AEM 6.4 Forms Guide
Release Notes
- Release Notes
- New features summary
- Deprecated features
Getting Started
- Introduction to AEM Forms
- Introduction to authoring adaptive forms
- Introduction to Interactive Communications
- Introduction to managing forms
- Tutorial: Create your First Adaptive Form
- Tutorial: Create your First Interactive Communication
- AEM Forms Reference Collaterals
Install and configure AEM Forms
- Architecture and deployment topologies for AEM Forms
- Choosing a persistence type for an AEM Forms installation
- Install AEM Forms on OSGi
- Install AEM Forms on JEE
- Configure AEM Forms
Upgrade AEM Forms
- Available upgrade paths
- Upgrade AEM Forms on OSGi
- Upgrade AEM Forms on JEE
Manage AEM Forms
- AEM Forms on OSGi Groups and Privileges
- Create new folders to categorize forms
- Searching for forms and assets
- Manage form metadata
- Download an XFA or a PDF form template
- Deleting forms and related resources
- Getting XDP and PDF documents in AEM Forms
- Importing and exporting assets to AEM Forms
- Supporting new locales for adaptive forms localization
- Handling user data
- Hardening AEM Forms Environment
Form Data Model
- Introduction to AEM Forms Data Integration
- Configure data sources
- Microsoft Dynamics Odata configuration
- Create form data model
- Work with form data model
- Use form data model
Adaptive Forms - Basic Authoring
- Best practices for working with adaptive forms
- Creating an adaptive form
- Adaptive form fragments
- Configuring the Submit action
- Using CAPTCHA in adaptive forms
- Adaptive forms keywords
- Tables in adaptive forms
- Auto-save an adaptive form
- Configuring redirect page
- Creating accessible adaptive forms
- Creating forms with repeatable sections
- Embed an adaptive form or interactive communication in AEM sites page
- Embed adaptive form in external web page
- Inline styling of adaptive form components
- Introduction to multi-step form sequence
- Layout capabilities of adaptive forms
- Placeholder text in AEM Forms
- Previewing a form
- Reusing adaptive forms
- Separator component in adaptive forms
- Apply electronic signatures to a form using scribble signatures
- AEM Forms Keyboard Shortcuts
- Associating submission reviewers with a form
- Authoring in-context help for form fields
Adaptive Forms - Advanced Authoring
- Creating adaptive forms using JSON Schema
- Creating adaptive forms using XML Schema
- Using Acrobat Sign in an adaptive form
- Creating and using themes
- Adaptive forms rule editor
- API to invoke form data model service from adaptive forms
- Asynchronous submission of adaptive forms
- Create an adaptive form using a set of adaptive forms
- Adaptive Form Templates
- Adaptive Form Expressions
- Generate Document of Record for adaptive forms
- Improve performance of large forms with lazy loading
- Prefill adaptive form fields
- Using SOM expressions in adaptive forms
- Adding information from user data to form submission metadata
- XFA support in XDP-based adaptive forms
- Changing Page Zero content in Designer
- Grant rule editor access to select user groups
- Using AEM translation workflow to localize adaptive forms and document of record
- Automate testing of adaptive forms
- Styling constructs for adaptive forms
- Synchronizing Adaptive Forms with XFA Form Templates
- Integrate Acrobat Sign with AEM Forms
- Creating and managing reviews for assets in forms
- Standard validation error messages for adaptive forms
Interactive Communications
- Introduction to Interactive Communication authoring UI
- Create an Interactive Communication
- Using charts in Interactive Communications
- Texts in Interactive Communications
- Conditions in Interactive Communications
- Prepare and send Interactive Communication using the Agent UI
- Print channel and web channel
- Interactive Communications configuration properties
Workflows
- Forms-centric workflow on OSGi
- Forms-centric workflow on OSGi - Step Reference
- Dynamically select a user or group for AEM Forms-centric workflow steps
- Actions and capabilities of Form-centric AEM Workflows on OSGi and AEM Forms JEE workflows
- Initiate Document Services APIs from AEM Workflow
AEM Forms Workspace
- Introduction to AEM Forms workspace
- Working with AEM Forms workspace
- AEM Forms Workspace Architecture
- Features of AEM Forms workspace not available in Flex workspace
- Features of Flex workspace not available in AEM Forms workspace
- Backbone interaction
- Description of reusable components
- Document details for renderer
- Integrating AEM Forms workspace components in web applications
- New render and submit service
- Understanding the folder structure
- Integrating third-party applications in AEM Forms workspace
- AEM Forms workspace JSON object description
