- AEM 6.5 Forms Guide
- Release Notes
- Getting Started
- Introduction to AEM Forms
- Introduction to authoring adaptive forms
- Introduction to Interactive Communications
- Introduction to managing forms
- Introduction to Automated Forms Conversion service
- Tutorial: Create your First Adaptive Form
- Tutorial: Create your First Interactive Communication
- AEM Forms Reference Collaterals
- Set up and configure We.Gov and We.Finance reference site
- We.Gov and We.Finance reference site walkthrough
- Employee recruitment reference site walkthrough
- We.Finance Auto Insurance Renewal reference site
- We.Gov reference site FOIA walkthrough
- Reference adaptive form fragments
- Reference Themes
- Reference letter templates
- Configure Microsoft Dynamics 365 for the home mortgage workflow of the We.Finance reference site
- Install and configure AEM Forms
- Architecture and deployment topologies for AEM Forms
- Choosing a persistence type for an AEM Forms installation
- Install AEM Forms on OSGi
- Install AEM Forms on JEE
- Supported platforms for AEM forms on JEE
- Installing and Deploying AEM Forms on JEE Using JBoss Turnkey
- Installing and configuring AEM Forms Document Security server
- Preparing to install AEM Forms (Single Server)
- Installing and Deploying Adobe Experience Manager Forms on JEE for JBoss
- Installing and Deploying Adobe Experience Manager forms on JEE for WebSphere
- Installing and Deploying AEM Forms on JEE for WebLogic
- Install AEM Forms Workbench
- Install and configure Designer
- Preparing to Install AEM Forms (Server Cluster)
- Configuring Adobe Experience Manager Forms on JEE on JBoss Cluster
- Configuring Adobe Experience Manager Forms on JEE on WebSphere Cluster
- Configuring Adobe Experience Manager Forms on JEE on WebLogic Cluster
- Configure AEM Forms
- Performance tuning of AEM Forms server
- Configure adaptive forms cache
- Configuring AEM DS settings
- Configuring the synchronization scheduler
- Configuring the Connector for Microsoft SharePoint
- Connecting AEM Forms with Adobe LiveCycle
- Configuring AEM Forms to submit form data to an AEM Forms on JEE process
- AEM desktop app for AEM Forms
- Upgrade AEM Forms
- Available upgrade paths
- Upgrade AEM Forms on OSGi
- Upgrade AEM Forms on JEE
- Preparing to upgrade AEM Forms
- Adobe Experience Manager Forms on JEE upgrade checklist and planning
- Upgrade to AEM 6.5 forms on JEE
- Upgrading to Adobe Experience Manager Forms on JEE for JBoss
- Upgrading to AEM Forms on JEE for JBoss Turnkey
- Upgrading to Adobe Experience Manager Forms on JEE for WebSphere
- Upgrading to Adobe Experience Manager Forms on JEE for WebLogic
- Manage AEM Forms
- AEM Forms on OSGi Groups and Privileges
- Create new folders to categorize forms
- Searching for forms and assets
- Manage form metadata
- Download an XFA or a PDF form template
- Deleting forms and related resources
- Getting XDP and PDF documents in AEM Forms
- Importing and exporting assets to AEM Forms
- Supporting new locales for adaptive forms localization
- Handling user data
- Hardening AEM Forms Environment
- Form Data Model
- Adaptive Forms - Core Components
- Adaptive Forms - Basic Authoring
- Best practices for working with adaptive forms
- Creating an adaptive form
- Create or add an Adaptive Form to AEM Sites page
- Adaptive form fragments
- Configuring the Submit action
- Using CAPTCHA in adaptive forms
- Adaptive forms keywords
- Tables in adaptive forms
- Auto-save an adaptive form
- Configuring redirect page
- Creating accessible adaptive forms
- Creating forms with repeatable sections
- Embed an adaptive form or interactive communication in AEM sites page
- Embed adaptive form in external web page
- Inline styling of adaptive form components
- Introduction to multi-step form sequence
- Layout capabilities of adaptive forms
- Placeholder text in AEM Forms
- Previewing a form
- Reusing adaptive forms
- Separator component in adaptive forms
- Apply electronic signatures to a form using scribble signatures
- AEM Forms Keyboard Shortcuts
- Associating submission reviewers with a form
- Authoring in-context help for form fields
- Use Layout mode to resize components
- Connect and submit Adaptive Form data to Microsoft® Power Automate
- Adaptive Forms - Advanced Authoring
- Creating adaptive forms using JSON Schema
- Creating adaptive forms using XML Schema
- Using Adobe Sign in an adaptive form
- Creating and using themes
- Adaptive forms rule editor
- API to invoke form data model service from adaptive forms
- Asynchronous submission of adaptive forms
- Create an adaptive form using a set of adaptive forms
- Adaptive Form Templates
- Adaptive Form Expressions
- Generate Document of Record for adaptive forms
- Improve performance of large forms with lazy loading
- Prefill adaptive form fields
- Using SOM expressions in adaptive forms
- Adding information from user data to form submission metadata
- XFA support in XDP-based adaptive forms
- Grant rule editor access to select user groups
- Using AEM translation workflow to localize adaptive forms and document of record
- Styling constructs for adaptive forms
- Synchronizing Adaptive Forms with XFA Form Templates
- Integrate Adobe Sign with AEM Forms
- Creating and managing reviews for assets in forms
- Embed an adaptive form or Interactive Communication in AEM Sites Single Page Application
- Create and use custom error handler for Adaptive Forms
- Interactive Communications
- Introduction to Interactive Communication authoring UI
- Create an Interactive Communication
- Using charts in Interactive Communications
- Texts in Interactive Communications
- Conditions in Interactive Communications
- Prepare and send Interactive Communication using the Agent UI
- Print channel and web channel
- Interactive Communications configuration properties
- Generate multiple interactive communications
- Use Layout mode to resize components
- Workflows
- Forms-centric workflow on OSGi
- Forms-centric workflow on OSGi - Step Reference
- Dynamically select a user or group for AEM Forms-centric workflow steps
- Actions and capabilities of Form-centric AEM Workflows on OSGi and AEM Forms JEE workflows
- Initiate Document Services APIs from AEM Workflow
- Logging in AEM Forms workflows
- Variables in AEM workflows
- Share and request access to Inbox items of a user
- Configure Out of Office
- AEM Forms Workspace
- Introduction to AEM Forms workspace
- Working with AEM Forms workspace
- AEM Forms Workspace Architecture
- Features of AEM Forms workspace not available in Flex workspace
- Features of Flex workspace not available in AEM Forms workspace
- Backbone interaction
- Description of reusable components
- Document details for renderer
- Integrating AEM Forms workspace components in web applications
- New render and submit service
- Understanding the folder structure
- Integrating third-party applications in AEM Forms workspace
- AEM Forms workspace JSON object description
- Introduction to Customizing AEM form workspace
- Generic steps for AEM Forms workspace customization
- Changing the locale of AEM Forms workspace user interface
- Creating a new login screen
- Customizing error dialogs
- Customizing tabs for a task
- Customizing the task details page
- Customizing the listing of process instances
- Customizing Task Actions
- Displaying additional data in ToDo list
- Getting Task Variables in Summary URL
- Customize images used in route actions
- Minification of the JavaScript files
- Customize tracking tables
- Updating the link to the documentation
- Working with Formsets in AEM Forms workspace
- APIs used in AEM Forms workspace
- Initiating a new process with existing process data in AEM Forms workspace
- Hosting two AEM Forms workspace instances on one server
- Changing the color scheme of the interface
- Changing the font on the interface
- Changing the organization logo for branding
- Displaying information in the Task Summary pane
- Displaying the user avatar
- Getting started with AEM Forms workspace
- Managing tasks in an organizational hierarchy using Manager View
- Starting processes
- Tracking processes
- Single Sign On and timeout handlers
- Using an adaptive form in HTML Workspace
- Integrating AEM forms workspace with Microsoft Office SharePoint Server
- Working with To-do lists
- Troubleshooting guidelines for AEM Forms workspace
- AEM Forms app
- Introduction to AEM Forms app
- Set up environment for AEM Forms app
- Set up the Xcode project and build the iOS app
- Building a secure AEM Forms app for iOS
- Set up the Visual Studio project and build the Windows app
- Set up the Android studio project and build the Android app
- Build the AEM Forms Android app
- Distribute AEM Forms app
- Gesture customization
- Branding Customization
- Theme Customization
- Logging in to AEM Forms app
- Home screen
- Synchronizing the app
- Working with a Form
- Working with Startpoints
- Opening a task
- Saving a task or form as a draft
- Using autosave in AEM Forms app
- Save forms as templates
- Adding attachments
- Working in the offline mode
- Updating general settings
- Troubleshoot AEM Forms app
- HTML5 Forms
- Introduction to HTML5 forms
- Getting started with HTML5 forms
- Architecture of HTML5 forms
- Feature differentiation between HTML5 forms and PDF forms
- Frequently asked questions (FAQ) for HTML5 forms
- Designing form templates for HTML5 forms
- Best practices for HTML5 forms
- Designing accessible HTML5 forms
- Generate HTML5 preview of an XDP form
- Rendering form template for HTML5 forms
- Enabling attachments for an HTML5 form
- HTML5 forms service proxy
- Optimizing HTML5 forms
- Screen readers for HTML5 forms
- Creating a custom profile for HTML5 forms
- Right-to-left languages in HTML5 forms
- Integrating Form Bridge with custom portal for HTML5 forms
- Create custom appearances in HTML5 forms
- Changing default styles of HTML5 forms
- Picture clause support for HTML5 forms
- Create accessible complex tables in HTML5 forms
- Creating CSS styles for HTML5 forms
- Customizing error messages for HTML5 forms
- Saving an HTML5 form as a draft
- Enable logging for HTML5 forms
- Debugging HTML5 forms
- Scripting support for HTML5 forms
- Form set in AEM Forms
- Letters and Correspondences
- Correspondence Management Overview
- Layout Design
- Data Dictionary
- Document Fragments
- Create Letter
- Create Correspondence
- Remote functions in Expression Builder
- Manage agent signature images
- Post processing of letters and interactive communications
- Add custom action to the Asset Listing view
- Add custom action/button in Create Correspondence UI
- Add custom properties to Correspondence Management assets
- Customize create correspondence UI
- Customize text editor
- Correspondence Management: Troubleshooting
- APIs to access letter instances
- Integrating Create Correspondence UI with your custom portal
- Custom special characters in Correspondence Management
- Custom watermark in letter PDF preview
- Configuring a Correspondence Management solution
- Inline condition and repeat in Interactive Communications and letters
- Document Fragments
- Correspondence Management Configuration Properties
- Integrate AEM Forms with Experience Cloud solutions
- Publish and process AEM Forms
- Introduction to publishing forms on a portal
- Sample for integrating drafts & submissions component with database
- Configuring storage services for drafts and submissions
- Manage Forms applications and tasks in AEM Inbox
- Watched folder in AEM Forms
- Drafts and submissions component
- Embedding link component in a page
- Publishing and unpublishing forms and documents
- Listing forms on a web page using APIs
- Accessing and filling published forms
- Sending a form submission acknowledgement via email
- Create or Configure a watched folder
- Use custom email templates in an Assign Task step
- Use metadata in an email notification
- Forms Portal
- Document Services
- Document Security
- Document security offerings
- Enable AEM to search document security protected PDF documents
- Reader extending policy-protected PDF documents using Portable Protection Library
- Enable AEM to search document security protected PDF and Microsoft Office documents
- Protect a document on behalf of another user
- Forms Designer
- Customize AEM Forms
- Appearance framework for adaptive and HTML5 forms
- Creating a custom adaptive form template
- Creating custom layout components for adaptive forms
- Adding custom action on form lister items
- Customize layout and positioning of error messages of an adaptive form
- Creating a custom toolbar action
- Customizing form event tracking
- Create custom appearances for adaptive form fields
- Customizing Draft and Submission data services
- Dynamically populating drop-down lists
- Writing custom Submit action for adaptive forms
- Creating custom toolbar layout
- Displaying components based on the template used
- Creating custom adaptive form themes
- Transaction Reports
- Administrator help for AEM Forms on JEE
- Get Started
- Setting up and managing domains
- Configuring User Management
- Change the order of evaluation for authentication
- Configure the LDAP bind password
- Configure AEM forms to prefetch domain information
- Configuring certificate-based authentication
- Configure SAML service provider settings
- Enabling single sign-on in AEM forms
- Configure User Management for an SSL-enabled LDAP server
- Importing and exporting the configuration file
- Configure advanced system attributes
- Preventing CSRF attacks
- Setting up and organizing users
- Connecting to a content management system
- Managing certificates and credentials
- Importing and managing applications and archives
- Managing Services
- Managing Endpoints
- Configuring Acrobat Reader DC extensions
- Certificate types used by Acrobat Reader DC extensions
- Recognizing valid and expired certificates in PDF documents
- Configuring Acrobat Reader DC extensions for data capture
- Review credential use information
- Configuring credentials for use with Acrobat Reader DC extensions
- Review the usage rights of a PDF file
- Enabling online commenting for Adobe Reader web browser plug-in
- Setting timeout values for use with Acrobat Reader DC extensions
- Updating expired Reader Extension service certificates
- Working with PDF Generator
- Introduction to working with PDF Generator
- Enabling multi-threaded file conversions
- Configuring Adobe PDF settings
- Configuring security settings
- Configuring file type settings
- Importing and exporting PDF Generator configuration files
- Enable PDF/A support
- Setting up a PDFG Network Printer (Windows only)
- Configuring fallback fonts
- Modifying the PDF Export conversion settings
- Converting files using PDF Generator
- Configuring SSL
- Working with document security
- About document security
- High-volume secure information delivery
- Configuring client and server options
- Managing invited and local user accounts
- Controlling access to policy-protected documents
- Monitoring events
- Creating and managing policies
- Using the document security webpages
- Creating and managing policy sets
- Registering as a User
- Configuring Forms
- Configuring Output
- Configuring forms workflow
- About administration and process terminology
- Managing Processes
- Configuring Business Calendars
- Overview of Forms workflow
- Configuring Out of Office Settings
- Searching for process instances
- Configuring Server Settings
- Working with stalled operations and branches
- Configuring Shared Queues
- Working with tasks
- Configuring Workspace
- Health Monitor
- Maintaining AEM forms
- Maintaining the AEM forms Database
- Maintaining the Application Server
- AEM forms Backup and Recovery
- Backing up and recovering the EMC Documentum repository
- Enabling and disabling safe backup mode
- Backing up the AEM forms data
- Files to back up and recover
- Backup and recovery strategy for AEM forms
- PDF Generator backup limitations
- Backup strategies for watched folders
- Recovering the AEM forms data
- Backup strategy for Connector for EMC Documentum users
- Strategy for backup and restore in a clustered environment
- System information service
- Process Reporting
- Developer Reference
- Developer basics
- HTML Template Language
- AEM plug-in to debug adaptive forms
- AEM Forms Java API Reference
- AEM Forms on JEE Java API Reference
- Form Bridge APIs for HTML5 forms
- JavaScript Library API reference for Adaptive Forms
- Assembler Service and DDX Reference
- Workbench Help
- Programming with AEM Forms on JEE
- Introduction to programming with AEM Forms on JEE
- Developing SPIs for AEM Forms
- Java API Quick Start - Code Examples
- Application Manager Client JavaAPI Quick Start(SOAP)
- Application Manager Service JavaAPI Quick Start(SOAP)
