Entrust SAM support in eIDAS SignServer

We are happy to announce that the eIDAS SignServer is fully integrated with the Entrust Signature Activation Module (SAM). This is another important step towards secure and convenient qualified remote signing using a solution that can act as both the Signature Creation Application and the Signing Application.

We are improving features of the eIDAS SignServer every day and with the Entrust SAM this is no different. You can start providing the remote signing service literally in a few days.

Remote signing with the SignServer

Remote signing with SCAL2 and the SignServer is made possible by integrating the SAM with the signing back-end of the remote signing solution. We call this integration the SAMCryptoToken. It is a special implementation of the SignServer CryptoToken that contains the functions and interfaces needed to communicate with the SAM and with the user's device.

What happens when a user wants to sign data within the context of the SignServer and SCAL2? The typical signature process is as follows:

  • A request to sign the data is triggered from the client
  • The Signer prepares the Data To Be Signed and asks the signing back-end to have the user confirm it
  • The user confirms the Data To Be Signed and activates the private key for the signing operation
  • The QSCD together with the SAM verifies the request and produces the signature
  • The Signer completes the operation and returns the result
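A simplified model of the flow above, added here as an illustration and not code from the SignServer or the Entrust SAM: the Signer hashes the Data To Be Signed, obtains Signature Activation Data (SAD) bound to the user, the key and that hash, and the SAM refuses to activate the key unless the SAD it receives matches the data it is asked to sign. The SAD layout, the shared HMAC key between SAD provider and SAM, and the HMAC standing in for the QSCD's private-key operation are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed key shared by the SAD provider and the mock SAM (hypothetical;
# a real SAM binds the SAD with its own credentials, not a toy HMAC).
SAD_KEY = b"demo-sad-provider-key"


@dataclass(frozen=True)
class SAD:
    user_id: str
    key_id: str
    dtbs_hash: str  # hex SHA-256 of the Data To Be Signed
    tag: str        # binds user, key and DTBS hash together


def _sad_mac(user_id, key_id, dtbs_hash):
    msg = f"{user_id}|{key_id}|{dtbs_hash}".encode()
    return hmac.new(SAD_KEY, msg, hashlib.sha256).hexdigest()


def build_sad(user_id, key_id, dtbs):
    """SAD provider: issued only after the user has confirmed this DTBS."""
    h = hashlib.sha256(dtbs).hexdigest()
    return SAD(user_id, key_id, h, _sad_mac(user_id, key_id, h))


class MockSAM:
    """Stand-in for SAM + QSCD: keys never leave, activation needs a valid SAD."""

    def __init__(self):
        self._keys = {}  # (user_id, key_id) -> per-user signing secret

    def generate_key(self, user_id, key_id):
        self._keys[(user_id, key_id)] = secrets.token_bytes(32)

    def sign(self, sad, dtbs):
        h = hashlib.sha256(dtbs).hexdigest()
        if h != sad.dtbs_hash:  # SAD issued for other data: no activation
            raise PermissionError("SAD is not bound to this DTBS")
        if not hmac.compare_digest(sad.tag, _sad_mac(sad.user_id, sad.key_id, h)):
            raise PermissionError("SAD authentication failed")
        key = self._keys.get((sad.user_id, sad.key_id))
        if key is None:
            raise PermissionError("no such signing key for this user")
        return hmac.new(key, bytes.fromhex(h), hashlib.sha256).hexdigest()

    def verify(self, user_id, key_id, dtbs, signature):
        key = self._keys[(user_id, key_id)]
        expected = hmac.new(key, hashlib.sha256(dtbs).digest(), hashlib.sha256)
        return hmac.compare_digest(signature, expected.hexdigest())


def remote_sign(sam, user_id, key_id, dtbs):
    """Signer side: prepare DTBS, obtain SAD (user confirms), request signature."""
    return sam.sign(build_sad(user_id, key_id, dtbs), dtbs)
```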

Entrust SAM Crypto Token

The SignServer acts as a Signing Service Privileged User (SSPU) and can invoke the service functions of the Entrust SAM administratively.

The implementation of the Entrust SAM Crypto Token contains all the attributes required to establish a connection with the Entrust SAM interface and start consuming the SAM services.

The following is a typical configuration of the EntrustSAMCryptoToken:

# Type of worker
WORKERGENID1.TYPE=PROCESSABLE

# Name for other workers to reference this worker
WORKERGENID1.NAME=EntrustSAMCryptoToken

# EntrustSAMCryptoToken must only be used in conjunction with EntrustSAMCryptoWorker
WORKERGENID1.IMPLEMENTATION_CLASS=company.threekey.signserver.module.entrustsam.EntrustSAMCryptoWorker
WORKERGENID1.CRYPTOTOKEN_IMPLEMENTATION_CLASS=company.threekey.signserver.module.entrustsam.EntrustSAMCryptoToken

# A name of a crypto token containing private key and user certificate. Will be used to authenticate crypto token to
# Entrust SAM.
WORKERGENID1.OTHER_SIGNERS=EntrustClientKeyStore

# Entrust SAM server url
WORKERGENID1.ENTRUST_SAM_SERVER=https://213.121.187.216:10462
WORKERGENID1.ENTRUST_TRUST_SELF_SIGNED=true
WORKERGENID1.ENTRUST_CONNECTION_POOL_SIZE=20
WORKERGENID1.SAD_PROVIDER_IMPLEMENTATION_CLASS=company.threekey.signserver.module.entrustsam.sad.RestSAMSadProvider
WORKERGENID1.SAD_PROVIDER_URL=https://entrustsam-simulator.3key.company/v1/sad/buildSad
WORKERGENID1.SAD_PROVIDER_AUTH_TYPE=BASIC
WORKERGENID1.SAD_PROVIDER_USERNAME=******
WORKERGENID1.SAD_PROVIDER_PASSWORD=******

Get more detailed information about the Entrust SAM integration with the eIDAS SignServer and all attributes you can configure to start providing the remote signing service.

About Entrust SAM

The Entrust Signature Activation Module (SAM) is used to deploy a server-side endpoint that server signing applications use to get data (a document hash) signed. The SAM receives the signer authentication data, the signer's signing key and the data to be signed through a Signature Activation Protocol (SAP). It interacts with the Entrust nShield® Connect XC CC eIDAS (called the cryptographic module or CM) to return the data encrypted with the signing key.

The design of the Entrust SAM is based on the Trustworthy Systems Supporting Server Signing (TW4S) architecture described in the CEN EN 419 241 standards. It implements the CEN EN 419 241-2 standard to be integrated with the Server Signing Application (SSA) as described in CEN EN 419 241-1.

About Entrust

Entrust keeps the world moving safely by enabling trusted identities, payments and data protection around the globe. Today more than ever, people demand seamless, secure experiences, whether they’re crossing borders, making a purchase, or accessing corporate networks. With our unmatched breadth of digital security and credential issuance solutions, it’s no wonder the world’s most entrusted organizations trust us.

Need help?

Do not hesitate to get in touch with us!
