Encryption and Decryption of Data Using Pretty Good Privacy (PGP) with the Advantco Modules in SAP PI/PO

Sep 17, 2018 posted by Aamir Suhail under SAP

Advantco provides two PGP adapter modules, the OpenPGP Sender Module and the OpenPGP Receiver Module. These modules are used to encrypt and decrypt messages and can be deployed on PI/PO servers. They work in tandem to ensure the validity and security of data as it is exchanged in and out of the SAP system.

 


1. Advantco OpenPGP Sender Module

The OpenPGP sender module is used as the sender of PGP messages. It can do the following tasks:

  • Encrypt message payload
  • Sign message payload
  • Compress message payload


The OpenPGP sender module is used in the receiver adapter of SAP PI (Process Integration). The adapter module is configured under the “modules” tab of the SAP PI receiver adapter. 

 


2. Advantco OpenPGP Receiver Module

The OpenPGP receiver module is used as the receiver of PGP messages. It can do the following tasks:

  • Decrypt message payload
  • Verify signed message payload
  • Decompress message payload

 


The OpenPGP receiver module is used in the sender adapter of SAP PI. The adapter module is configured under the “modules” tab of the SAP PI sender adapter.

 


Key Management for Advantco PGP Modules

The Advantco OpenPGP adapter modules can access PGP keys from two locations: the NetWeaver J2EE Database of the SAP PI System, or directly from the local file server of PI. While both are acceptable storage locations, accessing the PGP keys via the NetWeaver J2EE Database of the SAP PI System offers some distinct advantages, both for security and ease of management, making it the recommended approach.

1. NetWeaver J2EE Database of the SAP PI System (Recommended Approach)

When keys are stored in the NetWeaver J2EE Database of the SAP PI System, the encryption and ongoing maintenance of keys are done using the OpenPGP Key Manager. It can be accessed via a web browser and provides an excellent user interface to create, update, and delete keys. It also allows you to implement security settings so that only designated resources have access to view or edit keys. It provides robust functionality to import or generate new keys. Below are some of the standard features provided by the OpenPGP Key Manager:

  • Generating PGP Key Pairs: generate PGP key pairs for encryption and/or message signature.
  • Importing/Exporting PGP Keys: import/export keys via a keyring file (a file in which public and secret keys are kept). Importing someone’s public key allows you to decrypt their email and check their digital signature against their public key on your keyring. This enables you to verify the validity of future files or documents sent from those entities by comparing them against the keys in your keyring.
  • Deleting PGP Keys: delete PGP keys that are no longer required.
  • Editing PGP Keys: enables the modification of PGP keys.
  • Backing Up PGP Keys: allows us to back up all PGP keys and store them in a database or keyring file.
  • Setting Key Expiry Dates: determine and set a date on which a key will expire.
  • Changing Key Passphrase: allows us to change the passphrase for the keys.
  • Changing Key Encryption Algorithm: allows us to change the algorithm that is used for message encryption.
  • Searching for Keys: allows us to search keys based on Key ID, User ID, etc.

2. Storing Keys on a Local File Server of SAP PI (Not Recommended)

This is the second approach to key management and involves storing keys directly on the SAP PI server. It does not provide a user interface to maintain keys or to change security settings that restrict access (at the file server level) to view or edit keys. As the number of keys increases, this key storage and maintenance method becomes increasingly cumbersome and error-prone while posing serious security concerns.

 


The Advantco PGP modules for SAP PI/PO adapters are very easy to use and maintain. These modules support the industry-wide encryption and decryption standards and can be deployed on an existing SAP PI/PO server with minimal effort.
