QM Digital Signature SAP System's Personal Security Environments (PSEs)

Hi All,
We want to introduce digital signatures for Quality Management result recording and usage decision (transaction codes: QE01, QE02, QA11, QA12).
We have made some studies. Still, we need some suggestions to achieve the final goal.
==============================================================
1. SSF settings for system signature
Check and if necessary maintain the standard settings. To do this, execute the following activities in the IMG under SAP Web Application Server -> System Administration -> Digital Signature:
• Define application-dependent parameters for SSF functions
• Define security settings for the system
The above IMG Structure
SAP Web Application Server -> System Administration -> Digital Signature:
is not appearing in ECC6.0. Where can we find the above structure in ECC6.0?
2. SAP Netweaver
--> Application Server
--> System Administration
-> Maintain the Public Key information for the system
--> Maintaining the system security information.
This IMG Activity "Maintaining the System Security information"
Environment.
We have to create new “SAP System's Personal Security Environments (PSEs)” ?
What is the procedure to create SAP System's Personal Security Environments (PSEs) ?
We are unable to proceed.
Please help.
With Best Regards,
Raghu Sharma.

Dear All,
Basis involvement is very much required.
Hence we are closing this issue.
With Best Regards,
Raghu Sharma

Similar Messages

  • SAP HR-IN Form 16 Queries , Digital Signatures, SAP ADS

    Hi.
    I have a couple of queries with regard to Form 16.
    1. My firm wants to use digital signature in the Form 16. How to configure the signature part of the Form16 in SAP?
    2. Where is the purpose of SAP ADS in digital signature?
    3. Do I need to get a new license for using the digital signature feature in form 16?
    4. My company is getting the digital signature part done thru a 3rd party. How to upload this digital signature into PC00_M40_F16?
    5. What are the relevant SNotes to be installed to use this feature?
    Regards
    Abraham

    Hi Abraham,
    The workaround software we have used is provided by Ace Technology, they are one of the approved DSC vendors.
    This is their contact details:
    | Email: [email protected] | website: www.acetechnology.co.in
    If you are going for the same vendor, go for a Grade 3 signature, it allows you to do a Mass Digital Signature.
    The tech support provided by them was not that great; we eventually figured out how to use their product, but in case you take the same service I can help you in figuring out how to use the USB token.
    Regards,
    Vishwas

  • Use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature?

    Dear all,
    I am looking to set up the use of Active Directory userid/password authentication instead of SAP R/3 user/password for digital signature. We SSO to the back-end ABAP AS via an SAP NW Portal on which SPNEGO Kerberos authentication is set up. Today we specify the R/3 user ID/password to digitally approve a lot release. The idea is to have users maintain one AD password so that they don't have to remember the R/3 password anymore, and also for our Security team to avoid password maintenance.
    I know there are 3 options for digital signature:
    System signature with authorization by user ID and password (We use this currently)
    Digital User signature with verification - (We would like to use this with AD userid/password, so the system still ask the users their AD userid/password for the authentication when they try to "sign" a document.)
    User signature without verification
    Do you think there is a way to configure the system in order to ask for and check the Active Directory userid/password instead of the SAP R/3 password? Where can I find documentation about it?
    I have several different versions of AS ABAP starting from NW 7.02 to NW 7.31.
    My active directory is based on Windows 2008.
    Thanks in advance!!
    Dhee

    Actually enabling Kerberos for SSO purposes and enabling Kerberos for digital signatures are two different topics although the latter is because of the former. I'm interested in the topic as well and I'm currently looking at different options. SAP provides a BAdI for the digital signature API which can be used for external authentication but they do not provide the solution to invoke Kerberos authentication based on username and password. SAP provides a semi solution with NWSSO 2.0 SP2 which works only on Windows with classic dynpros meaning SAP GUI for Windows is assumed. The solution is based on an ActiveX component which does the actual Kerberos authentication using the Secure Login Client which is part of the NWSSO suite. Extending that implementation to non-Windows and non-GUI applications would require some sort of web enabled service that could be used to authenticate the user with username and password. In case authentication is successful, a Kerberos token would be returned to SAP which would then be validated. All the required pieces are there since SAP has Kerberos support now in both stacks of the NetWeaver Application Server, some bits are still missing though which leaves customers looking at 3rd party or custom solutions.

  • Securing pdf document with digital signatures

    I have a pdf document that has digital signatures. We need to secure it so no one who has input their digital signature can go back in later, delete their signature and then 're-sign' it. But I get an error message telling me I can't secure the document because it has digital signatures.
    Is there any way to secure the document so only I can secure/unsecure it after digital signatures have been input?
    Thanks!

    You don't need to use document encryption to lock the PDF file. You can set the signature field properties to mark all fields as read-only at signature creation. Try this:
    Select the Tools > Toolbars > Advanced Editing menu item
    Click the Select Object tool on the Advanced editing toolbar (it's the arrow icon)
    Right mouse click on the signature field and select Properties from the pop-up menu
    Select the Signed tab on the Digital Signature Properties dialog
    Select the Mark as read-only radio button and All fields from the corresponding drop-down list
    Click the Close button on the Digital Signature Properties dialog
    Select the File > Save As menu item and save a copy (in other words, leave the original copy as is in case you find you locked yourself out of the document, that way you'll have a fall-back recovery option)
    Good luck,
    Steve

  • Digital Signatures for cProjects Approval

    Hi Folks,
    I am on cProjects 4.5 and from what I understand there are 2 options for this based on whether or not I check the "Signature of Approval with User Certificate" box in Project Type config.
    Unchecked - user is prompted for cProjects password and this works fine. Only issue for us is, we are on the portal and most likely cProjects password will be different and unknown to user. As per note 928527 this is standard behavior and tough luck for anybody on the portal.
    Checked - user is given the ability to digitally sign the PDF approval document. When I select "sign" on the PDF I am given the ability to create a new ID or use an existing ID from a file, server etc. I created a new ID and signed the document. Once I do this and click the transfer button the system appears to hang. The progress indicator appears and keeps going.
    Therefore my questions are:
    1. Is there any additional config I need to do in cProjects. ADS or anywhere else?
    2. How exactly does adobe digital signatures work? If anybody simply create a signature how does that provide any verification of authenticity?
    Appreciate any help.
    Thanks,
    Lashan

    Hi,
    please see the Configuration Content for cProjects 4.5 available in SAP Solution Manager and also as PDF attachment to SAP Note 1035436.
    There it says:
    Making Settings for the Approval
    Use
    You can use user certificates for digital signatures of approvals.
    Prerequisites
    ● You are using Microsoft® Internet Explorer 6.0 or higher.
    ● You have a user certificate that is suitable for digital signatures (for example, the single
    sign-on certificate).
    ● You have installed Adobe® Reader and Adobe Document Services.
    Procedure
    To verify the signature, enter the corresponding root certificate in the certificate list of the
    Personal Security Environment (PSE, transaction STRUST). For more information, see the
    documentation for the activity and the Adobe Document Services – Configuration Guide NW
    2004s on SAP Service Marketplace at service.sap.com/adobe → Media Library →
    Documentation.
    In fact, what is described in the ADS documentation referenced above is that you have to install
    the certificate also on the ADS.
    Kind regards,
       Florian

  • Digital signature in QM

    Hi all,
    I have some doubts, please help me to solve them.
    1) The digital signature ensures that certain tasks are only performed by specially authorized users and documented in a signed document together with the name of the undersigned person, and the date and time.
              But this can also be met by using Basis tools, providing authorisation to restricted users only for UD and result recording.
              Then what is the use of the digital signature?
    2) If I am using the digital signature, it is not reflected anywhere.
      I can only see logs for it under Tcode DSAL.
    ASD

    I pasted below the help file info from SPRO on digital signatures. This gives you a good overview. You can find more info on this by searching help for information on SSF Settings for the System Signature. SSF = Secure Store and Forward, and you will find help files on this as well. These areas are set up by BASIS folks, not QM. You may want to inquire in a BASIS forum for more specific info on setting this up.
    Craig
    The basis application component Secure Store and Forward (SSF) is used to realize digital signatures in the SAP System. This section tells you how to make the following settings:
    SSF settings for the digital signature
    Which settings you make here depends on the signature method you use (see Specify Signature Method for Approval Using Simple Signature and Define Signature Strategies)
    The complete names of the users that are supposed to execute the signatures as well as their personal time zones
    When a signature is executed, the system copies the signatory name together with the local time according to the signatory's personal time zone to the signed document.
    Caution
    All users can maintain their address data and defaults by choosing System -> User profile -> Own data. The general user settings along with the SSF settings for the user are part of this data. Therefore if you use digital signatures, do not assign the authorization to maintain own data to all users.
    Requirements
    If you use the user signature as your signature method, you need an external security product that is linked to your SAP System by way of SSF.
    Note that you should not store the users' Personal Security Environment (PSE) in a file system but rather, for example, on a smart card. The PSE software does not comply with legal requirements for digital signatures.
    Standard settings
    The SSF settings for the system signature are contained in the standard system.
    Activities
    SSF Settings for the User Signature
    1. Go to Customizing for Basis Components, choose System Administration -> Digital Signature and carry out activity Application-Dependent Parameters for SSF Functions.
    2. Enter the SSF information for the users that are supposed to execute digital signatures. If you want, you can also make the general user settings now (see below).
    a) Go to user maintenance.
    b) Enter the user ID of the user whose data you want to maintain and choose Change.
    c) Go to the Address tab page.
    d) Choose Other communication and double-click SSF (Secure Store & Forw.).
    e) Enter the user's SSF information.
    How the entries must be structured depends on the security product you use.
    f) Choose Continue and save your entries.
    SSF Settings for the System Signature
    Check and, if required, maintain the standard settings. To do so, go to Customizing for Basis Components, choose System Administration -> Digital Signature and carry out the following activities:
    Application-Dependent Parameters for SSF Functions
    SAPSECULIB Maintenance Information
    General User Settings
    1. Go to user maintenance.
    2. Enter the user ID of the user whose data you want to maintain and choose Change.
    3. Go to the Address tab page and enter the user's first and last names.
    4. Go to the Defaults tab page and enter the user's personal time zone.
    5. Save your entries.

  • SAPGUI SNC logon and digital signature

    Dear all,
    I have set up in a test environment an SAP logon with SNC in order to use Active Directory authentication instead of the SAP R/3 user and password. It works well, so I can enter the system directly without specifying the R/3 user and R/3 password. My users do not have to maintain an R/3 password anymore.
    Now I have a problem. For some transactions we have implemented the digital signature in order to have a further authentication when we want to perform some critical task. An example is releasing dms document in CV02N transaction.
    Our customizing for digital signature is:
    System signature with authorization by R/3 user ID/password
    The other options are:
    User signature with ext. security product with verification
    User signature with ext. security product w/o verification
    So the system still ask to the users their R/3 password for the authentication when they try to "sign" a document.
    Do you think there is a way to configure the system in order to ask for and check the Active Directory user password instead of the R/3 password? Where can I find documentation about it?
    My system is SAP R/3 4.70 ext 2 on windows 2003 r2 sp2 x64.
    My active directory is based on Windows 2003 x32 sp2 in native mode.

    Hi,
    We are running SAP ECC Version 6.0 with Netweaver 7.1. We also talked with SAP about this and they have given a small BADI to disable the R/3 user ID and password prompt. However, they informed us that we have to write our own coding to activate/authenticate with LDAP.
    I am wondering what needs to be modified and in which function module. I saw the text below in one of the threads. Please let me know what to modify in the coding to make the LDAP authentication work.
    There are some options for what changes need to be made to the SSFT_PPPI_SIGN function module:
    1. It could be changed to call a SAP supplied function module called LDAP_SIMPLEBIND. This would mean that a user and password entered by user would then be checked with LDAP server (e.g. Active Directory) instead of the user and password entered being checked with SAP user store, which of course won't work when SNC is enabled because user SAP passwords are then deactivated.

  • DMS & Workflow - Handling Digital Signatures

    Hello,
    I have set up a DMS status network, and I'm controlling this network using workflow.
    My workflow listens to "DRAW" for changes, and when a particular status is seen,
    workflow starts.
    This workflow sends out work items to several users, prompting them to review.
    At this point, users can go into the DIR from their Inbox, and either select Approve or Reject Status.
    Both Approve and Reject status are set up to require a Digital Signature.  Workflow controls moving the status back to a "ready" state for the next reviewer.  It also keeps track of the number of reviewers, in order to know when all reviews are done.
    When everyone behaves in timely manner, this works great.  Workflow has no issue with setting DMS statuses - in most cases.
    However, I also have deadline monitoring set up on my workflow.  After 3 days pass with no action, I want to "auto-reject".  System id WF-BATCH is what I use to set statuses through workflow, and this works fine in most cases. However since the status "Approve" and "Reject" are set to require digital signatures, this system initiated status change FAILS.  The system does not provide a digital signature for itself.
    My question is - is this possible through configuration - to set it up in some way that a system ID can promote to a status and either pass a password or simply not require a digital signature?
    My network is kind of stuck at this point because one of the 2 statuses MUST be selected for it to proceed.
    Edited by: Bill Bessette on Jul 24, 2008 9:40 PM

    Hello Niranjan,
    That's an interesting suggestion... I'll investigate.  Any additional detail you can provide on how to implement this User/Pwd hard coding in WF would be appreciated.
    In the meantime, here is some additional info.
    Imagine a status network as follows:
    Draft
    Initiate Workflow
    In Review - Reject/Approve
    Active
    Document starts in draft.  The author selects a status of (Initiate Workflow) at which point the workflow starts.
    Workflow moves the status from (Initiate Workflow) to (In Review)
    and puts a work item in the reviewers mailbox. Reviewers can change the status to (Reject) or (Approve) and each requires a digital signature.  After each reject/approve, Workflow moves the status back to (In Review) so that the next person may act.  When everyone has reviewed and approved, workflow moves the status to (Active).  If anyone has rejected, workflow moves the status back to (Draft.)
    This is a simplification, but that's the scenario.  WF-BATCH is our workflow ID that has SAP-ALL authorization.  Problem occurs when deadline monitoring is in effect.  If a reviewer doesn't act within the designated deadline, the monitor fires and the work item is flagged as obsolete.  Due to the status network, the only valid path is to either move to (Approve) or (Reject).  But since both of those statuses have been set up to require digital signature, they fail.  We end up stuck in (In Review) with no way out.
    If hard coding the userid WF-BATCH and the password in some table will solve this problem, then we'd be thrilled.
    Bill
    Edited by: Bill Bessette on Jul 25, 2008 6:00 PM
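
The status network from the post above, modelled as an added example (not part of the original thread and not SAP code): a reachability check that lists the statuses an actor who cannot supply a digital signature, such as the WF-BATCH background user, can never bring back to a resting status. The edge list is one reading of the post, and the `Timed Out` status in the second network is hypothetical.

```python
from collections import deque

# Constructed model of the status network described in the post.
# Each edge is (from_status, to_status, requires_digital_signature).
# Per the post, only the moves into Approve and Reject are signed;
# the moves performed by the workflow itself are not.
NETWORK = [
    ("Draft", "Initiate Workflow", False),
    ("Initiate Workflow", "In Review", False),
    ("In Review", "Approve", True),
    ("In Review", "Reject", True),
    ("Approve", "In Review", False),   # next reviewer's turn
    ("Reject", "In Review", False),    # next reviewer's turn
    ("Approve", "Active", False),      # everyone approved
    ("Reject", "Draft", False),        # someone rejected
]

# Hypothetical variant: an unsigned exit for the deadline monitor.
# "Timed Out" is an assumption made for this example, not a status
# from the post.
NETWORK_WITH_TIMEOUT = NETWORK + [
    ("In Review", "Timed Out", False),
    ("Timed Out", "Draft", False),
]

# Statuses in which a document may legitimately sit with no workflow open.
RESTING = {"Draft", "Active"}


def stuck_for_unsigned_actor(edges, resting):
    """Return the statuses from which an actor that cannot sign is unable
    to reach any resting status, using unsigned transitions only."""
    statuses = {s for src, dst, _ in edges for s in (src, dst)}

    # Reverse adjacency restricted to transitions that need no signature.
    preds = {s: set() for s in statuses}
    for src, dst, signed in edges:
        if not signed:
            preds[dst].add(src)

    # Backward breadth-first search from the resting statuses.
    can_finish = set(resting) & statuses
    queue = deque(can_finish)
    while queue:
        current = queue.popleft()
        for prev in preds[current]:
            if prev not in can_finish:
                can_finish.add(prev)
                queue.append(prev)

    return statuses - can_finish


def signed_only_exits(edges):
    """Return statuses whose every outgoing transition needs a signature."""
    outgoing = {}
    for src, _dst, signed in edges:
        outgoing.setdefault(src, []).append(signed)
    return {s for s, flags in outgoing.items() if all(flags)}


if __name__ == "__main__":
    print("signed-only exits:", sorted(signed_only_exits(NETWORK)))
    print("stuck for WF-BATCH:",
          sorted(stuck_for_unsigned_actor(NETWORK, RESTING)))
    print("stuck with timeout status:",
          sorted(stuck_for_unsigned_actor(NETWORK_WITH_TIMEOUT, RESTING)))
```

Running the same check over a planned status network before signature strategies are assigned shows whether a deadline job has a path that needs neither a signature nor a stored password.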

  • Projects & Digital Signatures

    Hi Experts,
    One of our Client deals with Projects.
    According to my solution, every Project will have a Project Code and WH with same name.
    1. The material lying at one project location some time is transfered to another Project location, and that has to be linked with Project Code for Costing purpose in Stock Transfers.
    In SBO there can be only One Project linked, how to deal with this situation.
    2. When the material is Purchase, it is booked as expense insted of current asset and they also want the quantity available.
    Can i assign Expense account at Inventory account in G/L Determination, If so what all the things i should mind
    3. My Client also wants Digital Signature of the approved person on the doc's. I have no idea about this, Can any help me about this.
    Thanks in Advance
    Regards,
    Sandeep

    Hi Sandeep
    The best way to handle items to an expense account is to set them as non inventory items. This will automatically use the expense account for the account determination. The only problem is that SAP Business One will not have any on hand quantity for the item. You could try changing the stock account to be an expense account but I would not recommend this (as it seems you might have already done).
    In the scenario you have, the best would be to purchase stock into the asset account and then use stock transfer to move it between projects or use goods issue to expense as the items are consumed for the project. That way you would know which items have being used or not. Please let me know what kind of projects these are, ie. construction over time, etc. How are customers billed, on milestones, etc.?
    Note that you can change the allocated project code against the journal entry, though I would advise you to use this carefully as any mistakes would cause the project reports to be inaccurate.
    As for the project on stock transfers, in the project column (form settings to activate) you can select a different project for each item in the rows. If the same item is being moved to 2 different locations, this will not be a problem as each project is also a warehouse and you must add 2 rows for the item and set a warehouse for each one.
    With regards to digital signatures, this is not that easily handled in SAP Business One. The problem is how to relate a jpg or bmp image file (for example) to a specific user and not allow other users to access the file.
    Kind regards
    Peter Juby

  • Digital Signature tool to Embed Approver signature on PDF Original Files

    Hi,
    Good Day...!
    We have implemented SAP DMS and configured workflow for DMS. When it reaches certain status workflow will be triggered and send workitem to the Approver. If approver can approve or reject based on his review on the original document. If he approves DIR will directly go to released status. Once Approver approves Digital signature has to popup and it has to embed approvers signature on the Original file.
    Is there any third party tools available in the market or can any body provide some inputs how to achieve.
    Please share your experience, if anybody has implemented the same.
    All original files we are using will be in PDF format.
    Note: Our requirement is Approver's signature has to embed on to the Original file when he approves the document.
    Thanks & Regards,
    Prasad.

    Hi,
    Please find details on digital signature in DMS
    Prerequisite
    1) You must have Authorization object C_SIGN_BGR to be set (ask basis team to do the same) for the digital signature.
    2)Following  are the authorization object for Documents (If you have all access to the authorization object will be very good, mainly a & b must).
    a) C_DRAW_TCD
    b) C_DRAW_TCS
    c) C_DRAW_STA
    d) C_DRAW_BGR
    e) C_DRAW_DOK
    f) C_DRAD_OBJ
    How to config for Digital Signature in DMS
    The required settings are made under
           a) Document Management -> Approval -> Define individual Signature.
           b) Document Management -> Approval -> Define Signature strategy.
    2.   Assign a signature strategy to the document status .
    3.   Also the required settings are made in customizing under
          Document Management - Control data - Define Document Types (DC10) - Define document status.
         Assign a signature strategy to the document status (As per point no.1 in sign start).
    4.  Save the changes.
    5.  Create DIR
    6.  In DIR once the Document status is set for required digital signature, the system informs you that a digital signature is required. Yellow warning will come, enter two times.
    7.  The Digital Signature dialog box appears. Enter your comment in the text field. Select the individual signature that is assigned to your authorization group in the Signatures to be executed section and enter the password. Then save it again.
    6) You can see this digital signature again in cv03n: go to top menu Environment --> digital signature. You will get all the details.
    Thus the Digital signature process has been completed.
    With the help of transaction code SU01, in the user tab enter your user name and press F7. Check the first and last name: if they are correct, well and good, or else go to change mode, enter the correct ones and save. While making a digital signature using user ID and password this is a must, or else it will give an error.
    Additionally check the help link for more details.
    http://help.sap.com/saphelp_470/helpdata/en/83/acd928db1c11d397d3080009c17b92/content.htm
    Regards,
    Deepak Kori

  • Multiple digital signatures in one file

    I have a client who wants me to combine 4 different forms into one--then--require a digital signature by the same person after each independent form. So that would be 4 digital signatures total. And all identical. I'm using a different name per each field so there's no conflict.
    It appears to work fine until I have it submit dynamically with a PHP script via email inbox.
    When I open the PDF (having crunched the info back in from an FDF) the data is there EXCEPT the digital signatures.
    Can someone point me to a tutorial?
    Best regards,
    Mare

    Hi Mare,
    You cannot merge files and expect that the digital signatures will be preserved. When you sign a file you are signing all of the bytes in that file, and only that file. Once you combine files you are creating a new unsigned file. If someone were to sign the new file they are signing all of the bytes in the new file, not just some of the bytes. There is no "page level" signing in PDF files, only whole file signing.
    You can however put the signed files into a Portfolio file. A Portfolio keeps the files separate. Think of a Portfolio like a file cabinet in the physical world. Just because you put different files into the file cabinet drawer, they don't merge.
    Steve

  • Digital signatures with different versions of Reader

    I have created a form which requires a digital signature for approval. Typically, an employee will complete the form in Reader and forward it to a supervisor for approval. The supervisor needs to sign it digitally and forward it to me.
    The issue we are having is with those employees who are completing the form in Reader and the supervisor (or someone thereafter) has a more updated version of Reader and cannot sign the document. What can we do to stop this from happening? There is no practical way to keep everyone on the same version of Reader. We will have many more forms which require a signature, and we need this issue resolved. (I am using Adobe Acrobat 9 Pro to create the forms.)
    Also, is there a way to verify the digital signature without using a third-party source? At this point, we know anyone can create a digital signature using someone's hand-written signature they found on another paper and we would like to prevent this from happening. We need to validate the person who used the digital signature is really that person.
    Any help is appreciated! Thank you!

    If you are creating your forms in Acrobat 9 Pro. and then Reader-enabling them for digital signatures, then recipients of the form will need to use at least version 8 of the Adobe Reader. Also, you'll need to do a few things during the authoring stage of your form, if your form changes by role (i.e., additional data is entered, annotations, or multiple signatures). Mainly you'll need to use a certification sig. for the first signature and set permitted changes after certifying.
    You can find a lot more detail on best practices on developing forms for multiple signatures in the Digital Signature User Guide at:
    http://www.adobe.com/devnet/acrobat/pdfs/acrobat_digsig_userguide_90.pdf
    The guide also explains how to validate documents (authenticity validation and document integrity validation).

  • Pop Up message when clicking digital signature stating "this is an official document"

    How can I have a message pop up when clicking on digital signature that warns the person they are signing an official government document?  I envision the message popping up making the statement and a button within the message that can be clicked to sign it.  Any ideas?   Form attached.
    Thanks
    Mike

    That's strange, because it works when I add the code to the mouseDown event. When I click OK on the popup it asks which handler I would like to use (I have a digital cert and a signing pad). I can then sign the doc and the form then attaches itself to an email. I do notice a small problem though... If I try to 'Cancel' (i.e. abort the signing process) when it asks which handler I want to use, the form still attaches itself to an email even though the sig field is empty. I'm not sure if you want it to do that? I have attached the pdf with the code added. Let me know if it works.

  • A problem about digital signature authentication

    Hi all:
    I just want to know how to implement the digital signature in the Adobe form, as well as its theory, processing and the server condition. Please inform me of any document available for reference.
    Thanks.

    The Digital Signature User Guide and Acrobat Security Administration Guide are of particular interest at the location Simon pointed to.

  • AIX DB2 distributed sap systems and rsh

    Hello,
    we are running SAP with AIX 5.3 and DB2 v9. Our application server, central instance and database are running on different servers. Until now we have been using rsh to start the distributed systems. Security colleagues asked us to change to ssh. We have seen that it is possible to start DB2 with ssh. But is it also possible in a distributed SAP system to set rlogin=false and not use rsh anymore?
    thanks
    alexander

    Not sure what you are asking about - indeed, to use ssh for DB2 is of importance for DPF systems (i.e. BW-based SAP systems in multi-partition environments).
    If you are asking how to enable ssh for starting SAP systems, then I guess the approach is to replace 'rlogin' by 'ssh' in your scripts. Of course, you need to ensure before that ssh is working as intended. E.g. if you expect the process to work without providing passwords, then you need to ensure that ssh can login without a password. You can find related information in the net e.g. searching with keywords
        ssh automatic login
    If all this does not help, or address your issue, please provide more exact information, e.g. the scripts you use.
