Limiting users to 1 digital signature

Similar Messages

• Use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature?

  Dear all,
  I am looking to setup the use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature. We SSO to the backened ABAP AS via an SAP NW Portal to which SPNEgo kerberos authentication is setup. Today we specify R3 user id/password to digitally approvae a lot release. The idea is to have users maintain one AD password and don't have to remember the R/3 password anymore and also our Security team to avoid password maintenance.
  I know there are 3 options for digital signature and
  System signature with authorization by user ID and password (We use this currently)
  Digital User signature with verification - (We would like to use this with AD userid/password, so the system still ask the users their AD userid/password for the authentication when they try to "sign" a document.)
  User signature without verification
  Do you think there is a way to configure the system in order to ask and check the active directory userid/password instead of SAP R/3 password? Where can I found documentation about it ?
  I have several different versions of AS ABAP starting from NW 7.02 to NW 7.31.
  My active directory is based on Windows 2008.
  Thanks in advance!!
  Dhee

  Actually enabling Kerberos for SSO purposes and enabling Kerberos for digital signatures are two different topics although the latter is because of the former. I'm interested in the topic as well and I'm currently looking at different options. SAP provides a BAdI for the digital signature API which can be used for external authentication but they do not provide the solution to invoke Kerberos authentication based on username and password. SAP provides a semi solution with NWSSO 2.0 SP2 which works only on Windows with classic dynpros meaning SAP GUI for Windows is assumed. The solution is based on an ActiveX component which does the actual Kerberos authentication using the Secure Login Client which is part of the NWSSO suite. Extending that implementation to non-Windows and non-GUI applications would require some sort of web enabled service that could be used to authenticate the user with username and password. In case authentication is successful, a Kerberos token would be returned to SAP which would then be validated. All the required pieces are there since SAP has Kerberos support now in both stacks of the NetWeaver Application Server, some bits are still missing though which leaves customers looking at 3rd party or custom solutions.

• Digital Signatures - how to prevent anyone from using my name

  I've created a bunch of forms that have digital signatures enabled.  When I've created one either with the PKCS or the Windows Certificate, what's to prevent anyone else from just typing my name, email address and Company Name?  Yes, I can create one and save it with a password, but anyone can do that.  I'm confused how I can ask our users to use digital signatures on internal documents, then have them email to accounting or HR, yet there's nothing to prevent anyone from using anyone else's name (ie how can I prove that it wasn't me that signed it)? 
  Is there nothing that's tied to Windows ie I can't use my login ID on our domain unless I use my network password?  That's really the ONLY way I can prove I'm me. 

  Self-signed digital signatures are precisely that - the person creating them is the only one attesting to the contents, so you can make a perfectly-valid self-signed ID for Canta Claus of you want to. The critical thing to remember is that a self-signed ID will only validate if the recipient has your keyfile to compare it to. On your own machine it will show as valid because the key is present, but if you send the PDF to anyone else it will show as invalid unless you have separately transferred them a copy of your keyfile. It's that second file which tells them the ID is really yours, as they can physically check where it came from (e.g. by phoning you up). The recipient would then have to manually add the keyfile to the trusted list in Acrobat or Adobe Reader, and finally your PDF signature will get the green tick.
  Self-signed IDs are find for internal company workflows as everyone can share their keyfiles, and the IT department can manage what's going on. If you're using digital IDs in a public setting you should never use self-signed certificates, instead you should purchase an ID from a Certificate Authority - a company whose IDs are tied to the 'root certificates' embedded in Acrobat and Adobe Reader. The CA will require proof of identity before selling you the cert, and so anyone can verify it's genuine without needing to contact you. CAS-issued certs for signing PDF files are not cheap, there are several vendors out there and I won't comment on which may be better.