- Assembler Service Java API QuickStart(SOAP)
- Acrobat Reader DC extensions Service Java API Quick Start(SOAP)
- Backup and Restore Service APIQuick Starts
- Barcoded Forms Service Java APIQuick Start(SOAP)
- Components and Services Java APIQuick Start(SOAP)
- Convert PDF Service Java API QuickStart(SOAP)
- Credential Service Java API QuickStart(SOAP)
- Distiller Service Java API QuickStart(SOAP)
- DocConverter Service Java API QuickStart(SOAP)
- Document Management Service (Deprecated)Java API Quick Start(SOAP)
- Document Security Service JavaAPI Quick Start(SOAP)
- Encryption Service Java API QuickStart(SOAP)
- Endpoint Registry Java API QuickStart(SOAP)
- Form Data Integration Service JavaAPI Quick Start(SOAP)
- Forms Service API Quick Starts
- Generate PDF Service Java API QuickStart(SOAP)
- Invocation API Quick Starts
- LiveCycleProcess Java API(SOAP)Quick Start
- Output Service Java API Quick Start(SOAP)
- PDF Utilities Service Java APIQuick Start(SOAP)
- Repository Service API Quick Starts
- Signature Service Java API QuickStart(SOAP)
- Task Manager Service Java API QuickStart(SOAP)
- User Manager Java API Quick Start(SOAP)
- XMP Utilities Service Java APIQuick Start(SOAP)
- Invoking AEM Forms on JEE using APIs
- Performing Service Operations using APIs
- Performing Service Operations Using APIs
- Rendering Forms
- Assembling PDF Documents
- Programmatically Assembling PDF Documents
- Converting Between File Formats and PDF
- Programmatically Disassembling PDF Documents
- Assembling Encrypted PDF Documents
- Assembling Multiple XDP Fragments
- Assembling Documents Using Bates Numbering
- Assembling Non-Interactive PDF Documents
- Assembling PDF Documents with Bookmarks
- Assigning Usage Rights
- Assembling PDF Portfolios
- Calculating Form Data
- Creating Web Applications thatRenders Forms
- Creating PDF Documents with SubmittedXML Data
- Disassemble a PDF document using the web service API
- Determining Whether Documents Are PDF/A-Compliant
- Dynamically Creating DDX Documents
- Handling Submitted Forms
- Optimizing the Performance of theForms Service
- Passing Documents to the FormsService
- Prepopulating Forms with Flowable Layouts
- Rendering Forms Based on Fragments
- Rendering Forms By Value
- Rendering Forms as HTML
- Rendering Forms at the Client
- Rendering HTML Forms Using Custom CSS Files
- Rendering HTML Forms with CustomToolbars
- Rendering Interactive PDF Forms
- Rendering Rights-Enabled Forms
- Validating DDX Documents
- Converting PDF to Postscript andImage Files
- Converting Postscript to PDF Documents
- Creating Document Output Streams
- Digitally Signing and Certifying Documents
- Encrypting and Decrypting PDF Documents
- Importing and Exporting Data
- Managing Users
- Working with AEM Forms Repository
- Working with barcoded forms
- Working with Credentials
- Working with PDF/A Documents
- Working with PDF Utilities
- Working with XMP Utilities
- Preparing AEM Forms for Backup
- Programmatically Managing Endpoints
- Programmatically managing the Preferences Nodes
- Protecting Documents with Policies
- Validate a DDX document using the web service API
- Troubleshooting
- Unable to use some forms features with certain versions of Oracle JDK
- Additional Steps to get Email with Attachment for Adaptive Forms On JEE version
- Unable to convert Word or Excel file to PDF on Windows Server
- Unable to open XFA-based PDF forms in Google Chrome, Firefox, Microsoft Edge, Microsoft Internet Explorer, or Apple Safari
- Unable to restore CRX Repository
- Service unavailable errors after installing AEM 6.5.15.0 service pack
- AEM Forms JEE 6.5.15.0 service pack installation issue on JBoss Linux environment
- Legacy documentation
- Using the execute script service in AEM Forms on JEE Workbench to build XML data
- Compressing and decompressing files using a AEM Forms on JEE Custom DSC
- Configuring and troubleshooting an AEM Forms on JEE server cluster
- Generating and working with Hashes in dynamic PDF forms
- Passing credentials using WS-Security headers
Digitally Signing and Certifying Documents
Samples and examples in this document are only for AEM Forms on JEE environment.
About the Signature Service
The Signature service lets your organization protect the security and privacy of Adobe PDF documents that it distributes and receives. This service uses digital signatures and certification to ensure that only intended recipients can alter documents. Because security features are applied to the document itself, the document remains secure and controlled for its entire life cycle. A document remains secure beyond the firewall, when it is downloaded offline, and when it is submitted back to your organization.
You can create a custom signature handler for the Signature service that is invoked when certain operations are invoked, such as signing a PDF document.
Signature field names
Some Signature service operations require that you specify the name of the signature field on which an operation is performed. For example, when signing a PDF document, you specify the name of the signature field to sign. Assume that the full name of a signature field is form1[0].Form1[0].SignatureField1[0]. You can specify SignatureField1[0] instead of form1[0].Form1[0].SignatureField1[0].
Sometimes a conflict causes the Signature service to sign (or perform another operation that requires the signature field name) the wrong field. This conflict is the result of the name SignatureField1[0] appearing in two or more places in the same PDF document. For example, consider a PDF document that contains two signature fields named form1[0].Form1[0].SignatureField1[0] and form1[0].Form1[0].SubForm1[0].SignatureField1[0] and you specify SignatureField1[0]. In this situation, the Signature service signs the first signature field that it finds while iterating over all the signature fields in the document.
If there are multiple signature fields located within a PDF document, it is recommended that you specify the full names of the signature fields. That is, specify form1[0].Form1[0].SignatureField1[0]instead of SignatureField1[0].
You can accomplish these tasks using the Signature service:
- Add and delete digital signature fields to a PDF document. (See Adding Signature Fields.)
- Retrieve the names of signature fields located in a PDF document. (See Retrieving Signature Field Names.)
- Modify signature fields. (See Modifying Signature Fields.)
- Digitally sign PDF documents. (See Digitally Signing PDF Documents.)
- Certify PDF documents. (See Certifying PDF Documents.)
- Validate digital signatures located in a PDF document. (See Verifying Digital Signatures.)
- Validate all digital signatures located in a PDF document. (See Verifying Multiple Digital Signatures.)
- Remove a digital signature from a signature field. (See Removing Digital Signatures.)
For more information about the Signature service, see Services Reference for AEM Forms…
Adding Signature Fields
Digital signatures appear in signature fields, which are form fields that contain a graphic representation of the signature. Signature fields can be visible or invisible. Signers can use a preexisting signature field, or a signature field can be programmatically added. In either case, the signature field must exist before a PDF document can be signed.
You can programmatically add a signature field by using the Signature service Java API or Signature web service API. You can add more than one signature field to a PDF document; however, each signature field name must be unique.
Some PDF document types do not let you programmatically add a signature field. For more information about the Signature service and adding signature fields, see Services Reference for AEM Forms.
Summary of steps
To add a signature field to a PDF document, perform the following tasks:
- Include project files.
- Create a Signature client.
- Get a PDF document to which a signature field is added.
- Add a signature field.
- Save the PDF document as a PDF file.
Include project files
Include necessary files into your development project. If you are creating a client application using Java, include the necessary JAR files. If you are using web services, ensure that you include the proxy files.
The following JAR files must be added to your project’s classpath:
- adobe-livecycle-client.jar
- adobe-usermanager-client.jar
- adobe-signatures-client.jar
- adobe-utilities.jar (required if AEM Forms is deployed on JBoss)
- jbossall-client.jar (required if AEM Forms is deployed on JBoss)
Create a Signature client
Before you can programmatically perform a Signature service operation, you must create a Signature service client.
Get a PDF document to which a signature field is added
You must obtain a PDF document to which a signature field is added.
Add a signature field
To successfully add a signature field to a PDF document, you specify coordinate values that identify the location of the signature field. (If you add an invisible signature field, these values are not required.) Also, you can specify which fields in the PDF document are locked after a signature is applied to the signature field.
Save the PDF document as a PDF file
After the Signature service adds a signature field to the PDF document, you can save the document as a PDF file so that users can open it in Acrobat or Adobe Reader.
See also
Including AEM Forms Java library files
Digitally Signing PDF Documents
Add signature fields using the Java API
Add a signature field by using the Signature API (Java):
-
Include project files
Include client JAR files, such as adobe-signatures-client.jar, in your Java project’s classpath.
-
Create a Signature client
- Create a
ServiceClientFactoryobject that contains connection properties. - Create a
SignatureServiceClientobject by using its constructor and passing theServiceClientFactoryobject.
- Create a
-
Get a PDF document to which a signature field is added
- Create a
java.io.FileInputStreamobject that represents the PDF document to which a signature field is added by using its constructor and passing a string value that specifies the location of the PDF document. - Create a
com.adobe.idp.Documentobject by using its constructor and passing thejava.io.FileInputStreamobject.
- Create a
-
Add a signature field
-
Create a
PositionRectangleobject that specifies the signature field location by using its constructor. Within the constructor, specify coordinate values. -
If desired, create a
FieldMDPOptionsobject that specifies the fields that are locked when a digital signature is applied to the signature field. -
Add a signature field to a PDF document by invoking the
SignatureServiceClientobject’saddSignatureFieldmethod and passing the following values:- A
com.adobe.idp.Documentobject that represents the PDF document to which a signature field is added. - A string value that specifies the name of the signature field.
- A
java.lang.Integervalue that represents the page number to which a signature field is added. - A
PositionRectangleobject that specifies the location of the signature field. - A
FieldMDPOptionsobject that specifies fields in the PDF document that are locked after a digital signature is applied to the signature field. This parameter value is optional, and you can passnull.
- A
-
A
PDFSeedValueOptionsobject that specifies various run-time values. This parameter value is optional, and you can passnull.The
addSignatureFieldmethod returns acom.adobe.idp.Documentobject that represents a PDF document that contains a signature field.
NOTEYou can invoke the
SignatureServiceClientobject’saddInvisibleSignatureFieldmethod to add an invisible signature field. -
-
Save the PDF document as a PDF file
- Create a
java.io.Fileobject and ensure that the file extension is .pdf. - Invoke the
com.adobe.idp.Documentobject’scopyToFilemethod to copy the contents of theDocumentobject to the file. Ensure that you use thecom.adobe.idp.Documentobject that was returned by theaddSignatureFieldmethod.
- Create a
See also
Signature Service API Quick Starts
Add signature fields using the web service API
To add a signature field by using the Signature API (web service):
-
Include project files
Create a Microsoft .NET project that uses MTOM. Ensure that you use the following WSDL definition:
http://localhost:8080/soap/services/SignatureService?WSDL&lc_version=9.0.1.NOTEReplace
localhostwith the IP address of the server hosting AEM Forms. -
Create a Signature client
-
Create a
SignatureServiceClientobject by using its default constructor. -
Create a
SignatureServiceClient.Endpoint.Addressobject by using theSystem.ServiceModel.EndpointAddressconstructor. Pass a string value that specifies the WSDL to the AEM Forms service (for example,http://localhost:8080/soap/services/SignatureService?WSDL). You do not need to use thelc_versionattribute. This attribute is used when you create a service reference.) -
Create a
System.ServiceModel.BasicHttpBindingobject by getting the value of theSignatureServiceClient.Endpoint.Bindingfield. Cast the return value toBasicHttpBinding. -
Set the
System.ServiceModel.BasicHttpBindingobject’sMessageEncodingfield toWSMessageEncoding.Mtom. This value ensures that MTOM is used. -
Enable basic HTTP authentication by performing the following tasks:
- Assign the AEM forms user name to the field
SignatureServiceClient.ClientCredentials.UserName.UserName. - Assign the corresponding password value to the field
SignatureServiceClient.ClientCredentials.UserName.Password. - Assign the constant value
HttpClientCredentialType.Basicto the fieldBasicHttpBindingSecurity.Transport.ClientCredentialType. - Assign the constant value
BasicHttpSecurityMode.TransportCredentialOnlyto the fieldBasicHttpBindingSecurity.Security.Mode.
- Assign the AEM forms user name to the field
-
-
Get a PDF document to which a signature field is added
- Create a
BLOBobject by using its constructor. TheBLOBobject is used to store the PDF document that will contain a signature field. - Create a
System.IO.FileStreamobject by invoking its constructor and passing a string value that represents the file location of the PDF document and the mode in which to open the file. - Create a byte array that stores the content of the
System.IO.FileStreamobject. You can determine the size of the byte array by getting theSystem.IO.FileStreamobject’sLengthproperty. - Populate the byte array with stream data by invoking the
System.IO.FileStreamobject’sReadmethod and passing the byte array, the starting position, and the stream length to read. - Populate the
BLOBobject by assigning itsMTOMproperty with the contents of the byte array.
- Create a
-
Add a signature field
Add a signature field to the PDF document by invoking the
SignatureServiceClientobject’saddSignatureFieldmethod and passing the following values:- A
BLOBobject that represents the PDF document to which a signature field is added. - A string value that specifies the signature field name.
- An integer value that represents the page number to which a signature field is added.
- A
PositionRectobject that specifies the location of the signature field. - A
FieldMDPOptionsobject that specifies fields in the PDF document that are locked after a digital signature is applied to the signature field. This parameter value is optional, and you can passnull. - A
PDFSeedValueOptionsobject that specifies various run-time values. This parameter value is optional, and you can passnull.
The
addSignatureFieldmethod returns aBLOBobject that represents a PDF document that contains a signature field. - A
-
Save the PDF document as a PDF file
- Create a
System.IO.FileStreamobject by invoking its constructor and passing a string value that represents the file location of the PDF document that will contain the signature field and the mode in which to open the file. - Create a byte array that stores the content of the
BLOBobject that was returned by theaddSignatureFieldmethod. Populate the byte array by getting the value of theBLOBobject’sbinaryDatadata member. - Create a
System.IO.BinaryWriterobject by invoking its constructor and passing theSystem.IO.FileStreamobject. - Write the contents of the byte array to a PDF file by invoking the
System.IO.BinaryWriterobject’sWritemethod and passing the byte array.
- Create a
See also
Invoking AEM Forms using SwaRef
Retrieving Signature Field Names
You can retrieve the names of all signature fields that are located in a PDF document that you want to sign or certify. If you are unsure of the signature field names that are located in a PDF document or you want to verify the names, you can programmatically retrieve them. The Signature service returns the fully qualified name of the signature field, such as form1[0].grantApplication[0].page1[0].SignatureField1[0].
