Tamino X-Application and XML Digital Signature

Hi all,

I'm working with Tamino X-application 4.1.1 and I've tried the new demo from http://tamino.demozone.softwareag.com/mainSiteX/ . This demo was built using x-application and I have some doubts that maybe someone could explain to me.

1. Demo shows one way to manage digital signature with x-application. Search page of customer role has two columns with XML documents: unsigned and signed. When you want to insert and sign an XML document you have to insert it and after that sign it, you can't insert and sign in the same transaction.

- Is this the way that x-application proposes to manage digital signature in XML documents?
- Basic X-application functions (Create, view, modify, search and delete) remain without changes. The new function "Sign" is not part of x-application. Is this right? If I want to reproduce the demo, do I have to implement the "Sign" function by myself?
- It's very important for us to know the "Right way" to work with x-application and digital signature.

2. X-application GUI generator works fine but I've experienced some problems: when an application is generated, it appears in a list of applications, but if I close the GUI and enter again, this list doesn't appear. Has anyone experienced the same behavior? So, as the list of applications is not present inside the GUI, I can't re-generate my application. However, the regenerate process works, because I executed it outside the GUI, from the command line.

Thanks and best regards,
Leo

Hello,

To your questions:

1) The X-Application package that you can download from the community does not include functionality to sign documents. Therefore, you are right: you have to implement the sign functionality by yourself.

However, the basic mechanism for the integration of the XML signature is the Plugin mechanism.
I will ask my colleagues who wrote the demo application to post more information about the implementation. If there are no legal restrictions that prevent the use of the existing demo code, they can contribute this code.

2) The GUI generator is session related. It collects the application you generated during one session. It neither saves its state after your session times out, nor analyzes the Tomcat webapps directory when a new session is started.
Therefore, you are right: The GUI does not support the regeneration process for applications that were built within a former session. I will add this to our task list.

Workaround: Use the ‘regenerate’ command that accepts the directory path of your application and rebuilds it based on the structure.xml file of the application directory (see also the chapter “Generating Applications Using the Command Line” of the X-Application documentation).

Bye,
Christian.

Hi Leo,

the sign part of the demo is implemented as a signed Java applet. The reason is that, for digitally signing a document, the private key of the signing person is needed. In a default scenario the private key is located on a smart card (qualified signatures) or in a keystore on the client side (like in our demo). However, in each case the key needed for creating the signature is located on the client side and it should not be necessary to have it on the server side (sending the key to the server is in most scenarios not possible, e.g. when using smart cards). For this reason, the default approach is to implement the sign part in an applet. The applet itself has to be signed because it accesses local resources (the keystore or the smart card).

regards
Eckehard Hermann
Software AG

Thanks

Thank you, Christian and Eckehard

I was looking for answers that assure the direction I've set, and I think I found it.

Regards,
Leo