Digital Signing guidelines - NatWest
22.11.2014 Views
Share Embed Flag

Digital Signing guidelines - NatWest

Digital Signing guidelines - NatWest

Digital Signing guidelines - NatWest

SHOW MORE
SHOW LESS
ePAPER READ
DOWNLOAD ePAPER
natwest.com

Create successful ePaper yourself

Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.

START NOW

Bankline Direct<br />

<strong>Digital</strong> Signature Guidelines

Important Notice<br />

Nothing contained in this document or any other communication made between <strong>NatWest</strong> or its representatives<br />

and any party shall constitute an agreement, contract or representation between <strong>NatWest</strong> and any other party.<br />

Receipt by the recipient of this document does not imply the existence of a contract or commitment by or with<br />

<strong>NatWest</strong> for any purpose.<br />

This document has been produced during the development phase of the <strong>NatWest</strong> Bankline Direct solution. Every<br />

effort has been made to ensure that the contents of this document are correct and accurately reflect the way the<br />

product will operate. However, the functionality of the proposed service is not yet fully implemented and tested<br />

and therefore the information given here may be subject to change. Furthermore it may not be technically possible<br />

to implement some functionality described herein or it may not be available at the initial release of the product.<br />

The information contained in this document is subject to constant updating and amendment in the future and is<br />

necessarily selective. It does not purport to contain all of the information which the recipient may require. While<br />

<strong>NatWest</strong> has taken all reasonable steps to ensure, as at the date of this document, that the facts which are<br />

contained in this document are materially correct and accurate, <strong>NatWest</strong> does not make any representation or<br />

warranty as to the accuracy or completeness or otherwise of this document, or the reasonableness of any<br />

assumptions on which this document may be based. All information supplied by <strong>NatWest</strong>, including that contained<br />

in this document, is subject to any final agreement reached between <strong>NatWest</strong> and the recipient. <strong>NatWest</strong> accepts<br />

no liability to recipients whatsoever and however arising and whether resulting from the use of this document, or<br />

any omissions from or deficiencies in this document.<br />

The details contained in this document may be subject to change until such time as a final version is published.<br />

Customers should therefore seek further guidance from <strong>NatWest</strong> prior to making any decision on the basis of this<br />

current version of the document.<br />

Copyright<br />

The contents of this document are copyright of <strong>NatWest</strong>. Unless otherwise indicated you may not use, sell,<br />

licence, copy or reproduce in whole or in part any such content without the prior written consent of <strong>NatWest</strong>.<br />

Commercial Confidentiality<br />

This document is provided for customers of <strong>NatWest</strong> use only, under the terms of a non-disclosure agreement.<br />

The recipient of any copies of this document is bound by the terms of the non-disclosure agreement.<br />

Contact<br />

For further details, please contact your <strong>NatWest</strong> Relationship Manager.<br />

2

Terminology Used<br />

For ease of reference and reading of this document, the following terms are used to indicate the meaning<br />

described. A full glossary, describing all other terms used can be found at the end of this document.<br />

Bankline Direct<br />

Is the term used to refer to <strong>NatWest</strong>s’ various interfaces, network connections, systems and operational activities<br />

that collectively provide the functionality described in this document.<br />

Outbound/Outward/Sending<br />

This refers to the direction of a payment from a customer via the <strong>NatWest</strong> Bankline Direct service and onto the<br />

receiving member.<br />

Document History<br />

Version Date Notes<br />

0.1 05 August 2010 Converted from Bankline Exchange version<br />

0.2 28 August 2010 Cosmetic Changes<br />

0.3 30 March 2011 Converted to new template<br />

0.4 20 April 2011 Included Bankline Direct Transmissions and other introductory sections<br />

