rights management and policy server


elektronikka

Sep 25, 2008, 6:40:05 AM
to Adobe LiveCycle Developers
Hi all

I have a question related to rights management and policy server.

The idea is this: the document should be available for signing by a user
for one day only. Therefore the germane policy was created and
applied. But there is a problem opening the policy-protected document.
At the moment the policy server can be accessed only on the local network.
How should the policy server be made accessible? Maybe via the internet or via a
third-party application? It would be better if we could hide this
connection process from the user.
Do you have any ideas how such functionality could be realized? Or
perhaps you know of appropriate literature.

Thanks in advance.
Irina.

Duane Nickull

Sep 25, 2008, 11:40:51 AM
to Adobe LiveCycle Developers
There are two different deployment options.  When you deploy it to an internal (behind firewall) IP address, you will have to get your network admin to open up the IP address and map it to the DMZ and allow packets traveling to it (port too) to reach it.  Another way to use documents outside the firewall is to extend the offline lease period (whoever the policy owner is has to do this).  The second option is to use it only internally.

You will also need to note that when you are using signed documents with policy server, there is a very specific set of steps required since the policy server creating a Microsafe can change the hash value for the computations the signature uses.  PCS is the general rule (Policy Protect, Certify, Signatures).  There is a white paper I wrote on this somewhere that explains the nauseating details.  I’ll try to dig it up and see if it is still relevant WRT LC ES.

Duane

--
**********************************************************************
Senior Technical Evangelist - Adobe Systems, Inc.
Duane's World TV Show - http://www.duanesworldtv.org/
Blog - http://technoracle.blogspot.com
Community Music - http://www.mix2r.com
My Band - http://www.myspace.com/22ndcentury
Adobe MAX 2008 - http://technoracle.blogspot.com/2007/08/adobe-max-2008.html
**********************************************************************

Howard@Avoka

Sep 25, 2008, 7:42:07 PM
to Adobe LiveCycle Developers
Just to add to what Duane has already indicated...

We generally recommend that instead of opening the firewall to allow
access directly to your LiveCycle server, you instead place an Apache
or IIS server in your DMZ and have that forward requests to the
LiveCycle server. You can either set up Apache as a reverse proxy, or
you can use the MOD_JK extension. Either of these options will give
you a great level of security for your internal network, since your
firewall will be configured to only allow traffic from the Apache
server, rather than from anyone on the internet.

Notes:
* You must set up SSL on the Apache server.
* You must set up DNS so that the Rights Management hostname resolves
to the Apache server for external users, and the LiveCycle server for
internal users. (Or you can point internal users also at the Apache
server.)

Duane, I'd love to see that white paper - please dig it up...

Howard
http://www.avoka.com


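The DMZ layout Howard describes, written out as an added example that is not from the thread, Adobe or Avoka: an Apache httpd in the DMZ terminates SSL and reverse-proxies only the Rights Management context to the internal LiveCycle server. The hostname, addresses, certificate paths and the /edc context path are assumptions for illustration, and the access-control syntax is Apache 2.4.

```apache
# Added example (not from the thread). Assumed values: rights.example.com,
# 10.0.0.5 as the internal LiveCycle host, the /edc context path, cert paths.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

Listen 443

<VirtualHost *:443>
    # External Rights Management hostname; external DNS points it at this
    # DMZ host, internal DNS may point it straight at the LiveCycle server.
    ServerName rights.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/rights.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/rights.example.com.key

    # Weak setting to avoid: "ProxyRequests On" turns this DMZ host into an
    # open forward proxy for anyone on the internet. A reverse proxy never
    # needs it, so it stays Off.
    ProxyRequests Off
    # Pass the public hostname through so LiveCycle builds correct URLs.
    ProxyPreserveHost On

    # Forward only the Rights Management context to the internal server.
    # The internal firewall should allow 8080 to 10.0.0.5 from this host
    # alone, which is the point Howard makes about restricting traffic.
    ProxyPass        /edc http://10.0.0.5:8080/edc
    ProxyPassReverse /edc http://10.0.0.5:8080/edc

    # Everything outside /edc is refused here rather than forwarded.
    <Location />
        Require all denied
    </Location>
    <Location /edc>
        Require all granted
    </Location>
</VirtualHost>

# Plain HTTP is redirected so the policy-server exchange never goes in clear.
<VirtualHost *:80>
    ServerName rights.example.com
    Redirect permanent / https://rights.example.com/
</VirtualHost>
```

The MOD_JK alternative Howard mentions replaces the two ProxyPass lines with a JkMount of the same context onto an AJP worker; the SSL, ProxyRequests and firewall considerations are unchanged.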

Duane Nickull

Sep 25, 2008, 7:45:25 PM
to Adobe LiveCycle Developers
I found one on your first point below (enabling SSL on JBoss - attached).  Still looking for the other one.

Duane
Enabling_SSL_on_JBoss3.2.5.pdf

Duane Nickull

Sep 25, 2008, 7:48:28 PM
to Adobe LiveCycle Developers
Here it is – somewhat dated but probably still relevant.

For anyone using LC ES to do document certification, Rights management and digital signatures, it is essential to understand how documents get signed and certified.  If you try to policy protect a signed document, it invalidates the signature since the doc length is changed.  Use the steps prescribed in the attached doc to mitigate this.


Duane


PCS.pdf

elektronikka

Sep 30, 2008, 12:56:01 PM
to Adobe LiveCycle Developers
Thanks for your answers. :)
I will try to use a reverse proxy with Apache modules.

Best regards, Irina.

