Components

The components of the server signing architecture already mentioned are described in more detail below. Each entry gives the abbreviation, the component name and a description.

AM: proNEXT Audit Manager
A service that provides audit management functions for the components of the server signing architecture. The functions of the service include the delivery of audit entries via the REST interface, verification and export of the audit log, and ensuring integrity protection in s and configurations. The Audit Manager is used in particular by the Server Signing Application (SSA) and the Signature Activation Module (SAM).

CA: Certification Authority
Provides certificate services in the sense of a certification authority. In particular, it provides the additional services required for a TW4S, such as:

  • the identification and registration of signers and
  • the certification of signature keys

SCDev: Cryptographic Module
Used to create both the signers' signature keys and the signatures (signature values) requested by signers. Located in a specially secured environment within the TW4S remote environment. In the context of remote signing, it is mandatory to use an HSM of the model family 'CryptoServer Se-Series Gen2 CP5' (CC certificate [CCertCP5]) in conjunction with the likewise CC-certified proNEXT SignatureActivationModule v1.0.0 (CC certificate [CCertSAM]) as a so-called QSCD.

KM: proNEXT Key Manager
Provides functions for the creation, management and retrieval of key material. Objects managed by the KM, so-called managed objects, consist of a unique ID and a binary, which can represent certificates, public keys and user objects, among other things. Links between managed objects connect them and can, for example, represent relationships such as ownership.

RSAPI: Remote Signature API
Software installed in the signer's environment; it can, for example, be an application accessed from a browser or a mobile device. Participates in the signature activation protocol (SAP) and generates the SAD. Provides the link between the signer and the signature process (linking the document to be signed, the remote signature key the signer uses to sign, and the data that authenticates the signer). Communicates with the SSA in order to transfer the generated SAD to the SAM. Can be used as an alternative to the SAK/OS.

SAK: proNEXT SAK
CC-certified signature application component (CC certificate: [CCertSAK]). Situated in the protected environment of the remote TSP. Can be used to generate process-relevant data structures such as the SAD. Verifies the certificates generated during key pair generation; for this purpose it collects certificate information, evaluates it, and generates reports based on the checks.

SAK/OS: proNEXT SAK/Operations
Software installed in the signer's environment; it can, for example, be an application accessed from a browser or a mobile device. Participates in the signature activation protocol (SAP) and generates the SAD. Provides the link between the signer and the signature process (linking the document to be signed, the remote signature key the signer uses to sign, and the data that authenticates the signer). Communicates with the SSA in order to transfer the generated SAD to the SAM. Can be used as an alternative to the Remote Signature API.

SAM: proNEXT Signature Activation Module
A control unit for the cryptographic module, located together with it in the specially secured environment. It registers users, initiates the generation of signature keys, is responsible for executing the signature process, and verifies the SAD. The SAM provides its own. With the help of the and information stored there about signers and authentication factors, it is ensured that only the actual owner of a key can access it and thus use it for remote signing. The SAM further activates the signature key against the cryptographic module.

The SAM consists of three modules: the SAM Service, the SAM Firmware and the SAM Management. The SAM Firmware is integrated into the cryptographic module.

SSA: proNEXT Server Signing Application
Acts as a kind of proxy for the controlled addressing of the SAM's functionality and, via the SAM, provides an interface to the cryptographic module for generating, holding and using signature keys. All requests to the SAM from the SIC, the SAK/OS or users of the SAM shall be received, pre-screened and routed appropriately by the SSA. Signatories shall successfully identify and authenticate themselves before the SSA permits any actions involving the SAM. The SSA may maintain signer authentication for a specified period of time and/or for a specified number of signatures. In addition, the SSA creates audit records and passes them to the Audit Manager, which manages the audit logs.

Table 1: Components of the Server Signing Architecture
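An added example, not part of the proNEXT documentation or product: a minimal Python model of the SSA gatekeeping described in the table, where a signer's authentication stays valid only for a limited time and a limited number of signatures, every request is pre-screened before it is forwarded to the SAM, and each decision produces an audit record of the kind the SSA hands to the Audit Manager. The names (SsaGate, SignerSession, sam_stub), the default limits and the record layout are assumptions made for this illustration.

```python
import time
from dataclasses import dataclass


@dataclass
class SignerSession:
    signer_id: str
    authenticated_at: float
    max_age_s: float       # how long one authentication stays valid
    max_signatures: int    # how many signatures one authentication may cover
    signatures_used: int = 0

    def is_valid(self, now: float) -> bool:
        return (now - self.authenticated_at < self.max_age_s
                and self.signatures_used < self.max_signatures)


def sam_stub(signer_id: str, sad: str) -> str:
    # Stand-in for the SAM (assumed): the real module verifies the SAD and
    # activates the signer's key in the cryptographic module.
    return f"sig({signer_id},{sad})"


class SsaGate:
    """Pre-screens signer requests so that nothing reaches the SAM without a
    valid authentication, and records every decision as an audit entry."""

    def __init__(self, max_age_s=300.0, max_signatures=3, clock=time.time):
        self.max_age_s, self.max_signatures, self.clock = max_age_s, max_signatures, clock
        self.sessions = {}   # signer_id -> SignerSession
        self.audit = []      # records that would be passed to the Audit Manager

    def _log(self, event, signer_id, detail):
        self.audit.append({"ts": self.clock(), "event": event,
                           "signer": signer_id, "detail": detail})

    def authenticate(self, signer_id: str, credential_ok: bool) -> bool:
        if not credential_ok:
            self._log("AUTH_FAIL", signer_id, "credential rejected")
            return False
        self.sessions[signer_id] = SignerSession(
            signer_id, self.clock(), self.max_age_s, self.max_signatures)
        self._log("AUTH_OK", signer_id,
                  f"valid for {self.max_age_s}s or {self.max_signatures} signatures")
        return True

    def sign(self, signer_id: str, sad: str):
        """Forward a SAD to the SAM only while the signer's session is valid."""
        s = self.sessions.get(signer_id)
        if s is None or not s.is_valid(self.clock()):
            self.sessions.pop(signer_id, None)   # expired or exhausted: drop it
            self._log("DENY", signer_id, "no valid authentication for SAM access")
            return None
        s.signatures_used += 1
        self._log("FORWARD", signer_id,
                  f"SAD {sad} -> SAM ({s.signatures_used}/{s.max_signatures})")
        return sam_stub(signer_id, sad)
```

Once either limit is reached the session is discarded and the signer has to authenticate again, which is the behaviour the table describes for the SSA.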