Document toolboxDocument toolbox

Configuration of BankID C Server

Owned by S (Deactivated)
07 Sept 2017
3 min read

The configuration of BankID C Server can be done programmatically via the API or by using a configuration file. If no configuration file is present, the required parameters must be supplied during the creation of a merchant session. All configuration parameters are described below.

Name of key

Example value

Description

webaddress

www.merchant.com,192.123.12.2

The DNS name of the Merchant web server comma separated with all IP addresses that resolve to this DNS name.

truststore

C:\ssl\truststore

This directory points to a location where there will reside one or several files with the extension ".0". Each of these files contain a BankID Root Certificate for the given environment. By placing a ".0" file for an environment in this location, the merchant trusts SSL certificates for the given environment.

grantedpolicies

2.16.578.1.16.1.6.1.1,
2.16.578.1.16.1.9.1,
2.16.578.1.16.1.12.2.1


ALL

BankID Server does not allow the use of any kind of certificates if this parameter is not specified. This comma separated list tells BankID C Server which certificates can be used for cryptographic services.

The special value ALL grants access to any kind of BankID Certificate.

The defined policy OIDs is described in 4.1.

httpproxyserver

or

vahttpproxyserver
mgmfehttpproxyserver
serviceshttpproxyserver

192.168.10.1

The ip address of a local http proxy server. If the merchant application resides behind a HTTP proxy server, this value must be set to be able to communicate with other components like VA and MGMFE.

httpproxyport

or

vahttpproxyport
mgmfehttpproxyport
serviceshttpproxyport

8080

The port where the http proxy server listens

httpproxycredentials
vahttpproxycredentials
mgmfehttpproxycredentials
serviceshttpproxycredentials

username:password

Proxy user and password separated by a ":"

vatimeout1

30

The timout in seconds communicating with the VA.


It is possible to configure separate proxy settings for the communication with VA server and mobile gateway server. These are the keys with prefixes "va" and "mgmfe" respectively and will override the default proxy settings for that specific server. Note that both proxy server and port must be present to override the default settings, and that is only possible using the configuration file.

1 The vatimeout affects the BID_GetCertStatus, BID_GetOwnCertStatus and BID_VerifyTransactionRequest methods. See BID_VerifyTransactionRequest for more information.

Defined policy values

Policy OID

Description

"2.16.578.1.16.1.6.1.1"

Soft merchant certificate

"2.16.578.1.16.1.6.2.1"

HSM merchant certificate

"2.16.578.1.16.1.9.1"

NetCentric personal certificate

"2.16.578.1.16.1.11.2.1"

NetCentric employee certificate

"2.16.578.1.16.1.12.1.1"

NetCentric Qualified personal certificate

"2.16.578.1.16.1.13.1.1"

NetCentric Qualified employee certificate

"2.16.578.1.16.1.12.2.1"

Mobile personal certificate

 

Sample configuration file

webaddress=www.merchant.no,192.156.2.3
grantedpolicies=2.16.578.1.16.1.6.1.1,2.16.578.1.16.1.9.1
truststore=C:\BankID_Distribusjon\C-versjon\Config\ssl

Supported document formats

The BankID C Server API supports several different document formats when used in sign operations. The table below shows the formats and the client type that supports it. 

Client

Text

BIDXML

PDF

BankID on mobile

X

 

 

BankID 2.0 (WebClient)

X

X

X

BankID 2.1 (WebClient)

X

X

X

Note that the text that is signed in BankID on mobile signing is limited to 120 characters. In addition to this the text is washed against the GSM character map (invalid characters are removed). At present all texts that are to be signed with BankID on mobile starts with two control characters. These characters are added by BankID C Server.

Additional configuration

In BankID authentication and signing processes merchant applications need to initialize a client, handle client callbacks and verify the end users signature ( by verifying the end-user’s certificate status ). In  these cases BankID Server needs to contact remote BankID applications.

To be able to use the BankID Server, a .bid file must be generated. The generation of bid-files are beyond the scope of this document, but a detailed description is provided in the HAT User Guide [HAT].

Useful information

It is important that programmers implementing the merchant application are aware of the following:

  • BankID Server supports the PKCS#11 interface and therefore requires that the merchant HSM supplies a PKCS#11 driver/adapter. Even if an HSM has a PKCS#11 driver it is not given that BankID Server works with this HSM. HSM vendors are free to implement subsets of the PKCS#11 interface, if the PKCS#11 driver does not expose the required PKCS#11 methods that BankID Server uses, then the use of the HSM will fail.

BankID C Server is tested on the following HSMs:

  • SafeNet Luna SA v3.1 (PKCS#11 driver: cryptoki.dll)
  • SafeNet Luna PCI-7000 (PKCS#11 driver: cryptoki.dll)
  • SafeNet Luna SA v3.1 (PKCS#11 driver: cryptoki2_64.so)