- Introduction to Customizing AEM form workspace
- Generic steps for AEM Forms workspace customization
- Changing the locale of AEM Forms workspace user interface
- Creating a new login screen
- Customizing error dialogs
- Customizing tabs for a task
- Customizing the task details page
- Customizing the listing of process instances
- Customizing Task Actions
- Displaying additional data in ToDo list
- Getting Task Variables in Summary URL
- Customize images used in route actions
- Minification of the JavaScript files
- Customize tracking tables
- Updating the link to the documentation
- Working with Formsets in AEM Forms workspace
- APIs used in AEM Forms workspace
- Initiating a new process with existing process data in AEM Forms workspace
- Hosting two AEM Forms workspace instances on one server
- Changing the color scheme of the interface
- Changing the font on the interface
- Changing the organization logo for branding
- Displaying information in the Task Summary pane
- Displaying the user avatar
- Getting started with AEM Forms workspace
- Managing tasks in an organizational hierarchy using Manager View
- Starting processes
- Tracking processes
- Single Sign On and timeout handlers
- Using an adaptive form in HTML Workspace
- Integrating AEM forms workspace with Microsoft Office SharePoint Server
- Working with To-do lists
- Troubleshooting guidelines for AEM Forms workspace
AEM Forms app
- Introduction to AEM Forms app
- Set up environment for AEM Forms app
- Set up the Xcode project and build the iOS app
- Building a secure AEM Forms app for iOS
- Set up the Visual Studio project and build the Windows app
- Set up the Android studio project and build the Android app
- Build the AEM Forms Android app
- Distribute AEM Forms app
- Gesture customization
- Branding Customization
- Theme Customization
- Logging in to AEM Forms app
- Home screen
- Synchronizing the app
- Working with a Form
- Working with Startpoints
- Opening a task
- Saving a task or form as a draft
- Using autosave in AEM Forms app
- Save forms as templates
- Adding attachments
- Working in the offline mode
- Updating general settings
- Troubleshoot AEM Forms app
HTML5 Forms
- Introduction to HTML5 forms
- Getting started with HTML5 forms
- Architecture of HTML5 forms
- Feature differentiation between HTML5 forms and PDF forms
- Frequently asked questions (FAQ) for HTML5 forms
- Designing form templates for HTML5 forms
- Best practices for HTML5 forms
- Designing accessible HTML5 forms
- Generate HTML5 preview of an XDP form
- Rendering form template for HTML5 forms
- Enabling attachments for an HTML5 form
- HTML5 forms service proxy
- Optimizing HTML5 forms
- Screen readers for HTML5 forms
- Creating a custom profile for HTML5 forms
- Right-to-left languages in HTML5 forms
- Integrating Form Bridge with custom portal for HTML5 forms
- Create custom appearances in HTML5 forms
- Changing default styles of HTML5 forms
- Picture clause support for HTML5 forms
- Create accessible complex tables in HTML5 forms
- Creating CSS styles for HTML5 forms
- Customizing error messages for HTML5 forms
- Saving an HTML5 form as a draft
- Enable logging for HTML5 forms
- Debugging HTML5 forms
- Scripting support for HTML5 forms
- Form set in AEM Forms
Letters and Correspondences
- Correspondence Management Overview
- Layout Design
- Data Dictionary
- Document Fragments
- Create Letter
- Create Correspondence
- Remote functions in Expression Builder
- Manage agent signature images
- Post processing of letters and interactive communications
- Add custom action to the Asset Listing view
- Add custom action/button in Create Correspondence UI
- Add custom properties to Correspondence Management assets
- Customize create correspondence UI
- Customize text editor
- Correspondence Management: Troubleshooting
- APIs to access letter instances
- Integrating Create Correspondence UI with your custom portal
- Custom special characters in Correspondence Management
- Custom watermark in letter PDF preview
- Configuring a Correspondence Management solution
- Inline condition and repeat in Interactive Communications and letters
- Document Fragments
- Correspondence Management Configuration Properties
Integrate AEM Forms with Experience Cloud solutions
- Create targeted experiences in AEM Forms
- Measure and improve effectiveness and conversion of forms
- Configuring analytics and reports
- View and understand AEM Forms analytics reports
- Create and manage A/B test for adaptive forms
Publish and process AEM Forms
- Introduction to publishing forms on a portal
- Sample for integrating drafts & submissions component with database
- Configuring storage services for drafts and submissions
- Manage Forms applications and tasks in AEM Inbox