0.41 20 April 2011 Minor cosmetic changes<br />

0.42 21 April 2011 Improvements arising from feedback on Smartcard section<br />

0.43 05 May 2011 Included high level description/introduction to S/MIME<br />

3

Contents<br />

1. Introduction 5<br />

1.1 Introduction to Bankline Direct 5<br />

1.2 Purpose of Technical Specifications 5<br />

1.3 Purpose of <strong>Digital</strong> Signature Guidelines 6<br />

1.4 Use of <strong>Digital</strong> Signature Guidelines 6<br />

2. Overview of <strong>Digital</strong> <strong>Signing</strong> Solutions 7<br />

3. S/MIME <strong>Digital</strong> Signatures 8<br />

3.1 MIME 8<br />

3.2 S/MIME <strong>Digital</strong> Signatures 8<br />

4. Use of File <strong>Signing</strong> 13<br />

4.1 Typical Use of an HSM 13<br />

4.2 Typical Use of Smartcards 13<br />

5. Bankline Direct Transmissions 14<br />

5.1 Setup 14<br />

5.2 Integration 14<br />

5.3 Signature Validation 15<br />

5.4 Signed File Example 16<br />

6. Smartcard File <strong>Signing</strong> 17<br />

6.1 Smartcard <strong>Signing</strong> Overview 17<br />

6.2 Setup Instructions 19<br />

6.3 “PostURL” page 20<br />

6.4 S/MIME Output File 21<br />

6.5 Troubleshooting Tips 22<br />

7. Hardware Security Module 23<br />

7.1 HSM Requirements 23<br />

7.2 HSM Setup 23<br />

7.3 Integration 23<br />

4

Introduction<br />

1.1 Introduction to Bankline Direct<br />

Bankline Direct provides a transactional gateway between <strong>NatWest</strong> and those customers who require the facility<br />

to make payments and receive account information reports. The service supports a varied array of industry and<br />

<strong>NatWest</strong> formats to enable simple integration into customers’ own systems.<br />

The Bankline Direct service is scalable and flexible to meet the need of customers who wish to make single<br />

payments transactions or multi-payment files. An extensive number of different account information reports and<br />

payment advice notices are available, along with reconciliation and activity reporting. All reports are published<br />

at a frequency that suits the needs of the customer.<br />

All data exchanged between the customer and the Bankline Direct service is secure, adhering to industry<br />

security standards.<br />

1.2 Purpose of Technical Specifications<br />

The purpose of this document is to provide <strong>NatWest</strong> customers with the required technical specifications to build<br />

and use the relevant connectivity channels to communicate with the Bankline Direct service.<br />

The following are the different types of Bankline Direct technical specification documents available<br />

<br />

<br />

<br />

<br />

<br />

Channel Build Guidelines<br />

Technical specifications and setup instructions for the connectivity channel between <strong>NatWest</strong> and<br />

its customer<br />

<strong>Digital</strong> Signature Guidelines<br />

Technical specifications outlining the structure and format of digital signatures applied to files sent<br />

by Bankline Direct and also the requirements for signing payment files to the service<br />

Outward Payment Files and Messages<br />

Technical specifications for the content and format of payment instructions; either for individual<br />

payment messages or files containing multiple payment messages<br />

Acknowledgements<br />

Technical specifications for the content and format of acknowledgements sent to the customer from<br />

the Bankline Direct service<br />

Reports<br />

Technical specifications for the content and format of reports and statements sent to the customer<br />

from the Bankline Direct service<br />

5

1.3 Purpose of <strong>Digital</strong> Signature Guidelines<br />

The purpose of this document is to provide Bankline Direct customers with the instructions on how to apply a<br />

digital signature to payment files.<br />

This document describes how to sign files using Smartcards utilising eSigner application, which is supplied on<br />

CD along with the Smartcards.<br />

This document also outlines the use of Hardware Security Module (HSM) solution for file signing.<br />

1.4 Use of <strong>Digital</strong> Signature Guidelines<br />

This document should be used alongside the Bankline Direct Channel Build Guidelines (Ref: BD-31.01) which<br />

describe the overall setup of the communication channels including delivering file signing.<br />

You should also read the eSigner Integration Guide before reading this document.<br />

6

2. Overview of <strong>Digital</strong> <strong>Signing</strong> Solutions<br />

All communications between the customer and the Bankline Direct service in either direction must be secure.<br />

