Advance Settings

The following configurations related to Data Encryption Key (DEK) and client secret which can be configured within the Client Manager by clicking on the Advanced Settings tab.

This service allows client applications (e.g. Ascertia SigningHub or any third party application) to use a KEK managed by ADSS Server within its HSM. Note the KEK is only used to encrypt/decrypt Data Encryption keys (DEKs). The DEKs themselves are used directly by the client application to encrypt/decrypt data e.g. SigningHub documents. The benefits of this approach are that client applications do not need to integrate directly with an HSM themselves but can rely on this key management service offered by ADSS Server

The client secret is a secret known only to the business application (e.g. ADSS Signing Service or Go>Sign Mobile SDK) and the authorization server e.g. ADSS RAS Service. The business application provides the client ID and Client secret to the authorisation server for authentication.

Clicking on the Advanced Settings link at the top of the page shows the following screen:

The configuration items are as follows:

Item

Description

Allow this client to access the DEK encryption

Checking this checkbox allows the client to access the DEK encryption/decryption service of ADSS Server.

Key Encryption Key (KEK)

Configure the relevant Key Encryption Key (KEK) which is to be accessible to this client. Note the KEKs are identified in the ADSS Server Key Manager and may have been created in software or HSM.

Client Secret

Generate and configures the client secret for the relevant client by clicking on the generate button.

Once the secret is generated using the generate button, the user need to copy that secret because once user leave this page the client secret will be masked with asterisks for security reason and cannot be copied again.

Redirect URI

It is a Business Application URI where the user will be redirected by RAS Service after authenticating it using OAuth2 mechanism.