Issue
The Sun PKCS#11 provider is not supported on the Windows 64-bit platform. As a result, HSM functionality is not supported for LiveCycle ES running on Windows 64 using the Sun JDK.
Solution
To provide HSM functionality for LiveCycle ES running on Windows 64, create a Signature SPI component that is able to access an HSM credential. This component creates a LiveCycle ES service that implements the Signatures SPI model. The Signature service delegates the signing to the SPI component, which in turn delegates the call to a secure HSM web service.
To enable LiveCycle ES running on the Windows 64-bit platform to sign or certify a PDF document using an HSM credential, perform the following steps:
- Install and deploy LiveCycle ES on the Windows 64-bit platform.
- Deploy the HSM SPI service adobe-remoteHSMSPI-dsc.jar. This jar file is available in the [LiveCycleInstallRoot]\LiveCycle_ES_SDK\misc\Signatures folder.
- Create a folder (for example, RemoteHSMWebservice) on the same computer or a different computer (a Windows 32 computer).
- Copy the following jars to the RemoteHSMWebservice folder: bcmail-jdk15-135.jar, bcprov-jdk15-135.jar, jsafeFIPS.jar, and RemoteHSMWS.jar.
- Create an SSL certificate and a Java keystore under RemoteHSMWebservice. Enable communication between LiveCycle ES and the RemoteHSMwebservice by using HTTPS to secure the HSM PIN value.
- Set JAVA_HOME to reference the 32-bit Sun JDK 1.6.
- Run the RemoteHSMWS.jar as a standalone application by using the following command:
    java -jar RemoteHSMWS.jar -b https://<name of computer that runs HSM webservice>:<port>/hsmws -k <path to java keystore> -p <keystore password> -n 10
- Install the HSM client on the computer that runs the Remote HSM web service.
- Run the Signature service using the following code to sign or certify a document:
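    // Properties that the Signature service passes to the remote HSM SPI component
    HashMap prop = new HashMap();
    // Alias of the HSM profile in the LiveCycle ES Truststore
    prop.put("hsmAlias", "<alias of HSM profile in the LiveCycle ES Truststore>");
    // WSDL location of the web service started above
    prop.put("hsmWSEndPt", "https://<machinename>:<port>/hsmws?wsdl");
    // Supply the certificate that is provided in the HSM profile
    Cert cert = <certificate provided in the HSM profile>;
    // Bind the certificate to the SPI service and attach the properties
    Credential spiCred = Credential.getInstance(cert.getEncoded(), "RemoteHSMSPIService");
    spiCred.setSPIProperties(prop);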
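The HTTPS channel is what protects the HSM PIN value, so the value of hsmWSEndPt can be checked before it is placed in the SPI properties. The following is an added example, not Adobe's code: the class name, method names and sample host are hypothetical, and the live probe assumes the JVM that runs it uses the same trust store as the LiveCycle ES JVM.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;

// Added example: HsmEndpointCheck is a hypothetical helper, not part of the LiveCycle ES API.
public class HsmEndpointCheck {

    // Returns the endpoint if it is acceptable as the hsmWSEndPt value; throws otherwise.
    static String requireHttpsWsdl(String endpoint) {
        URI uri = URI.create(endpoint.trim());
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("hsmWSEndPt must use https: " + endpoint);
        }
        if (uri.getHost() == null) {
            throw new IllegalArgumentException("hsmWSEndPt has no usable host name: " + endpoint);
        }
        if (uri.getUserInfo() != null) {
            throw new IllegalArgumentException("hsmWSEndPt must not embed credentials");
        }
        if (!"wsdl".equalsIgnoreCase(uri.getQuery())) {
            throw new IllegalArgumentException("hsmWSEndPt must end with ?wsdl: " + endpoint);
        }
        return uri.toString();
    }

    // Opens a TLS connection using the JVM's default trust store and hostname verifier.
    // An untrusted certificate or a host name mismatch surfaces as an IOException.
    static String probeTls(String endpoint) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(endpoint).openConnection();
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        try {
            conn.connect();
            X509Certificate leaf = (X509Certificate) conn.getServerCertificates()[0];
            return conn.getCipherSuite() + " / " + leaf.getSubjectX500Principal().getName();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample value; pass the real endpoint as the first argument to probe it.
        String sample = "https://hsm-ws.example.internal:8443/hsmws?wsdl";
        System.out.println("accepted: " + requireHttpsWsdl(sample));
        if (args.length > 0) {
            System.out.println("TLS ok: " + probeTls(requireHttpsWsdl(args[0])));
        }
    }
}
```

Run without arguments it only validates the constructed sample; an endpoint that starts with http:// is rejected before any connection is attempted.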
Additional information
For information about signing a document using an SPI component, see the "Testing the signature handler" section in Programming with LiveCycle ES.