SignServer

Installation Guide

Quick start demo guide

This is a quick start guide that gets you set up with a demo Time Stamp service (a TSA according to RFC 3161). It lets you get a feel for how SignServer is structured, so you can move on to the more advanced features described in the manual.

This quick start guide assumes you are using JBoss and are running everything on localhost.

  1. Make sure you are using Sun JDK 1.6 Update 10 or later. Update 10 is needed for the ODF Signer, and at least Update 04 is needed for JAX-WS 2.1, which is used by the WebServices.
    By disabling the WebServices and not using the ODF Signer it is possible to use Update 03 or earlier. This is described below.
  2. Unzip JBoss to a new directory and set the APPSRV_HOME environment variable to point to this location. Ex:
    # export APPSRV_HOME=/home/user/jboss-4.2.3
  3. set the environment variable SIGNSERVER_NODEID
    # export SIGNSERVER_NODEID=node1
  4. Copy build configuration sample file:
    # cp signserver_build.properties.sample signserver_build.properties
  5. Configure the SignServer web properties:
    # vi signserver_build.properties
    - set: j2ee.web-nohttps=true
    This serves the web interfaces over plain HTTP, which is acceptable for a localhost demo only: requests and signed responses then travel unencrypted. Leave the property at its default for any deployment that is not a local demo.
    You can use Sun Java 1.6.0_03 or earlier if you set the property:
    signserverws.enabled=false
  6. Build and deploy SignServer to JBoss:
    # ant clean; ant deploy
  7. Start JBoss:
    # cd $APPSRV_HOME/bin
    # ./run.sh
    - verify that startup was ok. Tables have now been created in your database.
  8. Deploy the Timestamp demo module and notice the worker ID (in this example 1):
    # bin/signserver.sh module add dist-server/tsa.mar demo
  9. Verify the configuration with:
    # bin/signserver.sh getconfig 1
  10. Finally activate the configuration with:
    # bin/signserver.sh reload 1
  11. You can check the configuration with:
    # bin/signserver.sh getstatus complete all
  12. Run the test-client to see that everything is up.
    # cd dist-client/timestampclient
    # java -jar timeStampClient.jar http://localhost:8080/signserver/process?workerName=TSA
    The message "TimeStampRequest Validated" should appear once a second. Also check $APPSRV_HOME/server/default/log/server.log for the corresponding success messages.

If you run into problems at any stage after JBoss has been started, check the JBoss server log in $APPSRV_HOME/server/default/log/server.log for error messages. Errors such as database connection problems or a wrong path to the timestamp keystore are usually clearly visible there.

PDF signer

To install the PDF signer you can issue the following commands (either instead of the TSA or in addition to the TSA).

  1. Deploy the PDF signer demo module and notice the worker ID (in this example: 2):
    # bin/signserver.sh module add dist-server/pdfsigner.mar demo
  2. Verify the configuration with:
    # bin/signserver.sh getconfig 2
  3. Finally activate the configuration with:
    # bin/signserver.sh reload 2

You can now use your web browser to access the URL http://127.0.0.1:8080/signserver/pdfsign.html and get PDF documents signed.

OOXML signer

To install the OOXML signer you can issue the following commands:

  1. Deploy the OOXML signer demo module and notice the worker ID (in this example: 3):
    # bin/signserver.sh module add dist-server/ooxmlsigner.mar demo
  2. Verify the configuration with:
    # bin/signserver.sh getconfig 3
  3. Finally activate the configuration with:
    # bin/signserver.sh reload 3

You can now use your web browser to access the URL http://127.0.0.1:8080/signserver/ooxmlsign.html and get Office Open XML documents signed (e.g. an MS Office 2007 Word document, Excel workbook or PowerPoint presentation).

ODF signer

To install the ODF signer you can issue the following commands:

  1. Deploy the ODF signer demo module and notice the worker ID (in this example: 4):
    # bin/signserver.sh module add dist-server/odfsigner.mar demo
  2. Verify the configuration with:
    # bin/signserver.sh getconfig 4
  3. Finally activate the configuration with:
    # bin/signserver.sh reload 4

You can now use your web browser to access the URL http://127.0.0.1:8080/signserver/odfsigner.html and get Open Document Format documents signed (e.g. a text or spreadsheet document produced with OpenOffice.org 3.1).

