Digitally Signed Documents in - MINIPPS · Digitally Signed Documents in SAP ... (Document...


MINIPPS Community Marketplace – App4SAP User Guide

Digitally Signed Documents in SAP

User Guide

Contents

What’s its function?
What business process will it solve?
Installation requirements
Functional specification
How to use
How to install
Appendix: Generate a Self-Signed Certificate with OpenSSL on Linux

Author: Lior Tabib

Community Marketplace ltd

Digitally Signed document in SAP

Digitally sign PDF documents from inside SAP ERP system.

What’s its function?

This mini application allows the following:

1. Digitally sign PDF documents from the SAP standard ABAP runtime.
2. Can be used both from SAP dialog (GUI) programs and from background jobs.
3. Supports various key types: personal smart cards, USB tokens, PKCS #12 files.

What business process will it solve?

To meet local tax regulations and SOX (Sarbanes–Oxley) requirements for sending or archiving invoice files, the files need to be digitally signed, by one or two signees. This mini application allows a document that is being sent or received to be digitally signed on your SAP application server or on your local PC with SAPGUI.

Installation requirements

1. SAP ABAP based system with SAP Basis release 6.20 and above or SAP Application 4.70 and above.
2. Windows client (for PK11 certificate) or Windows/UNIX/Linux server (for PK12 certificate).
3. Signature certificate key. There are two types of certificates (PK11 & PK12) for two different usage scenarios:
   3.1. For a digital signature certificate linked to a specific computer, install the documents digital signature certificate file (PK12 file) on every signing SAP server system or PC. The key must be installed on your PC/server (for a Windows server, double-click the key and follow the Windows instructions for "Importing the key to your windows operating system"; for a UNIX/Linux server, use the OpenSSL package for the certificate import). Note that the documents digital signature on your DEV and QA server systems can be generated by the SAP server itself, but the PRD system should include an internationally recognized certificate that is issued by an internationally approved vendor.
   3.2. For a personal digital signature certificate on a smart card/USB token (PK11), have your personal key issued by an approved, internationally recognized certificate issuer, install it on the signee's PC and plug it into the PC when signing files.
4. Download and install the JSignPdf open source solution from http://jsignpdf.sourceforge.net/ on every signing machine (PCs and servers). Note: a Java runtime environment (JRE) is required before installing JSignPdf. Make sure you set the JAVA_HOME path (use the system run command "sysdm.cpl ,3" → environment variables → and create/edit the JAVA_HOME variable).

Functional specification

1. Although the Digital Signature for SAP solution can be incorporated into any business process that needs an actual PDF file signature, it includes a best practice scenario. The best practice scenario is based on the SAP DMS (Document Management System) module and includes two signees. The SAP DMS module is our best practice because it can be attached to any SAP entity and it also holds attached documents. See the ABAP code in old BAdI DOCUMENT_MAIN01, method BEFORE_SAVE. This enhancement signs the DMS attached documents (originals). Scenario info:
   1.1. DMS document type = ZDD
   1.2. Status map:
      1.2.1. Create CT (Internal code AL) – Initial status where the invoice original document is attached.
      1.2.2. First release R1 (Internal code WX) – Invoice approved by first approver.
      1.2.3. First "Invoice approved and signed" PA (Internal code TG) – The invoice has its first approval done and contains one signature.
      1.2.4. Second release RE (Internal code 02) – Invoice approved by second approver.
      1.2.5. Second "Invoice approved and signed" CO (Internal code W6) – The invoice has its second approval done and contains two signatures. The DMS is now complete and a MIRO/FB60 invoice verification can be performed.
      1.2.6. Release process was cancelled RJ (Internal code {A) – The DMS is cancelled and no MIRO/FB60 invoice verification should be created.
   1.3. The DMS is created with status "Create" (CT) and the original attached (the PDF file before being signed [1]).
   1.4. The first signee changes the status of the DMS to "Release 1" (R1), via transaction code CV02N or via the mass approval transaction ZMDS (included in the installation package).
   1.5. At save, the document is digitally signed and the status changes to "Part. Approved" (PA).
   1.6. The second signee changes the status of the DMS to "Release" (RE), via transaction code CV02N or via the mass approval transaction ZMDS (included in the installation package).
   1.7. At save, the document is digitally signed again and the status changes to "Completed" (CO).
   1.8. Now, the PDF attached to the DMS (original) has two signatures.

[1] The file can be signed by an external source or carry no external signature. The Digital Signature for SAP solution adds your corporate's own internal signature (or your personal signature) to the PDF file, regardless of any prior signature in the file.


2. Main cockpit transaction ZDDS

3. To activate the Digital Signature for SAP solution, click: [button image]. Click “New Entries”.
   3.1. User Name – Add specific users to the list and/or allow the solution for all users (user = *).
   3.2. Active – Mark to activate the Digital Signature for SAP solution for the user (or users, if User Name = *).
   3.3. Path to JSignPDF Dir – The path to the directory where the JSignPdf.jar file is located on your workstation. You can execute program ZDDS_FIND_JSIGNPDF_JAR_ON_PC to find the directory. Hint: if JSignPdf is not found, please install JSignPdf on your PC/server.
   3.4. JSignPDF conf.proper – The path to the conf.proper file (the JSignPdf local solution's configuration file). Hint: this file usually resides in the subdirectory Conf of the Path to JSignPDF Dir.
   3.5. Signature picture pa – The location of the user's scanned signature *.png file. This picture is displayed in the signature area of the signed document, alongside the signature text data.


   3.6. Lower left corner X [2] – Set the lower left corner position on the X axis of a visible signature. Number from 1 to 595.
   3.7. Lower left corner Y – Set the lower left corner position on the Y axis of a visible signature. Number from 1 to 842.
   3.8. Upper right corner X – Set the upper right corner position on the X axis of a visible signature area. Number from 1 to 595.
   3.9. Upper right corner Y – Set the upper right corner position on the Y axis of a visible signature area. Number from 1 to 842.
   3.10. JSignPdf local attr – The full path to the attributes file (a file with a name like *.JSignPdf). Hint: the file contains the encrypted password and the name of the keystore.
   3.11. Password – Your certificate password. Leave blank for PK12 certificates. Hint: the password field is only valid for PK11 certificates, because PK12 certificates are already installed on the PC/server with their password.
   3.12. Signature type – Personal USB token/smart card (PK11 file) or a certificate file registered to the PC/server (PK12 file).
   3.13. PK12 key alias – If the signature type is a PK12 file and you are signing on the PC workstation (not on the server), fill the field with the alias name of your certificate [3].
   3.14. Temporary Folder – Not a mandatory field. If you set this field, it overrides the SAP GUI temporary folder. This is the temporary folder where the signed file is created.
   3.15. Digt.Signt LicenseId – The license ID you received from MINIPPS when purchasing the "Digitally Signed document in SAP".

[2] Use the JSignPdf.exe application that is included in the JSignPdf installation on your PC to decide the X and Y position: click the [button image] and re-position the square area. Click Close at the end and see the coordinates.

[3] Use the Windows DOS command line:
    java -jar <full path to the JSignPdf.jar file> -kst WINDOWS-MY -lk -q
to get the list of aliases, or use the JSignPdf.exe local application, choose Keystore type WINDOWS-MY, click "Load Keys" and see the list of "Key Alias".

4. To explore the ABAP class that executes the File Digital Signature solution, click: [button image]. This class can be incorporated into any ABAP flow to achieve file digital signature.
5. To find the path where JSignPdf.exe is located on your PC, click: [button image]. JSignPdf.exe is mandatory for the File Digital Signature solution, so it must be installed on every signing PC/server. To use the program, just use a temporary location on your PC: [screenshot], click [button image], and you will see the location of your JSignPdf.exe file: [screenshot].
6. The best practice solution includes mass approval of DMS documents. Click: [button image] to navigate to the report that changes the status of DMS documents. Changing status, in the best practice scenario, signs the attached (original) documents of every DMS. If you are using a PK11 certificate, make sure that the USB token is plugged into your PC and that the File Digital Signature is active for your user. To use the program, just fill in the selection screen data, including source and destination status: [screenshot], click [button image], and you will see the documents in the source status. Mark the invoices whose status you would like to change (changing the status of a DMS causes the invoice in the DMS to be signed): [screenshot], and click [button image] to sign.

7. To test your solution (signature on the PC), click: [button image]. This program allows you to sign a document on the PC ("Sign document with JSignPdf") and also allows you to check your Java installation ("Get Java Version"): [screenshot]. Note that for "Sign document with JSignPdf", the signed document is opened by this program at the end of the signing process.
8. To test your solution (signature on the SAP server), click: [button image]. This program allows you to sign a document on the server ("Sign document with JSignPdf") and also allows you to check your Java installation ("Get Java Version").
9. The BAdI exit at DMS save calls class ZDDS_UTILITIES, which connects to the integrated Digital Signature solution to sign the PDF document.
10. In our DMS demo scenario, the signed PDF documents replace the existing DMS documents.
11. The ZDDS_UTILITIES class can be called from any ABAP program or system exit to meet any business requirement.
12. The ZDDS_UTILITIES class can be used for digital signing of invoices sent to a customer. Just add the class to the print program, before e-mailing the layout.


How to use

1. Set the Java path on the signing machine (PCs and servers) by setting the JAVA_HOME path (use the system run command "sysdm.cpl ,3" → environment variables → and create/edit the JAVA_HOME variable).
2. Download and install the JSignPdf open source solution from http://jsignpdf.sourceforge.net/ on every signing machine (PCs and servers).
3. Activate the solution with "Active Docs.Digital Sign." from the main cockpit transaction ZDDS.
4. At first use, set the user signature parameters:
   4.1. For signing with a user-owned smart card/USB key (that is installed on your PC), use the JSignPdf.exe application that is included in the JSignPdf installation on your PC. In JSignPdf.exe, fill in the fields as described: [screenshot]. Click Close and then click "Sign It" to sign a test PDF document.


   4.2. For signing using a keystore file (PK12 signature file installed on your PC), use the JSignPdf.exe application that is included in the JSignPdf installation on the signing PC/server. In JSignPdf.exe, fill in the fields as described: [screenshot]. Click Close and then click "Sign It" to sign a test PDF document.

   4.3. For signing using a keystore file (PK12 signature file installed on your server), use the JSignPdf.exe application that is included in the JSignPdf installation on the signing PC/server. In JSignPdf.exe, fill in the fields as described: [screenshot]. Note that after choosing the KeyStore type, KeyStore file and KeyStore password, you need to click the [button image] and choose the only alias (usually there is only one alias). Click Close and then click "Sign It" to sign a test PDF document.

5. A non-mandatory step: for best practice use with SAP DMS, saving a DMS with originals (attachments) via CV02N or BAPI automatically signs the attached documents according to the DMS status change. Sample implementation:
   5.1. You can customize your DMS with transaction code SPRO. Set the initial status. Set the first signature status. And the second (and last) signature. This step releases the DMS.
   5.2. Set the BAdI exit that signs the originals when the DMS status changes:
      5.2.1. In new SAP releases, implement the new BAdI (Enhancement Implementation) definition DOCUMENT_STATUS and create an implementation or change an existing one.
      5.2.2. In old SAP releases, implement the old BAdI definition DOCUMENT_MAIN01, method BEFORE_SAVE (see file "DOCUMENT_MAIN01~BEFORE_SAVE.txt" in the installation.zip that was sent at purchase).


How to install

1. Download and install the JSignPdf open source solution from http://jsignpdf.sourceforge.net/ on every signing machine (PCs and servers).
2. For SAP ERP system, there is a change request transport for this mini application (LDVK940374: ZDDS:Document Digital Signature with SAP).
3. For SAP ERP system, there is a change request transport for this mini application (SLMK900068: ZDDS:Document Digital Signature with SAP).
4. Install the Documents Digital Signature certificate (X.509 certificate) purchased from ComSign or any other vendor.
   4.1. If a smart card token is used, please use the installation pack supplied by your token supplier.
   4.2. If a server PK12 (*.PFX file or *.PK12 file) certificate is used:
      4.2.1. For Windows:
         4.2.1.1. Install the certificate using the CertUtil command line server tool (use the importPFX command), or
         4.2.1.2. Use the MMC.exe tool to install the certificate for the SAP service user that runs your SAP: Run mmc.exe (you can use the one that is used to run the SAP service). Choose File -> Add/Remove Snap-ins. Select Certificates. Click Add. Select Service Account. Select local computer. Select SAP Service (SAPXXX_##) (you may need to repeat this step for every SAP service). Finish the wizard and click OK to close the add/remove dialog. Right-click the applicable category and select add tasks to find the import. Import the PK12 certificate (it is recommended to add a password to the file).
      4.2.2. For UNIX/Linux:
         4.2.2.1. Use the OpenSSL utility from the command line as described in this document's Appendix.
   4.3. If a workstation PK12 (*.PFX file or *.PK12 file) certificate is used, just right-click the file and choose install. Also open your Internet Explorer and choose Internet Setting -> Content tab, then click Certificates. On the Personal tab choose Import to add the certificate if it is not already there (this puts the certificate in the Windows MY key store).
5. Implement the mini application transport (LDVK940302) in your system with your SAP BASIS team or use the MINIPPS free mini application Uploading transport from local files.
6. For signing documents on the server, create a new External Operating System Command in transaction code SM49 (on the signing server):
   6.1. Name: ZDDS_JSIGNPDF
   6.2. For Windows:
      6.2.1. Operating system command: CMD /C
   6.3. For UNIX/Linux:
      6.3.1. Leave the operating system command blank.
   6.4. Additional parameters allowed: Checked
7. In order to implement the best practice DEMO process, implement the old BAdI definition DOCUMENT_MAIN01, method BEFORE_SAVE, using transaction SE19 and add the code from file "DOCUMENT_MAIN01~BEFORE_SAVE.txt" in the installation.zip that was sent after purchase. If DOCUMENT_MAIN01~BEFORE_SAVE already exists in your system, just add the code from file "DOCUMENT_MAIN01~BEFORE_SAVE.txt" in the installation.zip that was sent after purchase at the beginning of the method. Note that the " IF draw-dokar EQ 'ZDD'." ABAP code line can be changed according to the DMS document type that you are using for the demo (in the best practice demo described in this document we have used ZDD).

Appendix

Generate a Self-Signed Certificate with OpenSSL on Linux

To digitally sign PDF documents with MINIPPS "Document Digital Signature with SAP" from inside the SAP ERP server, a PK12 certificate file is required. If you have none from an external CA source (like COMODO or Symantec and so on…), you can generate your own PK12 file (a *.pfx file or *.p12 file) with OpenSSL.

1. Make sure you have a Linux or UNIX OS on the SAP application server.
2. Make sure you have a Java runtime environment installed and configured on your server. You can open a terminal on the server and make sure that the command java -fullversion returns your Java version (XXXX full version "1.X.X_XXX-XXX"). Note: the version should be 1.5 and above (1.6 and above support the full features).
3. Make sure that you have OpenSSL installed on your server. Use a terminal on the SAP server and type:
      openssl list-standard-commands
   (on OpenSSL 1.1.0 and later: openssl list -commands). If it is installed, you get a list of OpenSSL standard commands.
4. To generate the PKCS #12 file, open a terminal on the SAP server and use the OpenSSL full guide or the IBM guide, or just follow these steps:
   4.1. Type (change the path and file name of the pem file):
      openssl req -newkey rsa:2048 -nodes -keyout /…<full path where you want your certificate file to be located at>…/key.pem -x509 -days 3650 -out /…<full path where you want your certificate file to be located at>…/YOURCERTIFICATE.pem
   4.2. Answer all required questions (note that the common name is your domain name).
   4.3. At the end of the process, YOURCERTIFICATE.pem is created at the requested path.
   4.4. Now, let us convert the YOURCERTIFICATE.pem file into a YOURCERTIFICATE.pfx file that is suitable for file signatures with JSignPDF:
      openssl pkcs12 -inkey /…<full path where you want your certificate file to be located at>…/key.pem -in /…<full path where you want your certificate file to be located at>…/YOURCERTIFICATE.pem -export -out /…<full path where you want your certificate file to be located at>…/YOURCERTIFICATE.pfx
      Enter the certificate password (case sensitive) as required (the password will be required for file signing).
   4.5. The YOURCERTIFICATE.pfx is now ready.
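
The appendix procedure as one non-interactive script that also cleans up the unencrypted private key, as an added example that is not part of the original guide. The function names, the P12_PASS environment variable and the -subj/-name values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the guide. Assumed names: make_signing_p12,
# p12_subject, p12_opens, the P12_PASS variable and the sample values.

# make_signing_p12 OUTDIR COMMON_NAME KEY_ALIAS
# Runs both appendix commands without prompts. The PKCS #12 password is
# read from the environment variable P12_PASS, so it never shows up in the
# process list or in the shell history.
make_signing_p12() {
    outdir=$1 cn=$2 key_alias=$3
    [ -n "${P12_PASS:-}" ] || { echo "P12_PASS is not set" >&2; return 2; }
    export P12_PASS                # openssl reads it through env:P12_PASS
    (
        umask 077                  # new files readable by the owner only
        mkdir -p "$outdir" || exit 1
        key="$outdir/key.pem"
        crt="$outdir/YOURCERTIFICATE.pem"
        pfx="$outdir/YOURCERTIFICATE.pfx"
        # -nodes writes the private key unencrypted, so delete it on every
        # exit path; only the password-protected .pfx keeps the key.
        trap 'rm -f "$key"' EXIT

        # Appendix command 1; -subj answers the certificate questions.
        openssl req -newkey rsa:2048 -nodes -keyout "$key" \
            -x509 -days 3650 -subj "/CN=$cn" -out "$crt" || exit 1

        # Appendix command 2; -name sets the key alias inside the file.
        openssl pkcs12 -export -inkey "$key" -in "$crt" \
            -name "$key_alias" -passout env:P12_PASS -out "$pfx" || exit 1
    )
}

# p12_subject PFX: print the subject of the certificate in the file.
p12_subject() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        openssl x509 -noout -subject
}

# p12_opens PFX: succeed only if P12_PASS opens the file (MAC check).
p12_opens() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -noout 2>/dev/null
}
```

As the installation requirements state, a certificate generated this way is meant for DEV and QA systems; the PRD system should use one issued by a recognized vendor.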