Sap Pi Pgp Key Generation

Symptom

Apr 10, 2012. I am sure many of you must have by now been made aware that SAP has released B2B and SFTP/PGP capabilities for SAP PI. Earlier, we had to depend upon third-party vendors for this service but with SAP filling this gap, I strongly believe that PI is now in a better position to be provisioned and a true enterprise service bus.

The PGP capabilities of SAP PI. Encrypt only: use the public key provided by the partner to encrypt. Along with the public key, you can also specify the encryption algorithm. The SAP standard module supports the following algorithms for encryption: AES128, AES192, AES256, BLOWFISH, CAST5, DES, 3DES, and TWOFISH.

PGP is one of the most commonly used encryption and decryption mechanisms for data transmission across internal and external systems. SAP PI/PO provides out-of-the-box functionality via Adapter Modules to support PGP, which is used to encrypt or decrypt data as well as sign it. Public keys (safe to share) are used to encrypt messages, while private keys (must not be shared) are used to decrypt.

  • What is PGP and how does it work in SuccessFactors?
  • Customer wants to encrypt their Data
  • Customer requests public key

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

Resolution

What is PGP?

PGP is a key based encryption/authentication process. It allows users to publicly share keys that are used to sign and/or encrypt messages and data. At SuccessFactors, we only use the encryption function.

How does PGP work?

A user or their company needs to install PGP software. They can also use the compatible GPG (Open Source) software. After the install, the user can create their own keys and install keys provided by business partners. Every key comes in two parts: the Public key, which can be shared with partners or even posted publicly somewhere for anyone to access, and the Private key, which should be kept secure on the system where it was created.

The two keys are used for two different purposes.

  • The Public key is used to Encrypt data you are sending.
  • The Private key is used to Decrypt data you receive.

So any of your business partners can use your Public key to encrypt data they send you. They can safely send the file over a public network. Only you are able to decrypt it.

Working with PGP Keys at SuccessFactors

SuccessFactors has included the Managing PGP Keys screen in Provisioning. This screen has two sections that relate to the two keys discussed earlier.

Generate Key

The top half of the screen allows us to generate (a private/public key pair) and export the Public key our customer will use to encrypt data before sending it to us.

  • Generate Key creates a new key. We offer two key options. The DSA option creates a 512 bit key. The RSA option creates a 2048 bit key;
  • Choose the RSA key when creating a new one. The smaller DSA key only exists for backwards compatibility. The few customers who require DSA will actually ask for it;
  • Do not generate a new key if one is already listed in the Generated Key Section;
  • The Generated Key area lists the key type, key fingerprint and creation date. The last two items can be used to validate that our customer has installed our key properly;
  • Use Remove Key with caution. There is normally never any reason to do this. Once the key is removed, there is no way to recover it. Any customer data encrypted with it won’t be able to be decrypted;
  • Export Key button creates a Public key file you can save and send to the customer. This can be sent in plain email;
  • The Export Key button does not create a key that we can import into another instance;
  • NOTE: After a key has been generated, we can only export the public key from Provisioning; Support has no access to the Private Key or the Passphrase. This is to safeguard your data.
    As a result, this screen is NOT suitable for generating keys to use with LMS;
  • A Private/Public Key pair for LMS can be generated manually by the customer or via a paid engagement (Professional Services or customer consultant).

Import Key

The bottom half allows us to import Public Keys sent by our customers. We will use these to encrypt data we send to them.
Note: Multiple keys can be installed here. They will ALL be used to encrypt data we send. However ANY ONE of them can be used to decrypt the data.

  • Browse on your PC for the Public key file the customer sent you;
  • Select Import Key to install it in provisioning;
  • The key will appear in the list. We can share the UserName, Creation Date and Fingerprint info with a customer questioning if we have the correct key installed;
  • As noted earlier, it’s OK to install multiple keys here;
  • There is no way to export these keys. We can install customer provided keys in multiple instances only if we still have their original key file;
  • It’s OK to remove unused keys. Please be sure they are truly not needed. There is no way to recover them. To remove, select the checkbox and hit Remove Key;
  • We no longer provide or install the old SF PGP key. While it’s still in use for many of our existing customers there is never a reason to use it for a new one;
  • For LMS, this is where the public key generated will be imported so that the BizX scheduled jobs encrypt the file with the right key (LMS connector will then decrypt the file using the private key setup on LMS). For more information on LMS encryption setup please check the references section of this KBA.

How to request a key or to import a key on SuccessFactors?

Please engage your Implementation Partner or Customer Support under the component LOD-SF-PLT. To request key generation, please provide:

  • The Company ID of the instance;
  • The type of the key (DSA/RSA).

To request the import of a key, please provide:

  • The Company ID of the instance;
  • Attach the key file in the ticket.

See Also

2361997 - How to use PGP encryption in LMS connectors

Keywords

PGP, Encryption, Securing Data, Scheduled Jobs, Decrypt, Data, Public Key, Private Key, KBA, LOD-SF-PLT, Platform Foundational Capabilities, LOD-SF-PLT-SFTP, LOD-SF-PLT-SEC, Security & Permissions, How To

Product

Symptom

You are processing encrypted files using SFTP channel. You see that the messages are failing with the exception below:

PGP Encryption Module: Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher)Cause: Illegal key size
MP: exception caught with message Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher)
Exception caught by adapter framework: Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher)
Transmitting the message to endpoint <local> using connection SFTP_http://sap.com/xi/XI/SFTP failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.lang.Exception: Could not process message, Internal PGP Error (org.bouncycastle.openpgp.PGPException: Exception creating cipher)

If you go to http://<host>:<port>/BC//VerifyJCE in order to check the JCE Policy, you will see the following configuration:

8 bit ok
16 bit ok
32 bit ok
64 bit ok
128 bit ok
256 bit null
512 bit null
1024 bit null
2048 bit null
4096 bit null
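
The "Illegal key size" cause, together with "null" for every size above 128 bit, is consistent with a JVM running under the limited JCE jurisdiction policy, which would also block the AES192 and AES256 options listed earlier. The following check is an added example, not part of the KBA or of SAP's VerifyJCE page; the class name JcePolicyCheck is hypothetical, and it must be run with the same JVM installation as the adapter engine for the result to apply.

```java
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example: reports which AES key sizes the running JVM's JCE policy permits.
public class JcePolicyCheck {

    // Tries to initialise a cipher with a key of the given size.
    // The all-zero key is a probe only; no data is ever encrypted with it.
    static String probe(String algorithm, int bits) {
        try {
            Cipher cipher = Cipher.getInstance(algorithm);
            cipher.init(Cipher.ENCRYPT_MODE,
                    new SecretKeySpec(new byte[bits / 8], algorithm));
            return "ok";
        } catch (GeneralSecurityException e) {
            // Under the limited policy this is an InvalidKeyException
            // whose message reads "Illegal key size ...".
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // 128 under the limited policy, Integer.MAX_VALUE when unlimited.
        int max = Cipher.getMaxAllowedKeyLength("AES");

        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("max AES key  = "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bit"));

        for (int bits : new int[] {128, 192, 256}) {
            System.out.println("AES " + bits + " bit: " + probe("AES", bits));
        }

        if (max < 256) {
            System.out.println("Limited JCE policy in effect: keys above "
                    + max + " bit are rejected, so AES192/AES256 PGP sessions fail.");
        } else {
            System.out.println("Unlimited JCE policy in effect.");
        }
    }
}
```

Comparing the printed java.home with the JVM path the server actually uses avoids checking the policy of a different Java installation on the same host.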

Environment

  • PI Release Independent
  • SAP NetWeaver
  • SAP Process Integration
  • SAP Process Integration, business-to-business add-on
  • SAP Process Integration, secure connectivity add-on

Product

SAP NetWeaver all versions ; SAP Process Integration all versions ; SAP Process Integration, business-to-business add-on all versions ; SAP Process Integration, secure connectivity add-on all versions

Keywords

Process Integration 7.0, PI 7.0, PI 7.01, PI 7.02, Process Integration 7.10, PI 7.10, Process Integration 7.11, PI 7.11, Process Integration 7.30, PI 7.30, Process Integration 7.31, PI 7.31, Process Orchestration 7.40, PI 7.40, PO 7.40, Process Orchestration 7.50, PI 7.50, PO 7.50, NetWeaver, XI, local_policy.jar, US_export_policy, PIB2BPGP, PIB2BSFTP, Ilegal Key Size, SFTP, PGP, Internal PGP Error, Jurisdiction Policies, Exception decrypting key, JCE, PGPException, Exception creating cipher, KBA, BC-XI-CON-SFT, Secure File Transfer Protocol Adapter, Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).
