Using Fortanix Data Security Manager with Quadient Inspire Designer

1.0 Introduction

This article explains how to integrate Fortanix Data Security Manager (DSM) with Quadient Inspire Designer to add digital signatures to PDF documents using the PKCS#11 protocol.

Fortanix DSM helps securely store and manage cryptographic keys, making it easier to sign documents while keeping them safe and tamper-proof. By connecting Inspire Designer with Fortanix DSM, organizations can ensure their documents are authentic, secure, and compliant with industry standards.

This integration simplifies key management, protects important documents, and works smoothly across different environments such as design, testing, and production.

2.0 How Fortanix DSM Works With Inspire Designer

This section explains how Fortanix DSM integrates with Quadient Inspire Designer to enable secure digital signatures for PDF documents using the PKCS#11 protocol.

Fortanix DSM acts as a centralized key management system, securely storing cryptographic keys and handling signing operations. Quadient Inspire Designer connects to Fortanix DSM through PKCS#11, allowing it to access cryptographic keys and sign documents without exposing sensitive credentials. This ensures that every signed document is authentic, tamper-proof, and compliant with security standards.

During the integration:

  • Fortanix DSM stores and protects private keys used for signing.

  • Quadient Inspire Designer communicates with DSM using PKCS#11 and has DSM sign with the required key when signing a PDF; the private key itself stays inside DSM.

  • A digital signature is applied, ensuring the document's integrity and verifying the signer’s identity.

3.0 Prerequisites

To successfully integrate Fortanix DSM with Quadient Inspire Designer for digital signatures, ensure you have the following:

4.0 Product Tested Version

This integration has been tested on the following versions:

  • Quadient Inspire Designer version 17.FMATS

  • Fortanix PKCS#11 latest version

5.0 Architecture Workflow

Figure 1: Architecture diagram

This architecture explains how Quadient Inspire Designer integrates with Fortanix DSM to securely generate digitally signed PDFs. The workflow is divided into two main stages, design and runtime, both of which involve specific interactions with Fortanix DSM through the PKCS#11 library.

During the design phase, users work with Inspire Designer to create a Workflow Definition (WFD) file. This file contains the structure, styling, and communication logic for the final PDF output. In parallel, the user creates a JOB file. This file includes important runtime instructions, such as the path to the PKCS#11 library and details about the digital certificate to be used for signing. Once created, both the WFD and JOB files are stored in Inspire Content Manager (ICM), which acts as a central repository and version control system for design assets.

At this stage, Fortanix DSM comes into the picture through the PKCS#11 library. The JOB file references the local PKCS#11 library, which is configured to communicate with the Fortanix DSM application. Fortanix DSM securely stores the certificate and private signing key within its hardware-backed secure enclave. This ensures that the private key never leaves the protected environment and signing operations remain tamper-proof.

In the runtime phase, Inspire Production Server (IPS) retrieves the WFD and JOB files from ICM. It also pulls input data from external sources such as files or databases to generate a PDF document. Once the PDF content is prepared, IPS creates a hash (or fingerprint) of the content. This fingerprint is passed to the PKCS#11 library, which acts as a secure channel to Fortanix DSM.

Fortanix DSM receives the fingerprint and signs it, using the stored private key inside its secure enclave. It then returns the digital signature to the Inspire Production Server. IPS applies this digital signature to the final PDF, completing the process. The result is a digitally signed PDF that is ready for secure distribution.

Fortanix DSM plays a central role in this workflow by ensuring that all digital signing operations are executed in a secure, compliant, and auditable manner. It enforces key protection, enables secure key usage through industry-standard PKCS#11 integration, and supports high-throughput signing without compromising on cryptographic security.
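The runtime fingerprint described above is computed over specific byte ranges of the PDF. As an added example (not Quadient or Fortanix code), the Python below assumes the standard ISO 32000 signature dictionary with a /ByteRange array and checks, on a constructed byte string, that the signed ranges span the whole file except the signature placeholder. The names build_sample and check_signed_ranges are hypothetical.

```python
import hashlib
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
HEX_STRING = re.compile(rb"<[0-9A-Fa-f\s]*>")


def build_sample(appended=b""):
    """Constructed stand-in for a signed PDF; only the signature dictionary is modelled."""
    prefix = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange ["
    hole = b"<" + b"00" * 16 + b">"  # placeholder where the signature value is stored
    tail = b" >>\nendobj\n%%EOF\n"
    start = len(prefix) + len(b"0 0000000000 0000000000 0000000000] /Contents ")
    ranges = b"0 %010d %010d %010d] /Contents " % (start, start + len(hole), len(tail))
    return prefix + ranges + hole + tail + appended


def check_signed_ranges(pdf, digest="sha256"):
    """Return (findings, hex digest of the signed bytes) for the last signature."""
    found = BYTE_RANGE.findall(pdf)
    if not found:
        return ["no-byterange"], None
    a, b, c, d = (int(n) for n in found[-1])
    if a + b > c or c + d > len(pdf):
        return ["invalid-byterange"], None
    findings = []
    if a != 0:
        findings.append("signed-range-does-not-start-at-0")
    # The only unsigned bytes should be the hex string holding the signature value.
    if not HEX_STRING.fullmatch(pdf[a + b:c]):
        findings.append("gap-is-not-a-hex-string")
    # Bytes past the second range are not covered by this signature's digest.
    if c + d != len(pdf):
        findings.append("bytes-after-signed-range")
    h = hashlib.new(digest)
    h.update(pdf[a:a + b])
    h.update(pdf[c:c + d])
    return findings, h.hexdigest()
```

Bytes appended after the signed range leave the digest unchanged, which is why the coverage check is reported separately from the digest.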

6.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

6.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

6.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 2: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

6.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

    Figure 3: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

6.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

    Figure 4: Add application

  2. On the Adding new app page, do the following:

    1. App name: Enter the name for your application.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

    4. Assigning the new app to groups: Select the group created in Section 6.3: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

6.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 6.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click VIEW API KEY DETAILS.

  3. From the API Key Details dialog box, copy the API Key of the app to use it as the value of PIN in the DigitalSignatureDeviceConfig.json configuration file.

7.0 Integration Steps

This section outlines the steps required to integrate Fortanix DSM with Inspire Designer for digital signature processing using the PKCS#11 interface. The integration involves configuring the Fortanix DSM PKCS#11 library, updating Inspire Designer settings, and verifying the functionality.

7.1 Configuring JSON Configuration File

To enable digital signing in Inspire, create a configuration file named DigitalSignatureDeviceConfig.json and place it in the appropriate location.

You must store the DigitalSignatureDeviceConfig.json file in one of the following locations:

  • The same directory as Inspire.exe or InspireProductionServer.exe.

  • The Redist folder.

  • A custom location defined in the CX_DIGITALSIGNATUREDEVICECONFIG environment variable.

The DigitalSignatureDeviceConfig.json file defines the digital signing devices that will be used for cryptographic operations.

It includes the following parameters:

  • ID – A unique identifier for the device used for signing. This ID must remain consistent across all environments, such as design, test, and production.

  • Library – The file path to the PKCS#11 library used for cryptographic operations.

    NOTE

    Ensure that only one path format such as absolute, relative, soft link, or hard link is used. Mixing different path types is not recommended.

    {
      "Devices": [
        {
          "ID": "Soft HSM Slot 0",
          "Library": "C:/SoftHSM2/lib/softhsm2-x64.dll",
          "SlotID": "0x1e578ba",
          "PIN": "***",
          "CKAID": "0xA2"
        }
      ]
    }

  • PIN – The passphrase used to access the certificate.

    • For Fortanix DSM: This is either an API key or a reference to a configuration file containing the API key, as copied in Section 6.5: Copying the API Key. For more information on the specific PIN format, refer to User PIN.

      NOTE

      The passphrase is stored in plaintext; therefore, restrict file access to authorized personnel only.

  • Log – Enables logging of configuration-related activities. Set "Log": true to log events in log.txt.

    NOTE

    Logging may slow down performance and is primarily recommended for debugging.

  • SingleThread – Enables a single-thread approach, which is recommended for debugging and issue resolution. Set "SingleThread": true for every device that uses a given Library. If not specified, the operation defaults to multithreaded mode.
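The parameter rules above can be checked before the file is deployed. The following Python is an added example, not part of Inspire Designer or Fortanix DSM: it lints a DigitalSignatureDeviceConfig.json for duplicate IDs, missing PINs, mixed Library path formats, enabled logging, and SingleThread set on only some devices of a Library. The sample values are constructed placeholders, the function names are hypothetical, and placing "Log" inside each device entry is an assumption.

```python
import json
from collections import defaultdict
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample: key names are the page's, every value is a placeholder.
SAMPLE = """{"Devices": [
  {"ID": "signer-a", "Library": "C:/example/pkcs11-placeholder.dll",
   "PIN": "PLACEHOLDER_API_KEY", "SingleThread": true, "Log": true},
  {"ID": "signer-a", "Library": "C:/example/pkcs11-placeholder.dll", "PIN": ""},
  {"ID": "signer-b", "Library": "pkcs11-placeholder.dll", "PIN": "PLACEHOLDER_API_KEY"}
]}"""


def is_absolute(path):
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def lint_config(text):
    """Return sorted (device_index, finding) pairs; index -1 means file-wide."""
    devices = json.loads(text).get("Devices", [])
    findings, seen_ids, by_library = set(), set(), defaultdict(list)
    for i, dev in enumerate(devices):
        if dev.get("ID") in seen_ids:
            findings.add((i, "duplicate-id"))
        seen_ids.add(dev.get("ID"))
        if not dev.get("PIN"):
            findings.add((i, "missing-pin"))
        else:  # the PIN sits in the file as plaintext, so the file needs a tight ACL
            findings.add((-1, "plaintext-pin-restrict-file-access"))
        if dev.get("Log") is True:  # assumption: "Log" is set per device entry
            findings.add((i, "log-enabled-debug-only"))
        by_library[dev.get("Library", "")].append(i)
    # One path format only: absolute and relative Library values must not be mixed.
    if len({is_absolute(lib) for lib in by_library}) > 1:
        findings.add((-1, "mixed-library-path-formats"))
    # SingleThread has to be set on every device that shares a Library.
    for indexes in by_library.values():
        flags = [devices[i].get("SingleThread") is True for i in indexes]
        if any(flags) and not all(flags):
            findings.update((i, "singlethread-not-set") for i, on in zip(indexes, flags) if not on)
    return sorted(findings)
```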

7.2 Configuring Digital Signature Device

Once the DigitalSignatureDeviceConfig.json file has been set up, perform the following steps to configure and verify the digital signature device within Inspire Designer.

NOTE

Ensure that you restart Inspire Designer before proceeding with the verification, as some configuration changes may require a restart for the settings to take effect.

Perform the following steps to configure the digital signatures in Inspire Designer:

  1. Launch Inspire Designer from the Start menu.

  2. Go to Tools in the top menu and select Configurations… from the drop-down menu.

  3. In the Configuration window, expand PDF Engine Config and click Digital Signatures.

    Figure 5: Configure digital signatures tab

  4. On the Digital Signatures tab, enter the required information for each field.

    1. Add digital signatures: Select this check box to activate the digital signature options for the document.

    2. Digest method: Select the required Secure Hash Algorithm (SHA) digest method from the drop-down menu. The available options are:

      • SHA-1 – Produces a 20-byte digest.

      • SHA-256 – Produces a 32-byte digest.

      • SHA-384 – Produces a 48-byte digest.

      • SHA-512 – Produces a 64-byte digest.

    3. In the Identities section, define the method of digital signing. There are three available tabs:

      1. Preset Devices: This tab allows you to select one of the devices automatically loaded from the DigitalSignatureDeviceConfig.json file.

        NOTE

        If a device ID is defined in both the JOB file (old method) and JSON configuration file, settings from the JSON configuration file will take precedence.

    4. Set the Signature Method as required. For more information, refer to the Signature Method section of the official documentation.

    5. Set the Identity Selection Method as required. For more information, refer to the Identity Selection Method section of the official documentation.

    6. Set the Reason for Signing as required. For more information, refer to the Reason for Signing section of the official documentation.

    NOTE

    Verify that the configured digital signature device is detected. Ensure the device details, such as ID, Library Path, Slot ID, and PIN, match the values defined in the DigitalSignatureDeviceConfig.json file.

  5. Click SAVE to keep the changes.

  6. Click OK to exit the configuration window.

  7. Navigate to Production → Start Production and generate a sample digitally signed PDF to ensure the setup works correctly. For more information, refer to the Main Production Window section of the official documentation.

    Figure 6: Signed PDF

  8. Open the generated PDF in a PDF reader or signature validation tool to verify the applied digital signature.

  9. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 6.4: Creating an Application to go to the detailed view of the app and view the audit logs.

    Figure 7: App audit logs