Skip to Content
Technical Articles
Author's profile photo Wayne Brown

Encrypting RAW files from SuccessFactors EC Payroll

There has been interest in sending encrypted files from Employee Central Payroll. This blog post will describe one way to encrypt the RAW files from SAP Successfactors Employee Central Payroll using an open source program and then using a sample program to create an encrypted PDF file to test decryption.

The following steps for creating keys and certificates are provided only as an example. The sample code generates a single PDF for testing purposes. Your conditions, specifications, system set-up, and other factors will require that you modify and adapt for your needs.

REMEMBER, before attempting these steps, follow-up with your IT & Security teams to ensure this procedure will adhere to your company’s standards and policies.

In this example, the certificate is created using OpenSSL, a permissive free software. Other encryption options are available that you should explore. Use the encryption option that best meets your requirements.


In this procedure, four roles are used:

  1. The creator of the encryption key
  2. An administrator with access to your SAP Employee Central Payroll system to set parameters and runs the program created by the developer.
  3. A developer, who creates the ABAP program using the sample code.
  4. The person decrypting the file.


Creating the Encryption Key

[Role: Creator of the encryption keys, person receiving the encrypted file]

  1. Go to OpenSSL and download Win64OpenSSL-<latest build>.exe to your local PC.

NOTE: OpenSSL is continually updated, ensure you are using the latest build.

  1. Scan for threats, then install the application to C:\OpenSSL-Win64
  2. Go to the C:\OpenSSL-Win64\bin folder and create a new folder, for example, certificate_demo.
  3. Run Cmd as an administrator.
  4. Enter Cmd C:\Openssl-Win64\bin\certificate_demo
  5. Run ..\openssl.exe
  6. Generate Private Key: Within the openssl console enter the following to generate a private key:

genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:1024 .

NOTE: For this example, RSA has a length of 1024. The length of 2048 may create problems.

  1. Generate Certificate: Within the openssl console enter the following to generate an x509 certificate:

req -new -x509 -key private_key.pem -out cacert.pem -days 3650 .

  1. When prompted, provide the followings:
    1. Country: <Your Country>
    2. State: <Your State>
    3. Locality Name: <Your City>
    4. Organization Name: <Your Company Name>
    5. Organizational Unit Name: Leave blank
    6. Common Name: <Your Initials>
    7. Email Address: Leave blank
  2. Verify that the two pem files (pem & cacert.pem) are in the certificate_demo folder. The cacert.pem file is used in the next step, loading into the SAP SuccessFactors STRUST manager.

Set EC Payroll Parameters in the SAP Trust Manager

[Role: SAP EC Payroll administrator, who has access to SAP Trust Manager, transaction STRUST]

NOTE: SAP Trust Manager performs the personal security environment (PSE) and certificate maintenance functions, maintaining the list of Certification Authority that the system accepts.

  1. Sign in to the SAP GUI and enter transaction SE16 .
  2. Enter table SSFAPPLIC, then Execute to open the Data Browser: Table SSFAPPLIC Select Entries

NOTE: If the SSFAPPLIC table is not in your system, you must create the table.

