Installing Trusted Anchors

Context

To enable the server to verify the certification or signature of a document, you need to install and configure the corresponding Trusted Anchor.

This procedure is necessary for documents that are certified or signed by the server as well as documents submitted by users. Trusted Anchors must exist for all CA certificates used to issue credentials including those of the server.

When you install the Trusted Anchor, a .cer file, you must specify the security-related activities that certificates are trusted for. By doing this, you specify the behavior that will be trusted for documents (signed or certified) that chain to these Trusted Anchors. In the case of a CA certificate, you specify the behavior that will be trusted for any signature that has a certificate issued by that CA. By configuring these activities you can, for example, distinguish whether you trust a certificate for signing or for certifying.

A Trusted Anchor can be trusted for the following elements:

| Trusted Elements of Trusted Anchors | Description |
|---|---|
| Certified documents | Documents signed with this signature as an author signature, or whose certificate chain includes this certificate, are considered trusted for certified documents. Note: You must select this option if you want to select Embedded High Privilege JavaScript. |
| Embedded High Privilege JavaScript | This option is only available when Certified documents is already selected. When enabled, JavaScript embedded in the document is allowed to be executed. |
| Signatures and as trusted root | Documents signed with this signature, or whose certificate chain includes this certificate, are considered trusted for signed documents. The certificate chain consists of the root certificate on the highest level and the dependent children certificates below. The Trusted Anchor of the Certificate Authority or entity can itself be a certificate used for digital signing and certifying. Do not choose this option if the Trusted Anchor is only expected to be in a signer's certificate chain. If you are certifying the document, you only need to select Certified documents; if the document must be signed and validated, you must choose this option. |

If you install certificates, you should choose one or more of these options to specify what the certificate is trusted for. If you do not choose any options, the certificates are not trusted for any actions.

The table below shows which combinations of attributes for certificates are useful.

| Certified forms | Signatures and as trusted root | Description |
|---|---|---|
| X | - | Trust only children certificates for certifying. |
| - | X | Trust certificate itself and children certificates if the certificate is not issued by a CA. Trust children certificates for signing if public certificate is issued by a CA. |
| X | X | Trust certificate itself and children certificates for signing and certifying. |

Procedure


  1. Copy the Trusted Anchor file (<filename>.cer) to the /<DIR_GLOBAL>/AdobeDocumentServices/TrustManagerService/trust/certificates directory.

  2. Repeat these steps on each Server node. Note that these steps are not required on the Dispatcher node.

    Note

    If the Server nodes are running within a single cluster, the nodes are updated automatically and you do not have to repeat the steps.

  3. Start the SAP NetWeaver Administrator via the address http://<server>:<port>/nwa.

    <server>: AS Java where the ADS are installed

    <port>: HTTP port of the AS Java

  4. Choose Configuration Management → Infrastructure Management → Adobe Document Services.

  5. Choose Configuration in the left pane.

  6. Select Trusted Anchors from the list and choose Add New Object.

  7. In the CER File field, choose the name of the Trusted Anchor file.

  8. Select the actions that you want the Trusted Anchor to be Trusted For, and then save.

  9. Restart the service PDF Manipulation Module for the changes to take effect.

    More information: Starting or Stopping an ADS-Relevant Service
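
Before the Trusted Anchor file from step 1 is copied to the server, it is worth confirming what the file contains, because whether the certificate was issued by a CA changes what "Signatures and as trusted root" trusts. The script below is an added example, not part of the SAP documentation; it assumes the OpenSSL command-line tool is installed, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not SAP code): inspect a Trusted Anchor .cer before installing it.
# Assumes the OpenSSL command-line tool; all function names are hypothetical.

# Emit the certificate as PEM, accepting a PEM- or DER-encoded .cer file.
anchor_to_pem() {
    openssl x509 -in "$1" -inform PEM -outform PEM 2>/dev/null ||
        openssl x509 -in "$1" -inform DER -outform PEM 2>/dev/null
}

# SHA-256 fingerprint, to compare with the value the issuer publishes out of band.
anchor_fingerprint() {
    pem=$(anchor_to_pem "$1") || return 2
    printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# "self-issued" when subject equals issuer (the "not issued by a CA" case),
# otherwise "ca-issued". Name comparison only; the signature is not checked.
anchor_kind() {
    pem=$(anchor_to_pem "$1") || return 2
    subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject | sed 's/^subject= *//')
    issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer | sed 's/^issuer= *//')
    if [ "$subject" = "$issuer" ]; then echo self-issued; else echo ca-issued; fi
}

# Succeeds only if the certificate has not expired.
anchor_is_current() {
    pem=$(anchor_to_pem "$1") || return 2
    printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null
}

# One-line summary to review before the file is copied to the server.
anchor_report() {
    kind=$(anchor_kind "$1") || { echo "not a readable X.509 certificate: $1" >&2; return 2; }
    if anchor_is_current "$1"; then state=current; else state=EXPIRED; fi
    echo "$1: $kind, $state, sha256=$(anchor_fingerprint "$1")"
}

# Usage: sh check_anchor.sh <filename>.cer   (the script name is an assumption)
if [ "$#" -ge 1 ]; then anchor_report "$1"; fi
```

A result of `self-issued` with "Signatures and as trusted root" selected means the certificate itself is trusted, not only its children, so the fingerprint should match the one obtained from the issuer through a separate channel.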