
Why Go>Sign Applet is not running on client machine

Check the following if you are unable to run the Applet on the client machine:
  1. Make sure that the JRE (32-bit for Windows and Linux, 64-bit for Mac) is installed on the client machine. The minimum acceptable version of the JRE to run the Go>Sign Applet is 1.7u51, but it is always preferable to install the latest version. Click here to verify that the installed JRE is up to date and compatible with the browser.
  2. Most web browsers block the applet by default. To load the Go>Sign Applet, the user must run the web page and select the option "Allow and Remember" from the drop-down list that appears in the web browser's address bar.
  3. If the Go>Sign Service is hosted in your environment, contact support@ascertia.com to get the Go>Sign Applet jar re-signed. Also provide the URL of the business application that will embed the Go>Sign Applet.
  4. If the Go>Sign Applet still does not load, try clearing the Java cache.
  5. Make sure that a modern browser is installed that supports HTML 5 if Go>Sign Viewer is used. The following is the list of supported browsers on different platforms:  
    • Windows: Firefox, Chrome, IE9+
    • MAC: Safari, Firefox
    • Linux: Firefox, Chrome

It is preferred to use the latest version of the supported browsers.

Google Chrome version 42 and later blocks Java applets by default. To enable them, follow the steps mentioned here.

The certificates are not shown when Go>Sign Applet is launched

When Go>Sign Applet is loaded and certificates are not shown in the signing dialog then make sure that:
  1. The signing key is available in the keystore configured in the Go>Sign Profile.
  2. If you are using a hardware device then make sure that:
    1. Device is properly plugged in.
    2. Device drivers are installed and correct library name is configured in the Go>Sign Profile.
    3. The vendor application can open the token and display its content (certificates). Also check that the required signing key is available in the device.
    4. The device contains the required key (check using the vendor software).
    5. The device has the correct key pair for your certificate. If either key (public or private) is missing, the certificate will not be shown.
  3. If any certificate filter criteria are configured in the Go>Sign profile, the certificates must match the defined criteria.
  4. The ADSS Go>Sign Service URL configured in the business application is also configured in the Go>Sign Service Address field on the Go>Sign Service > Service Settings page.

Possible reasons why client-side document signing fails

In order to avoid signature creation failure, make sure that:
  1. Verification Service is up and running.
  2. The Verification response signing certificate is not expired.
  3. The TSA response signing certificate is not expired.
  4. The certificate issuer chain is trusted in Trust Manager and this chain is in the allowed list of the target Verification Profile.
  5. The CRLs of the certificate issuer chain are downloaded. If the Validation Policy for your CAs is CDP, also make sure that the Proxy Configurations are set if a proxy is used in your environment. The proxy in ADSS Server can be configured from the Global Settings > Miscellaneous page.
  6. The token (PKCS#11 device) supports the hashing algorithm configured in the Go>Sign Profile, if the key is held in a token.

How can I clear Java cache before using the new version of Go>Sign Applet

Follow the instructions below to clear the Java cache on a user machine:
  1. Close all open web browsers.
  2. Delete the Go>Sign directory at the location: [User-Home]/Ascertia
  3. Follow these instructions to delete the Java Cache:
    1. Go to Start Menu > Control Panel > Java
    2. Click Settings button on General tab
    3. Click Delete Files button
    4. Enable all check boxes and click OK button to clear the cache

How to create/configure the environment to use the Signotec Tablet with the Go>Sign Service

Follow these instructions to configure the environment to use Signotec tablet with the Go>Sign Service: 

  1. Install ADSS Server with the Go>Sign Service enabled in the license.
  2. Place the commons-io.jar, commons-lang.jar, jna-signo.jar, jna-platform-signo.jar, STPad.jar and asc_bc.jar files in the following respective locations:
    • For Go>Sign Desktop: [Go>Sign-Desktop-Installation-Dir]/runtime/jre/lib/ext. This step is performed on the client machine.
    • For Go>Sign Applet: [ADSS-Server-Installation-Dir]/service/server/webapps/service/gosign/applet/lib. This step is performed on the ADSS Server machine.
  3. Place the STPadJava.dll file in the following respective locations: 
    • For Go>Sign Desktop: C:\Windows\System32. This step is performed on the client machine.
    • For Go>Sign Applet: [JRE-HOME]/bin. This step is performed on the client machine.
  4. Launch the ADSS Server Console.
    • Edit the relevant Go>Sign profile.
    • Go to the Signature Settings tab.
    • Enable the option Use signature tablet device, select the option Signotec Sigma and update the profile.
    • Restart the Go>Sign Service from Go>Sign Service > Server Manager for the changes to take effect.
  5. Restart the Go>Sign Desktop application if it is being used.
  6. Connect the Signotec tablet to the client machine. Re-launch the browser and run the respective demo. Click to sign an empty signature field and you will see the Signotec tablet screen on which to draw the hand signature.

How to create/configure the environment to use the Wacom STU-500 Tablet with the Go>Sign Service

Follow these instructions to configure the environment to use Wacom STU-500 tablet with the Go>Sign Service: 

  1. Install ADSS Server with the Go>Sign Service enabled in the license.
  2. Place the jna-3.4.0.jar, jSTUTablet.jar, platform.jar files in the following respective locations: 
    • For Go>Sign Desktop: [Go>Sign-Desktop-Installation-Dir]/app/lib. This step is performed on the client machine.
    • For Go>Sign Applet: [ADSS-Server-Installation-Dir]/service/server/webapps/service/gosign/applet/lib. This step is performed on the ADSS Server machine.
  3. Place the STUTabletCore.dll, zlib1.dll and libeay32.dll files in the following respective locations:
    • For Go>Sign Desktop: [Go>Sign-Desktop-Installation-Dir]/app/resources/tablet. This step is performed on the client machine.
    • For Go>Sign Applet: [JRE-HOME]/bin. This step is performed on the client machine.
  4. Launch the ADSS Server Console.
    • Edit the relevant Go>Sign profile.
    • Go to the Signature Settings tab.
    • Enable the option Use signature tablet device, select the option Wacom STU-500 and update the profile.
    • Restart the Go>Sign Service from Go>Sign Service > Server Manager for the changes to take effect.
  5. Restart the Go>Sign Desktop application if it is being used.
  6. Connect the Wacom STU-500 tablet to the client machine. Re-launch the browser and run the respective demo. Click to sign an empty signature field and you will see the Wacom STU-500 tablet screen on which to draw the hand signature.

How to configure the E-Tendering demo

Follow the below instructions to run the E-Tendering demo:

  1. Edit the Go>Sign XML profile 006 (adss:gosign:profile:006) if you installed the ADSS Server with sample data.
  2. Change Document Input Source to Client on the General tab.
  3. Enable Encrypt XML after Signing check box on the Signature Settings tab.
  4. Configure Certification Service Settings on the Service Settings tab.
  5. Make sure that Decryption Service is licensed.
  6. Create a profile in Decryption Service.
  7. Run the Tomcat server in Client-SDK to launch the demo programs.
  8. Access the URL http://localhost:8766/e-tendering to run the E-Tendering demo.

How can I launch the Document Viewer on IE8?

Follow the below instructions to launch the Document Viewer on IE8:
  1. Open the JSP file in edit mode
  2. Remove the tag (if exists) <meta http-equiv="X-UA-Compatible" content="IE=5, IE=8, IE=9, IE=10" />
  3. Move the JavaScript code written in the tag <% ...%> after closing the tag <html> ... </html> as shown in below JavaScript code

  4. If you are using IE 8 or later, press F12 and ensure the following browser settings:
    1. Browser Mode: IE8
    2. Document Mode: IE8 Standards

How to configure the mutual authentication with ADSS Server

Follow the instructions below to configure mutual authentication with ADSS Server.

Server Authentication:
  1. Generate a new certificate from Key Manager > Service Keys module with certificate purpose SSL Server Authentication. The common name (CN) of the certificate should be either machine name or IP address.
  2. Configure the SSL Server Authentication certificate on the Global Settings > System Certificates page in SSL Server Authentication Certificate drop down.
  3. Restart the ADSS Server Core, Console and Service instances from the Windows Services Panel/UNIX daemons for the changes to take effect.
  4. The following are the configurations on the client side if you are using the .Net Client APIs:
    1. Click Start > Run and type mmc.

    2. A dialog is shown. Click File in the menu bar and select Add/Remove snap in. Another dialog is shown: select Certificates from the left pane and press the Add button, select Computer Account in the dialog that opens, click Next and then Finish.

    3. From the left pane under Certificates, select Trusted Root Certification Authorities and import the SSL Server Certificate's root CA here.

    4. Send the request to the ADSS Service over the SSL Server Authentication URL (ADSS Server SSL Server Authentication port is 8778).

Client Authentication:

  1. Go to ADSS Server Console > Client Manager
  2. Click to edit your client
  3. Configure your Client Authentication certificate in the SSL Client Authentication Certificate field.
  4. Send the request over the SSL Client Authentication URL (ADSS Server SSL Server Authentication port is 8779)

Google is blocking Java to run on Chrome. What are my alternatives to perform local signing

Google Chrome has started blocking the Java plugin from executing. This is because Google is ending support for NPAPI, the underlying plugin technology on which the Java plugin works. In place of NPAPI, Google has launched another technology named PPAPI, which only Chrome supports and which Java does not yet support. Currently Java is blocked by default in the latest version of Chrome, but it can be enabled. By Sep 2015 Java will be completely blocked in Chrome. Details of how to enable the Java plugin in Chrome are explained here.
For clients who are using Chrome for local signing, the following are some possible alternatives.
  1. Use different browsers - Oracle strongly recommends that Java users consider alternatives to Chrome as soon as possible. They recommend Firefox, Internet Explorer and Safari as longer-term options. Details are here.
  2. Use server-side signature - This is ideal because it is simpler, cheaper and more easily supported on mobile devices. However, where smart cards have already been issued (e.g. eID cards) this solution will not be acceptable to the business. Ultimately we see server-side signing becoming more popular though.
  3. Use an approach to local signing which does not require Java – Currently there is no graceful solution which can tackle the local signing use case with existing keys. There are, however, a few possible upcoming solutions which can support local signing with some limitations. These include:
    1. Using FIDO – This uses JavaScript to access a locally-held FIDO token which has a private key on it. This is explained here. Although FIDO is primarily for authentication to websites, it can be used for document signing. Currently SigningHub does not support FIDO but this is in the product's road map. Note that this does not help in the case of already issued eID cards; rather, the keys are generated by the business application which is later going to use them.
    2. Using Webcrypto – This is a standard for accessing keys in the browser from JavaScript, without requiring an applet. This is explained here. The only issue is that it does not yet have good support in browsers, especially the key discovery part of the specifications, so using keys held within a smart card is not yet possible. Also, this standard is currently not stable. This is a possible long-term solution which Ascertia will support as it gets implemented in browsers.
    3. Using a browser add-on – This is a small plugin which is installed by users locally. This is a more complex solution for users and requires solutions for different browsers and different operating systems. This doesn't fit with the architecture of zero footprint, and hence Ascertia will not support it.

For now, as per Oracle recommendation, an alternative browser (Firefox, Internet Explorer, Safari) should be used to run your Java applets for local signing.

How to fix JAVA VM crashing issue on MAC Safari browser when using Go>Sign Applet with PKCS#11 keystore

Background
Upon loading the Go>Sign Applet in Safari, the Java VM crashes and a crash report is shown. The Applet runs correctly in Firefox.

Workaround
Changing Safari settings to run Java Plug-in in unsafe mode solves the problem. Follow these instructions:
  1. Choose Safari > Preferences
  2. Click the Security pane
  3. Click Plug-in Settings to see plug-in details for a particular website
  4. Java plug-ins installed on your computer appear on the left side of the plug-ins sheet. Select the Java plug-in to configure its website settings
  5. Websites that are currently open in Safari appear on the right side of the plug-ins sheet
  6. For your desired website, select the option Run in Unsafe Mode
  7. A dialog appears stating: "Do you want to trust the website '(website)' to use the 'Java' plug-in?"
  8. Click the Trust button
  9. Click the Done button to close the preferences

 

How to confirm Go>Sign Desktop is properly deployed and running on client machine

Check the following if you are unable to run the Go>Sign Desktop on a client machine:
  1. Ensure that Go>Sign Desktop is up and running using these URLs:

  2. If the above links are not accessible, ensure that Go>Sign Desktop is properly installed. Check the hosts file to ensure this entry was correctly added: 127.0.0.1 client.go-sign-desktop.com

    • Windows: C:\Windows\System32\Drivers\etc\hosts

    • Mac OS: Macintosh HD\private\etc\hosts

  3. Check the log file to confirm that Go>Sign Desktop service was started correctly (check Windows system tray for Go Sign Desktop icon) and is running: 

    • Log file location: C:\Users\[UserName]\AppData\Roaming\Ascertia\Go-Sign-Desktop\logs (Substitute user name [in brackets] for your local directory)

  4. Ensure that the ADSS Client SDK version used in the business application is the same as, or compatible with, the version of Go>Sign Desktop.

If all of the above are OK and you are still unable to run the Go>Sign Desktop, contact support@ascertia.com.
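The hosts-file check from step 2, as an added example (not Ascertia's code), assuming Python 3 and using a constructed sample file. Beyond confirming that the entry exists, it flags any active line that maps client.go-sign-desktop.com to an address other than 127.0.0.1, because such a line would point the browser's calls for the local signing client at a different machine.

```python
import ipaddress
import sys

GOSIGN_HOST = "client.go-sign-desktop.com"      # host name from the FAQ entry
EXPECTED_IP = ipaddress.ip_address("127.0.0.1")  # address from the FAQ entry

# Hosts file locations from the FAQ; the Mac path is written POSIX-style here.
HOSTS_PATHS = {"win32": r"C:\Windows\System32\Drivers\etc\hosts",
               "darwin": "/private/etc/hosts"}

# Constructed sample, not taken from a real machine.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
#127.0.0.1 client.go-sign-desktop.com
192.0.2.10\tClient.Go-Sign-Desktop.com   # unexpected mapping
127.0.0.1 client.go-sign-desktop.com
"""


def find_mappings(hosts_text, name=GOSIGN_HOST):
    """Return [(line_no, ip)] for every active line that maps `name`."""
    found = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not an address line
        if name.lower() in (alias.lower() for alias in fields[1:]):
            found.append((line_no, ip))
    return found


def check_hosts(hosts_text, name=GOSIGN_HOST):
    """Return ('ok' | 'missing' | 'conflict', [(line_no, ip_string), ...])."""
    mappings = find_mappings(hosts_text, name)
    if not mappings:
        return "missing", []
    wrong = [(n, str(ip)) for n, ip in mappings if ip != EXPECTED_IP]
    return ("conflict", wrong) if wrong else ("ok", [])


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else HOSTS_PATHS.get(sys.platform)
    if path is None:
        sys.exit("usage: check_hosts.py <path-to-hosts-file>")
    with open(path, encoding="utf-8", errors="replace") as fh:
        status, details = check_hosts(fh.read())
    print(status, details)
    sys.exit(0 if status == "ok" else 1)
```

A commented-out entry counts as missing, and a "conflict" result lists the line numbers to review in the hosts file.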

Why Go>Sign Desktop is not running with Microsoft Edge browser 

Follow these instructions to run the Go>Sign Desktop using Microsoft Edge browser:
  1. Close the Microsoft Edge browser if already launched
  2. Launch the command prompt by using Run as administrator
  3. Run this command:

  4. Launch the Microsoft Edge browser and run your application again to test the Go>Sign Desktop


How to enable Cross-Origin Resource Sharing (CORS) for Go>Sign Demos when IPv6 addresses are used

  1. Go to location [ADSS-Server-Installation-Dir]/service/server/webapps/service/web-inf
  2. Edit the web.xml file  
  3. Append the following code before the tag <servlet> ... </servlet>

     

  4. Save the changes

  5. Restart the ADSS Server Service instance from the Windows NT Services panel or UNIX daemon for the change to take effect.

     

How to change the default language for Go>Sign Service

ADSS Server Changes:

  1. Launch ADSS Server Console 
  2. Go to location Go>Sign Service --> Language Manager
  3. Export the default language (adss:gosign:language:001) file (English.xls)
  4. Edit the language file and add the new language name in the first cell of the next available column (i.e. 4th column with language name 'French')
  5. Translate the values against each English key in the newly added column and save the file as e.g. French.xls
  6. Add a new language with the same name as given in step 2 and specify a Short Name (two characters e.g. fr)
  7. Import the edited file (e.g. French.xls) and save it. The new language will be available with the specified short name.
  8. Restart the Go>Sign service from Service Manager for the changes to take effect

 

Client Application changes:

In order to utilize the newly added language in Client Application follow these steps:  

  1. Open the relevant client application JSP/ASPX file in edit mode
  2. Add the property USER_LANGUAGE as shown:

  3. Save the changes

How to change color of the PIN dialog when using Go>Sign Desktop/Applet

For Viewer:

  1. Open the relevant JSP/ASPX file in edit mode
  2. Write the JavaScript code as shown after closing the tag <html> ... </html> in the end.

  3. Save the changes.


For Non-Viewer:

  1. Open the relevant JSP/ASPX file in edit mode
  2. Add the JavaScript code after the line GoSign_SetCertificateListName under the function GoSign_PostInit() as shown here:

  3. Save the changes.


The parameters are {"titleColor","titleTextColor","backgroundColor","textColor","buttonsTextColor"}. For more details, see section 4.1 of [ADSS Client-SDK Home Directory]/GoSign/ADSS Go>Sign Developers Guide.pdf
