SealSign DSS installation and configuration

[email protected]

elevenpaths.com

ElevenPaths, radical and disruptive innovation in security solutions

SealSign DSS (Digital Signature Services)

Installation and Configuration guide

SealSign DSS (Digital Signature Services) Installation and Configuration guide

V.3.2 – October 2016

2016 © Telefónica Digital España, S.L.U. All rights reserved.. of 23

Table of content

1 Introduction ................................................................................................................ 3

2 SealSign DSS installation requirements ........................................................................ 5

2.1 Application Server Role ............................................................................................................ 5

2.2 Web Server Role (IIS) ................................................................................................................ 6

3 Pre-configuring the Environment ................................................................................. 8

3.1 Configuring the IIS 7 or IIS 7.5 Application Pool ....................................................................... 8

3.2 Creating the database .............................................................................................................. 9

3.2.1 SQL Server .................................................................................................................................. 9

3.2.2 Oracle ....................................................................................................................................... 11

4 Installing SealSign DSS modules.................................................................................. 12

4.1 DSS Service Module (Electronic Signature) ............................................................................ 12

4.1.1 Installing the DSS Service Module ............................................................................................ 12

4.1.2 Configuring the DSS Service Module ........................................................................................ 13

4.2 DSS Web Module (administration and configuration) ........................................................... 15

4.2.1 Installing the DSS Web Module ................................................................................................ 15

4.2.2 Configuring the DSS Web Module ............................................................................................ 16

4.3 DSS TSA Module...................................................................................................................... 17

4.3.1 Installing the TSA DSS Module .................................................................................................. 17

4.3.2 Configuring the DSS TSA Module.............................................................................................. 18

5 Installation troubleshooting ....................................................................................... 19

5.1 Error 80070005 ....................................................................................................................... 19

5.2 Error 80040154 ....................................................................................................................... 20

6 Index of images .......................................................................................................... 21

7 Resources .................................................................................................................. 22




1 Introduction

SealSign DSS (Digital Signature Services) is a product designed to facilitate the integration of the electronic signature with corporate applications. The product consists of a series of modules whose installation systems are based on MSI 3.0 technology. These modules are independent of each other but interrelated.

Installing one or more modules will depend on your needs; the DSS Service module is the only one whose installation is mandatory, since it is the tool used by all other modules.

Figure 01: SealSign modules.

If you choose to install several of them, the installation order is unimportant, since there are no dependencies of any kind between them. However, it is easier to first install the DSS Service module, since the other modules have to refer to it during their setup. You can uninstall each of them from the Microsoft Windows Control Panel as just another program.

The following is an overview of the features of each module.

SDK Module: This module includes all components required for clients to use the server platform and to integrate the rest of the modules on third-party applications.

DSS Web Module (administration and configuration): This module is the configuration and administration web tool of the SealSign DSS solution and it is used to manage all other modules (except for the Revoke module). Therefore, its installation is essential if you wish to install any other module.

CKC Module (Central Key Control): This module is a tool to centrally control the use of digital certificates in an organization. It also adds an extra layer of authentication when using the certificate private keys.




DSS Frontend Module: This module incorporates interfaces to access the signature functionality distributed by the SOAP 1.1 specification (BasicHttpBinding). This module is maintained in pursuit of compatibility with earlier versions.

DSR Module (eArchive): The purpose of this module is to ease the integration of a secure document storage system. It has multiple objectives and functionalities, but always focusing on the protection of documents and ensuring their veracity.

DSS Service Module (electronic signature): This module incorporates the electronic signature engine and SOA (Service Oriented Architecture) interfaces of the web service required to access its functionality. Installation is mandatory.

Revoke Module: This module is the certificate validation authority. It centralizes certificate validations, is completely independent of the others and also has its own management console.

DSS TSA Module (time stamp issuance): This module incorporates the time stamp authority and should only be installed if time stamps are going to be issued. The TSA module uses the DSS Service module for its configuration and the DSS Web module for its administration.

