Can you help me understand Adobe Document Digital Signatures and how it works with NetWeaver ?

tim_alsop
Active Contributor
0 Kudos

Hi

I am trying to understand SSO with the Adobe Document Digital Signatures in NetWeaver AS ABAP (WebDynpro) - as described at Digital Signatures in Form Integration - Web Dynpro for ABAP - SAP Library

I assume (might be wrong) that the user first logs onto the Web Dynpro ABAP application using a web browser, and so the authentication of the user is handled by the ABAP ICF engine. Once the SAP user id is known, is this SAP user id used for signing Adobe documents? What is the Java stack used for in this case, if anything? If client-side certificates are used, does NetWeaver launch Adobe Acrobat on the user's workstation, and if so, which user id is used to sign the document?

Thanks

Tim

1 ACCEPTED SOLUTION

Matt_Fraser
Active Contributor
0 Kudos

Hi Tim,

I can't speak to the digital signatures specifically, as we haven't implemented that here, but I may be able to point you in the right direction with some of the peripheral questions you asked, as we do use ADS for interactive forms over SSL.

The Java stack is the host for the ADS functionality. You can use any existing Java stack in your landscape, such as your Enterprise Portal, for instance, or you can install ADS on a dedicated Java stack (which is what we do, and what I recommend). So, the basic level of SSL communication is regular Java stack configuration, not specific to ADS.

The end users do not normally need their own userID on the ADS server. Instead, you will create a user called ADSUSER as a technical user on the Java stack, and then you will use the client certificate of your ABAP system (i.e., the SSL Client (Standard) entry in STRUST). Export the ABAP system's SSL client cert and import it to the Java stack's ICM SSL view, and as a client certificate for the ADSUSER. This way, your ABAP system can talk and authenticate to the ADS system over SSL as ADSUSER.

You will also need to create a system user on the ABAP system called ADS_AGENT and give it the SAP_BC_FPADS_ICF role. Then you will create a Destination on the Java system called FP_ICF_DATA_<ABAP_SID> that points to your ABAP system and authenticates with the ADS_AGENT credentials.

You will probably need to install some sort of Adobe credential to the ADS configuration on the Java system. For instance, for interactive forms, there is a credential called ReaderRights to be installed. You apply to SAP for this credential, and it is specific to your customer number. With this credential installed, your end users can use the basic Adobe Reader application to fill in interactive forms, or sign documents, or whatever the credential authorizes. They shouldn't need the full Acrobat product. The Adobe Reader will be called within a frame when they are logged into the ABAP system.

Anyway, that's a high-level overview of the basic landscape for SSL on ADS and integration within an ABAP scenario. I know it doesn't answer your digital signature questions, but hopefully points you in the right direction.

Cheers,

Matt

10 REPLIES 10

0 Kudos

Matt,

Thank you for the helpful and detailed information. I now understand better how ABAP and JAVA stacks are used and how they communicate with each other. However, if we look at the user authentication, I assume that a user would log in to the ABAP stack using a specific SAP user id and this user id is used as their identity when they sign an Adobe form. Is this correct?

If the above is correct, a customer using our SSO product which supports ABAP ICF services can log in to the Web Dynpro ABAP ICF service using Active Directory credentials and sign Adobe forms using the SAP user id which is mapped onto their Active Directory identity. It sounds like it could be very easy, but I am still not very sure where the certificate that is used for signing comes from. If anybody has any insight into this part, let me know.

Thanks

Tim

mvoros
Active Contributor
0 Kudos

Hi,

The certificate mentioned by Matt is used for licensing. It has nothing to do with a user digitally signing a document. You need to pay for an extra license for editable PDFs. This cost can be borne by whoever reads/edits the document, by purchasing Adobe Acrobat (not Reader), which allows you to modify PDFs. The other option is that whoever generates a PDF has a special license that enables edit functionality in Adobe Reader. As you can imagine, companies usually go with this option because they cannot force their users to purchase Acrobat. The way it is implemented is PKI. When you purchase a license, Adobe generates a certificate for your installation of ADS. This certificate needs to be installed with your ADS. When Reader opens a document that is signed by this cert, which is trusted by Reader because it is signed by Adobe, it enables edit functionality.

I quickly checked the documentation and it seems to me that signing is completely handled by Adobe Reader. My understanding is that the user goes to a Web Dynpro application which has an embedded PDF. This PDF is opened in Reader and Reader functionality is used to sign a form. It has nothing to do with the SAP user. You could download the PDF, open it in Reader and sign it there without a connection to the SAP system. SAP provides an API that allows you to retrieve signatures from a PDF document by calling an ADS web service. But I believe there is no direct link between the SAP user and the cert used for signing the PDF document.

Cheers

0 Kudos

Thanks Martin. That gives me what I needed to know.

0 Kudos

At one site we implemented a paperless workflow whereby users digitally signed PDF documents that had readers rights credentials (and generated by ADS).

The digital 'signatures' that we generated and installed on the users' workstations were signed by our CA. One thing I was disappointed in was that we couldn't revoke a signature and make Adobe Reader show that that signature was no longer valid. However, this was some time ago, so maybe Adobe Reader now has some mechanism to check for revoked certificates?

mvoros
Active Contributor
0 Kudos

Hi Jonathan,

Could you confirm my assumption that signing was done in Adobe Reader and certs were associated to Windows logon? There was no direct relation between SAP user and cert used for signing. BTW a quick search suggests that Reader supports OCSP for revocation check.

Cheers

0 Kudos

Signing was done in Adobe Reader, and there was no relationship between SAP user and signature. PDF documents were mailed between individuals within the company to collect the necessary 'signatures' for the process involved. When 'completed', data was not fed back into SAP but instead the PDFs were archived.

Certificates (signatures) were installed by the networks people on each workstation – in the windows certificate store. Additionally, our self-signed CA public key was installed as a trusted certificate. Each certificate had a password set on it as well so that in order to sign as the individual you would need to have access to the workstation and the password. It was problematic when users forgot their passwords or wanted to change them. 'Valid' signatures got a visible green tick in Adobe Reader.

I think the OCSP revocation check should work if your CA is part of the trust chain that Adobe checks, and that that might have been the source of our problem. I did this work in about 2008, so my recollection may be a bit off! Also, not sure how OCSP check would work if the user had no internet connectivity.

mvoros
Active Contributor
0 Kudos

Thanks for the details. Yes, cert revocation is a hard problem. Distributing a revocation list to all clients has some issues, as does doing an OCSP check, due to it usually being set to soft-fail mode.

Cheers

Former Member
0 Kudos

Maybe I'm off-topic, but I'm trying to sign a PDF file from an ABAP report.

Do you think it is possible?

I have run the SSF01 report to test the certificate; some lines are added at the end of the PDF file, but the digital signature does not appear when I open it.

Any suggestions?

Thank you,

Pasquale

0 Kudos

Hi Pasquale,

Have you, in the meantime, found a solution for signing a PDF in ABAP?

I have the same issue: I would like to sign a PDF in ABAP based on the Function Modules used in SSF01. I get the certificate of the E-ID (in XSTRING) but I cannot incorporate it in the ORIGINAL PDF.

It would be great if I could generate a new pdf with the signing certificate.

If someone else could help, it would be appreciated!

Thanks,

Nabil
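
A diagnostic for the symptom described in the last two posts (bytes added at the end of the PDF, no signature shown when it is opened), as an added example that is not code from this thread or from SAP or Adobe: a PDF viewer looks for a signature dictionary with `/ByteRange` and `/Contents` inside the document, not for data appended after `%%EOF`. The function names and both sample byte strings are constructed for illustration.

```python
import re

# A PDF signature lives in a signature dictionary inside the document
# (ISO 32000-1, section 12.8): /ByteRange [o1 l1 o2 l2] names the signed
# bytes and /Contents <hex> holds the signature blob between the two ranges.
BYTERANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def inspect_pdf_signature(data: bytes) -> dict:
    """Report whether a PDF carries an embedded signature a viewer can find."""
    report = {"embedded_signature": False, "covers_whole_file": False,
              "trailing_bytes": 0}
    eof = data.rfind(b"%%EOF")
    if eof != -1:
        # Bytes after the final %%EOF (line endings aside) are outside the
        # PDF structure, e.g. a signature blob appended to the file.
        report["trailing_bytes"] = len(data[eof + 5:].strip(b"\r\n \t"))
    matches = list(BYTERANGE.finditer(data))
    if not matches:
        return report
    # Use the last match, assumed here to be the most recently added signature.
    o1, l1, o2, l2 = (int(g) for g in matches[-1].groups())
    gap = data[o1 + l1:o2]
    report["embedded_signature"] = True
    # Full coverage: ranges run from byte 0 to end of file and the only
    # unsigned gap is the /Contents hex string itself.
    report["covers_whole_file"] = (o1 == 0 and o2 + l2 == len(data)
                                   and gap.startswith(b"<") and gap.endswith(b">"))
    return report

def build_signed_sample() -> bytes:
    """Constructed, minimal PDF-like bytes with a dummy all-zero /Contents."""
    fmt = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %04d %04d %04d] /Contents "
    contents = b"<" + b"00" * 16 + b">"
    tail = b" >>\nendobj\n%%EOF\n"
    a = len(fmt % (0, 0, 0))  # fixed-width fields keep this length stable
    return fmt % (a, a + len(contents), len(tail)) + contents + tail

# Constructed sample: an unsigned PDF with a detached blob appended after %%EOF.
APPENDED_SAMPLE = (b"%PDF-1.7\n1 0 obj\n<< >>\nendobj\n%%EOF\n"
                   + b"CONSTRUCTED-DETACHED-SIGNATURE")

if __name__ == "__main__":
    print("embedded:", inspect_pdf_signature(build_signed_sample()))
    print("appended:", inspect_pdf_signature(APPENDED_SAMPLE))
```

This only checks structure; it does not verify the signature value or the certificate chain. A file reporting `trailing_bytes > 0` with `embedded_signature` false matches the "lines added at the end" symptom.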