All transmissions generated by the service will be digitally signed; likewise any payment messages or files sent<br />

to the Bankline Direct service must be signed with a digital certificate.<br />

Section 5 details the security configuration applied to reports and acknowledgements generated by the Bankline<br />

Direct service.<br />

Customer utilising the payment submission service must send messages and files complying with the prescribed<br />

<strong>NatWest</strong> security and industry standards. There are two options for applying a digital signature to payment<br />

transmissions, Smartcards and Hardware Security Module (HSM), please refer to sections 6 and 7 respectively.<br />

An HSM solution offers an unattended solution for straight through processing and may be attractive to customers<br />

who process large volumes of payments. An HSM solution reduces the administrative overhead and associated<br />

staffing needs but is a more expensive option. It is the customer’s responsibility to procure and install an<br />

HSM module.<br />

A Smartcard solution is a secure, but manual process requiring intervention from staff members, by entering a<br />

PIN number using a card reader and individual card credentials. This Smartcard option is considerably cheaper.<br />

Bankline Direct transmissions are digitally signed using an HSM.<br />

<strong>Digital</strong>ly signed communications that travel in both directions adhere to the S/MIME standard.<br />

Section 3 provides a high level description of S/MIME.<br />

7

3. S/MIME <strong>Digital</strong> Signatures<br />

S/MIME is the standard used to sign files that are sent to the customer. All payment files must also be signed using<br />

S/MIME. <strong>Signing</strong> of all payment files must adhere to the S/MIME standard regardless of whether Smartcards or<br />

HSMs are used to provide the signature. As S/MIME is a complex standard this section is included as a ‘primer’ for<br />

customers who have no familiarity or experience with S/MIME.<br />

It is not meant to cover all areas of the (S)MIME standard. It is meant only to give a high-level overview of how<br />

S/MIME files are constructed, for use with Bankline Direct.<br />

3.1 MIME<br />

Bankline Direct requires that digitally signed files are submitted using the S/MIME format. S/MIME is an extension<br />

of the MIME standard and is used to describe how to deliver signed and encrypted files.<br />

Simply, MIME is formed of the following entities:<br />

<br />

<br />

<br />

MIME Header – description of the MIME file contents<br />

MIME Boundary – text delimiter to separate entities<br />

MIME Part – a MIME file can have one or more MIME parts, each separated by a MIME boundary.<br />

Each part will have headers describing the MIME part content<br />

MIME Header<br />

MIME Boundary<br />

Describes the MIME file<br />

Text delimiter<br />

MIME Part N MIME Part 1<br />

MIME Boundary<br />

Text delimiter<br />

MIME Part N+1 MIME Part 2<br />

MIME Boundary<br />

Text delimiter<br />

MIME Part N+2 MIME Part 3<br />

MIME Boundary<br />

Text delimiter<br />

For files with only one MIME Part, the boundary is not necessary:<br />

MIME Header<br />

Describes the MIME file<br />

MIME Part MIME Part 1<br />

3.2 S/MIME <strong>Digital</strong> Signatures<br />

<strong>Digital</strong>ly signed files can be submitted to Bankline Direct with detached or embedded (opaque) signatures.<br />

Bankline only creates files with detached signatures.<br />

8

Detached Signatures<br />

A detached signature is where the signature is a separate structure to the signed data.<br />

