PGP PI Module

SAP COMMUNITY NETWORK scn.sap.com

© 2012 SAP AG 1

Learning Series: SAP NetWeaver Process Orchestration, Secure Connectivity add-on 1d PGP Module

Applies to:

SAP NetWeaver Process Orchestration, Secure Connectivity Add-on 1.0 SP0

Summary

This article explains various use cases and the corresponding configuration options of the PGP modules that are available as part of SAP NetWeaver Process Orchestration's Secure Connectivity add-on.

Author: Sivasubramaniam Arunachalam

Company: SAP Labs India Pvt. Ltd.

Created on: May 18, 2012

Author Bio

Sivasubramaniam Arunachalam is a developer at SAP Labs. He is currently working with development activities of SFTP, PGP and OFTP components.

Table of Contents

Introduction
    Cryptographic Privacy (Encryption/Decryption)
    Authentication (Signing/Verification)
    Message Compression
    ASCII Armor Protected Data Transfer
    Different Types of Data Transfer
    Prerequisites
PGP Keys
Supported Algorithms
    Encryption
    Signing
    Compression
PGP Modules
Module Configuration Parameters
    Common Parameters
        keyRootPath
        partnerPublicKey
        ownPrivateKey
        pwdOwnPrivateKey
    PGPEncryption Module
        format
        asciiArmored
        applyCompression
        applyEncryption
        applySignature
        encryptionAlgo
        signingAlgo
    PGPDecryption Module
Default Values
Example Scenarios for PGP Module parameters configuration
    Reference Scenario Table
    Scenario - 01
        PGPEncryption Module
        PGPDecryption Module
        Message Flow in PGPEncryption Module
        Message Flow in PGPDecryption Module
    Scenario - 02
        PGPEncryption Module
        PGPDecryption Module
        Message Flow in PGPEncryption Module
        Message Flow in PGPDecryption Module
    Scenario - 03
        PGPEncryption Module
        PGPDecryption Module
        Message Flow in PGPEncryption Module
        Message Flow in PGPDecryption Module
Message Format after applying PGP Encryption Module
Notes
Other Learning Series Articles
Related Content
Copyright

Introduction

SAP's Secure Connectivity Add-on's PGP (Pretty Good Privacy) module offers the following major features.

Cryptographic Privacy (Encryption/Decryption)

Encryption is the process of transforming plain text with a cipher algorithm so that it is unreadable to anyone who does not possess the key used by the algorithm. The result of the process is the encrypted information. The reverse process, which converts the encrypted information back into the original readable plain text, is called decryption.

Authentication (Signing/Verification)

A digital signature (signing and verification) is used to demonstrate the authenticity of a message. A valid digital signature gives the recipient reason to believe that the message was created by a known sender and that it was not altered in transit. Digital signatures are commonly used in financial transactions and in other cases where it is important to detect forgery or tampering. During signing, a signature is computed over the message with the sender's private key and appended to the original message. The reverse process, confirming the sender at the receiving end, is called verification.

Message Compression

The message that is about to be transferred can be compressed for optimized transfer through the physical medium. At the receiving end, it is uncompressed to its original size.

ASCII Armor Protected Data Transfer

If the protocol or transmission channel supports only printable ASCII characters, the data to be transferred must be encoded as plain text. This is referred to as binary-to-text encoding. Applying this encoding to the payload on the sending side and decoding it on the receiving side is called "ASCII Armoring".

When the channel has a limited character set, the following limitations apply:

It does not offer an 8-bit clean character set.

It may not be able to handle every printable ASCII character.
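As an added example (not code from the SAP article or the add-on) of the binary-to-text layer described above, the Python below implements a minimal OpenPGP ASCII armor encoder/decoder with the RFC 4880 CRC-24 checksum, so a receiving side can confirm that an incoming payload is armored and arrived intact before it is handed to the PGPDecryption module. The sample payload and the function names are constructed for this illustration.

```python
import base64

# Added example, not from the SAP article: minimal OpenPGP ASCII armor
# (RFC 4880 section 6) to show what asciiArmored=true does on the wire.
# SAMPLE is a constructed stand-in for the encrypted bytes, not real PGP output.

ARMOR_HEADER = "-----BEGIN PGP MESSAGE-----"
ARMOR_FOOTER = "-----END PGP MESSAGE-----"


def crc24(data: bytes) -> int:
    """CRC-24 as specified for OpenPGP armor (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(payload: bytes, line_len: int = 64) -> str:
    """Wrap binary PGP data in radix-64 text so it survives 7-bit channels."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + line_len] for i in range(0, len(body), line_len)]
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    # A blank line separates the (here empty) armor headers from the data.
    return "\n".join([ARMOR_HEADER, "", *lines, "=" + check, ARMOR_FOOTER, ""])


def dearmor(text: str) -> bytes:
    """Strip the armor and verify the CRC-24; raise on corruption."""
    lines = text.splitlines()
    if ARMOR_HEADER not in lines or ARMOR_FOOTER not in lines:
        raise ValueError("not an ASCII-armored PGP message")
    start = lines.index(ARMOR_HEADER) + 1
    end = lines.index(ARMOR_FOOTER)
    # Armor headers such as "Version: ..." end at the first blank line.
    while start < end and lines[start].strip():
        start += 1
    body = [ln for ln in lines[start:end] if ln.strip()]
    if not body or not body[-1].startswith("="):
        raise ValueError("armor checksum line missing")
    payload = base64.b64decode("".join(body[:-1]), validate=True)
    expected = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    if crc24(payload) != expected:
        raise ValueError("armor CRC-24 mismatch: message corrupted in transit")
    return payload


def is_armored(text: str) -> bool:
    """Quick check a channel can run before invoking the decryption module."""
    return text.lstrip().startswith(ARMOR_HEADER)


SAMPLE = bytes(range(256)) * 2  # constructed, every byte value twice


if __name__ == "__main__":
    wire = armor(SAMPLE)
    print(wire)
    print("round trip ok:", dearmor(wire) == SAMPLE)
```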

Different Types of Data Transfer

The module supports both text and binary modes of data transfer.

Prerequisites

The PGP modules should be deployed as described in the installation guide supplied with the Secure Connectivity add-on.

The JVM must have the unlimited JCE policy installed (SAP Note 1240081).

ASCII armored keys representing two different trading partners are required, as explained in the next section "PGP Keys".

Other PI-related prerequisites also apply.

PGP Keys

The ASCII Armored PGP keys can be created using the steps described in the wiki (see Related Content).

As of now, SAP NetWeaver's key storage does not support PGP keys, so they need to be stored in the file system of the host where PI is installed.

The corresponding file system access is required to store all the key files used.

The path can be relative or absolute.

Example:

/usr/sap/SYS_ID/INSTANCE_ID/sec

../../../../SYS/global/pgpkeys

Appropriate OS-level permissions need to be configured to secure the key files and to prevent unauthorized access to the keys, especially the private keys.

Read access to the folder containing the PGP keys must be granted to the operating system user that runs the PI JVM. Check with the system administrator for the corresponding user name.

Supported Algorithms

Encryption

AES_128

AES_192

AES_256

BLOWFISH

CAST5 (Default)

DES

3DES

TWOFISH

Signing

MD5

RIPEMD160

SHA1 (Default)

SHA224

SHA256

SHA384

SHA512

Compression

ZIP

ZLIB (Default)

BZIP2

PGP Modules

localejbs/PGPEncryption (Encryption)

localejbs/PGPDecryption (Decryption)

Both modules have to be configured as "Local Enterprise Bean".

They can be configured in any adapter, like the standard modules.

They can be configured in either direction, depending on the business scenario.

Module Configuration Parameters

Common Parameters

All the parameters below are mandatory for both modules.

keyRootPath

The operating system path where the keys are stored. This should be the same path used for storing the PGP keys in the prerequisite step.

partnerPublicKey

The file name of the partner's public key. This file should be available and accessible in the configured 'keyRootPath'.

ownPrivateKey

The file name of the own private key. This file should be available and accessible in the configured 'keyRootPath'.

pwdOwnPrivateKey

The password to read the configured private key. This should be the same as the password given in the key generation step. (Reference wiki)

PGPEncryption Module

format

The message format during data transfer. It can be either "binary" or "text". The default is "binary".

asciiArmored

ASCII Armor protection can be turned on or off. Set this parameter to "true" to enable it and to "false" to disable it. By default, messages are ASCII Armor protected.

applyCompression

Message compression can be turned on or off during data transfer. To disable it, configure "none". To enable it, specify one of the supported compression algorithms: ZIP, ZLIB or BZIP2. By default, compression is enabled with the "ZLIB" algorithm.

applyEncryption

Message encryption can be turned on or off. Set this parameter to "true" to enable it and to "false" to disable it. By default, messages are not encrypted.

applySignature

Message signing can be turned on or off. Set this parameter to "true" to enable it and to "false" to disable it. By default, messages are not signed.

encryptionAlgo

If "applyEncryption" is true, one of the supported encryption algorithms can be specified. The default is "CAST5".

signingAlgo

If "applySignature" is true, one of the supported signing algorithms can be specified. The default is "SHA1".

PGPDecryption Module

This module has no special configuration parameters other than the common key-related parameters described in the previous "Common Parameters" section. It identifies the algorithms for decryption, verification and decompression from the message header.

Default Values

The PGPEncryption and PGPDecryption modules use the default values under the following conditions:

If the parameter is not configured

If the parameter is configured with an incorrect value

Example Scenarios for PGP Module parameters configuration

Reference Scenario Table

Scenario | format          | asciiArmored   | applyCompression | applyEncryption | encryptionAlgo | applySignature | signingAlgo
01       | text            | true           | none             | false           | Not Configured | true           | Not Configured
02       | binary          | false          | ZIP              | true            | Not Configured | false          | Not Configured
03       | Incorrect Value | Not Configured | ZLIB             | true            | AES_128        | true           | RIPEMD160
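As an added example (not the module's own code) covering both the Default Values rule and the reference scenario table above, the Python below resolves a PGPEncryption module parameter set to its effective values, falling back to the documented default when a parameter is missing or carries an unsupported value, and flags what a reviewer of the channel configuration would want to see: a payload that is neither encrypted nor signed, and a cipher that needs the unlimited JCE policy per the article's Notes. The function names, the review checks and the sample key file names are assumptions.

```python
# Added example, not part of the SAP article: resolves PGPEncryption module
# parameters according to the article's "Default Values" rule (missing or
# unsupported value -> documented default). Parameter names, defaults and
# algorithm lists come from the article; function names are assumptions.

SUPPORTED = {
    "format": {"binary", "text"},
    "asciiArmored": {"true", "false"},
    "applyCompression": {"none", "ZIP", "ZLIB", "BZIP2"},
    "applyEncryption": {"true", "false"},
    "applySignature": {"true", "false"},
    "encryptionAlgo": {"AES_128", "AES_192", "AES_256", "BLOWFISH",
                       "CAST5", "DES", "3DES", "TWOFISH"},
    "signingAlgo": {"MD5", "RIPEMD160", "SHA1", "SHA224", "SHA256",
                    "SHA384", "SHA512"},
}
DEFAULTS = {
    "format": "binary", "asciiArmored": "true", "applyCompression": "ZLIB",
    "applyEncryption": "false", "applySignature": "false",
    "encryptionAlgo": "CAST5", "signingAlgo": "SHA1",
}
# Mandatory for both modules (see "Common Parameters").
COMMON_REQUIRED = ("keyRootPath", "partnerPublicKey",
                   "ownPrivateKey", "pwdOwnPrivateKey")
# Ciphers keyed with more than 128 bits; per the article's Notes these need
# the unlimited JCE policy (OpenPGP Twofish uses a 256-bit key).
OVER_128_BIT = {"AES_192", "AES_256", "TWOFISH"}


def needs_unlimited_jce(effective):
    """True when the effective cipher exceeds 128-bit keys (SAP Note 1240081)."""
    return (effective["applyEncryption"] == "true"
            and effective["encryptionAlgo"] in OVER_128_BIT)


def resolve(configured):
    """Return (effective parameters, warnings) for one PGPEncryption module entry."""
    missing = [k for k in COMMON_REQUIRED if not configured.get(k)]
    if missing:
        raise ValueError(f"mandatory key parameters missing: {missing}")
    effective, warnings = {}, []
    for name, default in DEFAULTS.items():
        value = configured.get(name)
        if value is None:
            effective[name] = default
            warnings.append(f"{name} not configured, default {default} applies")
        elif value not in SUPPORTED[name]:
            effective[name] = default
            warnings.append(f"{name}={value!r} unsupported, default {default} applies")
        else:
            effective[name] = value
    if effective["applyEncryption"] == "false" and effective["applySignature"] == "false":
        warnings.append("payload leaves the module neither encrypted nor signed")
    if needs_unlimited_jce(effective):
        warnings.append(f"{effective['encryptionAlgo']} needs the unlimited JCE policy")
    return effective, warnings


# Constructed sample values; real key file names and the password are site-specific.
KEYS = {"keyRootPath": "/usr/sap/SYS_ID/INSTANCE_ID/sec",
        "partnerPublicKey": "partner_public.asc",
        "ownPrivateKey": "own_private.asc",
        "pwdOwnPrivateKey": "<private key password placeholder>"}
# The three rows of the article's Reference Scenario Table.
SCENARIOS = {
    "01": {"format": "text", "asciiArmored": "true", "applyCompression": "none",
           "applyEncryption": "false", "applySignature": "true"},
    "02": {"format": "binary", "asciiArmored": "false", "applyCompression": "ZIP",
           "applyEncryption": "true", "applySignature": "false"},
    "03": {"format": "Incorrect Value", "applyCompression": "ZLIB",
           "applyEncryption": "true", "encryptionAlgo": "AES_128",
           "applySignature": "true", "signingAlgo": "RIPEMD160"},
}

if __name__ == "__main__":
    for sid, params in SCENARIOS.items():
        eff, warn = resolve({**KEYS, **params})
        print(sid, eff, *warn, sep="\n  ")
```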

Scenario - 01

PGPEncryption Module

This scenario is configured with the following options.

Text format

ASCII Armor Protected

No Encryption

No Compression

Signature/Signing

Since “signingAlgo” is not configured, it will use the default SHA1.

PGPDecryption Module

Message Flow in PGPEncryption Module

Message Flow in PGPDecryption Module

Scenario - 02

PGPEncryption Module

This scenario is configured with the following options.

Binary format

Message transfer is not ASCII Armor Protected

Encryption

Compression using ZIP algorithm

No Signature/Signing

Since “encryptionAlgo” is not configured, it will use the default CAST5.

PGPDecryption Module

Message Flow in PGPEncryption Module

Message Flow in PGPDecryption Module

Scenario - 03

PGPEncryption Module

This scenario is configured with the following options.

Incorrect value for format

Encryption using AES_128 algorithm

Compression using ZLIB algorithm

Signature/Signing using RIPEMD160

As "asciiArmored" is not configured, the message will by default be ASCII Armor protected.

As “format” is configured with wrong value, it will use the default “binary” mode.

PGPDecryption Module

Message Flow in PGPEncryption Module

Message Flow in PGPDecryption Module

Message Format after applying PGP Encryption Module

Once the PGP module has been applied to the payload, the payload cannot be modified further unless it is decrypted. The screenshot below shows an example of such a message on the wire.

Notes

The configured module parameters can be verified in the channel logs.

The encryption and decryption modules can be combined with other modules, but the payload is unreadable after the encryption module has been applied.

The algorithm name used for encryption is visible in the decryption module logs.

If the JVM does not have the unlimited JCE policy, algorithms that use keys longer than 128 bits are not supported.

These modules are compatible with other third-party PGP solutions.

Other Learning Series Articles

SL No | Product Name | Topic Name

1. SAP NetWeaver Process Orchestration, secure connectivity add-on 1.0

a) How to Proceed Guide

b) Installation Guide

c) SFTP Adapter

d) PGP Module

2. SAP NetWeaver Process Orchestration, business to business add-on 1.0

a) How To Proceed Guide

b) Installation Guide

c) AS2 Adapter

d) OFTP Adapter

e) X400 Adapter

f) EDI Separator

g) Archiver Module and Archiver Mapping

h) Number Range Objects Module

i) EDI XML Converter

I. Master Guide: EDI XML Converter

II. EDIFACT_Info_Guide

III. X12_Info_Guide

IV. TRADACOMS_Info_Guide

V. ODETTE_Info_Guide

VI. VDA_Info_Guide

VII. PLAIN_Info_Guide

j) B2B Content

3. SAP NetWeaver Process Orchestration, business to business add-on 1.0

a) Sample Scenario Set-up (contains File Adapter, AS2 Adapter, EDI XML Converter, Mapping Templates, and NRO Module)

b) Sample Scenario Set-up (contains File Adapter, OFTP Adapter, EDI XML Converter, Mapping Templates, and PGP Module)

c) Sample Scenario Set-up (contains File Adapter, X400 Adapter, EDI Separator Adapter, Mapping Templates, EDI XML Converter and Archiver Module)

Related Content

http://wiki.sdn.sap.com/wiki/display/XI/Generating+ASCII+Armored+PGP+Key+Pairs

http://en.wikipedia.org/wiki/Binary-to-text_encoding

Copyright

© Copyright 2012 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Oracle Corporation.

JavaScript is a registered trademark of Oracle Corporation, used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.