For more information about the Signature service, see Services Reference for AEM Forms
Summary of steps
To retrieve signature field names, perform the following tasks:
- Include project files.
- Create a Signature client.
- Get the PDF document that contains signature fields.
- Retrieve the signature field names.
Include project files
Include necessary files into your development project. If you are creating a client application using Java, include the necessary JAR files. If you are using web services, ensure that you include the proxy files.
The following JAR files must be added to your project’s classpath:
- adobe-livecycle-client.jar
- adobe-usermanager-client.jar
- adobe-signatures-client.jar
- adobe-utilities.jar (required if AEM Forms is deployed on JBoss)
- jbossall-client.jar (required if AEM Forms is deployed on JBoss)
For information about the location of these JAR files, see Including AEM Forms Java library files.
Create a Signature client
Before you can programmatically perform a Signature service operation, you must create a Signature service client.
Get the PDF document that contains signature fields
Retrieve a PDF document that contains signature fields.
Retrieve the signature field names
You can retrieve signature field names after you retrieve a PDF document that contains one or more signature fields.
See also
Retrieve signature field names using the Java API
Retrieve signature field using the web service API
Including AEM Forms Java library files
Retrieve signature field names using the Java API
Retrieve signature field names by using the Signature API (Java):
-
Include project files
Include client JAR files, such as the adobe-signatures-client.jar, in your Java project’s classpath.
-
Create a Signature client
- Create a
ServiceClientFactoryobject that contains connection properties. - Create a
SignatureServiceClientobject by using its constructor and passing theServiceClientFactoryobject.
- Create a
-
Get the PDF document that contains signature fields
- Create a
java.io.FileInputStreamobject that represents the PDF document that contains signature fields by using its constructor and passing a string value that specifies the location of the PDF document. - Create a
com.adobe.idp.Documentobject by using its constructor and passing thejava.io.FileInputStreamobject.
- Create a
-
Retrieve the signature field names
- Retrieve the signature field names by invoking the
SignatureServiceClientobject’sgetSignatureFieldListmethod and passing thecom.adobe.idp.Documentobject that contains the PDF document that contains signature fields. This method returns ajava.util.Listobject, in which each element contains aPDFSignatureFieldobject. Using this object, you can obtain additional information about a signature field, such as whether it is visible. - Iterate through the
java.util.Listobject to determine if there are signature field names. For each signature field in the PDF document, you can obtain a separatePDFSignatureFieldobject. To obtain the name of the signature field, invoke thePDFSignatureFieldobject’sgetNamemethod. This method returns a string value that specifies the signature field name.
- Retrieve the signature field names by invoking the
See also
Retrieving Signature Field Names
Quick Start (SOAP mode): Retrieving signature field names using the Java API
Including AEM Forms Java library files
Retrieve signature field using the web service API
Retrieve signature field names using the Signature API (web service):
-
Include project files
Create a Microsoft .NET project that uses MTOM. Ensure that you use the following WSDL definition:
http://localhost:8080/soap/services/SignatureService?WSDL&lc_version=9.0.1.NOTEReplace
localhostwith the IP address of the server hosting AEM Forms. -
Create a Signature client
-
Create a
SignatureServiceClientobject by using its default constructor. -
Create a
SignatureServiceClient.Endpoint.Addressobject by using theSystem.ServiceModel.EndpointAddressconstructor. Pass a string value that specifies the WSDL to the AEM Forms service (for example,http://localhost:8080/soap/services/SignatureService?WSDL). You do not need to use thelc_versionattribute. This attribute is used when you create a service reference.) -
Create a
System.ServiceModel.BasicHttpBindingobject by getting the value of theSignatureServiceClient.Endpoint.Bindingfield. Cast the return value toBasicHttpBinding. -
Set the
System.ServiceModel.BasicHttpBindingobject’sMessageEncodingfield toWSMessageEncoding.Mtom. This value ensures that MTOM is used. -
Enable basic HTTP authentication by performing the following tasks:
- Assign the AEM forms user name to the field
SignatureServiceClient.ClientCredentials.UserName.UserName. - Assign the corresponding password value to the field
SignatureServiceClient.ClientCredentials.UserName.Password. - Assign the constant value
HttpClientCredentialType.Basicto the fieldBasicHttpBindingSecurity.Transport.ClientCredentialType. - Assign the constant value
BasicHttpSecurityMode.TransportCredentialOnlyto the fieldBasicHttpBindingSecurity.Security.Mode.
- Assign the AEM forms user name to the field
-
-
Get the PDF document that contains signature fields
- Create a
BLOBobject by using its constructor. TheBLOBobject is used to store the PDF document that contains signature fields. - Create a
System.IO.FileStreamobject by invoking its constructor and passing a string value that represents the file location of the PDF document and the mode in which to open the file. - Create a byte array that stores the content of the
System.IO.FileStreamobject. You can determine the size of the byte array by getting theSystem.IO.FileStreamobject’sLengthproperty. - Populate the byte array with stream data by invoking the
System.IO.FileStreamobject’sReadmethod and passing the byte array, the starting position, and the stream length to read. - Populate the
BLOBobject by assigning itsMTOMfield the byte array contents.
- Create a
-
Retrieve the signature field names
- Retrieve the signature field names by invoking
SignatureServiceClientobject’sgetSignatureFieldListmethod and passing theBLOBobject that contains the PDF document that contains signature fields. This method returns aMyArrayOfPDFSignatureFieldcollection object where each element contains aPDFSignatureFieldobject. - Iterate through the
MyArrayOfPDFSignatureFieldobject to determine whether there are signature field names. For each signature field in the PDF document, you can obtain aPDFSignatureFieldobject. To obtain the name of the signature field, invoke thePDFSignatureFieldobject’sgetNamemethod. This method returns a string value that specifies the signature field name.
- Retrieve the signature field names by invoking
See also
Retrieving Signature Field Names
Invoking AEM Forms using SwaRef
Modifying Signature Fields
You can modify signature fields that are located in a PDF document by using the Java API and web service API. Modifying a signature field involves manipulating its signature field lock dictionary values or seed value dictionary values.
A field lock dictionary specifies a list of fields that are locked when the signature field is signed. A locked field prevents users from making changes to the field. A seed value dictionary contains constraining information that is used at the time the signature is applied. For example, you can change permissions that control the actions that can occur without invalidating a signature.
By modifying an existing signature field, you can make changes to the PDF document to reflect changing business requirements. For example, a new business requirement may require locking all document fields after the document is signed.
This section explains how to modify a signature field by amending both field lock dictionary and seed value dictionary values. Changes made to the signature field lock dictionary result in all fields in the PDF document being locked when a signature field is signed. Changes made to the seed value dictionary prohibit specific types of changes to the document.
For more information about the Signature service and modifying signature fields, see Services Reference for AEM Forms.
Summary of steps
To modify signature fields located in a PDF document, perform the following tasks:
- Include project files.
- Create a Signature client.
- Get the PDF document that contains the signature field to modify.
- Set dictionary values.
- Modify the signature field.
- Save the PDF document as a PDF file.
Include project files
Include necessary files in your development project. If you are creating a client application by using Java, include the necessary JAR files. If you are using web services, ensure that you include the proxy files.
The following JAR files must be added to your project’s classpath:
- adobe-livecycle-client.jar
- adobe-usermanager-client.jar
- adobe-signatures-client.jar
- adobe-utilities.jar (required if AEM Forms is deployed on JBoss)
- jbossall-client.jar (required if AEM Forms is deployed on JBoss)
For information about the location of these JAR files, see Including LiveCycle Java library files.
Create a Signature client
Before you can programmatically perform a Signature service operation, you must create a Signature service client.
Get the PDF document that contains the signature field to modify
Retrieve a PDF document that contains the signature field to modify.
Set dictionary values
To modify a signature field, assign values to its field lock dictionary or seed value dictionary. Specifying signature field lock dictionary values involves specifying PDF document fields that are locked when the signature field is signed. (This section discusses how to lock all fields.)
The following seed value dictionary values can be set:
-
Revision checking: Specifies whether revocation checking is performed when a signature is applied to the signature field.
-
Certificate options: Assigns values to the certificate seed value dictionary. Before specifying certificate options, it is recommended that you become familiar with a certificate seed value dictionary. (See PDF Reference.)
-
Digest options: Assigns digest algorithms that are used for signing. Valid values are SHA1, SHA256, SHA384, SHA512, and RIPEMD160.
-
Filter: Specifies the filter that is used with the signature field. For example, you can use the Adobe.PPKLite filter. (See PDF Reference.)
-
Flag options: Specifies the flag values that are associated with this signature field. A value of 1 means that a signer must use only the specified values for the entry. A value of 0 means that other values are permitted. Here are the Bit positions:
- 1(Filter): The signature handler to be used to sign the signature field
- 2 (SubFilter): An array of names that indicate acceptable encodings to use when signing
- 3 (V): The minimum required version number of the signature handler to be used to sign the signature field
- 4 (Reasons): An array of strings that specify possible reasons for signing a document
- 5 (PDFLegalWarnings): An array of strings that specify possible legal attestations
-
Legal attestations: When a document is certified, it is automatically scanned for specific types of content that can make the visible contents of a document ambiguous or misleading. For example, an annotation can obscure text that is important for understanding what is being certified. The scanning process generates warnings that indicate the presence of this type of content. It also provides an additional explanation of the content that may have generated warnings.
-
Permissions: Specifies permissions that can be used on a PDF document without invalidating the signature.
-
Reasons: Specifies reasons why this document must be signed.
-
Time stamp: Specifies time-stamping options. You can, for example, set the URL of the time-stamping server that is used.
-
Version: Specifies the minimum version number of the signature handler to be used to sign the signature field.
Modify the signature field
After you create a Signature service client, retrieve the PDF document that contains the signature field to modify, and set dictionary values, you can instruct the Signature service to modify the signature field. The Signature service then returns a PDF document that contains the modified signature field. The original PDF document is not affected.
Save the PDF document as a PDF file
Save the PDF document that contains the modified signature field as a PDF file so that users can open it in Acrobat or Adobe Reader.
See also
Including AEM Forms Java library files
Signature Service API Quick Starts
Digitally Signing PDF Documents
Modify signature fields using the Java API
Modify a signature field by using the Signature API (Java):
-
Include project files
Include client JAR files, such as the adobe-signatures-client.jar, in your Java project’s class path.
-
Create a Signature client
- Create a
ServiceClientFactoryobject that contains connection properties. - Create a
SignatureServiceClientobject by using its constructor and passing theServiceClientFactoryobject.
- Create a
-
Get the PDF document that contains the signature field to modify
- Create a
java.io.FileInputStreamobject that represents the PDF document that contains the signature field to modify by using its constructor and passing a string value that specifies the location of the PDF document. - Create a
com.adobe.idp.Documentobject by using its constructor and passing thejava.io.FileInputStreamobject.
- Create a
-
Set dictionary values
- Create a
PDFSignatureFieldPropertiesobject by using its constructor. APDFSignatureFieldPropertiesobject stores signature field lock dictionary and seed value dictionary information. - Create a
PDFSeedValueOptionSpecobject by using its constructor. This object lets you set seed value dictionary values. - Disallow changes to the PDF document by invoking the
PDFSeedValueOptionSpecobject’ssetMdpValuemethod and passing theMDPPermissions.NoChangesenumeration value. - Create a
FieldMDPOptionSpecobject by using its constructor. This object lets you set signature field lock dictionary values. - Lock all fields in the PDF document by invoking the
FieldMDPOptionSpecobject’ssetMdpValuemethod and passing theFieldMDPAction.ALLenumeration value. - Set seed value dictionary information by invoking the
PDFSignatureFieldPropertiesobject’ssetSeedValuemethod and passing thePDFSeedValueOptionSpecobject. - Set signature field lock dictionary information by invoking the
PDFSignatureFieldPropertiesobject’ssetFieldMDPmethod and passing theFieldMDPOptionSpecobject.
NOTETo see all seed value dictionary values that you can set, see the
PDFSeedValueOptionSpecclass reference. (See AEM Forms API Reference.) - Create a
-
Modify the signature field
Modify the signature field by invoking the
SignatureServiceClientobject’smodifySignatureFieldmethod and passing the following values:- The
com.adobe.idp.Documentobject that stores the PDF document that contains the signature field to modify - A string value that specifies the name of the signature field
- The
PDFSignatureFieldPropertiesobject that stores signature field lock dictionary and seed value dictionary information
The
modifySignatureFieldmethod returns acom.adobe.idp.Documentobject that stores a PDF document that contains the modified signature field. - The
-
Save the PDF document as a PDF file
- Create a
java.io.Fileobject and ensure that the file name extension is .pdf. - Invoke the
com.adobe.idp.Documentobject’scopyToFilemethod to copy the contents of thecom.adobe.idp.Documentobject to the file. Ensure that you use thecom.adobe.idp.Documentobject that themodifySignatureFieldmethod returned.
- Create a
Modify signature fields using the web service API
Modify a signature field by using the Signature API (web service):
-
Include project files
Create a Microsoft .NET project that uses MTOM. Ensure that you use the following WSDL definition:
http://localhost:8080/soap/services/SignatureService?WSDL&lc_version=9.0.1.NOTEReplace
localhostwith the IP address of the server hosting AEM Forms. -
Create a Signature client
-
Create a
SignatureServiceClientobject by using its default constructor. -
Create a
SignatureServiceClient.Endpoint.Addressobject by using theSystem.ServiceModel.EndpointAddressconstructor. Pass a string value that specifies the WSDL to the AEM Forms service (for example,http://localhost:8080/soap/services/SignatureService?WSDL). You do not need to use thelc_versionattribute. This attribute is used when you create a service reference.) -
Create a
System.ServiceModel.BasicHttpBindingobject by getting the value of theSignatureServiceClient.Endpoint.Bindingfield. Cast the return value toBasicHttpBinding. -
Set the
System.ServiceModel.BasicHttpBindingobject’sMessageEncodingfield toWSMessageEncoding.Mtom. This value ensures that MTOM is used. -
Enable basic HTTP authentication by performing the following tasks:
- Assign the AEM forms user name to the field
SignatureServiceClient.ClientCredentials.UserName.UserName. - Assign the corresponding password value to the field
SignatureServiceClient.ClientCredentials.UserName.Password. - Assign the constant value
HttpClientCredentialType.Basicto the fieldBasicHttpBindingSecurity.Transport.ClientCredentialType. - Assign the constant value
BasicHttpSecurityMode.TransportCredentialOnlyto the fieldBasicHttpBindingSecurity.Security.Mode.
- Assign the AEM forms user name to the field
-
-
Get the PDF document that contains the signature field to modify
- Create a
BLOBobject by using its constructor. TheBLOBobject is used to store the PDF document that contains the signature field to modify. - Create a
System.IO.FileStreamobject by invoking its constructor and passing a string value that represents the file location of the PDF document and the mode in which to open the file. - Create a byte array that stores the content of the
System.IO.FileStreamobject. You can determine the size of the byte array by getting theSystem.IO.FileStreamobject’sLengthproperty. - Populate the byte array with stream data by invoking the
System.IO.FileStreamobject’sReadmethod and passing the byte array, the starting position, and the stream length to read. - Populate the
BLOBobject by assigning itsMTOMproperty the contents of the byte array.
