Human Capital Management Blogs by SAP
wbrown
There has been interest in sending encrypted files from Employee Central Payroll. This blog post describes one way to encrypt the raw files from SAP SuccessFactors Employee Central Payroll using an open-source program, and then uses a sample ABAP program to create an encrypted PDF file with which to test decryption.

The following steps for creating keys and certificates are provided only as an example. The sample code generates a single PDF for testing purposes. Your conditions, specifications, system set-up, and other factors will require you to modify and adapt it to your needs.

REMEMBER, before attempting these steps, follow up with your IT and security teams to ensure this procedure adheres to your company's standards and policies.

In this example, the certificate is created using OpenSSL, a permissively licensed open-source toolkit. Other encryption options are available that you should explore. Use the encryption option that best meets your requirements.

Roles:

In this procedure, four roles are used:

  1. The creator of the encryption key

  2. An administrator with access to your SAP Employee Central Payroll system, who sets the parameters and runs the program created by the developer.

  3. A developer, who creates the ABAP program using the sample code.

  4. The person decrypting the file.


Procedure


Creating the Encryption Key


[Role: Creator of the encryption keys, person receiving the encrypted file]

  1. Go to OpenSSL and download Win64OpenSSL-<latest build>.exe to your local PC.


NOTE: OpenSSL is continually updated, ensure you are using the latest build.

  2. Scan for threats, then install the application to C:\OpenSSL-Win64.

  3. Go to the C:\OpenSSL-Win64\bin folder and create a new folder, for example, certificate_demo.

  4. Run Cmd as an administrator.

  5. In Cmd, change directory to C:\OpenSSL-Win64\bin\certificate_demo (cd C:\OpenSSL-Win64\bin\certificate_demo).

  6. Run ..\openssl.exe

  7. Generate Private Key: Within the openssl console enter the following to generate a private key:


genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:1024

NOTE: For this example, the RSA key length is 1024 bits. A length of 2048 may create problems. Note that 1024-bit RSA is below current key-length recommendations, so confirm with your security team which key length your SSF security product accepts before using this outside a test system.

  8. Generate Certificate: Within the openssl console enter the following to generate an X.509 certificate:


req -new -x509 -key private_key.pem -out cacert.pem -days 3650

  9. When prompted, provide the following:

    1. Country: <Your Country>

    2. State: <Your State>

    3. Locality Name: <Your City>

    4. Organization Name: <Your Company Name>

    5. Organizational Unit Name: Leave blank

    6. Common Name: <Your Initials>

    7. Email Address: Leave blank



  10. Verify that the two PEM files (private_key.pem and cacert.pem) are in the certificate_demo folder. The cacert.pem file is used in the next step, loading it into the SAP Trust Manager (transaction STRUST). The private_key.pem file stays with the person who will decrypt the file and is never sent to the payroll system.


Set EC Payroll Parameters in the SAP Trust Manager


[Role: SAP EC Payroll administrator, who has access to SAP Trust Manager, transaction STRUST]

NOTE: SAP Trust Manager provides the personal security environment (PSE) and certificate maintenance functions, including maintaining the list of certification authorities that the system accepts.

  11. Sign in to the SAP GUI and enter transaction SE16.

  12. Enter table SSFAPPLIC, then Execute to open the Data Browser: Table SSFAPPLIC Select Entries.


NOTE: If the SSFAPPLIC table is not in your system, you must create the table.

  13. Go to the context menu of the table entry, and then select

  14. Enter APPLIC (a unique name for the application).

  15. Check only the following fields, leaving all others unchecked:

    • B_TOOLKIT

    • B_FORMAT

    • B_PAB

    • B_PROFID

    • B_PROFILE

    • B_ENCRALG



  16. Enter a unique description in the DESCRIPT field, for example, <Demo_Date>.

  17. Save the new table entry.

  18. Enter transaction STRUST.

  19. Go to the Environment tab, then select SSF Parameters.

  20. Choose Change View.

  21. Choose New Entries.

  22. Under SSF Application, select the newly created application description from Step 16, for example, <Demo_Date>.

  23. The values for the following fields are auto-generated, though you have the option to rename or change them:

    1. Security Product

    2. SSF Format

    3. Private Address Book

    4. SSF Profile Name

    5. SSF Profile ID (Opt.): Leave blank

    6. Encryption Algorithm



  24. Choose

  25. The newly created SSF Application displays with a red X, instead of a folder symbol, next to the name of the application.

  26. Right-click the name of the newly created SSF Application and then select Create.

  27. In the Create PSE dialog box that displays, choose the green check mark to use the default values.

  28. The red X is now replaced by the folder symbol.

  29. Choose Import Certificate.

  30. Under File Path, enter C:\OpenSSL-Win64\bin\certificate_demo\cacert.pem

  31. Choose

  32. Choose Add to Certificate List.

  33. Highlight the newly added certificate and select Verification PSE.

  34. Assign a PSE name.

  35. Save the change.

  36. Highlight the whole subject line of the desired certificate, copy it to the clipboard, then paste it into Notepad or another text editor for later use. This subject is the recipient value the sample ABAP program expects (parameter P_REC).

  37. Go to the Environment tab, then select ICM Monitor.

  38. In the ICM Monitor, go to Administration > ICM > Restart, and confirm with Yes.

  39. Choose Back to return to the Trust Manager.


Generate a Sample Encrypted File


[Roles: An ABAP Developer, who can add the sample code to generate a program. The SAP EC Payroll administrator runs the program.]

  40. Use the following ABAP sample code, adding your task-specific information, to create a program that generates an encrypted PDF statement for testing your results.

  41. Run the ABAP program; an encrypted file is generated.

  42. Save and store this file in a local PC file folder.

  43. Send that file to the receiving party.


Decrypting the File


[Role: Person decrypting the file, who has access to the private key for decryption]

Prerequisite: You have received the encrypted file from the sending party and have access to the private key.

  44. Place the encrypted file you received into the same folder from which you ran openssl.exe (certificate_demo).


NOTE: If you weren’t involved with Creating the Encryption Key, repeat steps 1-3 of that procedure before proceeding.

  45. Go to the folder and run ..\openssl.exe

  46. Enter the following command to decrypt the file:


smime -decrypt -in <encrypted file> -inkey private_key.pem -inform DER -out <decrypted file>

NOTE: This is the private key that was created in step 7 of Creating the Encryption Key. The -inform DER option is needed because the file written by the SSF envelope is DER-encoded, not PEM.

  47. Verify that the <decrypted file> opens correctly.
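The whole procedure end to end (key and certificate creation, a PKCS#7 envelope in the DER form the ABAP program's SSF_KRN_ENVELOPE call writes, and the decrypt command above), as an added example that is not part of the original post. It assumes openssl is on PATH, works in a throw-away directory instead of C:\OpenSSL-Win64\bin\certificate_demo, answers the certificate prompts with constructed -subj values, and uses a constructed text file as a stand-in for a real payslip PDF; the encrypt step is an OpenSSL stand-in for the SSF call, not the SSF call itself.

```shell
# Added example, not from the blog: OpenSSL round trip of the key/certificate
# creation and of the "smime -decrypt ... -inform DER" step. Assumes openssl is
# on PATH and runs in a scratch directory (certificate_demo in the blog).
set -eu

# The blog's genpkey and req commands, non-interactive (-subj answers the prompts).
# Key size is a parameter: the blog uses 1024 for its SSF test; OpenSSL itself
# has no problem with 2048.
create_key_and_cert() {
  bits=${1:-2048}
  openssl genpkey -algorithm RSA -out private_key.pem \
      -pkeyopt rsa_keygen_bits:"$bits" 2>/dev/null
  openssl req -new -x509 -key private_key.pem -out cacert.pem -days 3650 \
      -subj "/C=US/ST=Demo State/L=Demo City/O=Demo Company/CN=WB" 2>/dev/null
  # This subject is the value the ABAP program expects in P_REC
  openssl x509 -in cacert.pem -noout -subject
}

# Stand-in for SSF_KRN_ENVELOPE: PKCS#7 EnvelopedData, written as DER like SSF does
encrypt_for_recipient() {   # $1 plaintext, $2 DER output
  openssl smime -encrypt -binary -aes256 -outform DER -in "$1" -out "$2" cacert.pem
}

# Check before sending: the file must parse as pkcs7-envelopedData, i.e. it is
# really an envelope and not the plaintext PDF
is_enveloped_data() {
  openssl asn1parse -inform DER -in "$1" 2>/dev/null | grep -q 'pkcs7-envelopedData'
}

# The blog's decrypt command; -inform DER because the SSF output is DER, not PEM
decrypt_with_private_key() {   # $1 DER envelope, $2 plaintext output
  openssl smime -decrypt -in "$1" -inkey private_key.pem -inform DER -out "$2"
}

# Returns 0 only when the decrypted file is byte-identical to the original
round_trip() {
  cd "$(mktemp -d)"
  create_key_and_cert "${KEY_BITS:-2048}" >/dev/null
  printf 'constructed stand-in for a payslip PDF\n' > payslip.pdf   # constructed input
  encrypt_for_recipient payslip.pdf payslip.p7m
  is_enveloped_data payslip.p7m || return 1
  if is_enveloped_data payslip.pdf; then return 1; fi
  decrypt_with_private_key payslip.p7m payslip_dec.pdf
  cmp -s payslip.pdf payslip_dec.pdf
}
```

Run round_trip in a shell; it prints nothing and exits 0 on success, so a failing envelope check or a mismatching decrypt is visible as a non-zero exit status.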


Summary


This procedure demonstrates a proof of concept: an example of how to publish a raw file as an encrypted PDF. Security and encryption are serious topics, and it is important to do your own research into how you can provide safety and security for your encrypted files in your situation. This is only an initial example; you need to find the best way to satisfy your organization's security policies.

Sample ABAP Code

*&---------------------------------------------------------------------*
*& Report ZSAMPLE_ENCRYPT_PAYSLIP
*&
*&---------------------------------------------------------------------*
*& This program uses Logical Database PNP, please create the executable program
*& using that parameter in the attributes screen.
*&---------------------------------------------------------------------*
REPORT zsample_encrypt_payslip USING DATABASE pnp.

TABLES: pernr.
INFOTYPES: 0001. "Org assign. to focus on Pay-Area, CoCode

SELECTION-SCREEN: BEGIN OF BLOCK a01 WITH FRAME TITLE text-a01. "General Settings

PARAMETERS: p_pse TYPE ssfappl MATCHCODE OBJECT f4strustssf. "SSF Application (PSE)
PARAMETERS: p_rec TYPE certsubjct. "Recipient (Cert. Subject)
SELECTION-SCREEN: END OF BLOCK a01.
SELECTION-SCREEN SKIP 1.

SELECTION-SCREEN: BEGIN OF BLOCK b01 WITH FRAME.

PARAMETERS:
p_rfold LIKE rlgrap-filename. "Encrypted filename
SELECTION-SCREEN: END OF BLOCK b01.

DATA: lo_payslip_helper TYPE REF TO cl_hrxss_rem_helper. "Type in Central routines for ESS Payslip class
DATA: lt_rgdir TYPE TABLE OF pc261, "Cluster Directory for export and import of Payroll Results
ls_rgdir TYPE pc261, " Payroll Results structure
lv_form_name TYPE hrf_name, " HR Forms: Object Name
lv_document TYPE xstring.

DATA: ls_pmehf TYPE pmehf. " Structure of Feature HRFOR for Form Selection
DATA: lc_molga TYPE molga. " Country Grouping
DATA: params LIKE ssfparms. " SSF function module parameter fields;

DATA: it_temp_doc_table TYPE saml2_pse_bin_data_t, " Table for SAML 2.0 PSE data
it_input_table TYPE saml2_pse_bin_data_t,
it_output_table TYPE saml2_pse_bin_data_t,
lv_payslip_doc_size TYPE i,
lv_doc_size TYPE i,
lv_output_doc_size TYPE i.

AT SELECTION-SCREEN ON VALUE-REQUEST FOR p_rfold.
PERFORM file_f4 CHANGING p_rfold. " user specify filename & location on Windows PC

INITIALIZATION.

START-OF-SELECTION.

GET pernr.

CREATE OBJECT lo_payslip_helper EXPORTING iv_pernr = pernr-pernr.
CLEAR: lt_rgdir.
lt_rgdir = lo_payslip_helper->get_filtered_rgdir( ).

* Use the first entry of the filtered payroll directory; skip the employee if there is none
READ TABLE lt_rgdir INTO ls_rgdir INDEX 1.
CHECK sy-subrc = 0.

LOOP AT p0001 WHERE begda LE ls_rgdir-ipend
AND endda GE ls_rgdir-ipend.
ENDLOOP.

MOVE-CORRESPONDING p0001 TO ls_pmehf ##ENH_OK.
MOVE-CORRESPONDING ls_rgdir TO ls_pmehf ##ENH_OK.

CALL FUNCTION 'HR_COUNTRYGROUPING_GET' " Determine Country Grouping
EXPORTING
pernr = pernr-pernr " Personnel Number
IMPORTING
molga = lc_molga " country grouping
EXCEPTIONS
not_found = 1
OTHERS = 2.
* Without a country grouping the HRFOR feature cannot select a form: skip this employee
CHECK sy-subrc = 0.

ls_pmehf-rclas = 'CESS'. " C for payslip: CESS; T for Timeslip: 'TESD', 'TESP'.
ls_pmehf-molga = lc_molga.
ls_pmehf-uname = sy-uname.
CLEAR: lv_document.

CALL FUNCTION 'HR_FEATURE_BACKFIELD' " Form name from feature HRFOR
EXPORTING
feature = 'HRFOR'
struc_content = ls_pmehf
kind_of_error = space
IMPORTING
back = lv_form_name
EXCEPTIONS
OTHERS = 1.
* No form name means no payslip can be rendered for this employee: skip it
CHECK sy-subrc = 0 AND lv_form_name IS NOT INITIAL.

CALL METHOD lo_payslip_helper->get_payslip
EXPORTING
is_rgdir = ls_rgdir
iv_form_name = lv_form_name " paystub print form
IMPORTING
ev_document = lv_document " payslip in pdf format
EXCEPTIONS
OTHERS = 1.
* Only append a document that was actually produced; an empty xstring would corrupt the output
CHECK sy-subrc = 0 AND lv_document IS NOT INITIAL.

CLEAR: it_temp_doc_table, lv_payslip_doc_size.

CALL FUNCTION 'SCMS_XSTRING_TO_BINARY'
EXPORTING
buffer = lv_document
IMPORTING
output_length = lv_payslip_doc_size
TABLES
binary_tab = it_temp_doc_table.

APPEND LINES OF it_temp_doc_table TO it_input_table.

ADD lv_payslip_doc_size TO lv_doc_size.

END-OF-SELECTION.

* encrypt the paystub with user specified SSF-Application profile, recipient's certificate subject for public-key lookup
* obtain the encrypted file in PDF along with doc size
PERFORM encrypt USING p_pse p_rec lv_doc_size it_input_table CHANGING lv_output_doc_size it_output_table.

* download the encrypted paystubs to the specified location with specified filename, on Windows PC
PERFORM out_data_table_to_disk TABLES it_output_table USING p_rfold lv_output_doc_size.

* Windows GUI access to specify filename and location
FORM file_f4 CHANGING file.

DATA:
lt_filetable TYPE filetable,
lf_rc TYPE i,
ls_file TYPE file_table.

* Call file selector at frontend
CALL METHOD cl_gui_frontend_services=>file_open_dialog
EXPORTING
multiselection = abap_false
CHANGING
file_table = lt_filetable
rc = lf_rc
EXCEPTIONS
file_open_dialog_failed = 1
cntl_error = 2
error_no_gui = 3
not_supported_by_gui = 4
OTHERS = 5.

IF sy-subrc <> 0.
MESSAGE ID sy-msgid TYPE 'S' NUMBER sy-msgno
DISPLAY LIKE 'E'
WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
EXIT.
ENDIF.

* Number of selected files must be equal to one.
CHECK lf_rc = 1.

* Access selected file
READ TABLE lt_filetable INTO ls_file INDEX 1.
CHECK sy-subrc = 0.
file = ls_file-filename.

ENDFORM. "FILE_F4


*&---------------------------------------------------------------------*
*& Form ENCRYPT
*&---------------------------------------------------------------------*
* Takes user pre-configured SSF Application profile (PSE), and certificate
* subject of the previously imported certificate of recipient, encrypt the readable (plain-text)
* paystubs in PDF, generate the encrypted data.
*----------------------------------------------------------------------*
* -->LP_PSE SSF Application
* -->LP_REC Recipient of encrypted file
* -->LP_LV_DOC_SIZE paystub doc size
* -->LP_IT_INPUT_TABLE readable paystubs
* <--LP_LV_OUTPUT_DOC_SIZE encrypted file size
* <--LP_IT_OUTPUT_TABLE encrypted file in PDF
*----------------------------------------------------------------------*
FORM encrypt USING lp_pse
lp_rec
lp_lv_doc_size
lp_it_input_table TYPE saml2_pse_bin_data_t
CHANGING lp_lv_output_doc_size
lp_it_output_table TYPE saml2_pse_bin_data_t.

DATA:
lv_ssftoolkit TYPE ssftoolkit, " Secure Store & Forward (SSF): Selection of security product
lv_str_format TYPE ssfform, " SSF format
lv_str_pab TYPE ssfpab, " Private Address Book for SSF, contains the imported certificates of intended recipients
lv_str_pab_password TYPE ssfpabpw, " SSF Password for private address book
lt_recipient TYPE TABLE OF ssfinfo,
ls_recipient TYPE ssfinfo.

CALL FUNCTION 'SSF_GET_PARAMETER' " fetch the SSF security product, format, certificate subject of recipient of private address book
EXPORTING
mandt = sy-mandt
application = lp_pse
IMPORTING
ssftoolkit = lv_ssftoolkit
str_format = lv_str_format
str_pab = lv_str_pab
str_pab_password = lv_str_pab_password
EXCEPTIONS
OTHERS = 1.

IF sy-subrc <> 0.
* Stop here: encrypting with empty SSF parameters would produce an unusable file
MESSAGE 'SSF parameter read failed - see system log (SM21)' TYPE 'E'.
ENDIF.

ls_recipient-id = lp_rec.
APPEND ls_recipient TO lt_recipient.

CALL FUNCTION 'SSF_KRN_ENVELOPE' " encrypt the given employee paystub and output the encrypted data in table
EXPORTING
ssftoolkit = lv_ssftoolkit
str_format = lv_str_format
b_inenc = 'X'
ostr_input_data_l = lp_lv_doc_size " iv_doc_size
str_pab = lv_str_pab
str_pab_password = lv_str_pab_password
IMPORTING
ostr_enveloped_data_l = lp_lv_output_doc_size
TABLES
ostr_input_data = lp_it_input_table "it_original "
recipient_list = lt_recipient
ostr_enveloped_data = lp_it_output_table
EXCEPTIONS
OTHERS = 1.
IF sy-subrc <> 0 OR lp_lv_output_doc_size = 0.
* Do not let a failed or empty envelope reach the download step
MESSAGE 'Encryption with SSF_KRN_ENVELOPE failed - see system log (SM21)' TYPE 'E'.
ENDIF.
ENDFORM. "Encrypt

FORM out_data_table_to_disk
TABLES lt_document
USING file TYPE c
lv_doc_size TYPE i.

DATA: filesize TYPE i.
DATA: filestrg TYPE string.
DATA: fileleng TYPE i.

* Size of the encrypted data as returned by SSF_KRN_ENVELOPE (the global params structure is never filled, so it must not be used here)
filesize = lv_doc_size.
filestrg = file.
CALL FUNCTION 'GUI_DOWNLOAD'
EXPORTING
bin_filesize = filesize
filename = filestrg
filetype = 'BIN' " Binary file
IMPORTING
filelength = fileleng
TABLES
data_tab = lt_document
EXCEPTIONS
file_write_error = 1
no_batch = 2
gui_refuse_filetransfer = 3
invalid_type = 4
no_authority = 5
unknown_error = 6
header_not_allowed = 7
separator_not_allowed = 8
filesize_not_allowed = 9
header_too_long = 10
dp_error_create = 11
dp_error_send = 12
dp_error_write = 13
unknown_dp_error = 14
access_denied = 15
dp_out_of_memory = 16
disk_full = 17
dp_timeout = 18
file_not_found = 19
dataprovider_exception = 20
control_flush_error = 21
OTHERS = 22.
IF sy-subrc NE 0.
MESSAGE e206(1s) WITH file.
ENDIF.
ENDFORM. "out_data_table_to_disk