Digital Signature in ABAP

Similar Messages

• How to Verify digital signature in ABAP web dynpro enviroment

  Hi,
  I have few questions regarding, how we can Verify digital signature in ABAP WebDynpro ?
  Do we have class or function modules to verify digital signature on WAS once signed offline or online interactive form is uploaded back?
  can we use function modules in function group SSFG for validating authors signature? Or any other classes or interfaces are available in NetWeaver environment.
  I searched to find any sample for validating signatures in ABAP WebDynpro, however I could not find any thing. Any sample code will be very useful?
  Thanks,
  Nitesh Shelar.

  I Found that Interface IF_FP_PDF_OBJECT can be used to extract signatures from document.
  Thanks,
  Nitesh Shelar.

• Digital Signature by ABAP-Means

  Hello everybody,
  I'm trying to write an interface from our SAP-System (640) to an external XML-gateway. The external gateway requires SSL-communication via HTTP. I stored the necessary certificate successfully in STRUST. My problem is now, that the external gateway demands that I calculate a signature over one of the XML-documents in the HTTP-Body and write this signature in the other XML-document. I didn't find any suitable method or function module to do so (we're not using JAVA, only ABAP).
  It should create a hash-value via SHA1 and decrypt it with the private key I stored
  in STRUST. Has anyone encountered anything like that ?
  Regards
  Monika

  Dear Klaus,
  we studied the mentioned SSF-features (SSF_KRN_*, SAPSECULIB)
  intensively.  Unfortunately, SSF_KRN_SIGN calculates a signature
  that is far too long. The SHA1-hashvalue is already too long.
  For instance, when we use SSF_KRN_DIGEST for creating a hashvalue
  in SHA1-format, we always get back a 66-bytes-string. This is too
  long for a SHA1-hashvalue, since this should be 20 bytes long.
  SAP gives us the hashvalue in PKCS#7-format, which is the only
  possible format.
  Have you any idea how to extract the relevant 20 bytes-hashvalue
  from the PKCS#7-returnvalue ?
  Text to be hashed:
  EFBBBF313233000... (Text "123" in OSTR_INPUT_DATA)
  OSTR_INPUT_DATA_L = 6
  Hashvalue: (in OSTR_DIGESTED_DATA)
  304006092A864886F70D010705A0333031020100300906052B0E03021A0500300B06092A864886F70D0107010414F5E24078C0936CA78815260E7D58D1A940966EBA
  Regards
  Monika

• Encryption and Digital signature in SAP

  Hi,
  We have a requirement to encrypt the payment data before it is sent to a Bank using SAP XI.We are planning to have a ABAP proxy which will do the encryption and hopefully attach a digital signature.We are working in SAPR/3 Enterprise edition.Does SAP supports doing  Encryption and digital signature in  ABAP.
  Thanks,
  Leo

  Hi Leo,
  have a look here:
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/icc/secure store and forwarddigital signatures user guide.pdf
  regards Andreas

• Use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature?

  Dear all,
  I am looking to setup the use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature. We SSO to the backened ABAP AS via an SAP NW Portal to which SPNEgo kerberos authentication is setup. Today we specify R3 user id/password to digitally approvae a lot release. The idea is to have users maintain one AD password and don't have to remember the R/3 password anymore and also our Security team to avoid password maintenance.
  I know there are 3 options for digital signature and
  System signature with authorization by user ID and password (We use this currently)
  Digital User signature with verification - (We would like to use this with AD userid/password, so the system still ask the users their AD userid/password for the authentication when they try to "sign" a document.)
  User signature without verification
  Do you think there is a way to configure the system in order to ask and check the active directory userid/password instead of SAP R/3 password? Where can I found documentation about it ?
  I have several different versions of AS ABAP starting from NW 7.02 to NW 7.31.
  My active directory is based on Windows 2008.
  Thanks in advance!!
  Dhee

  Actually enabling Kerberos for SSO purposes and enabling Kerberos for digital signatures are two different topics although the latter is because of the former. I'm interested in the topic as well and I'm currently looking at different options. SAP provides a BAdI for the digital signature API which can be used for external authentication but they do not provide the solution to invoke Kerberos authentication based on username and password. SAP provides a semi solution with NWSSO 2.0 SP2 which works only on Windows with classic dynpros meaning SAP GUI for Windows is assumed. The solution is based on an ActiveX component which does the actual Kerberos authentication using the Secure Login Client which is part of the NWSSO suite. Extending that implementation to non-Windows and non-GUI applications would require some sort of web enabled service that could be used to authenticate the user with username and password. In case authentication is successful, a Kerberos token would be returned to SAP which would then be validated. All the required pieces are there since SAP has Kerberos support now in both stacks of the NetWeaver Application Server, some bits are still missing though which leaves customers looking at 3rd party or custom solutions.

