The configuration of BankID C Server can be done programmatically via the API or by using a configuration file. If no configuration file is present, the required parameters must be supplied during the creation of a merchant session. All configuration parameters are described below.

Name of key	Example value	Description
webaddress	www.merchant.com,192.123.12.2	The DNS name of the Merchant web server comma separated with all IP addresses that resolve to this DNS name.
truststore	C:\ssl\truststore	This directory points to a location where there will reside one or several files with the extension ".0". Each of these files contain a BankID Root Certificate for the given environment. By placing a ".0" file for an environment in this location, the merchant trusts SSL certificates for the given environment.
grantedpolicies	2.16.578.1.16.1.6.1.1, 2.16.578.1.16.1.9.1, 2.16.578.1.16.1.12.2.1 ALL	BankID Server does not allow the use of any kind of certificates if this parameter is not specified. This comma separated list tells BankID C Server which certificates can be used for cryptographic services. The special value ALL grants access to any kind of BankID Certificate. The defined policy OIDs is described in 4.1.
httpproxyserver or vahttpproxyserver mgmfehttpproxyserver serviceshttpproxyserver	192.168.10.1	The ip address of a local http proxy server. If the merchant application resides behind a HTTP proxy server, this value must be set to be able to communicate with other components like VA and MGMFE.
httpproxyport or vahttpproxyport mgmfehttpproxyport serviceshttpproxyport	8080	The port where the http proxy server listens
httpproxycredentials vahttpproxycredentials mgmfehttpproxycredentials serviceshttpproxycredentials	username:password	Proxy user and password separated by a ":"
vatimeout¹	30	The timout in seconds communicating with the VA.

It is possible to configure separate proxy settings for the communication with VA server and mobile gateway server. These are the keys with prefixes "va" and "mgmfe" respectively and will override the default proxy settings for that specific server. Note that both proxy server and port must be present to override the default settings, and that is only possible using the configuration file.

1 The vatimeout affects the BID_GetCertStatus, BID_GetOwnCertStatus and BID_VerifyTransactionRequest methods. See BID_VerifyTransactionRequest for more information.

Defined policy values

Policy OID	Description
"2.16.578.1.16.1.6.1.1"	Soft merchant certificate
"2.16.578.1.16.1.6.2.1"	HSM merchant certificate
"2.16.578.1.16.1.9.1"	NetCentric personal certificate
"2.16.578.1.16.1.11.2.1"	NetCentric employee certificate
"2.16.578.1.16.1.12.1.1"	NetCentric Qualified personal certificate
"2.16.578.1.16.1.13.1.1"	NetCentric Qualified employee certificate
"2.16.578.1.16.1.12.2.1"	Mobile personal certificate

Sample configuration file

webaddress=www.merchant.no,192.156.2.3
grantedpolicies=2.16.578.1.16.1.6.1.1,2.16.578.1.16.1.9.1
truststore=C:\BankID_Distribusjon\C-versjon\Config\ssl

Supported document formats

The BankID C Server API supports several different document formats when used in sign operations. The table below shows the formats and the client type that supports it.

Client	Text	BIDXML	PDF
BankID on mobile	X
BankID 2.0 (WebClient)	X	X	X
BankID 2.1 (WebClient)	X	X	X

Note that the text that is signed in BankID on mobile signing is limited to 120 characters. In addition to this the text is washed against the GSM character map (invalid characters are removed). At present all texts that are to be signed with BankID on mobile starts with two control characters. These characters are added by BankID C Server.

Additional configuration

In BankID authentication and signing processes merchant applications need to initialize a client, handle client callbacks and verify the end users signature ( by verifying the end-user’s certificate status ). In these cases BankID Server needs to contact remote BankID applications.

To be able to use the BankID Server, a .bid file must be generated. The generation of bid-files are beyond the scope of this document, but a detailed description is provided in the HAT User Guide [HAT].

Useful information

It is important that programmers implementing the merchant application are aware of the following:

BankID Server supports the PKCS#11 interface and therefore requires that the merchant HSM supplies a PKCS#11 driver/adapter. Even if an HSM has a PKCS#11 driver it is not given that BankID Server works with this HSM. HSM vendors are free to implement subsets of the PKCS#11 interface, if the PKCS#11 driver does not expose the required PKCS#11 methods that BankID Server uses, then the use of the HSM will fail.

BankID C Server is tested on the following HSMs:

SafeNet Luna SA v3.1 (PKCS#11 driver: cryptoki.dll)
SafeNet Luna PCI-7000 (PKCS#11 driver: cryptoki.dll)
SafeNet Luna SA v3.1 (PKCS#11 driver: cryptoki2_64.so)

Browser not supported