
DSS API Service

Overview

The DSS API is configured through its DSS properties file. That file references a TSA configuration and a keystore, both of which can also be configured. Below you can find, for each of these, how to configure it.

DSS Properties

For the DSS API itself there is a .properties file that can be configured. Below you can find the current configuration.

For each deployment type the file is located in a specific folder or configuration object.

The contents of this file are the same across the deployment types:

# JDBC database config
datasource.jdbc.enabled = true
datasource.driver.class = org.hsqldb.jdbcDriver
datasource.url = jdbc:hsqldb:mem:testdb
datasource.username = sa
datasource.password =

# Cache config (values in seconds)
cache.expiration = 86400
cache.crl.default.next.update = 600
cache.crl.max.next.update = 10800
cache.ocsp.default.next.update = 60
cache.ocsp.max.next.update = 180

# EU LOTL config
oj.content.keystore.type = PKCS12
oj.content.keystore.filename = keystore.p12
oj.content.keystore.password = dss-password
current.oj.url = https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.C_.2019.276.01.0001.01.ENG
current.lotl.url = https://ec.europa.eu/tools/lotl/eu-lotl.xml
lotl.country.code = EU

# AdES LOTL config
tl.loader.ades.enabled=false
tl.loader.ades.lotlUrl=https://ec.europa.eu/tools/lotl/mra/ades-lotl.xml
tl.loader.ades.keystore.type=PKCS12
tl.loader.ades.keystore.filename=ades/ades-keystore.p12
tl.loader.ades.keystore.password=ks-password
tl.loader.ades.tsl.type=http://ec.europa.eu/tools/lotl/mra/ades-lotl-tsl-type

# Server signing token
dss.server.signing.keystore.type = PKCS12
dss.server.signing.keystore.filename = user_a_rsa.p12
dss.server.signing.keystore.password = password

# TSA
tsp-source = classpath:config/tsp-config.xml

# LOTL/TLs loading
cron.tl.loader.enable = true
cron.initial.delay.tl.loader = 0
cron.delay.tl.loader = 3600000

# File size limit
multipart.maxFileSize = 52428800
multipart.maxInMemorySize = 52428800

# default validation policy (in dss-policy-jaxb/src/main/resources/)
default.validation.policy = policy/constraint.xml

# validation policy for a certificate validation (in dss-policy-jaxb/src/main/resources/)
default.certificate.validation.policy = policy/certificate-constraint.xml

# Custom trusted key store
trusted.source.keystore.type = PKCS12
trusted.source.keystore.filename = keystore.p12
trusted.source.keystore.password = dss-password

# Custom trusted adjacent key store
trusted.source.keystore-intermediate.type = PKCS12
trusted.source.keystore-intermediate.filename = keystore-intermediate.p12
trusted.source.keystore-intermediate.password = dss-password

# CommonsDataLoader configuration (timeouts in milliseconds)
dataloader.connection.timeout = 5000
dataloader.connection.request.timeout = 5000
dataloader.redirect.enabled = true

# Defines a number of secure validation tests to be performed on imported RSA keys (disabled by default, use value '1' or higher to enable)
bc.rsa.max_mr_tests = 0

proxy.http.enabled = false
#proxy.http.host =
#proxy.http.scheme =
#proxy.http.port = 0
#proxy.http.user =
#proxy.http.password =
#proxy.http.exclude =
# e.g.: proxy.http.exclude = test.site.lu, test.website.com

proxy.https.enabled = false
#proxy.https.host =
#proxy.https.scheme =
#proxy.https.port = 0
#proxy.https.user =
#proxy.https.password =
#proxy.https.exclude =
# e.g.: proxy.https.exclude = test.site.lu, test.website.com

cxf.debug = true
cxf.mtom.enabled = true

cookie.secure = false

nexuDownloadUrl=https://github.com/nowina-solutions/nexu/releases/download/nexu-${nexu.version}/nexu-bundle-${nexu.version}.zip
nexuVersion = 1.
nexuUrl=http://localhost:9795

dssVersion = ${project.version}

# https://webgate.ec.europa.eu/tl-browser/# (old link)
tl.browser.root.url = https://eidas.ec.europa.eu/efda/tl-browser/#/screen

# Default digest algo to be checked in the web interface
default.digest.algo = SHA256

# Defines the "SameSite" parameter value for "Set-Cookie" header
web.security.cookie.samesite = strict

# Defines the "X-Content-Security-Policy" header value
web.security.csp = default-src 'self' ${nexuUrl} 'unsafe-inline' data:;

Bare metal

For the Bare metal deployment type the configuration file is embedded in the WAR file; you can override the configuration via the lib/dss-custom.properties file.

Kubernetes

In a Kubernetes environment the configuration is loaded via a ConfigMap. This ConfigMap can be found in Kubernetes and can be updated via kubectl and its subcommands.

Standalone

Similar to the Bare metal deployment, the properties are embedded in the WAR file. You can override them via the dss-custom.properties file.

This file is located at apache-tomcat-8.5.95/lib/dss-custom.properties.
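The following Python script is an added example for this guide; it is not part of the DSS API Service or of Trust1Team's tooling. It parses a dss.properties file in the Java properties syntax, applies a dss-custom.properties file on top (the override mechanism the Bare metal and Standalone sections describe; that a key in the override replaces the embedded value is the assumption made here), and flags the settings in the configuration above that an operator should not ship unchanged: cookie.secure = false, cxf.debug = true, the in-memory HSQLDB datasource, empty or published default passwords, and 'unsafe-inline' in the CSP. The two property texts inside the script are constructed cut-downs of the configuration above, and the PostgreSQL host in the override is a placeholder.

```python
"""Audit a DSS API dss.properties file for risky settings.

Added example for this guide; it is not part of the DSS API Service or of
Trust1Team's tooling. It assumes Java .properties syntax ('key = value' or
'key: value', '#'/'!' comments, trailing-backslash continuations) and that
keys in lib/dss-custom.properties replace the embedded values.
"""
from __future__ import annotations

import re
import sys

# Constructed sample: a cut-down copy of the embedded configuration shown above.
EMBEDDED = """\
# JDBC database config
datasource.url = jdbc:hsqldb:mem:testdb
datasource.username = sa
datasource.password =

# Server signing token / trusted key store
dss.server.signing.keystore.password = password
trusted.source.keystore.password = dss-password

proxy.http.enabled = false
#proxy.http.password =

cxf.debug = true
cookie.secure = false
web.security.cookie.samesite = strict
web.security.csp = default-src 'self' ${nexuUrl} 'unsafe-inline' data:;
"""

# Constructed sample of a lib/dss-custom.properties override (the host name is a placeholder).
OVERRIDE = """\
cookie.secure = true
cxf.debug = false
datasource.url = jdbc:postgresql://db.example.internal:5432/dss
"""

# key, then an '=' or ':' separator, then the rest of the line as the value
_KV = re.compile(r"^([^#!=:\s][^=:]*?)\s*[=:]\s*(.*)$")

# Empty or published default passwords that must not reach production.
WEAK_PASSWORDS = {"", "password", "dss-password", "ks-password", "changeit"}


def parse_properties(text: str) -> dict[str, str]:
    """Parse Java .properties text into a dict; a repeated key keeps its last value."""
    props: dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        match = _KV.match(line)
        if match:
            props[match.group(1).strip()] = match.group(2).strip()
    return props


def effective_config(embedded: str, override: str = "") -> dict[str, str]:
    """Embedded properties with the custom override file applied on top."""
    props = parse_properties(embedded)
    props.update(parse_properties(override))
    return props


def audit(props: dict[str, str]) -> list[str]:
    """Return one finding per risky setting, sorted for stable output."""
    findings: list[str] = []
    if props.get("cookie.secure", "false").lower() != "true":
        findings.append("cookie.secure is not true: the session cookie may be sent over plain HTTP")
    if props.get("cxf.debug", "false").lower() == "true":
        findings.append("cxf.debug=true: CXF debug logging is enabled")
    if props.get("datasource.url", "").startswith("jdbc:hsqldb:mem:"):
        findings.append("datasource.url is an in-memory HSQLDB: its contents are lost on every restart")
    if "'unsafe-inline'" in props.get("web.security.csp", ""):
        findings.append("web.security.csp allows 'unsafe-inline' scripts and styles")
    for key, value in props.items():
        if key.endswith(".password") and value in WEAK_PASSWORDS:
            findings.append(f"{key} is empty or set to a published default password")
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_dss_props.py dss.properties [dss-custom.properties]
    base = open(sys.argv[1]).read() if len(sys.argv) > 1 else EMBEDDED
    extra = open(sys.argv[2]).read() if len(sys.argv) > 2 else OVERRIDE
    for finding in audit(effective_config(base, extra)):
        print("WARN", finding)
```

Run against the real files by passing the embedded dss.properties and, for a Bare metal or Standalone deployment, lib/dss-custom.properties as the second argument; with no arguments it audits the constructed samples, where the override clears the cookie, CXF and datasource findings and leaves the password and CSP ones.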

TSA configuration

The TSA configuration file holds the information on which TSA server is used. The configuration looks like the following:

<beans xmlns="http://www.springframework.org/schema/beans"
	   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">

	<bean id="tspSource" class="eu.europa.esig.dss.service.tsp.OnlineTSPSource">
		<constructor-arg name="tspServer" value="http://tss.certificateservices.eads.com/longlife" />
	</bean>

</beans>

If you wish to update the TSP server, contact Trust1Team to provide a build with the updated TSP configuration.

Keystore configuration

The keystore configuration is also included in the WAR file. It can be updated by Trust1Team upon request.

The keystore configuration is split into two configuration files, which are in JKS format.

These are the Custom trusted key store and the Custom trusted adjacent key store, respectively:

  • keystore.p12

  • keystore-intermediate.p12

These keystores are protected by a password, which can be found in the dss.properties file.

These are the keystores currently in use.

When you open a keystore with this application you will be prompted for a password. Provide the password to view the contents of the keystore.

Once opened, the application looks similar to this:

Add/remove certificate

If you need an updated keystore with one certificate more or one less, you can do this via the user interface.

Click the import-certificate button

and select the certificate you want to import.

Once the certificate has been imported, it appears in the list of certificates.

Then save the keystore by clicking the floppy-disk/save icon or pressing Ctrl+S.

You can then send us the updated keystore which we can then embed into a new build.

Update password

Similar to adding or removing certificates you can also update the keystore's password.

This can be done by right-clicking in the keystore UI, as in the image below.

Then click the Set KeyStore Password box and choose a new password.

Save the keystore and send it to us so that we can create a new build with the updated keystore.
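The Python script below is an added example for this guide, not Trust1Team's tooling or the keystore application the guide refers to. It performs the same three steps as the UI procedure above (import a certificate, save the container, set a new keystore password) on a password-protected PKCS12 file such as keystore.p12 or keystore-intermediate.p12. The guide calls these files JKS, but their .p12 extension and the trusted.source.keystore.type = PKCS12 settings in the properties above point to PKCS12, which is the form this example handles. It assumes the 'cryptography' package is installed; every certificate it uses is generated in the script (the names "Test Root CA" and "Test Intermediate CA" are constructed), so nothing touches a real keystore.

```python
"""Scripted version of the keystore steps above (import a certificate,
save, change the password) for a PKCS12 container such as keystore.p12.

Added example for this guide, not Trust1Team's tooling or the application
the guide refers to. It assumes the 'cryptography' package is installed.
Every certificate is generated here, so nothing touches a real keystore;
subject names such as "Test Root CA" are constructed test data.
"""
from __future__ import annotations

import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def make_self_signed(name_cn: str) -> x509.Certificate:
    """Constructed test data: a throw-away self-signed CA certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name_cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )


def common_name(cert: x509.Certificate) -> str:
    """Subject CN, used here to identify entries the way the UI list does."""
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def save_keystore(certs: list[x509.Certificate], password: bytes) -> bytes:
    """The 'save' step: serialize a password-protected PKCS12 holding only trusted certificates."""
    if not certs:
        raise ValueError("a trust store must keep at least one certificate")
    return pkcs12.serialize_key_and_certificates(
        name=b"trusted",
        key=None,
        cert=None,
        cas=certs,
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )


def load_keystore(data: bytes, password: bytes) -> list[x509.Certificate]:
    """Open the container and list its certificates; a wrong password raises ValueError."""
    _key, cert, cas = pkcs12.load_key_and_certificates(data, password)
    certs = list(cas or [])
    if cert is not None:  # a container built around a private key also carries its own cert
        certs.insert(0, cert)
    return certs


def add_certificate(data: bytes, password: bytes, cert: x509.Certificate) -> bytes:
    """The 'import certificate' step; re-importing an existing entry leaves the store unchanged."""
    certs = load_keystore(data, password)
    digest = cert.fingerprint(hashes.SHA256())
    if any(c.fingerprint(hashes.SHA256()) == digest for c in certs):
        return data
    return save_keystore(certs + [cert], password)


def remove_certificate(data: bytes, password: bytes, name_cn: str) -> bytes:
    """Drop every entry whose subject CN matches, then save the remaining ones."""
    certs = [c for c in load_keystore(data, password) if common_name(c) != name_cn]
    return save_keystore(certs, password)


def change_password(data: bytes, old: bytes, new: bytes) -> bytes:
    """The 'Set KeyStore Password' step: open with the old password, re-encrypt with the new one."""
    return save_keystore(load_keystore(data, old), new)


if __name__ == "__main__":
    store = save_keystore([make_self_signed("Test Root CA")], b"dss-password")
    store = add_certificate(store, b"dss-password", make_self_signed("Test Intermediate CA"))
    store = change_password(store, b"dss-password", b"new-secret")
    print([common_name(c) for c in load_keystore(store, b"new-secret")])
```

To apply this to a real container, read keystore.p12 as bytes, pass the password from dss.properties, and write the bytes returned by add_certificate or change_password back to a new file before sending it in for a build; remember that a new keystore password must also be updated in the properties file, or the service will fail to open the store.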


You can open these JKS files with the following application. This application makes it easy to update and/or create keystore containers.