- Watched folder in AEM Forms
- Drafts and submissions component
- Embedding link component in a page
- Publishing and unpublishing forms and documents
- Listing forms on a web page using APIs
- Accessing and filling published forms
- Sending a form submission acknowledgement via email
- Create or Configure a watched folder
- Use custom email templates in an Assign Task step
- Use metadata in an email notification
Forms Portal
- Customizing templates for forms portal components
- Enabling forms portal components
- Creating a forms portal page
- APIs to work with submitted forms on forms portal
- Custom storage for drafts and submissions component
Document Services
- Overview of AEM Document Services
- Forms Service
- Output Service
- ConvertPDF Service
- Barcoded Forms Service
- Using Assembler Service
- Use HSM to digitally sign or certify documents
- Using AEM Document Services Programmatically
- Using the sendToPrinter API
Document Security
- Document security offerings
- Enable AEM to search document security protected PDF documents
- Reader extending policy-protected PDF documents using Portable Protection Library
- Enable AEM to search document security protected PDF and Microsoft Office documents
- Protect a document on behalf of another user
Forms Designer
- Using Designer
- Designer Quick Start Tutorials
- Designer Samples
- Designer Scripting Basics
- Designer Scripting Reference
- Designer FormCalc Reference
- Using Scribble Signature in HTML5 forms
Customize AEM Forms
- Appearance framework for adaptive and HTML5 forms
- Creating a custom adaptive form template
- Creating custom layout components for adaptive forms
- Adding custom action on form lister items
- Customize layout and positioning of error messages of an adaptive form
- Creating a custom toolbar action
- Customizing form event tracking
- Create custom appearances for adaptive form fields
- Customizing Draft and Submission data services
- Dynamically populating drop-down lists
- Writing custom Submit action for adaptive forms
- Creating custom toolbar layout
- Displaying components based on the template used
- Creating custom adaptive form themes
Transaction Reports
- Transaction Reports Overview
- Viewing and Understanding Transaction Reports
- Transaction Reports Billable APIs
- Record a transaction for custom implementations
Administrator help for AEM Forms on JEE
- Get Started
  - General AEM Forms settings
  - Update the license type for the deployment
- Setting up and managing domains
  - Adding domains
  - Delete a domain
  - Configure account-locking settings
  - Editing and converting existing domains
  - Configuring authentication providers
  - Synchronizing directories
  - Configuring directories
- Configuring User Management
  - Change the order of evaluation for authentication
  - Configure the LDAP bind password
  - Configure AEM forms to prefetch domain information
  - Configuring certificate-based authentication
  - Configure SAML service provider settings
  - Enabling single sign-on in AEM forms
  - Configure User Management for an SSL-enabled LDAP server
  - Importing and exporting the configuration file
  - Configure advanced system attributes
  - Preventing CSRF attacks
- Setting up and organizing users
  - Adding and configuring users
  - Just-in-time user provisioning
  - Creating and configuring groups
  - Search for a user or group
  - Creating and configuring roles
- Connecting to a content management system
  - Configuring Connector for EMC Documentum
  - Configuring Connector for IBM FileNet
  - Configuring Connector for IBM Content Manager
  - Configuring Connector for Microsoft SharePoint
- Managing certificates and credentials
  - Adding and removing user name and password credentials
  - Managing certificate revocationlists
  - Basics of managing certificates and credentials
  - Managing certificates
  - Managing HSM credentials
  - Managing local credentials
- Importing and managing applications and archives
  - Change the number of items displayed on the Applications and Services pages
  - Import and manage archives
  - Import and manage applications
- Managing Services
  - Configure service settings
  - Starting and stopping services
- Managing Endpoints
  - Adding, enabling, modifying, or removing endpoints
  - Configuring email endpoints
  - Configuring Remoting endpoints
  - Configuring watched folder endpoints
  - Configuring Task Manager endpoints
  - Types of endpoints
- Configuring Acrobat Reader DC extensions
  - Certificate types used by Acrobat Reader DC extensions
  - Recognizing valid and expired certificates in PDF documents
  - Configuring Acrobat Reader DC extensions for data capture
  - Review credential use information
