Timestamping Server Configuration Guide Published:December 27, 2017

Size: px

Start display at page:

Download "Timestamping Server Configuration Guide Published:December 27, 2017"

Oliver Wilson
5 years ago
Views:

1 Timestamping Server Configuration Guide Published:December 27, 2017

2 Copyright Version Copyright DocuSign, Inc. All rights reserved. For information about DocuSign trademarks, copyrights and patents refer to the DocuSign Intellectual Property page ( on the DocuSign website. All other trademarks and registered trademarks are the property of their respective holders. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of DocuSign, Inc. Under the law, reproducing includes translating into another language or format. Every effort has been made to ensure that the information in this manual is accurate. DocuSign, Inc. is not responsible for printing or clerical errors. Information in this document is subject to change without notice.

3 Table of Contents Table of Contents Application Server Configuration... 4 Secured Audit Logs... 4 Configure HSS Support... 4 Configure Transport Layer Security (TLS) Support... 5 Configure Timestamping... 5 Configure Nonce Usage... 6 Configure NTP Server... 6 Web Server Configuration... 7 Set Up HTTPS Mode Certificates... 7 Deactivate the HTTP Mode of the ds-web-server Interface... 7 Configure the Trust Bank... 8 Maintenance Tasks... 9 Check Providers Initialization at Startup... 9 Timestamping Properties Reference Properties Overview Hierarchical Management of Properties in the Administration Interface Property List Property Reference

4 Timestamping Server Configuration Guide 4 Application Server Configuration This section details the settings that must or can be configured on the application server. It contains the following topics: Secured Audit Logs on page 4. Configure HSS Support on page 4. Configure Timestamping on page 5. Secured Audit Logs The HSS (Hardware Security System) allows you to secure the access to your audit logs by transferring them to an external HSS on a regular basis. With this system, every audit log that is transferred to the HSS is signed then chained in order to ensure its integrity. To secure your audit logs, you must: 1. Configure your HSS (see the HSS Configuration Guide). 2. Set the admin.commons.audit.remote.enabled key to activate the secured audit logs. 3. Set additional properties in /opt/sequoia/jboss/server/ds-admin/conf/dsadmin-commons/ds-admin-commons.properties (see also Table 1.1, secured audit logs configuration properties ). Table 1.1. secured audit logs configuration properties Property admin.commons.audit.remote.dumpdirectory admin.commons.audit.remote.dumpstrategy admin.commons.audit.remote.enabled admin.commons.audit.remote.nominalqueuecapacity admin.commons.audit.remote.onerrorqueuecapacity admin.commons.audit.remote.remoteserverhost admin.commons.audit.remote.remoteserverlaneid admin.commons.audit.remote.remoteserverport admin.commons.audit.remote.waitonerrordelay Audit entries temporary directory. Events triggering the storage of audit entries in the dump directory. Activate/deactivate secured audit log management. Max number of audit operations that can be queued prior to HSS processing. Max number of audit operations that can be queued in the case of an HSS error. HSS host name. Audit log entry identifier. HSS port. Required waiting time after a connection error. Configure HSS Support This section contains the following sub-sections:

5 Timestamping Server Configuration Guide 5 Configure Transport Layer Security (TLS) Support. Configure Transport Layer Security (TLS) Support You can configure Timestamping so that it uses the TLS protocol while communicating with the HSS. Table 1.2, TLS support properties details the properties that must be set in order to configure TLS support. On the other hand you must ensure that remote HSSs are appropriately configured. Note: : only HSS 3.0 and higher supports the Transport Layer Security protocol. For more information about the HSS configuration, see the HSS Configuration Guide. Table 1.2. TLS support properties Property hss.tls.p12password hss.tls.p12path hss.tls.truststorepath commons.cryptoserver.address admin.commons.audit.remote.remoteserverhost Password of the HSS PKCS #12 file. Path to the certificate that is submitted by the HSS in order to authenticate. Path to the certificate of the CA that issued the HSS authentication certificate. HSS server address HSS host name Important: : in TLS mode, the value of commons.cryptoserver.address, and admin.commons.audit.remote.remoteserverhost must match with the HSS FQDN (Fully Qualifier Domain Name). Configure Timestamping Timestamping is a module of the Protect & Sign Suite. Upon a user s request, it provides a timestamp token. Timestamp tokens are delivered by Timestamp Authorities (TA) which, by virtue of a timestamp policy, use one or more Timestamp Units (TU) to sign timestamp tokens. The TA is a legal entity; the TU is a technical entity. Two interfaces are available with the timestamp service: Administration interface: to configure the timestamp service; Timestamp interface: enabling end users to obtain timestamp tokens The following diagram depicts the overall architecture of the timestamp service.