- Create a
-
Set dictionary values
- Create a
PDFSignatureFieldPropertiesobject by using its constructor. This object stores signature field lock dictionary and seed value dictionary information. - Create a
PDFSeedValueOptionSpecobject by using its constructor. This object lets you set seed value dictionary values. - Disallow changes to the PDF document by assigning the
MDPPermissions.NoChangesenumeration value to thePDFSeedValueOptionSpecobject’smdpValuedata member. - Create a
FieldMDPOptionSpecobject by using its constructor. This object lets you set signature field lock dictionary values. - Lock all fields in the PDF document by assigning the
FieldMDPAction.ALLenumeration value to theFieldMDPOptionSpecobject’smdpValuedata member. - Set seed value dictionary information by assigning the
PDFSeedValueOptionSpecobject to thePDFSignatureFieldPropertiesobject’sseedValuedata member. - Set signature field lock dictionary information by assigning the
FieldMDPOptionSpecobject to thePDFSignatureFieldPropertiesobject’sfieldMDPdata member.
NOTETo see all seed value dictionary values that you can set, see the
PDFSeedValueOptionSpecclass reference. (See AEM Forms API Reference). - Create a
-
Modify the signature field
Modify the signature field by invoking the
SignatureServiceClientobject’smodifySignatureFieldmethod and passing the following values:- The
BLOBobject that stores the PDF document that contains the signature field to modify - A string value that specifies the name of the signature field
- The
PDFSignatureFieldPropertiesobject that stores signature field lock dictionary and seed value dictionary information
The
modifySignatureFieldmethod returns aBLOBobject that stores a PDF document that contains the modified signature field. - The
-
Save the PDF document as a PDF file
- Create a
System.IO.FileStreamobject by invoking its constructor and passing a string value that represents the file location of the PDF document that will contain the signature field, and the mode in which to open the file. - Create a byte array that stores the content of the
BLOBobject that theaddSignatureFieldmethod returns. Populate the byte array by getting the value of theBLOBobject’sMTOMdata member. - Create a
System.IO.BinaryWriterobject by invoking its constructor and passing theSystem.IO.FileStreamobject. - Write the contents of the byte array to a PDF file by invoking the
System.IO.BinaryWriterobject’sWritemethod and passing the byte array.
- Create a
See also
Invoking AEM Forms using SwaRef
Digitally Signing PDF Documents
Digital signatures can be applied to PDF documents to provide a level of security. Digital signatures, like handwritten signatures, provide a means by which signers identify themselves and make statements about a document. The technology used to digitally sign documents helps to ensure that both the signer and recipients are clear about what was signed and confident that the document was not altered since it was signed.
PDF documents are signed by means of public-key technology. A signer has two keys: a public key and a private key. The private key is stored in a user’s credential that must be available at the time of signing. The public key is stored in the user’s certificate that must be available to recipients to validate the signature. Information about revoked certificates is found in certificate revocation lists (CRLs) and Online Certificate Status Protocol (OCSP) responses distributed by Certificate Authorities (CAs). The time of signing can be obtained from a trusted source known as a Timestamping Authority.
Before you can digitally sign a PDF document, you must ensure that you add the certificate to AEM Forms. A certificate is added using administration console or programmatically using the Trust Manager API. (See Importing Credentials by using the Trust Manager API.)
You can programmatically digitally sign PDF documents. When digitally signing a PDF document, you must reference a security credential that exists in AEM Forms. The credential is the private key used for signing.
The Signature service performs the following steps when a PDF document is signed:
- The Signature service retrieves the credential from the Truststore by passing the alias specified in the request.
- The Truststore searches for the specified credential.
- The credential is returned to the Signature service and is used to sign the document. The credential is also cached against the alias for future requests.
For information about handling the security credential, see the Installing and Deploying AEM Forms guide for your application server.
There are differences between signing and certifying documents. (See Certifying PDF Documents.)
Not all PDF documents support signing. For more information about the Signature service and digitally signing documents, see Services Reference for AEM Forms.
The Signature service does not support XDP files with embedded PDF data as input to an operation, such as certifying a document. This action results in the Signature service throwing a PDFOperationException. To resolve this issue, convert the XDP file to a PDF file by using the PDF Utilities service and then pass the converted PDF file to a Signature service operation. (See Working with PDF Utilities.)
nCipher nShield HSM credential
When using an nCipher nShield HSM credential to sign or certify a PDF document, the new credential cannot be used until the J2EE application server that AEM Forms is deployed on is restarted. However, you can set a configuration value, resulting in the sign or certify operation working without restarting the J2EE application server.
You can add the following configuration value in the cknfastrc file, which is located at /opt/nfast/cknfastrc (or c:\nfast\cknfastrc):
CKNFAST_ASSUME_SINGLE_PROCESS=0
After you add this configuration value to the cknfastrc file, the new credential can be used without restarting the J2EE application server.
Signature is not trusted
When certifying and signing the same PDF document, if the certifying signature is not trusted, a yellow triangle appears against the first signature when opening the PDF document in Acrobat or Adobe Reader. The certifying signature must be trusted in order to avoid this situation.
Signing documents that are XFA based forms
If you attempt to sign a XFA based form using the Signature service API, the data may be missing from the View Signed Version located in Acrobat. For example, consider the following workflow:
- Using an XDP file created by using Designer, you merge a form design that contains a signature field and XML data that contains form data. You use the Forms service to generate an interactive PDF document.
- You sign the PDF document using the Signature service API.
Summary of steps
To digitally sign a PDF document, perform the following tasks:
- Include project files.
- Create a Signature service client.
- Get the PDF document to sign.
- Sign the PDF document.
- Save the signed PDF document as a PDF file.
Include project files
Include necessary files into your development project. If you are creating a client application using Java, include the necessary JAR files. If you are using web services, ensure that you include the proxy files.
The following JAR files must be added to your project’s classpath:
- adobe-livecycle-client.jar
- adobe-usermanager-client.jar
- adobe-signatures-client.jar
- adobe-utilities.jar (required if AEM Forms is deployed on JBoss)
- jbossall-client.jar (required if AEM Forms is deployed on JBoss)
Create a Signatures client
Before you can programmatically perform a Signature service operation, you must create a Signature service client.
Get the PDF document to sign
To sign a PDF document, you must obtain a PDF document that contains a signature field. If a PDF document does not contain a signature field, it cannot be signed. A signature field can be added by using Designer or programmatically.
Sign the PDF document
When signing a PDF document, you can set run-time options that are used by the Signature service. You can set the following options:
- Appearance options
- Revocation checking
- Time stamping values
You set appearance options by using a PDFSignatureAppearanceOptionSpec object. For example, you can display the date within a signature by invoking the PDFSignatureAppearanceOptionSpec object’s setShowDate method and passing true.
You can also specify whether or not to perform a revocation check that determines whether the certificate that is used to digitally sign a PDF document has been revoked. To performing revocation checking, you can specify one of the following values:
- NoCheck: Do not perform revocation checking.
- BestEffort: Always attempt to check for revocation of all certificates in the chain. If any problem occurs in checking, the revocation is assumed to be valid. If any failure happens, assume that the certificate is not revoked.
- CheckIfAvailable: Check for revocation of all certificates in the chain if revocation information is available. If any problem occurs in checking, the revocation is assumed to be invalid. If any failure happens, assume the certificate is revoked and invalid. (This is the default value.)
- AlwaysCheck: Check for revocation of all certificates in the chain. If revocation information is not present in any certificate, revocation is assumed to be invalid.
To perform revocation checking on a certificate, you can specify a URL to a certificate revocation list (CRL) server by using a CRLOptionSpec object. However, if you want to perform revocation checking and you do not specify a URL to a CRL server, then the Signature service obtains the URL from the certificate.
Instead of using a CRL server, you can use an online certificate status protocol (OCSP) server when performing revocation checking. Typically when using an OCSP server as opposed to a CRL server, the revocation check is performed faster. (See “Online Certificate Status Protocol” at https://tools.ietf.org/html/rfc2560.)
You can set the CRL and OCSP server order that the Signature service uses using Adobe Applications and Services. For example, if the OCSP server is set first in Adobe Applications and Services, then the OCSP server is checked, followed by the CRL server. (See “Managing certificates and credentials using Trust Store” in AAC Help).
If you specify not to perform revocation checking, then the Signature service does not check to see if the certificate used to sign or certify a document has been revoked. That is, CRL and OCSP server information is ignored.
Although a CRL or an OCSP server may be specified in the certificate, you can override the URL specified in the certificate by using a CRLOptionSpec and an OCSPOptionSpec object. For example, to override the CRL server, you can invoke the CRLOptionSpec object’s setLocalURI method.
Time stamping refers to the process of tracking the time when a signed or certified document was modified. Once a document is signed, it should not be modified, even by the document owner. Time stamping helps enforce the validity of a signed or certified document. You can set time stamping options using a TSPOptionSpec object. For example, you can specify the URL of a time stamping provider (TSP) server.
In the Java and web service walk through sections and the corresponding quick starts, revocation checking is used. Because no CRL or OCSP server information is specified, the server information is obtained from the certificate used to digitally sign the PDF document.
To successfully sign a PDF document, you can specify the fully qualified name of the signature field that will contain the digital signature, such as form1[0].#subform[1].SignatureField3[3]. When using an XFA form field, the partial name of the signature field can also be used: SignatureField3[3].
You must also reference a security credential to digitally sign a PDF document. To reference a security credential, you specify an alias. The alias is a reference to an actual credential that may be in a PKCS#12 file (with a .pfx extension), or a hardware security module (HSM). For information about the security credential, see the Installing and Deploying AEM Forms guide for your application server.
Save the signed PDF document
After the Signature service digitally signs the PDF document, you can save it as a PDF file so that users can open it in Acrobat or Adobe Reader.
See also
Digitally sign PDF documents using the Java API
Digitally signing PDF documents using the web service API
Including AEM Forms Java library files
Retrieving Signature Field Names
Digitally sign PDF documents using the Java API
Digitally sign a PDF document by using the Signature API (Java):
-
Include project files
Include client JAR files, such as adobe-signatures-client.jar, in your Java project’s classpath.
-
Create a Signatures client
- Create a
ServiceClientFactoryobject that contains connection properties. - Create a
SignatureServiceClientobject by using its constructor and passing theServiceClientFactoryobject.
- Create a
-
Get the PDF document to sign
- Create a
java.io.FileInputStreamobject that represents the PDF document to digitally sign by using its constructor and passing a string value that specifies the location of the PDF document. - Create a
com.adobe.idp.Documentobject by using its constructor and passing thejava.io.FileInputStreamobject.
- Create a
-
Sign the PDF document
Sign the PDF document by invoking the
SignatureServiceClientobject’ssignmethod and passing the following values:- A
com.adobe.idp.Documentobject that represents the PDF document to sign. - A string value that represents the name of the signature field that will contain the digital signature.
- A
Credentialobject that represents the credential that is used to digitally sign the PDF document. Create aCredentialobject by invoking theCredentialobject’s staticgetInstancemethod and passing a string value that specifies the alias value that corresponds to the security credential. - A
HashAlgorithmobject that specifies a static data member that represents the hash algorithm to use to digest the PDF document. For example, you can specifyHashAlgorithm.SHA1to use the SHA1 algorithm. - A string value that represents the reason why the PDF document was digitally signed.
- A string value that represents the signer’s contact information.
- A
PDFSignatureAppearanceOptionsobject that controls the appearance of the digital signature. For example, you can use this object to add a custom logo to a digital signature. - A
java.lang.Booleanobject that specifies whether to perform revocation checking on the signer’s certificate. - An
OCSPOptionSpecobject that stores preferences for Online Certificate Status Protocol (OCSP) support. If revocation checking is not done, this parameter is not used and you can specifynull. - A
CRLPreferencesobject that stores certificate revocation list (CRL) preferences. If revocation checking is not done, this parameter is not used and you can specifynull. - A
TSPPreferencesobject that stores preferences for time stamp provider (TSP) support. This parameter is optional and can benull. For more information, see AEM Forms API Reference.
The
signmethod returns acom.adobe.idp.Documentobject that represents the signed PDF document. - A
-
Save the signed PDF document
- Create a
java.io.Fileobject and ensure that the file extension is .pdf. - Invoke the
com.adobe.idp.Documentobject’scopyToFilemethod and passjava.io.Fileto copy the contents of theDocumentobject to the file. Ensure that you use thecom.adobe.idp.Documentobject that was returned by thesignmethod.
- Create a
See also
Digitally Signing PDF Documents
Quick Start (SOAP mode): Digitally signing a PDF document using the Java API
Including AEM Forms Java library files
Digitally signing PDF documents using the web service API
To digitally sign a PDF document by using the Signature API (web service):
-
Include project files
Create a Microsoft .NET project that uses MTOM. Ensure that you use the following WSDL definition:
http://localhost:8080/soap/services/SignatureService?WSDL&lc_version=9.0.1.NOTEReplace
localhostwith the IP address of the server hosting AEM Forms. -
Create a Signatures client
-
Create a
SignatureServiceClientobject by using its default constructor. -
Create a
SignatureServiceClient.Endpoint.Addressobject by using theSystem.ServiceModel.EndpointAddressconstructor. Pass a string value that specifies the WSDL to the AEM Forms service (for example,http://localhost:8080/soap/services/SignatureService?WSDL). You do not need to use thelc_versionattribute. This attribute is used when you create a service reference.) -
Create a
System.ServiceModel.BasicHttpBindingobject by getting the value of theSignatureServiceClient.Endpoint.Bindingfield. Cast the return value toBasicHttpBinding. -
Set the
System.ServiceModel.BasicHttpBindingobject’sMessageEncodingfield toWSMessageEncoding.Mtom. This value ensures that MTOM is used. -
Enable basic HTTP authentication by performing the following tasks:
- Assign the AEM forms user name to the field
SignatureServiceClient.ClientCredentials.UserName.UserName. - Assign the corresponding password value to the field
SignatureServiceClient.ClientCredentials.UserName.Password. - Assign the constant value
HttpClientCredentialType.Basicto the fieldBasicHttpBindingSecurity.Transport.ClientCredentialType. - Assign the constant value
BasicHttpSecurityMode.TransportCredentialOnlyto the fieldBasicHttpBindingSecurity.Security.Mode.
- Assign the AEM forms user name to the field
-
-
Get the PDF document to sign
- Create a
BLOBobject by using its constructor. TheBLOBobject is used to store a PDF document that is signed. - Create a
System.IO.FileStreamobject by invoking its constructor and passing a string value that represents the file location of the PDF document to sign, and the mode in which to open the file. - Create a byte array that stores the content of the
System.IO.FileStreamobject. You can determine the size of the byte array by getting theSystem.IO.FileStreamobject’sLengthproperty. - Populate the byte array with stream data by invoking the
System.IO.FileStreamobject’sReadmethod and passing the byte array, the starting position, and the stream length to read. - Populate the
BLOBobject by assigning itsMTOMproperty the contents of the byte array.
