Adding Electronic signature to outbound INVOICE message

shweta_walaskar2
Contributor
0 Kudos

Hello,

We have a scenario where we send INVOIC messages in the form of IDoc XML to our partner.

Now, they would like to have an electronic signature added to these messages.

I am quite unaware of this; can someone please explain to me what exactly is meant by adding an electronic signature to a message and how I should implement it?

Thanks a lot in advance.

Best Regards,

Shweta

Accepted Solutions (1)

iprieto
Contributor
0 Kudos

Hi Shweta,

Basically, when you add a digital signature to an XML structure, the XML data are encrypted using a private key. Then, you should attach some additional tags to the XML structure with the result of the encryption process, for instance, X509 certificate, digest, etc. There is a lot of documentation about this issue; I recommend you take a look at http://www.w3.org/TR/xmldsig-core/

Normally, there are several methods for signing an electronic invoice. It depends on the technology that you want to use to do it.

If you want to sign XML structures, the normal procedure is using XML-Signature with some of the signing methods.

1 – CMS attached

2 – CMS detached.

3 – CMS detached.

4 – PDF (CMS detached embedded in PDF document).

5 – XMLdsig enveloped

6 – XMLdsig enveloping

7 – XMLdsig detached

8 – XAdES-BES enveloped, enveloping, detached and detached with hash pre-calculated.

9 – XAdES-T enveloped, enveloping, detached and detached with hash pre-calculated.

Methods 5, 6, 7, 8 and 9 are usually used for signing XML.

You can implement these signature methods by means of the XML Digital Signature API. These libraries are included in the Java SDK.

Reference:

- RFC 2828

- http://java.sun.com/developer/technicalArticles/xml/dig_signature_api/

- http://santuario.apache.org/

Regards

Ivá

shweta_walaskar2
Contributor
0 Kudos

Hello Ivan,

Thanks for the useful information.

I apologize for my lack of knowledge in this area, but I have gone through all these details and am still not sure if I would be able to implement this.

If we think that we can create a Java mapping which will encrypt the XML message, would I still need to deploy or create certificates?

How do encryption and decryption work in this case?

What info do we need to provide to our partner so that they can decrypt this message?

Would it be possible to provide a code example which I can try to use in my scenario?

Thanks again.

Regards,

Shweta

iprieto
Contributor
0 Kudos

In my opinion there are two methods to resolve this issue in SAP PI:

- Create a Java mapping. This is an easier method than the second method.

- Create an Adapter Java Module. This is a more complex method because you have to create an EJB, deploy the EAR application...

Both methods use the Java language to implement the core of the process.

You can use the XML Signature API in your Java mapping or EJB components.

You can access the SAP J2EE keystore to use the certificates that are installed in this warehouse. For accessing the keystore check out this post:

Your partner will be able to decrypt the XML if they use an application that can validate XML-DSig files. All information about the signing and certificates is stored in the XML data if you make the signature correctly.

Regards

Ivá

shweta_walaskar2
Contributor
0 Kudos

Hello Ivan,

I would try to go for java mapping using the code mentioned in the link:

For the points:

The private key used to sign is located in the DEFAULT keystore view, under the alias sign_test.

Then, we obtain the public address book, which is also located in the keystore view DEFAULT, alias verify_test.

How do we set up the private key sign_test and the public key verify_test? Can you please let me know?

Thanks a lot in advance.

Best Regards,

Shweta

former_member200962
Active Contributor
0 Kudos
I would try to go for java mapping using the code mentioned in the link

When you go for Java mapping for encoding the payload, you don't need to maintain certificates... There is a blog by Farooq on how to encode/decode data using base64encoder/decoder... If your requirement is similar, have a look into this blog:

/people/farooq.farooqui3/blog/2008/09/24/sap-xipi-encode-outgoing-payload-using-adapter-module

Please excuse if the reply is not related to your requirement.

Regards,

Abhishek.

shweta_walaskar2
Contributor
0 Kudos

Hello Abhishek,

Thanks for giving details about this alternative option to encode payload.

I have already worked on Base64 encoder/decoders using Java mapping and hence, this approach would be easier for me to implement.