6 Timestamping Server Configuration Guide 6 Figure 1.1. Overall architecture of Timestamping Client m achine 1. Tim e-st am p request 2. Response (t im e-st am p t oken) Tim e-stam p Interface Adm inistration Int erface Tim estam ping TSP Server & Tim e-stam ping Units In order to use the Timestamping service on behalf of a customer, you must first define a workspace. A workspace is a logical domain offering a service on the shared timestamp system, which is affiliated with a single TA. Next, you must enroll the TU(s) that will be used to sign the timestamp tokens of the TA affiliated with the workspace. A timestamp token request can only be processed if the TU issuing the token is enrolled in the workspace. This section contains the following sub-sections: Configure Nonce Usage. Configure NTP Server. Configure Nonce Usage See server.tsp.noncerequired on page 26 key if you want to include a "nonce" in the TSP request. Configure NTP Server The NTP server must have a stratum of 5 or less.

7 Timestamping Server Configuration Guide 7 Web Server Configuration This section shows the configuration tasks that can be performed on the web server. It tackles the following topics: Set Up HTTPS Mode Certificates on page 7. Deactivate the HTTP Mode of the ds-web-server Interface on page 7. Configure the Trust Bank on page 8. Set Up HTTPS Mode Certificates If you want to configure the access to the web server in HTTPS mode you must set the certificate and the private key of both the administration interface and the signature interface. Table 2.1. certificates prerequisites File Target Directory ds-web-admin.crt ds-web-server.crt ds-web-admin.key ds-web-server.key ds-web-adminchain.pem ds-web-serverchain.pem /opt/sequoia/httpd/ds/ssl/ ssl.crt/ /opt/sequoia/httpd/ds/ssl/ ssl.crt/ /opt/sequoia/httpd/ds/ssl/ ssl.key/ /opt/sequoia/httpd/ds/ssl/ ssl.key/ /opt/sequoia/httpd/ds/ssl/ ssl.crt/ /opt/sequoia/httpd/ds/ssl/ ssl.crt/ Server certificate (PEM format) of the administration interface. Server certificate (PEM format) of the server interface. Private key (PEM format) of the administration interface server certificate. Private key (PEM format) of the server interface server certificate. File to be created (PEM format) that concatenates the CA certificates compounding the trust chain of the administration interface certificate. File to be created (PEM format) that concatenates the CA certificates compounding the trust chain of the web server certificate. Deactivate the HTTP Mode of the ds-web-server Interface The ds-web-server interface supports by default the HTTP and HTTPS mode. You can deactivate the HTTP mode as follows: 1. Edit /opt/sequoia/httpd/ds/ds.conf. 2. Comment the HTTPD configuration line as follows:

8 Timestamping Server Configuration Guide 8 #Include /opt/sequoia/httpd/ds/http/ds-web-server.conf The HTTPS mode is now deactivated on the ds-web-server interface. Configure the Trust Bank The web server must be aware of the CAs that signed the user certificates of both the administration and the signature interface. Otherwise, users will not be able to access the targeted interface. Proceed as follows to specify the trusted authorities of user certificates: 1. Drop the trusted authorities (PEM format with the.crt extension) of the web server trust bank in /opt/sequoia/httpd/ds/ssl/ssl.cacert/ 2. Run the following commands: [root@feds ~]# cd $HTTPD_DS_HOME/ssl/ssl.cacert/ [root@feds ~]# chmod 755 *.crt [root@feds ~]#./calink.sh

9 Timestamping Server Configuration Guide 9 Maintenance Tasks This section contains information that can be useful for the maintenance of Timestamping. Check Providers Initialization at Startup An exhaustive list of providers is initialized in a specific order when Timestamping is started. If the providers are loaded in a distinct order than required, then Timestamping may not work properly. The DS.Server.Attributes.ProviderListOperation JMX indicator displays the list of providers in the order they are loaded when Timestamping is started. If Timestamping is not working properly, then you must first check the DS.Server.Attributes.ProviderListOperation indicator and ensure that the providers are loaded in the expected order.

