Document ownership and integrity, automated
Entrust Signing Automation Engine is an on-premises signing platform for Enterprises and Trust Services Providers, providing a complete range of web services for integrating digital signatures into applications. It is designed to centrally incorporate digital signature operations in accordance with the standards of ETSI CAdES, XAdES and PAdES.
Benefits of Entrust Signing Automation Engine
Signature generation and verification services can be accessed via web APIs, or using our Watched Folders module.
Audit logs are generated for any service access request and configuration changes.
Acts as a centralized repository for certificates, keys, and policy management, allowing you to set signature profiles.
How it works
- Technical Specifications
- Optional Modules
Signing Automation Engine incorporates functions that provide a set of security and trust mechanisms as services that can be used with different integration strategies:
- SOAP/WS: Using the OASIS DSS standard as an access protocol for web services
- REST/WS, SOAP/WS: Using the Entrust Signing Automation Engine integration gateway, which supports configuring traffic and data processing with an XML pipeline language
- Java SDK: For easy integration of electronic signature services in native Java applications
The following diagram illustrates a typical integration of the Entrust Signing Automation Engine platform into your organization.
Supports native authentication methods based on passwords and digital certificates. The validation can be delegated to LDAP/AD.
Manages platform entities and objects. External repositories, such as user LDAP/AD, databases, files, and HSMs can be added for protecting private keys.
Provides PKI functions for validating certification chains and querying certificate status. Supports OCSP/CRL and customized mechanisms (e.g., databases).
Creates and validates signatures compliant with the PAdES, XAdES, and CAdES standards; including document, email, and web services signatures.
Extends a signature’s validity up to the lifetime of the TSA certificate. Cryptographic reliability is preserved, the certification chain is incorporated as well as the certificate status information at the time of signing, and a timestamp.
Logs are securely stored in a uniform and centralized way. It’s also possible to forward log data to an external SIEM tool for processing and generating a report.
- Format: Software appliance (please contact us to learn more about supported hardware or virtual machines)
- Event monitoring: Simple Network Management Protocol (SNMP)
- Security services: OASIS WS-Security, DSS (Digital Signature Service) and SAML, SOAP, and SSL/TLS
- Signature generation standards: PKCS#7, CMS, CAdES (ETSI TS 103 173), XML-DSig, XAdES (ETSI TS 103 171), signature for PDF documents (IETF), PAdES (ETSI TS 103 172) and S/MIME
- Signature validation and augmentation standards: PKCS#7, CMS, CAdES (ETSI TS 103 173 and ETSI EN 319 122), XML-DSig, XAdES (ETSI TS 103 171 and ETSI EN 319 132), signature for PDF documents (IETF), PAdES (ETSI TS 103 172 and ETSI EN 319 142), and S/MIME Encryption standards: PKCS#7, CMS, XML-Enc, and S/MIME
- Digital timestamping support: IETF RFC 3161 and RFC 5816 compatible servers
- Certificate validation support: Using CRLs, IETF OCSP compatible servers and customized mechanisms (OCSP is required for LTV signatures)
- Database and directory access: Oracle, Microsoft SQL Server, PostgreSQL and MySQL, LDAP directory access protocol
- Authentication and authorization: Native authentication methods based on passwords and digital certificates. Password validation can be delegated to LDAP/AD
- HSM support: PKCS#11 devices approved by Entrust Datacard (a license is required for the HSM connector)
- Network file systems supported: SMB/CIFS and NFS