1. Developing SOA Applications with Oracle SOA Suite
  2. Using the Human Workflow Service Component
  3. Understanding Human Workflow Services
  4. Introduction to Human Workflow Services
  5. Evidence Store Service and Digital Signatures

Evidence Store Service and Digital Signatures

The evidence store service is used for digital signature storage and nonrepudiation of digitally-signed human workflows. A digital signature is an electronic signature that authenticates the identity of a message sender or document signer. This ensures that the original content of the message or document sent is unchanged. Digital signatures are transportable, cannot be imitated by others, and are automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot repudiate it later. Digital signatures ensure that a human workflow document:

  • Is authentic

  • Has not been forged by another entity

  • Has not been altered

  • Cannot be repudiated by the sender

A cryptographically-based digital signature is created when a public key algorithm signs a sender's message with a sender's private key.

During design time, signatures are enabled for the task. During runtime in Oracle BPM Worklist, when a user approves or rejects the task, the web browser:

  • Asks the user to choose the private key to use for signing.

  • Generates a digital signature using the private key and task content provided by Oracle BPM Worklist.

Figure 34-2 provides an example.

Figure 34-2 Digital Signature and Certificate

Description of Figure 34-2 follows
Description of "Figure 34-2 Digital Signature and Certificate"

Note:

  • The certificate refers to a Personal Information Exchange Syntax Standard (PFX) file that includes a certificate and a private key, and is protected by a simple text password. PFX specifies a portable format for storing or transporting a user's private keys, certificates, miscellaneous secrets, and so on.

  • The possession of a private key that corresponds to the public key of a certificate is sufficient to sign the data, because the signature is verifiable through the public key in the certificate. However, no attempt is made to correlate the name of a user of a certificate with the person updating it. For example, user jstein can sign using the private key of user cdickens if jstein has that private key.

The following digital signature features are supported:

  • PKCS7 signatures based on X.509 certificates

  • Browser-based, digitally-signed content without attachments