10 Timestamping Server Configuration Guide 10 Timestamping Properties Reference To configure Timestamping and its administration interface you must set specific properties. This section lists the available properties and the configuration files where they must be set. Properties Overview on page 10. Property Reference on page 12. Properties Overview A property is a parameter that comes as a [key]=[value] pair configured in a dedicated file. Properties allow you to configure services such as the HSS or the administration interface default settings. For example, the mail.smtp.host property of the dscommons.properties file allows you to configure the mail server and can be set to smtp as follows: mail.smtp.host=smtp. Table 4.1, available property files lists the available property files. Files prefixed with dscommons must be set on both the Timestamping server (ds-server) and the administration server (ds-admin). Ensure that the ds-commons properties are set accordingly to the characteristics of the server. Table 4.1. available property files ds-commons.properties File /opt/sequoia/jboss/ server/ds-admin/conf/ ds-admin-commons/ /opt/sequoia/jboss/ server/ds-admin/conf/ ds-commons/ Includes customization parameters of the administration interface. Contains the parameters of the HSS, HSM, notifications, cache management, etc. ds-admincommons.properties ds-servertsp.properties /opt/sequoia/jboss/ server/ds-server/conf/ ds-commons/ /opt/sequoia/jboss/ server/ds-server/conf/ ds-server-tsp/dsserver-tsp.properties Contains Timestamping parameters. Hierarchical Management of Properties in the Administration Interface Timestamping provides now a new management mode for properties. Instead of setting properties in a configuration file, they can now be configured in the Administration Interface.

11 Timestamping Server Configuration Guide 11 Property List Table 4.2. Timestamping property list Property admin.commons.audit.remote.dumpdirectory admin.commons.audit.remote.dumpstrategy admin.commons.audit.remote.enabled admin.commons.audit.remote.nominalqueuecapacity admin.commons.audit.remote.onerrorqueuecapacity admin.commons.audit.remote.remoteserverhost admin.commons.audit.remote.remoteserverlaneid admin.commons.audit.remote.remoteserverport admin.commons.audit.remote.waitonerrordelay admin.commons.supervisor.config.global.verifyhsmhaskey commons.cryptoserver.address hss.tls.p12password hss.tls.p12path hss.tls.truststorepath kazmon.agent.application kazmon.agent.environment kazmon.agent.url Audit entries temporary directory. Events triggering the storage of audit entries in the dump directory. Activate/deactivate secured audit log management. Max number of audit operations that can be queued prior to HSS processing. Max number of audit operations that can be queued in the case of an HSS error. HSS host name. Audit log entry identifier. HSS port. Required waiting time after a connection error. Deactivate HSM key verification when the Supervisor is generating the reports HSS server address Password of the HSS PKCS #12 file Path to the certificate that is submitted by the HSS in order to authenticate Path to the certificate of the CA that issued the HSS authentication certificate Sets the value of the 'application' property that is included in the events sent by Protect and Sign to Kazmon Sets the value of the 'environment' property that is included in the events sent by Protect and Sign to Kazmon URL address of the KazMon agent that receives the Protect and Sign events

12 Timestamping Server Configuration Guide 12 Property p12.password, p12.path server.tsp.acceptedhashalgorithms server.tsp.accuracy server.tsp.enablenonceunicity server.tsp.include.accuracy server.tsp.noncerequired truststore.path url usekazmon Password bound to the certificate used to authenticate on the server that processes qualified signatures Path to the certificate used to authenticate on the server that processes qualified signatures Algorithm(s) that is/are accepted to build the hash of the timestamped document Indicates the time-stamping accuracy (in seconds) Ensures that the nonce included in the time-stamping request is unique Specifies if the time-stamping accuracy is mentionned in the response of the request Indicates whether the signature server requires a nonce to be included in the TSP request Path to the certificate of the Certificate Authority (CA) that issues the certificates used to authenticate on the server that processes qualified signatures Adress of the server dedicated to qualified signatures Activate/deactivate the dispatch of Protect and Sign events to the KazMon agent Property Reference This reference lists all the available properties in alphabetical order. Each element of the reference is structured as follows: detailed description of the property; supported value(s); property default value; location of the property file(s); related properties.

