Introduction to Digital Signatures and SAP Interactive Forms by Adobe
Let’s take a look at what this means by discussing a scenario.
A Simple Digital Signature Scenario
Here’s what you’ve got to do for a simple example.
- Create a new form in one of the integration environments of your choice (e.g. Form Builder in the ABAP Workbench/SAP GUI).
- Drag and drop a text field from the standard library to the form.
- Add a document signature field on the form. For some basic tests, I recommend not to lock form fields after signing so that you can test what it looks like if the data is modified after signing.
- Resize the field so that it occupies more space (to get rid of the warning). Figure 1 shows what my form template looked like after this step.
Figure 1: Form template with a text field and a document signature field
- Render the form as an interactive PDF; use for example a print program written in ABAP. This is necessary because the usage right to enable document signing in Adobe Reader is necessary. (If you use Adobe Acrobat instead of Adobe Reader, preview PDF in Adobe Designer can be used directly).
- Bring up the PDF in Reader and click on the document signature field. The dialog shown in Figure 2 comes up. In this example a certificate stored on the computer’s hard disk is used.
Figure 2: This is the dialog to sign a PDF document
- Save the signed PDF form (figure 3 shows an example). Check out the “Signatures” button on the Navigation Panel to see what information is provided by Reader for signed PDF documents (e.g. if the signature is valid).
Figure 3: The signed PDF document
- You can use the report FP_PDF_TEST_12 as a test program to verify the signature. This test program implements server side validation of digital signatures. Please see also note 4 of the next section.
- Do some tests by modifying the content of the text field after signing and see how the the display of the signature in Reader changes and you could also run the test program again and see what the response is then.
Important Things to Note when Using Dig Sigs
Here’s a list of things you should know when using dig sigs:
- Starting with Designer 8 and Reader 8, digital signatures allow locking fields after signing a form without using scripting (see the Document Signature tab of the Object palette).
- The context menu of the document signature field (in Adobe Reader/Acrobat) provides a clear signature menu item.
- Digital signatures affect the file size since all information needs to be included in the PDF to allow reconstruction/display of revisions of the signed PDF. This is especially true if multiple document signature fields are used on one form. This affects transmission times and hence often response time in online scenarios.
- A root certificate, also called trusted anchor, has to be installed on ADS to allow validation of signatures on the server. Certificate Revocation Lists allow you to identify certificates that now longer can be trusted. See the Configuration Guide for SAP Interactive Forms by Adobe in section 7.7 Trusted Anchors and Certificate Revocation Lists. This document is available on SDN see below for a link.
- Chapter 7 of the Configuration Guide for SAP Interactive Forms by Adobe describes more the technical prerequisites in more detail. I recommend reading that if you plan to use and implement digital signatures.
Here’s the link to the SAP Interactive Forms by Adobe – Configuration Guides
Server Side Digital Signature
ADS also provide the ability to apply a digital signature to an interactive PDF form on the server side. Also for server side signing, a document signature field needs to be on the form. This is where the signature is stored in. SAP Interactive Forms by Adobe do no support time stamp servers when applying dig sigs on the server (i.e. by ADS).
Qualified Digital Signature
Qualified digital signatures are a special topic, for example in Germany or Austria. In those countries legal aspects have to be considered. In simple terms the certificate used for signing has to be stored on separate hardware. On the client side, special Reader plug-ins can be used to support qualified dig sigs (i.e. plug-ins are vendor dependent). On the server side there is no support for applying qualified dig sigs. Validation depends on the implementation by the vendor.
Digital Signatures and Print Forms
SAP Interactive Forms by Adobe do not support signing print forms.
Simple dig sig scenarios can be implemented quite easily. This blog explained the basics. Finally, two notes on the availability of what was described in this blog:
- Minimum requirements for what is described in this blog is SAP NetWeaver 7.0 SP 13 with Designer 8.0 and Reader 8 or later.
- You need to check if the framework/integration you are using does support what is described here in this blog. Not everything is possible everywhere.
- Check your legal requirements, if a simple scenario as described in this blog is acceptable (e.g. company internal).