01-15-2014 8:51 PM
Hi Guys!
I need to exchange XML documents with a third party. The approach is to generate it from SAP and then sign it with Digital Signature.
I found information, that I could use SSF to achieve it. On help.sap.com I found information, that I could use SAP Cryptographic library.
I have installed SAP Crypto and I maintained ssfrfc.ini file:
SSF_LIBRARY_PATH = D:\CRYPTO\sapcrypto.dll
SSF_TRACE_LEVEL = 3
SSF_MD_ALG = MD5
SSF_SYMENCR_ALG = DES-CBC
Now I want to test it with report SSF01 - but I'm getting an error:
Result: SSF_API_NOSECTK
Version information: 61
SSFRFC V1.46.3 No security toolkit version information found.
So I thought I will manually run ssfrfc.exe. And again I'm getting an error:
=================================================
=== SSF INITIALIZATION:
===... SSF initialization file ssfrfc.ini found.
===...SSF library is D:\CRYPTO\sapcrypto.dll .
===...SSF trace level is 3 .
===...SSF hash algorithm is MD5 .
===...SSF symmetric encryption algorithm is DES-CBC .
===...completed.
=================================================
=================================================
=== LOAD SSF FUNCTIONS:
===...could not load SSF library D:\CRYPTO\sapcrypto.dll .
I checked two libraries:
SAPCRYPTOLIBP_8412-20011729
SAPCRYPTOLIB_36-10010888
I checked all file destinations and so on at least three times. I don't have any new idea to make it working. Please help me.
Best regards
Ana
01-15-2014 9:05 PM
01-15-2014 9:40 PM
I want to run it from Front-End to be able to communicate with smartcard.
Best regards
Ana
01-15-2014 10:07 PM
You can't invoke it directly, it is invoked by RFC from AS ABAP and for it to work you need to have SAP GUI installed and be connected to the AS ABAP.
01-15-2014 10:37 PM
I can do a test with ssfrfc.exe. And it's telling me that the DLL cannot be loaded.
I found one more DLL: secgss.dll.
This one was loaded successfully, but doesn't have functions that I'm interested in.
=================================================
=== SSF INITIALIZATION:
===... SSF initialization file ssfrfc.ini found.
===...SSF library is C:\Program Files (x86)\SAP\FrontEnd\SapGui\Encryption\secgss.dll .
===...SSF trace level is 3 .
===...SSF hash algorithm is MD5 .
===...SSF symmetric encryption algorithm is DES-CBC .
===...completed.
=================================================
=================================================
=== LOAD SSF FUNCTIONS:
===...SSF library C:\Program Files (x86)\SAP\FrontEnd\SapGui\Encryption\secgss.dll loaded successfully.
===... could not load function SsfVersion from SSF library.
===... could not load function SsfEncode from SSF library.
===... could not load function SsfDecode from SSF library.
===... could not load function SsfSign from SSF library.
===... could not load function SsfVerify from SSF library.
===... could not load function SsfEnvelope from SSF library.
===... could not load function SsfDevelope from SSF library.
===... could not load function SsfAddSign from SSF library.
===... could not load function SsfDigest from SSF library.
===... could not load function SsfDELSsfOctetstring from SSF library.
===... could not load function SsfNEWSigRcpSsfInfo from SSF library.
===... could not load function SsfDELSigRcpSsfInfo from SSF library.
===... could not load function SsfINSSigRcpSsfInfo from SSF library.
===... could not load function SsfDELSigRcpSsfInfoList from SSF library.
===... could not load function SsfQueryProperties from SSF library.
Best regards
Ana
01-15-2014 11:00 PM
Hi Ana,
as far as I am aware the crypto library from SAP does not support smartcards. So unless this has changed recently you are wasting your time with SAP library. A quick Google query returns some 3rd party vendors with solutions that support smartcards. I do not have any practical experience with any 3rd party solution.
Cheers
01-15-2014 11:12 PM
Well, according to help.sap.com: http://help.sap.com/saphelp_nw04/helpdata/en/62/459f34f36311d3a6510000e835363f/content.htm
SSF requires the use of a security product to perform its functions. Per default, we deliver the SAP Security Library (SAPSECULIB) as the security provider. SAPSECULIB is a software solution with capabilities limited to digital signatures. For support of crypto hardware (for example, smart cards or crypto boxes) or digital envelopes, we also offer the SAP Cryptographic Library, which is available for download on the SAP Service Marketplace.
01-15-2014 11:53 PM
01-16-2014 7:46 AM
Hi Anatoly,
the page you are referring to is related to the features of security products of third party companies, not the features of the crypto libraries provided by SAP. If you want to do front-end signatures with smart cards, you need such a product. However at the moment I cannot find any partner which is certified for the SSF interface and supporting what you want. Maybe if you describe the use case, there is another solution that can be used instead?
Regards,
Patrick
01-16-2014 8:18 AM
Patrick is correct about the statement. We have since improved the wording of the statement to make the distinction clearer (from General Information - SAP NetWeaver Application Server ABAP Security Guide - SAP Library):
Security Product
SSF requires the use of a security product to perform its functions. Per default, we deliver the SAP Cryptographic Library as the security provider. For more information, see SAP Note 1848999.
For support of cryptographic hardware (for example, smart cards or hardware security modules) or digital envelopes, you need to use an external security product. SAP offers SAP NetWeaver Single Sign-On in addition to external security products offered by our partners.
For SAP-certified partner products, see the SAP Software Partner Program on the SAP Service Marketplace (SSF interface).
Sorry for the confusion.
-Michael
01-16-2014 9:24 AM
Hello, thanks for the information.
For me it's really unclear and the documentation provided is very misleading.
My problem is that I need to sign XML documents with XAdES. So far we received our certificates as files - so we created a small Java app that was able to do the work (background job that was running app and signing XMLs). Nowadays policy has changed and we need to use security tokens / smart cards.
I found information about SSF and I thought it has all I need - smartcards and envelopes - but you say it's not working. Do you know any 3rd party product that we could use for this purpose?
Best regards
Ana
01-16-2014 10:24 AM
Hi Ana,
Just to be precise, I did not say that it is not working, I said it was not supported. I do not know of any 3rd party products you can use. Patrick had the best suggestion though. He said, "Maybe if you describe the use case, there is another solution that can be used instead?"
02-11-2015 3:38 PM
Hello Anatoly,
If you have not solved the problems signing XML documents and need a solution from a third party, you can find in the SAP Store a certified solution GDG SX3200, here is the link https://store.sap.com/sap/cpa/ui/resources/store/html/SolutionDetails.html?pid=0000013710&catID=&pcn...
Best regards,
Daniela
12-19-2014 3:01 PM
Hello Anatoly,
I had exactly the same issue with an SSF library provided by SBKontur (RU). Their library "KonturSSF.dll" could not be loaded by ssfrfc.exe on the frontend, the trace file contained something like:
=================================================
=== SSF INITIALIZATION:
===... SSF initialization file C:\Program Files (x86)\SAP\FrontEnd\SAPgui\ssfrfc.ini found.
===...SSF library is C:\Program Files (x86)\SAP\FrontEnd\SAPgui\KonturSSF.dll .
===...SSF trace level is 5 .
===...SSF hash algorithm is SHA1 .
===...SSF symmetric encryption algorithm is DES-CBC .
===...completed.
=================================================
=================================================
=== LOAD SSF FUNCTIONS:
===...could not load SSF library C:\Program Files (x86)\SAP\FrontEnd\SAPgui\KonturSSF.dll .
After some investigation I found out by calling the ssfrfc.exe directly in a Windows command box with option -D, that the library had dependencies to Microsoft's C runtime libraries MSVCP120.DLL and MSVCR120.DLL.
Unfortunately, this is not logged into the SSF RFC Trace File dev_ssfa*, but only shown as error message in a popup window if you execute ssfrfc.exe directly as mentioned before.
So you should try this in order to find out if there are dependencies with your special library.
Kind regards
Heiko
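The dependency check described in the post above can also be done without the popup, by reading the import table of the SSF library file. The following is an added example, not part of the original thread and not an SAP tool; `dll_dependencies` and `build_sample_dll` are hypothetical names, the sample image is constructed, and reporting the machine type from the PE header goes beyond what the post mentions.

```python
import struct

MACHINES = {0x14C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}

def _offset(sections, rva):
    """Map a relative virtual address (RVA) to a file offset."""
    for vsize, vaddr, raw_size, raw_ptr in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + rva - vaddr
    raise ValueError(f"RVA {rva:#x} is outside every section")

def dll_dependencies(image):
    """Return (machine, [imported DLL names]) for a PE image held in bytes."""
    pe = struct.unpack_from("<I", image, 0x3C)[0] if len(image) >= 0x40 else 0
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsect = struct.unpack_from("<HH", image, pe + 4)
    opt, opt_size = pe + 24, struct.unpack_from("<H", image, pe + 20)[0]
    # Data directories sit 96 bytes into a PE32 optional header, 112 in PE32+.
    dirs = opt + (96 if struct.unpack_from("<H", image, opt)[0] == 0x10B else 112)
    import_rva = struct.unpack_from("<I", image, dirs + 8)[0]  # directory 1
    sections = [struct.unpack_from("<4I", image, opt + opt_size + 40 * i + 8)
                for i in range(nsect)]
    names, off = [], _offset(sections, import_rva) if import_rva else None
    # Import descriptors are 20 bytes each; a zero name RVA ends the table.
    while off is not None and (rva := struct.unpack_from("<I", image, off + 12)[0]):
        start = _offset(sections, rva)
        names.append(image[start:image.index(b"\0", start)].decode("ascii"))
        off += 20
    return MACHINES.get(machine, hex(machine)), names

def build_sample_dll(names):
    """Constructed sample: a minimal PE32 image importing from `names`."""
    hdr, table_len = bytearray(0x200), 20 * (len(names) + 1)
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                   # e_lfanew
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 1)              # x86, one section
    struct.pack_into("<HHH", hdr, 0x54, 224, 0x2102, 0x10B)   # opt size, DLL, PE32
    struct.pack_into("<II", hdr, 0x58 + 96 + 8, 0x1000, table_len)
    struct.pack_into("<8s4I", hdr, 0x58 + 224, b".idata", 0x200, 0x1000, 0x200, 0x200)
    table = strings = b""
    for name in names:
        table += struct.pack("<5I", 0, 0, 0, 0x1000 + table_len + len(strings), 0)
        strings += name.encode("ascii") + b"\0"
    return bytes(hdr) + (table + bytes(20) + strings).ljust(0x200, b"\0")

if __name__ == "__main__":
    # For a real library: dll_dependencies(open(path, "rb").read())
    print(dll_dependencies(build_sample_dll(["MSVCP120.dll", "MSVCR120.dll"])))
```

Only the static import table is read, so libraries that are delay-loaded or loaded at run time do not appear in the result.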
12-19-2014 10:44 PM
Perhaps using a less exotic approach and supported solution is a better approach?
That the server manages it is always a better approach IMO, even if user credentials are a part of the digest or signature.
Starting things on the front end I would generally not recommend (particularly SAPGui front end services or RFC clients). If it does not work in a browser or a local SAPGui normal secure installation then it is not a good design.
Cheers,
Julius