13 Timestamping Server Configuration Guide 13 admin.commons.audit.remote.dumpdirectory Directory that temporarily stores audit entries when HSS communication error occurs. Any valid path to an existing directory. /opt/sequoia/ds/audit/admin/logs /opt/sequoia/jboss/server/ds-admin/conf/ds-admin-commons/ds-admincommons.properties Secured Audit Logs on page 4. admin.commons.audit.remote.dumpstrategy, admin.commons.audit.remote.enabled, admin.commons.audit.remote.nominalqueuecapacity, admin.commons.audit.remote.onerrorqueuecapacity, admin.commons.audit.remote.remoteserverhost, admin.commons.audit.remote.remoteserverlaneid, admin.commons.audit.remote.remoteserverport, admin.commons.audit.remote.waitonerrordelay. admin.commons.audit.remote.dumpstrategy Determines in which cases the audit entries are stored on the dump directory.

14 Timestamping Server Configuration Guide 14 This property supports one of the following value: ALWAYS always use the dump directory. ON_ERROR only when an error occurs while communicating with the HSS. ON_EXIT if system stops. ON_EXIT /opt/sequoia/jboss/server/ds-admin/conf/ds-admin-commons/ds-admincommons.properties Secured Audit Logs on page 4. admin.commons.audit.remote.dumpdirectory, admin.commons.audit.remote.enabled, admin.commons.audit.remote.nominalqueuecapacity, admin.commons.audit.remote.onerrorqueuecapacity, admin.commons.audit.remote.remoteserverhost, admin.commons.audit.remote.remoteserverlaneid, admin.commons.audit.remote.remoteserverport, admin.commons.audit.remote.waitonerrordelay. admin.commons.audit.remote.enabled Activate/deactivate secured management of the audit log. If activated, then the audit log is sent to the HSS that signs it in returns and chains it with previous log entries. Boolean (true / false) true

15 Timestamping Server Configuration Guide 15 Secured Audit Logs on page 4. admin.commons.audit.remote.dumpdirectory, admin.commons.audit.remote.dumpstrategy, admin.commons.audit.remote.nominalqueuecapacity, admin.commons.audit.remote.onerrorqueuecapacity, admin.commons.audit.remote.remoteserverhost, admin.commons.audit.remote.remoteserverlaneid, admin.commons.audit.remote.remoteserverport, admin.commons.audit.remote.waitonerrordelay. admin.commons.audit.remote.nominalqueuecapacity Maximum number of audit operations that can be stored in the queue waiting to be sent to the HSS. Any positive integer. 500 /opt/sequoia/jboss/server/ds-admin/conf/ds-admin-commons/ds-admincommons.properties /opt/sequoia/jboss/server/ds-admin/conf/ds-admin-commons/ds-admincommons.properties Secured Audit Logs on page 4. admin.commons.audit.remote.dumpdirectory, admin.commons.audit.remote.dumpstrategy,

16 Timestamping Server Configuration Guide 16 admin.commons.audit.remote.enabled, admin.commons.audit.remote.onerrorqueuecapacity, admin.commons.audit.remote.remoteserverhost, admin.commons.audit.remote.remoteserverlaneid, admin.commons.audit.remote.remoteserverport, admin.commons.audit.remote.waitonerrordelay. admin.commons.audit.remote.onerrorqueuecapacity Maximum number of audit operations that can be stored in the queue when the HSS is unavailable. Any positive integer. 50 /opt/sequoia/jboss/server/ds-admin/conf/ds-admin-commons/ds-admincommons.properties Secured Audit Logs on page 4. admin.commons.audit.remote.dumpdirectory, admin.commons.audit.remote.dumpstrategy, admin.commons.audit.remote.enabled, admin.commons.audit.remote.nominalqueuecapacity, admin.commons.audit.remote.remoteserverhost, admin.commons.audit.remote.remoteserverlaneid, admin.commons.audit.remote.remoteserverport, admin.commons.audit.remote.waitonerrordelay.

