By Shabarish V Nair

PGPEncryption Module: A Simple How to Guide

Many of you will by now be aware that SAP has released B2B and SFTP/PGP capabilities for SAP PI. Earlier, we had to depend on third-party vendors for this service, but with SAP filling this gap, I strongly believe that PI is now in a better position to be provisioned as a true enterprise service bus.

If you are on PI 7.11, the prerequisite for installing and using these new add-ons is SP08. I was able to get my hands on a PI 7.11 SP08 machine and have successfully tested the PGP module as a start. In this blog, I will explain how to do PGP encryption using the SAP-provided standard module PGPEncryption.

For simplicity's sake, I have created a simple scenario as follows:

pgp_10apr2012_1.JPG

A Basic Introduction to PGP Encryption:

1. Encryption Only

To encrypt, we use the public key provided to us by the partner. Along with the public key, we also need to know which encryption algorithm the partner expects. There are various algorithms, and the SAP standard module supports the following: AES_128, AES_192, AES_256, BLOWFISH, CAST5, DES, 3DES and TWOFISH.

2. Sign and Encrypt

In this case, along with the public key provided to us by the partner, we also need our own private key and its passphrase, which we use to sign the message. Along with the encryption algorithm, we can also choose the signing algorithm. Currently the supported algorithms for signing are MD5, RIPEMD160, SHA1, SHA224, SHA256, SHA384 and SHA512.

3. Compression

We can also define the compression to be applied to the message, which helps reduce the message size. This is optional, but if used, the supported compressions are ZIP, ZLIB and BZIP2.

Receiver Communication channel configuration:

In the communication channel below, we use both sign and encrypt while sending the message to the receiver.

pgp_10apr2012_2.JPG

Note that in the above, we have used the partner's public key pubring.pkr for encryption and our private key didikey.skr along with its passphrase for signing the messages. We have also used ZIP as the compression mode.

By default, the keys can be placed under the path usr/sap/<System ID>/<Instance ID>/sec. If you want to use a different path, use the parameter keyRootPath to define your custom path.
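
An added example (not part of the original post and not SAP's code): a Python check that a channel's PGPEncryption parameters use the algorithm names listed above, flags the legacy ones, and verifies that the secret keyring under keyRootPath is not accessible to other OS users. The parameter names encryptionAlgo, signingAlgo and keyRootPath and the SHA1 signing default come from this page and its comments; the function names, severity labels and sample channel are constructed for illustration.

```python
import os
import stat

# Values exactly as listed in this post for the PGPEncryption module.
SUPPORTED = {
    "encryptionAlgo": {"AES_128", "AES_192", "AES_256", "BLOWFISH",
                       "CAST5", "DES", "3DES", "TWOFISH"},
    "signingAlgo": {"MD5", "RIPEMD160", "SHA1", "SHA224",
                    "SHA256", "SHA384", "SHA512"},
}
# Supported but legacy choices, with the reason a reviewer would cite.
LEGACY = {
    "DES": "56-bit key",
    "3DES": "64-bit block size",
    "BLOWFISH": "64-bit block size",
    "CAST5": "64-bit block size",
    "MD5": "practical collisions",
    "SHA1": "practical collisions",
    "RIPEMD160": "160-bit digest, legacy",
}
# Default stated by the post's author in the comments below.
DEFAULTS = {"signingAlgo": "SHA1"}


def audit_params(params, signing=False):
    """Return (severity, message) findings for one channel's module parameters."""
    findings = []
    names = ["encryptionAlgo"] + (["signingAlgo"] if signing else [])
    for name in names:
        value = params.get(name)
        if value is None:
            value = DEFAULTS.get(name)
            if value is None:
                findings.append(("WARN", f"{name} not set: pin it explicitly"))
                continue
            findings.append(("INFO", f"{name} not set: default {value} applies"))
        value = value.upper()  # case-insensitive match is this sketch's choice
        if value not in SUPPORTED[name]:
            findings.append(("ERROR", f"{name}={value} is not a supported value"))
        elif value in LEGACY:
            findings.append(("WARN", f"{name}={value}: {LEGACY[value]}"))
    return findings


def audit_private_key(key_root, key_file):
    """Check that the secret keyring stays inside key_root and is owner-only."""
    root = os.path.realpath(key_root)
    path = os.path.realpath(os.path.join(root, key_file))
    if os.path.commonpath([root, path]) != root:
        return [("ERROR", f"{key_file} resolves outside keyRootPath")]
    if not os.path.isfile(path):
        return [("ERROR", f"{key_file} not found under keyRootPath")]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [("WARN", f"{key_file} has mode {mode:03o}: accessible beyond its owner")]
    return []


if __name__ == "__main__":
    import tempfile
    # Constructed channel: sign and encrypt, with no signingAlgo set.
    channel = {"encryptionAlgo": "AES_256", "partnerPublicKey": "pubring.pkr"}
    for finding in audit_params(channel, signing=True):
        print(*finding)
    with tempfile.TemporaryDirectory() as sec:  # stands in for the .../sec directory
        skr = os.path.join(sec, "didikey.skr")
        open(skr, "wb").close()
        os.chmod(skr, 0o644)
        for finding in audit_private_key(sec, "didikey.skr"):
            print(*finding)
```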

Input file used:

pgp_10apr2012_3.JPG

Signed and encrypted message:

pgp_10apr2012_4.JPG

In the next blog, I will show you how we can decrypt this file into human-readable content 🙂



      57 Comments
      Former Member

      Great!! You have got your hands dirty with the new SP feature of PI.

      It will be helpful for newbies if you can share the paths where the keys are stored, and also any available tools for generating keys to play with.

      Smiles

      Rajesh

      Shabarish V Nair
      Blog Post Author

      Updated the blog to include the key file path.

      Regarding a test tool, there are many tools available online. Just search with the term 'pgp key generator'. The one I have used already existed in my landscape.

      Former Member

      Shabarish,

      Good to have this nice blog so soon on the usage of PGP modules. Thx.

      @Rajesh, I have tested the similar functionality with modules provided by other product vendor - Advantco.

      The keys used for testing have been generated by the tool PGP Desktop 10.1.1. I hope it should work fine in this case as well.

      Former Member

      Hi Bhavesh,

      I have a requirement to implement PGP from Tumbleweed to SAP ECC using SFTP/PGP modules. I have got the public and private keys from Tumbleweed in .txt format.

      I am following your blog to implement this and noticed that we need the Public Keyring (.PKR) and Secure Keyring (.SKR) from Tumbleweed, apart from the public key and private keys, to be used in the PGP module parameters.

      When I ask the Tumbleweed team to provide me the .PKR and .SKR, they say they cannot share them.

      Is there any way we can generate Tumbleweed .PKR and .SKR files to be used for PGP?

      I am able to generate my own .PKR and .SKR using PGP Desktop software.

      Please help me with your expert suggestions on how to go about this.

      Many Thanks,

      Naga

      Santhoshi M

      Hi Naga,

      I believe you have your own .PKR and .SKR keys. In order to implement the PGP encryption and decryption, share your public key (.PKR) with Tumbleweed, and Tumbleweed should share their public key (.PKR) with you.

      Ask Tumbleweed to share their .PKR key so that you can decrypt the files. But Tumbleweed won't share the .SKR, as it is a private key and cannot be shared with anyone.

      If they are using any signing of the message, then you can use your .SKR in the module as shown above.

      Please let us know if you have any queries.

      Rohan DCosta

      Hi Naga,

      You can use the public key in the format *.asc; this will do.

      If you still need a .pkr (Public Key Ring) and .skr (Secure Key Ring), you can get many tools to generate the key rings, like AEDAPTIVe, etc.

      Just make sure you place these keys in the tool and generate the key rings.

      PGPGPG.JPG

      Vikas Singh

      Thanks for the blog - it really helped !

      We required PGP decryption and were able to use it on 7.1 SP4 even though the prerequisite is SP8. We didn't have to use other features of the add-on and hence can't be sure about them.

      Cheers,

      Vikas

      Anupam Ghosh

      Hi Shabarish,

      I am very new to PGP. I got a fair idea of the process. Thank you so much for writing this.

      Regards

      Anupam

      Anupam Ghosh

      Hi Shabarish,

      Please keep writing more blogs. If possible I would love to attend some seminars from you.

      regards

      Anupam

      Shabarish V Nair
      Blog Post Author

      Thanks for the comment, Anupam 🙂

      Former Member

      Hi Shabarish,

      Great blog! Thanks for sharing this valuable information with us.

      In the blog you mentioned that currently the following signing algorithms are (standard) supported: MD5, RIPEMD160, SHA1, SHA224, SHA256, SHA384 and SHA512. However, I cannot see in the screenshots where you configure it. Could you please explain that further? For instance, what steps are needed in order to configure a signing algorithm?

      Many thanks,

      Roberto Viana

      Shabarish V Nair
      Blog Post Author

      Use the parameter signingAlgo with the possible value as MD5, RIPEMD160, SHA1, SHA224, SHA256, SHA384 or SHA512. By default, the value is SHA1.

      Former Member

      Hey Shabarish,

      We are trying to implement the new PGPEncyption Module. We are on PI 7.3

      Service Pack: 05
      Release: NW730EXT_05_REL

      and have followed the standard procedure to install the add-on. On executing a basic encryption scenario, we get a JNDI:name not found error for the EJB bean localejbs/PGPEncyption.

      The receiver communication channel is an NFS based channel.

      Did you face this kind of an issue? If yes, please help us with possible solutions.

      Thanks in advance

      Abhishek

      Shabarish V Nair
      Blog Post Author

      Please recheck the spelling of localejbs/PGPEncyption. It should be PGPEncryption.

      Former Member

      Hi Shabarish,

      Great blog!

      We are trying to implement the new PGPEncryption Module. We are on PI 7.11 and SP08 and have followed the standard procedure to install the add-on.

      In the File Receiver Adapter we use the new PGPEncryption Module only with the parameters:

      - encryptionAlgo          AES_256

      - partnerPublicKey      pubring.gpg

      But in the communication channel we get the error:

      Error PGP Encryption Module: Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher)

      12.06.2012 11:02:35.990 Error PGP Encryption Module: Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher)

      12.06.2012 11:02:35.990 Error MP: exception caught with message Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher)

      12.06.2012 11:02:35.990 Error Adapter Framework caught exception: Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher)

      12.06.2012 11:02:35.991 Error Delivering the message to the application using connection File_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.lang.Exception: Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher).

      Can you help us?

      Thanks in advance

      Octavio


      Shabarish V Nair
      Blog Post Author

      It could be a potential unlimited JCE issue.

      Could you try as described in the section 'Unlimited JCE' of this document -

      http://www.didisoft.com/wp-content/uploads/OpenPGP_Java_2_4.pdf

      Former Member

      Hi Shabarish,

      It's solved, thank you very much.

      I had forgotten to change the JCE in a folder.

      Octavio

      Shabarish V Nair
      Blog Post Author

      good to know 🙂

      Former Member

      Hi Shabarish,

      Very nice info regarding the config of SFTP scenario. Keep up the good work!

      We have implemented the same however we have encountered some peculiar issue. The message does not pass through after it is done in the module processor. Below is the log:

      21.06.2012 16:05:30.170     Information     MP: processing local module localejbs/PGPEncryption

      21.06.2012 16:05:30.170     Information     PGP Encryption Module: Message xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx arrived in PGP Module.

      21.06.2012 16:05:30.171     Information     PGP Encryption Module: The module-paramteter "asciiArmored"is not set. Using default value "true"

      21.06.2012 16:05:30.171     Information     PGP Encryption Module: The module-paramteter "format"is not set. Using default value "binary"

      21.06.2012 16:05:30.171     Information     PGP Encryption Module: The module-paramteter "keyRootPath"is not set. Using default value "/usr/sap/XXX/XXXXXXX00/sec"

      21.06.2012 16:05:30.171     Information     PGP Encryption Module: Reading public key at /usr/sap/XXX/XXXXXXX00/sec/rsapubring.pkr

      21.06.2012 16:05:30.194     Information     PGP Encryption Module: The module-paramteter "signingAlgo"is not set. Using default value "SHA1"

      21.06.2012 16:05:30.194     Information     PGP Encryption Module: Reading private key at /usr/sap/XXX/XXXXXXX00/sec/rsaccakey.skr

      21.06.2012 16:05:30.201     Information     PGP Encryption Module: Creating ASCII-Armor

      21.06.2012 16:05:30.201     Information     PGP Encryption Module: Applying compression.

      21.06.2012 16:05:30.201     Information     PGP Encryption Module: Signing

      21.06.2012 16:05:30.201     Information     PGP Encryption Module: Processing

      21.06.2012 16:05:30.666     Information     PGP Encryption Module: Applying encryption

      21.06.2012 16:05:30.681     Information     PGP Encryption Module: Message successfull processed.

      21.06.2012 16:05:30.682     Information     MP: processing local module localejbs/CallSapAdapter

      21.06.2012 16:05:30.682     Information     MP: leaving

      21.06.2012 16:05:30.683     Information     The message was successfully delivered to the application using connection SFTP_http://sap.com/xi/XI/SFTP.

      21.06.2012 16:05:30.689     Information     The message status was set to DLVD.

      Could you help me out on this one? Thanks.

      Regards,

      Rare

      Former Member

      Hi Shabarish,

      do you know of any way to not store the message id in the encrypted file?

      One of our partners doesn't use PI to decrypt the files we send to them encrypted, but uses PGP8 on their servers.

      Whenever I send them an encrypted file (e.g. original file is testfile.csv, encrypted file written to partner's SFTP server is testfile.csv.pgp) it decrypts to the message-id as filename instead of just subtracting the .pgp file extension.

      I think this is very annoying. We tried to set asam to the communication channels, but this didn't work.

      Best regards,

      Peter Hermanns

      Ravi Maheshwari

      Hello Shabarish,

      Can I use PGP Desktop 10.1.1 if I am on PI 7.11 SP5?

      Regards,

      Rachana

      Former Member

      Hello Shabarish,

      Can you please help me regarding the below issue?

      I encrypted the file and sent it to my vendor, but while decrypting on the vendor side it is giving the below error. Just used 2 modules only: applyEncryption/PartnerPublicKey

      PI - 7.31

      Enter
      pass phrase: event 23: Decryption
      symmetric cipher used: CAST5 event3: error -11391 event2: final Error decrypting file '834_TEST20120914-062150-197.PGP'. Corrupt data.

      badpacket exitcode= 32

      I am using PGP encryption software - GNUPG

      and Vendor is using - E-business server.

      I just found there were some compatibility issues between GNUPG and E-Business Server.

      https://kc.mcafee.com/corporate/index?page=content&id=KB59133

      Please advise your thoughts.

      Has anyone tested PI 7.31 encryption/decryption with the vendor?

      Regards,

      Venu.

      Chandra Sekhar H

      Hi Shabarish,

      On PI7.3 EHP1, can we use PGP encryption while sending a file as part of multipart HTTPS POST request?

      Please let me know...

      Thanks,

      Chandra

      Smith Smith

      Hi Shabarish,

      Is this module supported by PI 7.1 SP06 in FTP channel...please advise.

      Former Member

      SAP note 1695563 specifically says that the module is compatible with the following releases:

      • SAP NetWeaver PI 7.11 Support Package 8
      • SAP NetWeaver PI 7.30 Support Package 5
      • SAP NetWeaver PI 7.31 Support Package 3

      and higher.

      Best regards,

      Peter

      pavan thiruveedula

      Hi Shabarish,

      I am working on your approach as a POC. I have a few doubts; can you please help me out with these questions?

      1) Do I need to write an adapter module for this approach?

      2) Where will I get the partner's public key pubring.pkr for encryption and our private key didikey.skr?

      3) Do I need to import those keys into the PI trust store in STRUST?

      4) Do I use FileZilla as the FTP server?

      My PI version is 7.3 SP5.

      Thanks & Regards

      Pavan

      Former Member

      Dear Pavan,

      1) No, the necessary modules are all provided by SAP as part of the B2B add-on and can be downloaded separately from the SAP support portal.

      2) Your partner's public key is sent to you by your partner; your private key you have to create on your own. Please find the documentation on how to create a GPG public/private key pair for your operating system on the net or on the SCN.

      3) No... just put them into the file system as specified in the SFTP/PGP adapter/module documentation.

      4) You can use whatever FTP server you want. 🙂

      Best regards,

      Peter

      Former Member

      Hi ,

      Can anyone please suggest how to use the RSA encryption algorithm in the PGP Module?

      Regards,

      Amit

      Former Member

      In a default installation RSA encryption algorithm is not possible. According to the configuration guide the only possible encryption algorithms are:

      AES_128, AES_192, AES_256, Blowfish, CAST5, DES, 3DES and Twofish.

      Best regards,

      Peter

      Roberto Vidotti

      Hi Shabarish,

      I found this article just today, it's a good work.

      I would add just a warning in the blog: this being a guide for beginners, I would add that some algorithms have long been dead or otherwise unsafe, like MD5 and DES, which are definitely unsafe, or SHA1, RIPEMD160, CAST5 and 3DES, which are at risk at least theoretically.

      Kind regards

           Roberto

      Former Member

      Nice job.

      I also ran into this article today and found it pretty useful for my first time working with the PGP add-on.

      Thanks to both of you for sharing your knowledge.

      Kind regards,

      Eric

      Former Member

      Nice Work !

      Former Member

      Hi Shabarish,

      Need your help: I want to replicate the exact scenario in my system.

      But I didn't get this: where do I get the private and public keys, as I am creating a test scenario? About the client public key: can I generate it from somewhere? And our private key: do I have to generate it somewhere in the SAP PI system?

      Shabarish V Nair
      Blog Post Author
      Ajeet Phadnis

      Hello Shabarish,

      Although the thread has existed for quite a long time, it is still relevant. I present a scenario just as in your blog, and it is the decryption stage where I face problems. I am using the following for encryption in the SFTP receiver adapter:

      po_encry.PNG

      And the SFTP sender adapter decryption settings are: po_decry.PNG

      And when I send a file, it's encrypted correctly (I decrypt it locally). But the recipient cannot decrypt the file; the SFTP adapter gives the following error:

      po_decry_fails.PNG

      I will highly appreciate it if you could give me some hints / a solution on this issue.

      Ajeet Phadnis

      Former Member

      And what is the problem exactly?

      Ajeet Phadnis

      Hello Peter,

      Thanks for the prompt reply. The problem is decryption fails, and get the following exception:

      Error while sending message: Cannot send message to module processor com.sap.aii.af.lib.mp.module.ModuleException: PGPDecryption Module:
      Error 6/21/16 11:26:32 AM

      Error: java.security.NoSuchAlgorithmException: No such algorithm: IDEA/CFB/NoPadding



      I am using the AES_128 algorithm, and still the Decryption module fails.

      While in Shabarish's blog, he has successfully demonstrated the decryption stage to work.

      Appreciate your suggestions.

      Ajeet Phadnis

      Former Member

      Have you encrypted the message? Or your partner? I ask because it makes no sense, beside a proof of concept, to encrypt your message and then decrypt it afterwards with a second interface.

      Just a guess from my side (in the hope that it helps):

      If your partner has encrypted the file please ask him which algorithm he has used, because your error message says that AES_128 wasn't used, but an IDEA algorithm probably used by an OpenPGP implementation.

      The libraries used by the PGP module (bouncycastle) do not support them as far as I know.

      So please ask the one providing you the file which kind of pgp, pgp version and algorithm he is using for encrypting the file.

      If this is sorted out please let him use compatibility modes or algorithms that the SAP PGP module supports.

      Ajeet Phadnis

      Thanks, Peter

      Yes, it's a scenario I am running on my PI instance. I created a sender that encrypts the message (pic 1 in my first query); the file is placed in an SFTP server directory.

      Then I have created a recipient that picks up this encrypted file, decrypts it (pic 2 in my first query) and sends it to another SFTP server location.

      And it's this recipient decryption stage that fails (pic 3 in my first query).

      Ajeet Phadnis

      Former Member

      Ok, so some kind of proof of concept. 🙂
      Did you try to do the same with two key pairs? I.e. generate a second key pair to simulate a receiver/sender different from your system?

      Ajeet Phadnis

      Yes, I have two keyrings, one used for the sender and the other for the recipient.

      Former Member

      Then I have no idea, to be honest.

      Sorry. 🙁

      Former Member

      Hi there

        Below error occurred when using the PGP Module in the File adapter with localejbs/PGPEncryption. Kindly advise.

      "java.lang.Exception: Exception in XML Parser (format

      problem?):'org.xml.sax.SAXParseException: Content is not allowed in prolog.'"

      pavan thiruveedula

      Hi Ravi,

      Are you using FCC in your scenario? If yes, please use the Module transform bean instead of using normal FCC content conversion. That will solve your PGP problem.

      Thanks,

      Pavan T

      +91 9892398599

      http://help.sap.com/saphelp_nw04/helpdata/en/24/4cad3baabd4737bab64d0201bc0c6c/content.htm

      Former Member

      Thanks Pavan. The prolog error is solved.

      I used the Module transform bean already. The only thing I missed is normal FCC is unselected. Thank you for your inputs.

      Former Member

      Dear Vijay,

      Kindly confirm whether we need to delete the module parameter "localejbs/ModuleProcessorExitBean". When we are using this, we are getting the below exception. Could you please guide me?

      "MessagingException: java.lang.NullPointerException: SFTP "

      Regards

      Raju

      Rohan DCosta

      Hi All,

      We are getting the following error in the receiver channel.

      nested exception is: java.lang.NullPointerException: while trying to invoke the method com.sap.engine.interfaces.messaging.api.Message.getMessageKey() of an object loaded from local variable 'msMessage'

      BASIS has confirmed that JCE unlimited has been installed and the system was restarted.

      Could you kindly help?

      Capture1111111111.JPG

      Capture222222222.JPG

      Rohan DCosta

      Hi Guys,

      And unlimited JCE unlimited and the Module sequence solves this.

      Found out the 'CallSapAdapter' was the culprit. Once I removed it, the PGP module worked.

      Capture11111.JPG

      Capture222222.JPG

      Former Member

      How to use the "Diffie-Hellman" algorithm in PGP encryption in SAP PO?

      Muhammad Abdullah

      Hi,

      We are using PI 7.3 and for a B2B requirement we are supposed to send the MT100 message to banks after signing the message using the PKCS7 standard algorithm. Can anyone explain how this would be achieved?

      Sha A

      Hi,

      Can anyone tell me, can we encrypt CSV files in PI and send them to the file adapter?

      Former Member

      Yes...
      all in receiver adapter as described in the official SAP documentation. 😉

      Best regards,

      Peter

      Sha A

      Hi Peter,

      In our case, when we try with a simple txt file, it's happening, i.e. it's converting into an encrypted document. But when it's a CSV file, it's not happening; the same flat file is being processed to the receiver folder.

      Note: sender is SFSF adapter and receiver is File adapter.

      Thanks.

      Former Member

      File adapter on receiver side is totally ok. Sender adapter doesn't play any role as encryption is only done in the receiver adapter.

      Any hints to errors in the audit log? Are there any hints about the encryption at all in the audit log?
      If not, then recheck your adapter module settings in the receiver channel of your interface.

      Manoj K

      Sree,

      It may be because of the wrong sequence of the modules in the receiver channel. Can you create a separate thread and put the screenshot of the channel config there?

      Br,

      Manoj

      Sha A

      Sure, thank you Manoj

      🙂

      Pavithra N

      Hi,

      If we are using partnerPublicKey to encrypt the message and send it to the third party, then what is the use of the encryptionAlgo parameter in PGP? In some of the cases I see the parameter encryptionAlgo has not been used.

      Thanks