Advanced Settings
The following Advanced Settings screen is shown within the signing profile configurations, each option is discussed in the table below:
The configuration items are as follows:
| Steps | Description |
| Signature Dictionary Size | The signature dictionary size is the allocated signature dictionary that is used to embed signature in the PDF document. Default size is 40 KB, however, user can change it accordingly based on the signature size. |
| Allow document conversion |
By enabling this checkbox in a PDF Signing profile, non-PDF documents are first converted into PDF and then signed, possible supported PDF-A formats are:
Note: You must enable the Font settings on Signature Settings tab |
| Key Usage | By enabling this checkbox, it is possible to check that the signing certificate’s Key Usage extension contains digital signature and/or non-repudiation in order to be accepted under this signing profile. If the certificate’s Key Usage extension does not match this setting it will not be allowed to be used for signing purposes in this profile. |
| Basic Constraints extension | Enable this checkbox to place a further restriction that the document signing certificate must be an end-entity certificate rather than a CA certificate. |
| Authorisation Profile |
Authorisation profiles are used to specify the list of authorisers (i.e. registered end-users) who can provide authorisation to sign one or more documents using a specific document signing key held within the ADSS Server database or HSM.
Authorised signing is especially effective when used to protect or provide lawful act when signing with a high trust qualified certificate or Adobe rooted certificate held within an HSM connected to ADSS Server. This also provides strong internal audit evidence of sign-off and approval for signing of important documents and assures the documents have not changed from the first to the last authorising signature.
For the details on how to configure an Authorisation Profile, see the section Global Settings > Authorisation Profiles.
Note: Authorisation signing requests are only supported using web-services and DSS protocols; it is not supported when using HTTP mode.
|
| PDF Protection Options | Use these Permission settings in order to increase the flexibility of your document security. By customizing the permission settings, you can enable or disable users from performing certains actions (such as printing, editing the document, or copying text). |
| Use a permissions pass phrase |
Enable this option to set the document level permissions on PDF files as defined in ISO 32000 specification.
Note: These permission settings are not supported for PAdES-LTV signatures. |
| Permissions Passphrase | Type a passphrase that will be set on the PDF document to change the permissions of this document. |
| Allow printing | The user is permitted to print the document. |
| Allow content to be modified | The user is permitted to modify the contents e.g. to change the content of a page, or insert or remove a page. |
| Allow copying and extraction of content |
The user is permitted to insert, remove, and rotate pages and add bookmarks.
Note: The content of a page can’t be changed unless the permission Allow content to be modified is granted too. |
| Allow document assembly | The user is permitted to copy or otherwise extract text and graphics from the document, including using assistive technologies i.e. screen readers or other accessibility devices. |
| Enable text access for the visually impaired | The user is permitted to extract text and graphics for use by accessibility devices. |
| Only allow filling of form fields | The user is permitted to fill form fields (for 128-bit encryption only). |
| Allow commenting | The user is permitted to add or modify text annotations and interactive form fields. |
| Check signer certificate revocation before signing |
Select this option if you wish to check the revocation of signer certificate (up to registered CA) before signing.
Note: This option will only be configurable if any of the following signature type is selected on the Signature Settings page.
While for other advanced signature types this option will be enabled and grayed out by default.
|
| Compute Hash at Signing Time |
If this option is selected then Signing Service computes the hash of the given data during signing operation. If this option is disabled then Signing Service only signs the given hash value. |
| Hashing Algorithm |
The selected hashing algorithm is used within the signature generation process to compute the hash of the given data. These algorithms are supported:
|
| Enable Remote Signing | This section defines the configuration required for requests forwarding to another ADSS Signing Server or ADSS RAS Service. |
| Forward signing request to ADSS RAS/Signing Service |
Enable this will make this ADSS Server to act as a proxy server. This proxy ADSS Server will locally hold the document and will only send the signatures structure to the eSeals creation system (i.e. ADSS Signing Server) for signing or it can be use to support Authorize remote signing via ADSS RAS service. Communication for both interfaces will either be:
Note: The whole signing process works in synchronous mode in case if ADSS Server act as a proxy server and in case of communicating with RAS service remote signing will be done in asynchronous mode.
