01-sealsign dss - guía de administración - en - v 3.1 - final

ElevenPaths, radical and disruptive innovation in security solutions

2015 © Telefonica Digital Identity & Privacy, S.L.U. All Rights Reserved. of 19

Table of content

1 Introduction ................................................................................................................ 3

2 Configuration tasks ..................................................................................................... 5

2.1 Management tool ..................................................................................................................... 5

2.2 Configuration of corporate proxy settings ............................................................................... 5

2.3 Managing PKCS#11 Providers ................................................................................................... 5

2.3.1 Consultation of Configured PKCS#11 Providers ......................................................................... 5

2.3.2 Adding a new PKCS#11 provider ................................................................................................ 6

2.3.3 Modifying a PKCS#11 provider ................................................................................................... 6

2.3.4 Removing a PKCS#11 provider ................................................................................................... 6

2.4 Configuration of Certificate Validation Authority .................................................................... 6

2.5 Configuration of Electronic Signature Parameters ................................................................... 8

2.6 Configuration of Electronic Signature Verification Parameters ............................................. 10

2.7 Management of Centralised Keys ........................................................................................... 10

2.7.1 Management of Server Certificates ......................................................................................... 10

2.7.2 Usage rules ............................................................................................................................... 13

2.8 Configuration of the Local Time Stamp Authority .................................................................. 14

2.9 Management of Time Stamp Servers ..................................................................................... 15

2.9.1 Consulting the list of Time Stamp Servers ................................................................................ 15

2.9.2 Adding a New Time Stamp Server ............................................................................................ 15

2.9.3 Modifying the Configuration of a Time Stamp Server .............................................................. 15

2.9.4 Removing a Time Stamp Server ................................................................................................ 16

2.10 Auditing................................................................................................................................... 16

2.10.1 Configuration of Auditing ......................................................................................................... 16

2.10.2 Consulting the Audit Log .......................................................................................................... 16

2.10.3 Removing the Content of the Audit Log ................................................................................... 16

3 Troubleshooting ......................................................................................................... 17

4 Resources .................................................................................................................. 18


1 Introduction

SealSign Digital Signature Services is a product developed entirely by ElevenPaths, designed to facilitate the integration of the electronic signature with corporate applications.

Although the electronic signature procedure is simple in theory (calculation and encoding of the document's hash), there are a multitude of signature profiles/formats and numerous scenarios that can be complex and costly both in terms of process and time. In addition, many of these profiles require the obtaining of elements which are external to the system, such as CRLs or OCSP responses from the certification authorities, third party timestamps, etc. Furthermore, it is more and more common for the document and the signer's private key to be stored separately on remote systems, for example, a user signing a document residing on the server from Internet explorer.

All this means that the adoption of electronic signature processes in corporate applications can be problematic when it comes to managing each and every one of the elements involved in the procedure.

SealSign DSS consists of an electronic signature engine that receives signature operation requests, through various web services, from a multitude of client applications, performing the required operations according to the general parameters configured by the administrator or according to the customised parameters that come in the client's request.

SealSign DSS supports a multitude of signature profiles and is able to access external providers to obtain each and every one of the elements involved in each profile in a manner which is completely transparent to the client application. The current version of SealSign DSS supports the following signature formats: CMS, CAdES, XMLDigSig, XAdES, PDF, PAdES, Microsoft Office and OpenOffice.

One of the advantages that SealSign DSS provides is the distributed signature, which allows these particular scenarios to be resolved in a flexible, simple manner. The distributed signature consists of performing the whole signature process on the server side except for the encoding of the hash which takes place on the client side, where the signer's private key resides. The obtaining of external elements is thus unified and optimised and the amount of information exchanged is drastically reduced.

In addition to signature services, SealSign DSS provides signature validation services using a certificate validation authority (TrustID Revoke Server) which allows the status of any certificate to be obtained by connecting to a multitude of certificate providers external to the organisation in a centralised manner which is configurable by the administrator.

One of the problems in the electronic signature processes is the management of the certificates and keys for the signing of documents. In order to resolve this, SealSign DSS provides certificate and key storage within its configuration database. Furthermore, SealSign DSS is able to use certificates stored externally, both in Windows certificate stores and stores accessible through PKCS#11 modules, both in signature processes on the server and distributed signature processes on client devices.

