Digital Signatures Configuration

This page details the pre-requisites and configuration options which can be set before using Digital Signatures.

Please note that these instructions should be performed by a system administrator and assume a moderate level of technical knowledge.

Pre-Requisites

To use Digital Signatures you must have your own Digital Signatures server, which will be set up by Tribal. These instructions assume this has already been set up and you have the URL for the server.

You should also download the files for the Authentication Module from here, which allows you to restrict digital signing of documents to web users who have a permission set to do so.

If you wish to use Digital Signatures on a secure protocol (i.e. https) through Maytas Hub, you will need a valid SSL certificate installed on the Digital Signatures server which is bound to the following websites:

Please contact Maytas Support for more information.

Document Signing Authentication

You can optionally configure authentication so that when a user attempts to sign a document, they must log in with their Maytas Hub web user credentials. If the login details are correct and the user has the permission set to allow them to sign documents, they can then proceed to sign. To configure this, you must first install the Authentication Module on the Digital Signatures server:

  1. Extract the Authentication Module installation files.
  2. Open a command prompt as an administrator and browse to the extracted files.
  3. Enter and run the following:

    gacutil /if MaytasAuthenticationModule.dll

  4. To check this has worked, check that the folder C:\Windows\Microsoft.NET\assembly\GAC_MSIL\MaytasAuthenticationModule exists.
  5. Browse to the website folder for SIGNificant Web Signing Interface, as defined in IIS (you can find the location of a site in IIS by right-clicking it and selecting Explore).
  6. Go to the Web folder and open web.config for editing.
  7. Under the <system.web> header, add the following (if there is already an authentication setting, replace it with the following rather than adding it separately):

    <authentication mode="None"/>
    <!--Deny non authenticated users-->
    <authorization>
      <deny users="?"/>
    </authorization>

  8. Under the <system.webServer> header, add the following:

    <modules>
      <!--Maytas Authentication Module-->
      <add name="MaytasAuthenticationModule" type="MaytasAuthenticationModule.SQLAuthentication, MaytasAuthenticationModule, Version=1.0.0.0, Culture=neutral, PublicKeyToken=214aab1591f0454c"/>
    </modules>

  9. Under the <configuration> header, locate <connectionStrings /> and replace it with the following (replace server, database and pword with your SQL server, database name and Maytas3 user password respectively):

    <connectionStrings>
      <!--Maytas connection string-->
      <add name="MaytasConnectionString" connectionString="Data Source=server;Initial Catalog=database;User ID=Maytas3;Password=pword" providerName="System.Data.SqlClient" />
    </connectionStrings>

  10. Under the <configuration> header, locate <appSettings /> and replace it with the following:

    <appSettings>
      <!--web user Permission to check-->
      <add key="WebUserPermission" value="Digitally Sign Document"/>
    </appSettings>

  11. Save and close web.config.
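
To confirm that the edits from steps 4 and 7 to 10 landed in the right sections, the following PowerShell check parses web.config and reports each setting. It is an added example, not part of the vendor's instructions; the function name Test-SigningAuthSetup and the sample server and database names (SQL01, Maytas) are constructed for illustration.

```powershell
# Added example, not vendor code. Reports whether each setting from the steps above is present.
function Test-SigningAuthSetup {
    param([Parameter(Mandatory)][xml]$Config)

    # Attribute of the first node matching $XPath, or $null if the node is absent.
    function Get-Attr($XPath, $Name) {
        $node = $Config.SelectSingleNode($XPath)
        if ($null -ne $node) { $node.GetAttribute($Name) }
    }
    $mode = Get-Attr '/configuration/system.web/authentication' 'mode'
    $deny = $Config.SelectSingleNode("/configuration/system.web/authorization/deny[@users='?']")
    $type = Get-Attr "/configuration/system.webServer/modules/add[@name='MaytasAuthenticationModule']" 'type'
    $conn = Get-Attr "/configuration/connectionStrings/add[@name='MaytasConnectionString']" 'connectionString'
    $perm = Get-Attr "/configuration/appSettings/add[@key='WebUserPermission']" 'value'

    [ordered]@{
        AssemblyInGac          = Test-Path 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\MaytasAuthenticationModule'
        AuthenticationModeNone = ($mode -ceq 'None')
        AnonymousUsersDenied   = ($null -ne $deny)
        ModuleRegistered       = ("$type" -like 'MaytasAuthenticationModule.SQLAuthentication,*')
        # False while the documentation placeholders (server, pword) are still in place.
        ConnectionStringSet    = (-not [string]::IsNullOrEmpty($conn)) -and
                                 ($conn -notmatch 'Data Source=server;|Password=pword(;|$)')
        PermissionKeySet       = ($perm -eq 'Digitally Sign Document')
    }
}

# Constructed sample: every edit applied, but the password placeholder was never replaced.
$Sample = [xml]@'
<configuration>
  <connectionStrings>
    <add name="MaytasConnectionString" connectionString="Data Source=SQL01;Initial Catalog=Maytas;User ID=Maytas3;Password=pword" providerName="System.Data.SqlClient" />
  </connectionStrings>
  <appSettings><add key="WebUserPermission" value="Digitally Sign Document"/></appSettings>
  <system.web>
    <authentication mode="None"/>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <system.webServer>
    <modules>
      <add name="MaytasAuthenticationModule" type="MaytasAuthenticationModule.SQLAuthentication, MaytasAuthenticationModule, Version=1.0.0.0, Culture=neutral, PublicKeyToken=214aab1591f0454c"/>
    </modules>
  </system.webServer>
</configuration>
'@
Test-SigningAuthSetup -Config $Sample
# Real file: Test-SigningAuthSetup -Config ([xml](Get-Content -Raw '<site folder>\Web\web.config'))
```

Because web.config now holds the Maytas3 password in plain text, also confirm that only administrators and the site's application pool identity can read the file.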

Users can be given permission to sign documents as follows:

  1. In Maytas Hub, go to Web User Editor on the toolbar.
  2. Search for and select the user to give permissions.
  3. Click Permissions.
  4. Ensure Digitally Sign Document is ticked.
  5. Click Save.

Configuration Options

  1. Log into Maytas as a user with access to the System Config Editor.
  2. Click the M button at the top-left and select Options.
  3. Under the Maytas 5 heading, select Admin.
  4. Locate the Signature Server setting in the Digital Signatures section and tick the box next to it.
  5. Enter the URL of your Digital Signatures server.
  6. If you have changed the workstep controller process site to use basic authentication, you should also complete the User, Password and Domain settings for connecting to the Digital Signatures server. These should be provided to you by Tribal after the server installation.
  7. The Adhoc Workstep Config string allows you to modify the options that would normally be in the workstep configuration. When adhoc signature locations are used and the word ADHOC is entered into the workstep configuration on the signature definition, Maytas uses the XML in this config instead (see here for details on adhoc signatures). You can view the various options by clicking the textbox and pressing the up and down arrow keys on your keyboard. Due to the number and complexity of these options, please contact Maytas Support if you require assistance in setting them.
  8. Signature finish action should be altered to point to the correct service. The default entry is:

    http://service_address/SignatureListenerService.svc/FinishWorkstep/##workstepid##

    Replace service_address with the path to your Maytas data service, which can be found in Maytas Server Manager:

    1. In Server Manager, select your data service and click Edit.
    2. The URL can be found in the External Address field. It will look similar to

      net.tcp://machinename/service

      Copy the folder path - i.e. everything after

      net.tcp://

      In this example, you would copy machinename/service.

    3. Click Cancel when closing the data service.
  9. Click OK.

If you need to use a specific port for the listener service, this can be done as follows:

  1. Browse to your Maytas Server Manager folder (by default this will be C:\Program Files (x86)\Tribal\Maytas5 Server).
  2. Locate and open the config file for your data service. For example, if your data service is called MyService in Server Manager, open MyService.config.
  3. Under the <appSettings> header, add the following:

    <add key="RestAddress" value="http://machinename/service:12345" />

    Replace machinename/service with your data service URL (see above for how to find this), and replace 12345 with the port you wish to use.

  4. Save and close the config file.
  5. The signature finish action URL should then be updated to include the port (see above for instructions). For example:

    http://machinename/service:12345/SignatureListenerService.svc/FinishWorkstep/##workstepid##

IIS Configuration

When the Xyzmo digital signatures server software is updated, certain settings in IIS are reset. The following should be done after the Xyzmo server software is updated:

  1. Open IIS and expand Sites.
  2. Select the SIGNificant Workstep Controller Process site and double-click Authentication.
  3. If Basic Authentication is set to disabled, right-click it and select Enable.
  4. Right-click Anonymous Authentication and select Edit.
  5. Select Application pool identity and click OK.
  6. Repeat steps 2 to 5 for the SIGNificant Workstep Controller Management site.
  7. Select the site on the left and click Restart.
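
Because a server update resets these settings without warning, a check of both sites shows whether the steps above need repeating. The following PowerShell is an added example, not Tribal or Xyzmo tooling; it assumes the WebAdministration module that ships with IIS, and the function names Test-SiteAuth and Get-SiteAuth are hypothetical.

```powershell
# Added example. Site names are the two named in the steps above.
$Sites = 'SIGNificant Workstep Controller Process',
         'SIGNificant Workstep Controller Management'

# Compare one site's settings with the values set in steps 3 and 5.
function Test-SiteAuth {
    param([string]$Site, [bool]$BasicEnabled, [string]$AnonymousUser)
    # An empty userName is how IIS stores "Application pool identity".
    $usesAppPool = [string]::IsNullOrEmpty($AnonymousUser)
    [pscustomobject]@{
        Site             = $Site
        BasicAuthEnabled = $BasicEnabled
        AnonUsesAppPool  = $usesAppPool
        NeedsFix         = (-not $BasicEnabled) -or (-not $usesAppPool)
    }
}

# Read the live values from IIS (run elevated on the Digital Signatures server).
function Get-SiteAuth {
    param([string]$Site)
    $base  = 'system.webServer/security/authentication'
    $basic = Get-WebConfiguration -Filter "$base/basicAuthentication" -PSPath "IIS:\Sites\$Site"
    $anon  = Get-WebConfiguration -Filter "$base/anonymousAuthentication" -PSPath "IIS:\Sites\$Site"
    Test-SiteAuth -Site $Site -BasicEnabled $basic.enabled -AnonymousUser $anon.userName
}

if (Get-Module -ListAvailable WebAdministration) {
    Import-Module WebAdministration
    $Sites | ForEach-Object { Get-SiteAuth $_ }
} else {
    # No IIS on this machine: constructed values showing both settings reset,
    # with Basic Authentication disabled and anonymous access running as IUSR.
    Test-SiteAuth -Site $Sites[0] -BasicEnabled $false -AnonymousUser 'IUSR'
}
```

Any row with NeedsFix set to True means steps 2 to 5 have to be repeated for that site.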