PGPDecryption Module: A Simple How to Guide
This is a continuation of the blog PGPEncryption Module: A Simple How to Guide.
In the earlier blog, we signed and encrypted a file. In this blog, we will see how to decrypt that file and read the original content.
High Level Scenario:
Basics of Decryption:
1. Decryption only
For decryption, we need our private key and its passphrase. There is no need to specify the algorithm explicitly, as the module detects it automatically.
2. Decrypt and Verify
Here, along with our private key and passphrase, we need to provide the partner's public key to verify the sender's signature. There is no need to provide any algorithm information in this case either.
Sender communication channel configuration:
In the above, we have used our private key secring.skr along with its passphrase for decryption, and the partner's public key didikey.pkr for verifying the sender's signature.
Input Message:
Output Message:
End Note:
Even though I have used the file adapter in these blogs, please note that the PGP modules can be used with other adapters as well. By default, all the keys can be stored at the OS level under the path 'usr/sap/<System ID>/<Instance ID>/sec'. If required, you can store them in a different location and then use the parameter keyRootPath to specify the path in the module configuration. Note that the path and the keys should be accessible by the user <SID>adm.
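Because the keyrings live on the file system, it is worth checking that <SID>adm can read them and that nobody else can read the secret keyring or replace the partner key. The script below is an added example, not part of the original blog or of the SAP module; it assumes GNU stat and the .skr/.pkr naming used above, and the function name and finding labels are made up for illustration.

```shell
#!/bin/sh
# Added example: audit the directory holding the PGP keyrings.
# Assumptions: GNU stat; secret keyrings are *.skr and public keyrings *.pkr,
# as with secring.skr and didikey.pkr above. Prints one finding per line and
# returns 0 when clean, 1 on findings, 2 when the directory is missing.
audit_pgp_keydir() {
    a_dir=$1; a_owner=$2; a_rc=0; a_skr=0
    [ -d "$a_dir" ] || { echo "MISSING_DIR $a_dir"; return 2; }

    # Group/other write on the directory lets another OS user swap key files.
    a_mode=$(stat -c '%a' "$a_dir")
    if [ $(( 0$a_mode & 022 )) -ne 0 ]; then
        echo "DIR_WRITABLE_BY_OTHERS $a_dir $a_mode"; a_rc=1
    fi

    for a_f in "$a_dir"/*.skr "$a_dir"/*.pkr; do
        [ -f "$a_f" ] || continue          # an unmatched glob stays literal
        a_mode=$(stat -c '%a' "$a_f")
        if [ "$(stat -c '%U' "$a_f")" != "$a_owner" ]; then
            echo "WRONG_OWNER $a_f"; a_rc=1
        fi
        # The module runs as <SID>adm, so the owner needs read access.
        if [ $(( 0$a_mode & 0400 )) -eq 0 ]; then
            echo "OWNER_CANNOT_READ $a_f $a_mode"; a_rc=1
        fi
        case $a_f in
        *.skr)
            a_skr=1
            # The secret keyring must not be accessible to group or others.
            if [ $(( 0$a_mode & 077 )) -ne 0 ]; then
                echo "SECRET_KEY_EXPOSED $a_f $a_mode"; a_rc=1
            fi ;;
        *.pkr)
            # A replaced partner key would defeat signature verification.
            if [ $(( 0$a_mode & 022 )) -ne 0 ]; then
                echo "PUBLIC_KEY_WRITABLE $a_f $a_mode"; a_rc=1
            fi ;;
        esac
    done

    if [ "$a_skr" -eq 0 ]; then echo "NO_SECRET_KEYRING $a_dir"; a_rc=1; fi
    return "$a_rc"
}
```

Call it with the key directory (the default location or your keyRootPath) and the <SID>adm user name, for example from a scheduled job that alerts on a non-zero return code.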
Hi Shabarish,
Thanks for two great blogs regarding the possibilities of the PGPEncryption/PGPDecryption. These are two modules, which SAP has neglected for far too long and finally they are here.
One thing I really don't understand is why SAP cannot make up its mind on where to store certificates. In most configurations in PI the certificates are stored and accessed - in my mind correctly - in the keystore of the JEE and then we see this exception. Why would they choose to store the certificates for such a vital thing as this in the filesystem? It really bugs me that SAP hasn't made an effort in streamlining handling of certificates towards using the keystore.
Anyways, I was doing a bit of searching for the documentation on how to setup PGP and SFTP, but have not been able to find it. I would appreciate if you could maybe post a link to where SAP is hiding this documentation.
Best regards,
Jacob
Jacob,
From what I understand, SAP has used the Bouncy Castle API for developing their module. The API basically does a FileInputStream kind of read of the certificates, and that seems to be the reason SAP is not storing them in the keystores but at the OS level.
Also, regarding the documentation, I think it is not yet released on the SAP help site. You will have to follow Piyush's blog on the B2B add-on availability and follow the SAP notes. As part of the download mentioned in the note, you will find the documentation as a PDF.
Hi Shabarish,
Based on your blog I developed the decryption module in my FTP-to-file interface. I am getting the below error, please help me: how do I avoid this error? Is it a configuration error, or do we need to install an add-on or import a Java API?
Error:org.Bouncycastle.openpgp.PGPexception:checksum missmatch at 0 to 20.
excellent blog!!!
Excellent blog. Thank you Shabarish for your sharing.
Excellent blog. One question Shabarish: I have created the sender channel following the instructions and the Private and Secret Key are being referenced from OS level file system properly. However I have a secret key issue where the channel fails because the key is not being found.
It seems that it's happening due to an inconsistent file *.skr.
Any help will be appreciated.
Thanks.
Nice blog. On similar lines and from an information point of view, sekhar.dachepalli's blog: http://scn.sap.com/people/sekhar.dachepalli/blog/2010/12/16/pgp-encryption-and-decryption-process-in-pi
Dated as far back as Dec 16, 2010.
Nice blog.
Is GPG supported by SAP PI for decryption?
Hi Vipul,
SAP PI Supports for decryption.
Hi Shabarish,
I have to do SFTP (.PGP) file to PO to Proxy interface with mapping involved.
For this first I have to do decryption of .pgp file in sender sftp channel, is this correct? then only I will be able to do mapping, correct me if I am wrong.
If this is correct then you have mentioned ownPrivatekey in your screenshot, from where I will get value for this. For public key I will ask from sender.
Regards,
Dheeraj Kumar
Hi Dheeraj,
Yes, on the sender side you have to decrypt the encrypted file and then do the mapping.
Regarding Private Key:
1) You have to generate your Public and Private key by using the tools provided.
2) Exchange your public keys between you and your partner.
3) In Module configuration provide your own Private key details.
The partner has provided us with the partner key with a .txt extension. Can we deploy the key with the same extension, or do we need to change the extension of the public key to .pkr or any other format?
Hi Shabarish,
Can this decryption be done without the SAP PI module? We are using SAP as a development environment and wanted to decrypt the client file.
Regards,
Avinash
Hi Shabarish,
I am currently working on a scenario where PI will decrypt an encrypted file (using our public key) without verification of the sender. For this, I am using ownPrivateKey and pwdOwnPrivateKey, these two parameters in the PGP Decryption module, as suggested in your blog too.
But I am getting this error: Parameter partnerPublicKey is not set: please check the module configuration. So, could you please let me know whether the signing by the sender is important in the decryption process or not, for which we require the partner's public key? Please find the screenshot for the same.
I would highly appreciate it if you could respond to this query on a priority basis.
Thank you,
Regards,
Pooja Varshney