Difference between revisions of "Digital Signatures"

From LongJump Support Wiki

Revision as of 00:26, 12 July 2011

Designer > Objects > {object} > Digital Signatures

Digital Signatures provide the ability to approve (by electronic signature), the values of a group of fields in a record.


  • The Digital Signatures option is managed by a Service Provider admin
  • This feature is disabled by default
  Learn more: Tenant Configuration Options

About Digital Signatures

  • Groups of fields are known as a Block-Level Signature Group
  • Multiple Block-Level Signature Groups can be created, which is useful when supporting group-based approval processes

Digitally Sign a Record

  • Users in Roles with permission rights to View an Object can digitally sign a record in that object, provided that the Block-Level Signature Group is accessible to that particular role
  • Learn more:

To digitally sign a record:

  1. Open the record to be signed.
  2. Click the [Digital Signature] button, or
  3. Click the [Button Label], when a Block-Level Signature Group is defined.
  4. A new section opens, which includes these fields:
    • User name - displayed for reference
    • Pass Phrase - enter the login password
    • Purpose - choose an item from the list
  5. Optionally, click the Show Fields you are signing link to display the fields in this Block-Level Signature Group
  6. Click the [Sign] button to create a digital signature and approve the corresponding data
  7. A Signed by field is created and displayed as an available field in the Form Layout, along with a Verify link; click the Verify link to confirm that the signature is valid

About Record Validation

  • After a record has been digitally signed, any change in the values of the fields belonging to the Block-Level Signature Group will result in a verification failure, followed by invalidation of the Record-Level Digital Signature
  • If a Block-Level Signature Group is invalidated, all signatures whose group order is greater will also be invalidated
  • If an attempt is made to change a record that has been digitally signed, a warning message is displayed, stating that if the action is confirmed, it will invalidate the Record-Level Digital Signature. The warning/confirmation message is also displayed on these record actions:
    • Ownership change
    • Mass update
    • Group actions
    • Imports (on merge with a record that has already been digitally signed)
  • Any change to the configuration of the signature group will not affect records that are already signed until verification is done
  • Changes to any of the following will result in signature verification failure:
    • the signature algorithm or key pair for the user
    • the list of fields that are part of the signature group
    • the value of any field included in the particular signature group

Enable Digital Signatures

To Enable Digital Signatures for an Object:

  1. Click Designer > Data > Objects > {object}
  2. Click the Digital Signatures tab
  3. If Digital Signatures are not already enabled for the object, click the [Edit] button and click the checkbox icon to enable digital signatures
  4. The following read-only fields are created automatically:
    • Signed By - User name (lookup field)
    • Signed Date - date/time stamp
    • Sign Hash - a security feature
    • Purpose - a global picklist

Block-Level Signature Groups

Users that have the Customize Objects permission can modify Digital Signatures and create, update or delete Digital Signature Groups


To create Block-Level Signature Groups

  1. Click the [New Signature Group] button and specify the following information:
    • Signature name
    • Button label
    • Roles to which this signature group is accessible
    • List of fields to be included as part of the signature group
  2. Optionally, add additional Block-Level Signature Groups
  3. Optionally, reorder the Block-Level Signature Groups (which sets the order of execution)

Considerations

  • In an Object, the Digital Signature option must be enabled first, which automatically creates a Record-Level Digital Signature. This Record-Level Digital Signature is of a higher order than the Block-Level Signature Groups.
  • The Block-Level Signature Group:
    • Requires the Record-Level Digital Signature to be enabled
    • Includes these Signature Group elements: signature name, button label, roles to which this signature group is accessible, list of fields to be included as part of the signature group
  • Block-Level Signature Groups can be re-ordered
  • A field can be part of only one Block-Level Signature Group
  • The Block-Level Signature Group order is automatically set by the system
  • To delete a Record-Level signature field, the object must be deleted
  • Deleting any one of the four signature-specific fields will throw an exception, warning the user that the field is used in a Record-Level Digital Signature
  • Signature-specific fields are available in any Form Layout as read-only fields
  • To delete signature-specific fields, delete the Block-Level Signature Group
  • The order of the Record-Level Digital Signature should be greater than the order of all the available Block-Level Signature Groups

Encryption Key Infrastructure

The platform automatically creates default Encryption Keys for Digital Signatures. Optionally, an Encryption Key / Sign Hash can be created to align with the policies of an organization.

Users that have the Company Information permission can set up and enable the Private Key Infrastructure

Users that have the Access Control/User Management permission can set up the Encryption Key / Sign Hash

To set up the Encryption Key / Sign Hash:

  1. Click Settings > Administration > Company Information
  2. Click the [Edit] button
  3. In the Digital Signature Settings section, specify the algorithm used to generate the public and private encryption keys. Choose from:
    • DSA (Digital Signature Algorithm), the default
    • RSA
  4. Click [Save]


Manage Digital Signature Keys

To manage Digital Signature Keys for individual users:

  1. Click Settings > Administration > Users
  2. Click the [Digital Signature Keys] button
  3. Provide either:
    • Private Key
    • Public Key or Certificate
  4. Click [Save]

Considerations

  • The key is validated using the algorithm specified in the Company Information
  • The platform also ensures that the public/private key pair is valid
  • If a user has no private key and public key of their own, the default hard-coded private and public key pair is used
  • The private key is used to sign the data; the resulting signature bytes are Base64-encoded and stored as a string in the Sign Hash field
  • To verify the signature, the Base64-encoded string in the Sign Hash field is decoded and the signature is verified using the public key
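The sign-then-verify flow described in the considerations above and under About Record Validation, as an added Go example that is not LongJump's own code: it renders a signature group's field values in a fixed order (the "name=value" line format is an assumption, not the platform's), signs the SHA-256 digest with an RSA key (the page's RSA option), Base64-encodes the signature as the Sign Hash field would hold it, and verifies it; changing a signed value, the field list, or the key pair makes verification fail, as the page states.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"sort"
)

// canonicalize renders the group's field names and values in sorted order so
// the same record content always yields the same digest (assumed format).
func canonicalize(fields map[string]string) []byte {
	names := make([]string, 0, len(fields))
	for n := range fields {
		names = append(names, n)
	}
	sort.Strings(names)
	out := ""
	for _, n := range names {
		out += n + "=" + fields[n] + "\n"
	}
	return []byte(out)
}

// SignGroup signs the SHA-256 digest of the group with the private key and
// returns the Base64 string that would be stored in the Sign Hash field.
func SignGroup(priv *rsa.PrivateKey, fields map[string]string) (string, error) {
	digest := sha256.Sum256(canonicalize(fields))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyGroup decodes the stored Sign Hash and checks it against the current
// field values with the public key; an edited value, a different field list,
// a different key pair or a corrupt Sign Hash all return false.
func VerifyGroup(pub *rsa.PublicKey, fields map[string]string, signHash string) bool {
	sig, err := base64.StdEncoding.DecodeString(signHash)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(canonicalize(fields))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}
```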