Customer preparations before installing Signing and Signing Workflow
About
This document describes the preparation steps the customer needs to carry out, both from a technical but also from a functional point of view, before setting up PhenixID Signing Services and Workflow.
Prepare functional and graphical requirements
Signing Workflow
First page
Select logos, headline text and color for the front page.
Person search
Internal ("anställd")
Select which data (attributes) about the user should be displayed (userID and email must always be present).
(Data to be presented must be able to lookup from a user database, such as Active Directory.)
Select the labels for each attribute.
External ("medborgare")
Select which data (attributes) about the user should be displayed (email must always be present).
(Data to be presented must be able to lookup from a source, such as Navet (Skatteverket))
Select the labels for each attribute.
Emails
Select from address and footer info.
Signing
Select which logo and headline to be used.
PDF content
Visual signatures
Select header and footer texts, icon, signer info.
Signature certificate content
Select which information about the signers to be part of the certificates.
Prepare infrastructure
Server requirements
DNS
Setup two domains:
- One for PhenixID Signing Services, for example sign.kommun.se
- One for PhenixID Signing Workflow, for example signera.kommun.se
DNS should point to the load balancer / proxy component, see below.
Database
Prepare a database on your SQL server according to this instruction.
Certificates
Prepare certificates for SSL (http):
Prepare a CA keystore from your PKI and export it as a p12/pfx file with a password.
This CA keystore will be used to issue the certificate that will be used for the signing operation.
Load balancer / proxy
- Install https-certificates on load balancer
- DNS records must point to the load balancer
- External load balancer must terminate SSL and reverse proxy http traffic to the backend servers (ie PhenixID Signing Services and PhenixID Signing Workflow) on backend port 8080
SMTP
Prepare SMTP integration, used to send out notifications.
Please view https://document.phenixid.net/searches?utf8=%E2%9C%93&text=PhenixID+AND+Signing+AND+Workflow+AND+%22how+to+configure+signing+workflow%22&commit=Search and browse to the SMTP part for detailed info.
Authentication, authorization and signing methods
Authentication, authorization and signing is based on federation. Connect Signing Services and Signing Workflow to your Identity Provider.
- Signing Workflow
- Prepare a key and corresponding certificate for securing saml messages. Key should be in unencrypted DER format. Certificate in PEM format.
- On your IdP, prepare NameID and SAML attribute profiles to match https://document.phenixid.net/searches?utf8=%E2%9C%93&text=PhenixID+AND+Signing+AND+Workflow+AND+%22how+to+configure+signing+workflow%22&commit=Search -> SAML attribute mapping.
- Signing Services
- On your IdP, prepare NameID and SAML attribute profiles to make sure the identity information that is to be added to the signatures is included (according to decisions based on the Signature certificate content, see above).
User directory lookup
Based on the requirments of the Person Search -> Internal and Person Search -> External (see above), one or more user directory lookups are needed:
- LDAP
- Prepare LDAP host/ip, port, service account DN, service account password and search base.
- SQL
- Prepare SQL jdbc url (driver, ip, port, database name), userID and password to connect to the database. Prepare SQL statements to be executed.
- Navet (Skatteverket)
- Prepare keystore file (in p12 or pfx format), keystore password, organization number and customerID.
To order this functionality against Skatteverket, the name of the item is Direktåtkomst (web serviceses – e-persondata)
- Prepare keystore file (in p12 or pfx format), keystore password, organization number and customerID.
Communication
Prepare communication access / firewall openings:
- Web clients -> LB/Proxy 443
- LB/Proxy -> PhenixID Signing Workflow 8080
- LB/Proxy -> PhenixID Signing Services 8080
- PhenixID Signing Workflow -> SMTP-host port 25 / 587 (change to whatever port you use for SMTP)
- PhenixID Signing Workflow -> PhenixID Signing Services 7443
- PhenixID Signing Workflow -> SQL Database server port XX (the port used for the sql connection)
- Based on the user lookup requirements, additional communication access will be needed:
- If LDAP: PhenixID Signing Services -> LDAP 389/636
- If SQL: PhenixID Signing Services -> SQL XX
- If Skatteverket (Navet): PhenixID Signing Services -> Navet endpoint 443