Another of the elements involved in electronic signature processes is the use of timestamps that record the exact time at which a signature takes place. When managing the generation of timestamps,


SealSign DSS allows both the creation of stamps through the use of a local authority and the invoking of time stamp authorities that are external to the organisation.

Finally, SealSign has a configurable auditing service that allows all signature, validation and timestamping operations performed by the server to be tracked.


2 Configuration tasks

Information about licensing is detailed in the document "SealSign - Licensing.pdf"

2.1 Management tool The management/setup of SealSign DSS is centralised through the management website. In order to open the management website the user simply has to open Internet Explorer and go to the address http://servername:portnumber/SealSignDSSWeb.

When executing the management tool, by default, only users who are member of the server's SealSignDSS Admins group may manage the setup of SealSign DSS. Therefore, the first task that an administrator must perform before they can manage the server is to add the appropriate user accounts to said group.

2.2 Configuration of corporate proxy settings

In order to comply with the requirements of the different types of signature, SealSign DSS's server may need to communicate with external providers that provide various services such as, for example, timestamping or certificate validation services.

If communication with the exterior takes place through a proxy server, the administrator will need to configure the corporate proxy settings on the SealSign management website. In order to perform the configuration of the proxy settings on SealSign's server, the following steps can be taken:

1. Open the SealSign DSS management website.

2. On the main page select the Configure corporate proxy settings link from the Tasks Related to the General Configuration of the Platform group or otherwise select the Proxy Configuration link from the menu on the left-hand side.

3. The proxy configuration parameters page will appear.

4. Click on the Use Proxy field to enable the rest of the parameters on the page.

5. Configure the values in the Host Name and Port fields. If the proxy is authenticated a User account and Password must be configured.

6. Finally, click Save to update the server settings.

2.3 Managing PKCS#11 Providers

When accessing external certificate containers, SealSign DSS may use other PKCS#11 modules developed by third parties in addition to the cryptographic service providers (CSPs). In order to do so, in addition to the installation of the provider on the server, the list of PKCS#11 providers that SealSign DSS should handle must be configured.

2.3.1 Consultation of Configured PKCS#11 Providers In order to see the list of PKCS#11 providers configured on the server the following steps can be taken:


http://www.slideshare.net/elevenpaths/sealsign-product-licenses


2. On the main page select the Manage registration of PKCS#11 providers link from the Tasks Related to the General Configuration of the Platform group or otherwise select the PKCS#11 Providers link from the menu on the left-hand side.

3. A list of all the PKCS#11 providers configured on the server will appear.

2.3.2 Adding a new PKCS#11 provider To add a new PKCS#11 provider, the following steps can be taken:

1. On the main page of the Management website select the Register new PKCS#11 provider link from the Tasks Related to the General Configuration of the Platform group. There is also a link from the list of PKCS#11 providers consulted in the previous section.

2. Specify the provider's configuration parameters:

a. The Name field is obligatory and serves as a label by which to recognise the provider in question.

b. The Library field is the complete path for the PKCS#11 provider's dynamic link library (DLL). In order for it to function correctly the administrator must ensure that the provider is correctly installed on all the SealSign DSS servers.

3. Click Insert.

2.3.3 Modifying a PKCS#11 provider To change the configuration of a PKCS#11 provider, the following steps can be taken:

1. Access the List of PKCS#11 providers, to do this, on the main page, select the Manage registration of PKCS#11 Providers link from the Tasks Related to the General Configuration of the Platform group or otherwise select the PKCS#11 Providers link from the menu on the left-hand side.

2. In the list of PKCS#11 providers select the link of the provider you wish to modify.

3. Make the desired changes.

4. Click Save.

2.3.4 Removing a PKCS#11 provider To remove a PKCS#11 provider, the following steps can be taken:

1. Access the List of PKCS#11 providers, to do this, on the main page, select the Manage registration of PKCS#11 Providers link from the Tasks Related to the General Configuration of the Platform group or otherwise select the PKCS#11 Providers link from the menu on the left-hand side.

2. In the list of PKCS#11 providers, click on the Cross to the left of the provider you wish to remove.

2.4 Configuration of Certificate Validation Authority

With the introduction of the digital signature into companies and organisms in addition to the needs arising in terms of taking advantage of the use of certificates in systems and applications, more and more problems arise when it comes to integrating and managing the certificates issued by certification service providers that are external to the organisation.


