Information Guide 1 DocuSign Signature Appliance Administrator Guide Version 8.2 221 Main Street, Suite 1000, San Francisco, CA 94105 Ι Tel. 866.219.4318 Ι www.docusign.com Ι © DocuSign, Inc. DocuSign Signature Appliance Administrator Guide 11 Copyright ©2003-2016 DocuSign, Inc. All rights reserved. For information about DocuSign trademarks, copyrights and patents refer to the DocuSign Intellectual Property page (https://www.docusign.com/IP) on the DocuSign website. All other trademarks and registered trademarks are the property of their respective holders. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of DocuSign, Inc. Under the law, reproducing includes translating into another language or format. Every effort has been made to ensure that the information in this manual is accurate. DocuSign, Inc. is not responsible for printing or clerical errors. Information in this document is subject to change without notice. DocuSign Signature Appliance Administrator Guide September 2016 If you have any comments or feedback on our documentation, please send them to us at: [email protected]. 221 Main Street, Suite 1000, San Francisco, CA 94105 Ι Tel. 866.219.4318 Ι www.docusign.com Ι © DocuSign, Inc. DocuSign Signature Appliance Administrator Guide 33 Table of Contents Chapter 1: Overview .......................................................................................................................... 11 Requirements for Data Authentication Systems ........................................................................... 11 Introduction to DocuSign Signature Appliance (DocuSign SA) ..................................................... 11 Environments Supported by DocuSign SA ............................................................................. 12 Applications that Work with DocuSign SA .............................................................................. 12 DocuSign SA Components ..................................................................................................... 13 DocuSign SA Guides ................................................................................................................... 13 DocuSign Signature Appliance Hardware Models ........................................................................ 14 End User Platforms ...................................................................................................................... 14 Intended Audience ....................................................................................................................... 14 Chapter 2: DocuSign SA Architecture and Data Flow ........................................................................ 15 Enrollment Using a Standard User Management Application ....................................................... 15 Central Storage of Signing Keys .................................................................................................. 16 User Authentication...................................................................................................................... 16 Extending User Authentication ..................................................................................................... 16 Turnkey Solution .......................................................................................................................... 17 Directory Independent Environment ............................................................................................. 17 Using DocuSign SA’s Internal CA ................................................................................................ 17 Using DocuSign SA in Manual External CA Mode ....................................................................... 18 Using DocuSign SA in Automatic External CA Mode ................................................................... 19 Using DocuSign SA in Common Criteria EAL4+ Deployments ..................................................... 19 Extended Authentication using an External Radius Server ..................................................... 20 User Activation ....................................................................................................................... 21 Signature key Generation and Certificate Enrollment ............................................................. 21 Physical Security: Tamper Evidence and Tamper Response ................................................. 22 Recommended OTP Devices ................................................................................................. 22 Using SAML Tickets to Authenticate DocuSign SA Users ............................................................ 23 ADFS Flow ............................................................................................................................. 23 Passive Mode using the DocuSign SA Web App and DocuSign SA Connector for SharePoint ............................................................................................................................................... 24 221 Main Street, Suite 1000, San Francisco, CA 94105 Ι Tel. 866.219.4318 Ι www.docusign.com Ι © DocuSign, Inc. DocuSign Signature Appliance Administrator Guide 44 Active Mode Using the DocuSign SA Client ........................................................................... 24 SAML Ticket Requirements .................................................................................................... 24 Chapter 3: Installing DocuSign SA ..................................................................................................... 27 Installing the DocuSign SA Administrative Client ......................................................................... 27 Installation Requirements ....................................................................................................... 28 Installing the DocuSign SA Administrative Client .................................................................... 28 Uninstalling the DocuSign SA Administrative Client ............................................................... 29 Installing the DocuSign Signature Appliance Hardware version 8.0 ............................................. 30 Installing the DocuSign SA FIPS Appliance Hardware 8.0 ..................................................... 30 Installing the DocuSign Signature Appliance Hardware version 7.0 ............................................. 34 Installing the DocuSign SA FIPS Hardware version 7.0 ......................................................... 34 Installing the DocuSign SA Enterprise Hardware v7.0 and 8.0 ............................................... 37 Installing the DocuSign Signature Appliance Software ................................................................. 41 Installing DocuSign SA in a Microsoft Active Directory Environment ...................................... 41 Installing DocuSign SA in an LDAP based Environment ........................................................ 53 Installing DocuSign SA in a Directory Independent Environment ............................................ 60 Installing DocuSign SA in a Common Criteria EAL4+ Mode as a Signature Creation Device or Seal Creation Device ............................................................................................................. 65 Installing an Internal Certificate Authority ............................................................................... 