Secure Store And Forward (SSF) Tutorial NFE Digital Signature Guide
ABAP Digital Signature guide for NFE

Disclaimer

The Web sites listed on this page do not contain SAP content and SAP does not represent or endorse the accuracy or reliability of any of the information, content, or advertisements (collectively, the "Materials") contained on, distributed through, or linked, downloaded, or accessed from any of the services contained on these Web sites. The information listed makes no claim to completeness, is a snapshot of 01/01/2015 and can change at any time or expire.

1 PROLOGUE
    1.1 Installing the SAP Cryptographic Library
    1.2 Determine the current SAPCryptolib version and patch level
    1.3 XML Signature Test Program
    1.4 Required Notes
    1.5 Check and Warn About Certificates that Expire in Near Future
2 NFE INCOMING
    2.1 Creating the PSE for NFE Signature Check
    2.2 Import CA certificates
3 NFE OUTGOING
    3.1 Obtain the private certificate
    3.2 Create PSE
    3.3 Create SSF application
    3.4 Set Application Parameters
    3.5 Load the PSE

1 Prologue

1.1 Installing the SAP Cryptographic Library

To digitally sign NF-e data in the SAP system using Secure Store and Forward (SSF), you must install the SAP Cryptographic Library (SAPCRYPTOLIB) as described in SAP Note 662340 - SSF Encryption Using the SAPCryptolib. This is the prerequisite for the instructions in this manual. To support certificates with SHA-2 hashes, the patch level should be at least PL29.

1.2 Determine the current SAPCryptolib version and patch level

(1) Run program SSF02
(2) Execute
(3) “Determine Version”
(4) Execute
(5) Version information: “SSFLIB Version 1.555.34”
(6) The last two digits are the patch level

1.3 XML Signature Test Program

The program SECXML_DSIGNATURE provides a UI for testing both signing and verifying an XML source. It takes the configured PSE application and a local XML file name as input. SAPCRYPTOLIB with Patch Level 30 is a prerequisite.
1.4 Required Notes

To prevent the XML signature check from failing when inclusive canonicalization is specified, the following Notes must be applied:

    1866334 CL_SEC_SXML_DSIGNATURE: Inclusive C14N
    1666950 XML Signature check fails for inclusive canonicalization
    1736879 XML Signature check fails for inclusive canonicalization
    1333974 Central Note for WS Security on 7.20

1.5 Check and Warn About Certificates that Expire in Near Future

SSF_ALERT_CERTEXPIRE is a dialog report that checks the validity period of certificates (SAP Note 572035). Its task is to provide warnings a chosen time before installed certificates expire. The warnings can be provided in a variety of ways, e.g. via email. You can also schedule this report as a daily background job.

2 NFE Incoming

Importing the CA certificates for verification of the digital signature of incoming NF-es.

2.1 Creating the PSE for NFE Signature Check

From the Administration workplace use transaction STRUST – SSF: Trust Manager and create a self-signed PSE for SSF NFE signature validation.

Confirm the suggested PSE.

2.2 Import CA certificates

After receiving the message “Data saved successfully”, import the CA certificate of the issuer (the certification authority, e.g. AC CERTISIGN or SERASA) of the signing certificate (encoded in the XML tag). You can download the CA certificates as described here: http://www.iti.gov.br > ICP-BRASIL > Repositório

You have to import the CA certificates of all signers of the NF-es you receive in your inbound scenario, and that might be a double-digit number. Still, you don’t need the whole certificate chain, only the lowest intermediate certificate from each CA. You can restrict the number by finding out the CAs of your partners. To speed up a particular case with a particular partner, you can ask him for the certification provider he used.
Or, to find the CA in the XML of the inbound NF-e, take the certificate between the tags and and copy the content of the X509Certificate tag to a Notepad file, between the two fixed lines below:

    -----BEGIN CERTIFICATE-----
    (content of the X509Certificate tag)
    -----END CERTIFICATE-----

Then save it as a .cer file and double-click the file. Windows will show the certificate.

If you have the full chain on your computer, you can also see the path and the name of the CA.

Import the CA certificate of the certification authority in STRUST.

If you receive an error like “SSF kernel error: invalid parameter”, try changing the file format.

The certificate will be shown in the Certificate box. Click on Add to Certificate List.

Repeat the same step for the other CA certificates: import, one by one, the CA certificates of all certification authorities of your business partners. After importing all certificates and adding them to the list, save to persist the changes.

3 NFE Outgoing

The following describes the customizing of the private certificate for the digital signature of outgoing NF-es.

3.1 Obtain the private certificate

In order to issue electronic invoices, the XML must be signed using a digital certificate compliant with ICP-Brasil standards, securing the access between the NFE system and the government's servers.
To obtain the digital certificate you must interact with a Certification Authority. You can find a complete and up-to-date list of Certification Authorities on the National Information Technology Institute (ITI Brazil) website http://www.iti.gov.br. The main Certification Authorities are: Caixa, Serasa, Certisign, Valid, Digitalsign, Boa Vista.

The Certification Authorities can issue certificates as files as well as in the form of a physical token, so make sure you request the digital certificate that can be used for e-commerce transactions in PKCS#12 format with the file ending .pfx.

Hints: The certificate can also be used for client authentication using https in PI. For signing you can also use the physical token and connect it via PI using enhancement spot /XNFE/CORE_SIGNATURE_CREATE_EN

3.2 Create PSE

Use the tool SAPGENPSE on the Command Prompt to create the PSE from the existing private certificate, as described in Importing a PKCS#12 File:

    sapgenpse import_p12 -p file.pse bras.pfx

Hints: If an error reports that the pfx is missing the certification chain, you can complete the chain by adding the missing certificates with option '-r'. The command line should then look like this:

    sapgenpse import_p12 -r SerasaACPv2.cer -r ICPBrasilv2.cer -p file.pse bras.pfx

Specify the full path of the PSE to be created. If asked for a PSE PIN, enter one or press Return.

3.3 Create SSF application

From the Administration workplace use application SSF: Define Application. With this administration UI, SSF applications are created and all attributes are set correctly in the SSFAPPLIC table. You need a separate SSF application for each private certificate that you use for signing the NF-e (e.g. for each own tax number). This step has to be done in all three systems (dev, test and production); there is no transport.

The SSF applications also have to be customized in IMG activity Outbound > "Maintain System Response for Own Tax Numbers".
3.4 Set Application Parameters

From the Administration workplace use transaction SSFA – SSF: Set Application Parameters.

Create the configuration for ZNFE01 (for signing NF-es).

Fill in the data.

3.5 Load the PSE

From the Administration workplace use transaction STRUST – SSF: Trust Manager and load the PSE:

Double-click on File.

Specify the .pse file that was copied from the server to the local machine.

Enter the password of the PSE.

Choose PSE -> Save as…

In the Save PSE as box, select SSF application, then select and confirm the SSF application for signature that was created.

Data saved successfully…
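Added example, not part of the original guide: the manual step from section 2.2 (copying the X509Certificate content between the two fixed lines so it can be saved as a .cer file), applied to a batch of inbound NF-e XML documents so that each distinct signing certificate is listed once. It assumes the standard XML-DSig element layout; the function names and the sample document are constructed for illustration, and the sample bytes are not a real certificate.

```python
import base64
import binascii
import hashlib
import re
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"  # XML-DSig namespace

def signer_certs_der(nfe_xml):
    """Return the DER bytes of every X509Certificate element in one XML."""
    if "<!DOCTYPE" in nfe_xml:
        # Inbound XML is untrusted input: refuse DTDs and their entities.
        raise ValueError("DOCTYPE not allowed in inbound NF-e")
    certs = []
    for node in ET.fromstring(nfe_xml).iter(f"{{{DSIG_NS}}}X509Certificate"):
        b64 = re.sub(r"\s+", "", node.text or "")  # drop line wrapping
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"X509Certificate is not Base64: {exc}") from exc
        if der[:1] != b"\x30":  # a certificate is a DER SEQUENCE
            raise ValueError("X509Certificate does not decode to DER")
        certs.append(der)
    return certs

def to_pem(der):
    """Put the Base64 text between the two fixed lines, 64 chars per row."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *rows,
                      "-----END CERTIFICATE-----"]) + "\n"

def distinct_signers(xml_documents):
    """Map SHA-256 fingerprint -> PEM for each distinct signing certificate."""
    found = {}
    for doc in xml_documents:
        for der in signer_certs_der(doc):
            found.setdefault(hashlib.sha256(der).hexdigest(), to_pem(der))
    return found

# Constructed sample: placeholder bytes shaped like DER, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
_B64 = base64.encodebytes(SAMPLE_DER).decode("ascii")  # wrapped like real XML
SAMPLE_NFE = (f'<NFe><Signature xmlns="{DSIG_NS}"><KeyInfo><X509Data>'
              f"<X509Certificate>\n{_B64}</X509Certificate>"
              "</X509Data></KeyInfo></Signature></NFe>")

if __name__ == "__main__":
    for fingerprint, pem in distinct_signers([SAMPLE_NFE, SAMPLE_NFE]).items():
        print(fingerprint)
        print(pem, end="")
```

Each returned PEM string can be saved as a .cer file and opened as described in section 2.2 to read the issuing CA.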
Source Exif Data:
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.5
Linearized : No
Page Count : 20
Language : de-DE
Tagged PDF : Yes
Title : Secure Store and Forward (SSF) - Tutorial
Author : Michael Friedrich
Subject : Programmer's Guide
Keywords : SSF, Cryptography, Secure, Store, Forward, Signature, Authenticate
Creator : Microsoft® Word 2010
Create Date : 2015:02:04 15:27:26+01:00
Modify Date : 2015:02:04 15:27:26+01:00
Producer : Microsoft® Word 2010