These problems range from the dependency of the external CSP when checking the validity of the certificates, the revocation list publication times and the availability of connectivity with their infrastructure (including from each of the organisation's machines) to the need to wait for a user to notify the CSP when their certificate has been compromised if the organisation works with personal certificates such as the Spanish Electronic ID Card or the CERES certificates of the FNMT (the Royal Spanish Mint).

On SealSign DSS this validation problem can be resolved in two ways:

1. Using Windows' CryptoAPI modules which offer the ability to perform online consultations to external CSPs but, given the general nature of this library, are not able to resolve some problems such as access to the FNMT's CRLs or the police department's OCSP Responder to validate Spanish Electronic ID Cards or access to secondary servers when the main servers are not accessible.

2. Using the local digital certificate validation authority, TrustID® Revoke Server, which allows multiple external CSPs to be integrated with the organisation thus maintaining control of the validation process, centralising revocation checks and providing auditing, caché, CRL download and OCSP response functions and local revocation lists.

The recommended method to perform validation on SealSign DSS is the integration of TrustID® Revoke Server since it is able to resolve all the problems in a simple, centralised manner. For more information please refer to the TrustID® Revoke Server documentation.

In order to perform the configuration of the validation authority parameters on SealSign's server, the following steps can be taken:


2. On the main page, select the Validation Authority link from the menu on the left-hand side.

3. By selecting the Use Revoke Server as certificate validation authority field the use of TrustID® Revoke Server is enabled as the certificate validation authority. By deselecting said field, the use of CryptoAPI is enabled to address the issue of validation.

4. If the use of TrustID® Revoke Server is enabled you will need to configure the following fields:

a. The URL of Revoke Server service field indicates the address where the Revoke server is installed. It will normally have the format http://server_name:port/revocation.asmx where server_name and port will indicate the name of the server and the port on which the TrustID® Revoke Server is installed.

b. The User field will indicate a user name if authenticated access to the TrustID® Revoke Server has been enabled or an empty string if access is anonymous.

c. The Password field will indicate the password for access to the server if authenticated access to the TrustID® Revoke Server has been enabled or an empty string if access is anonymous.



2.5 Configuration of Electronic Signature Parameters

SealSign DSS allows the general, centralised configuration of certain electronic signature parameters. In order to configure these parameters the administrator can take the following steps:


2. On the main page, select Manage electronic signature parameters from the Tasks Related to Electronic Signatures and Verification group or otherwise select Signature Parameters from the menu on the left-hand side.

3. The following values can be configured on the signature parameters page:

a. General Signature Parameters:

I. The Check Certification String of Signing Certificate field indicates if the server should build the certificate string corresponding to the signature certificate received, so that if the string is not valid and trusted on the SealSign server, the server will return an error in the signature process.

II. The Check Revocation Status field indicates if the server should verify if the signature certificate received has been revoked or not, so that if the certificate has been revoked, the server will return an error in the signature process.

III. The Default Time Stamp Server field allows you to select, from the list of time stamp servers configured on SealSign, which of these will be used in signing operations that require timestamps.

b. Signing of XML Documents (XAdES):

I. The Add Signature Removal XPath Transformation field indicates if the server will apply the XPath transformation template for the removal of previous signatures before signing an XML document.

II. The Type 2 XAdES-X Signature field allows you to specify that signatures with the XAdES-X and XAdES-XL profile must comply with type 2 of the XAdES-X standard instead of being type 1 (default value).

c. Signing of CMS Messages (CAdES):

I. The Type 2 CAdES-X Signature field allows you to specify that signatures with the CAdES-X and CAdES-XL profile must comply with type 2 of the CAdES-X standard instead of being type 1 (default value).

d. Signing of PDF Documents (PAdES Basic):

I. The Include Timestamp field allows you to specify if a timestamp will be included when signing PDF documents.

II. The Include Revocation Information field indicates if the CRLs or OCSP responses related to the certificates involved in the process will be included within the signature.

III. The Display Signature Widget field indicates if the resulting PDF document after signing will show the signature display (Widget) with the information for such.


IV. The Position Widget Automatically field indicates if the signature display will be positioned automatically or if the values provided in the following two fields should be used. If the Widget is positioned automatically it will appear in the top right-hand corner of the resulting PDF document.

V. The Position of Widget - X Coordinate field allows the configuration of the X coordinate for the position of the Widget in pixels from the bottom left-hand corner of the page.

