A Service Plan is a collection of allowed services and certificate types that is assigned to an Enterprise. A service plan may specify, but is not limited to, the following:


  • To control the issuance of server-side keys
    • Simple
    • Remote Authorisation


  • To control the issuance of client-side keys
    • Certifying a CSR
    • Generating a key pair on client side (e.g. in a PKCS#11 device) using ADSS Go>Sign Desktop


  • Multi-factor authentication (optional)
    • At the time of system login
    • At the time of sending a certificate revocation request
    • At the time of sending a certificate renewal request


  1. Service plans can be assigned to enterprises only. You cannot assign a service plan to users directly.
  2. Based on your business requirements, you can create multiple service plans to offer different sets of certification services to different enterprises.
  3. You can configure one service plan in multiple enterprises, but it is good practice to create a separate service plan for each enterprise if you are a service provider and there are many enterprises registered in the ADSS Web RA application.


Create a Service Plan


  1. Click Service Plans from the left menu.
  2. Click  from the grid header. 



  3. A dialog wizard will appear to configure the service plan details. The wizard consists of 4 sequential screens:


    1. Basic Information


Basic Information

| Field | Description |
|---|---|
| Name | Specify a unique name for this service plan, e.g. My Service Plan. Service plans are used in the configuration of Enterprise Accounts. |
| Description | Specify any description related to this service plan for your records. |
| Active | Tick this check box to make this service plan active. Inactive service plans cannot be configured in the Enterprise Accounts. |



    2. Profile Settings - Two screenshots are added to display all Key Stores:


Profiles Settings

| Field | Description |
|---|---|
| Key Stores > Profiles for requesting certificates with CSR | This field lists all the active ADSS Certification Service Profiles that have been created to issue certificates by submitting users' CSRs. Specify the ones to be used by ADSS Web RA to process such certificate requests. If the "Enable client keys" check box is checked in a profile, that profile is shown in the "Profile for requesting certificate with CSR" drop-down, where the operator can configure it in the service plan. If multiple profiles are specified here, the ADSS Web RA end user will have the option to choose one before sending a CSR-based certificate request. If no profile is specified, the enterprises registered with this service plan will not be able to request CSR-based certificates. |
| Key Stores > Profiles for creating keys on smartcards/tokens | This field lists all the active ADSS Certification Service Profiles that have been created to issue signing keys and certificates on smart cards and tokens, i.e. the profiles in which the "Smartcard/Token Profile" field is enabled. Specify the one to be used by ADSS Web RA to process such certificate requests. If multiple profiles are specified here, the ADSS Web RA operator will have the option to choose one before sending a local certificate request to Admin RA. If no profile is specified, the enterprises registered with this service plan will not be able to request local signing keys and certificates. |
| Key Stores > Profiles for server-side keys & certificates | This field lists all the active ADSS Certification Service Profiles that have been created to issue remote/server-side signing keys and certificates. The remote keys are generated and held in the ADSS Server. Specify the ones to be used by ADSS Web RA to process such certificate requests. If the "Enable client keys" check box is unchecked in a profile, that profile is shown in the "Profile for server-side keys & certificates" drop-down, where the operator can configure it in the service plan. If multiple profiles are specified here, the ADSS Web RA operator will have the option to choose one before sending a server-side certificate request. If no profile is specified, the enterprises registered with this service plan will not be able to request remote/server-side signing keys and certificates. |
| Services > CSP Profile | This field lists all the active ADSS CSP Service Profiles that have been created to issue Remote Authorised Signing (RAS) certificates. Specify the one to be used by ADSS Web RA to process such certificate requests. If multiple profiles are specified here, the ADSS Web RA operator will have the option to choose one before sending a RAS certificate request. If no profile is specified, the enterprises registered with this service plan will not be able to request RAS certificates. |
| Services > Device Enrolment Profile | This section lists all configured profiles for creating certificates via Simple Certificate Enrolment Protocol (SCEP), Certificate Management Protocol (CMP), Automatic Certificate Management Environment (ACME) and Enrolment over Secure Transport (EST). When a SCEP or CMP profile is selected in a service plan, the device enrolment option appears on the ADSS Web RA user's portal. |
| Services > SigningHub Connector | This shows the list of all configured SigningHub connectors that can be used for ADSS Web RA integration. |
| Services > Default certificate profile for SigningHub | This shows the list of all configured certification profiles that can be used for default certificate generation for Remote Authorisation Signing under the integrated app. If None is selected, no default certificate is generated under the integrated app for the enterprise account at registration time. |





    3. Notification


Notification

| Field | Description |
|---|---|
| SMS Gateway | This shows all the configured SMS gateway connectors that can be selected to receive OTP via SMS. Additionally, OTP length and retry interval can also be set. |
| Email Gateway | This shows the list of configured SMTP connectors that can be selected to receive email notifications. |



The email gateway selected in the service plan is used for email communication. However, if no email gateway is configured in the service plan, the one configured under Configurations > Default Settings is used to send all email notifications.




    4. Advance Settings - On this screen, you can set primary and secondary authentications for a service plan.


Advance Settings

| Field | Description |
|---|---|
| Login Authentications > Primary Authentication Profiles | Primary authentication is configured as the login authentication that allows an enterprise RAO to log in to the ADSS Web RA User Portal. An operator can set multiple primary authentication profiles for users in an enterprise. |
| Default Primary Authentication Profile | One of the available Primary Authentication profiles must be selected by default for a new service plan. |
| Secondary Authentication Profiles | Secondary authentication is configured as the login authentication that allows an Enterprise RAO to log in to the ADSS Web RA User Portal. |
| Default Secondary Authentication Profile | One of the available Secondary Authentication profiles must be selected by default for a new service plan. |
| Enterprise Registration > Enable vetting to approve enterprise registration | This enables vetting of new enterprise account registrations. If enabled, a list of vetting forms appears, from which you select the vetting form to be shown while registering an enterprise, either through ADSS Web RA admin or ADSS Web RA web. When "None" is selected in the vetting form list, no vetting form has to be filled in and the new enterprise registration only has to be approved by the Admin RAO. |



  4. Specify the details of each screen accordingly and click Next to proceed further. Click "Create". The new service plan will be saved and displayed in the list. You may also edit and delete this service plan as required.
  5. Click "Publish Changes" in the top right corner to make these configurations effective.


A user can configure the following authentication mechanisms in a service plan:


SAML Authentication


When creating a service plan for SAML authentication, a user will be required to fill in some basic information, profile settings, notification and advance settings. The Advance Settings screen displays a drop-down named 'Login Authentications', which requires all the primary authentications that are to be configured in the system. Once the user completes the configuration, the primary settings will include Email/Password authentication and SAML authentication. Here, the user can select the SAML authentication profile configured previously with the name SAML Authentication using Azure.


Active Directory Authentication 


When creating a service plan, a user will be required to fill in some basic information, profile settings, notification and advance settings. The Advance Settings screen displays a drop-down named 'Login Authentications', which requires all the primary authentications that are to be configured in the system. Here, the user can select the Active Directory Authentication Profile configured previously with the name Active Directory authentication.


One Time Password (OTP)


When creating a service plan, a user will be required to fill in some basic information, profile settings, notification and advance settings. The Advance Settings screen displays a drop-down named 'Login Authentications', which requires all the primary authentications that are to be configured in the system. Here, the user can select the OTP configuration configured previously with the name OTP authentication.


Once you have created a service plan, configure it in an enterprise.