Adding support for SHA-256 XML signatures to EmpowerID

The following steps are required if you wish to sign XML signatures using a SHA-256 certifcate in EmpowerID. You will also need to obtain a valid SHA-256 certificate from an internal or external certificate authority.

NOTE: Performing the following steps will cause a service interruption. Please schedule this during off-hours if you are performing this task against a production environment.

  1. Download 

Security.Cryptography 1.6.

  1. Unzip Security.Cryptography_1.6.zip to a known location, such as C:\SHA256.

  1. Download 

Global Assembly Cache Tool 4.0.

  1. Unzip gacutil40.zip to a known location, such as C:\SHA256.

  1. Open a Command Prompt window with Administrator privileges. In the Command Prompt window that appears, enter the following command and press ENTER:

gacutil /i Security.Cryptography.dll

You should see the message "Assembly successfully added to the cache".

  1. In the Command Prompt window with Administrator privileges, enter the following command and press ENTER:

iisreset /stop

You should see the message "Internet services successfully stopped".

  1. Open Windows Explorer and navigate to the following directory:

%windir%\Microsoft.NET\Framework\v4.0.30319\Config

  1. Open machine.config in a text editor of your choice, such as Notepad. Scroll all the way to the bottom of the file.

  1. Copy the following code block:

<mscorlib>
<cryptographySettings>
<cryptoNameMapping>
<cryptoClasses>
<cryptoClass RSASHA256SignatureDescription="Security.Cryptography.RSAPKCS1SHA256SignatureDescription, Security.Cryptography, Version=1.6.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</cryptoClasses>
<nameEntry name="xmldsig-more namespace " class="RSASHA256SignatureDescription" />
</cryptoNameMapping>
</cryptographySettings>
</mscorlib>

10. Paste the code block between the </system.web> and </configuration> elements at the end of the machine.config file.

11. Open Windows Explorer and navigate to the following directory:

%windir%\Microsoft.NET\Framework64\v4.0.30319\Config

12. Open machine.config in a text editor of your choice, such as Notepad. Scroll all the way to the bottom of the file.

13. Copy the following code block:

<mscorlib>
<cryptographySettings>
<cryptoNameMapping>
<cryptoClasses>
<cryptoClass RSASHA256SignatureDescription="Security.Cryptography.RSAPKCS1SHA256SignatureDescription, Security.Cryptography, Version=1.6.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</cryptoClasses>
<nameEntry name="xmldsig-more namespace " class="RSASHA256SignatureDescription" />
</cryptoNameMapping>
</cryptographySettings>
</mscorlib>

14. Paste the code block between the </system.web> and </configuration> elements at the end of the machine.config file.

15. In the Command Prompt window with Administrator privileges, enter the following command and press ENTER:

iisreset

You should see the message "Internet services successfully restarted".

16. Open the Services MMC Snap-in and scroll down until you see the EmpowerID Web Role. Right click the EmpowerID Web Role and choose Restart.

17. Scroll down until you see the EmpowerID Worker Role. Right click the EmpowerID Worker Role and choose Restart.

The SHA-256 cryptographic hash algorithm is now available to EmpowerID for XML signatures.

Please feel free to contact us by e-mail at support@empowerid.com or by phone at (877) 996-4276 (Option 2) if you have any questions or concerns regarding this guide.