Due to the nature of the product, its installation is possible only in Microsoft Windows operating systems, and before installing it you must carry out some basic preliminary steps that cannot be ignored.

In this guide you will find these preliminary steps and the actual installation guide of the DSS modules, as well as their configuration. Installation and configuration of the SealSign modules that are not DSS (CKC, DSR and Revoke) are addressed in other guides.

Texts as well as images used in this guide are based on a Microsoft Windows 2012 operating system, although any system administrator can install the product on other versions.




2 SealSign DSS installation requirements

SealSign DSS is a server solution that publishes its functionality through an SOA interface. Said solution is designed for corporate environments which must satisfy the following requirements:

Microsoft Windows operating system. Although in specific scenarios, SealSign DSS can be installed on client operating systems, we recommend installing the product on one of the following operating systems, in either the 32 or 64-bit versions: WS 2003 SP1, WS 2003 R2, WS 2008, WS 2008 R2, WS 2012 or WS 2012 R2.

.NET Framework 3.5 SP1.

IIS 6 or higher. If the installation is based on version 7.0 you need to install compatibility with IIS 6.0. The necessary provider must be installed depending on the type of authentication required to access the services.

Database manager (SQL Server or Oracle): SealSign DSS's configuration, auditing, cache, etc. data is stored in the database. SealSign DSS configuration data, audit, cache, etc. are stored in a database. Although free versions of these databases can be used in certain scenarios, the use of full versions of SQL Server (SQL Server 2005, SQL Server 2008, SQL Server 2008 R2, SQL Server 2012 or SQL Server 2012 R2) or Oracle 11g R2 is recommended.

SealSign DSS architecture is based on the application services of the Microsoft platform, so the addition of the application server role and the web server role (IIS) through the server management tool is required. The following sections elaborate on which options must be configured on these servers.

2.1 Application Server Role

In this role you need to add the .NET Framework 3.5 functionality and check the HTTP Activation option in it. For this, you must click on the Features menu.

Figure 02: Activation of the HTTP Activation option in the Features menu.




In this same window, you need to check the Web Server (IIS) Support option in the Role Services menu.

Figure 03: Activation of the Web Server (IIS) Support option in the Role Services menu.

Once you have done this, the application server role will be configured.

2.2 Web Server Role (IIS)

In this role, and due to Microsoft Windows installation service requirements, you need to check the IIS 6 Metabase Compatibility option in the Role Services menu.

Figure 04: Activation of the IIS 6 Metabase Compatibility option in the Role Services menu.

In this same Role Services menu you must click on the Security option to activate the authentication systems necessary for its use. Activation of the Windows Authentication option is required, and activation of the rest of the options is optional (although recommended).




Figure 05: Activation of security systems.

After installing these configurations, the web server should look like the following figure. Now it is ready and optimized for the installation of the DSS product.

Figure 06: Final appearance after configuring the server role.




3 Pre-configuring the Environment

Once you have installed the items listed in the previous section, you need to configure them. To install the final product, you need to conduct the following steps correctly.

3.1 Configuring the IIS 7 or IIS 7.5 Application Pool

This article shows the necessary steps to create a website with IIS 7 in case you do not have one available, or you want to create a new one specifically for SealSign DSS.

You can create a new Application Pool specifically for the product, but you can also use an existing one as long as it has the settings that are displayed in this section.

From the IIS 7.0 version, the default Application Pools are run with virtual accounts and it is recommended to keep this configuration, unless it is strictly necessary to use an existing account. Using virtual accounts is a security mechanism as these accounts have limited permissions. In this case, the virtual account that will be used is the default one: ApplicationPoolIdentity.

IIS Application Pools are created from the IIS management console, the IIS Manager, specifically from the context menu of the Application Pool section. The name of the Application Pool is unimportant (in this case, SealSignAppPool), but it should be run with the .NET v.2.0.50727 version. It is also recommended to choose the Integrated integration mode (see figure below).

