Working with digital signatures

Overview of Digital Security

FLM supports two scenarios for the handling of digital signatures:

  1. Outbound scenario - where FLM digitally signing a PDF before it is sent out from the server (usually via email) to a list of recipients.
  2. Inbound Scenario - where FLM receives a digitally signed PDF from an end user at the first step of the workflow.  Thereafter, the PDF travels around a workflow (unsigned), with the signed version attached as a standard PDF attachment.


Configuration of Digital Security

There are some activities required to be able to use digital signatures in the landscape:

  1. Configure ADS to support SSL – see section 5.4 of the ADS configuration guide
  2. Configure FLM to support the required scenario.

Outbound Scenario 

You configure the ‘Maintain Security Settings for Customer’ img activity.  Customers also must install a Certificate of the same name that is configured in the ‘alias’ field above into their ADS installation (see chapter 7 of the ADS configuration guide for how to do this).

There is also the 'Server Side Security' Customer level User Exit for security which becomes active if customers check the box ‘User Exit Active’ above.  Customers can then write code into this user exit to refine which certificates are applied and to which forms.  For example, customers could stop this signing process for all but certain form types.

Inbound Scenario

Here customers simply tick the box ‘store signed forms as attachments to themselves’ and signed inbound forms will be attached to themselves and the signatures analyzed.

There is a parameter (‘im_sig‘) in the routing user exit which allows customers to make a business decision based on the properties of the received signature.  For example, customers could route forms that were received without a valid signature to a different inbox than those that were received with a valid digital signature.


IMG Activity Fields

In SPRO -> IMG -> Cross Application Components -> General Application Functions -> Forms Lifecycle Manager -> Initialize Customer Code -> Advanced Settings -> Maintain Security Settings for Customer.

SSL Functionality Active

Setting the SSL Active flag switches on SSL functionality present in the FLM system, such as the ability to digitally sign out-going interactive forms.   However, all SSL functionality requires the ADS connection to also be configured to support SSL [see the SAP Netweaver Library for details on how to set this up].

SSL Port

The port maintained here is the port number that should be used to send HTTPS traffic to the SAP system from outside the corporate firewall


This port is used by FLM to host SSL traffic to and from the FLM system when for example a form is launched from an email hyperlink outside of the corporate firewall.

Example: Enter '1443'


There is no dependency with the 'SSL Active' flag also maintained here, as that flag is purely concerned with the SSL activation of ADS in order to render digital signatures.

Devices will always switch to HTTPS traffic using this port number if the device is not configured to only support HTTP traffic in the 'Maintain Device Characteristics' activity in the 'Advanced Settings' folder in the IMG.

If no port is maintained here, FLM will use the standard SAP configured SSL Port.

Type of Server-side Security

Indicates the type of server-side Digital Security to Apply to outgoing documents. 

There are 3 possible settings:

  • No server side security applied
  • Apply digital signature.
  • Apply server-side certification.

Certification Permissions

This specifies what type of subsequent changes can be made to a certified document without invalidating the certification. 

There are 3 possible settings:

  • None
  • FormFieldsAndComments
  • FormFields

Reason Field

This field will be visible in the form signature field and is free text.

Location Field

This field will be visible in the form signature field and is free text.

Contact Field

This field is part of the form signature field and is free text - it is visible inside the signature details and not directly from the form itself.

Legal Attestations

Free text indicating the signers legal attestations for the certification or signature. That is, the set of legal statements that the presence of the certification or signature affirms to be true.

Alias - of Certificate to be Used

In the event of not using a default alias to determine which certificate to apply, here you can specify the alias of the specific certificate to be used.  The certificate must have been installed in the Visual Administrator first.  

If this field is left blank, the default aliases will be used as follows:

  • ServerSignature - For applying digital signatures
  • DocumentCertification - For certifying a document
  • ReaderRights - For reader extending a pdf document

The alias ReaderRights is used for reader-extending the document and is always used in conjunction with the Adobe Credential file obtained via SAP,  and is a pre-requisite for applying any kind of subsequent certification or signature.

Note: You may not use the ReaderRights certificate supplied by SAP for certifying a pdf, you must use another certificate.

UserExit Active

Indicates that the server-side user-exit for server-side digital security is active.  In the user exit, any or all of the Server-side properties can be changed on a per-form type basis.

Store Signed Forms as attachments to themselves

If flag is set, any signed form coming into the system would be stored as a pdf attachment to the new instance of the form.