MIME Header<br />

MIME Boundary<br />

MIME Part 1<br />

Signed Data<br />

MIME Boundary<br />

MIME Part 2<br />

The digital signature (CMS format)<br />

MIME Boundary<br />

This can be represented as follows:<br />

MIME Header<br />

MIME-Version: 1.0{CRLF}<br />

Content-Type: multipart/signed;<br />

{optional CRLF}{SPACE}protocol=”application/x-pkcs7-signature”;<br />

{optional CRLF}{SPACE}micalg=sha1;<br />

{optional CRLF}{SPACE}boundary=”{boundary text}”{CRLF}<br />

{CRLF}<br />

{optional message with CRLF}<br />

MIME Boundary<br />

--{boundary text}{CRLF}<br />

MIME Part 1<br />

Content-Type: {content type/content sub-type}{CRLF}<br />

{CRLF}<br />

{raw data}{CRLF}<br />

MIME Boundary<br />

--{boundary text}{CRLF}<br />

MIME Part 2<br />

Content-Type:application/x-pkcs7-signature; {optional<br />

CRLF}{SPACE}name=”smime.p7s”{CRLF}<br />

Content-Transfer-Encoding: base64{CRLF}<br />

Content-Disposition: attachment; filename=”smime.p7s”{CRLF}<br />

{CRLF}<br />

{signature}{CRLF}<br />

MIME Boundary<br />

--{boundary text}--<br />

9

Placeholder<br />

{boundary text}<br />

{CRLF}<br />

{signature}<br />

{content type/content sub-type}<br />

{raw data}<br />

Description<br />

Any alpha-numeric text. Preferably unique per file<br />

Carriage Return Line Feed – 0x0D 0x0A<br />

The CMS {pkcs7) object returned from<br />

signing application<br />

MIME media type describing the raw data. E.g.<br />

“text/plain”, “text/xml” or “application/octet-stream”<br />

The original data required to be processed by<br />

Bankline Direct<br />

An example of an S/MIME detached signature file is:<br />

MIME-Version: 1.0<br />

Content-Type: multipart/signed;<br />

protocol=”application/x-pkcs7-signature”; micalg=sha1;<br />

boundary=”myboundary123”<br />

S/MIME signed file<br />

--myboundary123<br />

Content-Type: text/plain<br />

Field1A,Field2A,Field3A<br />

Field1B,Field2B,Field3B<br />

--myboundary123<br />

Content-Type: application/x-pkcs7-signature; name=”smime.p7s”<br />

Content-Transfer-Encoding: base64<br />

Content-Disposition: attachment; filename=”smime.p7s”<br />

MIIFDgYJKoZIhvcNAQcCoIIE/zCCBPsCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3<br />

DQEHAaCCA54wggHLMIIBNAIBBDANBgkqhkiG9w0BAQUFADAuMQwwCgYDVQQDDANC<br />

MkIxETAPBgNVBAoMCFN0ZXJsaW5nMQswCQYDVQQGEwJVUzAeFw0wOTA2MzAxMDU1<br />

MTBaFw0xMTA2MzAxMDU1MTBaMC4xDDAKBgNVBAMMA0IyQjERMA8GA1UECgwIU3Rx<br />

................................................................<br />

...........C3v2QmT8zwqHihIHxMHLrCTZmXMM=<br />

--myboundary123--<br />

10<br />

Placeholder<br />

{boundary text}<br />

{content type/content sub-type}<br />

{raw data}<br />

Value<br />

mybound123<br />

text/plain<br />

Field1A,Field2A,Field3A{LF}<br />

Field1B,Field2B,Field3B{LF}

Bankline Direct will use whatever data is between the MIME Part 1 start and end boundaries to verify the<br />

signature. Therefore, the data that needs to be signed must include all data from MIME Part 1.<br />

All this must be sent to the signing application:<br />

MIME Part 1<br />

Content-Type: {content type/content sub-type}{CRLF}<br />

{CRLF}<br />

{raw data}{CRLF}<br />

For example<br />

Content-Type: text/plain<br />

Field1A,Field2A,Field3A<br />

Field1B,Field2B,Field3B<br />

Embedded Signatures<br />

An embedded signature is where the signature and data are combined within a single (Cryptographic Message<br />

