Managed Cloud Signature Server or On-Premise (In-House) Signature Server
It's your choice! Decide for yourself whether you want to operate the server yourself, in your own data center or in any other data center of your choice, or whether you want us to operate the server for you. In the second case you can select a data center, or we can suggest one that meets your requirements for data protection, data security, availability, etc. We then operate your signature portal server there exclusively for you, so you don't have to worry about its operation, availability or updates.
Secure Managed Cloud
In-House (Self-Managed)
Your benefits at a glance
- You decide which requirements apply to the data center
- You decide how long which files or data are stored on the server and when which data are deleted
- You decide which users can use the service and which role each user has
- You decide how each user or user group authenticates (e.g. password or two-factor authentication)
- Files are always sent encrypted according to BSI guidelines
- The server is multi-client capable
- You decide when updates are installed
- We take care of the TLS certificate
- If the signature is qualified, you (or we) can apply for the account at the trust center¹
¹: The trust center is connected conveniently via the web interface
- Supplying the hardware
- Administering firewalls, load balancers, etc.
- Ensuring the availability of the signature portal
- Installing updates and patches for the signature portal
- Maintaining the TLS certificate and its validity for the server
Technical requirements for the operation
Of course, the exact requirements depend heavily on the planned usage, e.g. how many users will be using the portal, with what intensity, and how usage is distributed over the course of a day. To ensure ideal use of the signature portal, some requirements must be met.
Infrastructure depending on signature level:
You want to sign with a qualified remote signature: The SecPKI server must be able to reach the URLs of the remote signature provider. The signature portal can be connected to all European trust services, so you can choose the trust center of your choice. The connection is set up conveniently via the dashboard website.
You want to perform advanced signatures: There are different ways to do this; the two most popular are as follows. Either you let the server create the certificates itself, a path mainly used for internal use, or you use the CSM tool from Bundesdruckerei as an alternative. In the latter case, the certificates created by the server are issued under a Bundesdruckerei certificate, so that you also get a green checkmark in Adobe, for example.
You would like to apply a seal: A distinction must be made here between remote sealing and sealing with a seal card. For remote sealing, the same requirements apply as for setting up the trust service for the QES, and this is done conveniently via the website. For the seal card, it must be ensured that the server can access the seal card or the seal HSM.
- The signature portal can also be run with a seal card connected to the server
- In this case, the infrastructure must take into account the fact that the server can access the card reader and thus also the seal cards
Active Directory, Azure or a SAML IdP can be connected:
- The company's own Active Directory can be used, for example, for authentication at the signature portal
- There is a convenient AD connector for this in the signature portal dashboard
- ADFS can be connected via SAML
- An external Active Directory does not have to be connected; the internal identity management of the signature portal server can also be used
- Azure can be connected, for instance, via OAuth 2.0 or via SAML
E-Mail Server Connection
- The signature portal sends an e-mail to inform the participants of a workflow of a new signature request
- In order for these e-mails to be sent from your mail server, an e-mail server can be connected to the signature portal server
- If external users also need to be able to access the signature portal, the web pages for this must also be reachable from outside
- Alternatively, the service can be operated entirely behind the DMZ, and fine-grained URL restrictions can be used to control which URLs are allowed to leave the DMZ and which are not
The signature portal can be installed on:
- any server running Java, which makes it universal in terms of platform
- a Windows server
- a VM
- a container (e.g. in a Kubernetes cluster)
- and much more