The following service configuration properties can be modified for the Signature service. (See Editing service configurations.) Some of the values are used as default values for operation properties. To override the default values, specify different values for the operation properties.

- Execute Document JavaScripts scripts: Specifies whether to execute Document JavaScript scripts in Acrobat or Adobe Reader during signature operations. By default, the option is selected, which means that Document JavaScript scripts are executed during signature operations.
- Process Documents with Acrobat 9 Compatibility: Specifies whether to enable Acrobat 9 compatibility. For example, when this option is selected, Visible Certification in Dynamic PDFs is enabled. By default, the option is selected, which means that Acrobat 9 compatibility is allowed.
- Embed Revocation Info While Signing: Specifies whether revocation information is embedded while signing the PDF document. By default, the option is selected, which means that revocation information is embedded when the Signature service operation signs the PDF document.
- Embed Revocation Info While Certifying: Specifies whether revocation information is embedded while certifying the PDF document. By default, the option is selected, which means that revocation information is embedded when the Signature service certifies the PDF document.
- Enforce Embedding of Revocation Info for all Certificates During Signing/Certification: Specifies whether a signing or certification operation fails if valid revocation information for all certificates is not embedded. When a certificate does not contain any Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) information, it is considered valid, even if no revocation information is retrieved. By default, the option is not selected, which means that signing and certification operations do not fail regardless of whether revocation information is embedded.
- Revocation Check Order: Specifies the order of the mechanisms used to perform revocation checking. By default, the selected value is OCSPFirst. Select one of the following values:
- Maximum Size of Revocation Archival Info: Specifies the maximum size of the revocation archival info in kilobytes. AEM forms attempts to store as much revocation information as possible without exceeding the limit. The default value is 10 KB.
- Verification Time Option: Specifies the time at which the signer's certificate is verified. By default, the selected value is Signing Time. Select one of the following values:
  - Signing Time: The time that the signature was applied, as given by the signer's computer.
  - Current Time: The time at which the verification operation is being carried out.
  - Secure Time Else Current Time: The time specified by a trusted time-stamping authority.
- Use Revocation Information Archived in Signature During Validation: Specifies whether the revocation information that is archived with the signature is used for revocation checking. By default, the option is selected.
- Use Validation Information Stored in the Document for Validation of Signatures: Specifies whether to use the validation information that is stored in the PDF document to validate digital signatures. This option is part of the Long Term Validation support available in Acrobat 9.1 and the Signature service, which creates a Digital Signature Standard (DSS) dictionary in the PDF document. The DSS dictionary stores the validation information for the signatures in the document. The validation information includes certificates, revocation information, and timestamp information. In previous releases of Acrobat and AEM forms, the validation information was stored as part of the digital signature. The option is selected by default, which means that the validation information stored in the PDF document is used to validate digital signatures.
- Maximum Nested Verification Sessions Allowed: Specifies the maximum number of nested verification sessions that are allowed. The AEM forms Server uses this value to prevent an infinite loop. Infinite loops can occur while verifying the OCSP or CRL signer certificates when the OCSP or CRL is not set up correctly. The default value is 5.
- Maximum Clock Skew for Verification: Specifies the maximum time, in minutes, that the signing time can be after the validation time. If the clock skew is greater than this value, the signature is not valid. The default value is 65 min.
- Certificate Lifetime Cache (In Minutes): Specifies the lifetime, in the cache, of a certificate retrieved online or through other means. The default value is 1440 min.
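As an added illustration (not code from this page or from AEM forms), the following Python models how the three Verification Time Option values and the Maximum Clock Skew for Verification setting combine when a signer's certificate validity period is checked. The certificate fields, the fallback to the current time when no trusted timestamp is present, and the sample dates are assumptions, not behaviour documented above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class SignerCert:
    """Validity period of the signer's certificate (constructed sample)."""
    not_before: datetime
    not_after: datetime


def verification_time(option: str, signing_time: datetime,
                      secure_time: Optional[datetime], now: datetime) -> datetime:
    """Map a Verification Time Option value to the instant used for the check."""
    if option == "Signing Time":
        return signing_time      # as claimed by the signer's computer
    if option == "Current Time":
        return now               # when the verification operation runs
    if option == "Secure Time Else Current Time":
        # Trusted timestamp when the signature carries one; falling back to
        # the current time otherwise is an assumption based on the option name.
        return secure_time if secure_time is not None else now
    raise ValueError(f"unknown Verification Time Option: {option}")


def clock_skew_ok(signing_time: datetime, validation_time: datetime,
                  max_skew_min: int = 65) -> bool:
    """Maximum Clock Skew for Verification: the claimed signing time may be at
    most max_skew_min minutes after the validation time (default 65 min)."""
    return signing_time - validation_time <= timedelta(minutes=max_skew_min)


def certificate_valid_at(cert: SignerCert, option: str, signing_time: datetime,
                         secure_time: Optional[datetime], now: datetime,
                         max_skew_min: int = 65) -> Tuple[bool, str]:
    """Return (valid, reason) for the signer certificate under the chosen option."""
    vt = verification_time(option, signing_time, secure_time, now)
    if not clock_skew_ok(signing_time, vt, max_skew_min):
        return False, "signing time is too far after the validation time"
    if not (cert.not_before <= vt <= cert.not_after):
        return False, f"certificate not valid at {vt.isoformat()}"
    return True, f"certificate valid at {vt.isoformat()}"


if __name__ == "__main__":
    utc = timezone.utc
    now = datetime(2024, 6, 1, tzinfo=utc)
    # Certificate that expired before verification runs; the signature was
    # applied while it was still valid (constructed sample).
    cert = SignerCert(datetime(2023, 1, 1, tzinfo=utc), datetime(2024, 1, 1, tzinfo=utc))
    signed = datetime(2023, 6, 1, tzinfo=utc)
    for opt in ("Signing Time", "Current Time", "Secure Time Else Current Time"):
        print(opt, certificate_valid_at(cert, opt, signed, None, now))
```

Running it shows the same signature passing under Signing Time and failing under Current Time, which is the practical difference between the two options for long-lived documents.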
Transport Options
- Proxy Host: Specifies the URL of the proxy host. A proxy host is only used when a valid value is provided.
- Proxy Port: Specifies the port to use for the proxy. Valid port number values are 0–65535. The default value is 80.
- Proxy Login Username: Specifies the user name to use to log in to the proxy host. This option is used when a valid Proxy Host and Proxy Port are configured.
- Proxy Login Password: Specifies the password to use to log in to the proxy host. This option is used when a valid Proxy Host and Proxy Port are configured.
- Maximum Download Limit: Specifies the maximum amount of data, in megabytes, that can be received per connection. Valid download limit values are 1 MB to 1024 MB. The default value is 16 MB.
- Connection Time Out: Specifies the maximum time to wait, in seconds, for establishing a new connection. Valid time-out values are 1–300 sec. The default value is 5 sec.
- Socket Time Out: Specifies the maximum time to wait, in seconds, before a socket time-out (while waiting for data transfer) occurs. Valid time-out values are 1–3600 sec. The default value is 30 sec.
Path Validation Options
- Require Explicit Policy: Specifies whether the path must be valid for at least one of the certificate policies that is associated with the trust anchor of the signer certificate. By default, this option is not selected, which means that no certificate policy is required to be associated with the trust anchor of the signer certificate.
- Inhibit ANY Policy: Specifies whether the ANY policy object identifier (OID) must be processed if it is included in a certificate. By default, the option is not selected, which means that the OID does not need to be processed.
- Inhibit Policy Mapping: Specifies whether policy mapping is allowed in the certification path. By default, the option is not selected, which means that policy mapping is not allowed in the certification path.
- Check All Paths: Specifies whether all paths must be validated or whether validation stops after the first valid path is found. By default, the option is deselected, which means that validation stops after the first valid path.
- LDAP Server: Specifies the URL or path of the LDAP server used to look up certificates for path validation. For example, you can type www.ldap.com for the URL or ldap://ssl.ldap.com:200 for the path and port.
- Follow URIs in Certificate AIA: Specifies whether Uniform Resource Identifiers (URIs) in the certificate Authority Information Access (AIA) extension are processed during path discovery. By default, the option is not selected, which means that URIs in the AIA are not processed during path discovery.
- Basic Constraints Extension Required in CA Certificates: Specifies whether the certificate authority (CA) Basic Constraints certificate extension must be present in CA certificates. Some early German certified root certificates (7 and earlier) are not compliant with RFC 3280 and do not contain the Basic Constraints extension. If it is known that a user's end-entity (EE) certificate chains up to such a German root, deselect this option. By default, the option is selected, which means that the CA Basic Constraints certificate extension must be present.
- Require Valid Certificate Signature During Chain Building: Specifies whether the chain builder requires valid signatures on the certificates used to build chains. When this option is selected, the chain builder does not build chains with invalid Digital Signature Algorithm (DSA) signatures on certificates. For example, in a chain CA > ICA > EE where the signature on EE is not valid, chain building stops at ICA and the EE certificate is not included in the chain. This setting does not affect DSA signatures. By default, the option is deselected, which means that the full three-certificate chain is produced.
Timestamp Provider Options
- TSP Server URL: Specifies the URL of the default timestamp provider. This option is not used when no value is provided.
- TSP Server Username: Specifies the user name to use to access the timestamp provider. This option is used when a value is provided for the TSP Server URL option.
- TSP Server Password: Specifies the password to use to access the timestamp server. This option is used when values are provided for the TSP Server Username and TSP Server URL options.
- Request Hash Algorithm: Specifies the hashing algorithm to use when creating the request for the timestamp provider. Select one of the following values:
  - SHA1: (Default) The Secure Hash Algorithm with a 160-bit hash value.
  - SHA256: The Secure Hash Algorithm with a 256-bit hash value.
  - SHA384: The Secure Hash Algorithm with a 384-bit hash value.
  - SHA512: The Secure Hash Algorithm with a 512-bit hash value.
  - RIPEMD160: The RACE Integrity Primitives Evaluation Message Digest algorithm with a 160-bit message digest; it is not FIPS-compliant.
- Revocation Check Style: Specifies the revocation-checking style used to determine the trust status of the timestamp provider's certificate from its observed revocation status. Select one of the following values:
  - NoCheck: Does not check for revocation.
  - BestEffort: Checks for revocation of all certificates when possible.
  - CheckIfAvailable: (Default) Checks for revocation of all certificates only when revocation information is available.
  - AlwaysCheck: Checks for revocation of all certificates.
- Send Nonce: Specifies whether a nonce is sent with the request. A nonce is a parameter that varies with time; it can be a timestamp, a visit counter on a web page, or a special marker. Nonces are intended to limit or prevent the unauthorized replay or reproduction of a file. By default, the option is selected, which means that a nonce is sent with the request.
- Use Expired Timestamps During Validation: Specifies whether to use a timestamp that has expired. By default, the option is selected, which means that the time present in expired timestamps is used during validation of the signature.
- TSP Response Size: Specifies the estimated size, in bytes, of the timestamp provider (TSP) response. This value represents the maximum size of the timestamp response that the configured timestamp provider can return. Configuring an undersized value can cause the operation to fail and errors to appear in the server logs; configuring an oversized value makes the size larger than necessary. It is recommended that this value not be modified unless the timestamp server requires a response size of less than 4096 bytes. Do not change this value unless you are certain what to change it to. Valid response sizes are 60 B to 10240 B. The default value is 4096 B.
Certificate Revocation List Options
- Consult Local URI First: Specifies whether the Certificate Revocation List (CRL) location provided in Local URI for CRL Lookup takes preference over any location specified within a certificate for revocation checking. By default, the option is deselected, which means that the locations specified in the certificate are consulted before the local URI.
- Local URI for CRL Lookup: Specifies the URL of the local CRL provider. This value is only used when the Consult Local URI First option is selected.
- Revocation Check Style: Specifies the revocation-checking style used to determine the trust status of the CRL provider's certificate from its observed revocation status. Select one of the following values:
  - NoCheck: Does not check for revocation.
  - BestEffort: (Default) Checks for revocation of all certificates when possible.
  - CheckIfAvailable: Checks for revocation of all certificates only when revocation information is available.
  - AlwaysCheck: Checks for revocation of all certificates.
- LDAP Server for CRL Lookup: Specifies the URL or path of the Lightweight Directory Access Protocol (LDAP) server used to retrieve certificate revocation list (CRL) information. The LDAP server searches for CRL information using the distinguished name (DN) according to the rules specified in RFC 3280, section 4.2.1.14. For example, you can type www.ldap.com for the URL or ldap://ssl.ldap.com:200 for the path and port.
- Go Online: Specifies whether to access the network to retrieve CRL information. CRL information is cached for optimal use of the network. When the option is deselected, the server does not go online. By default, the option is selected, which means that the network is accessed.
- Ignore Validity Dates: Specifies whether to ignore the response’s thisUpdate and nextUpdate times, which prevents those times from having any negative effect on response validity. The thisUpdate and nextUpdate times come from external sources retrieved through HTTP or LDAP and can differ for each piece of revocation information. When this option is selected, the thisUpdate and nextUpdate times are ignored. By default, the option is deselected, which means that the thisUpdate and nextUpdate times are used.
- Require AKI Extension in CRL: Specifies whether the Authority Key Identifier (AKI) extension must be present in the CRL. The AKI extension can be used for CRL validation. When the option is selected, the AKI extension must be present. By default, the option is deselected, which means that the AKI extension does not have to be present.
Online Certificate Status Protocol Options
- OCSP Server URL: Specifies the local URL of the configured Online Certificate Status Protocol (OCSP) server. The value is only used when the URL To Consult Option is set to LocalURL or UseAIAIfPresentElseLocal.
- URL To Consult Option: Specifies the list and order of the OCSP servers used to perform the revocation check. Select one of the following values:
  - UseAIAInCert: Use the URL of the OCSP server specified in the Authority Information Access (AIA) extension in the certificate.
  - LocalURL: Use the URL of the OCSP server specified in the OCSP Server URL option.
  - UseAIAIfPresentElseLocal: Use the URL of the OCSP server specified in the AIA extension in the certificate, if present. If the AIA extension is not present, use the URL configured in the OCSP Server URL option.
  - UseAIAInSignerCert: (Default) Use the URL of the OCSP server specified in the AIA extension in the OCSP request of the signer certificate.
- Revocation Check Style: Specifies the revocation-checking style used to verify the trust status of the CRL provider’s certificate from its observed revocation status. Select one of the following values:
  - NoCheck: Does not check for revocation.
  - BestEffort: Checks for revocation of all certificates when possible.
  - CheckIfAvailable: (Default) Checks for revocation of all certificates only when revocation information is available.
  - AlwaysCheck: Checks for revocation of all certificates.
- Send Nonce: Specifies whether a nonce is sent with the request. A nonce is a parameter that varies with time; it can be a timestamp, a visit counter on a web page, or a special marker. Nonces are intended to limit or prevent the unauthorized replay or reproduction of a file. When the option is deselected, a nonce is not sent with the request. By default, the option is selected, which means that a nonce is sent with the request.
- Max Clock Skew Time: Specifies the maximum allowed skew, in minutes, between the response time and the local time. The minimum value is 0 min and the maximum value is 2147483647 min. The default value is 5 min.
- Response Freshness Time: Specifies the maximum time, in minutes, for which a preconstructed OCSP response is considered valid. Valid response freshness times are 1–2147483647 min. The default value is 525600 min (one year).
- Sign OCSP Request: Specifies whether the OCSP request must be signed. When the option is selected, the OCSP request must be signed. By default, the option is deselected, which means that the OCSP request is not required to be signed.
- Request Signer Credential Alias: Specifies the trust store credential alias to use for signing the OCSP request if signing is enabled. The alias is used only when the Sign OCSP Request option is selected.
- Go Online: Specifies whether to access the network to retrieve OCSP information. Embedded and cached OCSP responses are used on the server to reduce the amount of network traffic generated by OCSP checking. When the option is deselected, OCSP information is not retrieved from the network and only embedded and cached OCSP information is used. By default, the option is selected, which means that the network is accessed for OCSP information.
- Ignore the Response’s thisUpdate and nextUpdate Times: Specifies whether to ignore the response’s thisUpdate and nextUpdate times, which prevents those times from having any negative effect on response validity. The thisUpdate and nextUpdate times are retrieved from external sources by using HTTP or LDAP and can differ for each piece of revocation information. When the option is selected, the thisUpdate and nextUpdate times are ignored. By default, the option is deselected, which means that the thisUpdate and nextUpdate times are used.
- Allow OCSPNoCheck Extension: Specifies whether the OCSPNoCheck extension is allowed in the response signing certificate. An OCSPNoCheck extension can be present in the OCSP Responder’s certificate to prevent infinite loops from occurring during the validation process. When the option is deselected, the OCSPNoCheck extension is not allowed. By default, the option is selected, which means that the OCSPNoCheck extension is allowed.
- Require OCSP ISIS-MTT CertHash Extension: Specifies whether a certificate public key hash extension must be present in OCSP responses. This extension is required for SigQ validation. SigQ compliance requires the CertHash extension to be in the OCSP responder certificate. Select this option when processing for SigQ compliance with OCSP responders that support it. When the option is selected, the certificate public key hash extension must be present. By default, the option is deselected, which means that the presence of a certificate public key hash extension is not required.
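The OCSP settings above interact: Max Clock Skew Time and the thisUpdate/nextUpdate window decide whether a retrieved response is acceptable, Response Freshness Time caps how old a preconstructed response may be, and Revocation Check Style decides what a missing or unacceptable response means for the certificate. The following Python is an added example (not AEM forms code) that models those decisions with the page's default values; the response fields are constructed, measuring freshness from thisUpdate and the outcome each style assigns to a missing response are assumptions drawn from the descriptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class OcspPolicy:
    """The OCSP settings involved, with the defaults documented on this page."""
    max_clock_skew_min: int = 5            # Max Clock Skew Time
    response_freshness_min: int = 525600   # Response Freshness Time (one year)
    ignore_validity_dates: bool = False    # Ignore the Response's thisUpdate and nextUpdate Times


@dataclass
class OcspResponse:
    """Fields of a constructed OCSP response that the checks below look at."""
    status: str                            # "good" or "revoked"
    this_update: datetime
    next_update: Optional[datetime] = None


def response_acceptable(resp: OcspResponse, policy: OcspPolicy,
                        now: datetime) -> Tuple[bool, str]:
    """Apply the validity window (widened by the clock skew) and the freshness limit."""
    skew = timedelta(minutes=policy.max_clock_skew_min)
    if not policy.ignore_validity_dates:
        if resp.this_update > now + skew:
            return False, "thisUpdate is further in the future than the allowed skew"
        if resp.next_update is not None and resp.next_update < now - skew:
            return False, "nextUpdate has passed beyond the allowed skew"
    # Assumption: freshness is measured from thisUpdate; the page only states
    # that the limit applies to preconstructed responses.
    if now - resp.this_update > timedelta(minutes=policy.response_freshness_min):
        return False, "response is older than Response Freshness Time"
    return True, "ok"


def revocation_decision(style: str, info_available: bool, resp: Optional[OcspResponse],
                        policy: OcspPolicy, now: datetime) -> str:
    """Combine a Revocation Check Style with what was (or was not) retrieved.
    Returns "good", "revoked", "not-checked" or "failed". How each style treats a
    missing or unacceptable response is an assumption based on the page's wording."""
    if style == "NoCheck":
        return "not-checked"
    if style == "CheckIfAvailable" and not info_available:
        return "not-checked"       # no revocation pointer to consult
    if resp is None:
        # Nothing retrieved: Go Online deselected, responder unreachable, and so on.
        return "not-checked" if style == "BestEffort" else "failed"
    ok, _reason = response_acceptable(resp, policy, now)
    if ok:
        return resp.status
    return "not-checked" if style == "BestEffort" else "failed"


if __name__ == "__main__":
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    stale = OcspResponse("good", now - timedelta(days=1), now - timedelta(minutes=10))
    for style in ("BestEffort", "CheckIfAvailable", "AlwaysCheck"):
        print(style, revocation_decision(style, True, stale, OcspPolicy(), now))
```

The demo shows why the default CheckIfAvailable fails a stale response while BestEffort silently accepts the certificate as unchecked, and why selecting the ignore-validity-dates option turns that same stale response into a "good" result.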
Error Handling Options for Debugging
- Purge Certificate Cache on Next API Call: Use this option for debugging purposes in a non-production environment. Specifies whether to purge the certificate cache when the next Signature service operation executes. When the option is selected, the certificate cache on the AEM forms Server is purged. By default, the option is deselected, which means that the certificate cache is not purged. After the first Signature operation executes, the option becomes deselected.
- Purge CRL Cache on Next API Call: Use this option for debugging purposes in a non-production environment. Specifies whether to purge the Certificate Revocation List (CRL) cache when the next Signature service operation executes. When the option is selected, the CRL cache on the AEM forms Server is purged. By default, the option is deselected, which means that the CRL cache on the AEM forms Server is not purged. After the first Signature operation executes, the option becomes deselected.
- Purge OCSP Cache on Next API Call: Use this option for debugging purposes in a non-production environment. Specifies whether to purge the Online Certificate Status Protocol (OCSP) cache when the next Signature service operation executes. When the option is selected, the OCSP cache on the AEM forms Server is purged. By default, the option is deselected, which means that the OCSP cache is not purged. After the first Signature operation executes, the option becomes deselected.