• Security Issues: SSL on SOAP Adapter and Digital Signature in BPM

  Hi there,
  we're developing a R/3-XI-3rd Party Application scenario, where the XI/3rd Party communication is based on a webservice (SOAP adapter with SSL). Also, the messages in the XI/3rd Party communication must be digitally signed. I've got some questions on both subjects.
  1. About the SSL. I've started to investigate what will be necessary to enable the HTTPS option under SOAP Adapter (it's not enabled now). If I'm not correct, all I need to do is:
  - check whether the SAP Java Crypto Lib is installed in the Web AS;
  - generate the certificate request in the Visual Administrator and, after acquiring the certificate, store it with the KeyStorage option.
  Is that right?
  I'm considering that I won't need to use SSL in the ABAP Web AS, only the J2EE Java Engine (since the SOAP Adapter is based on J2EE).
  2. About the digital signature. As a first solution, we had decided on accessing a webservice based on another machine running a signature application. We'd send the unsigned XML and receive a signed XML. But since that needed to be done into the BPM, I thought that using a piece of Java code in a mapping would suit it better.
  But to be able to use the hashing/encrypting/encoding algorithms, which library needs to be installed? Is it the same SAP Java Crypto Lib that was installed for the SSL enabling?
  Thanks in advance!

  Hello Henrique,
  1. You're right. For detailed instructions please have a look at the online help: http://help.sap.com/nw04 - Security - Network and Transport Layer Security - Transport Layer Security on the SAP J2EE Engine
  2. The SOAP adapter supports security profiles. Please have a look at the online docu http://help.sap.com/nw04 -Process Integration - SAP Exchange Infrastructure - Runtime - Connectivty - Adapters - SOPA Adapter - Configuring the Sender SOAP adapter and from the link under Security Parameters to the Sender Agreement. You'll find some additional information in the following document: http://service.sap.com/~sapdownload/011000358700002767992005E/HowToMLSXI30_02_final.pdf
  Rgds.,
  Andreas

• CFPOP and digital signatures

  Emails - Exchange 2003 mail server - that use "Digital
  signatures" do not show any Body text. Either in the "BODY" or in
  the "TEXTBODY" fields. Are there any work arounds or fixes for
  this?
  Thanks,

  Hi,
  I'm trying to use SAP Simple Digital Signature (username + password) with SSO.
  I implemented the following SAP notes: 1862737 (main note that makes in possible to combine Digital Signature with SSO, which means using Windows/Active directory password instead of SAP password), 1974495, 1975701, but unfortunately it is not working.
  I tried using SAP standard example of Digital Signature: program DSIG_BOOKING_EX (run from se38).
  When running this program in SAP GUI 7.2 (and even in the latest SAP GUI 7.3), a popup appears and asks for a password (Windows / Active Directory Password). When I type the password and press OK, I get the following DUMP:
  Category: ABAP Programming Error
  Runtime Errors: MESSAGE_TYPE_X
  Abap program: CL_GUI_CFW==========CP
  Application Component: BC-FES-GUI
  Do you know how to solve it?

• Implement Digital signatures in adobe using sap

  how do i implement digital signatures in adobe using sap web dynpro netweaver and abap for backend? if you can provide some documents or links that can help for the same.

  Hello,
  You can add digital signatures and/or encryption to the document going out of the SAP system.
  To add a signature from WDA you can use the PDFObject API.
  Regards,
  Francois

• Digital Signatures with SmartCards.

  Hi guys,
  Has anyone implemented in R/3 digital signatures with smartcards?
  Currently I'm at customer side trying to implement digital signatures within workflow processes using ABAP SSF functions. The smartcard devices are already installed, but I can't read the data inside the smartcard, moreover, I can't link the smartcard device with R/3 and I don't know how to do it…
  I read in some Weblogs and documents that it is necessary a SAP-certified external security product. I believe this external security product is the software that comes inside of smartcard drivers CD. It is something like a little application on which we can sign in data and put our fingerprint.
  I guess it is not supposed to develop an interface application between smartcard and R/3! When I started these developments I thought that I only needed to configure some environment variables to connect these devices with R/3 and then develop the ABAP flow logic with SSF Functions - Am I right?
  Can anyone provide me some guidelines for this issue?
  Thanks in advance,
  Ricardo.