  1. Go to Context Menu of Table Entry, and then select
  2. Enter APPLIC (a unique name of the application).
  3. Check only the following, leaving all others unchecked:
    • B FORMAT
    • B PAB
    • B PROFID
  4. Enter a unique description in the DESCRIPT field, for example, <Demo_Date>.
  5. Save the new table.
  6. Enter transaction STRUST.
  7. Go to the Environment tab, then select SSF Parameters.
  8. Choose Change View.
  9. Choose New Entries.
  10. Under SSF Application, select the newly created application description from Step 16, for example, <Demo_Date>.
  11. The values for the following fields are auto-generated, though you have the option to rename or change:
    1. Security Product
    2. SSF Format
    3. Private Address Book
    4. SSF Profile Name
    5. SSF Profile ID (Opt.): Leave blank
    6. Encryption Algorithm
  12. Choose
  13. The newly created SSF Application displays with a red X, instead of a folder symbol, next to the name of the application.
  14. Right-click the name of the newly created SSF Application and then select Create.
  15. In the Create PSE dialog box that displays, choose the green check mark to use the default values.
  16. The red X is now replaced by the folder symbol.
  17. Choose Import Certificate.
  18. Under File Path, enter C:\OpenSSL-Win64\bin\certificate_demo\cacert.pem
  19. Choose
  20. Choose Add to Certificate List.
  21. Highlight the newly added certificate and select Verification PSE.
  22. Assign a PSE name.
  23. Save the change.
  24. Highlight the whole line of the subject of the desired certificate, and copy to the clipboard, then paste to Notepad or other text editor, for later use.
  25. Go to the Environment tab, then select ICM Monitor
  26. In the ICM Monitor, go to Administration > ICM > Restart, and Yes.
  27. Choose Back to return to the Trust Manager

Generate a Sample Encrypted File

[Roles: An ABAP Developer, who can add the sample code to generate a program. The SAP EC Payroll administrator runs the program.]

  1. Use the following ABAP sample code, adding your task-specific information that creates the program to generate an encrypted PDF statement to test your results.
  2. Run the ABAP program and an encrypted file is generated.
  3. Save and store this file to a local PC file folder.
  4. Send that file to the receiving party.

Decrypting the File

[Role: Person decrypting the file, who has access to the private key for decryption]

Prerequisite: You have received the encrypted file from the sending party and have access to the private key.

  1. Place the encrypted file you received into the same folder where you ran the command exe.

NOTE: If you weren’t involved with Creating the Encryption Key, repeat steps 1-3 of that procedure before proceeding.

  1. Go to the folder and run ..\openssl.exe .
  2. Enter the following command to decrypt the file:

smime -decrypt -in <encrypted file> -inkey private_key.pem -inform DER -out <decrypted file>

NOTE: This is the private key that was created in step 7 of Creating the Encryption Key.

  1. Verify if the <decrypted file> correctly opens.


This procedure demonstrates a proof-of-concept to provide you with an example of how to publish a raw file as an encrypted PDF. Security and encryption are serious topics and it is important to do your own research as to how you can provided safety and security with your encrypted files for your situation. This example provides you with an initial example, you need to find the best way to satisfy your organization’s security policies.

*& This program uses Logical Database PNP, please create the executable program
*& using that parameter in the attributes screen.
REPORT zsample_encrypt_payslip USING DATABASE pnp.

TABLES: pernr.
INFOTYPES: 0001.                                                             "Org assign. to focus on Pay-Area, CoCode

SELECTION-SCREEN: BEGIN OF BLOCK a01 WITH FRAME TITLE text-a01.              "General Settings

PARAMETERS: p_pse TYPE ssfappl MATCHCODE OBJECT f4strustssf.                 "SSF Application (PSE)
PARAMETERS: p_rec TYPE  certsubjct.                                          "Recipient (Cert. Subject)


  p_rfold LIKE rlgrap-filename.                                                 "Encrypted filename

DATA: lo_payslip_helper TYPE REF TO cl_hrxss_rem_helper.                     "Type in Central routines for ESS Payslip class
DATA: lt_rgdir     TYPE TABLE OF pc261,                                       "Cluster Directory for export and import of Payroll Results
      ls_rgdir     TYPE pc261,                                                " Paroll Results structure
      lv_form_name TYPE hrf_name,                                             " HR Forms: Object Name
      lv_document  TYPE xstring.

DATA: ls_pmehf TYPE pmehf.                                                      " Structure of Feature HRFOR for Form Selection
DATA: lc_molga TYPE molga.                                                      " Country Grouping
DATA: params        LIKE ssfparms.                                              " SSF function module parameter fields;

DATA: it_temp_doc_table    TYPE saml2_pse_bin_data_t,                           " Table for SAML 2.0 PSE data
      it_input_table       TYPE saml2_pse_bin_data_t,
      it_output_table      TYPE saml2_pse_bin_data_t,
      lv_payslip_doc_size  TYPE i,
      lv_doc_size          TYPE i,
      lv_output_doc_size   TYPE i.

