
Introduction

HCI comes with a broad set of security-related features. For message-level security it supports the OpenPGP standard, which is widely used for e-mail as well as for file-based integrations.

In this blog, I will share how to create and deploy OpenPGP keys, as well as usage examples for PGP encryption and decryption in HCI.

Component Details

As HCI is a cloud solution with automatic rolling updates, these steps are valid for the following versions and may change in future updates.

Below are component versions of the tenant and Eclipse plugins.

HCI Tenant Version: 2.8.5

Eclipse Plugin Versions: Adapter 2.11.1, Designer 2.11.1, Operations 2.10.0

Required PGP Software

The online HANA Cloud documentation below details the steps required to create the keys using Gpg4win.

Creating OpenPGP Keys

However, the steps there are directed more towards tenants managed by SAP, and some of them can be skipped. I found that the process can be simplified by following just the Generating Key Pairs section of the following Wiki, which is used for PGP encryption/decryption in PI.

Generating ASCII Armored PGP Key Pairs – Process Integration – SCN Wiki

Both methods require the Gpg4win tool to be installed. During installation I also recommend selecting Kleopatra, which comes with Gpg4win; it is a GUI-based certificate manager and unified crypto front end that I will use for the examples in the following sections.

Creating OpenPGP Keys

Following the steps in the above Wiki, open a command prompt and run the gpg command-line tool that Gpg4win installs. Execute the following command:-

gpg --gen-key

When gpg is run for the first time, the secret and public keyrings (secring.gpg and pubring.gpg) are created in the following folder. Note that GnuPG 2.1 and later (shipped with Gpg4win 3.x) no longer write a secring.gpg; they keep the keys in pubring.kbx and private-keys-v1.d, so the two keyring files to be deployed have to be exported from the keyring rather than copied from this folder.

C:\Users\<user>\AppData\Roaming\gnupg

Enter the following details based on the instructions of the program:-

  • Key type – RSA and RSA (default)
  • Keysize – 2048
  • Validity – key does not expire
  • Real name & email address – <provide own details>
  • Passphrase – <enter passphrase to secure secret key ring>

The Wiki's choice of 2048-bit RSA with no expiry is adequate for a test tenant. For a production key, set an expiry date (it can be extended later) and create a revocation certificate right after generation, so that a compromised secret keyring can be retired on the partner side.

/wp-content/uploads/2015/12/genkey_852293.png

Once everything has been entered, the public and secret key pair will be generated.

/wp-content/uploads/2015/12/keys_852294.png
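The same generation done non-interactively, as an added example (not the Wiki's or the blog's own steps): a Python script that drives gpg with a batch parameter file and then exports the two keyring files the HCI deployment dialog expects, which is the extra step needed once GnuPG 2.1 or later is installed. The name, e-mail address and passphrase are placeholders, and gpg is assumed to be on the PATH:

```python
"""Added example, not code from the original post: the "gpg --gen-key"
walkthrough driven non-interactively, plus the export step that turns a
GnuPG 2.1+ keyring into the pubring.gpg / secring.gpg files HCI deploys.
Assumptions: gpg (2.1 or later) is on PATH; name, e-mail and passphrase
are placeholders supplied by the caller."""
import os
import shutil
import subprocess
import textwrap
from pathlib import Path


def packet_tag(first_byte: int) -> int:
    """Tag of an OpenPGP packet header byte (RFC 4880 section 4.2): new
    format keeps the tag in the low 6 bits, old format in bits 5..2."""
    if not first_byte & 0x80:
        raise ValueError("not an OpenPGP packet header")
    return first_byte & 0x3F if first_byte & 0x40 else (first_byte >> 2) & 0x0F


def gen_keyrings(outdir: str, name: str, email: str, passphrase: str):
    """Generate an RSA 2048 key pair in a throw-away GNUPGHOME under outdir
    and export the two keyring files. Returns None when gpg is not installed,
    otherwise a dict with the file paths and the first packet tag of each."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    out = Path(outdir)
    home = out / "gnupghome"
    home.mkdir(parents=True, exist_ok=True)
    os.chmod(home, 0o700)                     # gpg warns on a world-readable homedir
    env = dict(os.environ, GNUPGHOME=str(home))

    # The same answers the interactive prompt asks for: RSA and RSA, 2048 bit,
    # no expiry (as in the Wiki), real name, e-mail, passphrase.
    params = textwrap.dedent(f"""\
        Key-Type: RSA
        Key-Length: 2048
        Subkey-Type: RSA
        Subkey-Length: 2048
        Name-Real: {name}
        Name-Email: {email}
        Expire-Date: 0
        Passphrase: {passphrase}
        %commit
    """)
    # Loopback pinentry lets gpg take the passphrase from us instead of a
    # dialog; the passphrase is visible in the process list this way.
    common = [gpg, "--batch", "--yes", "--pinentry-mode", "loopback",
              "--passphrase", passphrase]
    subprocess.run(common + ["--gen-key"], input=params, text=True,
                   env=env, check=True, capture_output=True)

    # GnuPG 2.1+ stores keys in pubring.kbx and private-keys-v1.d; HCI wants
    # classic keyring files, so export the public and the secret key.
    pub, sec = out / "pubring.gpg", out / "secring.gpg"
    for path, opt in ((pub, "--export"), (sec, "--export-secret-keys")):
        res = subprocess.run(common + [opt, email], env=env, check=True,
                             capture_output=True)
        path.write_bytes(res.stdout)

    # Pre-deployment check: the files must open with a Public-Key (tag 6)
    # and a Secret-Key (tag 5) packet; anything else is not a keyring.
    return {"pubring": pub, "secring": sec,
            "pub_tag": packet_tag(pub.read_bytes()[0]),
            "sec_tag": packet_tag(sec.read_bytes()[0])}


if __name__ == "__main__":
    print(gen_keyrings("hci-keys", "HCI Demo", "hci.demo@example.com", "change-me"))
```

Run it with a fresh output directory and deploy the resulting pubring.gpg and secring.gpg as described in the next section. Because the passphrase is handed to gpg on its command line it shows up in the process list, so on a shared machine prefer the interactive prompt.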

Deploying OpenPGP Keys

In order to use the keys, the keyrings have to be deployed into the HCI tenant.

Right click on the tenant in Node Explorer and select Deploy Artifacts.

/wp-content/uploads/2015/12/deploy_852295.png

First, choose PGP Public Keyring as the artifact type and select the public keyring file that was generated above.

/wp-content/uploads/2015/12/pubkey_852299.png

Repeat the above steps for PGP Secret Keyring. This requires the passphrase that was used when the keyring was generated above. Only the public keyring is ever shared with a partner; the secret keyring and its passphrase stay within the tenant.

Once both keyrings have been deployed, they can be viewed on the Deployed Artifacts tab of the tenant.

/wp-content/uploads/2015/12/artifacts_852300.png

Usage Example 1 – Encrypting & Signing

For the purpose of the following examples, another OpenPGP key pair has been generated which is used to represent the external partner that HCI will integrate with. This key pair is generated under the name PGP Partner.

For the first example, HCI will encrypt and sign the message. The encrypted and signed message will then be transmitted to the partner where it will be verified and decrypted. Below is the required set up in HCI for this scenario.

  • Encryption with partner’s public key
  • Signed with own private key

To simplify the example, the iFlow is designed with static content in a Content Modifier, and the output message is routed to an HTTP receiver.

/wp-content/uploads/2015/12/iflow1_852301.png

The PGP Encryptor function is configured as follows:-

  • Signatures are included in the message
  • Encryption algorithm using AES 256
  • Compression algorithm using ZLIB
  • Output in ASCII Armored format
  • Encryption using PGP Partner's public key
  • Signing algorithm using SHA 256
  • Signing using own private key

/wp-content/uploads/2015/12/encrypt_852305.png

/wp-content/uploads/2015/12/sign_852306.png

The Content Modifier is populated with the following static text in the message body.

/wp-content/uploads/2015/12/content1_852307.png

After the iFlow is deployed and executed, the following encrypted PGP message is sent to the HTTP receiver.

/wp-content/uploads/2015/12/msg1_852304.png

The encrypted message is extracted and saved as a text file. We will then use Kleopatra to decrypt and verify the file.

/wp-content/uploads/2015/12/kleo1_852308.png

The result from Kleopatra is shown below. The signature details correspond to the signing configuration in HCI.

/wp-content/uploads/2015/12/kleo_result1_852310.png

And the decrypted content matches the original content.

/wp-content/uploads/2015/12/output1_852311.png

Usage Example 2 – Decrypting & Verifying

The second example is the reverse of the first example. This time round, Kleopatra will be used to simulate encryption and signing of the message by an external partner. The encrypted message will then be decrypted and verified by HCI.

Below is the required setup in HCI for this scenario.

  • Verification using partner’s public key

This example also uses a simplified iFlow setup, where the encrypted content is statically configured in the iFlow and the decrypted output message is routed to an HTTP receiver.

/wp-content/uploads/2015/12/iflow2_852312.png

The PGP Decryptor is configured as follows:-

  • Verification of signatures is mandatory
  • Verification using PGP Partner's public key

Note that the decryption key does not need to be specified in the function: an OpenPGP message carries the ID of the key it was encrypted to in its Public-Key Encrypted Session Key packet, and the matching private key is looked up in the deployed secret keyring.

/wp-content/uploads/2015/12/decrypt_852313.png

To complete this configuration, we first need to create an encrypted message to simulate content from the external partner.

The content of the following file will be encrypted and signed using Kleopatra.

/wp-content/uploads/2015/12/input_852314.png

/wp-content/uploads/2015/12/kleo_encrypt_852315.png

The output will be in ASCII armored format.

/wp-content/uploads/2015/12/kleo_encrypt2_852320.png

The public key representing HCI is selected during encryption by Kleopatra.

/wp-content/uploads/2015/12/kleo_encrypt3_852321.png

Subsequently, Kleopatra will sign using the partner’s private key.

/wp-content/uploads/2015/12/kleo_encrypt4_852322.png

After the content has been encrypted and signed using Kleopatra, it is populated in the message body of the Content Modifier.

/wp-content/uploads/2015/12/kleo_encrypt5_852318.png

/wp-content/uploads/2015/12/content2_852316.png

Once all configuration is complete, the iFlow is deployed and executed. At the HTTP receiver, the following decrypted output is transmitted, which matches the original content.

/wp-content/uploads/2015/12/output2_852317.png

Conclusion

As shown, PGP message-level security is relatively easy to set up in HCI, and it helps secure message content in cloud-based integrations (especially file-based ones). Note that encryption alone only gives confidentiality; making signature verification mandatory in the decryptor, as in the second example, is what rejects messages that were not produced with the partner's key.


5 Comments


  1. Hailong Ji

    Nice blog, security is more important in HCI than in on-premise integration, and OpenPGP is quite a common standard.

    Thanks for sharing.

  2. Amit Kocharekar

    Nice Blog,

    I have a small question.

    In your first example, do we also need to include the public key under the name PGP Partner in the HCI tenant?

    Thanks,
    Amit

  3. Emre Ozkan

    Hi,

    I find this blog very useful. Thanks for putting together.

    Is there a way to make Encryption User Id of Key(s) from Public Key Ring parametric?

    Seems like it does not work. I am receiving this error:

    “No public encryption key found for the User Ids [${header.PGP_PUBLIC_KEY_USER_ID}] in the public keyring.”

    What is your experience about this?

    Best Regards

    Emre

    1. Sreyas R

      Hi All,

      I tried giving a part of the key's fingerprint, but then it is showing me the error "No public encryption key found for the User Ids". Is there any way to get the UserId of the keys? Kindly let us know if any.

      Thanks,

      Sreyas R
  4. Sujai Kaarthik Balasubramanian

    Hi Eng Swee Yeoh,

    Nice blog there. I have a query on this.

    Our scenario is like this: encryption will happen on the local system and decryption will happen on HCI. For the encryption part, we have written a Java utility which is used via an ABAP program. The file is getting encrypted, but decryption on HCI fails. Is there any way that we can make our encrypted file compatible with the decryption process on HCI? Any help links on that would be helpful.

    PS: We are using Bouncy Castle APIs for PGP encryption. Below is the error that we are getting on HCI system:

    Error               = com.sap.esb.camel.security.pgp.PgpException: An exception occurred during decrypting/verifiyng a PGP message. The PGP message may have been tampered.  Reason: The input message body has an invalid format. The PGP decryption/verification processor expects a sequence of PGP packets of the form (entries in brackets are optional and ellipses indicate repetition, comma represents  sequential composition, and vertical bar separates alternatives): Public Key Encrypted Session Key …, Symmetrically Encrypted Data | Sym. Encrypted and Integrity Protected Data, Compressed Data, (One Pass Signature …,) Literal Data, (Signature …,), cause: iaik.pgp.exceptions.PGPParsingException: Read invalid packet (COMPRESSED_DATA (TAG 8)) while decoding iaik.pgp.transferables.PGPMessage

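As an added example (not part of the post or of any comment above): a small Python inspector for an ASCII-armored PGP message that shows what a decryptor sees before it decrypts anything. It de-armors the text, checks the armor CRC, lists the outer packets, pulls the key ID out of the Public-Key Encrypted Session Key packet (which is how the PGP Decryptor picks its private key without one being configured), and checks the outer sequence against the form quoted in the error message above: session-key packets followed by one Symmetrically Encrypted or Sym. Encrypted and Integrity Protected Data packet. The two sample messages are constructed by hand with dummy packet bodies:

```python
"""Added example, not from the original post: list the outer OpenPGP packets
of an armored message without decrypting it. Samples are hand-built."""
import base64
import re

TAGS = {1: "Public-Key Encrypted Session Key", 2: "Signature", 4: "One-Pass Signature",
        8: "Compressed Data", 9: "Symmetrically Encrypted Data", 11: "Literal Data",
        18: "Sym. Encrypted and Integrity Protected Data"}

def crc24(data: bytes) -> int:
    """RFC 4880 armor checksum. Catches transport corruption only; tampering is
    caught by the signature and the MDC, never by this CRC."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    """ASCII-armor a binary message (used here to build the samples)."""
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP MESSAGE-----\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP MESSAGE-----\n")

def dearmor(text: str) -> bytes:
    """Strip armor lines and headers, base64-decode and verify the CRC line."""
    m = re.search(r"-----BEGIN PGP MESSAGE-----\r?\n(.*?)-----END PGP MESSAGE-----",
                  text, re.S)
    if not m:
        raise ValueError("no PGP MESSAGE armor block found")
    body = m.group(1).replace("\r\n", "\n").split("\n\n", 1)[-1]  # drop armor headers
    lines = [l.strip() for l in body.splitlines() if l.strip()]
    crc_line = lines.pop() if lines and lines[-1].startswith("=") else None
    data = base64.b64decode("".join(lines))
    if crc_line and crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC-24 mismatch: message corrupted in transit")
    return data

def _new_len(buf: bytes, pos: int):
    """New-format body length -> (length, next_pos, is_partial)."""
    o = buf[pos]
    if o < 192:
        return o, pos + 1, False
    if o < 224:
        return ((o - 192) << 8) + buf[pos + 1] + 192, pos + 2, False
    if o == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (o & 0x1F), pos + 1, True      # partial body length (streamed output)

def packets(buf: bytes):
    """Yield (tag, body) for every outer packet (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(buf):
        h = buf[pos]
        if not h & 0x80:
            raise ValueError(f"offset {pos}: 0x{h:02x} is not a packet header")
        if h & 0x40:                               # new-format header
            tag = h & 0x3F
            length, pos, partial = _new_len(buf, pos + 1)
            body, pos = buf[pos:pos + length], pos + length
            while partial:                         # collect the remaining chunks
                length, pos, partial = _new_len(buf, pos)
                body, pos = body + buf[pos:pos + length], pos + length
        else:                                      # old-format header
            tag, n = (h >> 2) & 0x0F, 1 << (h & 3)
            if h & 3 == 3:
                raise ValueError("indeterminate-length packet not supported")
            length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
            body, pos = buf[pos + 1 + n:pos + 1 + n + length], pos + 1 + n + length
        if pos > len(buf):
            raise ValueError(f"packet with tag {tag} is truncated")
        yield tag, body

def inspect(message: str):
    """Return (outer tags, PKESK key IDs, verdict) for an armored message."""
    pkts = list(packets(dearmor(message)))
    tags = [t for t, _ in pkts]
    # PKESK v3 body: version, 8-byte key ID, algorithm, MPIs. The key ID is what
    # lets the decryptor pick its private key; all zeros means hidden recipient.
    keyids = [b[1:9].hex().upper() for t, b in pkts if t == 1 and b[0] == 3]
    name = lambda t: TAGS.get(t, f"tag {t}")
    n = next((i for i, t in enumerate(tags) if t != 1), len(tags))
    if not tags:
        verdict = "empty message"
    elif n == 0:
        verdict = (f"first outer packet is {name(tags[0])}, not a PKESK: a layer was "
                   "added outside of, or instead of, the encryption")
    elif tags[n:] in ([9], [18]):
        verdict = "ok"
    else:
        verdict = "after the PKESK(s) expected one tag 9/18 packet, got: " + \
                  ", ".join(name(t) for t in tags[n:])
    return tags, keyids, verdict

# Constructed samples (dummy packet bodies, not real ciphertext)
PKESK_BODY = b"\x03" + bytes.fromhex("0123456789ABCDEF") + b"\x01\x00\x10\xab\xcd"
SEIPD_BODY = b"\x01" + bytes(20)
SAMPLE_OK = armor(bytes([0x84, len(PKESK_BODY)]) + PKESK_BODY          # old-format header
                  + bytes([0xD2, 0xE1]) + SEIPD_BODY[:2]             # new-format, partial
                  + bytes([len(SEIPD_BODY) - 2]) + SEIPD_BODY[2:])
SAMPLE_BAD = armor(bytes([0xC8, 4, 0x01, 0, 0, 0]))                   # Compressed Data outermost

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(inspect(sample))
```

inspect(SAMPLE_OK) returns the tags [1, 18], the key ID 0123456789ABCDEF and the verdict "ok", while SAMPLE_BAD reports Compressed Data as the outermost packet, which is a message no OpenPGP decryptor can take apart. A real message whose outer packets already look right but still fails has the problem inside the encrypted payload (the order of compression, one-pass signature, literal data and signature); gpg --list-packets, run where the recipient's private key is available, shows that inner sequence.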
