Skip to Content
Technical Articles
Author's profile photo Sunny Kapoor

How to encrypt/decrypt XML payload with AES256-CBC and RSA Algorithm in SAP Cloud Integration

In one of my proof of concept work, the requirement was to decrypt a XML payload using SAP Cloud Integration. This XML payload is encrypted as per the W3C Recommendation i.e. XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002 and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002

XML is encrypted using the SECXML_XENCRYPTION  standarad executable ABAP Report with the following specification:

  • AES256-CBC algorithm to encrypt data
  • RSA v1.5 algorithm to encrypt the AES key


Encrypted XML:

<Person xmlns:nm="" xmlns:prx="">
        <xenc:EncryptedData Type="" xmlns:xenc="">
            <xenc:EncryptionMethod Algorithm=""/>
            <ds:KeyInfo xmlns:ds="">
                <xenc:EncryptedKey Type="">
                    <xenc:EncryptionMethod Algorithm=""/>



As there is no encryption/decryption flow step in Cloud Integration for XML messages, there are two possible solution to decrypt the above XML using SAP Cloud Integration:

  1. Use a Groovy Script flow step with standard JAVA JCE/JCA Classes.
  2. Use a Groovy Script flow step with third party jar i.e. Apache Santuario . The Apache XML Security for Java library supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002 and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002.

The advantage of using Apache Santuario jar is, it is written as per the W3C recommendation, so you only need to pass the Encrypted XML, it automatically finds the encrypted key + algorithm and encrypted data + algorithm to give you the final decrypted XML.

Where as in 1st solution, we need to find the encrypted key first, decrypt it and then use the decrypted key to decrypt the data and finally append it to the original XML structure. But this approach do not require any external jars.

In this blog, first solution is used.

Integration Flow:

As you can see in the above screenshot, we receive the encrypted XML payload via SOAP adapter then log the payload and finally send the payload to XML Decryption groovy script flow step to get the decrypted XML.

The algorithm to decrypt the XML with standard JAVA JCE/JCA Classes is as follows:

  1. To decrypt the AES key which is encrypted via RSA algorithm, first we need to get the private key pair from the Cloud Integration keystore.
  2. Then extract the encrypted AES key and AES Data(Encrypted XML) from the given XML.
  3. Decrypt the AES Key string using the private key which we got in step 1.
  4. Decrypt the AES Data string(Encrypted XML) using the AES key which we got in step 3.
  5. Append the Decrypted XML to the original XML Structure.

XML Decryption Groovy Script:

import java.util.HashMap;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.crypto.spec.IvParameterSpec;
import org.apache.commons.codec.binary.Base64;
import groovy.xml.Namespace;
import groovy.util.XmlParser;
import groovy.xml.XmlUtil;

def Message processData(Message message) {
    KeystoreService service = ITApiFactory.getApi(KeystoreService.class, null);
    Certificate cert = service.getCertificate("rover");
    KeyPair keypair = service.getKeyPair("rover");
    PrivateKey privateKey = keypair.getPrivate();
    def body = message.getBody(java.lang.String) as String;
    def person = new XmlParser(false,false).parseText(body);
    def xencns = new groovy.xml.Namespace("",'xenc')
    def dsns = new groovy.xml.Namespace("",'ds');
    String encryptedAESKey = person[xencns.EncryptedData][dsns.KeyInfo][xencns.EncryptedKey][xencns.CipherData][xencns.CipherValue].text();
    String encryptedXMLData = person[xencns.EncryptedData][xencns.CipherData][xencns.CipherValue].text();
    SecretKey aes_key = decryptAESKey(encryptedAESKey, privateKey);
    String decryptedXMLData = decryptAESData(encryptedXMLData, aes_key);
    decryptedXMLData = "<root>" + decryptedXMLData + "</root>";
    def childNode = new XmlParser(true,true).parseText(decryptedXMLData);
    childNode.each{child ->
    def messageLog = messageLogFactory.getMessageLog(message);
    messageLog.addAttachmentAsString("Certificate", cert.toString(), "text/plain");
    messageLog.addAttachmentAsString("Encrypted AES Key", encryptedAESKey, "text/plain");
    messageLog.addAttachmentAsString("Encrypted XML Data", encryptedXMLData, "text/plain");
    messageLog.addAttachmentAsString("Decrypted AES Key", aes_key.getEncoded().toString(), "text/plain");
    messageLog.addAttachmentAsString("Decrypted XML Data", decryptedXMLData, "text/plain");
    return message;

SecretKey decryptAESKey(String encryptedAESKey, PrivateKey privateKey){
    byte[] decryptedAESKey = null;
    SecretKey aes_key = null;
    try {
        // get an RSA cipher object and print the provider
        final Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        // decrypt the text using the private key
        cipher.init(Cipher.DECRYPT_MODE, privateKey);
        decryptedAESKey = cipher.doFinal(Base64.decodeBase64(encryptedAESKey));
        aes_key = new SecretKeySpec(decryptedAESKey, "AES");
    } catch (Exception e) {
        throw new Exception(e.getMessage());
    return aes_key;

String decryptAESData(String encrypted, SecretKey key)  {
    int ivLen = 16;
	byte[] ivBytes = new byte[ivLen];
	byte[] encryptedBytes = Base64.decodeBase64(encrypted);
	System.arraycopy(encryptedBytes, 0, ivBytes, 0, ivLen);		
	IvParameterSpec ivParameterSpec = new IvParameterSpec(ivBytes);
	Cipher cipher = Cipher.getInstance("AES/CBC/ISO10126Padding");
    cipher.init(Cipher.DECRYPT_MODE, key, ivParameterSpec);
    String decrypted = new String(cipher.doFinal(encryptedBytes, ivLen, encryptedBytes.length - ivLen));
    return decrypted;


SOAP Request:

SOAP Response:

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Ricardo Viana
      Ricardo Viana

      Hi Sunny Kapoor,

      First of all Xmas for you and thanks for such nice blog.

      I would like to ask something, I will need also to produce POC for encryption and sign XML using CPI standard functions:

      "As there is no encryption/decryption flow step in CPI for XML messages, there are two possible solution to decrypt the above XML using SAP CPI:"

      Why you could not used it instead of go for custom solution using groovy.

      I was not able to check those functionalities but I tired in the past produce POC using the SOAP adapter with encrypt and sign and not works proper with SAP PO.

      Thanks and happy new year.


      Author's profile photo Sunny Kapoor
      Sunny Kapoor
      Blog Post Author

      Hi Ricardo Viana

      Kindly excuse me for replying you late on this.

      As I have mentioned in the blog, there is a specification for XML Encryption/Decryption from W3C

      XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002

      As of today there is no flowstep in CPI which understand the encrypted XML and can encrypt/decrypt the XML payload as per the specification.

      In an existing example the XML data is encrypted via AES256-CBC symmetric algorithm, where key is encrypted via RSA - asymmetric algirthm and is part of the XML payload itself.

      You can encrypt the entire XML or part of it.

      PGP and PKCS7 decryptor do not understand the encrypted XML specification and syntax and therefore cannot be used.

      Where as Signer is used for creating a digital signature and has a different concept and usage than encryption.

      Kindly go through the specification to understand this in detail.

      I hope this will help.



      Author's profile photo Noveen Bacchu
      Noveen Bacchu

      Hi Sunny,


      Can you please let us know the Ciphers suites supported by SAP CPI Neo?