Digital Signing guidelines - NatWest
Digital Signing guidelines - NatWest
Digital Signing guidelines - NatWest
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Bankline Direct<br />
<strong>Digital</strong> Signature Guidelines
Important Notice<br />
Nothing contained in this document or any other communication made between <strong>NatWest</strong> or its representatives<br />
and any party shall constitute an agreement, contract or representation between <strong>NatWest</strong> and any other party.<br />
Receipt by the recipient of this document does not imply the existence of a contract or commitment by or with<br />
<strong>NatWest</strong> for any purpose.<br />
This document has been produced during the development phase of the <strong>NatWest</strong> Bankline Direct solution. Every<br />
effort has been made to ensure that the contents of this document are correct and accurately reflect the way the<br />
product will operate. However, the functionality of the proposed service is not yet fully implemented and tested<br />
and therefore the information given here may be subject to change. Furthermore it may not be technically possible<br />
to implement some functionality described herein or it may not be available at the initial release of the product.<br />
The information contained in this document is subject to constant updating and amendment in the future and is<br />
necessarily selective. It does not purport to contain all of the information which the recipient may require. While<br />
<strong>NatWest</strong> has taken all reasonable steps to ensure, as at the date of this document, that the facts which are<br />
contained in this document are materially correct and accurate, <strong>NatWest</strong> does not make any representation or<br />
warranty as to the accuracy or completeness or otherwise of this document, or the reasonableness of any<br />
assumptions on which this document may be based. All information supplied by <strong>NatWest</strong>, including that contained<br />
in this document, is subject to any final agreement reached between <strong>NatWest</strong> and the recipient. <strong>NatWest</strong> accepts<br />
no liability to recipients whatsoever and however arising and whether resulting from the use of this document, or<br />
any omissions from or deficiencies in this document.<br />
The details contained in this document may be subject to change until such time as a final version is published.<br />
Customers should therefore seek further guidance from <strong>NatWest</strong> prior to making any decision on the basis of this<br />
current version of the document.<br />
Copyright<br />
The contents of this document are copyright of <strong>NatWest</strong>. Unless otherwise indicated you may not use, sell,<br />
licence, copy or reproduce in whole or in part any such content without the prior written consent of <strong>NatWest</strong>.<br />
Commercial Confidentiality<br />
This document is provided for customers of <strong>NatWest</strong> use only, under the terms of a non-disclosure agreement.<br />
The recipient of any copies of this document is bound by the terms of the non-disclosure agreement.<br />
Contact<br />
For further details, please contact your <strong>NatWest</strong> Relationship Manager.<br />
2
Terminology Used<br />
For ease of reference and reading of this document, the following terms are used to indicate the meaning<br />
described. A full glossary, describing all other terms used can be found at the end of this document.<br />
Bankline Direct<br />
Is the term used to refer to <strong>NatWest</strong>s’ various interfaces, network connections, systems and operational activities<br />
that collectively provide the functionality described in this document.<br />
Outbound/Outward/Sending<br />
This refers to the direction of a payment from a customer via the <strong>NatWest</strong> Bankline Direct service and onto the<br />
receiving member.<br />
Document History<br />
Version Date Notes<br />
0.1 05 August 2010 Converted from Bankline Exchange version<br />
