
Getting started with the UI console

Auditors can use the Offline Signing Orchestrator UI console to view, approve, or deny documents on the preconfirmation and postconfirmation queues. Operators can use the UI console to start a signing iteration or perform a system flush. This section explains how to set up the client machine for the UI console and how to start the UI console in a supported browser.

Configuring the UI console client machine

You must configure the client machine where the UI console will run using a supported browser.

Prerequisites

  • Certificate and key for the Auditor or Operator that will be using the UI console. The certificate will be generated and supplied by the System Custodian.

  • Get the IP address of the LPAR hosting the UI server.

  • Obtain the Offline Signing Orchestrator server component CA certificate from the System Custodian.

  • Use a supported browser.

Importing required keys and certificates

To run the UI on your local computer, obtain the key and certificate for an Auditor or Operator who will be using the console UI. The user's certificate can be obtained from the System Custodian. Additionally, you will need the server CA cert returned from the Offline Signing Orchestrator backend.

macOS

  1. Load the required key and certs into the system Keychain according to the following example:

    cat ./approver-cert.pem >> ./mac-keys
    cat ./approver-key.pem >> ./mac-keys
    cat ./component-ca-cert.pem >> ./mac-keys
    security import ./mac-keys ~/Library/Keychains/login.keychain

  2. Launch the Keychain Access application.
  3. Under the Default Keychains section, click Login and then click the My Certificates tab.
  4. Locate the name of the certificate you just imported and double-click it.
  5. In the new window that opens, expand the Trust section and set the value for When using this certificate to Always Trust.
  6. Close the window and enter your authentication credentials to confirm the change.
  7. Click the Certificates tab and search for the Offline Signing Orchestrator server component CA certificate (for example, "dap.local") that was also imported.
  8. Double-click the certificate name.
  9. In the new window that opens, expand the Trust section and set the value for When using this certificate to Always Trust.
  10. Close the window and enter your authentication credentials to confirm the change.

Windows

  1. Ensure that the required Offline Signing Orchestrator keys/certs are transferred to the Windows client machine.

  2. Create Personal Information Exchange (.pfx) files from the keys/certs for the required users according to the following example:

    C:\oso-test-certs\test-certs>"\Program Files\Git\usr\bin\openssl.exe" pkcs12 -export -out .\approver.pfx -inkey .\approver-key.pem -in .\approver-cert.pem
    
  3. Open Windows Certificate Manager.

  4. Import the earlier generated .pfx files into the Personal Certificates.

  5. Import component-ca-cert.pem into the Trusted Root Certificate Authorities.
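
Before importing on either platform, the PEM files can be checked from a shell. The following script is an added example, not part of the Offline Signing Orchestrator tooling: it confirms that the private key belongs to the user certificate, that neither certificate has expired, and prints the CA fingerprint to confirm with the System Custodian. The function names are hypothetical, an unencrypted key file is assumed, and the file-permission check is only meaningful on macOS or Linux.

```shell
#!/bin/sh
# Added example: pre-import checks on the PEM files named in the steps above.
# Function names are hypothetical; file names follow the page's examples.

# Succeeds only if the private key ($2) belongs to the certificate ($1):
# the public key in the cert must equal the one derived from the key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate ($1) is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Succeeds if the file ($1) grants no permissions to group or others.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Prints the SHA-256 fingerprint of a certificate ($1).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Runs every check; arguments: user cert, user key, server component CA cert.
preimport_check() {
    key_matches_cert "$1" "$2" || { echo "key does not match $1" >&2; return 1; }
    key_is_private "$2" || { echo "$2 is accessible to group/others" >&2; return 1; }
    cert_valid_for "$1" || { echo "$1 has expired" >&2; return 1; }
    cert_valid_for "$3" || { echo "$3 has expired" >&2; return 1; }
    # Compare this value with the System Custodian before trusting the CA.
    echo "CA SHA-256 fingerprint: $(cert_fingerprint "$3")"
}

# Run directly: sh preimport.sh approver-cert.pem approver-key.pem component-ca-cert.pem
if [ "$#" -eq 3 ]; then
    preimport_check "$1" "$2" "$3"
fi
```

After a successful import on macOS, delete ./mac-keys, because it contains a copy of the private key.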

Mapping the UI server IP address to host name

  1. On Windows, update C:\Windows\System32\drivers\etc\hosts with the IP address and host names of the Offline Signing Orchestrator server(s).

  2. In the /etc/hosts file on your local computer, add the following mapping:

    LPAR1_IP_ADDRESS <prefix>-cs-ui-server.dap.local
    

    <prefix> - Specify the prefix used when deploying the Offline Signing Orchestrator components.

Launching or accessing the UI console

Auditors and Operators can complete their tasks in the UI console.

  • Once the client machine configuration is complete, go to https://<prefix>-cs-ui-server.dap.local:3000?role=<user-role> using one of the supported browsers on the client machine.

    - `<prefix>` - Specify the prefix used when deploying the Offline Signing Orchestrator components.
    - `<user-role>` - Specify the role of the user launching the UI: Auditor or Operator.
    
  • When the UI console loads, you'll need to select your certificate and enter your client machine credentials. After that, you can carry out your user role tasks.

  • Remember to close the browser after using the Offline Signing Orchestrator UI console to clear the client certificate-based authentication and prevent unauthorized access.

Using the UI with the test components and test data

This section is applicable only when the test components (frontend, frontend-plugin, backend, and backend-plugin) are deployed in the environment.

  1. Run the oso_cli.py command to generate test documents.

    oso_cli.py <prefix> --cert <path-to-user's-cert-file> --key <path-to-user's-private-key> --cacert <path-to-CA-certificate> gen <doc-count>
    
  2. When authenticated as an approver in the UI, you can go to the Confirmation queues page to view, approve, or deny the test documents generated in the Preconfirmation queue.

  3. When authenticated to the UI as an Operator, you can open the System operations page and start an iteration.

  4. After an iteration ends, a user authenticated to the UI as an approver can navigate to the Confirmation queues page and view, approve or deny the signed documents that are now on the Postconfirmation queue.