
Deploy-time Configuration

You can configure properties in conf/signserver_deploy.properties, which are used when deploying SignServer to the application server. The properties include settings used by the deployment script to find the application server, the database type to use, and other settings included in the deployment of the application.

The Deploy-time Configuration feature is only available for the SignServer Software Stack and Container deployments. See Installation.

See the sample configuration file conf/signserver_deploy.properties.sample for the available options and their default values.

For changes in signserver_deploy.properties and databaseprotection.properties to take effect, the application needs to be deployed again using bin/ant deploy. It is not necessary to run bin/ant clean first.

CryptoToken Configuration

cryptotoken.disablekeygeneration

Default: false

Disables the key generation functionality for all crypto tokens.

With this property set to true, worker key renewal and key generation operations in crypto tokens are denied with the error message "Key generation has been disabled". The key generation pages in Admin Web are disabled as well.

A typical reason to use this option is that key generation is to be carried out by a procedure outside of SignServer, possibly under dual person control, so that no key can be created through the SignServer interfaces.

Database Configuration

database.hibernate.disable.cache

Default: false

Disables the Hibernate L2 (second-level) cache and the query cache.

With this property set to true, the SignServerJPA and EJBCA persistence units are deployed with extra elements that turn off the L2 and query cache.

The elements added are:

CODE
<property name="hibernate.cache.use_second_level_cache" value="false"/>
<property name="hibernate.cache.use_query_cache" value="false"/>
<property name="hibernate.cache.region.factory_class" value="org.hibernate.cache.internal.NoCachingRegionFactory"/>

The effect of disabling the L2 and query cache has not been tested, but it is expected to have a negative impact on performance.

Allowlist Configuration

pdfsigner.archive.path.allowed.X

Signed documents can be archived in the local file system, see the ARCHIVETODISK properties in PDF Signer. For this to work, the directories the PDF Signer is allowed to archive to must also be configured as deploy properties pdfsigner.archive.path.allowed.X, where X is an integer corresponding to a path entry in the archiving allowlist. The number of allowed archiving paths is limited to 256 entries. All the archive paths configured in the properties file are added to the archiving allowlist; an archive path that is not covered by the allowlist is rejected.

Example:

CODE
pdfsigner.archive.path.allowed.0=/home/user/archiving1/
pdfsigner.archive.path.allowed.1=/home/user/archiving2/
pdfsigner.archive.path.allowed.2=/home/user/archiving3/

pdfsigner.image.path.allowed.X

A visible signature image can be specified using a file path (for example, using VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH or VISIBLE_SIGNATURE_IMAGE_PATH) in the PDF Signer or AdES Signer. For this to work, the directories that image files may be read from must also be configured as deploy properties pdfsigner.image.path.allowed.X, where X is an integer corresponding to a path entry in the custom image allowlist. The number of allowed image paths is limited to 256 entries. All the custom image paths configured in the properties file are added to the custom image allowlist.

Example:

CODE
pdfsigner.image.path.allowed.0=/home/user/images1/
pdfsigner.image.path.allowed.1=/home/user/images2/
pdfsigner.image.path.allowed.2=/home/user/images3/

signerstatusreportworker.outputfile.path.allowed.X

Path entries for the output file of the Signer Status Report Timed Service. Configure signerstatusreportworker.outputfile.path.allowed.X as deploy properties, where X is an integer corresponding to a path entry in the outputfile allowlist; the report can only be written to an allowlisted path. The number of allowed outputfile paths is limited to 256 entries. All the outputfile paths configured in the properties file are added to the outputfile allowlist.

keystorecryptotoken.keystore.path.allowed.X

Path entries for the keystore file of the Keystore Crypto Token. Configure keystorecryptotoken.keystore.path.allowed.X as deploy properties, where X is an integer corresponding to a path entry in the keystore allowlist; keystore files can only be loaded from an allowlisted path. The number of allowed keystore paths is limited to 256 entries. All the keystore paths configured in the properties file are added to the keystore allowlist.

renewalworker.truststore.path.allowed.X

Path entries for the truststore used by the Renewal Worker, that is, the truststore holding the CA's SSL/TLS server certificate. Configure renewalworker.truststore.path.allowed.X as deploy properties, where X is an integer corresponding to a path entry in the truststore allowlist. The number of allowed truststore paths is limited to 256 entries. All the truststore paths configured in the properties file are added to the truststore allowlist.

legacypkcs11cryptotoken.attributesfile.path.allowed.X

Path entries for the attributes file of the legacy PKCS#11 Crypto Token, that is, the file containing the PKCS#11 attributes. Configure legacypkcs11cryptotoken.attributesfile.path.allowed.X as deploy properties, where X is an integer corresponding to a path entry in the attributesfile allowlist. The number of allowed attributesfile paths is limited to 256 entries. All the attributesfile paths configured in the properties file are added to the attributesfile allowlist.
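All of the path allowlists above follow the same pattern: a worker may only use a file or directory that lies under one of the allowlisted directories. The following Python script is an added example and not SignServer's own code. It reads the *.path.allowed.X entries from a constructed snippet of signserver_deploy.properties, enforces the documented 256-entry limit, and checks a candidate path against the allowlist after canonicalising it, so that ".." segments, symlinks and look-alike directory names cannot escape an allowlisted directory. The canonicalisation and containment test are this example's reading of what such an allowlist should enforce; SignServer's own matching rules are not described on this page.

```python
"""Added example (not SignServer code): evaluate *.path.allowed.X allowlists.

The matching rule below (resolve symlinks and '..', then require the
candidate to be the allowlisted directory or something beneath it) is an
assumption made for this example, not a description of SignServer."""
import os
from pathlib import Path

MAX_ENTRIES = 256  # limit stated in the SignServer documentation

# Constructed sample of the relevant part of signserver_deploy.properties.
SAMPLE_PROPERTIES = """
# comment and blank lines are ignored
pdfsigner.archive.path.allowed.0=/srv/signserver/archive1/
pdfsigner.archive.path.allowed.1=/srv/signserver/archive2
pdfsigner.image.path.allowed.0=/srv/signserver/images/
keystorecryptotoken.keystore.path.allowed.0=/etc/signserver/keystores/
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def load_allowlist(props, prefix):
    """Collect prefix.0, prefix.1, ... as canonical absolute directories.

    Misnumbered entries (X >= 256) and relative paths raise instead of
    being dropped silently, so a broken deploy file fails loudly."""
    entries = []
    for key, value in props.items():
        if not key.startswith(prefix + "."):
            continue
        index = key[len(prefix) + 1:]
        if not index.isdigit():
            raise ValueError(f"{key}: allowlist index must be an integer")
        if int(index) >= MAX_ENTRIES:
            raise ValueError(f"{key}: at most {MAX_ENTRIES} entries allowed")
        if not os.path.isabs(value):
            raise ValueError(f"{key}: allowlisted path must be absolute")
        # realpath() resolves symlinks and '..' and strips a trailing slash,
        # so comparisons are made on canonical names.
        entries.append((int(index), Path(os.path.realpath(value))))
    return [path for _, path in sorted(entries)]


def is_allowed(candidate, allowlist):
    """True if the canonical candidate is an allowlisted directory or under it.

    A plain string-prefix test would accept /srv/signserver/archive1-evil for
    the entry /srv/signserver/archive1, and would accept
    /srv/signserver/archive1/../../../etc/passwd; comparing path components
    after realpath() rejects both."""
    if not os.path.isabs(candidate):
        return False
    real = Path(os.path.realpath(candidate))
    return any(real == base or base in real.parents for base in allowlist)


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    archive = load_allowlist(props, "pdfsigner.archive.path.allowed")
    for path in ("/srv/signserver/archive1/2024/doc.pdf",
                 "/srv/signserver/archive1/../../../etc/passwd",
                 "/srv/signserver/archive1-evil/doc.pdf"):
        print(f"{'allowed' if is_allowed(path, archive) else 'denied ':8} {path}")
```

The same load_allowlist() call with the other prefixes (pdfsigner.image.path.allowed, keystorecryptotoken.keystore.path.allowed, and so on) evaluates the remaining allowlists. When auditing a deployment, the entries worth questioning are those that are very broad (a root such as /home or /tmp writable by other users) or that contain symlinks, since the allowlist only restricts where SignServer writes or reads relative to what the directory resolves to at run time.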

Worker ID Configuration

workerids.genid.start

Default: 1

Specifies the starting number for auto-generated worker IDs.

When a new worker is added using a placeholder (such as GENID1 in the Admin Web or the Admin CLI), the system searches for the next available integer ID starting from this value. If workers already exist with IDs higher than this value, the system continues from the current maximum ID found in the configuration instead.

This property is useful for reserving a low ID range for manual assignment while letting auto-generated workers start from a higher, non-conflicting offset.

Example:

CODE
workerids.genid.start=1000

workerids.readonly

Default: empty

Makes the listed worker IDs read-only through the remote interfaces, that is, the REST API, Admin WS and the Admin Web.

Workers whose IDs fall in the listed ranges cannot be edited through those interfaces; this includes adding or removing a worker with an ID in a listed range. Changes made with the Admin CLI are still allowed, so the setting does not protect against changes made through the Admin CLI.

Multiple ranges can be specified, using a comma as the delimiter. A single ID is written as the number alone and a range as low-high.

Example:

CODE
workerids.readonly=1-10,11,20-100
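The two Worker ID properties are easiest to reason about as a small policy: which IDs a remote interface may touch, and which ID a GENID placeholder resolves to. The Python below is an added example and not SignServer's own code. parse_readonly_ranges() implements the "1-10,11,20-100" syntax documented for workerids.readonly, check_remote_change() applies the rule that only the remote interfaces are restricted, and next_generated_id() applies the documented rule for workerids.genid.start (the first ID at or above the start value that is also above every existing ID). How SignServer itself resolves GENID placeholders internally is not shown on this page; the function's handling of gaps below the current maximum is this example's reading of the documentation.

```python
"""Added example (not SignServer code): workerids.readonly and
workerids.genid.start expressed as a checkable policy.

The GENID resolution follows the documented rule; it is an assumption that
SignServer behaves identically for every gap in the existing ID set."""


def parse_readonly_ranges(spec):
    """'1-10,11,20-100' -> [(1, 10), (11, 11), (20, 100)].

    Whitespace around items is tolerated and an empty spec (the default)
    yields no read-only IDs. Reversed or non-positive ranges are an error
    rather than being silently ignored."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        low, sep, high = item.partition("-")
        low = int(low)
        high = int(high) if sep else low
        if low < 1 or high < low:
            raise ValueError(f"invalid worker ID range: {item!r}")
        ranges.append((low, high))
    return ranges


def is_readonly(worker_id, ranges):
    """True if worker_id lies in any of the parsed read-only ranges."""
    return any(low <= worker_id <= high for low, high in ranges)


def check_remote_change(worker_id, ranges, via_admin_cli=False):
    """Decide whether an add/edit/remove of worker_id may proceed.

    The REST API, Admin WS and Admin Web must refuse changes to read-only
    IDs; the documentation states the Admin CLI is not restricted, so a
    CLI-originated change is allowed regardless of the ranges."""
    if via_admin_cli:
        return True
    return not is_readonly(worker_id, ranges)


def next_generated_id(existing_ids, genid_start=1):
    """ID substituted for a GENID placeholder.

    Never below genid_start and never at or below the highest existing ID,
    which is what the documentation describes for workerids.genid.start."""
    highest = max(existing_ids, default=0)
    return max(genid_start, highest + 1)


if __name__ == "__main__":
    # Constructed deploy settings matching the examples on this page.
    readonly = parse_readonly_ranges("1-10,11,20-100")
    existing = {1, 2, 3, 20, 21}
    for wid in (5, 15, 100, 101):
        verdict = "allowed" if check_remote_change(wid, readonly) else "read-only"
        print(f"remote change to worker {wid}: {verdict}")
    print("GENID resolves to", next_generated_id(existing, genid_start=1000))
```

When the read-only ranges are meant to hold hand-assigned workers, set workerids.genid.start above the highest read-only range, otherwise a GENID placeholder could land on an ID that the remote interfaces then refuse to modify.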

Allow Any Configuration

admin.allowany.enabled

Default: true

Enables or disables using ALLOW ANY as an authorization mode for administrators.

When this property is set to true, or left unconfigured, ALLOW ANY can be used in the SignServer deployment. With ALLOW ANY in effect, users can perform admin actions without being listed as an administrator.

Setting this property to false disables ALLOW ANY and all functionality associated with configuring it. This includes editing the Global Configuration value of ALLOW ANY to true, switching from ONLY LISTED to ALLOW ANY on the Administrators Page, and removing the ALLOW ANY configuration. Disabling it at deploy time therefore prevents the mode from being re-enabled later through the administration interfaces.

For more information on ALLOW ANY, see Administrators Page.