  The SmartCard device is present at the frontend PC - and that's the place where the digital signature operation has to take place. Important is the "What You See Is What You Sign" principle: it has to be ensured that the data that is to be signed (using the private key stored on the SmartCard) is exactly the same as the one that is displayed to the user.
  Notice: there is a different scenario where the server is signing the data (after prompting the user for userID and password and validating that information).
  The signed data is then transported back to the server where it is stored (to ensure auditibility); usually you'll have to keep the (archived) data for years; the public key need to be archived as well.
  Notice: it is possible to attach the certificate (-> public key) which has been used to sign the data to the signed data.
  Regards, Wolfgang

• NWSSO and Digital Signatures

  This is a follow-up to Re-authenticate or provide additional credentials to access sensitive data.
  We are currently looking at implementing NWSSO. As far as I know, NWSSO can't be used as an external security product for Digital Signatures so that users could input their Windows credentials to sign documents. Is that correct? Assuming yes, is something planned? What is the standard solution from SAP in this regard? We are on ERP 6.0 EHP6 SPS04 running in a homogeneous Windows environment. In short the problem is that users shouldn't have to remember their username and password in the SAP backend system once SSO is enabled. If we choose to roll out the semi solution where users have to remember their username and password in the SAP backend system, there is nothing out of the box for them to change their password in the SAP backend system since SSO is enabled. The main client to access the SAP backend system will be NWBC for Desktop 4.0.

  Hi,
  I'm trying to use SAP Simple Digital Signature (username + password) with SSO.
  I implemented the following SAP notes: 1862737 (main note that makes in possible to combine Digital Signature with SSO, which means using Windows/Active directory password instead of SAP password), 1974495, 1975701, but unfortunately it is not working.
  I tried using SAP standard example of Digital Signature: program DSIG_BOOKING_EX (run from se38).
  When running this program in SAP GUI 7.2 (and even in the latest SAP GUI 7.3), a popup appears and asks for a password (Windows / Active Directory Password). When I type the password and press OK, I get the following DUMP:
  Category: ABAP Programming Error
  Runtime Errors: MESSAGE_TYPE_X
  Abap program: CL_GUI_CFW==========CP
  Application Component: BC-FES-GUI
  Do you know how to solve it?

• How Adobe reader will access SAP PKI for digital signatures

  Hello,
  I am using a ABAP report to upload signed PDF document and validating the signature. However signature which I am using is client side Signature and not the server side. I still hope that I would be able to get these signatures from document.
  When I call execute method of CL_FP_PDF_OBJECT it gives this error
  Exception from the class CX_FP_RUNTIME_SYSTEM was caught, and that is due to No SSL installed yet.
  But I have doubt that, does ADS has trouble seperating the client side (local signatures from document), I hope not!
  One more question, If my PKI is setup Using SAPSECLIB or SAPCRPLIB then how will my local adobe reader access to this server to get public keys..
  I am facing hard time visualizing, where we will specify in my Adobe acrobat that go to So and so SAP server for keys!! Or Private keys are always with signers on his machine?
  Thanks,
  Nitesh Shelar

  Hello Philipp,
  Thanks for your reply.
  So as we can add any directory server in Adobe reader and trusted identities, we can do the same with Adobe document services? So its Adobe document services, which actually validates the signature and not the web application server.
  I have one more query. I have five level approval on my form where five approvers will use Windows Certificate Store to sign the document. But for this I assume that document needs to be passed from one approver to next approver in offline mode. Because once PDF document goes back to server only data of PDF will be retained after validating the signatures. So if we have multilevel approver scenario as I have in my case, we will always have to use offline mode? I am using the WebDynpro right now, can Guided procedure or ISR can help in this case.(Multiple approvers using digital signatures to sign the document)?
  Thanks,
  Nitesh Shelar.

