Macromedia LiveCycle 7.2 manual
Adobe LiveCycle
Before You Install
Installing and Configuring LiveCycle Security Products for JBoss
Preparing trust components for LiveCycle Document Security
LiveCycle Document Security uses a variety of security resources to sign, certify, encrypt, decrypt, and
validate PDF documents. You can perform the most basic security operations, such as password
encryption, without certificates. However, you need at least one key pair configured for basic signing
operations, such as signing and validating the trust.xml file.
If you use a public key infrastructure (PKI), you use the credentials (private keys with their certificates),
certificates (public keys), and CRLs that make up the PKI to perform security operations with LiveCycle
Document Security. Obtain these resources before you perform the product installation so that you can
configure the trust components during the installation process.
Obtaining digital certificates and CRLs
Digital certificates are obtained from a Certificate Authority (CA) and sent to you by email or over the web
as a certificate file. A certificate binds a public key to the identity of its holder and is signed by the CA;
in LiveCycle terminology the certificate is the public key, and the private key together with its certificate
is the credential. Certificates are used to encrypt documents and to validate signatures; the private key is
what signs and decrypts. A certificate never contains the private key. It identifies the holder, who keeps
the private key securely stored in an encrypted file or in a Hardware Security Module (HSM).
You can use Internet Explorer (Windows) to export PFX, P12, and CER files for certificates stored in any
compatible certificate store available on your computer. A PFX file can be exported only if the certificate
store and the credential itself permit it; on Windows this means the private key must have been marked
exportable when it was generated or imported. A CER file holding only the public certificate that
corresponds to a credential can also be exported from a PFX file using either Internet Explorer or OpenSSL.
The CRL distribution point is an extension in the certificate that gives the location from which you can
download the CRL that applies to the certificate in a particular CER or PFX file.
The following file types are supported:
Certificates: DER-encoded X.509 and base64-encoded certificate (.cer) files. Certificates that verify the
trust.xml file can be either DER-encoded or base64-encoded.
Credentials: PKCS #12 files (.pfx files), PKCS #11 devices (HSMs and tokens), MSCAPI records.
CRLs: RFC 3280-compliant .crl files.
Maintaining the security of private keys (credentials) is critical to protecting the confidentiality and
integrity of sensitive information: anyone who obtains a signing key can produce signatures that validate
as yours. A physical storage device (often called a Hardware Security Module) typically provides the
highest level of protection for private keys, because the key is generated and used inside the device and is
never exposed to the host. If you do not use a physical device, store highly sensitive private keys in
password-protected, encrypted files (such as PKCS #12) in a safe place, and restrict who can read them.
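The following script is an added example, not part of the LiveCycle manual or of Adobe's tooling. It uses the OpenSSL command line to build a throwaway test PKI and produce every file type the trust directory accepts (a base64 and a DER .cer, a password-protected PKCS #12 .pfx, and RFC 3280 .crl files), exports the public certificate from the .pfx as the export paragraph above describes, reads the CRL distribution point out of the certificate, and checks the certificate against an empty CRL and against one that lists it as revoked. The CA, the subject names, the password and the CDP URL are all hypothetical; in a real deployment the CA is external and you receive only your own certificate.

```shell
#!/bin/sh
# Added example, not from the LiveCycle manual: build a throwaway test PKI with
# OpenSSL and produce each file type the trust directory accepts (base64 and DER
# .cer, PKCS#12 .pfx, RFC 3280 .crl), then export the .cer from the .pfx and check
# the CRL distribution point and revocation status. All names, the CA, the password
# and the CDP URL are hypothetical; nothing here is a real credential.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT   # remove the throwaway PKI; drop this line to keep the files
cd "$WORK"
CDP_URL="http://ca.example.test/crl/test-ca.crl"   # placeholder, not a live endpoint

# 1. Test CA. Real deployments obtain certificates from an external CA; the CA
#    key exists here only so the example can issue a certificate and revoke it.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Test Root CA" -keyout ca.key -out ca.cer
cat > ca.cnf <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
certificate      = ca.cer
private_key      = ca.key
default_md       = sha256
default_crl_days = 7
EOF
touch index.txt; echo 1000 > serial; echo 1000 > crlnumber

# 2. Signer key pair and certificate carrying a CRL distribution point extension.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Document Signer" -keyout signer.key -out signer.csr
printf 'keyUsage = critical, digitalSignature\ncrlDistributionPoints = URI:%s\n' \
  "$CDP_URL" > signer.ext
openssl x509 -req -in signer.csr -CA ca.cer -CAkey ca.key -CAcreateserial \
  -days 30 -sha256 -extfile signer.ext -out signer.cer

# 3. Credential: private key plus certificate chain in a password-protected PKCS#12.
openssl pkcs12 -export -inkey signer.key -in signer.cer -certfile ca.cer \
  -name document-signer -passout pass:changeit -out signer.pfx

# 4. Export only the public certificate from the PFX, once base64 (PEM) and once DER.
openssl pkcs12 -in signer.pfx -passin pass:changeit -clcerts -nokeys \
  -out signer-from-pfx.pem
openssl x509 -in signer-from-pfx.pem -outform DER -out signer-from-pfx.der

# 5. CRLs: an empty one, then one listing the signer after revocation.
openssl ca -config ca.cnf -gencrl -out empty.crl
openssl ca -config ca.cnf -revoke signer.cer
openssl ca -config ca.cnf -gencrl -out revoked.crl

# Report whether a .cer file is base64 (PEM) or DER; LiveCycle accepts both.
cer_encoding() {
  if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then echo PEM; else echo DER; fi
}
# Pull the CRL distribution point URL out of a certificate's text dump.
cdp_url() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*URI:\(http[^ ]*\).*/\1/p'
}
# Chain-validate a certificate against the CA and the given CRL.
cert_status() {  # $1 = certificate, $2 = CRL; prints good, revoked or invalid
  out=$(openssl verify -crl_check -CAfile ca.cer -CRLfile "$2" "$1" 2>&1) \
    && { echo good; return 0; }
  case "$out" in *revoked*) echo revoked ;; *) echo invalid ;; esac
}
# Confirm the PFX really carries the private key (the .cer exports must not).
pfx_has_key() {
  openssl pkcs12 -in "$1" -passin pass:changeit -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY' && echo yes || echo no
}

echo "signer-from-pfx.pem: $(cer_encoding signer-from-pfx.pem)"
echo "signer-from-pfx.der: $(cer_encoding signer-from-pfx.der)"
echo "CDP: $(cdp_url signer.cer)"
echo "pfx has private key: $(pfx_has_key signer.pfx)"
echo "status with empty CRL: $(cert_status signer.cer empty.crl)"
echo "status with revoked CRL: $(cert_status signer.cer revoked.crl)"
```

Two points worth noticing when you adapt this to a real credential: the PKCS #12 password is the only thing protecting the private key in the .pfx, so choose it accordingly and keep the file off shared storage; and the .cer exported from the .pfx is safe to distribute because, as the paragraph above says, it carries only the public certificate.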
LiveCycle Document Security supports the industry-standard PKCS #11 interface to communicate with
HSMs. An HSM vendor can provide the resources and tools you need to install and configure an HSM
storage system.
Configuring trust data
If you have not yet set up a trust directory to contain your credentials, certificates, and CRLs, the
installation program leads you through setting one up and populates it with the credential, certificate,
and CRL files you will use to encrypt PDF documents or apply digital signatures to them. The installation
program creates a corresponding trust.xml file and places all of these components in the root installation
directory. It also signs the trust.xml file (after allowing you to verify it) and loads it into the Trust
Manager Module, which you deploy to the application server as part of the deployment process.