
Multiple PGP Secrets in SAP Cloud Integration

Requirements

With SCPI as the enterprise-wide middleware, multiple systems and services use SCPI's transfer mechanisms to move encrypted data from point A to point B. Sometimes there are conflicts of interest in re-using the existing PGP key pairs to decrypt information.

This solution targets scenarios where multiple private keys need to co-exist in an SCPI tenant for decryption.

This raises the requirement to hold multiple secrets within SCPI so that multiple systems / projects can use their own unique key pairs for encryption/decryption. Consider the two scenarios below:

Scenario A

  1. HR systems would like to use PGP key pair #1 (codename ABC) when encrypting / decrypting information related to HR and people systems
  2. Another enterprise ERP system (say FIN) would like to use PGP encryption / decryption for its data being transferred to/from legacy systems

In this case, the HR system would like to refrain from sharing its key information with the FIN system admins, and thus arises the need for a new PGP key pair to be deployed in SCPI.

Scenario B

  1. An existing key pair in DSA format exists in SCPI and is currently used in PROD scenarios by various integrations
  2. A new system (say Bank) is introduced in the landscape which supports only RSA keys

In this case, without disrupting the existing integrations, we would like to have two PGP key pairs in SCPI to support encryption/decryption of data.

Solution

  • Create a new PGP key pair using a tool of your choice (e.g., Kleopatra)
  • Use the same passphrase as the existing secring passphrase already used in your tenant
    • This can be checked with the owners of the earlier key or else with the central admin team of the SCPI tenant
  • To upload the secring:
    • Download the current secring from SCPI tenant -> Monitoring -> Overview -> Manage Security -> Security Material -> Secring
    • Open the downloaded secring in Notepad / Notepad++
    • Append the newly created (ASCII-armored) secring to the end of the downloaded file
    • Upload the file to the SCPI tenant's Security Material under Secring with the common passphrase.

Please note (thanks to Franz Forsthofer for the input): this concatenation method only works if you have ASCII-armored PGP public or secret keys (keys in PEM-style text format, not binary keyrings).

A public key is armored if there is the header "-----BEGIN PGP PUBLIC KEY BLOCK-----" and the footer "-----END PGP PUBLIC KEY BLOCK-----".

A secret key is armored if there is the header "-----BEGIN PGP PRIVATE KEY BLOCK-----" and the footer "-----END PGP PRIVATE KEY BLOCK-----".
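As an added example (not SAP's code and not part of SCPI), the following Python script performs the concatenation from the Solution steps while enforcing the armor requirement noted above: it refuses binary keyrings, checks that each block's header and footer match and are of type PRIVATE KEY BLOCK, and verifies the base64 body against the armor's CRC-24 trailer (RFC 4880 section 6.1), so a truncated or mangled copy-paste is caught before upload rather than at decryption time in a production flow. The "key material" embedded below is constructed filler bytes, not a real key; whether both secrings share the passphrase the post requires is outside what this script can check.

```python
"""Merge several ASCII-armored PGP secret-key blocks into one secring file.

Added example for this post, not SAP's or SCPI's own code. The payloads below are
constructed filler bytes standing in for real OpenPGP packets.
"""
import base64
import re

BEGIN_RE = re.compile(r"^-----BEGIN PGP ([A-Z ]+)-----$")
END_RE = re.compile(r"^-----END PGP ([A-Z ]+)-----$")
# One armored block, header to footer, possibly several per input file.
BLOCK_RE = re.compile(r"-----BEGIN PGP [A-Z ]+-----.*?-----END PGP [A-Z ]+-----", re.S)


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB  # polynomial also clears bit 24, so crc stays 24-bit
    return crc & 0xFFFFFF


def armor(block_type: str, payload: bytes) -> str:
    """Wrap raw bytes in ASCII armor; used here only to build the sample inputs."""
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_line = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {block_type}-----", ""] + lines
                     + [crc_line, f"-----END PGP {block_type}-----", ""])


def split_blocks(text: str) -> list:
    """Return every armored block found in a text file, in order."""
    blocks = BLOCK_RE.findall(text)
    if not blocks:
        raise ValueError("no ASCII-armored block found in input")
    return blocks


def parse_armor(text: str, expected_type: str = "PRIVATE KEY BLOCK") -> bytes:
    """Validate one armored block and return its decoded payload; ValueError on any defect."""
    lines = text.strip().splitlines()
    begin = BEGIN_RE.match(lines[0]) if lines else None
    if not begin:
        raise ValueError("not an ASCII-armored block")
    end = END_RE.match(lines[-1])
    if not end or end.group(1) != begin.group(1):
        raise ValueError("footer missing or does not match header")
    if begin.group(1) != expected_type:
        raise ValueError(f"expected {expected_type}, got {begin.group(1)}")
    # Armor headers such as 'Version: ...' end at the first blank line.
    if "" not in lines:
        raise ValueError("missing blank line after armor headers")
    body = lines[lines.index("") + 1:-1]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC-24 trailer")
    payload = base64.b64decode("".join(body[:-1]), validate=True)
    expected_crc = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    if crc24(payload) != expected_crc:
        raise ValueError("CRC-24 mismatch: block corrupted or truncated")
    return payload


def merge_secrings(*keyrings: bytes) -> str:
    """Validate each downloaded/exported secring and return the concatenated file text."""
    merged = []
    for index, raw in enumerate(keyrings):
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            raise ValueError(f"input {index}: binary keyring; export it ASCII-armored instead")
        for block in split_blocks(text):
            parse_armor(block)  # raises on any malformed block
            merged.append(block + "\n")
    return "\n".join(merged)


def is_rejected(*keyrings: bytes) -> bool:
    """True if merge_secrings refuses the given inputs."""
    try:
        merge_secrings(*keyrings)
    except ValueError:
        return True
    return False


# Constructed sample inputs standing in for the existing tenant secring and the new key.
EXISTING_PAYLOAD = b"constructed filler: existing DSA secring, not a real key"
NEW_PAYLOAD = b"constructed filler: new RSA secring, not a real key"
SAMPLE_EXISTING = armor("PRIVATE KEY BLOCK", EXISTING_PAYLOAD).encode()
SAMPLE_NEW = armor("PRIVATE KEY BLOCK", NEW_PAYLOAD).encode()

if __name__ == "__main__":
    print(merge_secrings(SAMPLE_EXISTING, SAMPLE_NEW))
```

Run with the two exported files read in binary mode in place of `SAMPLE_EXISTING` and `SAMPLE_NEW`; anything that is not armored, has a mismatched footer, or fails its checksum stops the merge with a message naming the defect, which is cheaper than discovering it after the upload when a production integration fails to decrypt.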

Conclusion

We can have multiple PGP secrets (secrings) deployed on an SCPI tenant by following the steps above. Make sure that the same passphrase is used for all secrings uploaded in the same file to the SCPI tenant.

I have tested it in multiple client landscapes without any issues under scenarios "A" and "B"; please review and comment on where this can be found useful.

Thanks,

Aditya

      6 Comments
      Souvik Sinha

      A very helpful blog. It will make a few developers' lives easy.

      Regards,

      Souvik

      Former Member
      Blog Post Author

      Thanks Souvik

      ravi subramanya

      Nice information.

      Former Member
      Blog Post Author

      Thanks Ravi

      Franz Forsthofer

      Hi Aditya,

      I found out that the concatenation method you propose only works if you have armored PGP public or secret keys (keys in PEM format!). Can you please mention this in your blog.

      A public key is armored if there is the header "-----BEGIN PGP PUBLIC KEY BLOCK-----" and the footer "-----END PGP PUBLIC KEY BLOCK-----".

      A secret key is armored if there is the header "-----BEGIN PGP PRIVATE KEY BLOCK-----" and the footer "-----BEGIN PGP PRIVATE KEY BLOCK------".

      Regards, Franz

      Former Member
      Blog Post Author

      Thanks Franz, the blog is now updated.