- Create a
-
Sign the PDF document
Sign the PDF document by invoking the
SignatureServiceClientobject’ssignmethod and passing the following values:- A
BLOBobject that represents the PDF document to sign. - A string value that represents the name of the signature field that will contain the digital signature.
- A
Credentialobject that represents the credential that is used to digitally sign the PDF document. Create aCredentialobject by using its constructor and specify the alias by assigning a value to theCredentialobject’saliasproperty. - A
HashAlgorithmobject that specifies a static data member that represents the hash algorithm to use to digest the PDF document. For example, you can specifyHashAlgorithm.SHA1to use the SHA1 algorithm. - A Boolean value that specifies whether the hash algorithm is used.
- A string value that represents the reason why the PDF document was digitally signed.
- A string value that represents the signer’s location.
- A string value that represents the signer’s contact information.
- A
PDFSignatureAppearanceOptionsobject that controls the appearance of the digital signature. For example, you can use this object to add a custom logo to a digital signature. - A
System.Booleanobject that specifies whether to perform revocation checking on the signer’s certificate. If this revocation checking is done, it is embedded in the signature. The default isfalse. - An
OCSPOptionSpecobject that stores preferences for Online Certificate Status Protocol (OCSP) support. If revocation checking is not done, this parameter is not used and you can specifynull. For information about this object, see AEM Forms API Reference. - A
CRLPreferencesobject that stores certificate revocation list (CRL) preferences. If revocation checking is not done, this parameter is not used and you can specifynull. - A
TSPPreferencesobject that stores preferences for time stamp provider (TSP) support. This parameter is optional and can benull.
The
signmethod returns aBLOBobject that represents the signed PDF document. - A
-
Save the signed PDF document
- Create a
System.IO.FileStreamobject by invoking its constructor. Pass a string value that represents the file location of the signed PDF document and the mode in which to open the file. - Create a byte array that stores the content of the
BLOBobject that was returned by thesignmethod. Populate the byte array by getting the value of theBLOBobject’sMTOMdata member. - Create a
System.IO.BinaryWriterobject by invoking its constructor and passing theSystem.IO.FileStreamobject. - Write the contents of the byte array to a PDF file by invoking the
System.IO.BinaryWriterobject’sWritemethod and passing the byte array.
- Create a
See also
Digitally Signing PDF Documents
Invoking AEM Forms using SwaRef
Digitally Signing Interactive Forms
You can sign an interactive form that the Forms service creates. For example, consider the following workflow:
- You merge an XFA-based PDF form created by using Designer and form data located in an XML document using the Forms service. The Forms server renders an interactive form.
- You sign the interactive form using the Signature service API.
The result is a digitally signed interactive PDF form. When signing a PDF form that is based on an XFA form, ensure that you save the PDF file as an Adobe Static PDF form. If you attempt to sign a PDF form that is saved as an Adobe Dynamic PDF form, an exception occurs. Because you are signing the form that is returned from the Forms service, ensure that the form contains a signature field.
Before you can digitally sign an interactive form, you must ensure that you add the certificate to AEM Forms. A certificate is added using administration console or programmatically using the Trust Manager API. (See Importing Credentials by using the Trust Manager API.)
When using the Forms Service API, set the GenerateServerAppearance run-time option to true. This run-time option ensures that the appearance of the form that is generated on the server remains valid when opened in Acrobat or Adobe Reader. It is recommended that you set this run-time option when generating an interactive form to sign by using the Forms API.
Before reading Digitally Signing Interactive Forms, it is recommended that you are familiar with signing PDF documents. (See Digitally Signing PDF Documents.)
Summary of steps
To digitally sign an interactive form the Forms service returns, perform the following tasks:
- Include project files.
- Create a Forms and Signatures client.
- Obtain the interactive form using the Forms service.
- Sign the interactive form.
- Save the signed PDF document as a PDF file.
Include project files
Include necessary files into your development project. If you are creating a client application using Java, include the necessary JAR files. If you are using web services, ensure that you include the proxy files.
The following JAR files must be added to your project’s classpath:
- adobe-livecycle-client.jar
- adobe-usermanager-client.jar
- adobe-signatures-client.jar
- adobe-forms-client.jar
- adobe-utilities.jar (required if AEM Forms is deployed on JBoss)
- jbossall-client.jar (required if AEM Forms is deployed on JBoss)
For information about the location of these JAR files, see Including AEM Forms Java library files.
Create a Forms and Signatures client
Because this workflow invokes both the Forms and Signature services, create both a Forms service client and Signature service client.
Obtain the interactive form using the Forms service
You can use the Forms service to obtain the interactive PDF form to sign. As of AEM Forms, you can pass a com.adobe.idp.Document object to the Forms service that contains the form to render. The name of this method is renderPDFForm2. This method returns a com.adobe.idp.Document object that contains the form to sign. You can pass this com.adobe.idp.Document instance to the Signature service.
Likewise, if you are using web services, you can pass the BLOB instance that the Forms service returns to the Signature service.
The quick start associated with Digitally Signing Interactive Forms section invokes the renderPDFForm2 method.
Sign the interactive form
When signing a PDF document, you can set run-time options that the Signature service uses. You can set the following options:
- Appearance options
- Revocation checking
- Time stamping values
You set appearance options by using a PDFSignatureAppearanceOptionSpec object. For example, you can display the date within a signature by invoking the PDFSignatureAppearanceOptionSpec object’s setShowDate method and passing true.
Save the signed PDF document
After the Signature service digitally signs the PDF document, you can save it as a PDF file. The PDF file can be opened in Acrobat or Adobe Reader.
See also
Digitally sign an interactive form using the Java API
Digitally sign an interactive form using the web service API
Including AEM Forms Java library files
Digitally Signing PDF Documents
Rendering Interactive PDF Forms
Digitally sign an interactive form using the Java API
Digitally sign an interactive form by using the Forms and Signature API (Java):
-
Include project files
Include client JAR files, such as adobe-signatures-client.jar and adobe-forms-client.jar, in your Java project’s classpath.
-
Create a Forms and Signatures client
- Create a
ServiceClientFactoryobject that contains connection properties. - Create a
SignatureServiceClientobject by using its constructor and passing theServiceClientFactoryobject. - Create a
FormsServiceClientobject by using its constructor and passing theServiceClientFactoryobject.
- Create a
-
Obtain the interactive form using the Forms service
-
Create a
java.io.FileInputStreamobject that represents the PDF document to pass to the Forms service by using its constructor. Pass a string value that specifies the location of the PDF document. -
Create a
com.adobe.idp.Documentobject by using its constructor and passing thejava.io.FileInputStreamobject. -
Create a
java.io.FileInputStreamobject that represents the XML document that contains form data to pass to the Forms service by using its constructor. Pass a string value that specifies the location of the XML file. -
Create a
com.adobe.idp.Documentobject by using its constructor and passing thejava.io.FileInputStreamobject. -
Create a
PDFFormRenderSpecobject that is used to set run-time options. Invoke thePDFFormRenderSpecobject’ssetGenerateServerAppearancemethod and passtrue. -
Invoke the
FormsServiceClientobject’srenderPDFForm2method and pass the following values:- A
com.adobe.idp.Documentobject that contains the PDF form to render. - A
com.adobe.idp.Documentobject that contains data to merge with the form. - A
PDFFormRenderSpecobject that stores run-time options. - A
URLSpecobject that contains URI values that are required by the Forms service. You can specifynullfor this parameter value. - A
java.util.HashMapobject that stores file attachments. This is an optional parameter and you can specifynullif you do not want to attach files to the form.
The
renderPDFForm2method returns aFormsResultobject that contains a form data stream - A
-
Retrieve the PDF form by invoking the
FormsResultobject’sgetOutputContentmethod. This method returns acom.adobe.idp.Documentobject that represents the interactive form.
-
-
Sign the interactive form
Sign the PDF document by invoking the
SignatureServiceClientobject’ssignmethod and passing the following values:- A
com.adobe.idp.Documentobject that represents the PDF document to sign. Ensure that this object is thecom.adobe.idp.Documentobject obtained from the Forms service. - A string value that represents the name of the signature field that is signed.
- A
Credentialobject that represents the credential that is used to digitally sign the PDF document. Create aCredentialobject by invoking theCredentialobject’s staticgetInstancemethod. Pass a string value that specifies the alias value that corresponds to the security credential. - A
HashAlgorithmobject that specifies a static data member that represents the hash algorithm to use to digest the PDF document. For example, you can specifyHashAlgorithm.SHA1to use the SHA1 algorithm. - A string value that represents the reason why the PDF document was digitally signed.
- A string value that represents the signer’s contact information.
- A
PDFSignatureAppearanceOptionsobject that controls the appearance of the digital signature. For example, you can use this object to add a custom logo to a digital signature. - A
java.lang.Booleanobject that specifies whether to perform revocation checking on the signer’s certificate. - An
OCSPPreferencesobject that stores preferences for Online Certificate Status Protocol (OCSP) support. If revocation checking is not done, this parameter is not used and you can specifynull. - A
CRLPreferencesobject that stores certificate revocation list (CRL) preferences. If revocation checking is not done, this parameter is not used and you can specifynull. - A
TSPPreferencesobject that stores preferences for time stamp provider (TSP) support. This parameter is optional and can benull.
The
signmethod returns acom.adobe.idp.Documentobject that represents the signed PDF document. - A
-
Save the signed PDF document
- Create a
java.io.Fileobject and ensure that the filename extension is .pdf. - Invoke the
com.adobe.idp.Documentobject’scopyToFilemethod and passjava.io.Fileto copy the contents of theDocumentobject to the file. Ensure that you use thecom.adobe.idp.Documentobject that thesignmethod returned.
- Create a
See also
Digitally Signing Interactive Forms
Quick Start (SOAP mode): Digitally signing a PDF document using the Java API
Including AEM Forms Java library files
Digitally sign an interactive form using the web service API
Digitally sign an interactive form by using the Forms and Signature API (web service):
-
Include project files
Create a Microsoft .NET project that uses MTOM. Because this client application invokes two AEM Forms services, create two service references. Use the following WSDL definition for the service reference associated with the Signature service:
http://localhost:8080/soap/services/SignatureService?WSDL&lc_version=9.0.1.Use the following WSDL definition for the service reference associated with the Forms service:
http://localhost:8080/soap/services/FormsService?WSDL&lc_version=9.0.1.Because the
BLOBdata type is common to both service references, fully qualify theBLOBdata type when using it. In the corresponding web service quick start, allBLOBinstances are fully qualified.NOTEReplace
localhostwith the IP address of the server hosting AEM Forms. -
Create a Forms and Signatures client
-
Create a
SignatureServiceClientobject by using its default constructor. -
Create a
SignatureServiceClient.Endpoint.Addressobject by using theSystem.ServiceModel.EndpointAddressconstructor. Pass a string value that specifies the WSDL to the AEM Forms service (for example,http://localhost:8080/soap/services/SignatureService?WSDL). You do not need to use thelc_versionattribute. This attribute is used when you create a service reference.) -
Create a
System.ServiceModel.BasicHttpBindingobject by getting the value of theSignatureServiceClient.Endpoint.Bindingfield. Cast the return value toBasicHttpBinding. -
Set the
System.ServiceModel.BasicHttpBindingobject’sMessageEncodingfield toWSMessageEncoding.Mtom. This value ensures that MTOM is used. -
Enable basic HTTP authentication by performing the following tasks:
- Assign the AEM forms user name to the field
SignatureServiceClient.ClientCredentials.UserName.UserName. - Assign the corresponding password value to the field
SignatureServiceClient.ClientCredentials.UserName.Password. - Assign the constant value
HttpClientCredentialType.Basicto the fieldBasicHttpBindingSecurity.Transport.ClientCredentialType.
- Assign the AEM forms user name to the field
-
Assign the constant value
BasicHttpSecurityMode.TransportCredentialOnlyto the fieldBasicHttpBindingSecurity.Security.Mode.
NOTERepeat these steps for the Forms service client.
-
-
Obtain the interactive form using the Forms service
-
Create a
BLOBobject by using its constructor. TheBLOBobject is used to store a PDF document that is signed. -
Create a
System.IO.FileStreamobject by invoking its constructor and passing a string value that represents the file location of the PDF document to sign, and the mode in which to open the file. -
Create a byte array that stores the content of the
System.IO.FileStreamobject. You can determine the size of the byte array by getting theSystem.IO.FileStreamobject’sLengthproperty. -
Populate the byte array with stream data by invoking the
System.IO.FileStreamobject’sReadmethod and passing the byte array, the starting position, and the stream length to read. -
Populate the
BLOBobject by assigning itsMTOMproperty the contents of the byte array. -
Create a
BLOBobject by using its constructor. TheBLOBobject is used to store form data. -
Create a
System.IO.FileStreamobject by invoking its constructor and passing a string value that represents the file location of the XML file that contains form data, and the mode in which to open the file. -
Create a byte array that stores the content of the
System.IO.FileStreamobject. You can determine the size of the byte array by getting theSystem.IO.FileStreamobject’sLengthproperty. -
Populate the byte array with stream data by invoking the
System.IO.FileStreamobject’sReadmethod and passing the byte array, the starting position, and the stream length to read. -
Populate the
BLOBobject by assigning itsMTOMproperty the contents of the byte array. -
Create a
PDFFormRenderSpecobject that is used to set run-time options. Assign the valuetrueto thePDFFormRenderSpecobject’sgenerateServerAppearancefield. -
Invoke the
FormsServiceClientobject’srenderPDFForm2method and pass the following values:- A
BLOBobject that contains the PDF form to render. - A
BLOBobject that contains data to merge with the form. - A
PDFFormRenderSpecobject that stores run-time options. - A
URLSpecobject that contains URI values that are required by the Forms service. You can specifynullfor this parameter value. - A
java.util.HashMapobject that stores file attachments. This is an optional parameter and you can specifynullif you do not want to attach files to the form. - A long output parameter used to store the number of pages in the form.
- A string output parameter that is used for the locale value.
- A
FormResultvalue that is an output parameter that is used to store the interactive form.
- A
-
Retieve the PDF form by invoking the
FormsResultobject’soutputContentfield. This field stores aBLOBobject that represents the interactive form.
-
-
Sign the interactive form
Sign the PDF document by invoking the
SignatureServiceClientobject’ssignmethod and passing the following values:- A
BLOBobject that represents the PDF document to sign. Use theBLOBinstance returned by the Forms service. - A string value that represents the name of the signature field that is signed.
- A
Credentialobject that represents the credential that is used to digitally sign the PDF document. Create aCredentialobject by using its constructor and specify the alias by assigning a value to theCredentialobject’saliasproperty. - A
HashAlgorithmobject that specifies a static data member that represents the hash algorithm to use to digest the PDF document. For example, you can specifyHashAlgorithm.SHA1to use the SHA1 algorithm. - A Boolean value that specifies whether the hash algorithm is used.
