SAP Net Weaver

How -To Gui de

How t o Sec ur e t he Ac c ess t o t he
Adobe Doc ument Ser vi c es



Appl i c abl e Rel eases:
Net Weaver CE 7.1 and new er

Topi c Ar ea:
User Pr oduc t i vi t y
Capabi l i t y:
User I nt er f ac e Tec hnol ogy


Ver si on 1.0
Apr i l 2009


Copyright 2009 SAP AG. All rights reserved.
No part of this publication may be reproduced or
transmitted in any form or for any purpose without the
express permission of SAP AG. The information contained
herein may be changed without prior notice.
Some software products marketed by SAP AG and its
distributors contain proprietary software components of
other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are
registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel
Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390,
OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP,
Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix,
i5/OS, POWER, POWER5, OpenPower and PowerPC are
trademarks or registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader
are either trademarks or registered trademarks of Adobe
Systems Incorporated in the United States and/or other
countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered
trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame,
WinFrame, VideoFrame, and MultiWin are trademarks or
registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or
registered trademarks of W3C, World Wide Web
Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems,
Inc., used under license for technology invented and
implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP
NetWeaver, and other SAP products and services
mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP AG in
Germany and in several other countries all over the world.
All other product and service names mentioned are the
trademarks of their respective companies. Data contained
in this document serves informational purposes only.
National product specifications may vary.
These materials are subject to change without notice.
These materials are provided by SAP AG and its affiliated
companies ("SAP Group") for informational purposes only,
without representation or warranty of any kind, and SAP
Group shall not be liable for errors or omissions with
respect to the materials. The only warranties for SAP
Group products and services are those that are set forth in
the express warranty statements accompanying such
products and services, if any. Nothing herein should be
construed as constituting an additional warranty.
These materials are provided as is without a warranty of
any kind, either express or implied, including but not
limited to, the implied warranties of merchantability,
fitness for a particular purpose, or non-infringement.
SAP shall not be liable for damages of any kind including
without limitation direct, special, indirect, or consequential
damages that may result from the use of these materials.
SAP does not warrant the accuracy or completeness of the
information, text, graphics, links or other items contained
within these materials. SAP has no control over the
information that you may access through the use of hot
links contained in these materials and does not endorse
your use of third party web pages nor provide any warranty
whatsoever relating to third party web pages.
SAP NetWeaver How-to Guides are intended to simplify
the product implementation. While specific product
features and procedures typically are explained in a
practical business context, it is not implied that those
features and procedures are the only approach in solving a
specific business problem using SAP NetWeaver. Should
you wish to receive additional information, clarification or
support, please refer to SAP Consulting.
Any software coding and/or code lines / strings (Code)
included in this documentation are only examples and are
not intended to be used in a productive system
environment. The Code is only intended better explain and
visualize the syntax and phrasing rules of certain coding.
SAP does not warrant the correctness and completeness of
the Code given herein, and SAP shall not be liable for
errors or damages caused by the usage of the Code, except
if such damages were caused by SAP intentionally or
grossly negligent.
Disclaimer
Some components of this product are based on Java. Any
code change in these components may cause unpredictable
and severe malfunctions and is therefore expressively
prohibited, as is any decompilation of these components.
Any Java Source Code delivered with this product is only
to be used by SAPs Support Services and may not be
modified or altered in any way.


Doc ument Hi st or y
Document Version Description
1.00 First official release of this guide




Typogr aphi c Convent i ons
Type Style Description
Example Text Words or characters quoted
from the screen. These
include field names, screen
titles, pushbuttons labels,
menu names, menu paths,
and menu options.
Cross-references to other
documentation
Example text Emphasized words or
phrases in body text, graphic
titles, and table titles
Exampl e t ext File and directory names and
their paths, messages,
names of variables and
parameters, source text, and
names of installation,
upgrade and database tools.
Example text User entry texts. These are
words or characters that you
enter in the system exactly as
they appear in the
documentation.
<Example
text>
Variable user entry. Angle
brackets indicate that you
replace these words and
characters with appropriate
entries to make entries in the
system.
EXAMPLE TEXT Keys on the keyboard, for
example, F2 or ENTER.
I c ons
Icon Description