0.2 28 August 2010 Cosmetic Changes<br />
0.3 30 March 2011 Converted to new template<br />
0.4 20 April 2011 Included Bankline Direct Transmissions and other introductory sections<br />
0.41 20 April 2011 Minor cosmetic changes<br />
0.42 21 April 2011 Improvements arising from feedback on Smartcard section<br />
0.43 05 May 2011 Included high level description/introduction to S/MIME<br />
3
Contents<br />
1. Introduction 5<br />
1.1 Introduction to Bankline Direct 5<br />
1.2 Purpose of Technical Specifications 5<br />
1.3 Purpose of <strong>Digital</strong> Signature Guidelines 6<br />
1.4 Use of <strong>Digital</strong> Signature Guidelines 6<br />
2. Overview of <strong>Digital</strong> <strong>Signing</strong> Solutions 7<br />
3. S/MIME <strong>Digital</strong> Signatures 8<br />
3.1 MIME 8<br />
3.2 S/MIME <strong>Digital</strong> Signatures 8<br />
4. Use of File <strong>Signing</strong> 13<br />
4.1 Typical Use of an HSM 13<br />
4.2 Typical Use of Smartcards 13<br />
5. Bankline Direct Transmissions 14<br />
5.1 Setup 14<br />
5.2 Integration 14<br />
5.3 Signature Validation 15<br />
5.4 Signed File Example 16<br />
6. Smartcard File <strong>Signing</strong> 17<br />
6.1 Smartcard <strong>Signing</strong> Overview 17<br />
6.2 Setup Instructions 19<br />
6.3 “PostURL” page 20<br />
6.4 S/MIME Output File 21<br />
6.5 Troubleshooting Tips 22<br />
7. Hardware Security Module 23<br />
7.1 HSM Requirements 23<br />
7.2 HSM Setup 23<br />
7.3 Integration 23<br />
4
Introduction<br />
1.1 Introduction to Bankline Direct<br />
Bankline Direct provides a transactional gateway between <strong>NatWest</strong> and those customers who require the facility<br />
to make payments and receive account information reports. The service supports a varied array of industry and<br />
<strong>NatWest</strong> formats to enable simple integration into customers’ own systems.<br />
The Bankline Direct service is scalable and flexible to meet the need of customers who wish to make single<br />
payments transactions or multi-payment files. An extensive number of different account information reports and<br />
payment advice notices are available, along with reconciliation and activity reporting. All reports are published<br />
at a frequency that suits the needs of the customer.<br />
All data exchanged between the customer and the Bankline Direct service is secure, adhering to industry<br />
security standards.<br />
1.2 Purpose of Technical Specifications<br />
The purpose of this document is to provide <strong>NatWest</strong> customers with the required technical specifications to build<br />
and use the relevant connectivity channels to communicate with the Bankline Direct service.<br />
The following are the different types of Bankline Direct technical specification documents available<br />
<br />
<br />
<br />
<br />
<br />
Channel Build Guidelines<br />
Technical specifications and setup instructions for the connectivity channel between <strong>NatWest</strong> and<br />
its customer<br />
<strong>Digital</strong> Signature Guidelines<br />
Technical specifications outlining the structure and format of digital signatures applied to files sent<br />
by Bankline Direct and also the requirements for signing payment files to the service<br />
Outward Payment Files and Messages<br />
Technical specifications for the content and format of payment instructions; either for individual<br />
payment messages or files containing multiple payment messages<br />
Acknowledgements<br />
Technical specifications for the content and format of acknowledgements sent to the customer from<br />
the Bankline Direct service<br />
Reports<br />
Technical specifications for the content and format of reports and statements sent to the customer<br />
from the Bankline Direct service<br />
5
1.3 Purpose of <strong>Digital</strong> Signature Guidelines<br />
The purpose of this document is to provide Bankline Direct customers with the instructions on how to apply a<br />
digital signature to payment files.<br />
