Oracle Waveset 8.1.1 Business Administrator's Guide

Configuring Digitally Signed Approvals and Actions

Use the following information and procedures to set up digital signing. You can digitally sign:

The topics discussed in this section explain the server-side and client-side configuration required to add the certificate and CRL to Waveset for signed approvals.

Procedure: To Enable Server-Side Configuration for Signed Approvals

  1. Open the system configuration object for editing and set security.nonrepudiation.signedApprovals=true

    For instructions on editing the system configuration object, see Editing Waveset Configuration Objects.

    If you are using PKCS11 you must also set security.nonrepudiation.defaultKeystoreType=PKCS11

    If you are using a custom PKCS11 Key provider, you must also set security.nonrepudiation.defaultPKCS11KeyProvider=your provider name


    Note –

    Please refer to the following items in the REF kit for more information on when you need to write a custom provider:


    com.sun.idm.ui.web.applet.transactionsigner.DefaultPKCS11KeyProvider (Javadoc)
    REF/transactionsigner/SamplePKCS11KeyProvider

    The REF (Resource Extension Facility) kit is provided in the /REF directory on your product CD or with your install image.


  2. Add your certificate authority's (CA) certificates as trusted certificates. To do this, you must first obtain a copy of the certificates.

    For example, if you are using a Microsoft CA, follow steps similar to these:

    1. Go to http://IPAddress/certsrv and log in with administrative privileges.

    2. Select Retrieve the CA certificate or certificate revocation list, and then click Next.

    3. Download and save the CA certificate.

  3. Add the certificate to Waveset as a trusted certificate:

    1. From the Administrator interface, select Security, and then select Certificates. Waveset displays the Certificates page.

      Figure 6–6 Certificates Page


    2. In the Trusted CA Certificates area, click Add. Waveset displays the Import Certificate page.

    3. Browse to and then select the trusted certificate, and then click Import.

      The certificate now displays in the list of trusted certificates.

  4. Add your CA’s certificate revocation list (CRL):

    1. In the CRLs area of the Certificates page, click Add.

    2. Enter the URL for the CA’s CRL.


      Note –
      • The certificate revocation list (CRL) is a list of certificate serial numbers that have been revoked or are not valid.

      • The URL for the CA’s CRL may be http or LDAP.

      • Each CA has a different URL where CRLs are distributed; you can determine this by browsing the CA certificate’s CRL Distribution Points extension.


  5. Click Test Connection to verify the URL.

  6. Click Save.

  7. Sign applets/ts2.jar using jarsigner.


    Note –

    Refer to http://download.oracle.com/docs/cd/E17476_01/javase/1.5.0/docs/tooldocs/windows/jarsigner.html for more information. The ts2.jar file provided with Waveset is signed using a self-signed certificate, and should not be used for production systems. In production, this file should be re-signed using a code-signing certificate issued by your trusted CA.
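
Added example (not part of the Oracle guide): shell helpers for the two command-line checks in this procedure, reading the CRL URL from the CA certificate's CRL Distribution Points extension (step 4) and replacing the shipped self-signed signature on ts2.jar (step 7). The function names, keystore file and key alias are placeholders, and OpenSSL 1.1.1 or later, zip and the JDK's jarsigner are assumed to be installed.

```shell
#!/bin/sh
# Added example; helper names and file paths are placeholders, not Waveset's own.

# Step 4: print the CRL URL(s) carried in a certificate's CRL Distribution
# Points extension. Accepts Base64 (PEM) or DER files, as exported by the CA.
crl_urls() {   # usage: crl_urls ca-cert-file
    { openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null ||
      openssl x509 -inform DER -in "$1" -noout -ext crlDistributionPoints; } |
        sed -n 's/^[[:space:]]*URI://p'
}

# Step 7: re-sign the applet with a CA-issued code-signing key held in a
# PKCS#12 keystore. jarsigner prompts for the keystore password, so the
# password never appears on the command line or in shell history.
resign_applet() {   # usage: resign_applet applets/ts2.jar codesign.p12 key-alias
    jar=$1; keystore=$2; key_alias=$3
    cp -p "$jar" "$jar.orig" || return 1      # keep the shipped file for rollback
    # jarsigner adds a signature under a new name rather than replacing one
    # made with a different alias, so remove the self-signed signature files
    # first. zip complains about patterns that match nothing; that is harmless.
    zip -d "$jar" 'META-INF/*.SF' 'META-INF/*.DSA' 'META-INF/*.RSA' || true
    jarsigner -keystore "$keystore" -storetype PKCS12 "$jar" "$key_alias" || return 1
    # List each entry with its signer; confirm the only signer shown is the
    # code-signing certificate issued by your trusted CA.
    jarsigner -verify -verbose -certs "$jar"
}
```

Enter the URL printed by crl_urls in the CRLs area of the Certificates page, and deploy the re-signed ts2.jar only after the verify output shows the expected signer.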


Procedure: To Enable Server-Side Configuration for Signed Approvals Using PKCS12

The following configuration information is for signed approvals using PKCS12. Obtain a certificate and private key, and then export them to a PKCS#12 keystore. For example, if using a Microsoft CA, you would follow steps similar to these:

Before You Begin

Waveset now requires at least JRE 1.5.

  1. Using Internet Explorer, browse to http://IPAddress/certsrv and log in with administrative privileges.

  2. Select Request a certificate, and then click Next.

  3. Select Advanced request, and then click Next.

  4. Click Next.

  5. Select User for Certificate Template.

  6. Select these options:

    1. Mark keys as exportable.

    2. Enable strong key protection.

    3. Use local machine store.

  7. Click Submit, and then click OK.

  8. Click Install this certificate.

  9. Select Run -> mmc to launch mmc.

  10. Add the Certificate snap-in:

    1. Select Console -> Add/Remove Snap-in.

    2. Click Add.

    3. Select Computer account.

    4. Click Next, and then click Finish.

    5. Click Close.

    6. Click OK.

    7. Go to Certificates -> Personal -> Certificates.

    8. Right-click Administrator, and then select All Tasks -> Export.

    9. Click Next.

    10. Click Next to confirm exporting the private key.

    11. Click Next.

    12. Provide a password, and then click Next.

    13. File CertificateLocation.

    14. Click Next, and then click Finish. Click OK to confirm.


      Note –

      Note the information that you use in sub-steps 12 (password) and 13 (certificate location) of step 10 of the client-side configuration. You will need this information to sign approvals.


Procedure: To Enable Client-Side Configuration for Signed Approvals Using PKCS11

If you are using PKCS11 for signed approvals:

  1. Refer to the following resources in the REF kit for configuration information:


    com.sun.idm.ui.web.applet.transactionsigner.DefaultPKCS11KeyProvider (Javadoc)
    REF/transactionsigner/SamplePKCS11KeyProvider

    The REF (Resource Extension Facility) kit is provided in the /REF directory on your product CD or with your install image.