17 Timestamping Server Configuration Guide 17 admin.commons.audit.remote.remoteserverhost Host name of the remote HSS server. Any valid host name. Important: : if the Protect & Sign Suite is configured to communicate with the HSS server through the TLS protocol, then the value of admin.commons.audit.remote.remoteserverhost must match with the HSS FQDN (Fully Qualifier Domain Name). hss /opt/sequoia/jboss/server/ds-admin/conf/ds-admin-commons/ds-admincommons.properties Secured Audit Logs on page 4. admin.commons.audit.remote.dumpdirectory, admin.commons.audit.remote.dumpstrategy, admin.commons.audit.remote.enabled, admin.commons.audit.remote.nominalqueuecapacity, admin.commons.audit.remote.onerrorqueuecapacity, admin.commons.audit.remote.remoteserverlaneid, admin.commons.audit.remote.remoteserverport, admin.commons.audit.remote.waitonerrordelay.

18 Timestamping Server Configuration Guide 18 admin.commons.audit.remote.remoteserverlaneid Identifier for log entries on the remote HSS server. Important: : the selected identifier must also be set in the HSS configuration. For more information, see the HSS Configuration Guide. Any string. DsAdmin /opt/sequoia/jboss/server/ds-admin/conf/ds-admin-commons/ds-admincommons.properties Secured Audit Logs on page 4. admin.commons.audit.remote.dumpdirectory, admin.commons.audit.remote.dumpstrategy, admin.commons.audit.remote.enabled, admin.commons.audit.remote.nominalqueuecapacity, admin.commons.audit.remote.onerrorqueuecapacity, admin.commons.audit.remote.remoteserverhost, admin.commons.audit.remote.remoteserverport, admin.commons.audit.remote.waitonerrordelay.

19 Timestamping Server Configuration Guide 19 admin.commons.audit.remote.remoteserverport TCP port number of the remote HSS server. Valid port number /opt/sequoia/jboss/server/ds-admin/conf/ds-admin-commons/ds-admincommons.properties Secured Audit Logs on page 4. admin.commons.audit.remote.dumpdirectory, admin.commons.audit.remote.dumpstrategy, admin.commons.audit.remote.enabled, admin.commons.audit.remote.nominalqueuecapacity, admin.commons.audit.remote.onerrorqueuecapacity, admin.commons.audit.remote.remoteserverhost, admin.commons.audit.remote.remoteserverlaneid, admin.commons.audit.remote.waitonerrordelay. admin.commons.audit.remote.waitonerrordelay Required waiting time after a connection error Waiting time (in milliseconds) between 2 connection attempts to the remote HSS server when the first connection attempt failed.

20 Timestamping Server Configuration Guide 20 Any positive integer (in milliseconds). For example, equals to milliseconds or 50 seconds Secured Audit Logs on page 4. admin.commons.audit.remote.dumpdirectory, admin.commons.audit.remote.dumpstrategy, admin.commons.audit.remote.enabled, admin.commons.audit.remote.nominalqueuecapacity, admin.commons.audit.remote.onerrorqueuecapacity, admin.commons.audit.remote.remoteserverhost, admin.commons.audit.remote.remoteserverlaneid, admin.commons.audit.remote.remoteserverport. admin.commons.supervisor.config.global.verifyhsmhaskey Checks that the key is inside the HSM when the Supervisor is generating the reports. true/false. false /opt/sequoia/jboss/server/ds-admin/conf/ds-admin-commons/ds-admincommons.properties /opt/sequoia/jboss/server/ds-admin/conf/ds-admin-commons/ds-admincommons.properties

