Encryption/Decryption in SAP PI with Seeburger PGP Module
Pretty Good Privacy (PGP) is a data encryption and decryption algorithm that provides privacy and authentication for data communication. It is primarily used where the data is sensitive and needs to be encrypted before it is sent from SAP PI to third-party vendors or external applications, and vice versa. In this blog, the Seeburger PGP module configuration with the SFTP adapter is described. The Seeburger PGP module provides composition and decomposition of OpenPGP messages in SAP NW PI. The messages comply with RFC 4880 (OpenPGP Message Format), which is based on PGP 5.x. With PI 7.11+, PGP is available as part of the SAP NetWeaver Process Orchestration Secure Connectivity Add-On. PGP is an adapter user module which can be used with any Java adapter, e.g. File/FTP/SFTP, JDBC, SOAP, RFC, HTTP etc.
The PGP module uses the public key encryption method to secure the content of the business document. It allows us to encrypt/decrypt and digitally sign or verify a message.
- Signing a message with a Private Key
- Encrypting a message with Public Key or Pass-phrase
- Signing and Encrypting a message
- Verifying a received OpenPGP message.
- Decrypting a received OpenPGP message.
Simple integration diagram of a scenario where the source system is an internal FTP server and the target system is an external/third-party application. SAP PI is the middleware used for interfacing.
1. Pre-requisite for using PGP
The file SeePGPModulePI.sca has to be available. Deploy the file SeePGPModulePI.sca with the SAP Software Deployment Manager (JSPM). This step was performed by the Basis team.
A user with sufficient permissions should be configured for PGP module under Property Store’s front-end settings.
3. SAP NetWeaver Administrator (NWA) Settings
Log in to NWA and navigate to Identity Management. Create a user with the same user name and password as the one registered in the Seeburger Property Store front end in the first step, i.e. PGPUSER. Assign the role view-creator.<PGPViewName> to the newly created user.
Manage Role of PGP front end settings has to be assigned in NWA. (This step was performed by the basis team)
4. PGP Key Management
The PGP keys can be generated directly from the Seeburger Key Center front end, or they can be generated with publicly available websites and programs and the generated key pair imported into the Seeburger key store. Both options are described below.
Encryption: The concept is that your private key is used to digitally sign/encrypt a message when sending to your business partner, and the public key needs to be provided to your business partner. Your business partner will use the public key to verify the digital signature.
Decryption: Your business partner will use the public key (provided by you) to encrypt the message. For decryption, your private key will be used to decrypt the file sent by your business partner.
A 'Test' view is created in NWA (for testing purposes) under Configuration Management -> Certificates & Keys. The key pair will be generated under this view once all the steps are completed.
Option 1: Create the PGP keys from Seeburger Key Store Management. Navigate to the Key Center front end and click on Create (PGP Key Management).
Complete the PGP keyring details and provide all the key-specific information such as key size, user name, email address etc. If the 'generate public key' option is selected, the corresponding public key-ring will be created and stored as TRUSTED/<view>/<cert>_pub; otherwise only the private key-ring will be created and stored as TRUSTED/<view>/<cert>_sec in the view 'Test' which was created in NWA. Click on Confirm and the key pair will be generated.
Option 2: You can also use any publicly available programs, websites or open tools for key generation. Reference: https://www.igolder.com/pgp/generate-key/
Set the pass-phrase for the key-pair and click on Generate PGP Keys.
The generated key pair has to be imported into the Seeburger Workbench -> Key Center front end.
After the key pair is created by either of the methods, the public and private key can be viewed and downloaded from NWA. Navigate to PI NWA -> Configuration Management -> Certificates and Keys -> select the 'Test' view.
Public key _pub is renamed as pgpencrpypt_pub
Private key _sec is renamed as pgpdecrypt_sec
(Any naming convention can be used here)
5. PGP Module Configuration in the Communication Channel
The PGP module is configured in a certain adapter channel to allow secured data transmission according to the PGP protocol. A new module needs to be inserted in the module tab of the communication channel.
Module Name: localejbs/Seeburger/PGP
Module Type: Local Enterprise Bean
The module position is important: it should be placed after all attachments have been created and after unpacking any zip document.

| Action | Description |
| --- | --- |
| Sign | Signs the message using PGP public key from trusted keystore |
| Encrypt | Encrypts a message using PGP public keys from a keystore |
| Sign-Encrypt | Combination of Sign & Encrypt |

The channel below is configured for the 'encrypt' action:
- Encryption algorithm: CAST5. The algorithm used to encrypt a document with a session key. The supported algorithms are CAST5 (default), TRIPLEDES, BLOWFISH, AES-128, AES-192 and AES-256.
- Encrypt Mode: encrypt
- Encrypt Key: key store path where the encrypting public key is located/stored (public key format: TRUSTED/<view>/<certificate>).
- EncryptPass: character sequence used to encrypt a message. The receiver needs the same pass-phrase for decrypting the message.
Encrypted file received at recipient side: the target system receives the encrypted file and utilizes the shared public key to decrypt the file.
Decryption Process
There are three actions that can be performed with the decryption process:

| Action | Description |
| --- | --- |
| Verify | Verifies the signature of a PGP document with public keys |
| Decrypt | Decrypts the messages with PGP private keys from trusted keystore |
| Decrypt-Verify | This is a combination of decrypt & verify |

The channel below is configured for the 'decrypt' action:
- Decrypt Key: key-store entry that stores the private key. The entry has to be specified as TRUSTED/<view>/<certificate>.
- Decrypt Key pass: this parameter is the pass-phrase to access the private key.
- Mode: decrypt
- Decrypt pass: pass-phrase to decrypt the session ID.
When PI receives the encrypted file from the vendor, the private key stored in the trusted key-store is utilized to decrypt the file and then a plain text file is sent to the source system.