signservice
Signature Service Configuration
This page helps you understand how to configure a SignService application. The settings documented here assume that the configuration of a SignService application is made using properties, or Yaml-files.
In order to get the full, and even more detailed, picture, check each handler configuration. This is documented in each modules README.md file, and the hierarchy starts at the SignService GitHub root page.
Note: All settings are given in “Kebab case” (words separated by dashes). However, “Camel case” will also work.
Application Configuration
The documentation for the signservice-config module describes how a SignService factory is set up and supplied with a configuration object in order to create a SignService engine manager. This manager is the only bean a SignService application needs to use. All SignService logic is encapsulated in this object.
Below follows a description of the configuration object that is supplied to the SignService factory.
| Property | Description | Default value |
|---|---|---|
signservice.domain |
The domain under which the SignService is running. | Mandatory. No default value. |
signservice.base-url |
The “base URL” of the SignService, i.e., the protocol, domain and context path (if set to something other than ‘/’). Must not end with a ‘/’. | Mandatory. No default value. |
signservice.default-sign-service-id |
The default SignService ID. May be overridden in engine configurations (see Engine Configuration below). | - |
signservice.default-credential.* |
Configuration for the SignService default credential that will be used for signing responses. By setting this, several engine configurations may share the same credential. See Credential Configuration. | - |
signservice.validation-config.* |
Configuration settings for validation of messages (application wide). See Validation Configuration below. | The default values as described in Validation Configuration. |
signservice.common-beans.* |
The configuration for some handlers, and also some other beans, normally do not differ between different engines (clients). It is not very efficient if every engine instance instantiates their own beans (for handlers or other base components). Instead the engine configuration can point to an already existing bean. This configuration properties class defines the configuration for components that may be “common”. See Common Beans Configuration. Note: If your application should only serve one client (engine), there is no point in using this setting. |
- |
signservice.default-handler-config.* |
Shared, or default, configuration properties that may be merged into the engine configuration. The idea is to enter common values for the different handlers used in the engine configurations in order to avoid repeating the same configuration values. For example, a SAML-SP configuration may be identical between different clients except for its entityID and assertion consumer service URL. In these cases all engine configurations may all point at the same “default settings” and only configure what is unique for a given engine. See Shared Handler Configuration below. Note: If your application should only serve one client (engine), there is no point in using this setting. |
- |
signservice.system-audit.* |
Configuration for the system (application) audit logger. Note that each engine also has its own audit logger. The system audit logger logs entries that has to do with the actual application (start-up, shutdown, fatal errors, …). See Audit Logger Configuration below. |
Mandatory. No default value. |
signservice.message-replay-checker-bean-name |
Refers to a MessageReplayChecker bean that will be used by the application to detect message replay attacks. | If no bean is specified a DefaultMessageReplayChecker instance will be created (it will use the below property to access a replay checker storage container). |
signservice.replay-checker-storage-container-bean-name |
Only relevant if message-replay-checker-bean-name has not been set. In these cases a DefaultMessageReplayChecker will be created an supplied with a ReplayCheckerStorageContainer instance. This setting refers to this bean. |
If no bean is specified a InMemoryReplayCheckerStorageContainer will be created. This is not advisable in a distributed application setup (i.e., when several instances of the SignService application is running). |
signservice.engines[].* |
A list of engine configurations. Each engine configuration handles one SignService client. See Engine Configuration below. |
Mandatory. At least of engine configuration must be given. |
Engine Configuration
A SignService engine instance is running in a SignService application and is servicing the requests from one, and only one, SignService client. A SignService application is configured with one, or more engines.
