Use HSM to digitally sign or certify documents
Hardware security modules (HSM) and etokens are dedicated, hardened, and tamper-resistance computing devices designed to securely manage, process, and store digital keys. These devices are directly attached to a computer or a network server.
Adobe Experience Manager Forms can use credentials stored on an HSM or etoken to eSign or apply server-sided digital signatures to a document. To use an HSM or etoken device with AEM Forms:
Before you configure the HSM or etoken devices with AEM Forms
- Install the AEM Forms add-on package.
- Install and configure HSM or etoken client software on the same computer as the AEM server. The client software is required to communicate with the HSM and etoken devices.
Enable the DocAssurance service
By default, the DocAssurance service is not enabled. Perform the following steps to enable the service:
-
Stop the Author instance of your AEM Forms environment.
-
Open the [AEM_root]\crx-quickstart\conf\sling.properties file to edit.
NOTEIf you have used the [AEM_root]\crx-quickstart\bin\start.bat file to start the AEM instance, then open the [AEM_root]\crx-quickstart\sling.properties file for editing. -
Add or replace the following properties to the sling.properties file:
sling.bootdelegation.sun=sun.*,com.sun.*,sun.misc.* sling.bootdelegation.ibm=com.ibm.xml.*,com.ibm.* sling.bootdelegation.class.com.rsa.jsafe.provider.JsafeJCE=com.rsa.* -
Save and close the sling.properties file.
-
Restart the AEM instance.
NOTEIt is recommended to use the ‘Ctrl + C’ command to restart the SDK. Restarting the AEM SDK using alternative methods, for example, stopping Java processes, may lead to inconsistencies in the AEM development environment.
Create an alias for the device
The alias contains all the parameters that an HSM or etoken requires. Perform the instructions listed below to create an alias for each HSM or etoken credential that eSign or Digital Signatures uses :
-
Open the AEM console. The default URL of the AEM console is https://<host>:<port>/system/console/configMgr
-
Open the HSM Credentials Configuration Service and specify values for the following fields:
- Credential Alias: Specify a string used to identify the alias. This value is used as a property for some Digital Signatures operations, such as the Sign Signature Field operation.
- DLL Path: Specify the path of your HSM or etoken client library on the server. For example,
C:\Program Files\LunaSA\cryptoki.dll. In a clustered environment, you must ensure that all servers in the cluster must use an identical path. - HSM Pin: Specify the password required to access the device key.
- HSM Slot Id: Specify a slot identifier of type integer. The slot ID is set on a client-by-client basis. It is used to identify the slot on HSM which contains the private key for sign/certify.
NOTEWhile configuring Etoken, specify a numeric value for the HSM Slot Id field. A numeric value is required to get the Signatures operations working.- Certificate SHA1: Specify the SHA1 value (thumbprint) of the public key (.cer) file for the credential that you are using. Ensure that there are no spaces used in the SHA1 value.
- HSM Device Type: Select the manufacturer of the HSM (Luna or other) or eToken device.
Click Save. The hardware security module is configured for AEM Forms. Now, you can use the hardware security module with AEM Forms to sign or certify documents.
Use the DocAssurance Service APIs to sign or certify a document with digital keys stored on the device
The following sample code uses an HSM or etoken to sign or certify a document.
/*************************************************************************
*
* ADOBE CONFIDENTIAL
* ___________________
*
* Copyright 2014 Adobe Systems Incorporated
* All Rights Reserved.
*
* NOTICE: All information contained herein is, and remains
* the property of Adobe Systems Incorporated and its suppliers,
* if any. The intellectual and technical concepts contained
* herein are proprietary to Adobe Systems Incorporated and its
* suppliers and are protected by trade secret or copyright law.
* Dissemination of this information or reproduction of this material
* is strictly forbidden unless prior written permission is obtained
* from Adobe Systems Incorporated.
