
Customer preparations before installing Signing and Signing Workflow

About

This document describes the preparation steps the customer needs to carry out, both from a technical but also from a functional point of view, before setting up PhenixID Signing Services and Workflow.

Prepare functional and graphical requirements

Signing Workflow

First page

Select logos, headline text and color for the front page.


Internal ("anställd", i.e. employee)

Select which data (attributes) about the user should be displayed (userID and email must always be present).
(The data to be presented must be available for lookup from a user database, such as Active Directory.)

Select the labels for each attribute.

External ("medborgare", i.e. citizen)

Select which data (attributes) about the user should be displayed (email must always be present).

(The data to be presented must be available for lookup from a source, such as Navet (Skatteverket).)

Select the labels for each attribute.

Emails

Select from address and footer info.

Signing

Select which logo and headline are to be used.

PDF content

Visual signatures

Select header and footer texts, icon, signer info.

Signature certificate content

Select which information about the signers is to be included in the certificates.

Prepare infrastructure

Server requirements

The solution requires a minimum of two servers, one running PhenixID Signing Services and one running PhenixID Signing Workflow.

  • PhenixID Signing Services - hardware requirement


  • PhenixID Signing Workflow - hardware requirement

DNS

Setup two domains:

- One for PhenixID Signing Services, for example sign.kommun.se

- One for PhenixID Signing Workflow, for example signera.kommun.se

DNS should point to the load balancer / proxy component, see below.

Database

Prepare a database on your SQL server according to https://document.phenixid.net/m/101461/l/1391879-configure-database.

Certificates

Prepare certificates for SSL (https).

Prepare a CA keystore from your PKI and export it as a p12/pfx file with a password.
This CA keystore will be used to issue the certificate that will be used for the signing operation.

Load balancer / proxy

  • Install https-certificates on load balancer
  • DNS records must point to the load balancer
  • The external load balancer must terminate SSL and reverse-proxy plain HTTP traffic to the backend servers (i.e. PhenixID Signing Services and PhenixID Signing Workflow) on backend port 8080

SMTP

Prepare SMTP integration, used to send out notifications.

Please view https://document.phenixid.net/m/101461/l/1391886-how-to-configure-signing-workflow#smtp for detailed info.

Authentication, authorization and signing methods

Authentication, authorization and signing are based on federation. Connect Signing Services and Signing Workflow to your Identity Provider.

  • Signing Workflow
  • Signing Services
    • On your IdP, prepare NameID and SAML attribute profiles to make sure the identity information that is to be added to the signatures is included (according to decisions based on the Signature certificate content, see above).

User directory lookup

Based on the requirements of Person Search -> Internal and Person Search -> External (see above), one or more user directory lookups are needed:

  • LDAP
    • Prepare LDAP host/ip, port, service account DN, service account password and search base.
  • SQL
    • Prepare the SQL JDBC URL (driver, IP, port, database name) and the userID and password used to connect to the database. Prepare the SQL statements to be executed.
  • Navet (Skatteverket)
    • Prepare keystore, keystore password, organization number and customerID.


Communication

Prepare communication access / firewall openings:

  • Web clients -> LB/Proxy 443
  • LB/Proxy -> PhenixID Signing Workflow 8080
  • LB/Proxy -> PhenixID Signing Services 8080
  • PhenixID Signing Workflow -> SMTP-host port 25 / 587 (change to whatever port you use for SMTP)
  • PhenixID Signing Workflow -> PhenixID Signing Services 7443
  • PhenixID Signing Workflow -> SQL Database server port XX (the port used for the sql connection)
  • Based on the user lookup requirements, additional communication access will be needed:
    • If LDAP: PhenixID Signing Services -> LDAP 389/636
    • If SQL: PhenixID Signing Services -> SQL XX
    • If Skatteverket (Navet): PhenixID Signing Services -> Navet endpoint 443
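A pre-flight check for the communication matrix above, written here as an added example and not a PhenixID tool: it encodes the rules per source server, including the ones that depend on the chosen user lookups, and tests TCP reachability from the server it is run on. Hostnames are constructed placeholders and the SQL port argument stands in for the "XX" in the list.

```python
import socket
# Placeholder hostnames (constructed, not from the checklist); replace with the
# customer's real names, e.g. sign.kommun.se / signera.kommun.se at the LB.
HOSTS = {
    "lb": "lb.example.invalid",
    "workflow": "signing-workflow.example.invalid",
    "services": "signing-services.example.invalid",
    "smtp": "smtp.example.invalid",
    "sql": "sql.example.invalid",
    "ldap": "ldap.example.invalid",
    "navet": "navet.example.invalid",
}

def required_rules(lookups, sql_port, smtp_port=587):
    """Firewall matrix from the checklist as (source role, target role, port).
    `lookups` is a subset of {"ldap", "sql", "navet"}; sql_port replaces the
    checklist's 'XX'; smtp_port is 25 or 587 as used by the SMTP host."""
    rules = [
        ("client", "lb", 443),
        ("lb", "workflow", 8080),
        ("lb", "services", 8080),
        ("workflow", "smtp", smtp_port),
        ("workflow", "services", 7443),
        ("workflow", "sql", sql_port),
    ]
    if "ldap" in lookups:  # 389 for plain LDAP, 636 for LDAPS
        rules += [("services", "ldap", 389), ("services", "ldap", 636)]
    if "sql" in lookups:
        rules.append(("services", "sql", sql_port))
    if "navet" in lookups:
        rules.append(("services", "navet", 443))
    return rules

def tcp_reachable(host, port, timeout=3.0):
    """True only if a full TCP handshake to host:port completes in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable or unreachable
        return False

def check_from(role, rules, hosts=HOSTS):
    """Outbound checks that apply when run on the server with `role`.
    Returns {(target role, port): reachable}; run it on every server."""
    return {(tgt, port): tcp_reachable(hosts[tgt], port)
            for src, tgt, port in rules if src == role}

if __name__ == "__main__":  # 1433 below is a placeholder for the 'XX' SQL port
    for (tgt, port), ok in check_from("workflow", required_rules({"ldap"}, 1433)).items():
        print(f"workflow -> {tgt}:{port}: {'open' if ok else 'BLOCKED'}")
```

Run it once on the Workflow server and once on the Services server (changing the role), with the real hostnames filled in; a BLOCKED line means the corresponding firewall opening is still missing.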