We are happy to announce that the eIDAS SignServer is fully integrated with the Entrust Signature Activation Module (SAM). This is another important step to achieve secure and convenient qualified remote signing using the solution that can act both as Signature Creation and Signing Application.
We are improving features of the eIDAS SignServer every day and with the Entrust SAM this is no different. You can start providing the remote signing service literally in a few days.
Remote signing with the SignServer
Remote signing using with the SCAL2 and the SignServer is possible by integrating the SAM and the signing back-end of the remote signing solution. We call it SAMCryptoToken. It is a special implementation of the of the CryptoToken for the SignServer, which contains necessary functions and interfaces to communicate with the SAM and the user’s device.
What is happening when user would like to sign the data within the context of the SignServer and SCAL2? The typical signature process is as follows:
- Request to sign the data is triggered from the client
- Signer prepares the Data To Be Signed and asks the signing back-end to confirm by the user
- User confirms the Data To Be Signed and activates the private key for the signing operation
- QSCD + SAM verifies the request and produces the signature
- Signer completes the operation and provides the result
Entrust SAM Crypto Token
The SignServer acts as a Signing Service Privileged User (SSPU) and can invoke service function of the Entrust SAM administratively.
The implementation of Entrust SAM Crypto Token contains all required attributes to establish connection with the Entrust SAM interface and start consuming the SAM services.
Following is a typical configuration of the EntrustSAMCryptoToken:
# Type of worker WORKERGENID1.TYPE=PROCESSABLE # Name for other workers to reference this worker WORKERGENID1.NAME=EntrustSAMCryptoToken # EntrustSAMCryptoToken must only be used in conjunction with EntrustSAMCryptoWorker WORKERGENID1.IMPLEMENTATION_CLASS=company.threekey.signserver.module.entrustsam.EntrustSAMCryptoWorker WORKERGENID1.CRYPTOTOKEN_IMPLEMENTATION_CLASS=company.threekey.signserver.module.entrustsam.EntrustSAMCryptoToken # A name of a crypto token containing private key and user certificate. Will be used to authenticate crypto token to # Entrust SAM. WORKERGENID1.OTHER_SIGNERS=EntrustClientKeyStore # Entrust SAM server url WORKERGENID1.ENTRUST_SAM_SERVER=https://220.127.116.11:10462 WORKERGENID1.ENTRUST_TRUST_SELF_SIGNED=true WORKERGENID1.ENTRUST_CONNECTION_POOL_SIZE=20 WORKERGENID1.SAD_PROVIDER_IMPLEMENTATION_CLASS=company.threekey.signserver.module.entrustsam.sad.RestSAMSadProvider WORKERGENID1.SAD_PROVIDER_URL=https://entrustsam-simulator.3key.company/v1/sad/buildSad WORKERGENID1.SAD_PROVIDER_AUTH_TYPE=BASIC WORKERGENID1.SAD_PROVIDER_USERNAME=****** WORKERGENID1.SAD_PROVIDER_PASSWORD=******
About Entrust SAM
The Entrust Signature Activation Module (SAM) is used to deploy a server-side endpoint that will be used by the server signing applications to get data signed (a document hash). The SAM receives the signer authentication data, the signer’s signing key, and the data to be signed through a Signature Activation Protocol (SAP). It interacts with the Entrust nShield® Connect XC CC eIDAS (called cryptographic module or CM) to return the encrypted data with the signing key.
The design of the Entrust SAM is based on the Trustworthy Systems Supporting Server Signing (TW4S) architecture described in the CEN EN 419 241 standards. It implements the CEN EN 419 241-2 standard to be integrated with the Server Signing Application (SSA) as described in CEN EN 419 241-1.
Entrust keeps the world moving safely by enabling trusted identities, payments and data protection around the globe. Today more than ever, people demand seamless, secure experiences, whether they’re crossing borders, making a purchase, or accessing corporate networks. With our unmatched breadth of digital security and credential issuance solutions, it’s no wonder the world’s most entrusted organizations trust us.