- A string value that represents the reason why the PDF document was digitally signed.
- A string value that represents the signer’s location.
- A string value that represents the signer’s contact information.
- A
PDFSignatureAppearanceOptionsobject that controls the appearance of the digital signature. For example, you can use this object to add a custom logo to a digital signature. - A
System.Booleanobject that specifies whether to perform revocation checking on the signer’s certificate. If this revocation checking is done, it is embedded in the signature. The default isfalse. - An
OCSPPreferencesobject that stores preferences for Online Certificate Status Protocol (OCSP) support. If revocation checking is not done, this parameter is not used and you can specifynull. For information about this object, see AEM Forms API Reference. - A
CRLPreferencesobject that stores certificate revocation list (CRL) preferences. If revocation checking is not done, this parameter is not used and you can specifynull. - A
TSPPreferencesobject that stores preferences for time stamp provider (TSP) support. This parameter is optional and can benull.
The
signmethod returns aBLOBobject that represents the signed PDF document. - A
-
Save the signed PDF document
- Create a
System.IO.FileStreamobject by invoking its constructor. Pass a string value that represents the file location of the signed PDF document and the mode in which to open the file. - Create a byte array that stores the content of the
BLOBobject that was returned by thesignmethod. Populate the byte array by getting the value of theBLOBobject’sMTOMdata member. - Create a
System.IO.BinaryWriterobject by invoking its constructor and passing theSystem.IO.FileStreamobject. - Write the contents of the byte array to a PDF file by invoking the
System.IO.BinaryWriterobject’sWritemethod and passing the byte array.
- Create a
See also
Digitally Signing Interactive Forms
Certifying PDF Documents
You can secure a PDF document by certifying it with a particular type of signature called a certified signature. A certified signature is distinguished from a digital signature in these ways:
- It must be the first signature applied to the PDF document; that is, at the time the certified signature is applied, any other signature fields in the document must be unsigned. Only one certified signature is permitted in a PDF document. If you want to sign and certify a PDF document, you must certify it before signing it. After you certify a PDF document, you can digitally sign additional signature fields.
- The author or originator of the document can specify that the document can be modified in certain ways without invalidating the certified signature. For example, the document may permit filling in forms or commenting. If the author specifies that a certain modification is not permitted, Acrobat restricts users from modifying the document in that way. If such modifications are made, such as by using another application, the certified signature is invalid and Acrobat issues a warning when a user opens the document. (With non-certified signatures, modifications are not prevented, and normal editing operations do not invalidate the original signature.)
- At the time of signing, the document is scanned for specific types of content that could make the contents of a document ambiguous or misleading. For example, an annotation could obscure some text on a page that is important for understanding what is being certified. An explanation (legal attestation) can be provided about such content.
You can programmatically certify PDF documents by using the Signature service Java API or the Signature web service API. When certifying a PDF document, you must reference a security credential that exists in the Credential service. For information about the security credential, see the Installing and Deploying AEM Forms guide for your application server.
When certifying and signing the same PDF document, if the certify signature is not trusted, a yellow triangle appears next to the first sign signature when you open the PDF document in Acrobat or Adobe Reader. The certifying signature must be trusted to avoid this situation.
When using an nCipher nShield HSM credential to sign or certify a PDF document, the new credential cannot be used until the J2EE application server on which AEM Forms is deployed is restarted. However, you can set a configuration value, resulting in the sign or certify operation working without restarting the J2EE application server.
You can add the following configuration value in the cknfastrc file, which is located at /opt/nfast/cknfastrc (or c:\nfast\cknfastrc):
CKNFAST_ASSUME_SINGLE_PROCESS=0
After you add this configuration value to the cknfastrc file, the new credential can be used without restarting the J2EE application server.
For more information about the Signature service and certifying a document, see Services Reference for AEM Forms.
Summary of steps
To certify a PDF document, perform the following tasks:
- Include project files.
- Create a Signature client.
- Get the PDF document to certify.
- Certify the PDF document.
- Save the certified PDF document as a PDF file.
Include project files
Include necessary files into your development project. If you are creating a client application using Java, include the necessary JAR files. If you are using web services, ensure that you include the proxy files.
The following JAR files must be added to your project’s classpath:
- adobe-livecycle-client.jar
- adobe-usermanager-client.jar
- adobe-signatures-client.jar
- adobe-utilities.jar (required if AEM Forms is deployed on JBoss)
- jbossall-client.jar (required if AEM Forms is deployed on JBoss)
For information about the location of these JAR files, see Including AEM Forms Java library files.
Create a Signature client
Before you can programmatically perform a Signature operation, you must create a Signature client.
Get the PDF document to certify
To certify a PDF document, you must obtain a PDF document that contains a signature field. If a PDF document does not contain a signature field, it cannot be certified. A signature field can be added by using Designer or programmatically. For information about programmatically adding a signature field, see Adding Signature Fields.
Certify the PDF document
To successfully certify a PDF document, you require the following input values that are used by the Signature service to certify a PDF document:
- PDF document: A PDF document that contains a signature field, which is a form field that contains a graphic representation of the certified signature. A PDF document must contain a signature field before it can be certified. A signature field can be added by using Designer or programmatically. (See Adding Signature Fields.)
- Signature field name: The fully-qualified name of the signature field that is certified. The following value is an example:
form1[0].#subform[1].SignatureField3[3]. When using an XFA form field, the partial name of the signature field can also be used:SignatureField3[3]. If a null value is passed for the field name, an invisible signature field is dynamically created and certified. - Security credential: A credential that is used to certify the PDF document. This security credential contains a password and an alias, which must match an alias that appears in the credential that is located within the Credential service. The alias is a reference to an actual credential that may be in a PKCS#12 file (with a .pfx extension) or a hardware security module (HSM).
- Hash algorithm: A hash algorithm to use to digest the PDF document.
- Reason for signing: A value that is displayed in Acrobat or Adobe Reader so that other users know the reason why the PDF document was certified.
- Location of the signer: The location of the signer specified by the credential.
- Contact information: Contact information, such as address and telephone number, of the signer.
- Permission information: Permissions that control the actions that an end user can perform on a document without causing the certified signature to be invalid. For example, you can set the permission so that any change to the PDF document causes the certified signature to be invalid.
- Legal explanation: When a document is certified, it is automatically scanned for specific types of content that could make the contents of a document ambiguous or misleading. For example, an annotation could obscure some text on a page that is important for understanding what is being certified. The scanning process generates warnings about these types of content. This value provides an additional explanation of the content that may have generated warnings.
- Appearance options: Options that control the appearance of the certified signature. For example, the certified signature can display date information.
- Revocation checking: This value specifies whether revocation checking is done for the signer’s certificate. The default setting of
falsemeans that revocation checking is not done. - OCSP settings: Settings for Online Certificate Status Protocol (OCSP) support, which provides information about the status of the credential that is used to certify the PDF document. You can, for example, specify the URL of the server that provides information about the credential that you are using to sign on to the PDF document.
- CRL settings: Settings for certificate revocation list (CRL) preferences if revocation checking is done. For example, you can specify to always check whether a credential was revoked.
- Time stamping: Settings that define time stamping information that is applied to the certified signature. A time stamp indicates that specific data was established before a certain time. This knowledge helps build a trusting relationship between the signer and verifier.
Save the certified PDF document as a PDF file
After the Signature service certifies the PDF document, you can save it as a PDF file so that users can open it in Acrobat or Adobe Reader.
See also
Certify PDF documents using the Java API
Certify PDF documents using the web service API
Including AEM Forms Java library files
Certify PDF documents using the Java API
Certify a PDF document by using the Signature API (Java):
-
Include project files
Include client JAR files, such as adobe-signatures-client.jar, in your Java project’s class path.
-
Create a Signature client
- Create a
ServiceClientFactoryobject that contains connection properties. - Create a
SignatureServiceClientobject by using its constructor and passing theServiceClientFactoryobject.
- Create a
-
Get the PDF document to certify
- Create a
java.io.FileInputStreamobject that represents the PDF document to certify by using its constructor and passing a string value that specifies the location of the PDF document. - Create a
com.adobe.idp.Documentobject by using its constructor and passing thejava.io.FileInputStreamobject.
- Create a
-
Certify the PDF document
Certify the PDF document by invoking the
SignatureServiceClientobject’scertifymethod and passing the following values:- The
com.adobe.idp.Documentobject that represents the PDF document to certify. - A string value that represents the name of the signature field that will contain the signature.
- A
Credentialobject that represents the credential that is used to certify the PDF document. Create aCredentialobject by invoking theCredentialobject’s staticgetInstancemethod and passing a string value that specifies the alias value that corresponds to the security credential. - A
HashAlgorithmobject that specifies a static data member that represents the hash algorithm used to digest the PDF document. For example, you can specifyHashAlgorithm.SHA1to use the SHA1 algorithm. - A string value that represents the reason why the PDF document was certified.
- A string value that represents the signer’s contact information.
- A
MDPPermissionsobject that specifies actions that can be performed on the PDF document that invalidates the signature. - A
PDFSignatureAppearanceOptionsobject that controls the appearance of the certified signature. If desired, modify the appearance of the signature by invoking a method, such assetShowDate. - A string value that provides an explanation of what actions invalidate the signature.
- A
java.lang.Booleanobject that specifies whether to perform revocation checking on the signer’s certificate. If this revocation checking is done, it is embedded in the signature. The default isfalse. - A
java.lang.Booleanobject that specifies whether the signature field being certified is locked. If the field is locked, the signature field is marked as read only, its properties cannot be modified, and it cannot be cleared by anyone who does not have the required permissions. The default isfalse. - An
OCSPPreferencesobject that stores preferences for Online Certificate Status Protocol (OCSP) support. If revocation checking is not done, this parameter is not used and you can specifynull. For information about this object, See AEM Forms API Reference. - A
CRLPreferencesobject that stores certificate revocation list (CRL) preferences. If revocation checking is not done, this parameter is not used and you can specifynull. - A
TSPPreferencesobject that stores preferences for time stamp provider (TSP) support. For example, after you create aTSPPreferencesobject, you can set the URL of the TSP server by invoking theTSPPreferencesobject’ssetTspServerURLmethod. This parameter is optional and can benull. For more information, see Services Reference for AEM Forms.
The
certifymethod returns acom.adobe.idp.Documentobject that represents the certified PDF document. - The
-
Save the certified PDF document as a PDF file
- Create a
java.io.Fileobject and ensure that the file extension is .pdf. - Invoke the
com.adobe.idp.Documentobject’scopyToFilemethod to copy the contents of thecom.adobe.idp.Documentobject to the file.
- Create a
See also
Quick Start (SOAP mode): Certifying a PDF document using the Java API
Including AEM Forms Java library files
Certify PDF documents using the web service API
Certify a PDF document by using the Signature API (web service):
-
Include project files
Create a Microsoft .NET project that uses MTOM. Ensure that you use the following WSDL definition:
http://localhost:8080/soap/services/SignatureService?WSDL&lc_version=9.0.1.NOTEReplace
localhostwith the IP address of the server hosting AEM Forms. -
Create a Signature client
-
Create a
SignatureServiceClientobject by using its default constructor. -
Create a
SignatureServiceClient.Endpoint.Addressobject by using theSystem.ServiceModel.EndpointAddressconstructor. Pass a string value that specifies the WSDL to the AEM Forms service (for example,http://localhost:8080/soap/services/SignatureService?WSDL). You do not need to use thelc_versionattribute. This attribute is used when you create a service reference.) -
Create a
System.ServiceModel.BasicHttpBindingobject by getting the value of theSignatureServiceClient.Endpoint.Bindingfield. Cast the return value toBasicHttpBinding. -
Set the
System.ServiceModel.BasicHttpBindingobject’sMessageEncodingfield toWSMessageEncoding.Mtom. This value ensures that MTOM is used. -
Enable basic HTTP authentication by performing the following tasks:
- Assign the AEM forms user name to the field
SignatureServiceClient.ClientCredentials.UserName.UserName. - Assign the corresponding password value to the field
SignatureServiceClient.ClientCredentials.UserName.Password. - Assign the constant value
HttpClientCredentialType.Basicto the fieldBasicHttpBindingSecurity.Transport.ClientCredentialType. - Assign the constant value
BasicHttpSecurityMode.TransportCredentialOnlyto the fieldBasicHttpBindingSecurity.Security.Mode.
- Assign the AEM forms user name to the field
-
-
Get the PDF document to certify
- Create a
BLOBobject by using its constructor. TheBLOBobject is used to store a PDF document that is certified. - Create a
System.IO.FileStreamobject by invoking its constructor and passing a string value that represents the file location of the PDF document to certify and the mode in which to open the file. - Create a byte array that stores the content of the
System.IO.FileStreamobject. You can determine the size of the byte array by getting theSystem.IO.FileStreamobject’sLengthproperty. - Populate the byte array with stream data by invoking the
System.IO.FileStreamobject’sReadmethod and passing the byte array, the starting position, and the stream length to read. - Populate the
BLOBobject by assigning itsMTOMdata member the contents of the byte array.
- Create a
-
Certify the PDF document
Certify the PDF document by invoking the
SignatureServiceClientobject’scertifymethod and passing the following values:- The
BLOBobject that represents the PDF document to certify. - A string value that represents the name of the signature field that will contain the signature.
- A
Credentialobject that represents the credential that is used to certify the PDF document. Create aCredentialobject by using its constructor, and specify the alias by assigning a value to theCredentialobject’saliasproperty. - A
HashAlgorithmobject that specifies a static data member that represents the hash algorithm used to digest the PDF document. For example, you can specifyHashAlgorithm.SHA1to use the SHA1 algorithm. - A Boolean value that specifies whether the hash algorithm is used.
- A string value that represents the reason why the PDF document was certified.
- A string value that represents the signer’s location.
- A string value that represents the signer’s contact information.
- An
MDPPermissionsobject’s static data member that specifies actions that can be performed on the PDF document that invalidate the signature. - A Boolean value that specifies whether to use the
MDPPermissionsobject that was passed as the previous parameter value. - A string value that explains what actions invalidate the signature.
- A
PDFSignatureAppearanceOptionsobject that controls the appearance of the certified signature. Create aPDFSignatureAppearanceOptionsobject by using its constructor. You can modify the appearance of the signature by setting one of its data members. - A
System.Booleanobject that specifies whether to perform revocation checking on the signer’s certificate. If this revocation checking is done, it is embedded in the signature. The default isfalse. - A
System.Booleanobject that specifies whether the signature field being certified is locked. If the field is locked, the signature field is marked as read only, its properties cannot be modified, and it cannot be cleared by anyone who does not have the required permissions. The default isfalse. - A
System.Booleanobject that specifies whether the signature field is locked. That is, if you passtrueto the previous parameter, then passtrueto this parameter. - An
OCSPPreferencesobject that stores preferences for Online Certificate Status Protocol (OCSP) support, which provides information about the status of the credential that is used to certify the PDF document. If revocation checking is not done, this parameter is not used and you can specifynull. - A
CRLPreferencesobject that stores certificate revocation list (CRL) preferences. If revocation checking is not done, this parameter is not used and you can specifynull. - A
TSPPreferencesobject that stores preferences for time stamp provider (TSP) support. For example, after you create aTSPPreferencesobject, you can set the URL of the TSP by setting theTSPPreferencesobject’stspServerURLdata member. This parameter is optional and can benull.
