Configuration Guide - Digital Signature and Certificate

Post on 19-Nov-2014


NF-e Project
E-Invoicing Project
Digital Signature and Certificate


Document Control

Table of Contents

1 Introduction

2 Step I: Permission Configuration

3 Step II: Install Digital Certificates

4 Step III: Configuration Test


1 Introduction

The following requirement has been reported:

Current Business Process:
The Digital Signature service is an Enterprise Java Bean (EJB) that is deployed in the J2EE Engine of SAP Netweaver Application Server (SAP Netweaver AS) Java. The service has two main functions:

To access the Key Storage service of the J2EE Engine to retrieve the digital certificates that are used in the digital signature;

To execute the digital signature of the XML message (of authorization, cancellation and skipping request messages).

For the digital signature to be accessed through SAP Netweaver Exchange Infrastructure (SAP Netweaver XI), it has a Web Service interface. This interface can be accessed through the Web services Navigator Tool in the J2EE Engine where the Digital Signature service is deployed.

The Digital Signature uses a digital certificate to sign the data. In order to execute the digital signature for documents, you need digital certificates, which are files containing a key pair (public and private) that electronically assures the identity of the holder of the certificate. In SAP Netweaver AS Java, the digital certificates are installed and maintained within the Key Storage of the J2EE Engine. The Digital Signature service needs to access this Key Storage to retrieve the digital certificates that are going to be used in the signature.

Requirement:
Among the several technical definitions of the Brazilian government, it is required that all request messages be digitally signed under some specific requirements. This includes authorization, cancellation and skipping requests. Therefore, a specific service was developed to execute the digital signature of these messages according to these requirements.

Changes to be done:
To access the digital certificate in the Key Storage, the digital signature service has to be granted a special permission in Runtime. To grant this permission for the digital signature service of SAP NFE, go to the Security Provider service in the Visual Administrator tool of the J2EE Engine to attribute this permission.
The Key Storage is organized by views (like folders of certificates) and entries (each entry refers to a certificate which was loaded into the Key Storage).
To install the digital certificates to be used for SAP NFE 1.0, follow these steps:

Choose a view to install the certificates: either use a standard view or create a new one named NFE using the “create view” button;

Select the chosen view NFE, and then click the “load” button for the entry. Select the digital certificate file and enter the proper password.

Objective:
With the digital certificate loaded, the digital signature can sign the data. With the digital signature configured, all request messages will be digitally signed under some specific requirements. This includes authorization, cancellation and skipping requests.


2 Step I: Permission Configuration

Before you start, make sure that all the steps of the document “Guide Certificate Exportation.doc” have been completed.

The permission configuration is done in the GRC NFE JAVA Application INSTANCE.
Access Visual Administrator >> Cluster >> Server >> Services >> Security Provider >> Protection Domains >> sap.com.


Access grc~nfe~dsig >> EJBContainer >> applicationjars >> sap.com~grc~nfe~dsig~dsigbean.jar.


Add permission, option NEW in Available permissions.
Folder: java.lang.RuntimePermission (Specify Class Name), VARIANTS
Permission: XiSecurityRuntimePermission (Specify Target Name)
Attribute in Granted permissions.

In the production environment, attribute the permission to the central instance and to each application server.


3 Step II: Install Digital Certificates

The scenario explains the process of the NFE Digital Certificate configuration in Java.

The digital certificates are installed in the GRC NFE JAVA INSTANCE of the Application and the Integration. The Digital Signature uses a digital certificate to sign the data, and the certificates must be loaded in the Key Storage Java service. In Production, the sequence of certificates is installed in the Central Instance and attributed automatically to each application server.

For installation on the GRC NFE JAVA Application INSTANCE, access Visual Administrator >> Cluster >> Server >> Services >> Key Storage.

Create a view for the NFe solution and use the Load option to import the Digital Certificate.


4 Step III: Configuration Test

Access the Java administration URL and click on Web Services Navigator.


Choose the Digital Signature web service.


In the Digital Signature web service menu, click on TEST.


Click on the operation “sign”.


The parameters for test and validation can be filled with the test information below:
Key storage view: NFE
Key Storage entry: Unilever_alimentos_nfe_01615814000101
Reference Id: 12345
Xml: <a><b Id='12345'><data>ãàäâ</data></b></a>
Check Cert: true
Do not change the time out.

Click on SEND.


Enter J2EE_ADMIN or J2EE_GUEST or the specific user created for the Signature Service, and the respective password.


Check that the answer is OK. The configuration was completed successfully.
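What the “sign” operation does with the Reference Id can be reproduced outside the J2EE Engine. The following is an added example, not SAP's code and not part of the original guide: it signs the test XML above by reference to Id 12345 with the JDK's XML Digital Signature API and then checks that a change inside the signed element invalidates the signature. The class name, the throwaway RSA key, the SHA-256 based algorithms and Java 11 or later are assumptions; the deployed service takes its key from the Key Storage entry.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SignByReferenceId {  // hypothetical class name
    static boolean valid(XMLSignatureFactory f, PublicKey key, Document doc) throws Exception {
        Node sig = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(key, sig);
        return f.unmarshalXMLSignature(ctx).validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        // Test message and Reference Id from the guide; the accented data is written as Unicode escapes.
        String xml = "<a><b Id='12345'><data>\u00e3\u00e0\u00e4\u00e2</data></b></a>";
        String referenceId = "12345";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        // No DTD or schema declares "Id" as an ID, so register it; otherwise "#12345" cannot resolve.
        Element signed = (Element) doc.getElementsByTagName("b").item(0);
        signed.setIdAttribute("Id", true);
        // Constructed throwaway key pair (assumption); the deployed service uses the Key Storage entry.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Reference ref = f.newReference("#" + referenceId,
                f.newDigestMethod(DigestMethod.SHA256, null),
                List.of(f.newTransform(CanonicalizationMethod.INCLUSIVE, (TransformParameterSpec) null)),
                null, null);
        SignedInfo info = f.newSignedInfo(
                f.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
                f.newSignatureMethod(SignatureMethod.RSA_SHA256, null), List.of(ref));
        // The <Signature> element is appended under the root <a>, beside the signed <b>.
        f.newXMLSignature(info, null).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));

        System.out.println("valid after signing:   " + valid(f, kp.getPublic(), doc));
        // Any change inside the referenced element must break the signature.
        signed.getFirstChild().setTextContent("changed");
        System.out.println("valid after tampering: " + valid(f, kp.getPublic(), doc));
    }
}
```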