In the SignService application above the engine configurations are prefixed using signservice.engines[x] where
x is the list order for the specific engine configuration.
| Property | Description | Default value |
|---|---|---|
name |
The name of this engine. It is recommended to use a name that refers to the client it is serving. This name will be used in log entries. | Mandatory. No default value. |
sign-service-id |
The ID that the SignService identifies itself as when processing requests for this engine. | If no value is given the signservice.default-sign-service-id (above) is used. |
credential |
The credential (key and certificate) that the SignService uses to sign SignResponse messages when processing requests for this engine. See Credential Configuration |
If no value is given the signservice.default-credential setting is used. |
processing-paths[] |
A list of processing paths for this engine. The paths are relative to the application’s context path and must start with a / . A processing path is typically the path on which the engine accepts SignRequest messages.Note: When configuring several engines make sure that the paths for the different engines are unique. The SignService engine manager that is responsible of dispatching incoming requests will hand a request over to the first engine whose processing paths match the incoming request. |
Mandatory. At least one path is required. No default value. |
client.client-id |
The unique client ID for the SignService client that this engine serves. | Mandatory. No default value. |
client.trusted-certificates[] |
A list of X.509 certificates that the engine “trusts” when it comes to verifying signatures on SignRequest messages from the client. | No default value. Depending on the protocol requirements, i.e., whether the SignService protocol requires requests to be signed or not, the setting may be mandatory. |
client.response-urls[] |
A list of registered URLs on which the client may received SignResponse messages. | No default value. Depending on the protocol requirements, i.e., whether the SignService protocol requires a pre-registered response URL or not, the setting may be mandatory. |
protocol.* |
SignService protocol configuration for this engine. See Protocol Configuration below. | If not given, and one (not several) protocol bean has been configured (see Common Beans Configuration below) this value will be used. |
authn.* |
Authentication configuration for this engine. See Authentication Configuration below. | Mandatory. No default value. |
sign.* |
Signature handler configuration for this engine. See Signature Handler Configuration below. | If not given, and one (not several) signature handler bean has been configured (see Common Beans Configuration below) this value will be used. |
cert.* |
Configuration for this engine’s key and certificate handler, i.e., the handler that generates the signing key and signing certificate. See Key and Certificate Handler Configuration below. | If not given, and one (not several) key and certificate bean has been configured (see Common Beans Configuration below) this value will be used. |
audit.* |
Configuration for the engine (client) audit logger. This audit logger will log events that are specific for the client (for example successful and failed signature operations). See Audit Logger Configuration below. |
Mandatory. No default value. |
Common Beans Configuration
The configuration for some handlers, and also some other beans, normally do not differ between different engines (clients). It is not very efficient if every engine instance instantiates their own beans (for handlers or other base components). Instead the engine configuration can point to an already existing bean. This configuration properties class defines the configuration for components that may be “common”.
The following configuration may appear under the signservice.common-beans property.
All settings have a property, bean-name, that tells under which name the common bean should be registered, and
how it should be loaded by references in the engine configuration.
| Property | Description |
|---|---|
protocol.* |
Configuration for a common protocol handler bean. See Protocol Configuration below. |
sign.* |
Configuration for a common signature handler bean. See Signature Handler Configuration below. |
key-provider.* |
The configuration for a PkiCredentialContainer object that later may be referenced in a Key and Certificate Handler Configuration. See CredentialContainerConfiguration. |
cert.* |
Configuration for a common key and certificate handler bean. See Key and Certificate Handler Configuration. |
saml.metadata-provider.* |
A signature service normally has the same SAML metadata provider for all of its clients, and a provider instance is pretty expensive to create, or rather, it spawns threads that download SAML metadata periodically. Having X clients doing the same task is completely unnecessary. Therefore it is possible to create a stand-alone MetadataProvider bean that is referenced by all the client SAML handlers. See MetadataProviderConfiguration. |
Shared Handler Configuration
In SignService setups that has more than one engine (client) it is likely that the different engines are configured with handlers that are unique for the engine (client) but still has many settings that are shared between the instances.
So, shared, or default, configuration properties can be used to avoid repeating configuration settings. For example, a SAML-SP configuration may be identical between different clients except for its entityID and assertion consumer service URL. In these cases all engine configurations may all point at the same “default settings” and only configure what is unique for a given engine.
The following settings may be used as “shared settings”. Note that these configurations are never mapped to handler objects themselves, so a configuration does not have to be “complete”.
| Property | Description |
|---|---|
protocol.* |
Shared SignService protocol configuration. See Protocol Configuration below. |
authn.* |
Shared authentication configuration. See Authentication Configuration below. |
sign.* |
Shared signature handler configuration. See Signature Handler Configuration below. |
cert.* |
Shared configuration for a key and certificate handler. See Key and Certificate Handler Configuration below. |
audit.* |
Shared configuration for audit loggers. See Audit Logger Configuration below. |
Handler Configuration
A SignService engine is instantiated with a set of different handlers, one of each type. Handler configuration is standardized and described in the documentation for the signservice-core module.
