How to Secure the Access to the Adobe Document Services
Applicable Releases: NetWeaver CE 7.1 and newer
Topic Area: User Productivity
Capability: User Interface Technology
Version 1.0
April 2009
Copyright 2009 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. 
Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. These materials are provided as is without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages. SAP NetWeaver How-to Guides are intended to simplify the product implementation. While specific product features and procedures typically are explained in a practical business context, it is not implied that those features and procedures are the only approach in solving a specific business problem using SAP NetWeaver. Should you wish to receive additional information, clarification or support, please refer to SAP Consulting. 
Any software coding and/or code lines / strings (Code) included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or grossly negligently.
Disclaimer
Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Document History
Document Version | Description
1.00 | First official release of this guide
Typographic Conventions
Type Style | Description
Example Text | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also cross-references to other documentation.
Example text | Emphasized words or phrases in body text, graphic titles, and table titles.
Example text (monospace) | File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text | User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT | Keys on the keyboard, for example, F2 or ENTER.

Icons
Icon | Description
(icon) | Caution
(icon) | Note or Important
(icon) | Example
(icon) | Recommendation or Tip
Table of Contents
1. Business Scenario ... 1
2. Prerequisites ... 1
3. Securing access to Adobe Document Service ... 2
  3.1 Creating an ADS User public/private key pair ... 2
    3.1.1 Creating an ADS Certification View in the Key Storage Service ... 2
    3.1.2 Creating ADSUser's public/private key pair ... 2
    3.1.3 Export private key to a file and sign with Certification Authority ... 5
  3.2 Bind a client certificate to the UME user - ADSUSER ... 5
    3.2.1 Export a client certificate from the ADSCerts view ... 5
    3.2.2 Import a client certificate (public key) to the UME user - ADSUSER ... 6
  3.3 Secure the ADS Client Webservice Destination ... 6
    3.3.1 Setting up the SSL Connection for the ADS Web Service ... 6
    3.3.2 Restart PDFObject service ... 7
  3.4 Installing ADS Trusted Anchors ... 8
    3.4.1 Users' or Servers' Public Keys that the ADS server will use for Digital Signature validation ... 9
1. Business Scenario
This document guides you through configuring the Adobe Document Services of a NetWeaver CE 7.1 Application Server Java for secured access.
2. Prerequisites
The prerequisite for this guide is a NetWeaver CE Application Server configured for the use of SSL. This is usually done by default during the installation or performed as a later step. It is also required that the JVM is configured with the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files; please refer to an SSL configuration guide if you need more information.

3. Securing access to Adobe Document Service

3.1 Creating an ADS User public/private key pair

3.1.1 Creating an ADS Certification View in the Key Storage Service
1. Start and log in to the SAP NetWeaver Administrator. You can use the predefined shortcut: Start Menu -> Programs -> SAP NW Composition Environment -> System CE1 -> Welcome Page
2. Navigate to Configuration Management -> Security -> Certificates and Keys -> Key Storage service
3. Click on Create View
4. In the input dialog box, enter an alias name: ADSCerts
5. Press Create
3.1.2 Creating ADSUser's public/private key pair
6. To create the public/private key pair for the ADS user, click on the created view ADSCerts
7. Press the button Create
8. Fill out the subject properties.
9. The Common Name should be the name or ID of the user for which you are creating the key pair (in this case ADSUser)
10. The Entry Name is the name for identifying the key pair in the key store.
11. Specify the Validity period
12. Select RSA as the secure algorithm
13. Select 1024 as the Key Length
14. Choose Store Certificate
15. Press the button Next
16. Fill out the subject properties. {Note: You can add more Subject Properties}
17. Press the button Next
{Note: According to the new RCA regulations, self-signed key pairs are not accepted as a valid identity. You always have to use a Certification Authority to sign self-generated key pairs. So there are two possibilities: generate the key pair and send it to a CA for signing, or, since the Server Credential has already been signed by a CA, use it to sign your newly created key pair. We will do the latter.}
3.1.3 Export private key to a file and sign with Certification Authority
18. Select the created private key and click on Generate CSR Request
19. Store the file to the file system and send it to your Certification Authority for signing.
20. After getting the response back, select the certificate you want to update and use the Import CSR Response button to import it.
21. The CA public key (the root certificate associated with this private key) should be imported as well.
3.2 Bind a client certificate to the UME user - ADSUSER

3.2.1 Export a client certificate from the ADSCerts view
22. Navigate to Configuration Management -> Security -> Certificates and Keys -> Key Storage tab section
23. Select ADSCerts from the list of key storage views
24. Select the ADSUser Cert (Public Key) from the list of key storage view details
25. Press the Export to File button and choose Base64 X.509 in the select export format dropdown
26. Save the file locally to the file system by selecting the Download link
3.2.2 Import a client certificate (public key) to the UME user - ADSUSER
27. Navigate to Operation Management -> Users and Access -> Identity Management
28. Search for ADSUSER and select the user. In the Details of User section select the Modify button
29. Navigate to the Certificates tab section
30. Select the Browse button and navigate to the exported certificate ADSUser - Cert (Public Key)
31. Press the Upload Certificate button
32. Press the Save button
{Note: You can add more than one certificate with different privileges to a user.}
3.3 Secure the ADS Client Webservice Destination

3.3.1 Setting up the SSL Connection for the ADS Web Service
33. Navigate to SOA Management -> Technical Configuration -> Destination Template Management
34. Search for SecureConfigPort_Document. In the Details About SecureConfigPort_Document destination section select the Edit button
35. In the General tab section provide the URL: https://localhost:50001/inspection.wsil/
36. In the Security tab section select X.509 Client Certificate
37. Click on the Details button
38. Select ADSCerts from the Keystore view list box
39. Select ADSCerts from the Private Key list box, which is the credential file associated with the user ADSUser
40. Select the Save button
3.3.2 Restart PDFObject service
41. Navigate to Operation Management -> Systems -> Start & Stop
42. Click on Java EE Applications
43. Choose tc~wd~pdfobject and restart it:
44. Click on the Stop Application button. To confirm, click OK on the next window.
45. Click on the Start Application button. To confirm, click OK on the next window.
3.4 Installing ADS Trusted Anchors
A trusted anchor can be trusted for the following attributes:

Trusted for | Description
Certified Documents | Documents signed with this signature as an author signature, or whose certificate chain includes this certificate, are considered trusted for certified documents
Embedded High Privilege JavaScript | This option is available only if Certified Documents is already selected. When this option is enabled, JavaScript embedded in the document is allowed to be executed (*)
Signatures and as trusted root | Documents signed with this signature, or whose certificate chain includes this certificate, are considered trusted for signed documents (**). This option is needed when the document must be signed and the signature validated; in the case of only a certifying document, only the element Certified Documents is required
Useful combinations of attributes assigned to a certificate:

Certified Document | Signatures and as CA trusted root | Description
X | | Trust only children certificates for certifying
 | X | Trust the certificate itself and its children certificates if the certificate is not issued by a CA; trust children certificates for signing if the public certificate is issued by a CA
X | X | Trust the certificate itself and its children certificates for signing and certifying
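The trust semantics of the two tables above, written out as a small Python model so that an attribute combination can be checked before a certificate is added as a trusted anchor. This is an added illustration, not code from the SAP guide or from ADS itself; certificates are reduced to subject/issuer names (no real X.509 parsing) and the names used in the checks are constructed.

```python
# Added model of the ADS trusted-anchor attributes (illustration, not ADS code; sample data constructed).
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # issuer == subject for a self-signed root

@dataclass(frozen=True)
class Anchor:
    cert: Cert
    certified_documents: bool = False
    embedded_high_priv_js: bool = False  # only selectable with certified_documents
    signatures_trusted_root: bool = False
    issued_by_ca: bool = False           # was the anchor's own certificate CA-issued?

    def __post_init__(self):
        if self.embedded_high_priv_js and not self.certified_documents:
            raise ValueError("Embedded High Privilege JavaScript requires Certified Documents")

def _anchor_trusts(a, is_signer, purpose):
    """The combination table: what an anchor vouches for ('sign' or 'certify')."""
    if a.certified_documents and a.signatures_trusted_root:
        return True                                    # itself and children, both purposes
    if a.certified_documents:
        return purpose == "certify" and not is_signer  # children only, certifying only
    if a.signatures_trusted_root:
        if purpose != "sign":
            return False
        return not is_signer or not a.issued_by_ca     # itself only when not CA-issued
    return False

def matching_anchors(chain, anchors):
    """Yield (anchor, is_signer) for each anchor found in chain [signer, ..., root]."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            raise ValueError(f"broken chain: {child.subject} not issued by {parent.subject}")
    for a in anchors:
        for i, c in enumerate(chain):
            if c == a.cert:
                yield a, i == 0

def is_trusted(chain, anchors, purpose):
    """True if some trusted anchor covers the signing certificate for the given purpose."""
    return any(_anchor_trusts(a, s, purpose) for a, s in matching_anchors(chain, anchors))

def javascript_allowed(chain, anchors):
    """Embedded JavaScript runs only for a certified document under an anchor with that flag."""
    return any(a.embedded_high_priv_js and _anchor_trusts(a, s, "certify") for a, s in matching_anchors(chain, anchors))
```

Selecting both check boxes, as step 54 below does, is the widest grant; the model shows that Embedded High Privilege JavaScript still stays off unless that attribute is set explicitly.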
3.4.1 Users' or Servers' Public Keys that the ADS server will use for Digital Signature validation
46. Export the users' certificates to the ADS key store. (In a real scenario this step will be performed on the client users' certificates; however, for this demo we generated a credential and used the SAP Trust Center Service at http://service.sap.com/tcs to sign it. We also retrieved the RootCA from the SAP Trust Center Service.) We have provided the credential file and the corresponding RootCA for you {Maria.cer, Maria.p12}.
47. Navigate to Configuration Management -> Infrastructure -> Adobe Document Services -> Document Security
48. In the Document Security tab select Trusted Anchors
49. Select the Manage CER files button
50. Select the Add New File button
51. Choose Browse
52. Choose the certificates that ADS will trust (in this case Maria.cer) and click Select
53. Select the Add New Object button
54. Select the check boxes Signatures and as trusted root and Certified Documents, then click Save.
55. Navigate to Operations Management -> Systems -> Start & Stop and select the tab JAVA EE Services
56. In order for these changes to take effect, restart these two services: PDF Manipulation Module and Document Services Trust Manager Service.