The following Advanced Settings screen is shown within the signing profile configuration; each option is described in the table below:

The configuration items are as follows:

Items

Description

Signature Dictionary Size

The signature dictionary size is the space reserved in the PDF document for embedding the signature. The default size is 40 KB; the user can change it according to the expected signature size (a signature that carries a full certificate chain, a timestamp token or revocation data needs more space than a bare signature).

Allow document conversion

By enabling this checkbox in a PDF Signing profile, non-PDF documents are first converted into PDF and then signed. The supported PDF/A conformance levels are:

  • 1a
  • 1b
  • 2a
  • 2b
  • 3b

Note: You must enable the Font settings on the Signature Settings tab.

Key Usage

By enabling this checkbox, the signing certificate's Key Usage extension is checked for the digital signature and/or non-repudiation bits before the certificate is accepted under this signing profile. If the certificate's Key Usage extension does not match this setting, the certificate is not allowed to be used for signing in this profile.

Basic Constraints extension

Enable this checkbox to place a further restriction that the document signing certificate must be an end-entity certificate rather than a CA certificate.
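The two checks above can be stated precisely in terms of RFC 5280: Key Usage is a BIT STRING in which bit 0 is digitalSignature and bit 1 is nonRepudiation, and Basic Constraints is a SEQUENCE whose cA BOOLEAN defaults to FALSE when absent. The following is an added example, not ADSS Server code: it decodes constructed DER extension values (the inner value, after the extnValue OCTET STRING has been unwrapped) and applies the profile policy. The function and constant names are this example's own.

```python
# Added example (not ADSS Server code): the policy behind the "Key Usage" and
# "Basic Constraints extension" options, applied to constructed DER extension values.
# Bit numbering follows RFC 5280 KeyUsage: digitalSignature(0), nonRepudiation(1),
# keyEncipherment(2), ... where bit 0 is the most significant bit of the first byte.

DIGITAL_SIGNATURE = 0
NON_REPUDIATION = 1   # also called contentCommitment


def _read_tlv(buf, offset=0):
    """Read one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = buf[offset]
    length = buf[offset + 1]
    pos = offset + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def key_usage_bits(der):
    """Decode a DER KeyUsage BIT STRING into the set of asserted bit numbers."""
    tag, value, _ = _read_tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused = value[0]                       # number of unused trailing bits
    total = (len(value) - 1) * 8 - unused
    return {i for i in range(total) if value[1 + i // 8] & (0x80 >> (i % 8))}


def basic_constraints_is_ca(der):
    """Decode a DER BasicConstraints SEQUENCE; cA defaults to FALSE when absent."""
    tag, value, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    if value and value[0] == 0x01:          # optional BOOLEAN cA is present
        _, flag, _ = _read_tlv(value)
        return flag != b"\x00"
    return False


def acceptable_for_signing(key_usage_der, basic_constraints_der,
                           require_key_usage=True, require_end_entity=True):
    """Apply the profile checks; return (accepted, list_of_reasons_for_rejection)."""
    reasons = []
    if require_key_usage:
        bits = key_usage_bits(key_usage_der)
        if not ({DIGITAL_SIGNATURE, NON_REPUDIATION} & bits):
            reasons.append("Key Usage lacks digitalSignature/nonRepudiation")
    if require_end_entity and basic_constraints_is_ca(basic_constraints_der):
        reasons.append("certificate is a CA certificate, not an end-entity certificate")
    return (not reasons, reasons)


# Constructed sample extension values (DER), not taken from any real certificate:
KU_DIGSIG_NONREP = bytes.fromhex("030206c0")   # digitalSignature + nonRepudiation
KU_KEYENC_ONLY = bytes.fromhex("03020520")     # keyEncipherment only
BC_END_ENTITY = bytes.fromhex("3000")          # SEQUENCE {}  -> cA FALSE
BC_CA = bytes.fromhex("30030101ff")            # SEQUENCE { cA TRUE }

if __name__ == "__main__":
    print(acceptable_for_signing(KU_DIGSIG_NONREP, BC_END_ENTITY))   # accepted
    print(acceptable_for_signing(KU_KEYENC_ONLY, BC_END_ENTITY))     # rejected: key usage
    print(acceptable_for_signing(KU_DIGSIG_NONREP, BC_CA))           # rejected: CA cert
```

A certificate that carries only keyEncipherment, or one that is a CA, is rejected; both checks are independent, mirroring the two separate checkboxes.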

Authorisation Profile

Authorisation profiles are used to specify the list of authorisers (i.e. registered end-users) who can provide authorisation to sign one or more documents using a specific document signing key held within the ADSS Server database or HSM. 

Authorised signing is especially effective when used to protect, or to provide evidence of a lawful act for, signing with a high-trust qualified certificate or an Adobe-rooted certificate held within an HSM connected to ADSS Server. It also provides strong internal audit evidence of sign-off and approval for the signing of important documents, and assures that the documents have not changed between the first and the last authorising signature.

For details on how to configure an Authorisation Profile, see the section Global Settings > Authorisation Profiles.

Note: Authorisation signing requests are only supported using the web-services and DSS protocols; they are not supported in HTTP mode.

PDF Protection Options

Use these permission settings to increase the flexibility of your document security. By customising the permission settings you can allow or prevent users from performing certain actions (such as printing, editing the document, or copying text).

Lock the Document After Signing

This checkbox enables the user to lock the PDF document after the final signature, preventing any further changes such as digital signing, form-filling, or annotations.

Note: This option is not available for PAdES-B-LT, PAdES-B-LTA and PAdES-E-LTV signature types.

Use a permissions pass phrase

Enable this option to set document-level permissions on PDF files as defined in the ISO 32000 specification.

Note: These permission settings are not supported for PAdES-LTV signatures.

Permissions Passphrase

Type the passphrase that will be set on the PDF document as its permissions (owner) password; it is required in order to change the permissions of the document.

Allow printing

The user is permitted to print the document.

Allow content to be modified

The user is permitted to modify the contents, e.g. to change the content of a page, or to insert or remove a page.

Allow copying and extraction of content

The user is permitted to copy or otherwise extract text and graphics from the document, including by using assistive technologies, i.e. screen readers or other accessibility devices.

Allow document assembly

The user is permitted to insert, remove, and rotate pages and to add bookmarks.

Note: The content of a page can't be changed unless the permission Allow content to be modified is granted too.

Enable text access for the visually impaired

The user is permitted to extract text and graphics for use by accessibility devices.

Only allow filling of form fields

The user is permitted to fill form fields (available with 128-bit encryption only).

Allow commenting

The user is permitted to add or modify text annotations and interactive form fields.
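The checkboxes above correspond to individual bits of the /P entry in the PDF's /Encrypt dictionary, as defined for the standard security handler in ISO 32000-1 (Table 22). The following is an added example, not ADSS Server code, that builds the /P value from the granted set and decodes a /P value read back from a signed PDF, which is the quickest way to verify that a profile applied the permissions you intended. The mapping of "Allow printing" to both the print bit and the high-quality-print bit is this example's assumption; the page does not say which quality it grants.

```python
# Added example (not ADSS Server code): mapping the PDF Protection checkboxes to the
# /P permissions value of ISO 32000-1 (Table 22, standard security handler).
# Bit positions are 1-based as in the specification; bit n has value 1 << (n - 1).

PERMISSION_BITS = {
    "print": 3,                 # Allow printing
    "modify": 4,                # Allow content to be modified
    "copy": 5,                  # Allow copying and extraction of content
    "annotate": 6,              # Allow commenting (text annotations, form fields)
    "fill_forms": 9,            # Only allow filling of form fields (revision 3+, 128-bit)
    "accessibility": 10,        # Enable text access for the visually impaired
    "assemble": 11,             # Allow document assembly
    "print_high_quality": 12,   # high-quality printing (assumed part of "Allow printing")
}

# ISO 32000-1: bits 1-2 must be 0, bits 7-8 must be 1, bits 13-32 must be 1.
_RESERVED = sum(1 << (b - 1) for b in (7, 8)) | sum(1 << (b - 1) for b in range(13, 33))


def _to_signed32(value):
    """/P is written as a signed 32-bit integer, so 0xFFFFF0C0 appears as -3904."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def encode_permissions(granted):
    """Build the /P value from a set of granted permission names."""
    unknown = set(granted) - set(PERMISSION_BITS)
    if unknown:
        raise ValueError(f"unknown permission(s): {sorted(unknown)}")
    bits = _RESERVED
    for name in granted:
        bits |= 1 << (PERMISSION_BITS[name] - 1)
    return _to_signed32(bits)


def decode_permissions(p_value):
    """Return the set of permission names granted by a /P value read from a PDF."""
    bits = p_value & 0xFFFFFFFF
    return {name for name, bit in PERMISSION_BITS.items() if bits & (1 << (bit - 1))}


def profile_permissions(allow_printing=False, allow_modify=False, allow_copy=False,
                        allow_assembly=False, accessibility=False,
                        fill_forms_only=False, allow_commenting=False):
    """Translate the profile's checkboxes into a /P value."""
    granted = set()
    if allow_printing:
        granted |= {"print", "print_high_quality"}   # assumption: both print bits
    if allow_modify:
        granted.add("modify")
    if allow_copy:
        granted.add("copy")
    if allow_assembly:
        granted.add("assemble")
    if accessibility:
        granted.add("accessibility")
    if fill_forms_only:
        granted.add("fill_forms")
    if allow_commenting:
        granted.add("annotate")
    return encode_permissions(granted)


if __name__ == "__main__":
    print(profile_permissions())                      # nothing granted: -3904
    print(profile_permissions(allow_printing=True))   # print only: -1852
    print(decode_permissions(-4))                     # every permission granted
```

The well-known values -3904 (no permissions) and -4 (all permissions) fall out of the reserved bits, which is a useful sanity check when inspecting a document's /Encrypt dictionary. Note that these bits are enforced by the viewer, not by cryptography: anyone holding the permissions passphrase can clear them.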

Check signer certificate revocation before signing

Select this option if you wish to check the revocation status of the signer certificate (up to the registered CA) before signing.

Note: This option is only configurable if one of the following signature types is selected on the Signature Settings page:

  • AdES BES
  • AdES T
  • Standard PDF Signature
  • PDF signature with embedded timestamp

For the other, more advanced signature types this option is enabled and greyed out by default.

Compute Hash at Signing Time

If this option is selected, the Signing Service computes the hash of the supplied data during the signing operation. If it is disabled, the Signing Service signs the hash value supplied by the client as it is; in that mode the service never sees the content being signed, so the client is responsible for what the hash represents.

Hashing Algorithm

The selected hashing algorithm is used within the signature generation process to compute the hash of the given data. These algorithms are supported: 

  • SHA1
  • SHA2 (SHA224, SHA256, SHA384, SHA512)
  • SHA3 (SHA224, SHA256, SHA384, SHA512)

Enable Remote Signing

This section defines the configuration required for forwarding requests to another ADSS Signing Server or to an ADSS RAS Service.

Note: If a RAS Service is configured here and the Signing Service is operating in load-balanced mode, the load balancers must use sticky sessions so that pending requests can be tracked.

Forward signing request to ADSS RAS/Signing Service

Enabling this makes this ADSS Server act as a proxy server. The proxy ADSS Server holds the document locally and sends only the signature structure to the eSeals creation system (i.e. the ADSS Signing Server) for signing; alternatively it can be used to support authorised remote signing via the ADSS RAS Service. Communication for both interfaces is one of:

  • Plain HTTP
  • TLS Server Authentication
  • TLS Client Authentication

Note: When ADSS Server acts as a proxy server the whole signing process works in synchronous mode; when communicating with the RAS Service, remote signing is performed in asynchronous mode.
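The "Compute Hash at Signing Time" and "Hashing Algorithm" options above decide what the signing key actually operates on, and the proxy mode forwards only that structure to the back-end (the E-Passport section of this page describes the forwarded structure as the hash of the data). The following is an added example, not ADSS Server code, that puts the two hash modes and the proxy/back-end split side by side. The algorithm-name mapping, the function names and the HMAC used as a stand-in for the HSM signing operation are this example's assumptions.

```python
# Added example (not ADSS Server code): the two modes of "Compute Hash at Signing
# Time" with the profile's algorithm list, and the proxy split of "Forward signing
# request". Signing is an HMAC stand-in (constructed key) for the real HSM operation.
import hashlib
import hmac

# Profile algorithm names mapped to hashlib constructors (assumed naming).
SUPPORTED = {
    "SHA1": "sha1",
    "SHA2-224": "sha224", "SHA2-256": "sha256", "SHA2-384": "sha384", "SHA2-512": "sha512",
    "SHA3-224": "sha3_224", "SHA3-256": "sha3_256", "SHA3-384": "sha3_384", "SHA3-512": "sha3_512",
}


def digest_for_signing(algorithm, data=None, supplied_hash=None, compute_hash=True):
    """Return the digest the signing key will operate on.

    compute_hash=True : hash `data` server-side (the service sees the content).
    compute_hash=False: accept `supplied_hash` as-is; the only check possible is
                        that its length matches the configured algorithm.
    """
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported hashing algorithm: {algorithm}")
    h = hashlib.new(SUPPORTED[algorithm])
    if compute_hash:
        if data is None:
            raise ValueError("data is required when the service computes the hash")
        h.update(data)
        return h.digest()
    if supplied_hash is None or len(supplied_hash) != h.digest_size:
        raise ValueError(f"{algorithm} hash must be {h.digest_size} bytes")
    return supplied_hash


SIGNING_KEY = b"constructed-demo-key"   # stand-in for the HSM-held signing key


def backend_sign(digest):
    """Back-end Signing Service: signs only the digest it receives (HMAC stand-in)."""
    return hmac.new(SIGNING_KEY, digest, "sha256").digest()


def proxy_sign(document, algorithm="SHA2-256"):
    """Proxy ADSS Server: keeps the document locally and forwards only the digest.

    Returns (forwarded_bytes, signature) so the caller can see that the document
    itself never crosses to the back-end.
    """
    forwarded = digest_for_signing(algorithm, data=document)
    return forwarded, backend_sign(forwarded)


def verify(document, algorithm, signature):
    """Recompute the digest and signature locally; compare in constant time."""
    expected = backend_sign(digest_for_signing(algorithm, data=document))
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    doc = b"constructed sample document"
    forwarded, sig = proxy_sign(doc, "SHA3-256")
    print(len(forwarded), verify(doc, "SHA3-256", sig))   # 32 True
```

In hash-only mode the length check is the whole of what the service can validate; a digest of the wrong size for the selected algorithm is rejected before it reaches the key, but a correctly sized digest of unknown origin is signed as presented.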

Remote Service Address

Use this field to add the address(es) of the eSeals creation system (i.e. ADSS Signing Server) or of the RAS Service.

List of Remote Service Addresses

This field shows the available eSeals creation system (i.e. ADSS Signing Server) address(es) that can be used to create the end-user signatures, or the RAS Service address(es) used for remote authorised signing. Multiple service addresses can be added so that primary and secondary service addresses act as a fallback mechanism.

Profile ID

Specify the signing profile of the eSeals creation system (i.e. ADSS Signing Server) to be used for creating end-user signatures, or the RAS profile to be used for remote authorised signing.

Client ID

Specify the name of Client ID that is registered in the eSeals creation system (i.e. ADSS Signing Server) or RAS service.

Note: Client ID is optional when 'Forward signing request to a remote ADSS Signing Service' option is selected in Remote Signing Settings.

Client Secret

Provide the Client Secret that was generated for the Client ID configured above when it was registered.

Note: Do not share the Client Secret with anyone. Once the client secret is configured, the operator cannot view it again: after the operator leaves this page the secret is masked with asterisks for security reasons.

OAuth2 Service Authorization

This drop-down allows the operator to select which OAuth2 authentication mechanism is executed, i.e. either the Client Credentials flow or the Authorisation Code flow, in order to obtain the required service authorisation.

Note: These settings will only be applicable if OAuth2 authentication is selected in RAS profile.

Use TLS Client Authentication

If ADSS Server is required to communicate with the eSeals creation system or the RAS Service using TLS client authentication, enable this option and select the TLS client certificate that already exists in the Key Manager.

Note: The issuer CA of the client TLS certificate must be registered in Trust Manager with the purpose "CA for verifying TLS client certificates".

Response URI

The Response URI field defines the response URI of the Business Application, which receives the request ID processed by the ADSS Signing Service so that the business application can track the signing request on its end.

Return signature in response URI

If this checkbox is enabled, the signature is returned in the response URI in addition to the request ID.

Require authentication (Response URI)

If this checkbox is enabled, the Signing Service obtains an access token from the business application by following the client credentials flow.

Authentication URL

This is the URL at which the client application communicates with the ADSS RAS Service.

Client ID

Specify the name of the Client ID that is registered in the ADSS RAS Service.

Client Secret

Provide the Client Secret that was generated for the Client ID configured above when it was registered.

Note: Do not share the Client Secret with anyone. Once the client secret is configured, the operator cannot view it again: after the operator leaves this page the secret is masked with asterisks for security reasons.

Enable eSeals Authorisation

If this checkbox is enabled, the operator can generate eSeals via the ADSS RAS/SAM Service.

Note: This is a licence-based field; it is only shown on the screen if eSeals is enabled in the licence.

User ID

Specify the User ID registered in ADSS SAM Service.

Note: This field can be overridden; preference is given to the parameters received in the request.

Key Alias

Specify the Key Alias registered in ADSS SAM Service.

Note: This field can be overridden; preference is given to the parameters received in the request.

Retry Authorisation

If the authorisation fails for any reason, this field allows the operator to set the interval after which the authorisation request is sent again. Default value: 120 seconds.

Number of retries

This field allows the operator to define the total number of retries that will take place in case of authorisation failure. Default value: 5.

SAD expiry alert (days)

This field allows the operator to define how many days before the SAD expires an alert is sent to the operator notifying them of the upcoming expiry.

Send reminder

This field allows the operator to define the number of days after which a reminder alert is sent to the operator, repeated until the SAD expires.

Send alert (time)

This field allows the operator to set the specific time of day at which the reminder alert is sent.



E-Passport LDS

If E-Passport LDS is selected as the Signature Type on the General tab, the Advanced Settings tab displays only the following options:



The configuration items are as follows:

Items

Description

Revocation Settings

In this section the operator can choose whether the revocation status of the Document Signer certificate is checked before signing the LDS, by marking the 'Check signer certificate revocation before signing' checkbox.

LDS Signing Settings

This section explains the following: 

Hashing Algorithm

The selected hashing algorithm is used within the signature generation process to compute the hash of the given data. These algorithms are supported: 

  • SHA1
  • SHA2 (SHA224, SHA256, SHA384, SHA512)
  • SHA3 (SHA224, SHA256, SHA384, SHA512)

Document Security Object Version

This field shows the version of LDS security object. Current supported versions are v0 and v1.

Add Document Signer certificate to signature

This field is only displayed if v0 is selected in the drop-down above. Inclusion of the Document Signer certificate in the CMS structure is optional in v0 and mandatory in v1; hence for v0 the operator is given the choice of whether or not to add the Document Signer certificate.

Overridable

This checkbox allows client applications to override the profile setting for this option. If it is enabled, the server follows the direction given in the request as to whether or not to add the certificate.

Remote Signing Settings

This section explains the following:

Enable Remote Signing

This checkbox lets the operator define the configuration required for forwarding requests to another ADSS Signing Server.

Forward signing request to ADSS Signing Service

Enabling this makes this ADSS Server act as a proxy server. The proxy ADSS Server holds the data locally and sends only the hash of the data to a back-end Signing Service for signing. Communication for both interfaces is one of:

  • Plain HTTP
  • TLS Server Authentication
  • TLS Client Authentication

Service Address

Use this field to add back-end Signing Service address(es).

List of Service Addresses

This field shows the list of all the addresses added by the operator. Multiple service addresses can be added so that primary and secondary service addresses act as a fallback mechanism.

Signing Profile

Specify the Signing profile of the back-end ADSS Signing Server to be used for creating the signatures.

Client ID

Specify the name of the Client ID that is registered in the back-end ADSS Signing Server.

Use TLS Client Authentication

If it is required to communicate with the back-end ADSS Signing Server using TLS client authentication, enable this option and select the TLS client certificate that already exists in the Key Manager.

Note: The issuer CA of the client TLS certificate must be registered in Trust Manager with the purpose "CA for verifying TLS client certificates".



See also

General Settings
Signature Settings