Figure 07: Creating a new Application Pool.

Once you have an Application Pool, you need to configure it and modify certain values; this requires access to the Application Pool advanced options through the context menu:

https://technet.microsoft.com/en-us/library/cc772350%28v=ws.10%29.aspx




In the Identity option you will establish the account that will be used to run the Application Pool. The virtual account is called ApplicationPoolIdentity and it is the recommended option although, as mentioned, it is possible to choose another one available.

You must necessarily set the True value for the Load User Profile option. This is because the DSS product performs operations that, given the very nature of Microsoft Windows, are stored in a certificate store in the Microsoft Windows registry. To access this certificate store, the Application Pool should be able to load the user profile.

Figure 08: Advanced options of the created Application Pool.

3.2 Creating the database

As previously noted, the use of a database is required to store information required by the product. This section elaborates on the required configurations for the SQL Server and Oracle databases.

3.2.1 SQL Server When using SQL Server you must create a new database for SealSign DSS. The name of the database is unimportant (in this case, SealSignDSS), and later it will be used in connection strings. After creating the database you must perform the following actions:

Running the table creation script. An sql file for SQL Server is included in the product installation package. You must execute this file on the created database and all the elements needed by the product to properly function will be generated in it.




Figure 09: Running the sql file on the created database.

Configuring access permissions to the database. If you use integrated security to access the database, you must grant writing (datawriter) and reading (datareader) permissions to the user login that will run the IIS Application Pool containing the applications. The following Microsoft guide elaborates how to perform this configuration. If you do not use integrated security, you must also have a user with said permissions.

As mentioned above, the use of a virtual account to run the IIS Application Pool (in this case, ApplicationPoolIdentity) is recommended, and therefore, the use of this same account to access the database is also recommended. According to the nomenclature used internally by Microsoft, this account is called IIS APPPOOL. Hence the name of the login, IIS APPPOOL\Application Pool Name.

http://msdn.microsoft.com/en-us/library/ff647396.aspx

http://msdn.microsoft.com/en-us/library/ff647396.aspx




Figure 10: Configuring the Login name.

3.2.2 Oracle When using Oracle, you must create a new tablespace for SealSign DSS (as with SQL Server, the name of the tablespace is unimportant). You also need an account with reading and writing permissions on the tablespace tables.

After creating the tablespace, you must conduct the following actions:

Installing the Oracle Data Access Components (ODAC) component for Microsoft Windows, including the Oracle Data Provider for .NET 2 module.

Granting running permissions on the dbms_crypto Oracle cryptography package for the tablespace user.

Running the table creation script. An sql file for Oracle is included in the installation package of the product. This file must be run on the created tablespace, and all the elements required by the product for its proper operation will be generated in it.

When these configurations are completed, the system will be ready to install the necessary SealSign DSS modules.

http://www.oracle.com/technetwork/topics/dotnet/downloads/index.html




4 Installing SealSign DSS modules

4.1 DSS Service Module (Electronic Signature)

As already mentioned, this module installs a set of web services. These will rely on both the IIS and the database to perform their task. That is why it must be configured after its installation in order to use these services.

4.1.1 Installing the DSS Service Module The module is installed with the help of a wizard, as is the case with many Microsoft Windows programs.

During installation, you must choose from the list of available websites the one in which you wish to install the digital signature service SealSign DSS, the virtual directory name and the application Application Pool that was configured in the IIS (in this case, SealSignAppPool).

Figure 11: Configuration during the DSS Service module installation.

After the installation, it has been added as just another program to the program list in the Control Panel, and it will be displayed in the IIS as a web application.




Figure 12: module already integrated as a web application in IIS.

4.1.2 Configuring the DSS Service Module Once the module is installed, you need to configure it to use correctly both the database and the IIS.

