29 Replies Latest reply: Jul 23, 2009 12:32 PM by SForrest96

    Removing signatures in a digital signature field

    bilimam Community Member

      Hi all, I have a question relating to the topic above that I hope
      you guys can help me with;

       

      1) Is it possible to remove digital signatures from form? For instance
      if you have a form going thru several approval steps that requires
      signatures, and then one step happened to reject, it would be nice to
      remove the previous signatures so that they could be re-signed.

       

      2) And finally is there a simpler way to combine digital signatures
      and rights management than what was listed in the pdf provided by
      Duane (second post from the bottom of the thread)? When creating a policy there is
      a checkbox for "Filling in form fields and signing". Is this for something else?

       

      Thanks!
      Billy 

        • 1. Re: Removing signatures in a digital signature field
          SForrest96 techies

          1)  Is it possible to remove digital signatures from form?

          ANSWER:  A signature can only be removed ("unsigned") if the system or user has access to the "private" key used to generate the signature in the first place.  For example, let's say User A signs a PDF... Only User A can unsign that PDF.  If you were to use LC Digital Signatures ES to "unsign" a PDF, you would need to have all of the potential user "Credentials" and Credential passwords stored in the Trust Store so LC would have access to the private keys to be able to unsign a signature field.  This is not very feasible if the number of potential signers is large.

           

          2) Is there a simpler way to combine digital signatures and rights management

          ANSWER: Combining Digital Signature and Rights Management is not complicated.  You just need to be aware of the "Order of Operations" required.  Always "Encrypt" first (Rights Mgt, Certificates, and Password can be used for encryption) then "Certify" (assuming you are Certifying the PDF), then add Reader Extension rights (assuming you want to extend functionality of the document for Reader)

           

          The reason the above order is required...  When you sign a document, a hash is generated based on the document, if you then encrypt that signed document, you are modifying the document which in turn causes a different hash to be generated... this breaks the signature.

           

          As for the "Filling in form fields and signing" option in a policy, this is a "permission" that you can allow or disallow for PDF forms with a policy applied by RM.  For example, a PDF has a policy applied where User A has the "Filling in form fields and signing" permission enabled and User B does not.  User A can open the form and interact with it by filling it in and/or signing the form.  User B would only be able to "view" the form.  This permission is only relevant when using RM to protect fillable PDF forms.  Also, it shouldn't be confused with the Reader Extensions permission of allowing Digital Signatures in Reader.

           

          For example, If you wanted a "Certified" form to be filled in and signed by User A with Adobe Reader, you would need to:

           

          Apply a policy to the PDF where User A had the "Filling in form fields and signing" permission enabled, then apply a "Certify" signature which had the "Allow Form Fill and Signing" permission enabled, then Reader Extend the PDF form that enables the "Digital Signatures" permission which activates the Digital Signatures functionality in Reader for that particular form.

           

          It may sound complicated, but it really isn't

           

          Regards

          Steve
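
The ordering rule from reply 1 (encrypt first, then sign), as an added example that is not part of the original thread and is not Adobe's code. HMAC-SHA256 stands in for the certificate-based signature and a toy XOR keystream stands in for policy encryption; the keys and the form bytes are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values: none of these come from the thread.
SIGNING_KEY = b"constructed-signer-key"   # stands in for the signer's private key
POLICY_KEY = b"constructed-policy-key"    # stands in for the Rights Management document key
FORM = b"%PDF-1.7 expense form: amount=120.00 field=ConsultantSig"


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """XOR the data with a SHA-256 counter keystream.

    A toy stand-in for policy encryption (not a real cipher choice);
    because it is XOR, applying it twice with the same key decrypts.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def sign(stored_bytes: bytes) -> bytes:
    """Sign the bytes exactly as they are stored in the file."""
    return hmac.new(SIGNING_KEY, stored_bytes, hashlib.sha256).digest()


def verify(stored_bytes: bytes, signature: bytes) -> bool:
    """Recompute the signature over the stored bytes and compare."""
    return hmac.compare_digest(sign(stored_bytes), signature)


def sign_then_encrypt() -> bool:
    """Wrong order: the signature covers the plaintext, the file holds ciphertext."""
    signature = sign(FORM)
    stored = toy_encrypt(FORM, POLICY_KEY)   # rewrites the signed bytes
    return verify(stored, signature)


def encrypt_then_sign() -> tuple:
    """Right order: the signature covers the encrypted bytes that are stored."""
    stored = toy_encrypt(FORM, POLICY_KEY)
    signature = sign(stored)
    # A policy member can still decrypt to the original content,
    # and decrypting a copy in memory leaves the stored bytes untouched.
    readable = toy_encrypt(stored, POLICY_KEY)
    return verify(stored, signature), readable == FORM


if __name__ == "__main__":
    print("sign then encrypt, signature valid:", sign_then_encrypt())
    print("encrypt then sign, (signature valid, content readable):",
          encrypt_then_sign())
```
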

          • 2. Re: Removing signatures in a digital signature field
            bilimam Community Member

            Gotcha. Thanks for the quick response!

             

            Billy

            • 3. Re: Removing signatures in a digital signature field
              bilimam Community Member

              Hi all, came across a few other problems and hopefully someone can
              help me out,

               

              I've managed to place digital signatures on a form and I used a custom renderer to apply a policy for rights management. I used a Document
              Form type variable in the process and specified that the form should only be rendered once. Now at some point in my process I wanted to
              remove a signature so I tried to use the Clear signature field service. When I run it, however, I get a stall and an error in my logs
              saying "The input PDF is encrypted using APS and could not be opened, hence the operation clearSignatureField can not be performed on Signature Field ConsultantSig. (in the operation : clearSignatureField)"

               

              So I figure, ah well, that's cool, I'll just remove the policy as I figured that's what was encrypting it. So I threw in a Remove Policy service and then I get another error in my logs saying that

               

              *******************************************************

              Cannot coerce object:

               

              <document state="passive" senderVersion="3" persistent="true"
              senderPersistent="false" passivated="true" senderPassivated="true"
              deserialized="true" senderHostId="127.0.0.1/10.37.129.2/192.168.0.143"
              callbackId="0" senderCallbackId="54" callbackRef="IOR:
              isLocalizable="true" isTransactionBound="false"
              defaultDisposalTimeout="600" disposalTimeout="600"
              maxInlineSize="65536" defaultMaxInlineSize="65536" inlineSize="0"
              contentType="null" length="85284"><cacheId/><localBackendId/

              ><globalBackendId><DocumentFileID fileName="C:\Adobe\LiveCycle8.2\jboss

              \server\all\svcnative\DocumentStorage
              \docm1247766543265\66d5bdad216c55badc57fc5b86f44086"/><globalBackendId/

              ><senderLocalBackendId/><senderGlobalBackendId/><inline/
              ><senderPullServantJndiName>adobe/idp/DocumentPullServant/

              adobejb_server1</senderPullServantJndiName><attributes/></document> of
              type: com.adobe.idp.Document to type: class
              com.adobe.idp.taskmanager.form.impl.binarycontent.BinaryContentFormInstance

              :
              ALC-DSC-119-000: com.adobe.idp.dsc.util.InvalidCoercionException:
              Cannot coerce object: <document state="passive" senderVersion="3"
              persistent="true" senderPersistent="false" passivated="true"
              senderPassivated="true" deserialized="true"
              senderHostId="127.0.0.1/10.37.129.2/192.168.0.143" callbackId="0"
              senderCallbackId="54" callbackRef="IOR:
              isLocalizable="true" isTransactionBound="false"
              defaultDisposalTimeout="600" disposalTimeout="600"
              maxInlineSize="65536" defaultMaxInlineSize="65536" inlineSize="0"
              contentType="null" length="85284"><cacheId/><localBackendId/
              ><globalBackendId><DocumentFileID fileName="C:\Adobe\LiveCycle8.2\jboss
              \server\all\svcnative\DocumentStorage
              \docm1247766543265\66d5bdad216c55badc57fc5b86f44086"/><globalBackendId/
              ><senderLocalBackendId/><senderGlobalBackendId/><inline/
              ><senderPullServantJndiName>adobe/idp/DocumentPullServant/

              adobejb_server1</senderPullServantJndiName><attributes/></document>

              of type: com.adobe.idp.Document to type: class com.adobe.idp.taskmanager.form.impl.binarycontent.BinaryContentFormInstance

              *******************************************************

               

              Oh great, a conversion problem when I try to remove the policy! Incidentally I get this same conversion problem when I try to remove a signature using the Clear Signature on a form that has NOT had any policy placed on it at all.

               

               

              So basically, to sum up these are the main issues

              1) Can digital signatures be removed from a form that has a policy placed on it, or do I have to remove the policy first?

              2) Why am I getting these coercion errors? As I understood it using a Document Form variable is the correct way to go. What should I do to resolve this?

               

              So can anyone shed a little light on this?

               

              Thanks

              Billy

              • 4. Re: Removing signatures in a digital signature field
                SForrest96 techies

                Billy

                 

                You don't need\want to Remove the policy to be able to sign the document.  Use the "Unlock Policy Protected PDF" operation, this temporarily decrypts the document so you can work with it (i.e. sign it).  When the work is done the PDF remains protected with the policy.  "Remove Policy" does just that, it removes the encryption.  You would need to then reapply the policy to get the encryption back, which is problematic in your case as the document will be signed, therefore you will not be able to apply a policy to it.

                 

                There are a couple of things that you need to know for this to work...

                 

                1)  The process that contains the "Unlock Policy Protected PDF" operation must be "Short-Lived".  Typically you would create a separate process to do this and call it as a subprocess from the main one.

                 

                2)  The process that contains the "Unlock Policy Protected PDF" operation must be executed in the *context of a user or account that has permissions to view the document (the user is a member of the policy)

                 

                * to set this, access the Admin UI and set the "Run As" property (Home > Services > Application and Services > Service Management > your service name > Security (tab))

                 

                 

                As for your variable type, you can use a "document" variable if you are dealing with a PDF.  The type "Document Form" is used to hold PDFs that are loaded into the Workspace application that is part of the Process Management ES solution component.

                 

                Regards

                Steve

                • 5. Re: Removing signatures in a digital signature field
                  bilimam Community Member

                  Again, thx for the quick reply Steve, just a few follow up questions;

                   

                  >  Use the "Unlock Policy Protected PDF" operation, this temporarily decrypts the document so you can work with it (i.e. sign it)

                   

                  Could you explain how the document becomes encrypted afterwards? If this temporarily decrypts the document, does it mean that it automatically puts the encryption back on?

                   

                  > The process that contains the "Unlock Policy Protected PDF" operation must be executed in the *context of a user or account that has permissions to view the document (the user is a member of the policy)

                   

                  Would system be good enough for this?

                   

                  > The type "Document Form" is used to hold PDFs that are loaded into the Workspace application that is part of the Process Management ES solution component

                   

                  Which is what I'm trying to do, so I'm guessing I use the setvalue to convert the Document Form to document, and vice versa?

                   

                   

                  Billy

                  • 6. Re: Removing signatures in a digital signature field
                    SForrest96 techies

                    Billy

                     

                    Could you explain how the document becomes encrypted afterwards? If this temporarily decrypts the document, does it mean that it automatically puts the encryption back on?

                    ANSWER:  Basically, the document or parts of it is "decrypted" and stored in memory.  The encryption is automatically re-applied by RM when the process is complete.

                     

                    The process that contains the "Unlock Policy Protected PDF" operation must be executed in the *context of a user or account that has permissions to view the document (the user is a member of the policy)

                     

                    Would system be good enough for this?

                    ANSWER:  You cannot use the system context for the Unlock Policy Protected PDF operation as there is no way to add "System" as a user to the policy.  This is the reason that the "Run As" functionality was introduced in LiveCycle ES Update 1 (ver 8.2x)

                     

                    The type "Document Form" is used to hold PDFs that are loaded into the Workspace application that is part of the Process Management ES solution component

                     

                    Which is what i'm trying to do, so i'm guessing i use the setvalue to convert the Document Form to document, and vice versa?

                    ANSWER:  You can access the "document" (PDF) stored in a Document Form variable by using XPath.  Use the XPath builder to navigate to the document, i.e.  /process_data/DocumentFormVariableNameHere/object/@document  You could map this into a document variable, but you shouldn't have to.

                     

                     

                    Regards

                    Steve

                    • 7. Re: Removing signatures in a digital signature field
                      bilimam Community Member

                      Ok, I have a feeling if I get past this last bit I'll be in the clear. Right now I'm getting a "No view permission(error code bin: 770, hex: 0x302)" error in my log, and I'm assuming it's related to setting the invoke as setting.

                       

                      I created a separate process that contains the unlock service. I made that service short lived. I specified run as to be a specified user to be the policy set coordinator who also has rights to see the form.

                       

                      Is there anything you can see that's missing out?

                       

                      Thanks,

                      Billy

                      • 8. Re: Removing signatures in a digital signature field
                        SForrest96 techies

                        Billy

                         

                        It sounds like you have everything configured correctly... but it would work if everything was correct!  The error you are getting typically means that the user attempting to open the PDF is not included as a member in the policy.

                         

                        1)  Can you open the PDF manually in Reader or Acrobat using the same user you have set as the "Run As" account?

                         

                        2)  Is the user who is the Policy Set Coordinator also a member of the policy that is applied to the PDF you are testing with?

                         

                        The user account that is specified in the "Run As" setting must be a member of the policy that was applied to the PDF that you are using.

                         

                        Regards

                        Steve

                        • 9. Re: Removing signatures in a digital signature field
                          bilimam Community Member

                          Yes on both counts. The user is able to pass the login when prompted by the rights management, and I set all the users of the domain as members of the policy. I just went and specified the user specifically as well, but still no go.

                          • 10. Re: Removing signatures in a digital signature field
                            SForrest96 techies

                            Billy

                             

                            Can you post a screen shot of the "Security" tab and the settings for your service that you created to unlock the PDF?  Also, if possible could you export your process and post it as well?

                             

                            Thanks

                            Steve

                            • 11. Re: Removing signatures in a digital signature field
                              bilimam Community Member

                              Sure thing, I appreciate you taking the time. I've attached a screen shot of the securities tab of the subprocess (RemovePolicyAndSignature), and you can see that I've set the "invoke as" setting to the user gjames.

                              I've also included a screenshot of the policy "Consultant" in the policy set "Exp" to show that Glenn James (gjames) is a member of the policy as well as the policy set administrator.

                               

                              I've also included the lca file which has the main process (ExpenseSheet), the subprocess (RemovePolicyAndSignature), and the rendering service (RenderExtendedPolicyPDF) which applies the policy and reader extension.

                               

                              Thanks,

                              Bilen

                              • 12. Re: Removing signatures in a digital signature field
                                SForrest96 techies

                                The LCA file did not make it.  Rename the file with a .TXT extension so it will not be blocked.

                                 

                                Thanks

                                Steve

                                • 14. Re: Removing signatures in a digital signature field
                                  SForrest96 techies

                                  The screen shots look like the correct configuration.  I made a few changes\corrections to your "RemovePolicyAndClearSignature" process, tested and got it working on my system.  I attached the new version.  By the way, prior to making the changes, I tested and duplicated your coercion error, it was caused by the fact that your "list" variable had a subtype of document, you were trying to put an object of type "PDFSignatureField" into a "document" variable, therefore the coercion error.

                                   

                                  Changes I made included:

                                   

                                  1)  Changing the "sigLst" variable to have a subtype of "PDFSignatureField"  (You had used "document")

                                  2)  Created a variable of type PDFSignatureField, named "objSignatureField"

                                  3)  Added a "Set Value" step to map the "PDFSignatureField" object from the "sigLst" variable into the "objSignatureField" variable, and a second mapping to map the "name" attribute of the "objSignatureField" (which holds the "PDFSignatureField") into the "signatureName" variable of type string

                                   

                                  I set the service security to "RunAs" a named user, this named user was a member of the policy, and had "Modify" permissions.  I invoked the process from Workbench and was able to see that the resulting PDF file had the signature cleared from the field.

                                   

                                  Hope this helps.

                                   

                                  Regards

                                  Steve

                                  • 15. Re: Removing signatures in a digital signature field
                                    bilimam Community Member

                                    Hmmm, I'm still having the No View Permission when trying to invoke the subprocess through the expensesheet process. Just out of curiosity does the policy get imported as well with the lca? Did you get the No View Permission when you ran it on your system for the first time?

                                     

                                    Thanks,

                                    Billy

                                    • 16. Re: Removing signatures in a digital signature field
                                      SForrest96 techies

                                      Policy Set and Policies do not come across as part of an LCA (and neither do Trust Store settings).

                                       

                                      I created my own test policy and did not get the "No View Permission" error.  Can you test the process I posted (invoke from Workbench, with the "Run As" set to your user) with your policy and document to see if you get the error?

                                       

                                      Regards

                                      Steve

                                      • 17. Re: Removing signatures in a digital signature field
                                        bilimam Community Member

                                        No, I still have problems, I tried setting the user to various different users in the policy. I'm guessing it's just the way that I'm setting the policy, though for the life of me I can't imagine what I'm doing wrong. Is there an online resource somewhere that goes step by step on how to create a policy?

                                         

                                        I'm also wondering though, I'm getting a Not Serializable error coming up as well, can this have anything to do with it?

                                        • 18. Re: Removing signatures in a digital signature field
                                          SForrest96 techies

                                          I'll take a look at your other processes.  I'll let you know what I find shortly.

                                           

                                          Are you using "Record and Playback"?  What step in the process is causing the Not Serializable error?

                                           

                                          Regards

                                          Steve

                                          • 19. Re: Removing signatures in a digital signature field
                                            bilimam Community Member

                                            I get the not serializable error when I run the process, but when I play it back it only shows the no view permission. I included a screenshot to show what I mean.

                                             

                                            Thanks

                                            Billy

                                            • 20. Re: Removing signatures in a digital signature field
                                              SForrest96 techies

                                              Billy

                                               

                                              I tested everything again (including your render service, and your Expense process), and was able to run the process(es) successfully, with no errors.

                                               

                                              I did however create my own policy set and policy which I set in your render service.

                                               

                                              On your end, it has to be an issue between the policy and the user that you are defining as the "Run As" account.

                                               

                                              Can you now post a screen shot of the Policy configuration, including the specific permission details for the user "glennj"?

                                               

                                              Regards

                                              Steve

                                              • 21. Re: Removing signatures in a digital signature field
                                                bilimam Community Member

                                                Sure thing, i've included a couple of screenshots;

                                                • 22. Re: Removing signatures in a digital signature field
                                                  SForrest96 techies

                                                  Billy

                                                   

                                                  I was actually looking for the specific permissions for "glennj"... see attached screen shot for the screen I was referring to.  The user in the screen shot is the account I use to run the "RemovePolicyandClearSignature" process.

                                                   

                                                  Make sure the "glennj" user has the "Modify" permission enabled.

                                                   

                                                  Thanks

                                                  Steve

                                                  • 23. Re: Removing signatures in a digital signature field
                                                    bilimam Community Member

                                                    I didn't have modify checked off, I had collaborate instead. Just wondering why you can only select one and not the other?

                                                     

                                                    Either way, I changed it around and it's still a no go, it stalls at the unlockPDF.

                                                    • 24. Re: Removing signatures in a digital signature field
                                                      SForrest96 techies

                                                      Billy

                                                       

                                                      The "collaborate" permission is a subset of the "Modify" permission.  If "Modify" is enabled, "collaborate" will also be enabled.

                                                       

                                                      I'm not sure why you are experiencing the error still.  As I have stated before, everything looks ok, and I am able to get it to work in my environment.

                                                       

                                                      At this point, a few things I would try are:

                                                       

                                                      Test with a different\new policy and policy set

                                                      Create a new user that will be used exclusively as the "Run As" account

                                                      Recreate the "RemovePolicyAndClearSignature" process from scratch and test it with your other processes

                                                       

                                                      Regards

                                                      Steve

                                                      • 25. Re: Removing signatures in a digital signature field
                                                        bilimam Community Member

                                                        Ya, I'll try and rebuild everything from scratch. Thanks again for all your help, I'll let you know how it goes.

                                                         

                                                        Billy

                                                        • 26. Re: Removing signatures in a digital signature field
                                                          bilimam Community Member

                                                          Hi Steve, just to give you an update, it seemed that it was the user domain that was causing the problem. I tried just using the defaultDom and there were no complaints. Not sure why it didn't like the domain tho, any ideas?

                                                           

                                                          Thanks,

                                                          Billy

                                                          • 27. Re: Removing signatures in a digital signature field
                                                            SForrest96 techies

                                                            Billy

                                                             

                                                            Does the user "glennj" happen to exist in both domains (DefaultDom and the one you were using previously)?

                                                             

                                                            Steve

                                                            • 28. Re: Removing signatures in a digital signature field
                                                              bilimam Community Member

                                                              I believe at one point he did, but then again there were times where the user was exclusive (ie in one group but not the other) and the issue was still there. There isn't a minimum number of characters or other domain restriction is there?

                                                               

                                                              Billy

                                                              • 29. Re: Removing signatures in a digital signature field
                                                                SForrest96 techies

                                                                Billy

                                                                 

                                                                A user can be in multiple "groups" in that same domain, but a user should not be duplicated in multiple "domains".  If a user is duplicated across domains, LiveCycle will simply find the first instance and stop looking.

                                                                 

                                                                I'm not aware of any restrictions around minimum number of characters etc...

                                                                 

                                                                Steve