VI. The Position of Widget - Y Coordinate field allows the configuration of the Y coordinate for the position of the Widget in pixels from the bottom left-hand corner of the page.

VII. The Automatic Resizing of Widget field indicates if the signature display will automatically resize or if the values provided in the following two fields should be used.

VIII. The Widget Height field allows the configuration, in pixels, of the height of the signature display.

IX. The Widget Width field allows the configuration, in pixels, of the width of the signature display.

X. The Widget Rotation field allows the angle of rotation for the signature display to be selected. The possible values are 0º, 90º, 180º and 270º.

XI. The Include Widget on All Pages field indicates if the signature display will be shown on all pages of the document.

XII. The Only Include Widget on Page Number field indicates the page number on which the signature display will be shown.

XIII. The Include Background Image field allows you to configure the inclusion of an image in the signature Widget.

XIV. The Background Image field allows you to select a file with the image that will be shown as a background for the Widget. It is important to mention that the file must be in JPEG 2000 format and that a normal JPEG file is not valid as a background image.

XV. The Image Height field allows the configuration, in pixels, of the height of the image selected in the previous field.

XVI. The Image Width field allows the configuration, in pixels, of the width of the image selected in the Background Image field.

XVII. The Autoadjust Image field indicates if the background image will be stretched to cover the width of the signature display.



2.6 Configuration of Electronic Signature Verification Parameters

SealSign DSS allows the configuration of certain parameters that will govern the electronic signature verification process. In order to configure these parameters the administrator can take the next steps:


2. On the main page, select the Manage electronic signature verification parameters link from the Tasks Related to Electronic Signatures and Verification group or otherwise select the Verification Parameters link from the menu on the left-hand side.

3. The following values can be configured on the signature verification parameters page:

a. The Check Certification String of Signing Certificate field indicates if the server should build the certificate string corresponding to the signature certificate, so that if the string is not valid and trusted on the SealSign server, the server will return an error in the verification process.

b. The Check Revocation Status field indicates if the server should verify if the signature certificate has been revoked or not, so that if the certificate has been revoked, the server will return an error in the verification process.

c. The Include extended timestamp information field indicates if the information corresponding to each of the timestamps and their signatures will be included in the verification process response.

d. The Only include document-type signatures in PDF files field indicates if the PDF document verification process should include all extended signatures (PDF encryption signatures for example) or only document-type signatures (user signatures).


2.7 Management of Centralised Keys

Among the features provided by SealSign DSS is the possibility of performing the electronic signing of documents with certificates stored on the server. SealSign DSS's server certificates may reside within the signature platform or reference external Windows and PKCS#11 stores. The administrator must specify which server certificates will be available for use and who will have access to each one for the signature operations performed by the platform.

2.7.1 Management of Server Certificates In this menu in the management tool the administrator can add references to both internal and external certificates which will then be available for the creation of Usage Rules for said certificates.

2.7.1.1 Consulting the List of Server Certificates In order to see the list of available server certificates the following steps can be taken:


2. On the main page, select the Manage server certificates link from the Tasks Related to Server Certificates group or otherwise select the Server certificates link from the menu on the left-hand side called Centralised Keys.

3. A list of all the server certificates that can be used in signature processes will appear.


2.7.1.2 Adding a New Server Certificate To add a new server certificate to the list, the following steps can be taken:

1. On the main page of the Management website select the Import new server certificate link from the Tasks Related to Server Certificates group. There is also a link from the list of server certificates consulted in the previous section.

2. The following values can be configured on the server certificates page:

a. The File field allows you to select the .pfx file containing the certificate that will be imported into SealSign's certificate store.

b. In the Password field the password for the file selected in the previous field must be indicated.

c. The Remember Password value will specify if the server should store this file's password so it doesn't request it again each time the certificate is used or if, on the contrary, the user will be required to provide this password every time.

d. The Descriptive Name field allows the option of indicating a more extensive description of the certificate.

e. The Owner Only Admin field enables the owner of the certificate to restrict the management and use of the certificate only to his Windows user. By checking this option, no other user neither administrator can use the certificate.

f. The Owner field indicates the name of the Windows user account which will act as owner of the new certificate and which will therefore have access to such. In addition to the owner it is also possible to create delegates that will also be able to use this certificate. The creation of delegates is done by modifying the settings of the server certificate after adding it for the first time.

g. In the Request SealSign Password value the administrator can force the need to create a specific SealSign password which will be necessary each time the certificate is used within the platform.

h. The password mentioned in the previous field will be configured in the SealSign password field.

