Installing and Configuring Credentials for ADS

Context

Adobe Document Services (ADS) require access to a credential (private key) in the SAP Application Server to assign usage rights to PDF forms. This is typically the Adobe Reader Rights credential. If you require additional credentials for certification or digital signatures, you can obtain them from a Certificate Authority (CA).

Note

Only DER-encoded X.509 certificates are supported.

In any of these cases, you must install and configure the credentials in the ADS. For ease of use throughout the SAP system, the credential is identified by an alias. The alias is a unique text name that represents the credential. If you need to install more than one credential on your system, use the default alias for the default credential and any other alias for additional credentials.

SAP applications certifying a PDF form must specify the name of the credential. Otherwise the default credential is used. The table below gives you an overview of the credentials (and their aliases) according to their use.

| Use of the Credential | Default Alias of the Credential |
| --- | --- |
| Reader Rights | ReaderRights |
| Certification | DocumentCertification |
| Digital Signatures | ServerSignature |

Procedure

  1. If you require additional Certification or Digital Signatures credentials, obtain them from a Certificate Authority (CA).
  2. Install and handle each credential according to the credential's file type:
    • A PKCS #12 credential may be delivered as a Public Key Cryptography Standards (PKCS) #12 file, with a .pfx filename extension, on a disk or over the Web. This file is password-protected as it represents the identity of the owner. In the SAP NetWeaver Administrator, PKCS #12 credentials are also called P12 Records.

      More information: Installing a PKCS #12 Credential

    • An MSCAPI credential is stored in the certificate storage database on your Microsoft Windows system. The Certificate Authority that provides credentials can recommend which credentials should be stored in the MSCAPI certificate storage database.

      More information: Installing an MSCAPI Credential

    • An HSM credential is delivered as a hardware device - a Hardware Security Module (HSM) - that must be connected to the system. This credential is much more secure than a PKCS #12 credential, because once inserted into the device, it cannot be copied from the device. For installations where security is a priority, it is advantageous to copy any PKCS #12 credentials into an HSM where they are more secure. Access to the HSM is password-protected.

      More information: Installing an HSM Credential

  3. Configure the attributes of the credentials used by ADS.
  4. ADS logs warning messages when a credential is about to expire. You can set the number of days before expiry at which the server begins logging daily warning messages. ADS checks the credentials daily to determine which credentials it should log messages for. You can configure the time of day at which the expiry dates are calculated.
  5. To use the certification and digital signatures features, install Trusted Anchors, which enable the server to verify the certification or signature of a form, and Certificate Revocation Lists (CRLs), which identify credentials that can no longer be trusted.
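
Because the note above states that only DER-encoded X.509 certificates are supported, it helps to check a certificate file received from a CA before installing it. The following is an added example, not SAP or Adobe code: it tells PEM from DER, rejects files with trailing bytes or BER-style lengths, and unwraps PEM to DER. The function names and the sample bytes are assumptions made for illustration, and the check covers only the outer encoding, not whether the content is a valid X.509 certificate.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_total_length(data: bytes):
    """Size claimed by the outer DER SEQUENCE (header + content), or None."""
    if len(data) < 2 or data[0] != 0x30:      # a certificate is a SEQUENCE
        return None
    first = data[1]
    if first < 0x80:                          # short-form length
        return 2 + first
    n = first & 0x7F                          # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:  # n == 0 is BER indefinite length
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    if length < 0x80 or data[2] == 0:         # DER demands the minimal encoding
        return None
    return 2 + n + length

def classify(data: bytes) -> str:
    """Return 'pem', 'der', 'der+trailing' or 'unknown' for a certificate file."""
    if PEM_RE.search(data):
        return "pem"
    total = der_total_length(data)
    if total == len(data):
        return "der"
    if total is not None and total < len(data):
        return "der+trailing"                 # e.g. a newline appended in transit
    return "unknown"                          # truncated, BER, or not a certificate

def to_der(data: bytes) -> bytes:
    """Return DER bytes, unwrapping PEM armour if present; raise otherwise."""
    kind = classify(data)
    if kind == "pem":
        body = PEM_RE.search(data).group(1)
        data = base64.b64decode(b"".join(body.split()), validate=True)
        kind = classify(data)
    if kind != "der":
        raise ValueError(f"not a clean DER structure: {kind}")
    return data

# Constructed sample: a SEQUENCE header plus 256 zero bytes, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

To check a real file, read it in binary mode and pass the bytes to classify(); write the result of to_der() to a new file if the CA delivered PEM.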