In my previous blog I showed the steps to install Eclipse and connect to the HCI PI tenant; please find the link here https://blogs.sap.com/2017/02/15/hci-pi-tenant-set-up-part2/ if you want to review it. In this blog, I will explain the different levels of security which HCI offers and how to create a Java keystore.
HCI offers 2 levels of security as mentioned below.
Transport level security
Message level security
Transport level security: This level of security is achieved by using the SFTP or HTTPS protocol in the adapters together with Basic Authentication or certificate-based authentication. I always recommend the latter type of authentication, which is more secure and robust.
Message level security: Apart from transport level security, HCI offers message level security, which means you can secure the message payload itself; the best-suited scenario is sending payroll data over the internet. With this type of security, both the customer and the vendor have the option to sign, or to sign and encrypt, the messages using public and private keys configured on both sides.
Supported standards and algorithms for encryption are as follows. The information below is referenced from help.sap.com for HCI-PI.

| Standard | Function |
|---|---|
| PKCS#7/CMS Enveloped Data and Signed Data | Encryption/decryption of message content |
| PKCS#7/CMS Enveloped and Signed Data | Encryption/decryption and signing/verifying payload |
| Open Pretty Good Privacy (PGP) | Encryption/decryption of message content |
| Open Pretty Good Privacy (PGP) | Encryption/decryption and signing/verifying the message |
| XML Signature | Signing/verifying payload |
| WS-Security | Signing/verifying SOAP body |
Before looking into creating a Java keystore, I will answer a few questions which occurred to me while working on the HCI-PI setup.
Why do we need to create a Java keystore? Because it supports the above-mentioned encryption standards, and the tool used to create the key pair is free.
Who needs to create a Java keystore? If you have a Basis background along with an integration development background, the integration developer can do it; otherwise it is easier to assign this task to the BASIS admin.
Who will deploy the keystore? If your BASIS admin knows how to use Eclipse, he/she can perform the deployment. It would also be easy for an integration developer to deploy the keystore onto the tenant.
Steps to create a Java key store
Assumptions: KeyStore Explorer is downloaded and installed on the local machine (if not, please download and install it from http://keystore-explorer.org/).
You have access to HCI with admin roles (if not, refer to my previous blog).
Eclipse is installed and connected to HCI PI (if not, refer to my previous blog).
Creating a Java Keystore
Step 1: Open KeyStore Explorer and click on Create a new KeyStore.
Step 2: Choose Java Cryptography Extension KeyStore (JCEKS) and click OK.
Step 3: Go to Tools, select Generate Key Pair and follow the steps shown below.
Step 4: Click on the book icon in the screenshot below and provide the details as shown in the screenshot.
Note: In the above-mentioned screenshot, for the common name (CN) you need to use a domain name owned by your company, like the domain of the email which you have in the organization (*.gmail.com). I have seen a few blogs in which the IFLMAP URL from HCI PI was used to generate the Java keystore; that will not get signed after generating the CSR, as the domain is owned by SAP. We went back and forth with SAP regarding this requirement, as I made the mistake of using the IFLMAP URL details, and they stated clearly that you can't use any SAP-owned domain as the CN.
Step 5: Provide a meaningful alias name which you can remember, because you need to reference the same alias in the channels if you need to sign any messages.
Step 6: Enter the password and please make a note of it.
Step 7: After successful generation of the key pair you will see the screenshot as below. Once the key pair is generated you can attach the required certificates, generate a CSR and get it signed by an SAP-authorized CA. I will cover this topic in my next blog about certificates.
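The same artefacts that steps 2 to 7 produce in the KeyStore Explorer GUI can be created from the command line with the JDK's keytool, which is handy for scripting and for double-checking the CN choice from the note above. This is an added example and not part of the original blog; it assumes keytool is on the PATH, and the O= and C= values and the hana.ondemand.com suffix (used by HCI tenant hostnames) are illustrative.

```shell
#!/bin/sh
# Added example, not from the blog: reproduce steps 2-7 with the JDK's keytool instead of the
# KeyStore Explorer GUI, and refuse the SAP-owned CN mistake described in the note above.
# Assumptions: keytool is on PATH; the O= and C= values and the hana.ondemand.com suffix
# (used by HCI tenant/IFLMAP hostnames) are illustrative.

# Returns 0 when the CN is a domain your company owns; 1 for an SAP-owned host such as the
# IFLMAP runtime URL, which a public CA will not issue a certificate for.
cn_is_acceptable() {
  case "$1" in
    ""|*" "*)                               return 1 ;;  # empty or contains whitespace
    *iflmap*|*.hana.ondemand.com|*.sap.com) return 1 ;;  # SAP-owned domains
    *)                                      return 0 ;;
  esac
}

# Create a JCEKS keystore (step 2) with an RSA key pair under ALIAS (steps 3-5) protected by
# PASS (step 6), then write the CSR to <keystore>.csr for the CA (step 7).
create_keystore_with_csr() {
  ks="$1"; alias="$2"; cn="$3"; pass="$4"
  cn_is_acceptable "$cn" || {
    echo "refusing CN '$cn': use a domain your company owns, not an SAP-owned one" >&2
    return 1
  }
  keytool -genkeypair -storetype JCEKS -keystore "$ks" -alias "$alias" \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 \
    -dname "CN=$cn, O=Example Corp, C=DE" \
    -storepass "$pass" -keypass "$pass" >/dev/null 2>&1 || return 1
  keytool -certreq -storetype JCEKS -keystore "$ks" -alias "$alias" \
    -storepass "$pass" -file "$ks.csr" >/dev/null 2>&1 || return 1
  # The channel will reference this alias, so confirm it is stored as a private key entry.
  keytool -list -storetype JCEKS -keystore "$ks" -storepass "$pass" -alias "$alias" 2>/dev/null \
    | grep -q PrivateKeyEntry
}

# Usage: create_keystore_with_csr hci.jceks hci-sign integration.example.com 'Str0ngPassw0rd'
```

The resulting .jceks file is what you deploy to the tenant with Eclipse, and the .csr file is what you send to the CA.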
Hope this helps!
See you in my next blog!