Signature service configuration

The following service configuration properties can be modified for the Signature service. (See Editing service configurations.)

Some of the values are used as default values for operation properties. To override the default values, specify different values for the operation properties.

Execute Document JavaScripts scripts:

Specifies whether to execute Document JavaScript scripts in Acrobat or Adobe Reader during signature operations. By default, the option is selected, which means to execute Document JavaScript scripts during signature operations.

Process Documents with Acrobat 9 Compatibility:

Specifies whether to enable Acrobat 9 compatibility. For example, when this option is selected, Visible Certification in Dynamic PDFs is enabled. By default, the option is selected, which means to allow for Acrobat 9 compatibility.

Embed Revocation Info While Signing:

Specifies whether revocation information is embedded while signing the PDF document. By default, the option is selected, which means that revocation information is embedded when the Signature service operation signs the PDF document.

Embed Revocation Info While Certifying:

Specifies whether the revocation information is embedded while certifying the PDF document. By default, the option is selected, which means that revocation information is embedded when the Signature service signs the PDF document.

Enforce Embedding of Revocation Info for all Certificates During Signing/Certification:

Specifies whether a signing or certification operation fails if valid revocation information for all certificates is not embedded. When a certificate does not contain any Certificate Revocation List (CRL) or Online Certification Server Protocol (OCSP) information, it is considered valid, even if no revocation information is retrieved. By default, the option is not selected, which means that signing and certification operations do not fail regardless of whether revocation information is embedded.

Revocation Check Order:

Specifies the order of mechanisms to use to perform revocation checking. By default, the selected value is OCSPFirst. Select one of the following values:

CRLFirst: Use Certificate Revocation List (CRL) before Online Certificate Status Protocol (OCSP).
OCSPFirst: Use OCSP before CRL.

Maximum Size of Revocation Archival Info:

Specifies the maximum size of the revocation archival info in kilobytes. LiveCycle attempts to store as much revocation information as possible without exceeding the limit. The default value is 10 KB.

Verification Time Option:

Specifies the time of verification of a signer's certificate. By default, the selected value is Signing Time. Select one of the following values:

Signing Time: The time that the signature was applied as given by the signer's computer.
Current Time: The time that the verification operation is being carried out.
Secure Time Else Current Time: The time specified by a trusted time-stamping authority.

Use Revocation Information Archived in Signature During Validation:

Specifies whether the revocation information that is archived with the signature is used for revocation checking. By default, the option is selected.

Use Validation Information Stored in the Document for Validation of Signatures:

Specifies whether to use the validation information that is stored in the PDF document to validate digital signatures. This option is a part of the Long Term Validation support available in Acrobat 9.1 and the Signature service, which creates a Digital Signature Standard (DSS) dictionary in the PDF document. The DSS dictionary stores the validation information for the signatures in the document. The validation information includes certificates, revocation information, and timestamp information. In previous releases of Acrobat and LiveCycle, the validation information was stored as a part of the digital signature.

The option is selected by default, which means to use the validation information that is stored in the PDF document to validate digital signatures.

Maximum Nested Verification Sessions Allowed:

Specifies the maximum number of nested verification sessions that are allowed. The LiveCycle Server uses this value to prevent an infinite loop. Infinite loops can occur while verifying the OCSP or CRL signer certificates when the OCSP or CRL is not set up correctly. The default value is 5.

Maximum Clock Skew for Verification:

Specifies the maximum time, in minutes, that the signing time can be after the validation time. If the clock skew is greater than this value, the signature is not valid. The default value is 65 min.

Certificate Lifetime Cache (In Minutes):

Specifies the lifetime of a certificate, retrieved online or through other means, in the cache. The default value is 1440 min.

