Sign Signature Field operation

Commonproperties
Appearance properties
Advanced properties
Output properties
Exceptions

Signs the specified signature field that is located within the PDF document with the security credential that corresponds to the specified alias. Before a PDF document can be signed, the signature field must exist, be unsigned, and have permissions for signing. The alias maps to a credential that is located within the Signature service.

For example, your application must have a person click Complete in Workspace when they approve a PDF form. After clicking Complete, the signature field on the PDF form must be signed by the LiveCycle server with a corporate certificate. Signing a signature field automatically removes the need for each user to sign the form using Acrobat or Adobe Reader. You use the Sign Signature Field operation to sign the signature field on the server.

For information about the General and Route Evaluation property groups, see Common operation properties .

Commonproperties

Properties to specify the input PDF document and its signature attributes.

Input PDF

A document value that represents the PDF document to sign.

If you provide a literal value, clicking the ellipsis button opens the Select Asset dialog box. (See About Select Asset .)

When you provide a PDF document that has unsigned signature fields, it populates the Signature Field Name property as a list. The list contains fully qualified names of the unsigned signature fields in the PDF document.

Signing Credential

A Credential value that represents the security credential that is used to sign the PDF document.

If you provide a literal value, you can configure the following options.

Use SPI:: Select this option to use the credentials from the SPI. When this option is deselected, local credentials are used. By default, the option is deselected.
Alias:: Sets an alternative name for a credential managed by the Signature service. By default, a list of all signing credentials is provided. The list of credentials is comprised of Local and HSM credentials configured in Trust Store on the LiveCycle server.
SPI Name:: Sets the name of the SPI that is provided to the Signature service. The SPI is used to extend the digital signatures functionality when credentials are not exposed to the LiveCycle server. This option is available when the Use SPI option is selected. No default value is provided.
Certificate:: Sets the location of the certificate on the file system. No default value is provided. This option is available when the Use SPI option is selected. No default value is provided.
When you click the ellipsis button , the Open dialog box opens. In the dialog box, you can select a file from your computer or from a network location. During run time, if you selected a file from a location on your computer, it must exist in the same location on the LiveCycle server.
SPI Properties:: Sets the location of the properties file to pass custom inputs to an implementation of the SPI. This option is available when the Use SPI option is selected. No default value is provided.
If you provide a literal value, clicking the ellipsis button opens the SPI properties dialog box. (See SPI Properties .) In the dialog box, add, remove, and edit the keys and values for each SPI property. The SPI implementation determines the keys that you provide. For information about creating custom service providers, see Programming with LiveCycleES2.5 .

Signature Field Name

A string value that represents the name of the signature field in the PDF document that is signed. The fully qualified name of the signature field can be specified. If you are signing a PDF document, the partial name of the signature field can also be used. For example, form1[0].#subform[1].SignatureField3[3] can be specified as SignatureField3[3] .

If multiple signature fields exist with a similar partial name, the first signature field enumerated with the same partial name is signed. If the partial name is already signed, a DSSSignatureFieldSignedException is thrown. It is recommended that a fully qualified name is used to avoid these situations.

If the signature field name is not specified, the Signature service adds an invisible signature field with an automatically generated name.

If you provide a literal value for the Signature Field Name property and a literal value is provided in the Input PDF property, a list appears. Select one of the values from the list of fully qualified names. Each fully qualified name represents an unsigned signature field in the provided PDF document.

Digest Hashing Algorithm

(Optional) A HashAlgorithm value that represents the hash algorithm that is used to digest the PDF document.

If a literal value is provided, select one of these values:

SHA1:: The Secure Hash Algorithm that has a 160-bit hash value.
SHA256:: (Default) The Secure Hash Algorithm that has a 256-bit hash value.
SHA384:: The Secure Hash Algorithm that has a 384-bit hash value.
SHA512:: The Secure Hash Algorithm that has a 512-bit hash value.
RIPEMD160:: The RACE Integrity Primitives Evaluation Message Digest that has a 160-bit message digest algorithm and is not FIPS-compliant.

Embed Revocation Information

(Optional) A boolean value that specifies whether revocation checking is performed for the signer's certificate. If revocation checking is done, it is embedded in the signature. The default setting is False , which means that revocation checking is not performed.

Appearance properties

Properties to set the appearance of the certification.

Reason

(Optional) A string value that represents the reason for signing the PDF document. If you provide a literal value, type a value or choose one of the following values:

I am the author of this document 
I have reviewed this document 
I am approving this document 
I attest to the accuracy and integrity of this document 
I agree to the terms defined by the placement of my signature on this document 
I agree to the specified portions of this document

Location

(Optional) A string value that represents the location of the signer.

Contact Information

(Optional) A string value that represents the contact information, such as an address and a telephone number, of the person who signed the PDF document.

