Introduction
Signing administration allows AvantGard Trax to determine who is allowed to authorize payments, based on a number of criteria. Signing can be configured in the GUI so that the correct signing method, hardware and ciphers are used.
Do note that the device drivers for the supported hardware must be installed on the client machines and will not be distributed by SunGard for legal reasons.
Multiple tokens can be used by a single user, with possibly multiple certificates on each device. Vice versa, the same certificate can be assigned to multiple users, allowing them to physically share the same token.
The components below are supplied by default and should not be modified. If so desired, new methods and types can be created, but this can require coding.
What is a Signing Method?
A signing method combines the following four characteristics into a single easy-to-use set:
Approval type: Which type of authentication is required? None, PIN, token?
Key storage: Which token type is used?
Hash algorithm: How is the hash value calculated to represent the data?
Signing algorithm: How to create and verify a signature.
Figure 111 Signing Method
The active flag is turned off for legacy signing methods, but can be activated if so desired within projects. Do note that while this flag is deactivated, neither the signing method itself nor any of the token administration functions can be used. Unless the method requires no token, a signing method must have approval type, key storage, hash algorithm and signing algorithm filled out.
Which kinds of Approval Types are Supported?
An approval type is the means of authentication used for signing. The following approval types are supported by default:
No authentication
Authentication (the user must provide a password: the internal database password, or an LDAP or RADIUS password)
Challenge/Response (Strong authentication) via a token (User needs to provide token PIN) or key store file (User needs to provide key store file PIN)
Digital signature of specific fields via a token (User needs to provide token PIN) or key store file (User needs to provide key store file PIN)
Digital signature of the entire content via a token (User needs to provide token PIN) or key store file (User needs to provide key store file PIN)
Figure 112 Approval type
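As an added example (not AvantGard Trax code), the following Python sketch models the active-flag and completeness rules for a signing method described above and shows why the choice between signing specific fields and signing the entire content matters: with the assumed field set, a change to a field outside that set is not detected. The identifier strings, the signed field set and the sample payment are all assumptions.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional
# Approval types from the page; the identifier strings themselves are assumptions.
APPROVAL_NONE, APPROVAL_PASSWORD = "none", "authentication"
APPROVAL_SIGN_FIELDS, APPROVAL_SIGN_CONTENT = "sign_specific_fields", "sign_entire_content"
NO_TOKEN_REQUIRED = {APPROVAL_NONE, APPROVAL_PASSWORD}
# Fields covered by a "specific fields" signature (assumed set, for illustration only).
SIGNED_FIELDS = ("amount", "currency", "beneficiary_account")

@dataclass
class SigningMethod:
    active: bool
    approval_type: Optional[str] = None
    key_storage: Optional[str] = None        # e.g. "PKCS12", "MS-CAPI", "PKCS8-DB"
    hash_algorithm: Optional[str] = None     # a hashlib name such as "sha256"
    signing_algorithm: Optional[str] = None  # "RSA" is the default on this page

def validate(method: SigningMethod) -> list:
    """Problems that stop the method being used (inactive blocks signing and token admin)."""
    problems = []
    if not method.active:
        problems.append("inactive: signing and token administration disabled")
    if method.approval_type not in NO_TOKEN_REQUIRED:
        for attr in ("approval_type", "key_storage", "hash_algorithm", "signing_algorithm"):
            if getattr(method, attr) is None:
                problems.append(f"missing {attr}")
    return problems

def digest_to_sign(payment: dict, method: SigningMethod) -> str:
    """Hex digest the signing algorithm would sign for this approval type."""
    if method.approval_type == APPROVAL_SIGN_FIELDS:
        data = json.dumps({k: payment[k] for k in SIGNED_FIELDS}, sort_keys=True)
    elif method.approval_type == APPROVAL_SIGN_CONTENT:
        data = json.dumps(payment, sort_keys=True)
    else:
        raise ValueError("this approval type does not produce a digital signature")
    return hashlib.new(method.hash_algorithm, data.encode()).hexdigest()

# Constructed sample payment (not real data).
PAYMENT = {"amount": "1500.00", "currency": "EUR",
           "beneficiary_account": "DE00 0000 0000 0000 0000 00", "remark": "invoice 42"}

def remark_change_detected(approval_type: str) -> bool:
    """True when editing the unsigned 'remark' field after signing changes the digest."""
    method = SigningMethod(True, approval_type, "PKCS12", "sha256", "RSA")
    tampered = dict(PAYMENT, remark="pay someone else")
    return digest_to_sign(PAYMENT, method) != digest_to_sign(tampered, method)
```

Only fields inside the signed set are protected by a "specific fields" signature, so the set must cover everything that determines where the money goes.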
Which Tokens are Supported? (Key Storage)
The following tokens are supported:
SafeNet eToken PRO (72k Java)
SWIFT 3SKey token
Gemalto USB eSeal Token v3
Figure 113 Token
The following key storages are supported:
The private key stored in the database – PKCS8 key store (only for EBICS communications)
The private key (and its corresponding certificate) stored in the Windows registry of the local PC. AvantGard Trax accesses this private key using the Microsoft Cryptography API (MS-CAPI).
The private key (and its corresponding certificate) stored in a PKCS12/PFX key store file on disk of the local PC.
Which Signing Algorithm is Supported?
By default, the RSA public key cryptography algorithm is supported. The signing algorithm is used to create and verify the signatures and to initialize the token.
Figure 114 Signing Algorithm