Step 7 - Using the Service Manager
After making configuration changes within the ADSS Verification Service, the service must be restarted for the changes to take effect. The verification service manager module allows operators to start, stop or restart the verification service and also to change service-related configurations. Click on the "Service Manager" button and this screen is shown:
If the operator selects the Enable Gateway Mode option, the following screen is shown:
The configuration items are as follows:
Items |
Description |
Service Address |
The address of the verification service being controlled from this Service Manager. Ensure the address points to the correct service URL: if you are running the service on multiple machines in a load-balanced configuration, check that the name is correct for the particular instance that needs to be started, stopped or restarted. By default it is that of the local machine. |
Start |
Start the service. Status will change to “Running” after a successful start. |
Stop |
Stop the service. Status will change to “Stopped” after the service is stopped. |
Restart |
Stop and then start the service in one go. Status will change to “Running” after a successful restart. |
Verification Service Mode |
This section defines the configuration required for the Verification Service either to handle requests directly or to act as a gateway server for a back-end Verification Service. |
Enable Service Mode |
When this option is enabled, the Verification Service handles all requests itself and responds accordingly. Note: Service Mode is enabled by default. |
Response Signing Certificate |
All verification response messages are signed so that client applications can trust the ADSS Server responses. To specify the signing certificate (and private key) use the drop-down menu labelled Verification Response Signing Certificate. If such a key has not been generated and/or certified then do this via the Key Manager. |
Hashing Algorithm |
The hash algorithm used to digest the verification response data that is signed, which maintains the integrity of the response. The default value is SHA256. |
Client request messages must be signed |
Select this check box to enforce the requirement that service request messages must be signed by the business application. The service checks the signature on the request message using the client’s certificate (registered within the Client Manager module) in order to authenticate the client application; otherwise authentication fails and the request is rejected. |
Store input and output documents in the transactions log |
The ADSS Server administrator can select this checkbox to store the document to be verified/enhanced within the service request log record and the verified/enhanced document within the response log record. By default this option is disabled. Note: This option must be used with care! Depending on the size and volume of documents being verified/enhanced, setting this option could dramatically increase the size of the ADSS Server log records and hence the database size requirements. Note: Storing input and output documents in the transactions log is not supported when gateway mode is enabled. |
Use local System Clock |
All verification response messages include a time stamp. If this radio button is selected then the timestamp is based on the system clock of the ADSS Server machine. |
Use RFC3161 timestamp |
If this radio button is selected then the verification response message will include a cryptographically protected timestamp token issued by a TSA. |
Verification Service Mode |
This section defines the configuration required for forwarding requests to the back-end Verification Service. |
Enable Gateway Mode |
If enabled, this instance of the Verification Service will function as a Gateway for the back-end Verification Server. The gateway checks the request structure and validates the client. If successful, it forwards the request to the back-end Verification Server using the configurations outlined below. If unsuccessful, it sends an error message back to the requesting application. |
Verification Service Address |
Use this field to add Verification Service address(es). |
List of Verification Service Address |
This field shows the Verification Service addresses that can be used to forward requests to the back-end Verification Server. Multiple service addresses can be added. The Test button checks that the service is available. The Remove button deletes a configured service address. |
Verification Profile |
Optionally specifies the Verification profile to be used for requests to the back-end Verification Service. Note: If not configured, the request is forwarded to the back-end Verification Service without a Verification profile, and the back-end Verification Server uses the default Verification profile configured against the Client in Client Manager. |
Client ID |
Define the Client ID registered in the back-end Verification Service. The Verification Service will use this Client ID while communicating with the back-end Verification Service. The back-end Verification Service verifies that this is a registered Client ID within the Client Manager module before granting access to the service. |
Use TLS Client Authentication |
If this option is enabled, the Verification Service will communicate with the back-end Verification Service using TLS client authentication. Note: By default it is disabled. |
Certificate |
Select a client TLS certificate that already exists in the Key Manager. Note: The issuer CA of the client TLS certificate must be registered in Trust Manager with the purpose CA for verifying TLS client certificates. |
Enable Document Confidentiality |
To achieve document confidentiality, the document must not travel to the back-end service for signature verification. When this checkbox is enabled, only the signatures and the hash data travel to the back-end Verification Service instead of the complete document. This rule also applies where a single document contains multiple signatures. Note: While operating with the Enable Document Confidentiality checkbox, the following points must be kept in mind:
|
Enable Remote Signing |
This checkbox becomes available to the operator when the 'Enable Document Confidentiality' checkbox is enabled. By enabling this checkbox, the response received from the Verification Service will be signed on the DSS interface and then sent back to the client. |
Response Signing Certificate |
The Verification response messages in the case of the Document Confidentiality feature are signed so that the end user can trust the ADSS Verification Service responses. To specify the signing certificate (and private key), use the drop-down menu labelled Response Signing Certificate. If such a key has not been generated and certified then do this via the ADSS Key Manager as explained in Step 1. |
Hash Algorithm |
The selected hashing algorithm is used when signing the generated Verification responses. The available options are SHA1, SHA224, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512, and RipeMD160. |
Ensure all the changes are saved by clicking the Save button, then restart the service for the changes to take effect.
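How the split behind Enable Document Confidentiality can work, as an added example that is not ADSS Server code or its wire format: the gateway hashes the document locally and forwards only the digest and the signature, and the back end verifies an RSA PKCS#1 v1.5 signature from those two values. The function names, the request fields and the demo key (built from public Mersenne primes, not secure) are assumptions made for illustration.

```python
import hashlib

# Constructed demo key, NOT secure: both primes are public Mersenne primes.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# DER DigestInfo header for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode_digest(digest: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of an already computed SHA-256 digest."""
    if len(digest) != 32:
        raise ValueError("expected a 32-byte SHA-256 digest")
    t = SHA256_PREFIX + digest
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def signer_sign(document: bytes) -> bytes:
    """Document signer (hypothetical): creates the signature to be verified."""
    m = encode_digest(hashlib.sha256(document).digest())
    return pow(m, D, N).to_bytes(K, "big")


def gateway_build_request(document: bytes, signature: bytes) -> dict:
    """Gateway: hash locally, forward only the digest and the signature."""
    return {"hash_alg": "SHA256",
            "digest": hashlib.sha256(document).hexdigest(),
            "signature": signature.hex()}


def backend_verify(request: dict) -> bool:
    """Back end: checks the signature without ever seeing the document."""
    if request.get("hash_alg") != "SHA256":
        return False
    try:
        expected = encode_digest(bytes.fromhex(request["digest"]))
        s = int.from_bytes(bytes.fromhex(request["signature"]), "big")
    except (KeyError, ValueError):
        return False
    return s < N and pow(s, E, N) == expected
```

The back end can only confirm that the signature matches the digest it was given, so binding that digest to the actual document remains the gateway's job.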
See also
Step 1 - Generating Keys and Certificates
Step 2 - Registering CAs
Step 3 - Configuring CRL Monitor
Step 4 - Configuring Verification Profile
Step 5 - Configuring Signature Quality
Step 6 - Registering Business Application