  - Configuring credentials for use with Acrobat Reader DC extensions
  - Review the usage rights of a PDF file
  - Enabling online commenting for Adobe Reader web browser plug-in
  - Setting timeout values for use with Acrobat Reader DC extensions
- Working with PDF Generator
  - Introduction to working with PDF Generator
  - Enabling multi-threaded file conversions
  - Configuring Adobe PDF settings
  - Configuring security settings
  - Configuring file type settings
  - Importing and exporting PDF Generator configuration files
  - Enable PDF/A support
  - Setting up a PDFG Network Printer (Windows only)
  - Configuring fallback fonts
  - Modifying the PDF Export conversion settings
  - Converting files using PDF Generator
- Configuring SSL
  - Overview of configuring SSL
  - Configuring SSL for JBoss Application Server
  - Configuring SSL on Windows Vista
  - Configuring SSL for WebLogic Server
  - Configuring SSL for WebSphere Application Server
- Working with document security
  - About document security
  - High-volume secure information delivery
  - Configuring client and server options
  - Managing invited and local user accounts
  - Controlling access to policy-protected documents
  - Monitoring events
  - Creating and managing policies
  - Using the document security webpages
  - Creating and managing policy sets
  - Registering as a User
- Configuring Forms
  - Basics of configuring forms
  - Setting internationalization options
  - Configuring caching for Forms
  - Specifying XCI configuration options
  - Configuring form output
  - Specifying fonts to embed
  - Configuring locations for Forms
  - Specifying security settings
  - Configuring validation messages
- Configuring Output
  - Overview of output service
  - Change the character set
  - Specify XCI configuration options
  - Configuring caching for Output
  - Specify file locations for Output
  - Make fonts available
  - Specify fonts to embed
  - Specify security settings
- Configuring forms workflow
  - About administration and process terminology
  - Managing Processes
  - Configuring Business Calendars
  - Overview of Forms workflow
  - Configuring Out of Office Settings
  - Searching for process instances
  - Configuring Server Settings
  - Working with stalled operations and branches
  - Configuring Shared Queues
  - Working with tasks
- Configuring Workspace
  - Overview of Workspace
  - Importing and exporting global settings
  - Setting the message of the day
  - Customizing search templates
  - Managing the categories displayed in Workspace
- Health Monitor
  - Overview of Health Monitor
  - Fine-tuning Health Monitor performance
  - View statistics related to Work Manager
  - View system information
  - Purge records from the Job Manager database
- Maintaining AEM forms
  - Log files
  - User Management
  - Monitoring AEM forms deployments
  - Work Manager and throttling
  - Running AEM forms in maintenance mode
- Maintaining the AEM forms Database
  - DB2 database: Running a process weekly
  - Oracle database maximum open cursors threshold
  - IBM DB2 database: Running commands for regular maintenance
  - Purging process data
  - Microsoft SQL Server database: Fine-tuning the configuration
  - Tips for minimizing database growth
- Maintaining the Application Server
  - Application server websites
  - Global document storage directory
  - Considerations when running AdministrationConsole
  - Starting and stopping WebLogic Server
  - Enhancing application server performance
  - Starting and stopping WebSphere Application Server
- AEM forms Backup and Recovery
  - Backing up and recovering the EMC Documentum repository
  - Enabling and disabling safe backup mode
  - Backing up the AEM forms data
  - Files to back up and recover
  - Backup and recovery strategy for AEM forms
  - PDF Generator backup limitations
  - Backup strategies for watched folders
  - Recovering the AEM forms data
  - Backup strategy for Connector for EMC Documentum users
  - Strategy for backup and restore in a clustered environment
- System information service
  - Set up the System information service
  - System information Service APIs
Process Reporting
- Introduction to Process Reporting
- Getting Started with Process Reporting
- How Process Reporting Works
- Pre-defined reports in Process Reporting
- Custom Reports in Process Reporting
- Ad-hoc Queries in Process Reporting
- Troubleshooting Process Reporting
Developer Reference
- Developer basics
- HTML Template Language
- AEM plug-in to debug adaptive forms
- AEM Forms Java API Reference
- AEM Forms on JEE Java API Reference
- Form Bridge APIs for HTML5 forms
- JavaScript Library API reference for Adaptive Forms
- Assembler Service and DDX Reference
- Workbench Help
- Programming with AEM Forms on JEE

