PhenixID DocumentationPhenixID Authentication ServicesSolutionsElectronic signaturesCustomer preparations before installing Signing and Signing Workflow

Customer preparations before installing Signing and Signing Workflow


This document describes the preparation steps the customer needs to carry out, both from a technical but also from a functional point of view, before setting up PhenixID Signing Services and Workflow.

Prepare functional and graphical requirements

Signing Workflow

First page

Select logos, headline text and color for the front page.


Internal ("anställd")

Select which data (attributes) about the user should be displayed (userID and email must always be present).
(Data to be presented must be able to lookup from a user database, such as Active Directory.)

Select the labels for each attribute.

External ("medborgare")

Select which data (attributes) about the user should be displayed (email must always be present).

(Data to be presented must be able to lookup from a source, such as Navet (Skatteverket))

Select the labels for each attribute.


Select from address and footer info.


Select which logo and headline to be used.

PDF content

Visual signatures

Select header and footer texts, icon, signer info.

Signature certificate content

Select which information about the signers to be part of the certificates.

Prepare infrastructure

Server requirements

The solution requires a minimum of two servers, one running PhenixID Signing Services and one running PhenixID Signing Workflow.

  • PhenixID Signing Services - hardware requirement


  • PhenixID Signing Workflow - hardware requirement


Setup two domains:

- One for PhenixID Signing Services, for example

- One for PhenixID Signing Workflow, for example

DNS should point to the load balancer / proxy component, see below.


Prepare a database on your SQL server according to this instruction.


Prepare certificates for SSL (http):

Prepare a CA keystore from your PKI and export it as a p12/pfx file with a password.
This CA keystore will be used to issue the certificate that will be used for the signing operation.

Load balancer / proxy

  • Install https-certificates on load balancer
  • DNS records must point to the load balancer
  • External load balancer must terminate SSL and reverse proxy http traffic to the backend servers (ie PhenixID Signing Services and PhenixID Signing Workflow) on backend port 8080


Prepare SMTP integration, used to send out notifications.

Please view and browse to the SMTP part for detailed info.

Authentication, authorization and signing methods

Authentication, authorization and signing is based on federation. Connect Signing Services and Signing Workflow to your Identity Provider.

User directory lookup

Based on the requirments of the Person Search -> Internal and Person Search -> External (see above), one or more user directory lookups are needed:

  • LDAP
    • Prepare LDAP host/ip, port, service account DN, service account password and search base.
  • SQL
    • Prepare SQL jdbc url (driver, ip, port, database name), userID and password to connect to the database. Prepare SQL statements to be executed.
  • Navet (Skatteverket)
    • Prepare keystore file (in p12 or pfx format), keystore password, organization number and customerID.
      To order this functionality against Skatteverket, the name of the item is Direktåtkomst (web serviceses – e-persondata)



Prepare communication access / firewall openings:

  • Web clients -> LB/Proxy 443
  • LB/Proxy -> PhenixID Signing Workflow 8080
  • LB/Proxy -> PhenixID Signing Services 8080
  • PhenixID Signing Workflow -> SMTP-host port 25 / 587 (change to whatever port you use for SMTP)
  • PhenixID Signing Workflow -> PhenixID Signing Services 7443
  • PhenixID Signing Workflow -> SQL Database server port XX (the port used for the sql connection)
  • Based on the user lookup requirements, additional communication access will be needed:
    • If LDAP: PhenixID Signing Services -> LDAP 389/636
    • If SQL: PhenixID Signing Services -> SQL XX
    • If Skatteverket (Navet): PhenixID Signing Services -> Navet endpoint 443