Transport Options

Proxy Host:: Specifies the URL of the proxy host. A proxy host is only used when some valid value is provided.
Proxy Port:: Specifies the port to use for the proxy. Valid port number values are 0 – 65535. The default value is 80.
Proxy Login Username:: Specifies the user name to use to log in to the proxy host. This option is used when a valid Proxy Host and Proxy Port are configured.
Proxy Login Password:: Specifies the password to use to log in to the proxy host. This option is used when a valid Proxy Host and Proxy Port are configured.
Maximum Download Limit:: Specifies the maximum amount of data, in megabytes, that can be received per connection. Valid download limit values are 1 MB to 1024 MB. The default value is 16 MB.
Connection Time Out:: Specifies the maximum time to wait, in seconds, for establishing a new connection. Valid time-out values are 1 – 300 sec. The default value is 5.
Socket Time Out:: Specifies maximum time to wait, in seconds, before a socket time-out (while waiting for data transfer) occurs. Valid time-out values are 1 3600– sec. The default value is 30 sec.

Path Validation Options

Require Explicit Policy:: Specifies whether the path must be valid for at least one of the certificate policies that is associated with the trust anchor of the signer certificate. By default, this value is not selected, which means that no certificate policy is required to be associated with the trust anchor of the signer certificate.
Inhibit ANY Policy:: Specifies whether the policy object identifier (OID) must be processed if it is included in a certificate. By default, the option is not selected, which means that the OID does not need to be processed.
Inhibit Policy Mapping:: Specifies whether policy mapping is allowed in the certification path. By default, the option is not selected, which means that policy mapping is not allowed in the certification path.
Check All Paths:: Specifies whether all paths must be validated or validation stops after finding the first valid path. By default, the option is deselected, which means that validation stops after the first valid path.
LDAP Server:: Specifies the URL or path of the LDAP server used to look up certificates for path validation. For example, you can type www.ldap.com for the URL or ldap://ssl.ldap.com:200 for the path and port.
Follow URIs in Certificate AIA:: Specifies whether Uniform Resource Identifiers (URIs) in Certificate Authority Information Access (AIA) are processed during path discovery. By default value, the option is not selected, which means that during path discovery, do not process URIs in the AIA.
Basic Constraints Extension Required in CA Certificates:: Specifies whether the certificate authority (CA) Basic Constraints certificate extension must be present for CA certificates. Some early German certified root certificates (7 and earlier) are not compliant to RFC 3280 and do not contain the basic constraint extension. If it is known that a user's EE certificate chains up to such a German root, deselect this option. By default, the option is selected, which means that the CA Basic Constraints certificate must be present.
Require Valid Certificate Signature During Chain Building:: Specifies whether the chain builder requires valid signatures on certificates used to build chains. When this option is selected, the chain builder does not build chains with invalid Digital Signature Algorithm (DSA) signatures on certificates. For example, in a chain CA > ICA > EE where the signature for EE is not valid, the chain building stops at ICA. EEs are not included in the chain. This setting does not affect DSA signatures. By default, the option is deselected, which means the full three-certificate chain is produced.

Timestamp Provider Options

TSP Server URL:

Specifies the URL of the default timestamp provider. This option is not used when no value is provided.

TSP Server Username:

Specifies user name to use to access the timestamp provider. This option is used when a value is provided for the TSP Server URL option.

TSP Server Password:

Specifies the password to use to access the timestamp server. This option is used when a value is provided for the TSP Server Username and TSP Server URL options.

Request Hash Algorithm:

Specifies the hashing algorithm to use while creating the request for the timestamp provider. Select one of the following values:

SHA1: (Default) The Secure Hash Algorithm that has a 160-bit hash value.
SHA256: The Secure Hash Algorithm that has a 256-bit hash value.
SHA384: The Secure Hash Algorithm that has a 384-bit hash value.
SHA512: The Secure Hash Algorithm that has a 512-bit hash value.
RIPEMD160: The RACE Integrity Primitives Evaluation Message Digest that has a 160-bit message digest algorithm and is not FIPS-compliant.

Revocation Check Style:

Specifies the revocation-checking style used for determining the trust status of the timestamp provider's certificate from its observed revocation status. Select one of the following values:

NoCheck: Does not check for revocation.
BestEffort: Checks for revocation of all certificates when possible.
CheckIfAvailable: (Default) Checks for revocation of all certificates only when revocation information is available.
AlwaysCheck: Checks for revocation of all certificates.

