
See also: “Configuring Jobs and Checking Job Protocol” on page 95.

Command: hashtree

Arguments: Archive name

Scheduling: If you use ArchiSig timestamps, schedule a nightly job. If the hash trees are written to a storage system, make sure that the job is finished before the Writejob starts.

7.4.4 Renewing Hash Trees

Renewal of hash tree

If documents must be retained a very long time (more than 20 years), the hash algorithm that is used to calculate the hash values may become unsafe. In this rare case, the hash tree must be renewed: The system reads the documents and calculates new hash values and a new hash tree with a new hash algorithm, and signs the new tree with a time stamp. This procedure is very time-consuming.

If you need to renew your hash trees, contact OpenText Customer Support.

7.4.5 Renewing Timestamps of Hash Trees

Renewal of timestamps

Electronically signed documents can lose their validity in the course of time, because the availability and verifiability of certificates is limited (depending on regional laws) and the key lengths, certificates, and cryptographic and hash algorithms can become unsafe. Therefore, you can renew the timestamps for long-term stored documents. You should renew the timestamps before

the certificate is invalid,

the key length is unsafe,

the cryptographic algorithm is unsafe,

the public key method is unsafe.

You need only one new timestamp per hash tree. No access to the documents is necessary.

To renew timestamps:

1. Configure a new certificate on your timestamp server, make sure that it is available for the Archive Server, and enable it in the Timestamp Certificates tab in the Certificates entry in Key Store in the System object of the console tree. Details: “Timestamp Usage” on page 111.

2. In a command line, enter:

dsHashTree show names

3. In the resulting list, find the distinguished subject name(s) of your timestamp service (subject of the service’s certificate).

4. In a command line, enter:

dsHashTree -a <ArchiveName> -s <DistinguishedNameOfOldCertificate>

The process finds all timestamps that were created with the certificate indicated in the command. It calculates hash values for the timestamps and builds new hash trees. Each hash tree is signed with a new timestamp.
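The following Python example, added here and not OpenText code, models why renewal needs only the old timestamps and not the documents: a hash tree is built over document hashes and its root is timestamped; at renewal, the old timestamp tokens are hashed into a new tree that gets one new timestamp, and a document is verified by chaining through both trees. The timestamp function and the key names are constructed stand-ins for a real timestamp service.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the parts."""
    return hashlib.sha256(b"".join(parts)).digest()

def build_tree(leaves):
    """Levels of a binary hash tree, leaves first, root last; odd trailing node is carried up."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([h(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def audit_path(levels, index):
    """(sibling_is_left, sibling_hash) pairs from leaf `index` up to the root."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            path.append((sib < index, level[sib]))
        index //= 2
    return path

def root_from_path(leaf, path):
    for left, sib in path:
        leaf = h(sib, leaf) if left else h(leaf, sib)
    return leaf

def timestamp(root, tsa_key):
    """Constructed stand-in for an RFC 3161 token; a real TSA signs root and time."""
    return h(b"TS", tsa_key, root)
OLD_KEY, NEW_KEY = b"tsa-cert-old", b"tsa-cert-new"   # constructed stand-ins
def archive_tree(docs):
    """Nightly job: build a tree over the document hashes and timestamp the root."""
    levels = build_tree([h(d) for d in docs])
    return levels, timestamp(levels[-1][0], OLD_KEY)

def renew_timestamps(old_tokens):
    """Renewal: hash the old tokens into a new tree and timestamp that.
    Only the tokens are read; no document is touched."""
    levels = build_tree([h(t) for t in old_tokens])
    return levels, timestamp(levels[-1][0], NEW_KEY)

def verify_document(doc, idx, old_levels, old_tok, tok_idx, new_levels, new_tok):
    """Chain: document -> old root -> old token -> new root -> new token."""
    old_root = root_from_path(h(doc), audit_path(old_levels, idx))
    if timestamp(old_root, OLD_KEY) != old_tok:
        return False
    new_root = root_from_path(h(old_tok), audit_path(new_levels, tok_idx))
    return timestamp(new_root, NEW_KEY) == new_tok
```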

7.4.6 Migrating Existing Document Timestamps

You can migrate existing document timestamps into hash trees and sign the tree with a timestamp. Thus, you can significantly reduce the number of timestamps required for timestamp renewal.

Important

You can migrate document timestamps only once! Never disable ArchiSig timestamps after starting migration.


To migrate existing timestamps:

1. Configure as described in “Basic Settings” on page 113.

2. In a command line, call the timestamp migration tool for each pool to be migrated:

dsReSign -p <pool name>

3. Call the hash tree creation tool for each archive with migrated timestamps:

dsHashTree <archive name>

The tools calculate hash values from the existing timestamps, build hash trees and get a timestamp for each tree.

7.5 Certificates

Certificates

A certificate is an electronic document which uses a digital signature to bind together a public key with information on the client issuing this public key (information such as the name of a person or an organization, their address, and so forth). The certificate can be used to verify that a public key belongs to an individual, e.g., an archive uses this information to verify requests based on signed URLs from various clients.

Certificate use cases

Archive Server uses certificates for various use cases:

Authentication certificates, used for signed URLs; see “Configuring a Certificate for Authentication” on page 122

Encryption certificates, used for document encryption; see “Configuring a Certificate for Document Encryption” on page 125

Timestamp certificates, used for document verification; see “Importing a Certificate for Timestamp Verification” on page 126

PEM files

A PEM file (Privacy Enhanced Mail Security Certificate) is an encoded certificate file used to store a public key and certificate. Archive Server uses various PEM files.

Certificates for Remote Standby

In a Remote Standby environment, the Synchronize_Replicates job copies the certificates for authentication. Only enabled certificates are copied. The certificate on the Remote Server is disabled after synchronization; enable it as described in the procedure “Enabling a Certificate” on page 119.

7.5.1 Basic Procedures and Commands

Introduction

This topic provides some basic knowledge of certificates, e.g., how to create a certificate using the Certtool or how to enable a certificate. These basic procedures are relevant for configuration of authentication certificates, encryption certificates and timestamp certificates.

authentication certificates, i.e., Global tab or the Assigned tab

encryption certificates, i.e., Encryption Certificates tab

timestamp certificates, i.e., Timestamp Certificates tab

7.5.1.1 Checking a Certificate

Certificates can be checked manually by approving their fingerprint. Just as every human's fingerprints are unique, every certificate's fingerprint is unique. The fingerprint is a hash of the certificate and is shown as one of the certificate's properties, as a hexadecimal number. Using the View Certificate action, certificates can be displayed for reading.

To verify the authenticity of the transmitted certificate, the system administrators of the leading application and the Archive Server compare the fingerprints of the sent and the received certificates. If the fingerprints match, the archive administrator enables the certificate (see “Enabling a Certificate” on page 119).

To establish the validity of someone's certificate, you can trust that a third party has gone through the process of validating it. A Certification Authority (CA), for example, is responsible for ensuring that, prior to issuing a certificate, it carefully checks that the public key portion really belongs to the purported owner. Anyone who trusts the CA will automatically consider any certificates signed by the CA to be valid.

The following procedure describes the manual verification by checking the fingerprint.

To check a certificate:

1. Select Key Store in the System object of the console tree.

2. Select the Certificates object and select the appropriate <certificate> tab in the