**************************************************************************/
package com.adobe.docassurance.samples;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import javax.jcr.Binary;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.jcr.resource.JcrResourceResolverFactory;
import com.adobe.aemfd.docmanager.Document;
import com.adobe.fd.docassurance.client.api.DocAssuranceException;
import com.adobe.fd.docassurance.client.api.DocAssuranceService;
import com.adobe.fd.docassurance.client.api.DocAssuranceServiceOperationTypes;
import com.adobe.fd.docassurance.client.api.SignatureOptions;
import com.adobe.fd.signatures.client.types.exceptions.InvalidArgumentException;
import com.adobe.fd.signatures.pdf.inputs.CredentialContext;
import com.adobe.fd.signatures.pdf.inputs.DSSPreferences;
import com.adobe.fd.signatures.pdf.inputs.DSSPreferencesImpl;
import com.adobe.fd.signatures.pdf.inputs.PDFSignatureAppearenceOptions;
import com.adobe.fd.signatures.pdf.inputs.UnlockOptions;
import com.adobe.fd.signatures.pdf.inputs.PDFSignatureAppearenceOptions.PDFSignatureAppearanceType;
import com.adobe.fd.signatures.pdf.inputs.PDFSignatureAppearenceOptions.TextDirection;
import com.adobe.fd.signatures.pki.client.types.common.HashAlgorithm;
import com.adobe.fd.signatures.pki.client.types.common.RevocationCheckStyle;
import com.adobe.fd.signatures.pki.client.types.prefs.CRLPreferences;
import com.adobe.fd.signatures.pki.client.types.prefs.CRLPreferencesImpl;
import com.adobe.fd.signatures.pki.client.types.prefs.GeneralPreferencesImpl;
import com.adobe.fd.signatures.pki.client.types.prefs.PKIPreferences;
import com.adobe.fd.signatures.pki.client.types.prefs.PKIPreferencesImpl;
import com.adobe.fd.signatures.pki.client.types.prefs.PathValidationPreferences;
import com.adobe.fd.signatures.pki.client.types.prefs.PathValidationPreferencesImpl;
/**
* Digital signatures can be applied to PDF documents to provide a level of security. Digital signatures, like handwritten signatures, provide a means by which signers
* identify themselves and make statements about a document. The technology used to digitally sign documents helps to ensure that both the signer and recipients are clear
* about what was signed and confident that the document was not altered since it was signed.
*
* PDF documents are signed by means of public-key technology. A signer has two keys: a public key and a private key. The private key is stored in a user's credential that
* must be available at the time of signing. The public key is stored in the user's certificate that must be available to recipients to validate the signature. Information
* about revoked certificates is found in certificate revocation lists (CRLs) and Online Certificate Status Protocol (OCSP) responses distributed by Certificate Authorities (CAs).
* The time of signing can be obtained from a trusted source known as a Timestamping Authority.
*
* The following Java code example digitally signs a PDF document that is based on a PDF file.
* The alias that is specified for the security credential is secure, and revocation checking is performed.
* Because no CRL or OCSP server information is specified, the server information is obtained from the certificate used to
* digitally sign the PDF document
*
* PreRequisites - Digital certificate for signing the document has to be uploaded on Granite Key Store
*/
@Component
@Service(value=Sign.class)
public class Sign{
@Reference
private DocAssuranceService docAssuranceService;
@Reference
private SlingRepository slingRepository;
@Reference
private JcrResourceResolverFactory jcrResourceResolverFactory ;
/**
*
* @param inputFile - path to the pdf document stored at JCR node
* @param outputFile - path to the pdf document where the output needs to be stored
* @throws IOException
* @throws RepositoryException
* @throws InvalidArgumentException
* @throws DocAssuranceException
*/
public void signExtend(String inputFile, String outputFile, String alias) throws IOException, RepositoryException, InvalidArgumentException, DocAssuranceException{
Document inDoc = new Document(inputFile);
Document outDoc = null;
Session adminSession = null;
ResourceResolver resourceResolver = null;
try {
/** resourceResolver with admin privileges to be passed to SignatureServiceAPI and Reader Extensions
the resource resolver for signature options has to be corresponding to the user who has the signing certificate in his granite key store
the resource resolver for signature options has to be corresponding to the user who has the credential for reader extension in his granite key store
here we are using the same resource resolver
*/
adminSession = slingRepository.loginAdministrative(null);
resourceResolver = jcrResourceResolverFactory.getResourceResolver(adminSession);
//retrieve specifications for each of the services, you may pass null if you do not want to use that service
//as we do not want encryption in this case, passing null for Encryption Options
//for encrypted document pass Unlock Options - see the method getUnlockOptions() below
outDoc = docAssuranceService.secureDocument(inDoc, null, getSignatureOptions(alias,resourceResolver),null,null);
}
catch(Exception e){
e.printStackTrace();
}
finally{
/**
* always close the PDFDocument object after your processing is done.
