IRM Content Decrypt API

asayo
edited August 27, 2010 in Documentum #1

We are trying to make a decrypt application for IRM protected PDF documents, and have a few questions.

Regarding how to generate the XML file (to be used to register the decrypt application with IRM Server), the help said "add a certificate chain," but is this a certificate for IRM Server?

If we use "DocDecrypt.exe" as is in the c_examples, can we also use the "DocDecrypt.xml" file as is in the c_examples?

Best Answer

  • PeteT
    edited June 16, 2009 #2 Answer ✓

    The certificates and associated private key and .xml file are part of the "Application Authentication" mechanism that is designed to ensure that only authenticated applications are able to decrypt documents.  The .xml file is presented to the IRM Server via the IRM Server Administrator and tells the server about a specific application that the administrator wishes to authorize (in this case for programmatic decrypt of IRM protected documents).  See Application Authorization in the IRM Server Administrator.

    Once this step has been completed, it is necessary to configure your server for programmatic decrypt.  See the various permissions at the server, group, and document level.  The administrator can configure the server to allow or disallow programmatic decrypt and also specify if documents can override this.  Additionally, when an application wants to decrypt a document, it must do so in the context of a specific user and this user must belong to a group that has programmatic decrypt permission.

    The certificates (application and CA) supplied with the sample decrypt applications are certainly valid for you to use for testing your application.  However, I would suggest that you derive your own certificates for your specific application for production.  The sample certificates will eventually expire, of course.

    The sample certificates and key were derived via openssl tools.  There are several steps involved in generating both certificates and extracting the (unprotected in this case) private key.  Once these are available it is then possible to generate the .xml file and also make the certificates and key available to your application.  How you securely maintain and access these in production is up to you.  The sample application simply hard-coded the certificate and key data into the application; a more secure approach would be preferable for production environments.

    There are probably many different ways to obtain the certificates you need: openssl is just one possible way.  I can probably find the commands I used if you need an example.  Please let me know if this is the case.
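
An added example, not part of the original thread and not the commands used for the SDK samples: one way to produce a test CA certificate, an application certificate and its private key with openssl, then check the chain, the key/certificate match and the remaining lifetime. All subject names, file names and lifetimes are assumptions; the format of the IRM .xml registration file is not shown in this thread and is not generated here.

```shell
#!/bin/sh
# Added example: build and check a CA + application certificate pair.
# Subject names, file names and lifetimes below are illustrative assumptions.
set -eu

# Runs in a subshell so the restrictive umask does not leak to the caller.
make_app_chain() (
    dir=$1
    mkdir -p "$dir"
    umask 077    # key files are created readable by the owner only

    # 1. Self-signed CA certificate; key left unencrypted (-nodes) for testing.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Decrypt Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. Application private key and certificate signing request.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Decrypt Application" \
        -keyout "$dir/app.key" -out "$dir/app.csr" 2>/dev/null

    # 3. The CA signs the application certificate (valid for one year).
    openssl x509 -req -in "$dir/app.csr" -sha256 -days 365 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -set_serial 1 \
        -out "$dir/app.crt" 2>/dev/null

    # 4. Certificate chain: application certificate first, then the CA.
    cat "$dir/app.crt" "$dir/ca.crt" > "$dir/chain.pem"
)

# Returns 0 if usable, 1 if the chain does not verify, 2 if the private key
# does not belong to the certificate, 3 if it expires within 30 days.
check_app_chain() {
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" "$dir/app.crt" >/dev/null 2>&1 || return 1

    # Compare the public key in the certificate with the one from the key file.
    cert_pub=$(openssl x509 -in "$dir/app.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/app.key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || return 2

    # -checkend N fails when the certificate expires within N seconds.
    openssl x509 -in "$dir/app.crt" -noout -checkend 2592000 >/dev/null || return 3
}
```

Call `make_app_chain ./certs` once, then run `check_app_chain ./certs` as a pre-deployment or scheduled check so an expiring or mismatched certificate is caught before decrypt requests start failing.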

Answers

  • jyoti.tiwari
    edited July 6, 2009 #4

    Hi,

    Kindly send me an example of how you decrypt the document through the IRM API.

  • PeteT
    edited July 6, 2009 #5

    Hi,

    There are code examples provided with the IRM APIs.  See (probably under Program Files):

    ..\EMC IRM\EMC IRM SDK\Client\c_examples

    ..\EMC IRM\EMC IRM SDK\Client\csharp_examples

    and look for files named like docdecrypt...

    docdecrypt.cpp is a simple c++ example that uses the COM API in libEDS.dll and can decrypt a single document.

    docdecryptex.cpp is similar but uses the updated COM API in libEDSEx.dll

    The csharp examples also use libEDSEx.dll and present an example that can decrypt multiple documents, each in their own thread.  See the associated readme file also.

    If you need more information, please let me know.

    Pete

  • jyoti.tiwari
    edited July 7, 2009 #6

    Hi,

    Thanks for your reply.

    Actually, we have used this example, but we want to achieve this using Java. We have applied the Java example, but the problem is that it displays the list of the encrypted content, and we can't tell whether it is decrypting the protected content or not. If it is decrypting the protected content, where can we find that decrypted content?

  • PeteT
    edited July 8, 2009 #7

    I'm not sure which Java example you're referring to?  There is currently no Java API for the Decrypt SDK.  There IS Java support for the Server Management API.

    Since the Decrypt SDK, as implemented in libEDSEx.dll, is a dual interface COM implementation, it should be possible to use it via Java using one of the available Java-COM technologies.  We have not experimented with this in Engineering and do not have any example code currently.

    I would need to see some of the Java code you mentioned to see what it is attempting to do relating to decryption.

    Pete

  • ajay.kumar
    edited August 26, 2010 #8

    Hi,

    Have you come across any solution for decrypting the IRM protected document? I also have the same requirement. Kindly let me know. It's very urgent.

    IRM version I am using is 4.5.1.

    Thanks

  • ajay.kumar
    edited August 27, 2010 #9

    I am using IRM Server 4.5.1 and I have installed IRM SDK 4.5.1 on another machine. When I try to execute the DocDecrypt.exe provided in c_examples, I get this error:

    Document is Encrypted; about to prepare for decrypt.

    IEDS::PrepareDocStreamForDecrypt failed with error code: 0x80040a08

    ...Last error text is: Cannot connect to server: irmCreateSession failed with IRM Status: 21001 and detail: Unknown er

    DecryptTheStream() failed with hr: 0x80040a08

    DecryptAsIlockBytesStream() failed with hr: 0x80040a08

    ...Releasing pEDSClientContext now

    ...Releasing pEDS now

    IdentifyAndDecryptDoc Failed

    Doing ::CoUninitialize now

    Kindly tell me the procedure to execute the DocDecrypt.exe.

    Thanks

  • I have the same issue. Please help me with how to resolve this.