Professional Documents
Culture Documents
Steps To Output A Microsoft Word Document From An SAP System
Steps To Output A Microsoft Word Document From An SAP System
Steps To Output A Microsoft Word Document From An SAP System
Usehttps://help.sap.com/doc/saphelp_scm41/4.1/en-
US/99/6edc3a8266a113e10000000a11402f/frameset.htm
To obtain a certificate signed by the SAP CA for the SAP Web Application Server to
use for digitally signing logon tickets, you must generate a key pair and PSE for the
application sever. You also generate the corresponding certificate request, which
you send to the SAP CA. You then import the certificate request response into the
server's PSE as described in the procedures below.
Procedure
Sending the Certificate Request
Per default, the PSE used is the System PSE, however, if a different
PSE is to be used, then select it. A different PSE can be used in the
following cases:
If the system has been upgraded from a Release <= 4.6B, then the
PSE used for logon tickets is the SAPSSO2 PSE.
If you have defined an explicit PSE to use for logon tickets, then
this PSE (as specified in the table SSFARGS) is used.
3. Create a new PSE (see Creating or Replacing a PSE).
The information for the PSE appears in the PSE maintenance section.
4. Choose PSE ® Generate certificate request and save it to a file.
The content of the request is generated in binary-code as shown below.
-----BEGIN CERTIFICATE REQUEST-----
MIIBkzCCAVICAQAwWjELMAkGA1UEBhMCREUxHDAaBgNVBAoTE215U0F
QLmNvbS
BXb3JrcGxhY2UxDzANBgNVBAsTBlNBUCBBRzEOMAwGA1UECxMFQmFzaX
MxDDAK
BgNVBAMTA0JJTzCB7jCBpgYFKw4DAhswgZwCQQCSnauC/cAfQVrmOtWzn
Q9I+i
4twoPq8wCE0Fk5EAVjQnX2oMqBnyoi+ee/ZH2cLwyhp5mOOw70+exS7PH
EWKiF
AhUAw9FSY1AsFV4U9fC9w+Bg5H4ISYcCQARcC+7q3UkM0TF0A5zRaq7viO
3Wj2
MwYUNwFkc0hxzhloUQd21megZADoFiisdzkn/nF4eIxV9vq9XxcV63xTsDQ
wAC
QFher18UA8YkY4/zHe4mbupBXvDSucm2nbJuQ5PgDBvVaMmtpXIisyzuAF
L+qC
zQ92mkNqUR9JLWpz09ghQdISCgADAJBgcqhkjOOAQDAzAAMC0CFA7qElu
P/Kfi
+6HF/8I7j4NfF44xAhUAqkDgAeR3tzmNegKUTQ+JzeCXawE=
-----END CERTIFICATE REQUEST-----
5. Copy the certificate request's content to a customer message under the
component BC-SEC.
The SAP CA validates your information and sends you a response, which
contains the server’s signed public-key certificate.
(Unless you have some supercomputers at your disposal and a few years to dedicate on bruteforcing SSL
private keys, that are probably expired before you can break them)
(Unless[2] you reverse engineer and patch the server binaries, but then you wouldn’t be breaking the
license check but rather disabling it)
Beginning with its ECC6 product version, the licensing system used to control the
products’ allowed usage and installations uses public-key cryptography with digitally
signed files.
This way, it’s practically impossible to create a fake license key, because only SAP has
the private keys.
So you won’t see any keygens around unless someone manages to sneak the private
keys from inside SAP.
This is an example license file, generated for a trial NetWeaver ABAP system:
SAPSYSTEM=NSP
HARDWARE-KEY=S0141382012
INSTNO=DEMOSYSTEM
BEGIN=20140922
EXPIRATION=20141222
LKEY=MIIBOwYJKoZIhvcNAQcCoIIBLDCCASgCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAT
GCAQcwggEDAgEBMFgwUjELMAkGA1UEBhMCREUxHDAaBgNVBAoTE215U0FQLmNvbSBXb3JrcGxhY
2UxJTAjBgNVBAMTHG15U0FQLmNvbSBXb3JrcGxhY2UgQ0EgKGRzYSkCAgGhMAkGBSsOAwIaBQCg
XTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNDA5MjMxNjIwNTJ
aMCMGCSqGSIb3DQEJBDEWBBSRMtiAacWFK02IcR6F+swWQZjJLjAJBgcqhkjOOAQDBC8wLQIVAJ
ULjsn8jIvGg0nHJ551TbYMZvwBAhRhpFgLT1lJuQV6ntftE693Ip8tIw==
SWPRODUCTNAME=NetWeaver_ADA
SWPRODUCTLIMIT=2147483647
SYSTEM-NR=000000000312339695
The LKEY field content is a base64 encoded and digitally signed text file containing
some product license information:
NSPS0141382012NetWeaver_ADA 21474836472014092220141222DEMOSYSTEM
The digital signature is done with the PKCS#7 algorythm (the same used for S/MIME
email messages).