Use HSM to digitally sign or certify documents

CAUTION

AEM 6.4 has reached the end of extended support and this documentation is no longer updated. For further details, see our technical support periods. Find the supported versions here.

Hardware security modules (HSM) and etokens are dedicated, hardened, and tamper-resistance computing devices designed to securely manage, process, and store digital keys. These devices are directly attached to a computer or a network server.

Adobe Experience Manager Forms can use credentials stored on an HSM or etoken to eSign or apply server-sided digital signatures to a document. To use an HSM or etoken device with AEM Forms:

Enable the DocAssurance service.
Set up certificates for Reader extension.
Create an alias for the HSM or etoken device in AEM Web Console.
Use the DocAssurance Service APIs to sign or certify the documents with digital keys stored on the device.

Before you configure the HSM or etoken devices with AEM Forms

Install AEM Forms add-on package.
Install and configure HSM or etoken client software on the same computer as AEM server. The client software is required to communicate with the HSM and etoken devices.
(Microsoft Windows only) Set the JAVA_HOME_32 environment variable to point to the directory where the 32-bit version of Java 8 Development Kit (JDK 8) is installed. The default path of the directory is C:\Program Files(x86)\Java\jdk<version>
(AEM Forms on OSGi only) Install the root certificate in the trust store. It is required to verify the signed PDF

NOTE

On Microsoft Windows, only 32-bit LunaSA or EToken clients are supported.

Enable the DocAssurance service

By default, the DocAssurance service is not enabled. Perform the following steps to enable the service:

Stop the Author instance of your AEM Forms environment.
Open the [AEM_root]\crx-quickstart\conf\sling.properties file for editing.

NOTE

If you have used the [AEM_root]\crx-quickstart\bin\start.bat file to start the AEM instance, then open the [AEM_root]\crx-quickstart\sling.properties file for editing.

Add or replace the following properties to the sling.properties file:

sling.bootdelegation.sun=sun.*,com.sun.*,sun.misc.*
sling.bootdelegation.ibm=com.ibm.xml.*,com.ibm.*
sling.bootdelegation.class.com.rsa.jsafe.provider.JsafeJCE=com.rsa.*
sling.bootdelegation.class.org.bouncycastle.jce.provider.BouncyCastleProvider=org.bouncycastle.*

Save and close the sling.properties file.
Restart the AEM instance.

Set up certificates for Reader extensions

Perform the following steps to setup certificates:

Log in to AEM Author instance as an administrator.
Click Adobe Experience Manager on Global Navigation Bar. Go to Tools > Security > Users.
Click the name field of the user account. The Edit User Settings page opens.
On the AEM Author instance, certificates reside in a KeyStore. If you have not created a KeyStore earlier, click Create KeyStore and set a new password for the KeyStore. If the server already contains a KeyStore, skip this step.
On the Edit User Settings page, click Manage KeyStore.
On KeyStore Management dialog, expand the Add Private Key from Key Store file option and provide an alias. The alias is used to perform the Reader Extensions operation.
To upload the certificate file, click Select Key Store File and upload a .pfx file.
Add the Key Store Password, Private Key Password, and Private Key Alias that is associated with the certificate to the respective fields. Click Submit.

NOTE

To determine the Private Key Alias of a certificate, you can use the Java keytool command: keytool -list -v -keystore [keystore-file] -storetype pkcs12

NOTE

In the Key Store Password and Private Key Password fields, specify the password provided with the certificate file.

NOTE

For AEM Forms on OSGi, to verify the signed PDF, the root certificate installed in the Trust Store.

NOTE

On moving to production environment, replace your evaluation credentials with production credentials. Ensure that you delete your old Reader Extensions credentials, before updating an expired or evaluations credential.

