SIGNIUS SEAL

SIGNIUS SEAL CLIENT

Introduction

The purpose of this guide is to provide a comprehensive understanding of the functionality and management processes of SIGNIUS Seal Client, which will enable effective and safe use of the product in your daily work. By detailing the user interface, configuration, and best practices, this guide is an essential resource for anyone who wants to fully leverage the potential of SIGNIUS Seal Client in their organization.

Scope

The 'Administrator's Guide' documentation is a comprehensive source of knowledge on procedures related to Administrator activities (SIGNIUS Seal Client Configuration) of the SIGNIUS Seal Client product. This guide describes in detail the installation, configuration and comprehensive system management processes. Particular attention was paid to adapting the settings to the user's individual needs, which allows for optimization of work with SIGNIUS Seal.

In addition, the documentation contains practical examples of process configurations that have been specially developed for various electronic seal use scenarios.

Architecture


The system, presented in the diagram, consists of two main domains: the Client Domain and the SIGNIUS Domain. The diagram illustrates the process by which a customer uses a business application to generate a digital seal using services provided by SIGNIUS.

Client Domain

Components:

  • Driving/Business Application - a business application used by the client to initiate the process of sealing documents.

  • SIGNIUS Seal Client - a client of the SIGNIUS system responsible for communication with the SIGNIUS server and processing data necessary for sealing documents.

  • Network folder - a network folder where documents to be sealed are stored.

Flow:

  • The client's business application transmits data to the SIGNIUS Seal Client. SIGNIUS Seal Client generates a document hash (DocHash), which is sent to the SIGNIUS server via REST API secured with the HTTPS protocol.

SIGNIUS domain

Components:

  • GlobalSign API Server - GlobalSign's API server that receives the document hash and initiates the sealing process.

  • Remote QTSP (Qualified Trust Service Provider) - a remote trust service provider that provides a qualified timestamp and validation.

  • QSCD (Qualified Signature Creation Device) - a qualified signature creation device that ensures process security.

Process:

  • GlobalSign API Server receives the document hash via the REST API and forwards it to the remote QTSP. QTSP generates a qualified timestamp which is then used to validate the seal on the document. QSCD provides a qualified seal, completing the process.

Security and communication

Communication between the client and the SIGNIUS server and between the SIGNIUS server and the remote QTSP is secured using HTTPS, which ensures the confidentiality and integrity of transmitted data. The use of the HTTPS protocol and trusted components such as QTSP and QSCD guarantees a high level of security in the process of document verification and sealing.

The system is a comprehensive solution for generating and verifying digital seals, integrating the client's business applications with advanced cryptographic services provided by SIGNIUS and external partners such as GlobalSign.

System requirements

Operating system

  • Windows Server 2012 or newer

  • CentOS 7 or newer

  • Debian 9 or newer

  • Fedora 32 or newer

  • Red Hat Enterprise Linux 7

  • SUSE Enterprise Linux (SLES) 12 SP2 or newer

Database

  • MS-SQL, Oracle, PostgreSQL, DB2

Host

  • 4 GB RAM

  • 3 GHz 4 Core CPU

  • 5 GB HDD

Performance

Although the SIGNIUS SEAL server performance is super-fast, the overall results might depend on other factors:

  • Network latency

  • File size

  • QSCD Performance

  • RSA/ECC key length

Software

  • .NET runtime version 6.0.26 or another 6.x series

  • ASP.NET 6.0.0 Core - Shared Framework or other 6.x series

  • Microsoft Windows Desktop Runtime – 6.0.26 or other 6.x series

SIGNIUS Seal Client installation

Preparing the Environment

Make sure the required versions of .NET are installed on your computer:

  • .NET runtime version 6.0.26 or another 6.x series

  • ASP.NET 6.0.0 Core - Shared Framework or other 6.x series

  • Microsoft Windows Desktop Runtime – 6.0.26 or other 6.x series

SIGNIUS Seal Client installation

  • Download the SIGNIUS Seal Client installer from the official website or using the link provided by the manufacturer.

  • Run the downloaded installer and follow the steps displayed. Ensure that all required components are installed and configured according to the instructions.

License activation

  • After installation is complete, open the SIGNIUS Seal Configuration application.

  • Then go to the "License" tab.

  • In the "License" tab, find and copy the Hardware ID using the option available by left-clicking the mouse.

License generation

  • Go to the "License" tab in the SIGNIUS Seal Configuration application and send the copied Hardware ID to the software supplier (Vendor) to generate a license.

  • Once you have received your license, please follow the provider's instructions to activate SIGNIUS Seal Client.

License installation

  • After receiving the license file, return to the SIGNIUS Seal Configuration application.

  • In the "License" tab, paste the received license and save the changes.

appsettings.json configuration

After successful installation of the SIGNIUS Seal Client application, an important step is to properly set the application operating parameters in the appsettings.json configuration file. This file contains all necessary information regarding connections, communication protocols and details about certificates and API keys. Below is detailed information about the configuration of this file and tips that will allow for a smooth transition from the installation process to launching and using the application.

The appsettings.json file contains key configurations for the SIGNIUS Seal Client application, including settings for ports and protocols used to communicate with external services.

appsettings.json structure

The configuration file consists of various sections that describe both local and remote processes, as well as logging and debugging details.

  • localRest: Enables REST API support on the local server.

  • localHost: The localhost address, usually 127.0.0.1.

  • localPort: The port on which the local REST API server listens, default is 8089. This is the port to use when querying from external tools and application servers.

  • localUseHttps: Specifies whether the connection to the local server should use HTTPS.

  • localCertificate and localCertificatePassword: Path and password for the certificate (P12/PFX) used for the HTTPS connection.

Logging and Debug Settings

  • FullDebug: Enables full logging for debugging purposes.

  • Serilog: Serilog logging configuration, including logging levels and targets to which logs are written.

Notes

  1. The localPort settings should match your firewall configuration and port forwarding to enable proper communication.

  2. Changes to the appsettings.json file require an application restart for the new configuration to take effect.

  3. If you have problems with installation, please contact technical support.

  4. Carefully follow the Vendor's instructions for activating and configuring your license.
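As a review aid for the settings listed above, the following added example (not SIGNIUS code) checks an appsettings.json for combinations that weaken the local REST API. The key names come from this guide; the value types, the sample file, the recursive key lookup and the finding names are assumptions of this example.

```python
import ipaddress
import json

# Constructed sample input; a real file may nest these keys in sections.
SAMPLE = """{
  "localRest": true, "localHost": "0.0.0.0", "localPort": 8089,
  "localUseHttps": false, "localCertificate": "",
  "localCertificatePassword": "", "FullDebug": true
}"""

def find_key(node, name):
    """Return the first value stored under `name` at any nesting depth."""
    if isinstance(node, dict):
        if name in node:
            return node[name]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found = find_key(child, name)
            if found is not None:
                return found
    return None

def truthy(value):
    """Accept JSON booleans as well as "true"/"1" strings (assumed types)."""
    return str(value).strip().lower() in ("true", "1", "yes")

def is_loopback(host):
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit(config_text):
    """Return finding identifiers (the names are this example's own)."""
    cfg = json.loads(config_text)
    findings = []
    if truthy(find_key(cfg, "localRest")):
        https = truthy(find_key(cfg, "localUseHttps"))
        host = str(find_key(cfg, "localHost") or "")
        if not https and not is_loopback(host):
            findings.append("cleartext-rest-beyond-loopback")
        if https and not find_key(cfg, "localCertificate"):
            findings.append("https-without-certificate")
    if find_key(cfg, "localCertificatePassword"):
        findings.append("certificate-password-in-file")
    if truthy(find_key(cfg, "FullDebug")):
        findings.append("full-debug-enabled")
    return findings
```

A "certificate-password-in-file" finding means read access to appsettings.json should be limited to the service account and administrators.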

Configuring the SIGNIUS Seal Client Connection

This documentation describes the process of configuring a connection to the SIGNIUS Seal Client digital signing service. Depending on the software version, the user can choose between many service providers. Below are the detailed configuration steps for the GlobalSign provider.

Go to the "Connection settings" tab

After pasting the license, the user goes to the Connection settings tab to enter the necessary information to connect to the selected digital signature service provider.

Choosing a service provider

From the Provider Type drop-down list, the user selects the provider.

Enter the supplier's URL

In the Provider URL field, the user enters the URL address that will be used for communication and sending queries to the provider.

Entering the API key and API secret

In the following fields, the user enters the API key (API-Key) and API secret, which are required for authentication and communication with the service.

Loading the client certificate

The user must also specify the path to the client certificate file with the extension .pfx in the Client certificate filename field and enter the certificate password in the Client certificate password field, if required.

Establishing a connection

After entering all the required information, the user finalizes the process by clicking the "Connect" button.

Example configuration:

After completing the above steps, the user will be configured to connect to the selected digital signature service provider. This is necessary to use the signing functions offered by SIGNIUS Seal Client within the application.

Configuration of the REST-based XAdES process

This documentation is intended to describe the configuration of the digital signature process using the SIGNIUS Seal Client application. Below is an example of process configuration for a REST-based XAdES signature.

Creation of a New Process

After connecting to the service, the user is automatically transferred to the Processes tab. To create a new process, click the green plus button.

Assigning a Process Name

In the process name field, enter XAdES, which identifies the process for signing .XML files.

Choosing a Communication Method

From the drop-down list in the form API field, we select REST, which means that communication with the signature service will take place via REST API.

Selecting the Signature Format

In the Signature format section, we select XAdES_BES from the drop-down menu, which is the signature format intended for .XML files.

Signature Detached selection

The signature is not built directly into the document, but is stored separately.

Saving the Process

After entering all the data, the process is saved using the floppy disk-shaped button.

Starting the Process

Go to the "Service Status" tab and run the service, which will allow you to sign documents.

Below is an example configuration for the XAdES process with the above data:

Configuration of the PAdES process based on FILESYSTEM

This documentation is intended to describe the configuration of the digital signature process using the SIGNIUS Seal Client application. Below is an example of process configuration for the PAdES signature based on FILESYSTEM (file system).

Creating a new process

Similarly to the XAdES configuration, we start from the Processes tab and create a new process by clicking the green plus button.

Assigning a Process Name

In the process name field, enter XAdES, which identifies the process for signing .PDF files.

Choosing a Communication Method

From the drop-down list in the form API field, select FILESYSTEM, which means that communication with the signature service will take place through the local file system (exchange directory).

Selecting the Signature Format

In the Signature format section, we select PAdES_BES from the drop-down menu, which is the signature format intended for .PDF files.

Specifying the Location for the Share Folder

We create a directory C:/tmp/PAdES on the system drive, which will serve as a shared folder for the signing process. Any location can be used; this folder was created as an example.

Saving the Process

The process is saved using a diskette-shaped button.

Starting the Process

Go to the "Service Status" tab and start the process.

Below is an example configuration for the PAdES process with the above data:

Testing the PAdES Process

Launching the Service

After starting the service, we go to the previously defined location, e.g. C:\tmp\PAdES.

Preparation of the Document

Select the document with the .pdf extension to sign.

Using Signature Folders

The .pdf document is placed in the "in" folder. After a short time, the document disappears from the "in" folder and appears signed in the "out" folder. In case of errors during the signing process, the document will appear in the "err" folder.
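The folder test above can be scripted so that each submission ends with an explicit result. This added example (not part of the product) places a PDF in "in", waits for it to appear in "out" or "err", and compares SHA-256 digests; it assumes the result keeps the input file name, and the function and status names are its own.

```python
import hashlib
import time
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def submit_and_wait(exchange_dir, pdf_path, timeout=30.0, poll=0.5):
    """Place a PDF in in/ and report where the service moved it.

    Returns (status, digest_before, digest_after); status is "sealed",
    "unchanged", "error" or "timeout".
    Assumption: the result file keeps the input file name.
    """
    root, src = Path(exchange_dir), Path(pdf_path)
    results = {"out": root / "out" / src.name, "err": root / "err" / src.name}
    # A leftover file with the same name would be mistaken for the result.
    for stale in results.values():
        if stale.exists():
            raise FileExistsError(f"stale result present: {stale}")
    before = sha256(src)
    # Stage next to in/ and rename, so the service never reads a partial copy.
    staging = root / (src.name + ".staging")
    staging.write_bytes(src.read_bytes())
    staging.replace(root / "in" / src.name)

    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if results["err"].exists():
            return "error", before, None
        if results["out"].exists():
            size = results["out"].stat().st_size
            time.sleep(poll)  # let the service finish writing
            if size == results["out"].stat().st_size:
                after = sha256(results["out"])
                # An embedded PAdES seal always changes the file bytes.
                status = "sealed" if after != before else "unchanged"
                return status, before, after
        else:
            time.sleep(poll)
    return "timeout", before, None
```

A "sealed" status only shows that the file changed on its way to "out"; validating the seal itself still requires a PAdES-aware validator.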
