8/14/2019 How to Secure the Access to the Adobe Document Services
1/17
SAP Net Weav er
How -To Guide
How t o Secu re t he Ac c ess t o t he
Adobe Doc um ent Serv ic es
Appl icable Releases:
Net Weaver CE 7.1 and new er
Topic Area:
User Produc t iv i t y
Capabi l i ty :
User In ter face Technology
Version 1.0
Apr i l 2009
8/14/2019 How to Secure the Access to the Adobe Document Services
2/17
Copyright 2009 SAP AG. All rights reserved.
No part of this publication may be reproduced or
transmitted in any form or for any purpose without the
express permission of SAP AG. The information contained
herein may be changed without prior notice.
Some software products marketed by SAP AG and its
distributors contain proprietary software components of
other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are
registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel
Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390,
OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP,
Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix,
i5/OS, POWER, POWER5, OpenPower and PowerPC are
trademarks or registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader
are either trademarks or registered trademarks of Adobe
Systems Incorporated in the United States and/or other
countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered
trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame,
WinFrame, VideoFrame, and MultiWin are trademarks or
registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or
registered trademarks of W3C, World Wide Web
Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems,
Inc., used under license for technology invented and
implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP
NetWeaver, and other SAP products and services
mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP AG in
Germany and in several other countries all over the world.
All other product and service names mentioned are the
trademarks of their respective companies. Data contained
in this document serves informational purposes only.
National product specifications may vary.
These materials are subject to change without notice.
These materials are provided by SAP AG and its affiliated
companies ("SAP Group") for informational purposes only,
without representation or warranty of any kind, and SAP
Group shall not be liable for errors or omissions withrespect to the materials. The only warranties for SAP
Group products and services are those that are set forth in
the express warranty statements accompanying such
products and services, if any. Nothing herein should be
construed as constituting an additional warranty.
These materials are provided as is without a warranty of
any kind, either express or implied, including but not
limited to, the implied warranties of merchantability,
fitness for a particular purpose, or non-infringement.
SAP shall not be liable for damages of any kind including
without limitation direct, special, indirect, or consequentialdamages that may result from the use of these materials.
SAP does not warrant the accuracy or completeness of the
information, text, graphics, links or other items contained
within these materials. SAP has no control over the
information that you may access through the use of hot
links contained in these materials and does not endorse
your use of third party web pages nor provide any warranty
whatsoever relating to third party web pages.
SAP NetWeaver How-to Guides are intended to simplify
the product implementation. While specific product
features and procedures typically are explained in apractical business context, it is not implied that those
features and procedures are the only approach in solving a
specific business problem using SAP NetWeaver. Should
you wish to receive additional information, clarification or
support, please refer to SAP Consulting.
Any software coding and/or code lines / strings (Code)
included in this documentation are only examples and are
not intended to be used in a productive system
environment. The Code is only intended better explain and
visualize the syntax and phrasing rules of certain coding.
SAP does not warrant the correctness and completeness ofthe Code given herein, and SAP shall not be liable for
errors or damages caused by the usage of the Code, except
if such damages were caused by SAP intentionally or
grossly negligent.
Disclaimer
Some components of this product are based on Java. Any
code change in these components may cause unpredictable
and severe malfunctions and is therefore expressively
prohibited, as is any decompilation of these components.
Any Java Source Code delivered with this product is only
to be used by SAPs Support Services and may not be
modified or altered in any way.
8/14/2019 How to Secure the Access to the Adobe Document Services
3/17
Document H is to ry
Document Version Description
1.00 First official release of this guide
8/14/2019 How to Secure the Access to the Adobe Document Services
4/17
Typographic Convent ions
Type Style Description
Example Text Words or characters quotedfrom the screen. These
include field names, screen
titles, pushbuttons labels,
menu names, menu paths,
and menu options.
Cross-references to other
documentation
Example text Emphasized words or
phrases in body text, graphic
titles, and table titles
Example text File and directory names and
their paths, messages,
names of variables and
parameters, source text, and
names of installation,
upgrade and database tools.
Example text User entry texts. These are
words or characters that you
enter in the system exactly as
they appear in the
documentation.
