Skip to main content

Trident SAM Crypto Token Properties

TridentSAMCryptoToken implements the Trident SAM and requires access to Trident QSCD. Once configured, it can be used to create remote signatures on behalf of the users. The TridentSAMCryptoToken can be attached to any Signer implementation.

TridentSAMCryptoToken can be operated in 2 modes:

  1. Signing-only mode: To support only remote signing operations (the user and key management is handled by different component in the solution)
  2. Key Management mode: To support signing, user, and key management operations (in this case, it is a single point of SAM key management)
  3. User Management mode: To suppord additional user management functions, such as create user, configure authorization, or remove user.

The implementation class of the TridentSAMCryotoToken Worker is:

company.threekey.signserver.trident.TridentSAMCryptoToken

The Worker seamlessly integrates with the Trident SAM interface. The TridentSAMCryptoToken Worker will check the following configuration properties.

Signing-only mode#

PropertyDescriptionDefault ValueMandatory
TRIDENT_URLURL to access the Trident SAM.NONEYES
TRIDENT_CEISKInfrastructural certificate for encryption, represented as PEM encoded string.NONEYES
TRIDENT_CSISKInfrastructural certificate for digital signature, represented as PEM encoded string.NONEYES
CERT_STORAGE_IMPLEMENTATION_CLASSImplementation class for certificate storage. Certificates issued for assigned signing keys will be stored according the implementation provided. Each implementation may have additional properties that needs to be configured.NONE
See Certificate Storage Providers for more information.
YES
SAP_PROVIDER_IMPLEMENTATION_CLASSImplementation class for Signature Activation Protocol handling between the Signature Integration Component and the Signature Activation Module. This is the interface for providing the Signature Activation Data to be used in order to execute signing operation.NONE
See Signature SAP Providers for more information.
YES

Key Management mode#

For the Key Management mode, the same properties as for the Signing-only mode must be configured. Additional properties are defined in order to support the management of the users and assigned keys. The following properties are optional for the Signing-only mode, but mandatory for Key Management mode:

PropertyDescriptionDefault ValueMandatory
TRIDENT_KEY_ADMINIdentification of the key administrator.NONENO
TRIDENT_KEY_ADMIN_PASSWORDPassword associated with the key administrator.NONENO
TRIDENT_KEY_ADMIN_TOTP_SEEDTOTP seed associated with the key administrator, in HEX format.NONENO
TRIDENT_KEY_ADMIN_TOTP_STEPTOTP step for generating correct codes for TOTP authentication. TOPS step is represented in seconds.NONENO
TRIDENT_KEY_ADMIN_TOTP_REFRESH_INTERVALRefresh interval of the key administrator session based on the TOTP authentication. Interval is represented in number of seconds.NONENO
KM_SAP_PROVIDER_IMPLEMENTATION_CLASSImplementation class for the key management operations handling through the Signature Activation Protocol. This interface provides ability for user to activate and manage assigned private keys.NONE
See Key Management SAP Providers for more information.
NO
TRIDENT_KEYGEN_MDOEMode of the key generation based on the configuration of the Trident HSM. Allowed values are:
  • AUTO
  • MANUAL
  • HYBRID
NONEYES

MANUAL and HYBRID key generation#

In order to enable MANUAL or HYBRID key generation mode, additional configuration properties must be available. These are not mandatory in case of AUTO key generation mode:

PropertyDescriptionDefault ValueMandatory
TRIDENT_CM_URLURL to access the Trident CM API.NONENO
TRIDENT_CM_ADMIN_UIDIdentification of the CM administrator.NONENO
TRIDENT_CM_ADMIN_PASSWORDPassword associated with the CM administrator.NONENO
TRIDENT_CM_ADMIN_SESSION_REFRESH_INTERVALRefresh interval of the CM administrator session. Interval is represented in number of seconds.NONENO

User Management Mode#

User Management mode is an extension of the Key Management mode allowing you to manage SAM users. The Key Management Mode must be configured in order to use the User Management mode. This mode allows you to manage users independently of the key management operations. The following properties are optional for other modes, but mandatory for User Management mode:

PropertyDescriptionDefault ValueMandatory
UM_SAP_PROVIDER_IMPLEMENTATION_CLASSImplementation class for the user management operations handling through the Signature Activation Protocol. This interface provides ability to manage users and the authorisation configuration.NONE
See User Management SAP Providers for more information.
NO