Appearance Options Spec

(Optional) A PDFSignatureAppearanceOptionSpec value that represents options for the signature appearance. If you provide a literal value, specify the following options.

Signature Type:

Sets the appearance type of the signature. The default value is Name. Select one of these values:

No Graphic: The appearance of the signature consists of only the signature text.
Graphic: The appearance of the signature consists of a graphic area and a text area. The graphic area displays the PDF document specified by the Graphic PDF Document option. The text area displays the signature text.
Name: The appearance of the signature consists of a graphic area and a text area. The graphic area displays a graphic of the name of the signer and the text area displays the signature text.

Graphic PDF Document:

Sets the graphic that is displayed within the signature if a signature type of Graphic is used. Only a PDF file can be used. This option can be set if Graphic is selected in the Signature Type list.

When you click the ellipsis button , the Open dialog box opens. In the dialog box, you can select a file from your computer or from a network location. During run time, if you selected a file from a location on your computer, it must exist in the same location on the LiveCycle server.

Use Default Adobe PDF Logo:

Select this option to display the default Adobe PDF logo within the signature appearance. When this option is deselected, the Adobe PDF logo is not displayed. By default, the option is selected.

Logo PDF Document:

Sets a PDF document to display within the signature appearance. The PDF document contains an image to display. This option can be set when the Use Default Adobe PDF Logo option is deselected.

When you click the ellipsis button, the Open dialog box opens. In the dialog box, you can select a file from your computer or from a network location. During run time, if you selected a file from a location on your computer, it must exist in the same location on the LiveCycle server.

Logo Opacity:

Sets the opacity of the logo that is displayed within the signature. Valid values are from 0.0 (fully transparent) to 1.0 (fully opaque). Can be set only if Use Default Adobe PDF Logo is deselected. If any value outside this range is specified, the default of 0.50 is used.

Text Direction:

Sets the direction of the text displayed within the signature. The default value is Auto. Select one of these values:

Auto: Use the direction specified by the PDF document.
Left: The text direction is left to right.
Right: The text direction is right to left.

Show Name:

Select this option to display the name of the signer in the digital signature. When this option is deselected, the name of the signer is not displayed. By default, the option is selected.

Show Date:

Select this option to display the date the PDF document was signed in the digital signature. When this option is deselected, the date is not displayed. By default, the option is selected.

Show Reason:

Select this option to display the reason the PDF document was signed in the digital signature. When this option is deselected, the reason is not displayed. By default, the option is selected.

Show Location:

Select this option to display the location the PDF document was signed in the digital signature. When this option is deselected, the location is not displayed. By default, the option is selected.

Show Distinguished Name:

Select this option to display the certificate of the signer in the digital signature. When this option is deselected, the certificate is not displayed. By default, the option is selected.

Show Labels:

Select this option to display the labels for the preceding display items. When this option is deselected, the labels for the preceding display items are not displayed. By default, the option is selected.

Advanced properties

Properties for setting optional advanced properties.

OCSP Options Spec

(Optional) An OCSPOptionSpec value that represents settings for using Online Certificate Status Protocol (OCSP) revocation checking. To provide a literal value, specify the following options.

URL to Consult Option: Sets the list and order of the OCSP servers used to perform the revocation check. Select one of these values:

UseAIAInCert:

(Default) Use the URL of an online certificate status protocol server specified in the Authority Information Access (AIA) extension in the certificate. The AIA extension is used to identify how to access certificate authority (CA) information and services for the issuer of the certificate.

LocalURL:

Use the specified URL for the OCSP server specified in the OCSP Server URL option.

UseAIAIfPresentElseLocal:

Use the URL of the OCSP server specified in the AIA extension in the certificate if present. If the AIA extension is not present in the certificate, use the URL that is configured in the OCSP Server URL.

UseAIAInSignerCert:

Use the URL of the OCSP server specified in the AIA extension in the OCSP request of the signer certificate.

OCSP Server URL:: Sets the URL of the configured OCSP server. The value is used only when the LocalURL or UseAIAIfPresentElseLocal values are in URL To Consult Option.
Revocation Check Style:: Sets the revocation-checking style that is used for verifying the trust status of the CRL provider’s certificate from its observed revocation status. Select one of these values:

Sets the URL of the configured OCSP server. The value is used only when the LocalURL or UseAIAIfPresentElseLocal values are in URL To Consult Option.

Revocation Check Style:

Sets the revocation-checking style that is used for verifying the trust status of the CRL provider’s certificate from its observed revocation status. Select one of these values:

NoCheck:

Does not check for revocation.

BestEffort:

Checks for revocation of all certificates when possible.

CheckIfAvailable:

(Default) Checks for revocation of all certificates only when revocation information is available.

