Print

SecPKI-Server

SecPKI-Server constitutes a central server component for several SecCommerce products. SecPKIServer supports multi-client functionality for user certificate, access right and trust center service administration. SecPKIServer connects to relevant trust center services (CRL, OCSP, TSP) and offers interfaces for signature creation and verification supporting data and signature encryption.

Specifically, SecPKIServer offers

  • Signature verification and signature evidence preservation by means of its long term hash tree archive including signed data, OCSP responses and time stamps. In particular, SecPKI-Server validates electronic signatures:
    • for scanned paper documents from SecArchiveClient,
    • for signed electronic documents from workflow scenarios involving SecSigner,
    • for sent and received e-mails,
    • for signatures created with other tools
  • An ArchiSig conformal long term hash tree archive in accordance with audit requirements and German social law (SGB 4). Evidentiary signature values are preserved by means of hash tree creation and qualified time stamp over signature procedures, signatures and respective data. All algorithms applied meet required long-term security standards with respect to German signature laws (cf. qualified cryptographic algorithm list published by the German Federal Network Agency). Thus, integrity and creatorship for signed electronic documents can be proven at any given time.
  • Automatic server signature creation using smart cards or software keys:
    • E-mails: SecPKI-Server may open an SMTP port and accept e-mails from standard e-mail clients such as Thunderbird or Microsoft Outlook, or from ERP software (e.g. for electronic invoices). E-Mails are marked for signing according to the specific user configuration. Signed e-mails are sent to a configured SMTP server.
    • Documents from local file systems: SecPKI-Server may monitor local file systems and subsequently sign files in specified directories. Specific smart cards or software keys may be used for specific directories. Specific signature formats may be created for specific directories.
    • Documents provided by SecPKI-API (JavaAPI or SOAP). The signature requests may specify smart cards or software keys may be and signature formats.
  • Supported signature formats are:
    • CMS (PKCS#7) SignedData
    • XML-DSig
    • Adobe PDF signatures

SecPKI Overview about Details
 

  • Time stamp services: SecPKIServer may request and verify time stamps using TSP. Time stamp requests are subject to the specific user configuration.
  • Encryption: SecPKIServer allows for the encryption of signed and unsigned data:
    • E-mails: mails: SecPKI-Server may open an SMTP port and accept E-mails from standard e-mail clients such as Thunderbird or Microsoft Outlook, or from ERP software (e.g. for electronic invoices). E-Mails are marked for encryption according to the specific user configuration, e.g. the recipient's e-mail address.
    • Documents from local file systems: SecPKI-Server may monitor local file systems and subsequently encrypt documents or signatures in specified directories. Specific encryption certificates may be used for specific directories.
    • Documents provided by SecPKI-API (JavaAPI or SOAP). The encryption requests specify encryption certificates.
  • Decryption: SecPKI-Server recognizes encrypted documents or signatures automatically and decrypts the given data for further processing, provided that SecPKIServer has access to the respective software key or smart card.
  • Certificate based user and role management. Users correspond to X.509 certificates. The Java-Applet SecPKISignOn may be used by future users to sign onto the system. Subsequently, a SecPKI-Server administrator may activate a user and assign the new users to specific user groups (related to access rights).
  • Access validation for SecRouter. SecPKI-Server checks the user's group membership(s) to verify if a user may access the relevant web portal and specifies the corresponding URLs accessible for that user.
  • Trust center service administration: SecPKIServer updates all CA certificates and revocation list URLs for relevant trust centers. For this purpose, certificate stacks signed by SecCommerce employees are distributed. Client specific trust center data may be added. 
  • Time controlled process execution: SecPKI-Server may execute processes according to user specific configurations, e.g.:
    • Certificate revocation list download
    • User certificate check
    • Time stamp request for hash tree over signature
    • Consistency check for hash trees and over signatures
    • Certificate stack download
    • E-mail signature
    • Signature of documents in local file systems
    • Verification of signatures in local file systems

The following graphic depicts SecPKI-Server's  core functions:

SecPKIApi

SecPKIApi may be used to integrate SecPKI-Server's services into external client or server applications. SecArchiveApi offers functionality such as server signature creation, signature verification, and user and access right administration. Example calls are being provided along with SecPKI-Server. Furthermore, a WSDL description is generated by SecPKIServer for SOAP calls.

SecPKIApi may be called

  • as a Java-API and/or
  • using SOAP requests

SecPKIApi calls are subject to TLS encryption. SecPKI-Server and the corresponding Java-API support:

  • SSL 3.0
  • TLS 1.0
  • TLS 1.1
  • TLS 1.2

Exclusively the following secure modes (Ciphersuites) are being support:

  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • RSA_3DES_EDE_CBC_SHA

SecPKI-Server accepts SecPKIApi calls only if the corresponding access right has been assigned to the caller. Caller authentication is realized by means of TLS client authentication using an X.509 certificate or name and  password.

SecPKI architecture

SecPKI constitutes a multi-layer system centered around the SecPKIServer component. SecPKIServer is connected to the client's relational data base using JDBC. SecPKIServer is administered by means of Java applet supplied on a web server in the intranet. An administrator uses this SecPKIAdmin applet to set up SecPKIServer and supply master data. The SecPKIAdmin applet connects to SecPKIServer directly using a proprietary TLS connection.

The following graphic depicts a typical use case including the optional component SecRouter for secure web portal access:

SecPKI Overview and SecRouter

Please contact info[at]seccommerce.de for further information