|
| Remote Service Address | Use this field to add eSeals creation system (i.e. ADSS Signing Server) or RAS service address(es). |
| List of Remote Service Addresses | This field shows the available eSeals creation system (i.e. ADSS Signing Server) address(es) that can be used to create the end user signatures or RAS service address(es) use for remote authorise signing. Multiple service addresses can be added to handle the Primary and Secondary service addresses as a fallback mechanism. |
| Profile ID | Specify the Signing profile of the eSeals creation system (i.e. ADSS Signing Server) to be used for creating end user signatures or RAS profile to be used for remote authorise signing. |
| Client ID |
Specify the name of Client ID that is registered in the eSeals creation system (i.e. ADSS Signing Server) or RAS service.
Note: Client ID is optional when 'Forward signing request to a remote ADSS Signing Service' option is selected in Remote Signing Settings.
|
| Client Secret |
Provide the Client Secret generated against above configured Client when it was registered.
Note: Don’t share the Client Secret with anyone. Once the client secret is configured then operator cannot see it because once operator leave this page the client secret will be masked with asterisks for security reason and cannot be seen again.
|
| Use TLS Client Authentication |
After enabling ADSS Server is required to communicate with the eSeals creation system or RAS Service over TLS Client Authentication, then Select the TLS Client Certificate which pre-exists in the Key Manager.
Note: It is required to register the Issuer CA of the Client TLS certificate in Trust Manager with the CA for verifying TLS client certificates purpose.
|
If E-Passport LDS will be selected as Signature Type on General tab, the Advanced Settings tab will display the following options only:
The configuration items are as follows:
| Steps | Description |
| Revocation Settings | In this section, the operator can select if the revocation of the Document Signer certificate needs to be checked before signing the LDS by marking the 'Check signer certificate revocation before signing' checkbox. |
| LDS Signing Settings |
This section explains the following: |
| Hashing Algorithm |
The selected hashing algorithm is used within the signature generation process to compute the hash of the given data. These algorithms are supported:
|
| Document Security Object Version | This field shows the version of LDS security object. Current supported versions are v0 and v1. |
| Add Document Signer certificate to signature |
This field will only be displayed if v0 is selected in the above drop-down. The inclusion of Document Signer certificate in the CMS is optional in v0 and mandatory in v1. Hence in case of v0, the option to add Document Signer certificate or not will be provided to operator.
|
| Overridable | This checkbox will be used to override the profile settings related to this option. If this option is enabled, then the server will use the direction provided by client applications in request whether to add the certificate or not. |
| Remote Signing Settings | This section explains the following: |
| Enable Remote Signing |
This checkbox enables the operator to define the configuration required for requests forwarding to another ADSS Signing Server.
|
| Forward signing request to ADSS Signing Service |
Enabling this will make this ADSS Server to act as a proxy server. This proxy ADSS Server will locally hold the data and will only send the hash of data to a backend Signing Service for signing. Communication for both interfaces will either be:
|
| Service Address | Use this field to add backend Signing Service address(es). |
| List of Service Addresses | This field shows the list of all the addresses added by the operator. Multiple service addresses can be added to handle the Primary and Secondary service addresses as a fallback mechanism. |
| Signing Profile | Specify the Signing profile of the backend ADSS Signing Server to be used for creating the signatures. |
| Client ID |
Specify the name of Client ID that is registered in the backend ADSS Signing Server.
|
| Use TLS Client Authentication |
If it is required to communicate with backend ADSS Signing Server over TLS Client Authentication, then Select the TLS Client Certificate which pre-exists in the Key Manager.
Note: It is required to register the Issuer CA of the Client TLS certificate in Trust Manager with the CA for verifying TLS client certificates purpose.
|
See also