Create an alias for the device

The alias contains all the parameters that an HSM or etoken requires. Perform the instructions listed below to create an alias for each HSM or etoken credential that eSign or Digital Signatures uses :

Open AEM console. The default URL of AEM console is https://<host>:<port>/system/console/configMgr
Open the HSM Credentials Configuration Service and specify values for the following fields:
- Credential Alias: Specify a string used to identify the alias. This value is used as a property for some Digital Signatures operations, such as the Sign Signature Field operation.
- DLL Path: Specify the fully qualified path of your HSM or etoken client library on the server. For example, C:\Program Files\LunaSA\cryptoki.dll. In a clustered environment, this path must be identical for all servers in the cluster.
- HSM Pin: Specify the password required to access the device key.
- HSM Slot Id: Specify a slot identifier of type integer. The slot ID is set on a client-by-client basis. If you register a second machine to a different partition (for example, HSMPART2 on the same HSM device), then slot 1 is associated with the HSMPART2 partition for the client.
Note: While configuring Etoken, specify a numeric value for the HSM Slot Id field. A numeric value is required to get the Signatures operations working.
- Certificate SHA1: Specify SHA1 value (thumbprint) of the public key (.cer) file for the credential you are using. Ensure that there are no spaces used in the SHA1 value. If you are using a physical certificate, then it is not required.
- HSM Device Type: Select the manufacturer of the HSM (Luna or other) or eToken device.
Click Save. The hardware security module is configured for AEM Forms. Now, you can use the hardware security module with AEM Forms to sign or certify documents.

Use the DocAssurance Service APIs to sign or certify a document with digital keys stored on the device

The following sample code uses an HSM or etoken to sign or certify a document.

/*************************************************************************
 *
 * ADOBE CONFIDENTIAL
 * ___________________
 *
 * Copyright 2014 Adobe Systems Incorporated
 * All Rights Reserved.
 *
 * NOTICE:  All information contained herein is, and remains
 * the property of Adobe Systems Incorporated and its suppliers,
 * if any.  The intellectual and technical concepts contained
 * herein are proprietary to Adobe Systems Incorporated and its
 * suppliers and are protected by trade secret or copyright law.
 * Dissemination of this information or reproduction of this material
 * is strictly forbidden unless prior written permission is obtained
 * from Adobe Systems Incorporated.
 **************************************************************************/
package com.adobe.docassurance.samples;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

import javax.jcr.Binary;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.jcr.resource.JcrResourceResolverFactory;

import com.adobe.aemfd.docmanager.Document;
import com.adobe.fd.docassurance.client.api.DocAssuranceException;
import com.adobe.fd.docassurance.client.api.DocAssuranceService;
import com.adobe.fd.docassurance.client.api.DocAssuranceServiceOperationTypes;
import com.adobe.fd.docassurance.client.api.SignatureOptions;
import com.adobe.fd.signatures.client.types.exceptions.InvalidArgumentException;
import com.adobe.fd.signatures.pdf.inputs.CredentialContext;
import com.adobe.fd.signatures.pdf.inputs.DSSPreferences;
import com.adobe.fd.signatures.pdf.inputs.DSSPreferencesImpl;
import com.adobe.fd.signatures.pdf.inputs.PDFSignatureAppearenceOptions;
import com.adobe.fd.signatures.pdf.inputs.UnlockOptions;
import com.adobe.fd.signatures.pdf.inputs.PDFSignatureAppearenceOptions.PDFSignatureAppearanceType;
import com.adobe.fd.signatures.pdf.inputs.PDFSignatureAppearenceOptions.TextDirection;
import com.adobe.fd.signatures.pki.client.types.common.HashAlgorithm;
import com.adobe.fd.signatures.pki.client.types.common.RevocationCheckStyle;
import com.adobe.fd.signatures.pki.client.types.prefs.CRLPreferences;
import com.adobe.fd.signatures.pki.client.types.prefs.CRLPreferencesImpl;
import com.adobe.fd.signatures.pki.client.types.prefs.GeneralPreferencesImpl;
import com.adobe.fd.signatures.pki.client.types.prefs.PKIPreferences;
import com.adobe.fd.signatures.pki.client.types.prefs.PKIPreferencesImpl;
import com.adobe.fd.signatures.pki.client.types.prefs.PathValidationPreferences;
import com.adobe.fd.signatures.pki.client.types.prefs.PathValidationPreferencesImpl;

