Digital signatures allow you to sign a form; more precisely, they allow you to sign the data entered into the form. This lets you verify the integrity of the data and the authenticity of the submitter. To use digital signatures, a so-called digital certificate is needed. For example, data is processed in an SAP backend only if the signature is valid (integrity) and the certificate used to sign can be mapped to a person or entity (authenticity). Signature validity can be verified by Adobe Document Services (ADS). Mapping certificates to persons has to be done in the implementation of a scenario (i.e. in ABAP or Java). ADS can provide the certificate chain to facilitate this, but it has no built-in means of doing the mapping.
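The two checks described above (valid signature, then certificate mapped to a person who may sign), shown as an added Python example that is not part of the original post and does not use any SAP or ADS API. The report structure, the registry tables, the user IDs and the certificate byte strings are all hypothetical and constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Tuple

# Constructed byte strings standing in for DER-encoded certificates (not real X.509).
MANAGER_CERT = b"constructed-cert|CN=A. Manager|issuer=Example Corp CA|serial=01"
CLERK_CERT = b"constructed-cert|CN=B. Clerk|issuer=Example Corp CA|serial=02"
# Self-created digital ID that merely carries the manager's name.
LOOKALIKE_CERT = b"constructed-cert|CN=A. Manager|issuer=CN=A. Manager|serial=99"
# Valid certificate from the same CA that was never enrolled with the application.
STRANGER_CERT = b"constructed-cert|CN=C. Stranger|issuer=Example Corp CA|serial=03"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the encoded certificate; identifies exactly one certificate."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass(frozen=True)
class SignatureReport:
    """Hypothetical shape of what the validation service reports for one signature."""
    integrity_ok: bool     # signed data unchanged since signing
    chain_trusted: bool    # chain ends at an installed trust anchor and is not revoked
    signer_cert: bytes     # signer certificate taken from the returned chain
    display_name: str      # name shown in the signature; chosen by whoever made the ID


# Application-level mapping (assumed data model): enrolled certificate -> user id.
CERT_TO_USER = {fingerprint(MANAGER_CERT): "MGR001", fingerprint(CLERK_CERT): "CLK007"}
# Which users may sign which form type.
ALLOWED_SIGNERS = {"PURCHASE_APPROVAL": {"MGR001"}}


def decide(report: SignatureReport, form_type: str) -> Tuple[bool, str]:
    """Return (process?, user id or rejection reason). Every check must pass."""
    if not report.integrity_ok:
        return False, "data modified after signing"
    if not report.chain_trusted:
        return False, "certificate does not chain to a trusted anchor"
    # Map by fingerprint, never by display_name: anyone can put any name in a new ID.
    user = CERT_TO_USER.get(fingerprint(report.signer_cert))
    if user is None:
        return False, "certificate not mapped to a known person"
    if user not in ALLOWED_SIGNERS.get(form_type, set()):
        return False, "signer not authorised for this form"
    return True, user


def run_samples():
    """Evaluate five constructed reports for the same form type."""
    samples = {
        "manager": SignatureReport(True, True, MANAGER_CERT, "A. Manager"),
        "edited": SignatureReport(False, True, MANAGER_CERT, "A. Manager"),
        "lookalike": SignatureReport(True, False, LOOKALIKE_CERT, "A. Manager"),
        "stranger": SignatureReport(True, True, STRANGER_CERT, "C. Stranger"),
        "clerk": SignatureReport(True, True, CLERK_CERT, "B. Clerk"),
    }
    return {name: decide(r, "PURCHASE_APPROVAL") for name, r in samples.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:10s} {result}")
```

Only the first sample is processed; the other four are rejected at a different check each, which is why the data should be handled only after all of them pass.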

Let’s take a look at what this means by discussing a scenario.

A Simple Digital Signature Scenario

Here’s what you’ve got to do for a simple example.

  1. Create a new form in one of the integration environments of your choice (e.g. Form Builder in the ABAP Workbench/SAP GUI).
  2. Drag and drop a text field from the standard library to the form.
  3. Add a document signature field on the form. For some basic tests, I recommend not to lock form fields after signing so that you can test what it looks like if the data is modified after signing.
  4. Resize the field so that it occupies more space (to get rid of the warning). Figure 1 shows what my form template looked like after this step.
    Figure 1: Form template with a text field and a document signature field
  5. Render the form as an interactive PDF; use for example a print program written in ABAP. This is necessary because Adobe Reader requires the usage right that enables document signing. (If you use Adobe Acrobat instead of Adobe Reader, the PDF preview in Adobe Designer can be used directly.)
  6. Bring up the PDF in Reader and click on the document signature field. The dialog shown in Figure 2 comes up. In this example a certificate stored on the computer’s hard disk is used.
    Figure 2: This is the dialog to sign a PDF document
  7. Save the signed PDF form (Figure 3 shows an example). Check out the “Signatures” button on the Navigation Panel to see what information Reader provides for signed PDF documents (e.g. whether the signature is valid).
    Figure 3: The signed PDF document
  8. You can use the report FP_PDF_TEST_12 as a test program to verify the signature. This test program implements server side validation of digital signatures. Please see also note 4 of the next section.
  9. Do some tests by modifying the content of the text field after signing and see how the display of the signature in Reader changes. You can also run the test program again and see what the response is then.

Important Things to Note when Using Dig Sigs

Here’s a list of things you should know when using dig sigs:

  1. Starting with Designer 8 and Reader 8, digital signatures allow locking fields after signing a form without using scripting (see the Document Signature tab of the Object palette).
  2. The context menu of the document signature field (in Adobe Reader/Acrobat) provides a clear signature menu item.
  3. Digital signatures affect the file size since all information needs to be included in the PDF to allow reconstruction/display of revisions of the signed PDF. This is especially true if multiple document signature fields are used on one form. This affects transmission times and hence often response time in online scenarios.
  4. A root certificate, also called a trusted anchor, has to be installed on ADS to allow validation of signatures on the server. Certificate Revocation Lists allow you to identify certificates that can no longer be trusted. See section 7.7, Trusted Anchors and Certificate Revocation Lists, of the Configuration Guide for SAP Interactive Forms by Adobe. This document is available on SDN; see below for a link.
  5. Chapter 7 of the Configuration Guide for SAP Interactive Forms by Adobe describes the technical prerequisites in more detail. I recommend reading it if you plan to use and implement digital signatures.

Here’s the link to the SAP Interactive Forms by Adobe – Configuration Guides

Server Side Digital Signature

ADS also provides the ability to apply a digital signature to an interactive PDF form on the server side. For server-side signing, too, a document signature field needs to be on the form. This is where the signature is stored. SAP Interactive Forms by Adobe do not support time stamp servers when applying dig sigs on the server (i.e. by ADS).

Qualified Digital Signature

Qualified digital signatures are a special topic, for example in Germany or Austria. In those countries legal aspects have to be considered. In simple terms the certificate used for signing has to be stored on separate hardware. On the client side, special Reader plug-ins can be used to support qualified dig sigs (i.e. plug-ins are vendor dependent). On the server side there is no support for applying qualified dig sigs. Validation depends on the implementation by the vendor.

Digital Signatures and Print Forms

SAP Interactive Forms by Adobe do not support signing print forms.

Conclusion

Simple dig sig scenarios can be implemented quite easily. This blog explained the basics. Finally, two notes on the availability of what was described in this blog:

  • The minimum requirement for what is described in this blog is SAP NetWeaver 7.0 SP 13 with Designer 8.0 and Reader 8 or later.
  • You need to check whether the framework/integration you are using supports what is described in this blog. Not everything is possible everywhere.
  • Check your legal requirements to see whether a simple scenario as described in this blog is acceptable (e.g. company internal).

32 Comments


  1. Sergio Ferrari
    Thanks a lot for this interesting blog.
    I’m wondering what you think about the verification processes in the inbound scenarios.
    For example, a customer fills in an Adobe IF offline, signs it, and emails it to the SAP ECC. Now the interesting challenge is to associate the received form with the right business partner.
    I mean, it would be great to verify if the electronic signature is valid but even more to extract “an” IdentificationCode (e.g. customer number) to finally assure that the incoming data are coherent also at business level (e.g. the order contains an allowed ship-to partner number).
    Where is the best place to store the certificates of customers/vendors/employees and which is the right functionality to link them to the master data?
    Sergio
    (0) 
    1. Juergen Hauser Post author
      The inbound scenarios, or offline scenarios, are the most interesting use cases for IF. As you said it is possible to use either the dig sig and/or a customer number to identify where a request belongs to. The recommendation here is that the incoming IF is only processed if the signature can be validated.

      Since I’m not the expert in the NW security area, I do not want to recommend where to store the certificates. The important information I wanted to share is that it is definitely not in ADS.

      Juergen

      (0) 
  2. Eileen Nieves
    Thank you for the valuable information on your blog!

    I’m wondering if this is the same process that we would use to get a signature to print on a vendor check that’s designed in Adobe LiveCycle and is generated in the background with a print job.  We have the signature stored in a SIMM that’s installed on the check printer.

    I’m thinking that even though the signature is digitized, the term “digital signature” is used for a different type of signature.

    Would you have any recommendations for us?

    Thank you very much.

    Eileen

    (0) 
    1. Juergen Hauser Post author
      First of all, if it is a pure print form it is not supported by IFbA.

      For “digital signatures” you need a certificate (private/public keys). Not sure what you mean with “the signature is digitized”. Scanned?

      Adobe LiveCycle has some more options compared to IFbA when it comes to signing PDF-based print forms.

      Cheers,
      Juergen

      (0) 
      1. Eileen Nieves
        Hi Juergen,

        Actually, ‘digital signatures’ is different from what we’re trying to achieve. 

        In our case we have a spool in SAP with several forms in it.  Each form has a space (field) where a graphic must print only when the forms are sent to the printer by the user.  The graphic is a secured graphic stored on the printer.  We need to find a way to call this secured graphic from the Adobe form at the moment when the document is sent for printing. 

        In SAPscript we could achieve this by issuing a PCL command.  With Adobe we haven’t been able to find something similar.

        Thanks for your guidance!

        Best regards,
        Eileen Nieves

        (0) 
        1. Juergen Hauser Post author
          Hello Eileen,

          Ok, got it now. But I do not know the answer. Have you thought about opening a support message or contacting someone from SAP who could request help from Adobe?

          Regards,
          Juergen

          (0) 
  3. ENRICA PERNICENI
    Dear Juergen,
    I need to insert in an Adobe document (generated by Sap Interactive forms) a digital signature generated by Entrust. The extension of file signature is .epf. If you try to insert an existing  signature in attached document there is a pop-up that let you choose files with different extension (.p12, .apf and so on)  but not .epf. We need to insert a digital signature generated by entrust.
    How could we perform it?

    Regards
    Enrica

    (0) 
    1. Juergen Hauser Post author
      Dear Enrica,

      In such cases I recommend to work with Adobe people directly. This is a very specific question. Adobe also has people who are responsible for customers.

      Regards,
      Juergen

      (0) 
  4. Sachidananda Shetty
    Dear Juergen,
    I am trying to use the digital signature in print forms. My requirement is to have a digital signature in the checks we are printing.

    My question is: is there a way I can have the signature in the printer and print the same while printing?

    Best Regards
    Sachi

    (0) 
    1. Juergen Hauser Post author
      Hi Sachi,

      When you say “while printing” you really mean sending it to a printer?
      I would recommend looking at the scenario and figure out if certification is an option for the use case.
      Signing a print form is not supported by IFbA.

      Cheers,
      Juergen

      (0) 
    2. Eileen Nieves
      Hi Sachi,

      You can explore having your signature stored as a font in a SIMM or DIMM card in the check printer.  These fonts are assigned a character code by the vendor which can be mapped in the XDC file of your printer.  Check OSS note 1122142.

      I hope this helps!

      Regards,
      Eileen

      (0) 
      1. Manish Bisht
        hi ,
        Thanks for your reply. But we are using Adobe Forms, where we have added a new document signature field. Apart from this new field, all data in the PDF is getting saved in CRM; I think this is happening because we didn’t have a binding field for the signature field.
        Do we need to create a binding for this field in the backend?
        Or can we do that?
        (0) 
        1. Juergen Hauser Post author
          Hi,
          You do not need a data binding. The signature field is used to sign the PDF and needs to be validated before the PDF form is processed. ADS provides functionality to do this. You should only process the data if the validation of the signature is OK. Besides the valid signature, you need to figure out if this person was allowed to sign the document – this can only be done on application level (i.e. not using ADS). ADS returns information to help you with that. Check out the APIs (i.e. ABAP PDF-Object).
          Regards,
          Juergen
          (0) 
  5. suresh babu

    Hi Juergen,

    Great post. Thanks.

    I have one question.

    When we click on the signature field, a popup comes up to choose a certificate, and we can create new IDs as well. I can create my manager’s digital signature as him and I can put it in the signature field.

    How can we move further with these cases?

    Thanks

    Suresh

    (0) 
    1. Juergen Hauser Post author

      Hi Suresh,

      If you create a new ID it is a self-signed certificate and comes with all limitations of such certs (e.g. no trusted root certification authority (CA)). Usually, you would use certificates that are issued by an official CA.

      Such scenarios usually consist of two steps: (1) validating the signature and (2) checking if the right person signed the form, i.e. making sure the certificate used belongs to the person supposed to sign. The second step is not part of IFbA and needs to be implemented in your application. And they make use of PKIs (Public Key Infrastructures). In other words, you need to be able to know who is using which cert.

      Hope this helps.

      Regards,

      Juergen

      (0) 
  6. Umit Coskun Aydinoglu

    Hello Jürgen,

    Great article. What I want to do is combine digital signatures and SAP Workflow. The idea in my mind is:

    1 – The responsible persons who are supposed to approve/reject receive an interactive form in their email inbox during the execution of the workflow.

    2 – After that they fill in and sign the document and send it to a special email inbox.

    3 – A program will check this inbox and read the document. First, check if the signature is valid. Second, check if the person who signed the document is a valid approver for the workflow step. If everything is OK, the program will execute the decision of the user by calling workflow BAPIs.

    Have you ever implemented, or do you have any idea about, this kind of integration between Adobe forms and SAP Workflow?

    Kind Regards

    Coşkun

    (0) 
    1. Juergen Hauser Post author

      Hi Coşkun,

      A scenario like this has been implemented by customers.

      Also there is a description (chapter 10) how this scenario could be implemented using the ABAP Offline Infrastructure in the Interactive Forms book (title “SAP Interactive Forms by Adobe”, SAP Press/Galileo). I’m one of the two authors of this chapter. Scenarios like this are actually the reason why we added the ABAP Offline Infrastructure to speed up customer implementations.

      Some customers implemented this scenario using the ABAP PDFObject covered in chapter 11 of the book.

      The only thing that you need to figure out is the last check if this person was allowed to sign the document and if it was this person’s certificate. We cannot handle this generically in the infrastructure or on form design level.

      Regards,

      Juergen

      (0) 
  7. Varun Vadnala

    Hi Juergen,

    I have couple of questions in implementing digital signatures in Adobe interactive forms.

    1. How to create signatures? In one of the above replies of yours, it’s mentioned that “Usually certificates issued by CA are preferred”; does certificate here refer to signatures? How to get the CA certificate, kindly let me know? Can we create the signature manually by clicking the signature field? Is it recommended?

    2. How do we embed the signature on the PDF? When the user tries to click on the signature field, he should be having the signature by default.

    3. I am using a Web Dynpro application with an interactive form; how should I deal with the necessary things to be checked when using digital signatures?

    regards,

    Varun

    (0) 
    1. Juergen Hauser Post author

      Hi Varun,

      1. A digital signature technically requires a certificate. A CA sells such certificates and that has the advantage that the root certificate for a CA is usually known and trusted(!) by Reader, your browser etc. You can use self-signed certificates for dev and test and there are lots of blogs out there how to create one.

      2. Step 6 in the blog describes the experience. There needs to be an action to sign, the click and then there might be multiple certificates installed on a users system that the user can choose from. Step 7 shows what the embedded signature looks like.

      3. Web Dynpro knows what to do if the PDF has a signature field on it (e.g. transfer always the PDF in binary and no longer only the data). The ABAP PDF object provides methods to check for example the validity of a signature.

      Regards,

      Juergen

      (0) 
  8. Suraj Mathur

    Hi Juergen,

    We are trying to implement digital signature by server side signing in interactive adobe forms. We are referring the SAP standard program FP_PDF_TEST_07 for achieving the scenario.

    We are facing an issue: we can see the digital signature field, but it is asking for manual input (click to sign a document) every time with some digital ID.

    Can you please help us here with how we can automate the process so that the user will not be required to sign a document manually? It should be done on the server side automatically while running the document.

    Many thanks

    Regards,

    Suraj Mathur 

    (0) 
    1. Juergen Hauser Post author

      Hi Suraj,

      This is not an “issue” as this is intentional. The user is asked to sign a document and he needs to express that he agrees (legally binding in most countries) to the content of the document. If you do this on the server you assume that the user whose certificate you would use agreed with the document.

      The digital signature replaces the wet signature (with a pen on a piece of paper).

      The proof of origin of a document is called certification and is also possible with ADS. This  allows users to verify that a document was actually created and published by the organization that certified it. You as a user can trust the document and its content.

      Regards,

      Juergen

      (0) 
      1. Suraj Mathur

        https://wiki.scn.sap.com/wiki/display/ABAP/Server+side+signing+of+SAP+IfbA+documents

        Hey Juergen,

        Thanks for your quick response on this.

        What I am trying to achieve here is that when the user opens the pdf document, it already has the digital signatures embedded on the document(server side signing). There should not be any action taken by any user.

        You can refer to the below link for what I am trying to achieve.

        It would be great if you can help on this.

        (0) 
        1. Juergen Hauser Post author

          As I said, this is from a user perspective not an ideal scenario. Just because something is technically possible doesn’t mean that it is something you should implement. I explained what the issue is with a server side signature for a specific user.

          This is the reason why in some countries, e.g. Germany, Austria, etc this is not a legally binding signature.

          You’d also need to manage all certificates for all on the server.

          If the post you mention doesn’t work please check with the author of the post.

          Regards,

          Juergen

          (0) 
          1. Suraj Mathur

            Hi Juergen,

            Thanks for your reply!! But my requirement is to achieve security at server side without any intervention of User.

            When I am trying to implement the same I have the signature implemented but we have to add digital id after that as we have to do it in client side certification.

            Can you please help me in achieving the same!! Many thanks for your support !!

            Regards,

            Suraj Mathur

            (0) 
  9. EBRAHIM IMAM

    Hello…!!

    Can anyone please let me know about digital signatures in Adobe forms (T-code SFP)?

    I have added a digitally signed certificate in the settings of the digital signature field; it was added successfully,

    but after execution (F8) the signature is not displayed in the digital box, it is blank, and I am adding it here manually again.

    Regards,
    Ebrahym

     

    (0) 
  10. Vidhi Kamdar

    Hi Juergen,

     

    Thanks for such an informative post. I require an assistance regarding use of Digital Signatures.

    We have a requirement for a 3 level authentication in offline scenario.

    As the digital signature can’t be bound within the data stream, can we add any validation/script to identify if the document has been verified and signed by the first approver?

    For example setting a flag variable that approver 1 has signed and if we could bind the same flag variable with a web-service/rfc data connection.

    Thanks & Regards,

    Vidhi.

    (0) 