Syntax) CMS structure. These are also known as Opaque signatures.<br />

MIME Header<br />

MIME Part<br />

Signed Data and Signature – CMS format<br />

This can be represented as follows:<br />

MIME Header<br />

MIME-Version: 1.0{CRLF}<br />

Content-Disposition: attachment;<br />

{optional CRLF}{SPACE}filename=”smime.p7m”{CRLF}<br />

Content-Type: application/x-pkcs7-mime;<br />

{optional CRLF}{SPACE}smime-type=signed-data;<br />

{optional CRLF}{SPACE}name=”smime.p7m”{CRLF}<br />

Content-Transfer-Encoding: base64{CRLF}<br />

{CRLF}<br />

MIME Part<br />

{CMS object with Data and Signature}<br />

11

Placeholder<br />

{CRLF}<br />

{pkcs7 signature}<br />

{CMS object with Data and Signature}<br />

Description<br />

Carriage Return Line Feed – 0x0D 0x0A<br />

The pkcs7 object returned from signing application<br />

CMS object containing original data to be signed and<br />

the signature<br />

An example of an S/MIME embedded signature file is:<br />

MIME-Version: 1.0<br />

Content-Disposition: attachment; filename=”smime.p7m”<br />

Content-Type: application/x-pkcs7-mime; smime-type=signed-data;<br />

name=”smime.p7m”<br />

Content-Transfer-Encoding: base64<br />

MIIFDgYJKoZIhvcNAQcCoIIE/zCCBPsCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3<br />

DQEHAaCCA54wggHLMIIBNAIBBDANBgkqhkiG9w0BAQUFADAuMQwwCgYDVQQDDANC<br />

MkIxETAPBgNVBAoMCFN0ZXJsaW5nMQswCQYDVQQGEwJVUzAeFw0wOTA2MzAxMDU1<br />

MTBaFw0xMTA2MzAxMDU1MTBaMC4xDDAKBgNVBAMMA0IyQjERMA8GA1UECgwIU3Rx<br />

................................................................<br />

...........C3v2QmT8zwqHihIHxMHLrCTZmXMM=<br />

In this case, only the raw data need be sent to the signing application:<br />

Field1A,Field2A,Field3A<br />

Field1B,Field2B,Field3B<br />

The signing application must be instructed to return the CMS object with the signed data included. This can be<br />

then used to populate MIME Part<br />

12

4. Use of File <strong>Signing</strong><br />

4.1 Typical Use of an HSM<br />

A Hardware Security Module (HSM) can be used to apply a digital signature to a payment file before it is sent onto<br />

the Bankline Direct service. The HSM stores the certificates and signing keys.<br />

A typical use of an HSM solution is for a payment file to be generated and presented to the HSM in order to apply<br />

a digital signature automatically to the file before being sent to the Bankline Direct service.<br />

HSMs also have the capability to store the Bankline Direct certificate details to validate files being sent to the<br />

customer from the service.<br />

Please refer to section 7 for configuration details for HSM.<br />

4.2 Typical Use of Smartcards<br />

Smartcards and card readers provide a manual approach to apply digital signatures to payment files. The card<br />

readers are connected to a local computer using specific signing software. Smartcards are assigned to individuals<br />

and must be combined with a user passcode to sanction the digital signing.<br />

A typical use of a Smartcard solution is for a payment file to be generated and presented to the signing software,<br />

where the operator can sign the file (using the eSigner software provided) using their individual Smartcard and<br />

passcode before they submit the files onto the Bankline Direct service.<br />

13

5. Bankline Direct Transmissions<br />

All communications from the Bankline Direct service to a customer will be digitally signed using an HSM.<br />

In order to receive these signed transmissions from the Bankline Direct service, the customer must check that the<br />

signature is one from the Bankline Direct service. The customer will need to extract the data from the file for<br />

processing by their systems whether that is an automated or manual process.<br />

Please refer to section 5.4 for an example of a signed file. The following sections describe how that will<br />

be achieved.<br />

5.1 Setup<br />

During the registration process, the customer will be sent certificate details which will enable them to authenticate<br />

files received from the Bankline Direct service.<br />

The following details will be provided to the customer;<br />

<br />

<br />

<br />

Production root.cer<br />

Production Sub CA.cer (this is the certificate authority used by the Bankline Direct service)<br />

