HCI: Using PGP message level security in HCI
HCI comes packed with a lot of security related features. For message level security, it supports the OpenPGP standard. This is a commonly used standard in emails as well as file-based integrations.
In this blog, I will share how to create and deploy the OpenPGP keys, as well usage examples for PGP encryption and decryption in HCI.
As HCI is a cloud solution with automatic rolling updates, these steps are valid for the following versions and may change in future updates.
Below are component versions of the tenant and Eclipse plugins.
HCI Tenant Version: 2.8.5
Eclipse Plugin Versions: Adapter 2.11.1, Designer 2.11.1, Operations 2.10.0
Required PGP Software
The online HANA Cloud documentation below details the steps required to create the keys using Gpg4win.
However, the steps there are more directed towards tenants managed by SAP, and some of the steps can be skipped. I found that the steps can be simplified by just following the Generating Key Pairs section of the following Wiki which is used for PGP encryption/decryption in PI.
Both methods requires the installation of the Gpg4win tool. Additionally, during the installation, I recommend installing Kleopatra which comes with Gpg4win. It is a GUI based certificate manager and unified cryto which I will use for the examples in the following sections.
Creating OpenPGP Keys
Following the steps in the above Wiki, launch the command prompt to execute Gpg4win. Execute the following command:-
When Gpg4win is executed for the first time, the secret and public key rings will be created in the following folder.
Enter the following details based on the instructions of the program:-
- Key type – RSA and RSA (default)
- Keysize – 2048
- Validity – key does not expire
- Real name & email address – <provide own details>
- Passphrase – <enter passphrase to secure secret key ring>
Once everything has been entered, the public and secret key pair will be generated.
Deploying OpenPGP Keys
In order to use the keys, the keyrings have to be deployed into the HCI tenant.
Right click on the tenant in Node Explorer and select Deploy Artifacts.
First, select PGP Public Keyring and select the public keyring file that was generated above.
Repeat the above steps for PGP Secret Keyring. This will require the passphrase that was used during generation of the keyring above.
Once both keyrings have been deployed, they can be viewed on the Deployed Artifacts tab of the tenant.
Usage Example 1 – Encrypting & Signing
For the purpose of the following examples, another OpenPGP key pair has been generated which is used to represent the external partner that HCI will integrate with. This key pair is generated under the name PGP Partner.
For the first example, HCI will encrypt and sign the message. The encrypted and signed message will then be transmitted to the partner where it will be verified and decrypted. Below is the required set up in HCI for this scenario.
- Encryption with partner’s public key
- Signed with own private key
To simplify the example, the iFlow is designed with a static content in a Content Modifier and the output message is routed to an HTTP receiver.
The PGP Encryptor function is configured as follows:-
- Signatures are included in the message
- Encryption algorithm using AES 256
- Compression algorithm using ZLIB
- Output in ASCII Armored format
- Encryption using PGP Partner‘s public key
- Signing algorithm using SHA 256
- Signing using own private key
The Content Modifier is populated with the following static text in the message body.
After the iFlow is deployed and executed, the following encrypted PGP message is sent to the HTTP receiver.
The encrypted message is extracted and saved as a text file. We will then use Kleopatra to decrypt and verify the file.
The results of Kleopatra is as shown below. The signature corresponds to the signing configuration in HCI.
And the decrypted content matches the original content.
Usage Example 2 – Decrypting & Verifying
The second example is the reverse of the first example. This time round, Kleopatra will be used to simulate encryption and signing of the message by an external partner. The encrypted message will then be decrypted and verified by HCI.
Below is the required setup in HCI for this scenario.
- Verification using partner’s public key
This example will also use a simplified iFlow setup where the encrypted content is statically configured in the iFlow, and the decrypted output message will be routed to a HTTP receiver.
The PGP Decryptor is configured as follows:-
- Verification of signatures are mandatory
- Verification using PGP Partner‘s public key
Note that decryption key does not need to be specify in the function as it is determined implicitly from the message content.
To complete this configuration, we first need to create an encrypted message to simulate content from the external partner.
The content of the following file will be encrypted and signed using Kleopatra.
The output will be in ASCII armored format.
The public key representing HCI is selected during encryption by Kleopatra.
Subsequently, Kleopatra will sign using the partner’s private key.
After the content has been encrypted and signed using Kleopatra, it is populated in the message body of the Content Modifier.
Once all configuration is complete, the iFlow is deployed and executed. At the HTTP receiver, the following decrypted output is transmitted, which matches the original content.
As shown, usage of PGP message level security can be achieved relatively easily in HCI. This can help ensure that message content can be secured in cloud based integrations (especially file-based ones).