Installation Guide
This document describes the common procedure for installing the SecuSign SDK solution and the components needed to run the features and services it provides. It is intended primarily for technical staff who manage servers and services or implement the solution in the organization. The description of some sections, especially those involving Server Manager, may differ depending on the version of the operating system you are using.
Required software and prerequisites
- 64-bit operating system Microsoft Windows Server 2012 R2, Windows Server 2016 or Windows Server 2019.
- Web Server (IIS 8.0 or higher).
- ASP.NET 4.8 or higher.
- .NET Framework 4.8 or higher.
To achieve high throughput, it is recommended to provide sufficient operating memory and communication interface speed. These are specified in more detail in the analysis or contract annex.
For SecuSign SDK to function correctly, communication with the following addresses and ports must be allowed on the server (or on the firewall, proxy, etc.):
Environment | Domain name | IP address | Port | Protocol |
---|---|---|---|---|
PROD (QS) | awsc.secusign.cz | 13.73.167.130 | 443 | https |
PROD (HSM) | rsmint.secusign.cz | 194.228.175.135 | 443 | https |
TEST (QS) | awsctest.secusign.cz | 52.178.28.175 | 443 | https |
TEST (HSM) | rsminttest.secusign.cz | 194.228.175.137 | 443 | https |
If checks for remote server certificate revocation are enabled, the address of the intermediate certificate issuer’s distribution point (Thawte RSA CA 2018) and that of the root certificate issuer (DigiCert Global Root CA) must be allowed:
Domain name | IP address | Port | Protocol |
---|---|---|---|
cdp.thawte.com | 93.184.220.29 | 80 | http |
crl3.digicert.com | 93.184.220.29 | 80 | http |
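A way to confirm the firewall rules from the server itself, as an added PowerShell example (not part of the SecuSign documentation): it resolves each documented host, compares the result with the IP address listed above, and attempts a direct TCP connection. It assumes direct outbound access and does not test a path through a proxy.

```powershell
# Endpoints copied from the two tables above.
$endpoints = @(
    [pscustomobject]@{ Name = 'awsc.secusign.cz';       Ip = '13.73.167.130';   Port = 443 }
    [pscustomobject]@{ Name = 'rsmint.secusign.cz';     Ip = '194.228.175.135'; Port = 443 }
    [pscustomobject]@{ Name = 'awsctest.secusign.cz';   Ip = '52.178.28.175';   Port = 443 }
    [pscustomobject]@{ Name = 'rsminttest.secusign.cz'; Ip = '194.228.175.137'; Port = 443 }
    [pscustomobject]@{ Name = 'cdp.thawte.com';         Ip = '93.184.220.29';   Port = 80 }
    [pscustomobject]@{ Name = 'crl3.digicert.com';      Ip = '93.184.220.29';   Port = 80 }
)

$results = foreach ($e in $endpoints) {
    # Firewall rules written per IP address stop matching when DNS starts
    # returning a different address, so compare both.
    $resolved = @(Resolve-DnsName -Name $e.Name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress)

    $tcp = Test-NetConnection -ComputerName $e.Name -Port $e.Port -WarningAction SilentlyContinue

    [pscustomobject]@{
        Endpoint     = '{0}:{1}' -f $e.Name, $e.Port
        DocumentedIp = $e.Ip
        ResolvedIps  = $resolved -join ','
        IpMatchesDoc = $resolved -contains $e.Ip
        TcpReachable = $tcp.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code when any endpoint is blocked, for use in a deployment check.
if ($results | Where-Object { -not $_.TcpReachable }) { exit 1 }
```

A row with `TcpReachable` true but `IpMatchesDoc` false means the host currently resolves to an address other than the documented one, which matters when the firewall allow-list is written by IP address.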
Sufficient disk space. The SDK installation itself takes about 300 MB. However, if logging is enabled, additional disk space (up to tens of GB, depending on the number of requests) must be reserved.
Related requirements
Authentication license certificate, issued by Software602 a.s., to use purchased services.
Created and active user account at the 602 ID portal with an active license certificate to use the purchased services.
SDK Installation
Install SecuSign SDK by running the MSI installer provided. During the installation, you will select the folder to which the source files are copied.
The MSI installer is available on request from the sales / project manager.
Web services
To use web service integration, an IIS Web Server with ASP.NET and .NET Framework must be provided, and the application pool and web application set up appropriately, see chapters IIS Web Server installation and SecuSign web application installation.
.NET assembly
SecuSign SDK also offers integration of functions and operations on documents using the .NET interface.
.NET libraries (SecuSign_NET.dll and more) can be found in the main installation folder after installing the SecuSign SDK. The .NET method interface contains comments as XML documentation (SecuSign_NET.xml). Most of the .NET assembly methods have the same interface as the web service methods, described in the technical documentation for SecuSign SDK. Integration in other information systems or web applications is therefore easy.
IIS Web Server installation
- Run the Server Manager from the Start menu.
- Click Manage.
- Click Add Roles and Features.
- Click Next.
- Keep the selected type Role-based or feature-based installation and click Next.
- Select a server (Select a server from a server pool) and click Next.
- Check the option Web Server (IIS) and confirm by clicking Add Features.
- Click Next.
- Expand the option .NET Framework 4.8 Features and check .NET Framework 4.8 or higher (depending on the version of the operating system and how up to date it is).
- Click Next.
- Click Next again.
- Expand the option Application Development, check ASP.NET 4.8 or higher (depending on the version of the operating system and how up to date it is) and click the Add Features button to confirm adding follow-up features.
- Then go to the option Management Tools and check IIS Management Console.
- Continue by clicking Next.
- Run the installation of the selected features by clicking Install.
- When the installation is finished, click Close.
A server restart might be required.
SecuSign web application installation
- Install the SecuSign SDK package – the default installation location is C:\Program Files\Software602\SecuSign SDK.
- (Optional) Copy the WebService folder from the installation folder C:\Program Files\Software602\SecuSign SDK to your selected location on the server – the typical path to use is C:\inetpub\wwwroot\. Rename the WebService folder copy to SecuSign.
- Use the IIS administration to create a new application pool, SecuSign, or modify an existing pool. If you modify an existing pool, the new settings might impact the operation of existing applications in the pool, therefore we recommend creating a new pool instead.
  - Click Start – Control Panel – Windows Administrative Tools – Internet Information Services (IIS) Manager.
  - Click “+” to expand the current computer’s node.
  - Click Application Pools.
  - On the right, in the Actions column, click Add application pool.
  - Enter the name of the pool, SecuSign, go to the field .NET Framework Interface version and select .NET CLR version v4.x. Check that Managed pipeline mode is set to Integrated. Keep the option Start application pool immediately checked. Click OK.
  - After creating the application pool, right-click on it, select Advanced settings and change the items:
    - Identity - set your own user (must have access to the folder where the web service is running and where the license / authentication certificates are located).
    - Load user profile - set to True.
- There are two ways of adding a web service to IIS as an application. Select one of the methods. The user under which the service is running must have read permissions in the given location.
  - Adding a new SecuSign application in IIS.
    - Go to Connections and click “+” to expand Sites.
    - Right-click Default Web Site and select Add Application from the menu.
    - In the field Alias, give the application the name SecuSign.
    - On the right, next to Application Pool, click Select, select the value SecuSign (or other pool you have prepared) and click OK.
    - Go to Physical path and enter or browse to the path of the installation folder SecuSign SDK\WebService.
    - Click OK.
  - Let the application be created automatically (assumes the WebService folder was copied as described in step 2).
    - Go to Connections and click “+” to expand Sites\Default Web Site.
    - Right-click the WebService folder (or the renamed SecuSign folder).
    - Select Convert to Application.
- When it is added/created, left-click the new application, SecuSign, then go to the middle of the /SecuSign - Home window, double-click Default document and check that the default document is set to Default.asmx. If the document is missing from the list, you can add it using the right menu Actions – Add.
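The Server Manager steps from the chapter IIS Web Server installation and the IIS Manager steps above, scripted in PowerShell as an added example (not part of the SecuSign documentation). It assumes an elevated session, the default installation path, the first method (Add Application), and a service account that you enter at the prompt.

```powershell
#Requires -RunAsAdministrator
# Assumptions: default SDK path from this guide; pool and alias named SecuSign.
$poolName = 'SecuSign'
$site     = 'Default Web Site'
$appPath  = 'C:\Program Files\Software602\SecuSign SDK\WebService'

# Windows feature names keep the "45" suffix for every 4.x release.
# Web-Scripting-Tools is added here so the WebAdministration module is available.
Install-WindowsFeature -Name Web-Server, NET-Framework-45-Core, Web-Asp-Net45,
    Web-Mgmt-Console, Web-Scripting-Tools

Import-Module WebAdministration

# Dedicated pool, so these settings cannot affect other applications.
$poolPath = "IIS:\AppPools\$poolName"
if (-not (Test-Path $poolPath)) { New-WebAppPool -Name $poolName | Out-Null }
Set-ItemProperty $poolPath -Name managedRuntimeVersion -Value 'v4.0'
Set-ItemProperty $poolPath -Name managedPipelineMode   -Value 'Integrated'

# Identity = your own user, Load user profile = True.
$cred = Get-Credential -Message 'Account the SecuSign application pool runs as'
Set-ItemProperty $poolPath -Name processModel -Value @{
    identityType = 3   # SpecificUser
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}
Set-ItemProperty $poolPath -Name processModel.loadUserProfile -Value $true

# Application /SecuSign bound to the pool and the WebService folder.
if (-not (Get-WebApplication -Site $site -Name $poolName)) {
    New-WebApplication -Site $site -Name $poolName -PhysicalPath $appPath `
        -ApplicationPool $poolName | Out-Null
}

# Make sure Default.asmx is in the default document list.
$psPath = "IIS:\Sites\$site\$poolName"
$filter = "system.webServer/defaultDocument/files/add[@value='Default.asmx']"
if (-not (Get-WebConfiguration -PSPath $psPath -Filter $filter)) {
    Add-WebConfiguration -PSPath $psPath -Filter 'system.webServer/defaultDocument/files' `
        -AtIndex 0 -Value @{ value = 'Default.asmx' }
}
```

The account entered at the prompt still needs read access to the web service folder and to the license and authentication certificates, as required in the Identity step.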
Installing a license certificate
In order to run the SecuSign web service properly, access to the license certificate is needed.
- Download and open the provided PDF file with license certificate. Click the link “DOWNLOAD ELECTRONIC LICENSE CERTIFICATE” and you will be offered a file in P12 format (license certificate) for download. Save this file in a location available to the SecuSign web service for reading.
- Enter the path to the license certificate and the password in the Web.config configuration file, located in the web service folder (WebService), as the values of LicCertPath and LicCertPass.
- As of version 2.1.7233.1011, it is possible to set the license using the configuration page /config.aspx (described in chapter Configuration, which is only available in Czech).
- If you are using .NET libraries of the SecuSign SDK, the path to the license file and the password should be set as values of the LicCertPath and LicCertPass keys in the Assembly.config configuration file. The keys must be created in section <appSettings>.
Testing the license certificate functionality
- Open a web browser and enter the address of “[your server]/[web service name]”.
- Select the method GetVersionInfo.
- Click Invoke.
- Check the output to see whether the certificate is installed correctly. The correct output is information with the product name, version and maximum request size.
Setting the electronic seal certificate
To configure the certificate for the (qualified) electronic seal to sign files using the Seal or SealEx method, open the web service folder and edit the Web.config file.
Find the <appSettings> element and enter the values for the keys SigningCertPath (path to the .p12/.pfx file) and SigningCertPass (password for the certificate’s private key):
<add key="SigningCertPath" value="soubor.pfx" />
<add key="SigningCertPass" value="heslo" />
A certificate from a hardware resource (HSM) that is located locally (access via PKCS11 interface) or remotely (access via web services) can also be used for a qualified seal. See the SecuSign SDK technical manual for more information.
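Because LicCertPass and SigningCertPass sit in Web.config in clear text next to the paths of the P12/PFX files, file permissions are the only thing protecting those keys. The following added PowerShell example (not part of the SecuSign documentation) reports broad groups that can read Web.config or the certificate files it references; the default Web.config location and the handling of relative paths are assumptions.

```powershell
# Assumed location: the SecuSign copy under C:\inetpub\wwwroot\ described in this guide.
param([string]$WebConfig = 'C:\inetpub\wwwroot\SecuSign\Web.config')

# Well-known SIDs (locale independent) that reach far beyond the pool identity.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-568' = 'IIS_IUSRS (every application pool on this server)'
}
$sidType = [System.Security.Principal.SecurityIdentifier]
$read    = [System.Security.AccessControl.FileSystemRights]::ReadData

function Get-BroadReaders([string]$Path) {
    # Explicit and inherited Allow entries that grant read to a broad group.
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band $read) -and
                       $broad.ContainsKey($_.IdentityReference.Value) } |
        ForEach-Object { $broad[$_.IdentityReference.Value] }
}

# Web.config holds the passwords, so it is audited as well as the certificates.
$targets  = @($WebConfig)
$settings = ([xml](Get-Content -LiteralPath $WebConfig -Raw)).configuration.appSettings.add
foreach ($key in 'LicCertPath', 'SigningCertPath') {
    $value = ($settings | Where-Object { $_.key -eq $key }).value
    if (-not $value) { continue }
    # Assumption: a relative path is relative to the web service folder.
    if (-not [System.IO.Path]::IsPathRooted($value)) {
        $value = Join-Path (Split-Path -Parent $WebConfig) $value
    }
    if (Test-Path -LiteralPath $value) { $targets += $value }
    else { Write-Warning "$key points to a missing file: $value" }
}

$findings = foreach ($t in $targets) {
    foreach ($who in (Get-BroadReaders $t | Sort-Object -Unique)) {
        [pscustomobject]@{ File = $t; ReadableBy = $who }
    }
}
if ($findings) { $findings | Format-Table -AutoSize; exit 1 }
'No broad read access found on Web.config or the certificate files.'
```

Any finding is resolved by granting read access only to the account set as the application pool Identity and removing the inherited entry for the broad group.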
Configuration of logging and other parameters
You can use the web service configuration file, Web.config, to set detailed logging of all requests and other parameters of SecuSign SDK. Available parameters are listed and commented in the <appSettings> element.
All configuration settings of SecuSign SDK are described in chapter Configuration (only available in Czech).