Sap Pi Pgp Key Generation

I would like to share information on the security mechanism available in PI for cases where sensitive customer and business data is sent through PI interfaces to third-party systems.

Touch authorized_keys. Yes, you need to run chmod on this file too: chmod 700 authorized_keys. When you're done, exit your SSH session. Run ssh-copy-id. Now it's time to copy the contents of your SFTP public key to the authorized_keys file. The easiest way to do this would be to run the ssh-copy-id command.

A tool created by AEDaptive was used for the encryption of files, hand in hand with PGP keys. This tool is an add-on to the Java application of the Process Integration 7.1 system, and it was used for the two-way encryption and decryption process with one of our vendors. One of the vendors of our client implements credit card functionality for non-banking institutions. We implemented the same for our client to run their business securely.

PGP (Pretty Good Privacy) in PI 7.1:

i) Introduction to PGP:

PGP is a data encryption and decryption program that provides a secure method of sending and receiving information between two parties. To use the encryption facility, the parties must send each other their public keys; this key is used to encrypt the file before the package is sent off. The recipient then uses the secret key to decrypt and extract the content of the package created by the sender.

ii) Importance of Keys and Key Generation:

Keys can be generated using many PGP key creation products; in this example we will be using PGP Desktop (Version 10).

All keys, both public and private, need to be placed in a folder that can be read by the SAP J2EE Engine. The best option is a folder on the PI system itself; this way you are guaranteed there will be no read issue against the file.

There are 2 keys to be generated on each side.

– Public Key – Used to encrypt the file.

– Secret Key – Used with a Passphrase to decrypt the file created using the Public Key.

iii) The Encryption and Decryption process:

The workflow of transferring files between two parties has encryption as the first step and decryption as the second step. The following information covers the prerequisite setup steps as well as the monitoring of the file transfer. Note that it only includes the steps within the PI environment.

  • Encryption Process:

– The PI encryption module is used to encrypt the files with the public key generated by the recipient.

– Send the encrypted file to the recipient.

– The vendor decrypts the file using their own Secret Key and Passphrase.

Mandatory PI Adapter Encryption Module parameters:

a) Algorithm – Many algorithms are supported. At least one algorithm must be provided to encrypt the message.

b) Public Key – Identifies the secret key on the receiver side in the decryption process.

c) Recipient – The recipient name is important to identify the correct receiver; using the name of the Public Key should suffice.

Along with the above parameters, there are additional module key parameters, depending on the encryption requirements.

Examples: hash key algorithm, compression, signer of the message, compatibility, etc.

Testing the encryption process:

Before Encryption:

After Encryption:

  • Decryption Process:

– The vendor needs to use the public key generated by PI to encrypt the files.

– The vendor sends the encrypted files to PI.

– The PI decryption module needs to be used to decrypt the files using the sender generated secret key and passphrase. (The passphrase is used in the generation of the keys.)

Mandatory PI Adapter Decryption Module parameters:

a) Public Key and Secret Key – To identify the correct key to decrypt the message.

b) Passphrase – This passphrase is the one which should be used in key generation on the sender side.

Testing the decryption process:

Content of encrypted file (pre-decryption)

After the decryption

iv) Monitoring:

The encryption and decryption processes can be monitored using channel monitoring.

Encryption Log:

Decryption Log:

v) Troubleshooting

Many troubleshooting techniques are available in the user guide. Common errors are mentioned in this document.

An error occurred when reading the secret key ring.

Check the parameter secretKeyRing. Either this parameter is omitted or the path to the secret key ring file is incorrect.

An error occurred when reading the public key ring.

Check the parameter publicKeyRing. Either this parameter is omitted or the path to the public key ring file is incorrect.

vi) Reference

http://www.pgp.com/downloads/desktoptrial/desktoptrial2.html

Note: Please note that AEDAPTIVE was used during the setup of the PI encryption and decryption process.

Applies to:

SAP Netweaver PI based SFTP Adapters

Summary

The following sections briefly describe the steps to create SSH key pairs, which can be used as an alternative to password-based authentication. They also include steps to verify key-based authentication and import the keys into the NWA key storage. The focus is mainly on creating PKCS12 keys from OpenSSH keys.

Author(s):

Sivasubramaniam Arunachalam

Company: SAP Labs
Created on: 30-Dec-2011
Author(s) Bio
Sivasubramaniam Arunachalam is a senior developer at SAP Labs (Technology Innovation Platform). He is currently occupied with PI 7.31 development/maintenance activities. Since Sivasubramaniam joined SAP Labs in July 2010, he has developed new features in several adapters/areas including File, JDBC, IDoc, SOAP/XI, HTTP, JPR, B2B (RNIF 1.1/2.0, CIDX & PIDX) Adapters, XML Validation and Mapping Runtime. Currently, he is the component responsible for File, JDBC, B2B Adapters and XML Validation and takes care of all new development, enhancement and maintenance activities.
Tools Required

  • PuTTY Key Generator
  • PuTTY
  • OpenSSL Utility
  • SSH Key Generator
  • Cygwin (for Windows users) with the following packages
    • OpenSSL
    • SSH

Keys to be Generated

  • Public Key (OpenSSH Format)
  • Private Key (Putty Format)
  • Private Key (PEM)
  • Public Key (X.509 Certificate)
  • Private Key (PKCS 12)

Use PuTTY Key Generator to Create SSH Public/Private Keys

  • Download PuTTYgen.exe from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
  • Select SSH2-RSA as a key type
  • Click on 'Generate' and move your mouse cursor in the 'Key' section to generate the keys based on random mouse movement coordinates.
  • After the required mouse movements, it will generate the random key
  • Click 'Save public key' and save it under the name 'public_key'
  • It will look like below
  • Click 'Save private key' and save it under the name 'private_key.ppk'
  • It will look like below
  • Leave the Passphrase fields blank and select Conversions -> Export OpenSSH key
  • Ignore the warning by choosing 'Yes'

  • Save it under the name 'private_key.pem'
  • It will look like below
  • The following keys are created

Use OpenSSL to Create X.509 and P12 Certificates

  • If you are on Windows, use Cygwin
  • Navigate to the location where the keys generated above are stored
  • Create the X509 certificate from the private key
  • It will look like below
  • Create the PKCS type 12 Keystore

  • Provide the password (which will be used in channel configuration)
  • The created key would be in encrypted (binary) form
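
The OpenSSL steps above, written out as an added example (this is not the original author's code). The file names, the certificate subject `pi-sftp-client`, the alias `sftp_key` and the password file are assumptions made for illustration, and `openssl genrsa` stands in for the key exported from PuTTYgen.

```shell
#!/bin/sh
# Added example, not from the original page. File names, the certificate
# subject, the alias and the password file are illustrative placeholders.

# Create a self-signed X.509 certificate and a PKCS#12 keystore from an
# unencrypted PEM private key (the PuTTYgen "Export OpenSSH key" output).
make_p12() {
    key_pem=$1 cert_pem=$2 p12_out=$3 pass_file=$4
    openssl req -new -x509 -days 365 -key "$key_pem" \
        -subj "/CN=pi-sftp-client" -out "$cert_pem" || return 1
    # Read the keystore password from a file so it never shows up in the
    # process list or the shell history.
    openssl pkcs12 -export -in "$cert_pem" -inkey "$key_pem" \
        -name sftp_key -passout "file:$pass_file" -out "$p12_out" || return 1
    chmod 600 "$p12_out"
}

# Confirm that the keystore opens with the password and that its certificate
# carries the same public key as the private key it was built from.
verify_p12() {
    p12=$1 key_pem=$2 pass_file=$3
    cert_pub=$(openssl pkcs12 -in "$p12" -passin "file:$pass_file" -nokeys 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key_pem" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo in a scratch directory with a constructed key and password.
work=$(mktemp -d)
openssl genrsa -out "$work/private_key.pem" 2048 2>/dev/null
printf '%s\n' 'constructed-demo-password' > "$work/p12_pass.txt"
make_p12 "$work/private_key.pem" "$work/certificate.pem" \
    "$work/keystore.p12" "$work/p12_pass.txt" &&
    verify_p12 "$work/keystore.p12" "$work/private_key.pem" "$work/p12_pass.txt" &&
    echo "keystore OK: $work/keystore.p12"
```

Running `verify_p12` before the import catches a wrong password or a certificate built from a different key while the files are still on the workstation.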

Import the Private Key into NWA Key Store

  • Open the NWA key store and create a new view called SFTP_TEST
  • Click on 'Import Entry' and select the generated p12 file
  • After import, verify the entries.

Configure the Public Key in SSH Server

  • Copy the public key to the SSH server via SFTP
  • Log in to the SSH server and verify the copied public key
  • Since the public key does not have any permissions, change it to 400 (for read)
  • Use the ssh-keygen tool to create the OpenSSH format public key
  • Add the created OpenSSH public key to the authorized_keys file
  • Check the access permissions of the .ssh folder and the authorized_keys file
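
The server-side steps above as an added example (not part of the original article). The function names, the scratch home directory and the sample key line are constructed for illustration; `ssh-keygen -i -f` is the standard OpenSSH option for importing an RFC 4716 public key such as the one PuTTYgen saves.

```shell
#!/bin/sh
# Added example, not from the original page. Paths and the sample key line
# are constructed placeholders.

# Convert the public key saved by PuTTYgen (RFC 4716 format) to the
# one-line OpenSSH format that authorized_keys expects.
to_openssh_pubkey() {
    ssh-keygen -i -f "$1"
}

# Append a one-line OpenSSH public key to authorized_keys without creating
# duplicates. 700/600 are the conventional modes for directory and file.
install_pubkey() {
    home_dir=$1 key_line=$2
    auth="$home_dir/.ssh/authorized_keys"
    mkdir -p "$home_dir/.ssh" && chmod 700 "$home_dir/.ssh" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    grep -qxF -e "$key_line" "$auth" || printf '%s\n' "$key_line" >> "$auth"
}

# sshd (StrictModes, on by default) ignores authorized_keys when the file or
# its directory is writable by group or others. Print offenders, return 1.
audit_ssh_perms() {
    home_dir=$1 rc=0
    for p in "$home_dir/.ssh" "$home_dir/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then echo "missing: $p"; rc=1; continue; fi
        bad=$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)
        if [ -n "$bad" ]; then echo "group/other writable: $p"; rc=1; fi
    done
    return $rc
}

# Demo against a scratch directory standing in for the SFTP user's home.
demo_home=$(mktemp -d)
install_pubkey "$demo_home" 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED pi-sftp-demo'
audit_ssh_perms "$demo_home" && echo "permissions OK"
```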

Verify the Key Pairs with PuTTY

  • Now, the key based authentication can be verified with PuTTY.
  • Enter the host name and port

  • Select the private key (.ppk)

  • Confirm the Security alert

  • If the configuration is correct, the connection will be established successfully