This document describes how to sign files using Smartcards utilising eSigner application, which is supplied on<br />
CD along with the Smartcards.<br />
This document also outlines the use of Hardware Security Module (HSM) solution for file signing.<br />
1.4 Use of <strong>Digital</strong> Signature Guidelines<br />
This document should be used alongside the Bankline Direct Channel Build Guidelines (Ref: BD-31.01) which<br />
describe the overall setup of the communication channels including delivering file signing.<br />
You should also read the eSigner Integration Guide before reading this document.<br />
6
2. Overview of <strong>Digital</strong> <strong>Signing</strong> Solutions<br />
All communications between the customer and the Bankline Direct service in either direction must be secure.<br />
All transmissions generated by the service will be digitally signed; likewise any payment messages or files sent<br />
to the Bankline Direct service must be signed with a digital certificate.<br />
Section 5 details the security configuration applied to reports and acknowledgements generated by the Bankline<br />
Direct service.<br />
Customer utilising the payment submission service must send messages and files complying with the prescribed<br />
<strong>NatWest</strong> security and industry standards. There are two options for applying a digital signature to payment<br />
transmissions, Smartcards and Hardware Security Module (HSM), please refer to sections 6 and 7 respectively.<br />
An HSM solution offers an unattended solution for straight through processing and may be attractive to customers<br />
who process large volumes of payments. An HSM solution reduces the administrative overhead and associated<br />
staffing needs but is a more expensive option. It is the customer’s responsibility to procure and install an<br />
HSM module.<br />
A Smartcard solution is a secure, but manual process requiring intervention from staff members, by entering a<br />
PIN number using a card reader and individual card credentials. This Smartcard option is considerably cheaper.<br />
Bankline Direct transmissions are digitally signed using an HSM.<br />
<strong>Digital</strong>ly signed communications that travel in both directions adhere to the S/MIME standard.<br />
Section 3 provides a high level description of S/MIME.<br />
7
3. S/MIME <strong>Digital</strong> Signatures<br />
S/MIME is the standard used to sign files that are sent to the customer. All payment files must also be signed using<br />
S/MIME. <strong>Signing</strong> of all payment files must adhere to the S/MIME standard regardless of whether Smartcards or<br />
HSMs are used to provide the signature. As S/MIME is a complex standard this section is included as a ‘primer’ for<br />
customers who have no familiarity or experience with S/MIME.<br />
It is not meant to cover all areas of the (S)MIME standard. It is meant only to give a high-level overview of how<br />
S/MIME files are constructed, for use with Bankline Direct.<br />
3.1 MIME<br />
Bankline Direct requires that digitally signed files are submitted using the S/MIME format. S/MIME is an extension<br />
of the MIME standard and is used to describe how to deliver signed and encrypted files.<br />
Simply, MIME is formed of the following entities:<br />
<br />
<br />
<br />
MIME Header – description of the MIME file contents<br />
MIME Boundary – text delimiter to separate entities<br />
MIME Part – a MIME file can have one or more MIME parts, each separated by a MIME boundary.<br />
Each part will have headers describing the MIME part content<br />
MIME Header<br />
MIME Boundary<br />
Describes the MIME file<br />
Text delimiter<br />
MIME Part N MIME Part 1<br />
MIME Boundary<br />
Text delimiter<br />
MIME Part N+1 MIME Part 2<br />
MIME Boundary<br />
Text delimiter<br />
MIME Part N+2 MIME Part 3<br />
MIME Boundary<br />
Text delimiter<br />
For files with only one MIME Part, the boundary is not necessary:<br />
MIME Header<br />
Describes the MIME file<br />
MIME Part MIME Part 1<br />
3.2 S/MIME <strong>Digital</strong> Signatures<br />