4.1.2.1 Configuring the connection to the database This configuration is performed in the connectionStrings.config configuration file. You can find this file in the SealSignDSSService directory of the website where the product was installed. This file includes the connection string to the database created earlier in SQL Server (SealSignDSS):

<connectionStrings>

<add name="SealSignDSSConnectionString"

connectionString="Data Source=localhost;

Initial Catalog=SealSignDSS;

Trusted_Connection=Yes;

persist security info=False;

TrustServerCertificate=True" />

</connectionStrings>

If the database used is SQL Server, you just need to modify the above shown parameters to adapt them to the settings previously configured in the database. You can get information on creating connection strings in SQL Server on this website.

If the database is Oracle, you need to modify the following parameters:

http://msdn.microsoft.com/en-us/library/ms254500.aspx




You have to change the value of the FactoryProvider key and set it to System.Data.OracleClient in the web.config file, located in the same directory where the connectionStrings.config file is.

You also have to configure the connection string to access Oracle in the connectionStrings tag. You can get information on creating connection strings in Oracle on this website.

You have to change the connectionString attribute in the add tag, and set it with the following format: Data Source=(DESCRIPTION=(ADDRESS=(PROTOCOL=XXX)(HOST=XXX)(PORT=XXX))

(CONNECT_DATA=(SID=XXX)));User Id=identificadorUsuario;Password=Contraseña;

A connection example could be as follows:

web.config file: ...

<appSettings>

<add key="FactoryProvider" value="System.Data.OracleClient" />

...

</appSettings>

...

connectionStrings.config file: <connectionStrings>


connectionString="Data Source=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)

(HOST=172.54.110.112)(PORT=1521))(CONNECT_DATA=(SID=orcl)));

User Id=SealSignDSS; Password=1234546;” />


4.1.2.2 Configuring the IIS Module When accessing the web service, you need to have the permissions required. Both the web application and the server require Windows integrated security (Windows Authentication) to function properly. This means that to enable this type of authentication is mandatory. Anonymous authentication (Anonymous Authentication) is enabled by default and should not be disabled, it needs to stay enabled. To enable basic authentication (Basic Authentication), on the other hand, is optional (but recommended depending on the scenario). Thanks to this, users with technologies other than those of Microsoft Windows (iOS, Android, Java, Linux, etc.) can use this web service and therefore use the product.

Figure 13: Configuring the DSS Service module permissions in IIS.

If you enable basic authentication, the use of SSL is highly recommended.

http://docs.oracle.com/html/E10927_01/featConnecting.htm#i1006259




4.2 DSS Web Module (administration and configuration)

As previously noted, this module installs an administration tool with web application format that is used by all other modules, so its installation is mandatory. This module relies on IIS to perform its task, so after installing it, you must configure it to use that service.

Once the installation and configuration are completed, you should grant permission to a user on the system to administer SealSign. The fact that you can carry out the installation and configuration processes does not imply that you will have access to the web administration.

4.2.1 Installing the DSS Web Module The module is installed with the help of a wizard, as is the case with many Microsoft Windows programs. The process is the same as the previously conducted when installing the DSS Service module.

During installation, you must choose from the list of available websites the one in which you wish to install the administration web service, the virtual directory and the application Application Pool that was configured in the IIS (in this case, SealSignAppPool).

Figure 14: Configuration during the DSS Web module installation.

After the installation, it has been added as just another program to the program list in the Control Panel, and on the IIS it will be displayed as a web application.





4.2.2 Configuring the DSS Web Module For this module to function properly, it should have the DSS Service module referenced and you need to change the IIS authentication.

4.2.2.1 Configuring the reference to the DSS Service Module This configuration is performed in the connectionStrings.config configuration file. You can find this file in the SealSignDSSService directory of the website where the product was installed. This file includes, among other settings, the URLs of three web services provided by the DSS Service. More specifically, these are the administration web service (AdminService.svc), audit (AuditService.svc) and document secure storage (SecureStorage.svc).

In case the conducted service installation is the one set by default, modifying this file will not be necessary.