69 Using an External CA in Manual Mode ................................................................................... 73 Using an External CA in Automated Mode ............................................................................. 73 Creating a Symantec Profile Preparatory to Configuring Symantec as DocuSign SA’s External CA .......................................................................................................................................... 80 Installing DocuSign SA as a Subordinate CA ......................................................................... 93 Multi-Language Support ......................................................................................................... 95 Chapter 4: Deploying the DocuSign SA Client ................................................................................... 96 Deploying the Client ..................................................................................................................... 96 Deployment Options ............................................................................................................... 96 Installing the DocuSign SA Client ........................................................................................... 97 Uninstalling the DocuSign SA Client .................................................................................... 102 Distributing DocuSign SA Information through the SCP ....................................................... 102 Using the DocuSign SA Control Panel ....................................................................................... 104 User Actions......................................................................................................................... 105 221 Main Street, Suite 1000, San Francisco, CA 94105 Ι Tel. 866.219.4318 Ι www.docusign.com Ι © DocuSign, Inc. DocuSign Signature Appliance Administrator Guide 55 Administrator Actions ........................................................................................................... 105 DocuSign SA Control Panel Menu Bar ................................................................................. 106 DocuSign SA Control Panel – Tray Item .............................................................................. 106 Directory Independent Environment Options ........................................................................ 107 Using the Graphical Signature Management Application ........................................................... 110 Installing the Graphical Signature Capture Device ............................................................... 110 Managing Graphical Signatures ........................................................................................... 112 Creating an Image-Based Graphical Signature .................................................................... 115 Creating a Text-Based Graphical Signature ......................................................................... 118 Installing the Root Certificate and DocuSign SA Verifier ............................................................ 120 Adding the ROOT Certificate to a Trusted CA List (Active Directory only) ............................ 120 Using DocuSign SA Verifier for Validation Purposes ............................................................ 121 Extended Authentication Modes................................................................................................. 121 Chapter 5: Managing the DocuSign Signature Appliance ................................................................ 123 Prerequisites to Using the DocuSign SA Administration MMC ................................................... 123 Starting the DocuSign SA Administration MMC .......................................................................... 123 DocuSign SA Administration MMC Capabilities .................................................................... 125 Backing up the DocuSign SA Data ............................................................................................. 125 Upgrading DocuSign SA ............................................................................................................ 126 Upgrading to Version 7.1...................................................................................................... 127 Upgrading to Version 7.4...................................................................................................... 127 Upgrading to Version 7.5...................................................................................................... 127 Upgrading to Version 8.0...................................................................................................... 127 Uploading a Software Update .............................................................................................. 128 Synchronizing DocuSign SA with the Directory Service ............................................................. 128 Synchronizing DocuSign SA with the External CA in Automated mode ...................................... 129 Refreshing Certificates ............................................................................................................... 130 Clearing CA files ........................................................................................................................ 131 Downloading Log Files ............................................................................................................... 131 Shutting Down and Restarting DocuSign SA Services ............................................................... 132 Restarting the DocuSign Signature Appliance............................................................................ 132 High Availability ......................................................................................................................... 133 221 Main Street, Suite 1000, San Francisco, CA 94105 Ι Tel. 866.219.4318 Ι www.docusign.com Ι © DocuSign, Inc. DocuSign Signature Appliance Administrator Guide 66 Renewing the Subordinate CA Certificate .................................................................................. 133 Uploading an SSL Certificate ..................................................................................................... 136 Renewing the Symantec Authentication Key File ....................................................................... 137 Monitoring Performance Parameters of the DocuSign Signature Appliance ............................... 138 Activating Performance Monitoring ....................................................................................... 138 Stopping Performance Monitoring ........................................................................................ 138 Viewing Performance Parameters ........................................................................................ 139 Obtaining a New DocuSign SA License ..................................................................................... 139 Requesting a New License ................................................................................................... 139 Uploading the New License .................................................................................................. 140 Changing DocuSign SA System Parameters ............................................................................. 