Using PGP in Process Integration
Introduction
Pretty Good Privacy (PGP) is a data encryption and decryption algorithm that provides cryptographic privacy and authentication for data communication.
With PI 7.11+, PGP is available as part of the SAP NetWeaver Process Orchestration Secure Connectivity Add-On. PGP is an adapter user-module which can be used with any Java adapters, e.g. File/FTP, JDBC, SOAP, JMS, Mail, RFC, HTTP_AAE, IDoc_AAE, etc. This add-on also includes the SFTP adapter.
Both products are available for download from the SAP Service Marketplace without any additional cost.
Download and Installation
PGP can be downloaded from SMP as part of the Secure Connectivity Add-On. The download location:
Go to: SAP Software Download Center
Installations and Upgrades
Browse our Download Catalog
- Select “SAP NetWeaver and complementary products”, and then “PI SFTP PGP ADDON”.
- After extracting the downloaded ZIP file, use JSPM to deploy PIB2BPGP00_0.SCA on PI.
Concept
The PGP module uses the public key encryption method to secure the content of the business document. The PGP module allows us to encrypt/decrypt and digitally sign or verify a message.
This method contains two sets of keys; their purpose is described below:
Public Key:
- Your public key is used by all your business partners to encrypt a message when sending that message to you. Therefore, you must send the public key to your partners first.
- Your partner’s public key is used to verify the digital signature in the message when you receive that message from your business partner. Therefore, your partner must send you his public key first.
Private Key:
- Your private key is used to decrypt a message when receiving it from your partner. Your business partner will use your public key to encrypt the message.
- Your private key is used to digitally sign a message when sending it to your business partner. Your business partner will use your public key to verify the digital signature.
The PGP keys can be generated by publicly-available programs and many web sites can generate them for you, both are available for free. For your testing purposes, I created the following keys. Copy-n-paste them to 2 files, e.g. testPGPPublic.txt and testPGPPrivate.txt. (The 2 files are also attached with this blog.)
While copying, include the BEGIN and END lines. The password for the private key is “test”.
—–BEGIN PGP PUBLIC KEY BLOCK—–
Version: BCPG C# v1.6.1.0
mI0EURFDPAEEAIk55y664cU2ueElz+DJXXWpnmo/kawMzA+WKwIauy86Zu65pFoZ
PgbKSLOxDvEIGhnQEPiyqJ8GB4Q+u8MYoN84ND7Zg8xjyaLQuZ6FPgJmgyvSiAUl
8oBangWGQ7qxLTxsc/CtXHpM5vLZnYnHqs5ld/ugou31wdHD7WxRjHf5ABEBAAG0
D2JpbGwwM0B0YWRpLmNvbYicBBABAgAGBQJREUM8AAoJEM1imjZSvCjysCED+gNE
HsWTC0NycNxykh6/10WzS00YfjrWKv5pi5+Z5wqiK9vWx49tXgObzSL994f+vmbA
u3Z7Pd8wQMf6kkDKromsQIU3PTdpwxYHjQWTFz4d4xvbs1R+skoXbKgm/pzbJoZ6
cUz6uDK2is/o3UlDvH+qTgQCBekiTZ/q1ciYMDCT
=/9ML
—–END PGP PUBLIC KEY BLOCK—–
—–BEGIN PGP PRIVATE KEY BLOCK—–
Version: BCPG C# v1.6.1.0
lQHsBFERQzwBBACJOecuuuHFNrnhJc/gyV11qZ5qP5GsDMwPlisCGrsvOmbuuaRa
GT4GykizsQ7xCBoZ0BD4sqifBgeEPrvDGKDfODQ+2YPMY8mi0LmehT4CZoMr0ogF
JfKAWp4FhkO6sS08bHPwrVx6TOby2Z2Jx6rOZXf7oKLt9cHRw+1sUYx3+QARAQAB
/wMDAhxscq0soQxwYJTVOwH2+UivWK9VpcHdXfsjJ+lLuJg+/tjT9g2hBZrW78sZ
xHa27qHBI67Cndzc9QqC9ptISru4Ni20Z/WcoTkEp2dnpYugpwUbnF3Eee3z9LzI
rNsd4V45HTcs/i3jXqCxwdZYXKRgOJzRXwvPZT5aqYJZveNJu+XX1adeChMZF24P
wY6vJRCH85aBSf2zfyD1ckLyQSdF1U/fDuC/9fDAW/rro48PsC9TpbVLjgO8QXre
rRI1pPkBqsCxDzSp2gJHqI5Zsx0thr8Q6N2EYoBJig9L5E359Oxn2ueW6FV0lS6I
kmdfKddlNxaoXH/UcLPwU0TCLFQbf1GEgxqIDqHUelMQ5SqF2227T1pJeBuWBm6g
2/Xk0hEtlFIJ6b20sKU/XWcy9+SPC//vzL+GHs3t0N9fT2PVMq8uNWCAFadMuj1U
cne5sHHDFQsoF8rzMpq8tA9iaWxsMDNAdGFkaS5jb22InAQQAQIABgUCURFDPAAK
CRDNYpo2Urwo8rAhA/oDRB7FkwtDcnDccpIev9dFs0tNGH461ir+aYufmecKoivb
1sePbV4Dm80i/feH/r5mwLt2ez3fMEDH+pJAyq6JrECFNz03acMWB40Fkxc+HeMb
27NUfrJKF2yoJv6c2yaGenFM+rgytorP6N1JQ7x/qk4EAgXpIk2f6tXImDAwkw==
=vKXy
—–END PGP PRIVATE KEY BLOCK—–
User-Module Configuration
Please reference SAP HELP for details:
https://help.sap.com/saphelp_nwposc/helpdata/en/08/d47f0c5abd4f4f9d0b167ff693b1a7/frameset.htm
For this blog, we will be sending the messages to ourselves; therefore, for sending and receiving messages we will use the same public-private keys.
