Trusted Central Signing Service - API - Document Seal

Prerequisites

- PAS 4.1 installed

- Seal certificate (p12) stored as a resource in PhenixID Autentication Services

- The reader of this document should have some basic knowledge about PhenixID Server.

- Changes will be made to the file phenix-store.json, so please make sure to have a backup  of this file.

Enable HTTP for pipes

- Login to Configuration Manager

- Click Advanced

- Open HTTP Connections (click on the pen)

- Get the ID value of the HTTP Connection (ie, http listening port) you would like to use for pipes (optional). If "Default HTTP connection" is used this line shall be removed.

- Open Modules (click on the pen)

- Add configuration properties to the pipes module. Example:

{
		"name": "com.phenixidentity~phenix-pipes",
		"singleton": "true",
		"config": {
			"http_enabled": "true",
			"http_configuration_ref": "<id_value_fetched_in_previous_step, otherwise remove this line>" 
		},
		"enabled": "true",
		"created": "2017-07-03T11:38:03.057Z",
		"id": "01ffd70e-b5fb-4c06-b040-b61760424bf6"
	}

- Click Stage Changes

- Click Commit Changes

- Restart PhenixID Authentication Services

Add pipe for seal

- Click the Advanced tab

- Open Pipes (Click on the pen)

- Add this pipe.

- AddImageToPDFValve, use this valve if you want to add a picture to the end of the PDF file. Point to the picture that should be used. The position is set with the parameter "imagelocation" and value can be northwest, northeast and so on.

NOTE: AddImageToPDFValve will generate the property "pdfupdated" as seen in the example below:
{{item.pdfupdated}}
If AddImageToPDFValve is removed from the flow, "pdfSourceData", on PADESSignValve needs to be changed to "{{item.temporary}}".

- Change the keyStore value to the ID of the keystore to use to seal the document.

{
"id": "SealAppDocSignPipeAPI",
"description": "Seal document via API ",
"http_enabled": "true",
"http_path_pattern": "PUT:/pipes/seal",
"http_response_content_type": "application/pdf",
"http_response_body_item_property": "document",
"valves": [
        {
          "name": "ItemCreateValve",
          "config": {
              "dest_id": "temp"
        }
},
        {
          "name": "PropertyAddValve",
          "config": {
              "name": "b64",
              "value": "{{request.body}}"
        }
},
{
          "name": "PropertyAddValve",
          "config": {
              "name": "signerID",
              "value": "SEAL"
        }
},
        {
          "name": "PropertyBase64DecoderValve",
          "config": {
              "source": "b64",
              "dest": "temporary"
        }
},
        {
          "name": "AddImageToPDFValve",
          "enabled": "true",
          "config": {
              "pathToImage": "C:/Program Files/PhenixID/sign_image/PhenixID-overlay.png",
              "pdfSource": "{{item.temporary}}",
              "imagelocation": "northwest"
        }
},
        {
          "name": "PADESSignValve",
          "enabled": "true",
          "config": {
            "keyStoreID": "Demo_SEAL.p12",
            "pdfSourceData": "{{item.pdfupdated}}",
            "pdfTarget": "document"
        }
},
        {
          "name": "PropertyRemoveValve",
          "config": {
              "name": "b64"
        }
     },
    {  
         "name":"EventValve",
         "config":{  
            "event_key":"EVT_000052",
            "parameters":[  
               {  
                  "parameter":"duser",
                  "value":"{{item.signerID}}"
               },
               {  
                  "parameter":"msg",
                  "value":"Successfully signed"
               },
               {  
                  "parameter":"phenixIDIdentifier",
                  "value":"SIGN"
               },
               {  
                  "parameter":"proto",
                  "value":"PADES"
               }
            ]
         }
      }
   ]
}

- Click Stage Changes

- Click Commit Changes

Add pipe for verification

- Create a jks trust store file

- Add all the CAs you trust to issue certificates to sign PDFs

- Place the jks file in a folder (example: C:/Program Files/PhenixID/SigningService/custom/trustedcas.jks)

- Click the Advanced tab

- Open Pipes (Click on the pen)

- Add this pipe.

This pipe will only verify the signature(s), not the certificate(s). Please add/remove/change valves to suit your needs. Also, with SigningService additional valves are available.

{
"id": "SealAppVerifyPipeAPI",
"description": "Verify sealed document via API ",
"http_enabled": "true",
"http_path_pattern": "PUT:/pipes/verifyseal",
"valves": [
        {
          "name": "ItemCreateValve",
          "config": {
              "dest_id": "temp"
        }
},
        {
          "name": "PropertyAddValve",
          "config": {
              "name": "b64",
              "value": "{{request.body}}"
        }
},
        {
          "name": "PropertyBase64DecoderValve",
          "config": {
              "source": "b64",
              "dest": "temporary"
        }
},
        {
          "name": "PropertyRemoveValve",
          "enabled": "true",
          "config": {
              "name": "b64"
        }
},
        {
          "name": "PDFSignatureStatusValve",
          "enabled": "true",
          "config": {
              "pdfSource": "{{item.temporary}}",
              "trustStorePath": "C:/Program Files/PhenixID/SigningService/custom/trustedcas.jks",
			     "trustStorePassword": "secret (change this to your jks file pwd)"
        }
},
        {
          "name": "PropertyRemoveValve",
          "enabled": "true",
          "config": {
              "name": "temporary"
        }
     }
   ]
}

- Click Stage Changes

- Click Commit Changes

Create report

Follow this instruction on how to create a report with successful signatures.

Test

Test by using a rest client, such as Google Chrome Postman. Follow this guide.