140 Users Directory Parameters ................................................................................................. 141 Key Management Parameters .............................................................................................. 143 Certificate Management Parameters .................................................................................... 144 Client Security Setting Parameters ....................................................................................... 148 Auditing and Accounting Parameters ................................................................................... 150 Alerts and Notifications Parameters ..................................................................................... 150 Password Policy ................................................................................................................... 151 LDAP ................................................................................................................................... 151 Advanced Parameters .......................................................................................................... 153 Extended Authentication ...................................................................................................... 155 SNMP .................................................................................................................................. 159 SAML ................................................................................................................................... 159 Restoring the DocuSign Signature Appliance ............................................................................ 161 Restoring the DocuSign Signature Appliance in Microsoft Active Directory .......................... 161 Restoring the DocuSign Signature Appliance in an LDAP Environment ............................... 162 Restoring the DocuSign Signature Appliance in a Directory Independent Environment ........ 163 Using the Users Management Utility .......................................................................................... 163 Activating the Users Management Utility .............................................................................. 164 Users Management Main Window ........................................................................................ 165 Users Management Menus .................................................................................................. 166 Users Management Toolbar ................................................................................................. 175 221 Main Street, Suite 1000, San Francisco, CA 94105 Ι Tel. 866.219.4318 Ι www.docusign.com Ι © DocuSign, Inc. DocuSign Signature Appliance Administrator Guide 77 Using Command Line Utilities .................................................................................................... 176 GetBackup ........................................................................................................................... 177 GetEvt .................................................................................................................................. 178 restartServer.exe ................................................................................................................. 179 Switch2Prim.exe .................................................................................................................. 180 SetSCP ................................................................................................................................ 181 Groups ................................................................................................................................. 181 Chapter 6: Using the DocuSign SA Consoles .................................................................................. 182 Console Types ........................................................................................................................... 182 Overview of the Web-based Console for Hardware v8.0 ...................................................... 182 Overview of the Built-in Console for Hardware versions prior to v8.0 ................................... 182 Using the Built-in Console –Hardware versions prior to 8.0 ........................................................ 184 Displaying DocuSign SA Status ........................................................................................... 185 Enabling DHCP .................................................................................................................... 187 Using a Static IP Address..................................................................................................... 187 Resetting the Tamper Mechanism (DocuSign SA Enterprise Only) ...................................... 188 Restoring Factory Settings ................................................................................................... 189 Shutting Down ...................................................................................................................... 189 Setting Time ......................................................................................................................... 190 Using the DocuSign SA Web-based Console............................................................................. 191 Setting the Appliance IP Address ......................................................................................... 193 Setting Time ......................................................................................................................... 194 Shutting Down ...................................................................................................................... 196 Restarting the Appliance ...................................................................................................... 197 Resetting the Tamper Mechanism ........................................................................................ 197 Restoring Factory Settings ................................................................................................... 198 Displaying DocuSign Signature Appliance Status ................................................................ 200 Using the Touch Screen of a DocuSign SA v8.0 Appliance ........................................................ 203 Restoring the DocuSign Signature Appliance After an Internal Hard Disk Failure ...................... 204 In Appliance Hardware V7.0 or Appliance Hardware v8.0 Enterprise model ........................ 204 In DocuSign SA Hardware V8.0 – Appliance FIPS model .................................................... 204 Chapter 7: Configuring High Availability ........................................................................................... 207 221 Main Street, Suite 1000, San Francisco, CA 94105 Ι Tel. 866.219.4318 Ι www.docusign.com Ι © DocuSign, Inc. DocuSign Signature Appliance Administrator Guide 88 Overview of High Availability ...................................................................................................... 207 Installing DocuSign Signature Appliances in a High Availability Configuration ........................... 209 Installing the Primary DocuSign Signature Appliance ........................................................... 209 Installing an Alternate DocuSign Signature Appliance .......................................................... 