
Application of EDS in SAP NetWeaver web templates

This article is about the rather nontrivial task of integrating electronic digital signatures (EDS) into the SAP Business Explorer web application templates that I work with in SAP NetWeaver.
I apologize in advance for any mistakes in terminology or logic.

General information about EDS can be found on Wikipedia.

What was the task


There is SAP NetWeaver in the role of a data warehouse (Business Warehouse).
All data is stored in cubes, documents included. A document is in fact a set of cube rows that share the same attribute, the document number. Work with the data is based on Business Explorer Web Application web templates. The contents of documents are displayed in the analysis item component.

A few words for those unfamiliar with BEx Web. The web template (web form) technology essentially resembles ASP.NET. In the designer you create a form layout from components similar to the ASP ones (DataGrid, Button, etc.). Using wizards you hook up event handlers (these can be predefined commands or arbitrary ABAP code). When a web form runs, it is processed on the server and clients receive an HTML page with JS. Reactions to user actions are performed on the server side when the page is refreshed. In web template code there is usually no need to generate HTML, as there is in PHP.
In a certain web form, users enter data into a table represented by the analysis item. The entered data is saved to the cube. After entering the data, the user must change its status (for example, from “New” to “Processed”; the status is transferred with the repost function according to the values of the characteristic that stores the status, and this characteristic is in the same cube).
So the entered data must be signed with an EDS after it is entered and saved, and before the user moves it from the “New” status to “Processed” (the user who entered the data must be the one who signs it).

An online search showed that using an EDS is not as easy as one would like. Most countries have their own laws governing the use of cryptographic tools, for example Federal Law of the Russian Federation of January 10, 2002 N 1-FZ "On Electronic Digital Signature".
In particular, the law establishes the algorithms that must be used for encryption and signature generation, for example the digital signature generation and verification algorithm GOST R 34.10-2001.

Of course, it makes no sense to try to implement these algorithms ourselves, so we look at what the market offers.
For example, the solutions from "LISSI":
http://www.lissi.ru/solution/

They position themselves as saviours on a white horse for SAP people. Their software suite costs more than 300,000 rubles. The software is an API for SAP products that is accessed through ABAP.
The problem is that these products assume the data is signed from ABAP code. On the client we only have a web page with JS. ABAP code can be executed only on the server, for example via an AJAX request. But there is a catch: the user's private key is available only on the client, and it must not be sent to the server. The LISSI solution assumes that a full, non-thin SAP client in which ABAP can run is present on the client machine.
Therefore I rejected the ready-made solutions and implemented the EDS through CAPICOM.

Realization of EDS


Here is a description of how the EDS was implemented.

1 Order of application of EDS

1) The security administrator registers the certificate in the certificate database. The certificate must be obtained from a trusted certification authority.

2) The user works in the system, creates a document and signs it with his private key stored on an external medium. In doing so:
a) A “snapshot” of the document is created (all of its content is selected).
b) A cryptographic signing operation is performed on that content, producing a signature.
c) The fingerprint (thumbprint) is extracted from the signer's certificate and compared with the fingerprint registered for this user. If they match, the signature is saved in the database; otherwise the signature is discarded.

3) On subsequent views of the document, the signature is checked when the document is opened. The signature is retrieved from the database, and a cryptographic verification is carried out over the signature and the document contents.

4) The security administrator can add user certificates to the certificate database and suspend them temporarily or permanently.

2 Implementation of data storage

Signatures are stored in a flat table "Signatures".

image

Database certificates - a set of two flat tables:

image

Keys - the certificates themselves. The table stores the user the key is bound to, the start and end dates of the key's validity, the key itself, the status (blocked or not) and a description.

Suspensions - the set of possible key stoppages. Stores the start, end and pause dates, as well as the ID of the suspended key.
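The certificate check of step 2c (section 1) run against the Keys and Suspensions tables, modelled in JavaScript as an added example; the article's own implementation lives in the ABAP class Z_DIGITAL_SIGNER and is not shown, so the table layouts, field names and sample rows here are assumptions.

```javascript
// Added example, not the article's code: models the server-side check that
// must pass before a signature is written to the Signatures table.
// Table shapes, field names and rows are constructed for this example.

const keys = [ // Keys table: certificate bound to a user, validity window, status
  { id: 1, user: 'IVANOV', thumbprint: 'AA11', validFrom: '2013-01-01', validTo: '2014-12-31', blocked: false },
  { id: 2, user: 'PETROV', thumbprint: 'BB22', validFrom: '2013-01-01', validTo: '2014-12-31', blocked: true },
];
const suspensions = [ // Suspensions table: temporary stops of a key (by key ID)
  { keyId: 1, start: '2013-06-01', end: '2013-06-30' },
];
const signatures = []; // Signatures table: one row per stored signature

// Returns null when the certificate with this thumbprint may sign for `user`
// on date `when` (ISO yyyy-mm-dd), otherwise the reason for refusal.
function certificateRefusal(user, thumbprint, when) {
  const key = keys.find(k => k.thumbprint === thumbprint);
  if (!key) return 'certificate not registered';
  if (key.user !== user) return 'certificate belongs to another user';
  if (key.blocked) return 'certificate blocked';
  if (when < key.validFrom || when > key.validTo) return 'certificate outside validity period';
  const paused = suspensions.some(s => s.keyId === key.id && when >= s.start && when <= s.end);
  if (paused) return 'certificate suspended';
  return null;
}

// Step 2c: the signature is saved only if the thumbprint from the signer's
// certificate matches a usable certificate registered to the logged-in user;
// otherwise the signature is discarded and the reason is reported.
function registerSignature(docNo, user, thumbprint, signature, when) {
  const refusal = certificateRefusal(user, thumbprint, when);
  if (refusal) return { saved: false, reason: refusal };
  signatures.push({ docNo, user, thumbprint, signature, signedAt: when });
  return { saved: true };
}

// "Get latest signature": the row the client fetches when the document is reopened.
function latestSignature(docNo) {
  const rows = signatures.filter(s => s.docNo === docNo);
  return rows.length ? rows[rows.length - 1] : null;
}
```

The cryptographic verification itself (step 3) is not modelled here; in the article it is done on the client through CAPICOM.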

3 Digital Signature System Architecture

The digital signature mechanism is based on the following components.
1) An ActiveX component for access to the cryptographic API (CAPICOM).
2) JS obtains the contents of the document.
3) The ActiveX component's method is called to sign the data.
4) The signature is sent to the server (an ABAP class) to be placed in the signature database.

image

CAPICOM is a library from Microsoft that provides an interface to crypto providers.
1 - the JS code makes calls to the CAPICOM library
2 - the web template forms the data to be signed (XML describing the DataProvider)
3 - the resulting signature is transmitted by AJAX to the ABAP class, which stores it in a flat table
4 - the crypto provider interacts with the eToken automatically

4 API implementation

image

Signer class - implements the user-facing methods: sign, verify signature, get latest signature.
The CryptoProvider class is a CAPICOM wrapper.
ZCL_AJAX_DIG_SIGN - implementation of the interface methods called via AJAX.
Z_DIGITAL_SIGNER - implementation of the methods for saving and looking up a signature, and of the methods for checking the validity of a public key against the key database.

5 Optional verbal description

Consider the procedure for signing / verifying a document.

The user clicks the form button "Approve (save) the document". JS collects the document content that was previously loaded into the HTML code of the template. It calls CAPICOM, which asks the person to select the desired certificate. When the user chooses a certificate issued through CryptoPro specifically for work in the system, CAPICOM contacts the CryptoPro provider, which in turn asks for the token with the private key. Once the token is inserted, the document content is signed. The signature is sent by AJAX to the BSP application, which passes it to the interface class Z_DIGITAL_SIGNER. The class verifies the certificate from the signature and the fact that this certificate is bound to the currently logged-in user. If verification succeeds, it writes the signature to the signature database. The form then changes: a mark about a successful signature appears.

When another user opens the document, its signing status is shown. This happens as follows. JS requests the signatures for the document via AJAX and receives a signature (a priori it was made by the right person and with a certificate from the database of allowed certificates). Then JS calls the CAPICOM “signature verification” method with the “signature” and “document content” parameters. If everything is in order with the document and the signature, the method returns true, so the document is signed and intact.
There is also a GUI for the security administrator for maintaining the database of active certificates.

Connecting EDS to a web template



1) Embed the CAPICOM ActiveX component in the XHTML web template, for example:

<object id="CapicomObj" codebase="bwmimerep:///sap/bw/mime/Customer/JS/bin/capicom.cab" classid="clsid:A996E48C-D3DC-4244-89F7-AFA33EC60679" VIEWASTEXT="" /> 


2) Create a new data provider with the same query as the main one, i.e. make a copy of the provider. This way we obtain the loaded document in HTML form, which is what we will sign. We cannot sign the provider that displays the document in the user's table, because sorting or filtering the table changes the data in that provider, and we need the document in its initial form.

3) Place on the form the component "data provider-information".
Let's call it DATA_PROVIDER_TO_SIGN.
image
Blue is the “data provider-information” component, red is its place in the component palette, yellow is the data provider supplying the document content.

4) Specify in the settings DATA_PROVIDER_TO_SIGN:
Data Provider: We specify the provider’s copy created in step 2.
Navigation Status - Output: Off
Report data: output: On

5) Place the code on the form.
Everything else depends on your imagination. I will not post ALL of my code (AJAX, ABAP, JavaScript); I will leave only a simple wrapper for CAPICOM, which I made based on examples from the Microsoft website.

Pastebin code

And an example of its use
Signing
var SignerProv = new CryptoProvider(this.CapicomObj); // wrapper around the CAPICOM ActiveX object
if (SignerProv.IsCAPICOMInstalled()) {
    SignerProv.Init();
    var Sign = SignerProv.SignedData(DataToSign); // DataToSign: the document content collected by JS
}

Signature verification
var SignerProv = new CryptoProvider(this.CapicomObj);
SignerProv.VerifySert = true; // false disables checking the signer's certificate (assumed from the property name)
if (SignerProv.IsCAPICOMInstalled()) {
    var SRes = SignerProv.VerifySig(ContentToVerif, SignToVerify); // true when the signature matches the content
}

Source: https://habr.com/ru/post/193654/
