# SWS Firewall Rules Documentation

## Table of Contents

- [Introduction](#introduction)
- [INBOUND Firewall Rules](#inbound-firewall-rules)
- [OUTBOUND Firewall Rules](#outbound-firewall-rules)
  - [Digital Signatures](#digital-signatures)
    - [Level B Signatures](#level-b-signatures)
    - [Level T Signatures](#level-t-signatures)
    - [Level LTV Signatures](#level-ltv-signatures)
  - [OUTBOUND Firewall Rules -- Apply Timestamp](#outbound-firewall-rules----apply-timestamp)
  - [OUTBOUND Firewall Rules -- Verify Signatures](#outbound-firewall-rules----verify-signatures)


## Introduction

The communications required (firewall rules) to enable SWS operations
depend on the type of operation performed:

- Make digital signatures (PAdES, CAdES, XAdES)
- Apply timestamp
- Verify digital signatures, timestamps and certificates


# INBOUND Firewall Rules

To allow SWS to be contacted and used, the following rule must be
enabled.

| Protocol | Port | TCP/UDP | Environment |
|  --- | --- | --- | --- |
| HTTP | 8080 | TCP | TEST, PROD |


# OUTBOUND Firewall Rules

## Digital Signatures

### Level B Signatures

The following communications are required.

| Operation | Description | Protocol | Port | TCP/UDP | Address | Environment |
|  --- | --- | --- | --- | --- | --- | --- |
| Signature | Sends a request to the Namirial server for signing the hash | HTTPS | 443 | TCP | fra.test.firmacerta.it | TEST |
| Signature | Sends a request to the Namirial server for signing the hash | HTTPS | 443 | TCP | fra.firmacerta.it | PROD |
| Retrieve a list of trusted certificates | Used to download all trusted root certificates | HTTPS | 443 | TCP | swsverifier.test.namirialtsp.com | TEST |
| Retrieve a list of trusted certificates | Used to download all trusted root certificates | HTTPS | 443 | TCP | swsverifier.namirialtsp.com | PROD |


NOTE: Communications are protected by mTLS (mutual authentication).

### Level T Signatures

Requires the same communications as Level B plus the timestamp service.

| Operation | Description | Protocol | Port | TCP/UDP | Address | Environment |
|  --- | --- | --- | --- | --- | --- | --- |
| Timestamp | Sends a request to the Namirial server to apply a timestamp to the hash | HTTPS | 443 | TCP | timestamp.test.firmacerta.it | TEST |
| Timestamp | Sends a request to the Namirial server to apply a timestamp to the hash | HTTPS | 443 | TCP | timestamp.firmacerta.it | PROD |


### Level LTV Signatures

Requires the same communications as Level B plus certificate validation
services.

| Operation | Description | Protocol | Ports | TCP/UDP | Address | Environment |
|  --- | --- | --- | --- | --- | --- | --- |
| Verification using OCSP | To validate the certificate, sends a request to the OCSP responder to check its status | OCSP | 80 | TCP | ocsp.test.firmacerta.it, ocsp.test.namirialtsp.com | TEST |
| Verification using OCSP | To validate the certificate, sends a request to the OCSP responder to check its status | OCSP | 80 | TCP | ocsp.firmacerta.it, ocsp.namirialtsp.com | PROD |
| Validation using CRL | To validate the signing certificate, checks its serial number against the CRL | HTTP | 80 | TCP | crl.test.firmacerta.it, crl.test.namirialtsp.com | TEST |
| Validation using CRL | To validate the signing certificate, checks its serial number against the CRL | HTTP | 80 | TCP | crl.firmacerta.it, crl.namirialtsp.com | PROD |


For **level LT signatures**, all the communications above are required. VERY IMPORTANT: if you are signing a file that was already signed by a third-party company, outgoing communication must be opened worldwide, because it is not possible to know the CRL/OCSP endpoints of every CA, and they can also change.
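To check that the egress rules above are actually in place, the following added example (not part of SWS or the Namirial documentation) encodes the tables as data, derives the full endpoint list for a signature level and environment (Level T and LTV each build on Level B), and probes each host/port with a plain TCP connect. The TEST/PROD split of the OCSP/CRL hosts follows the `.test.` naming in the table; `probe` needs network access and is only an assumed way to confirm a rule, not a replacement for verifying the firewall configuration itself.

```python
import socket

# Endpoints transcribed from the tables above. Where a cell listed both a
# .test. host and a production host, the TEST/PROD split follows the host name.
RULES = {
    "B": [
        ("Signature", 443, {"TEST": ["fra.test.firmacerta.it"],
                            "PROD": ["fra.firmacerta.it"]}),
        ("Trusted certificates", 443, {"TEST": ["swsverifier.test.namirialtsp.com"],
                                       "PROD": ["swsverifier.namirialtsp.com"]}),
    ],
    "T": [
        ("Timestamp", 443, {"TEST": ["timestamp.test.firmacerta.it"],
                            "PROD": ["timestamp.firmacerta.it"]}),
    ],
    "LTV": [
        ("OCSP", 80, {"TEST": ["ocsp.test.firmacerta.it", "ocsp.test.namirialtsp.com"],
                      "PROD": ["ocsp.firmacerta.it", "ocsp.namirialtsp.com"]}),
        ("CRL", 80, {"TEST": ["crl.test.firmacerta.it", "crl.test.namirialtsp.com"],
                     "PROD": ["crl.firmacerta.it", "crl.namirialtsp.com"]}),
    ],
}
# Level T and Level LTV each require the Level B rules as well.
LEVEL_DEPS = {"B": ("B",), "T": ("B", "T"), "LTV": ("B", "LTV")}

def required_endpoints(level, env):
    """Sorted (host, port) pairs that must be reachable for `level` in `env`."""
    # Caveat from the page: LT signing of third-party-signed files needs worldwide
    # CRL/OCSP egress, which no fixed allowlist like this one can cover.
    found = set()
    for dep in LEVEL_DEPS[level]:
        for _operation, port, hosts in RULES[dep]:
            found.update((host, port) for host in hosts[env])
    return sorted(found)

def probe(host, port, timeout=3.0):
    """TCP connect check (needs network); True when the egress path is open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_level(level, env):
    """Map 'host:port' -> reachable for every endpoint the level needs."""
    return {f"{h}:{p}": probe(h, p) for h, p in required_endpoints(level, env)}

if __name__ == "__main__":
    for endpoint, ok in check_level("LTV", "PROD").items():
        print("OPEN   " if ok else "BLOCKED", endpoint)
```

A TCP connect only shows the port is reachable; a blocked result on port 443 with mTLS still means the rule is missing, while an open result does not prove the client certificate is accepted.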

# OUTBOUND Firewall Rules -- Apply Timestamp

Use the same firewall rules required for:

- Level B signatures
- Level T signatures


# OUTBOUND Firewall Rules -- Verify Signatures

To verify:

- Digital signatures
- Timestamps
- Certificates


Use the same rules required for Level B signatures.