209 Managing the Alternate DocuSign Signature Appliance ............................................................. 213 Managing Data Replication in the Alternate DocuSign Signature Appliance .............................. 214 Viewing Replication Status of an Alternate DocuSign Signature Appliance .......................... 214 Re-initializing an Alternate DocuSign Signature Appliance ................................................... 215 Unsubscribing an Alternate DocuSign Signature Appliance ................................................. 215 Managing Primary Appliance Failure and Recovery ................................................................... 215 Setting an Alternate Appliance to be the Primary Appliance ................................................. 216 Setting a Previous Primary Appliance to be an Alternate Appliance ..................................... 218 Re-subscribing an Alternate Appliance with a Primary Appliance............................................... 219 Upgrading Appliances Participating in a High Availability Cluster ............................................... 219 Chapter 8: DocuSign SA Configuration Utility .................................................................................. 221 Overview .................................................................................................................................... 221 Using the DocuSign SA Configuration Utility .............................................................................. 221 DocuSign SA Configuration Utility Menus ............................................................................ 224 Running the DocuSign SA Configuration Utility in Admin Mode ................................................. 225 Configuration File Operations ............................................................................................... 227 Group Policies Operations ................................................................................................... 228 Running the DocuSign SA Configuration Utility in End User Mode ............................................. 229 Distributing the DocuSign SA Client Configuration ..................................................................... 229 Distributing the DocuSign SA Configuration Using Configuration Files ................................. 229 Distributing the DocuSign SA Configuration Using Group Policy .......................................... 230 Setting Admin Configuration ...................................................................................................... 231 Admin – Appliance Installation ............................................................................................. 231 Admin – Performance Monitoring ......................................................................................... 234 Chapter 9: Troubleshooting ............................................................................................................. 235 Installation Problems .................................................................................................................. 235 DocuSign SA IP Address is Invalid ....................................................................................... 235 Error When Setting the DocuSign SA IP Address Via the Console Interface ........................ 235 221 Main Street, Suite 1000, San Francisco, CA 94105 Ι Tel. 866.219.4318 Ι www.docusign.com Ι © DocuSign, Inc. DocuSign Signature Appliance Administrator Guide 99 Default Values Do Not Appear in the Directory Setup Dialog Box ........................................ 236 The Appliance is Not in Factory Settings Mode .................................................................... 236 Installation Failed ................................................................................................................. 236 Progress Bar Stops Advancing............................................................................................. 237 DocuSign Signature Appliance Installation Issues ................................................................ 237 High Availability/Load Balancing – Alternate Installation ...................................................... 237 DocuSign Signature Appliance Problems ................................................................................... 238 DocuSign Signature Appliance Does Not Start ..................................................................... 238 Console Problems ..................................................................................................................... 238 Client-Related Problems ............................................................................................................ 239 Cannot Enable the “Add Digital Signature to Outgoing Messages” Checkbox in Outlook ..... 239 Cannot See Any Certificates in Store ................................................................................... 239 Administrative Problems ............................................................................................................ 239 DocuSign SA System Parameters Do Not Appear in the DocuSign SA Administration MMC 239 All DocuSign SA Administration MMC Operations Fail ......................................................... 240 DocuSign SA Does Not Respond ......................................................................................... 240 New Users Do Not Receive Certificates ............................................................................... 241 Restore Appliance Fails ....................................................................................................... 241 Backup DocuSign SA Operation Fails .................................................................................. 242 Appendix A: DocuSign SA Installation with Reduced Privileges ....................................................... 243 Overview .................................................................................................................................... 243 Regular DocuSign SA Installation .............................................................................................. 244 Creating a New Computer Account for the DocuSign Signature Appliance .......................... 244 Joining the DocuSign Signature Appliance to MS Domain ................................................... 244 Creating a Services Connection Point (SCP) ....................................................................... 244 DocuSign SA User Synchronization ..................................................................................... 244 Updating the userCertificate Attribute for Users ................................................................... 244 DocuSign SA CA Root Certificate Information ...................................................................... 245 DocuSign SA CA CDP (Certificate Distribution Point) .......................................................... 245 DocuSign SA Installation with Reduced Privileges ..................................................................... 245 Preliminary Action – Adding the DocuSign SA Computer to the Domain .............................. 245 Installing DocuSign SA in a Reduced Privileges Environment .............................................. 246 221 Main Street, Suite 1000, San Francisco, CA 94105 Ι Tel. 866.219.4318 Ι www.docusign.com Ι © DocuSign, Inc.