<client>

<endpoint address="http://localhost/SealSignDSSService/AuditService.svc"

...

</endpoint>

<endpoint address="http://localhost/SealSignDSSService/AdminService.svc"

...

</endpoint>

<endpoint address="http://localhost/SealSignDSRService/SecureStorage.svc"

...

</endpoint>

</client>

You can get information on the parameters displayed on this website.

http://msdn.microsoft.com/en-us/library/ms733932.aspx




4.2.2.2 Configuring the module in the ISS For the web administration application to function properly it is necessary to modify the authentication in the IIS. This requires disabling access for anonymous users (Anonymous Authentication) and enable Windows-based authentication (Windows Authentication).

Figure 16: Configuring DSS Web module permissions in the IIS.

4.3 DSS TSA Module

As already mentioned, this module installs the time stamp authority. As with the other modules, you need to configure the connection string to the database once the installation is completed.

4.3.1 Installing the TSA DSS Module The module is installed with the help of a wizard, as is the case with many Microsoft Windows programs. The process is the same as the previously conducted when installing the DSS Service and the DSS Web modules.

Figure 17: Configuring the DSS TSA module during installation.




After the installation, it has been added as just another program to the program list in the Control Panel, and on the IIS it will also be displayed as a web application, along with the DSS Service and the DSS Web.


4.3.2 Configuring the DSS TSA Module This configuration is performed in the connectionStrings.config configuration file. You can find this file in the SealSign DSS TSA directory of the website where the product was installed. This file includes the connection string to the database created earlier in SQL Server (SealSignDSS).

<connectionStrings>


connectionString="Data Source=localhost;

Initial Catalog=SealSignDSS;

Trusted_Connection=Yes;

persist security info=False;

TrustServerCertificate=True" />


The connection string configuration is exactly the same as that conducted earlier in the DSS Service module. The administrator must follow the steps explained in this section to set the appropriate connection in SQL Server or Oracle.




5 Installation troubleshooting

The electronic signature services installation process includes SealSign DSS's own error monitoring and tracking system. Therefore any errors, warnings and information messages are registered in its own application Log integrated into Microsoft Windows. In the event that any problem is identified in the services we recommend checking the SealSign DSS log.

Figure 19: Microsoft Windows Event Viewer.

The most common problems that can take place during the SealSign DSS installation are caused by licensing, and their identifier is 3011.

In the “SealSign Monitoring Guide” all the details on how to monitor the health of the platform and see the potential errors that can take place during its use are included.

5.1 Error 80070005

This error generally occurs when the user used to configure the Application Pool does not have permissions to operate the licence management component. Said component is registered on the machine during the installation process. This is the message displayed:

An error has ocurred obtaining license information: Retrieving the COM class factory for component with CLSID {554A6D3B-2FEF-4C2F-B34C-AF6185EB2759} failed due to the following error: 80070005. at SealSignDSSLibrary.SealSignDSSLicense.InitializeLicense(String licenseFile)

In order to give activation permissions to the Application Pool user you can use the DCOMCNFG.EXE tool and look for the LicProtector Server component:

Figure 20: DCOMCNFG.EXE tool.

http://es.slideshare.net/elevenpaths/sealsign-monitoring-guide-include-dss-bss-ckc-y-dsr




When clicking on the right button you access these item’s properties. There you will find the Security tab, from which you will be able to grant permissions to the user of the Application Pool.

Figure 21: Permission.

5.2 Error 80040154

This error generally occurs in 64-bit environments when the activation configuration of the license management component has been modified or deleted. Said component is registered on the machine during the installation process.

This is the message displayed:

An error has ocurred obtaining license information:

Retrieving the COM class factory for component with CLSID {554A6D3B-2FEF-4C2F-B34C-AF6185EB2759} failed due to the following error: 80040154. at SealSignDSSLibrary.SealSignDSSLicense.InitializeLicense(String licenseFile)

To recreate the component's activation configuration, execute the DllSurrogate.reg file containing the installation modules.




