HCI: Using PGP message level security in HCI
Introduction
HCI comes packed with a lot of security related features. For message level security, it supports the OpenPGP standard. This is a commonly used standard in emails as well as file-based integrations.
In this blog, I will share how to create and deploy the OpenPGP keys, as well as usage examples for PGP encryption and decryption in HCI.
Component Details
As HCI is a cloud solution with automatic rolling updates, these steps are valid for the following versions and may change in future updates.
Below are component versions of the tenant and Eclipse plugins.
HCI Tenant Version: 2.8.5
Eclipse Plugin Versions: Adapter 2.11.1, Designer 2.11.1, Operations 2.10.0
Required PGP Software
The online HANA Cloud documentation below details the steps required to create the keys using Gpg4win.
However, the steps there are directed more towards tenants managed by SAP, and some of them can be skipped. I found that the steps can be simplified by just following the Generating Key Pairs section of the following Wiki, which is used for PGP encryption/decryption in PI.
Generating ASCII Armored PGP Key Pairs – Process Integration – SCN Wiki
Both methods require the installation of the Gpg4win tool. Additionally, during the installation, I recommend installing Kleopatra, which comes with Gpg4win. It is a GUI-based certificate manager and unified crypto GUI which I will use for the examples in the following sections.
Creating OpenPGP Keys
Following the steps in the above Wiki, launch the command prompt and run the gpg tool installed by Gpg4win. Execute the following command:-
gpg --gen-key
When gpg is executed for the first time, the secret and public keyrings will be created in the following folder.
C:\Users\<user>\AppData\Roaming\gnupg
Enter the following details based on the instructions of the program:-
- Key type – RSA and RSA (default)
- Keysize – 2048
- Validity – key does not expire
- Real name & email address – <provide own details>
- Passphrase – <enter passphrase to secure secret key ring>
Once everything has been entered, the public and secret key pair will be generated.
Deploying OpenPGP Keys
In order to use the keys, the keyrings have to be deployed into the HCI tenant.
Right-click on the tenant in Node Explorer and select Deploy Artifacts.
First, select PGP Public Keyring and select the public keyring file that was generated above.
Repeat the above steps for PGP Secret Keyring. This will require the passphrase that was used during generation of the keyring above.
Once both keyrings have been deployed, they can be viewed on the Deployed Artifacts tab of the tenant.
Usage Example 1 – Encrypting & Signing
For the purpose of the following examples, another OpenPGP key pair has been generated which is used to represent the external partner that HCI will integrate with. This key pair is generated under the name PGP Partner.
For the first example, HCI will encrypt and sign the message. The encrypted and signed message will then be transmitted to the partner where it will be verified and decrypted. Below is the required set up in HCI for this scenario.
- Encryption with partner’s public key
- Signed with own private key
To simplify the example, the iFlow is designed with static content in a Content Modifier, and the output message is routed to an HTTP receiver.
The PGP Encryptor function is configured as follows:-
- Signatures are included in the message
- Encryption algorithm using AES 256
- Compression algorithm using ZLIB
- Output in ASCII Armored format
- Encryption using PGP Partner's public key
- Signing algorithm using SHA 256
- Signing using own private key
The Content Modifier is populated with the following static text in the message body.
After the iFlow is deployed and executed, the following encrypted PGP message is sent to the HTTP receiver.
The encrypted message is extracted and saved as a text file. We will then use Kleopatra to decrypt and verify the file.
The result from Kleopatra is shown below. The signature corresponds to the signing configuration in HCI.
And the decrypted content matches the original content.
Usage Example 2 – Decrypting & Verifying
The second example is the reverse of the first example. This time round, Kleopatra will be used to simulate encryption and signing of the message by an external partner. The encrypted message will then be decrypted and verified by HCI.
Below is the required setup in HCI for this scenario.
- Verification using partner’s public key
This example will also use a simplified iFlow setup where the encrypted content is statically configured in the iFlow, and the decrypted output message is routed to an HTTP receiver.
The PGP Decryptor is configured as follows:-
- Verification of signatures is mandatory
- Verification using PGP Partner's public key
Note that the decryption key does not need to be specified in the function, as it is determined implicitly from the message content.
To complete this configuration, we first need to create an encrypted message to simulate content from the external partner.
The content of the following file will be encrypted and signed using Kleopatra.
The output will be in ASCII armored format.
The public key representing HCI is selected during encryption by Kleopatra.
Subsequently, Kleopatra will sign using the partner’s private key.
After the content has been encrypted and signed using Kleopatra, it is populated in the message body of the Content Modifier.
Once all configuration is complete, the iFlow is deployed and executed. At the HTTP receiver, the following decrypted output is transmitted, which matches the original content.
Conclusion
As shown, usage of PGP message level security can be achieved relatively easily in HCI. This can help ensure that message content can be secured in cloud based integrations (especially file-based ones).
Nice blog, security is more important in HCI than in on-premise integration, and the OpenPGP standard is quite a common standard.
Thanks for sharing.
Nice Blog,
I have a small question.
In your first example, do we need to include the Public key under the name PGP Partner also into HCI Tenant?
Thanks,
Amit
Hi,
I find this blog very useful. Thanks for putting together.
Is there a way to make Encryption User Id of Key(s) from Public Key Ring parametric?
Seems like it does not work. I am receiving this error:
"No public encryption key found for the User Ids [${header.PGP_PUBLIC_KEY_USER_ID}] in the public keyring."
What is your experience about this?
Best Regards
Emre
Hi,
I am getting the same error, did you find a way to use the User Ids dynamically?
Thank you
Kaleo
Hi Emre,
Did you try with setting Camel header(s) in Content Modifier? Set header "CamelPGPDataFormatKeyUserids" in script as List<String> type from your dynamic parameter before the PGP step and maintain any dummy user in PGP step.
The Camel Header will override the dummy user and your dynamic parameter will be set as PGP username.
Further details at - PGP :: Apache Camel and How to – Dynamic PGP Encryption UserId | SAP Blogs
Thanks,
Aditya
Hi Eng Swee Yeoh,
Nice blog there. I have a query on this.
Our scenario is like this: encryption will happen on the local system and decryption will happen on HCI. For the encryption part, we have written a Java utility which is used via an ABAP program. The file is getting encrypted, but decryption on HCI fails. Is there any way that we can make our encrypted file compatible with the decryption process on HCI? Any help links on that would be helpful.
PS: We are using Bouncy Castle APIs for PGP encryption. Below is the error that we are getting on HCI system:
Error = com.sap.esb.camel.security.pgp.PgpException: An exception occurred during decrypting/verifiyng a PGP message. The PGP message may have been tampered. Reason: The input message body has an invalid format. The PGP decryption/verification processor expects a sequence of PGP packets of the form (entries in brackets are optional and ellipses indicate repetition, comma represents sequential composition, and vertical bar separates alternatives): Public Key Encrypted Session Key ..., Symmetrically Encrypted Data | Sym. Encrypted and Integrity Protected Data, Compressed Data, (One Pass Signature ...,) Literal Data, (Signature ...,), cause: iaik.pgp.exceptions.PGPParsingException: Read invalid packet (COMPRESSED_DATA (TAG 8)) while decoding iaik.pgp.transferables.PGPMessage
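The error text above lists the packet sequence the HCI decryptor accepts, and Usage Example 2 notes that the decryption key is determined implicitly from the message content. As an added example (not code from the blog, HCI or any commenter), this Python script parses the top-level OpenPGP packets of an ASCII-armored message, reports which key IDs the session key is encrypted to, and flags outer layouts such as a Compressed Data packet at the top level. The sample messages are constructed with dummy packet bodies and are not real ciphertext.

```python
import base64

# OpenPGP packet tags (RFC 4880 section 4.3) that matter for the HCI decryptor check.
NAMES = {1: "Public-Key Encrypted Session Key", 2: "Signature", 4: "One-Pass Signature",
         8: "Compressed Data", 9: "Sym. Encrypted Data", 11: "Literal Data",
         18: "Sym. Encrypted and Integrity Protected Data"}
ARMOR = "-----BEGIN PGP MESSAGE-----\n\n%s\n-----END PGP MESSAGE-----\n"

def dearmor(text):
    """Decode the base64 body of an ASCII-armored message (drops armor headers and =CRC24)."""
    lines = text.strip().splitlines()[1:-1]                 # drop the BEGIN/END lines
    body = lines[lines.index("") + 1:] if "" in lines else lines
    return base64.b64decode("".join(l.strip() for l in body if not l.startswith("=")))

def parse_packets(data):
    """Return [(tag, body)] for the top-level packets; handles old- and new-format headers."""
    pos, packets = 0, []
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        if ctb & 0x40:                                        # new-format header, tag in low 6 bits
            tag, l1 = ctb & 0x3F, data[pos + 1]
            if 224 <= l1 < 255:
                raise ValueError("partial body lengths are not handled in this example")
            length, n = ((l1, 1) if l1 < 192 else (((l1 - 192) << 8) + data[pos + 2] + 192, 2)
                         if l1 < 224 else (int.from_bytes(data[pos + 2:pos + 6], "big"), 5))
        else:                                                 # old-format header, tag in bits 2-5
            tag, n = (ctb >> 2) & 0x0F, [1, 2, 4, 0][ctb & 0x03]  # 0 = body runs to end of data
            length = int.from_bytes(data[pos + 1:pos + 1 + n], "big") if n else len(data) - pos - 1
        pos += 1 + n
        packets.append((tag, data[pos:pos + length]))
        pos += length
    return packets
def check_message(armored):
    """Outer layer must be PKESK packet(s) then one tag 9/18 packet; the rest is nested inside."""
    packets = parse_packets(dearmor(armored))
    tags = [t for t, _ in packets]
    return {"ok": len(tags) > 1 and all(t == 1 for t in tags[:-1]) and tags[-1] in (9, 18),
            "layout": [NAMES.get(t, "tag %d" % t) for t in tags],
            "key_ids": [b[1:9].hex().upper() for t, b in packets if t == 1]}  # keys that can decrypt
def packet(tag, body):                   # new-format header; sample bodies are under 192 bytes
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body
# Constructed samples with dummy bodies (no real ciphertext): PKESK body = version 3, 8-byte
# key ID, algorithm 1 (RSA), session key. BAD wraps everything in a Compressed Data packet.
PKESK = packet(1, b"\x03" + bytes.fromhex("0123456789ABCDEF") + b"\x01" + b"\x00" * 20)
SEIPD = packet(18, b"\x01" + b"\x00" * 40)
GOOD = ARMOR % base64.b64encode(PKESK + SEIPD).decode()
BAD = ARMOR % base64.b64encode(packet(8, b"\x01" + PKESK + SEIPD)).decode()
```

Running check_message on a real armored file exported from HCI or Kleopatra shows the same outer layout (PKESK then tag 18) and the key ID the session key was encrypted to, which is what the decryptor uses to pick the secret key from the deployed keyring.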
Hi Sujaai,
Did you find the solution for this? We are having the same issue with decrypting using CPI for a file received from Commerce.
Regards,
Venkat
Hi Sujai,
I have a requirement where I have to perform only signing with a PGP key. The standard PGP Encryptor palette activity in CPI does both encryption and signing. The other activity, Simple Signer, does not allow a PGP secring. I guess the solution can be achieved using the BouncyCastle API. I understand you have used the BC API in your project. Please help me with some pointers on how to set up BC APIs in CPI and how to access the PGP private key.
Hello,
How many public keys are permitted to be uploaded in each tenant? I need to handle more than one for each iFlow. How can I do this?
Regards.
Hi Roland,
I just asked the same question on https://answers.sap.com/questions/634434/upload-multiple-pgp-public-keys.html Did you manage to sort this out?
Iddo
Thanks for sharing this blog. I recently read the blog post on SAP CPI PGP Security, then searched for HCI and finally found this.