Configuration: Digital Signing of Documents
The following section provides an overview of the Customizing and configuration settings for the digital signature and for the verification of documents and incoming post items (e-mails with digitally signed attachments) in the component Records and Case Management. You carry out the required steps in Records and Case Management, in the SSF settings (Secure Store and Forward) of the SAP system, and in the external security product.

Note that the settings presented here use the external security product from SECUDE® as an example.
The installation and configuration of the external security product is not part of this documentation. If you want to use SECUDE®, install the SECUDE SSF and SNC software as described in the SECUDE signon&secure handbook, or refer to the customer-specific documentation from SECUDE.
1. Define the registry settings for documents with digital signatures in an element type. You do this in Customizing of Records and Case Management → Document → Digital Signature → Define Digital Signature of Documents. For more information, see the IMG documentation.
2. Activate the OCSP (Online Certificate Status Protocol) in Customizing under Records and Case Management → Basic Settings → Global Parameters with the parameter PSOCSPAC.
3. Register all the file types that represent the digitally signed attachments of incoming post items in the table TOADD under the MIME type application/pkcs7-signature.

In the SAP system, all documents of document type p7s are automatically recognized as signed documents.
4. From the SAP Easy Access Menu, choose Tools → CCMS → Configuration → System Profile and define the two SSF products SAPSECULIB and SECUDE in the profile of the application server by setting the following parameters:
ssf/name | SAPSECULIB
ssf/ssfapi_lib | <complete path of sapsecu.dll>
ssf2/name | SECUDE
ssf2/ssfapi_lib | <complete path of secude.dll>
5. Define the SNC settings in the profile of the application server by setting the following parameters:
snc/enable | 1
snc/gssapi_lib | <complete path of secude.dll>
snc/identity/as | p:<DN of SNC-PSE, see step 7>
snc/accept_insecure_gui | 1
snc/data_protection/min | 3
6. Define a work directory for SECUDE, for example "C:\usr\sap\<SID>\<Instance>\secude". Create the SSF-PSE (Personal Security Environment) in this directory using the SECUDE tool and include the issuer certificate in the PSE. In doing this you specify which signature certificates you can verify. The holder certificate of the SSF-PSE does not have to be issued by your PKI; it can be self-signed.
7. Create the SNC-PSE (Secure Network Communication) in the work directory for SECUDE. Select the Distinguished Name (DN) of the PSE as entered in the profile parameter snc/identity/as and include the issuer certificate of the smart cards in the PSE. Create a certificate request from the PSE and have your PKI (Public Key Infrastructure) issue you a certificate that you import into the PSE.
8. Set the environment variable CREDDIR of the server (for example, in the start script of the server) to the work directory for SECUDE. In this directory, create CREDENTIALS for the SNC-PSE and the SSF-PSE: secude seclogin -p <PSE File>.
9. Specify the settings for the SSF application PSRM Public Sector Records Management in Customizing under SAP Customizing Implementation Guide → SAP NetWeaver → SAP Web Application Server → System Administration → Maintain Public-Key Information of Systems → Maintaining Application-Dependent SSF.
Set the following parameters:
Parameters for SSF Application PSRM Public Sector Records Management
Security Product | SECUDE
SSF Format | PKCS7
Private Address Book | <your file name of SSF-PSE>
SSF-Profile Name | <your file name of SSF-PSE>
SSF-Profile ID (opt.) | <blank>
Hash Algorithm | SHA1
Include Certificates | X
Digital Signature with Data | X
Distribute PSE (only SAPSECULIB) | <blank>
10. Specify the following settings for all SAP users who want to use their smart card for digital signatures. You do this in user maintenance (SU01) on the tab page Address under Other Communications for the parameter SSF:
SSF Parameters for User Signature
SSF ID | <holder name (subject) of smart card>
SSF Profile | psesvc:
Destination | SAP_SSFATGUI
11. In transaction SU01, enter the SNC name for each SAP user who wants to log on to the system using a smart card.
Also see: Section 3.6.1 of the SAP SNC user handbook (http://service.sap.com/security under Security in Detail → Secure User Access → Authentication & Single Sign-On).
12. Choose Tools → Administration → Networks → RFC Destinations and activate SNC for the RFC destination SAP_SSFATGUI under Registration/Security → Security Options → SNC Active.
13. Install the SECUDE software on the client and, if necessary, the driver for the smart card reader and the smart card.
14. Load the SNC issuer certificate of the application server in the Secude Profile Manager under Certificates and trust this certificate. Now you should be able to log on to the SAP system with SNC.
15. Enter the SSF configuration in the file SSFRFC on the client, for example:
SSF_LIBRARY_PATH = <complete path of secude.dll>
SSF_TRACE_LEVEL = 0
SSF_MD_ALG = SHA1
SSF_SYMENCR_ALG = DES-CBC

You can use report SSF01 to check whether the SSF library can be called on the client with the function Determine Version. You can use the Sign function to create a test signature (you must be logged on to the system with SNC); also see Test SSF Installation.
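As an added example that is not SAP's or SECUDE's own code, the following Python script parses an instance profile and checks the ssf/ssf2 and snc parameters defined in steps 4 and 5; the sample profile, its paths and its DN are constructed placeholders.

```python
"""Added example (not SAP's or SECUDE's code): check an SAP instance profile
for the SSF and SNC parameters that steps 4 and 5 of the procedure define."""
# Constructed sample profile; the paths and the DN are placeholders.
SAMPLE_PROFILE = """\
ssf/name = SAPSECULIB
ssf/ssfapi_lib = C:\\usr\\sap\\SID\\SYS\\exe\\run\\sapsecu.dll
ssf2/name = SECUDE
ssf2/ssfapi_lib = C:\\usr\\sap\\SID\\D00\\secude\\secude.dll
snc/enable = 1
snc/gssapi_lib = C:\\usr\\sap\\SID\\D00\\secude\\secude.dll
snc/identity/as = p:CN=SID, OU=Example, O=Example, C=DE
snc/accept_insecure_gui = 1
snc/data_protection/min = 3
"""


def parse_profile(text):
    """Parse 'key = value' profile lines; comments and blank lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def check_ssf_snc(params):
    """Return findings for the profile; an empty list means every check passed."""
    findings = []
    # Step 4: each SSF product needs both a name and a library path.
    for name, lib in (("ssf/name", "ssf/ssfapi_lib"), ("ssf2/name", "ssf2/ssfapi_lib")):
        if not params.get(name) or not params.get(lib):
            findings.append(f"{name} and {lib} must both be set")
    # Step 5: SNC on, server identity given as a DN prefixed with 'p:'.
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC is disabled")
    if not params.get("snc/identity/as", "").startswith("p:"):
        findings.append("snc/identity/as must be the SNC-PSE DN prefixed with 'p:'")
    try:
        level = int(params.get("snc/data_protection/min", "0"))
    except ValueError:
        level = 0
    if level < 3:
        findings.append("snc/data_protection/min below 3: SNC privacy not enforced")
    # Caveat: the value from step 5 still accepts SAP GUI logons without SNC.
    if params.get("snc/accept_insecure_gui") == "1":
        findings.append("note: snc/accept_insecure_gui = 1 accepts GUI logons without SNC")
    return findings
```

Run it against the real profile text to see which of the step 4 and 5 settings are still missing; the snc/accept_insecure_gui note is informational, since the procedure deliberately sets that value.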