
Introduction

I kindly request all readers to go through the blog by Juergen. It provides a good introduction to digital signatures in Adobe Interactive Forms for SAP.

Juergen's blog explains this concept very well through a simple digital signature scenario: implementing a form containing a signature and validating it on the ABAP side. My blog discusses a similar scenario for developers implementing it on the Java side.

In addition to this blog, the e-learning section of SAP Interactive Forms by Adobe on SDN contains a very useful recording, ‘Securing Online Interactive Forms by Adobe’ by Angel Dichev. Link for pdf presentation document.

In this recording, Angel explains:

  • Configuration required on the Java stack of SAP WAS 2004s to enable SSL communication
  • Configuration required on ADS to run an online form application using SSL communication
  • Implementation and validation of digital signatures in an online processing scenario

The recording also includes an actual demo by him.

My Experiences

Following the recording step by step, I could immediately configure the Java stack of WAS to use SSL. It was an easy task.

But I had to struggle with the next task, i.e. running an online form in secure mode. I faced the following problems:

1. SSLCertificateException: InvalidResponseCodeException (401) Unauthorized

2. Peer certificate: Bad certificate

3. Finally, when I was able to run my online form in a secure way, the Digital Signature Validation process used to go into an unending state

 

The first two problems occurred because, while assigning a certificate to ADSUSER in UME, the certificate from the ADSCerts view was used instead of the certificate from the Trusted CA view of the Key Storage service. See picture below.

image

The third problem was solved by ensuring that no pop-up (warning message) appears while running the online form in secure mode, a tip given by a friend at SAP who works on Adobe forms.

Validation Process of digital signature implemented on server-side

Scenario

An employee has to apply for leave online. In an online form application, the employee fills in the form with the required details, signs it with their own digital signature and submits it to the SAP system. Further processing of the leave application form is initiated only if the signature is valid.

image

 

Code for validating the signatures present in the form:

 

// Fragment of a Web Dynpro Java controller method; wdContext and wdThis are provided by the framework.
IWDMessageManager msgMgr = wdThis.wdGetAPI().getComponent().getMessageManager();

IWDPDFDocumentHandler pdfDocumentHandler = WDPDFDocumentFactory.getDocumentHandler();
IWDPDFDocumentAccessibleContext accessibleContext = pdfDocumentHandler.getDocumentAccessibleContext();

// PDF submitted from the online form, held in the context attribute "pdf"
byte[] pdf = wdContext.currentContextElement().getPdf();
accessibleContext.setPDF(pdf);

// Request the signature information of the document
accessibleContext.getTaskSetter().addGetSignatureTask();
IWDPDFDocument pdfDocument = accessibleContext.execute();

// Certification of the document (null if the document is not certified)
IWDPDFDocumentCertificate certificate = pdfDocument.getCertification();
IWDPDFDocumentSignature[] signatures = pdfDocument.getSignature();

if (certificate != null) {
      msgMgr.reportSuccess("Certificate Status: " + certificate.getStatus().toString());
      msgMgr.reportSuccess("Certificate Validity: " + certificate.isValid());
}

// Check all signature fields
if (signatures == null) {
      msgMgr.reportWarning("The document has not been signed.");
} else {
      StringBuffer buffer = new StringBuffer();

      buffer.append("Number of signature fields attached : " + signatures.length);
      buffer.append("||");
      buffer.append("Accessing signature details one by one : ");

      for (int i = 0; i < signatures.length; i++) {
            buffer.append("||");
            buffer.append("Field :" + signatures[i].getField());
            buffer.append("||");
            buffer.append("ContactInfo :" + signatures[i].getContactInfo());
            buffer.append("||");
            buffer.append("Date :" + signatures[i].getDate());
            buffer.append("||");
            buffer.append("Location :" + signatures[i].getLocation());
            buffer.append("||");
            buffer.append("Reason :" + signatures[i].getReason());
            buffer.append("||");
            buffer.append("Signer :" + signatures[i].getSigner());
            buffer.append("||");
            buffer.append("Status :" + signatures[i].getStatus().toString());
            buffer.append("||");
            buffer.append("isValid :" + signatures[i].isValid());
            buffer.append("||");

            if (signatures[i].isValid()) {
                  msgMgr.reportSuccess("This is a signed document");
            }
      }

      // Report the collected details once, after all signature fields have been read
      msgMgr.reportSuccess("The document has been signed." + buffer);
}

 

Case 1: What happens if the online form application is run in non-secure (http) mode

The PDF Document APIs fail to recognize the signatures present in the form and return a null value for them.

Case 2: Valid Signature

As we understand from case 1, in order to validate signatures present in the form, the online form application has to be run in secure (https) mode only.

Now, suppose the digital signature (key pair) that would be used for signing the form was generated by the j2ee server from its Key Storage service and assigned to a user.

The validation of the user’s signature succeeds only if the user’s certificate (public key) is available in the following places:

1. TrustedCAs view of Key Storage service

image

2. SSL Ports (in SSL Provider service) should request the user’s certificate (public key)

image

3. Trusted Anchors in Document Services Configuration service (refer to the above help links as well)

image

From my experience while validating signatures, if the user’s certificate is not available in any of the above locations, the PDF Document APIs return false validity.
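The scenario above continues processing only if the signature is valid, while Case 1 and Case 2 describe the API returning null or a false validity. The following is an added example (not code from the original post or from SAP) of a fail-closed decision for that step. SignatureView is a hypothetical stand-in for the getField() and isValid() calls of IWDPDFDocumentSignature, getField() is assumed to return the field name, and the field names are constructed.

```java
import java.util.*;

public class SignatureGate {

    /** Hypothetical stand-in for the getField()/isValid() getters of IWDPDFDocumentSignature. */
    interface SignatureView {
        String getField();   // assumed here to be the signature field name
        boolean isValid();
    }

    /** Reasons to reject the form; an empty list means processing may continue. */
    static List<String> rejectionReasons(SignatureView[] signatures, String[] requiredFields) {
        List<String> reasons = new ArrayList<>();
        if (signatures == null || signatures.length == 0) {
            // Case 1: over plain http the API returns null, so fail closed.
            reasons.add("no signature information returned");
            return reasons;
        }
        Set<String> validFields = new HashSet<>();
        for (SignatureView s : signatures) {
            if (s != null && s.isValid()) {
                validFields.add(s.getField());
            } else {
                // Case 2: e.g. the signer's certificate is missing from a trust location.
                reasons.add("invalid signature in field " + (s == null ? "(unknown)" : s.getField()));
            }
        }
        for (String required : requiredFields) {
            if (!validFields.contains(required)) {
                reasons.add("no valid signature in required field " + required);
            }
        }
        return reasons;
    }
    static SignatureView sig(final String field, final boolean valid) {
        return new SignatureView() {
            public String getField() { return field; }
            public boolean isValid() { return valid; }
        };
    }

    public static void main(String[] args) {
        String[] required = { "EmployeeSignature" };   // constructed field name
        System.out.println(rejectionReasons(null, required));
        System.out.println(rejectionReasons(new SignatureView[] { sig("EmployeeSignature", false) }, required));
        System.out.println(rejectionReasons(new SignatureView[] { sig("ManagerSignature", true) }, required));
        System.out.println(rejectionReasons(new SignatureView[] { sig("EmployeeSignature", true) }, required));
    }
}
```

In the Web Dynpro controller the same checks would run over the array returned by pdfDocument.getSignature(), and the leave request would be processed only when the list of reasons is empty.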

Conclusion

All of the above information can be found in the blog and recording links. But since it is too much information for a beginner like me, and in order to pinpoint the main focus areas, I felt the need to blog it on SDN.

I hope this blog is of help to those who are trying to implement digital signatures in SAP Interactive Forms by Adobe (SIFbA).


6 Comments


  1. Kapil Kamble Post author
    Hi Artem
    Yes, I have not explained how to get user certificates in the described places because the recording and pdf document links provided explain it precisely. I request you to please refer to them.
    I totally agree with you on the note of manual addition of certificates being inappropriate in case of hundreds or thousands of users. I have not explored APIs on this since I was trying to get the basic scenario correct 🙂
    Maybe you could update us on this if you chance upon relevant APIs.
    Thanks to you for reading the blog and discussing it with me.
    Kapil
    (0) 
        1. Kapil Kamble Post author
          OK. In that way, the type of certificate used is self-signed.
          However, I have also tried with certificates tested by SAP Trust Center Services (http://service.sap.com/tcs) and have got similar results. But when I tried with certificates trusted by Verisign, I was not able to validate the signatures.
          BR
          Kapil
          (0) 
  2. Angel Dichev
    Hello guys,

    Please use CA root certificate for signing the client credentials. Validate against the CA Root and configure CRL URLs that point to the CA revocation lists XMLs.

    Hopefully this helps.

    Regards, and have fun with your IFbA implementations.  

    (0) 
