PGP (Pretty Good Privacy) in SAP PI/PO using Secure Connectivity Add-on

Wojciech Eichert SAP Integration Consultant, SAP Press author
2019-10-23

In this article Wojciech Eichert explains:

  • How to increase communication security by implementing PGP encryption into SAP PI/PO configuration
  • SAP PGP in SAP PI/PO
  • How to use Sender Communication Channel
  • How the Receiver Communication Channel works

SAP PGP in SAP PI/PO

When developing SAP PI/PO interfaces, you may come across a requirement to exchange messages more securely. Especially when setting up communication with banks, you want to ensure that files sent to the bank reach their destination with their original content: nobody should be able to modify the details of a payment. This requirement can be met with PGP (Pretty Good Privacy), available through the SAP PGP module and the adapter modules it provides. The idea behind PGP is to encrypt the message in such a way that only the intended recipient can decrypt its content. This is achieved with key pairs: each party shares its public key with the other and keeps its private key to itself. Signing the message with the sender's private key additionally lets the recipient verify that the content was not modified in transit.

In the example below, we use the Secure Store feature to store the encryption/decryption keys; the SAP PI/PO file system can be used as well.

B2B Integration Cockpit

In the screenshot above we can see three keys imported into the PGP Secure Store:

  • Our own pair of keys (they can be generated with publicly available software):
      • Public key that we share with the third party (‘LOCAL_PUBLIC’)
      • Private key that we keep to ourselves (‘LOCAL_PRIVATE’)
  • Public key provided by the third party (‘3rdParty_PUBLIC’)

Sender Communication Channel

Now we can configure our communication channels to implement PGP security with the provided adapter modules.

First, let’s set up decryption for the messages we receive from the third party. For this purpose, we use the ‘localejbs/PGPDecryption’ module in our sender communication channel and configure the following parameters:

  • ownPrivateKey – name of our private key in Secure Store
  • partnerPublicKey – name of third party public key as maintained in Secure Store
  • pwdOwnPrivateKey – password to our private key (the password is set as part of key generation process)
  • useSecureStore – indicates if we use Secure Store or file system

Receiver Communication Channel

To send encrypted messages to the third party, use the ‘localejbs/PGPEncryption’ adapter module in our receiver channel and configure the following parameters:

  • applyEncryption
  • applySignature – true if the recipient expects the message to be signed
  • encryptionAlgo – algorithm used for encryption
  • format – text or binary
  • ownPrivateKey – name of our private key in Secure Store
  • partnerPublicKey – name of third party public key as maintained in Secure Store
  • pwdOwnPrivateKey – password to our private key (the password is set as part of key generation process)
  • useSecureStore – indicates if we use Secure Store or file system for the keys

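A check worth running on a file written by the receiver channel, as an added example that is not part of the original article or of the SAP add-on: it reads the leading packets of an OpenPGP message (RFC 4880), in either format (text or binary), and lists the key IDs the message is encrypted to; an empty list means the payload is not PGP-encrypted. The function names and the sample key ID are constructed for illustration, and the code assumes the module emits standard OpenPGP messages.

```python
import base64

def dearmor(data: bytes) -> bytes:
    """Return raw OpenPGP bytes, decoding ASCII armor (format=text) if present."""
    text = data.decode("latin-1").replace("\r\n", "\n")
    if "-----BEGIN PGP MESSAGE-----" not in text:
        return data  # format=binary, or not PGP at all
    armored = text.split("-----BEGIN PGP MESSAGE-----", 1)[1].split("-----END PGP", 1)[0]
    body = armored.partition("\n\n")[2]  # armor headers end at the first blank line
    return base64.b64decode("".join(l.strip() for l in body.splitlines() if l[:1] != "="))

def packet_at(raw: bytes, pos: int):
    """Parse one packet header (RFC 4880, 4.2): (tag, body_start, body_length)."""
    first = raw[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:  # new-format header
        tag, l0 = first & 0x3F, raw[pos + 1]
        if l0 < 192:
            return tag, pos + 2, l0
        if l0 < 224:
            return tag, pos + 3, ((l0 - 192) << 8) + raw[pos + 2] + 192
        if l0 == 255:
            return tag, pos + 6, int.from_bytes(raw[pos + 2:pos + 6], "big")
        raise ValueError("partial body length: not a session-key packet")
    n = 1 << (first & 0x03)  # old-format header: 1, 2 or 4 length octets
    if n == 8:
        raise ValueError("indeterminate length: not a session-key packet")
    return (first >> 2) & 0x0F, pos + 1 + n, int.from_bytes(raw[pos + 1:pos + 1 + n], "big")

def recipient_key_ids(data: bytes) -> list:
    """Key IDs from the leading Public-Key Encrypted Session Key packets (tag 1)."""
    pos, ids = 0, []
    try:
        raw = dearmor(data)
        while pos < len(raw):
            tag, start, length = packet_at(raw, pos)
            if tag != 1:
                break  # reached the encrypted data (or something that is not PGP)
            if raw[start] == 3 and start + 9 <= len(raw):  # v3: 8-byte key ID
                ids.append(raw[start + 1:start + 9].hex().upper())
            pos = start + length
    except (ValueError, IndexError):
        pass  # plaintext or truncated input: keep what was found so far
    return ids

# Constructed sample: session-key packet for a made-up key ID, then a tag-18 stub.
SAMPLE_KEY_ID = "0123456789ABCDEF"
SAMPLE = bytes([0xC1, 12, 3]) + bytes.fromhex(SAMPLE_KEY_ID) + bytes([1, 0, 0, 0xD2, 2, 1, 0])
```

The key ID in the packet is that of the partner's encryption (sub)key, which can differ from the primary key ID, and a message created with hidden recipients carries an all-zero ID.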

Learn more!

For more details on additional parameters and allowed values, see the SAP documentation: https://help.sap.com/viewer/5336c62e683348a8886ff7ef4b15c40f/1.0.5/en-US/08d47f0c5abd4f4f9d0b167ff693b1a7.html

Wojciech Eichert SAP Integration Consultant, SAP Press author
SAP consultant since 2012 with broad experience gathered through involvement in several international projects. Main areas of interest are SAP integration technologies, especially PI/PO middleware and AIF implementations. Enjoys programming challenges.