Digital Signatures. Stefanie García Laule Security Product Management SAP AG


Agenda
1. Technology: Electronic Signatures
2. Interfaces SAP NetWeaver
3. Legal Requirements
SAP AG 2004, SAP TechEd / SCUR104

1. Technology: Electronic Signatures

Up to now: Handwritten Signatures
What a handwritten signature on paper gives the reader: visibility of the document, the possibility to copy or print it, the document content, assurance that the document is unchanged, the identity of the signer, and a legally binding result. (Slide illustration: a paper document signed by "Thomas Smith", with the two steps Signature and Verification.)

Digitally Signed Documents
Properties: Integrity, Authenticity, Validity, Legally binding.
(Slide illustration: the signer signs a contract with the private key; the recipient verifies it with the public key. The public key is registered with a CA, which the recipient trusts.)

Certificates = Digital Identity
A certificate is issued by a CA (certification authority), for example a Trust Center service, and contains:
- Name of the subject
- Name of the issuer
- Validity interval
- Public key
The public key corresponds 1:1 to a private key, which must be kept secret. The private key can be held in software (e.g. PSE management) or in hardware (e.g. a smartcard).

The Signing Process
1. The document (slide illustration: a purchase document with positions 10 to 50, each a material number and a quantity) is run through a cryptographic hash algorithm. The result is the cryptographic checksum, a short bit string such as 010110...
2. The checksum is transformed with the signer's private key using the public key algorithm. The result is the signature value.
3. The signature value is attached to the document; together they form the signed document.

The Verification Process
1. The verifier separates the document from the signature value and recomputes the cryptographic checksum of the document with the same hash algorithm.
2. The verifier applies the public key algorithm with the signer's public key to the signature value and compares the result with the recomputed checksum. If the two differ, the document or the signature was altered: result "Wrong".
3. The signer's certificate is checked: Is the signature of the CA on the certificate OK? Is the certificate not revoked? If either check fails, the signature is not accepted.
Only when the checksums are equal and both certificate checks pass is the signed document "OK".

Technical Calculation of Digital Signatures
(This slide combines the two diagrams above: on the signing side the document, the private key of the signer, the hash algorithm, the checksum, the public key algorithm, the signature value and the signed document; on the verification side the signed document, the hash algorithm, the checksum, the public key of the signer, the public key algorithm, the comparison of the two checksums, the CA signature and revocation checks, and the verdict OK or Incorrect.)
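The signing and verification flow of the slides above as an added, runnable example; this is not code from the slides or from SAP. It uses a toy RSA pair on constructed Mersenne primes, a constructed "Trust Center" CA, a certificate for "Thomas Smith", and the three checks of the last verification slide (CA signature OK, certificate not revoked, checksum equal). Key sizes, the absence of padding and the JSON certificate encoding are assumptions made only to keep the data flow visible; real deployments use PKCS#7/CMS with a certified library, as the SSF section describes.

```python
"""Added example (not SAP's code): the hash-then-sign and verification flow
of the slides, including the CA signature and revocation checks.

Toy RSA on small constructed Mersenne primes with no padding, chosen only to
make the data flow visible; production code must use a real library
(PKCS#1 v1.5 or PSS, 2048-bit or larger keys) and X.509 certificates.
"""
import hashlib
import json


def make_key(p, q, e=65537):
    """Constructed toy RSA key pair; p and q are demo-sized primes (assumption)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e}, {"n": n, "d": d}


def checksum(document: bytes, n: int) -> int:
    """Cryptographic checksum (SHA-256), reduced modulo the toy key size."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def canonical(obj) -> bytes:
    """Deterministic encoding of certificate fields so the CA signs fixed bytes."""
    return json.dumps(obj, sort_keys=True).encode()


def sign(document: bytes, priv) -> int:
    """Signing process: hash the document, transform the hash with the private key."""
    return pow(checksum(document, priv["n"]), priv["d"], priv["n"])


def raw_verify(document: bytes, signature: int, pub) -> bool:
    """Verification I and II: recompute the checksum, compare with the public-key result."""
    return pow(signature, pub["e"], pub["n"]) == checksum(document, pub["n"])


def issue_certificate(issuer_priv, subject, issuer, pub, valid_from, valid_to):
    """A certificate is just these fields plus the issuer's signature over them."""
    tbs = {"subject": subject, "issuer": issuer, "pub": pub,
           "valid_from": valid_from, "valid_to": valid_to}
    return {"tbs": tbs, "ca_sig": sign(canonical(tbs), issuer_priv)}


def verify_signed_document(document, signature, cert, ca_pub, crl, today):
    """Verification III: CA signature OK? not revoked? valid now? checksum equal?"""
    tbs = cert["tbs"]
    if not raw_verify(canonical(tbs), cert["ca_sig"], ca_pub):
        return "Wrong: CA signature on the certificate is invalid"
    if tbs["subject"] in crl:
        return "Wrong: certificate revoked"
    if not tbs["valid_from"] <= today <= tbs["valid_to"]:
        return "Wrong: certificate not valid at verification time"
    if not raw_verify(document, signature, tbs["pub"]):
        return "Wrong: checksum mismatch, document or signature altered"
    return "OK"


def demo():
    """Constructed scenario: Thomas Smith signs the slide's purchase document."""
    ca_pub, ca_priv = make_key(2**107 - 1, 2**127 - 1)        # trusted CA
    signer_pub, signer_priv = make_key(2**61 - 1, 2**89 - 1)   # signer's key pair
    cert = issue_certificate(ca_priv, "CN=Thomas Smith", "CN=Trust Center",
                             signer_pub, "2004-01-01", "2006-12-31")
    document = (b"Pos. Material   Qty\n"
                b"10   80000311  1100.0\n"
                b"20   80000620   100.2\n"
                b"30   80000636   110.3\n")
    sig = sign(document, signer_priv)
    tampered = document.replace(b"1100.0", b"1200.0")   # one changed quantity
    # Attacker issues a certificate for the same name, signed with a key the
    # verifier does not trust (here simply the signer's own key, not the CA's)
    forged = issue_certificate(signer_priv, "CN=Thomas Smith", "CN=Trust Center",
                               signer_pub, "2004-01-01", "2006-12-31")
    when = "2004-06-01"
    return {
        "original": verify_signed_document(document, sig, cert, ca_pub, set(), when),
        "tampered": verify_signed_document(tampered, sig, cert, ca_pub, set(), when),
        "revoked": verify_signed_document(document, sig, cert, ca_pub, {"CN=Thomas Smith"}, when),
        "expired": verify_signed_document(document, sig, cert, ca_pub, set(), "2007-01-01"),
        "forged_cert": verify_signed_document(document, sig, forged, ca_pub, set(), when),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} {result}")
```

Running the file prints the five verdicts. The tampered case fails at the checksum comparison; the revoked, expired and forged-certificate cases fail before the document checksum is compared at all. That ordering is deliberate: a verifier should establish that the certificate is trustworthy before it uses the public key inside it.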

Advantages of Digital Signatures: Authenticity, Integrity, Validity, Legally Binding

2. Interfaces SAP NetWeaver

Secure Store & Forward (SSF) Interface
SAP applications do not call a cryptographic library directly; they call the SSF interface of SAP NetWeaver. On the ABAP stack, SSF is implemented by SAPSECULIB or by an SSF partner product; on the Java stack, by the IAIK toolkit.

Secure Store & Forward (SSF) Interface: ABAP
ABAP applications with electronic signatures use the ABAP SSF API. Three signing variants:
- Signing in the SAP GUI for Windows frontend with a product from the Software Partner Program (SPP), without signature control
- Signing with the signature control: BSP (Release 6.20) or WinGUI (Release 7.0)
- The application server signs (SAPSECULIB)

Secure Store & Forward (SSF) Interface: ABAP and Java
ABAP: SAPSECULIB supports digital signatures without cryptographic hardware (smartcards, crypto boards); the application server signs.
Java: the IAIK toolkit supports electronic signatures without cryptographic hardware.

Secure Store & Forward (SSF) Interface: Supported Signature Formats (valid for Web Application Server 6.30)
ABAP:
- PKCS#7: SSF partner product (SSF partner certification; support of cryptographic hardware)
Java:
- PKCS#7: SAP Java Cryptographic Toolkit
- S/MIME: IAIK S/MIME
- XML: SAP XML Toolkit
(Java: no partner certification; no support of cryptographic hardware)

SSF ABAP Functions
- SSF_SIGN: create digital signature(s)
- SSF_VERIFY: verify digital signature(s)
- SSF_ENVELOPE: encrypt for recipient(s)
- SSF_DEVELOPE: decrypt for recipient
- SSF_ADDSIGN: add a digital signature
- SSFS_CALL_CONTROL: starts the signature control
- SSFS_GET_SIGNATURE: gets the signature value from the control
- SSF_KRN_*: kernel functions, executed directly by the application server

Signature in Web Browser: Signature control (screenshot on the slide)

System Signatures
(Slide diagram: the SAP system of Company A creates the electronic signature on a PDF document via ADS, the Adobe Document Server; the document is transported by HTTP, HTTPS, S/MIME or FTP, or archived; the SAP system of Company B checks the electronic signature, again via ADS.)
- Automation of processes requiring approval and/or handwritten signatures, such as invoices
- Cost reduction through the elimination of manual tasks and process steps

User Signatures
(Slide diagram: the user creates the electronic signature on the PDF document in Acrobat Reader at the frontend; the document reaches the company's SAP system by HTTP, HTTPS, S/MIME or FTP, or from the archive, and the SAP system checks the electronic signature via ADS, the Adobe Document Server.)
- Standardized format
- Legally binding

Applications with Electronic Signatures (all on SAP NetWeaver)
PLM ECH, PLM DMS, PLM PP-PI, PLM QM, CRM EBP, Healthcare, HCM Belgium, Public Sector, ERP SD/CRM, ERP MM-FI, ERP FI, ERP FI/IHC, SAP Content Server

3. Legal Requirements

Legal Requirements
Electronic signature acts all over the world:
- German Electronic Signature Act
- Singapore Digital Signature Law and Regulations
- Japan Electronic Commerce Promotion Council
- EU Directive 1999/93/EC
- Argentina Digital Signature Law
- Malaysian Digital Signature Law
- US E-Sign Act
- Canada Uniform Electronic Commerce Act

Legal Requirements
Let's have a look at:
- FDA: 21 CFR Part 11
- US: E-Sign Act
- EU: Directive 1999/93/EC
- Germany: Signature Act and Ordinance

FDA: 21 CFR Part 11
In 1997 the United States Food and Drug Administration (FDA) issued the regulation 21 CFR Part 11 (Title 21 of the Code of Federal Regulations, Part 11), entitled "Electronic Records; Electronic Signatures". The regulation provides guidance for the use of electronic records and electronic signatures in the biotechnology, pharmaceutical, medical devices, radiological health, food, cosmetics and veterinary medicine fields.

FDA: 21 CFR Part 11
Definitions:
"Electronic Signature" means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.
"Digital Signature" means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.

FDA: 21 CFR Part 11
General implementation of electronic signatures in SAP:
- System signature with authorization by user ID and password
- First shipment with SAP R/3 Release 4.6C
- PKCS#7 signature format (the slide quotes 128-bit cryptographic strength without naming the algorithm)
- No external security product is necessary
When logging on to the system, users identify themselves by entering their user IDs and passwords. The SAP system then executes the digital signature with its own key (SAPSECULIB; see the SSF slides). The user name and ID are part of the signed document. Note what this means in practice: the binding between the signature and the individual rests on the password authentication, the system's authorization checks and its audit trail, not on a key the user holds. A public key infrastructure can be administered by the customers themselves, which is sufficient according to Part 11 for digital signatures.

FDA: mysap ERP Business Processes
The following components support electronic signatures:
- PP-PI: process step completion within the process instruction sheet, and acceptance of process values outside predefined tolerance limits
- ECM: status change of Engineering Change Orders and Object Management Records
- EBR: electronic batch record approval
- QM: inspection lot, usage decision, physical sample drawing
- DMS: document management status create/change
- cProjects: document approval, project activity status change approval
For multiple signatures, mysap ERP provides signature strategies that define the allowed signatures and the sequence in which they must be executed.
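A signature strategy, as an added example that is neither SAP's code nor the mysap ERP implementation: a small Python model of the two things the slide says a strategy defines, the allowed individual signatures and their sequence, plus a separation-of-duties rule (no user gives two signatures on the same object) that is an assumption of this example. Step names, authorization groups and user IDs are constructed.

```python
"""Added example (not SAP's code): a minimal model of a signature strategy,
i.e. the allowed individual signatures and the order in which they must be
given. Step names, authorization groups and users are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IndividualSignature:
    """One allowed signature and the authorization group needed to give it."""
    name: str
    authorization_group: str


@dataclass(frozen=True)
class SignatureStrategy:
    """Individual signatures in the sequence in which they must be executed."""
    steps: tuple
    distinct_signers: bool = True   # assumption: one user may not give two signatures


class SignatureRecord:
    """Signatures collected so far for one object, e.g. a QM usage decision."""

    def __init__(self, strategy: SignatureStrategy):
        self.strategy = strategy
        self.given = []             # (step name, user) in the order accepted

    def complete(self) -> bool:
        return len(self.given) == len(self.strategy.steps)

    def next_step(self):
        return None if self.complete() else self.strategy.steps[len(self.given)]

    def add(self, user: str, user_groups: set, step_name: str) -> str:
        """Accept the signature only if it is the next step in the sequence, the
        user holds the step's authorization group, and (if required) the user
        has not signed this object before."""
        step = self.next_step()
        if step is None:
            return "rejected: strategy already complete"
        if step_name != step.name:
            return f"rejected: next required signature is {step.name}, not {step_name}"
        if step.authorization_group not in user_groups:
            return f"rejected: {user} lacks authorization group {step.authorization_group}"
        if self.strategy.distinct_signers and any(u == user for _, u in self.given):
            return f"rejected: {user} has already signed this object"
        self.given.append((step.name, user))
        return "accepted"


# Constructed strategy: author, then quality check, then release
RELEASE_STRATEGY = SignatureStrategy(steps=(
    IndividualSignature("Author", "SIG_AUTHOR"),
    IndividualSignature("Quality", "SIG_QA"),
    IndividualSignature("Release", "SIG_RELEASE"),
))

# Constructed users and the authorization groups they hold
USERS = {
    "SMITH": {"SIG_AUTHOR"},
    "MUELLER": {"SIG_QA", "SIG_RELEASE"},
    "GARCIA": {"SIG_RELEASE"},
}


def demo():
    """Walk one object through the strategy, including the rejected attempts."""
    rec = SignatureRecord(RELEASE_STRATEGY)
    log = [
        ("GARCIA", "Release", rec.add("GARCIA", USERS["GARCIA"], "Release")),     # out of sequence
        ("SMITH", "Author", rec.add("SMITH", USERS["SMITH"], "Author")),
        ("SMITH", "Quality", rec.add("SMITH", USERS["SMITH"], "Quality")),        # not authorized
        ("MUELLER", "Quality", rec.add("MUELLER", USERS["MUELLER"], "Quality")),
        ("MUELLER", "Release", rec.add("MUELLER", USERS["MUELLER"], "Release")),  # same user twice
        ("GARCIA", "Release", rec.add("GARCIA", USERS["GARCIA"], "Release")),
        ("GARCIA", "Release", rec.add("GARCIA", USERS["GARCIA"], "Release")),     # already complete
    ]
    return rec, log


if __name__ == "__main__":
    record, attempts = demo()
    for user, step, outcome in attempts:
        print(f"{user:8s} {step:8s} {outcome}")
    print("complete:", record.complete(), record.given)
```

The order of the checks matters: the sequence check comes first so that an authorized releaser cannot skip the preceding quality signature, and the separation-of-duties check comes last so that the rejection message names the real reason. In the system the accepted entries would each carry a digital signature over the object and the step, which this model leaves out.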

US: E-Sign Act
Most of the laws began with the Utah Digital Signature Act of 1995, which focused on a narrow set of digital signature technologies based on PKI. California realized that focusing on specific technologies in law was pointless because technology advances so quickly, and chose a minimalist, technology-neutral approach, which became the foundation of the US E-Sign Act. To avoid conflicting laws in the individual American states, the National Conference of Commissioners on Uniform State Laws developed the Uniform Electronic Transactions Act (UETA), while the European Union proposed its Directive on a Community Framework for Electronic Signatures. In the United States, the incompatible state laws were superseded by the Electronic Signatures in Global and National Commerce Act (US E-Sign Act), which was signed into law in 2000. It is technology neutral, provided certain disclosures are made and the basic requirements for electronic signatures are followed.

US: E-Sign Act
"The term 'Electronic Signature' means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record." However, for such an electronic "symbol" to be legally binding, the symbol must provide authentication of the party who created it, ensure that what was signed cannot be altered undetected, ensure that the party understood that by creating the symbol the party was willingly signing, and allow the party to keep an original of the data and the electronic signature for its own records.

US: E-Sign Act
Can anything be signed electronically? Not everything, but most common documents can be. The E-SIGN Act specifically excludes a narrow range of documents from its scope. The exceptions primarily relate to wills, testamentary trusts, adoption, divorce, court orders, termination of utilities, repossession, foreclosure, eviction, cancellation of life insurance, product recalls and documents related to the transportation of hazardous materials.

US: E-Sign Act
Key features of legal electronic signatures include:
- Knowing who the parties are when they sign;
- Having those parties agree to use electronic signatures and show they are technically capable of signing electronically;
- Ensuring each party who signs receives a copy of the electronically signed documents (including the ability to re-verify those signatures electronically); and
- Ensuring that a forged or tampered electronic document can be detected.

EU Directive 1999/93/EC
Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.
Article 5: Legal effects of electronic signatures. Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device:
a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a hand-written signature satisfies those requirements in relation to paper-based data; and
b) are admissible as evidence in legal proceedings.
In short: such an electronic signature is equivalent to a handwritten signature.

EU Directive 1999/93/EC
Three levels:
- Electronic signatures
- Advanced electronic signatures
- Qualified signatures
Qualified signature = advanced electronic signature + qualified certificate (Annex I + II) + secure signature creation device (Annex III)

Germany: Multilevel Law
Implementation of EU Directive 1999/93/EC in Germany:
- Signature Act (Signaturgesetz, SigG), 22nd May 2001: provides the general framework; defines a digital signature, defines the role of a CA, defines certificates and outlines how they are handled
- Signature Ordinance (Signaturverordnung, SigV), 24th October 2001: sets out the operational details and responsibilities of a CA

Germany: Electronic Signature Act
1. "Electronic Signature" shall be data in electronic form that are attached to other electronic data or logically linked to them and used for authentication;
2. "Advanced Electronic Signature" shall be an electronic signature as in 1. above that
a) is exclusively assigned to the owner of the signature code,
b) enables the owner of the signature code to be identified,
c) is produced with means which the owner of the signature code can keep under his sole control, and
d) is so linked to the data to which it refers that any subsequent alteration of such data may be detected;

Germany: Electronic Signature Act
3. "Qualified Electronic Signature" shall be an electronic signature as in 2. above that
a) is based on a qualified certificate valid at the time of its creation, and
b) has been produced with a secure signature-creation device.

Copyright 2004 SAP AG. All Rights Reserved.