I must say, I am not able to understand fully the requirement as the only statement we received from our partner is 'They need to have electronic signature added to incoming invoices for security reasons'.

I would like to know if encoding payload using Base64 encoding can be considered as addition of electronic signature.

I am thankful to all of you for sharing such useful information.

Regards,

Shweta

Answers (3)

sri_chittineni
Explorer
0 Kudos

Shweta,

We are currently implementing outbound EDI for Invoice and have a requirement to send Invoice XML file with a digital signature. Can you explain how you achieved this?

Thanks,

Raghu

Former Member
0 Kudos

Hi Shweta,

There are 2 options for digital, electronic signatures.

a) Secure the transport layer

SMIME, WebServiceSecurity, https are ways to secure the transport layer, where you can use a certificate to sign+encrypt your payload and transmission.

b) Validate an Invoice using a digital signature

A digital signature, which is used to validate an Invoice, is an additional file (or in some cases a signature can also be embedded). Your partner can use this signature to verify that you were the original sender of the invoice and nothing has been modified during the transmission. For each invoice/signature a unique hash value is created, which won't match if someone modifies the invoice during a transmission. The signature also contains information about the sender (company, name, valid until, ...) so that the receiver can validate the identity of the sender.

So if you just want to secure your transport layer, some adapters, as already mentioned in the previous post, already have the ability to use SMIME, etc. But if you want to generate a digital signature, so that the partner can validate the invoice, I think you have to use 3rd party products that can generate and validate such signatures. You might be able to create your own module which communicates with a 3rd party signature server like Authentidate, Secunet, etc., and also Seeburger has some modules that can handle digital signatures for invoicing.

regards,

Daniel

shweta_walaskar2
Contributor
0 Kudos

Hello Daniel,

For the second option, i.e. adding electronic signature to invoice, it would be great if we can use Seeburger modules to achieve this as we already have Seeburger installed in our system and I am not sure about the possibility to buy a new software at the moment.

Would it be possible for you to elaborate a bit on this?

Thanks a lot.

Best Regards,

Shweta

Former Member
0 Kudos

Hi Shweta,

There is a package from Seeburger which contains modules (DSig Module) that can communicate with external servers from 3rd parties. These modules can pass a payload to a signature server and wait for a digital signature to be created. Once the signature was created, it will be added to the XI Message as a separate payload. The modules can also pass incoming signatures and files to a signature server and afterwards analyse the verification protocol to determine whether a signature was valid or not. However, you would need a 3rd party signature server like Authentidate, Secunet, AppliedSecurity, etc., since the Seeburger modules only interact as an interface towards an external signature server and won't create their own signatures.

regards,

Daniel

shweta_walaskar2
Contributor
0 Kudos

Thanks to all for sharing this useful information.

I would try to find the possibility of implementing these options and would update soon.

Regards,

shweta

MichalKrawczyk
Active Contributor
0 Kudos

hi,

there are some adapters which allow signing messages before you send them to the receiver

for a list:

http://help.sap.com/saphelp_nwpi71/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm

but this will only sign the message going from PI to the receiver (not the IDOC from ABAP to PI stack)

so I don't know if this is your requirement

Regards,

Michal Krawczyk

shweta_walaskar2
Contributor
0 Kudos

Hello Michal,

Thanks for your reply.

Yes, this is fine, we too want to send a signed message (IDoc XML) from PI to receiver.

Do you have any link to a blog or a document which explains the procedure to achieve this?

Thanks again.

Best Regards,

Shweta

former_member200962
Active Contributor
0 Kudos

Check this blog which mentions the use of digital signature for receiver MAIL adapter: /people/varadharajan.krishnasamy/blog/2007/05/11/how-to-use-digital-certificates-for-signing-encrypting-messages-in-xi

The procedure would remain similar for other protocols.

Regards,

Abhishek.

shweta_walaskar2
Contributor
0 Kudos

Thanks Abhishek,

I don't have access to Visual Administrator as it is handled by our Basis team.

I would follow up with them and would update if we have some progress.

Regards,

Shweta