Note: If Shared Handler Configuration is used, a template configuration may be
referenced in the handler configuration using the setting default-config-ref. By including a reference using the
setting that follows after signservice.default-handler-config, for example authn.saml, these properties are
used for the handler configuration and we only have to configure common settings in one place, but still get our
own handler instance. See Configuration Example below.
Note 2: If a customized handler, for a specific type, is to be used it is possible to tell the configuration system
to use another HandlerFactory that what is default by using the factory-class
property that points at the factory class for your customized handler. See Configuration of Handlers.
Below follows the main configuration entry points for each type of handler.
Audit Logger Configuration
An AuditLogger instance is configured using the following configuration where one, and only one, setting should be supplied.
| Property | Description |
|---|---|
external.bean-name |
A bean name for an externally created handler bean. |
file.* |
File-based audit logging, see FileAuditLogger. |
log-system.* |
Audit-logging that uses an underlying log system, via Slf4j, to produce audit log entries. See LogSystemAuditLogger. |
callback.* |
Audit-logging that uses callbacks to a configured AuditLoggerListener object. See CallbackAuditLogger. |
actuator.* |
For Spring Boot only. Uses Spring Boot’s Actuator to publish audit log entries. See ActuatorAuditLogger. |
Protocol Configuration
A ProtocolHandler instance is configured using the following configuration where one, and only one, setting should be supplied.
| Property | Description |
|---|---|
external.bean-name |
A bean name for an externally created handler bean. |
dss.* |
A protocol handler implementation according to the extensions of OASIS DSS 1.1 (https://docs.swedenconnect.se/technical-framework/). See DssProtocolHandler. |
Authentication Configuration
An AuthenticationHandler instance is configured using the following configuration where one, and only one, setting should be supplied.
| Property | Description |
|---|---|
external.bean-name |
A bean name for an externally created handler bean. |
saml.* |
Configuration for a SAML-based authentication handler. See DefaultSamlAuthenticationHandler and SwedenConnectSamlAuthenticationHandler. |
mock.* |
Configuration for a mocked authentication handler. May be useful during development and testing. See MockedAuthenticationHandlerConfiguration. |
Signature Handler Configuration
A SignatureHandler instance is configured using the following configuration where one, and only one, setting should be supplied.
| Property | Description |
|---|---|
external.bean-name |
A bean name for an externally created handler bean. |
default-handler.* |
Configuration for a default signature handler. See DefaultSignatureHandler. |
Key and Certificate Handler Configuration
A KeyAndCertificateHandler instance is configured using the following configuration where one, and only one, setting should be supplied.
| Property | Description |
|---|---|
external.bean-name |
A bean name for an externally created handler bean. |
cmc.* |
Configuration for a key and certificate handler that uses the CMC API to communicate with a CA. See CMCKeyAndCertificateHandler. |
built-in-ca.* |
Configuration for a key and certificate handler that uses a built in CA (i.e., a CA that is configured as part of the SignService application). See SimpleKeyAndCertificateHandler. |
Other Configuration
Credential Configuration
Credentials for different purposes are used in the SignService configuration. They are all configured in the
same way. One, and only one, of the following properties must be set to configure a PkiCredential object.
bean-reference - A string that contains a registered bean name referring to an already created PkiCredential
object. This setting is used when the application code creates the credential object outside of the SignService
configuration.
props.* - Configuration of the PkiCredential object using property values. See 3.3.2 for the credentials-support repository.
cred - Assignment of an already instantiated PkiCredential. This setting is not possible to use when
configuring the application using properties files, only when a programmatic setup is made.
