LiveCycle uses the PKCS#11 JCE providers to support PKCS#11-compliant
HSM-based signing.

Note: On the 64-bit Windows platform, the 64-bit JREs from Sun and
IBM do not ship with the above-mentioned PKCS#11 JCE providers.

You can take advantage of HSM-based signing support by using
the web service-based IPC/RPC mechanism. This method has the added
advantage that the LiveCycle server can use an HSM installed on
a remote machine. To use this functionality, install the web service
on the remote machine where the HSM is installed. See Configuring HSM
support using Sun JDK on Windows 64-bit platform (cpsid_80835) for
more information.

Unlike the CORBA-based IPC mechanism, this mechanism does not support
online creation of HSM profiles or status checks. However, there
are two ways to create HSM profiles and perform status checks:

- Create a LiveCycle client credential by passing it the Signer’s
  Certificate. Follow the steps mentioned in Configuring HSM support
  using Sun JDK on Windows 64-bit platform (cpsid_80835). The web
  service location is passed in as a Credential property. Offline HSM
  profiles created using either the certificate DER or the certificate
  SHA-1 hex are also supported. However, if you have upgraded from an
  earlier version of LiveCycle, make client changes, because the
  credential carries the certificate and web service information.

- The web service location is specified in the Administration Console
  for the Signatures service. Here the client only carries the alias of
  the HSM profile in the Trust Store. You can use this option seamlessly
  without any client changes, even if you have upgraded from an earlier
  version of LiveCycle. This option does not support HSM profiles
  created using certificate SHA-1.

Note: If the web service is configured, then the BMC route is not
followed.