3. Click Import to save the certificate within SealSign's certificate store.

2.7.1.3 Adding a Reference to an External Server Certificate When the certificate is stored externally to SealSign's server certificate store you will need to add a reference to such in the server certificate settings. To do so the following steps must be taken:

1. On the main page of the Management website select the Add reference to an external server certificate link from the Tasks Related to Server Certificates group. There is also a link from the list of server certificates consulted in the previous section.

2. The following values can be configured on the server certificate references page:

a. In the Storage Type field the type of storage that contains the certificate should be selected. Specifically the following values are available for selection:

i. WindowsStore for certificates saved in the current user's Windows certificate store.


ii. WindowsSystemStore for certificates saved in the SealSign server's machine certificate store.

iii. PKCS11Store for certificates saved in external stores accessible through a PCKS#11 module.

b. After selecting the type of storage, click Select Certificate. A window will appear which will either show the available certificates (WindowsStore and WindowsSystemStore) or request selection of the PKCS#11 Provider, Slot and Contraseña to access the certificate (PKCS11Store).

c. Once you have selected the certificate, the page will show the Subject, Serial Number, Issuing Entity, Validity Dates and if there is a Password Required by the Store.

d. The Descriptive Name field allows the option of indicating a more extensive description of the certificate.

e. The Owner field indicates the name of the Windows user account which will act as owner of the new certificate and which will therefore have access to such. In addition to the owner it is also possible to create delegates who will also be able to use this certificate. The creation of delegates is done by modifying the settings of the server certificate after adding it for the first time.

f. The Remember Password value is used to specify if the server should store this certificate's password so it doesn't request it again each time it is used or if, on the contrary, the user will be required to provide this password every time.

g. The password for the selected certificate must be entered in the Password field.

h. In the Request SealSign Password value the administrator can force the need to create a specific SealSign password which will be necessary each time the certificate is used within the platform.

i. The password mentioned in the previous field will be configured in the SealSign password field.

3. Click Insert to save the certificate within SealSign's certificate store.

2.7.1.4 Modifying a Server Certificate To change the configuration of a PKCS#11 provider, the following steps can be taken:

1. Access the server certificates, to do so, on the main page, select the Manage server certificates link from the Tasks Related to Server Certificates group or otherwise select the Server certificates link from the menu on the left-hand side.

2. In the list of server certificates select the link of the certificate you wish to modify.

3. When you click Save the certificate's settings will be updated on the server.

2.7.1.5 Removing a Server Certificate To remove a server certificate, the following steps can be taken:

1. Access the server certificates, to do so, on the main page, select the Manage server certificates link from the Tasks Related to Server Certificates group or otherwise select the Server certificates link from the menu on the left-hand side.


2. In the list of server certificates, click on the Cross to the left of the certificate you wish to remove.

2.7.2 Usage rules SealSign DSS allows the association of usage rules to the certificates centralised on the platforms that define who may use them and how.

2.7.2.1 Consulting the List of Usage Rules To see the list of Usage Rules the following steps can be taken:


2. In the menu on the left-hand side select the Usage Rules link from the Centralised Keys group.

3. A list of all the available usage rules will appear.

2.7.2.2 Adding a new Usage Rule To add a new Usage Rule to the list, the following steps can be taken:

1. Select the Add new usage rule link from the page with the list of usage rules consulted in the previous section.

2. The following values can be configured on the server certificates usage rules page:

a. The Name field allows an identifying key to be assigned to the usage rule.

b. The Owner field indicates the name of the Windows user account which will act as owner of the new usage rule.

c. The Description field allows the option of indicating a more extensive description of the usage rule.

d. The Valid From field indicates from when the usage rule will be valid, thus allowing the use of the certificates associated with such.

e. The Valid Until field indicates until when the usage rule will be valid.

3. Click Insert to save the usage rule.

2.7.2.3 Modifying a Usage Rule To change the configuration of a usage rule, the following steps can be taken:

1. Select the usage rule to be modified from the list of usage rules consulted in the Consulting the List of Usage Rules section. On the editing page of the usage rule the General Parameters that were entered when the usage rule was inserted can be managed as can the Usage Filters.