AlwaysCheck:

Checks for revocation of all certificates.

Max Clock Skew Time (Minutes):: Sets the maximum allowed skew, in minutes, between response time and local time. Valid skew times are 0 - 2147483647 min. The default value is 5 min.
Response Freshness Time (Minutes):: Sets the maximum time, in minutes, for which a preconstructed OCSP response is considered valid. Valid response freshness times are 1 - 2147483647 min. The default value is 525600 min. (one year).
Send Nonce:: Select this option to send a nonce with the OCSP request. A nonce is a parameter that varies with time. These parameters can be a timestamp, a visit counter on a web page, or a special marker. The parameter is intended to limit or prevent the unauthorized replay or reproduction of a file. When the option deselected, a nonce is not sent with the request. By default, the option is selected.
Sign OCSP Request:: Select this option to specify that the OCSP request must be signed. When the option is deselected, the OCSP request does not need be signed. By default, the option deselected.
Request Signer Credential Alias:: Sets the credential alias used for signing the OCSP request when signing is enabled.
Go Online for OCSP:: Select this option to access the network for OCSP information. The network can be accessed to retrieve OCSP information for OCSP checking. The LiveCycle server uses embedded and cached OCSP information when possible to reduce the amount of network traffic generated due to OCSP checking. When the option is deselected, OCSP checking is not retrieved from the network, and only embedded and cached OCSP information is used. By default, the option is selected.
Ignore Validity Dates:: Select this option to use the OCSP response thisUpdate and nextUpdate times. Ignoring these response times prevents any negative effect on response validity. The thisUpdate and nextUpdate times are retrieved from external sources by using HTTP or LDAP, and can be different for each revocation information. When the option is deselected, the thisUpdate and nextUpdate times are ignored. By default, the option is deselected.
Allow OCSP NoCheck Extension:: Select this option to allow an OCSPNoCheck extension in the response signing certificate. An OCSPNoCheck extension can be present in the OCSP Responder’s certificate to prevent infinite loops from occurring during the validation process. When the option is deselected, the OCSPNoCheck extension is not used. By default, the option is selected.
Require OCSP ISIS-MTT CertHash Extension:: Select this option to specify that certificate public key hash (CertHash) extensions must be present in OCSP responses. This extension is required for SigQ validation. SigQ compliance requires the CertHash extension to be in the OCSP responder certificate. Select this option when processing for SigQ compliance and supported OCSP responders. When the option is deselected, the CertHash extension presence in the OCSP response is not required. By default, the option is deselected.

Sets the maximum allowed skew, in minutes, between response time and local time. Valid skew times are 0 - 2147483647 min. The default value is 5 min.

Response Freshness Time (Minutes):

Sets the maximum time, in minutes, for which a preconstructed OCSP response is considered valid. Valid response freshness times are 1 - 2147483647 min. The default value is 525600 min. (one year).

Send Nonce:

Select this option to send a nonce with the OCSP request. A nonce is a parameter that varies with time. These parameters can be a timestamp, a visit counter on a web page, or a special marker. The parameter is intended to limit or prevent the unauthorized replay or reproduction of a file. When the option deselected, a nonce is not sent with the request. By default, the option is selected.

Sign OCSP Request:

Select this option to specify that the OCSP request must be signed. When the option is deselected, the OCSP request does not need be signed. By default, the option deselected.

Request Signer Credential Alias:

Sets the credential alias used for signing the OCSP request when signing is enabled.

Go Online for OCSP:

Select this option to access the network for OCSP information. The network can be accessed to retrieve OCSP information for OCSP checking. The LiveCycle server uses embedded and cached OCSP information when possible to reduce the amount of network traffic generated due to OCSP checking. When the option is deselected, OCSP checking is not retrieved from the network, and only embedded and cached OCSP information is used. By default, the option is selected.

Ignore Validity Dates:

Select this option to use the OCSP response thisUpdate and nextUpdate times. Ignoring these response times prevents any negative effect on response validity. The thisUpdate and nextUpdate times are retrieved from external sources by using HTTP or LDAP, and can be different for each revocation information. When the option is deselected, the thisUpdate and nextUpdate times are ignored. By default, the option is deselected.

Allow OCSP NoCheck Extension:

Select this option to allow an OCSPNoCheck extension in the response signing certificate. An OCSPNoCheck extension can be present in the OCSP Responder’s certificate to prevent infinite loops from occurring during the validation process. When the option is deselected, the OCSPNoCheck extension is not used. By default, the option is selected.

Require OCSP ISIS-MTT CertHash Extension:

Select this option to specify that certificate public key hash (CertHash) extensions must be present in OCSP responses. This extension is required for SigQ validation. SigQ compliance requires the CertHash extension to be in the OCSP responder certificate. Select this option when processing for SigQ compliance and supported OCSP responders. When the option is deselected, the CertHash extension presence in the OCSP response is not required. By default, the option is deselected.