The
certifymethod returns aBLOBobject that represents the certified PDF document. - The
-
Save the certified PDF document as a PDF file
- Create a
System.IO.FileStreamobject by invoking its constructor and passing a string value that represents the file location of the PDF document that will contain the certified PDF document and the mode in which to open the file. - Create a byte array that stores the content of the
BLOBobject that was returned by thecertifymethod. Populate the byte array by getting the value of theBLOBobject’sbinaryDatadata member. - Create a
System.IO.BinaryWriterobject by invoking its constructor and passing theSystem.IO.FileStreamobject. - Write the contents of the byte array to a PDF file by invoking the
System.IO.BinaryWriterobject’sWritemethod and passing the byte array.
- Create a
See also
Invoking AEM Forms using SwaRef
Verifying Digital Signatures
Digital signatures can be verified to ensure that a signed PDF document was not modified and that the digital signature is valid. When verifying a digital signature, you can check the signature’s status and the signature’s properties, such as the signer’s identity. Before trusting a digital signature, it is recommended that you verify it. When verifying a digital signature, reference a PDF document that contains a digital signature.
Assume that the identity of the signer is unknown. When you open the PDF document in Acrobat, a warning message states that the signer’s identity is unknown, as shown in the following illustration.
Likewise, when you programmatically verify a digital signature, you can determine the status of the signer’s identity. For example, if you verify the digital signature in the document shown in the previous illustration, the result would be that the signer’s identity is unknown.
For more information about the Signature service and verifying digital signatures, see Services Reference for AEM Forms.
Summary of steps
To verify a digital signature, perform the following tasks:
- Include project files.
- Create a Signature client.
- Get the PDF document that contains the signature to verify.
- Set PKI run-time options.
- Verify the digital signature.
- Determine the status of the signature.
- Determine the identity of the signer.
Include project files
Include the necessary files in your development project. If you are creating a client application using Java, include the necessary JAR files. If you are using web services, include the proxy files.
The following JAR files must be added to your project’s classpath:
- adobe-livecycle-client.jar
- adobe-usermanager-client.jar
- adobe-signatures-client.jar
- adobe-utilities.jar (required if AEM Forms is deployed on JBoss)
- jbossall-client.jar (required if AEM Forms is deployed on JBoss)
For information about the location of these JAR files, see Including AEM Forms Java library files.
Create a Signature client
Before you programmatically perform a Signature service operation, create a Signature service client.
Get the PDF document that contains the signature to verify
To verify a signature used to digitally sign or certify a PDF document, obtain a PDF document that contains a signature.
Set PKI run-time options
Set these PKI run-time options that the Signature service uses when verifying signatures in a PDF document:
- Verification time
- Revocation checking
- Time-stamping values
As part of setting these options, you can specify verification time. For example, you can select current time (the time on the validator’s computer), which indicates to use the current time. For information about the different time values, see the VerificationTime enumeration value in AEM Forms API Reference.
You can also specify whether to perform revocation checking as part of the verification process. For example, you can perform a revocation check to determine whether the certificate is revoked. For information about the revocation-checking options, see the RevocationCheckStyle enumeration value in AEM Forms API Reference.
To perform revocation checking on a certificate, specify a URL to a certificate revocation list (CRL) server by using a CRLOptionSpec object. However, if you do not specify a URL to CRL server, the Signature service obtains the URL from the certificate.
Instead of using a CRL server, you can use an online certificate status protocol (OCSP) server when performing revocation checking. Typically, when using an OCSP server as opposed to a CRL server, the revocation check is performed faster. (See Online Certificate Status Protocol.)
You can set the CRL and OCSP server order that the Signature service uses by using Adobe Applications and Services. For example, if the OCSP server is set first in Adobe Applications and Services, then the OCSP server is checked, followed by the CRL server.
If you do not perform revocation checking, the Signature service does not check whether the certificate is revoked. That is, CRL and OCSP server information is ignored.
You can override the URL specified in the certificate by using a CRLOptionSpec and an OCSPOptionSpec object. For example, to override the CRL server, you can invoke the CRLOptionSpec object’s setLocalURI method.
Time stamping is the process of tracking the time when a signed or certified document was modified. After a document is signed, no one can modify it. Time stamping helps enforce the validity of a signed or certified document. You can set time stamping options using a TSPOptionSpec object. For example, you can specify the URL of a time stamping provider (TSP) server.
In the Java and web service quick starts, the verification time is set to VerificationTime.CURRENT_TIME and revocation checking is set to RevocationCheckStyle.BestEffort. Because no CRL or OCSP server information is specified, the server information is obtained from the certificate.
Verify the digital signature
To successfully verify a signature, specify the fully qualified name of the signature field that contains the signature, such as form1[0].#subform[1].SignatureField3[3]. When using an XFA form field, you can also use the partial name of the signature field : SignatureField3.
By default, the Signature service limits the amount of time that a document can be signed after validation time to 65 min. If a user attempts to verify a signature at current time and the sign time is later than the current time and is within 65 min, the Signature service does not create a verification error.
For other values that you require when verifying a signature, see AEM Forms API Reference.
Determine the status of the signature
As part of verifying a digital signature, you can check the status of the signature.
Determine the identity of the signer
You can determine the identity of the signer, which can be one of the following values:
- Unknown: This signer is unknown because the signer verification cannot be performed.
- Trusted: This signer is trusted.
- Not trusted: This signer is not trusted.
See also
Verify digital signatures using the Java API
Verify digital signatures using the web service API
Including AEM Forms Java library files
Verify digital signatures using the Java API
Verify a digital signature by using the Signature Service API (Java):
-
Include project files
Include client JAR files, such as adobe-signatures-client.jar, in your Java project’s classpath.
-
Create a Signature client
- Create a
ServiceClientFactoryobject that contains connection properties. - Create a
SignatureServiceClientobject by using its constructor and passing theServiceClientFactoryobject.
- Create a
-
Get the PDF document that contains the signature to verify
- Create a
java.io.FileInputStreamobject that represents the PDF document that contains the signature to verify by using its constructor. Pass a string value that specifies the location of the PDF document. - Create a
com.adobe.idp.Documentobject by using its constructor and passing thejava.io.FileInputStreamobject.
- Create a
-
Set PKI run-time options
- Create a
PKIOptionsobject by using its constructor. - Set the verification time by invoking the
PKIOptionsobject’ssetVerificationTimemethod and passing aVerificationTimeenumeration value that specifies the verification time. - Set the revocation-checking option by invoking
PKIOptionsobject’ssetRevocationCheckStylemethod and passing aRevocationCheckStyleenumeration value that specifies whether to perform revocation checking.
- Create a
-
Verify the digital signature
Verify the signature by invoking the
SignatureServiceClientobject’sverify2method and passing the following values:- A
com.adobe.idp.Documentobject that contains a digitally signed or certified PDF document. - A string value that represents the signature field name that contains the signature to verify.
- A
PKIOptionsobject that contains PKI run-time options. - A
VerifySPIOptionsinstance that contains SPI information. You can specifynullfor this parameter.
The
verify2method returns aPDFSignatureVerificationInfoobject that contains information that can be used to verify the digital signature. - A
-
Determine the status of the signature
- Determine the signature’s status by invoking the
PDFSignatureVerificationInfoobject’sgetStatusmethod. This method returns aSignatureStatusobject that specifies the signature status. For example, if a signed PDF document is not modified, this method returnsSignatureStatus.DocumentSigNoChanges.
- Determine the signature’s status by invoking the
-
Determine the identity of the signer
- Determine the signer’s identity by invoking the
PDFSignatureVerificationInfoobject’sgetSignermethod. This method returns anIdentityInformationobject. - Invoke the
IdentityInformationobject’sgetStatusmethod to determine the signer’s identity. This method returns anIdentityStatusenumeration value that specifies the identity. For example, if the signer is trusted, this method returnsIdentityStatus.TRUSTED.
- Determine the signer’s identity by invoking the
See also
Quick Start (SOAP mode): Verifying a digital signature using the Java API
Including AEM Forms Java library files
Verify digital signatures using the web service API
Verify a digital signature by using the Signature Service API (web service):
-
Include project files
Create a Microsoft .NET project that uses MTOM. Ensure that you use the following WSDL definition:
http://localhost:8080/soap/services/SignatureService?WSDL&lc_version=9.0.1.NOTEReplace
localhostwith the IP address of the server hosting AEM Forms. -
Create a Signature client
-
Create a
SignatureServiceClientobject by using its default constructor. -
Create a
SignatureServiceClient.Endpoint.Addressobject by using theSystem.ServiceModel.EndpointAddressconstructor. Pass a string value that specifies the WSDL to the AEM Forms service (for example,http://localhost:8080/soap/services/SignatureService?WSDL). You do not need to use thelc_versionattribute. This attribute is used when you create a service reference.) -
Create a
System.ServiceModel.BasicHttpBindingobject by getting the value of theSignatureServiceClient.Endpoint.Bindingfield. Cast the return value toBasicHttpBinding. -
Set the
System.ServiceModel.BasicHttpBindingobject’sMessageEncodingfield toWSMessageEncoding.Mtom. This value ensures that MTOM is used. -
Enable basic HTTP authentication by performing the following tasks:
- Assign the AEM forms user name to the field
SignatureServiceClient.ClientCredentials.UserName.UserName. - Assign the corresponding password value to the field
SignatureServiceClient.ClientCredentials.UserName.Password. - Assign the constant value
HttpClientCredentialType.Basicto the fieldBasicHttpBindingSecurity.Transport.ClientCredentialType. - Assign the constant value
BasicHttpSecurityMode.TransportCredentialOnlyto the fieldBasicHttpBindingSecurity.Security.Mode.
- Assign the AEM forms user name to the field
-
-
Get the PDF document that contains the signature to verify
- Create a
BLOBobject by using its constructor. TheBLOBobject is used to store a PDF document that contains a digital or certified signature to verify. - Create a
System.IO.FileStreamobject by invoking its constructor. Pass a string value that represents the file location of the signed PDF document and the mode in which to open the file. - Create a byte array that stores the content of the
System.IO.FileStreamobject. You can determine the size of the byte array by getting theSystem.IO.FileStreamobject’sLengthproperty. - Populate the byte array with stream data by invoking the
System.IO.FileStreamobject’sReadmethod. Pass the byte array, the starting position, and the stream length to read. - Populate the
BLOBobject by assigning itsMTOMproperty the contents of the byte array.
- Create a
-
Set PKI run-time options
- Create a
PKIOptionsobject by using its constructor. - Set the verification time by assigning the
PKIOptionsobject’sverificationTimedata member aVerificationTimeenumeration value that specifies the verification time. - Set the revocation-checking option by assigning the
PKIOptionsobject’srevocationCheckStyledata member aRevocationCheckStyleenumeration value that specifies whether to perform revocation checking.
- Create a
-
Verify the digital signature
Verify the signature by invoking the
SignatureServiceClientobject’sverify2method and passing the following values:- The
BLOBobject that contains a digitally signed or certified PDF document. - A string value that represents the signature field name that contains the signature to verify.
- A
PKIOptionsobject that contains PKI run-time options. - A
VerifySPIOptionsinstance that contains SPI information. You can specifynullfor this parameter.
The
verify2method returns aPDFSignatureVerificationInfoobject that contains information that can be used to verify the digital signature. - The
-
Determine the status of the signature
Determine the signature’s status by getting the value of the
PDFSignatureVerificationInfoobject’sstatusdata member. This data member stores aSignatureStatusobject that specifies the signature’s status. For example, if a signed PDF document is modified, thestatusdata member stores the valueSignatureStatus.DocumentSigNoChanges. -
Determine the identity of the signer
- Determine the signer’s identity by retrieving the value of the
PDFSignatureVerificationInfoobject’ssignerdata member. This member returns anIdentityInformationobject. - Retrieve the
IdentityInformationobject’sstatusdata member to determine the signer’s identity. This data member returns anIdentityStatusenumeration value that specifies the identity. For example, if the signer is trusted, this member returnsIdentityStatus.TRUSTED.
- Determine the signer’s identity by retrieving the value of the
See also
Invoking AEM Forms using SwaRef
Verifying Multiple Digital Signatures
AEM Forms provides the means to verify all digital signatures that are located in a PDF document. Assume that a PDF document contains multiple digital signatures as a result of a business process that requires signatures from multiple signers. For example, consider a financial transaction that requires both a loan officer’s and a manager’s signature. You can use the Signature service Java API or web service API to verify all signatures within the PDF document. When verifying multiple digital signatures, you can check the status and properties of each signature. Before you trust a digital signature, it is recommended that you verify it. It is recommended that you are familiar with verifying a single digital signature.
For more information about the Signature service and verifying digital signatures, see Services Reference for AEM Forms.
Summary of steps
To verify multiple digital signature, perform the following tasks:
- Include project files.
- Create a Signature client.
- Get the PDF document that contains the signatures to verify.
- Set PKI run-time options.
- Retrieve all digital signatures.
- Iterate through all signatures.
Include project files
Include the necessary files in your development project. If you are creating a client application using Java, include the necessary JAR files. If you are using web services, include the proxy files.
The following JAR files must be added to your project’s classpath:
- adobe-livecycle-client.jar
- adobe-usermanager-client.jar
- adobe-signatures-client.jar
- adobe-utilities.jar (required if AEM Forms is deployed on JBoss)
- jbossall-client.jar (required if AEM Forms is deployed on JBoss)
For information about the location of these JAR files, see Including AEM Forms Java library files.
Create a Signature client
Before you programmatically perform a Signature service operation, create a Signature service client.
Get the PDF document that contains the signatures to verify
To verify a signature used to digitally sign or certify a PDF document, obtain a PDF document that contains a signature.
Set PKI runtime options
Set these PKI run-time options that the Signature service uses when verifying all signatures in a PDF document:
- Verification time
- Revocation checking
- Time-stamping values
As part of setting these options, you can specify verification time. For example, you can select current time (the time on the validator’s computer), which indicates to use the current time. For information about the different time values, see the VerificationTime enumeration value in AEM Forms API Reference.
You can also specify whether to perform revocation checking as part of the verification process. For example, you can perform a revocation check to determine whether the certificate is revoked. For information about the revocation-checking options, see the RevocationCheckStyle enumeration value in AEM Forms API Reference.
To perform revocation checking on a certificate, specify a URL to a certificate revocation list (CRL) server by using a CRLOptionSpec object. However, if you do not specify a URL to a CRL server, the Signature service obtains the URL from the certificate.
Instead of using a CRL server, you can use an online certificate status protocol (OCSP) server when performing revocation checking. Typically, when using an OCSP server instead of a CRL server, the revocation check is performed faster. (See Online Certificate Status Protocol.)