• Digital Signatures for cProjects Approval

  Hi Folks,
  I am on cProjects 4.5 and from what I understand there are 2 options for this based on whether or not I check the "Signature of Approval with User Certificate" box in Project Type config.
  Unchecked - user is prompted for cProjects password and this works fine. Only issue for us is, we are on the portal and most likely cProjects password will be different and unknown to user. As per note 928527 this is standard behavior and tough luck for anybody on the portal.
  Checked - use is given the ability to digitally sign the PDF approval document. When I select "sign" on the PDF I am given the ability to create a new ID or use an existing ID from a file, server etc. I created a new ID and signed the document. Once I do this and click the transfer button the system appears to hang. The progress indicator appears and keeps going.
  Therefore my questions are:
  1. Is there any additional config I need to do in cProjects. ADS or anywhere else?
  2. How exactly does adobe digital signatures work? If anybody simply create a signature how does that provide any verification of authenticity?
  Appreciate any help.
  Thanks,
  Lashan

  Hi,
  please see teh Configuration Content for cProjects 4.5 available in SAP Solution Manager and also as PDF attachment to SAP Note 1035436.
  There it says:
  Making Settings for the Approval
  Use
  You can use user certificates for digital signatures of approvals.
  Prerequisites
  ● You are using Microsoft® Internet Explorer 6.0 or higher.
  ● You have a user certificate that is suitable for digital signatures (for example, the single
  sign-on certificate).
  ● You have installed Adobe® Reader and Adobe Document Services.
  Procedure
  To verify the signature, enter the corresponding root certificate in the certificate list of the
  Personal Security Environment (PSE, transaction STRUST). For more information, see the
  documentation for the activity and the Adobe Document Services u2013 Configuration Guide NW
  2004s on SAP Service Marketplace at service.sap.com/adobe u2192 Media Library u2192
  Documentation.
  In fact, what is described in the ADS documentation referenced above is that you have to install
  the certificate also on the ADS.
  Kind regards,
     Florian

• Digital Signature - Username Cache

  Hi,
  We are using SAP MII 12.1.8 SP 05 (build 36).
  The problem is:  When a user doing a Digital signature (logon required check box not checked), the user id is defaulted with the previous user id.
  Steps to reproduce the problem:
  1. User1 Logs in the home page.
  2. User1 carries out required actions including the digital signature while posting the data back to DB/SAP.
  3. User1 logs out.
  4. User2 logs in.
  5. User2 carries out the required actions, but in the digital signature the USER1 username appears.(When USER1 Password provided, it worked.) The USER2 username should have come in the Digital Signature Username.
  I have checked with JRE1.6.0_24 with IE8, JRE 1.6.0_23 with IE7, JRE1.6.0_16 with IE6. All three combinations are producing this problem.
  Clearing the browser cache does not solve this problem. Closing the page and opening the page in the new window does not solve the problem.
  When I checked in the page it gives the current logged in User.
  When I clear the java cache and refresh the page it works fine. But the iCommand Digital signature states that, it always default to the User Id who is currently logged in. But it is not doing this. Is any one facing this problem?
  It looks like some problem with MII.  From where, the iCommand gets the USERNAME?
  Do I have login in an OSS message for this? 
  The only work around available as of now check the logon required box, so that the user, can enter his name and password. But the users / business does not want to do that.
  Thanks and Regards,
  Kishore Kumar P S

  Hi,
  Additional Info:  I have checked with USER3. It is still showing the USER1 in the Digital Signature.
  Thanks and Regards,
  Kishore Kumar P S

• Reader not allowing digital signatures

  I used Adobe9 to create a form so our volunteers/interns can fill it out, sign it and send it back to us via email. I can get everything to work so that it works in Acrobat reader, EXCEPT allow signing. No matter how I've tried, (extending the form, creating a policy to allow filling in forms and signing), when I bring the form up in reader (ver 9.3), the document properties still say signing is not allowed. I've tried other reader versions, same result. This should be so much easier, but I cannot figure for the life of me what is wrong. Any idas?
  Thanks
  Ken

  George,
  That is what I thought too. So I did extend it, and it still won't work. Here is a copy of my security properties after
  I extended it as you mentioned:  ------> 
  I can now save data in the form, but the only thing that is NOT working is this %$#@ digital signature thing. Maybe I don't understand digital signatures enough, but in Acrobat9, when designing a form, I could create a digital signature in the fly. Can't users do that when they view a document in Reader? Is it a properties issue, or can't a user create a digital signature in Acrobat Reader at all? Seems like extending a form takes away the signing property.
  Ken

• Digital signature in SharePoint hosted app

  I am creating a sharepoint hosted app where user must use digital signature(loginname, password) before submitting request.
  I am unable to find any machenism to validate user credentials using jquery/javascript.