Send Nonce:

Specifies whether a nonce is sent with the request. A nonce is a parameter that varies with time. These parameters can be a timestamp, a visit counter on a web page, or a special marker. The parameters are intended to limit or prevent the unauthorized replay or reproduction of a file. By default, the option is selected, which means that a nonce is sent with the request.

Use Expired Timestamps During Validation:

Specifies whether to use a timestamp that has expired. The default is selected, which means to use the time present in expired timestamps during validation of the signature.

TSP Response Size:

Specifies the estimated size, in bytes, of the timestamp server (TSP) response. This value represents the maximum size of the timestamp response that the configured timestamp provider can return. Configuring an undersized value can cause the operation to fail and errors to be seen the server logs; however, configuring an oversized value causes the size to be larger than necessary. It is recommended that this value is not modified unless the timestamp server requires a response size to be less than 4096 bytes. Do not change this value unless you are certain what to change the value to. Valid response sizes are 60B to 10240B. The default value is 4096B.

Certificate Revocation List Options

Consult Local URI First:

Specifies whether the Certificate Revocation List (CRL) location is provided in Local URI for CRL Lookup. The Local URI must have preference over any location specified within a certificate for revocation checking. By default, the option is deselected, which means the locations are specified in the certificate before using the local URI.

Local URI for CRL Lookup:

Specifies the URL of the local CRL provider. This value is only used when the Consult Local URI First setting is selected.

Revocation Check Style:

Specifies the revocation-checking style used for determining the trust status of the CRL provider's certificate from its observed revocation status. Select one of the following values:

NoCheck: Does not check for revocation.
BestEffort: (Default) Checks for revocation of all certificates when possible.
CheckIfAvailable: Checks for revocation of all certificates only when revocation information is available.
AlwaysCheck: Checks for revocation of all certificates.

LDAP Server for CRL Lookup:

Specifies the URL or path of the Lightweight Directory Access Protocol (LDAP) server used to retrieve information about the certificate revocation list (CRL). The LDAP server searches for CRL information using the distinguished name (DN) according to the rules specified in RFC 3280, section 4.2.1.14. For example, you can type www.ldap.com for the URL or ldap://ssl.ldap.com:200 for the path and port.

Go Online:

Specifies whether to access the network to retrieve CRL information. CRL information is cached for optimal usage of the network. When the option is deselected, it means not to go online. By default, the option is selected, which means to access the network.

Ignore Validity Dates:

Specifies whether to ignore the response’s thisUpdate and nextUpdate times, which prevents any negative effect times have on response validity. The thisUpdate and nextUpdate times are external sources that are retrieved through HTTP or LDAP and can be different for each revocation information. When this option is selected, it means to ignore the thisUpdate and nextUpdate times. By default, this option is deselected, which means to use the thisUpdate and nextUpdate times.

Require AKI Extension in CRL:

Specifies whether the Authority Key Identifier (AKI) extension must be present in the CRL. The AKI extension can be used for CRL validation. When the option is selected, it means that the AKI extension must be present. By default, the option is deselected, which means that the AKI extension does not have to be present.

Online Certificate Status Protocol Options

OCSP Server URL:

Specifies the local URL, which is the location of the Online Certificate Status Protocol (OCSP) server, which is the location of the configured OCSP server. The value is only used when the LocalURL or UseAIAIfPresentElseLocal values are in URL To Consult Option.

URL To Consult Option:

Specifies the list and order of the OCSP servers used to perform the revocation check. Select one of the following values:

UseAIAInCert: Use the URL of an online certificate status protocol server specified in the Authority Information Access (AIA) extension in the certificate.
LocalURL: Use the specified URL for the OCSP server specified in the OCSP Server URL option.
UseAIAIfPresentElseLocal: Use the URL of the OCSP server specified in the AIA extension in the certificate if present. If the certificate is not present, use the URL configured in the OCSP Server URL.
UseAIAInSignerCert: (Default) Use the URL of the OCSP server specified in the AIA extension in the OCSP request of the signer certificate.

