PGP is one of the most commonly used mechanisms for encrypting and decrypting data transmitted between internal and external systems. SAP PI/PO supports PGP out of the box through adapter modules, which can encrypt or decrypt data as well as sign it. Public keys (safe to share) are used to encrypt messages; private keys (which must not be shared) are used to decrypt them.
1. PGPEncryption Module
The PGPEncryption module functions as the originator of PGP messages. It is used for the following activities:
- Data Encryption
- Payload Signature
- Data Compression
The PGPEncryption module is configured under the ‘modules’ tab of the receiver communication channel. It can be used in any communication channel that supports enhancement via modules (e.g. File, SFTP, JMS, SOAP).
Options for PGP Encryption
| Parameter Name | Description |
|---|---|
| applyEncryption | Set to true if you want to encrypt the outgoing message |
| applySignature | Set to true if you want to sign the outgoing message |
| applyCompression | Set to true if you want to compress the outgoing message |
| encryptionAlgo | Specify the algorithm to be used for encryption |
| signingAlgo | Specify the algorithm to be used for signature |
| asciiArmored | Set to true if you want the message to be ASCII armored |
| partnerPublicKey | Used to specify the public key of the partner |
| ownPrivateKey | Used to specify your own private key (never share this key with anyone) |
| pwdOwnPrivateKey | Password for your own private key (never share this password with anyone) |
| keyRootPath | Path where PGP keys are stored (if storing keys on the PI/PO server) |
| useSecureStorage | Set to true if you want to use PGP keys stored in the B2B Integration Cockpit |
2. PGPDecryption Module
The PGPDecryption module functions as the subscriber of PGP messages. It is used for the following tasks:
- Data Decryption
- Signature verification
- Data Decompression
The PGPDecryption module is configured under the ‘modules’ tab of the sender communication channel. It can be used in any communication channel that supports enhancement via modules (e.g. File, SFTP, JMS, SOAP).
Options for PGPDecryption
| Parameter | Description |
|---|---|
| partnerPublicKey | Used to specify the public key of the partner |
| ownPrivateKey | Used to specify your own private key (never share this key with anyone) |
| pwdOwnPrivateKey | Password for your own private key (never share this password with anyone) |
| keyRootPath | Path where keys are stored (if storing keys on the PI/PO server) |
| useSecureStorage | Set to true if you want to use PGP keys stored in the B2B Integration Cockpit |
Managing PGP Modules
PGP keys (private as well as public) can be stored either in the NetWeaver J2EE server's Secure Store or on the file server where PI/PO is installed. Storing keys in the Secure Store is the better and more secure option compared with the local file server.
1. Secure Store of NetWeaver J2EE Server (Recommended Approach)
When keys are stored in the Secure Store, the keys are encrypted and maintained using the B2B Integration Cockpit. It is accessed via a web browser and provides a good user interface for uploading and downloading keys. Currently, you can only import and export PGP keys in the Secure Store; it does not provide an option to generate PGP key pairs.
When using this approach, set the ‘useSecureStore’ option in the adapter module to ‘true’ so that the system knows where the keys are stored.
2. Storing Keys on a File Server of SAP PI/PO (Not Recommended)
Although PI/PO allows keys to be stored on the file server, it is not advisable: keys stored this way are exposed to anyone who has access to the server. Private keys must be kept in a safe location and must not be shared with anyone; public keys can be freely shared across systems. If you nevertheless decide to store your keys on the file server, you must set ‘useSecureStore’ to ‘false’ and provide the physical location of the keys in the adapter module.
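The following is an added example (not from this page or from SAP) that puts the parameters from the PGPEncryption and PGPDecryption tables and the key-storage choice above into one module-tab configuration. The module keys `pgpenc` and `pgpdec`, the `localejbs/` prefix, the key names and the path are assumptions; the algorithm values are placeholders because the page does not list the accepted names. The receiver channel encrypts, signs, compresses and ASCII-armors outbound payloads; the sender channel decrypts, verifies and decompresses the partner's messages.

```properties
# Added example, not SAP's own configuration. Values in <angle brackets>
# and the key/path names are placeholders or assumptions.

# --- Receiver channel, processing sequence (module tab) ---
# The PGP module is placed before the adapter's own module so the payload
# is encrypted and signed before the adapter writes or sends it:
#   1  localejbs/PGPEncryption            Local Enterprise Bean   pgpenc
#   2  <adapter's own module for the channel>                     ...

# --- Module configuration for key "pgpenc" ---
pgpenc.applyEncryption  = true
pgpenc.applySignature   = true
pgpenc.applyCompression = true
pgpenc.asciiArmored     = true
pgpenc.encryptionAlgo   = <encryption algorithm name as documented by SAP>
pgpenc.signingAlgo      = <signing algorithm name as documented by SAP>
# Recommended approach: keys are kept in the Secure Store (B2B Integration Cockpit),
# so no keyRootPath is needed.
pgpenc.useSecureStorage = true
pgpenc.partnerPublicKey = partner_pub.asc         # assumed name of the partner's public key
pgpenc.ownPrivateKey    = own_priv.asc            # assumed name of your own private key (used for signing)
pgpenc.pwdOwnPrivateKey = <passphrase of own private key>

# --- Sender channel, processing sequence (module tab) ---
#   1  localejbs/PGPDecryption            Local Enterprise Bean   pgpdec
#   2  <adapter's own module for the channel>                     ...

# --- Module configuration for key "pgpdec" ---
pgpdec.useSecureStorage = true
pgpdec.partnerPublicKey = partner_pub.asc         # verifies the partner's signature
pgpdec.ownPrivateKey    = own_priv.asc            # decrypts messages encrypted to your public key
pgpdec.pwdOwnPrivateKey = <passphrase of own private key>

# --- Not-recommended variant: keys on the PI/PO file system ---
# Only in this case is keyRootPath required; the key files then sit on the
# server where anyone with server access can read them.
# pgpenc.useSecureStorage = false
# pgpenc.keyRootPath      = /usr/sap/<SID>/pgp/keys   # placeholder path
```

A useful cross-check when reviewing such a configuration is that every channel setting `useSecureStorage = true` has no `keyRootPath` left over from an earlier file-based setup, and that the private key referenced by `ownPrivateKey` exists only in the Secure Store and not also as a file under a former `keyRootPath`.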
Conclusion
By using the SAP PGP adapter modules, you can encrypt, decrypt, and sign your data. Most industry-standard encryption algorithms are supported, and depending on your licensing agreement with SAP, you may be able to download these modules at no additional cost.