<strong>Digital</strong>ly signed files can be submitted to Bankline Direct with detached or embedded (opaque) signatures.<br />
Bankline only creates files with detached signatures.<br />
8
Detached Signatures<br />
A detached signature is where the signature is a separate structure to the signed data.<br />
MIME Header<br />
MIME Boundary<br />
MIME Part 1<br />
Signed Data<br />
MIME Boundary<br />
MIME Part 2<br />
The digital signature (CMS format)<br />
MIME Boundary<br />
This can be represented as follows:<br />
MIME Header<br />
MIME-Version: 1.0{CRLF}<br />
Content-Type: multipart/signed;<br />
{optional CRLF}{SPACE}protocol=”application/x-pkcs7-signature”;<br />
{optional CRLF}{SPACE}micalg=sha1;<br />
{optional CRLF}{SPACE}boundary=”{boundary text}”{CRLF}<br />
{CRLF}<br />
{optional message with CRLF}<br />
MIME Boundary<br />
--{boundary text}{CRLF}<br />
MIME Part 1<br />
Content-Type: {content type/content sub-type}{CRLF}<br />
{CRLF}<br />
{raw data}{CRLF}<br />
MIME Boundary<br />
--{boundary text}{CRLF}<br />
MIME Part 2<br />
Content-Type:application/x-pkcs7-signature; {optional<br />
CRLF}{SPACE}name=”smime.p7s”{CRLF}<br />
Content-Transfer-Encoding: base64{CRLF}<br />
Content-Disposition: attachment; filename=”smime.p7s”{CRLF}<br />
{CRLF}<br />
{signature}{CRLF}<br />
MIME Boundary<br />
--{boundary text}--<br />
9
Placeholder<br />
{boundary text}<br />
{CRLF}<br />
{signature}<br />
{content type/content sub-type}<br />
{raw data}<br />
Description<br />
Any alpha-numeric text. Preferably unique per file<br />
Carriage Return Line Feed – 0x0D 0x0A<br />
The CMS {pkcs7) object returned from<br />
signing application<br />
MIME media type describing the raw data. E.g.<br />
“text/plain”, “text/xml” or “application/octet-stream”<br />
The original data required to be processed by<br />
Bankline Direct<br />
An example of an S/MIME detached signature file is:<br />
MIME-Version: 1.0<br />
Content-Type: multipart/signed;<br />
protocol=”application/x-pkcs7-signature”; micalg=sha1;<br />
boundary=”myboundary123”<br />
S/MIME signed file<br />
--myboundary123<br />
Content-Type: text/plain<br />
Field1A,Field2A,Field3A<br />
Field1B,Field2B,Field3B<br />
--myboundary123<br />
Content-Type: application/x-pkcs7-signature; name=”smime.p7s”<br />
Content-Transfer-Encoding: base64<br />
Content-Disposition: attachment; filename=”smime.p7s”<br />
MIIFDgYJKoZIhvcNAQcCoIIE/zCCBPsCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3<br />
DQEHAaCCA54wggHLMIIBNAIBBDANBgkqhkiG9w0BAQUFADAuMQwwCgYDVQQDDANC<br />
MkIxETAPBgNVBAoMCFN0ZXJsaW5nMQswCQYDVQQGEwJVUzAeFw0wOTA2MzAxMDU1<br />
MTBaFw0xMTA2MzAxMDU1MTBaMC4xDDAKBgNVBAMMA0IyQjERMA8GA1UECgwIU3Rx<br />
................................................................<br />
...........C3v2QmT8zwqHihIHxMHLrCTZmXMM=<br />
--myboundary123--<br />
10<br />
Placeholder<br />
{boundary text}<br />
{content type/content sub-type}<br />
{raw data}<br />
Value<br />
mybound123<br />
text/plain<br />
Field1A,Field2A,Field3A{LF}<br />
Field1B,Field2B,Field3B{LF}
Bankline Direct will use whatever data is between the MIME Part 1 start and end boundaries to verify the<br />
signature. Therefore, the data that needs to be signed must include all data from MIME Part 1.<br />
All this must be sent to the signing application:<br />
MIME Part 1<br />
Content-Type: {content type/content sub-type}{CRLF}<br />
{CRLF}<br />
{raw data}{CRLF}<br />
For example<br />
Content-Type: text/plain<br />
Field1A,Field2A,Field3A<br />
Field1B,Field2B,Field3B<br />
Embedded Signatures<br />
An embedded signature is where the signature and data are combined within a single (Cryptographic Message<br />
Syntax) CMS structure. These are also known as Opaque signatures.<br />
MIME Header<br />
MIME Part<br />
Signed Data and Signature – CMS format<br />
This can be represented as follows:<br />
MIME Header<br />
MIME-Version: 1.0{CRLF}<br />
Content-Disposition: attachment;<br />
{optional CRLF}{SPACE}filename=”smime.p7m”{CRLF}<br />
Content-Type: application/x-pkcs7-mime;<br />
