Additional Configuration
The following sections list additional configuration relevant for Code Signing but not specific to any signer:
Authentication and Authorization
To limit access to the workers, SignServer offers different authentication and authorization options configured per worker.
Client Certificate
Worker Property | Value |
---|---|
AUTHTYPE | CLIENTCERT |
With AUTHTYPE set to CLIENTCERT, only clients that authenticate with a certificate trusted by the application server, and whose certificate serial number is listed in the worker's authorization list, are allowed.
Username / Password
This AUTHTYPE implementation uses user names and passwords stored in the configuration. For testing and demonstration purposes, clear-text passwords can be used, and for real use cases the passwords can be hashed and salted:
Worker Property | Value |
---|---|
AUTHTYPE | org.signserver.server.UsernamePasswordAuthorizer |
USER.USER1 | mypassword1 |
USER.USER2 | mypassword2 |
Authentication Proxy
If SignServer is set up behind a reverse proxy, such as Apache HTTP Server or Nginx, that performs the authentication using any of its supported methods (for example HTTP auth or LDAP/Active Directory), SignServer can be configured to only look at the supplied user name and either accept all users or only specified users.
Worker Property | Value |
---|---|
AUTHTYPE | org.signserver.server.UsernameAuthorizer |
ACCEPT_ALL_USERNAMES | false |
ACCEPT_USERNAMES | user1;user2;user3 |
For more authorization alternatives, such as limiting access based on the client's IP address, refer to the SignServer Manual.
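The following is an added example, not part of SignServer or its documentation: a small Python check that reads a worker's properties as KEY = value text and reports the weak settings described under Username / Password and Authentication Proxy. The function names, the sample configurations, the HASH:ALGORITHM[:SALT] shape assumed for hashed password entries, and treating a missing ACCEPT_ALL_USERNAMES as false are assumptions; verify them against the SignServer Manual.

```python
UPA = "org.signserver.server.UsernamePasswordAuthorizer"
UA = "org.signserver.server.UsernameAuthorizer"

def parse_properties(text):
    """Parse 'KEY = value' lines; lines starting with '#' are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip().upper()] = value.strip()
    return props

def audit_worker(props):
    """Return findings for the authentication properties of one worker."""
    findings = []
    authtype = props.get("AUTHTYPE", "")
    users = {k: v for k, v in props.items() if k.startswith("USER.")}
    if authtype == UPA:
        for key, value in sorted(users.items()):
            # Assumption: hashed entries look like HASH:ALGORITHM[:SALT], so a
            # value without ':' is clear text (a password containing ':' is missed).
            if ":" not in value:
                findings.append(f"{key}: clear-text password")
            elif value.count(":") == 1:
                findings.append(f"{key}: hashed but not salted")
    elif authtype == UA:
        # Assumption: a missing ACCEPT_ALL_USERNAMES is treated as false.
        accept_all = props.get("ACCEPT_ALL_USERNAMES", "false").lower() == "true"
        names = [n for n in props.get("ACCEPT_USERNAMES", "").split(";") if n.strip()]
        if accept_all:
            findings.append("ACCEPT_ALL_USERNAMES=true: every user the proxy passes is accepted")
        elif not names:
            findings.append("ACCEPT_USERNAMES is empty: no user is accepted")
    elif authtype != "CLIENTCERT":
        findings.append(f"AUTHTYPE={authtype or '(unset)'}: not an option described here")
    return findings

# Constructed samples; the digest below is a placeholder, not a real hash.
WEAK = """\
AUTHTYPE = org.signserver.server.UsernamePasswordAuthorizer
USER.USER1 = mypassword1
USER.USER2 = c0ffee00:SHA256
"""
PROXY = "AUTHTYPE = org.signserver.server.UsernameAuthorizer\nACCEPT_ALL_USERNAMES = true\n"

if __name__ == "__main__":
    for text in (WEAK, PROXY):
        print(audit_worker(parse_properties(text)))
```

With the UsernameAuthorizer, the check only covers SignServer's side; the worker trusts whatever user name reaches it, so the reverse proxy must be the only path to the worker.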
Worker Logging
By default, transactions (signings) are only logged to file (and, on the PKI Appliance, to syslog). The WORKERLOGGER worker property can be set to enable logging to the database. When enabled, all available log fields are included by default; the output can be limited to a subset of fields or set to exclude certain fields:
Worker Property | Value |
---|---|
WORKERLOGGER | org.signserver.server.log.SecurityEventsWorkerLogger |
LOGINCLUDEFIELDS | PROCESS_SUCCESS,WORKER_NAME,CLIENT_IP, |
LOGEXCLUDEFIELDS | RESPONSE_ENCODED, SIGNER_CERT_ISSUERDN |
Maximum Upload Size
SignServer imposes a soft limit by refusing to process uploads with a size over 100 MB. This limit can be configured by setting a global configuration property.
Global Property | Description |
---|---|
HTTP_MAX_UPLOAD_SIZE | Global configuration property that can be set to specify the maximum size (in bytes) that is allowed for an HTTP request. |
FILE_SIZE_THRESHOLD | Global configuration property that can be set to specify the size threshold (in bytes) after which the data is written to disk. Default: 1048576 (thus 1 MB). In the software version, the uploaded files are temporarily stored in the default temp directory, which can be changed by starting the application server with a different value for the Java property java.io.tmpdir. For the PKI Appliance, a separate partition with a maximum size of 20 GiB is used (since PKI Appliance version 2.7). |