Installing Trusted Anchors
To enable the server to verify the certification or signature of a document, you need to install and configure the corresponding Trusted Anchor. This procedure is necessary for documents that are certified or signed by the server as well as documents submitted by users. Trusted Anchors must exist for all CA certificates used to issue credentials including those of the server.
When you install the Trusted Anchor, typically a .cer file, you must specify the security-related activities that certificates are trusted for. By doing this, you specify the behavior that will be trusted for documents (signed or certified) that chain to these Trusted Anchors. In the case of a CA certificate, you specify behavior that will be trusted for any signature that has a certificate issued by that CA. By configuring these activities you can, for example, distinguish whether a certificate is trusted for signing or for certifying.
A Trusted Anchor can be trusted for the following elements:
Trusted elements of Trusted Anchors

| Trusted for | Description |
|---|---|
| Certified documents | Documents signed with this signature as an author signature, or whose certificate chain includes this certificate, are considered trusted for certified documents. Note: You must select this option if you want to select Embedded High Privilege JavaScript. |
| Embedded High Privilege JavaScript | This option is only available when Certified documents is already selected. When enabled, JavaScript embedded in the document is allowed to be executed. |
| Signatures and as trusted root | Documents signed with this signature, or whose certificate chain includes this certificate, are considered trusted for signed documents. The certificate chain consists of the root certificate on the highest level and the dependent children certificates below. The Trusted Anchor of the Certificate Authority or entity can itself be a certificate used for digital signing and certifying. Do not choose this option if the Trusted Anchor is only expected to be in a signer’s certificate chain. If you are certifying the document, you only need to select Certified documents; if the document must be signed and validated, you must choose this option. |

If you install certificates, you should choose one or more of these options to specify what the certificate is trusted for. If you do not choose any options, the certificates are not trusted for any actions.
The table below shows which combinations of attributes for certificates are useful.
Useful combinations of attributes assigned to a certificate

| Certified documents | Signatures and as trusted root | Description |
|---|---|---|
| X | - | Trust only children certificates for certifying. |
| - | X | Trust certificate itself and children certificates if the certificate is not issued by a CA. Trust children certificates for signing if public certificate is issued by a CA. |
| X | X | Trust certificate itself and children certificates for signing and certifying. |

To install a Trusted Anchor file:
1. Start the SAP NetWeaver Administrator via the address http://<server>:<port>/nwa.

<server> is the AS Java where the Adobe document services are installed and <port> is the HTTP port of the AS Java.
2. Choose Configuration Management → Infrastructure → Adobe Document Services.
3. Select Trusted Anchors from the list and choose Manage CER Files.
4. Choose Add New File.
5. Browse the CER file and choose Upload.
6. Select Trusted Anchors from the list and choose Add New Object.
7. In the CER File field, choose the name of the Trusted Anchor file.
8. Select the actions that you want the Trusted Anchor to be Trusted For, and then choose Save.
9. Restart the Document Services Trusted Manager Service and the PDF Manipulation Module service for the changes to take effect (see How to Restart a Service).
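
Before uploading the CER file in step 5, it helps to confirm what the file actually contains, because whether the certificate was issued by a CA is the distinction the combinations table draws. The following script is an added example, not part of the SAP procedure: it assumes the openssl command-line tool is installed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: inspect a .cer file before uploading it as a Trusted Anchor.
# Assumes the openssl command-line tool; all function names are hypothetical.

# Print PEM or DER (a .cer file can be either); fail if the file does not parse.
anchor_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then _fmt=PEM; else _fmt=DER; fi
    openssl x509 -in "$1" -inform "$_fmt" -noout 2>/dev/null || return 1
    echo "$_fmt"
}

# Run "openssl x509 -noout <options>" on the file using the detected encoding.
anchor_x509() {
    _file=$1; shift
    _fmt=$(anchor_format "$_file") || return 1
    openssl x509 -in "$_file" -inform "$_fmt" -noout "$@"
}

# SHA-256 fingerprint, to compare with the value the issuer publishes out of band.
anchor_fingerprint() {
    anchor_x509 "$1" -fingerprint -sha256 | cut -d= -f2
}

# True when subject and issuer names hash to the same value, i.e. the
# certificate was not issued by another CA (names only, signature not checked).
anchor_is_self_issued() {
    _h=$(anchor_x509 "$1" -subject_hash -issuer_hash) || return 2
    set -- $_h
    [ $# -eq 2 ] && [ "$1" = "$2" ]
}

# True when basicConstraints marks the certificate as a CA (it can have children).
anchor_is_ca() {
    anchor_x509 "$1" -text | grep -q 'CA:TRUE'
}

# One-line summary to keep with the change record for the upload.
anchor_report() {
    anchor_is_self_issued "$1" && issued="self-issued" || issued="issued by another CA"
    anchor_is_ca "$1" && ca="CA certificate" || ca="not a CA certificate"
    anchor_x509 "$1" -checkend 0 >/dev/null && valid="valid" || valid="EXPIRED"
    echo "$(anchor_format "$1") | $issued | $ca | $valid | $(anchor_fingerprint "$1")"
}

# Usage: sh inspect_anchor.sh anchor.cer
if [ $# -eq 1 ]; then anchor_report "$1"; fi
```
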