DKMS document signing

Document and transaction signing is being used more widely to ensure integrity between parties and systems. The most popular formats are XML DigSig and PKCS#7; the most comprehensive XML format is XAdES, and its PKCS#7 (ASN.1) counterpart is CAdES. The IBM digital signature solutions support both formats.


The IBM XML Signer is a business package developed in Java, with application interfaces provided as Java APIs and as a Java node in IBM WebSphere MQ Message Broker. The IBM XML Signer uses the IBM cryptographic hardware and is available on z Systems, Power and Intel86. It supports the XAdES functions BES, T, C and A.

The IBM P7Lite solution consists of the basic APIs for executing the PKCS#7 signing and verification functions, and a Batch Processor that enables automatic processing of high volumes of documents/files. The IBM z Systems cryptographic hardware and software is used for secure processing and key management. Trusted certificates are handled through RACF.

P7Lite API

As a Sender, the P7Lite API provides the basic functions for signing a document/file and wrapping it into the PKCS#7 message format.

As a Receiver, the P7Lite API provides the basic functions for verifying/validating a document/file in the PKCS#7 message format and unwrapping the content.

The APIs are available in C and COBOL.

The IBM System z cryptographic hardware and ICSF software are used to provide a very secure system, in addition to the high availability and impressive performance of this highly scalable platform.

P7Lite Batch Processor

The P7Lite Batch Processor handles a series of files: it processes all INPUT files and places the results in OUTPUT with detailed status reporting. Trusted certificates are fetched from the RACF keyring, and CRLs are assumed to be made available by a separate process. P7Lite Batch performs all certificate verification and CRL checking during the receive process. In the signing process, P7Lite builds the certificate trust chain and signs the PKCS#7 message with a private key protected by the IBM System z cryptographic hardware.

Key and Certificate Management

To support a message and document signing system with many parties involved, you need a good key management system that supports the generation and exchange of keys and certificates with dual control and logging. The IBM EKMF Enterprise Key Management system is such a system. For more information about IBM EKMF, please refer to www.ibm.com/dk/security/cccc/products/ekmf.html

Need More Info?

For more information, contact

Ready to buy?

Contact your local IBM representative or the IBM Crypto Competence Center Copenhagen directly at