timestamp to the hash | Every call | HTTPS | 443 | TCP | timestamp.test.firmacerta.it | TEST |
| Verification OCSP | For validate the certificate send request to OCSP for check the certificate | Every call (whenever possible) | OCSP | 80 | TCP | It depends on the CA issued the certificate used for the signature. For Namiriai is: "ocsp.firmacerta.it" | PROD |
| Verification CRL | For validate the signature certificate check the serial number into CRL | HTTP/LDAP | 80, 389 | TCP | It depends on the CA issued the certificate used for the signature. For Namiriai is: "crl.firmacerta.it" | PROD | |
| Verification | At startup SWS download all European Trusted Root from European supervisory agenciences | HTTPS | 443 | TCP | ec.europa.eu (the full link is: https://ec.europa.eu/information_society/policy/esignature/trusted-list/tl-mp.xml) | TEST, PROD | |
| Updates and Monitoring | Used for receive automatic updates and receive | Always | JABBER, HTTP, HTTPS | 5222, 443, 80 | TCP | scm.firmacerta.it | TEST, PROD |
| NTP sync | synchronize date and time | Always | NTP | 123 | UDP |
Outbound communications to the Namirial FRA service are in HTTPS with a mutual authentication and they take place via an unique TLS certificate that Namirial distributes to every applicant, in order to identify the VA SWS caller.
Here is table with incoming protocols:
| Service | Description | Protocol | Port | TCP/UDP | SWS Environment |
|---|---|---|---|---|---|
| Web Services | Web services interfacing | HTTP | 8080 | TCP | TEST, PROD |
| Web Services | Web services interfacing | AJP | 8009 | TCP | TEST, PROD |
High Reliability Implementation
The RAW signature service (PKCS#1) is high reliability provided. The HSM and the FRA element are functional purpose redundants. The VA SWS high reliability can be achieved operating as you usually do for a generic web server: run the VA SWS setup (2 or more) and display the web services via a load balancer. Since SWS does not handle any application session, it is enough to set a load balancer policy with a same-weight Round-Robin type.
Using Apache as Reverse Proxy
A possible configuration consists in using Apache Web Server as reverse proxy and load balancer for SWS. Here is an indication related to the configuration to use:
<Proxy balancer://sws>
BalancerMember ajp://sws1.localdomain:8009
BalancerMember ajp://sws2.localdomain:8009
</Proxy>
<VirtualHost *:443>
ServerName sws.mydomain.it
SSLEngine on
LogLevel warn
ErrorLog logs/sws/ssl_error_log
CustomLog logs/sws/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
RewriteEngine on
RewriteRule !^/SignEngineWeb/(.*)$ /SignEngineWeb/ [L,PT]
ProxyPass /SignEngineWeb balancer://sws/SignEngineWeb
ProxyPassReverse /SignEngineWeb balancer://sws/SignEngineWeb
</VirtualHost>
Deploy and test
Here are some information about some information for the Appliance deploy via some of the most popular virtualization systems. The virtual machine is released in the Open Virtualization Format (OVF) where the HD are in the VMDK format. In the deploy areas, it is recommended the installation of VA in environment VMware Vsphere*.
*Namirial S.p.A. does not provide any support for the virtualization areas on which the VA SWS will be installed.
How obtain OVF virtual appliance
You can obtain the OVF at this link:
Default Credentials
After download and import the OVF the default credentials are:
USER: sws PASSWORD: sws2015
How import OVF into VMware Workstation Player
- For import the OVF, you can follow this step:
- Download VMware workstation player from this link: https://www.vmware.com/products/workstation-player.html
- Install VMware workstation player and open
- Go to: File → Play → Open → select the OVF just downloaded
Menu Console (MC)
After the import has been completed, you start the virtual machine and configure the parameters via "Menu Console".
This menu permits to set parameters like proxy, NTP ecc. The options of this menu are:
- Register: VA registration to our centralized update system (SCM)
- Config: IP ADDRESS, GATEWAY, DNS and ROOT PASSWORD configuration
- Update: Updates installation (system and push updates)
- Proxy: proxy configuration NTLM and port
- Restart_jboss: restart of the application server SWS
- Restart_osad: restart of sync module VA/SCM
- Reboot: VA restart
- Shutdown: VA shutdown
- Logout: exit from Menu Console
- Exit: go to Bash shell*
*This option must be selected under the monitoring of a Namirial operator. Namirial doesn’t give any support about modifications executed without WEB interface or Console Menù
SCM Registration and Updates
The VA SWS has the possibility of being associated to an updates released centralized system. The update modes will be released in two different modes:
- Channel Updates (updates available for all the VA who has signed in)
- Push Updates (updates sent directly to the specified VA)
The registration system provides the VA restart and the resulting hostname changing with the following scheme: NomeDelCertificatoDiFirma_ultime4cifreMacAddress. The maintenance of the hostname* is a prerogative to use the updates centralized systems (SCM).
Changing the hostname will not allow to the SCM system nor release the Push Updates service nor keep track of SWS releases and packs changes inside the VA. It is strongly discouraged to vary this parameter.
From MC it will be possible to launch the operation.
Functional Verification