The following configurations related to Data Encryption Key (DEK) and client secret which can be configured within the Client Manager by clicking on the Advanced Settings tab.  

This service allows client applications (e.g. Ascertia SigningHub or any third party application) to use a KEK managed by ADSS Server within its HSM. Note the KEK is only used to encrypt/decrypt Data Encryption keys (DEKs). The DEKs themselves are used directly by the client application to encrypt/decrypt data e.g. SigningHub documents. The benefits of this approach are that client applications do not need to integrate directly with an HSM themselves but can rely on this key management service offered by ADSS Server

The client secret is a secret known only to the business application (e.g. ADSS Signing Service or Go>Sign Mobile SDK) and the authorization server e.g. ADSS RAS Service. The business application provides the client ID and Client secret to the authorisation server for authentication.

Clicking on the Advanced Settings link at the top of the page shows the following screen:



The configuration items are as follows:

Item

Description

Allow this client to access the DEK encryption

Checking this checkbox allows the client to access the DEK encryption/decryption service of ADSS Server.

Key Encryption Key (KEK)

Configure the relevant Key Encryption Key (KEK) which is to be accessible to this client. Note the KEKs are identified in the ADSS Server Key Manager and may have been created in software or HSM. 

Client Secret

Generate and configures the client secret for the relevant client by clicking on the generate button.

Once the secret is generated using the generate button, the operator need to copy that secret because once operator leave this page the client secret will be masked with asterisks for security reason and cannot be copied again.


Redirect URI

It is a Business Application URI where the user will be redirected by RAS Service after authenticating it using OAuth2 mechanism. 

Client Type

If the operator is using E-Passport solution, then the field Client Type will also be available on the screen. This field is used whenever a CVCA certificate is rekeyed. The drop-down field will enable the operator to select the required client type. List of client types are given as: 

  • SPOC: This client type should be selected at a CVCA instance. When this client type is selected, CVCA will send its rekeyed certificate on Redirect URI of all the SPOCs who are registered as clients at CVCA instance. This is done to ensure the distribution of rekeyed CVCA certificates to all the countries\states.   
  • Document Verifier (DV): This client type should be selected at a SPOC instance. When this client type is selected, the received rekeyed CVCA certificate is forwarded to all clients who are registered as foreign SPOCs and domestic DVCAs at SPOC instance.
  • Inspection System: This client type should be selected at DVCA instance. When this client type is selected, the received rekeyed CVCA certificate is forwarded to all the clients who are registered as Inspection Systems (IS) at DVCA instance.


See also

Signing Service

Verification Service
Certification Service
XKMS Service
LTANS Service
Decryption Service
Go-Sign Service
RA Service
RAS Service
SAM Service
CSP Service

HMAC Service
SPOC Service
NPKD Service
Advanced Settings