  Hi,
  Check the blog below:
  Use tasks to maintain your workflow state. Each approval adds a task for the signer. There is a workflow action to handle this for you. When the task is done, it moves to the next step.
  Use the Wait action to have your workflow pause until a change is made. You would have a column for each signer. When the column is filled in, the workflow continues with the email for the next signer.
  Have a workflow that runs for each signing step. The workflow will be kicked off on item change. You will need a column for each signer again. The workflow will examine each column in order to determine what stage it is on and then email the appropriate person.
  http://sharepoint-community.net/forum/topics/multiple-signatures-in-a-document-library-workflow
  Hope this helps

• Automatically renewing certificates for digital signatures

  Is it possible to setup some form of system that automatically renews the user certificate for digital signatures? If so, where can i find information on this?

  Hi - these are all reader extended through Livecycle ES Reader extensions and are signed by users in Reader. What I am asking is if anyone has an idea where this behaviour is declared, so that I can change it.

• IQS9 Completes Quality Notifications without digital signature

  Hi all,
  When we complete quality notifications, the system requires the user to enter digital signature (username and password) in qm02. However when you select a list of notifications in IQS9, and then click on Edit from there, it brings the notificaion up in transaction IQS22 and you can complete a nitification there without digital signature which is bad.
  We can't take everyone away from using IQS22 because it provides a much better selection and drill down capabilities for all types of notifications (service and quality). Is there a way to have IQS22 require a digital signature for quality notifications just like qm02 does?
  Thank you very much,
  Sergiy

  E-signatures in Quality Notifications WAS (!!) not a part of the standard features in SAP. But as of ECC 6 (extension pack 4 - I think) e.signature in notifications are avalable in tasks and actions. I have never test this function. But:
  If this not solves your problem you can implement SAP e-signature Tool with alow you to add digital signatures "everywhere" in the system. This is a pre defined "ABAP-tool" to cal up at any system action by a exit/mod.
  http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e0fbaa71-cd8d-2910-5982-e30626035400
  I hope this will awnser you question and that anyone that has test te e-signatures in notifications can add info.

• Digital Signature other that SAP user password

  Hi there,
               We want that the digital signature should be other than the SAP login user password .
  Please suggest me that how can we do the same....
  Regards
  Kaushik

  Hi
  You can refer to my post for digital signature
  Digital signatures in DMS
  and
  Digital Signature limitations
  Niranjan
  Let me know if it helps !!!

• How can I create digital signatures for my users using Windows 2008 Active Directory Certificate Services?

  Hi,
  I need to create local digital signatures for my users. How can I do that using W2k8 Active Directory Certificate Services? We are gonna sign Office 2010 documents.
  What company offers cheap digital signatures solutions?
  Thanks in advanced

  Consider the following:
  if you use your local CA server to issue digital signature certificates, there is no cost, because you are eligible to issue so many certificates as you need. However, documents signed by these certificates will be considered trusted only within your AD
  forest and other machines that explicitly trust your local CA. Any external client will not trust your signatures.
  If you want to make your signature trusted outside your network (say, in worldwide), you need to pruchase a certificate from trusted commercial CA (VeriSign, GoDaddy, GlobalSign, StartCom, etc) according to respective vendor price list. In that case you
  don't need to have your local CA server, because it is not used. All certificate management is performed by the external CA. A most common scenario is to purchase signing certificate for particular departament principals (head managers) or few certificates
  for a whole company (all documents are revised by a responsible person or persons who holds signing certificate and sign them after review).
  so, it is not clear from your post what exactly you need.
  My weblog: http://en-us.sysadmins.lv
  PowerShell PKI Module: http://pspki.codeplex.com
  Windows PKI reference:
  on TechNet wiki

• [b]How to validate user's digital signature by ClientAuthentication?[u]HELP

  Hello,
  My Problem:
  By client-certificate-based authentication the first step is to prove "Does user�s public key validate user�s digital signature?". How can I prove this on the ServerSide manually, resp. I want to verify it with java classes on the server side additional to web-server. Actually the Web-Server verify this through the SSL-Connection, I'm conscious of this, but how can I additionally verify this step with java classes.
  Thanks a lot