XML signer

To install the XML signer you can issue the following commands (either instead of the TSA or in addition to the TSA):

  1. Deploy the XML signer module and notice the worker ID (in this example: 1):
    # bin/signserver.sh module add dist-server/xmlsigner.mar demo
  2. Verify the configuration with:
    # bin/signserver.sh getconfig 1
  3. Activate the configuration with:
    # bin/signserver.sh reload 1
  4. The status of the Signer can now be viewed with:
    # bin/signserver.sh getstatus complete DemoXMLSigner

You can now use your web browser to access the URL http://127.0.0.1:8080/signserver/xmlsign.html and get XML documents signed.

XML validator

An XML validator validates the signature of an XML document. It uses a certificate validation service worker for validating the certificate so that worker has to be configured first.

To install a certificate validation service worker issue the following commands:

  1. Load the configuration and notice the worker ID (in this example: 2):
    # bin/signserver.sh setproperties sample-configs/qs_validator_dummy_configuration.properties
  2. Verify the configuration with:
    # bin/signserver.sh getconfig 2
  3. Activate the configuration with:
    # bin/signserver.sh reload 2
  4. The status of the Worker can now be viewed with:
    # bin/signserver.sh getstatus complete CertValidationWorker

Then to install the XML validator you can issue the following commands:

  1. Deploy the XML validator module and notice the worker ID (in this example: 3):
    # bin/signserver.sh module add dist-server/xmlvalidator.mar demo
  2. Verify the configuration with (notice that VALIDATIONSERVICEWORKER is set to "CertValidationWorker"):
    # bin/signserver.sh getconfig 3
  3. Activate the configuration with:
    # bin/signserver.sh reload 3
  4. The status of the Validator can now be viewed with:
    # bin/signserver.sh getstatus complete DemoXMLValidator

Now the SignServer APIs can be used to request XML documents to be validated by the DemoXMLValidator worker.

MRTD SOD signer

The MRTD SOD signer takes data group hashes as input and creates a signed Document Security Object (SOD). This means that SignServer functions as a Document Signer for ePassports.

To install the MRTD SOD signer you can issue the following commands:

  1. Deploy the MRTD SOD signer module and notice the worker ID (in this example: 4):
    # bin/signserver.sh module add dist-server/mrtdsodsigner.mar demo
  2. Verify the configuration with:
    # bin/signserver.sh getconfig 4
  3. Activate the configuration with:
    # bin/signserver.sh reload 4
  4. The status of the signer can now be viewed with:
    # bin/signserver.sh getstatus complete mrtdsodsigner

Now the SignServer APIs can be used to send MRTD SOD sign requests to the MRTDSODSigner.
You can also use the HTML page http://<signserverhost>:8080/signserver/mrtdsodsign.html to enter requests and get the SOD back. This HTML form serves as a sample of how the personalisation system can make HTTP requests to the Document Signer.

*** Production configuration with HSM ***

To install a production signer using an HSM instead of the demo signer, edit src/module-configs/mrtdsodsigner/hard-part-config.properties and then run:

ant
bin/signserver.sh module add dist-server/mrtdsodsigner.mar hard
bin/signserver.sh getconfig 4
bin/signserver.sh reload 4
bin/signserver.sh generatecertreq 4 "C=SE,CN=MRTD SOD Signer" SHA256WithRSA mrtdsodsigner.req

Where 4 is the signerId that you got when running the 'module add' command.
This creates a certificate request that you can get signed by your CA. When you have received the response, you can import it as follows, assuming the returned signer certificate is in cert.pem and the CA certificate in cacert.pem:

cat cert.pem cacert.pem > certchain.pem
bin/signserver.sh uploadsignercertificate 4 glob cert.pem
bin/signserver.sh uploadsignercertificatechain 4 glob certchain.pem
bin/signserver.sh reload 4

Hint: you can use EJBCA to create keys on a PKCS#11 HSM using clientToolBox.
ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/ETcpsdk/lib/linux-x86_64/libcryptoki.so 2048 DSSignKey 5

Installation Guides

Clustered SignServer 3.0 CentOS 4.4 Installation Guide

Installation guide describing step-by-step how to set up a SignServer cluster on CentOS 4.4. Even though the document is specific to this OS, it should be quite easy to adapt it to other environments as well. It can be downloaded as PDF or viewed as HTML.

Clustered SignServer 2.0 CentOS 4.4 Installation Guide

Version 2.0 of the same documentation (PDF, HTML).