Configuring XMLDSIG-Format Signed Approvals (Oracle Waveset 8.1.1 Business Administrator's Guide)

Oracle Waveset 8.1.1 Business Administrator's Guide

Configuring XMLDSIG-Format Signed Approvals

Waveset allows you to add XMLDSIG-format signed approvals, including an RFC 3161-compliant digital timestamp, to the Waveset approval process. When you configure Waveset to use XMLDSIG signed approvals, no changes are visible to approvers unless they view the approval in the audit log. Only the format of the signed approval that is stored in the audit log record is changed.

As with previous signed approvals in Oracle Waveset, an applet is launched on the client machine and the approver is presented with the approval information for signing. They then choose a keystore and a key with which to sign the approval.

After the approver signs the approval, an XMLDSIG document containing the approval data is created. This document is returned to the server which validates the XMLDSIG signed document. If successful, and if RFC 3161 digital timestamps have been configured, a digital timestamp is also generated for this document. The timestamp retrieved from the timestamp authority (TSA) is checked for errors and its certificates are validated. Finally, if successful, Oracle Waveset generates an audit log record that includes the XMLDSIG-format signed approval object in the XML blob column.

Approval Data Format

The format for an XMLDSIG-format approval object is as follows:

<XMLSignedData signedContent="...base64 transaction text ...">
   <XMLSignature>
      <TSATimestamp>
         ...The base64 encoded PKCS7 timestamp token returned by the TSA...
      </TSATimestamp
      <Signature>
        <SignedInfo>...XMLDSIG stuff...</SignedInfo>
        <SignatureValue>...base64 signature value</SignatureValue>
        <KeyInfo>...cert info for signer</KeyInfo>
      </Signature>
   </XMLSignature>
</XMLSignedData>

where:

The base64 approval data consists of the actual approval data text that is presented to the approver in the applet, encoded in base64 format.
The <TSATimestamp> element contains the base64 encoded PKCS7 timestamp response from the Timestamp Authority (TSA).
The entire <Signature> comprises the XMLDSIG signature data.

This XMLDSIG document that is stored in the XML column of the audit log approval record.

Installation and Setup

The installation and setup requirements for using XMLDSIG signed approvals are the same as those described in To Enable Server-Side Configuration for Signed Approvals, with one additional step. You must sign the xmlsec-1.4.2.jar file in addition to signing the ts2.jar file.

Approval Configuration

You can use system configuration attributes to:

Choose the SignedData format or the XMLSignedData format. Note that you can configure only one format at a time, although administrators can change this setting as needed.
Include a digital timestamp retrieved from a configured RFC 3161 Timestamp Authority (TSA).
Specify a URL, in HTTP only, from which to fetch this timestamp.

To edit these attributes, use the Waveset debug pages to edit the system configuration object. These attributes are all located under security.nonrepudiation, along with other signed approval attributes.

The XMLDSIG attributes include:

security.nonrepudiation.useXmlDigitalSignatures is a boolean value that enables XMLDSIG signatures.
security.nonrepudiation.timestampXmlDigitalSignatures is a boolean value that includes RFC 3161 digital timestamps in XMLDSIG signatures.
security.nonrepudiation.timestampServerURL is a string value where the URL points to the HTTP-based TSA from which to fetch timestamps.

Note –

You must first set the existing useSignedApprovals attribute to true for any of the preceding attributes to have an effect.
Waveset does not support multiple signatures on one approval or signed approvals for more general provisioning requests.