{optional CRLF}{SPACE}smime-type=signed-data;<br />
{optional CRLF}{SPACE}name=”smime.p7m”{CRLF}<br />
Content-Transfer-Encoding: base64{CRLF}<br />
{CRLF}<br />
MIME Part<br />
{CMS object with Data and Signature}<br />
11
Placeholder<br />
{CRLF}<br />
{pkcs7 signature}<br />
{CMS object with Data and Signature}<br />
Description<br />
Carriage Return Line Feed – 0x0D 0x0A<br />
The pkcs7 object returned from signing application<br />
CMS object containing original data to be signed and<br />
the signature<br />
An example of an S/MIME embedded signature file is:<br />
MIME-Version: 1.0<br />
Content-Disposition: attachment; filename=”smime.p7m”<br />
Content-Type: application/x-pkcs7-mime; smime-type=signed-data;<br />
name=”smime.p7m”<br />
Content-Transfer-Encoding: base64<br />
MIIFDgYJKoZIhvcNAQcCoIIE/zCCBPsCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3<br />
DQEHAaCCA54wggHLMIIBNAIBBDANBgkqhkiG9w0BAQUFADAuMQwwCgYDVQQDDANC<br />
MkIxETAPBgNVBAoMCFN0ZXJsaW5nMQswCQYDVQQGEwJVUzAeFw0wOTA2MzAxMDU1<br />
MTBaFw0xMTA2MzAxMDU1MTBaMC4xDDAKBgNVBAMMA0IyQjERMA8GA1UECgwIU3Rx<br />
................................................................<br />
...........C3v2QmT8zwqHihIHxMHLrCTZmXMM=<br />
In this case, only the raw data need be sent to the signing application:<br />
Field1A,Field2A,Field3A<br />
Field1B,Field2B,Field3B<br />
The signing application must be instructed to return the CMS object with the signed data included. This can be<br />
then used to populate MIME Part<br />
12
4. Use of File <strong>Signing</strong><br />
4.1 Typical Use of an HSM<br />
A Hardware Security Module (HSM) can be used to apply a digital signature to a payment file before it is sent onto<br />
the Bankline Direct service. The HSM stores the certificates and signing keys.<br />
A typical use of an HSM solution is for a payment file to be generated and presented to the HSM in order to apply<br />
a digital signature automatically to the file before being sent to the Bankline Direct service.<br />
HSMs also have the capability to store the Bankline Direct certificate details to validate files being sent to the<br />
customer from the service.<br />
Please refer to section 7 for configuration details for HSM.<br />
4.2 Typical Use of Smartcards<br />
Smartcards and card readers provide a manual approach to apply digital signatures to payment files. The card<br />
readers are connected to a local computer using specific signing software. Smartcards are assigned to individuals<br />
and must be combined with a user passcode to sanction the digital signing.<br />
A typical use of a Smartcard solution is for a payment file to be generated and presented to the signing software,<br />
where the operator can sign the file (using the eSigner software provided) using their individual Smartcard and<br />
passcode before they submit the files onto the Bankline Direct service.<br />
13
5. Bankline Direct Transmissions<br />
All communications from the Bankline Direct service to a customer will be digitally signed using an HSM.<br />
In order to receive these signed transmissions from the Bankline Direct service, the customer must check that the<br />
signature is one from the Bankline Direct service. The customer will need to extract the data from the file for<br />
processing by their systems whether that is an automated or manual process.<br />
Please refer to section 5.4 for an example of a signed file. The following sections describe how that will<br />
be achieved.<br />
5.1 Setup<br />
During the registration process, the customer will be sent certificate details which will enable them to authenticate<br />
files received from the Bankline Direct service.<br />
The following details will be provided to the customer;<br />
<br />
<br />
<br />
Production root.cer<br />
Production Sub CA.cer (this is the certificate authority used by the Bankline Direct service)<br />
NWBSigner1.cer (this is the certificate used for Natwest customers)<br />
In order for the Bankline Direct digital signature to be validated by the customer, the certificates must be loaded<br />
