PGP PI Module
SAP COMMUNITY NETWORK scn.sap.com
© 2012 SAP AG 1
Learning Series: SAP NetWeaver Process Orchestration, Secure Connectivity add-on 1d PGP Module
Applies to:
SAP NetWeaver Process Orchestration, Secure Connectivity Add-on 1.0 SP0
Summary
This article explains the use cases and the corresponding configuration options of the PGP modules that are available as part of SAP NetWeaver Process Orchestration's Secure Connectivity add-on.
Author: Sivasubramaniam Arunachalam
Company: SAP Labs India Pvt. Ltd.
Created on: May 18, 2012
Author Bio
Sivasubramaniam Arunachalam is a developer at SAP Labs. He is currently working with development activities of SFTP, PGP and OFTP components.
Table of Contents
Introduction
  Cryptographic Privacy (Encryption/Decryption)
  Authentication (Signing/Verification)
  Message Compression
  ASCII Armor Protected Data Transfer
  Different Types of Data Transfer
  Prerequisites
PGP Keys
Supported Algorithms
  Encryption
  Signing
  Compression
PGP Modules
Module Configuration Parameters
  Common Parameters
    keyRootPath
    partnerPublicKey
    ownPrivateKey
    pwdOwnPrivateKey
  PGPEncryption Module
    format
    asciiArmored
    applyCompression
    applyEncryption
    applySignature
    encryptionAlgo
    signingAlgo
  PGPDecryption Module
Default Values
Example Scenarios for PGP Module parameters configuration
  Reference Scenario Table
  Scenario - 01
    PGPEncryption Module
    PGPDecryption Module
    Message Flow in PGPEncryption Module
    Message Flow in PGPDecryption Module
  Scenario - 02
    PGPEncryption Module
    PGPDecryption Module
    Message Flow in PGPEncryption Module
    Message Flow in PGPDecryption Module
  Scenario - 03
    PGPEncryption Module
    PGPDecryption Module
    Message Flow in PGPEncryption Module
    Message Flow in PGPDecryption Module
Message Format after applying PGP Encryption Module
Notes
Other Learning Series Articles
Related Content
Copyright
Introduction
SAP's Secure Connectivity Add-on's PGP (Pretty Good Privacy) module offers the following major features.
Cryptographic Privacy (Encryption/Decryption)
Encryption is the process of transforming plain text with a cipher algorithm so that it is unreadable to anyone who does not possess the key used by the algorithm. The result of the process is the encrypted information. The reverse process, decryption, converts the encrypted information back into the original readable plain text.
Authentication (Signing/Verification)
A digital signature (signing and verification) is used to demonstrate the authenticity of a message. A valid digital signature gives a recipient reason to believe that the message was created by a known sender and that it was not altered in transit. Digital signatures are commonly used in financial transactions and in other cases where it is important to detect forgery or tampering. During signing, a signature is computed over the message with the sender's private key and appended to the original message. The reverse process, checking that signature at the receiver's end with the sender's public key, is called verification.
Message Compression
The message about to be transferred can be compressed for optimized transfer through the physical medium. At the receiver's end it is uncompressed to its original size.
ASCII Armor Protected Data Transfer
If the protocol or transmission channel supports only printable ASCII characters, the data to be transferred has to be encoded as plain text. This is referred to as binary-to-text encoding. When this encoding is applied to the message itself and decoded at the receiver's end, it is called "ASCII Armoring".
A channel with a limited character set has the following limitations:
It is not 8-bit clean
It cannot handle every printable ASCII character
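The ASCII armoring described above, as an added Python example that is not code from the article or the add-on: a minimal OpenPGP-style Radix-64 armor encoder and decoder following RFC 4880 section 6 (a base64 body in 76-character lines followed by a CRC-24 checksum line), plus a check that the armored text survives a channel restricted to printable ASCII. The block type string and the sample payload are this example's choices.

```python
import base64

# Added example (not the SAP module's code): OpenPGP-style ASCII armor as
# defined in RFC 4880 section 6. The CRC-24 parameters are the RFC's.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, used as the armor checksum."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, block_type: str = "PGP MESSAGE") -> str:
    """Wrap raw (possibly 8-bit) bytes in an ASCII armor block."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 76] for i in range(0, len(body), 76)] or [""]
    crc_line = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    # Header line, blank line (end of the optional armor headers), body, CRC, footer.
    return "\n".join([f"-----BEGIN {block_type}-----", "", *lines, crc_line,
                      f"-----END {block_type}-----", ""])


def dearmor(text: str) -> bytes:
    """Recover the bytes from an armor block, verifying the CRC-24 trailer."""
    lines = text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("-----BEGIN "))
        end = next(i for i, line in enumerate(lines) if line.startswith("-----END "))
    except StopIteration:
        raise ValueError("no armor header/footer found")
    # Armor headers such as "Version: ..." run until the first blank line.
    i = start + 1
    while i < end and lines[i].strip():
        i += 1
    body, crc_b64 = [], None
    for line in lines[i + 1:end]:
        if line.startswith("="):
            crc_b64 = line[1:].strip()
        elif line.strip():
            body.append(line.strip())
    payload = base64.b64decode("".join(body), validate=True)
    if crc_b64 is None:
        raise ValueError("armor checksum line missing")
    if int.from_bytes(base64.b64decode(crc_b64), "big") != crc24(payload):
        raise ValueError("armor checksum mismatch: payload altered in transit")
    return payload


def is_7bit_printable(text: str) -> bool:
    """True if the text only uses printable ASCII and newlines, i.e. it can
    cross a channel that is not 8-bit clean."""
    return all(ch == "\n" or 0x20 <= ord(ch) <= 0x7E for ch in text)


if __name__ == "__main__":
    sample = bytes(range(256))  # constructed payload containing every byte value
    armored = armor(sample)
    print(armored)
    print("7-bit clean:", is_7bit_printable(armored), "round trip ok:", dearmor(armored) == sample)
```

The CRC line only detects accidental corruption of the armor; it is not an integrity check against a deliberate change, which is what the signature feature is for.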
Different Types of Data Transfer
Both text and binary modes of data transfer are supported.
Prerequisites
The PGP modules must be deployed as described in the installation guide supplied with the Secure Connectivity add-on.
The JVM must be installed with the unlimited JCE policy (SAP Note 1240081).
ASCII armored keys representing two different trading partners are required, as explained in the next section, "PGP Keys".
Other PI related prerequisites apply.
PGP Keys
The ASCII armored PGP keys can be created using the steps described in the wiki (see Related Content).
As of now, SAP NetWeaver's key storage does not support PGP keys, so they need to be stored in the file system of the host where PI is installed.
The corresponding file system access is required to store all the key files used.
The path can be relative or absolute.
Example:
/usr/sap/SYS_ID/INSTANCE_ID/sec
../../../../SYS/global/pgpkeys
Relevant OS level permissions need to be configured to secure the key files and to prevent unauthorized access to the keys, especially private keys.
Read access needs to be given to the folder containing the PGP Keys for the Operating System user that runs the PI JVM. Please check with the system admin for the corresponding user name.
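One way to verify the file-system requirements of this section before configuring the modules, as an added Python example that is not part of the article or the add-on. It resolves a relative or absolute keyRootPath, checks that the partner public key and own private key files exist, and checks that the PI OS user owns them, that nobody else can write them and that the private key is not readable by anyone else. The directory layout, the file names partner_pub.asc and own_priv.asc, the 0750/0640/0600 modes and the placeholder key contents are this example's assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional

# Added example (not the SAP add-on's code): OS-level checks for a keyRootPath
# directory. File names, modes and placeholder key contents are assumptions.


def resolve_key_root(key_root: str, base_dir: str) -> Path:
    """keyRootPath may be relative or absolute; a relative path is resolved
    against base_dir (assumed here to be the PI server's working directory)."""
    path = Path(key_root)
    return (path if path.is_absolute() else Path(base_dir) / path).resolve()


def check_key_root(key_root: str, partner_public_key: str, own_private_key: str,
                   base_dir: str = ".", pi_uid: Optional[int] = None) -> List[str]:
    """Return a list of findings; an empty list means both key files exist, are
    readable by their owner (optionally verified to be the PI OS user), are not
    writable by anyone else, and the private key is not readable by anyone else."""
    findings: List[str] = []
    root = resolve_key_root(key_root, base_dir)
    if not root.is_dir():
        return [f"keyRootPath {root} is not a directory"]
    dir_mode = stat.S_IMODE(root.stat().st_mode)
    if dir_mode & stat.S_IRWXO:
        findings.append(f"{root}: directory accessible by others (mode {oct(dir_mode)})")
    for name, is_private in ((partner_public_key, False), (own_private_key, True)):
        path = root / name
        if not path.is_file():
            findings.append(f"{name}: missing in {root}")
            continue
        st = path.stat()
        mode = stat.S_IMODE(st.st_mode)
        if pi_uid is not None and st.st_uid != pi_uid:
            findings.append(f"{name}: not owned by the PI OS user (uid {pi_uid})")
        if not mode & stat.S_IRUSR:
            findings.append(f"{name}: owner cannot read it (mode {oct(mode)})")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{name}: writable by group or others (mode {oct(mode)})")
        if is_private and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{name}: private key readable by group or others (mode {oct(mode)})")
    return findings


def write_placeholder_keys(root: str) -> None:
    """Create a key directory with placeholder (constructed, not real) key files:
    directory 0750, public key 0640, private key 0600."""
    os.makedirs(root, exist_ok=True)
    os.chmod(root, 0o750)
    for name, mode, kind in (("partner_pub.asc", 0o640, "PUBLIC"), ("own_priv.asc", 0o600, "PRIVATE")):
        file_path = os.path.join(root, name)
        with open(file_path, "w") as fh:
            fh.write(f"-----BEGIN PGP {kind} KEY BLOCK-----\nplaceholder\n-----END PGP {kind} KEY BLOCK-----\n")
        os.chmod(file_path, mode)


def demo() -> tuple:
    """Check a well-protected temporary key directory, then the same directory
    after the private key has been made world-readable (a constructed misconfiguration)."""
    with tempfile.TemporaryDirectory() as tmp:
        write_placeholder_keys(os.path.join(tmp, "pgpkeys"))
        good = check_key_root("pgpkeys", "partner_pub.asc", "own_priv.asc", base_dir=tmp)
        os.chmod(os.path.join(tmp, "pgpkeys", "own_priv.asc"), 0o644)
        bad = check_key_root("pgpkeys", "partner_pub.asc", "own_priv.asc", base_dir=tmp)
    return good, bad


if __name__ == "__main__":
    for label, findings in zip(("protected", "loose private key"), demo()):
        print(label, "->", findings or "ok")
```

For a real installation, call check_key_root with the configured keyRootPath, the two configured file names and the uid of the OS user that runs the PI JVM (the user the system administrator names), and treat any finding as something to fix before the channel is activated.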
Supported Algorithms
Encryption
AES_128
AES_192
AES_256
BLOWFISH
CAST5 (Default)
DES
3DES
TWOFISH
Signing
MD5
RIPEMD160
SHA1 (Default)
SHA224
SHA256
SHA384
SHA512
Compression
ZIP
ZLIB (Default)
BZIP2
PGP Modules
localejbs/PGPEncryption (Encryption)
localejbs/PGPDecryption (Decryption)
Both modules have to be configured as "Local Enterprise Bean".
They can be configured in any adapter, like the standard modules.
They can be configured in both directions, depending on the business scenario.
Module Configuration Parameters
Common Parameters
All the parameters mentioned below are mandatory for both modules.
keyRootPath
The operating system path where the keys are stored. This must be the same as the path used for storing the PGP keys in the prerequisite step.
partnerPublicKey
The file name of the partner's public key. This file must be available and accessible in the configured 'keyRootPath'.
ownPrivateKey
The file name of the own private key. This file must be available and accessible in the configured 'keyRootPath'.
pwdOwnPrivateKey
The password to read the configured private key. This must be the same as the password given in the key generation step (see the wiki under Related Content).
PGPEncryption Module
format
The message format during data transfer. It can be either "binary" or "text". The default is "binary".
asciiArmored
ASCII Armor protection can be turned on or off. Set this parameter to "true" to enable it and to "false" to disable it. By default, messages are ASCII Armor protected.
applyCompression
Message compression can be turned on or off during data transfer. To disable it, configure the parameter as "none". To enable it, specify one of the supported compression algorithms: ZIP, ZLIB or BZIP2. By default, compression is enabled with the "ZLIB" algorithm.
applyEncryption
Message encryption can be turned on or off. Set this parameter to "true" to enable it and to "false" to disable it. By default, messages are not encrypted.
applySignature
Message signing can be turned on or off. Set this parameter to "true" to enable it and to "false" to disable it. By default, messages are not signed.
encryptionAlgo
If "applyEncryption" is true, one of the supported encryption algorithms can be specified. The default is "CAST5".
signingAlgo
If "applySignature" is true, one of the supported signing algorithms can be specified. The default is "SHA1".
PGPDecryption Module
This module does not have any special configuration parameters other than the common key related parameters described in the "Common Parameters" section above. It identifies the algorithms for decryption, verification and decompression from the message header.
Default Values
The PGPEncryption and PGPDecryption modules use the default values under the following conditions:
If the parameter is not configured
If the parameter is configured with incorrect value
Example Scenarios for PGP Module parameters configuration
Reference Scenario Table
Scenario | format          | asciiArmored   | applyCompression | applyEncryption | encryptionAlgo | applySignature | signingAlgo
01       | text            | true           | none             | false           | Not Configured | true           | Not Configured
02       | binary          | false          | ZIP              | true            | Not Configured | false          | Not Configured
03       | Incorrect Value | Not Configured | ZLIB             | true            | AES_128        | true           | RIPEMD160
Scenario - 01
PGPEncryption Module
This scenario is configured with the following options.
Text format
ASCII Armor Protected
No Encryption
No Compression
Signature/Signing
Since “signingAlgo” is not configured, it will use the default SHA1.
PGPDecryption Module
Message Flow in PGPEncryption Module
Message Flow in PGPDecryption Module
Scenario - 02
PGPEncryption Module
This scenario is configured with the following options.
Binary format
Message transfer is not ASCII Armor Protected
Encryption
Compression using ZIP algorithm
No Signature/Signing
Since “encryptionAlgo” is not configured, it will use the default CAST5.
PGPDecryption Module
Message Flow in PGPEncryption Module
Message Flow in PGPDecryption Module
Scenario - 03
PGPEncryption Module
This scenario is configured with the following options.
Incorrect value for format
Encryption using AES_128 algorithm
Compression using ZLIB algorithm
Signature/Signing using RIPEMD160
As "asciiArmored" is not configured, the message is ASCII Armor protected by default.
As "format" is configured with a wrong value, the default "binary" mode is used.
PGPDecryption Module
Message Flow in PGPEncryption Module
Message Flow in PGPDecryption Module
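To make the default and fallback rules of the "Default Values" section and the three scenarios above concrete, the following added Python example (not code from the article or the add-on) resolves a PGPEncryption parameter set to its effective values, applying the documented defaults for missing or incorrect values, and flags what a reviewer of a channel configuration would want to see. The three sample parameter sets follow the reference scenario table; the key path, file names, the password placeholder and the value "xml" standing in for the table's "Incorrect Value" are constructed. Exact (case-sensitive) value matching and the list of ciphers that need the unlimited JCE policy are this example's assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Added example (not the SAP add-on's code): effective PGPEncryption settings
# derived from the parameter documentation above. Matching is case-sensitive here;
# the article does not state how the real module treats case.

COMMON_REQUIRED = ("keyRootPath", "partnerPublicKey", "ownPrivateKey", "pwdOwnPrivateKey")

ENCRYPTION_ALGOS = {"AES_128", "AES_192", "AES_256", "BLOWFISH", "CAST5", "DES", "3DES", "TWOFISH"}
SIGNING_ALGOS = {"MD5", "RIPEMD160", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512"}
COMPRESSION_ALGOS = {"ZIP", "ZLIB", "BZIP2"}

# PGPEncryption parameter -> (allowed values, documented default)
ENCRYPTION_PARAMS = {
    "format": ({"binary", "text"}, "binary"),
    "asciiArmored": ({"true", "false"}, "true"),
    "applyCompression": (COMPRESSION_ALGOS | {"none"}, "ZLIB"),
    "applyEncryption": ({"true", "false"}, "false"),
    "applySignature": ({"true", "false"}, "false"),
    "encryptionAlgo": (ENCRYPTION_ALGOS, "CAST5"),
    "signingAlgo": (SIGNING_ALGOS, "SHA1"),
}

# Ciphers with key lengths above 128 bit, which the Notes say need the unlimited
# JCE policy (SAP Note 1240081). This list is the example's assumption.
NEEDS_UNLIMITED_JCE = {"AES_192", "AES_256"}


def effective_encryption_config(params: Dict[str, str]) -> Tuple[Dict[str, Optional[str]], List[str]]:
    """Return (effective values, warnings) for one PGPEncryption module configuration."""
    effective: Dict[str, Optional[str]] = {}
    warnings: List[str] = []
    for key in COMMON_REQUIRED:
        if not params.get(key):
            warnings.append(f"{key}: mandatory parameter missing")
    for key, (allowed, default) in ENCRYPTION_PARAMS.items():
        value = params.get(key)
        if value is None:
            effective[key] = default
            warnings.append(f"{key}: not configured, default {default} applies")
        elif value not in allowed:
            effective[key] = default
            warnings.append(f"{key}: incorrect value {value!r}, default {default} applies")
        else:
            effective[key] = value
    # An algorithm parameter only matters when the matching apply* switch is on.
    if effective["applyEncryption"] == "false":
        effective["encryptionAlgo"] = None
    if effective["applySignature"] == "false":
        effective["signingAlgo"] = None
    if effective["encryptionAlgo"] in NEEDS_UNLIMITED_JCE:
        warnings.append(f"{effective['encryptionAlgo']} needs the unlimited JCE policy (SAP Note 1240081)")
    if effective["encryptionAlgo"] is None and effective["signingAlgo"] is None:
        warnings.append("neither encryption nor signing is enabled: payload leaves in clear and unauthenticated")
    return effective, warnings


# Constructed parameter sets following the reference scenario table. Key path,
# file names and password are placeholders; "xml" stands in for "Incorrect Value".
COMMON = {
    "keyRootPath": "/usr/sap/SYS_ID/INSTANCE_ID/sec",
    "partnerPublicKey": "partner_pub.asc",
    "ownPrivateKey": "own_priv.asc",
    "pwdOwnPrivateKey": "<password-from-key-generation>",
}
SCENARIOS = {
    "01": {**COMMON, "format": "text", "asciiArmored": "true", "applyCompression": "none",
           "applyEncryption": "false", "applySignature": "true"},
    "02": {**COMMON, "format": "binary", "asciiArmored": "false", "applyCompression": "ZIP",
           "applyEncryption": "true", "applySignature": "false"},
    "03": {**COMMON, "format": "xml", "applyCompression": "ZLIB", "applyEncryption": "true",
           "encryptionAlgo": "AES_128", "applySignature": "true", "signingAlgo": "RIPEMD160"},
}

if __name__ == "__main__":
    for name, params in SCENARIOS.items():
        effective, warnings = effective_encryption_config(params)
        print(f"Scenario {name}: {effective}")
        for warning in warnings:
            print("  -", warning)
```

Running it reproduces the outcomes stated for the scenarios: SHA1 for scenario 01, CAST5 for scenario 02, and binary format plus ASCII armor for scenario 03. The warnings are the part worth keeping in a review checklist, since the module silently falls back to a default rather than rejecting a mistyped value.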
Message Format after applying PGP Encryption Module
Once the PGP module has been applied to the payload, the payload cannot be modified further unless it is decrypted. The screenshot below shows an example of a message as it appears on the wire.
Notes
The configured module parameters can be verified in the channel logs.
The encryption and decryption modules can be combined with other modules, but the payload is unreadable after the encryption module has been applied.
The algorithm name used for encryption is visible in the decryption module logs.
If the JVM does not have the unlimited JCE policy, algorithms that use keys longer than 128 bits are not supported.
These modules are compatible with other third-party PGP solutions.
Other Learning Series Articles
SL No | Product Name | Topic Name
1. SAP NetWeaver Process Orchestration, secure connectivity add-on 1.0
   a) How to Proceed Guide
   b) Installation Guide
   c) SFTP Adapter
   d) PGP Module
2. SAP NetWeaver Process Orchestration, business to business add-on 1.0
   a) How To Proceed Guide
   b) Installation Guide
   c) AS2 Adapter
   d) OFTP Adapter
   e) X400 Adapter
   f) EDI Separator
   g) Archiver Module and Archiver Mapping
   h) Number Range Objects Module
   i) EDI XML Converter
      I. Master Guide: EDI XML Converter
      II. EDIFACT_Info_Guide
      III. X12_Info_Guide
      IV. TRADACOMS_Info_Guide
      V. ODETTE_Info_Guide
      VI. VDA_Info_Guide
      VII. PLAIN_Info_Guide
   j) B2B Content
3. SAP NetWeaver Process Orchestration, business to business add-on 1.0
   a) Sample Scenario Set-up (contains File Adapter, AS2 Adapter, EDI XML Converter, Mapping Templates, and NRO Module)
   b) Sample Scenario Set-up (contains File Adapter, OFTP Adapter, EDI XML Converter, Mapping Templates, and PGP Module)
   c) Sample Scenario Set-up (contains File Adapter, X400 Adapter, EDI Separator Adapter, Mapping Templates, EDI XML Converter and Archiver Module)
Related Content
http://wiki.sdn.sap.com/wiki/display/XI/Generating+ASCII+Armored+PGP+Key+Pairs
http://en.wikipedia.org/wiki/Binary-to-text_encoding
Copyright
© Copyright 2012 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Oracle Corporation.
JavaScript is a registered trademark of Oracle Corporation, used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.