21 Timestamping Server Configuration Guide 21 admin.commons.supervisor.reporting.config. .body, admin.commons.supervisor.reporting.config. .recipients, admin.commons.supervisor.reporting.config. .sender, admin.commons.supervisor.reporting.config. .subject, admin.commons.supervisor.reporting.config. .ziprequired, admin.commons.supervisor.reporting.config.filesystem.subdir, admin.commons.supervisor.reporting.config.filesystem.ziprequired, admin.commons.supervisor.reporting.config.frequency. commons.cryptoserver.address HSS server address. Valid IP address. Important: : if the Protect & Sign Suite is configured to communicate with the HSS server through the TLS protocol, then the value of commons.cryptoserver.address must match with the HSS FQDN (Fully Qualifier Domain Name). None /opt/sequoia/jboss/server/ds-admin/conf/ds-commons/ /opt/sequoia/jboss/server/ds-server/conf/ds-commons/

22 Timestamping Server Configuration Guide 22 hss.tls.p12password Password of the HSS PKCS #12 file. Note: : only set this property if you want to use the Transport Layer Security (TLS) protocol to communicate with the HSS. Plain text password. None Administration Interface Example hss.tls.p12password=1234 hss.tls.p12path, hss.tls.truststorepath. HSS Configuration Guide. hss.tls.p12path Path to the certificate that is submitted by the HSS in order to authenticate. Note: : only set this property if you want to use the Transport Layer Security (TLS) protocol to communicate with the HSS.

23 Timestamping Server Configuration Guide 23 Valid path to a p12 file. None Administration Interface Example hss.tls.p12path=/opt/sequoia/test/hssserver.p12 hss.tls.p12password, hss.tls.truststorepath. HSS Configuration Guide. hss.tls.truststorepath Path to the certificate of the CA that issued the HSS authentication certificate. Note: : only set this property if you want to use the Transport Layer Security (TLS) protocol to communicate with the HSS. Valid path. None. Administration Interface. Example <truststorepath>/opt/sequoia/test/myca.cer</truststorepath>

24 Timestamping Server Configuration Guide 24 hss.tls.p12password, hss.tls.p12path. HSS Configuration Guide. server.tsp.acceptedhashalgorithms List of algorithm(s) that are accepted for hashing the documents specified in the time stamping request. List of comma separated hash algorithms. server.tsp.acceptedhashalgorithms is empty by default. In this case, no algorithm filtering is performed. Database. server.tsp.accuracy, server.tsp.enablenonceunicity, server.tsp.include.accuracyserver.tsp.noncerequired server.tsp.accuracy When server.tsp.include.accuracy is set to true, then server.tsp.accuracy specifies the accuracy (in seconds) of time stamping.

25 Timestamping Server Configuration Guide 25 Positive integer strictly greater than zero. For example, equals to 1 second and 500 milliseconds. 1 Database. server.tsp.acceptedhashalgorithms, server.tsp.enablenonceunicity, server.tsp.include.accuracy, server.tsp.noncerequired. server.tsp.enablenonceunicity Checks that the "nonce" included in the time stamping request is unique. If set to true then the Timestamping module ensures that the nonce included in the request will not be used in the next submitted requests. true / false false Database server.tsp.acceptedhashalgorithms, server.tsp.accuracy, server.tsp.include.accuracy, server.tsp.noncerequired.

26 Timestamping Server Configuration Guide 26 server.tsp.include.accuracy Indicates if the time stamping accuracy is specified in the response to the time stamping request. true / false false Database server.tsp.acceptedhashalgorithms, server.tsp.accuracy, server.tsp.enablenonceunicity, server.tsp.noncerequired. server.tsp.noncerequired Indicates whether the signature server requires a nonce to be included in the TSP request. true: any request that does not contain a nonce will be refused by the signature server with the TSP error noncerequired. false: all requests, regardless of whether they contain a nonce, will be processed by the signature server.

27 Timestamping Server Configuration Guide 27 None /opt/sequoia/jboss/server/ds-server/conf/ds-server-tsp/ds-servertsp.properties database server.tsp.acceptedhashalgorithms, server.tsp.accuracy, server.tsp.enablenonceunicity, server.tsp.include.accuracy.