Caution

Note or Important

Example

Recommendation or Tip






Tabl e of Cont ent s
1. Business Scenario............................................................................................................... 1
2. Prerequisites ........................................................................................................................ 1
3. Securing access to Adobe Document Service................................................................. 2
3.1 Creating an ADS User public private key pare............................................................. 2
3.1.1 Creating an ADS Certification View in the Key Storage Service..................... 2
3.1.2 Creating ADSUsers publicprivate key pair.................................................... 2
3.1.3 Export private key to a file and sign with Certification Authority...................... 5
3.2 Bind a client certificate to the UME user - ADSUSER.................................................. 5
3.2.1 Export a client certificate from the ADSCerts view.......................................... 5
3.2.2 Import a client certificate (public key) to the UME user - ADSUSER .............. 6
3.3 Secure the ADS Client Webservice Destination........................................................... 6
3.3.1 Setting up the SSL Connection for the ADS Web Service.............................. 6
3.3.2 Restart PDFObject service.............................................................................. 7
3.4 Installing ADS Trusted Anchors.................................................................................... 8
3.4.1 Users or Servers Public Keys that the ADS server will be using for Digital
Signatures validation........................................................................................ 9



How to Secure the Access to the Adobe Document Services
1. Busi ness Sc enar i o
This document guides you how to configure a NetWeaver CE Application Server 7.1 J ava Adobe
Document Services for secured access.

2. Pr er equi si t es
Prerequisite to this is guide is to have the NetWeaver CE Application Server configured for the use of
SSL. This is usually done by default during the installation or performed as a later step. Also it is
required that the J VM is configured with the J ava Cryptography Extension (J CE) Unlimited Strength
J urisdiction Policy Files, please refer to an SSL configuration guide if you need more information.
April 2009 1
How to Secure the Access to the Adobe Document Services
3. Sec ur i ng ac c ess t o Adobe Doc ument
Ser vi c e
3.1 Cr eat i ng an ADS User publ i c pr i vat e k ey par e
3.1.1 Cr eat i ng an ADS Cer t i f i c at i on Vi ew i n t he Key St or age
Ser vi c e
...
1. Start and log in to the SAP NetWeaver Administrator.
You can use the predefined shortcut: Start Menu Programs SAP NW Composition
Environment System CE1 Welcome Page
2. Navigate to Configuration Management Security Certificates and Keys Key Storage
service


3. Click on Create View
4. In the input dialog box, enter an alias name: ADSCerts
5. Press Create

3.1.2 Cr eat i ng ADSUser s publ i c pr i vat e k ey pai r
6. To create the Public-Private-Key Pair for the ADS User click on the created view ADSCerts
7. Press the button Create
April 2009 2
How to Secure the Access to the Adobe Document Services
8. Fill out the subject properties.

9. Common Name suppose to be the name or ID of the user you are creating a key-pair (In this
case ADSUser)
10. The Entry Name is the name for identifying the key pair in the key store.
11. Specify Validity period;
12. Select RSA as secure algorithm
13. Select 1024 - Key Length
14. Choose Store Certificate
15. Press the button Next

16. Fill out the subject properties. {Note: You can add more Subject Properties}
17. Press the button Next {Note: According the new RCA regulations, self signed key pairs are
not accepted as valid identity. You have to always use Certification Authorities for signing self
generated key-pairs. So, there are two possibilities generating the key pairs and sending
them to a CA for signing. Or since the Server Credential has been signed by a CA, use it to
sign your newly created key pair. We will do the latter.}
April 2009 3
How to Secure the Access to the Adobe Document Services




April 2009 4
How to Secure the Access to the Adobe Document Services
3.1.3 Ex por t pr i vat e k ey t o a f i l e and si gn w i t h Cer t i f i c at i on
Aut hor i t y
18. Select the created private key and click on Generate CSR Request

19. Store the file to the file system and send it to your Certification Authority for signing.
20. After getting the response back: Select the Cert you want to update and use the Import CRS
Response button for importing
21. The CA Public Key the root certificate associated with this Private Key should be imported as
well.