You can set the CRL and OCSP server order that the Signature service uses by using Adobe Applications and Services. For example, if the OCSP server is set first in Adobe Applications and Services, the OCSP server is checked, followed by the CRL server.
If you do not perform revocation checking, the Signature service does not check whether the certificate is revoked. That is, CRL and OCSP server information is ignored.
You can override the URL specified in the certificate by using a CRLOptionSpec and an OCSPOptionSpec object. For example, to override the CRL server, you can invoke the CRLOptionSpec object’s setLocalURI method.
Time stamping is the process of tracking the time when a signed or certified document was modified. After a document is signed, no one can modify it. Time stamping helps enforce the validity of a signed or certified document. You can set time stamping options by using a TSPOptionSpec object. For example, you can specify the URL of a time stamping provider (TSP) server.
In the Java and web service quick starts, the verification time is set to VerificationTime.CURRENT_TIME and revocation checking is set to RevocationCheckStyle.BestEffort. Because no CRL or OCSP server information is specified, the server information is obtained from the certificate.
Retrieve all digital signatures
To verify all digital signatures located in a PDF document, retrieve the digital signatures from the PDF document. All signatures are returned in a list. As part of verifying a digital signature, check the status of the signature.
Unlike when you verify a single digital signature, when you verify multiple signatures, you are not required to specify the signature field name.
Iterate through all signatures
Iterate through each signature. That is, for each signature, verify the digital signature, and check the signer’s identity and the status of each signature. (See Verifying Digital Signatures.)
You do not need to iterate through all the signatures if the requirement is the entire document.
See also
Verify multiple digital signatures using the Java API
Verifying multiple digital signatures using the web service API
Including AEM Forms Java library files
Verify multiple digital signatures using the Java API
Verify multiple digital signatures by using the Signature Service API (Java):
-
Include project files
Include client JAR files, such as adobe-signatures-client.jar, in your Java project’s classpath.
-
Create a Signature client
- Create a
ServiceClientFactoryobject that contains connection properties. - Create a
SignatureServiceClientobject by using its constructor and passing theServiceClientFactoryobject.
- Create a
-
Get the PDF document that contains the signatures to verify
- Create a
java.io.FileInputStreamobject that represents the PDF document that contains multiple digital signatures to verify by using its constructor. Pass a string value that specifies the location of the PDF document. - Create a
com.adobe.idp.Documentobject by using its constructor and passing thejava.io.FileInputStreamobject.
- Create a
-
Set PKI runtime options
- Create a
PKIOptionsobject by using its constructor. - Set the verification time by invoking the
PKIOptionsobject’ssetVerificationTimemethod and passing aVerificationTimeenumeration value that specifies the verification time. - Set the revocation checking option by invoking
PKIOptionsobject’ssetRevocationCheckStylemethod and passing aRevocationCheckStyleenumeration value that specifies whether to perform revocation checking.
- Create a
-
Retrieve all digital signatures
Invoke the
SignatureServiceClientobject’sverifyPDFDocumentmethod and pass the following values:- A
com.adobe.idp.Documentobject that contains a PDF document that contains multiple digital signatures. - A
PKIOptionsobject that contains PKI run-time options. - A
VerifySPIOptionsinstance that contains SPI information. You can specifynullfor this parameter.
The
verifyPDFDocumentmethod returns aPDFDocumentVerificationInfoobject that contains information about all the digital signatures located in the PDF document. - A
-
Iterate through all signatures
- Iterate through all signatures by invoking the
PDFDocumentVerificationInfoobject’sgetVerificationInfosmethod. This method returns ajava.util.Listobject where each element is aPDFSignatureVerificationInfoobject. Use ajava.util.Iteratorobject to iterate through the list of signatures. - Using the
PDFSignatureVerificationInfoobject, you can perform tasks such as determining the status of the signature by invoking thePDFSignatureVerificationInfoobject’sgetStatusmethod. This method returns aSignatureStatusobject whose static data member informs you about the status of the signature. For example, if the signature is unknown, this method returnsSignatureStatus.DocumentSignatureUnknown.
- Iterate through all signatures by invoking the
See also
Verifying Multiple Digital Signatures
Quick Start (SOAP mode): Verifying multiple digital signatures using the Java API
Including AEM Forms Java library files
Verifying multiple digital signatures using the web service API
Verify multiple digital signatures by using the Signature Service API (web service):
-
Include project files
Create a Microsoft .NET project that uses MTOM. Ensure that you use the following WSDL definition:
http://localhost:8080/soap/services/SignatureService?WSDL&lc_version=9.0.1.NOTEReplace
localhostwith the IP address of the server hosting AEM Forms. -
Create a Signature client
-
Create a
SignatureServiceClientobject by using its default constructor. -
Create a
SignatureServiceClient.Endpoint.Addressobject by using theSystem.ServiceModel.EndpointAddressconstructor. Pass a string value that specifies the WSDL to the AEM Forms service (for example,http://localhost:8080/soap/services/SignatureService?WSDL). You do not need to use thelc_versionattribute. This attribute is used when you create a service reference.) -
Create a
System.ServiceModel.BasicHttpBindingobject by getting the value of theSignatureServiceClient.Endpoint.Bindingfield. Cast the return value toBasicHttpBinding. -
Set the
System.ServiceModel.BasicHttpBindingobject’sMessageEncodingfield toWSMessageEncoding.Mtom. This value ensures that MTOM is used. -
Enable basic HTTP authentication by performing the following tasks:
- Assign the AEM forms user name to the field
SignatureServiceClient.ClientCredentials.UserName.UserName. - Assign the corresponding password value to the field
SignatureServiceClient.ClientCredentials.UserName.Password. - Assign the constant value
HttpClientCredentialType.Basicto the fieldBasicHttpBindingSecurity.Transport.ClientCredentialType. - Assign the constant value
BasicHttpSecurityMode.TransportCredentialOnlyto the fieldBasicHttpBindingSecurity.Security.Mode.
- Assign the AEM forms user name to the field
-
-
Get the PDF document that contains the signatures to verify
- Create a
BLOBobject by using its constructor. TheBLOBobject stores a PDF document that contains multiple digital signatures to verify. - Create a
System.IO.FileStreamobject by invoking its constructor. Pass a string value that represents the file location of the PDF document and the mode in which to open the file. - Create a byte array that stores the content of the
System.IO.FileStreamobject. You can determine the size of the byte array by getting theSystem.IO.FileStreamobject’sLengthproperty. - Populate the byte array with stream data by invoking the
System.IO.FileStreamobject’sReadmethod. Pass the byte array, the starting position, and the stream length to read. - Populate the
BLOBobject by assigning itsMTOMproperty the contents of the byte array.
- Create a
-
Set PKI runtime options
- Create a
PKIOptionsobject by using its constructor. - Set the verification time by assigning the
PKIOptionsobject’sverificationTimedata member aVerificationTimeenumeration value that specifies the verification time. - Set the revocation checking option by assigning the
PKIOptionsobject’srevocationCheckStyledata member aRevocationCheckStyleenumeration value that specifies whether to perform revocation checking.
- Create a
-
Retrieve all digital signatures
Invoke the
SignatureServiceClientobject’sverifyPDFDocumentmethod and pass the following values:- A
BLOBobject that contains a PDF document that contains multiple digital signatures. - A
PKIOptionsobject that contains PKI run-time options. - A
VerifySPIOptionsinstance that contains SPI information. You can specify null for this parameter.
The
verifyPDFDocumentmethod returns aPDFDocumentVerificationInfoobject that contains information about all the digital signatures located in the PDF document. - A
-
Iterate through all signatures
- Iterate through all signatures by getting the
PDFDocumentVerificationInfoobject’sverificationInfosdata member. This data member returns anObjectarray where each element is aPDFSignatureVerificationInfoobject. - Using the
PDFSignatureVerificationInfoobject, you can perform tasks like determining the status of the signature by getting thePDFSignatureVerificationInfoobject’sstatusdata member. This data member returns aSignatureStatusobject whose static data member informs you about the status of the signature. For example, if the signature is unknown, this method returnsSignatureStatus.DocumentSignatureUnknown.
- Iterate through all signatures by getting the
See also
Verifying Multiple Digital Signatures
Invoking AEM Forms using SwaRef
Removing Digital Signatures
Digital signatures must be removed from a signature field before a newer digital signature can be applied. A digital signature cannot be overwritten. If you attempt to apply a digital signature to a signature field that contains a signature, an exception occurs.
For more information about the Signature service, see Services Reference for AEM Forms.
Summary of steps
To remove a digital signature from a signature field, perform the following tasks:
- Include project files.
- Create a Signature client.
- Get the PDF document that contains a signature to remove.
- Remove the digital signature from the signature field.
- Save the PDF document as a PDF file.
Include project files
Include necessary files into your development project. If you are creating a client application using Java, then include the necessary JAR files. If you are using web services, then make sure that you include the proxy files.
The following JAR files must be added to your project’s classpath:
- adobe-livecycle-client.jar
- adobe-usermanager-client.jar
- adobe-signatures-client.jar
- adobe-utilities.jar (required if AEM Forms is deployed on JBoss)
- jbossall-client.jar (required if AEM Forms is deployed on JBoss)
For information about the location of these JAR files, see Including AEM Forms Java library files.
Create a Signature client
Before you can programmatically perform a Signature service operation, you must create a Signature service client.
Get the PDF document that contains a signature to remove
To remove a signature from a PDF document, you must obtain a PDF document that contains a signature.
Remove the digital signature from the signature field
To successfully remove a digital signature from a PDF document, you must specify the name of the signature field that contains the digital signature. Also, you must have permission to remove the digital signature; otherwise, an exception occurs.
Save the PDF document as a PDF file
After the Signature service removes a digital signature from a signature field, you can save the PDF document as a PDF file so that users can open it in Acrobat or Adobe Reader.
See also
Remove digital signatures using the Java API
Remove digital signatures using the web service API
Including AEM Forms Java library files
Remove digital signatures using the Java API
Remove a digital signature by using the Signature API (Java):
-
Include project files
Include client JAR files, such as adobe-signatures-client.jar, in your Java project’s class path.
-
Create a Signature client.
- Create a
ServiceClientFactoryobject that contains connection properties. - Create a
SignatureServiceClientobject by using its constructor and passing theServiceClientFactoryobject.
- Create a
-
Get the PDF document that contains a signature to remove
- Create a
java.io.FileInputStreamobject that represents the PDF document that contains the signature to remove by using its constructor and passing a string value that specifies the location of the PDF document. - Create a
com.adobe.idp.Documentobject by using its constructor and passing thejava.io.FileInputStreamobject.
- Create a
-
Remove the digital signature from the signature field
Remove a digital signature from a signature field by invoking the
SignatureServiceClientobject’sclearSignatureFieldmethod and passing the following values:- A
com.adobe.idp.Documentobject that represents the PDF document that contains the signature to remove. - A string value that specifies the name of the signature field that contains the digital signature.
The
clearSignatureFieldmethod returns acom.adobe.idp.Documentobject that represents the PDF document from which the digital signature was removed. - A
-
Save the PDF document as a PDF file
- Create a
java.io.Fileobject and ensure that the file extension is .pdf. - Invoke the
com.adobe.idp.Documentobject’scopyToFilemethod. Pass thejava.io.Fileobject to copy the contents of thecom.adobe.idp.Documentobject to the file. Ensure that you use theDocumentobject that was returned by theclearSignatureFieldmethod.
- Create a
See also
Quick Start (SOAP mode): Removing a digital signature using the Java API
Including AEM Forms Java library files
Remove digital signatures using the web service API
Remove a digital signature by using the Signature API (web service):
-
Include project files
Create a Microsoft .NET project that uses MTOM. Ensure that you use the following WSDL definition:
http://localhost:8080/soap/services/SignatureService?WSDL&lc_version=9.0.1.NOTEReplace
localhostwith the IP address of the server hosting AEM Forms. -
Create a Signature client
-
Create a
SignatureServiceClientobject by using its default constructor. -
Create a
SignatureServiceClient.Endpoint.Addressobject by using theSystem.ServiceModel.EndpointAddressconstructor. Pass a string value that specifies the WSDL to the AEM Forms service (for example,http://localhost:8080/soap/services/SignatureService?WSDL). You do not need to use thelc_versionattribute. This attribute is used when you create a service reference.) -
Create a
System.ServiceModel.BasicHttpBindingobject by getting the value of theSignatureServiceClient.Endpoint.Bindingfield. Cast the return value toBasicHttpBinding. -
Set the
System.ServiceModel.BasicHttpBindingobject’sMessageEncodingfield toWSMessageEncoding.Mtom. This value ensures that MTOM is used. -
Enable basic HTTP authentication by performing the following tasks:
- Assign the AEM forms user name to the field
SignatureServiceClient.ClientCredentials.UserName.UserName. - Assign the corresponding password value to the field
SignatureServiceClient.ClientCredentials.UserName.Password. - Assign the constant value
HttpClientCredentialType.Basicto the fieldBasicHttpBindingSecurity.Transport.ClientCredentialType. - Assign the constant value
BasicHttpSecurityMode.TransportCredentialOnlyto the fieldBasicHttpBindingSecurity.Security.Mode.
- Assign the AEM forms user name to the field
-
-
Get the PDF document that contains a signature to remove
- Create a
BLOBobject by using its constructor. TheBLOBobject is used to store a PDF document that contains a digital signature to remove. - Create a
System.IO.FileStreamobject by invoking its constructor and passing a string value that represents the file location of the signed PDF document and the mode in which to open the file. - Create a byte array that stores the content of the
System.IO.FileStreamobject. You can determine the size of the byte array by getting theSystem.IO.FileStreamobject’sLengthproperty. - Populate the byte array with stream data by invoking the
System.IO.FileStreamobject’sReadmethod. Pass the byte array, the starting position, and the stream length to read. - Populate the
BLOBobject by assigning itsMTOMproperty with the contents of the byte array.
- Create a
-
Remove the digital signature from the signature field
Remove the digital signature by invoking the
SignatureServiceClientobject’sclearSignatureFieldmethod and passing the following values:- A
BLOBobject that contains the signed PDF document. - A string value that represents the name of the signature field that contains the digital signature to remove.
The
clearSignatureFieldmethod returns aBLOBobject that represents the PDF document from which the digital signature was removed. - A
-
Save the PDF document as a PDF file
- Create a
System.IO.FileStreamobject by invoking its constructor and passing a string value that represents the file location of the PDF document that contains an empty signature field and the mode in which to open the file. - Create a byte array that stores the content of the
BLOBobject that was returned by thesignmethod. Populate the byte array by getting the value of theBLOBobject’sMTOMdata member. - Create a
System.IO.BinaryWriterobject by invoking its constructor and passing theSystem.IO.FileStreamobject. - Write the contents of the byte array to the PDF file by invoking the
System.IO.BinaryWriterobject’sWritemethod and passing the byte array.
- Create a
See also
Resources
Adobe Account