These filters are divided into the following categories:

a. Certificates: In this section you can manage which certificates are associated to the usage rule.

b. Authorised Users: In this section you can manage which users have access to the usage rule in addition to indicating for how long through the Valid From and Valid Until dates.


c. Machines: In this section you can manage which machines will have access to the usage rule. Using this filter you can specify that a certificate to sign a transaction may only be used from a series of machines specified in the rule. This filter accepts % as a special character.

d. Processes: In this section you can manage which processes (name of the Windows executable) will have access to the usage rule. Using this filter you can specify that a certificate to sign a transaction may only be used from a series of processes specified in the rule. This filter accepts % as a special character.

e. URLs: In this section you can manage which URLs will have access to the usage rule. Using this filter you can specify that a certificate to sign a transaction may only be used from a series of URLs specified in the rule. This filter accepts % as a special character. This filter only applies to the Internet Explorer search engine, i.e., to the iexplore.exe process.

2. Click Save to update the settings of the usage rule.

2.7.2.4 Removing a Usage Rule To remove a usage rule, the following steps can be taken:

1. Access the list of usage rules, to do so, in the menu on the left-hand side select the Usage Rules link from the Centralised Keys group.

2. In the list of usage rules, click on the Cross to the left of the usage rule you wish to remove.

2.8 Configuration of the Local Time Stamp Authority

SealSign DSS allows both the use of a local authority to create the timestamps for electronic signatures and the use of external timestamping providers.

In order to configure SealSign's local time stamp authority the following steps should be taken:


2. On the main page, select the Manage time stamp authority link from the Tasks Related to Timestamping group or otherwise select the Local Authority link from the menu on the left-hand side.

3. The following values can be configured on the local time stamp authority configuration page:

a. The Time Stamp Server Certificate field allows you to select the certificate that will be used to sign timestamps issued by the local authority. This server certificate must have been included in the list of server certificates as explained in the Management of Server Certificates section.

b. The Store Digital Evidences Issued field allows you to configure if the server will save a copy of the timestamps issued or not in case subsequent analysis of such is necessary.



2.9 Management of Time Stamp Servers

In scenarios where you wish to use external time stamp authorities you will need to add the appropriate connection parameters in the configuration of SealSign DSS.

2.9.1 Consulting the list of Time Stamp Servers In order to see the list of available time stamp servers the following steps can be taken:


2. On the main page, select the Manage connections to time stamp authorities link from the Tasks Related to Timestamping group or otherwise select the TSA Servers link from the menu on the left-hand side.

3. A list of all the time stamp servers that can be used in signature processes will appear.

2.9.2 Adding a New Time Stamp Server To add a new time stamp server to the list, the following steps can be taken:

1. On the main page of the Management website select the Add connection to time stamp authority link from the Tasks Related to Timestamping group. There is also a link from the list of time stamp server certificates consulted in the previous section.

2. The following values can be configured on the TSA servers page:

a. The Name field indicates the name you want to give to the new TSA server configured.

b. The URL field indicates the URL of the time stamp server.

c. The Include Server Certificates in the Response value will specify if the server will include the timestamp generation certificates within the response issued.

d. The Include a Nonce in the Request will specify if SealSign's server should include a different nonce within each request to the TSA server.

e. If the time stamp server requires authentication in the HTTP requests, the Use HTTP Authentication field should be enabled and the appropriate values should be configured in the User Account and Password fields.

3. When you click Insert the configuration of the new time stamp server will be added to SealSign.

2.9.3 Modifying the Configuration of a Time Stamp Server In order to see the list of available time stamp servers the following steps can be taken:

1. Access the list of time stamp servers, to do so, on the main page, select the Manage connections to time stamp authorities link from the Tasks Related to Timestamping group or otherwise select the TSA Servers link from the menu on the left-hand side.

2. In the list of time stamp servers select the link of the server you wish to modify.

3. Make the corresponding changes.

4. Click Save to update the server settings.


2.9.4 Removing a Time Stamp Server To remove a time stamp server the following steps can be taken:

1. Access the list of time stamp servers, to do so, on the main page, select the Manage connections to time stamp authorities link from the Tasks Related to Timestamping group or otherwise select the TSA Servers link from the menu on the left-hand side.