Receiver Communication Channel
The receiver communication channel is used to send a message to your partner. Consequently, we will use your partner’s public key to encrypt the message, and we can optionally use your own private key to digitally sign the message.
- Enter Module Name: localejbs/PGPEncryption
- Enter Module Parameters:
- For encryption:
- keyRootPath = <file directory of the private and public keys>
- partnerPublicKey = <file name of the public key> (this is your partner’s key)
- For signing the message: (optional)
- applySignature: true (the default is false)
- ownPrivateKey: <file name of the private key> (this is your own private key)
- pwdOwnPrivateKey: <password of the private key> (for this blog, “test”)
- For encryption:
Sender Communication Channel
The sender communication channel is used to receive a message from your partner. Consequently, we will use your own private key to decrypt the message, and we can optionally use your partner’s public key to verify your partner’s digital signature in the message.
- Enter Module Name: localejbs/PGPDecryption
- Enter Module Parameters:
- For decryption:
- keyRootPath = <file directory of the private and public keys>
- ownPrivateKey: <file name of the private key> (this is your own private key)
- pwdOwnPrivateKey: <password of the private key> (for this blog, “test”)
- For verifying the signature in the message: (only used if the message is signed by your partner)
- partnerPublicKey = <file name of the public key> (this is your partner’s key)
- For decryption:
Thanks Bill,for sharing..
Cheers
Agasthuri
Hi William,
This is a neat new feature.
What i found a bit confusing is that the keys need to be stored on disk of the PI server and not in the NWA truststores (would be a huge simplification as all adapters invoke their certificates from there, too).
Cheers
Sebastian
Hi,
From my understanding, the PGP certificates are not based on standrads, e.g. X.509. Therefore, it cannot be imported into the keystore.
I tried to import the PGP certificate into the keystore in the past, but error resulted.
Regards,
William
Hi William,
this is a very nice blog. However I have got few questions here.
I haven't worked on PGP module before but It seems that PGP uses Self signed certificate, leaving certificate and key management to users.Thus when estimating the effort required, something that may appear to reduce developement effort may increase subsequent administration and support effort. Is that correct?
Also, PGP carries out a public-key encryption for each message. Public-Key encryption is orders of magnitude slower than symmetric key encryption. While that may not matter for occasional messages, it can have huge performance impact on frequent messages. Is that correct?
We have requirement in our project to encrypt/decrypt and sign the messages before sending it to 3rd party and I am tempted to use PGP Add-ons but before that would like to find out if there are any sorts of obligations to use this algorithm.
Thanks,
Pratibha
Hi,
I am not an expert on public-key infrastructure. I do not believe there is a Certificate Authority (CA) who manages PGP public-private keys. Maybe other readers will know.
As for symmetric vs asymmetric, symmetric key requires that both parties have the same key. This can cause security problems. With asymmetric, the public key can be used by anyone to encrypt, and only you have the private key to be able to decrypt the msg. With symmetric key, all parties will have to have the same key. Performance shoud have minimum impact for using asymmetric keys.
PGP is publicly available and there is no restriction on its usage...everyone can use it.
Regards,
William
thanks for the information William.
Can you please let me know if uploading Private/Public key pair is one off activity and do we have to do it once for every system (e.g. one for Dev..one for QA..one for Prod) ?
