
Step 2 - Configuring SAM Profile

To make it easier for business applications to request management of users, keys and devices along with signing operations, the ADSS SAM Service uses SAM Profiles. A SAM profile defines the format and characteristics of the keys (e.g. which public key algorithm and key length to use) and the characteristics of user devices (e.g. which public key algorithm and key length to use, and whether the device has biometric support). These settings apply whenever the profile is referenced in a user key generation, device registration or signing request from a client application.

To create or edit a SAM Profile click on SAM Profiles and the following screen is shown:

A new profile can be created by clicking the New button. An existing profile can be edited by clicking the Edit button. To create a new profile by copying a large part of an existing profile, click Make a Copy. The following screen is shown:

The configuration items are as follows:

Item Description
Status
A SAM profile may be marked Active or Inactive.

Note: An inactive profile will not be used to process requests generated by client applications.
Profile ID
A mandatory field which provides a system-defined unique identifier for this profile.
Profile Name
A mandatory unique name defined by the ADSS Server Administrator for easier recognition of the profile within the ADSS Operator Console.
Profile Description
This can be used to describe the profile in more detail (e.g. in which circumstances this SAM profile will be used). This is for information purposes only.
User Signature Key Pair Settings
This section defines the configurations that control User key pair generation and the signature generation mechanism.
Crypto Profile
Select whether to generate and store the user key/certificate within the ADSS Server database (software mode), in Azure Key Vault, or on a hardware security module (HSM) pre-configured within ADSS Server Key Manager.

When a configured hardware crypto profile is marked Not Available in the ADSS Server Key Manager (i.e. the record is shown with orange highlighting), the relevant crypto profile will not be available for configuration here.
Key Algorithm
Defines the key algorithm to be used for generating User Key Pairs. These algorithms are supported:
  • RSA
  • ECDSA
Note: The default value is RSA.
Key Length
Defines the key length to be used for generating User Key Pairs. These key lengths are supported:  
  • 2048, 3072, 4096 and 8192 bit keys are supported for RSA
  • 224, 256, 384 and 521 bit keys are supported for ECDSA
Note: The default value is 2048 for RSA and 256 for ECDSA.
KAK Algorithm
Defines the key length to be used for generating User Key Authorisation Key (KAK) Pair. These key lengths (bits) are supported:  
  • 2048 
  • 3072
  • 4096
  • 8192  
Note: The default value is 2048.
KAK Length
Defines the key length to be used for generating User Key Authorisation Key (KAK) Pair. These key lengths (bits) are supported:
  • 2048 
  • 3072
  • 4096
  • 8192 
Note: The default value is 2048.
Padding Scheme
Defines which signature padding scheme is used when generating the user's signature.
These padding schemes are supported:
  • PKCS1 (PKCS#1 v1.5)
  • PSS (PKCS#1 v2.1)
Note: The default value is PKCS1.
Compute hash at signing time
Enable this option if the Business Application is sending the data for signing instead of a hash. In this case, the SAM Service will compute the hash using the algorithm selected in the Hash Algorithm drop-down.
Keep this option unchecked if the Business Application is sending the hash instead of the data. In this case, the SAM Service does not need to compute any hash.

Note: By default, input data is not hashed and this option is unchecked. 

Hashing Algorithm
Sets the hash algorithm to use if the input data is to be hashed. These algorithms are supported: 
  • SHA224 
  • SHA256
  • SHA384
  • SHA512
Note: The default value is SHA256.
Enable bulk signing
If selected then bulk signing is allowed. The input data may contain one or more hash values up to the limit specified below.

Note: The default is not to allow bulk signing. Set value 0 for unlimited.
Number of hashes allowed to sign 
Define the maximum number of hash values allowed in a single input data message. This option is only available if bulk signing is enabled. 

Note: The default value is 0 and this allows an unlimited number of hash values.
User Authorisation Key Pair Settings
This section defines the configurations that control authorisation key pair generation and authorisation mechanism.
Key Algorithm
Defines the key algorithm to be used for generating authorisation Key Pairs. These algorithms are supported:
  • RSA
  • ECDSA
Note: The default value is ECDSA.
Key Length
Defines the key length to be used for generating authorisation Key Pairs. These key lengths are supported:  
  • 2048, 3072, 4096 and 8192 bit keys are supported for RSA
  • 224, 256, 384 and 521 bit keys are supported for ECDSA
Note: The default value is 256 for ECDSA and 2048 for RSA.
Hashing Algorithm
Defines the hash algorithm to be used for signing the Authorisation Request Message on the User Device. These algorithms are supported:
  • SHA224 
  • SHA256
  • SHA384
  • SHA512
Note: The default value is SHA256.
Device must have biometric recognition capability
Sets the requirement that the user must use biometric authentication on their User Device to sign an Authorisation Request Message.

Note: The default option is to not require this.
Device must have secure element
Sets the requirement that the user must have a Secure Element/Enclave on their User Device, which will be used to generate the authorisation key pair and to sign Authorisation Request Messages.

Note: The default option is to not require this.
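
The settings in the table above can be reviewed programmatically. The following Python code is an added example, not ADSS code or an ADSS API: it estimates the security strength of the signing and authorisation settings using the NIST SP 800-57 comparable-strength steps and notes the permissive options. The dictionary keys and the DEFAULTS sample are hypothetical names constructed for this example, filled with the default values documented above.

```python
# Added example: field names are hypothetical, not ADSS identifiers.
EC_STRENGTH = {224: 112, 256: 128, 384: 192, 521: 256}
# Collision resistance of each supported hash, in bits.
HASH_STRENGTH = {"SHA224": 112, "SHA256": 128, "SHA384": 192, "SHA512": 256}

def key_strength(alg, bits):
    """Security strength in bits, using NIST SP 800-57 comparable strengths."""
    if alg == "ECDSA" and bits in EC_STRENGTH:
        return EC_STRENGTH[bits]
    if alg == "RSA":
        # RSA strength steps at 2048, 3072, 7680 and 15360 bits; round down.
        for floor, strength in ((15360, 256), (7680, 192), (3072, 128), (2048, 112)):
            if bits >= floor:
                return strength
    raise ValueError(f"unsupported key setting: {alg} {bits}")

def review_profile(p):
    """Return (signing_strength, authorisation_strength, notes) for a profile."""
    notes = []
    sign = key_strength(p["key_alg"], p["key_len"])
    if p["compute_hash"]:
        # SAM hashes the data, so the profile's hash bounds the signature.
        sign = min(sign, HASH_STRENGTH[p["hash_alg"]])
    else:
        # Upper bound only: the hash arrives precomputed from the caller.
        notes.append("hash computed by business application; "
                     "profile Hashing Algorithm not applied")
    auth = min(key_strength(p["auth_key_alg"], p["auth_key_len"]),
               HASH_STRENGTH[p["auth_hash_alg"]])
    if p["bulk_signing"] and p["max_hashes"] == 0:
        notes.append("bulk signing with limit 0: unlimited hashes per request")
    if not p["require_biometric"]:
        notes.append("biometric recognition not required on the device")
    if not p["require_secure_element"]:
        notes.append("secure element not required on the device")
    return sign, auth, notes

# Constructed sample: a profile left at the default values documented above.
DEFAULTS = {
    "key_alg": "RSA", "key_len": 2048, "compute_hash": False,
    "hash_alg": "SHA256", "bulk_signing": False, "max_hashes": 0,
    "auth_key_alg": "ECDSA", "auth_key_len": 256, "auth_hash_alg": "SHA256",
    "require_biometric": False, "require_secure_element": False,
}

if __name__ == "__main__":
    print(review_profile(DEFAULTS))
```

With the documented defaults, the signing strength is capped at 112 bits by the RSA 2048 key, while the authorisation settings reach 128 bits.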

The table of SAM profiles can be sorted in either Ascending or Descending order by selecting a table column from the drop down list. The list can be sorted by SAM Profile ID, SAM Profile Name, Created At time or Status.

Clicking the Search button on the SAM Profiles main page displays the following screen:


This helps to locate a particular SAM profile that may have been configured in the ADSS SAM Service. SAM profiles can be searched based on Status, SAM Profile ID, SAM Profile Name, Key Algorithm, Key Length and Crypto Profile. If a search is based on multiple values, these are combined using the "AND" operator, so only records that meet all the criteria are presented.


If the "_" character is used in the search, it acts as a wildcard.


The duplicate profile is created without the Name and Description of the selected profile. The Unique ID is generated automatically, or the next available ID is assigned to the profile.