Revocation Check Style:

Specifies the revocation-checking style used for verifying the trust status of the CRL provider’s certificate from its observed revocation status. Select one of the following values:

NoCheck: Does not check for revocation.
BestEffort: Checks for revocation of all certificates when possible.
CheckIfAvailable: (Default) Checks for revocation of all certificates only when revocation information is available.
AlwaysCheck: Checks for revocation of all certificates.

Send Nonce:

Specifies whether a nonce is sent with the request. A nonce is a parameter that varies with time. These parameters can be a timestamp, a visit counter on a web page, or a special marker. The parameters are intended to limit or prevent the unauthorized replay or reproduction of a file. When the option is deselected, a nonce is not sent with the request. By default, the option is selected, which means a nonce is sent with the request.

Max Clock Skew Time:

Specifies the maximum allowed skew, in minutes, between response time and local time. The minimum value is 0 and the maximum value is 2147483647 min. The default value is 5 min.

Response Freshness Time:

Specifies the maximum time, in minutes, for which a preconstructed OCSP response is considered valid. Valid response freshness times are 1 – 2147483647 min. The default value is 525600 min. (one year).

Sign OCSP Request:

Specifies whether the OCSP request must be signed. When the option is selected, it means that the OCSP request must be signed. By default, the option is deselected, meaning that the OCSP request is not required to be signed.

Request Signer Credential Alias:

Specifies the trust store credential alias to use for signing the OCSP request if signing is enabled. The alias is used if the Sign OCSP Request option is selected.

Go Online:

Specifies whether to access the network to retrieve OCSP information. Embedded and cached OCSP responses are used on the server to reduce the amount of network traffic generated due to OCSP checking. When the option is deselected, OCSP information is not retrieved from the network and only embedded and cached OCSP information is used. By default, the option is selected, which means to access the network for OCSP information.

Ignore the Response’s thisUpdate and nextUpdate Times:

Specifies whether to ignore the response’s thisUpdate and nextUpdate times, which prevents any negative effect times have on response validity. The thisUpdate and nextUpdate times are retrieved from external sources by using HTTP or LDAP and can be different for each revocation information. When the option is selected, it means to ignore the thisUpdate and nextUpdate times. By default, the option is deselected, which means to use the thisUpdate and nextUpdate times.

Allow OCSPNoCheck Extension:

Specifies whether the OCSPNoCheck extension is allowed in the response signing certificate. An OCSPNoCheck extension can be present in the OCSP Responder’s certificate to prevent infinite loops from occurring during the validation process. When the option is deselected, it means that the OCSPNoCheck extension is not allowed. By default, the option is selected, which means the OCSPNoCheck extension is allowed.

Require OCSP ISIS-MTT CertHash Extension:

Specifies whether a certificate public key hash extension must be present in OCSP responses. This extension is required for SigQ validation. SigQ compliance requires the CertHash extension to be in the OCSP responder certificate. Select this option when processing for SigQ compliance and supported OCSP responders. When the option is selected, it means that the certificate public key hash extension must be present. By default, the option is deselected, which means that the presence of a certificate public key extensions is not required.

Error Handling Options for Debugging

Purge Certificate Cache on Next API Call:: Use this option for debugging purposes in a non-production environment. Specifies whether to purge the certificate cache when the next Signature service operation executes. When the option is selected, it means that the certificate cache on the LiveCycle Server is purged. By default, the option is deselected, which means that the certificate cache is not purged. After the first Signature operation executes, the option becomes deselected.
Purge CRL Cache on Next API Call:: Use this option for debugging purposes in a non-production environment. Specifies whether to purge the Certificate Revocation List (CRL) cache when the next Signature service operation executes. When the option is selected, it means that the CRL Cache on the LiveCycle Server is purged. By default, the option is deselected, which means that the CRL cache on the LiveCycle Server is not purged. After the first Signature operation executes, the option becomes deselected.
Purge OCSP Cache on Next API Call:: Use this option for debugging purposes in a non-production environment. Specifies whether to purge the Online Certification Server Protocol (OCSP) cache when the next Signature service operation executes. When the option is selected, it means that the OCSP Cache on the LiveCycle Server is purged. By default, the option is deselected, which means that the OCSP cache is not purged. After the first Signature operation executes, the option becomes deselected.