Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Maintaining User SSF Information in SU01 for SAPSECULIB

Former Member

Hi!

I was supposed to implement Digital Signatures in a standard transaction for a Pharma client of mine. The system being used is ECC 6.0 with Basis 7.0.

To achieve this, I used the Digital Signature Tool released with Basis 6.2 and called it in an enhancement. The tool is now running fine and the User who runs the transaction gets a pop up prompting for User ID and password. And he is able to sign it. I managed to get a signature strategy set up and all things related to the tool is running fine. However, I was facing a problem with restricting the signing process to particular users. After going through tons of documentation, I finally realized that this had to be done with SU01.

I added an entry in SSFA (Digital Signatures for Pharma Industries to adhere to FDA regulations) and linked it to the system PSE (SAPSYS.pse) and gave the SSF Profile id (it said optional but I gave it anyway) as digsig_test. Now my tool was restricting all users on the system saying invalid SSF Signer.

I do know that for the user that must sign this, the setting must be maintained SU01 (Address tab -> Other Communication -> SSF). Now when I do this, a pop comes up.

If what I have done so far is correct, if I fill the SSF ID and the SSF Profile here, I should be done. Trouble is I dont know what to put in as the SSF ID. All documentation I had found so far simply states that the SSF ID depends on the SSF Security product being used. Here it is obviously SAPSECULIB. So what on earth do I put in here when my product is SAPSECULIB? The SSF Profile should be digsig_test right?

I tried the thing that was in the System PSE certificate. That did not work. Do I have to create my own certificate or something and add it to the PSE? If so please let me know how that must be done.

Thanks and Regards,

Ramkumar V.

1 ACCEPTED SOLUTION

0 Kudos

Hi Ramkumar V,

in transaction SSFA, pass the subject name of the own certificate of the PSE to the field SSF Profile Id. You might get the subject name from transaction STRUST.

If you create signatures with user ID and password, you don't need to maintain the SSF settings in transaction SU01. As far as I know you can restrict the signing process to particular users with an authorization object, but I don't know the details.

Best regards,

Klaus

3 REPLIES 3

0 Kudos

Hi Ramkumar V,

in transaction SSFA, pass the subject name of the own certificate of the PSE to the field SSF Profile Id. You might get the subject name from transaction STRUST.

If you create signatures with user ID and password, you don't need to maintain the SSF settings in transaction SU01. As far as I know you can restrict the signing process to particular users with an authorization object, but I don't know the details.

Best regards,

Klaus

michelle_cannon
Explorer
0 Kudos

Hello Ram

It seems that you and I are trying to do the same thing. I am also experiencing the same problems you are experiencing by your post. I would very must appreciate it if you explain to me exactly what you did to resolve the problem.

If you could tell me the SSF ID and SSF profile that you entered for digital signatures that would be a great help.

Also I heard that transaction SSFA is needed to establish this connection. If you have information on this I would grately appreciate it.

Step by step instructions would be greatly appreciated.

Thanks again

Michelle

0 Kudos

Thank you for using the search - however bumping an thread older than 3 months or so very seldom attracts the attention of the original posters again, unless they read each thread in the forum still since 2 years...

When searching you might also have found this thread:

It contains more information for you about the requirements and the special object mentioned by Klaus. You can also use more than one product, such as the default SAPSECULIB for digi-sigs signed by the system, and an external product for digi-sigs signed by the user. They can also sign with their user ID and password, but only an ABAP system password is currently an option here.

Cheers,

Julius