SAP SRM Digital Signature for RFx and RFx Response
Many of you have wondered how to activate the digital signature functionality in SRM. In SPRO it is just a single node, but there is real work to do behind it before the Digital Signature feature actually works. I am sharing my bit of knowledge on how to activate it and make that single SPRO node really work 😎.
What is Digital Signature and where do I get one?
If you search in Google you will get thousands of answers to this question, so let us stick to the first answer Google returns 🙂
“It is a digital code (generated and authenticated by public key encryption) which is attached to an electronically transmitted document to verify its contents and the sender’s identity”. That is, it is a method that uses PKI to provide non-repudiation, authenticity and integrity for a message. To make it a bit more complicated: when I send a document, I use my private key to sign the data, and the receiver uses the public key of the certificate to verify it (FYI, for encryption it is just the opposite 😕).
The SAP digital signature component accepts any type of digital certificate in X.509 format (there is no class limitation).
The only check it performs on the digital certificate is Key Usage validation (0 - Digital Signature and 1 - Non Repudiation). So technically we can even use a self-signed certificate or a certificate generated by a demo X.509 certificate generator (for testing purposes you can use a demo certificate from this), but normally a certificate is issued by a Certifying Authority (CA). This is what gives a data exchange its legal validity.
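As an added example (not SAP's code and not from the original post), the sketch below decodes the Key Usage extension so you can confirm bits 0 and 1 are set before a certificate is used for signing. It assumes both bits are required and that a missing extension counts as a failure; the hex samples are constructed.

```python
# DER encoding of OID 2.5.29.15 (id-ce-keyUsage, RFC 5280)
KEY_USAGE_OID = bytes.fromhex("0603551d0f")
# Names of the KeyUsage BIT STRING positions, index = bit number (RFC 5280)
USAGE_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
               "dataEncipherment", "keyAgreement", "keyCertSign",
               "cRLSign", "encipherOnly", "decipherOnly"]
REQUIRED = {"digitalSignature", "nonRepudiation"}  # assumption: both bits needed

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def key_usage(der):
    """Key usage names in a DER certificate or Extension; None if absent.
    Locates the extension by a byte search for its OID, which is enough
    for a pre-upload sanity check but is not a full ASN.1 parser."""
    idx = der.find(KEY_USAGE_OID)
    if idx < 0:
        return None
    tag, value, pos = read_tlv(der, idx + len(KEY_USAGE_OID))
    if tag == 0x01:                        # optional 'critical' BOOLEAN
        tag, value, pos = read_tlv(der, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING extnValue")
    tag, bits, _ = read_tlv(value, 0)
    if tag != 0x03 or not bits:
        raise ValueError("expected BIT STRING")
    unused, payload = bits[0], bits[1:]
    count = min(len(payload) * 8 - unused, len(USAGE_NAMES))
    return {USAGE_NAMES[i] for i in range(count)
            if payload[i // 8] & (0x80 >> (i % 8))}

def missing_signing_bits(der):
    """Required bits the certificate lacks (all of them if no extension)."""
    return sorted(REQUIRED - (key_usage(der) or set()))

# Constructed sample Extension values (not taken from real certificates)
SIGNING_EXT = bytes.fromhex("300e0603551d0f0101ff0404030206c0")
TLS_EXT = bytes.fromhex("300b0603551d0f0404030205a0")
CA_EXT = bytes.fromhex("300e0603551d0f0101ff040403020106")

if __name__ == "__main__":
    for name, ext in [("signing", SIGNING_EXT), ("tls", TLS_EXT), ("ca", CA_EXT)]:
        print(name, sorted(key_usage(ext)), "missing:", missing_signing_bits(ext))
```

For a PEM file, convert it first with `ssl.PEM_cert_to_DER_cert` from the standard library and pass the resulting bytes to `key_usage`.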
In India, the Controller of Certifying Authorities (CCA) has authorized different CAs to issue Digital Signature Certificates.
You can find the licensed CAs in India at the link below.
Pre-requisites to enable Digital Signature in SRM.
Before you start using Digital Signature in SRM, you have to download and install the SECULIB component from the Service Marketplace. The SECULIB profile also has to be set up in RZ10. The OSS notes below will help you complete these tasks. This is a technical activity, so please take the help of your SAP BASIS consultant to complete the setup. After the setup, please don’t forget to restart the server.
1471126 – STRUST: How to correctly install SAPCRYPTOLIB
662340 – SSF Encryption Using the SAPCryptolib
578377 – Digital signatures with SAPCRYPTOLIB
Activate Digital Signature in SRM
You can activate the Digital Signature under the node
SPRO -> Supplier Relationship Management -> Cross application Basic setting -> Digital Signature -> Activate Digital Signature.
Here you can make the digital signature mandatory, optional or not required for each document type, depending on your business requirement. For RFx the transaction category is BUS2200, and you can select the transaction type for your required categories. For RFx Response it is QUOT-BUS2202. Also follow the note below to set up the iView details.
1377544 – iView not found error when Digital Signature is active.
Upload the certificate root to STRUST
In order to sign and verify an RFx or RFx response, the root certificates (the CAs' roots) need to be uploaded in transaction STRUST. You can even export the public key of a person’s certificate (it can be exported as a .cer file) from the Microsoft IE key store and put it in STRUST; signing and verification will then work with that as well. Exporting and storing individuals' public certificates is not recommended, because STRUST is not intended to store large amounts of certificate data (from all your bidders or purchasers). If you take a deep dive into DSC, the verification should actually happen with the public key of the certificate. I still wonder how SAP is verifying with the root CA certificate 😕
Procedure to export the PFX certificate from the IE keystore.
Procedure to import the Root certificate to STRUST
Go to transaction STRUST, select Certificate -> Import, then save.
Get Ready to test the application
Before you start, you have to install the certificate (.PFX file) from the CA into the IE keystore. If you received a USB token with the certificate, plug in the USB token before you start (and install the token drivers as well). Now you are ready for testing 🙂. You can create an RFx, fill in the required data and publish. When you first run this in the IE browser, it will ask you to install a cab file, SAPSIGN.CAB. (The popup blocker should be deactivated before you run this, and always start IE with “Run as Administrator”; you can see this option when you right-click the IE icon.) The first time it will give a signing error; the next time it will show a popup with the DSC. You can click Sign and proceed. If the root of the CA or the public key of the personal certificate (.cer file) has been uploaded to the server (STRUST), it completes the signing process and saves the document; otherwise you will get the error “Document could not be signed”.
Scope for SAP-DSC improvements.
The main scope for improvement is to remove the OS and browser dependency.
- It does not support any new-generation browser such as Chrome, Mozilla, Safari etc., because it is built on a Microsoft platform and only supports IE and Windows OS.
- I have tested the application with IE 8 and 9 on XP, Vista and Windows 7. But my initial testing with IE 10 and 11 on Windows 7 failed. I am also not sure whether it is supported on Windows 8.
- Certificate revocation: the validity of the certificate needs to be checked using a Certificate Revocation List (.crl file) or the Online Certificate Status Protocol (OCSP). You can also develop an alternative solution to work around this limitation.
Component for raising OSS and necessary links.
If you are still facing some other issue after these steps, you can raise an OSS message in the component BC-SEC-SSF Secure Store and Forward. Also make sure you have installed the Microsoft Visual C++ 2010 Redistributable Package (x86) on your desktop PC or laptop (if using Windows XP).
In this blog I am a bit more specific to Indian DSC, as I am not that aware of how this works in other countries. If you know about this, you can share your experience too 🙂.
Nice Document for RFx & Response Digital Signature
Thank you, Ram. Even though I mentioned it is for RFx & Response, the same procedure applies to other documents; the customizations are the same. For installing SECULIB-enabled digital signature on all SAP systems, this is the common procedure.
Thank you very much for this informative post! Helpful for RFx and Response Digital Signature!
Quite informative. Can you suggest to me if it's mandatory for documents like PO and SC to have these signatures? I also tried using the txn STRUST_SSO2 and it does not open up.
Could you elaborate more on what the benefits and the cost of incorporating the tool and the signature are? Is there a link where I could check if a digital signature is already there or not? If not, I'll ask my client to incorporate it. Is it needed, and should it be incorporated in the smart form as well? Sorry for asking so many questions; it would be helpful if you can guide me.
Use the transaction STRUST.
The SAP Digital Signature tool comes along with the standard package and there is no additional cost associated with it. It comes as standard from SRM 6 or 7 onwards. The benefits are more.
1. Security: it can act as a second layer of security (apart from the user ID and password), so any valid action like publishing or submitting a document will ask for the individual's digital signature.
2. Authenticity & non-repudiation: there will be legal binding for a digital signature; it is as good as a signed document.
3. Cost: You can save the courier and postal charges 🙂
Really helpful document.
But I am facing issues while using digital signature.
We are using SRM 7.02 and SRM_SERVER 702.
When we are submitting a bid response from the bidder side, the verify signature button is not available.
System is showing error as,” Digital Signature is enabled. Please publish RFx from
We are using a class III digital signature.
Our client is using SRM 7.01 in our company. Currently the PKI component and digital signatures (used by users to float tenders) are provided by the same vendor. But now the client has decided to purchase the PKI component from one vendor and digital signatures from some other vendor. So will it work in SRM or not if the PKI component and digital signatures are provided by different vendors?
Thanks in advance.