  PERFORM file_f4 CHANGING p_rfold.                                             " user specify filename & location on Windows PC



GET pernr.

  CREATE OBJECT lo_payslip_helper EXPORTING iv_pernr = pernr-pernr.
  CLEAR: lt_rgdir.
  lt_rgdir = lo_payslip_helper->get_filtered_rgdir( ).

  LOOP AT lt_rgdir INTO ls_rgdir.

  LOOP AT p0001 WHERE begda LE ls_rgdir-ipend
                  AND endda GE ls_rgdir-ipend.

  MOVE-CORRESPONDING p0001 TO ls_pmehf ##ENH_OK.
  MOVE-CORRESPONDING ls_rgdir TO ls_pmehf ##ENH_OK.

  CALL FUNCTION 'HR_COUNTRYGROUPING_GET'                                        " Determine Country Grouping
      pernr     = pernr-pernr                                                   " Personnel Number
      molga     = lc_molga                                                      " country grouping
      not_found = 1
      OTHERS    = 2.

  ls_pmehf-rclas = 'CESS'.                                                      " C for payslip: CESS; T for Timeslip: 'TESD', 'TESP'.
  ls_pmehf-molga = lc_molga.
  ls_pmehf-uname = sy-uname.
  CLEAR: lv_document.

      feature       = 'HRFOR'
      struc_content = ls_pmehf
      kind_of_error = space
      back          = lv_form_name.

  CALL METHOD lo_payslip_helper->get_payslip
      is_rgdir     = ls_rgdir
      iv_form_name = lv_form_name                                               " paystub print form
      ev_document  = lv_document                                                " payslip in pdf format
      OTHERS       = 0.

  CLEAR: it_temp_doc_table, lv_payslip_doc_size.

      buffer        = lv_document
      output_length = lv_payslip_doc_size
      binary_tab    = it_temp_doc_table.

  APPEND LINES OF it_temp_doc_table TO it_input_table.

  ADD lv_payslip_doc_size TO lv_doc_size.


* encrypt the paystub with user specified SSF-Application profile, recipient's certificate subject for public-key lookup
* obtain the encrypted file in PDF along with doc size
  PERFORM encrypt USING p_pse p_rec lv_doc_size it_input_table CHANGING lv_output_doc_size it_output_table.

* download the encrypted paystubs to the specified location with specified filename, on Windows PC
  PERFORM out_data_table_to_disk TABLES it_output_table USING p_rfold lv_output_doc_size.

* Windows GUI access to specify filename and location
FORM file_f4 CHANGING file.

    lt_filetable TYPE filetable,
    lf_rc        TYPE i,
    ls_file      TYPE file_table.

* Call file selector at frontend
  CALL METHOD cl_gui_frontend_services=>file_open_dialog
      multiselection          = abap_false
      file_table              = lt_filetable
      rc                      = lf_rc
      file_open_dialog_failed = 1
      cntl_error              = 2
      error_no_gui            = 3
      not_supported_by_gui    = 4
      OTHERS                  = 5.

  IF sy-subrc <> 0.
    MESSAGE ID sy-msgid TYPE 'S' NUMBER sy-msgno
               DISPLAY LIKE 'E'
               WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.

* Number of selected filed must be equal to one.
  CHECK lf_rc = 1.

* Access selected file
  READ TABLE lt_filetable INTO ls_file INDEX 1.
  CHECK sy-subrc = 0.
  file = ls_file-filename.