  You would have to code it all again from the client side: obtain the certificate and private key from the keystore, send the cert, sign it, send the signature, and have the server receive the certificate and check the signature, all as part of your application protocol.
  Instead of all this duplication I have no doubt that you should just point your firm at RFC 2246 in which the Certificate and CertificateVerify messages are mandated, or at the pages of Rescoria's book that I pointed you to before. The transport already meets the requirement and there is zero value in re-implementing it. Indeed there is a negative value: (a) there is a development time and execution time cost which they should consider, especially the development cost, and (b) if you get it wrong you are going to reject legal clients. (There is no possibility that you will accept illegal clients by programming error. SSL/TLS works.)
  EJP

• Digital Signature - Requirement to Enter User ID

  Whassup Ya'll-
  We'd like to leverage digital signature in our landscape. However, in order to be Part 11 compliant we will need to have our approvers enter both their user ID and corresponding password. However, as it stands when an approver is prompted for an e-sig, the User ID is already populated.
  Please advise how to customize so the user is forced to enter both fields. I'll make it rain with points.
  Cheers

  Have you tried restarting the touchpad by pressing and holding both the center button and the power button together for around 15 - 20 seconds?
  WyreNut
  I am a Volunteer here, not employed by HP.
  You too can become an HP Expert! Details HERE!
  If my post has helped you, click the Kudos Thumbs up!
  If it solved your issue, Click the "Accept as Solution" button so others can benefit from the question you asked!

• Add Digital Signature to outgoing messages for all exchange users

  Is it possible to add digital signature to outgoing messages for all exchange users? Currently we have add digital signature individually using Outlook.

  Update to my question:
  Can we use our internal CA to publish certificates.  We only want digital signed emails for internal users.

• Digital signature valid or invalid depending on the signing Windows user

  I have a very strange problem and was not able to determine how to resolve it because I quite don't undestand the mechanisms of signing, it seems.
  I have a digital signature issued by a member of the "Adobe Approved Trust List". If I sign a document with Adobe Reader XI or Adobe Acrobat XI Standard logged in with one Windows user account the signature appears valid on any other Windows user account. If I use another Windows user account and sign the document with the same digital signature the signature is invalid in this Windows user account and any other.
  I didn't change any settings in any of the Adobe products. I use the standard configuration as present just after a fresh install.
  One thing I already checked, which nevertheless doesn't explain this strange behavior, is to enable Windows-Integration in the signature configuration of the Adobe products. If this is enabled both documents (the one signed with the "good" Windows user account and the other signed in a "bad" one) show the signature as valid on any Windows account.
  So I am wondering if, besides the signature itself, anything else is integrated into a document while being signed that could explain that behavior and, if this is the case, where the setting, trigger, whatsoever, is, to set up Adobe correctly.
  Please help.

  What do you mean by "signature is invalid"? Is it a a red X or is it Unknown? A problem with trust results in the "Unknown" status, not "Invalid".
  In any case, inspect the signature, first in the Signature panel. It will tell you some info about what's wrong with this signature. Then right-click on the signature and select "Show Signature Properties". You'll get a dialog with more info. In this dialog select "Show Signer's Certificate". Check the chain (in the left pane) and "Revocation" tab for each certificate in the chain.
  Compare this info for signatures created on a "good" account and "bad". My guess is that the "bad" account is lacking some certificate-related component.and the "good account has it. The fact that if you turn on Windows integration signature becomes valid tells me that it is something related to account.
  Another thing to try is this. Go to C:\Users\<username>\AppData\Roaming\Adobe\Acrobat\11.0\Security folder and see if it has CRLCache folder. If it has, delete it and try to sign again.
  Also compare the preferences. Check the Edit->Preferences->Signatures->Verification->More->Verification Time preference. Is it the same on both accounts? Is it "Time when the signature was created"? Is the "Include signature's revocation status" check box in  Edit->Preferences->Signatures->Verification->More->Creation and Appearances->More checked in both accounts?