The digital signer for the NSP licenses is identified as “SAP Trust Community”:
The signature verification used for the license files is done by the Application Server
directly (not by ABAP code), and it uses a special PSE file named “LASVerify.pse”, that
you can’t find in the server directories. It’s encrypted somewhere hidden and loaded
into memory by the Application Server every time a license verification is performed.
For not being available in the server directories, it’s not possible to validate an SAP
license file in ABAP without debugging the server binaries and extracting the PSE file.
Therefore I’ll show you how to create your own certificate and sign a text file to be
verified by ABAP code.
1 – Create a certificate
Using the instructions taken from the OpenSSL docs on certificates, we create a
private/public key pair to sign our files.
...
$ openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
-----
Country Name (2 letter code) [AU]:BR
In transaction STRUST , add the newly created certificate to the trusted certificate
list:
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc sit amet
lacus faucibus nisi mattis fermentum.
Morbi sit amet nunc fermentum, congue nisl ac, hendrerit libero. Phasellus
vitae tellus a lacus viverra aliquam.
Suspendisse tristique lacus nec metus semper ornare. Sed hendrerit varius
libero, et efficitur nisl laoreet nec.
Sed velit orci, vehicula nec imperdiet at, hendrerit a est. Suspendisse
potenti.
We can use the OpenSSL S/MIME tool to sign the license file in PKCS#7 format using
our certificate.
$ openssl smime -sign -in data.txt -outform DER -binary -nodetach -out
signed.bin \
If you correctly added the certificate to STRUST, you should get a positive result with
the signer information:
SSF_API_SIGNER_OR_RECIPIENT_OK
If you temper with the signed file, say, change something in the data section, the
signature verification will fail.
Result: SSF_API_SIGNER_ERRORS
SSF_API_SIGNER_OR_RECIPIENT_NOT_OK
ABAP Code
You can use the SSF_KRN_VERIFY function module to verify the signature. To do
that, you must provide the path to a trusted certificates address book (.pse file).
In this example we use the system PSE (SAPSYS.pse).
i_input_length type i,
exporting
filename = 'C:\Users\Administrator\Desktop\signed.bin'
filetype = 'BIN'
importing
filelength = i_input_length
tables
data_tab = t_input_data.
<parameter>-param_name = 'DIR_INSTANCE'.
tables
parameter_table = t_parameter.
exporting
ostr_signed_data_l = i_input_length
str_pab = v_pab
str_pab_password = ''
tables
ostr_signed_data = t_input_data
signer_result_list = t_signer_info
ostr_output_data = t_output_data.
if t_signer_info[] is initial.
endif.
/ 'Profile:', <signer_info>-profile,
/ 'Result:', <signer_info>-result.
if <signer_info>-result = 0.
endif.
endloop.
o_conv = cl_abap_conv_in_ce=>create( ).
o_conv->convert(
).
write / v_line.
endloop.
That’s it. Now you know how to the license files are created and validated.
Signature Process Flow (Components
Involved)
Use
The process explains how the components involved work together in a signature
process:
Note
In the case of the simple digital signature without a signature strategy, the
authorization check, sequence check, and release check are omitted.
2. …
3. DMS Customizing
Go to start of metadata
Prerequisite
1)You must have Authorization object {}C_SIGN_BGR to be set (ask basis team to do the same) for the digital
signature.
2)Following are the authorization object for Documents (If you have all access to the authorization object will be very
good, mainly a & b must).
a) C_DRAW_TCD
b) C_DRAW_TCS
c) C_DRAW_STA
d) C_DRAW_BGR
e) C_DRAW_DOK
f) C_DRAD_OBJ
How to config for Digital Signature in DMS
5. Create DIR
6. In DIR once the Document status is set for required digital signature, the system informs you that a digital signature
is required. Yellow warning will come, enter two times.
7. The Digital Signature dialog box appears. Enter your comment in the text field. Select the individual signature that is
assigned to your authorization group in the Signatures to be executed section and enter the password .Then
save it again.6) you can see this digital signature again, in cv03n, go to top menu Environment --> digital
signature. You will get all the details.
Thus the Digital signature process has been completed.
With help of Transaction code SU01 ,in user tab enter your user name and press F7 check first and last name if it is
correct its well and good or else go to change mode and enter correct one, save it.Because while making digital
signature using user ID and password it is must or else it will give an error.