Dynamic Configuration Signer for Entrust SAM

We believe that complex solutions can be implemented conveniently and without spending your entire budget. This is also the case of the qualified remote signing or sealing compliant with the eIDAS regulation and ETSI standards.

We are enhancing the eIDAS SignServer solution with the Dynamic Configuration Signer, which can sign and, optionally, apply a new dynamic configuration for the Entrust SAM.

With this update, the eIDAS SignServer becomes more configuration friendly and has the out-of-the-box integration needed to run the Signature Activation Modules without spending more operational capacity, while staying fully compliant.

Dynamic Configuration Signer

The Dynamic Configuration Signer is a special implementation of the Signer that can be used to sign and apply dynamic configuration for the Entrust SAM.

The Dynamic Configuration Signer has the following modes of operation:

  • sign only, in which case the signer will only sign the configuration using the Operation Privileged User private key and return the JWS
  • sign and apply, in which case the signer will sign the configuration using the Operation Privileged User private key and apply the configuration to the Entrust SAM. The Signer will return the JWS of the current configuration.

The dynamic configuration is the part of the SAM's public configuration that is subject to occasional change. It can be hot swapped, i.e., changed while the SAM is running; the SAM does not need to be stopped.
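To make concrete what "sign the configuration and return the JWS" means for an operator who wants to check the output before it is applied, here is an added example that is not code from the page or from the SignServer project. It builds a compact JWS (RFC 7515) over a configuration JSON document and then verifies it, using only the JDK. Assumptions: the RS256 algorithm, an RSA key pair generated in memory as a stand-in for the Operation Privileged User key held in the PKCS#11 crypto token, and a constructed sample configuration document; the real SAM configuration schema and the header parameters the Signer emits are not shown on the page.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

public class DynamicConfigJwsExample {

    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64URL_DEC = Base64.getUrlDecoder();

    /** Builds a compact JWS (header.payload.signature) over the configuration JSON using RS256. */
    static String signConfiguration(String configJson, PrivateKey opuKey) throws Exception {
        String header = "{\"alg\":\"RS256\",\"typ\":\"JOSE\"}";
        String signingInput = b64(header) + "." + b64(configJson);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(opuKey);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64URL.encodeToString(sig.sign());
    }

    /** Verifies the JWS against the OPU public key and returns the payload, or null if invalid. */
    static String verifyAndExtract(String jws, PublicKey opuPublicKey) throws Exception {
        String[] parts = jws.split("\\.", -1);
        if (parts.length != 3) return null;
        String header = new String(B64URL_DEC.decode(parts[0]), StandardCharsets.UTF_8);
        // Pin the expected algorithm so a token with a different "alg" is rejected
        // (simple substring check; a production verifier would parse the header JSON).
        if (!header.contains("\"alg\":\"RS256\"")) return null;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(opuPublicKey);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(B64URL_DEC.decode(parts[2]))) return null;
        return new String(B64URL_DEC.decode(parts[1]), StandardCharsets.UTF_8);
    }

    private static String b64(String s) {
        return B64URL.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for the OPU key in the PKCS#11 token (generated here only for the example)
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair opu = kpg.generateKeyPair();

        // Constructed sample dynamic configuration; field names are illustrative only
        String config = "{\"configVersion\":42,\"sessionTimeoutSeconds\":300}";

        String jws = signConfiguration(config, opu.getPrivate());
        System.out.println("JWS: " + jws);
        System.out.println("Verified payload: " + verifyAndExtract(jws, opu.getPublic()));

        // Alter one value in the payload while keeping the original signature: must be rejected
        String[] p = jws.split("\\.", -1);
        String tampered = p[0] + "." + b64(config.replace("300", "3000")) + "." + p[2];
        System.out.println("Tampered JWS accepted? "
                + (verifyAndExtract(tampered, opu.getPublic()) != null));
    }
}
```

The point of the verification step is that whoever applies the configuration (the SAM in "sign and apply" mode, or an operator reviewing the JWS from "sign only" mode) checks the signature against the Operation Privileged User's certificate and pins the algorithm before trusting the payload; the tampering check shows why the payload must be taken from the verified JWS rather than from the request that produced it.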

Sample configuration

Configuring the SignServer worker is straightforward; the sample configuration below can be used as a blueprint for the Dynamic Configuration Signer:

# Type of worker
WORKERGENID1.TYPE=PROCESSABLE

# Name for other workers to reference this worker
WORKERGENID1.NAME=EntrustDynamicConfigSigner

# Implementation class and Crypto Token reference
WORKERGENID1.IMPLEMENTATION_CLASS=company.threekey.signserver.module.entrustsam.signer.DynamicConfigSigner
WORKERGENID1.CRYPTOTOKEN=PKCS11CryptoToken
# The private key of the Configuration Privileged User
WORKERGENID1.DEFAULTKEY=cpu1

# Name of a crypto token containing the private key and user certificate used to authenticate to the Entrust SAM
WORKERGENID1.OTHER_SIGNERS=EntrustClientKeyStore
# The private key of the Operation Privileged User
WORKERGENID1.ENTRUST_CLIENT_AUTHENTICATION_KEY_ALIAS=opu1

# Entrust SAM server
WORKERGENID1.ENTRUST_SAM_SERVER=https://213.121.187.216:10462
WORKERGENID1.ENTRUST_TRUST_SELF_SIGNED=true
WORKERGENID1.ENTRUST_CONNECTION_POOL_SIZE=20

eIDAS package for the SignServer

The eIDAS package for the SignServer is a set of modules and implementations that enables eIDAS compliant remote signing at the advanced or qualified assurance level. It is an everything-you-need package that is developed further over time to support additional technologies and use cases.

The SignServer comes with a number of out-of-the-box modules and functionality. The eIDAS package builds on top of the SignServer in order to provide additional functionality, such as:

  • SAML 2.0 Authorizer
  • Extended JWS Authorizer
  • AdES Signature Formats
  • AdES Signature Validation
  • QSCD Integration
  • SAM Integration
  • AWS KMS CryptoToken Support
  • Windows KSP Module
  • Dashboarding, Monitoring, Reporting
  • Marketplace

Need help?

Do not hesitate to get in touch with us!
