Digital Signatures and Document Encryption API

Use

You can use digital signatures and document encryption in your application to provide for document security. These documents are then protected as independent objects using Secure Store and Forward (SSF) mechanisms. This means that the documents are secured regardless of where they are stored or how they are transported.

You can apply a digital signature to any digital document or message, which is comparable to a handwritten signature on a paper document. The digital signature uniquely identifies the signer of the document or message. It is not forgeable and also protects the integrity of the document. If the document is changed after being signed, then the digital signature is no longer valid. Also, the signer of such a document cannot deny having signed the document at a later time.

In addition, you can encrypt documents so that only intended recipients can view their contents. 

Integration

Supported Formats

We support the use of digital signatures and document encryption for the following document formats:

  • Public-Key Cryptography Standard #7 (PKCS#7)
  • S/MIME Version 2
  • XML Signature

Security Products

The server uses a security product to perform the security functions. Depending on the format used, the following products are available:

Security Products

| Format | Product |
|---|---|
| PKCS#7 | SAP Java Cryptographic Toolkit for PKCS#7 (iaik_jce.jar) |
| S/MIME Version 2 | SAP Java Cryptographic Toolkit for S/MIME (iaik_smime.jar) |
| XML | SAP XML Toolkit |

Caution

The export of software products that contain encryption is regulated and therefore not available to all customers. Therefore, when using document encryption in your application, make sure that the corresponding functions are available. If not, then return an error message.

Using Public-Key Technology

The functions for digital signatures and document encryption use public-key technology. Public-key technology is based on the use of a key pair, one of which is a private key and the other a public key. The private key is to be kept secret; the public key is to be distributed as desired. The two keys belong and work together as follows:

  • To digitally sign a document, the signer of the document uses his or her private key. To verify the signature, the recipient of the document uses the corresponding public key.
  • To encrypt a document, the sender of the document encrypts the document using the recipient's public key. Because only the recipient has access to the corresponding private key (provided that he or she keeps it safe), only he or she can use this private key to decrypt the document.
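The two key roles above, shown as an added example that is not part of the original documentation. It uses only the standard Java Cryptography Architecture rather than the SSF API or the SAP toolkits, and as an assumption it generates both key pairs in memory with a constructed sample document.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

// Added illustration: standard JCA only, not the SSF API or the SAP toolkits.
public class SignEncryptDemo {
    static byte[] sign(byte[] doc, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);                       // the signer uses the private key
        s.update(doc);
        return s.sign();
    }
    static boolean verify(byte[] doc, byte[] sig, PublicKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);                     // the recipient uses the signer's public key
        s.update(doc);
        return s.verify(sig);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair signer = gen.generateKeyPair();    // assumption: in-memory stand-in for the signer's keys
        KeyPair recipient = gen.generateKeyPair(); // assumption: in-memory stand-in for the recipient's keys
        byte[] doc = "constructed sample: pay 100 EUR".getBytes(StandardCharsets.UTF_8);
        byte[] changed = "constructed sample: pay 900 EUR".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(doc, signer.getPrivate());
        System.out.println("signed document:    " + verify(doc, sig, signer.getPublic()));
        System.out.println("changed after sign: " + verify(changed, sig, signer.getPublic()));
        System.out.println("other public key:   " + verify(doc, sig, recipient.getPublic()));
        // Encrypt for one recipient: a one-time AES key protects the document,
        // and the recipient's public key wraps that AES key.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey contentKey = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, contentKey, new GCMParameterSpec(128, iv));
        byte[] ciphertext = aes.doFinal(doc);
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, recipient.getPublic());
        byte[] wrappedKey = rsa.wrap(contentKey);
        // Only the holder of the recipient's private key can unwrap and decrypt.
        rsa.init(Cipher.UNWRAP_MODE, recipient.getPrivate());
        Key unwrapped = rsa.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);
        aes.init(Cipher.DECRYPT_MODE, unwrapped, new GCMParameterSpec(128, iv));
        System.out.println("decrypted: " + new String(aes.doFinal(ciphertext), StandardCharsets.UTF_8));
    }
}
```

Verification succeeds only for the unchanged document checked against the signer's own public key; the changed document and the unrelated public key both fail.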

The private key that a user or server uses for signing or decrypting documents is stored in the corresponding profile. If a user's or server's public key has been certified by a Certification Authority (CA), then the public keys belonging to the CA (or chain of CAs) are also stored in the profile. The public keys belonging to other users or servers, which are used for verifying their digital signatures or for encrypting documents intended for them, are stored in a personal address book.

Note

To access its profile and personal address book, the application has to create an object which implements the corresponding interface ISsfProfile or ISsfPab, respectively. This object can either be an object of type SSF<Profile/Pab>KeyStore or SSF<Profile/Pab>PKCS12File.

Features

  • The security provided by the use of digital signatures or document encryption is independent of the transport protocols or storage means used. The documents are secured even if they leave the system.
  • The security provided is independent of the system security. This is useful, for example, for securing documents that are transported across systems, in particular in such processes where auditing is required. 
  • By using digital signatures, you can replace paper documents with digital documents. If the digital signatures used conform to the corresponding digital signature laws, then these documents also have a legally binding status.
