
Summary

Pretty Good Privacy (PGP) is a data encryption and decryption standard that provides privacy and authentication for data communication. It is primarily used where the data is sensitive and needs to be encrypted before it is sent via SAP PI to third-party vendors or external applications, and vice versa. In this blog, the Seeburger PGP module configuration with the SFTP adapter is described. The Seeburger PGP module provides composition and decomposition of OpenPGP messages in SAP NetWeaver PI. The messages comply with RFC 4880 (OpenPGP Message Format), which is based on PGP 5.x. With PI 7.11+, PGP is available as part of the SAP NetWeaver Process Orchestration Secure Connectivity Add-On. PGP is an adapter user module which can be used with any Java adapter, e.g. File/FTP/SFTP, JDBC, SOAP, RFC, HTTP etc.

The PGP module uses public key encryption to secure the content of the business document. It allows us to encrypt/decrypt and digitally sign or verify a message.

Features

Composing

  • Signing a message with a Private Key
  • Encrypting a message with Public Key or Pass-phrase
  • Signing and Encrypting a message

Decomposing

  • Verifying a received OpenPGP message.
  • Decrypting a received OpenPGP message.

Below is a simple integration diagram of a scenario where the source system is an internal FTP server and the target system is an external/third-party application. SAP PI is the middleware used for interfacing.


Procedure

1. Prerequisite for using PGP

The file SeePGPModulePI.sca has to be available. Deploy the file SeePGPModulePI.sca with the SAP Software Deployment Manager (JSPM). This step was performed by the Basis team.

2. Installation Steps

A user with sufficient permissions should be configured for the PGP module under the Property Store's front-end settings.

Namespace                      Name          Value
http://seeburger.com/xi/PGP    Key pgpUser   PGPUSER
http://seeburger.com/xi/PGP    Key pgpPass   (password of PGPUSER)


3. SAP NetWeaver Administrator (NWA) Settings

Log in to NWA and navigate to Identity Management. Create a user with the same user name and password as the one registered in the Seeburger Property Store front end in the previous step, i.e. PGPUSER. Assign the role view-creator.<PGPViewName> to the newly created user.

The Manage Role of the PGP front-end settings has to be assigned in NWA. (This step was performed by the Basis team.)


4. PGP Key Management

The PGP keys can be generated directly from the Seeburger Key Center front end, or they can be generated with publicly available websites and programs and the resulting key pair imported into the Seeburger key store. Both options are described below.

Encryption: the concept is that your private key is used to digitally sign/encrypt a message when sending to your business partner, and the public key needs to be provided to your business partner. Your business partner will use the public key to verify the digital signature.

Decryption: your business partner will use the public key (provided by you) to encrypt the message. For decryption, your private key will be used to decrypt the file sent by your business partner.

A view named 'Test' is created in NWA (for testing purposes) under Configuration Management -> Certificates & Keys. The key pair will be generated under this view once all the steps are completed.

Option 1: Create the PGP keys from Seeburger Key Store Management. Navigate to the Key Center front end and click on Create (PGP Key Management).


Complete the PGP keyring details and provide all the key-specific information such as key size, user name, email address etc. If the "generate public key" option is selected, the corresponding public keyring is created and stored as TRUSTED/<view>/<cert>_pub; otherwise only the private keyring is created and stored as TRUSTED/<view>/<cert>_sec in the view 'Test' which was created in NWA. Click on Confirm and the key pair will be generated.


Option 2: You can also use any publicly available program, website or open tool for key generation. Reference: https://www.igolder.com/pgp/generate-key/

Set the pass-phrase for the key pair and click on Generate PGP Keys.


The generated key pair has to be imported via Seeburger Workbench -> Key Center front end.


After the key pair is created by either of the methods, the public and private keys can be viewed and downloaded from NWA. Navigate to PI NWA -> Configuration Management -> Certificates and Keys and select the 'Test' view.

The public key <cert>_pub is renamed to pgpencrypt_pub.

The private key <cert>_sec is renamed to pgpdecrypt_sec.

(Any naming convention can be used here.)

5. PGP Module Configuration in the Communication Channel

The PGP module is configured in a certain adapter channel to allow secured data transmission according to the PGP protocol. A new module needs to be inserted in the Module tab of the communication channel.

Module Name: localejbs/Seeburger/PGP

Module Type: Local Enterprise Bean

The module position is important: it should be placed after all attachments have been created and after any zip document has been unpacked.

Encryption Process

Action          Description
Sign            Signs the message using the PGP public key from the trusted keystore
Encrypt         Encrypts a message using PGP public keys from a keystore
Sign-Encrypt    Combination of Sign and Encrypt

The channel below is configured for the 'encrypt' action.


Explanation

  • Encryption algorithm: CAST5. The algorithm used to encrypt the document with a session key. Supported algorithms are CAST5 (default), TRIPLEDES, BLOWFISH, AES-128, AES-192 and AES-256.
  • Encrypt Mode: encrypt
  • Encrypt Key: keystore path where the encryption public key is stored (public key format TRUSTED/<view>/<certificate>).
  • EncryptPass: character sequence used to encrypt a message. The receiver needs the same pass-phrase for decrypting the message.

Encrypted file received at the recipient side: the target system receives the encrypted file and utilizes the shared public key to decrypt the file.

Decryption Process

There are three actions that can be performed in the decryption process.

Action          Description
Verify          Verifies the signature of the PGP document with public keys
Decrypt         Decrypts the message with PGP private keys from the trusted keystore
Decrypt-Verify  Combination of Decrypt and Verify

The channel below is configured for the 'decrypt' action.

Explanation

  • Decrypt Key: keystore entry that stores the private key. The entry has to be specified as TRUSTED/<view>/<certificate>.
  • Decrypt Key Pass: the pass-phrase to access the private key.
  • Mode: decrypt
  • Decrypt Pass: pass-phrase to decrypt the session ID.

When PI receives the encrypted file from the vendor, the private key stored in the trusted keystore is utilized to decrypt the file, and a plain text file is then sent to the source system.

Additional Information


System details where the scenario was successfully tested

Component                   Release
SAP Process Integration     7.1, SP10