Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Reading Signed Document

Former Member

‎08-21-2007 9:25 AM

0 Kudos

Hi all,

I download a signed file to local with extension .p7s.

I've signed the document in server with FM SSF_KRN_SIGN_BY_AS.

If I open the downloaded file in my pc, I can see the Certicate which has signed the doc, but if I open the certificate there is a warning saying that Windows hasn't enough information to verify the Certificate...

If I sign the doc with my local app or using FM SSFS_CALL_CONTROL, I can see in downloaded file my Certificate, and a tree with the CAs that certificates my Certificate...

Why in the first way can't see that CAs tree? How can I see it to get the sign be ok?

Thanks in advance.

Regards.

Urtzi.

2 REPLIES 2

WolfgangJanzen
Product and Topic Expert
Product and Topic Expert

‎08-21-2007 1:13 PM

0 Kudos

Well, when using SSFS_CALL_CONTROL the digital signature operation is perform on the frontend (see ABAP program SSFSDEMO for an example).

When using SSF_KRN_SIGN_BY_AS, however, the digital signature operation takes place at the application server (AS).

When performing the digital signature operation on the frontend you are using one of the certificates (with corresponding private key) which are present in the keystore at the frontend PC. Microsoft Internet Explorer and the Microsoft Windows operating system are using the very same keystore - therefore it's not surprising that you'll be able to display the complete trust chain / tree (if the chain would be incomplete you would not have able to perform the digital signature operation).

Most likely the certificate used at the backend is self-signed. In that case it's not surprising that you fail to validate the certificate at the frontend. The situation would be different if the certificate would have been issued by a CA whose root certificate is present in the keystore of the frontend PC.

Former Member
In response to WolfgangJanzen

‎08-21-2007 1:25 PM

0 Kudos

Hi Wolfgang,

Thanks for your response!!

I've read some doc about SSFG Function Group, I know that KRN functions allow you to sign at WAS and others at local, but I can't sign in local with p.e.: SSF_SIGN_BY_USER or SSF_SIGN_BY_USER_POPUP...do I need to install external security product?

What's the diference between using SSFS_CALL_CONTROL or SSFG FG¿? wich is better?

Thanks, Wolfgang!

Regards.

Urtzi.