Digital Signature corruption in SAP PLM 7.x, case #2
Introduction
This blog describes a bug in most SAP PLM 7.x systems out there leveraging digital signatures. Before you continue, you might want to familiarize yourself with Digital Signatures in SAP PLM 7.x. I reported the problem described in this blog to SAP support on 02/25/15 and it is currently being worked on by PLM Development Support. Since exploiting the bug requires system access, I feel confident exposing the problem in the current digital signature implementation.
Technical Details
Whenever a document is moved to a status that requires a digital signature, warning message 26 188 is issued to tell the user that a digital signature is required before the status can be switched. The lower-level APIs, mainly API_DOCUMENT_MAIN02 and the function modules it uses, treat this condition as an error, which is converted to a warning (meh!) in the upper layers, e.g. in the Web UI. Reading the code carefully shows that on any error the enqueue locks on the document are released, so anyone with access to the document can change it while another user is still editing it.
Solution
While PLM Development Support is working on providing a fix, the simplest way to avoid digital signature corruption in this case is to implement the Service Provider method AFTER_UPDATE and issue a new enqueue lock for the document.
Update: SAP released note 2143092 to address the issue. They chose not to fix the source of the problem, namely the lock being dropped by API_DOCUMENT_MAIN02, but rather to lock the document again when the lock is lost. The solution leaves a window, admittedly a small one, for another user to get into the document.
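The difference between re-locking after the fact and not dropping the lock at all can be shown with a small model. This is an added example, not SAP code and not part of the original post: the lock table, the user names, the document id and the `run` helper are all constructed, and only the message number 26 188 comes from the text above.

```python
# Constructed model of the lock handling described in this post; not SAP code.
SIGNATURE_REQUIRED = ("26", "188")  # message class/number named in the post


class EnqueueTable:
    """Minimal exclusive lock table: document id -> lock owner."""

    def __init__(self):
        self.owner = {}

    def enqueue(self, doc, user):
        # Succeeds if the document is unlocked or already locked by this user.
        if self.owner.get(doc, user) != user:
            return False
        self.owner[doc] = user
        return True

    def dequeue(self, doc, user):
        if self.owner.get(doc) == user:
            del self.owner[doc]


def status_change(locks, doc, user, drop_lock_on_error):
    """Lower layer: reports 26 188; the flawed variant also releases the lock."""
    if drop_lock_on_error:
        locks.dequeue(doc, user)
    return SIGNATURE_REQUIRED


def run(drop_lock_on_error, relock, second_user_arrives):
    """Simulate one signature flow; return who holds the lock when signing."""
    locks, doc = EnqueueTable(), "DOC-1"  # constructed document id
    locks.enqueue(doc, "editor")
    status_change(locks, doc, "editor", drop_lock_on_error)
    if second_user_arrives == "before_relock":
        locks.enqueue(doc, "second_user")
    if relock:
        locks.enqueue(doc, "editor")  # modelled re-lock (AFTER_UPDATE / note)
    if second_user_arrives == "after_relock":
        locks.enqueue(doc, "second_user")
    return locks.owner.get(doc)


if __name__ == "__main__":
    for args in [(True, False, "after_relock"), (True, True, "after_relock"),
                 (True, True, "before_relock"), (False, False, "before_relock")]:
        print(args, "->", run(*args))
```

Only the last case, where the lower layer never releases the lock, keeps the document with the editor regardless of when the second session arrives.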