Configuring HSM support using Sun JDK on Windows 64-bit platform

Issue

The Sun PKCS#11 provider is not supported on the Windows 64-bit platform. As a result, HSM functionality is not supported for LiveCycle ES running on Windows 64 using the Sun JDK.

Solution

To provide HSM functionality for LiveCycle ES running on Windows 64, create a Signature SPI component that is able to access an HSM credential. This component creates a LiveCycle ES service that implements the Signatures SPI model. The Signature service delegates the signing to the SPI component which in turn delegates the call to a secure HSM web service.  

To enable LiveCycle ES running on the Windows 64-bit platform to sign or certify a PDF document using an HSM credential, perform the following steps:

  1. Install and deploy LiveCycle ES on the Windows 64-bit platform.
  2. Deploy the HSM SPI service adobe-remoteHSMSPI-dsc.jar. This jar file is available in the [LiveCycleInstallRoot]\LiveCycle_ES_SDK\misc\Signatures folder.
  3. Create a folder (for example, RemoteHSMWebservice) on the same computer or a different computer (a Windows 32 computer).
  4. Copy the following jars to the RemoteHSMWebservice folder:  bcmail-jdk15-135.jar, bcprov-jdk15-135.jar, jsafeFIPS.jar, and RemoteHSMWS.jar.
  5. Create an SSL certificate and a Java keystore under RemoteHSMWebservice. Use HTTPS for communication between LiveCycle ES and the Remote HSM web service so that the HSM PIN value is protected in transit.
  6. Set JAVA_HOME to reference the 32-bit Sun JDK 1.6.
  7. Run the RemoteHSMWS.jar as a standalone application by using the following command:

    java -jar RemoteHSMWS.jar -b https://<name of computer that runs HSM webservice>:<port>/hsmws -k <path to java keystore> -p <keystore password> -n 10
  8. Install the HSM client on the computer that runs the Remote HSM web service.
  9. Run the Signature service using the following code to sign or certify a document:

    HashMap prop = new HashMap();
    // Alias of the HSM profile in the LiveCycle ES Truststore
    prop.put("hsmAlias", "<alias of HSM profile>");
    // WSDL location of the web service started in step 7
    prop.put("hsmWSEndPt", "https://<machinename>:<port>/hsmws?wsdl");
    // Certificate that is provided in the HSM profile
    Cert cert = <certificate from the HSM profile>;
    // Credential that delegates signing to the RemoteHSMSPIService component
    Credential spiCred = Credential.getInstance(cert.getEncoded(), "RemoteHSMSPIService");
    spiCred.setSPIProperties(prop);
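
A pre-flight check for the hsmWSEndPt value used in step 9, as an added example that is not Adobe's code: it refuses a non-HTTPS endpoint and completes a TLS handshake that trusts only the certificates in a given truststore before returning the properties map. The class name HsmEndpointCheck, the method buildSpiProperties, and a separate JKS truststore holding the certificate exported from the step 5 keystore are assumptions; the code avoids Java 7 syntax so that it compiles on JDK 1.6.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.util.HashMap;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example, not Adobe code. Class and method names are hypothetical.
public class HsmEndpointCheck {
    // Returns the SPI properties only if wsdlUrl is HTTPS and its certificate
    // chains to the JKS truststore (assumed to hold the step 5 certificate).
    static HashMap<String, String> buildSpiProperties(String alias, String wsdlUrl,
            String trustStorePath, char[] trustStorePass) throws Exception {
        URL url = new URL(wsdlUrl);
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException("hsmWSEndPt must use HTTPS: " + wsdlUrl);
        }
        KeyStore ts = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(trustStorePath);
        try { ts.load(in, trustStorePass); } finally { in.close(); }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        try {
            conn.connect(); // fails on an untrusted certificate or host name mismatch
        } finally {
            conn.disconnect();
        }
        HashMap<String, String> prop = new HashMap<String, String>();
        prop.put("hsmAlias", alias);
        prop.put("hsmWSEndPt", wsdlUrl);
        return prop;
    }

    public static void main(String[] args) throws Exception {
        // args: <hsm alias> <wsdl url> <truststore path>; needs an interactive console
        char[] pass = System.console().readPassword("Truststore password: ");
        System.out.println(buildSpiProperties(args[0], args[1], args[2], pass));
    }
}
```

The truststore password is read from the console rather than passed as an argument so that it does not appear in the process list or shell history.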

Additional information

For information about signing a document using a SPI component, see the "Testing the signature handler" section in Programming with LiveCycle ES.