3.2 Bi nd a c l i ent c er t i f i c at e t o t he UME user -
ADSUSER
3.2.1 Ex por t a c l i ent c er t i f i c at e f r om t he ADSCer t s vi ew
22. Navigate to Configuration Management -> Security -> Certificates and Keys -> Key Storage tab
section
23. Select the ADSCerts from the list of key storage views
24. Select the ADSuser Cert Public Key from the list of key storage view details

25. Press the Export to File button and choose Base64 X.509 in the select export format
dropdown
26. Save the file locally to the file system by selecting the Download link

April 2009 5
How to Secure the Access to the Adobe Document Services
3.2.2 I mpor t a c l i ent c er t i f i c at e (publ i c k ey) t o t he UME user
- ADSUSER
27. Navigate to Operation Management > Users and Access -> Identity Management
28. Search for ADSUSER select user In the Details of User section select Modify button
29. Navigate to the Certificates tab section
30. Select the Browse button and navigate to the exported certificate ADSUser - Cert (Public Key)
31. Press the Upload Certificate button
32. Press the Save button {Note: You can add more than one certificate with different privileges to
a user.}


3.3 Sec ur e t he ADS Cl i ent Webser vi c e Dest i nat i on
3.3.1 Set t i ng up t he SSL Connec t i on f or t he ADS Web
Ser vi c e
33. Navigate to SOA Management -> Technical Configuration -> Destination Template Management
34. Search for SecureConfigPort_Document in the Details About SecureConfigPort_Document
destination section select Edit button

April 2009 6
How to Secure the Access to the Adobe Document Services
35. In the General tab section provide the URL: https://localhost:50001/inspection.wsil/

36. In the Security tab section select X.509 Client Certificate
37. Click on the Details button
38. Select ADSCerts from the Keystore view list box,
39. Select ADSCerts from the Private Key list box, which is the Credential file associated with the
user: ADSUser
40. Select Save button

3.3.2 Rest ar t PDFObj ec t ser vi c e
41. Navigate to Operation Management -> Systems -> Start & Stop
42. Click on Java EE Applications
43. Choose tc~wd~pdfobject and restart it.
44. Click on Stop Application Button. To confirm. Click OK on the next window.
April 2009 7
How to Secure the Access to the Adobe Document Services
45. Click on Start Application Button. To confirm, click OK on the next window


3.4 I nst al l i ng ADS Tr ust ed Anc hor s
A trusted anchor can be trusted for the following attributes


Trusted for

Description

Certified Documents
Documents signed with this signature as an author signature, or whose certificate
chain includes this certificate, are considered trusted for certified documents

Embedded High
Privilege Java Script
This option is available only if Certified Documents is already selected
When this option is enabled, J avaScript embedded in the document is allowed to be
executed(*)

Signatures and as
trusted root
Documents signed with this signature, or whose certificate chain includes this
certificate, are considered trusted for signed documents(**)
This option is needed when the document must be signed and signature validated,
in case only of a certifying document, only the element Certified Documents is
required

April 2009 8
How to Secure the Access to the Adobe Document Services
Useful combinations of attributes assigned to a certificate.

Certified Document Signatures and as CA trusted
root
Description

X


Trust only children certificates for certifying



X
Trust certificate itself and children certificates if
the certificate is not issued by a CA
Trust children certificates for signing if public
certificate is issued by a CA

X

X
Trust certificate itself and children certificates for
signing and certifying

3.4.1 User s or Ser ver s Publ i c Keys t hat t he ADS ser ver w i l l
be usi ng f or Di gi t al Si gnat ur es val i dat i on
46. Exporting users certificates to ADS key store. (In real scenario this step will be performed on
the client users certificates, however, we generated a credential and used SAP Trust Center
Service at http://service.sap.com/tcs to sign. We also retrieved the RootCA from SAP Trust
Center Service for this demo example.) We have provided the credential file and the
corresponding RootCA for you {Maria.cer, Maria.p12}.
47. Navigate to Configuration Management -> Infrastructure-> Adobe Document Services->
Document Security
48. In the Document Security tab select Trusted Anchors

April 2009 9
How to Secure the Access to the Adobe Document Services
49. Select Manage CER files button


50. Select Add New File button

51. Choose Browse

52. Choose the certificates that ADS will trust (in this case the Maria.cer) and click Select

April 2009 10
How to Secure the Access to the Adobe Document Services
53. Select Add New Object button

54. Select the check boxes: Signatures and as trusted root and Certified Documents Click Save.

55. Navigate to Operations Management -> Systems -> Start & Stop select the tab JAVA EE
Services
56. In order these changes to take effect restart these 2 services:
PDF Manipulation Module
Document Services Trust Manager Service.


April 2009 11



w w w . sdn. sap. c om/i r j /sdn/how t ogui des