NWBSigner1.cer (this is the certificate used for Natwest customers)<br />

In order for the Bankline Direct digital signature to be validated by the customer, the certificates must be loaded<br />

into the customer’s HSM module or within any other system being used to check files. Section 5.2 will outline the<br />

standards that the Bankline Direct signed files will comply with.<br />

5.2 Integration<br />

Transmissions sent by the Bankline Direct service will be signed using an S/MIME standard, with the following<br />

options applied.<br />

Security Type<br />

MIME Type<br />

MIME Sub-Type<br />

Content Transfer Encoding<br />

Apply Content Transfer Encoding on<br />

Detached Document<br />

<strong>Signing</strong> Option<br />

<strong>Signing</strong> Algorithm<br />

Message Syntax<br />

Message Output Format<br />

Detached Signed Only<br />

Application<br />

octet-stream<br />

Base64<br />

No<br />

Single Signature<br />

SHA-1<br />

CMS<br />

S/MIME<br />

14

5.3 Signature Validation<br />

There are two well known methods for checking the validity of the digital signature, i.e. to check whether the<br />

certificate has been revoked. These are;<br />

<br />

<br />

Online Certificate Status Protocol (OCSP)<br />

This allows the revocation status of a certificate to be determined at the time the file is received<br />

Certificate Revocation List (CRL)<br />

This is a list of all certificates that have been revoked. It will need to be refreshed at ‘regular’ intervals<br />

(e.g. 24 hours). This approach is not perfect as the certificate could have been revoked between the time<br />

a file is received from <strong>NatWest</strong> and the last time the certificate was published.<br />

Customers using an HSM solution may find their supplier provides software with the ability to validate signatures<br />

applied to files.<br />

The customer’s system must extract the signature from the file in order to;<br />

<br />

<br />

check the signature is valid<br />

check the file has been supplied by <strong>NatWest</strong><br />

separate the main file content from the signature for onward processing<br />

15

5.4 Signed File Example<br />

The following is an example of a digitally signed file that would be sent from the Bankline Direct service.<br />

The example used here is a positive File Status Notification.<br />

In the example below, the content transfer encoding has been truncated, but the signature header and message<br />

content is displayed.<br />

S/MIME<br />

Header and<br />

boundary<br />

Message/File<br />

Data<br />

Refer to Tech<br />

Specs for each<br />

format<br />

S/MIME<br />

boundary and<br />

base 64<br />

encoding<br />

Truncated for<br />

display<br />

Content-Type: multipart/signed; micalg=SHA1; protocol=”application/pkcs7-signature”;<br />

boundary=”_=8054618849605373Sterling8054618849605373MOKO”<br />

--_=8054618849605373Sterling8054618849605373MOKO<br />

Content-Type: application/octet-stream<br />

{1:F99NWBKGB2LXGPL0000000000}{2:I198499013 N}{4:<br />

:20:FSN15602<br />

:12:198<br />

:77E:<br />

GPL.MT103.106033AX.PM<br />

2010-11-20/14:24:12<br />

File accepted for further processing<br />

-}<br />

--_=8054618849605373Sterling8054618849605373MOKO<br />

Content-Type: application/pkcs7-signature; name=dsig.p7s<br />

Content-Transfer-Encoding: base64<br />

MIIN/gYJKoZIhvcNAQcCoIIN7zCCDesCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCDAQw<br />

ggX+MIIE5qADAgECAhAKAUE[truncation]02Bp4FL19ANn8g==<br />

--_=8054618849605373Sterling8054618849605373MOKO—<br />

16

6. Smartcard File <strong>Signing</strong><br />

6.1 Smartcard <strong>Signing</strong> Overview<br />

The steps required to construct and sign payment files are illustrated in the following diagram. The top half of the<br />

diagram outlines how the solution operates, whilst the second half details the implementation steps.<br />

Smartcards are distributed with a CD incorporating:<br />

<br />

<br />

Gemalto Classic Client for certificate administration<br />

eSigner to facilitate generation of the digital signature required by Bankline Direct<br />

