
Obtaining a Certificate Signed by the SAP CA

Use

https://help.sap.com/doc/saphelp_scm41/4.1/en-US/99/6edc3a8266a113e10000000a11402f/frameset.htm

To obtain a certificate signed by the SAP CA for the SAP Web Application Server to
use for digitally signing logon tickets, you must generate a key pair and PSE for the
application server. You also generate the corresponding certificate request, which
you send to the SAP CA. You then import the certificate request response into the
server's PSE as described in the procedures below.

Note

A certificate request and corresponding response belong to a specific
key pair and PSE. You can therefore only import the response into the
PSE for which the request was generated.
If, for example, you generate a new PSE after you have already sent a
certificate request to the SAP CA, then the response you receive is
invalid and cannot be imported into the server's PSE.

Procedure
Sending the Certificate Request

1. Execute the trust manager (transaction STRUST).
The Trust Manager screen appears.
2. Expand the PSE node for the SSO PSE (per default, the System PSE).
Per default, the PSE used is the System PSE; however, if a different
PSE is to be used, then select it. A different PSE can be used in the
following cases:
- If the system has been upgraded from a Release <= 4.6B, then the
PSE used for logon tickets is the SAPSSO2 PSE.
- If you have defined an explicit PSE to use for logon tickets, then
this PSE (as specified in the table SSFARGS) is used.
3. Create a new PSE (see Creating or Replacing a PSE).
The information for the PSE appears in the PSE maintenance section.
4. Choose PSE -> Generate certificate request and save it to a file.
The request is written as a base64-encoded (PEM) block between
BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines.
5. Copy the certificate request's content to a customer message under the
component BC-SEC.
The SAP CA validates your information and sends you a response, which
contains the server’s signed public-key certificate.

Entering the Certificate Request Response Data

After receiving a response:

1. Save the contents of the response to a file.
2. Execute the trust manager (transaction STRUST).
The Trust Manager screen appears.
3. Expand the PSE node for the SSO PSE (System PSE) and select an
application server.
4. Choose PSE -> Import certificate response.
5. Select the file containing the response and choose OK.
6. Save the data.
Result
The server possesses a public-key certificate signed by the SAP CA. It can use the
private key of the corresponding key pair to digitally sign logon tickets issued by
the SAP Web Application Server.

SAP Digitally Signed Invoices

April 15, 2015

Understanding SAP license files


I’ll start this post with a compliment to SAP:

SAP ECC license files are impossible to break.

(Unless you have some supercomputers at your disposal and a few years to dedicate to brute-forcing SSL
private keys, which will probably have expired before you can break them)
(Unless[2] you reverse engineer and patch the server binaries, but then you wouldn’t be breaking the
license check but rather disabling it)

Beginning with its ECC6 product version, the licensing system used to control the
products’ allowed usage and installations uses public-key cryptography with digitally
signed files.

A digital signature is a mathematical scheme for demonstrating the authenticity of a
digital message or document. A valid digital signature gives a recipient reason to
believe that the message was created by a known sender, such that the sender
cannot deny having sent the message (authentication and non-repudiation) and that
the message was not altered in transit (integrity). Digital signatures are commonly
used for software distribution, financial transactions, and in other cases where it is
important to detect forgery or tampering.

This way, it’s practically impossible to create a fake license key, because only SAP has
the private keys.
So you won’t see any keygens around unless someone manages to sneak the private
keys out of SAP.
This is an example license file, generated for a trial NetWeaver ABAP system:

----- Begin SAP License -----
SAPSYSTEM=NSP
HARDWARE-KEY=S0141382012
INSTNO=DEMOSYSTEM
BEGIN=20140922
EXPIRATION=20141222
LKEY=MIIBOwYJKoZIhvcNAQcCoIIBLDCCASgCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAT
GCAQcwggEDAgEBMFgwUjELMAkGA1UEBhMCREUxHDAaBgNVBAoTE215U0FQLmNvbSBXb3JrcGxhY
2UxJTAjBgNVBAMTHG15U0FQLmNvbSBXb3JrcGxhY2UgQ0EgKGRzYSkCAgGhMAkGBSsOAwIaBQCg
XTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNDA5MjMxNjIwNTJ
aMCMGCSqGSIb3DQEJBDEWBBSRMtiAacWFK02IcR6F+swWQZjJLjAJBgcqhkjOOAQDBC8wLQIVAJ
ULjsn8jIvGg0nHJ551TbYMZvwBAhRhpFgLT1lJuQV6ntftE693Ip8tIw==
SWPRODUCTNAME=NetWeaver_ADA
SWPRODUCTLIMIT=2147483647
SYSTEM-NR=000000000312339695

The LKEY field content is a base64-encoded, digitally signed text containing
some product license information:

NSPS0141382012NetWeaver_ADA 21474836472014092220141222DEMOSYSTEM

The digital signature uses the PKCS#7 format (the same one used for S/MIME
email messages).
The digital signer for the NSP licenses is identified as “SAP Trust Community”:

CN=NSP, OU=I0610000083, OU=SAP Web AS, O=SAP Trust Community, C=DE

(in this case “I0610000083” is the target installation number).
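As an added example (not part of the post), the shell script below takes the trial license quoted above, reads its fields, base64-decodes LKEY and dumps the PKCS#7 SignedData inside it with openssl asn1parse; it assumes the openssl CLI is on PATH, and the function and file names are ours.

```shell
#!/bin/sh
# Added example (not from the post): take the trial license quoted above, read its
# fields, base64-decode LKEY and dump the PKCS#7 SignedData inside it with openssl.
# Assumes the openssl CLI is on PATH; function and file names are ours.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# The post's trial license, with the LKEY value rejoined onto one line.
cat > "$WORK/NSP.txt" <<'EOF'
----- Begin SAP License -----
SAPSYSTEM=NSP
HARDWARE-KEY=S0141382012
INSTNO=DEMOSYSTEM
BEGIN=20140922
EXPIRATION=20141222
LKEY=MIIBOwYJKoZIhvcNAQcCoIIBLDCCASgCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGCAQcwggEDAgEBMFgwUjELMAkGA1UEBhMCREUxHDAaBgNVBAoTE215U0FQLmNvbSBXb3JrcGxhY2UxJTAjBgNVBAMTHG15U0FQLmNvbSBXb3JrcGxhY2UgQ0EgKGRzYSkCAgGhMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNDA5MjMxNjIwNTJaMCMGCSqGSIb3DQEJBDEWBBSRMtiAacWFK02IcR6F+swWQZjJLjAJBgcqhkjOOAQDBC8wLQIVAJULjsn8jIvGg0nHJ551TbYMZvwBAhRhpFgLT1lJuQV6ntftE693Ip8tIw==
SWPRODUCTNAME=NetWeaver_ADA
SWPRODUCTLIMIT=2147483647
SYSTEM-NR=000000000312339695
EOF

# Value of the first KEY=VALUE line for the given key.
license_field() {       # $1 = license file, $2 = key
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Decode LKEY to DER and print its ASN.1 structure: pkcs7-signedData with one
# SignerInfo naming the issuing CA and serial, the digest and signature
# algorithms, and the signed attributes (content type, signing time, digest).
lkey_asn1() {           # $1 = license file
    printf '%s' "$(license_field "$1" LKEY)" \
        | openssl base64 -d -A -out "$WORK/lkey.der"
    openssl asn1parse -inform DER -i -in "$WORK/lkey.der"
}

# Extractors over that dump.
lkey_signing_time() { lkey_asn1 "$1" | sed -n 's/.*UTCTIME *://p' | head -n 1; }
lkey_sig_alg()      { lkey_asn1 "$1" | sed -n 's/.*OBJECT *:\(dsa[^ ]*\).*/\1/p' | head -n 1; }
lkey_issuer_cn()    { lkey_asn1 "$1" | sed -n 's/.*PRINTABLESTRING *:\(.* CA .*\)/\1/p' | head -n 1; }

# Demo: the fields the post walks through, then what LKEY actually carries.
for key in SAPSYSTEM HARDWARE-KEY INSTNO BEGIN EXPIRATION SWPRODUCTNAME SYSTEM-NR; do
    echo "$key = $(license_field "$WORK/NSP.txt" "$key")"
done
echo "LKEY signer's CA:   $(lkey_issuer_cn "$WORK/NSP.txt")"
echo "LKEY signing time:  $(lkey_signing_time "$WORK/NSP.txt")"
echo "LKEY signature alg: $(lkey_sig_alg "$WORK/NSP.txt")"
```

In this LKEY the pkcs7-data ContentInfo carries no encapsulated payload, so the signature is detached and covers bytes supplied separately, which is consistent with the decoded field string quoted above.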

The signature verification used for the license files is done by the Application Server
directly (not by ABAP code), and it uses a special PSE file named “LASVerify.pse”, which
you can’t find in the server directories. It’s stored encrypted somewhere hidden and loaded
into memory by the Application Server every time a license verification is performed.

Because it is not available in the server directories, it’s not possible to validate an SAP
license file in ABAP without debugging the server binaries and extracting the PSE file.
Therefore I’ll show you how to create your own certificate and sign a text file to be
verified by ABAP code.

1 – Create a certificate

Using the instructions taken from the OpenSSL docs on certificates, we create a
private/public key pair to sign our files.

The private key

Certificates are related to public key cryptography by containing a
public key. To be useful, there must be a corresponding private key
somewhere. With OpenSSL, public keys are easily derived from private
keys, so before you create a certificate or a certificate request, you
need to create a private key.

So we create a new private key:

$ openssl dsaparam -out dsaparam.pem 2048
Generating DSA parameters, 2048 bit long prime
This could take some time
...
$ openssl gendsa -out privkey.pem dsaparam.pem
Generating DSA key, 2048 bits

The public key

You can create a self-signed certificate if you don’t want to deal
with a certificate authority, or if you just want to create a test
certificate for yourself. This is similar to creating a certificate
request, but creates a certificate instead of a certificate request.
This is NOT the recommended way to create a CA certificate, see
https://www.openssl.org/docs/apps/ca.html.

$ openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BR
State or Province Name (full name) [Some-State]:Sao Paulo
Locality Name (eg, city) []:Sao Paulo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABAP Ninja
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Guilherme Maeda
Email Address []:

2 – Import the certificate into the SAP trusted store

In transaction STRUST, add the newly created certificate to the trusted certificate
list:

1. Open the System PSE profile
2. Import the generated certificate (Certificate -> Import)
3. Press Add to Certificate List
4. Save

3 – Sign a file

Create a text file with some human-readable contents in it:

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc sit amet
lacus faucibus nisi mattis fermentum.
Nam ut ligula justo. Donec sed condimentum arcu. Quisque auctor in mi ac
interdum.
Morbi sit amet nunc fermentum, congue nisl ac, hendrerit libero. Phasellus
vitae tellus a lacus viverra aliquam.
Duis eleifend arcu ut bibendum facilisis. Donec porttitor in turpis in
vestibulum.
Suspendisse tristique lacus nec metus semper ornare. Sed hendrerit varius
libero, et efficitur nisl laoreet nec.
Sed velit orci, vehicula nec imperdiet at, hendrerit a est. Suspendisse
potenti.

We can use the OpenSSL S/MIME tool to sign the text file in PKCS#7 format using
our certificate.

$ openssl smime -sign -in data.txt -outform DER -binary -nodetach -out signed.bin \
    -signer cacert.pem -inkey privkey.pem

You’re going to get a binary signed file (signed.bin).

4 – Validate the signature in SAP

SSF Test Program

1. In transaction SE38, run report SSF02
2. Select the Verify function
3. In the Input data parameter, select the signed.bin file
4. Run, and press Verify

If you correctly added the certificate to STRUST, you should get a positive result with
the signer information:

Results of the digital signature check:

CN=Guilherme Maeda, O=ABAP Ninja, L=Sao Paulo, SP=Sao Paulo, C=BR

SigningTime= Wed Apr 15 20:21:31 2015 (UTCTime: 150415232131Z)

SSF_API_SIGNER_OR_RECIPIENT_OK

If you tamper with the signed file, say, change something in the data section, the
signature verification will fail.
Result: SSF_API_SIGNER_ERRORS

Results of the digital signature check:

CN=Guilherme Maeda, O=ABAP Ninja, L=Sao Paulo, SP=Sao Paulo, C=BR

SigningTime= Wed Apr 15 20:21:31 2015 (UTCTime: 150415232131Z)

SSF_API_SIGNER_OR_RECIPIENT_NOT_OK

ABAP Code

You can use the SSF_KRN_VERIFY function module to verify the signature. To do
that, you must provide the path to a trusted certificates address book (.pse file).
In this example we use the system PSE (SAPSYS.pse).

report zverify_pkcs7_signature no standard page heading.

data: t_input_data   type table of ssfbin,     " signed PKCS#7 blob, raw chunks
      t_output_data  type table of ssfbin,     " payload recovered from the signature
      i_input_length type i,
      v_pab          type ssfpab,              " path of the address book (PSE) to trust
      t_signer_info  type table of ssfinfo,
      t_parameter    type table of parmvalues,
      o_conv         type ref to cl_abap_conv_in_ce,
      v_line         type string.

field-symbols: <signer_info> like line of t_signer_info,
               <output_data> like line of t_output_data,
               <parameter>   like line of t_parameter.

"// Read the signed file from the front end as raw binary
call function 'GUI_UPLOAD'
  exporting
    filename   = 'C:\Users\Administrator\Desktop\signed.bin'
    filetype   = 'BIN'
  importing
    filelength = i_input_length
  tables
    data_tab   = t_input_data
  exceptions
    others     = 1.
if sy-subrc <> 0.
  write / 'Could not read the signed file' color col_negative.
  return.
endif.

"// Find the default address book file: <DIR_INSTANCE>/sec/SAPSYS.pse
append initial line to t_parameter assigning <parameter>.
<parameter>-param_name = 'DIR_INSTANCE'.
call function 'PFL_GET_PARAMETER_LOCAL'
  tables
    parameter_table = t_parameter.

call 'BUILD_DS_SPEC' id 'PATH'     field <parameter>-user_value
                     id 'FILENAME' field 'sec'
                     id 'OPSYS'    field sy-opsys
                     id 'RESULT'   field v_pab.
call 'BUILD_DS_SPEC' id 'PATH'     field v_pab
                     id 'FILENAME' field 'SAPSYS.pse'
                     id 'OPSYS'    field sy-opsys
                     id 'RESULT'   field v_pab.

"// Verify the signature against the certificate list in that PSE
call function 'SSF_KRN_VERIFY'
  exporting
    ostr_signed_data_l = i_input_length
    str_pab            = v_pab
    str_pab_password   = ''
  tables
    ostr_signed_data   = t_input_data
    signer_result_list = t_signer_info
    ostr_output_data   = t_output_data
  exceptions
    others             = 1.
if sy-subrc <> 0 or t_signer_info[] is initial.
  write / 'Signature verification failed' color col_negative.
endif.

"// One line per signer; result 0 means the signature verified
write: /, / 'Signer info:'.
loop at t_signer_info assigning <signer_info>.
  write: / 'ID:',      <signer_info>-id,
         / 'Profile:', <signer_info>-profile,
         / 'Result:',  <signer_info>-result.
  if <signer_info>-result = 0.
    write / 'Signature is valid' color col_positive.
  else.
    write / 'Signature is invalid' color col_negative.
  endif.
endloop.

"// The recovered payload, converted from the system code page to text
write: /, / 'Output data:'.
o_conv = cl_abap_conv_in_ce=>create( ).
loop at t_output_data assigning <output_data>.
  o_conv->convert( exporting input = <output_data>-bindata
                   importing data  = v_line ).
  write / v_line.
endloop.
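As an added example (not commands from the post run verbatim), the shell script below repeats steps 1, 3 and 4 with the openssl CLI alone, so that the SSF02 outcome (SIGNER OK for the intact file, NOT OK after tampering) can be reproduced without an SAP system; it assumes the openssl CLI is on PATH, and the file and function names are ours.

```shell
#!/bin/sh
# Added example (not the post's own commands run verbatim): steps 1, 3 and 4 of
# the post redone with the openssl CLI alone, so that the SAP-side result
# (SSF02 / SSF_KRN_VERIFY: SIGNER OK vs NOT OK) can be reproduced offline.
# Assumes the openssl CLI is on PATH; file and function names are ours.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Step 1: DSA key pair and self-signed certificate (the cert is what STRUST trusts).
make_signer_cert() {
    [ -f "$WORK/cacert.pem" ] && return 0           # reuse if already generated
    openssl dsaparam -out "$WORK/dsaparam.pem" 2048 2>/dev/null
    openssl gendsa -out "$WORK/privkey.pem" "$WORK/dsaparam.pem" 2>/dev/null
    openssl req -new -x509 -key "$WORK/privkey.pem" -out "$WORK/cacert.pem" -days 1095 \
        -subj "/C=BR/ST=Sao Paulo/L=Sao Paulo/O=ABAP Ninja/CN=Guilherme Maeda"
}

# Step 3: opaque (-nodetach) PKCS#7 SignedData in DER, the post's exact options.
sign_file() {       # $1 = plaintext in, $2 = signed DER out
    openssl smime -sign -in "$1" -outform DER -binary -nodetach -out "$2" \
        -signer "$WORK/cacert.pem" -inkey "$WORK/privkey.pem"
}

# Step 4 outside SAP: verify against the trusted certificate and recover the
# payload. Exit 0 == SSF_API_SIGNER_OR_RECIPIENT_OK, non-zero == NOT_OK.
verify_file() {     # $1 = signed DER in, $2 = recovered payload out
    openssl smime -verify -in "$1" -inform DER -binary \
        -CAfile "$WORK/cacert.pem" -out "$2" >/dev/null 2>&1
}

# The signer DN, as SSF02 prints it under "Results of the digital signature check".
signer_subject() {  # $1 = signed DER
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout | sed -n 's/^subject=//p'
}

# The post's tamper test: overwrite five payload bytes inside the DER with a
# same-length string, so the ASN.1 still parses but the digest no longer matches.
tamper() {          # $1 = signed DER in, $2 = tampered copy out
    cp "$1" "$2"
    off=$(LC_ALL=C grep -abo 'ipsum' "$1" | head -n 1 | cut -d: -f1)
    printf 'IPSUM' | dd of="$2" bs=1 seek="$off" conv=notrunc 2>/dev/null
}

# Demo with a constructed payload.
make_signer_cert
printf 'Lorem ipsum dolor sit amet, consectetur adipiscing elit.\n' > "$WORK/data.txt"
sign_file "$WORK/data.txt" "$WORK/signed.bin"
echo "signer:   $(signer_subject "$WORK/signed.bin")"
verify_file "$WORK/signed.bin" "$WORK/out.txt" && echo "original: SIGNER OK"
tamper "$WORK/signed.bin" "$WORK/tampered.bin"
verify_file "$WORK/tampered.bin" "$WORK/bad.txt" || echo "tampered: SIGNER NOT OK"
```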

That’s it. Now you know how the license files are created and validated.
Signature Process Flow (Components Involved)

Use

The process explains how the components involved work together in a signature
process:

- Application: for example, EA-APPL
- Digital signature: SAP_ABA
- Secure Store and Forward: SAP_BASIS

Process

Figure 1: Signature Process (Components Involved)


1. From within the business context of a user's application, he or she starts a
process that requires a digital signature (for example, the approval of
deviations in a process instruction sheet).
2. The document to be signed is called by the application and forwarded to the
signature tool in SAP_ABA.
The signature function is opened in SAP_ABA. The system displays the
dialog box for executing the digital signature.

Note

In your application, you can specify whether the document to be signed is to
be managed by the application itself or by the signature function.

3. You enter your user ID and password.
The user ID and password are either checked in the system (if you are using
the system signature) or on the smart card by the external security product
(component SSF).
4. The signature tool runs the following checks:
  - Authorization check
The tool checks whether the user has authorization to execute the digital
signature.
  - User data check
The tool checks whether the required user data such as first and last name
and the time zone were entered correctly in the system.
  - Duplicate key check
If the user has already provided a signature as part of a signature strategy,
the signature process is canceled and an error message displayed.
  - Authorization group check
The authorization group check determines whether the user has selected
the correct role in accordance with his or her assignment to an
authorization group in the authorization profile.
  - Sequence check
The sequence check determines which signature steps the user can select
from before entering his or her user ID and password.
  - Release check
The release check ensures that all necessary signatures were provided to
complete an approval or signature process successfully. Particularly in the
case of an asynchronous signature strategy, the system informs the
application which status (Completed / Not Completed) the signature
process has. When you use the synchronous signature strategy, all
required signatures must be provided in the same SAP R/3 session.

Note

In the case of the simple digital signature without a signature strategy, the
authorization check, sequence check, and release check are omitted.

5. When the signature process has been completed successfully, follow-up
actions can be started in the application.


Digital signature in DMS


Created by Guest, last modified by Former Member on Dec 05, 2012

Prerequisite

1) The authorization object C_SIGN_BGR must be assigned to you (ask the Basis team) for the digital
signature.

2) The following are the authorization objects for documents (full access to all of them is best; a) and b) are
mandatory):
a) C_DRAW_TCD
b) C_DRAW_TCS
c) C_DRAW_STA
d) C_DRAW_BGR
e) C_DRAW_DOK
f) C_DRAD_OBJ
How to configure Digital Signature in DMS

1. The required settings are made under
a) Document Management -> Approval -> Define Individual Signature
b) Document Management -> Approval -> Define Signature Strategy
2. Assign a signature strategy to the document status.
3. The required settings are also made in Customizing under
Document Management -> Control Data -> Define Document Types (DC10) -> Define Document Status.
Assign a signature strategy to the document status (see point 1).
4. Save the changes.
5. Create a DIR (document info record).
6. In the DIR, once the document status that requires a digital signature is set, the system informs you that a digital signature
is required. A yellow warning appears; press Enter twice.
7. The Digital Signature dialog box appears. Enter your comment in the text field. Select the individual signature that is
assigned to your authorization group in the Signatures to be executed section and enter the password. Then
save again.
8. You can see this digital signature again in CV03N: go to the top menu Environment -> Digital Signature. You will get all
the details.
Thus the digital signature process has been completed.
With the help of transaction SU01, in the user tab enter your user name and press F7; check that the first and last name are
correct. If not, switch to change mode, enter the correct ones and save. This is necessary because, when making a digital
signature with user ID and password, these fields are required; otherwise an error is raised.