CRL Options Spec

(Optional) A CRLOptionSpec value that represents the certificate revocation list (CRL) preferences when CRL is used to perform revocation checking. If you provide a literal value, specify the following options.

Consult Local URI First:

Select this option to use the CRL location provided as a local URI before any specified locations within a certificate. The CRL location provided is used for revocation checking. When this option is selected, it means the local URI is used first. When this option is deselected, the locations specified in the certificate before using the local URI are used. By default, the option is deselected.

Local URI for CRL Lookup:

Sets the URL for the local CRL store. This value is used only if the Consult Local URI First option is selected. No default value is provided.

Revocation Check Style:

Sets the revocation-checking style used for verifying the trust status of the CRL provider’s certificate from its observed revocation status. Select one of these values:

NoCheck: Does not check for revocation.
BestEffort: (Default) Checks for revocation of all certificates when possible.
CheckIfAvailable: Checks for revocation of all certificates only when revocation information is available.
AlwaysCheck: Checks for revocation of all certificates.

LDAP Server:

Sets the URL or path of the Lightweight Directory Access Protocol (LDAP) server used to retrieve information about the certificate revocation list (CRL). The LDAP server searches for CRL information using the distinguished name (DN) according to the rules specified in RFC 3280 , section 4.2.1.14. For example, you can type www.ldap.com for the URL or ldap://ssl.ldap.com:200 for the path and port. No default value is provided.

Go Online for CRL Retrieval:

Select this option to access the network to retrieve CRL information. CRL information is cached on the server to improve network performance. CRL information is retrieved online only when necessary. When this option is deselected, CRL information is not retrieved online. By default, the option is selected.

Ignore Validity Dates:

Select this option to use thisUpdate and nextUpdate times. Ignoring the response’s thisUpdate and nextUpdate times prevents any negative effect on response validity. The thisUpdate and nextUpdate times are retrieved from external sources by using HTTP or LDAP and can be different for each revocation information. When the option is deselected, the thisUpdate and nextUpdate time are ignored. By default, the option deselected.

Require AKI Extension in CRL:

Select this option to specify that the Authority Key Identifier (AKI) extension must be present in the CRL. The AKI extension can be used for CRL validation. When this option is deselected, the presence of the AKI extension the CRL is not required. By default, the option is deselected.

TSP Options Spec

(Optional) A TSPOptionSpec value that represents the settings that define timestamp information applied to the certified signature.

If you provide a literal value, specify the following options.

Time Stamp Server URL:

Sets the URL for a TSP server. If no value is provided, the timestamp from the local system is applied. No default value is provided.

Time Stamp Server Username:

Sets the user name, if necessary, for accessing the TSP server. No default value is provided.

Time Stamp Server Password:

Sets the password for the user name, if necessary, for accessing the TSP server. No default value is provided.

Time Stamp Server Hash Algorithm:

Sets the hash algorithm used to digest the request sent to the timestamp provider. Select one of these values:

SHA1: (Default): The Secure Hash Algorithm that has a 160-bit hash value.
SHA256:: The Secure Hash Algorithm that has a 256-bit hash value.
SHA384:: The Secure Hash Algorithm that has a 384-bit hash value.
SHA512:: The Secure Hash Algorithm that has a 512-bit hash value.
RIPEMD160:: The RACE Integrity Primitives Evaluation Message Digest that has a 160-bit message digest algorithm and is not FIPS-compliant.

Predicted Time Stamp Token Size (In Bytes):

Sets the estimated size, in bytes, of the TSP response. The size is used to create a signature hole in the PDF document. This value represents the maximum size of the timestamp response that the configured TSP could return. Configuring an undersized value can cause the operation to fail; however, configuring an oversized value causes the size to be larger than necessary. It is recommended that this value is not modified unless the timestamp server requires a response size to be less than 4096 bytes. Valid values are from 60 to 10240 . The default value is 4096 .

Send Nonce:

Select this option to send a nonce with the request. A nonce is a parameter that varies with time. These parameters can be a timestamp, a visit counter on a web page, or a special marker. The parameter is intended to limit or prevent the unauthorized replay or reproduction of a file. When the option deselected, a nonce is not sent with the request. By default, the option is selected.

Output properties

Property to specify the output PDF document.

Output PDF

The location in the process data model to store the signed PDF document. This document is new, and the input PDF document is not modified. The data type is document .

Exceptions

This operation can throw PDFOperationException , SigningException , PermissionsException , InvalidArgumentException , SeedValueValidationException , MissingSignatureFieldException , SignatureFieldSignedException , CredentialLoginException , and FIPSComplianceException exceptions.