17

An Integration Guide will also be sent separately to the Smartcards.<br />

These are the OS supported by eSigner 4.1.9 – 001:<br />

<br />

<br />

Windows XP Home (SP2) – 32-bit only<br />

Windows XP Home (SP3) – 32-bit only<br />

Windows XP Pro (SP2 and SP3) – 32-bit only<br />

Windows Server 2003 R2 SP2 (only with Citrix Metaframe Presentation Server 4.5 or with Terminal Services)<br />

Windows Vista SP1 – 32-bit and 64-bit<br />

Windows Vista SP2 – 32-bit and 64-bit<br />

Windows Server 2008 – SP2 32-bit and 64-bit<br />

Windows 7 – 32-bit and 64-bit<br />

Windows Server 2008 R2 - 32-bit and 64-bit<br />

These are the supported browsers:<br />

<br />

Internet Explorer 6, 7 and 8 (32-bit versions of IE only)<br />

Mozilla Firefox 3.6 (32-bit version of Firefox only)<br />

All payment files must be signed to an S/MIME v3.1 standard, with the following options applied:<br />

<br />

The message syntax can be PKCS7 or CMS<br />

The algorithm must be SHA-1<br />

The signature can be detached (original data not included) or embedded (original data included)<br />

The Content Transfer Encoding can be None or Base64<br />

18

6.2 Setup Instructions<br />

The following instructions provide some guidance on how to setup your systems to sign payment files using eSigner<br />

prior to submission to Bankline Direct:<br />

Install the eSigner application. This must be installed on all clients who will be signing files.<br />

The eSigner plugin is a Java plugin for Internet Explorer. The HTML code which is generated when a user browses<br />

to the internal file signing page is as follows:<br />

<br />

<br />

The image below shows the eSigner plugin as it will be displayed to the user.<br />

19

The table below provides an explanation of the parameters you should use to configure the eSigner application.<br />

Parameter<br />

Date Type/Field Length<br />

EXPECTEDVERSION Leave this as the default value 100<br />

TYPE<br />

DataToBeSigned<br />

PostURL<br />

Height<br />

Width<br />

Mime-type<br />

This tells the web browser what to load for the embed plugin<br />

This should contain the data you wish to sign<br />

The eSigner plugin will post the signature to this page<br />

The height of the plugin as it will be displayed on the page. Use 500 as less than this<br />

value will cause the plugin to be displayed in a popup window<br />

The width of the plugin as it will be displayed on the page. Use 500 as less than this<br />

value will cause the plugin to be displayed in a popup window<br />

The mime-type of the data in the DataToBeSigned field<br />

6.3 “PostURL” page<br />

This page will be used by the eSigner plugin to send the signature to.<br />

The signature will be sent as HTTP POST data.<br />

Below is an example of an ASP.net page which will get the signature and the original file and save it to a file.<br />

/// <br />

/// Handles the Load event of the Page control.<br />

/// <br />

/// The source of the event.<br />

/// The instance containing the event data.<br />

protected void Page_Load(object sender, EventArgs e)<br />

{<br />

string signature = (string)Request.Form[“Signature”];<br />

string rawFileName = (string)Session[“RawFileName”];<br />

string rawFileContent = (string)Session[“RawFileContent”];<br />

if (Request.Form[“<strong>Signing</strong>InterfaceException”] != null)<br />

{<br />

string errorType = Request.Form[“<strong>Signing</strong>InterfaceException”];<br />

// Handle the error<br />

}<br />

else<br />

{<br />

this.SaveSignedFile(rawFileName, rawFileContent, signature);<br />

}<br />

}<br />

20

The code extract overleaf shows that the signature is stored in the HTTP POST variable called “Signature”.<br />

The code first checks the “<strong>Signing</strong>InterfaceException” post data. If this exists an error has occurred and will need<br />

to be handled.<br />

The method “SaveSignedFile” you will need to implement yourself. This saves the original file data and signature to<br />

an S/MIME file<br />

6.4 S/MIME Output File<br />

S/MIME files allow you to save the original file data and the signature in a file which can be easily sent<br />

to a destination.<br />

The SMIME RFC 2633 will give you a detailed explanation of the SMIME format.<br />

