Introduction
To complete its signing and verification flows, SWS relies on external services (for example, downloading all the trusted lists, or sending the hash to be signed to the Namirial server). The main communications used by SWS are described below. If these communications are not allowed, SWS will not work correctly.
Ports and Protocols Usages (firewall rules)
Below is the list of ports and protocols used by SWS (outbound traffic):
Operation | Description | Frequency | Protocol | Ports | TCP/UDP | Address | SWS Environment |
---|---|---|---|---|---|---|---|
Signature | Sends a request to the Namirial server for signing the hash | Every call | HTTPS | 443 | TCP | fra.firmacerta.it | PROD |
Timestamp | Sends a request to the Namirial server for applying the timestamp to the hash | Every call | HTTP | 80 | TCP | timestamp.firmacerta.it | PROD |
Timestamp | Sends a request to the Namirial server for applying the timestamp to the hash | Every call | HTTPS | 443 | TCP | timestamp.firmacerta.it | PROD |
Verification OCSP | Sends a request to the OCSP responder to check the certificate | Every call (whenever possible) | OCSP | 80 | TCP | It depends on the CA that issued the certificate used for the signature. For Namirial, the address is: "ocsp.firmacerta.it" | PROD |
Signature | Sends a request to the Namirial server for signing the hash | Every call | HTTPS | 443 | TCP | fra.test.firmacerta.it | TEST |
Timestamp | Sends a request to the Namirial server for applying the timestamp to the hash | Every call | HTTP | 80 | TCP | timestamp.test.firmacerta.it | TEST |
Timestamp | Sends a request to the Namirial server for applying the timestamp to the hash | Every call | HTTPS | 443 | TCP | timestamp.test.firmacerta.it | TEST |
Verification OCSP | To validate the certificate, sends a request to the OCSP responder to check the certificate | Every call (whenever possible) | OCSP | 80 | TCP | It depends on the CA that issued the certificate used for the signature. For Namirial, the address is: "ocsp.firmacerta.it" | PROD |
Verification CRL | To validate the signing certificate, checks its serial number against the CRL | | HTTP/LDAP | 80, 389 | TCP | It depends on the CA that issued the certificate used for the signature. For Namirial, the address is: "crl.firmacerta.it" | PROD |
Verification | At startup, SWS downloads all European trusted roots from the European supervisory agencies | At startup | HTTPS | 443 | TCP | ec.europa.eu (the full link is: https://ec.europa.eu/information_society/policy/esignature/trusted-list/tl-mp.xml) | TEST, PROD |
Updates and Monitoring | Used for receiving automatic updates and receive | Always | JABBER, HTTP, HTTPS | 5222, 443, 80 | TCP | scm.firmacerta.it | TEST, PROD |
NTP sync | Used for synchronization of date and time | Always | NTP | 123 | UDP | | TEST, PROD |
Outbound communication to the Namirial FRA service is done over HTTPS with mutual authentication, using a unique TLS client certificate that Namirial distributes to every applicant in order to identify the calling SWS virtual appliance.
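The table above is the input a firewall administrator has to turn into an egress allowlist for the appliance. The following script is an added example, not part of the SWS product or its documentation: it transcribes the outbound rows from the table into data, filters them by environment, renders them as iptables rules for a dedicated chain (the chain name `SWS_EGRESS` and the iptables format are assumptions of this example), and offers a manual TCP reachability probe for each destination. The page lists the OCSP row twice with identical values, so it appears once here, and the NTP row names no server, so that rule is emitted without a destination.

```python
"""Build an egress allowlist from the SWS ports/protocols table (added example)."""
from dataclasses import dataclass
import socket
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class EgressRule:
    operation: str
    host: Optional[str]        # None: the table does not fix a destination (NTP)
    port: int
    proto: str                 # "tcp" or "udp"
    envs: FrozenSet[str]       # subset of {"PROD", "TEST"}


def _rule(op: str, host: Optional[str], ports: List[int], proto: str, *envs: str):
    return [EgressRule(op, host, p, proto, frozenset(envs)) for p in ports]


# Outbound rows transcribed from the table on this page. OCSP/CRL entries are the
# Namirial ones; certificates from other CAs need their responders added as well.
SWS_EGRESS: List[EgressRule] = (
    _rule("Signature", "fra.firmacerta.it", [443], "tcp", "PROD")
    + _rule("Timestamp", "timestamp.firmacerta.it", [80, 443], "tcp", "PROD")
    + _rule("Verification OCSP", "ocsp.firmacerta.it", [80], "tcp", "PROD")
    + _rule("Verification CRL", "crl.firmacerta.it", [80, 389], "tcp", "PROD")
    + _rule("Signature", "fra.test.firmacerta.it", [443], "tcp", "TEST")
    + _rule("Timestamp", "timestamp.test.firmacerta.it", [80, 443], "tcp", "TEST")
    + _rule("Trusted list download", "ec.europa.eu", [443], "tcp", "TEST", "PROD")
    + _rule("Updates and Monitoring", "scm.firmacerta.it", [5222, 443, 80], "tcp", "TEST", "PROD")
    + _rule("NTP sync", None, [123], "udp", "TEST", "PROD")
)


def rules_for_env(env: str) -> List[EgressRule]:
    """Rules an appliance in the given environment ("PROD" or "TEST") needs."""
    return [r for r in SWS_EGRESS if env in r.envs]


def to_iptables(rules: List[EgressRule], chain: str = "SWS_EGRESS") -> List[str]:
    """Render ACCEPT rules for a dedicated chain, closed by a LOG and a DROP.

    Caveat for operators: iptables resolves a hostname given to -d only when the
    rule is loaded, so the rules must be reloaded if the provider's DNS records
    change (or be rewritten with addresses resolved out of band).
    """
    lines = []
    for r in rules:
        dst = f" -d {r.host}" if r.host else ""
        lines.append(
            f'-A {chain} -p {r.proto}{dst} --dport {r.port} '
            f'-m comment --comment "{r.operation}" -j ACCEPT'
        )
    lines.append(f'-A {chain} -j LOG --log-prefix "SWS-EGRESS-DENY "')
    lines.append(f"-A {chain} -j DROP")
    return lines


def tcp_reachable(rule: EgressRule, timeout: float = 3.0) -> Optional[bool]:
    """Probe one TCP destination from the appliance (run manually; needs network).

    Returns None for rules that cannot be probed this way (UDP, or no fixed host).
    """
    if rule.proto != "tcp" or rule.host is None:
        return None
    try:
        with socket.create_connection((rule.host, rule.port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for line in to_iptables(rules_for_env("PROD")):
        print(line)
```

Run it on the appliance to print the PROD chain; loading the chain and routing the appliance's OUTPUT traffic through it is left to the operator, as is the choice of whether the inbound web-service port (see the next table) is reachable from more than the application hosts that need it.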
Below is the table of inbound protocols:
Service | Description | Protocol | Port | TCP/UDP | SWS Environment |
---|---|---|---|---|---|
Web Services | Web services interfacing | HTTP | 8080 | TCP | TEST, PROD |