into the customer’s HSM module or within any other system being used to check files. Section 5.2 will outline the<br />
standards that the Bankline Direct signed files will comply with.<br />
5.2 Integration<br />
Transmissions sent by the Bankline Direct service will be signed using an S/MIME standard, with the following<br />
options applied.<br />
Security Type<br />
MIME Type<br />
MIME Sub-Type<br />
Content Transfer Encoding<br />
Apply Content Transfer Encoding on<br />
Detached Document<br />
<strong>Signing</strong> Option<br />
<strong>Signing</strong> Algorithm<br />
Message Syntax<br />
Message Output Format<br />
Detached Signed Only<br />
Application<br />
octet-stream<br />
Base64<br />
No<br />
Single Signature<br />
SHA-1<br />
CMS<br />
S/MIME<br />
14
5.3 Signature Validation<br />
There are two well known methods for checking the validity of the digital signature, i.e. to check whether the<br />
certificate has been revoked. These are;<br />
<br />
<br />
Online Certificate Status Protocol (OCSP)<br />
This allows the revocation status of a certificate to be determined at the time the file is received<br />
Certificate Revocation List (CRL)<br />
This is a list of all certificates that have been revoked. It will need to be refreshed at ‘regular’ intervals<br />
(e.g. 24 hours). This approach is not perfect as the certificate could have been revoked between the time<br />
a file is received from <strong>NatWest</strong> and the last time the certificate was published.<br />
Customers using an HSM solution may find their supplier provides software with the ability to validate signatures<br />
applied to files.<br />
The customer’s system must extract the signature from the file in order to;<br />
<br />
<br />
check the signature is valid<br />
check the file has been supplied by <strong>NatWest</strong><br />
separate the main file content from the signature for onward processing<br />
15
5.4 Signed File Example<br />
The following is an example of a digitally signed file that would be sent from the Bankline Direct service.<br />
The example used here is a positive File Status Notification.<br />
In the example below, the content transfer encoding has been truncated, but the signature header and message<br />
content is displayed.<br />
S/MIME<br />
Header and<br />
boundary<br />
Message/File<br />
Data<br />
Refer to Tech<br />
Specs for each<br />
format<br />
S/MIME<br />
boundary and<br />
base 64<br />
encoding<br />
Truncated for<br />
display<br />
Content-Type: multipart/signed; micalg=SHA1; protocol=”application/pkcs7-signature”;<br />
boundary=”_=8054618849605373Sterling8054618849605373MOKO”<br />
--_=8054618849605373Sterling8054618849605373MOKO<br />
Content-Type: application/octet-stream<br />
{1:F99NWBKGB2LXGPL0000000000}{2:I198499013 N}{4:<br />
:20:FSN15602<br />
:12:198<br />
:77E:<br />
GPL.MT103.106033AX.PM<br />
2010-11-20/14:24:12<br />
File accepted for further processing<br />
-}<br />
--_=8054618849605373Sterling8054618849605373MOKO<br />
Content-Type: application/pkcs7-signature; name=dsig.p7s<br />
Content-Transfer-Encoding: base64<br />
MIIN/gYJKoZIhvcNAQcCoIIN7zCCDesCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCDAQw<br />
ggX+MIIE5qADAgECAhAKAUE[truncation]02Bp4FL19ANn8g==<br />
--_=8054618849605373Sterling8054618849605373MOKO—<br />
16
6. Smartcard File <strong>Signing</strong><br />
6.1 Smartcard <strong>Signing</strong> Overview<br />
The steps required to construct and sign payment files are illustrated in the following diagram. The top half of the<br />
diagram outlines how the solution operates, whilst the second half details the implementation steps.<br />
Smartcards are distributed with a CD incorporating:<br />
<br />
<br />
Gemalto Classic Client for certificate administration<br />
eSigner to facilitate generation of the digital signature required by Bankline Direct<br />
17
An Integration Guide will also be sent separately to the Smartcards.<br />
These are the OS supported by eSigner 4.1.9 – 001:<br />
<br />
<br />
Windows XP Home (SP2) – 32-bit only<br />
