02-05-2007 5:44 PM
Hi folks,
It is my first time with digital signatures on R/3 system. Im at customer that uses smart cards (hardware cryptography). We are doing the SAPCRYPTOLIB and front end installations. After finish these tasks, we need to implement the signatures into 3 workflow processes. I already read the SSF programmers guide, API specifications and SSF user guide. But I still have some doubts:
The SSF profile is stored into smart card with private key information, but where are the public keys stored? (PAB Private Address Book of my trusted circle).
Do I need the CRLs? Note: this is only for workflow processes that run inside of customer landscape; this is not a B2B scenario.
We dont have clear yet how we sign the data; we are thinking sign a BOR object. Create an attribute and use it to pass the signer data. Note: for the customer, the objective is user authenticity guarantee.
The BOR object instance ends when the flows finish, so wee need to store the signed data for auditable reasons. A database table can be a good approach or there is another standard way?
P.S.: anyone have documentation about this subject, something like how-to with guidelines?
Thanks in advance,
Ricardo.
Message was edited by:
Ricardo Quintino
02-06-2007 9:07 AM
The SmartCard device is present at the frontend PC - and that's the place where the digital signature operation has to take place. Important is the "What You See Is What You Sign" principle: it has to be ensured that the data that is to be signed (using the private key stored on the SmartCard) is exactly the same as the one that is displayed to the user.
Notice: there is a different scenario where the server is signing the data (after prompting the user for userID and password and validating that information).
The signed data is then transported back to the server where it is stored (to ensure auditibility); usually you'll have to keep the (archived) data for years; the public key need to be archived as well.
Notice: it is possible to attach the certificate (-> public key) which has been used to sign the data to the signed data.
Regards, Wolfgang
02-06-2007 9:07 AM
The SmartCard device is present at the frontend PC - and that's the place where the digital signature operation has to take place. Important is the "What You See Is What You Sign" principle: it has to be ensured that the data that is to be signed (using the private key stored on the SmartCard) is exactly the same as the one that is displayed to the user.
Notice: there is a different scenario where the server is signing the data (after prompting the user for userID and password and validating that information).
The signed data is then transported back to the server where it is stored (to ensure auditibility); usually you'll have to keep the (archived) data for years; the public key need to be archived as well.
Notice: it is possible to attach the certificate (-> public key) which has been used to sign the data to the signed data.
Regards, Wolfgang