*/
if(inDoc != null){
inDoc.close();
}
if(adminSession != null && adminSession.isLive()){
if(resourceResolver != null){
resourceResolver.close();
}
adminSession.logout();
}
}
//flush the output document contents to JCR Node
flush(outDoc, outputFile);
}
/**
*
* @param rr resource resolver corresponding to the user with the access to signing credential for the
* given alias "allcertificatesanypolicytest11ee_new" in this case
* @return SignatureOptions
*/
private SignatureOptions getSignatureOptions(String alias, ResourceResolver rr){
//create an instance of SignatureOptions
SignatureOptions signatureOptions = SignatureOptions.getInstance();
//set the operation you want to perform - SIGN/CERTIFY
signatureOptions.setOperationType(DocAssuranceServiceOperationTypes.SIGN);
//field to sign
String fieldName = "Signature1" ;
//Hash Algo to be used to compute digest the PDF document
HashAlgorithm algo = HashAlgorithm.SHA384;
//Reason for signing/certifying
String reason = "Test Reason";
//location of the signer
String location = "Test Location";
//contact info of the signer
String contactInfo = "Test Contact";
//Create a PDFSignatureAppearanceOptions object
//and show date information
PDFSignatureAppearenceOptions appOptions = new PDFSignatureAppearenceOptions(
PDFSignatureAppearanceType.NAME, null, 1.0d, null, true, true,
true, true, true, true, true, TextDirection.AUTO);
signatureOptions.setSignatureFieldName(fieldName);
signatureOptions.setAlgo(algo);
signatureOptions.setContactInfo(contactInfo);
signatureOptions.setLocation(location);
signatureOptions.setSigAppearence(appOptions);
signatureOptions.setReason(reason);
signatureOptions.setDssPref(getDSSPreferences(rr));
signatureOptions.setCredential(new CredentialContext(alias, rr, true));
return signatureOptions;
}
private DSSPreferences getDSSPreferences(ResourceResolver rr){
//sets the DSS Preferences
DSSPreferencesImpl prefs = DSSPreferencesImpl.getInstance();
prefs.setPKIPreferences(getPKIPreferences());
GeneralPreferencesImpl gp = (GeneralPreferencesImpl) prefs.getPKIPreferences().getGeneralPreferences();
gp.setDisableCache(true);
return prefs;
}
private PKIPreferences getPKIPreferences(){
//sets the PKI Preferences
PKIPreferences pkiPref = new PKIPreferencesImpl();
pkiPref.setCRLPreferences(getCRLPreferences());
pkiPref.setPathPreferences(getPathValidationPreferences());
return pkiPref;
}
private CRLPreferences getCRLPreferences(){
//specifies the CRL Preferences
CRLPreferencesImpl crlPrefs = new CRLPreferencesImpl();
crlPrefs.setRevocationCheck(RevocationCheckStyle.CheckIfAvailable);
crlPrefs.setGoOnline(true);
return crlPrefs;
}
private PathValidationPreferences getPathValidationPreferences(){
//sets the path validation preferences
PathValidationPreferencesImpl pathPref = new PathValidationPreferencesImpl();
pathPref.setDoValidation(false);
return pathPref;
}
/**
* sets Unlock Options for encrypted PDF
*/
private UnlockOptions getUnlockOptions(){
UnlockOptions unlockOptions = new UnlockOptions();
//sets the Open Password for password encrypted PDF
unlockOptions.setPassword("OpenPassword");
//for Certificate Encrypted Document, set the alias of the credential uploaded in the user's key store
//and corresponding resource resolver
return unlockOptions;
}
/**
* This method copies the data from {@code Document}, to the specified file at the given resourcePath.
* @param doc
* @param resourcePath
* @throws IOException
*/
private void flush(Document doc, String resourcePath) throws IOException {
//extracts the byte data from Document
byte[] output = doc.getInlineData();
Binary opBin;
Session adminSession = null;
try {
adminSession = slingRepository.loginAdministrative(null);
//get access to the specific node
//here we are assuming that node exists
Node node = adminSession.getNode(resourcePath);
//convert byte[] to Binary
opBin = adminSession.getValueFactory().createBinary((InputStream)new ByteArrayInputStream(output));
//set the Binary data value to node's jcr:data
node.getNode("jcr:content").getProperty("jcr:data").setValue(opBin);
} catch (RepositoryException e) {
}
finally{
if(adminSession != null && adminSession.isLive()){
try {
adminSession.save();
adminSession.logout();
} catch (RepositoryException e) {
}
}
}
}
}
If you have upgraded from AEM 6.0 Form or AEM 6.1 Forms, and you were using the DocAssurance service in the previous version, then:
- To use the DocAssurance service without an HSM or etoken device, keep using the existing code.
- To use the DocAssurance service with an HSM or etoken device, replace your existing CredentialContext object code with the API listed below.
/**
*
* @param credentialAlias alias of the PKI Credential stored in CQ Key Store or
* the alias of the HSM Credential configured using HSM Credentials Configuration Service.
* @param resourceResolver corresponding to the user with the access to the key store and trust store.
* @param isHSMCredential if the alias is corresponding to HSM Credential.
*/
public CredentialContext(String credentialAlias, ResourceResolver resourceResolver, boolean isHSMCredential);
For detailed information about APIs and sample code of the DocAssurance service, see Using AEM Document Services Programmatically.
Experience Manager
Espressos & Experience Manager: AEM Forms
Espressos & Experience Manager
Thursday, Mar 6, 7:00 PM UTC
Join Adobe's AEM product team as they highlight AEM Forms' latest innovations, including: the new Gen AI Assistant, Unified Composition with AEM Sites, and new ways to deploy forms through conversations.
RegisterAdobe Experience Manager Forms at Summit
Register for these sessions:
- The True Cost of a Failed Implementation (attend online)
- The Future of Forms: Experience Success Across the Enrollment Journey (attend online)
- Elevate and Empower Teams with Agentic AI for Exceptional Experiences (attend online)
- Rapid Feature Releases with AEM Cloud: Telegraph Media Group’s RDE Strategy (attend online)
- Put the Customer at the Center and Build Relationships That Last a Lifetime (attend online)
Connect with Experience League at Summit!
Get front-row access to top sessions, hands-on activities, and networking—wherever you are!
Learn more