Editing the Electronic Signature configuration file
Integrating Electronic Signature with Gateway and Sentinel
Editing a secure connection between server and browser (TLS)
After you have installed Electronic Signature, some, or all, of the following directories are deployed on the system:
| Directory | Sub-directory | Content |
|---|---|---|
| apps | ui | UI application |
| bin | – | Scripts |
| conf | – | Configuration files |
| data | certs | Secure Relay certificates and the server SSL certificates |
| | ini_letters | PDF initialization letters generated during the initialization step |
| database | – | Database scripts |
| devKit | inline | Sample code for custom development |
| | parser | |
| | exit | |
| lib | – | All libraries needed by Electronic Signature |
| log | – | Log files |
| mft | Send | Script between EBICS Client and Gateway for Send transfers |
| | Fetch | Script between EBICS Client and Gateway for Fetch transfers |
| | Files | Data files transferred |
| | tmp | Script execution logs and temporary files |
| | install/client | Gateway and Transfer CFT settings (object creation) |
| | install/samples | Back-end sample command lines |
| | install/files | Backup of files before they are sent |
| psr | errors | Payment status requests detected as erroneous |
| | done | Payment status requests finished successfully |
| | processing | Ongoing parsing of the payment status requests |
| | incoming | Awaiting payment status requests. Should normally never be cleaned up |
| synInstall | – | For the management of Electronic Signature by the Axway Installer (update, etc.) |
| working | errors | EBICS requests detected as erroneous |
| | done | EBICS requests finished successfully |
| | processing | Ongoing EBICS requests processed by the EBICS Client |
| | incoming | Awaiting EBICS requests. Should normally never be cleaned up |
| <enableTraces> | – | The enableTraces action needs an additional directory that stores all EBICS exchanges. This directory should be used for diagnosis purposes only and should be cleaned up from time to time. |
The following token types have been tested for use with this version of Electronic Signature:
Token Type | Client to use |
---|---|
SafeNet | SafeNet Authentication Client 8.0 SP2 |
Certinomis | Gemalto RegTool |
Keynectis | Gemalto RegTool |
Ces@mOr | SafeNet Authentication Client 8.0 SP2 |
Keynectis K.Sign® | Sagem Launcher |
SWIFT 3Skey | Etoken PKI Client |
Note: In the current version, only one of these token types can be used at a time.
As an alternative to a security token, for example for testing purposes, you can use a PKCS12 file.
The security token configuration file config.cfg is located in <Electronic Signature_install_dir>/apps/ui.
```properties
cute.applet.callback.appletLoaded=jsAppletReady
cute.applet.pinEntry=custom

# LICENSE
cute.kernel.license.value=MIIC0wYJKoZI…

# LOGGING
cute.kernel.logging.level=debug
cute.applet.callback.logger=logging

# SOURCES
cute.kernel.sources = capi

# PKCS12 file containing one certificate
#cute.kernel.sources=pfx1
#cute.kernel.source.pfx1.type=pkcs12
#cute.kernel.source.pfx1.password=abcdef
#cute.kernel.source.pfx1.value=MIIKLAIBAzCCCfYGC…

# PKCS12 file containing a second certificate
#cute.kernel.sources=pfx2
#cute.kernel.source.pfx2.type=pkcs12
#cute.kernel.source.pfx2.password=abcdef
#cute.kernel.source.pfx2.value=MIIKLAIBAzCC…

# Windows Crypto API
# allows to connect all tokens that have a CAPI interface without any specific configuration
cute.kernel.source.capi.type=cryptoAPI
cute.kernel.source.capi.required=no

#FILTERING
cute.filter.certificate.signcert.privateKey=true
cute.filter.chain.signchain.ee=signcert
...
```
You can edit the contents of the config.cfg file in order to use PKCS12 files instead of a security token. To activate PKCS12 files, perform the following steps:
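The following is an added example, not Axway's code or part of the original page. It parses a config.cfg of the layout shown above, reports which certificate sources are active, and flags a PKCS#12 source whose password is written into the applet configuration (the `cute.kernel.source.<name>.password` line), which is the trade-off of using a file instead of a hardware token. The `enable_pkcs12` helper is an assumed way of performing the switch (uncommenting the `pfx1` lines and disabling the `capi` source); the sample configuration and its values are constructed.

```python
"""Inspect the Electronic Signature applet file config.cfg (added example)."""
from typing import Dict, List, Tuple

# Constructed sample that mirrors the layout documented above; the values are placeholders.
SAMPLE_CONFIG = """\
cute.applet.callback.appletLoaded=jsAppletReady
cute.applet.pinEntry=custom
# SOURCES
cute.kernel.sources = capi
# PKCS12 file containing one certificate
#cute.kernel.sources=pfx1
#cute.kernel.source.pfx1.type=pkcs12
#cute.kernel.source.pfx1.password=abcdef
#cute.kernel.source.pfx1.value=MIIKLAIBAzCCCfYGC...
# Windows Crypto API
cute.kernel.source.capi.type=cryptoAPI
cute.kernel.source.capi.required=no
"""


def parse_cfg(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (active, disabled) key/value maps.

    A line whose '#' is immediately followed by a key is a disabled setting;
    a '# ...' line with a space after the '#' is a plain comment.
    """
    active: Dict[str, str] = {}
    disabled: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        target = active
        if line.startswith("#"):
            body = line[1:]
            if body[:1].isspace():
                continue  # descriptive comment, not a setting
            target = disabled
            line = body
        key, _, value = line.partition("=")
        target[key.strip()] = value.strip()
    return active, disabled


def active_sources(text: str) -> List[str]:
    """Names listed in the active cute.kernel.sources line."""
    active, _ = parse_cfg(text)
    raw = active.get("cute.kernel.sources", "")
    return [s.strip() for s in raw.split(",") if s.strip()]


def audit(text: str) -> List[str]:
    """Findings a reviewer wants: sources listed without a type, and
    PKCS#12 sources whose password is embedded in config.cfg."""
    active, _ = parse_cfg(text)
    findings = []
    for src in active_sources(text):
        prefix = f"cute.kernel.source.{src}."
        if prefix + "type" not in active:
            findings.append(f"source '{src}' is listed but has no {prefix}type")
        if active.get(prefix + "type") == "pkcs12" and prefix + "password" in active:
            findings.append(f"source '{src}' stores its PKCS#12 password in config.cfg")
    return findings


def enable_pkcs12(text: str, name: str) -> str:
    """Assumed switch procedure: disable the current cute.kernel.sources line and
    uncomment '#cute.kernel.sources=<name>' and the '#cute.kernel.source.<name>.*' lines."""
    out = []
    for raw in text.splitlines():
        s = raw.strip()
        key = s.split("=", 1)[0].replace(" ", "")
        if key == "cute.kernel.sources":
            out.append("#" + s)
        elif s.startswith("#cute.kernel.sources=" + name) or s.startswith(f"#cute.kernel.source.{name}."):
            out.append(s[1:])
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("active sources:", active_sources(SAMPLE_CONFIG))
    switched = enable_pkcs12(SAMPLE_CONFIG, "pfx1")
    print("after switch:", active_sources(switched))
    for finding in audit(switched):
        print("finding:", finding)
```

Run the audit on the file as deployed and again after the switch: with the token source the findings list is empty, and with the `pfx1` file source it reports the embedded password, which is why the page recommends PKCS#12 files only for testing.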
The Electronic Signature server configuration file configuration.properties is located in <Electronic Signature_install_dir>/conf. This file contains the following configuration information:
The tables below describe most of the parameters included in the configuration.properties file. Some new parameters may have been added since the publication of this documentation. All parameters are commented inside the configuration file.
This section contains all processing directories, network configuration and general internal configuration such as usage of Sentinel or PassPort.
Parameter | Description | Example |
---|---|---|
server.port | UI server port | 9090 |
server.isOverride | Should the server address and port be overridden? If set to true, the server address in all emails sent by Electronic Signature differs from the real one; the values used are server.newDomain and server.newPort. | false |
server.newDomain | New domain name of the server. This value is used in emails sent by Electronic Signature. | |
server.newPort | New TCP port of the server. This value is used in emails sent by Electronic Signature. | |
server.sso.port | Server SSO port. Used only with PassPort AM and the SSO option. Defines the port on which users connect in SSO mode. | 9091 |
server.sso.truststore.path | Path to the truststore holding the PassPort SSL certificate used in SSO mode. | conf/passport/passport_truststore.jks |
server.sso.keystore.path | Keystore holding the private key for mutual SSL authentication, securing the connection between Electronic Signature and PassPort in SSO mode. | conf/passport/es_sso.jks |
server.sso.keystore.type | Type of keystore. | JKS |
server.sso.keystore.encryptedPassword | Encrypted password of the keystore | |
server.keystore.file | Keystore containing the certificate and private key for the SSL connection | conf/fex-es.ks |
server.keystore.encryptedPassword | Encrypted password of the SSL keystore | |
server.keystore.certificate.encryptedPassword | Encrypted password of the keystore certificate | |
server.usePassPort | Activate the use of PassPort | false |
server.usePassPortSSO | Activate the use of SSO with PassPort | false |
server.useSentinel | Activate the use of Sentinel | true |
server.ssl.disableRenegociation | Enable or disable renegotiation in SSL. | false |
server.readMaxIdleTime | Maximum read idle time in milliseconds, that is, the maximum time allowed between two instances of progress on the connection | 60000 [milliseconds] |
This section contains pre-configuration information for the database. For example, to use MySQL you only have to uncomment the MySQL part and comment out all the others. However, you must specify the database user, password, URL and any other customer-specific system information.
Parameter | Description | Example |
---|---|---|
jdbc.driver.className | – | com.mysql.jdbc.Driver |
jdbc.url | – | jdbc:mysql://localhost:3306/fex_signature |
jdbc.ConnectionProperties | – | |
jdbc.DBDictionary | – | |
jdbc.DataCache | – | true |
jdbc.RemoteCommitProvider | – | sjvm |
jdbc.log | – | log4j |
jdbc.username | – | ElectronicSignat |
jdbc.encryptedPassword | – | |
This section contains information relating to the Electronic Signature UI.
Parameter | Description | Example |
---|---|---|
ui.session.expiration | The time in minutes after which the UI session expires in case of inactivity | 5 |
This section enables you to add external parsers in order to support additional file formats.
Parameter | Description | Example |
---|---|---|
payLoad.parser.name.1 | Custom parsers you want to integrate with Electronic Signature. | Sample Parser |
payLoad.parser.class.1 | The parser class contained in the JAR file | com.axway.fex.es.samples.parser.ParserSample |
external.classpath | Additional classpath for external dependencies. | file:jars/dependency1.jar;file:jars/dependency2.jar |
This section contains information for the email sending service. This service sends an email to all concerned users every time a new payment has been taken into account by the server.
Parameter | Description | Example |
---|---|---|
email.smtp.host.server | SMTP server host name | your_smtp_server |
email.smtp.host.port | SMTP server TCP port number | 25 |
email.smtp.user.login | Login if required, depending on the SMTP server | |
email.smtp.user.encryptedPassword | Password if required, depending on the SMTP server | |
email.general.senderAddress | Email address to display as sender of the sent email | electronic-signature.no-reply@axway.com |
email.new_payment_message.template | Path of the new payment email template properties file | conf/templates/fr_FR/email_new_payment.template |
email.new_payment_without_users_message.template | Path of the new payment without users email template properties file | conf/templates/fr_FR/email_new_payment_without_users.template |
email.new_user_message.template | Path of the new user email template properties file | conf/templates/fr_FR/email_new_user.template |
email.new_passport_user_message.template | Path of the new user email template properties file, for PassPort mode | conf/templates/fr_FR/email_new_passport_user.template |
email.password_reset_message.template | Path of the user password reset email template properties file | conf/templates/fr_FR/email_password_reset.template |
email.user.enabled | Controls whether Signers/Validators receive an email when new payments are available | false |
email.admin.enabled | Controls whether administrators receive an email when new payments do not match any rule | true |
Parameter | Description | Example |
---|---|---|
transporter.connector | Transporter used for importing payments (interchange or gateway) | gateway |
paymentImporter.pollingFrequency | Frequency of the payments scanner | 60000 [milliseconds] |
paymentImporter.paymentIndex.directory | Folder where payment details are stored. This folder needs a lot of space to store all payment details. For example, a payment of 70 000 records requires 30 MB. | ./paymentIndex |
paymentImporter.detailParsingOnArrivalEnabled | This option enables you to disable payment detail parsing upon payment import. Default is enabled. Warning: do not disable this if you use a rule with "1 or 2 signatures depending on a threshold". | true |
paymentOrderIdImporter.pollingFrequency | Frequency of the order ID scanner for sent payments | 60000 [milliseconds] |
paymentScheduler.pollingFrequency | Frequency of retries on payments to re-submit in case of errors | 60000 [milliseconds] |
This section contains information so that Electronic Signature can connect to Interchange to retrieve payments.
Parameter | Description | Example |
---|---|---|
interchange.url | Interchange HTTP URL used to connect to the web service | http://localhost:6080 |
interchange.user | Login of the Interchange user | admin |
interchange.encryptedPassword | Password (encrypted) of the Interchange user | |
interchange.transitionTimeOverlap | Overlap time used when requesting payments from Interchange. | 10 [milliseconds] |
interchange.sessionRenewal | Time in minutes after which the web service session is renewed. Must be less than the session expiration time. | 10 [minutes] |
This section contains information about downloading and storing PSR.
Parameter | Description | Example |
---|---|---|
psr.monitoring.directory | Incoming directory for PSR files | ./psr/incoming |
psr.processing.directory | Processing directory for PSR files | ./psr/processing |
psr.error.directory | Error directory. | ./psr/errors |
psr.done.directory | Processed directory | ./psr/done |
psr.scan.interval | Scan interval of the incoming directory | 10 [seconds] |
psr.thread.pool.size | Size of the thread pool used for PSR parsing | 10 |
psr.queue.size | Size of the PSR parsing queue | 10 |
psr.purge.expirationDays | Expiration time of PSR records | 30 [days] |
This section contains information for the PassPort AM connection such as hostname, port number or SSL data.
Parameter | Description | Example |
---|---|---|
passport.server.address | PassPort server address | localhost |
passport.server.port | PassPort main SSL/TLS port | 6453 |
passport.truststore.path | Path to the PassPort truststore (to be changed if the PassPort SSL server certificate changes) | conf/passport/passport_truststore.jks |
passport.api.keystore.path | Path to the Electronic Signature PassPort API certificate | conf/passport/passport_es_keystore.jks |
passport.api.keystore.password | Keystore password | |
passport.api.tmp.private.key.path | Path to the Electronic Signature PassPort private key | conf/passport/passport_es_pkey.p8 |
passport.api.certificateRequestID.path | Path to the Electronic Signature PassPort certificate request ID | conf/passport/passport_csr.id |
passport.api.shared.secret | PassPort shared secret (set by the installer) | |
passport.csd.path | Path to the Electronic Signature PassPort CSD | conf/passport/es_csd.xml |
passport.es.key.alias | Key alias to use for the Electronic Signature PassPort certificate | ES certificate |
passport.instance.id | Electronic Signature PassPort instance ID | default |
passport.component.version | Electronic Signature version (must match the CSD) | 2.6.1 |
passport.user.useCache | Enable or disable a local cache for retrieving users from PassPort | false |
passport.user.cacheTimeout | Time after which the local users cache is flushed | 5 [minutes] |
passport.locale.forced | Forced locale. For SSO mode only. If this is set, Electronic Signature does not read or set user locale preferences. This is useful when using an external user store, as PassPort does not provide exit APIs for preferences. | |
This section contains information for the connection with Sentinel.
Parameter | Description | Example |
---|---|---|
sentinel.server.address | Host name of the Sentinel server | localhost |
sentinel.trackedObjectName | Sentinel object to be tracked | XFBTransfer |
sentinel.trackedObjectVersion | Sentinel object version to be tracked | 3.9 |
sentinel.server.port | TCP port of the Sentinel server (HTTP/QLT server tracker for the XNTF/XML data type) | 13554 |
sentinel.overFlowFile.path | Overflow file path to be used by Sentinel | C:/Temporary/Folder |
sentinel.overFlowFile.size | Overflow file size | 10 [MB] |
This section contains information related to the sizing of the internal queues and thread pools. These values have a direct impact on performance.
Parameter | Description | Example |
---|---|---|
cache.size.paymentDetail | Size of the payment detail cache. This cache keeps some payment details in memory instead of reading them from paymentImporter.paymentIndex.directory. | 30 [number of payment files] |
pool.parsers.size | Number of payment files that can be processed in parallel to create payment details. | 5 |
Parameter | Description | Example |
---|---|---|
exit.pollingFrequency | Frequency of the exit scanner | 60000 [milliseconds] |
exit.reject.classname | Name of the implementation class of the reject exit | |
exit.reject.classpath | Classpath with all the dependencies of the reject exit. | |
exit.reject.thread.pool.size | Size of the thread pool used for reject exit processing | 2 |
exit.sign.classname | Name of the implementation class of the sign exit | |
exit.sign.classpath | Classpath with all the dependencies of the sign exit | |
exit.sign.thread.pool.size | Size of the thread pool used for sign exit processing | 5 |
exit.useReject | Activate the reject exit post-processing | false |
exit.useSign | Activate the sign exit post-processing | false |
Parameter | Description | Example |
---|---|---|
command.line.port | Command line TCP port | 7091 |
conf.enable.secureRelay.proxy | Use Secure Relay for DMZ proxying | false |
conf.secureRelay.path | Secure Relay configuration location | ./conf/secureRelayConf.xml |
conf.httpConnection.connectionTimeout | Timeout until the HTTP connection is established. Can be any value not equal to 0. | 30000 [milliseconds] |
conf.httpConnection.soTimeout | Socket timeout | 60000 [milliseconds] |
conf.httpConnection.tcpNoDelay | Determines whether Nagle's algorithm is to be used. | true |
conf.allowAllCerts | Allow all server SSL certificates. This should only be used for testing. | false |
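The following is an added example, not Axway's code or part of the original page. It loads a configuration.properties file and checks the constraints the tables above state for the security-relevant settings: `conf.allowAllCerts` must stay false outside testing, `server.isOverride=true` requires `server.newDomain` and `server.newPort`, the TLS keystore password must be present, `conf.httpConnection.connectionTimeout` must not be 0, and numeric settings must be integers. The sample file is constructed and its values are placeholders.

```python
"""Check security-relevant settings in configuration.properties (added example)."""
from typing import Dict, List

# Constructed sample; placeholder values, not a real deployment.
SAMPLE_PROPERTIES = """\
# general server settings
server.port=9090
server.isOverride=true
server.newDomain=
server.useSentinel=true
server.ssl.disableRenegociation=false
server.keystore.file=conf/fex-es.ks
server.keystore.encryptedPassword=
ui.session.expiration=5
conf.httpConnection.connectionTimeout=0
conf.allowAllCerts=true
jdbc.url=jdbc:mysql://localhost:3306/fex_signature
jdbc.username=ElectronicSignat
jdbc.encryptedPassword=PLACEHOLDER_ENCRYPTED
"""


def load_properties(text: str) -> Dict[str, str]:
    """Minimal Java-properties reader: key=value lines, '#' and '!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def check_properties(props: Dict[str, str]) -> List[str]:
    """Return one finding per violated constraint; an empty list means clean."""
    findings: List[str] = []

    # Accepting every server certificate removes TLS authentication of peers.
    if is_true(props.get("conf.allowAllCerts", "false")):
        findings.append("conf.allowAllCerts=true accepts any server SSL certificate; testing only")

    # With the override active, emails are built from the new domain and port.
    if is_true(props.get("server.isOverride", "false")):
        for key in ("server.newDomain", "server.newPort"):
            if not props.get(key):
                findings.append(f"server.isOverride=true but {key} is empty")

    # TLS is mandatory, so the keystore must be openable.
    if not props.get("server.keystore.encryptedPassword"):
        findings.append("server.keystore.encryptedPassword is empty; the TLS keystore cannot be opened")

    # The tables state the connection timeout may be any value except 0.
    if props.get("conf.httpConnection.connectionTimeout") == "0":
        findings.append("conf.httpConnection.connectionTimeout must not be 0")

    for key in ("server.port", "ui.session.expiration", "server.readMaxIdleTime"):
        if key in props and not props[key].isdigit():
            findings.append(f"{key} is not a positive integer: {props[key]!r}")

    return findings


if __name__ == "__main__":
    for finding in check_properties(load_properties(SAMPLE_PROPERTIES)):
        print("finding:", finding)
```

Run it against the deployed file before starting the server; a non-empty list is worth fixing before the instance is exposed, since the findings are the settings that weaken TLS peer validation or stop the server from loading its own keystore.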
Check that Sentinel monitoring is activated in the configuration file located in <Electronic Signature_install_dir>/bin. The exact name of this file depends on your platform:
Platform | Configuration file |
---|---|
UNIX | bin/config |
Windows | bin\config.bat |
Open the config file in a text editor. Check the values and modify them if necessary.
Parameter | Description | Example |
---|---|---|
JAVA_HOME | Mandatory. Path to the Java home directory. This JRE must be set up with the "Unrestricted Policies". | c:\Program Files\Java\jdk1.6xxxx |
GTW_HOME | Mandatory. Path to the Gateway installation directory | c:\Axway\Gateway |
SENTINEL | Usage of Axway Sentinel. This parameter must be set to TRUE if you intend to track the transfer behavior with Sentinel. The parameters TRKHOME and TRKCONF must match the Sentinel configuration, namely the Universal Agent directory and the connection configuration file. | TRUE |
TRKHOME | Path to the home of trkapi | c:\Axway\trkapi |
TRKCONF | Path to the trkapi configuration file | %TRKHOME%\conf\trkapi.cfg |
MODE | Used to perform EBICS transactions in test mode. If unused, or if the value is different from "test", the transfer is a real transfer. This value is case-sensitive. | test |
FILE_ROUTING | Used to send the fetched file back to the back-end application via Gateway (using a Model): ROUTE = transfer. If "ROUTE=" is empty, no transfer is triggered to the back-end application and the file is kept in the Gateway temporary directory. | ROUTE |
The Electronic Signature logging configuration file is located at conf/log4j.properties.
TLS is mandatory in Electronic Signature to secure the connection between the server and the web browser. The product is delivered with a default certificate and private key used by the TLS server. This section explains how to replace the default certificate with your own.
Prerequisite: Your certificate and private key are available as a PKCS#12 file. If you have another format, refer to the keytool documentation.
Encrypt your keystore password and modify the Electronic Signature configuration file as follows: