PGP PI Module PDF

Learning Series: SAP NetWeaver
Process Orchestration, Secure

Connectivity add-on 1d PGP
Module
Applies to:
SAP NetWeaver Process Orchestration, Secure Connectivity Add-on 1.0 SP0
Summary
This article explains various use cases and corresponding configuration options of PGP modules that are
available as part of SAP NetWeaver Process Orchestrations Secure Connectivity add-on.
Author: Sivasubramaniam Arunachalam

Company: SAP Labs India Pvt. Ltd.
Created on: May 18, 2012
Author Bio
Sivasubramaniam Arunachalam is a developer at SAP Labs. He is currently working with
development activities of SFTP, PGP and OFTP components.
SAP COMMUNITY NETWORK scn.sap.com

2012 SAP AG 1
Learning Series: SAP NetWeaver Process Orchestration, Secure Connectivity add-on 1d PGP Module
Table of Contents
Introduction ......................................................................................................................................................... 4
Cryptographic Privacy (Encryption/Decryption) .............................................................................................. 4
Authentication (Signing/Verification) ............................................................................................................... 4
Message Compression ................................................................................................................................... 4
ASCII Armor Protected Data Transfer ............................................................................................................ 4
Different Types of Data Transfer ..................................................................................................................... 4
Prerequisites ................................................................................................................................................... 4
PGP Keys ........................................................................................................................................................... 4
Supported Algorithms ......................................................................................................................................... 5
Encryption ....................................................................................................................................................... 5
Signing ............................................................................................................................................................ 5
Compression ................................................................................................................................................... 5
PGP Modules ...................................................................................................................................................... 5
Module Configuration Parameters ...................................................................................................................... 6
Common Parameters ...................................................................................................................................... 6
keyRootPath ................................................................................................................................................................ 6
partnerPublicKey.......................................................................................................................................................... 6
ownPrivateKey ............................................................................................................................................................. 6
pwdOwnPrivateKey ...................................................................................................................................................... 6
PGPEncryption Module ................................................................................................................................... 6
format ........................................................................................................................................................................... 6
asciiArmored ................................................................................................................................................................ 6
applyCompression ....................................................................................................................................................... 6
applyEncryption ........................................................................................................................................................... 6
applySignature ............................................................................................................................................................. 6
encryptionAlgo ............................................................................................................................................................. 6
signingAlgo .................................................................................................................................................................. 6
PGPDecryption Module................................................................................................................................... 7
Default Values .................................................................................................................................................... 7
Example Scenarios for PGP Module parameters configuration ......................................................................... 7
Reference Scenario Table .............................................................................................................................. 7
Scenario - 01 ................................................................................................................................................... 7
PGPEncryption Module ................................................................................................................................................ 7
PGPDecryption Module ............................................................................................................................................... 8
Message Flow in PGPEncryption Module .................................................................................................................... 9
Message Flow in PGPDecryption Module .................................................................................................................... 9
Scenario - 02 ................................................................................................................................................... 9
PGPEncryption Module ................................................................................................................................................ 9
PGPDecryption Module ............................................................................................................................................. 10
Message Flow in PGPEncryption Module .................................................................................................................. 11
Message Flow in PGPDecryption Module .................................................................................................................. 11
Scenario - 03 ................................................................................................................................................. 11

2012 SAP AG 2
PGPEncryption Module .............................................................................................................................................. 11

PGPDecryption Module ............................................................................................................................................. 12
Message Flow in PGPEncryption Module .................................................................................................................. 13
Message Flow in PGPDecryption Module .................................................................................................................. 13
Message Format after applying PGP Encryption Module ................................................................................ 14
Notes ...................................................................................................................................................... 14
Other Learning Series Articles .......................................................................................................................... 15
Related Content ................................................................................................................................................ 16
Copyright........................................................................................................................................................... 17

2012 SAP AG 3
Introduction
SAPs Secure Connectivity Add-ons PGP (Pretty Good Privacy) module offers the following major features.
Cryptographic Privacy (Encryption/Decryption)

Encryption is the process of transforming the plain text using a cipher algorithm to make it unreadable to
anyone except those possessing relevant key used in the algorithm. The result of the process is encrypted
information .The reverse process is called decryption which converts the encrypted information in to original
readable plain text.
Authentication (Signing/Verification)
Digital Signature (Signing & Verification) is used to demonstrate the authenticity of a message. A valid digital
signature gives a recipient reason to believe that the message was created by a known sender, and that it
was not altered in transit. Digital signatures are commonly used in financial transactions and in other cases
where it is important to detect forgery or tampering. During Signing, the message is signed with the sender's
private key and appended to the original message. The reverse process of verifying the sender at the
receiver end is called Verification.
Message Compression
The message which is about to be transferred can be compressed to for optimized transfer through physical
medium. At the receiver end, it will be uncompressed to the original size.
ASCII Armor Protected Data Transfer

If the protocol (or) transmission channel supports only ASCII printable characters, the data to be
transferred should be encoded as plain text. This is referred as binary to text encoding. If it is
applied on the plain text itself, and decoded on the receiver end is called "ASCII Armoring"
When the system has a limited character set, the limitations will apply
It wont have having 8-bit clean character set
It cant able to handle every printable ASCII character
Different Types of Data Transfer

It supports both text and binary modes of data transfer.
Prerequisites
PGP modules should be deployed as per the supplied installation guide of secure connectivity add-
on.
The JVM should be installed with unlimited JCE policy (SAP Note 1240081)
ASCII armored keys representing two different trading partners as explained in the next section
PGP Keys
Other PI related prerequisites will apply
PGP Keys
The ASCII Armored PGP keys can be created by using the steps mentioned the wiki
As of now, SAP Netweavers key storage does not support PGP keys. So it needs to be stored in file
system where PI is installed.
The relevant file system access is required to store all the key files used
It can be relative (or) complete path.
Example:
/usr/sap/SYS_ID/INSTANCE_ID/sec
../../../../SYS/global/pgpkeys

2012 SAP AG 4
Relevant OS level permissions need to be configured to secure the key files and to prevent
unauthorized access to the keys, especially private keys.
Read access needs to be given to the folder containing the PGP Keys for the Operating System user
that runs the PI JVM. Please check with the system admin for the corresponding user name.
Supported Algorithms
Encryption
AES_128
AES_192
AES_256
BLOWFISH
CAST5 (Default)
DES
3DES
TWOFISH
Signing
MD5
RIPEMD160
SHA1 (Default)
SHA224
SHA256
SHA384
SHA512
Compression
ZIP
ZLIB (Default)
BZIP2
PGP Modules
localejbs/PGPEncryption (Encryption)
localejbs/PGPDecryption (Decryption)
Both modules have to be configured as Local Enterprise Bean

It can be configured in any adapter like standard modules
It can be configured in both the direction based on the business scenario

2012 SAP AG 5
Module Configuration Parameters

Common Parameters
All the below mentioned parameters are mandatory for both the modules.
keyRootPath
The operating system path where the keys are stored. This should be same as the path used for storing the
PGP keys in the prerequisite step.
partnerPublicKey
The file name of the partners public key. This file should be available and accessible in the configured
keyRootPath.
ownPrivateKey
The file name of the own private key. This file should be available and accessible in the configured
keyRootPath.
pwdOwnPrivateKey
The password to read the configured private key. This should be same as the password given in key
generation step. (Reference wiki)
PGPEncryption Module
format
The message format during data transfer. It could be either binary or text. The default is binary
asciiArmored
The ACSII Armor protection can be turn on/off. To enable, set this parameter as true and disable, set it as
false. By default, the messages are ASCII Armor protected.
applyCompression
The message compression can be turned on/off during data transfer. To disable, configured it as none. To
enable, specify the supported compression algorithm. It would be any one these ZIP, ZLIB or BZIP2. By
default the compression is enabled with ZLIB algorithm.
applyEncryption
The message encryption can be turn on/off. To enable, set this parameter as true and disable, set it as
false. By default, the messages are not encrypted.
applySignature
The message signing can be turn on/off. To enable, set this parameter as true and disable, set it as false.
By default, the messages are not signed.
encryptionAlgo
If the applyEncryption is true, the specific supported encryption algorithm can be specified. By default it is
CAST5
signingAlgo
If the applySignature is true, the specific supported encryption algorithm can be specified. By default it is
SHA1

2012 SAP AG 6
PGPDecryption Module
This module doesnt have any special configuration parameters other than common key related parameters
mentioned the previous Common Parameters section. It will identify the algorithms for
decryption/verification/un-compression from the message header.
Default Values
PGPEncryption & PGPDecryption modules use the default values under the following conditions
If the parameter is not configured
If the parameter is configured with incorrect value
Example Scenarios for PGP Module parameters configuration

Reference Scenario Table
ascii apply apply encryption apply signing

Scenario format
Armored Compression Encryption Algo Signature Algo
Not
01 text True none false true Not Configured
Configured
Not
02 binary False ZIP true false Not Configured
Configured
Incorrect Not
03 ZLIB true AES_128 true RIPEMD160
Value Configured
Scenario - 01
This scenario is configured with the following options.
Text format
ASCII Armor Protected
No Encryption
No Compression
Signature/Signing
Since signingAlgo is not configured, it will use the default SHA1.

2012 SAP AG 7

2012 SAP AG 8
Message Flow in PGPEncryption Module
Message Flow in PGPDecryption Module
Scenario - 02
Binary format
Message transfer is not ASCII Armor Protected
Encryption
Compression using ZIP algorithm
No Signature/Signing
Since encryptionAlgo is not configured, it will use the default CAST5.

2012 SAP AG 9

2012 SAP AG 10
Scenario - 03
Incorrect format
Encryption using AES_128 algorithm
Compression using ZLIB algorithm
Signature/Signing using RIPEMD160
As asciiArmored is not configured, by default, the message will be ASCII Armor Protected
As format is configured with wrong value, it will use the default binary mode.

2012 SAP AG 11

2012 SAP AG 12

2012 SAP AG 13
Message Format after applying PGP Encryption Module

Once PGP module is applied to the payload, it cant be used for further modification unless it is decrypted.
The screen shot below shows an example of a wired message.
Notes
The configured module parameters can be verified with the channel logs
The encryption and decryption modules can be combined with other modules. But the payload is
unreadable after applying encryption module
The algorithm name used for encryption visible in decryption module logs
If the JVM doesnt have unlimited JCE policy, the algorithms which uses more than 128 bit wont be
supported
These modules are compatible with other third party PGP solutions

2012 SAP AG 14
Other Learning Series Articles
SL Product Name Topic Name

No
a) How to Proceed Guide

1. SAP NetWeaver Process
Orchestration, secure b) Installation Guide
connectivity add-on 1.0
c) SFTP Adapter
d) PGP Module
a) How To Proceed Guide

Orchestration, business to b) Installation Guide
business add-on 1.0
c) AS2 Adapter
d) OFTP Adapter
e) X400 Adapter
f) EDI Separator
g) Archiver Module and Archiver Mapping
h) Number Range Objects Module
i) EDI XML Converter

I. Master Guide: EDI XML Converter
II. EDIFACT_Info_Guide
III. X12_Info_Guide
IV. TRADACOMS_Info_Guide
V. ODETTE_Info_Guide
VI. VDA_Info_Guide
VII. PLAIN_Info_Guide
j) B2B Content
a) Sample Scenario Set-up (contains File Adapter, AS2

Adapter, EDI XML Converter, Mapping Templates, and
Orchestration, business to
NRO Module)
business add-on 1.0
b) Sample Scenario Set-up (contains File Adapter, OFTP

Adapter, EDI XML Converter, Mapping Templates, and
PGP Module)
c) Sample Scenario Set-up (contains File Adapter, X400

Adapter, EDI Separator Adapter, Mapping Templates,
EDI XML Converter and Archiver Module)

2012 SAP AG 15
Related Content
http://wiki.sdn.sap.com/wiki/display/XI/Generating+ASCII+Armored+PGP+Key+Pairs
http://en.wikipedia.org/wiki/Binary-to-text_encoding

2012 SAP AG 16
Copyright
Copyright 2012 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9,
iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server,
PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,
BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX,
Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems
Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of
Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts
Institute of Technology.
Java is a registered trademark of Oracle Corporation.
JavaScript is a registered trademark of Oracle Corporation, used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned
herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and
other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document
serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP
Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the
express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an
additional warranty.

2012 SAP AG 17

PGP PI Module PDF

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

PGP PI Module PDF

Hochgeladen von

Copyright:

Verfügbare Formate

Learning Series: SAP NetWeaver

Process Orchestration, Secure

Author: Sivasubramaniam Arunachalam

SAP COMMUNITY NETWORK scn.sap.com

SAP COMMUNITY NETWORK scn.sap.com

PGPEncryption Module .............................................................................................................................................. 11

SAP COMMUNITY NETWORK scn.sap.com

Cryptographic Privacy (Encryption/Decryption)

ASCII Armor Protected Data Transfer

Different Types of Data Transfer

SAP COMMUNITY NETWORK scn.sap.com

Both modules have to be configured as Local Enterprise Bean

SAP COMMUNITY NETWORK scn.sap.com

Module Configuration Parameters

SAP COMMUNITY NETWORK scn.sap.com

Example Scenarios for PGP Module parameters configuration

ascii apply apply encryption apply signing

Since signingAlgo is not configured, it will use the default SHA1.

SAP COMMUNITY NETWORK scn.sap.com

SAP COMMUNITY NETWORK scn.sap.com

Message Flow in PGPEncryption Module

Message Flow in PGPDecryption Module

SAP COMMUNITY NETWORK scn.sap.com

SAP COMMUNITY NETWORK scn.sap.com

Message Flow in PGPEncryption Module

Message Flow in PGPDecryption Module

SAP COMMUNITY NETWORK scn.sap.com

SAP COMMUNITY NETWORK scn.sap.com

Message Flow in PGPEncryption Module

Message Flow in PGPDecryption Module

SAP COMMUNITY NETWORK scn.sap.com

Message Format after applying PGP Encryption Module

SAP COMMUNITY NETWORK scn.sap.com

Other Learning Series Articles

SL Product Name Topic Name

a) How to Proceed Guide

a) How To Proceed Guide

g) Archiver Module and Archiver Mapping

h) Number Range Objects Module

i) EDI XML Converter

a) Sample Scenario Set-up (contains File Adapter, AS2

b) Sample Scenario Set-up (contains File Adapter, OFTP

c) Sample Scenario Set-up (contains File Adapter, X400

SAP COMMUNITY NETWORK scn.sap.com

SAP COMMUNITY NETWORK scn.sap.com

SAP COMMUNITY NETWORK scn.sap.com

Das könnte Ihnen auch gefallen