Question / Problem:
In KIC it is possible to convert password protected PDFs when the password is known and entered in a custom script for the decryption.
The same scripting method is not available in KTA, therefore a feature was implemented into KTA 7.6 to process such documents.
The document conversion activity supports converting password protected PDF documents to PDF or TIFF or PDF/A, but does not support converting password protected PDF Portfolio, MS Office documents or ZIP files.
Answer / Solution:
Beginning with KTA 7.6, there is a new field in the document conversion activity - configuration tab with the name: "Passwords".
You can select a complex variable which holds the known passwords (type: string) for the password protected PDFs for which you want to have a conversion.
The online help says to use a dynamic complex variable but a complex type works as well.
Configuration details have been enhanced in the online help of KTA 7.9 but it doesn't provide any details about what the configuration looks like when you want to use this feature.
A .NET node is needed to encrypt the password before passing it to the document conversion activity.
In older versions like 7.6.x - 7.8.x, you would need to use the SecurityService class from the Total Agility SDK.
This was corrected in 7.9 and now the ServerService should be used. (bug 1579145)
The needed method is "EncryptStrings" (you will notice that this is not available under ServerService in the older KTA versions).
After configuring this with the session ID, you need to select the variable with the password(s) for the unencryptedData and next the variable to return the encrypted data.
In the document conversion activity, select the variable with the encrypted data for the Passwords field.
The passwords can be seen in clear text in the KTA map for a short period of time until they are encrypted, therefore our best practice recommendation is that these steps reside in a synchronous process to avoid any potential security issue.
Below you can find some screenshots on what the configuration looks like:
Besides the folder variable, add 2 complex variables into the process:
"clear" is the variable for the used password(s) in plain text and "encrypted" would be the variable, like the name says, for the encrypted password(s).
Here is an example for the variable with the passwords:
For the "encrypted" variable, no specific configuration is needed.
And in the .NET activity, we have the following configuration:
Beginning with 7.9, we are using the previously mentioned ServerSecurity class:
And the document conversion activity looks like this:
The process map is actually very simple:
Attached are 2 sample processes (Convert PW PDF (7.6r2).zip and Convert PW PDF (7.9).zip) which can be imported for you to check the full configuration.
One was made with 7.6 R2 which can be imported in newer KTA versions as well.
The 2nd one is from 7.9 using the new class, everything else is the same.
Also included (test documents.zip), are some test documents for the import (note: the document password is written in the file name within the brackets).
To provoke an error, import “PWprotectedDoc(passwordprotected).pdf” for which the password isn’t included in the “clear“ variable.
The result would be a suspended document conversion node with the error: “Document Conversion failed with exit code 1”.
The same is visible in the document conversion trace and in the transformation server logs.
Checking the KFXConverter.log (C:\ProgramData\Kofax\KFXConverter), you can see entries trying to unlock the password protected PDF and for this document it should fail.
A document review activity can be added at the end to check the conversion result, but this is optional.
You could check this in the repository browser as well (if you have done a TIFF conversion, the exported PDF from there would still be password protected).
In case of a PDF/A normalization, of course the original file is still password protected and the PDF/A conversion result is not.