Configure PDF validate app, without authentication

Prerequisites

- PAS 4.1 or higher installed

- The reader of this document should have some basic knowledge about PhenixID Server.

- Changes will be made to the file phenix-store.json, so please make sure to have a backup  of this file.

- If any customization is being done, make sure to have a backup of any file being changed.

Add PhenixID Document Validation Web Application module

- Login to PhenixID Authentication Services - Configuration manager

- Click on the tab Advanced

- Click on the pen to the right of Modules

- Append these modules.
IMPORTANT: With base_url/base_uri that is different than your signing app.

{
        "name": "com.phenixidentity~phenix-prism",
        "enabled": "true",
        "config": {
            "display_name": "PhenixID Document Validation",
            "base_url": "/validate",
            "auth_redirect_url": "/validate/authenticate/NoAuth",
            "module_refs": "validateMod"
        },
        "id": "validate_1"
    },
    {
        "name": "com.phenixidentity~phenix-prism-signingclient",
        "enabled": "false",
        "config": {
            "display_name": "PhenixID Document Validation",
            "base_uri": "validate",
            "verifyPipeID": "SignAppDocVerifyPipe"
        },
        "id": "validateMod"
    }

- Click Stage Changes and Commit Changes

 

- Click on the pen to the right of NODE_GROUPS

- Add the module "validate_1" to module_refs.

- Click Stage Changes and Commit Changes

Add authenticator for PhenixID Document Validation Web Application

Since we don't want authentication on this app, we will use "PipeAuthenticator".

- Click on the pen to the right of Authentication - HTTP

- Add the authenticator according to the example below.
Make sure the successURL is /validate/.

- When done, click Stage changes and Commit changes

{
		"alias": "NoAuth",
		"name": "PipeAuthenticator",
		"configuration": {
			"successURL": "/validate/",
			"pipeID": "authPipe"
		},
		"id": "NoAuth"
	}

Add pipe for the authenticator

We need one pipe for the authenticator, as seen below.

- So, click on the pen to the right of Pipes

- Add the "authPipe" according to the example. The value set for "dest_id" will be seen in the upper right corner when going to /validate.

Please note that this might not suit your environment. Valves can be replaced, removed or added based on your needs. Please view the documentation to get a list of available valves. 

- Click Stage changes and Commit changes

{
		"id": "authPipe",
		"valves": [
			{
				"name": "ItemCreateValve",
				"enabled": "true",
				"config": {
					"dest_id": "Document"
				}
			}
		]
	},

Add pipe for verify

This pipe corresponds to the value set on the module earlier.

- Create a jks trust store file

- Add all the CAs you trust to issue certificates to sign PDFs

- Place the jks file in a folder (example: C:/Program Files/PhenixID/SigningService/custom/trustedcas.jks)

- Click on the pen to the right of Pipes

- Add the below pipe

- Click Stage changes and Commit changes

{
		"id": "SignAppDocVerifyPipe",
		"description": "Verify pdf document signature(s)",
		"valves": [
			{
				"name": "ItemCreateValve",
				"config": {
					"dest_id": "{{request.userid}}"
				}
			},
			{
				"name": "PropertyAddValve",
				"config": {
					"name": "b64",
					"value": "{{request.body}}"
				}
			},
			{
				"name": "PropertyBase64DecoderValve",
				"config": {
					"source": "b64",
					"dest": "temporary"
				}
			},
         {
				"name": "PDFSignatureStatusValve",
				"enabled": "true",
				"config": {
					"pdfSource": "{{item.b64}}",
              "trustStorePath": "C:/Program Files/PhenixID/SigningService/custom/trustedcas.jks",
			     "trustStorePassword": "secret (change this to your jks file pwd)"
				}
			}
		]
	}

Remove tab for Signing

Since we will only use this app for validation of PDF, the tab for signing should be removed.
This is done in the file tabs.hbs, in folder:
mods/com.phenixidentity~phenix-prism-signingclient<version>/templates
Please adjust it according to this example:

<div class="signingservice">
        <ul class="tabs above">
            <li>
                <a class="verify" data-event="tab-selected" data-tab="verify">
                    {{translate "signingclient.tabs.verify.title"}}
                </a>
            </li>
        </ul>
        <div class="tab-view">
            <div class="tab verify">
                {{> tabs.verify}}
            </div>
            <div class="tab hidden show">
                {{> tabs.show}}
            </div>
        </div>
    </div>

NOTE: If both Signing and Verify should be used, a separate module can be configured to only display the  Verify tab.
Where the original module will still use authentication and display both tabs.
Example on how to create a separate module reference can be found here.

Test

  1. Browse to https://<phenix_server>:<phenix_server_http_port>/validate/
  2. You should be redirected to the validation page with no authentication
  3. Upload a pdf document and click Validate
  4. Verify that the signature is valid and that document has not been changed since the signing

Troubleshooting

Check server.log file.

Customization

NOTE: Make sure to have backup of any file(s) being changed.

1. Logo is set with the file phenix.png, in folder:
mods/com.phenixidentity~phenix-prism~<version>/web/images

2. Text is set on the module, "display_name": "PDF VALIDATION"

3. Tabs are handled in the file tabs.hbs, see information in the step "Remove tab for Signing" above

4 and 5. Text is set in the respective translation file in folder:
mods/com.phenixidentity~phenix-prism-signingclient~<version>/web/locales
where 5 can be removed completely by setting an empty value