Multiple PGP Secrets in SAP Cloud Integration

Requirements

With SCPI as enterprise wide middleware, multiple systems and services make use of SCPI’s transfer mechanisms to transfer encrypted data from Point A to Point B. Sometimes, there are conflicts of interest in re-using the existing PGP key pairs to decrypt information.

This solution is targeted to scenarios where we need multiple Private keys to co-exist in SCPI tenant for decryption.

With this arises the requirement to have multiple secrets within SCPI to handle mutiple systems / projects requirements to use their unique key pairs for encryption/decryption. Consider the 2 scenarios below:

Scenario A

1. HR systems would like to use a PGP key pair # 1 (codename – ABC) to be used when encrypting / decrypting information related to HR and people systems
2. Another ERP enterprise system (say FIN) would like to use PGP encryption /decryption for their data being transferred to/from legacy systems

In this case, HR system would like to refrain from sharing the key information with FIN system admins and thus arises the need for a new PGP key pair to be deployed in SCPI

Scenario B

1. An existing key pair created in DSA format exists in SCPI which is currently being used in PROD scenarios by various integrations
2. A new system (say Bank) is introduced in the landscape which supports only RSA key

In this case, without disrupting existing integrations, we would like to have 2 PGP key pairs existing in SCPI to support encryption/decryption of data.

Solution

• Create new PGP Key pair using a tool of your choice (e.g., Kleopatra)
• Use the passphrase same as the existing secring passphrase used earlier in your tenant
  • This can be checked with owners of earlier key or else with the Central Admin team of SCPI tenant

• To Upload Pubring with new key pair:
  • Follow the steps outlined in blogs available over SAP sites – e.g. OSS Note 2511130 – Importing public keys into the PGP Public Keyring

• To upload the Secring:
  • Download the current Secring from SCPI tenant -> Monitoring -> Overview -> Manage Security -> Security Material -> Secring
  • Open the downloaded secring in Notepad / Notepad++
  • Copy the newly created secring to the end of this file downloaded
  • Upload the file to SCPI tenant Security Material under secring with the common passphrase.

Please note – Thanks to Franz Forsthofer for inputs, we need to note this concatenation method only works if you have armored PGP public or secret keys (keys in PEM format!).

A public key is armored if there is the header “—–BEGIN PGP PUBLIC KEY BLOCK—–” and the footer “—–END PGP PUBLIC KEY BLOCK—–“.

A secret key is armored if there is the header “—–BEGIN PGP PRIVATE KEY BLOCK—–” and the footer “—–BEGIN PGP PRIVATE KEY BLOCK——“.

Conclusion

We can have multiple PGP secrets (secrings) deployed on SCPI tenant by following above steps. Need to ensure that we use the same passphrase for all secrings uploaded in same file to SCPI tenant.

I have tested it in multiple client landscapes without any issues under scenario “A” and “B”, please review and comment on where can this be found useful.

Thanks,

Aditya