Validation Configuration
The ValidationConfiguration class defines generic
settings used during validation of messages. This object is also accessible using the getValidationConfig method of the AbstractHandlerFactory class.
| Property | Description | Default value |
|---|---|---|
allowed-clock-skew |
Duration telling the clock skew that we accept during checks of time stamps. | 30 seconds |
max-message-age |
Duration telling the maximum amount of time that has passed since a message we are receiving, and processing, was sent. This is based on the message’s “created-at” property (or similar). | 3 minutes |
Configuration Example
As part of the SignService repository will supply a demo SignService application. It is configured using the settings documented on this page. We include the demo application configuration (YAML-file) below with comments that point out the features of the configuration system.
The demo application is configured with two clients (engines).
signservice:
domain: localhost
base-url: https://${signservice.domain}:${server.port}
default-sign-service-id: https://localhost.swedenconnect.se/signservice
system-audit:
actuator:
name: "SignService System Audit Logger"
principal: "SignService"
default-credential:
props:
name: SignService
resource: classpath:signservice.jks
alias: signservice
type: JKS
password: secret
key-password: secret
validation-config:
allowed-clock-skew: PT30S
max-message-age: PT3M
#
# Configuration for common beans used by several engine configurations
#
common-beans:
# Configuration for a common protocol handler bean
protocol:
bean-name: signservice.DssProtocolHandler
dss:
include-assertion: true
include-request-message: false
# Configuration for a common signature handler bean
sign:
bean-name: signservice.DefaultSignatureHandler
default-handler:
name: DefaultSignatureHandler
tbs-processors:
- type: xml
strict-processing: false
include-issuer-serial: true
- type: pdf
# Configuration for a common key and certificate handler bean
cert:
bean-name: signservice.BuiltInCa
built-in-ca:
base-url: ${signservice.base-url}
ca-credential:
props:
resource: classpath:ca/test-ca.jks
type: JKS
password: secret
alias: test-ca
key-password: secret
ca-signing-algorithm: http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256
key-provider:
security-provider: BC
cert-validity: P365D
crl-validity: P2D
crl-dp-path: /sign/signca/signca.crl
crl-file-location: ${SIGNSERVICE_HOME}/signca/signca.crl
default-value-policy-checker:
default-reply: false
rules:
- attribute-type: rdn
ref: "2.5.4.6"
allowed-values:
- SE
# Configuration for a shared SAML metadata provider
saml:
metadata-provider:
bean-name: signservice.SamlMetadataProvider
url: https://eid.svelegtest.se/metadata/mdx/role/idp.xml
backup-location: ${SIGNSERVICE_HOME}/sandbox-metadata.xml
validation-certificate: classpath:sandbox/sandbox-metadata.crt
fail-fast: true
#
# Both engines use SAML as the authentication handler, and even though each engine
# is its own SAML SP, they share most of the configuration. So set up a shared
# configuration for a SAML authentication handler.
#
default-handler-config:
authn:
saml:
saml-type: sweden-connect
sp-paths:
base-url: ${signservice.base-url}
#
# References the common MetadataProvider bean. Will be loaded when the
# handler is created.
#
metadata-provider-ref: signservice.SamlMetadataProvider
signature-credential:
props:
name: SignService SAML Signing
resource: classpath:sandbox/saml-sp.jks
alias: sign
type: JKS
password: secret
key-password: secret
decryption-credential:
props:
name: SignService SAML Decryption
resource: classpath:sandbox/saml-sp.jks
alias: encrypt
type: JKS
password: secret
key-password: secret
sign-authn-requests: true
require-encrypted-assertions: true
require-signed-assertions: true
message-replay-checker-ref: signservice.MessageReplayChecker
metadata:
entity-categories:
- http://id.elegnamnden.se/st/1.0/sigservice
- http://id.elegnamnden.se/ec/1.0/loa3-pnr
- http://id.swedenconnect.se/ec/sc/uncertified-loa3-pnr
- http://id.elegnamnden.se/ec/1.0/eidas-naturalperson
- http://id.elegnamnden.se/st/1.0/public-sector-sp
- http://id.swedenconnect.se/contract/sc/sweden-connect
- http://id.swedenconnect.se/contract/sc/eid-choice-2017
- http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding
- http://id.swedenconnect.se/general-ec/1.0/accepts-coordination-number
requested-attributes:
- name: urn:oid:1.2.752.29.4.13
required: false
- name: urn:oid:1.2.752.201.3.4
required: false
service-names:
- "sv-SignService Demo"
- "en-SignService Demo"
ui-info:
display-names:
- "sv-Sweden Connect Demo SignService"
- "en-Sweden Connect Demo SignService"
descriptions:
- "sv-Sweden Connect Underskriftstjänst för test och demonstration"
- "en-Sweden Connect SignService for test and demonstration"
logos:
- path: /images/logo.svg
height: 56
width: 280
- path: /images/logo-notext.svg
height: 256
width: 256
organization:
names:
- "sv-Sweden Connect"
- "en-Sweden Connect"
display-names:
- "sv-Sweden Connect"
- "en-Sweden Connect"
urls:
- "en-https://www.swedenconnect.se"
contact-persons:
support:
company: "Sweden Connect"
email-address: operations@swedenconnect.se
technical:
company: "Sweden Connect"