Windows XP Home (SP3) – 32-bit only<br />
Windows XP Pro (SP2 and SP3) – 32-bit only<br />
Windows Server 2003 R2 SP2 (only with Citrix Metaframe Presentation Server 4.5 or with Terminal Services)<br />
Windows Vista SP1 – 32-bit and 64-bit<br />
Windows Vista SP2 – 32-bit and 64-bit<br />
Windows Server 2008 – SP2 32-bit and 64-bit<br />
Windows 7 – 32-bit and 64-bit<br />
Windows Server 2008 R2 - 32-bit and 64-bit<br />
These are the supported browsers:<br />
<br />
Internet Explorer 6, 7 and 8 (32-bit versions of IE only)<br />
Mozilla Firefox 3.6 (32-bit version of Firefox only)<br />
All payment files must be signed to an S/MIME v3.1 standard, with the following options applied:<br />
<br />
The message syntax can be PKCS7 or CMS<br />
The algorithm must be SHA-1<br />
The signature can be detached (original data not included) or embedded (original data included)<br />
The Content Transfer Encoding can be None or Base64<br />
18
6.2 Setup Instructions<br />
The following instructions provide some guidance on how to setup your systems to sign payment files using eSigner<br />
prior to submission to Bankline Direct:<br />
Install the eSigner application. This must be installed on all clients who will be signing files.<br />
The eSigner plugin is a Java plugin for Internet Explorer. The HTML code which is generated when a user browses<br />
to the internal file signing page is as follows:<br />
<br />
<br />
The image below shows the eSigner plugin as it will be displayed to the user.<br />
19
The table below provides an explanation of the parameters you should use to configure the eSigner application.<br />
Parameter<br />
Date Type/Field Length<br />
EXPECTEDVERSION Leave this as the default value 100<br />
TYPE<br />
DataToBeSigned<br />
PostURL<br />
Height<br />
Width<br />
Mime-type<br />
This tells the web browser what to load for the embed plugin<br />
This should contain the data you wish to sign<br />
The eSigner plugin will post the signature to this page<br />
The height of the plugin as it will be displayed on the page. Use 500 as less than this<br />
value will cause the plugin to be displayed in a popup window<br />
The width of the plugin as it will be displayed on the page. Use 500 as less than this<br />
value will cause the plugin to be displayed in a popup window<br />
The mime-type of the data in the DataToBeSigned field<br />
6.3 “PostURL” page<br />
This page will be used by the eSigner plugin to send the signature to.<br />
The signature will be sent as HTTP POST data.<br />
Below is an example of an ASP.net page which will get the signature and the original file and save it to a file.<br />
/// <br />
/// Handles the Load event of the Page control.<br />
/// <br />
/// The source of the event.<br />
/// The instance containing the event data.<br />
protected void Page_Load(object sender, EventArgs e)<br />
{<br />
string signature = (string)Request.Form[“Signature”];<br />
string rawFileName = (string)Session[“RawFileName”];<br />
string rawFileContent = (string)Session[“RawFileContent”];<br />
if (Request.Form[“<strong>Signing</strong>InterfaceException”] != null)<br />
{<br />
string errorType = Request.Form[“<strong>Signing</strong>InterfaceException”];<br />
// Handle the error<br />
}<br />
else<br />
{<br />
this.SaveSignedFile(rawFileName, rawFileContent, signature);<br />
}<br />
}<br />
20
The code extract overleaf shows that the signature is stored in the HTTP POST variable called “Signature”.<br />
The code first checks the “<strong>Signing</strong>InterfaceException” post data. If this exists an error has occurred and will need<br />
to be handled.<br />
The method “SaveSignedFile” you will need to implement yourself. This saves the original file data and signature to<br />
an S/MIME file<br />
6.4 S/MIME Output File<br />
S/MIME files allow you to save the original file data and the signature in a file which can be easily sent<br />
to a destination.<br />
The SMIME RFC 2633 will give you a detailed explanation of the SMIME format.<br />