• Variable number of required digital signatures

  Hi,
  I have following problem: I have a document type wich requires a variable type of digital signatures bevore it is released. Who has to check the document depends on its content.
  1st Question: Is there a way to define wich user has to sign the document (at moment we just define that one user with the right authorization has to sign, but not exactly who).
  2nd Question: Is there a way to define a status wich requires defined signatures (more than one) before it switches to the next status?
  The signature process should look like this: After the document is created the creator defines who has tho check it. Then he sets it to status "to be checked". As long as not all of the required users has signed it stays in this status. When all rewuired users have signed status changes to "released".
  Every answer is helpfull.

  For question 1, we normally have a classification field with the approver listed in it (used for workflow as well). When the user attempts to execute a digital signature we normally add an enhancement to check that its the same user listed in the approver field.
  For question 2, there are a couple of alternatives, but we normally handle this with workflow or abap for multiple approvers. We make the approver field in classification a multiple entry field and then use either workflow or abap to kick the document back to the previous status so that if there is more than one approver, each approver has the ability to set the same status. The enhancement also keeps tabs on who has signed the document and once all the approvers have signed we kick it over to the final status.
  This same process can be used for multiple entries on both a reviewer and approver field (if you require review and approver otherwise you can just use approval) and allows you to use this process for both review and approval. For example, you could use a status network that goes:
  In Work - For Review - Reviewed - For Approval - Approved - Released.
  In the process of approval, the approver would set the "approved" status whilst the system would reset it back to "for approval" and only once the last person had approved it would automatically set the released status. The trick using this method is to ensure that the work items are not regenerated every time it sets it back to "for approval" so there is some logic required for your workflow consultant.
  The review process would be exactly the same with the exception that the system would automatically kick it over from "reviewed" to "for approval" or whatever you next status might be.
  Message was edited by:
          Athol Hill

• Digital Signature for SAP Script

  Hi ABAP Gurus!
  Is it possible to implement the Digital signature in SAP Script.
  If the printer has properties to print Signatures.
  Any one implement succesfully digital signature in SAP Script.
  Your suggestion and guildlines will be apprecaited.
  Thanks!

  Hi Reddy,
  What I did was a image signature. Scan the signature into a image file, upload it to system via transaction code SE78.
  Call the image to be printed on your form with the below code
  BITMAP 'ZMY_SIGNATURE' OBJECT GRAPHICS ID BMAP TYPE BMON
  Is this applicable to you?

• Digital Signature for QM notification status change

  Hello experts,
  I need your guidance regarding implementation of user digital signature for QM notification status change. Our customer has ECC 6.0 but they are not inclined to introduce enhancement package 3 soon. Now their requirement is that while QM notification status change they want to have a user signature pop-up to verify the user authorization to do so. But they don't want to do so by using digital signature via DMS status change.
  I am really not sure if I have explained the situaion correctly or not as i am quite new to QM. But I am desparately looking forward to get your valued replies in this regard.
  Best regards,
  Anirban

  To fulfill the FDA requirement we have apply the logic to make sure that a digital signature is captured for status changes during task processing.
  To map this requirement we have developed one custom table to store remark that will be displayed on digital signature remarks textbox. This table will have following feild:
  STAT - System/ user status
  QMART - QN type
  SPARS - language
  TEXT - character text.
  Work with ABAPer to implement this, and after implementing validate following key point:
  u2022     Validate that after successful digital signature that the signature cannot be overwritten.
  u2022     Validate the locking of the User ID after customer specific number of unsuccessful signature attempts.
  u2022     Verify that the digital signature works for each status.
  u2022     Validate that if the digital signature is cancelled prior to successful entry that the system status reverts back to previous status and all processing authorizations allowed for that status still function properly.
  Hope my reply will help you.
  Thanks!!!

• Digital Signature on TDS certificate - Vendors

  Dear All,
  Their is possiblity to insert digital signature on TDS certificate given to employees(form 16), but is their any chance of inseting the digital signature on TDS certificate given to Vendors.
  Thanks & Regards
  Krishna Chaitanya

  Hi,
  Thanks for your reply.
  I allready worked on this SAP note.
  But there are some configurations like ADS,SSL in Java and ABAP instances.
  I did the configuration of ADS,SSL in both the instances.
  I followed the blog of Dezso Pap "ADS SSL configuration journal I. / ABAP -> JAVA / 640 - 70x
  But when i test the program FP_PDF_TEST_00 i'am getting an error message "SOAP runtime exception."
  I feel some problem in SSL certificates.I'am working on it.
  With Regards,
  Pradeep.B