email-address: operations@swedenconnect.se
#
# OK, the application common settings are done. Let's configure our engines.
#
engines:
#
# Configuration for the "Test my Signature"-client running on localhost.
# See https://github.com/idsec-solutions/signservice-integration.
#
- name: "test-my-signature-localhost"
processing-paths:
- /sign/testmysignature/signreq
client:
client-id: http://sandbox.swedenconnect.se/testmyeid
trusted-certificates:
- classpath:clients/test-my-signature/client.crt
protocol:
# Uses the common ProtocolHandler bean
external:
bean-name: signservice.DssProtocolHandler
authn:
saml:
# By including a reference to the shared SAML configuration we don't have
# to repeat ourselves. The settings are merged into our configuration object,
# and we only have to supply what is specific for our client.
default-config-ref: authn.saml
entity-id: http://sandbox.swedenconnect.se/testmyeid/localsign
sp-paths:
metadata-publishing-path: /sign/testmysignature/saml/metadata
assertion-consumer-path: /sign/testmysignature/saml/sso
metadata:
ui-info:
display-names:
- "en-Test your eID (localhost)"
- "sv-Testa ditt eID (localhost)"
descriptions:
- "en-Application for testing your eID (localhost)"
- "sv-Applikation för att testa ditt eID (localhost)"
sign:
external:
bean-name: signservice.DefaultSignatureHandler
cert:
external:
bean-name: signservice.BuiltInCa
audit:
file:
name: "test-my-signature-audit-logger"
file-name: ${SIGNSERVICE_HOME}/testmysignature/audit.log
#
# Configuration for the "Signature Service Test Application" (https://sig.sandbox.swedenconnect.se/testsp).
# Log in using the user "signserviceuser" with the password "signserviceuser".
#
- name: "signservice-test-localhost"
processing-paths:
- /sign/testapp/signreq
client:
client-id: https://eid2cssp.3xasecurity.com/sign
trusted-certificates:
- classpath:clients/signservice-testapp/eid2cssp.3xasecurity.com.crt
# Note: protocol does not have to be given since a default bean exists.
protocol:
external:
bean-name: signservice.DssProtocolHandler
authn:
saml:
default-config-ref: authn.saml
entity-id: https://localhost.swedenconnect.se/eid2cssp
sp-paths:
metadata-publishing-path: /sign/testapp/saml/metadata
assertion-consumer-path: /sign/testapp/saml/sso
preferred-binding: POST
metadata:
ui-info:
display-names:
- "en-Sweden Connect Localhost Signature Service Test"
- "sv-Sweden Connect test för underskriftstjänster (localhost)"
descriptions:
- "en-Sweden Connect test application for signature services running on localhost"
- "sv-Sweden Connect testapplikation för underskriftstjänster (localhost)"
# Note: sign does not have to be given since a default bean exists.
sign:
external:
bean-name: signservice.DefaultSignatureHandler
# Note: cert does not have to be given since a default bean exists.
cert:
external:
bean-name: signservice.BuiltInCa
audit:
file:
name: "signservice-test-localhost-audit"
file-name: ${SIGNSERVICE_HOME}/signservice-testapp/audit.log
Copyright © 2022-2023, Myndigheten för digital förvaltning - Swedish Agency for Digital Government (DIGG). Licensed under version 2.0 of the Apache License.