*&      Form  ENCRYPT
* Takes user pre-configured SSF Application profile (PSE), and certificate
* subject of the previously imported certificate of recipient, encrypt the readable (plain-text)
* paystubs in PDF, generate the encrypted data.
*      -->LP_PSE  SSF Application
*      -->LP_REC  Recipient of encrypted file
*      -->LP_LV_DOC_SIZE   paystub doc size
*      -->LP_IT_INPUT_TABLE  readable paystubs
*      <--LP_LV_OUTPUT_DOC_SIZE  encrypted file size
*      <--LP_IT_OUTPUT_TABLE  encrypted file in PDF
FORM encrypt  USING    lp_pse
                      lp_it_input_table TYPE saml2_pse_bin_data_t
              CHANGING lp_lv_output_doc_size
                       lp_it_output_table TYPE saml2_pse_bin_data_t.

    lv_ssftoolkit       TYPE  ssftoolkit,                                       " Secure Store & Forward (SSF): Selection of security product
    lv_str_format       TYPE  ssfform,                                          " SSF format
    lv_str_pab          TYPE  ssfpab,                                           " Private Address Book for SSF, contains the imported certificates of intented receipients
    lv_str_pab_password TYPE  ssfpabpw,                                         " SSF Password for private address book
    lt_recipient        TYPE TABLE OF ssfinfo,
    ls_recipient        TYPE ssfinfo.

  CALL FUNCTION 'SSF_GET_PARAMETER'                                             " fetch the SSF security product, format, certificate subject of recipient of private address book
      mandt            = sy-mandt
      application      = lp_pse
      ssftoolkit       = lv_ssftoolkit
      str_format       = lv_str_format
      str_pab          = lv_str_pab
      str_pab_password = lv_str_pab_password
      OTHERS           = 1.

  IF sy-subrc <> 0.
    WRITE: / 'SSF parameter read failed - see system log (SM21)'.

  ls_recipient-id = lp_rec.
  APPEND ls_recipient TO lt_recipient.

  CALL FUNCTION 'SSF_KRN_ENVELOPE'                                              " encrypt the given employee paystub and output the encrpted data in table
      ssftoolkit            = lv_ssftoolkit
      str_format            = lv_str_format
      b_inenc               = 'X'
      ostr_input_data_l     = lp_lv_doc_size  " iv_doc_size
      str_pab               = lv_str_pab
      str_pab_password      = lv_str_pab_password
      ostr_enveloped_data_l = lp_lv_output_doc_size
      ostr_input_data       = lp_it_input_table "it_original "
      recipient_list        = lt_recipient
      ostr_enveloped_data   = lp_it_output_table
      OTHERS                = 1.
ENDFORM.  "Encrypt

FORM out_data_table_to_disk
  TABLES lt_document
     USING file TYPE c
           lv_doc_size TYPE i.

  DATA: filesize TYPE i.
  DATA: filestrg TYPE string.
  DATA: fileleng TYPE i.

  filesize = params-outdatalen.
  filestrg = file.
      bin_filesize            = filesize
      filename                = filestrg
      filetype                = 'BIN'                  " Binary file
      filelength              = fileleng
      data_tab                = lt_document
      file_write_error        = 1
      no_batch                = 2
      gui_refuse_filetransfer = 3
      invalid_type            = 4
      no_authority            = 5
      unknown_error           = 6
      header_not_allowed      = 7
      separator_not_allowed   = 8
      filesize_not_allowed    = 9
      header_too_long         = 10
      dp_error_create         = 11
      dp_error_send           = 12
      dp_error_write          = 13
      unknown_dp_error        = 14
      access_denied           = 15
      dp_out_of_memory        = 16
      disk_full               = 17
      dp_timeout              = 18
      file_not_found          = 19
      dataprovider_exception  = 20
      control_flush_error     = 21
      OTHERS                  = 22.
  IF sy-subrc NE 0.
    MESSAGE e206(1s) WITH file.
ENDFORM. "out_data_table_to_disk

Assigned Tags

      1 Comment
      You must be Logged on to comment or reply to a post.
      Author's profile photo Siddharth Rajora
      Siddharth Rajora

      Very detailed Wayne, Thanks for sharing