The ADSS Server Signature Activation Module (SAM) Service has been carefully designed to provide high-trust Qualified Remote Signature services.  It meets the requirements defined in the ETSI EN 419 241-1 standard and ETSI EN 419 241-2 Protection Profile and thus, ensures that an end-user's private signing key and Qualified Certificate can only be used under the sole control of the Signer, and only used for the intended purpose.  Level 2 sole control is supported as a standard feature, interacting with the user's Go>Sign Mobile App on their smartphone. It is possible to allow Level 1 sole control so that the same high-trust SAM Service environment can be used for non-qualified certificates.It is possible to allow Level 1 sole control so that the same high-trust SAM Service environment can be used for non-qualified certificates.  

ADSS SAM Service offers a REST API over TLS v1.2 and TLS v1.3 that is called by the ADSS RAS Service. Read the ADSS RAS Service description to further understand the authorisation process.

ADSS SAM Service manages registered users and their unique signing keys.   In addition, it manages the connection to the hardware security modules and manages key backup and restore.

In Qualified mode this must be an EN 419 221-5 certified HSM. The following HSMs are currently being supported: 

  • Utimaco CryptoServer CP5 (PCIe HSM held in the ADSS SAM appliance) 
  • Thales Luna K7 Cryptographic Module.
  • nCipher nShield Solo XC Cryptographic Module.

In non-qualified mode a range of other HSMs are supported:

  • Utimaco CP5 network connected HSMs - uses all the same functionality except this architecture is not covered by the formal CC EAL 4+ Target of Evaluation
  • Utimaco CP5 emulator software - useful for test and development systems.
  • All other supported PKCS#11 HSMs and HSM Services, e.g Azure Key Vault - useful to provide Level 2 sole control for centrally held user (e.g. AATL) signing keys and certificates.


The following image shows ADSS SAM Service sub-modules, details of which are given in the next sections:




See also

ADSS Server Knowledge Base

Welcome
Getting Started
Concepts & Architecture
ADSS RA Service
ADSS Certification Service
ADSS Signing Service
ADSS Go>Sign Service
ADSS RAS Service
ADSS CSP Service
ADSS TSA Service
ADSS Verification Service
ADSS OCSP Monitor
ADSS OCSP Service
ADSS SCVP Service
ADSS XKMS Service
ADSS LTANS Service
ADSS HMAC Service
ADSS Decryption Service
ADSS OCSP Repeater Service
ADSS NPKD Service
ADSS SPOC Service
Manage CAs
Key Manager
Trust Manager
ADSS CRL Monitor
Global Settings
Access Control
Client Manager
System Log Viewer
Server Manager
Approval Manager
Operational Management
Advanced Configuration