Configuring HSM support using Sun JDK on Windows 64-bit platform

Issue

The Sun PKCS#11 provider is not supported on the Windows 64-bit platform. As a result, HSM functionality is not supported for LiveCycle ES running on Windows 64 using the Sun JDK.

Solution

To provide HSM functionality for LiveCycle ES running on Windows 64, create a Signature SPI component that is able to access an HSM credential. This component creates a LiveCycle ES service that implements the Signatures SPI model. The Signature service delegates the signing to the SPI component, which in turn delegates the call to a secure HSM web service.

To enable LiveCycle ES running on the Windows 64-bit platform to sign or certify a PDF document using an HSM credential, perform the following steps:

  1. Install and deploy LiveCycle ES on the Windows 64-bit platform.
  2. Deploy the HSM SPI service adobe-remoteHSMSPI-dsc.jar. This jar file is available in the [LiveCycleInstallRoot]\LiveCycle_ES_SDK\misc\Signatures folder.
  3. Create a folder (for example, RemoteHSMWebservice) on the same computer or a different computer (a Windows 32 computer).
  4. Copy the following jars to the RemoteHSMWebservice folder: bcmail-jdk15-135.jar, bcprov-jdk15-135.jar, jsafeFIPS.jar, and RemoteHSMWS.jar.
  5. Create an SSL certificate and a Java keystore in the RemoteHSMWebservice folder. Use HTTPS for communication between LiveCycle ES and the Remote HSM web service so that the HSM PIN value is protected in transit.
  6. Set JAVA_HOME to reference the 32-bit Sun JDK 1.6.
  7. Run the RemoteHSMWS.jar as a standalone application by using the following command:

    java -jar RemoteHSMWS.jar -b https://<name of computer that runs HSM webservice>:<port>/hsmws -k <path to java keystore> -p <keystore password> -n 10

  8. Install the HSM client on the computer that runs the Remote HSM web service.
  9. Run the Signature service using the following code to sign or certify a document:

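    // Properties that are passed to the Remote HSM SPI component
    HashMap prop = new HashMap();
    // Alias of the HSM profile in the LiveCycle ES Truststore
    prop.put("hsmAlias", "<alias of HSM profile>");
    // WSDL location of the Remote HSM web service started in step 7
    prop.put("hsmWSEndPt", "https://<machinename>:<port>/hsmws?wsdl");
    // Certificate (java.security.cert.Certificate) that is provided in the HSM profile
    Certificate cert = <certificate from the HSM profile>;
    // Credential that is bound to the Remote HSM SPI service
    Credential spiCred = Credential.getInstance(cert.getEncoded(), "RemoteHSMSPIService");
    spiCred.setSPIProperties(prop);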
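
A pre-flight check for steps 5 and 9, added here as an example and not part of the original Adobe article or the LiveCycle ES SDK: it confirms that the hsmWSEndPt URL is served over HTTPS with a certificate you trust before any HSM PIN is sent to it. The class name HsmEndpointCheck and the truststore file (a JKS holding only the certificate exported from the step 5 keystore) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example (not Adobe code). Usage:
//   java HsmEndpointCheck https://<machinename>:<port>/hsmws?wsdl <truststore.jks> <password>
public class HsmEndpointCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) throw new IllegalArgumentException("usage: <url> <jks> <password>");
        URL wsdl = new URL(args[0]);
        // Refuse plain HTTP: the HSM PIN must never travel to this endpoint unencrypted.
        if (!"https".equalsIgnoreCase(wsdl.getProtocol())) {
            throw new IllegalArgumentException("hsmWSEndPt must be an https URL: " + wsdl);
        }
        // Trust only what is in the supplied truststore (assumed to hold just the
        // certificate exported from the keystore created in step 5).
        KeyStore trust = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(args[1]);
        try { trust.load(in, args[2].toCharArray()); } finally { in.close(); }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) wsdl.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setConnectTimeout(10000);
        conn.setReadTimeout(10000);
        try {
            // The handshake runs here; an untrusted certificate or a host name that
            // does not match the certificate makes this call throw.
            int status = conn.getResponseCode();
            X509Certificate peer = (X509Certificate) conn.getServerCertificates()[0];
            byte[] sha256 = MessageDigest.getInstance("SHA-256").digest(peer.getEncoded());
            StringBuilder fp = new StringBuilder();
            for (byte b : sha256) fp.append(String.format("%02X", b));
            System.out.println("Subject:     " + peer.getSubjectX500Principal().getName());
            System.out.println("SHA-256:     " + fp);
            System.out.println("WSDL status: " + status);
            if (status != 200) throw new IllegalStateException("unexpected HTTP status " + status);
        } finally { conn.disconnect(); }
    }
}
```

Compare the printed SHA-256 fingerprint with the one that keytool reports for the certificate in the step 5 keystore.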

Additional information

For information about signing a document using a SPI component, see the "Testing the signature handler" section in Programming with LiveCycle ES.

 
