Product Documentation

Signing, Unsigning, Re-signing, and Verifying Data

May 11, 2015

The Data Signing Tool, CtxSignData.exe, allows you to sign, re-sign, unsign, and verify data in your central store. It is a command-line driven tool available from the installation media under \Service. CtxSignData.exe is also installed on the server hosting the service at %ProgramFiles%\Citrix\MetaFrame Password Manager\Service\SigningTool\CtxSignData.exe.

Note: The Data Signing Tool is installed with the Data Integrity Module of Single Sign-on Service. This module can be installed at a later time if it was not part of the initial Single Sign-on installation.

To start the data signing tool, at a command prompt of the computer running Single Sign-on Service, type CtxSignData.exe and use the appropriate command line parameter (-s, -r, -u, -v).

Signing Data (-s)

Use the sign command-line parameter to enable data integrity in an environment with existing unsigned data.

Note: If you have a Single Sign-on environment that is running without data integrity implemented and you later decide to use data integrity, you must use the Data Signing Tool to sign data in the existing central store.

You must supply the signing certificate file name, the Single Sign-on Service Uniform Resource Identifier (URI), the location of the central store, and central store type (NTFS network share or Active Directory). All data is read and signed using the new signing certificate.

The syntax for the CtxSignData command with the -s parameter is:

CtxSignData [-s service_path certificate_file centralstore_location NTFS|AD]

where:

-s Signs data files in the central store
service_path Indicates the Single Sign-on Service path in URI format
certificate_file Indicates the filename of the certificate to use for signing or resigning data
centralstore_location Indicates the Universal Naming Convention (UNC) path to the location of the file share or Domain Name System (DNS) of the Active Directory domain controller
NTFS|AD Indicates the central store network directory service type, where
  • NTFS = Microsoft NTFS file share
  • AD = Microsoft Active Directory

The following are examples of the CtxSignData command with the -s parameter:

ctxsigndata -s "mpmserver.mycompany.com/MPMService" "C:\priv12mos.cert" "\\MPMCentralServer\citrixsync$" NTFS

ctxsigndata -s mpmserver.mycompany.com/MPMService "C:\priv12mos.cert" DC1.mycompany.com AD

Re-signing Data (-r)

Use the re-sign command-line parameter when the existing signing certificate is nearing expiration, has expired, or is compromised. You must supply the new signing certificate file name, the Single Sign-on Service URI, the location of the central store, and central store type (NTFS network share or Active Directory). All data is read and verified and then signed using the new certificate. No setting changes are necessary in the console or plug-in software because they already have data integrity enabled.

Use the following steps to re-sign corrupt data:

  1. Open the Single Sign-on component of the Citrix AppCenter and locate the user configuration that is affected.
  2. Open the user configuration to verify the data can be read from the central store.
  3. Close the user configuration to save new corruption-free data in the central store.
  4. Use the signing tool (ctxsigndata) to re-sign the data in the central store.
Note: If the corruption appears to be caused by a security breach, perform this procedure for all user configurations before re-signing the data to avoid inadvertently signing unsecured data.

The syntax for the CtxSignData command with the -r parameter is:

CtxSignData [-r service_path certificate_file centralstore_location NTFS|AD]

where:

-r Re-signs data files in the central store (includes -v)
service_path Indicates the Single Sign-on Service path in URI format
certificate_file Indicates the filename of the certificate to use for signing or re-signing data
centralstore_location Indicates the Universal Naming Convention (UNC) path to the location of the file share or Domain Name System (DNS) of the Active Directory domain controller
NTFS|AD Indicates the central store network directory service type, where
  • NTFS = Microsoft NTFS file share
  • AD = Microsoft Active Directory

The following are examples of the CtxSignData command with the -r parameter:

ctxsigndata -r "mpmserver.mycompany.com/MPMService" "C:\priv12mos.cert" "\\MPMCentralServer\citrixsync$" NTFS

ctxsigndata -r mpmserver.mycompany.com/MPMService "C:\priv3mos.cert" DC1.mycompany.com AD

Unsigning Data (-u)

Use the unsign command-line parameter when you disable data integrity. You must supply the signing certificate file name, the Single Sign-on Service URI, the location of the central store, and central store type (NTFS network share or Active Directory). All data is read without verification and the signatures are removed.

The syntax for the CtxSignData command with the -u parameter is:

CtxSignData [-u centralstore_location NTFS|AD]

where:

-u Unsigns all the data files in the central store
centralstore_location Indicates the Universal Naming Convention (UNC) path to the location of the file share or Domain Name System (DNS) of the Active Directory domain controller
NTFS|AD Indicates the central store network directory service type, where
  • NTFS = Microsoft NTFS file share
  • AD = Microsoft Active Directory

The following are examples of the CtxSignData command with the -u parameter:

ctxsigndata -u "\\MPMCentralServer\citrixsync$" NTFS

ctxsigndata -u DC1.mycompany.com AD

Verifying Data (-v)

Use the verify command-line parameter to check that all data in the central store is signed and verified. You must supply the signing certificate file name, the Single Sign-on Service URI, the location of the central store, and central store type (NTFS network share or Active Directory). All data is read with verification and signed.

The syntax for the CtxSignData command with the -v parameter is:

CtxSignData [-v service_path centralstore_location NTFS|AD]

where:

-v Verifies signatures on the data files in the central store
service_path Indicates the Single Sign-on Service path in URI format
centralstore_location Indicates the Universal Naming Convention (UNC) path to the location of the file share or Domain Name System (DNS) of the Active Directory domain controller
NTFS|AD Indicates the central store network directory service type, where
  • NTFS = Microsoft NTFS file share
  • AD = Microsoft Active Directory

The following are examples of the CtxSignData command with the -v parameter:

ctxsigndata -v "mpmserver.mycompany.com/MPMService" "\\MPMCentralServer\citrixsync$" NTFS

ctxsigndata -v mpmserver.mycompany.com/MPMService "https://mpmserver.mycompany.com/MPMService" DC1.mycompany.com AD
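The following PowerShell script is an added example, not part of the Citrix documentation or the tool itself: it ties the re-sign guidance above (rotate the signing certificate when it is nearing expiration) to the -v and -r parameters by verifying the store first and re-signing only when the current certificate is within a renewal window. Host names, file paths and the 30-day threshold are constructed values; it assumes the certificate file loads with the .NET X509Certificate2 class and that a non-zero exit code from CtxSignData means failure, neither of which this page documents.

```powershell
# Added example: verify the central store, then rotate the signing certificate
# with CtxSignData -r when the current certificate is close to expiry.
# All values below are constructed; adjust them for your environment.
$SigningTool     = "$env:ProgramFiles\Citrix\MetaFrame Password Manager\Service\SigningTool\CtxSignData.exe"
$ServicePath     = 'mpmserver.mycompany.com/MPMService'
$CurrentCert     = 'C:\priv12mos.cert'               # certificate currently signing the store
$NewCert         = 'C:\priv3mos.cert'                # replacement certificate for -r
$CentralStore    = '\\MPMCentralServer\citrixsync$'  # single quotes keep the trailing $ literal
$StoreType       = 'NTFS'                            # NTFS or AD
$RenewBeforeDays = 30                                # assumed rotation window

function Get-CertDaysRemaining([string]$Path) {
    # Assumption: the file is in a format X509Certificate2 can load (DER or PFX).
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    return [int]($cert.NotAfter - (Get-Date)).TotalDays
}

function Invoke-CtxSignData([string[]]$Arguments) {
    # Splat the argument array so paths containing spaces or $ are passed intact.
    & $SigningTool @Arguments
    # Assumption: non-zero exit code signals failure (not documented on this page).
    if ($LASTEXITCODE -ne 0) {
        throw "CtxSignData $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

$days = Get-CertDaysRemaining $CurrentCert
Write-Host "Current signing certificate expires in $days day(s)."

# Step 1: confirm every data file still verifies under the existing signature (-v)
# before changing anything, so corrupt or tampered data is not silently re-signed.
Invoke-CtxSignData @('-v', $ServicePath, $CentralStore, $StoreType)

# Step 2: re-sign with the new certificate only when rotation is due (-r includes -v).
if ($days -le $RenewBeforeDays) {
    Invoke-CtxSignData @('-r', $ServicePath, $NewCert, $CentralStore, $StoreType)
    Write-Host "Central store re-signed with $NewCert."
} else {
    Write-Host "Rotation not yet due; no changes made."
}
```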

Displaying Help (-h)

Use the help command-line parameter to display help for the CtxSignData command.

The syntax for the CtxSignData command with the -h parameter is:

CtxSignData [-h]

where:

-h Displays the help

The following is an example of the CtxSignData command with the -h parameter:

ctxsigndata -h