Getting started with the UI

Edit online

Auditors can use the IBM Digital Asset Offline Signing Orchestrator UI to view, approve, or deny documents on the preconfirmation and postconfirmation queues. Operators can use the UI to start a signing iteration or perform a system flush. This section explains how to set up the client machine for the UI and start it in a supported browser.

Configuring the UI client

Edit online

You must configure the client where the UI will run using a supported browser.

Prerequisites

Edit online

  • Certificate and key for the Auditor or Operator who will be using the UI. The certificate will be generated and supplied by the System Custodian.

  • Get the IP address of the LPAR hosting the UI server.

  • Obtain the Offline Signing Orchestrator server component CA certificate from the System Custodian.

  • Use a supported browser.

Importing required keys and certificates

Edit online

To run the UI on your local computer, obtain the key and certificate for an Auditor or Operator who will be using the UI. The user's certificate can be obtained from the System Custodian. Additionally, you will need the server CA cert returned from the Offline Signing Orchestrator backend.

macOS

Edit online
  1. Once you bring up the conductor, init the components, and portmap on lpar1-3000:
    1. Copy the user and admin certs to local machine.
    2. Import into Keychain (mac).
    3. Mark them as trusted and use them to perform operation on your browser.
    4. Copy certificates from LPAR to your local machine.
  2. Consolidate certs to import them into keychain from your local : 
    
cat ./admin1-key.pem >> ./mac-keys
cat ./admin1.crt >> ./mac-keys
  3. Similarly, add admin2, user1, and user2 certs in mac-keys.
  4. Import consolidated certs into keychain from your local: 
    security import ./mac-keys ~/Library/Keychains/login.keychain
  5. Under the Default Keychains section, click Login, double-click admin1 > Trust > Always Trust.
  6. Click Save.
    Note:
    • Perform the same steps for all other certificates.
    • In the Login section on top, you can view certificates under My certificates column.
  7. Add dns to local /etc/hosts file: 
    <lpar-ip>  oso-cs-ui-server.dap.local
    Note: If Bond is configured, provide the Bond IP address instead of the lpar1-ip value.
  8. Open your web browser and navigate to the following URL, replacing <prefix> with your specific prefix: 
    https://<prefix>oso-cs-ui-server.dap.local:3000/

Windows

Edit online

  1. Ensure that the required Offline Signing Orchestrator keys/certs are transferred to the Windows client machine.

  2. Create Personal Information Exchange (.pfx) files from the keys/certs for the required users according to the following example:

    C:\oso-test-certs\test-certs>"\Program Files\Git\usr\bin\openssl.exe" pkcs12 -export -out .\approver.pfx -inkey .\approver-key.pem -in .\approver-cert.pem
``` {: codeblock}

  3. Open Windows Certificate Manager.

  4. Import the earlier generated .pfx files into the Personal Certificates.

  5. Import component-ca-cert.pem into the into the Trusted Root Certificate Authorities.

Mapping the UI server IP address to host name

Edit online

  1. Update C:\Windows\System32\drivers\etc\hosts with IP address and hostnames for Offline Signing Orchestrator server(s).

  2. In the /etc/hosts file on your local computer, add the following mapping:

    LPAR1_IP_ADDRESS <prefix>-cs-ui-server.dap.local

    <prefix> - Specify the prefix used when deploying the Offline Signing Orchestrator components.

Launching or accessing the UI

Edit online

Auditors and Operators can complete their tasks in the UI .

  • Once the client machine configuration is complete, go to https://<prefix>-cs-ui-server.dap.local:3000?role=<user-role> using one of the supported browsers on the client machine.

    - `<prefix>` - Specify the prefix used when deploying the Offline Signing Orchestrator components.
- `<role>` - Specify the role of the user launching the UI: Auditor or Operator.

  • When the UI loads, you'll need to select your certificate and enter your client machine credentials. After that, you can carry out your user role tasks.

  • Remember to close the browser after using the Offline Signing Orchestrator UI to clear the client certificate-based authentication and prevent unauthorized access.

Using the UI with the test components and test data

Edit online

This section is applicable only when the testend components (frontend, frontend-plugin, backend, and backend-plugin) are deployed in the environment.

  1. Run the oso-cli command to generate test documents.

    oso-cli --cert <path-to-user's-cert-file> --key <path-to-user's-private-key> --cacert <path-to-CA-certificate> frontend gen <doc-count>

  2. When authenticated as an approver in the UI, you can go to the Confirmation queues page to view, approve, or deny the test documents generated in the Preconfirmation queue.

  3. When authenticated to the UI as an Operator, you can open the System operations page and start an iteration.

  4. After an iteration ends, a user authenticated to the UI as an approver can navigate to the Confirmation queues page and view, approve or deny the signed documents that are now on the Postconfirmation queue.