2. In the list of TSA servers, click on the Cross to the left of the server you wish to remove.

2.10 Auditing

SealSign DSS has an auditing system that will allow the administrator to see what operations are carried out in the system, who requests them and the result of such. This section describes how to configure and view SealSign DSS's auditing.

2.10.1 Configuration of Auditing In order to configure SealSign DSS's auditing service, the following steps should be taken:

1. On the main page select the Configure auditing parameters link from the Tasks Related to Auditing group or otherwise select the Auditing Configuration link from the menu on the left-hand side.

2. Select the appropriate options according to whether you wish the auditing to include the responses with an error status or those with a correct status.

3. Click Save.

2.10.2 Consulting the Audit Log To see the content of the audit log the following steps should be taken:

1. On the main page select the View audit log link from the Tasks Related to Auditing group or otherwise select the Audit Log link from the menu on the left-hand side.

2. A table will appear with the audit logs included in the system to the current date.

3. There are filter fields at the top of the page that the administrator can use to refine the search results. In order to do this the administrator must enter/select the appropriate values in the filter fields and click Search.

4. The arrows at the bottom of the table of results can be used to browse through the search result pages.

2.10.3 Removing the Content of the Audit Log In order to remove the content of all the entries in the audit log the following steps can be taken:

1. On the main page select the View audit log link from the Tasks Related to Auditing group or otherwise select the Audit Log link from the menu on the left-hand side.

2. Click the Delete all audit log entries link which can be found below the search results.


3 Troubleshooting

During the SealSign installation process, a specific log, called SealSign DSS, will be created in each server's event viewer. If an error occurs in server operations, in addition to being reported in the product audit, events will be included as they occur with the complete description of the error in the log created for this purpose.

Information about monitoring is detailed in the document "SealSign - Monitoring.pdf"

http://www.slideshare.net/elevenpaths/sealsign-monitoring-guide-include-dss-bss-ckc-y-dsr


4 Resources

For information about the different SealSign services available, please go to this address:

https://www.elevenpaths.com/es/tecnologia/sealsign/index.html

Also, on the ElevenPaths blog you can find interesting articles and innovations regarding this product.

You can find more information about Eleven Paths products on YouTube, on Vimeo and on Slideshare.

https://www.elevenpaths.com/es/tecnologia/sealsign/index.html

http://blog.elevenpaths.com/

https://www.youtube.com/user/ElevenPaths

http://vimeo.com/elevenpaths

http://www.slideshare.net/elevenpaths/


The information disclosed in this document is the property of Telefónica Digital Identity & Privacy, S.L.U. (“TDI&P”) and/or any other entity within Telefónica Group and/or its licensors. TDI&P and/or any Telefonica Group entity or TDI&P’S licensors reserve all patent, copyright and other proprietary rights to this document, including all design, manufacturing, reproduction, use and sales rights thereto, except to the extent said rights are expressly granted to others. The information is this document is subject to change at any time, without notice.

Neither the whole nor any part of the information contained herein may be copied, distributed, adapted or reproduced in any material form except with the prior written consent of TDI&P.

This document is intended only to assist the reader in the use of the product or service described in the document. In consideration of receipt of this document, the recipient agrees to use such information for its own use and not for other use.

TDI&P shall not be liable for any loss or damage arising out from the use of the any information in this document or any error or omission in such information or any incorrect use of the product or service. The use of the product or service described in this document are regulated in accordance with the terms and conditions accepted by the reader.

TDI&P and its trademarks (or any other trademarks owned by Telefonica Group) are registered service marks. All rights reserved.

PUBLICATION:

October 2015

At ElevenPaths we have our own way of thinking when we talk about security. Led by Chema Alonso, we are a team of experts who are passionate about their work, who are eager to redefine the industry and have great experience and knowledge about the security sector.

Security threats in technology evolve at an increasingly quicker and relentless pace. Thus, since June 2013, we have become a startup company within Telefónica aimed at working in an agile and dynamic way, transforming the concept of security and, consequently, staying a step ahead of our attackers.

Our head office is in Spain, but we can also be found in the UK, the USA, Brazil, Argentina and Colombia.

IF YOU WISH TO KNOW MORE ABOUT US, PLEASE CONTACT US AT:

elevenpaths.com Blog.elevenpaths.com @ElevenPaths Facebook.com/ElevenPaths YouTube.com/ElevenPaths

01-sealsign dss - guía de administración - en - v 3.1 - final

Technology