/**
 * Digital signatures can be applied to PDF documents to provide a level of security. Digital signatures, like handwritten signatures, provide a means by which signers
 * identify themselves and make statements about a document. The technology used to digitally sign documents helps to ensure that both the signer and recipients are clear
 * about what was signed and confident that the document was not altered since it was signed.
 *
 * PDF documents are signed by means of public-key technology. A signer has two keys: a public key and a private key. The private key is stored in a user's credential that
 * must be available at the time of signing. The public key is stored in the user's certificate that must be available to recipients to validate the signature. Information
 * about revoked certificates is found in certificate revocation lists (CRLs) and Online Certificate Status Protocol (OCSP) responses distributed by Certificate Authorities (CAs).
 * The time of signing can be obtained from a trusted source known as a Timestamping Authority.
 *
 * The following Java code example digitally signs a PDF document that is based on a PDF file.
 * The alias that is specified for the security credential is secure, and revocation checking is performed.
 * Because no CRL or OCSP server information is specified, the server information is obtained from the certificate used to
 * digitally sign the PDF document
 *
 * PreRequisites - Digital certificate for signing the document has to be uploaded on Granite Key Store
 */

@Component
@Service(value=Sign.class)
public class Sign{
 @Reference
 private DocAssuranceService docAssuranceService;

 @Reference
    private SlingRepository slingRepository;

 @Reference
    private JcrResourceResolverFactory jcrResourceResolverFactory ;

 /**
  *
  * @param inputFile - path to the pdf document stored at JCR node
  * @param outputFile - path to the pdf document where the output needs to be stored
  * @throws IOException
  * @throws RepositoryException
  * @throws InvalidArgumentException
  * @throws DocAssuranceException
  */
 public void signExtend(String inputFile, String outputFile, String alias) throws IOException, RepositoryException, InvalidArgumentException, DocAssuranceException{

  Document inDoc = new Document(inputFile);
  Document outDoc = null;

  Session adminSession = null;
        ResourceResolver resourceResolver = null;
        try {

          /** resourceResolver with admin privileges to be passed to SignatureServiceAPI and Reader Extensions
          the resource resolver for signature options has to be corresponding to the user who has the signing certificate in his granite key store
          the resource resolver for signature options has to be corresponding to the user who has the credential for reader extension in his granite key store
          here we are using the same resource resolver
          */
          adminSession = slingRepository.loginAdministrative(null);
             resourceResolver = jcrResourceResolverFactory.getResourceResolver(adminSession);

             //retrieve specifications for each of the services, you may pass null if you don't want to use that service
             //as we don't want encryption in this case, passing null for Encryption Options
             //for encrypted document pass Unlock Options - see the method getUnlockOptions() below
    outDoc = docAssuranceService.secureDocument(inDoc, null, getSignatureOptions(alias,resourceResolver),null,null);
        }
  catch(Exception e){
   e.printStackTrace();
  }
        finally{
            /**
             * always close the PDFDocument object after your processing is done.
             */
            if(inDoc != null){
                inDoc.close();
            }
            if(adminSession != null && adminSession.isLive()){
                if(resourceResolver != null){
                    resourceResolver.close();
                }
                adminSession.logout();
            }
        }

        //flush the output document contents to JCR Node
  flush(outDoc, outputFile);

 }

 /**
  *
  * @param rr resource resolver corresponding to the user with the access to signing credential for the
  * given alias "allcertificatesanypolicytest11ee_new" in this case
  * @return SignatureOptions
  */
 private SignatureOptions getSignatureOptions(String alias, ResourceResolver rr){

  //create an instance of SignatureOptions
  SignatureOptions signatureOptions = SignatureOptions.getInstance();

  //set the operation you want to perform - SIGN/CERTIFY
  signatureOptions.setOperationType(DocAssuranceServiceOperationTypes.SIGN);

  //field to sign
  String fieldName = "Signature1" ;

        //Hash Algo to be used to compute digest the PDF document
        HashAlgorithm algo = HashAlgorithm.SHA384;

        //Reason for signing/certifying
        String reason = "Test Reason";

        //location of the signer
        String location = "Test Location";

        //contact info of the signer
        String contactInfo = "Test Contact";