Thanks,
Pratibha
Hi Pratibha,
I think this is something you can check with your management. I think you can have one pair for DEV and QA, for development and testing purposes. Then, another pair for PRD.
Regards,
William
Thanks Bill for sharing this. The add-on gets a Thumbs up from me as we have implemented it in our project and it worked pretty smooth, considering the fact that it was released recently. (end of March'12)
Pratibha Sethi my 2 cents on your questions:
>> reduce developement effort may increase subsequent administration and support effort
There could be some work associated, but it is not ever-increasing and time consuming work. I have seen some of the clients using never-expiring keys.
>> it can have huge performance impact on frequent messages. Is that correct?
Any encryption at PI message level will have some performance impact. But this is always subject to volume and sizing exercise. Note that compressing the payloads while encrypting reduces the load on the server and therefore should be chosen appropriately.
I shared some of my experience earlier here:
http://scn.sap.com/community/b2b-integration/blog/2012/07/27/b2b-add-on-pgp-module--pov
>>do we have to do it once for every system (e.g. one for Dev..one for QA..one for Prod) ?
You don't have to. Again, I have seen client using the same certificate for all the environments.
Regards,
Prateek Raj Srivastava
Very nicely written..step by step..helped me in my scenario..
Thankkksss
Hi Experts,
My scenario is like
Currently we are implementing SAP (ERP software) across the company and we have a requirement to send the EFT’s (payments) file by building an integrated interface with some bank. Initially, SAP FI generates the file and is placed in a predefined directory in client ERP on outbound side and PI needs to encrypt the file using PGP by AES 128/256 algorithm & need to post the xls files to SFTP/FTP folder on inbound side from where a server at Bank’s end will pick the file on a scheduled basis.
Regarding the above scenario Bank people[inbound] side confirmed that they use AES128 algorithm only but not PGP. My question is PI encrypt the file using PGP with AES128, what mechanism do bank people[inbound] side follow to decrypt it with their private key or should they use only PGP to decrypt the encrypted file from PI or can they follow some other way to decrypt it by their own private key? I mean to ask however PI use only PGP to encrypt the file, is it required bank[inbound] receiver side also use PGP to decrypt or can they use another mechanism to decrypt by private key + AES128 ?
Thanks!
Hi William Li,
Can I use the above module to insert a digital signature in PDF document say it is an passthrough scenario where I do no transformation other than just inserting digital signature. Pls confirm whether it is possible by above standard module with out using any custom module if so pls let me know additional steps if any.
Thnx, Nithin.
Dear expert PI
We found error pgp " Error: org.bouncycastle.openpgp.PGPException: A fitting private key for the encrypted data could not be found: check the password" please help me.
Hi Pattanant, I've same problem.
I check and password is OK.
Could you solve your problem?
Please share the solution.
Thanks in advance.
Hi All,
How did you solve this issue ?
Error:Org.bouncycastle.openpgp.PGPException:A fitting private key for the encrypted data could not be found : check the password
regards
Arun
https://blogs.sap.com/2013/02/07/using-pgp-in-process-integration/
keyRootPath = <file directory of the private and public keys>it seems keyRootPath is not always necessary? PFB.
Hi All,
Very useful information from all of you. have any of you worked with PGP modules for NFS.
My requirement is that a 3rd party system will post files to SAP PI folder (encrypted with our public key ), and SAP PI will pick up from the local folder and decrypt it . Also they will sign it and SAP PI will verify the signature.
Now my doubt is if there is any other method of achieving this with SSH public-private key pair and not using PGP keys. I am a bit confused using NFS and PGP combination. Also they need our keys signed by CA , so not sure if PGP keys can be signed as they are generated by online tool.
I know this is an old link but any lead would be helpful.
Hi Team,
I am facing issue with the same even if generated public & private key with passphrase.
#2.0#2022 03 22 12:10:17:385#+0530#Error#com.sap.aii.adapter.file.File2XI.processFileList()#
com.sap.SOA.apt_file.0017#BC-XI#com.sap.aii.af.lib#C0000A4F22842D6E0000000C000010F4#17736250011132670##com.sap.aii.adapter.file.File2XI.processFileList()#Guest#0##CFB88C49A18011ECAD29002248D4BDF9#cfb88c49a18011ecad29002248d4bdf9##0#XI File2XI[CC_FILE_SENDER_Concur_Decryption/BC_CONCUR/]_775652#Plain##
Channel CC_FILE_SENDER_Concur_Decryption: Sending file failed with org.bouncycastle.openpgp.PGPException: A fitting private key for the encrypted data could not be found: check the password. - continue processing#