PGPEncryption Module: A Simple How to Guide
I am sure many of you are by now aware that SAP has released B2B and SFTP/PGP capabilities for SAP PI. Earlier, we had to depend on third-party vendors for this; with SAP filling this gap, I strongly believe that PI is now in a better position to be provisioned as a true enterprise service bus.
If you are on PI 7.11, the prerequisite for installing and using these new add-ons is SP08. I have been able to get my hands on a PI 7.11 SP08 machine and have successfully tested the PGP module as a start. In this blog, I will explain how to do PGP encryption using the SAP-provided standard module PGPEncryption.
For simplicity's sake, I have created a simple scenario as follows:
A Basic Introduction to PGP Encryption:
1. Encryption Only
To do encryption, we will use the public key provided to us by the partner. Along with the public key, we also need to know which encryption algorithm the partner expects. There are various algorithms; the SAP standard module supports the following: AES_128, AES_192, AES_256, BLOWFISH, CAST5, DES, 3DES and TWOFISH.
2. Sign and Encrypt
In this case, along with the public key provided to us by the partner, we also need our own private key and its passphrase, which we will use to sign the message. Along with the encryption algorithm, we can also choose the signing algorithm. Currently the supported algorithms for signing are MD5, RIPEMD160, SHA1, SHA224, SHA256, SHA384 and SHA512.
We can also define the compression to be applied to the message, which helps reduce the message size. This is optional, but if used, the supported compressions are ZIP, ZLIB and BZIP2.
Receiver Communication channel configuration:
In the communication channel below, we use both signing and encryption while sending the message to the receiver.
Note that in the above, we have used the partner's public key pubring.pkr for encryption and our private key didikey.skr along with its passphrase for signing the messages. We have also used ZIP as the compression mode.
By default, the keys can be placed under the path /usr/sap/<System ID>/<Instance ID>/sec. If you want to use a different path, use the parameter keyRootPath to define your custom path.
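Before saving a channel it is worth checking that the module parameters actually describe one of the two modes above completely and do not quietly fall back to a legacy algorithm. The checker below is an added example written for this guide; it is not SAP code. The parameter names encryptionAlgo, partnerPublicKey, signingAlgo, keyRootPath, applyEncryption, asciiArmored and format appear in this guide; applySignature, ownPrivateKey, ownPrivateKeyPass and compression are assumed names for the signing and compression settings described above, and the defaults for applyEncryption and applySignature are assumptions as well. The two sample parameter sets are constructed.

```python
"""Consistency check for a PGPEncryption module parameter set (added example for
this guide, not SAP code). It verifies that the parameters describe one of the
two modes above completely, that the algorithms are in the module's supported
lists, and it flags legacy algorithms that are selectable but no longer safe.
encryptionAlgo, partnerPublicKey, signingAlgo, keyRootPath, applyEncryption,
asciiArmored and format are named in this guide; applySignature, ownPrivateKey,
ownPrivateKeyPass and compression are assumed names for the signing and
compression settings the text describes."""

ENCRYPTION_ALGOS = {"AES_128", "AES_192", "AES_256", "BLOWFISH", "CAST5", "DES", "3DES", "TWOFISH"}
SIGNING_ALGOS = {"MD5", "RIPEMD160", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512"}
COMPRESSIONS = {"ZIP", "ZLIB", "BZIP2"}
# Still selectable in the module but not recommended; the reasons are the generic ones.
LEGACY = {"MD5": "collisions are practical", "SHA1": "collisions are practical",
          "RIPEMD160": "legacy 160-bit digest, prefer a SHA-2 variant",
          "DES": "56-bit key is brute-forceable", "3DES": "64-bit block size",
          "CAST5": "64-bit block size", "BLOWFISH": "64-bit block size"}


def check_module_params(params: dict) -> list:
    """Return (level, parameter, message) findings; an empty list means the set is consistent."""
    findings = []

    def flag(level, name, msg):
        findings.append((level, name, msg))

    # Defaults: signingAlgo=SHA1 is what the module logs when the parameter is absent (see
    # the audit log in the comments); applyEncryption=true/applySignature=false are assumed.
    encrypt = str(params.get("applyEncryption", "true")).lower() == "true"
    sign = str(params.get("applySignature", "false")).lower() == "true"
    if not (encrypt or sign):
        flag("ERROR", "applyEncryption", "neither encryption nor signing is enabled")
    if encrypt:
        if "partnerPublicKey" not in params:
            flag("ERROR", "partnerPublicKey", "encryption needs the partner's public key ring")
        algo = params.get("encryptionAlgo")
        if algo is None:
            flag("WARN", "encryptionAlgo", "not set; pick one explicitly instead of the default")
        elif algo.upper() not in ENCRYPTION_ALGOS:
            flag("ERROR", "encryptionAlgo", f"{algo} is not in the module's supported list")
        elif algo.upper() in LEGACY:
            flag("WARN", "encryptionAlgo", f"{algo}: {LEGACY[algo.upper()]}")
    if sign:
        for name in ("ownPrivateKey", "ownPrivateKeyPass"):
            if name not in params:
                flag("ERROR", name, "signing needs our private key ring and its passphrase")
        algo = params.get("signingAlgo", "SHA1").upper()
        if algo not in SIGNING_ALGOS:
            flag("ERROR", "signingAlgo", f"{algo} is not in the module's supported list")
        elif algo in LEGACY:
            note = " (module default, set it explicitly)" if "signingAlgo" not in params else ""
            flag("WARN", "signingAlgo", f"{algo}: {LEGACY[algo]}{note}")
    comp = params.get("compression")
    if comp is not None and comp.upper() not in COMPRESSIONS:
        flag("ERROR", "compression", f"{comp} is not one of ZIP, ZLIB, BZIP2")
    return findings


# Constructed samples: an "encryption only" channel with a weak cipher, and the "sign and
# encrypt" setup from this guide with current algorithm choices (passphrase is a placeholder).
WEAK_PARAMS = {"applyEncryption": "true", "partnerPublicKey": "pubring.pkr",
               "encryptionAlgo": "DES"}
HARDENED_PARAMS = {"applyEncryption": "true", "applySignature": "true",
                   "partnerPublicKey": "pubring.pkr", "encryptionAlgo": "AES_256",
                   "ownPrivateKey": "didikey.skr", "ownPrivateKeyPass": "<passphrase>",
                   "signingAlgo": "SHA256", "compression": "ZIP", "asciiArmored": "true"}

if __name__ == "__main__":
    for sample in (WEAK_PARAMS, HARDENED_PARAMS):
        print(sample, check_module_params(sample) or "OK")
```

Run as a script it prints one finding for the weak set (DES) and OK for the hardened one. A signing-only set without signingAlgo gets a warning because the module's logged default is SHA1; setting the parameter explicitly keeps the choice visible in the channel configuration rather than buried in a default.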
Input file used:
Signed and encrypted message:
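The output above is an ASCII-armored OpenPGP message, and a few things can be read off it without any key: whether the armor is intact, which key ID the session key was encrypted to (so you can confirm the right partner key ring was used), whether the payload carries an integrity-protected container, and, in unencrypted output, the filename the module embedded in the literal data packet. The inspector below is an added example for this guide, not code from SAP's module or from Bouncy Castle; it follows the packet and armor formats of RFC 4880. The demo message at the end is constructed, with filler bytes in place of the encrypted session key and payload, so it can be inspected but not decrypted.

```python
"""Inspect the outer packets of an OpenPGP message (RFC 4880) without any key.
Added example for this guide, not code from SAP's PGPEncryption module or from
Bouncy Castle. The demo message at the bottom is constructed with filler bytes."""
import base64
import re

PACKET_TAGS = {1: "Public-Key Encrypted Session Key", 8: "Compressed Data", 11: "Literal Data",
               9: "Symmetrically Encrypted Data (no MDC)", 18: "Sym. Encrypted Integrity Protected Data"}
PUBKEY_ALGOS = {1: "RSA", 2: "RSA (encrypt-only)", 16: "ElGamal", 17: "DSA"}

def crc24(data: bytes) -> int:
    """CRC-24 of the armored payload (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Return the binary payload of a PGP MESSAGE armor block after checking its CRC24."""
    m = re.search(r"-----BEGIN PGP MESSAGE-----\n(.*?)-----END PGP MESSAGE-----",
                  text.replace("\r\n", "\n"), re.S)
    if not m:
        raise ValueError("no PGP MESSAGE armor found")
    head, sep, rest = m.group(1).partition("\n\n")  # armor headers end at a blank line
    lines = [l.strip() for l in (rest if sep else head).splitlines() if l.strip()]
    data = base64.b64decode("".join(l for l in lines if not l.startswith("=")))
    crc_lines = [l for l in lines if l.startswith("=")]  # trailer: "=" + base64 of the CRC
    if crc_lines and int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big") != crc24(data):
        raise ValueError("armor CRC24 mismatch: message altered or truncated")
    return data

def parse_packets(data: bytes) -> list:
    """Split data into (tag, body) pairs; handles old/new headers and partial body lengths."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {pos}")
        pos += 1
        if ctb & 0x40:                                    # new-format header
            tag, chunks, partial = ctb & 0x3F, [], True
            while partial:
                first, pos = data[pos], pos + 1
                if first < 192:
                    length, partial = first, False
                elif first < 224:
                    length, partial = ((first - 192) << 8) + data[pos] + 192, False
                    pos += 1
                elif first == 255:
                    length, partial = int.from_bytes(data[pos:pos + 4], "big"), False
                    pos += 4
                else:                                     # partial chunk, more follow
                    length = 1 << (first & 0x1F)
                chunks.append(data[pos:pos + length])
                pos += length
            body = b"".join(chunks)
        else:                                             # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            n = 1 << ltype if ltype < 3 else 0            # ltype 3: runs to end of data
            length = int.from_bytes(data[pos:pos + n], "big") if n else len(data) - pos
            pos += n
            body, pos = data[pos:pos + length], pos + length
        packets.append((tag, body))
    return packets

def describe(data: bytes) -> list:
    """Report each top-level packet with the fields that are readable without a key."""
    report = []
    for tag, body in parse_packets(data):
        info = {"tag": tag, "name": PACKET_TAGS.get(tag, "other"), "length": len(body)}
        if tag == 1 and len(body) >= 10:      # version, 8-byte key ID, public-key algorithm
            info["key_id"] = body[1:9].hex().upper()
            info["pubkey_algo"] = PUBKEY_ALGOS.get(body[9], str(body[9]))
        elif tag == 11 and len(body) >= 6:    # format byte, name length, filename, date, data
            info["filename"] = body[2:2 + body[1]].decode("utf-8", "replace")
        report.append(info)
    return report

def new_packet(tag: int, body: bytes) -> bytes:
    n = len(body)                             # new-format header; used to build the demo only
    length = (bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
              if n < 8384 else b"\xff" + n.to_bytes(4, "big"))
    return bytes([0xC0 | tag]) + length + body

def armor(data: bytes) -> str:
    b64 = base64.b64encode(data).decode()      # the asciiArmored=true wrapper with CRC trailer
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP MESSAGE-----\nVersion: constructed demo\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP MESSAGE-----\n")

# Constructed sample: v3 session-key packet to key ID 0123456789ABCDEF (RSA), then a v1 SEIPD packet.
DEMO_KEY_ID = bytes.fromhex("0123456789ABCDEF")
DEMO_MESSAGE = armor(new_packet(1, b"\x03" + DEMO_KEY_ID + b"\x01" + bytes(256))
                     + new_packet(18, b"\x01" + bytes(range(256)) * 40))
```

Calling `describe(dearmor(DEMO_MESSAGE))` returns one entry per top-level packet; on a real file from the channel, the key ID of the tag 1 packet should be the one on the partner's public key, and a tag 9 container instead of tag 18 means the sender produced output without an integrity check. The filename field of the literal packet is only visible once the data is decrypted, which is where a receiving PGP implementation picks up whatever name the sender embedded.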
In the next blog, I will show you how we can decrypt this file to a human readable content 🙂
Great!! You have got your hands dirty with the new SP feature of PI.
It will be helpful for newbies if you can share the paths of the keys where they are stored, and also any available tools for generating the keys for playing.
Updated the blog to include the key file path.
Regarding the test tool, there are many tools available online. Just search with the term 'pgp key generator'. The one I have used was already existing in my landscape.
Good to have this nice blog so soon with usage of PGP modules. Thx
@Rajesh, I have tested similar functionality with modules provided by another product vendor, Advantco.
Keys used for testing have been generated by the tool PGP Desktop 10.1.1. Hope it should work fine with this case as well.
I have a requirement to implement PGP from Tumbleweed to SAP ECC using the SFTP/PGP modules; I have got the public and private keys from Tumbleweed in .txt format.
As I am following your blog to implement this, I noticed that we need the Public Keyring (.PKR) and Secure Keyring (.SKR) from Tumbleweed apart from the public key and private keys to be used in the PGP module parameters.
When I ask the Tumbleweed team to provide me the .PKR and .SKR, they say they cannot share them.
Is there any way we can generate Tumbleweed .PKR and .SKR files to be used for PGP?
I am able to generate my own .PKR and .SKR using the PGP Desktop software.
Please help me with your expert suggestions on how to go about this.
I believe you have your own .PKR and .SKR keys. In order to implement the PGP encryption and decryption, share your public key (.PKR) with Tumbleweed, and Tumbleweed should share their public key (.PKR) with you.
Ask Tumbleweed to share their .PKR key so that you can decrypt the files. But Tumbleweed won't share the .SKR as it is the private key and cannot be shared with anyone.
If they are using any signing of the message, then you can use your .SKR in the module as shown above.
Please let us know if you have any queries.
You can use the public key in the format *.asc; this will do.
If you still need a .pkr (Public Key Ring) and .skr (Secure Key Ring), you can get many tools to generate the key rings, like AEDAPTIVe, etc.
Just make sure you place these keys in the tool and generate the key rings.
Thanks for the blog - it really helped!
We required PGP decryption and were able to use it on 7.1 SP4 even though the prerequisite is SP8. We didn't have to use other features of the add-on and hence can't be sure about them.
I am very new to PGP. I got a fair idea of the process. Thank you so much for writing this.
Please keep writing more blogs. If possible I would love to attend some seminars from you.
Thanks for comment Anupam 🙂
Great blog! Thanks for sharing this valuable information with us.
In the blog you mentioned that currently the following signing algorithms are (standard) supported: MD5, RIPEMD160, SHA1, SHA224, SHA256, SHA384 and SHA512. However, I cannot see in the screenshots where you configure it. Could you please explain that further? For instance, what steps are needed in order to configure a signing algorithm?
Use the parameter signingAlgo with the possible values MD5, RIPEMD160, SHA1, SHA224, SHA256, SHA384 or SHA512. By default, the value is SHA1.
We are trying to implement the new PGPEncyption Module. We are on PI 7.3 and have followed the standard procedure to install the add-on. On executing a basic encryption scenario, we get a JNDI:name not found error for the EJB bean localejbs/PGPEncyption.
The receiver communication channel is an NFS based channel.
Did you face this kind of issue? If yes, please help us with possible solutions.
Thanks in advance
Please recheck the spelling of localejbs/PGPEncyption. It should be PGPEncryption.
We are trying to implement the new PGPEncryption Module. We are on PI 7.11 SP08 and have followed the standard procedure to install the add-on.
In the File Receiver Adapter we use the new PGPEncryption Module only with the parameters:
- encryptionAlgo AES_256
- partnerPublicKey pubring.gpg
But in the communication channel we get the error:
Error PGP Encryption Module: Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher)
12.06.2012 11:02:35.990 Error PGP Encryption Module: Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher)
12.06.2012 11:02:35.990 Error MP: exception caught with message Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher)
12.06.2012 11:02:35.990 Error Adapter Framework caught exception: Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher)
12.06.2012 11:02:35.991 Error Delivering the message to the application using connection File_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.lang.Exception: Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher).
Can you help us?
Thanks in advance
It could be a potential unlimited JCE issue.
Could you try as described in the section 'Unlimited JCE' of this document -
It's solved, thank you very much.
I had forgotten to change the JCE in a folder.
good to know 🙂
Very nice info regarding the config of SFTP scenario. Keep up the good work!
We have implemented the same; however, we have encountered a peculiar issue. The message does not pass through after it is done in the module processor. Below is the log:
21.06.2012 16:05:30.170 Information MP: processing local module localejbs/PGPEncryption
21.06.2012 16:05:30.170 Information PGP Encryption Module: Message xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx arrived in PGP Module.
21.06.2012 16:05:30.171 Information PGP Encryption Module: The module-paramteter "asciiArmored"is not set. Using default value "true"
21.06.2012 16:05:30.171 Information PGP Encryption Module: The module-paramteter "format"is not set. Using default value "binary"
21.06.2012 16:05:30.171 Information PGP Encryption Module: The module-paramteter "keyRootPath"is not set. Using default value "/usr/sap/XXX/XXXXXXX00/sec"
21.06.2012 16:05:30.171 Information PGP Encryption Module: Reading public key at /usr/sap/XXX/XXXXXXX00/sec/rsapubring.pkr
21.06.2012 16:05:30.194 Information PGP Encryption Module: The module-paramteter "signingAlgo"is not set. Using default value "SHA1"
21.06.2012 16:05:30.194 Information PGP Encryption Module: Reading private key at /usr/sap/XXX/XXXXXXX00/sec/rsaccakey.skr
21.06.2012 16:05:30.201 Information PGP Encryption Module: Creating ASCII-Armor
21.06.2012 16:05:30.201 Information PGP Encryption Module: Applying compression.
21.06.2012 16:05:30.201 Information PGP Encryption Module: Signing
21.06.2012 16:05:30.201 Information PGP Encryption Module: Processing
21.06.2012 16:05:30.666 Information PGP Encryption Module: Applying encryption
21.06.2012 16:05:30.681 Information PGP Encryption Module: Message successfull processed.
21.06.2012 16:05:30.682 Information MP: processing local module localejbs/CallSapAdapter
21.06.2012 16:05:30.682 Information MP: leaving
21.06.2012 16:05:30.683 Information The message was successfully delivered to the application using connection SFTP_http://sap.com/xi/XI/SFTP.
21.06.2012 16:05:30.689 Information The message status was set to DLVD.
Could you help me out on this one? Thanks.
Do you know of any way to not store the message ID in the encrypted file?
One of our partners doesn't use PI to decrypt the files we send to them encrypted, but uses PGP8 on their servers.
Whenever I send them an encrypted file (e.g. the original file is testfile.csv, and the encrypted file written to the partner's SFTP server is testfile.csv.pgp), it decrypts to the message-id as filename instead of just subtracting the .pgp file extension.
I think this is very annoying. We tried to set asam to the communication channels, but this didn't work.
Can I use PGP Desktop 10.1.1 if I am on PI 7.11 SP5?
Can you please help me regarding the below issue.
I encrypted the file and sent it to my vendor, but while decrypting on the vendor side it is giving the below error. Just used 2 modules only: applyEncryption/PartnerPublicKey
PI - 7.31
pass phrase: event 23: Decryption symmetric cipher used: CAST5 event3: error -11391 event2: final Error decrypting file '834_TEST20120914-062150-197.PGP'. Corrupt data.
badpacket exitcode= 32
I am using PGP encryption software - GNUPG
and Vendor is using - E-business server.
I just found there were some compatibility issues between GNUPG and E-Business server.
Please advise your thoughts.
Did anyone test PI 7.31 encryption/decryption with the vendor?
On PI7.3 EHP1, can we use PGP encryption while sending a file as part of multipart HTTPS POST request?
Please let me know...
Is this module supported by PI 7.1 SP06 in the FTP channel? Please advise.
SAP note 1695563 specifically says that the module is compatible with the following releases:
I am working on your approach as a POC. I have a few doubts; can you please help me out with these questions?
1) Do I need to write an adapter module for this approach?
2) Where will I get the partner's public key pubring.pkr for encryption and our private key didikey.skr?
3) Do I need to import those keys into the PI trust store in STRUST?
4) Do I use FileZilla as the FTP server?
My PI version is 7.3 SP5.
Thanks & Regards
1) No, the necessary modules are all provided by SAP as part of the B2B add-on and can be downloaded separately from the SAP support portal.
2) Your partner's public key is sent to you by your partner; your private key you have to create on your own. Please find the documentation on how to create a GPG public/private key pair for your operating system on the net or on the SCN.
3) no... just put them into the file system as specified in the SFTP/PGP adapter/module documentation.
4) you can use whatever ftp server you want. 🙂
Can anyone please suggest how to use RSA Encryption Algorithm in PGP Module
In a default installation RSA encryption algorithm is not possible. According to the configuration guide the only possible encryption algorithms are:
AES_128, AES_192, AES_256, Blowfish, CAST5, DES, 3DES and Twofish.
I found this article just today, it's a good work.
I would add just a warning in the blog: being a guide for beginners, I would add that some algorithms have long been dead or otherwise unsafe, like MD5 and DES (definitely unsafe), or SHA1, RIPEMD160, CAST5 and 3DES, which are at risk at least theoretically.
I also ran into this article today and found it pretty useful for my first time working with the PGP add-on.
Thanks to both of you for sharing your knowledge.
Nice Work !
Need your help : I want to replicate exact scenario in my System.
But I didn't get this: where to get the private and public key, as I am creating a test scenario. So about the client public key, can I generate it from somewhere?? And our private key, do I have to generate it somewhere in the SAP PI system???
please refer - http://scn.sap.com/community/pi-and-soa-middleware/blog/2013/03/27/pgp-and-sftp-faq-sheet
Although the thread has existed for quite a long time, it is still relevant. I present a scenario just as in your blog, and it is the decryption stage where I face problems. I am using the following for encryption in the SFTP receiver adapter:
And the sftp sender adapter decryption settings are :
And when I send a file, it's encrypted correctly (I decrypt it locally). But the recipient cannot decrypt the file; the SFTP adapter gives the following error:
I will highly appreciate if you could give me some hints / solution on this
And what is the problem exactly?
Thanks for the prompt reply. The problem is decryption fails, and get the following exception:
Error: java.security.NoSuchAlgorithmException: No such algorithm: IDEA/CFB/NoPadding
I am using the AES_128 algorithm, and still the decryption module fails.
While in Sabharish's blog, he has successfully demonstrated the decryption stage to work.
Appreciate your suggestions.
Have you encrypted the message? Or your partner? I ask because it makes no sense, besides a proof of concept, to encrypt your message and then decrypt it afterwards with a second interface.
Just a guess from my side (in the hope that it helps):
If your partner has encrypted the file, please ask him which algorithm he has used, because your error message says that AES_128 wasn't used, but an IDEA algorithm, probably used by an OpenPGP implementation.
The libraries used by the PGP module (bouncycastle) do not support them as far as I know.
So please ask the one providing you the file which kind of PGP, PGP version and algorithm he is using for encrypting the file.
If this is sorted out please let him use compatibility modes or algorithms that the SAP PGP module supports.
Yes, it's a scenario I am running on my PI instance. I created a sender that encrypts the message (pic 1 in my first query); the file is placed in an SFTP server directory.
Then I have created a recipient that picks up this encrypted file, decrypts it (pic 2 in my first query) and sends it to another SFTP server location.
And it's this recipient decryption stage that fails (pic 3 in my first query).
Ok, so some kind of proof of concept. 🙂
Did you try to do the same with two key pairs? I.e. generate a second key pair to simulate a receiver/sender different from your system?
Yes, I have two keyrings, one used for the sender and the other for the recipient.
Then I have no idea, to be honest.
The below error occurred when using the PGP module in the File adapter with localejbs/PGPEncryption. Kindly advise.
"java.lang.Exception: Exception in XML Parser (format problem?):'org.xml.sax.SAXParseException: Content is not allowed in prolog.'"
Are you using FCC in your scenario? If yes, please use the Module transform bean instead of using normal FCC content conversion. That will solve your PGP problem.
Thanks Pravan. The prolog error is solved.
I used the Module transform bean already. The only thing I missed is that normal FCC is unselected. Thank you for your inputs.
Kindly confirm whether we need to delete the module parameter "localejbs/ModuleProcessorExitBean". When we are using this, we are getting the below exception; could you please guide me.
"MessagingException: java.lang.NullPointerException: SFTP "
We are getting the following error in the receiver channel.
nested exception is: java.lang.NullPointerException: while trying to invoke the method com.sap.engine.interfaces.messaging.api.Message.getMessageKey() of an object loaded from local variable 'msMessage'
BASIS has confirmed that JCE unlimited has been installed and the system was restarted.
Could you kindly help?
Unlimited JCE and the module sequence solve this.
Found out the 'CallSapAdapter' was the culprit. Once I removed it, the PGP module worked.
How to use the "Diffie-Hellman" algorithm in PGP encryption in SAP PO?
We are using PI 7.3, and for a B2B requirement we are supposed to send the MT100 message to banks after signing the message using the PKCS7 standard algorithm. Can anyone explain how this would be achieved?
Can anyone tell me, can we encrypt CSV files in PI and send them to the file adapter?
All in the receiver adapter as described in the official SAP documentation. 😉
In our case, when we try with a simple txt file, it's happening, i.e. it's converting into an encrypted document. But when it's a CSV file it's not happening; the same flat file is processed to the receiver folder.
Note: the sender is the SFSF adapter and the receiver is the File adapter.
File adapter on receiver side is totally ok. Sender adapter doesn't play any role as encryption is only done in the receiver adapter.
Any hints to errors in the audit log? Are there any hints about the encryption at all in the audit log?
If not, then recheck your adapter module settings in the receiver channel of your interface.
It may be because of the wrong sequence of the modules in the receiver channel. Can you create a separate thread and put the screenshot of the channel config there?
Sure, thank you Manoj
If we are using partnerPublicKey to encrypt the message and send it to the third party, then what is the use of the encryptionAlgo parameter in PGP? In some of the cases I see the parameter encryptionAlgo has not been used.