SAP SRM Digital Signature for RFx and RFx Response
Most of you have wondered how to activate the digital signature functionality in SRM. If you go to SPRO it is just a single node, but there is real work to do behind it before the Digital Signature feature actually works. I am sharing my bit of knowledge on how to activate it and make that single SPRO node really work 😎 .
What is Digital Signature and where do I get one?
If you search in Google you will get thousands of answers to this question, so let us stick to the first answer Google returns 🙂
“It is a digital code (generated and authenticated by public key encryption) which is attached to an electronically transmitted document to verify its contents and the sender’s identity”. That is, it is a method that uses a PKI to provide non-repudiation, authenticity and integrity of a message. To make it a bit more complicated: when I send a document I use my private key to sign the data, and the receiver uses the public key of my certificate to verify it (fyi, for encryption it is just the opposite 😕 ).
The only check it performs on the Digital Certificate is Key Usage validation: the certificate must carry the key usage bits 0 (Digital Signature) and 1 (Non Repudiation). So technically you can even use a self-signed certificate or one generated from a demo X.509 certificate generator (for testing purposes you can use a demo certificate from this), but normally a certificate is issued by a Certifying Authority (CA), which is what gives the data exchange its legal validity.
In India the Controller of Certifying Authorities (CCA) has authorized different CAs to issue Digital Signature Certificates.
You can find the licensed CAs in India at the link below.
Pre-requisites to enable Digital Signature in SRM
Before you start using Digital Signature in SRM, you have to download and install the SECULIB component from the Service Marketplace. The SECULIB profile also has to be set up in RZ10. The OSS notes below will help you complete these tasks. This is a technical activity, so please take the help of your SAP BASIS consultant to complete the setup. After the setup, don’t forget to restart the server.
1471126 – STRUST: How to correctly install SAPCRYPTOLIB
662340 – SSF Encryption Using the SAPCryptolib
578377 – Digital signatures with SAPCRYPTOLIB
Activate Digital Signature in SRM
You can activate the Digital Signature under the node
SPRO->Supplier Relationship Management->Cross application Basic setting->Digital Signature->Activate Digital Signature.
Here you can make the Digital Signature mandatory, optional or not required for each document type, depending on your business requirement. For RFx the transaction category is BUS2200, and you can select the transaction types for your required categories. For RFx Response it is QUOT-BUS2202. Also follow the note below to set up the iView details.
Upload the certificate root to STRUST
In order to sign and verify an RFx or RFx response, the root certificates (the CAs’ roots) need to be uploaded in transaction STRUST. You can even export the public key of a person’s certificate (it can be exported as a .cer file) from the Microsoft IE key store and put it in STRUST; signing and verification will then work with that as well. Exporting and storing individuals’ public certificates is not recommended, though, because STRUST is not intended to store large amounts of certificate data (from all your bidders or purchasers); it is simply not designed for that. If you take a deep dive into DSC, the verification should actually happen with the public key of the signer’s certificate. I still wonder how SAP is verifying with the root CA certificate 😕
Procedure to export the PFX certificate from the IE keystore
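As an added example (not from this post, and not SAP’s code), the following openssl script reproduces the pieces described above: a certificate carrying the Key Usage bits digitalSignature and nonRepudiation, a signature made with the private key and verified with the public key taken from the certificate, and a chain check of that certificate against the trusted root, which is the role the CA root in STRUST plays. Every certificate, subject name and RFx text in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the blog or of SAP: with the openssl CLI, reproduce
# the checks the post describes. Subjects, file names and RFx text are constructed.
set -e
WORK=$(mktemp -d)
ROOT="$WORK/root.pem"; SIGNER="$WORK/signer.pem"; KEY="$WORK/signer.key"

# Constructed demo root CA, standing in for the CA root you would load into STRUST.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$ROOT" 2>/dev/null
}

# Constructed bidder certificate issued by that root, carrying the two Key Usage
# bits the post says SRM checks: digitalSignature (bit 0) and nonRepudiation (bit 1).
make_signer() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Bidder" \
    -keyout "$KEY" -out "$WORK/signer.csr" 2>/dev/null
  printf 'keyUsage = critical, digitalSignature, nonRepudiation\n' > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/signer.csr" -CA "$ROOT" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$WORK/ext.cnf" -out "$SIGNER" 2>/dev/null
}

# Key Usage check: both bits must be present in the certificate (exit 1 otherwise).
keyusage_ok() {
  ku=$(openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage' | tail -n 1)
  case "$ku" in *"Digital Signature"*"Non Repudiation"*) return 0 ;; esac
  return 1
}

# Chain check: was the bidder certificate issued by a root we trust (the STRUST part)?
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Sign with the private key; verify with the public key taken from the certificate.
sign_doc() { openssl dgst -sha256 -sign "$KEY" -out "$2" "$1"; }
verify_doc() {
  openssl x509 -in "$SIGNER" -pubkey -noout > "$WORK/signer.pub"
  openssl dgst -sha256 -verify "$WORK/signer.pub" -signature "$2" "$1" >/dev/null 2>&1
}

# An RFx altered after signing must fail verification (exit 0 = tampering detected).
tamper_detected() {
  printf 'RFx 1000123: 50 units at 100 INR\n' > "$WORK/rfx.txt"
  sign_doc "$WORK/rfx.txt" "$WORK/rfx.sig"
  printf 'RFx 1000123: 50 units at 900 INR\n' > "$WORK/rfx.txt"
  if verify_doc "$WORK/rfx.txt" "$WORK/rfx.sig"; then return 1; fi
}

make_root; make_signer
keyusage_ok "$SIGNER" && echo "key usage OK"; chain_ok "$ROOT" "$SIGNER" && echo "chain OK"
tamper_detected && echo "tampered RFx rejected"
```

Swap a certificate without the nonRepudiation bit into `keyusage_ok` and it returns 1, which is the rejection the post describes; `chain_ok` fails for a self-signed bidder certificate whose root is not in the trusted file.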
Procedure to import the Root certificate to STRUST
Go to transaction STRUST, then select Certificate -> Import, and save.
Get Ready to test the application
Before you start you have to install the certificate (.PFX file) from the CA into the IE keystore. If you received a USB token with the certificate, plug in the USB token before you start (and install the token drivers as well). Now you are ready for testing 🙂 . Create an RFx, fill in the required data and publish it. When you first run it in the IE browser it will ask you to install a cab file, SAPSIGN.CAB (the popup blocker should be deactivated before you run this, and always run IE as “Run as Administrator” (right-click the IE icon to see this option)). The first time it will give a signing error; the next time it will show a popup with the DSC. Click Sign and proceed. If the root of the CA or the public key of the personal certificate (.cer file) is uploaded on the server (STRUST), the signing process completes and the document is saved; otherwise you will get the error “Document could not be signed”.
Scope for SAP-DSC improvements
The main scope for improvement is to remove the OS and browser dependency.
- It does not support any new-generation browser like Chrome, Mozilla, Safari etc., because it is built on a Microsoft platform and only supports IE and Windows OS.
- I have tested the application with IE 8 and 9 on XP, Vista and Windows 7. But my initial testing on IE 10 and 11 on Windows 7 has failed. Also I am not sure whether it is supported on Windows 8.
- Certificate Revocation: the validity of the certificate needs to be checked using a Certificate Revocation List (.crl file) or the Online Certificate Status Protocol (OCSP). You can also develop an alternative solution to avoid this limitation.
Component for raising OSS and necessary links
Even after these steps, if you are facing some other issue you can raise an OSS message in the component BC-SEC-SSF Secure Store and Forward. Also make sure you have installed the Microsoft Visual C++ 2010 Redistributable Package (x86) on your desktop PC or laptop (if using Windows XP).
In this blog I am a bit more specific to Indian DSC, as I am not that much aware of how this works in other countries. If you know about this you can share your experience as well 🙂 .