Message level security: difference digital signature and certificate

Hi everybody,
could anybody please explain the difference between digital signature and certificate?
Thanks
Regards Mario

Mario,
A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later.
A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender's identity and that the message arrived intact. A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real.
whereas
A digital certificate is an electronic "credit card" that establishes your credentials when doing business or other transactions on the Web. It is issued by a certification authority (CA). It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Some digital certificates conform to a standard, X.509. Digital certificates can be kept in registries so that authenticating users can look up other users' public keys.
Hope it helps you.
--Archana

Similar Messages

  • Digital signature and certificates on Mail

    Hello All,
    I'm new using Mac and I have a token with my digital certificate. So I wanna know:
    How can I use subscribe or use a digital signature on Mail. How can I use my certificate to sign the message.
    Thanks,
    Altemir Pacheco

    Altemir ... It's important that the certificate has been created for the e-mail address you want to use as sender e-mail. Your certificate needs to be imported into keychain. Keychain only accepts certificates in a number of formats, among them .p12. You can import in a number of ways, you can for example drop your .p12 file (the certificate) on the keychain icon. Then open keychain and check whether the certificate is visible under "my certificates". It has to appear there and it has to show as "valid" and not as "expired". Control-click on the certificate and set up a new preferred identity for your e-mail address (I am not sure whether this step actually makes any difference but give it a try). Close mail.app and restart mail.app. When you now create a new e-mail and you choose as sender e-mail the e-mail address for which you have the certificate then you should see on the right side, just below the subject line a little symbol which you can click on for activating the signature for the e-mail you're writing. Hope all this works.

  • Digital Signatures and Certificates

    I use Adobe Profession 8,
    I installed a certificate on my computer (certnew.cer) which has my information and stuff on it.. ok so far. We have our own certificate server.
    When I try to apply a signature on a pdf I created, my name is not on the list (Adobe). The only options I have are to create one or import one (.pfx, .p12). I don't mind importing one but it can't import .cer files.
    Testing on another computer, after installing his certificate, his name was shown on the list in Adobe.
    Is there something that I can be doing wrong?
    Is there a way to import a .cer file instead of a .pfx, .p12?
    Is there an easy method of converting a .cer to .pfx (.p12) apart from using Windows Drivers Kit?

    A cer file doesn't have a private key. It contains a public key and other certificate data. Signing requires a digital ID which includes both the cert/public key and the private key, and these are usually stored in pfx/p12 files.
    Self-signed digital IDs are inherently less secure, but they can be made more secure if the recipient verifies the cert "thumbprints" that the signer shares ahead of time. . .
    Comprehensive digital signature instructions exist in this doc:
    http://www.adobe.com/devnet/acrobat/pdfs/digsig_user_guide.pdf
    See also other security related docs on:
    http://www.adobe.com/devnet/acrobat/security.html
    ben

  • Digital Signatures and Certificate Authorities

    My users are wanting a way to sign PDF documents, and have them verified for internal and external recipients. We are currently using Acrobat 9 Standard. I know you can create signatures and 'self-sign' them, but those are only trusted if the recipient manually adds them to their 'Trusted' people.
    From my reading, it looks like we need to purchase a third party code signing certificate, such as the following: http://www.verisign.com/code-signing/
    My question is, what do we need to do to make that certificate available to my users to use for their signatures? I'm having a hard time finding documentation on this part.

    Here's a good starting point for understanding how CDS and AATL work with Acrobat and Reader: http://learn.adobe.com/wiki/display/security/Digital+Signatures+101
    Another option you should look into is Adobe EchoSign: http://blogs.adobe.com/acrobat/tag/echosign

  • Message Level Security and Performance

    Hi All,
    Does the implementation of Message Level security features Like SSL and Encryption degrade the performance of the server in Processing the messages ?
    regards,
    Rahul

    Encryption related performance issue is purely related to size of messages.
    In my opinion, SSL wouldn't affect the performance for large messages. SSL will take its usual time for checking for security.
    And the volume and size could anytime affect the performance
    Regards,
    Prateek

  • Message Level Security

    Hi All,
      In the PI to PI scenario I used certificates for signing and encryption. For this I followed the message level security document.
    In PI1 the message is signed and encrypted, but the signature is not validated and the message is not decrypted in the PI2 server. Output from the PI2 server is coming in encrypted form. How to solve this issue.
    PI1 SP is 11 and PI2 SP is 06.
    Kindly suggest some solution.
    Regards
    Prakash

    Hi,
    Message-Level Security
    Message-level security allows you to digitally sign or encrypt documents exchanged between systems or business partners. It improves communication-level security by adding security features that are particularly important for inter-enterprise communication. Message-level security is recommended and sometimes a prerequisite for inter-enterprise communication.
    ●      A digital signature authenticates the business partner signing the message and ensures data integrity of the business document carried by a message.
    Signatures are used in two scenarios:
    ○       Non-repudiation of origin
    The sender signs a message so that the receiver can prove that the sender actually sent the message.
    ○       Non-repudiation of receipt
    The receiver signs a receipt message back to the sender so that the original sender can prove that the receiver actually received the original message.
    ●      Message-level encryption is required if message content needs to be confidential not only on the communication lines but also in intermediate message stores.
    SAP NetWeaver usage type Process Integration (PI) offers message-level security for the XI protocol itself, for the RosettaNet protocol, for the CIDX protocol, and for the SOAP and Mail adapters. The table below summarizes the message-level security features of these protocols and adapters.
    Message-Level Security Features
    XI Protocol (XI 3.0)
    Messaging components
    Integration Server and PCK
    SOAP
    Adapter Engine and PCK
    Mail
    Adapter Engine
    RNIF 2.0
    Adapter Engine
    RNIF1.1/CIDX
    Adapter Engine
    IIly
    Signature
    X
    X
    X
    X
    X
    Non-repudiation of origin
    X
    X
    (Web service security)
    X
    X
    Non-repudiation of receipt
    X
    X
    X
    Encryption
    X
    X
    X
    X
    Technology
    Web service security (XML signature)
    Signed parts are the SAP main header, the SAP manifest, and the payloads (SOAP attachments).
    Encrypted parts are the payloads (SOAP attachments).
    S/MIME or
    Web service security (XML signature)
    The SOAP body is signed.
    S/MIME
    S/MIME
    PKCS#7
    XI 3.0 is the XI protocol valid for both SAP NetWeaver ´04 and SAP NetWeaver 7.0.
    Message-level security is not guaranteed across the entire communication path of a message, but only for the intended B2B connections, which can be the following communication paths, as described under Service Users for Message Exchange.
    ●      XI protocol
    ○       (s4) Integration Server to Integration Server, PCK to Integration Server
    ○       (r4) Integration Server to Integration Server, Integration Server to PCK
    ●      SOAP protocol
    ○       (s3) SOAP sender to Adapter Engine or PCK
    ○       (r3) Adapter Engine or PCK to SOAP receiver
    ●      Mail protocols
    ○       (s3) Mail server to Adapter Engine or PCK (IMAP4/POP3)
    ○       (r3) Adapter Engine or PCK to mail server (IMAP4/SMTP)
    ●      RNIF and CIDX protocol
    ○       (s3) RNIF or CIDX sender to Adapter Engine
    ○       (r3) Adapter Engine to RNIF or CIDX receiver
    You define whether and how message-level security is to be applied to messages in the Integration Directory by using sender agreements on the inbound (sender) side in scenarios (s3) and (s4) and by using receiver agreements on the outbound (receiver) side in scenarios (r3) and (r4). For more information about configuring message-level security, see Security Configuration at Message Level.
    Message-level security relies on public and private x.509 certificates maintained in the J2EE keystore, where each certificate is identified by its alias name and the keystore view where it is stored. Certificates are used in the following situations:
    ●      When signing a message, the sender signs it with its private key and attaches its certificate containing the public key to the message.
    The receiver then verifies the digital signature of the message with the sender's certificate attached to the message. There are two alternative trust models to verify the authenticity of the sender's public certificate:
    ○       In the direct trust model, the signer's public key certificate is compared with the locally maintained, expected public key certificate of the partner. Therefore, the direct trust model requires offline exchange of public key certificates, which can be self-signed or issued by a CA.
    ○       In the hierarchical trust model, the signer's public key certificate is validated by a locally maintained public certificate of the CA that issued the signer's public certificate. In addition, the subject name and the issuer of the signer's certificate is compared with the expected partner's identity configured in a receiver agreement on the receiver side.
    Generally, the hierarchical trust model enables chains of certificates attached to the message. The XI 3.0 message format, however, does not support such chains; the certificate used for signing has to be signed by a root CA.
    In the hierarchical trust model, the sender and the receiver only need to agree upon the CA and the subject name that the sender has used in its certificate.
    The following trust models are supported:
    ○       The RNIF and CIDX adapters support both a direct and a single-level hierarchical trust models.
    ○       The XI protocol and the SOAP adapter (with Web service security) only support a single-level hierarchical trust model.
    ○       The Mail adapter and the SOAP adapter (with S/MIME) support a multi-level hierarchical trust model.
    ●      When encrypting a message, the sender encrypts with the public key of the receiver (also verifying the correctness of the receiver's certificate by using the public key of the certificate's root CA).
    The receiver decrypts with its private key certificate.
    For more information about the certificate store, see Certificate Store.
    Whenever a message is signed, the receiver archives the signed messages for non-repudiation purposes. See Archiving Secured Messages.
    reg,
    suresh
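
The distinction drawn in the first answer (a signature ties a message to a private key; a certificate is a name-to-key binding that itself carries the issuer's signature) and the direct and single-level hierarchical trust models described above, as an added example that is not SAP's code or part of the original posts. It uses textbook RSA over fixed Mersenne primes as a stand-in for a real X.509 library; `Cert`, `accept_direct`, `accept_hierarchical` and all keys and subject names are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent used by every toy key below

def make_key(p: int, q: int):
    """Textbook RSA key (n, d) from two primes. Toy only: no padding, fixed primes."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _h(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, n: int, d: int) -> int:
    """Digital signature: only the holder of the private exponent d can produce it."""
    return pow(_h(data, n), d, n)

def verify(data: bytes, sig: int, n: int) -> bool:
    """Anyone holding the public modulus n can check the signature."""
    return pow(sig, E, n) == _h(data, n)

@dataclass(frozen=True)
class Cert:
    """Certificate: a name bound to a public key, itself signed by the issuer."""
    subject: str
    issuer: str
    public_n: int
    issuer_sig: int = 0

    def tbs(self) -> bytes:  # the "to be signed" part the issuer vouches for
        return f"{self.subject}|{self.issuer}|{self.public_n}".encode()

    def fingerprint(self) -> str:
        return hashlib.sha256(self.tbs() + f"|{self.issuer_sig}".encode()).hexdigest()

def issue(subject, issuer, subject_n, issuer_key) -> Cert:
    n, d = issuer_key
    return Cert(subject, issuer, subject_n, sign(Cert(subject, issuer, subject_n).tbs(), n, d))

def accept_direct(msg, sig, cert, pinned_fingerprint) -> bool:
    """Direct trust: the attached certificate must be the one exchanged offline."""
    return cert.fingerprint() == pinned_fingerprint and verify(msg, sig, cert.public_n)

def accept_hierarchical(msg, sig, cert, ca_cert, want_subject, want_issuer) -> bool:
    """Single-level hierarchical trust: the local CA certificate validates the signer's
    certificate, and subject and issuer must match the configured partner identity."""
    return (cert.subject == want_subject
            and cert.issuer == want_issuer == ca_cert.subject
            and verify(cert.tbs(), cert.issuer_sig, ca_cert.public_n)
            and verify(msg, sig, cert.public_n))

# Constructed keys from known Mersenne primes (demo only, never real key material).
CA_KEY = make_key(2**607 - 1, 2**521 - 1)
PARTNER_A_KEY = make_key(2**127 - 1, 2**107 - 1)
SECOND_KEY = make_key(2**89 - 1, 2**61 - 1)

CA_NAME, PARTNER_A = "CN=Example Root CA", "CN=Partner A"
CA_CERT = issue(CA_NAME, CA_NAME, CA_KEY[0], CA_KEY)                # self-signed root
CERT_A = issue(PARTNER_A, CA_NAME, PARTNER_A_KEY[0], CA_KEY)
CERT_A_RENEWED = issue(PARTNER_A, CA_NAME, SECOND_KEY[0], CA_KEY)   # new key, same CA
CERT_B = issue("CN=Partner B", CA_NAME, SECOND_KEY[0], CA_KEY)      # valid, wrong partner
FORGED = issue(PARTNER_A, CA_NAME, SECOND_KEY[0], SECOND_KEY)       # names copied, not CA-signed

def scenarios() -> dict:
    """Return {case: (direct_trust_result, hierarchical_trust_result)}."""
    msg = b"<order id='42'>100.00 EUR</order>"
    sig_a, sig_2 = sign(msg, *PARTNER_A_KEY), sign(msg, *SECOND_KEY)
    cases = {
        "genuine": (msg, sig_a, CERT_A),
        "tampered": (msg + b" ", sig_a, CERT_A),
        "renewed_key": (msg, sig_2, CERT_A_RENEWED),
        "wrong_partner": (msg, sig_2, CERT_B),
        "forged_cert": (msg, sig_2, FORGED),
    }
    pinned = CERT_A.fingerprint()  # what the receiver stored after the offline exchange
    return {name: (accept_direct(m, s, c, pinned),
                   accept_hierarchical(m, s, c, CA_CERT, PARTNER_A, CA_NAME))
            for name, (m, s, c) in cases.items()}

if __name__ == "__main__":
    for name, (direct, hierarchical) in scenarios().items():
        print(f"{name:14} direct={direct} hierarchical={hierarchical}")
```

The `renewed_key` case is the one where the models differ: the hierarchical check accepts a reissued certificate because only the CA and subject name were agreed, while direct trust rejects it until the new certificate has been exchanged offline.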

  • Securing Digital Signatures and none of that other stuff

    Hello.  I am new to getting help from highly knowledgeable people in this type of forum.  This will be my second question asked.  The first time response was quick, correct, and succinct.  I am grateful for your help and I thank you.  I will need to find out how to close out the thread I initiated with the first question.  Now my second question will allow me to cut to the chase, (provided I learned correctly what my mentors told me when responding to my first question).  Here it is: I want to lock my digital signature to a PDF document without the use of a third party CA or without becoming a do it yourself CA.  From my perspective it would seem that these programs or services are far more than I need.  I simply need to secure, lock down my digital signature of PDF document that I send out to government agencies.  It’s a one way trip.  Copies of the documents are provided to members of my association, again a one way trip.  I need to have my digital signature integrated into the text of the document and secure as well as the PDF document itself.  That is all I want to do; no tracking, no secured return digital signatures, etc.  I prefer to buy an add-in or an easy to use software program, but if I absolutely have to, I can work with the “cloud”.  Can anybody point me in the right direction?   Really need help.
    Thanks for your consideration and past assistance.
    HALO

    There are many different types of digital signatures. I use digital signatures that are self-signed. They cannot be verified by the people that receive them, but guarantee the documents haven't been changed since signed.
    This article might help: http://help.adobe.com/en_US/acrobat/X/standard/using/WS11dd809af63f0e1e-43e0464b12b4384d3b 6-8000.html
    As to your previous thread. We do not close threads usually as other people with similar issues may want to post or read the thread. You can go and mark the thread as solved.

  • Digital Signatures and Security Policies

    Is there a way to combine a digital signature and a Security Policy. We have a need to digitally sign a document, but not allow that signature to be removed and to not allow any further editing of the document?

    Hello Francesco,
    I want to  generate a digital signature (PKCS#7,XML) using SAP SSF API as explained in
    http://help.sap.com/saphelp_nw04/helpdata/en/4f/65c3b32107964996a56e4165077e24/content.htm and in Amol Joshi's reply in
    Digital Signatures and Document Encryption api
    so my question  is From which PI/XI version and its SPS this SAP SSF LIBRARY is supported ?
    Kind Regards,
    Kubra fatima.

  • WebServices and message level security

    Hello,
    I am investigating about the use of XI web services using message level security (encrypted xml), is it possible to achieve this between an SAP provider and a third party consumer, without using a PCK or developing a specific adapter? (most solutions I see always point to this).
    If anyone could shed some light into this matter i would be thankful.
    Regards,
    Leandro Fonseca


  • Invoking a message-level secured webservice WS Security

    I am not having any luck invoking a webservice that has been secured via message-level security. For simplicity, I have been using WS-Security Policies provided by WebLogic and applying them on my webservice via annotations. I have been testing with Wssp1.2-Wss1.0-X509-TripleDesRsa.xml. I am using soapUI to invoke the webservice. When I send a signed soap request, I get a response indicating that it wasn't able to validate the signature. I made sure that both soapUI and WebLogic server are using the same identity store. I have also made sure that the certificate in the identity store is also in the trust store for WebLogic. There could also be a problem with the structure of the soap request. I send a soap request that includes a signature of the timestamp, the initiator token (x509 in binary form), and the body.
    Anyone have luck with WebLogic webservice security and soapUI?

    Applying 'format XML' after signing it changes the message and makes the signature invalid, different content == different signature.
    You should also ask yourself why you'd like to transport blank characters (zero information) over the wire just to make it more readable for yourself? Just compare the size of the unformatted and formatted message to see the waste of bandwidth.
    --olaf
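
The effect described in this reply, as an added example that is not part of the original thread: a digest over the canonical form of a signed element tolerates attribute reordering and quote changes but not re-indentation, because canonicalization keeps whitespace inside the content. The SOAP message is constructed, the function names are hypothetical, and Python's C14N 2.0 implementation stands in for whichever canonicalization method the actual signature names.

```python
import hashlib
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Constructed request exactly as the sender serialized it before signing.
SIGNED = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><o:order xmlns:o="urn:example:orders" currency="EUR" id="42">'
    '<o:amount>100.00</o:amount></o:order></soap:Body></soap:Envelope>'
)
# Same content with attribute order and quoting changed (constructed).
REORDERED = SIGNED.replace('currency="EUR" id="42"', "id='42' currency='EUR'")

def raw_digest(xml: str) -> str:
    """Digest over the serialized bytes: sensitive to every syntactic detail."""
    return hashlib.sha256(xml.encode("utf-8")).hexdigest()

def canonical_digest(xml: str) -> str:
    """Digest over the canonical form, the value a verifier recomputes and compares."""
    return hashlib.sha256(ET.canonicalize(xml).encode("utf-8")).hexdigest()

def format_xml(xml: str) -> str:
    """What a 'format XML' action does: re-indent, which adds whitespace text nodes."""
    return minidom.parseString(xml).toprettyxml(indent="  ")

def survives(changed: str) -> bool:
    """True if a verifier would still compute the digest the sender signed."""
    return canonical_digest(changed) == canonical_digest(SIGNED)

def differs_only_in_whitespace(a: str, b: str) -> bool:
    """Diagnostic: compare canonical forms with whitespace-only text stripped."""
    return ET.canonicalize(a, strip_text=True) == ET.canonicalize(b, strip_text=True)

if __name__ == "__main__":
    pretty = format_xml(SIGNED)
    print("raw bytes equal after reordering attributes:", raw_digest(REORDERED) == raw_digest(SIGNED))
    print("canonical digest survives reordering:       ", survives(REORDERED))
    print("canonical digest survives 'format XML':      ", survives(pretty))
    print("formatted copy differs only in whitespace:   ", differs_only_in_whitespace(pretty, SIGNED))
```

When a signed request fails validation, running the sent bytes through a check like `differs_only_in_whitespace` against the bytes that were signed quickly confirms or rules out post-signing formatting as the cause.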

  • Digital Signatures and Encryption in Yosemite Mail

    After upgrading to Yosemite, I am having difficulty using the Mac Mail app to send digitally signed and encrypted email.
    Before the upgrade to Yosemite, I was able to send signed and encrypted emails using certificate/keys in my keychain using both the Mac Mail app and Microsoft Outlook 2011 for Mac.
    After upgrading, I am still able to send signed and encrypted message in Outlook, but the Mac Mail app gives the following error when I attempt to send a signed email:
    'You don’t have a trusted certificate in your keychain that matches the email address “XXXX@XXXX”. Without a certificate, you can’t sign messages sent from this address.'   (Actual name replaced)
    When I look at my certificates in my keychain, a certificate is available with "Usage: Digital Signature" that has the email address from the error message "XXXX@XXXX" with exact case in the RFC 822 Name.
    Another interesting piece of data that might help track this down is that when I first launch the Mac Mail application, the Mac Mail application is able to successfully decrypt emails that have been previously sent encrypted to me.  HOWEVER, after I attempt to send an email and get the "You don’t have a trusted certificate..." error message, these emails are no longer able to be decrypted.  I get the "Unable to decrypt message" header above the message and the content of the message is just a "smime.p7m".  If I close the mail application and restart it, these encrypted message are once again decrypt-able until I attempt to send a message.
    It almost seems like things are working until mail tries to access the keychain.
    I have attempted to delete my certificate and keys from my keychain and then adding those items again.
    I have attempted to close the mail application and reopen it.
    I have attempted to reboot my computer.

    1.  I want to confirm that this is still an issue for me in 10.10.1 and mail Version 8.1 (1993)
    2.  I have another data point.
    At my office I have wired networking and wireless networking available.  Primarily I utilize the wired networking for access to network drives, etc.
    When using the wired networking, I experience all the problems that have been catalogued in this thread.  Can't sign, can't encrypt, can't close the compose window after the mail program fails to find my certificate.
    However, when I switch to wireless networking before starting the mail application, digital signatures and encryption seem to work!  This is pretty weird behavior.  Make sure to restart mail if you were previously wired.
    Here are some theories:
    Something to do with OCSP?  When I am wired vs wireless I am on different ip subnets and subject to different firewall rule sets.  Perhaps OCSP is trying to determine the status of the certificate and failing? 
    Here are some things I have tested:
    I switched to a different official apple brand thunderbolt to ethernet adapter with no change in behavior
    I disabled wireless and disconnected my wired network.  So no network access at all.  Signatures and encryption work!  The message obviously does not send, but it appears in my outbox and I don't get the signature error.  When I reconnect my wired cable, the message sends successfully and appears as encrypted in my sent folder!
    I have attempted to disable OCSP by using "Keychain Access --> Preferences --> Certificates Tab --> OCSP (OFF) and CRL (OFF)" but this hasn't made a difference in the behavior of wired networking.
    Ran a TCPDUMP on traffic to the OCSP service but didn't see any traffic when I attempted to send a message and received the signature error
    I am pretty stumped on this.  This is very odd behavior
    Does anyone else experience this behavior?

  • Message Level Security in FTPS

    Hi ,
       Does the File Adapter with FTPS provide Message Level Security?
    And what is the exact difference between FTPS for Control Connection and FTPS for Control and Data Connection?
    What is the significance of the Use X.509 Certificate for Client Authentication check box? If we check it, what will happen, or if we don't, what will happen?
    Thanks.
    Anitha.

    >
    Anitha SAP wrote:
    > Hi Rajesh,
    >
    >       I have to use only FTPS. Because my client is suggesting that only. Isn't possible using FTPS ?
    > And Tell me The Difference Between FTPS for Control Connection and FTPS and Control and Data Connection .
    > Necessity of Public key certificate from FTP Server?
    >
    > Thanks.
    > Anitha.
    PI supports FTPS. You can use the File adapter for the same.
    The basic difference when we talk about FTPS for Control Connection and FTPS and Control and Data Connection is that in the case of FTPS and Control and Data Connection, your data is also encrypted. Otherwise the connection is secure but the data-level encryption will not be active.
    FTPS works with certificates and hence the need for the same.

  • Digital Signatures and APEX

    Has anyone had any success implementing digital signatures (PKI) within APEX?
    Here is a brief synopsis of what we are looking to accomplish and realize that third-party hardware/software might be necessary. We require users to login using LDAP credentials. We want them to be able to generate documents (i.e. PDF, Word, or Excel) from our application data. We want the users to have the ability to Digitally Sign their documents. We will be issuing individual private keys & certificates and we are considering generating the documents as XML. We are still in requirements gathering, but wanted to explore any and all capabilities within APEX.
    Any thoughts? Thanks.


  • Java SSF for Digital Signatures and Document Encryption

    Hello,
    I have read in "SAP Help - Java Development Manual" that there is a Java SSF library for Digital Signatures and Document Encryption API.
    http://help.sap.com/saphelp_nw04s/helpdata/en/4f/65c3b32107964996a56e4165077e24/frameset.htm
    I am trying to develop an example application in NWDS using Interfaces/classes (ISsfData, SsfDataXml...), but NWDS does not find these classes in any library.
    I have searched for Javadocs in NWDS plugins directory and these classes and interfaces should be in JAR com.sap.security.api.jar, but they aren't there.
    Our WAS version is: NW04s WAS 7.0 SP11 and we have downloaded Java Crypto Library (IAIK) and also SAP XML Toolkit.
    Does anyone know how to find or obtain this library?
    Thanks in advance,
    Jorge Linares


  • Digital Signature and SharePoint 2013

    Dear Expert,
    My company has a plan to do digital signature and sharepoint 2013. Now, we focus for internal use that I know use AD CS. and in near future we use for external use. We plan to buy 3rd party certificate.
    My question
    1. How to implement this solution? Please suggest
    2. If I implemented AD CS, can we use public certificate in near future.
    3. Can we use public certificate with SharePoint 2013?
    Thank you

    Hi,
    Based on your description, my understanding is that you want to use Digital Signature in SharePoint Server 2013.
    You can use digital signatures in forms, then use these forms in your SharePoint site.
    In an InfoPath form, you can change the form to allow signatures here: File > Info > Advanced form options > Digital Signatures. You can choose to sign the whole form or a field.
    https://social.technet.microsoft.com/Forums/en-US/0ed54d57-d67d-41cd-bd1b-9e5a4be10d0c/use-of-digital-signature-in-sharepoint-2010?forum=sharepointcustomizationprevious
    besides, here is a similar post, you can take a look at:
    http://sharepoint.stackexchange.com/questions/78058/custom-digital-signatures-or-hash-on-list-items
    For more information about implemented AD CS, refer to the following link:
    http://technet.microsoft.com/en-us/library/hh831574.aspx
    Best Regards,
    Lisa Chen
    TechNet Community Support