Shown below is an example of an SMIME file. This can be used this as a template for generating files of this type.<br />
Ensure you pass the “Content-Type: text/plain” data to the eSigner plugin as well the data to sign in order for it be<br />
validated correctly.<br />
MIME-Version: 1.0<br />
Content-Type: multipart/signed; protocol=”application/x-pkcs7-signature”; micalg=sha1; boundary=<br />
”----261FEEA5CDD648E5A546D076DE289589”<br />
This is an S/MIME signed message<br />
------261FEEA5CDD648E5A546D076DE289589<br />
Content-Type: text/plain<br />
Data to be signed to be signed will be displayed here<br />
------261FEEA5CDD648E5A546D076DE289589<br />
Content-Type: application/x-pkcs7-signature; name=”smime.p7s”<br />
Content-Transfer-Encoding: base64<br />
Content-Disposition: attachment; filename=”smime.p7s”<br />
MIINogYJKoZIhvcNAQcCoIINkzCCDY8CA==<br />
------261FEEA5CDD648E5A546D076DE289589--<br />
21
6.5 Troubleshooting Tips<br />
The eSigner plugin will post the signature to the page configured by the “PostURL” parameter. You will need to<br />
save this as required.<br />
The eSigner plugin only sends the signature to the “PostURL” page. In order to create an S/MIME file you will also<br />
need the original file data. Save a reference to this as a session variable so it can be retrieved by the “PostURL” page.<br />
You will need to have your card inserted into the card reader before you click the Sign button. If it is not inserted<br />
you will be presented with the following error:<br />
22
7. Hardware Security Module<br />
Customers opting for a Hardware Security Module (HSM) solution should look to have this device installed and<br />
part-configured* ahead of submitting the Bankline Direct registration mandate.<br />
Bankline Direct certificates will be supplied as part of service registration process and are chargeable with a lifespan of<br />
three years. Please refer to your Relationship Manager or Implementation Manager for more details.<br />
*pre-configuration of Bankline Direct transmissions security (as outlined in section 5) cannot be completed until<br />
the details have been supplied.<br />
7.1 HSM Requirements<br />
The Bankline Direct service requires HSMs to conform to the FIPS 140-2, Level 2 standard. Please consult your<br />
HSM supplier for more information.<br />
7.2 HSM Setup<br />
During the registration process, the customer will receive a letter and a form from <strong>NatWest</strong> containing details on<br />
how to generate a Certificate Request.<br />
The Certificate Request must be generated from the HSM module and copied to a CD. The CD must be posted to<br />
<strong>NatWest</strong> (details outlined in the letter). Once the Certificate Request has been received by <strong>NatWest</strong>,<br />
a customer specific Certificate will be generated by TrustAssured (who are the <strong>NatWest</strong> certificate authority).<br />
The customer specific Certificate will be emailed in a zip file back to the requester for uploading into the HSM<br />
module. The following details will be sent to the customer:<br />
Production root.cer<br />
Production Sub CA.cer (This is the issue certificate of the Certificate Authority that signed the customer’s<br />
Certificate <strong>Signing</strong> Request)<br />
.cer (this is the uploaded into the HSM)<br />
7.3 Integration<br />
The HSM module must be configured to apply a digital certificate to payment files to an S/MIME standard.<br />
The following S/MIME file signing options must be enabled:<br />
the message syntax can be PKCS7 or CMS<br />
the algorithm must be SHA-1<br />
the signature can be detached (original data not included) or embedded (original data included)<br />
the Content Transfer Encoding can be None or Base64<br />
23<br />
The signing certificate can be included but it is not used. The customer’s public certificate(s) will already have<br />
been registered on Bankline Direct as part of the registration process.
National Westminster Bank Plc.<br />
Registered in England No 929027.<br />
Registered Office: 135 Bishopsgate, London EC2M 3UR. 90079500