Variable user entry. Angle
brackets indicate that you
replace these words and
characters with appropriate
entries to make entries in the
system.
EXAMPLE TEXT Keys on the keyboard, for
example, F2 or ENTER.
Icons
Icon Description
CautionNote or Important
Example
Recommendation or Tip
8/14/2019 How to Secure the Access to the Adobe Document Services
5/17
Table of Content s
1. Business Scenario............................................................................................................... 12. Prerequisites ........................................................................................................................13. Securing access to Adobe Document Service.................................................................2
3.1 Creating an ADS User public private key pare............................................................. 23.1.1 Creating an ADS Certification View in the Key Storage Service ..................... 23.1.2 Creating ADSUsers publicprivate key pair....................................................23.1.3 Export private key to a file and sign with Certification Authority ...................... 5
3.2 Bind a client certificate to the UME user - ADSUSER..................................................53.2.1 Export a client certificate from the ADSCerts view..........................................53.2.2 Import a client certificate (public key) to the UME user - ADSUSER .............. 6
3.3 Secure the ADS Client Webservice Destination...........................................................63.3.1 Setting up the SSL Connection for the ADS Web Service .............................. 63.3.2 Restart PDFObject service .............................................................................. 7
3.4 Installing ADS Trusted Anchors.................................................................................... 83.4.1 Users or Servers Public Keys that the ADS server will be using for Digital
Signatures validation........................................................................................9
8/14/2019 How to Secure the Access to the Adobe Document Services
6/17
How to Secure the Access to the Adobe Document Services
1. Business Sc enar io
This document guides you how to configure a NetWeaver CE Application Server 7.1 Java Adobe
Document Services for secured access.
2. Prerequis i tes
Prerequisite to this is guide is to have the NetWeaver CE Application Server configured for the use of
SSL. This is usually done by default during the installation or performed as a later step. Also it is
required that the JVM is configured with the Java Cryptography Extension (JCE) Unlimited Strength
Jurisdiction Policy Files, please refer to an SSL configuration guide if you need more information.
April 2009 1
8/14/2019 How to Secure the Access to the Adobe Document Services
7/17
How to Secure the Access to the Adobe Document Services
3. Secur ing ac c ess to Adobe Docum ent
Serv ice
3.1 Creat ing an ADS User publ ic pr ivat e k ey pare
3.1.1 Creat ing an ADS Cert i f i c at ion V iew in the K ey Storage
Serv ice...
1. Start and log in to the SAP NetWeaver Administrator.
You can use the predefined shortcut: Start MenuProgramsSAP NW Composition
EnvironmentSystem CE1 Welcome Page
2. Navigate to Configuration Management Security Certificates and Keys Key Storageservice
3. Click on Create View
4. In the input dialog box, enter an alias name: ADSCerts
5. Press Create
3.1.2 Creat ing ADSUsers publ ic pr ivat e k ey pai r
6. To create the Public-Private-Key Pair for the ADS User click on the created view ADSCerts
7. Press the button Create
April 2009 2
8/14/2019 How to Secure the Access to the Adobe Document Services
8/17
How to Secure the Access to the Adobe Document Services
8. Fill out the subject properties.
9. Common Name suppose to be the name or ID of the user you are creating a key-pair (In this
case ADSUser)
10. The Entry Name is the name for identifying the key pair in the key store.
11. Specify Validity period;
12. Select RSA as secure algorithm
13. Select 1024 - Key Length
14. Choose Store Certificate
15. Press the button Next
16. Fill out the subject properties. {Note: You can add more Subject Properties}
17. Press the button Next {Note: According the new RCA regulations, self signed key pairs are
not accepted as valid identity. You have to always use Certification Authorities for signing self
generated key-pairs. So, there are two possibilities generating the key pairs and sending
them to a CA for signing. Or since the Server Credentialhas been signed by a CA, use it tosign your newly created key pair. We will do the latter.}
April 2009 3
8/14/2019 How to Secure the Access to the Adobe Document Services
9/17
8/14/2019 How to Secure the Access to the Adobe Document Services
10/17
How to Secure the Access to the Adobe Document Services
3.1.3 Expor t p r i vate k ey to a f i l e and s ign w i th Cert i f i ca t ion
Author i t y
18. Select the created private key and click on Generate CSR Request
19. Store the file to the file system and send it to your Certification Authority for signing.
20. After getting the response back: Select the Cert you want to update and use the Import CRS
Response button for importing21. The CA Public Key the root certificate associated with this Private Key should be imported as
well.
