Dynamic Configuration Signer
The Dynamic Configuration Signer is a special implementation of the Signer that can be used to sign and apply dynamic configuration for the Entrust SAM.
This implementation is compliant with the Entrust SAM version 1.0.3. For more information about the dynamic configuration, please refer to the official Entrust SAM documentation.
The implementation class that must be specified for the Signer is:
com.czertainly.signserver.module.entrustsam.signer.DynamicConfigSigner
The Dynamic Configuration Signer has the following modes of operation:
- sign only, in which case the signer will only sign the configuration using the Operation Privileged User private key and return the JWS
- sign and apply, in which case the signer will sign the configuration using the Operation Privileged User private key and apply the configuration to the Entrust SAM. The Signer will return the JWS of the current configuration.
The mode can be specified using the Request Metadata.
The Dynamic Configuration Signer is configured with the following properties:
Property | Description | Default Value | Mandatory |
---|---|---|---|
ENTRUST_SAM_SERVER | End point to access Entrust SAM administrative functions. The value of Entrust SAM Server should be specified if you would like to apply the dynamic configuration in the form https://[ip address or hostname]:[port]. | NONE | NO |
ENTRUST_TRUST_SELF_SIGNED | True if the self-signed certificate of the Entrust SAM server can be trusted. False otherwise. | false | NO |
ENTRUST_CONNECTION_POOL_SIZE | Number as the maximum size of the pooled connections with the Entrust SAM. This value can be fine-tuned to optimize the performance of the signing process. | 30 | NO |
OTHER_SIGNERS | Sets the reference to the Crypto Token containing the key that is used to authenticate to the Entrust SAM. Only one value should be specified for this attribute. In case it contains multiple comma separated references to Crypto Token, the first one is taken. | NONE | Must be present when ENTRUST_SAM_SERVER is specified. |
ENTRUST_CLIENT_AUTHENTICATION_KEY_ALIAS | Identification of the key, based on alias, that should be used to authenticate to the Entrust SAM interface. The key alias is taken from the OTHER_SIGNERS Crypto Token configuration. The specified key should authorize Operation Privileged User. | NONE | Must be present when ENTRUST_SAM_SERVER is specified. |
See the Dynamic Configuration Signer sample configuration.
Request Metadata
Request metadata can be used to control the behavior of the Signer. By default, the Dynamic Configuration Signer is in the sign only mode. If you would like to apply the configuration on the Entrust SAM once it is successfully signed, you can set the sign and apply mode using the following request metadata:
ENTRUST_SAM_SYNC=true
Sign and apply mode requires ENTRUST_SAM_SERVER
to be specified.