Configuration: Digital Signing of Documents

Use

The following section provides an overview of the Customizing and configuration settings for the digital signature and for the verification of documents and incoming post items (e-mails with digitally signed attachments) in the component Records and Case Management. You carry out the required steps in Records and Case Management, in the SSF (Secure Store and Forward) settings of the SAP system, and for the external security product.

Settings in the Component Public Sector Records Management

  1. Define the registry settings for documents with digital signatures in an element type. You do this in Customizing under Records and Case Management → Document → Digital Signature → Define Digital Signature of Documents. For more information, see the IMG documentation.

  2. Activate OCSP (Online Certificate Status Protocol) in Customizing under Records and Case Management → Basic Settings → Global Parameters with the parameter PSOCSPAC.

  3. Register all the file types that represent the digitally signed attachments of incoming post items in the table TOADD under the MIME type application/pkcs7-signature.
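To find out which file types step 3 has to cover, you can inventory the attachments that actually arrive with this MIME type. The following is an added example, not SAP code: it uses Python's standard email package on a constructed sample message, and the function name signature_extensions and the sample data are assumptions.

```python
from collections import defaultdict
from email import message_from_bytes, policy
from pathlib import PurePosixPath

SIGNATURE_MIME = "application/pkcs7-signature"  # MIME type named in step 3

# Constructed sample message (not taken from a real system).
SAMPLE_MAIL = b"""\
Subject: Application form
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="form.pdf"
Content-Disposition: attachment; filename="form.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1
Content-Type: Application/PKCS7-Signature
Content-Disposition: attachment; filename="form.pdf.P7S"
Content-Transfer-Encoding: base64

MIIB
--b1
Content-Type: application/pkcs7-signature
Content-Transfer-Encoding: base64

MIIB
--b1--
"""


def signature_extensions(raw_messages):
    """Map each file extension seen on a signature part to its file names."""
    found = defaultdict(list)
    for raw in raw_messages:
        msg = message_from_bytes(raw, policy=policy.default)
        for part in msg.walk():
            # get_content_type() returns lower case, so matching ignores case
            if part.get_content_type() != SIGNATURE_MIME:
                continue
            name = part.get_filename()  # None if the sender gave no file name
            ext = PurePosixPath(name).suffix.lower() if name else ""
            found[ext or "<no file name>"].append(name)
    return dict(found)


if __name__ == "__main__":
    print(signature_extensions([SAMPLE_MAIL]))
```

Parts reported under "<no file name>" carry the signature MIME type but no file name, so they cannot be mapped to a file type by extension and need a manual look.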

Settings in the Component Secure Store and Forward (SSF) Server

Server

  1. From the SAP Easy Access Menu, choose Tools → CCMS → Configuration → System Profile and define the two SSF products SAPSECULIB and SECUDE in the profile of the application server by setting the following parameters:

    Parameter         Value
    ssf/name          SAPSECULIB
    ssf/ssfapi_lib    <complete path of sapsecu.dll>
    ssf2/name         SECUDE
    ssf2/ssfapi_lib   <complete path of secude.dll>

  2. Configure SNC on the AS ABAP.

    For more information, see SNC Configuration on Application Server (SAP Web AS).

  3. Specify the settings for the SSF application PSRM Public Sector Records Management in Customizing under SAP Customizing Implementation Guide → SAP NetWeaver → SAP Web Application Server → System Administration → Maintain Public-Key Information of Systems → Maintaining Application-Dependent SSF.

  4. Set the following parameters:

    Parameters for SSF Application PSRM Public Sector Records Management

    Parameter                          Value
    Security Product                   SAPSECULIB
    SSF Format                         PKCS7
    Private Address Book               <your file name of SSF-PSE>
    SSF Profile Name                   <your file name of SSF-PSE>
    SSF Profile ID (opt.)              <blank>
    Hash Algorithm                     SHA1
    Include Certificates               X
    Digital Signature with Data        X
    Distribute PSE (only SAPSECULIB)   <blank>

  5. Specify the following settings for all SAP users who want to use their smart card for digital signatures. You do this in user maintenance (SU01) on the tab page Address under Other Communications for the parameter SSF:

    SSF Parameters for User Signature

    Parameter     Value
    SSF-ID        <holder name (subject) of smart card>
    SSF Profile   toksw:mem://securelogin/<profile_name>:
    Destination   SAP_SSFATGUI

  6. In transaction SU01, enter the SNC name for each SAP user who wants to log on to the system using a smart card.

  7. Choose Tools → Administration → Management → Networks → RFC Destinations and activate SNC for the RFC destination SAP_SSFATGUI under Registration/Security → Security Options → SNC Active.

Client

  1. Install the Secure Login Client software and, if necessary, the drivers for the smart card reader and the smart card on the client.

  2. Load the SNC issuer certificate of the application server and import it into the Microsoft Certificate Store of the client PC. Now you should be able to log on to the SAP system with SNC.