3.2 Bind a c l ient c er t i f i c a te t o the UME user -
ADSUSER
3.2.1 Expor t a c l i ent cer t i f i ca te f rom the ADSCer ts v iew
22. Navigate to Configuration Management -> Security -> Certificates and Keys -> Key Storage tab
section
23. Select the ADSCertsfrom the list of key storage views
24. Select the ADSuser Cert Public Keyfrom the list of key storage view details
25. Press the Export to Filebutton and choose Base64 X.509in the select export format
dropdown
26. Save the file locally to the file system by selecting the Downloadlink
April 2009 5
8/14/2019 How to Secure the Access to the Adobe Document Services
11/17
8/14/2019 How to Secure the Access to the Adobe Document Services
12/17
8/14/2019 How to Secure the Access to the Adobe Document Services
13/17
How to Secure the Access to the Adobe Document Services
45. Click on Start ApplicationButton. To confirm, click OK on the next window
3.4 Inst a l l ing ADS Trust ed Anchors
A trusted anchor can be trusted for the following attributes
Trusted for Description
Certified Documents
Documents signed with this signature as an author signature, or whose certificate
chain includes this certificate, are considered trusted for certified documents
Embedded HighPrivilege Java Script
This option is available only if Certified Documents is already selected
When this option is enabled, JavaScript embedded in the document is allowed to beexecuted(*)
Signatures and astrusted root
Documents signed with this signature, or whose certificate chain includes this
certificate, are considered trusted for signed documents(**)
This option is needed when the document must be signed and signature validated,
in case only of a certifying document, only the element Certified Documents isrequired
April 2009 8
8/14/2019 How to Secure the Access to the Adobe Document Services
14/17
How to Secure the Access to the Adobe Document Services
Useful combinations of attributes assigned to a certificate.
Certified Document Signatures and as CA trusted
root
Description
X
Trust only children certificates for certifying
X
Trust certificate itself and children certificates ifthe certificate is not issued by a CA
Trust children certificates for signing if publiccertificate is issued by a CA
X X
Trust certificate itself and children certificates forsigning and certifying
3.4.1 Users or Server s Publ ic K eys t hat the ADS server w i l l
be us ing for D ig i ta l S ignatures va l idat ion
46. Exporting users certificates to ADS key store. (In real scenario this step will be performed on
the client users certificates, however, we generated a credential and used SAP Trust Center
Service at http://service.sap.com/tcs to sign. We also retrieved the RootCA from SAP Trust
Center Service for this demo example.) We have provided the credential file and the
corresponding RootCA for you {Maria.cer, Maria.p12}.
47. Navigate to Configuration Management -> Infrastructure-> Adobe Document Services->
Document Security
48. In the Document Security tab select Trusted Anchors
April 2009 9
http://service.sap.com/tcshttp://service.sap.com/tcs8/14/2019 How to Secure the Access to the Adobe Document Services
15/17
How to Secure the Access to the Adobe Document Services
49. Select Manage CER filesbutton
50. Select Add New Filebutton
51. Choose Browse
52. Choose the certificates that ADS will trust(in this case the Maria.cer) and click Select
April 2009 10
8/14/2019 How to Secure the Access to the Adobe Document Services
16/17
How to Secure the Access to the Adobe Document Services
53. Select Add New Objectbutton
54. Select the check boxes: Signatures and as trusted rootand Certified DocumentsClick Save.
55. Navigate to Operations Management -> Systems -> Start & Stop select the tab JAVA EE
Services
56. In order these changes to take effect restart these 2 services:
PDF Manipulation ModuleDocument Services Trust Manager Service.
April 2009 11
8/14/2019 How to Secure the Access to the Adobe Document Services
17/17
www.sdn . sap . com/ i r j / sdn /how togu ides