        //Create a PDFSignatureAppearanceOptions object
        //and show date information
        PDFSignatureAppearenceOptions appOptions = new PDFSignatureAppearenceOptions(
                PDFSignatureAppearanceType.NAME, null, 1.0d, null, true, true,
                true, true, true, true, true, TextDirection.AUTO);

        signatureOptions.setSignatureFieldName(fieldName);
        signatureOptions.setAlgo(algo);
        signatureOptions.setContactInfo(contactInfo);
        signatureOptions.setLocation(location);
        signatureOptions.setSigAppearence(appOptions);
        signatureOptions.setReason(reason);
        signatureOptions.setDssPref(getDSSPreferences(rr));
        signatureOptions.setCredential(new CredentialContext(alias, rr, true));
  return signatureOptions;
 }

 private DSSPreferences getDSSPreferences(ResourceResolver rr){
  //sets the DSS Preferences
        DSSPreferencesImpl prefs = DSSPreferencesImpl.getInstance();
        prefs.setPKIPreferences(getPKIPreferences());
        GeneralPreferencesImpl gp = (GeneralPreferencesImpl) prefs.getPKIPreferences().getGeneralPreferences();
        gp.setDisableCache(true);
        return prefs;
    }

    private PKIPreferences getPKIPreferences(){
     //sets the PKI Preferences
        PKIPreferences pkiPref = new PKIPreferencesImpl();
        pkiPref.setCRLPreferences(getCRLPreferences());
        pkiPref.setPathPreferences(getPathValidationPreferences());
        return pkiPref;
    }

    private CRLPreferences getCRLPreferences(){
        //specifies the CRL Preferences
        CRLPreferencesImpl crlPrefs = new CRLPreferencesImpl();
        crlPrefs.setRevocationCheck(RevocationCheckStyle.CheckIfAvailable);
        crlPrefs.setGoOnline(true);
        return crlPrefs;
    }

    private PathValidationPreferences getPathValidationPreferences(){
     //sets the path validation preferences
        PathValidationPreferencesImpl pathPref = new PathValidationPreferencesImpl();
        pathPref.setDoValidation(false);
        return pathPref;

    }

    /**
     * sets Unlock Options for encrypted PDF
     */
    private UnlockOptions getUnlockOptions(){
        UnlockOptions unlockOptions = new UnlockOptions();
        //sets the Open Password for password encrypted PDF
        unlockOptions.setPassword("OpenPassword");

        //for Certificate Encrypted Document, set the alias of the credential uploaded in the user's key store
        //and corresponding resource resolver

        return unlockOptions;

    }
    /**
     * This method copies the data from {@code Document}, to the specified file at the given resourcePath.
     * @param doc
     * @param resourcePath
     * @throws IOException
     */
    private void flush(Document doc, String resourcePath) throws IOException {
   //extracts the byte data from Document
   byte[] output = doc.getInlineData();
   Binary opBin;
   Session adminSession = null;
      try {
         adminSession = slingRepository.loginAdministrative(null);

         //get access to the specific node
         //here we are assuming that node exists
           Node node = adminSession.getNode(resourcePath);

           //convert byte[] to Binary
           opBin = adminSession.getValueFactory().createBinary((InputStream)new ByteArrayInputStream(output));

           //set the Binary data value to node's jcr:data
           node.getNode("jcr:content").getProperty("jcr:data").setValue(opBin);
      } catch (RepositoryException e) {

      }
      finally{

       if(adminSession != null && adminSession.isLive()){
        try {
      adminSession.save();
      adminSession.logout();
     } catch (RepositoryException e) {

     }

             }
      }

  }
}

If you have upgraded from AEM 6.0 Form or AEM 6.1 Forms, and you were using the DocAssurance service in the previous version, then:

To use the DocAssurance service without an HSM or etoken device, keep using the existing code.
To use the DocAssurance service with an HSM or etoken device, replace your existing CredentialContext object code with the API listed below.

/**
  *
  * @param credentialAlias alias of the PKI Credential stored in CQ Key Store or
  * the alias of the HSM Credential configured using HSM Credentials Configuration Service.
  * @param resourceResolver corresponding to the user with the access to the key store and trust store.
  * @param isHSMCredential if the alias is corresponding to HSM Credential.
  */
 public CredentialContext(String credentialAlias, ResourceResolver resourceResolver, boolean isHSMCredential);

For detailed information about APIs and sample code of the DocAssurance service, see Using AEM Document Services Programmatically.

Business.Adobe.com resources

Multichannel Communication Content Insights Asset Collections Mobile Forms Theme Editor Headless Cms

Use HSM to digitally sign or certify documents

Before you configure the HSM or etoken devices with AEM Forms

Enable the DocAssurance service

Set up certificates for Reader extensions

Create an alias for the device

Use the DocAssurance Service APIs to sign or certify a document with digital keys stored on the device

Business.Adobe.com resources

On this page

View next:

Learn

Documentation

Community

Support

Resources

Adobe Account

Adobe