Shown below is an example of an SMIME file. This can be used this as a template for generating files of this type.<br />

Ensure you pass the “Content-Type: text/plain” data to the eSigner plugin as well the data to sign in order for it be<br />

validated correctly.<br />

MIME-Version: 1.0<br />

Content-Type: multipart/signed; protocol=”application/x-pkcs7-signature”; micalg=sha1; boundary=<br />

”----261FEEA5CDD648E5A546D076DE289589”<br />

This is an S/MIME signed message<br />

------261FEEA5CDD648E5A546D076DE289589<br />

Content-Type: text/plain<br />

Data to be signed to be signed will be displayed here<br />

------261FEEA5CDD648E5A546D076DE289589<br />

Content-Type: application/x-pkcs7-signature; name=”smime.p7s”<br />

Content-Transfer-Encoding: base64<br />

Content-Disposition: attachment; filename=”smime.p7s”<br />

MIINogYJKoZIhvcNAQcCoIINkzCCDY8CA==<br />

------261FEEA5CDD648E5A546D076DE289589--<br />

21

6.5 Troubleshooting Tips<br />

The eSigner plugin will post the signature to the page configured by the “PostURL” parameter. You will need to<br />

save this as required.<br />

The eSigner plugin only sends the signature to the “PostURL” page. In order to create an S/MIME file you will also<br />

need the original file data. Save a reference to this as a session variable so it can be retrieved by the “PostURL” page.<br />

You will need to have your card inserted into the card reader before you click the Sign button. If it is not inserted<br />

you will be presented with the following error:<br />

22

7. Hardware Security Module<br />

Customers opting for a Hardware Security Module (HSM) solution should look to have this device installed and<br />

part-configured* ahead of submitting the Bankline Direct registration mandate.<br />

Bankline Direct certificates will be supplied as part of service registration process and are chargeable with a lifespan of<br />

three years. Please refer to your Relationship Manager or Implementation Manager for more details.<br />

*pre-configuration of Bankline Direct transmissions security (as outlined in section 5) cannot be completed until<br />

the details have been supplied.<br />

7.1 HSM Requirements<br />

The Bankline Direct service requires HSMs to conform to the FIPS 140-2, Level 2 standard. Please consult your<br />

HSM supplier for more information.<br />

7.2 HSM Setup<br />

During the registration process, the customer will receive a letter and a form from <strong>NatWest</strong> containing details on<br />

how to generate a Certificate Request.<br />

The Certificate Request must be generated from the HSM module and copied to a CD. The CD must be posted to<br />

<strong>NatWest</strong> (details outlined in the letter). Once the Certificate Request has been received by <strong>NatWest</strong>,<br />

a customer specific Certificate will be generated by TrustAssured (who are the <strong>NatWest</strong> certificate authority).<br />

The customer specific Certificate will be emailed in a zip file back to the requester for uploading into the HSM<br />

module. The following details will be sent to the customer:<br />

Production root.cer<br />

Production Sub CA.cer (This is the issue certificate of the Certificate Authority that signed the customer’s<br />

Certificate <strong>Signing</strong> Request)<br />

.cer (this is the uploaded into the HSM)<br />

7.3 Integration<br />

The HSM module must be configured to apply a digital certificate to payment files to an S/MIME standard.<br />

The following S/MIME file signing options must be enabled:<br />

the message syntax can be PKCS7 or CMS<br />

the algorithm must be SHA-1<br />

the signature can be detached (original data not included) or embedded (original data included)<br />

the Content Transfer Encoding can be None or Base64<br />

23<br />

The signing certificate can be included but it is not used. The customer’s public certificate(s) will already have<br />

been registered on Bankline Direct as part of the registration process.

National Westminster Bank Plc.<br />

Registered in England No 929027.<br />

Registered Office: 135 Bishopsgate, London EC2M 3UR. 90079500

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!