6 Index of images

Figure 01: SealSign modules. .......................................................................................................................... 3

Figure 02: Activation of the HTTP Activation option in the Features menu. .................................................. 5

Figure 03: Activation of the Web Server (IIS) Support option in the Role Services menu. ............................. 6

Figure 04: Activation of the IIS 6 Metabase Compatibility option in the Role Services menu. ...................... 6

Figure 05: Activation of security systems. ...................................................................................................... 7

Figure 06: Final appearance after configuring the server role. ...................................................................... 7

Figure 07: Creating a new Application Pool. ................................................................................................... 8

Figure 08: Advanced options of the created Application Pool. ...................................................................... 9

Figure 09: Running the sql file on the created database. .............................................................................10

Figure 10: Configuring the Login name. ........................................................................................................11

Figure 11: Configuration during the DSS Service module installation. .........................................................12

Figure 12: module already integrated as a web application in IIS. ...............................................................13

Figure 13: Configuring the DSS Service module permissions in IIS. ..............................................................14

Figure 14: Configuration during the DSS Web module installation. .............................................................15


Figure 16: Configuring DSS Web module permissions in the IIS. ..................................................................17

Figure 17: Configuring the DSS TSA module during installation. ..................................................................17


Figure 19: Microsoft Windows Event Viewer. ..............................................................................................19

Figure 20: DCOMCNFG.EXE tool. ..................................................................................................................19

Figure 21: Permission. ...................................................................................................................................20




7 Resources

For information about the different SealSign services available, please go to this address:

https://www.elevenpaths.com/technology/sealsign/index.html

Also, on the ElevenPaths blog you can find interesting articles and innovations regarding this product.

You can find more information about Eleven Paths products on YouTube, on Vimeo and on Slideshare.

https://www.elevenpaths.com/technology/sealsign/index.html

http://blog.elevenpaths.com/

https://www.youtube.com/user/ElevenPaths

http://vimeo.com/elevenpaths

http://www.slideshare.net/elevenpaths/




The information disclosed in this document is the property of Telefónica Digital España, S.L.U. (“TDE”) and/or any other entity within Telefónica Group and/or its licensors. TDE and/or any Telefonica Group entity or TDE’S licensors reserve all patent, copyright and other proprietary rights to this document, including all design, manufacturing, reproduction, use and sales rights thereto, except to the extent said rights are expressly granted to others. The information in this document is subject to change at any time, without notice.

Neither the whole nor any part of the information contained herein may be copied, distributed, adapted or reproduced in any material form except with the prior written consent of TDE.

This document is intended only to assist the reader in the use of the product or service described in the document. In consideration of receipt of this document, the recipient agrees to use such information for its own use and not for other use.

TDE shall not be liable for any loss or damage arising out from the use of the any information in this document or any error or omission in such information or any incorrect use of the product or service. The use of the product or service described in this document are regulated in accordance with the terms and conditions accepted by the reader.

TDE and its trademarks (or any other trademarks owned by Telefonica Group) are registered service marks.

PUBLICATION:

October 2016

At ElevenPaths we have our own way of thinking when we talk about security. Led by Chema Alonso, we are a team of experts who are passionate about their work, who are eager to redefine the industry and have great experience and knowledge about the security sector.

Security threats in technology evolve at an increasingly quicker and relentless pace. Thus, since June 2013, we have become a startup company within Telefónica aimed at working in an agile and dynamic way, transforming the concept of security and, consequently, staying a step ahead of our attackers.

Our head office is in Spain, but we can also be found in the UK, the USA, Brazil, Argentina and Colombia.

IF YOU WISH TO KNOW MORE ABOUT US, PLEASE CONTACT US AT:

elevenpaths.com Blog.elevenpaths.com @ElevenPaths Facebook.com/ElevenPaths YouTube.com/ElevenPaths

SealSign DSS installation and configuration

Technology

Transcript of SealSign DSS installation and configuration