Eng Swee Yeoh

HCI: Using PGP message level security in HCI

Introduction

HCI comes packed with many security-related features. For message level security, it supports the OpenPGP standard, which is commonly used for email as well as file-based integrations.

In this blog, I will share how to create and deploy the OpenPGP keys, as well as usage examples for PGP encryption and decryption in HCI.

Component Details

As HCI is a cloud solution with automatic rolling updates, these steps are valid for the following versions and may change in future updates.

Below are component versions of the tenant and Eclipse plugins.

HCI Tenant Version: 2.8.5

Eclipse Plugin Versions: Adapter 2.11.1, Designer 2.11.1, Operations 2.10.0

Required PGP Software

The online HANA Cloud documentation below details the steps required to create the keys using Gpg4win.

Creating OpenPGP Keys

However, the steps there are directed more towards tenants managed by SAP, and some of them can be skipped. I found that the process can be simplified by just following the Generating Key Pairs section of the following Wiki, which describes PGP encryption/decryption in PI.

Generating ASCII Armored PGP Key Pairs – Process Integration – SCN Wiki

Both methods require the installation of the Gpg4win tool. Additionally, during the installation, I recommend installing Kleopatra, which comes with Gpg4win. It is a GUI-based certificate manager and unified crypto GUI, which I will use for the examples in the following sections.

Creating OpenPGP Keys

Following the steps in the above Wiki, launch the command prompt and execute the following command:-

gpg --gen-key

When gpg is run for the first time, the secret and public keyrings are created in the following folder.

C:\Users\<user>\AppData\Roaming\gnupg

Enter the following details based on the instructions of the program:-

  • Key type – RSA and RSA (default)
  • Keysize – 2048
  • Validity – key does not expire
  • Real name & email address – <provide own details>
  • Passphrase – <enter passphrase to secure secret key ring>


Once everything has been entered, the public and secret key pair will be generated.


Deploying OpenPGP Keys

In order to use the keys, the keyrings have to be deployed into the HCI tenant.

Right click on the tenant in Node Explorer and select Deploy Artifacts.


First, select PGP Public Keyring and select the public keyring file that was generated above.


Repeat the above steps for PGP Secret Keyring. This will require the passphrase that was used during generation of the keyring above.

Once both keyrings have been deployed, they can be viewed on the Deployed Artifacts tab of the tenant.


Usage Example 1 – Encrypting & Signing

For the purpose of the following examples, another OpenPGP key pair has been generated which is used to represent the external partner that HCI will integrate with. This key pair is generated under the name PGP Partner.

For the first example, HCI will encrypt and sign the message. The encrypted and signed message will then be transmitted to the partner where it will be verified and decrypted. Below is the required set up in HCI for this scenario.

  • Encryption with partner’s public key
  • Signed with own private key

To simplify the example, the iFlow is designed with a static content in a Content Modifier and the output message is routed to an HTTP receiver.


The PGP Encryptor function is configured as follows:-

  • Signatures are included in the message
  • Encryption algorithm using AES 256
  • Compression algorithm using ZLIB
  • Output in ASCII Armored format
  • Encryption using PGP Partner's public key
  • Signing algorithm using SHA 256
  • Signing using own private key


The Content Modifier is populated with a static text in the message body.

After the iFlow is deployed and executed, an encrypted PGP message (in ASCII armored format) is sent to the HTTP receiver.

The encrypted message is extracted and saved as a text file. We will then use Kleopatra to decrypt and verify the file.


Kleopatra's verification result shows a valid signature that corresponds to the signing configuration in HCI.

And the decrypted content matches the original content.


Usage Example 2 – Decrypting & Verifying

The second example is the reverse of the first example. This time round, Kleopatra will be used to simulate encryption and signing of the message by an external partner. The encrypted message will then be decrypted and verified by HCI.

Below is the required setup in HCI for this scenario.

  • Verification using partner’s public key

This example also uses a simplified iFlow setup where the encrypted content is statically configured in the iFlow, and the decrypted output message is routed to an HTTP receiver.

The PGP Decryptor is configured as follows:-

  • Verification of signatures is mandatory
  • Verification using PGP Partner's public key

Note that the decryption key does not need to be specified in the function, as it is determined implicitly from the message content, which carries the ID of the key it was encrypted to.

To complete this configuration, we first need to create an encrypted message to simulate content from the external partner.

A text file containing the test content is encrypted and signed using Kleopatra.

The output will be in ASCII armored format.


The public key representing HCI is selected during encryption by Kleopatra.


Subsequently, Kleopatra will sign using the partner’s private key.


After the content has been encrypted and signed using Kleopatra, it is populated in the message body of the Content Modifier.


Once all configuration is complete, the iFlow is deployed and executed. The decrypted output transmitted to the HTTP receiver matches the original content.

Conclusion

As shown, PGP message level security can be set up relatively easily in HCI. This helps ensure that message content is protected in cloud-based integrations (especially file-based ones).

      11 Comments

      Former Member

      Nice blog, security is more important in HCI than on-premise integration, and openPGP standard is a quite common standard.

      Thanks for sharing.

      Former Member

      Nice Blog,

      I have a small question.

      In your first example, do we need to include the Public key under the name PGP Partner also into HCI Tenant?

      Thanks,
      Amit

      Emre Ozkan

      Hi,

      I find this blog very useful. Thanks for putting together.

      Is there a way to make Encryption User Id of Key(s) from Public Key Ring parametric?

      Seems like it does not work. I am receiving this error:

      "No public encryption key found for the User Ids [${header.PGP_PUBLIC_KEY_USER_ID}] in the public keyring."

      What is your experience about this?

      Best Regards

      Emre

      Kaleo Fava-Kuntgen

      Hi,

      I am getting the same error, did you find a way to use the User Ids dynamically?

      Thank you

      Kaleo

      Aditya W. Sharma

      Hi Emre,

      Did you try setting Camel header(s) in Content Modifier? Set header "CamelPGPDataFormatKeyUserids" in a script as List<String> type from your dynamic parameter before the PGP step and maintain any dummy user in the PGP step.

      The Camel Header will override the dummy user and your dynamic parameter will be set as PGP username.

      Further details at - PGP :: Apache Camel and How to – Dynamic PGP Encryption UserId | SAP Blogs

      Thanks,

      Aditya

      Sujai Kaarthik Balasubramanian

      Hi Eng Swee Yeoh,

      Nice blog there. I have a query on this.

      Our scenario is like, encryption will happen on a local system and decryption will happen on HCI. For the encryption part, we have written a Java utility which is used via an ABAP program. The file is getting encrypted, but decryption on HCI fails. Is there any way that we can make our encrypted file compatible with the decryption process on HCI? Any help links on that would be helpful.

      PS: We are using Bouncy Castle APIs for PGP encryption. Below is the error that we are getting on HCI system:

      Error               = com.sap.esb.camel.security.pgp.PgpException: An exception occurred during decrypting/verifiyng a PGP message. The PGP message may have been tampered.  Reason: The input message body has an invalid format. The PGP decryption/verification processor expects a sequence of PGP packets of the form (entries in brackets are optional and ellipses indicate repetition, comma represents  sequential composition, and vertical bar separates alternatives): Public Key Encrypted Session Key ..., Symmetrically Encrypted Data | Sym. Encrypted and Integrity Protected Data, Compressed Data, (One Pass Signature ...,) Literal Data, (Signature ...,), cause: iaik.pgp.exceptions.PGPParsingException: Read invalid packet (COMPRESSED_DATA (TAG 8)) while decoding iaik.pgp.transferables.PGPMessage
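The packet sequence quoted in the error above is the outer structure of an OpenPGP message (RFC 4880): one Public-Key Encrypted Session Key (PKESK) packet per recipient followed by a single encrypted-data packet, with compression, literal data and signatures living inside the ciphertext; the PKESK packet also names the recipient key ID, which is how the HCI decryptor picks its key implicitly, as noted in the blog. The inspector below is an added example (not code from this blog, from SAP, or from the commenters) that parses the top-level packet headers of an armored message and reports whether it has that shape and which key IDs it was encrypted to; both sample messages are constructed and are not real ciphertexts.

```python
import base64

# RFC 4880 packet tags that may appear at the top level of an encrypted PGP message
PKESK, COMPRESSED, SED, SEIPD = 1, 8, 9, 18

def dearmor(text: str) -> bytes:
    """Strip the ASCII armor of a PGP MESSAGE block (armor headers and the CRC line are ignored)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    start = lines.index("") + 1                  # armor headers end at the first blank line
    return base64.b64decode("".join(l for l in lines[start:] if not l.startswith(("=", "-----"))))

def packets(data: bytes):
    """Yield (tag, body) for each top-level packet, handling old- and new-format headers."""
    pos = 0
    while pos < len(data):
        hdr, pos = data[pos], pos + 1
        if hdr & 0x40:                           # new format: tag in the low 6 bits
            tag, first, pos = hdr & 0x3F, data[pos], pos + 1
            if first < 192: length = first
            elif first < 224: length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255: length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else: raise ValueError("partial body lengths are not handled")
        else:                                    # old format: tag in bits 2-5, length size in low 2 bits
            tag, n = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 3]
            length = int.from_bytes(data[pos:pos + n], "big") if n else len(data) - pos
            pos += n
        yield tag, data[pos:pos + length]
        pos += length

def inspect(armored: str) -> dict:
    """Report the top-level tag sequence, whether it is one or more PKESK packets followed by a
    single SED/SEIPD packet (the shape the decryptor expects), and the recipient key IDs."""
    seq = list(packets(dearmor(armored)))
    key_ids = [body[1:9].hex().upper() for tag, body in seq if tag == PKESK]  # version, key ID, algo, MPIs
    tags = [tag for tag, _ in seq]
    n = len(key_ids)
    ok = n > 0 and tags[:n] == [PKESK] * n and tags[n:] in ([SED], [SEIPD])
    return {"tags": tags, "recipient_key_ids": key_ids, "well_formed": ok}

def armor(data: bytes) -> str:
    return "-----BEGIN PGP MESSAGE-----\n\n%s\n-----END PGP MESSAGE-----" % base64.b64encode(data).decode()

# Constructed sample (not a real ciphertext): one PKESK for key ID 0102030405060708 with the
# old-format header 0x85 (two-octet length) that gpg emits, then a short SEIPD packet (0xD2).
pkesk_body = b"\x03" + bytes.fromhex("0102030405060708") + b"\x01" + b"\x00\x08\xAB"
GOOD = armor(b"\x85" + len(pkesk_body).to_bytes(2, "big") + pkesk_body + b"\xD2\x04\x01\xDE\xAD\xBE")
# A Compressed Data packet (0xA3, indeterminate length) at the top level is the "invalid packet
# (COMPRESSED_DATA (TAG 8))" shape from the error above: compression belongs inside the ciphertext.
BAD = armor(b"\xA3\x01\x00")
```

Running inspect() on a message that fails in HCI shows whether the producer wrapped the packets in the wrong order (for example compressed first, then encrypted) before any key material is involved.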

      venkatesh koukuntla

      Hi Sujai,

      Did you find the solution for this? We are having the same issue with decrypting using CPI for a file received from Commerce.

      Regards,

      Venkat

      Shoukat Ali

      Hi Sujai,

      I have a requirement where I have to perform only signing with a PGP key. The standard PGP Encryptor palette activity in CPI does both encryption and signing. The other activity, Simple Signer, does not allow a PGP secring. I guess the solution can be achieved using the BouncyCastle API. I understand you have used the BC API in your project. Please help me with some pointers on how to set up BC APIs in CPI and how to access the PGP private key.

      Roland Marquez

      Hello,

      How many public keys are permitted to be uploaded in each tenant? I need to handle more than one for each iFlow. How can I do this?

      Regards.

      Iddo Rijsdijk

      Hi Roland,

      I just asked the same question on https://answers.sap.com/questions/634434/upload-multiple-pgp-public-keys.html Did you manage to sort this out?

      Iddo

      Satya Verma

      Thanks for sharing this blog. I recently read the blog post on SAP CPI PGP security, then searched for HCI and finally found this.